Introduction
Kenya1 and Uganda2 enacted data protection laws in 2019 to give effect to the right to privacy under Articles 313 and 274 of the respective countries’ Constitutions. Both Acts took effect in 2019. To allow for the operationalisation of the Data Protection Act (DPA), Kenya adopted civil registration; general; complaints handling procedure and enforcement; and registration of data controllers and processors regulations, between 2020 and 2021.5 Similarly, to operationalise the Data Protection and Privacy Act (DPPA), Uganda gazetted the Data Protection and Privacy Regulations in March 2021.6
The Kenyan DPA and the Ugandan DPPA contain provisions that are broadly similar to the EU General Data Protection Regulation.7 These Acts were enacted in the context of increasing globalisation, cross-border transactions, widespread internet adoption, and the growing use of digital platforms, reflecting the need to align local data protection standards with international best practices.8
Both laws establish a central body that is responsible for overseeing the appropriate handling of personal data. Kenya has established the Office of the Data Protection Commissioner (ODPC).9 The ODPC has taken great steps to implement the DPA. For instance, the ODPC launched the Data Protection Registration System in 2023, through which fifteen thousand (15,000) data handlers had been registered as of January 2026.10 Furthermore, the ODPC had also resolved over nine thousand (9,000) complaints.11 The ODPC has developed a set of guidelines, in the form of guidance notes, to assist organisations in various sectors in understanding and implementing the DPA.12 To bring services closer to people, the ODPC has created branches throughout the country; for instance, it has offices in Nakuru, Kisumu, Garissa, Eldoret, Nyeri and Machakos.13
Uganda, similarly, has established the Personal Data Protection Office (PDPO) led by the National Personal Data Protection Director.14 The PDPO commenced its operations by first registering all individuals, institutions, and public bodies involved in the collection and processing of personal data.15 As of January 2026, the PDPO had registered nine thousand eight hundred and five (9,805) data controllers and processors.16 The PDPO is also resolving and issuing determinations on data protection complaints.17 One notable determination of the PDPO is an 18 July 2025 determination against Google. This determination affirmed that the data protection compliance obligations under Ugandan law apply to all entities that handle personal data in Uganda, regardless of where they are based.18 Previously, the PDPO took proactive steps to resolve a data breach at the Uganda Securities Exchange in June 2023.19
Building on the above discussions, this article examines key similarities and differences between the DPA and DPPA, and assesses the status of their implementation by the respective national data protection authorities.
Similarities between Kenya’s and Uganda’s Data Protection Laws
- Lawful Processing of Data
Both Kenya’s DPA and Uganda’s DPPA recognise consent as a central lawful basis for processing personal data.20 However, consent is not superior to other grounds. Neither law establishes a hierarchy among the bases, meaning any single valid condition is sufficient to justify processing.21
Both laws allow processing of personal data to occur where it is necessary for performance required in the public interest or for public duties. Kenya’s DPA offers a broader range of additional lawful bases.22 These include processing that is necessary to protect the vital interests of the data subject or another person, for tasks carried out in the public interest or under official authority, for legitimate interests pursued by the controller, processor, or a third party, and for historical, statistical, journalistic, literary, artistic or scientific research purposes.23
The expanded lawful basis in Kenya provides more flexibility for processing that serves a public benefit purpose, such as academic research, media reporting or statistical analysis without needing to rely on consent. This approach reduces the need to obtain consent from data subjects.
- Collection of Data from the Data Subject
A data collector24, data controller25 or data processor26 must obtain consent directly from the data subject.27 However, there are instances where data may be collected indirectly from the data subject. Both the DPA and the DPPA list the following instances of indirect collection: the data is part of a public record,28 the data subject has purposely made the data public,29 the data subject has consented to the collection of the information from another source,30 or the collection of data from another source is not likely to prejudice the privacy of the data subject.31 Furthermore, data may be collected indirectly if it is necessary for the prevention, detection, investigation, prosecution, or punishment of a crime,32 and the enforcement of a law that imposes a pecuniary penalty.33 The Ugandan DPPA goes further to codify that data may be indirectly collected if it is necessary for the enforcement of a law that concerns public revenue collection,34 for the conduct of proceedings before any court or tribunal that have commenced or are reasonably contemplated,35 or for the protection of national security.36
The distinction between direct and indirect collection underscores how both Kenya’s and Uganda’s data protection frameworks attempt to balance privacy rights with legitimate state interests. Uganda’s broader list of exceptions, especially those relating to judicial proceedings, revenue collection and national security, may risk state surveillance and overreach. Kenya’s narrower scope reflects a more cautious approach, balancing necessity and proportionality.
