Kenya's ODPC: AI Needs Human Review and a DPIA | TLY

AI Regulation Tracker  /  Regulator guidance

Kenya's data regulator says existing law already limits solely automated AI decisions and requires DPIAs

The Office of the Data Protection Commissioner is applying the Data Protection Act 2019 to AI systems, meaning firms cannot rely on purely automated decisions with significant effects and must run impact assessments for AI profiling. This regime bites now, separate from the pending Kenya AI Bill.

Kenya's data regulator says existing law already limits solely automated AI decisions and requires DPIAs regulation briefing
The Leveraged Years AI Regulation Tracker

Kenya's Office of the Data Protection Commissioner has made a point that many firms deploying AI have not fully absorbed. The country does not need a new AI statute to regulate automated decisions and profiling, because the Data Protection Act 2019 already does. In guidance addressing the growth of AI, the ODPC frames AI processing as falling squarely inside existing data-protection duties, and it points firms toward the obligations that already bind them.

The automated-decision limit that already applies

The operative provision is Section 35 of the Data Protection Act 2019. It provides that a data subject has the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects or similarly significant effects. The exceptions are narrow. Solely automated decisions are permitted where they are necessary to enter into or perform a contract, where they are authorized by law with suitable safeguards, or where the data subject has given consent. Even within those exceptions, the controller must put measures in place to protect the person's rights, which in practice means human intervention, an explanation of the decision, and a way to contest it.

For AI systems, that reframes the compliance question. A model that approves or declines a loan, screens a job applicant, or prices an insurance policy without a human able to review and change the outcome is exactly the kind of processing Section 35 restricts. The duty is not to abandon automation. It is to ensure a person, not only a model, stands behind decisions that carry weight. In operational terms, three elements have to be present. There must be genuine human intervention, meaning a trained reviewer with authority to overturn the result rather than a rubber stamp. There must be transparency, so the person knows a decision was made by automated means. And there must be contestability, a channel through which the person can challenge the outcome and have it looked at again.

Profiling and large-scale processing trigger a DPIA

The second obligation is the Data Protection Impact Assessment. The ODPC guidance directs organizations to conduct impact assessments where AI processing is involved, consistent with the Act's requirement that processing likely to result in high risk to data subjects be assessed before it begins. AI profiling and large-scale processing of personal data are the paradigm cases. The assessment is meant to identify risks, document safeguards, and confirm the processing has a lawful basis before deployment, not after a complaint.

What the regime does not do

This is not a ban on AI, and it is not a licensing scheme. The Act does not require pre-approval of models, and it does not prohibit profiling as such. It conditions solely automated significant decisions and requires risk assessment and safeguards. Firms retain the ability to automate, provided they build in the human review, transparency, and contestability the law expects. The ODPC guidance also does not, on its own, set new penalty levels. The enforcement teeth come from the Act itself.

The penalties and the enforcer

Under Section 63 of the Data Protection Act 2019, the Data Commissioner may impose a penalty of up to five million Kenyan shillings, or in the case of an undertaking up to one per cent of its annual turnover of the preceding financial year, whichever is lower. Those figures, sometimes reported as headline AI fines, are the general administrative penalty ceiling of the Act as it applies to breaches, including breaches involving AI processing. The ODPC is the body that investigates and issues penalty notices.

Distinct from the Kenya AI Bill

This regime should not be confused with the Kenya AI Bill under discussion in 2026, which is a separate, forward-looking instrument covered on its own. The distinction matters for planning. The AI Bill is prospective and still moving through process. The Data Protection Act duties on automated decisions and impact assessments are in force today. A firm waiting for the AI Bill before acting is exposed under the law that already applies.

For a US or other foreign firm, the cross-border reach is direct. The Data Protection Act applies to controllers and processors handling the personal data of people in Kenya, regardless of where the firm sits. A company running automated decisioning on Kenyan customers is inside the regime whether or not it has an office in Nairobi.

Frequently Asked Questions

What changed for firms using AI in Kenya?

Nothing in the statute changed, but the ODPC has made clear that the Data Protection Act 2019 already governs AI. Section 35 limits solely automated decisions with significant effects, and AI profiling or large-scale processing requires a Data Protection Impact Assessment. These duties apply now, without waiting for the separate Kenya AI Bill.

Who is affected by this?

Any data controller or processor handling the personal data of people in Kenya through AI, including lenders using automated credit scoring, insurers, employers using AI screening, and platforms running profiling. It reaches foreign firms serving Kenyan customers, not only companies based in Kenya.

Does this ban solely automated decisions?

No. Section 35 restricts decisions based solely on automated processing that carry legal or similarly significant effects, but it allows them where necessary for a contract, authorized by law with safeguards, or based on consent. Even then, the firm must provide human review, an explanation, and a way to contest the outcome.

What are the possible penalties?

Section 63 of the Data Protection Act 2019 allows the Data Commissioner to impose a penalty of up to five million Kenyan shillings, or for an undertaking up to one per cent of its preceding year's annual turnover, whichever is lower. These are the Act's general administrative penalties as applied to AI-related breaches.

How is this different from the Kenya AI Bill 2026?

The AI Bill is a separate, prospective law still moving through process and covered on its own. The Data Protection Act duties described here are already in force. Firms should comply with the existing automated-decision and impact-assessment rules now, rather than treating AI compliance as a future obligation tied to the Bill.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.