← Muchangi Patrick Published Work
⇩ Download PDF
Muchangi Patrick & Co. Advocates logo Muchangi Patrick & Co. Advocates ← Back to Insights

The Jurisprudence Review Vol. II

Data Protection & Privacy Law
ODPC & High Court, Kenya
Where Kenyan privacy law goes once it leaves the ODPC's building
Kenya Data Protection & Privacy Jurisprudence · Volume II · 2026

Kenya's data protection case law, Volume II: privacy rights, consent and digital identity beyond the ODPC

Our first jurisprudence review mapped twelve decisions on ODPC determinations. This second review looks at nineteen further High Court rulings that push Article 31 privacy rights into succession disputes, neighbour disputes, employment disputes, business acquisitions, and — for the first time — the regulation of artificial intelligence. Read together, they show how far Kenyan privacy law now reaches beyond the Data Protection Act's own complaints process.

Analysis 13 min read Data Protection · Privacy Rights · Administrative Law
By Patrick Muchangi, Founder & Advocate — Muchangi Patrick & Co. Advocates · Published July 2026
Download PDF

Volume I of this review asked a narrow question: how is the High Court handling appeals, judicial reviews and petitions arising directly out of ODPC determinations? Volume II asks a wider one. Once Kenyan litigants realised Article 31 of the Constitution could do independent work — not just as a gateway into the Data Protection Act, but as a freestanding right — they began raising it everywhere: in succession causes over DNA testing, in neighbour disputes over surveillance and WhatsApp groups, in employment and business-sale disputes over commercial use of a person's image, and in a landmark petition over the absence of any AI regulatory framework at all. Nineteen further 2026 KEHC decisions now answer, in practical terms, when a privacy claim needs to go through the ODPC first, when it can bypass the ODPC entirely, and what counts as protectable personal data outside the Act's own definitions.

19Further High Court decisions reviewed
7/19Struck out or dismissed for exhaustion / avoidance
2026Includes Kenya's first AI-regulation ruling
§1 The exhaustion trapWhen a petition is really an ODPC complaint §2 Consent has an expiry dateImage rights & commercial use §3 Privacy beyond the ActDigital identity, surveillance, genetic data §4 Jurisdiction & the AI questionStaggered jurisdiction and Kenya's first AI ruling §5 Frequently asked questionsQuick answers, cited to the cases

§1 The exhaustion trap: when a petition is really an ODPC complaint

The single most common outcome across this second batch of rulings is dismissal or striking out — not because the underlying grievance was weak, but because the claimant went to the High Court before the ODPC.

Five separate petitions fell on this ground alone. A petitioner who alleged his phone messages were used without authorisation in a Succession Cause was told this was a collateral attack on proceedings already before another court. An advocate sued personally over documents he filed for a client was struck out because he was acting as agent, not as a wrongdoer in his own right, and because the real complaint was again a disguised attack on an evidentiary ruling elsewhere. A university employee who filed a constitutional petition just four days after lodging an ODPC complaint on the same facts was found to be forum shopping. A petitioner opposing an ODPC-adjacent objection on mental incapacity nonetheless lost on the separate, cleaner ground that clear statutory remedies existed and had not been tried. And a former employee whose image was kept on a company website after resignation lost entirely because he never approached the ODPC at all before petitioning.

The pattern across all five is consistent: Kenyan courts are not hostile to privacy claims, but they insist on the right sequence. A constitutional petition that could have been an ODPC complaint, or that collaterally attacks a decision already made elsewhere, will not survive a preliminary objection.

Practical rule of thumb

Before drafting a privacy petition, ask three questions: has this been raised, or could it be raised, in another proceeding already under way? Has a complaint been lodged with the ODPC? And is the relief sought something the ODPC could actually grant? A "no" to the first two, or a "yes" to the third, means the petition is not yet ripe.

§3 Privacy beyond the Act: digital identity, surveillance and genetic data

Three rulings extend Article 31 protection into territory the Data Protection Act does not squarely cover at all — recognising new categories of protectable personal information outside the Act's own definitions.

The most significant is a petition brought by prisoners over the unregulated reassignment of deactivated mobile numbers. The High Court held that a registered mobile number is itself a "digital identifier" attracting Article 31 protection, and ordered the Attorney General to develop safeguards against unfettered reassignment — with a hard deadline and a default order if nothing was done. A second ruling addressed neighbourhood harassment: persistent calls, secret filming of a residence, and a WhatsApp group set up specifically to discuss a resident were held to violate Articles 28 and 31, with damages of Kshs 1 million awarded, even though none of the respondents was a data controller in any conventional sense. A third, in a succession dispute, saw the Court decline to order a DNA test on a minor, holding that compelled genetic testing implicates both privacy and bodily integrity and will not be ordered where the underlying legal question can be resolved without it.

