Kenya Recording Laws: Privacy Rules and Penalties (2026)

Overview of Recording Laws in Kenya

Kenya does not have a single, dedicated wiretapping or recording consent statute like those found in many Western countries. There is no formal "one-party consent" or "two-party consent" framework written into Kenyan law. Instead, the legality of recording conversations, phone calls, and video in Kenya is governed by a patchwork of constitutional provisions, cybercrime legislation, and data protection rules.

The primary legal sources that affect recording in Kenya include:

• The Constitution of Kenya (2010), particularly Article 31 on the right to privacy
• The Computer Misuse and Cybercrimes Act (CMCA), No. 5 of 2018, which criminalizes unauthorized interception of electronic communications
• The Data Protection Act (DPA), No. 24 of 2019, which regulates the collection and processing of personal data
• The Kenya Information and Communications Act (KICA), Chapter 411A, which governs telecommunications interception
• The National Intelligence Service Act, No. 28 of 2012, which authorizes state surveillance under judicial oversight

Because Kenya lacks a clear recording consent law, individuals and businesses must rely on these overlapping statutes. The result is a legal landscape where the purpose and context of a recording often matter more than the act of recording itself.

Constitutional Right to Privacy Under Article 31

The foundation of recording law in Kenya is Article 31 of the Constitution of Kenya. This provision establishes that every person has the right to privacy, which includes the right not to have:

• Their person, home, or property searched
• Their possessions seized
• Information relating to their family or private affairs unnecessarily required or revealed
• The privacy of their communications infringed

Subsections (c) and (d) are the most relevant to recording. They protect individuals from having their private communications intercepted or their personal information disclosed without authorization. Any recording that captures private conversations or personal information could potentially violate these constitutional guarantees.

Article 31 applies broadly. It covers phone calls, in-person conversations, digital messages, and any other form of private communication. However, the Constitution does not define specific penalties for privacy violations. Instead, individuals whose privacy rights are violated may seek remedies through the courts, including injunctions and damages.

The right to privacy under Article 31 is not absolute. Article 24 of the Constitution permits limitations on fundamental rights, provided those limitations are reasonable and justifiable in an open and democratic society. This means recordings may be lawful when they serve a legitimate purpose, such as preventing crime or protecting public safety.

The Computer Misuse and Cybercrimes Act 2018

The Computer Misuse and Cybercrimes Act (CMCA) is the most relevant criminal statute for unauthorized electronic recording and interception in Kenya. Enacted on May 30, 2018, the CMCA addresses offences related to computer systems and electronic communications.

Section 17: Unauthorized Interception

Section 17 of the CMCA makes it a criminal offence to intentionally and without authorization intercept, or cause to be intercepted, the transmission of data to or from a computer system over a telecommunications system. The Act defines "interception" broadly to include monitoring, modifying, viewing, or recording non-public transmissions of data over telecommunications systems.

Penalties for unauthorized interception under Section 17:

Offence	Fine	Imprisonment
Unauthorized interception	Up to KES 10 million (approx. USD 77,000)	Up to 5 years
Interception threatening public safety	Up to KES 20 million (approx. USD 154,000)	Up to 10 years

These penalties apply to the interception of electronic communications, including phone calls conducted over telecommunications networks, email transmissions, and other digital communications. The key element is that the interception must be "without authorization," meaning that authorized law enforcement interception under a valid court order is exempt.

Other Relevant CMCA Provisions

Section 37 of the CMCA addresses the wrongful distribution of obscene or intimate images. Recording and distributing intimate content without consent carries separate criminal liability. Section 38 covers the fraudulent use of electronic data. Both provisions can apply to scenarios involving unauthorized recording and dissemination of private content.

The Data Protection Act 2019

The Data Protection Act (DPA), No. 24 of 2019 is Kenya's comprehensive data privacy law. It gives effect to Articles 31(c) and 31(d) of the Constitution and establishes the Office of the Data Protection Commissioner (ODPC) as the regulatory authority.

How the DPA Applies to Recording

The DPA defines "processing" broadly to include the collection, recording, organization, storage, retrieval, use, disclosure, dissemination, and destruction of data. Audio recordings, video recordings, photographs, and CCTV footage all constitute personal data under this definition, because they contain information that can identify individuals.

