MNL ADVOCATES LLP (MN LEGAL)

Data Protection

  • Finance Bill 2026: KRA’s New Data Powers and What Founders Must Know | MNL Advocates LLP

    Finance Bill 2026: KRA’s New Data Powers and What Founders Must Know | MNL Advocates LLP

    When the Taxman Becomes the Data Collector: KRA’s New Powers Under Finance Bill 2026 and What Founders Must Know

    Quick Summary: The Finance Bill 2026, published on 5 May 2026 and tabled before the National Assembly, proposes a new Section 18A into the Tax Procedures Act. The provision empowers the Kenya Revenue Authority Commissioner to issue tax assessments using secondary data including eTIMS records, withholding tax declarations, and whistleblower reports. This creates a direct collision with the Data Protection Act 2019 and raises constitutional questions under Articles 24, 27, 31, and 47 of the Constitution of Kenya. Founders and business operators need to act now.

    Every year, Kenya’s Finance Bill arrives with new proposals. Every year, businesses brace. Most founders read the headline changes, note the new rates, and move on. Finance Bill 2026, published on 5 May 2026 and formally tabled before the National Assembly, deserves considerably more attention than that.

    Buried within its proposed amendments to the Tax Procedures Act is a provision that fundamentally changes the relationship between the Kenya Revenue Authority, your business data, and the law enacted specifically to protect it.

    The provision is proposed Section 18A. It would empower the KRA Commissioner to determine whether a person has entered into or carried out a tax avoidance scheme and to issue tax assessments accordingly, using secondary data. The data sources the Bill authorises are broad: withholding tax declarations, employer tax filings, eTIMS transaction records, whistleblower reports, third-party information, KRA audit findings, and any information obtained under other written laws. KRA would have up to five years to issue assessments arising from such determinations.

    This is not a routine tax measure. It is a structural realignment of how the state can access, interpret, and act on your personal and business information, without necessarily asking you first.

    The Finance Bill 2026 matters to every founder running transactions through eTIMS, every fintech operator filing withholding tax records, every digital asset platform with user data sitting in third-party systems, and every business operator whose tax position could be assessed by a regulator who has access to data you have never personally disclosed to KRA.

    Understanding what the Bill proposes, where it conflicts with existing law, and what you should do right now is not optional. It is operational necessity.

    What Section 18A of the Finance Bill 2026 Actually Proposes

    The plain-language version of Section 18A is this: the KRA Commissioner gains the power to form a view that you have engaged in a tax avoidance scheme, and to assess your tax liability on that basis, using data that was collected by other parties for other purposes.

    The secondary data sources the Bill lists are not hypothetical. They are systems already in operation. eTIMS records reflect every transaction your business has processed through the electronic tax invoice management system. Withholding tax declarations carry financial information filed by your counterparties. Employer tax filings show your payroll obligations. Whistleblower reports can come from anyone. Third-party information can originate from financial institutions, other government agencies, or individuals with no direct relationship to your business. KRA audit findings from entirely separate investigations are included.

    The five-year assessment window means that KRA can revisit your tax position for up to five years after identifying a suspected avoidance scheme, using data aggregated across that entire period.

    Two parallel provisions compound the picture. The Bill introduces mandatory annual information returns for virtual asset service providers, requiring them to file detailed user and transaction data with KRA. It also proposes expanded royalty definitions that capture digital payment platforms, card schemes, and switching systems, widening the net of entities under heightened reporting obligations.

    The government frames all of this as modernising Kenya’s tax administration, aligning with global digital enforcement trends, and closing longstanding revenue leakages. That framing is not entirely without foundation. But the mechanism chosen to achieve those objectives raises serious legal questions that no founder operating in Kenya should ignore.

    Data SourceOriginal PurposeProposed New Use Under Section 18A
    eTIMS transaction recordsInvoice compliance and VAT trackingEvidence of tax avoidance schemes
    Withholding tax declarationsThird-party tax deduction reportingSecondary data for income assessments
    Employer tax filingsPAYE and payroll complianceCross-referencing business income positions
    Whistleblower reportsVoluntary information from informantsEvidentiary basis for avoidance determination
    Third-party informationVarious, including financial institutionsSupporting data for assessments
    KRA audit findingsConclusions from separate audit processesCross-use in new avoidance determinations

    Not sure how these provisions affect your specific business? Speak with MNL’s compliance team.

    Finance Bill 2026 Kenya tax documents being reviewed and annotated at a legal desk
    Section 18A of the Finance Bill 2026 proposes to allow KRA to issue tax assessments using secondary data collected by third parties for entirely different purposes.

    Where Finance Bill 2026 Collides with Kenya’s Data Protection Framework

    Kenya’s Data Protection Act 2019 is not aspirational. It is operational, enforceable, and backed by the Office of the Data Protection Commissioner, which has demonstrated a willingness to act. The Act gives effect to Articles 31(c) and 31(d) of the Constitution. It applies to every entity that collects and processes personal data, including financial data, and it applies to government bodies as much as it applies to private ones.

    The proposed KRA framework under Section 18A cuts against four of the DPA’s core principles.

    Purpose Limitation

    Data collected for one purpose cannot be repurposed for another without a fresh lawful basis. When a supplier’s withholding tax data, visible on iTax for payroll compliance purposes, is used to compute an entirely separate tax liability under a suspected avoidance scheme, the purpose for which that data was originally collected has been exceeded. The DPA does not permit this without explicit authority and proportionality.