- Data Subject Rights
Both the DPA and the DPPA provide for data subjects’ rights, but the way these rights are codified differs slightly. The Kenyan DPA provides five distinct data subject rights, which are the rights to be informed,37 access personal data,38 object to the processing of all of their personal data,39 correction of false and misleading data,40 and deletion of false or misleading data.41 In addition, Article 35 of the Kenyan Act provides data subjects with the right to object to automated individual decision-making.42 The Ugandan DPPA mirrors these rights as well as the right of data subjects to challenge decisions made solely through automated processing.43 This right ensures that any decision made by or on behalf of the data controller that has a significant impact on a data subject is not based solely on the automated processing of that individual’s personal data.44 In both frameworks, where a decision is made solely through automated processing, the data controller is to notify the data subject accordingly.45
Under the Ugandan Act, a data subject is entitled to require a data controller to reconsider a decision made solely through automated processing within twenty-one days of being notified of such a decision.46 By contrast, the Kenyan Act recognises the right to object to automated decision-making but does not stipulate a fixed statutory timeline, instead requiring that such objections be raised within a reasonable time.47
Notwithstanding these differences, both frameworks are forward-looking in their recognition of data subject rights, particularly the right to object to automated decision-making—a safeguard that is likely to become increasingly crucial as artificial intelligence technologies are more deeply integrated into social, economic, and administrative life.
- Data Protection Impact Assessments
Both laws mandate a Data Protection Impact Assessment (DPIA) before data processing activities commence, where such processing is likely to result in high risks to the rights and freedoms of a data subject.48 In Kenya, a DPIA includes a systematic description of the planned processing activities and the purpose of processing;49 an assessment of the necessity and proportionality of the processing operations in relation to the purposes;50 an assessment of the risks to the rights and freedoms of data subjects;51 the planned measures to mitigate risks and outline the safeguards, security controls, and mechanisms established to protect personal data and demonstrate compliance with the Act, while considering the rights and legitimate interests of data subjects and other affected persons.52 Similarly, in Uganda, every DPIA includes a systematic description of the planned processing and purposes of processing;53 an assessment of the risks to personal data and the measures to address the risks;54 and any other matter the Office may require.55
A comparison of the two regimes reveals that while both Kenya and Uganda recognise the importance of DPIA as a preventive safeguard, Kenya adopts a more comprehensive and detailed approach by explicitly requiring assessments of necessity, proportionality, and the inclusion of specific safeguards and compliance mechanisms.56 Uganda, by contrast, provides a more flexible framework, focusing primarily on risk identification and mitigation but leaving room for the regulator to require additional elements on a case-by-case basis. In practice, Kenya’s approach may enhance consistency and accountability by clearly setting out what controllers must demonstrate, but it also risks creating a more burdensome compliance process. Uganda’s model, meanwhile, offers adaptability and reduced administrative strain, but this may come at the cost of weaker standardisation and potential uncertainty for data subjects and processors alike.
Kenya has enforced the requirement of conducting a DPIA prior to processing data via the courts, in the High Court decision of Republic v Joe Mucheru.57 The court quashed the government’s decision to roll out National ID Huduma Cards because no DPIA had been conducted prior to rollout.58 The court held that the rollout violated the Data Protection Act because it involved large-scale, high-risk processing.59 The Government of Kenya argued that the Data Protection Act was not meant to apply to the National Integrated Identity Management System (NIIMS). The Court rejected this argument, holding instead that Section 31 of the Data Protection Act created a current, ongoing obligation for high-risk processing taking place after the DPA commenced.60 The case compels the State to build systems with privacy by design as a key principle. Additionally, it positions the DPIA as a substantive, ex ante legality test for any high-risk system.
In contrast, there is no court-led enforcement of DPIAs in Uganda yet. Instead, enforcement is administrative, with the PDPO requiring organisations to indicate in their annual compliance reports whether any DPIA has been carried out.61
Key Gaps and Divergences between Kenya and Uganda’s Data Protection Regimes
Beginning with definitions of key terms, the DPA defines anonymisation as the removal of personal identifiers from personal data so that the data subject is no longer identifiable.62 The DPPA does not define anonymisation. This is the same for the definition of biometric data, where the DPA has a definition,63 but the DPPA lacks a definition. This gap creates potential uncertainty in Uganda’s regime, as the absence of a statutory definition of biometric data may leave room for inconsistent interpretation and application across sectors.
