Kenya has recorded another major judicial milestone in the enforcement of digital rights and data protection. The High Court in Nairobi has halted the rollout of the Kenya Broadcasting Corporation’s facial biometric attendance system, ruling that the state broadcaster violated constitutional and statutory safeguards when it introduced the technology without consent, transparency, or a Data Protection Impact Assessment.
The case, Kenya Union of Journalists v. Kenya Broadcasting Corporation, arose from a challenge filed by the Kenya Union of Journalists on behalf of its members employed at KBC. The union argued that the mandatory facial recognition system amounted to unlawful processing of sensitive personal data and exposed staff to high privacy risks.
Court Faults KBC for Ignoring Mandatory Safeguards
In its judgment delivered on November 25, 2025, the Court found that KBC introduced the system in violation of Article 31 of the Constitution and several provisions of the Data Protection Act. Facial templates qualify as sensitive personal data, and the law requires entities to conduct a Data Protection Impact Assessment before deploying high-risk technologies. The Court noted that KBC bypassed this obligation entirely.
The judges also held that the broadcaster failed to provide staff with essential information about how their data would be used, the identity of the service provider behind the system, or the safeguards in place to protect the data. This omission violated Article 35 on the right of access to information as well as statutory obligations on transparency.
The Court further observed that the rollout lacked meaningful public participation and engagement with affected employees. These gaps amounted to breaches of the national values of transparency and good governance under Article 10.
Respondent Concedes. Court Issues Strong Orders
KBC conceded the case in full, confirming that it was in the process of seeking compliance with the Data Protection Act and undertaking a long-overdue Data Protection Impact Assessment. Despite this concession, the Court proceeded to issue substantive declarations and orders, citing significant irregularities and referencing its earlier Worldcoin judgment as a cautionary example of the risks posed by unregulated biometric processing.
Key orders issued include:
- Declarations affirming that KBC violated constitutional privacy rights, the Data Protection Act, and principles of transparency, participation, and public information.
- A Prohibition Order restraining KBC from implementing the facial recognition system unless staff consent is obtained, requisite information is provided, objections are honored, and a compliant DPIA is conducted.
- A Certiorari Order quashing the initial decision to roll out the system.
- A Mandamus Order compelling KBC to delete all biometric data already collected, with supervision from the Data Protection Commissioner.
- A direction for supervised deletion, requiring the Commissioner to oversee and report to the Court on the process.
- No order on costs, with each party directed to bear its own expenses.
The Court fixed January 21, 2026 for a compliance mention, where the Data Protection Commissioner is expected to confirm whether the deletion has been completed.
A Win for Data Rights and a Warning to Public Bodies
The judgment reinforces the growing judicial scrutiny on how public institutions handle personal data and signals a clear message to both government and private actors: biometric processing cannot proceed without robust due diligence, transparency, and respect for data subjects.
It also demonstrates the increasing assertiveness of trade unions and civil society actors in defending digital rights in the workplace. As more employers adopt biometric systems for attendance and access control, the ruling sets a critical precedent for how such technologies must be governed in Kenya.
For data governance professionals, the decision highlights the importance of embedding accountability mechanisms, conducting DPIAs for all high-risk processing, and ensuring that procurement of digital systems complies with both data protection and administrative law requirements.