The Compliance Brief
Ireland's regulator fined Meta and its subsidiaries close to a billion euros. Kenya's Data Protection Act caps the equivalent fine at roughly USD 38,500 — because of one overlooked phrase in Section 63.
In November 2022, Ireland's Data Protection Commission fined Meta €265 million after 533 million users' data was scraped and dumped online — one of nearly €1 billion in cumulative GDPR penalties against Meta, Instagram and WhatsApp in an eighteen-month window. The mechanism behind that figure exposes a structural weakness in Kenya's own Data Protection Act, 2019 — one Kenyan legislators are, encouragingly, already working to fix.
The mechanism matters more than the number.
Under GDPR Article 83, the most serious infringements attract fines of up to €20 million or 4% of a company's total worldwide annual turnover — whichever is higher. For a company turning over well over $100 billion annually, that formula is what allows a single enforcement action to reach hundreds of millions of euros. It is a genuine percentage of global economic activity, not a fixed penalty dressed up as deterrence.
The ODPC has repeatedly shown it will use the full extent of its powers.
By 2025, cumulative ODPC fines exceeded KES 26 million, alongside 357 determinations, 134 enforcement notices and 184 compensation orders.
Section 63 of the Data Protection Act, 2019 caps administrative fines at KES 5,000,000 or 1% of annual turnover — whichever is lower.
For any multinational platform, 1% of turnover would always exceed KES 5 million. Because the Act selects the lower figure, the maximum possible fine — for the most serious breach imaginable, by the largest company imaginable — is capped at roughly USD 38,500.
The pending Data Protection (Amendment) Bill, 2025 proposes flipping Section 63 from "lower" to "higher." Five further amendments would close the remaining gap.
| Question | GDPR (Ireland) | Kenya's DPA, 2019 (current) |
|---|---|---|
| Maximum fine formula | €20M or 4% global turnover — whichever is higher | KES 5M or 1% turnover — whichever is lower |
| Effective ceiling for a multinational | Hundreds of millions of euros, scaled to size | ~USD 38,500, regardless of company size |
| Continuing-violation fine | Scales with the underlying penalty structure | KES 10,000/day flat |
| Publication of decisions | Standard practice | Informal, not statutorily mandated |
Ireland's fines were the ordinary output of a fine structure built to scale with company size. Kenya's ODPC has already shown it is willing to enforce at the maximum extent the law allows — what it hasn't yet been given is a statute that lets that enforcement mean the same thing against a multinational platform that it means against a Kenyan SME.
The Data Protection (Amendment) Bill, 2025 is still pending. The window to go beyond a simple word-flip in Section 63 — to a genuinely scaled fine structure — remains open.
An AI governance framework doesn't sit apart from data protection law — most AI systems in Kenya run on personal data, which means your obligations under the Data Protection Act, 2019 are already live even before the AI Bill passes.
Muchangi Patrick & Co. Advocates advises boards, AI deployers, and startups on data protection compliance, AI governance readiness, and cross-border data flows. If you're building or deploying AI systems in Kenya, we can help you map your exposure before the regulator does it for you.
Muchangi Patrick & Co. Advocates advises fintechs, startups, corporates and institutions on data protection and data privacy compliance across Kenya — from ODPC registration and DPIAs to outsourced DPO services and cross-border data transfer advisory. If the issues raised above touch your business, we can help you get ahead of them.