Under the DPA, data controllers and processors must comply with several key principles when recording:

• Consent: Personal data may not be processed without the consent of the data subject. It is the responsibility of the data controller or processor to prove that consent for a specific purpose was granted.
• Purpose limitation: Data must be collected for a specified, explicit, and legitimate purpose and not further processed in a manner incompatible with that purpose.
• Data minimization: Data collected must be adequate, relevant, and limited to what is necessary for the stated purpose.
• Transparency: Data subjects must be informed about the collection and use of their data.

DPA Penalties

The DPA imposes significant penalties for non-compliance:

Type of Penalty	Amount
General criminal penalty	Fine up to KES 3 million or imprisonment up to 10 years, or both
Administrative fine (ODPC)	Up to KES 5 million or 1% of annual turnover, whichever is lower
Obstruction of Data Commissioner	Fine up to KES 5 million or imprisonment up to 2 years, or both

These penalties apply to any person or organization that processes personal data, including recordings, in violation of the Act. Businesses that operate CCTV systems, call recording systems, or other surveillance technology must ensure full DPA compliance.

Participant Recording and Court Admissibility

One of the most practical questions about recording in Kenya is whether a person who participates in a conversation can legally record it and later use that recording as evidence in court. Kenyan courts have addressed this issue in several cases.

The General Rule

Kenyan courts generally treat secret recordings as potentially illegally obtained evidence because they are made without the knowledge and express consent of all parties involved. However, courts have drawn an important distinction between third-party surveillance and participant recording.

A recording made by someone who was present during the conversation and participated in it is generally admissible in evidence. Courts reason that a participant already has direct knowledge of the conversation, and the recording merely preserves what they would otherwise testify about from memory.

Key Court Decisions

In Mbugua v Echo Network Africa (Employment and Labour Relations Petition E064 of 2022, decided February 23, 2024), the court examined whether an employer could use a secretly recorded phone conversation to justify terminating an employee. The court held that private communications are confidential and require express consent from the owner. Because the employer failed to show how it obtained the recording and did not have the employee's consent, the court found a violation of the right to privacy.

The Balancing Test Under Article 50(4)

Article 50(4) of the Constitution creates a balancing test that allows courts to admit otherwise illegally obtained evidence if its relevance and impact on justice outweigh privacy concerns. This means that even recordings made without consent may be admitted if the court determines that:

• The evidence is highly relevant to the case
• Excluding it would cause a greater injustice than admitting it
• The recording was not obtained through extreme or abusive means

This balancing approach makes the admissibility of recordings in Kenya highly contextual. The outcome depends on the specific facts, the type of case, and the court's assessment of competing interests.

Workplace Recording and CCTV Surveillance

Employers in Kenya who wish to record employees or install surveillance systems must comply with both the Data Protection Act and constitutional privacy protections.

CCTV in the Workplace

The use of CCTV cameras in Kenyan workplaces is lawful, but only if it meets the requirements of the Data Protection Act 2019. Employers must:

• Identify a lawful basis for processing under the DPA before installing cameras
• Post clear CCTV signage that includes the identity of the company (as data controller), contact information for the data protection officer (if applicable), the purpose of the surveillance, and information about data subject rights
• Limit surveillance to what is "adequate, relevant, and limited to what is necessary" for the stated purpose
• Develop a comprehensive CCTV Data Protection Policy
• Conduct a Data Protection Impact Assessment for extensive surveillance systems

Audio Recording in the Workplace

Audio surveillance in the workplace raises heightened privacy concerns compared to video-only CCTV. Recording employee conversations without their knowledge or consent is likely to violate both the DPA and the constitutional right to privacy under Article 31. Employers who wish to record calls for quality assurance or training purposes should obtain explicit consent from employees and inform all callers that the call is being recorded.

Penalties for Employer Non-Compliance

Employers who violate the DPA through unauthorized surveillance face administrative fines of up to KES 5 million or 1% of annual turnover, whichever is lower. Additionally, affected employees may bring civil claims for violation of their constitutional privacy rights.

Recording in Public Spaces

The rules for recording in public places in Kenya differ from those governing private conversations.