    Transparency

    Data subjects have the right to know who is accessing their information and why. When whistleblower reports, whose sources a taxpayer may never be permitted to know, form the evidentiary basis of a tax assessment, the transparency requirement has been circumvented. The taxpayer has no visibility into the origin, accuracy, or context of the information driving the assessment against them.

    Automated Processing and Profiling

    The DPA provides that individuals have the right not to be subjected to decisions made solely through automated processing, including profiling. When eTIMS transaction records are fed into KRA’s digital systems to profile business behaviour and generate assessments, this prohibition is directly engaged. KRA has not published the technical architecture of how these assessments will be generated. The absence of that disclosure is itself a transparency problem.

    Data Accuracy

    As EY Associate Director Rachel Njuguna noted in published commentary on the Bill, the risk is concrete: data held by third parties may not accurately reflect a taxpayer’s actual tax position. The proposed framework offers no mechanism for a taxpayer to verify or challenge the accuracy of the source data before an assessment is issued. The burden of disproving an assessment derived from potentially inaccurate data falls on the taxpayer after the fact.

    KRA Proposed PowerConflicting DPA 2019 Protection
    Use eTIMS data to determine tax avoidancePurpose limitation: data must be used only for the purpose collected
    Use whistleblower reports without source disclosureTransparency: data subjects must know who accesses their data and why
    Profile business behaviour through transaction dataRight not to be subject to automated processing with legal effects
    Issue assessments before taxpayer can review source dataRight to challenge inaccurate personal data before legal consequences arise
    Proposed KRA exemption from DPA accuracy obligationsDPA requires all data controllers to maintain accurate, current data

    The Constitutional Dimension

    Kenya’s Constitution is explicit. Article 31 guarantees every person the right to privacy, including the right not to have information relating to their family or private affairs unnecessarily required or revealed. Any law that limits this right must satisfy Article 24, which requires that the limitation be reasonable and justifiable in an open and democratic society, and that it be proportionate to the objective being pursued.

    Civil society organisations, including Amnesty International Kenya and ARTICLE 19 Eastern Africa, have assessed the proposed expansion of KRA’s data powers directly. Their conclusion is unequivocal: the provision does not meet the Article 24 threshold. The limitation goes beyond what is necessary to achieve the stated objective of closing tax revenue leakages. Less intrusive enforcement mechanisms already exist and are in active use.

    The due process concern is compounded by the proposed exemption of KRA from certain DPA accountability obligations. If the Bill is enacted as drafted, KRA would face reduced obligations to ensure that the data it uses is accurate, to maintain clear data retention policies, and to give taxpayers meaningful visibility into how their information is being used. For a framework that will determine tax liabilities, with direct legal and financial consequences for individuals and businesses, that is a significant gap.

    Article 47, the right to fair administrative action, reinforces the concern. Where an administrative decision is likely to adversely affect a person, that person is entitled to written reasons and an opportunity to be heard. An assessment issued on the basis of third-party secondary data, without prior disclosure of that data to the taxpayer, raises serious questions about compliance with Article 47 obligations.

    This Pattern Is Not New

    Finance Bill 2026 is not the first time this boundary has been tested, and understanding the pattern matters for how you position your business going forward.

    Finance Bill 2025 contained a provision seeking to repeal Section 59A(1B) of the Tax Procedures Act, a statutory safeguard that then prohibited KRA from compelling taxpayers to disclose personal data or trade secrets obtained during business operations. That proposal drew fierce opposition from the Law Society of Kenya, KPMG East Africa, and Ernst and Young. KRA’s Commissioner General subsequently committed, before the Departmental Committee on Finance and Economic Planning, to work with the Office of the Data Protection Commissioner on a Data Minimisation Strategy under the 9th Corporate Plan.

    Finance Bill 2026 returns to the same contested territory. The mechanism is different but the practical effect is the same: expanding KRA’s reach to data that the existing legal framework was not designed to accommodate without additional safeguards.

    The policy direction is now clear across successive Finance Bills. Kenya is moving toward a data-driven tax enforcement model. Whether Parliament enacts or moderates these specific provisions, the trajectory will not reverse. Businesses need to be positioned for a compliance environment where the state has broader access to financial data than it has had at any previous point, where assessments can be generated from aggregated secondary sources, and where the burden of proving inaccuracy may rest with the taxpayer.

    Preparation now costs far less than litigation later. That is not a theoretical observation. It is the consistent finding of every business that has waited for enforcement pressure before addressing its compliance posture.

    Five Things Founders and Business Operators Should Do Right Now

    This is about operational readiness, not legal panic. The Bill has not passed. You have time to act intelligently. Here is where to start.

    1. Audit Your Digital Data Footprint

    Every transaction processed through eTIMS, every withholding tax record filed against your PIN, and every employer filing associated with your payroll is already visible within KRA’s digital systems. Under the proposed framework, this data can be aggregated, cross-referenced, and used to assess your tax position without a prior audit flag. Accuracy in your digital records is no longer merely good practice. It is your first line of defence. Reconcile your eTIMS records against your own books now, before any assessment process begins.

    2. Know Your Rights as a Data Subject

    Even before these amendments are enacted, the Data Protection Act 2019 gives you rights that apply today. You can request to know what personal data KRA holds on you. You can challenge inaccuracies in that data. You have the right to be informed about automated processing that produces legal effects. These rights exist under current law, and exercising them proactively creates a documented record that is valuable if an assessment dispute arises. Understand your Data Protection Act 2019 obligations and the corresponding rights they give you.