The DPA mandates every data controller and processor to implement data protection by design or by default.64 Organisations must adopt a proactive, preventive and continuous approach to data protection. They must integrate safeguards into systems and processes at the design stage, and ensure that only necessary data is processed by default, and implement technical and organisational measures such as risk assessment, encryption, recovery mechanisms, and continuous monitoring.65 The DPPA has no provisions mandating privacy by default or design. This omission places Uganda at a disadvantage as it weakens the preventive dimension of its data protection framework, making compliance largely reactive rather than anticipatory. Without explicit obligations to implement safeguards from the outset, organisations in Uganda may adopt weaker or inconsistent protection measures, potentially exposing data subjects to higher risks of misuse or breaches.
Uganda and Kenya take divergent approaches to appeals of decisions made by the Authority and the Commissioner, respectively. Under the DPPA, appeals are to be made to the Minister,66 whereas for the DPA, appeals are made to the High Court of Kenya.67 In contrast, Kenya’s judicial approach enhances the legitimacy and credibility of data protection enforcement by subjecting appeals to an independent and impartial court, consistent with the principles of separation of powers and the rule of law. However, the High Court process may be more costly and time-consuming, potentially limiting access for individuals or smaller organisations. Overall, Kenya’s model offers stronger guarantees of fairness and accountability, while Uganda’s system may create doubts about impartiality and the robustness of oversight.
The DPA and DPPA in Practice, and Institutional Effectiveness
A study conducted by Unwanted Witness between 2022 and 2024 employed a comparative, cross-sectoral assessment of data protection and privacy compliance across five jurisdictions: Tanzania, Kenya, Uganda, Mauritius and Zimbabwe. The study evaluated one hundred and nine (109) public and private entities operating across eight data-intensive sectors, namely telecommunications, e-commerce, online betting, banking and finance, insurance, government, health and digital lending.68 Kenya recorded the highest overall score at 40%, followed by Uganda (38%). Both countries registered comparatively lower scores, indicating significant disparities in performance across the countries assessed.69
At the sectoral level, the Banking and Finance sector achieved the highest overall score at 42%, suggesting relatively stronger institutional practices within this sector.70 This was closely followed by the Insurance sector (40%), and a joint performance by Telecommunications and E-commerce, both scoring 39%.71 In contrast, the Government and Health sectors recorded the lowest scores, at 20% and 19% respectively, underscoring persistent structural and regulatory challenges within these domains. These scorecard figures allude to the challenges faced by both Data Protection Regulators. The ODPC, being a relatively new statutory body, faced hurdles in securing adequate funding, which had an impact on the recruitment of personnel and operations.72 This has knock-on consequences for citizens’ level of awareness.
In addition, a study conducted by Amnesty International revealed that amongst the citizens of Kenya, there is generally a moderate level of awareness of the Data Protection Act, with urban areas showing a higher level of awareness than their rural counterparts.73 For both Kenya and Uganda, the study found that the National Regulators had 100% registration of entities operating in banking, finance, and insurance, with the lowest registration figures coming from government agencies, digital loan services74 and the online betting sector.75
The findings suggest that while registration is well-established in highly regulated sectors such as banking and insurance, substantive data protection governance remains underdeveloped in other sectors. The persistently low scores, particularly in government, health, digital lending, and online betting, point to insufficient regulatory enforcement, limited public and institutional awareness of data protection obligations, and weak accountability mechanisms.
There is a clear need for regulators in both Kenya and Uganda to move beyond registration-focused compliance by strengthening awareness-raising initiatives, mandating and standardising transparency reporting, and investing in institutional capacity, including the development and retention of skilled data protection professionals.
Conclusion
Kenya and Uganda have both taken important steps toward safeguarding personal data through dedicated legislation, but their approaches reveal different priorities and levels of maturity. Kenya’s framework is more comprehensive and closely aligned with international best practices, emphasising accountability, detailed compliance requirements, and judicial oversight. This provides stronger guarantees of consistency, transparency, and protection for data subjects, though it may also impose heavier compliance burdens on organisations. Uganda’s regime, by contrast, is more flexible and less prescriptive, allowing regulatory discretion and potentially easing administrative demands, but at the cost of weaker standardisation, less preventive protection, and risks of politicisation in oversight mechanisms. Ultimately, Kenya’s model appears better positioned to inspire trust in cross-border data flows and ensure long-term robustness, while Uganda may need to refine its framework to close definitional gaps and strengthen independence in enforcement in order to fully safeguard the rights and interests of data subjects.
1 Data Protection Act (Kenya), 2019.
2 Data Protection and Privacy Act, (Uganda) 2019.
3 Constitution of Kenya 2010, Art 31.
4 Constitution of Uganda 1995, Art 27.
5 The Data Protection (Civil Registration) Regulations, 2020, Legal Notice 196 of 2020; The Data Protection (General) Regulations, 2021, Legal Notice 263 of 2021; The Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021, Legal Notice 264 of 2021; The Data Protection (Registration of Data Controllers and Processors) Regulations, 2021, Legal Notice 265 of 2021.
