Silent trail: Every click, swipe or scan creates a map of your habits

Every mobile money transaction, SIM card registration, CCTV recording, supermarket loyalty card swipe, biometric scan, and public WiFi login leaves behind a trail of data.

These fragments may seem trivial; however, privacy experts caution that when combined, they can paint an unusually detailed portrait of a person’s life. From where they go, whom they communicate with, what they purchase, search online and generally the routines they follow on a daily.     

The debate over digital privacy and surveillance in Kenya has intensified following a recent Al Jazeera documentary that raised concerns about how State agencies may use mobile phone data, telecommunications systems and digital surveillance tools.

The documentary reignited public scrutiny about the amount of personal data held by telecom operators and technology platforms and raised questions about whether existing legal safeguards are sufficient to protect individuals’ constitutional rights.

At the heart of the debate lies a constitutional question. In a country rapidly embracing digital governance and interconnected technologies, how much privacy do citizens realistically retain?

Kenya’s Constitution guarantees the right to privacy under Article 31, including protection against unnecessary disclosure of personal information and infringement of private communications. However, it also permits lawful limitations in cases involving national security, crime prevention and public safety.

The tension between these two realities, security and privacy, is increasingly defining Kenya’s digital age.

The Standard reached out to Data Commissioner Immaculate Kassait to explain how Kenya’s data protection framework operates, particularly regarding access to personal data by law enforcement agencies and safeguards designed to prevent abuse.

“The legal architecture governing the processing of personal data in Kenya is rooted in Article 31 of the Constitution, which explicitly guarantees every citizen the right to privacy. Specifically, Articles 31(c) and (d) protect individuals from unnecessary disclosure of private affairs and safeguard the privacy of their communications,” Kassait said.

She noted that any collection, processing or retrieval of personal data must comply with the Data Protection Act (DPA), 2019, which sets out the legal framework governing how personal information is handled in Kenya.

“The law balances these constitutional protections with specific, lawful exceptions, such as public interest or national security, which are governed by distinct legal thresholds under relevant Kenyan statutes,” she said.

Kassait’s remarks come amid growing concerns over digital surveillance following the anti-government protests in 2024, during which allegations of abductions, arbitrary arrests and digital tracking fuelled fears about the extent of State surveillance capabilities.

Privacy and cybersecurity experts say modern surveillance no longer relies solely on physical observation or traditional wiretapping. Instead, today’s systems operate through the aggregation of data from multiple digital sources.

Telecommunications metadata (data about data), mobile money records, geolocation tracking, facial recognition cameras, social media activity and open-source intelligence tools can collectively reveal intimate details about individuals without necessarily accessing the content of private communications.

In recent analyses on surveillance and privacy published in The Conversation, High Court advocate and data governance scholar, Mugambi Laibuta, argued that the issue is no longer whether surveillance exists, but whether adequate constitutional safeguards meaningfully constrain its use.

“Privacy attaches to the person, not the platform,” Dr Laibuta wrote in an analysis examining Kenya’s emerging surveillance ecosystem.

His argument reflects a growing concern among digital rights advocates that visibility in the digital age should not automatically amount to consent.

Under Section 2 of the Data Protection Act 2019, telecommunications companies operate as both data controllers and data processors, depending on how personal information is handled.

That obligation places telecom operators such as Safaricom and Airtel, who are major custodians of personal data, at the centre of Kenya’s privacy debate.

Every phone call generates call data records. Every mobile money transaction creates a transactional history linked to a registered identity.

Mobile devices continuously interact with nearby communication towers, producing location information capable of estimating a user’s movements over time.

Metadata alone, even without listening to calls or reading messages, can reveal behavioural patterns, associations and routines with remarkable accuracy. For instance, it may indicate that a call originated from Nairobi Central Business District, that persons A and B frequently communicate, and that their interactions often take place at night.

The scale of digital traceability has expanded rapidly alongside Kenya’s transition into a digital economy.

Public transport payments, digital banking, online education systems, eCitizen services and health platforms now generate massive streams of personal data daily.

CCTV network

Surveillance infrastructure in urban centres has grown significantly with Nairobi’s CCTV network, part of broader smart city initiatives, is reported to be equipped with facial recognition and automatic number plate recognition capabilities in some systems. This has become a visible symbol of the country’s smart-city ambitions.

Proponents argue that such systems enhance public safety and assist criminal investigations. However, insufficient oversight could allow surveillance technologies to expand faster than the legal protections designed to regulate them.

Laibuta has warned that surveillance conducted without judicial oversight risks eroding democratic freedoms and shrinking civic space.