    3. Engage the Public Participation Process

    Finance Bill 2026 is at the public participation stage before the National Assembly. This is a formal legal opportunity to submit memoranda, appear before the committee, or support industry associations presenting evidence-based objections. Bowmans and other firms have already made public submissions on specific provisions. The window is open. Founders with direct knowledge of how data-driven tax assessments would affect their operating models have information the committee needs and does not yet have from affected parties at scale.

    4. Assess Your Obligations If You Operate in Fintech or Digital Assets

    Virtual asset service providers and digital payment platforms face the most immediate and specific new obligations under the Bill. If your business falls within those categories, the question of what data you will be required to file, when, and under what governance framework requires legal advice now, before enactment. The fintech reporting compliance Kenya landscape is changing materially with this Bill, and the obligations are not minor.

    5. Document Your Internal Data Governance

    If your data is going to be used in an assessment against you, the best protection is records that speak for themselves. Clear internal policies on data retention, transaction documentation, and reconciliation processes that can withstand external scrutiny are not just compliance infrastructure. They are your evidentiary foundation in any dispute. Building strong corporate data governance in Kenya now converts a future risk into a managed position.

    Not sure how Finance Bill 2026 affects your specific business model? Our Team can walk you through the risk exposure and what documentation you need in place before this Bill passes. Book a compliance review with MNL.

    The Window to Act Is Open

    Finance Bill 2026 does not exist in a regulatory vacuum. Kenya has a Data Protection Act. It has a functioning Office of the Data Protection Commissioner. It has a Constitution with an enforceable bill of rights. None of these are suspended by a Finance Bill.

    The legal question Parliament must answer before enacting Section 18A is not whether tax enforcement matters. It plainly does. The question is whether this particular mechanism, with its current absence of taxpayer safeguards, data accuracy obligations, and transparency requirements, is the proportionate and lawful means of achieving that objective.

    For businesses, the practical question is narrower but no less urgent: are you operationally prepared for a tax environment where secondary data can drive assessments, where the burden of proving inaccuracy may fall on you, and where the data generating those assessments may be held by parties you have never directly dealt with?

    The Bill is before the National Assembly. The public participation window is open. Your records are either accurate and documented or they are not. Your data rights are either understood and exercised or they are not. The cost of getting ahead of this is low. The cost of responding to an assessment after the fact is not.

    Ready to understand exactly how Finance Bill 2026 affects your business?
    MNL Advocates LLP advises clients across fintech, technology, and commercial law on regulatory compliance, data protection, and tax matters in Kenya and across East Africa.
    Initiate a Confidential Consultation with MNL.

    Frequently Asked Questions: Finance Bill 2026 and KRA Data Powers

    What does Section 18A of the Finance Bill 2026 allow KRA to do?

    Section 18A proposes to empower the Kenya Revenue Authority Commissioner to determine whether a person has entered into or carried out a tax avoidance scheme and to issue tax assessments accordingly using secondary data. The authorised sources include withholding tax declarations, employer tax filings, eTIMS transaction records, whistleblower reports, third-party information, KRA audit findings, and information obtained under other written laws. KRA would have up to five years to issue assessments arising from such

  • The Silicon Savannah’s Social Contract: A Critical Deep Dive into Kenya’s Artificial Intelligence Bill, 2026

    The Silicon Savannah’s Social Contract: A Critical Deep Dive into Kenya’s Artificial Intelligence Bill, 2026

    For over a decade, Kenya has been the poster child for “permissionless innovation.” We built a global fintech hub on the back of regulatory forbearance, allowing code to outpace the law. But with the introduction of the Kenya Artificial Intelligence Bill 2026, the era of the algorithmic “Wild West” is officially over.

    Working at the intersection of law and digital transformation, I view this Bill not merely as a regulatory hurdle. It is a profound re-architecting of the Kenyan tech ecosystem’s social contract.

    It attempts a delicate, and at times precarious, balancing act: importing the rigorous rights-based framework of the European Union while preserving the developmental agility of an emerging market economy.

    This is the analytical breakdown of what AI regulation in Kenya means for the lawyers, founders, general counsel, and operators who call the Silicon Savannah home.

    1. The Architecture of Power: The Rise of the AI Commissioner

    The Bill establishes the Office of the Artificial Intelligence Commissioner Kenya, and this is not a ceremonial post. It is a “body corporate” with the power to sue, be sued, and, most critically, to enter premises and inspect AI systems upon reasonable notice.

    The Advisory Committee on Artificial Intelligence brings together representatives from the ICT sector, the National Commission for Science, Technology and Innovation (NACOSTI), the Data Protection Commissioner, and independent experts in ethics and human rights.

    Two nominees from the Council of Governors complete the committee. This is a structural acknowledgment of Kenya’s devolved constitutional reality: AI’s most consequential impacts on healthcare and agriculture will be felt most acutely at the county level, not in Nairobi boardrooms.

    The Commissioner is a presidential appointee, subject to parliamentary approval.

    The Critique:

    The Bill creates a highly centralised power structure. The Commissioner’s “independence” is stated, yet the appointment mechanism runs through the executive.

    For a sector that moves at the speed of innovation, the risk of a regulatory bottleneck is not hypothetical. It is structural. Founders and multinationals must factor regulatory lag into their compliance timelines from day one.

    2. The Philosophy of “Protective Developmentalism”

    The Bill adopts a risk-based regulatory posture that mirrors the EU AI Act in its fundamental architecture, categorising AI systems into four tiers:

    • Unacceptable Risk: Flatly prohibited systems.
    • High Risk: The Bill’s primary compliance battleground.
    • Limited Risk: Targeted transparency obligations.
    • Minimal Risk: Largely unregulated.