None of these three cases involved the ODPC at all. Together they confirm that Article 31 functions as a freestanding constitutional right that Kenyan courts will apply directly to new categories of personal information — digital identifiers, surveillance footage, genetic material — as they arise, rather than waiting for the Data Protection Act to catch up.

§4 Jurisdiction, access to information, and Kenya's first AI ruling

The final strand of this volume clarifies exactly how the High Court's data protection jurisdiction sits alongside the ODPC's, and shows the judiciary's first substantial engagement with regulating artificial intelligence.

One ruling put to rest, in the clearest terms yet, an argument data controllers had been raising in preliminary objections: that the existence of the ODPC strips the High Court of jurisdiction over data protection claims entirely. The Court rejected this as "mistaken and misconceived," describing the High Court's jurisdiction as staggered rather than absent — the ODPC investigates and determines first, and the High Court's constitutional role follows, either on appeal or through adoption and enforcement of the resulting award. A separate ruling confirmed that the right of access to information under Article 35 extends to private entities, not just public bodies, where the information is needed to protect a right, and that using a relative's KRA PIN to file statutory returns without their knowledge is an independent violation of Article 31.

The most closely watched decision, however, is the first Kenyan ruling to squarely engage with regulating artificial intelligence. Petitioners sought a broad moratorium on "high-risk" AI systems generally. The Court declined to issue anything so undefined, but recognised the underlying case for AI regulation, granted leave to amend the petition to name specific systems, joined the Kenya National Commission on Human Rights, and adopted a structural interdict requiring the government to file periodic reports on progress toward an AI regulatory framework. It is a template — specificity required, but active judicial oversight guaranteed — that is likely to shape how AI regulation litigation proceeds in Kenya well ahead of any dedicated statute.

Key takeaway

The High Court's data protection jurisdiction is deferred to the ODPC, not surrendered to it — and Kenyan courts are already applying the same constitutional privacy toolkit built for the Data Protection Act to entirely new questions, from recycled phone numbers to artificial intelligence.

§5 Frequently asked questions

Quick answers to the questions we're asked most often about privacy litigation and ODPC disputes in Kenya — each grounded in the case law above.

Do I need to complain to the ODPC before filing a privacy petition?

In most cases, yes. Kenyan courts have dismissed or struck out several petitions filed without first lodging an ODPC complaint, including one filed only four days after a complaint was submitted on the same facts. The exception is where the petition raises a genuine constitutional question the ODPC cannot resolve, or seeks a remedy the ODPC has no power to grant.

Can a business keep using a former employee's image for advertising?

Generally no, without fresh, specific consent. Consent given for a photoshoot during employment does not extend indefinitely, and does not transfer automatically to a new owner if the business is sold. Continued commercial use without fresh authorisation has resulted in damages awards running into the millions of shillings. See our individual case notes on the Blog for the four rulings on this point.

Is a mobile phone number treated as personal data in Kenya?

Yes. The High Court has recognised a registered mobile number as a digital identifier protected under Article 31 of the Constitution, and ordered the government to develop safeguards against unregulated reassignment of deactivated or recycled numbers.

Does the ODPC's existence remove the High Court's jurisdiction over data protection claims?

No. The High Court has confirmed its jurisdiction over data protection claims is "staggered," not absent — the ODPC investigates and determines first, and the High Court's role, on appeal or in enforcing the resulting award, remains fully intact.

How is Kenya regulating artificial intelligence?

There is no dedicated AI statute yet. In 2026, the High Court declined to issue a broad moratorium on undefined AI systems, but recognised the need for regulation, ordered the petition amended with specific systems named, joined the Kenya National Commission on Human Rights, and required government progress reports — an active oversight approach pending fuller legislation.

Cite this page: Muchangi Patrick & Co. Advocates, "Kenya's Data Protection Case Law, Volume II: Privacy Rights Beyond the ODPC" (dataprivacyadvocates.co.ke, July 2026) <https://dataprivacyadvocates.co.ke/insight-kenya-odpc-case-law-vol2.html>.
If a privacy, image-rights or ODPC matter has landed on your desk

Whether the question is exhaustion, consent, digital identity or a straightforward ODPC appeal, the forum you choose and the evidence you can produce usually decide the outcome.

Muchangi Patrick & Co. Advocates represents complainants and respondents before the Office of the Data Protection Commissioner and on appeal, judicial review and constitutional petition before the High Court of Kenya.

Read the individual cases

This overview draws on all nineteen rulings in our Volume II case-by-case digest. Jump directly to any decision:

See All 19 Cases → Read Volume I Browse the Resource Centre