6 Data Protection and Privacy Regulations, 2021, Statutory Instrument No. 21 of 2021.
7 See OneTrust DataGuidance, ‘Comparing Privacy Laws: GDPR V. Data Protection and Privacy Act’ <https://www.dataguidance.com/sites/default/files/gdpr_v._uganda.pdf> accessed 7 October 2025 and <https://www.dataguidance.com/sites/default/files/gdpr_v._kenya.pdf> accessed 7 October 2025.
8 Andrew Matoke Mankone, ‘Data Protection and Right to Privacy Legislation in Kenya’ (2023) 47(3-4) IASSIST Quarterly 1, 1–12.
9 Office of the Data Protection Commissioner <Who We Are – Office of the Data Protection Commissioner (ODPC)> accessed 7 October 2025.
10 ODPC <Registered Data Handlers – Office of the Data Protection Commissioner (ODPC)> accessed 9 September 2025.
11 See also Government of Kenya, Government Committed to Safeguarding Personal Data Privacy and Security (Ministry of ICT and the Digital Economy, 29 July 2025) <https://ict.go.ke/government-committed-safeguarding-personal-data-privacy-and-security> accessed 8 January 2026.
12 ODPC <Guidelines – Office of the Data Protection Commissioner (ODPC)> accessed 9 September 2025.
13 ODPC opens fourth regional office in the North Rift, Kenya News (Kenya, 26 September 2025) <https://www.kenyanews.go.ke/odpc-opens-fourth-regional-office-in-the-north-rift/> accessed 8 January 2026.
14 Personal Data Protection Office <Personal Data Protection Office | PDPO – UG> accessed 7 October 2025.
15 Personal Data Protection Office Press Release Requirement to Register with Personal Data Protection Office 2nd November 2021.
16 PDPO <Personal Data Protection Office | PDPO – UG> accessed 1 September 2025.
17 See PDPO 061/2024 Simbwa Phillip v Chippes Technologies Uganda Limited; Complaint No 08/11/256683 Frank Seesmakamua & 3 Others v Google <Personal Data Protection Office | PDPO – UG> accessed on 9 September 2025.
18 Paul Mbuga and Ruth Muhawe ‘Uganda: Data protection Regulator Clarifies Compliance Requirements for Offshore Entities’ <https://privacymatters.dlapiper.com/2025/08/uganda-data-protection-regulator-clarifies-compliance-requirements-for-offshore-entities> accessed 7 October 2025.
19 Personal Data Protection Office Abridged Investigation Report of the Data Security Breach at Uganda Securities Exchange June 2023.
20 Data Protection Act (Kenya). 2019, s 30 (a) (1); Data Protection and Privacy Act (Uganda) 2019 s 7 (1).
21 Ibid. Other legal bases are law, public interest, or for the performance of a contract.
22 Data Protection Act 2019, (Kenya). s 30 (b)
23 Data Protection Act 2019, (Kenya). s 30 (b) (iii) – (iv).
24 A data collector is a person who collects data. Data Protection and Privacy Act 2019, (Uganda) s2.
25 A data controller is a natural or legal person who has the purpose or means of processing data. Data Protection and Privacy Act 2019, (Uganda) s2 and Data Protection Act 2019, (Kenya). s2.
26 A data processor is a natural or legal person who processes data on behalf of the data controller. Data Protection and Privacy Act 2019, (Uganda) s2 and Data Protection Act 2019, (Kenya). s2.
27 Data Protection Act 2019, (Kenya). s 28; Data Protection and Privacy Act 2019 s 11.
28 Data Protection Act 2019, (Kenya). s 28 (2) (a); Data Protection and Privacy Act 2019, (Uganda) s 11 (2) (a).
29 Data Protection Act 2019, (Kenya). s 28 (2) (b); Data Protection and Privacy Act 2019, (Uganda) s 11 (2) (b).
30 Data Protection Act 2019, (Kenya). s 28 (2) (c); Data Protection and Privacy Act 2019, (Uganda) s 11 (2) (c).
31 Data Protection Act 2019, (Kenya). s 28 (2) (e) ; Data Protection and Privacy Act 2019, (Uganda) s 11 (2) (d). The DPA of Kenya adopts a different language; the collection from another source would not prejudice the interests of the data subject.
