Data Protection Commissioner moves to protect online personal data with new guidelines

The push for tighter regulation follows the Worldcoin controversy, in which the company scanned the irises of Kenyan citizens in exchange for cryptocurrency, without adequate consent or safeguards.
The Office of the Data Protection Commissioner (ODPC) has called for public views after releasing two draft guidance notes, one on biometric data processing and another on safeguarding children’s data online.
Kenyans have until May 30, 2025, to submit their comments and help shape the final regulations that will impact digital rights and responsibilities across the country.
Biometric identifiers, like fingerprints, facial scans, iris patterns, and voice recognition, are no longer niche technologies. They are integrated into banking apps, employee attendance systems, and even public services.
With this ubiquity comes risk, prompting the ODPC to introduce stringent controls on how such data can be handled.
According to the draft guidance, organisations collecting or processing biometric data must:
- Be registered with the ODPC.
- Establish a lawful basis for processing.
- Minimise data collection to what is strictly necessary.
- Carry out Data Protection Impact Assessments (DPIAs).
- Notify authorities of data breaches within 72 hours.
- Adhere to global standards like ISO/IEC 39794.
The push for tighter regulation follows the 2023 Worldcoin controversy, in which the company scanned the irises of Kenyan citizens in exchange for cryptocurrency, without adequate consent or safeguards.
The operation was halted, and the High Court ordered the deletion of all collected biometric data, signalling a turning point in Kenya’s approach to data privacy.
The second guidance note zeroes in on protecting children in digital environments.
It proposes risk-based age assurance measures that preserve privacy while ensuring platforms implement stronger safeguards where necessary.
The draft Guidance Note on Processing of Children’s Data by the ODPC does not mandate blanket government-issued ID checks for age assurance yet.
Instead, it promotes a privacy-preserving, proportionate, and risk-based approach to age verification.
This means platforms must choose methods that are effective without being overly intrusive. While ID-based verification could be used in high-risk scenarios, such as platforms with adult content or financial transactions involving minors, it is not the default or encouraged method across the board.
The goal is to balance safety with privacy.
For example, educational platforms or kid-friendly entertainment sites may be expected to use less invasive age estimation technologies or self-declaration backed by parental oversight, depending on their risk profile.
To oversee this, the Communications Authority of Kenya has set October 2025 as the enforcement deadline for platforms to comply with these age-related provisions.
Enforcement underway
The ODPC’s enforcement arm is not waiting for final drafts to act.
In 2023 alone, it fined multiple institutions a combined Sh 9.3 million for data protection violations, including a school that posted photos of minors without parental approval.
These penalties are more than symbolic; they signal the end of laxity in data practices in Kenya.
Recently, the Office of the Data Protection Commissioner (ODPC) ordered a top school to pay a fine of Sh500,00 for sharing a student's personal data without the parent's consent.
The Commission found that the school breached the minor's personal data when the school shared the information with a travel agency and the US Embassy.
These developments position Kenya alongside global leaders like the EU, UK, South Africa, and Nigeria in advancing a robust data protection regime.
All stakeholders, from tech firms and educators to parents and concerned citizens, are encouraged to participate.
Feedback should be submitted using the comment template available on the ODPC website and sent to [email protected] no later than May 30, 2025.