Kenya’s newly proposed local data storage regulations will affect every major mobility platform operating in the country and could force Uber, Bolt, and others to rebuild their infrastructure.
New guidance issued by the Office of the Data Protection Commissioner (ODPC) mandates that all transport service providers processing data “for the strategic interest of the state” must maintain serving copies of personal data on servers physically located within Kenya’s borders.
In its proposal, the ODPC is relying on Kenyan law, particularly Section 20(2)(c) of the Computer Misuse and Cybercrimes Act, which designates “the provision of services related to public transportation” as a protected computer system subject to data localization rules.
As such, if the guidance is ratified, the mobility platforms would have to ensure they process personal user data through a server and data center located in Kenya.
They can have a primary server located outside Kenya, but in this case, they must store at least one serving copy of the concerned personal data in a data center located in Kenya.
Real-Time Data Access Required
Using a fictional company, the ODPC states:
“Jamotokaa, a digital transport service provider operating in Kenya, stores its primary database on a cloud server hosted in Spain but maintains a live-serving copy of all personal data relating to Kenyan data subjects, including names, phone numbers, location data, payment information, and trip histories, on a local server on its own premises in Kenya.”
The example specifies that the two copies are continuously synchronized, with the local server handling real-time requests from Kenyan users. The local copy is not merely a backup.
“This dual-storage arrangement means that at any given moment, a complete and current copy of Kenyan user data exists within the country’s borders, accessible without routing requests through foreign jurisdictions or relying on international data retrieval mechanisms,” reads part of the Guidance Note for the transport sector.
Kenya Airways, SGR Affected
While non-Kenyan ride-hailing apps face the most immediate impact, the guidance applies broadly across Kenya’s transport ecosystem.
The ODPC states it covers “public transport providers, private bus and matatu companies, matatu SACCOs, freight and logistics firms, taxi-hailing and ride-hailing platforms, rail operators, aviation service providers, and maritime operators.”
Any transport operator whose data processing involves electronic ticketing, mobile applications, GPS tracking, fleet management systems, and digital payment platforms will be subject to the new requirements.
These operators are already classified as data controllers, processors, or both and must register with the ODPC to avoid fines of up to KES 5 million.
This covers the likes of BuuPass, GoBeba, AfrKonekta, and online booking platforms operated individually by transport operators such as Mash, Kenya Railways, Dreamline, Kenya Airways, and others.
For global technology platforms, the local data storage requirement represents a significant departure from the cloud computing model that has enabled their rapid international expansion. It may also mean added operational costs, which are often passed on to the customer base.
Kenya currently has over 14,900 entities registered as data handlers, with transport companies forming part of the list. The guidance does not specify an enforcement timeline.
At the draft stage, the data commissioner has not outlined what grace period will be provided for compliance. Kenya’s constitution requires public participation, and the public is asked to share its feedback by May 15, 2026.



























