Artificial intelligence is moving faster than legislation everywhere in the world, and Kenya is no exception. The legal architecture is taking shape across three statutes and several sector regulators.
The Data Protection Act, 2019
AI systems that process personal data fall squarely within the DPA. Lawful basis, consent, DPIAs for high-risk processing and cross-border transfer rules all apply to AI deployments by Kenyan businesses.
The Computer Misuse and Cybercrimes Act, 2018
Unauthorised access, identity theft, computer fraud and the publication of false information all carry criminal penalties. Deepfakes and AI-generated impersonation now sit squarely within these offences.
Emerging AI regulation
The Kenya National AI Strategy 2025–2030 sets out the policy direction, and sector regulators (CBK, IRA, CMA, ODPC) are issuing thematic guidance on responsible AI use. A dedicated AI Act remains in development.
What this means for Nairobi businesses
Conduct DPIAs before deploying AI on customer data; document model governance; require vendors to warrant compliance with the DPA; maintain logs sufficient to demonstrate accountability.
Cybersecurity baseline
The National KE-CIRT/CC issues sectoral advisories. Mandatory breach notification within 72 hours under the DPA applies to most material incidents.
Frequently asked questions
Is there an AI law in Kenya?
There is no dedicated statute yet, but AI is already regulated by the Data Protection Act, the Computer Misuse and Cybercrimes Act and sector regulator guidance.
Do I need to disclose AI use to customers?
Where AI processes personal data, the DPA's transparency requirements apply — customers must be informed of automated decision-making that has legal or similarly significant effects.
This article is for general information only and does not constitute legal advice. Readers should obtain specific counsel on their particular matters.