    High-risk AI systems compliance Kenya covers the most strategically significant sectors: healthcare, education, agriculture, finance, security, and public administration. These systems face the most stringent oversight requirements, including pre-deployment assessments and ongoing monitoring obligations.

    But Kenya’s philosophy diverges from pure restriction in one critical way. The Commissioner is mandated to promote “equitable access to AI infrastructure” and “digital inclusion in underserved areas.” This is not incidental language. It is a developmental directive embedded in a compliance statute.

    This is what I call “Protective Developmentalism”: law as an instrument of directed innovation, not merely restriction.

    Unlike purely restrictive regulatory models, Kenya is attempting to channel AI toward national development priorities. The Bill does not just police AI. It attempts to shape where it goes.

    3. The “Human-Centric” Mandate: A Corporate Burden?

    Sections 32 and 33 are, arguably, the most commercially consequential provisions in the entire Bill. They deserve surgical examination.

    Section 32 establishes a “human-in-the-loop” requirement for AI systems that affect human rights or safety. AI must be designed to enhance, not replace, human capabilities. A qualified person must retain the ability to override an AI system’s output. If your AI architecture is a closed loop, it is a legal liability under this Bill.

    Section 33 goes further, and this is where significant industry friction will emerge.

    The Workforce Impact Assessment Obligation

    Any enterprise deploying an AI system likely to impact employment must conduct a formal AI workforce impact assessment Kenya and, more controversially, implement reskilling programmes in direct collaboration with the government.

    This is not aspirational corporate social responsibility language. It is a statutory obligation.

    The Critique:

    In virtually every other jurisdiction that has grappled with AI-driven displacement, reskilling is a policy goal, a government initiative funded by public resources.

    Here, it is a legal burden placed directly on the private sector. Enterprises in BPO, manufacturing, and large-scale agriculture will need to weigh the efficiency gains from AI adoption against the mandatory compliance cost of reskilling the workforce it displaces.

    For businesses operating at scale, this provision is a material factor in AI investment decisions. The employment law advisory implications are significant, and they begin from the moment you identify an AI implementation that touches any human role.

    Is your business prepared for workforce compliance under the Kenya AI Bill 2026?

    Our employment law advisory team is ready to map your exposure and build a compliant reskilling framework before the Bill comes into force.Initiate a Confidential Consultation →

    4. Strengths: The Forward-Thinking Provisions Kenya Got Right

    Despite the legitimate tensions above, the Bill contains several genuinely visionary provisions that position Kenya as a potential global leader in ethical AI governance.

    Environmental Stewardship

    Section 30(2)(d) requires that AI ethical guidelines address environmental sustainability, including assessments of the carbon footprint and energy consumption of AI systems.

    In an era of hyperscale data centres driving unprecedented energy demand globally, this provision is ahead of the regulatory curve. It signals that Kenya is thinking about AI governance in systemic, not merely transactional, terms.

    Synthetic Media and Deepfake Accountability

    The Bill takes an uncompromising position on AI-generated synthetic media. Explicit consent is required before using a person’s likeness in AI-generated content, and clear labelling of synthetic media is mandated.

    This directly addresses the legal implications of deepfakes under the Kenya AI Bill, filling a gap that many advanced jurisdictions have left open. This also carries significant intellectual property protection dimensions for creators, public figures, and brand owners operating in Kenya.

    The Regulatory Sandbox

    This is the Bill’s olive branch to innovators building at the frontier. The AI regulatory sandbox Kenya provides a controlled environment for testing novel AI systems with oversight from the Commissioner’s office, allowing for “safe innovation” that serves national priorities while actively mitigating risk.

    For founders building in regulated sectors, the sandbox is not optional. It is a strategic instrument, and the only formal path to regulatory protection during the development phase.

    5. The Gaps: Ambiguities and Implementation Risks

    No legislative instrument of this ambition ships without gaps. Intellectual honesty demands we name them clearly.

    The Definition Problem

    The Bill defines AI broadly as any “machine-based system leveraging data processing” to infer outputs. In strict legal construction, a sufficiently complex Excel macro or legacy rule-based enterprise software could fall within this definition.

    The risk of over-compliance for non-AI technologies is real. Until the Cabinet Secretary issues clarifying regulations, General Counsel will need to err on the side of caution, at significant cost.

    The “Unacceptable” Void

    The Bill prohibits “unacceptable risk” AI systems but defers the detailed criteria to future subsidiary legislation. This creates a foreseeable period of “regulatory chill”: investors and founders may be reluctant to fund borderline-category technologies until the list is formally published. In a fast-moving venture ecosystem, that hesitation has a measurable cost.

    Director Criminal Liability: Section 35(3)

    This is the sharpest provision in the Bill, and it requires careful reading by every board member and company officer in Kenya’s tech sector.

    Section 35(3) establishes that if a body corporate commits an offence under the Act, every director or officer who had knowledge of the offence and failed to exercise due diligence is personally guilty of the same offence. The AI Bill 2026 penalties at stake are not trivial: a fine of KES 5 million and/or up to two years imprisonment.

    For an offence such as failing to conduct a workforce impact assessment, the personal exposure for directors is considerable. The risk of talented professionals avoiding directorships in Kenyan tech companies is not speculative.