Photography and Filming

The Photography and Film Regulations, 2019 require photographers and filmmakers to obtain permits before taking photographs or filming in public spaces, including streets, parks, and beaches. This requirement applies primarily to commercial photography and organized filming rather than casual personal use.

The Official Secrets Act, Cap 187 prohibits photographing or sketching military installations, government buildings, and other designated sensitive areas. Violations of this provision can result in criminal prosecution.

CCTV in Public Areas

Businesses and property owners who install CCTV cameras that capture public areas must comply with the Data Protection Act. The household exemption under the DPA applies only when cameras are installed in a fixed position, do not point toward neighboring property, do not capture a neighbor's residence, and do not monitor movements into or out of another person's home. Once surveillance extends beyond these boundaries, full DPA compliance is required.

Government Surveillance and Lawful Interception

Kenya has several legal frameworks that authorize government agencies to intercept communications under specific conditions.

National Intelligence Service Act 2012

The National Intelligence Service (NIS) Act, No. 28 of 2012 allows the Director-General of the NIS to monitor or interfere with the privacy of a person's communications. Under Section 42, the Director-General may apply ex parte to a High Court judge for a surveillance warrant when there are reasonable grounds to believe the warrant is necessary for national security purposes.

Article 36 of the NIS Act explicitly states that the right to privacy under Article 31 of the Constitution may be limited for a person suspected of committing an offence, to the extent that their communications may be investigated, monitored, or otherwise interfered with.

Prevention of Terrorism Act 2012

The Prevention of Terrorism Act grants additional interception powers for counter-terrorism purposes. A police officer of or above the rank of Chief Inspector may apply ex parte to a Chief Magistrate or the High Court for an interception order. The officer must first obtain written consent from the Inspector-General of Police or the Director of Public Prosecutions.

Under Section 36 of this Act, unauthorized interception of communications is punishable by imprisonment of up to 10 years or a fine of up to KES 5 million, or both.

Kenya Information and Communications Act

Section 31 of the Kenya Information and Communications Act (KICA) makes it an offence for a licensed telecommunications operator to intercept subscriber messages, disclose message contents, or reveal subscriber account details outside the course of business. Violations carry a fine of up to KES 300,000 or imprisonment of up to three years, or both.

Business Compliance Checklist

Organizations operating in Kenya that record calls, use CCTV, or collect audio or video data should take the following steps to comply with Kenyan law:

1. Register with the ODPC: Data controllers and processors who handle personal data (including recordings) should register with the Office of the Data Protection Commissioner.

2. Obtain consent: Before recording any conversation, phone call, or meeting, obtain clear, informed consent from all participants. Document this consent.

3. Post notices: For CCTV and other continuous recording systems, post visible notices that identify the data controller, explain the purpose of recording, and inform individuals of their rights.

4. Limit data collection: Record only what is necessary for the stated purpose. Avoid recording in areas where individuals have a heightened expectation of privacy (restrooms, break rooms, changing areas).

5. Conduct impact assessments: For extensive surveillance systems, conduct a Data Protection Impact Assessment as required by the DPA.

6. Establish retention policies: Define how long recordings will be stored and when they will be deleted. The DPA requires that personal data not be kept longer than necessary.

7. Secure recordings: Implement appropriate technical and organizational measures to protect recorded data from unauthorized access, disclosure, or destruction.

8. Train employees: Ensure staff understand recording policies, consent requirements, and the consequences of unauthorized recording.

Penalties Summary

The following table summarizes the key penalties for recording-related violations in Kenya:

Law	Offence	Fine	Imprisonment
CMCA 2018, Section 17	Unauthorized interception	Up to KES 10 million	Up to 5 years
CMCA 2018, Section 17(2)	Interception threatening public safety	Up to KES 20 million	Up to 10 years
DPA 2019	General data protection offence	Up to KES 3 million	Up to 10 years
DPA 2019	Administrative fine	Up to KES 5 million or 1% turnover	N/A
KICA, Section 31	Telecom operator interception	Up to KES 300,000	Up to 3 years
Prevention of Terrorism Act	Unauthorized interception	Up to KES 5 million	Up to 10 years