Every mobile money transaction, SIM card registration, CCTV recording, supermarket loyalty card swipe, biometric scan, public WiFi login leaves behind a trail of data.
These fragments may seem trivial. However, privacy experts caution that when combined, they can paint an unusually detailed portrait of a person’s life. From where they go, whom they communicate with, what they purchase, search online and generally the routines they follow on a daily basis.
The debate over digital privacy and surveillance in Kenya has intensified following a recent Al Jazeera documentary that raised concerns about how State agencies may use mobile phone data, telecommunications systems and digital surveillance tools.
The documentary reignited public scrutiny about the amount of personal data held by telecom operators and technology platforms and raised questions about whether existing legal safeguards are sufficient to protect individuals’ constitutional rights.
At the heart of the debate lies a constitutional question. In a country rapidly embracing digital governance and interconnected technologies, how much privacy do citizens realistically retain?
National security
Kenya’s constitution guarantees the right to privacy under Article 31, including protection against unnecessary disclosure of personal information and infringement of private communications. However, it also permits lawful limitations in cases involving national security, crime prevention and public safety.
The tension between these two realities, security and privacy, is increasingly defining Kenya’s digital age.
The Nairobian reached out to Data Commissioner Immaculate Kassait to explain how Kenya’s data protection framework operates, particularly regarding access to personal data by law enforcement agencies and safeguards designed to prevent abuse.
“The legal architecture governing the processing of personal data in Kenya is rooted in Article 31 of the Constitution, which explicitly guarantees every citizen the right to privacy. Specifically, Articles 31(c) and (d) protect individuals from unnecessary disclosure of private affairs and safeguard the privacy of their communications,” Kassait said.
She noted that any collection, processing or retrieval of personal data must comply with the Data Protection Act (DPA), 2019, which sets out the legal framework governing how personal information is handled in Kenya.
“The law balances these constitutional protections with specific, lawful exceptions, such as public interest or national security, which are governed by distinct legal thresholds under relevant Kenyan statutes,” she said.
Kassait’s remarks come amid growing concerns over digital surveillance following the anti-government protests in 2024 during which allegations of abductions, arbitrary arrests and digital tracking fuelled fears about the extent of State surveillance capabilities.
Privacy and cybersecurity experts say modern surveillance no longer relies solely on physical observation or traditional wiretapping. Instead, today’s systems operate through the aggregation of data from multiple digital sources.
Telecommunications metadata (data about data), mobile money records, geolocation tracking, facial recognition cameras, social media activity and open-source intelligence tools can collectively reveal intimate details about individuals without necessarily accessing the content of private communications.
In recent analyses on surveillance and privacy published in The Conversation, High Court advocate and data governance scholar Mugambi Laibuta argued that the issue is no longer whether surveillance exists, but whether adequate constitutional safeguards meaningfully constrain its use.
Growing concern
“Privacy attaches to the person, not the platform,” Dr Laibuta wrote in an analysis examining Kenya’s emerging surveillance ecosystem.
His argument reflects a growing concern among digital rights advocates that visibility in the digital age should not automatically amount to consent. Under Section 2 of the Data Protection Act 2019, telecommunications companies operate as both data controllers and data processors, depending on how personal information is handled.
That obligation places telecom operators such as Safaricom and Airtel, who are major custodians of personal data, at the centre of Kenya’s privacy debate. Every phone call generates call data records. Every mobile money transaction creates a transactional history linked to a registered identity.
Mobile devices continuously interact with nearby communication towers, producing location information capable of estimating a user’s movements over time.
Metadata alone, even without listening to calls or reading messages, can reveal behavioural patterns, associations and routines with remarkable accuracy.
For instance, it may indicate that a call originated from Nairobi Central Business District, that persons A and B frequently communicate, and that their interactions often take place at night.
The scale of digital traceability has expanded rapidly alongside Kenya’s transition into a digital economy.
Public transport payments, digital banking, online education systems, eCitizen services and health platforms now generate massive streams of personal data daily.
Surveillance infrastructure in urban centres has grown significantly with Nairobi’s CCTV network, part of broader smart city initiatives, reported to be equipped with facial recognition and automatic number plate recognition capabilities in some systems. This has become a visible symbol of the country’s smart-city ambitions.
Proponents argue that such systems enhance public safety and assist criminal investigations. However, insufficient oversight could allow surveillance technologies to expand faster than the legal protections designed to regulate them.
Laibuta has warned that surveillance conducted without judicial oversight risks eroding democratic freedoms and shrinking civic space.
“Surveillance can enhance security and service delivery, but its misuse poses significant threats to democracy, human rights and public trust,” he wrote in a previous analysis for The Conversation.
Investigations by organisations such as Citizen Lab and Privacy International have previously cited Kenya in reports examining the use of surveillance technologies, including Pegasus spyware and communications interception systems.
Pegasus, developed by Israeli cyber-intelligence company NSO Group, is capable of extracting messages, emails, passwords, photographs and encrypted communications from infected mobile phones.
Government surveillance
Although the Kenyan government has never publicly confirmed the use of such technologies, cybersecurity experts say the global growth of digital surveillance tools has fundamentally altered the balance between privacy and State power.
“The more transparent society becomes, the more invisible the watcher becomes,” Laibuta stated in his analysis on open-source intelligence and data protection law, titled KDPA and OSINT: Where Public Intelligence Meets Private Rights. KDPA refers to the Kenya Data Protection Act, OSINT stands for Open Source Intelligence.