32 Data Protection Act 2019, (Kenya) s 28 (2) (f) (i) ; Data Protection and Privacy Act 2019, (Uganda) s 11 (e) (i).
33 Data Protection Act 2019, (Kenya) s 28 (2) (f) (ii) ; Data Protection and Privacy Act 2019, (Uganda) s 11 (e) (ii).
34 Data Protection and Privacy Act 2019, (Uganda) s 11 (e) (iii).
35 Data Protection and Privacy Act 2019, (Uganda) s 11 (e) (iv).
36 Data Protection and Privacy Act 2019, (Uganda) s 11 (e) (v).
37 Data Protection Act 2019, (Kenya) s 26 (a).
38 Data Protection Act 2019, (Kenya) s 26 (b).
39 Data Protection Act 2019, (Kenya) s 26 (c).
40 Data Protection Act 2019, (Kenya) s 26 (d).
41 Data Protection Act 2019, (Kenya) s 26 (e).
42 Data Protection Act 2019, (Kenya) s 35.
43 Data Protection and Privacy Act 2019 s 27. The Data Protection Act 2019, s 35 Automated individual decision making codifies this right in similar fashion.
44 Data Protection and Privacy Act 2019, (Uganda) s 27 (1).
45 Data Protection and Privacy Act 2019, (Uganda) s 27 (2) (a).
46 Data Protection and Privacy Act 2019, (Uganda) s 27 (2) (b).
47 Data Protection Act 2019, (Kenya) s 35 (3) (a).
48 Data Protection and Privacy Regulations 2021 reg 12; Data Protection Act 2019 s 31.
49 Data Protection Act 2019, (Kenya) s 31 (2) (a).
50 Data Protection Act 2019, (Kenya) s 31 (2) (b).
51 Data Protection Act 2019, (Kenya) s 31 (2) (c).
52 Data Protection Act 2019, (Kenya) s 31 (2) (d).
53 Data Protection and Privacy Regulations 2021, (Uganda) reg 12 (2) (a).
54 Data Protection and Privacy Regulations 2021, (Uganda) reg 12 (2) (b).
55 Data Protection and Privacy Regulations 2021. (Uganda) reg 12 (2) (c).
56 Data Protection (General Regulations) 2021, (Kenya) Part VII.
57 Republic v Joe Mucheru, Cabinet Secretary Ministry of Information, Communication and Technology and others; Katiba Institute and another (Ex parte); Immaculate Kasait, Data Commissioner (Interested Party) [2021] KEHC 122 (Judicial Review) (14 October 2021) (High Court of Kenya)
58 Ibid.
59 Ibid.
60 Ibid.
61 Personal Data Protection Office (Uganda), Guidance Note on Completion of the Annual Data Protection and Privacy Compliance Report (January 2024) <https://pdpo.go.ug/media//2024/01/Guidance-Note-on-Completion-of-the-Annual-DPP-Compliance-Report.pdf> accessed 22 September 2025.
62 Data Protection Act 2019, (Kenya) s 2.
63 Ibid.
64 Data Protection Act 2019, (Kenya) s 41.
65 Ibid.
66 Data Protection and Privacy Act 2019, (Uganda) s 34.
67 Data Protection Act 2019, (Kenya) s 64.
68 Unwanted Witness, Privacy Scorecard Report 2024 (Unwanted Witness 2025) <https://www.unwantedwitness.org/wp-content/uploads/2025/06/Privacy-scorecard-report-2024-04.04.25.pdf> accessed 9 January 2026.
69 Ibid.
70 Ibid.
71 Ibid.
72 Benedict Mutinda Kimwaki, ‘The Efficacy of the Office of the Data Protection Commissioner in Safeguarding the Right to Privacy in Kenya: An Empirical Review’ (2025) 4(1) The Easta Journal of Law and Human Rights 85–94 <https://doi.org/10.58812/eslhr.v4i0> accessed 8 January 2026.
73 Amnesty International 5 years on: ‘Citizens’ Perspectives on Kenya’s Data Protection Act Implementation’ October 2025.
74 Indeed, there have been complaints against various digital lenders in Kenya. In Autine Opalla v Mulla Pride Limited 2024, Daniela Nadmabuki v Aventus Technology Limited 2024, Maxwell Okoth v Azura Credit Limited 2024 and Chepkoeach Lorna & 22 others v Firch International Company T/A Pesay pay, the digital lenders were found liable for not having a lawful basis for processing personal data and using deceptive and transparent methods to obtain consent.
75 Unwanted Witness, Privacy Scorecard Report 2024 (Unwanted Witness 2025) <https://www.unwantedwitness.org/wp-content/uploads/2025/06/Privacy-scorecard-report-2024-04.04.25.pdf> accessed 9 January 2026.