    It is the rational response to poorly calibrated criminal liability. This is a corporate governance crisis waiting to happen for any board that does not proactively establish documented AI oversight frameworks and due diligence trails before the Bill comes into force.

    Concerned about director liability under Kenya’s AI Bill 2026?

    Our corporate governance team delivers surgical precision on AI compliance risk, mapping your exposure before it becomes a legal event.Schedule a Consultation →

    6. Positioning Kenya in the Global Regulatory Landscape

    The Kenya AI Bill vs EU AI Act comparison is instructive, but it only tells part of the story.

    Kenya is clearly rejecting the United States’ “hands-off,” innovation-first regulatory philosophy. The Bill explicitly references the EU AI Act in its objects clause, a deliberate signal to the international investor community that AI systems built under Kenyan law are structurally “export-ready” for the European market.

    This is the Brussels Effect in action: global regulatory gravity pulling smaller jurisdictions toward the EU’s standard-setting model.

    But Kenya is not simply transposing EU law. It is adding what I call the “African Layer”, embedding devolved governance through county-level representation, mandating workforce reskilling as a corporate obligation, and centering digital inclusion as a core regulatory objective.

    The result is a genuine “Third Way” of AI regulation: rights-based in architecture, yet explicitly developmental in ambition. Neither purely protective nor purely permissive.

    For businesses and multinationals with data privacy compliance obligations spanning multiple jurisdictions, Kenya’s deliberate alignment with EU standards simplifies the compliance matrix considerably, provided implementation keeps pace with legislative ambition.

    7. The Legal-by-Design Framework: Actionable Guidance for Businesses

    For founders, General Counsel, and enterprise operators in Kenya, “wait and see” is not a strategy. The Legal-by-Design AI framework demands proactive action now, while the regulatory landscape is still being formed.

    1. Risk Triage: Conduct an immediate audit of every AI-enabled product and process in your stack. Operating in finance, healthcare, agriculture, education, or public administration? Begin scoping your Human Rights Impact Assessments (HRIA) immediately. The compliance infrastructure for HRIA takes time to build. Do not wait for a commencement date.
    2. Data Hygiene: The Bill requires maintaining records of training datasets and AI system outputs for a minimum of five years. If your data logging practices are informal or inconsistent, you are already non-compliant by the standards this Bill will impose.
    3. Human Override Audit: Review every automated decision-making process in your business. Under Section 32, a fully closed-loop AI system, one that makes consequential decisions without a documented human override capability, is a legal liability. Build the “Red Button” into your architecture before the Bill requires it.
    4. Workforce Planning: If your AI implementation automates tasks currently performed by human staff, begin mapping your AI workforce impact assessment obligations now. Under Section 33, the government will be your mandatory partner in workforce transition planning. Getting ahead of this is both a compliance strategy and a talent retention strategy.
    5. Engage the Sandbox: If you are building innovative AI systems at the frontier of regulated sectors, apply for the AI regulatory sandbox Kenya programme early. The sandbox provides the only formal mechanism for testing novel systems with the Commissioner’s oversight during development.

    Frequently Asked Questions: Kenya’s AI Bill 2026

    What is the Kenya Artificial Intelligence Bill 2026?

    The Kenya Artificial Intelligence Bill 2026 is proposed legislation establishing a comprehensive regulatory framework for the development, deployment, and use of AI systems in Kenya.

    It creates the Office of the AI Commissioner as an independent regulatory body, defines four risk tiers (Unacceptable, High, Limited, and Minimal), and imposes specific compliance obligations including impact assessments, data record-keeping, and human oversight mechanisms.

    What are the penalties for non-compliance with the Kenya AI Bill 2026?

    Under Section 35(3), penalties extend to individual directors and officers. Any director who had knowledge of a corporate offence and failed to exercise due diligence is personally guilty.

    Penalties include fines of up to KES 5 million and/or imprisonment for up to two years, making director-level AI oversight a matter of personal legal risk, not just corporate policy.

    What qualifies as a high-risk AI system in Kenya?

    AI systems deployed in healthcare, education, agriculture, finance, security, and public administration are classified as high-risk. These face the most stringent compliance requirements, including pre-deployment human rights impact assessments, mandatory human-in-the-loop oversight, and ongoing monitoring and record-keeping obligations.

    What is the AI regulatory sandbox in Kenya?

    The AI regulatory sandbox is a controlled testing environment under the Bill allowing startups and innovators to develop and test novel AI systems with formal oversight from the Office of the AI Commissioner. It enables “safe innovation” in real-world conditions while managing risk and ensuring alignment with national development priorities, providing regulatory protection during the development phase.

    How does the Kenya AI Bill compare to the EU AI Act?

    Kenya’s Bill mirrors the EU AI Act’s risk-based, tiered regulatory architecture and explicitly references EU standards, signalling that AI systems built under Kenyan law are “export-ready” for European markets. However, Kenya adds a distinctive “African Layer”: devolved governance, statutory workforce reskilling as a corporate obligation, and digital inclusion as a core mandate. The result is a “Third Way” of AI regulation, rights-protective in structure, yet explicitly developmental in purpose.

    Final Verdict: Trust-as-a-Service

    The Kenya Artificial Intelligence Bill 2026 is a sophisticated, deliberately opinionated piece of legislation. It refuses to treat AI as merely another software update. It treats AI as a societal shift, one that demands a recalibration of the relationship between technology, commerce, and citizenship.

    The workforce reskilling mandates will generate industry pushback. The personal criminal liability of directors will send a chill through boardrooms. The definitional ambiguities will create compliance uncertainty in the near term.

