AI, Data Privacy, Cybersecurity To Drive IT Sector In 2025

No photo availableByBowmans Kenya Partners
7 min read
MICDE is implementing strategic initiatives, regulatory frameworks and legal reforms to balance technological innovation with robust security measures.
law tech

The IT sector in Kenya is expected to continue its rapid growth trajectory in 2025 with developments in artificial intelligence (AI), data privacy and cybersecurity leading the way. As such, the Ministry of Information, Communications and the Digital Economy (MICDE) is implementing strategic initiatives, regulatory frameworks and legal reforms to balance technological innovation with robust security measures.

It takes a strategic approach to AI regulation, focusing on an evidence-based, adaptable policy that responds to the fast pace of technological change. In 2024, the Kenya Bureau of Standards (KEBS) published the AI Code of Practice for public consultation. It covers AI application guidelines and risk management. Further, the MICDE’s AI strategy to foster AI growth via public-private collaboration and local research and development is expected to be implemented imminently. The National AI Policy should be introduced by mid to late 2025. The policy is expected to absorb aspects of global legislation and policy frameworks such as the European Union’s AI Act (2024) and the African Union’s Continental AI Strategy (2024). Having actively engaged local and international stakeholders, the National AI Policy will be keenly awaited alongside increased engagement and use of AI in Kenya.

The Key Case Potentially Setting Precedent For AI Regulation

A key case to watch in 2025 highlights the potential for parties to abuse AI. The US Department of Justice (DOJ) has filed a landmark antitrust lawsuit against RealPage, alleging that its AI-powered software facilitates rent price-fixing among landlords. RealPage’s pricing algorithm allegedly enables landlords to share sensitive rental data, leading to coordinated rent increases and reduced competition. ​This case is significant as it marks one of the first major civil antitrust actions focused on the role of AI in pricing manipulation, potentially setting a precedent for how AI can be regulated in competitive markets.

Data Protection In Favour Of Data Subject

The interpretation of the Data Protection Act 2019 (DPA) continues to evolve through determinations by the Office of the Data Protection Commissioner (ODPC) and decisions by the High Court. In 2025, we expect further clarity on the EU-Kenya adequacy decision (a determination by the EU that Kenya provides adequate levels of data protection) and further guidance on data protection from the ODPC as its jurisprudence develops. The current trend in ODPC decision-making so far appears to favour the data subject and the assertion of digital rights. With increased complaint resolution by the ODPC, we also expect to see more appeals being filed against the ODPC’s determinations in 2025.

For example, in ODPC Complaint No 0608 of 2024: Victor Manga Munyua v Liquid Technologies Limited, the complainant alleged that the respondent, without proper cause, processed his image without his consent for marketing and commercial purposes on their website. The ODPC held that valid consent is a product of conscious decision-making and requires affirmative action.

Further, in ODPC Complaint No 1175 of 2023, Jeremy Obano vs Kenya Airways PLC (KQ), the complainant alleged that in 2023, they contacted KQ about its services via a telephone call, which was, as per the complainant’s assertion, recorded by KQ. The complainant later requested to be given access to the telephone voice recording. The ODPC held that the right to access is absolute, and KQ had an obligation to avail the same to him within seven days from the date of the request.

We expect ODPC to enforce jurisdiction over foreign data processors and controllers. A position recently affirmed by the Data Commissioner.

Moves To Regulate Cybersecurity

A streamlined regulatory framework is increasingly essential to tackle cybersecurity risks, especially in critical sectors like financial services and telecommunications. Ongoing collaboration between the private sector and regulators will be key to addressing these challenges in 2025. Further, we expect to see the increased visibility of the National Computer and Cybercrimes Coordination Committee (NC4).

Legislation changes impacting cybersecurity that are expected in 2025 include the enactment and implementation of the Computer Misuse and Cybercrimes Act & Amendment Bill 2024, which contains an expanded list of offences and tougher penalties for cybersecurity breaches. The Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) Regulations 2024 (CII Regulations) have been enacted and the implementation phase is expected to continue into 2025. The CII Regulations provide a framework for detecting and/or responding to threats and protecting critical infrastructure and are expected to strengthen the powers of the NC4.

The Protection of Critical Infrastructure Bill 2024 is expected to be finalised in 2025. The Bill aims to secure vital services against cyber threats. New Guidelines to the Data Protection Act (DPA) 2019 are also expected, covering data security and breach notifications more aligned with the EU’s General Data Protection Regulation (GDPR). In addition, the National Cybersecurity Strategy (2022-2027) is expected to continue to strengthen governance, legal frameworks, and collaboration in the cybersecurity sector after being implemented in 2024.

Further trends in this space include a focus on cloud security and an emphasis on securing cloud data. Increased cyber-attacks are likely in 2025 considering that 1.1 billion threats were detected in Kenya by the second quarter of 2024. A growth in public-private partnerships is also expected in this space, with the collaboration bolstering resilience in the sector. Legislative reforms and advisories will continue to develop; for example, the Kenya Computer Incident Response Team (KE-CIRT) issued 9.3 million advisories by Q2 2024.

The Need To Regulate Fintech And Digital Assets

Kenya’s regulatory approach to fintech has been fragmented. There are no specific laws covering fintech and current legal oversight is based on the sector in which the fintech operates. The main regulators in the space include the Central Bank of Kenya (CBK), the Capital Markets Authority (CMA), the Insurance Regulatory Authority (IRA), and the Communications Authority of Kenya (CAK).

Both the CMA and CBK have commented on the lack of appropriate regulation, with the CBK’s National Payment Strategy 2022-2025 (Strategy) providing direction for digital asset regulation to enhance the country’s payment systems, foster innovation in the space, and improve digital inclusion while also ensuring robust security. Some salient provisions of the Strategy include building a payment system anchored on four pillars – trust, security, usefulness and innovation. The Strategy also proposes an overhaul of the national payment system laws, the finalisation of the Digital Finance Policy and admissions of companies into the CMA Regulatory Sandbox, which provides a less restrictive regulatory framework to enable fintech companies and other market intermediaries to test their products and solutions before launching them to market.

Disputes In The IP And Technology Space

While traditional IP litigation frameworks remain, emerging technologies like AI, fintech, and cryptocurrency call for clearer alternative dispute resolution mechanisms to ensure efficient enforcement. In 2024, disputes in the technology sector centred mostly on data breaches, intermediary liability, social media complaints and employment. These disputes were played out via the regulators – the ODPC (privacy disputes), the Kenya Industrial Property Institute (intellectual property disputes) and the Kenyan courts, most notably the High Court’s Constitutional and Human Rights Division and the Commercial and Tax Division. We expect to see more cross-border IP and technology litigation, with potential cases testing the liability of social media platforms in different jurisdictions, regional IP infringements, company name objections and the embracing of alternative dispute resolution such as arbitration and out-of-court settlements.

Kenya is aligning with global trends and legal frameworks in the technology space and fostering an environment of increased regulation, compliance, collaboration and innovation. This will position the country to harness the full potential of its burgeoning IT sector in 2025 and beyond.

By John Syekei, Ariana Issaias, Daniel Mwathe, and David Opijah, Partners, Bowmans Kenya

 

Leave a Reply

Your email address will not be published.

Do you have a story that you think would interest our readers? Write to us editorial@cioafrica.co