The Kenya Information & Communications (Amendment) Bill 2025 has the potential to negatively impact human rights in Kenya. Specifically it may limit the right to privacy.
In my opinion, it is a the Kenya Information & Communications (Amendment) Bill 2025 it is a bad law. The proposed law will for instance enable customers to track data they have purchased but it creates a system that will also be able to surveil them. Such systems exist and all ISP companies need to do is to make them client facing.
Here’s a breakdown of the key reasons why I considered this bill a problematic piece of legislation:
1. Mandatory Internet Metering and Data Collection
The bill seeks to compel Internet Service Providers (ISPs) to implement metered billing systems that assign each customer a unique, traceable internet meter number. ISPs would be required to monitor customer usage, convert this data into readable details, and submit it to the Communications Authority of Kenya (CA) annually. This raises concerns about the extent of data collected, how it will be stored, protected, and used, with fears of potential government surveillance and abuse.
2. Lack of Safeguards
The bill lacks clear guidelines on the type of customer data to be tracked, the duration of its storage, and the security measures to protect it. There’s also a lack of transparency regarding how the CA will use this vast amount of data, raising concerns about potential misuse and the absence of user consent mechanisms.
3. Real-time Monitoring
The requirement for ISPs to install “signature-creation devices” suggests the possibility of real-time monitoring of user data, further infringing on the right to privacy.
4. Potential for Abuse and Undermining Digital Rights
The ambiguous language in the bill could be exploited by the government to stifle dissent and control online content. Terms like “readable details” of internet usage are not clearly defined, leaving room for broad interpretation and potential overreach.
5. Weakening Data Protection
The bill could undermine Kenya’s Data Protection Act (2019) and Article 31 of the Constitution, which guarantees the right to privacy. The extensive data collection and potential for surveillance contradict the principles of data minimization and purpose limitation.
6. Cybersecurity Risks
Centralizing vast amounts of sensitive personal data with ISPs and government agencies could create a significant cybersecurity risk, making these entities prime targets for hackers and malicious actors.
7. Costs to ISPs
The stringent regulations and potential costs associated with implementing the proposed systems could burden smaller ISPs, potentially leading to market consolidation and hindering the expansion of internet access, especially in rural areas. The metered billing system might also discourage high-bandwidth activities crucial for education and economic development among lower-income users.
8. Lack of Public Consultation
The bill has not undergone sufficient public consultation, which is crucial for legislation that impacts fundamental rights and freedoms. Key sector actors have not been consulted before enacted of the bill.