    But the Bill’s animating logic is sound. In a global technology market increasingly wary of algorithmic bias, opaque decision systems, and unchecked AI power, the Bill offers Kenyan businesses a strategic proposition: “Trust-as-a-Service.”

    A “Made in Kenya” seal of approval, backed by this rigorous, rights-based Act, could become East Africa’s most valuable technology export credential. Not a constraint on innovation. A premium attached to it.

    The Silicon Savannah is getting a fence. Our job, as Innovators, lawyers, founders, and operators, is to ensure it functions as a gateway to the global digital economy.

    Not a wall. A gateway.

    Navigate Kenya’s AI Bill 2026 with confidence.

    MN Legal’s LegalTech practice provides end-to-end AI compliance advisory for Kenyan businesses, corporates, and multinationals, from risk triage and workforce assessments to board-level governance frameworks.Speak With Our Team Today →

    Explore more analysis from our team at our legal insights.

    Disclaimer: This article is for informational purposes only and does not constitute legal advice. For specific legal guidance on your situation, please contact our team. © 2026 MN Legal. All rights reserved.

  • AI Vendor Contracts: Key Clauses to Demand in 2026

    AI Vendor Contracts: Key Clauses to Demand in 2026

    A practical guide to negotiating AI vendor terms: data use, training limits, security, audit rights, and liability, without slowing procurement.

    AI adoption is now routine. What is not routine is how most organisations buy AI. Many businesses still procure AI tools like ordinary software: click accept, sign an order form, and move on. In 2026, that approach creates avoidable risk. AI changes the procurement risk surface: data may be reused in unexpected ways, outputs may affect customers and employees, and models can change after signature.

    Practical rule: AI risk starts before the first prompt, inside your contract.

    AI vendor contract negotiation: why contracts are where privacy, security, IP, and liability become enforceable
    Contracts are where privacy, security, IP, and liability become enforceable.

    Contents

    1. What changed in 2026 and why AI contracts matter more
    2. The AI procurement risk map
    3. The 12 clauses to demand
    4. Case example: AI support tool adoption
    5. Common mistakes companies make
    6. 30-minute contract review checklist
    7. 30-day implementation plan
    8. FAQ

    1. What Changed in 2026 and Why AI Vendor Contracts Matter More

    Three shifts make AI contracts materially different from standard SaaS procurement:

    • AI is embedded into core operations. Support, marketing, finance, HR, fraud, and analytics workflows increasingly depend on AI features.
    • Models update continuously. What you buy today can change next month, affecting accuracy, cost, and risk.
    • Evidence expectations have increased. Partners and enterprise customers now ask for vendor terms, security posture, and governance controls as part of due diligence.

    Helpful global references include the NIST AI Risk Management Framework and the NIST Privacy Framework.

    2. The AI Procurement Risk Map: What You Are Really Buying

    Before negotiating clauses, align internally on what the tool actually does. Most procurement surprises happen because teams do not map data and decision pathways before signing.

    AI procurement risk map: inputs, processing, outputs, storage, transfers, third parties, and decision pathways
    Map inputs, processing, outputs, storage, transfers, third parties, and who relies on AI decisions before you sign.

    Questions Your Team Should Answer Before Signing

    • Inputs: What data goes in: customer tickets, IDs, HR data, financial data, call recordings?
    • Outputs: What comes out: recommendations, replies, scores, summaries?
    • Training: Does the vendor train on your content by default?
    • Location: Where is data stored and processed? Are there cross-border processing concerns?
    • Third parties: Which sub-processors or model providers are involved?
    • Change control: Can the vendor materially change the model or terms without notice?

    3. The 12 AI Vendor Contract Clauses to Demand in 2026

    12 essential AI vendor contract clauses for 2026: data use, training, security, sub-processors, audit rights, liability
    A practical clause set that aligns AI procurement with privacy, security, and business risk.

    1) Data Use Restrictions

    Limit processing strictly to service delivery. Avoid broad “business purposes” language that could expose your data to reuse you did not intend.

    2) Training and Improvement: Opt-In, Not Default

    Require an explicit opt-in before your data, prompts, or outputs are used to train or improve models. Without this, your confidential information could become part of a vendor’s training dataset.

    3) Retention, Deletion, and Exit Obligations

    Define retention periods, deletion timelines, and how deletion is confirmed after termination. Ensure you have audit rights to verify compliance.

    4) Confidentiality Covering Prompts, Outputs, and Derived Data

    Prompts can contain trade secrets and personal data. Outputs can create sensitive derivatives. Your contract must cover both explicitly.

    5) Security Controls That Are Specific, Not Vague

    Anchor security to concrete commitments: encryption standards, access controls, logging, and vulnerability management. Demand specifics, not general assurances.

    6) Sub-Processor Controls and Change Notifications

    Get an up-to-date sub-processor list, notice periods for changes, and a right to object where risk is high. Ensure flow-down obligations are in place.

    7) Incident and Breach Notification Timelines

    Define notice timelines and cooperation obligations so you can meet your own regulatory and client requirements after an incident.

    8) Audit Rights and Reporting

    Where full audits are not feasible, require structured alternatives: SOC2 or ISO reports, penetration test summaries, and security questionnaires. You need real visibility, not just promises.

    9) Change Control for Material Model Updates

    Require notice of material changes, transparency on impact, and exit or rollback rights where risk or performance materially changes. The model you signed up for may not be the one you are using next month.

