As with the rest of the world, artificial intelligence (AI) technologies are changing industries and societies in Kenya fast, and the potential benefits of this technological leap for economies, especially in sectors such as health, agriculture, financial services, and public administration, are enormous. However, so are the risks and challenges related to data privacy, algorithmic bias, transparency, and accountability as AI systems proliferate. As more companies develop or deploy AI in Kenya, they must become more cognizant of the rapidly shifting legal and regulatory landscape.

Constitutional Rights and AI

The Constitution of Kenya 2010 guarantees rights and principles that can be exploited for AI governance. These include a right to privacy; a right to access information held by the State, including an obligation for the State and nonstate actors to publish information; freedom of the press, subject to fair regulation; freedom of assembly and association; a right to a clean and healthy environment; a right of the family to be protected; a right of access to basic goods and services, including water, housing, food, and primary healthcare; a right to education; the right to equality and freedom from discrimination; and a value for human dignity, human rights, and freedom; as well as the rule that every person has inherent dignity and the right to have that dignity respected and protected.

• Article 31 protects 'the right to respect for private and family life, home and correspondence, ' including the right not 'to have one's private life unnecessarily exposed to public scrutiny' and the right not 'to have private communications intercepted.' AI systems that process private data must respect such privacy rights.
• Article 35 sub preambles the right of access to information held by the state and information held by another person required for the exercise or protection of any right or fundamental freedom. This right might be used to ask for explanations about opaque AI systems with implications for individual rights.

Companies must ensure that their development and use of AI aligns with these constitutional principles.

Data Protection Act 2019

 Much of the data that underpins many AI applications are built from personal data. Thus, one of the most important legislations on AI in Kenya is the Data Protection Act 2019 (which commenced operations in 2021). Section 29 of this Act stipulates the requirements for the processing of personal data, including:

• provided for by section 30, this duty requires an entity that processes personal data (a 'data controller') to inform the person to which the data relates (a 'data subject') about the envisaged purposes of the processing and specifically to inform if the processing encompasses the use of an AI system.
• Sections 32-38 that subjects of data have, including the right of access, correction, deletion, and portability. AI systems must be designed so that these rights can be exhausted.
• Section 41 requires data protection impact assessments before processing where this is 'likely to result in a high risk to the rights and freedoms of natural persons,' as is the case in many uses of AI.

Companies deploying AI must ensure their data governance frameworks comply with the Act's requirements.

Kenya Information and Communications Act

This is enforced through the Kenya Information and Communications Act 1998 (as amended), which provides a legal framework for investigating and prosecuting cybercrimes. These are relevant to AI governance:

• Section 84 makes it a crime to intercept communications illegally. AI systems that crawl the internet to capture personal data without permission might be committing offenses under this section.
• Section 93 states whoever accesses or seeks to access or causes damage to any protected computer system - knowing that such access or attempt to access or damage is unauthorized, or with - intent to cause harm to a protected system, or with the knowledge that such action - constitutes an offense committed against a protected system, shall be punished - with imprisonment for a term which may extend to seven years and shall also - be liable to fine. Any hacking of AI systems or databases will fall under this.

Companies need robust cybersecurity measures to protect their AI assets and training data.

Draft Guidance and Ongoing Court Case

In 2019, for example, Kenya's digital ministry released the Emerging Digital Technologies for Kenya: Exploration Analysis report, arguing that regulation of AI was 'necessary' for 'safety, privacy, transparency, accountability and fairness.Proposed measures included algorithmic impact assessments, ethics review boards, and a top-level AI authority.

 In any case, work is underway on a draft AI regulatory framework. When enacted, it will likely increase the obligations of companies that develop or deploy AI.

 Last year, in a case still pending before the courts, Lawyers Hub Kenya and the Kenya Legal and Ethical Issues Network filed a petition to stop an AI-intensive Case Management and Tracking System that the Judiciary was planning to adopt to 'transform and digitize the systems and operations of the judiciary.' The petitioners have argued that using AI in the justice system without first putting in place an adequate regulatory framework violates constitutional rights. If the courts rule against the Judiciary, this could have wide-ranging implications for how AI is used in the public sector.

Conclusion

Although distinct AI-specific regulation in Kenya is still in its infancy, existing laws already provide

important guardrails. Companies aiming to exploit AI in Kenya must follow relevant laws on

constitutional principles, data protection, cybersecurity, and other sector-specific regulations. They

must also monitor emerging regulatory and judicial developments to stay ahead of the curve. By

developing robust AI regulation anchored in emerging Kenya law, companies the opportunities that

AI presents for job creation while mitigating its risks and heightening public confidence.