“Surveillance can enhance security and service delivery, but its misuse poses significant threats to democracy, human rights and public trust,” he wrote in a previous analysis for The Conversation.

Investigations by organisations such as Citizen Lab and Privacy International have previously cited Kenya in reports examining the use of surveillance technologies, including Pegasus spyware and communications interception systems.

Pegasus, developed by Israeli cyber-intelligence company NSO Group, is capable of extracting messages, emails, passwords, photographs and encrypted communications from infected mobile phones.

Although the Kenyan government has never publicly confirmed the use of such technologies, cybersecurity experts say the global growth of digital surveillance tools has fundamentally altered the balance between privacy and State power.

Government surveillance

“The more transparent society becomes, the more invisible the watcher becomes,” Laibuta stated in his analysis on open-source intelligence and data protection law, titled KDPA and OSINT: Where Public Intelligence Meets Private Rights. KDPA refers to the Kenya Data Protection Act, OSINT stands for Open Source Intelligence.

The debate has also extended beyond government surveillance into the role played by private corporations, digital platforms and commercial data collection systems.

Retail loyalty programmes, financial applications, ride-hailing services and social media platforms collect volumes of behavioural data from consumers, often in exchange for convenience or personalised services.

Experts warn that many users remain unaware of how extensively their personal information is processed, analysed and potentially shared.

Kassait says the Office of the Data Protection Commissioner (ODPC) continues to conduct awareness campaigns and sector-specific compliance efforts aimed at educating both citizens and institutions.

“As an active safeguard, data subjects hold the statutory right to file official complaints with the ODPC against any data handler found non-compliant,” she said.

Kenya is expanding digital partnerships with foreign governments and technology companies have added another layer to the conversation.

Recent Kenya-United States cooperation frameworks on cybersecurity, digital infrastructure and technology development have highlighted the growing strategic importance of data governance in international relations.

While such partnerships focus on cybersecurity, innovation and digital transformation, experts caution that cross-border data sharing and foreign technology integration raise complex questions around sovereignty, accountability and privacy protections.

Laibuta argued that artificial intelligence and automated data analysis tools are magnifying both the promise and dangers of modern surveillance.

“Automated scraping and facial-recognition systems now process millions of data points in seconds, generating behavioural inferences of unsettling precision,” he wrote.

The challenge, he argues, is ensuring that technological capability does not outpace constitutional safeguards.

Kenya’s courts have increasingly become an important battleground in this debate.

Although no major surveillance case has conclusively established liability against the state, constitutional litigation involving digital identity systems, data collection and biometric registration has repeatedly forced courts to examine the limits of state power in the digital era.

One notable example was the Huduma Namba litigation, in which the High Court underscored the need for adequate data protection safeguards before implementation of the national digital identity programme.

The proportionality principle has similarly emerged as a central legal test in determining whether state intrusion into privacy rights is constitutionally justifiable.

This principle requires courts to assess whether surveillance measures are necessary, whether less intrusive alternatives exist and whether the limitation of rights is proportionate to the intended objective.

The broader issue is not simply surveillance itself, but the absence of public understanding regarding how traceable modern life has become.

A smartphone carried in a pocket now functions simultaneously as a communication tool, financial wallet, location beacon and behavioural archive.

Combined with data from social media, banking systems, transport networks and digital government services, the result is a society where ordinary activities continuously generate searchable, analysable information trails.

Kassait maintains that Kenya’s legal framework remains robust and aligned with international best practices, though she acknowledged that reforms may still be necessary as technology evolves.

“Law is dynamic and must evolve alongside technological advancements,” she said.

“To ensure the framework remains agile and adequate against emerging digital realities, a dedicated review team is currently evaluating the Act. This process is focused on identifying potential systemic gaps and drafting progressive recommendations for amendments where necessary, ensuring Kenya’s regulatory environment remains cutting-edge and protective of its citizens.”

For now, however, the debate continues to grow louder.

Following public concern raised by media investigations, the ODPC’s position on the Al Jazeera documentary states that no formal complaint has been filed regarding the specific instances cited, though the office is reviewing the issues raised.

Kassait added that the ODPC would initiate inquiries where necessary into matters falling within its regulatory jurisdiction under the Data Protection Act.

As Kenya accelerates towards a fully digitised economy, citizens are confronting growing concerns about privacy, accountability and the systems quietly collecting their data.

The issue is no longer simply whether surveillance technologies exist, but whether democratic safeguards, institutional oversight and public awareness are evolving fast enough to protect citizens in an age where nearly every aspect of modern life leaves a digital footprint.