Kenya’s data regulator intends to tighten control over the vast streams of personal data generated by its transport sector, requiring digital transport companies to keep a live copy of sensitive user information within local data centers while imposing a broad set of rules on how that data is collected, used, and protected.
- The new guidance from the Office of the Data Protection Commissioner (ODPC) places digital transport platforms at the center of the shift, with app-based operators such as Uber and Bolt expected to face the most direct impact because their services depend on continuous data flows between passengers, drivers, and backend systems.
- Public bus companies, matatu SACCOs, freight and logistics firms, aviation services, rail operators, and maritime players must either process personal data on servers located in Kenya or maintain a synchronized local copy that is accessible within the country at all times.
- Transport companies routinely process passenger identities, driver records, trip routes, payment details, and location information generated in real time as the sector continues to become digitized through mobile applications, electronic ticketing, GPS tracking, and integrated payment platforms.
According to the ODPC, ride-hailing and digital transport systems can profile users and drivers, drawing inferences about behavior and movement patterns. They can expose driver information before trips begin, creating opportunities for large-scale data harvesting. Continuous location tracking can also reveal detailed insights into individuals’ routines.
The guidance defines eight lawful bases under which these transport companies may process personal data. Among them are fulfilling a contract with a client, responding to emergency situations, serving the public interest, and historical and scientific research.
Information collected for transport services cannot be repurposed for unrelated activities such as marketing without a valid legal basis or explicit user consent. Where personal data is used for commercial purposes such as sending promotional messages or targeted advertising, firms must obtain express consent, clearly inform users and provide simple, free and accessible opt-out mechanisms.
The ODPC also says the guidelines are needed because of the risk of data breaches arising from weak authentication and system vulnerabilities as transport systems move online. There is also concern about unauthorized sharing of personal data with advertisers, analytics firms or technology partners, alongside the growing use of surveillance tools such as CCTV and dashboard cameras, which can lead to excessive monitoring if not properly governed.
In the event of a data breach, controllers must notify the regulator within 72 hours, while processors must inform controllers within 48 hours. Affected individuals must also be notified where their data has been compromised, and companies are expected to maintain breach registers and document how incidents are handled.
To address these risks, the framework sets out seven core principles that must guide all data handling: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Transport operators are required not only to follow these principles but to demonstrate compliance through documented processes and records.
Transport firms must register with the data regulator as controllers or processors, depending on their activities, and provide information on the types of data they handle, the purposes of processing, and the safeguards in place. They must also appoint a data protection officer with sufficient expertise to oversee compliance and act as a liaison with the regulator.
Operators are also required to document how personal data flows through their systems, from collection to storage, use, sharing, and eventual deletion. This includes identifying data sources, categories of information processed, purposes of use, lawful bases for processing, retention periods and any third parties involved.
The firms must also track cross-border data transfers and ensure appropriate safeguards are in place. Transfers of transport data outside Kenya are permitted only where the destination country provides adequate protection, where appropriate safeguards are in place, or where the transfer is necessary for contractual or legal reasons.
Penalties for non-compliance with these guidelines can reach up to KSh5 million or 1% of annual turnover, or imprisonment of up to two years, while broader offenses may attract penalties of up to 10 years in prison. Individuals affected by data breaches can also seek compensation for financial loss or emotional harm. Additional measures may include suspension of licenses.