The State now wants Kenyans to believe that the sale of government data is harmless because the data will allegedly be “anonymised” and “non-personal.” That is the language being used to soften the blow. The plan, as reported, is to create a State-run marketplace where data collected through platforms such as eCitizen and other government agencies can be packaged and sold to businesses, researchers, non-governmental organisations and innovators. The stated justification is familiar: the government wants to raise revenue, support planning, and make public data useful for development.

But beneath that polished explanation lies a dangerous constitutional question. When a citizen gives information to the State, that citizen is not entering a commercial contract with a data broker. A Kenyan using eCitizen is not donating their life to be mined, cleaned, aggregated, priced and sold. They are complying with the machinery of government because they need a passport, a business name, a birth certificate, a death certificate, a land service, immigration processing, company registration, driving services or access to public administration. That information is given under necessity, not commercial consent.

That is why this proposal must be resisted in court and in the court of public opinion. It is not enough for government to say that names and ID numbers will not be included. The real issue is not only whether a spreadsheet contains a column called “Name” or “ID Number.” The issue is whether data drawn from identity-based public systems can still reveal patterns, locations, demographics, economic behaviour, family events, land activity, migration habits, business formation trends and service demand in ways that can expose citizens, communities, markets and vulnerable groups.

There is no magic wand called anonymisation. Data does not become morally clean merely because a name has been removed. In the modern data economy, re-identification is a real risk. A dataset stripped of obvious identifiers can still be matched with other datasets to reveal the people, households, businesses or communities behind the numbers. Location, age band, transaction timing, service type, region, rare events, land records, business filings and civil registration patterns can become fingerprints. The more detailed the data, the easier it becomes to connect the dots.

This is why the government’s argument is weak. If the data is genuinely anonymous, broad and harmless, why sell it through a controlled marketplace as a valuable revenue product? If it is valuable enough for businesses and foreign-linked entities to buy, then it likely contains insight powerful enough to influence markets, target communities, profile behaviour, predict demand, shape credit decisions, plan campaigns, price services or identify opportunities. That value does not come from thin air. It comes from citizens’ lives.

Kenya must therefore ask a hard question: who gave the State permission to turn compulsory citizen interaction with government into a commercial raw material? Public data can be used for public planning, public research, transparency and service delivery. But commercial sale is a different purpose. A citizen who submitted information to obtain a passport did not consent to their data traces being used later to build a State data marketplace. A business owner who registered a company did not authorise government to turn registration patterns into a private-sector intelligence product. A parent registering a birth did not agree to become part of a monetised civil-registration dataset.

Read Also: Data Governance Across Africa Will Define The Continent’s AI Future

The Constitutional Case Against the Move

The constitutional case begins with Article 31 of the Constitution of Kenya. Article 31 protects the right to privacy, including the right not to have information relating to one’s family or private affairs unnecessarily required or revealed, and the right not to have the privacy of communications infringed. Government cannot defeat that right by clever labelling. If a dataset can expose private affairs, enable profiling, permit re-identification, or reveal sensitive patterns about people and communities, then privacy concerns remain alive.

Article 10 is also implicated. The national values and principles of governance bind every State organ, State officer, public officer and all persons whenever they apply or interpret the Constitution, enact law, or make and implement public policy decisions. These values include the rule of law, democracy, participation of the people, human dignity, human rights, good governance, integrity, transparency and accountability. A data sale policy built in boardrooms without meaningful public participation would be constitutionally suspect from birth.

Article 35 strengthens the case. Every citizen has the right of access to information held by the State. Before the government sells public datasets, Kenyans have a right to know what data is being packaged, which agencies collected it, the original purpose of collection, who will buy it, how prices will be set, how revenue will be accounted for, what safeguards will be used, how re-identification will be prevented, whether foreign entities will access it, and how citizens can object. Without full disclosure, the government is asking Kenyans to trust a system they cannot inspect.

Article 201 also matters because the government is presenting this as a revenue measure. The Constitution demands openness, accountability and public participation in financial matters. If public data is being converted into public revenue, then the process cannot be informal, secretive or hidden behind policy language. The country must know whether Parliament has approved the model, whether the proceeds will go to the Consolidated Fund, whether procurement rules apply to the marketplace, whether private intermediaries will earn commissions, and whether public officers are creating a new rent-seeking pipeline.

Article 232 on values and principles of public service is equally important. Public service must be accountable, transparent, responsive, ethical and must provide the public with timely, accurate information. Selling data collected from citizens while refusing to give citizens clear information on the datasets, safeguards, buyers and revenue structure would be the opposite of accountable public administration.