    10) IP and Output Rights

    Clarify your rights to use outputs commercially, address restrictions, and ensure your inputs remain your property. Do not assume ownership without a clear contractual basis.

    11) Warranties and Disclaimers

    For critical use cases, avoid accepting “as-is” terms without meaningful commitments on security, performance, or compliance. Negotiate warranties that match your actual risk profile.

    12) Liability Allocation That Matches Risk

    Liability caps and exclusions should reflect the sensitivity of data processed and the impact of the use case. Consider tailored indemnities where appropriate.

    For broader governance guidance, see the EDPB and UK ICO.

    4. Case Example: SME Adopts an AI Support Tool

    A growing services company implements an AI support assistant integrated into its helpdesk. Staff begin pasting screenshots into the tool to speed up ticket resolution. Those screenshots include customer IDs, account details, and internal notes.

    A customer subsequently complains after receiving a response that reveals information that should not have been shared. No security breach occurred. The business now faces a confidentiality issue, a data protection question about what data was processed and under what terms, and commercial risk as clients begin asking for vendor due diligence evidence.

    The first document everyone opens is the vendor agreement. What it says about data use, retention, training, security, incident notice, and cooperation determines how fast and how effectively the business can respond.

    5. Common Mistakes Companies Make in AI Procurement

    • Shadow procurement. Teams buy AI tools without legal or security review, so risk accumulates unnoticed.
    • No AI use register. The business cannot state what AI tools are in use or what data they process.
    • Assuming terms are non-negotiable. Many vendors negotiate, especially for business plans. Always ask.
    • Ignoring cross-border processing. The tool stack is often global by default, creating transfer obligations that go unaddressed.
    • Relying on staff care alone. Without clear policy, training, and technical restrictions, sensitive data will be entered into external tools.

    6. 30-Minute AI Vendor Contract Review Checklist

    30-minute AI vendor contract review checklist: data use, security, change control, sub-processors, and liability
    Use this checklist to triage AI vendor terms before signature.

    MN Legal supports organisations reviewing and negotiating AI vendor contracts and DPAs, mapping cross-border and vendor risk, drafting AI usage policies and governance frameworks, and advising on incident readiness where AI touches personal or confidential data.

    Make an enquiry  |  Explore Practice Areas

    7. What Businesses Should Do Next: 30-Day Plan

    Week 1: Inventory and Ownership

    • Create an AI use register: tool, owner, purpose, data types, vendor, and risk rating.
    • Flag high-risk uses such as customer decisions, HR screening, and sensitive data processing.

    Week 2: Procurement Controls

    • Set a minimum contract standard covering DPA, security, change control, and incident notice.
    • Define when legal and security sign-off is mandatory before a tool is adopted.

    Week 3: Contract Cleanup

    • Negotiate high-risk vendor terms or implement a contractual addendum.
    • Document cross-border processing and sub-processors for critical tools.

    Week 4: Training and Operational Rules

    • Train teams on what data cannot be entered into external AI tools.
    • Implement a practical escalation process for AI incidents such as harmful outputs or data exposure.

    Frequently Asked Questions

    Are AI vendor terms negotiable?

    Often yes, especially for business and enterprise tiers. Where standard terms apply, use addenda to address data use, security, incident notice, audit rights, and change control.

    Do we need a DPA when buying AI tools?

    If the vendor processes personal data on your behalf, you typically need data processing terms covering purpose, security, sub-processors, international transfers, and deletion obligations.

    What if the vendor changes the AI model after we sign?

    Include a change control clause requiring notice of material changes, transparency on impact, and rights to pause, roll back, or terminate if risk or performance materially changes.

    What is the biggest contractual risk in AI procurement?

    Unrestricted data use including training on your content, unclear retention and deletion obligations, weak incident notification requirements, and liability caps that do not match the sensitivity of data or the use case.

    How can MN Legal help with AI vendor contracts?

    MN Legal helps businesses implement practical procurement controls and defensible vendor terms for AI tools, aligned with privacy, security, and commercial realities. If you are procuring AI tools this quarter, a scoped contract and risk review can prevent expensive rework later.

    Disclaimer: This article is for general information only and does not constitute legal advice. Requirements vary by jurisdiction and specific facts. For advice on your organisation’s situation, contact MN Legal.

  • The Privacy Evidence Pack: What to Build, Measure, and Show in 2026

    The Privacy Evidence Pack: What to Build, Measure, and Show in 2026

    Updated guidance for organisations on building a defensible data protection record: what to document, what to measure, and what to show regulators, partners, and customers.

    In 2026, data protection compliance is no longer judged by what your privacy policy says. It is judged by what you can prove on demand: decisions, controls, logs, contracts, and records. Organisations that cannot produce a credible privacy evidence pack quickly will struggle under regulator questions, enterprise procurement scrutiny, or post-incident review.

    Bottom line: Build a privacy evidence pack that lets you answer due diligence and audit questions fast, without scrambling across email threads and spreadsheets.

    Contents

    1. What a privacy evidence pack is and why it matters in 2026
    2. The 10 privacy artifacts every organisation should have
    3. Cross-border data transfers: document it in 5 steps
    4. AI and privacy: 7 controls for teams using AI tools
    5. How to run privacy as a system: cadence and KPIs
    6. FAQ

    1. What a Privacy Evidence Pack Is and Why It Matters in 2026

    A privacy evidence pack is the set of materials that demonstrate how your organisation manages personal data in practice, not just in policy. It is what makes data protection auditable and defensible internally (board oversight), externally (partners and enterprise customers), and regulator-facing (when questions arise).

