By benadeta mwaura - Reporter
Kenya, January 26, 2026 - The Office of the Data Protection Commissioner (ODPC) has issued 184 compensation orders to Kenyans whose personal data was mishandled, marking one of the strongest enforcement moves under the Data Protection Act, 2019 since its enactment.
The orders come after thousands of complaints were lodged over breaches of individuals’ privacy rights. Since the law came into force, the ODPC has received 9,061 data protection complaints, of which 84 disputes were resolved through Alternative Dispute Resolution (ADR) and 357 determinations, 134 enforcement notices and 20 penalty notices have been issued to promote compliance with data protection rules.
The Data Protection Act, 2019, gives effect to Kenya’s constitutional right to privacy and sets out rules on how personal data should be collected, processed, stored, and shared by both public and private organisations.
It is designed to protect individuals from misuse of their personal information while ensuring organisations handle data responsibly. Under the law, individuals are empowered with several rights. They have the right to be informed about how their data is being used, giving them transparency and control over their personal information.
They can also access and correct any data held about them, ensuring accuracy in records that affect their personal or professional life. Additionally, the Act allows individuals to object to the processing of their data in cases where they do not consent to certain uses, and to request the deletion of information that is inaccurate, irrelevant, or unlawfully collected.
These provisions make privacy protection enforceable and give citizens practical tools to safeguard their personal information. Under the Act, entities that breach data protection requirements can face fines of up to Sh5 million, imprisonment for up to 10 years, or both, and data controllers and processors must register with the ODPC before handling personal data.
The compensation orders reflect the ODPC’s growing use of its enforcement powers to deliver remedies to individuals whose privacy rights were violated. Unlike fines that punish organisations, these orders directly compensate victims, holding data controllers and processors accountable for harms caused by unlawful data handling.
For example, Kenya courts and the ODPC have upheld compensation in cases where individuals suffered distress or misuse of personal data, affirming that the regulator’s authority to award damages is supported by law and judicial precedent.
This marks a shift from compliance reminders toward active enforcement and accountability, compelling organisations to take privacy obligations seriously or face legal consequences and compensation claims. For businesses operating in Kenya, the recent compensation orders from the ODPC send a clear message: data privacy violations can no longer be treated as low-risk. Organisations are now under increased scrutiny, and failure to comply with the law can result in both financial penalties and reputational damage.
More from Kenya
To meet these obligations, companies must conduct data protection impact assessments to identify and mitigate risks associated with the collection and processing of personal data. They also need to ensure lawful collection and processing, making certain that all data handled has a clear legal basis.
Additionally, businesses must provide transparent consent mechanisms, clearly informing individuals how their data will be used and obtaining their permission where necessary. Finally, organisations are expected to respond promptly to data breach reports, addressing incidents quickly to protect affected individuals and demonstrate regulatory compliance.
Many organisations, including county governments, banks, health platforms and digital services, are now collaborating with the ODPC to ensure compliance and protect citizens’ personal data as corporate assets and consumer trust.
For consumers, the orders reinforce that privacy is a fundamental right with enforceable remedies. Individuals affected by data breaches now have a functioning avenue to seek justice and compensation without resorting to lengthy court battles.
The ODPC has expanded its presence with regional offices in Nairobi, Mombasa, Kisumu, Nakuru, Eldoret, Machakos, Garissa and Nyeri to deepen enforcement, awareness and compliance outreach nationwide. It has also rolled out strategic plans including 2025–2029 goals to enhance policy frameworks, institutional capacity and data protection oversight across public and private sectors.
As digital services proliferate, from mobile banking and healthcare platforms to ecommerce and public sector data systems, enforcement actions like these reinforce Kenya’s evolving data governance ecosystem, pushing organisations to embed privacy by design and cultivate trust in the digital economy.
The ODPC’s issuance of 184 compensation orders signals a firm step toward enforcing Kenya’s Data Protection Act, empowering citizens and compelling organisations to prioritise privacy compliance. By expanding enforcement, mandating registration and providing remedies for affected individuals, the regulator is shaping a more accountable and rights respecting digital environment that supports Kenya’s broader tech driven growth.
