Kenya’s Finance Bill 2025 contains a provision that will make it legal for the government to compel businesses to disclose personal data and trade secrets.
A key provision within the Bill seeks to repeal Section 59A (1B) of the Tax Procedures Act, a statutory safeguard that currently prohibits the Kenya Revenue Authority (KRA) Commissioner from compelling taxpayers to disclose personal data or trade secrets obtained during business operations.
This proposed repeal has drawn criticism from legal bodies, audit firms, and civil society organizations, who argue it directly contravenes Kenya’s Data Protection Act of 2019 and undermines citizens’ constitutional right to privacy. The Law Society of Kenya (LSK) and audit firms like KPMG East Africa and Ernst & Young have been vocal in their opposition, stating that granting the KRA such automatic and unfettered access to sensitive personal and corporate data could lead to invasive audits, expose trade secrets, and significantly erode public trust.
Concerns have also been raised regarding the KRA’s existing iTax business registration platform, which some critics claim already allows retrieval of sensitive personal information. This includes contacts, email addresses, residential locations, and places of employment, simply with a taxpayer’s PIN. This suggests a potential history of data privacy breaches even before the proposed legislative changes.
During recent parliamentary committee hearings, KRA Commissioner General Humphrey Wattanga was pressed to explain the agency’s support for the controversial clause. While he acknowledged it as a “serious matter” that would be addressed, the KRA’s rationale is primarily to boost tax compliance and meet ambitious revenue targets.
Critics, however, fear that the erosion of data protection is not an isolated issue but part of a broader tension between technological advancement and the preservation of fundamental freedoms. They warn of the risks of unchecked surveillance and the potential for misuse of vast troves of data for purposes beyond tax collection, including political profiling or electoral interference, which could undermine democratic processes.
Kenya Revenue Authority (KRA) has claimed, in a press statement, that it is committed to safeguard taxpayer data. Speaking during a meeting with the Departmental Committee on Finance and Economic Planning, KRA Commissioner General, Humphrey Wattanga has said the Authority is working closely with the Office of the Data Protection Commissioner (ODPC) to implement a Data Minimisation Strategy that will reduce risks pertaining to personal taxpayer data.
The KRA Commissioner General has said this is part of the wider Digital Modernisation Strategy that KRA is rolling out under the 9th Corporate Plan. He said, “We have already put in place immediate measures to swiftly disable loopholes on our portals that could be maliciously exploited to access personal taxpayer data. Our collaboration with the ODPC aims to ensure that we continuously improve the integrity of our systems, especially with regard to access to third party data.”