    This matters globally because privacy regimes differ in their details but converge on a shared expectation: accountability, transparency, and demonstrable controls. Whether you are subject to Kenya’s Data Protection Act, the GDPR, or equivalent frameworks, the evidence standard is broadly the same.

    2. The 10 Privacy Artifacts Every Organisation Should Have (2026)

    If you want a documentation standard that travels well across jurisdictions, focus on artifacts that satisfy multiple regulatory frameworks simultaneously. These ten items form a practical baseline for any organisation handling personal data.

    Privacy evidence pack checklist 2026: 10 essential data protection artifacts for organisations
    Use this as your internal index: each missing item is a documented gap to close before an audit or due diligence request.

    What “Good” Looks Like Across All 10 Artifacts

    • Owned: each artifact has a named owner and a defined review cadence.
    • Current: updated whenever vendors, products, or data flows change.
    • Provable: you can show records and decisions, not just policy statements.

    3. Cross-Border Data Transfers: Document It in 5 Steps

    Most organisations transfer personal data across borders without recognising it as a transfer. Cloud hosting, CRMs, helpdesks, analytics platforms, marketing tools, and AI vendors can all create cross-border data flows that require documentation and appropriate safeguards.

    Cross-border data transfer documentation framework: five-step approach for privacy compliance
    A practical five-step method to map and document cross-border data flows without overcomplicating the process.

    Practical Tip

    Start with your top ten vendors ranked by data sensitivity and volume. Do not attempt to perfect the entire map at once. Get a defensible baseline documented first, then iterate as you onboard new tools or expand into new markets.

    4. AI and Privacy: 7 Controls for Teams Using AI Tools

    In 2026, many organisations face a data protection risk that did not exist at the same scale a few years ago: everyday data leakage into AI tools through prompts, file uploads, meeting notes, transcripts, and customer tickets. AI adoption also increases vendor complexity and creates new cross-border transfer obligations.

    AI and data protection: seven privacy controls for organisations using AI tools in 2026
    These AI privacy controls are designed to be genuinely adoptable by operational teams and designed to be used, not written and ignored.

    Minimum Documentation for AI Use

    • AI use register: tool name, purpose, owner, data input types, and risk classification.
    • Data entry restrictions: a clear record of what categories of data cannot be entered into external AI tools.
    • Vendor controls: data retention terms, training-use clauses, incident notification obligations, and sub-processor lists.

    5. How to Run Privacy as a System: Cadence and KPIs

    Monthly Review

    • Vendor changes and newly adopted tools, especially AI tools.
    • New processing activities arising from product or service changes.
    • Open data subject rights requests and incident log review.

    Quarterly Review

    • High-risk processing review: DPIAs and PIAs for new or changed activities.
    • Cross-border transfer review for top vendors.
    • Board and leadership privacy report covering risks, incidents, and remediation status.

    KPIs That Are Practical to Track

    • Average time to complete data subject rights requests.
    • Percentage of critical vendors with signed DPAs and documented transfer safeguards.
    • Time-to-triage for incidents and time-to-close for remediation actions.
    • Percentage of teams trained and completion rate of AI-use controls.

    Need This Implemented in Your Organisation?

    MN Legal supports privacy evidence-pack readiness, vendor and cross-border transfer contracting, AI governance controls, and breach readiness so your organisation can demonstrate compliance efficiently when it matters most.

    Make an enquiry  |  Explore Practice Areas

    Key References

    Frequently Asked Questions

    What is a privacy evidence pack?

    A privacy evidence pack is the set of documents, logs, and records that prove how your organisation manages personal data in practice, going beyond policy statements alone. It typically includes your processing register, DPIAs, vendor DPAs, incident log, data subject rights log, retention schedule, and staff training records.

    Does our organisation need a DPIA?

    A DPIA is most valuable when processing is likely to create high risk for individuals. For example, large-scale processing of sensitive data, profiling, automated decision-making, or the use of new technologies. It is also strong evidence that you assessed risks and implemented appropriate controls before processing began.

    How should we handle cross-border data transfers in 2026?

    Map your transfers by system, vendor, and destination country. Identify the legal mechanism and safeguards applicable to each transfer, document your risk assessment, ensure appropriate contractual clauses are in place, and maintain an evidence trail of approvals and periodic reviews.

    What should we do about staff using AI tools with personal data?

    Maintain an AI use register, establish clear restrictions on what data categories may be entered into external tools, implement vendor procurement and contractual controls, require human review for high-impact AI outputs, and keep an audit trail for high-risk use cases.

    What do regulators and procurement teams ask for during due diligence?

    Common requests include your processing register, privacy notices, completed DPIAs, vendor DPAs and transfer documentation, a security measures summary, your incident response plan and incident log, and records of data subject rights requests and staff training completion.

    How can MN Legal help with data protection compliance?

    MN Legal supports privacy programme design and evidence-pack readiness, vendor and cross-border transfer contracting, AI governance controls, and incident readiness so organisations can demonstrate compliance efficiently when facing regulators, partners, or post-incident scrutiny.

    Disclaimer: This article is for general information only and does not constitute legal advice. Requirements vary by jurisdiction and specific facts. For advice on your organisation’s situation, contact MN Legal.

    Download: Privacy Evidence Pack Checklist (2026)

    A one-page index of the 10 artifacts and logs your organisation should be able to produce on demand. Built for international organisations operating across multiple jurisdictions.

    Download PDF Checklist