← Muchangi Patrick Published Work
⇩ Download PDF
Muchangi Patrick & Co. Advocates logo Muchangi Patrick & Co. Advocates ← Back to Insights

The Compliance Brief

Vol. 03 — Issue 34
Nairobi Edition
Regulation, technology & the business of Kenya
Meta €265M Fine · Ireland DPC, 2022

The Price of a Breach: Meta's GDPR fines and Kenya's own fine ceiling

Ireland's regulator fined Meta and its subsidiaries close to a billion euros. Kenya's Data Protection Act caps the equivalent fine at roughly USD 38,500 — because of one overlooked phrase in Section 63.

Analysis 8 min read Data Protection & Enforcement
By Patrick Muchangi, Founder & Advocate — Muchangi Patrick & Co. Advocates · Published July 2026
Download PDF

In November 2022, Ireland's Data Protection Commission fined Meta €265 million after 533 million users' data was scraped and dumped online — one of nearly €1 billion in cumulative GDPR penalties against Meta, Instagram and WhatsApp in an eighteen-month window. The mechanism behind that figure exposes a structural weakness in Kenya's own Data Protection Act, 2019 — one Kenyan legislators are, encouragingly, already working to fix.

§1 What the Irish fines actually demonstrate

The mechanism matters more than the number.

Under GDPR Article 83, the most serious infringements attract fines of up to €20 million or 4% of a company's total worldwide annual turnover — whichever is higher. For a company turning over well over $100 billion annually, that formula is what allows a single enforcement action to reach hundreds of millions of euros. It is a genuine percentage of global economic activity, not a fixed penalty dressed up as deterrence.

€265M+
Ireland's Meta scraping fine — one of four against the company since 2021
4% / €20M
GDPR's ceiling — whichever figure is higher

§2 Kenya's own enforcement record — already serious

The ODPC has repeatedly shown it will use the full extent of its powers.

By 2025, cumulative ODPC fines exceeded KES 26 million, alongside 357 determinations, 134 enforcement notices and 184 compensation orders.

§3 The flaw: "whichever is lower"

Section 63 of the Data Protection Act, 2019 caps administrative fines at KES 5,000,000 or 1% of annual turnover — whichever is lower.

Why it matters

For any multinational platform, 1% of turnover would always exceed KES 5 million. Because the Act selects the lower figure, the maximum possible fine — for the most serious breach imaginable, by the largest company imaginable — is capped at roughly USD 38,500.

§4 Kenya is already moving — the question is how far

The pending Data Protection (Amendment) Bill, 2025 proposes flipping Section 63 from "lower" to "higher." Five further amendments would close the remaining gap.

§5 How the two frameworks compare

QuestionGDPR (Ireland)Kenya's DPA, 2019 (current)
Maximum fine formula€20M or 4% global turnover — whichever is higherKES 5M or 1% turnover — whichever is lower
Effective ceiling for a multinationalHundreds of millions of euros, scaled to size~USD 38,500, regardless of company size
Continuing-violation fineScales with the underlying penalty structureKES 10,000/day flat
Publication of decisionsStandard practiceInformal, not statutorily mandated

§6 The bottom line

Ireland's fines were the ordinary output of a fine structure built to scale with company size. Kenya's ODPC has already shown it is willing to enforce at the maximum extent the law allows — what it hasn't yet been given is a statute that lets that enforcement mean the same thing against a multinational platform that it means against a Kenyan SME.

Where this goes next

The Data Protection (Amendment) Bill, 2025 is still pending. The window to go beyond a simple word-flip in Section 63 — to a genuinely scaled fine structure — remains open.

How this touches your data protection exposure

An AI governance framework doesn't sit apart from data protection law — most AI systems in Kenya run on personal data, which means your obligations under the Data Protection Act, 2019 are already live even before the AI Bill passes.

Muchangi Patrick & Co. Advocates advises boards, AI deployers, and startups on data protection compliance, AI governance readiness, and cross-border data flows. If you're building or deploying AI systems in Kenya, we can help you map your exposure before the regulator does it for you.

Talk to us

Muchangi Patrick & Co. Advocates advises fintechs, startups, corporates and institutions on data protection and data privacy compliance across Kenya — from ODPC registration and DPIAs to outsourced DPO services and cross-border data transfer advisory. If the issues raised above touch your business, we can help you get ahead of them.

Book a Consultation → Chat on WhatsApp