Why “Anonymised” Is Not Enough

The Data Protection Act and the Data Protection (General) Regulations make the case even stronger. Kenyan data law is built around lawful, fair and transparent processing; purpose limitation; data minimisation; accuracy; security; accountability; and the rights of data subjects. The Regulations expressly require that where personal data is to be used for a new purpose, the new purpose must be compatible with the initial purpose; where it is not compatible, fresh consent is required. Commercialising data collected for public service delivery is not a minor administrative adjustment. It is a new purpose.

The government may argue that because the proposed datasets will be “non-personal,” the Data Protection Act does not apply. That argument should be tested, not swallowed. A label does not determine legality; the structure, source, granularity, use, buyer access, risk of re-identification and safeguards determine risk. If the data begins life as personal data collected through identity-based State systems, the burden should be on government to prove that anonymisation is irreversible, that the data cannot reasonably be linked back to individuals, and that no buyer can combine it with other datasets to re-identify people or profile communities.

This is the heart of the case: anonymisation cannot be a slogan. It must be a technical, legal and constitutional standard. The State must show the methodology used to anonymise the data, the independent audit of that methodology, the residual risk assessment, the categories of data excluded, the rules governing buyer access, the penalties for misuse, the restrictions on onward sharing, the limits on cross-border access, and the remedies available to affected citizens. Without this, “anonymised data” becomes a public-relations mask for mass data extraction.

The Cross-Border and National Security Risk

The danger becomes even more serious where foreign firms or entities outside Kenya may access the data. Kenya’s data-protection framework places restrictions and safeguard requirements on cross-border transfers of personal data. If the government cannot prove that the data is truly outside the personal-data regime, then any transfer or access by foreign entities must meet strict legal safeguards. A country that casually exports citizen-derived intelligence without accountability exposes its people to profiling, discrimination, exploitation and geopolitical vulnerability.

There is also a democratic danger. Data is power. Whoever controls large public datasets can understand a country better than many of its elected leaders. They can know where businesses are forming, where land is changing hands, where people are applying for passports, which regions are registering deaths or births, where demand for services is rising, where economic desperation is visible, and where communities are shifting. In the wrong hands, that information is not just statistics. It is a map of the nation’s nervous system.

Government planning does not require selling citizens’ data. The State already has the power and duty to use lawful, secure, aggregated data internally to improve hospitals, schools, roads, licensing, immigration, land administration and service delivery. Researchers can be supported through properly governed public-interest data access frameworks. Counties can receive dashboards. Parliament can receive reports. The public can receive open statistics. None of this requires turning the citizen into a commodity.

The proposed sale also raises a moral issue. Kenyans already pay taxes. They pay fees on eCitizen. They pay levies, charges, service fees, excise duty, VAT, income tax, land rates, business permits and countless other costs. To then take the data generated from those compulsory interactions and sell it as a new revenue stream is double extraction. First the citizen pays to access government. Then the government profits from the citizen’s trace.

What a Court Case Should Demand

This is why litigation is necessary. A constitutional petition should seek conservatory orders stopping the sale or commercialisation of any eCitizen or State-held citizen-derived datasets until the government publishes the full policy, conducts meaningful public participation, obtains an independent privacy and data-protection impact assessment, demonstrates irreversible anonymisation, discloses revenue and procurement structures, clarifies cross-border safeguards, and obtains proper parliamentary oversight where public revenue and public assets are involved.

The petition should ask the court to declare that citizen-derived data collected for public service delivery cannot be commercialised without a clear legal framework, transparency, necessity, proportionality, public participation, data-protection compliance and enforceable safeguards. It should also ask for orders compelling disclosure of any pilot projects, contracts, memoranda of understanding, buyers, intermediaries, consultants, foreign partners, technical vendors, pricing models and revenue already received from any sale or sharing of such data.

The court should also be invited to find that the State holds citizen data in trust. Government is not the owner of the citizen’s digital life. It is a steward. A steward cannot secretly convert entrusted information into a commodity. Public trust requires loyalty to the people, not opportunistic monetisation. The State cannot say, on one hand, that citizens must digitise everything for efficiency, and on the other hand, treat the resulting data exhaust as a national cash crop.

Parliament must also act. Members of Parliament cannot pretend this is a small technology policy. This is a sovereignty issue, a privacy issue, a public finance issue, a consumer protection issue, a national security issue and a constitutional governance issue. Parliament should summon the Ministry of ICT, the Office of the Data Protection Commissioner, Treasury, eCitizen administrators, the Auditor-General and all relevant agencies to explain the legal basis, safeguards, buyers, revenue expectations and risks.

What Parliament and the Data Commissioner Must Do

The Office of the Data Protection Commissioner must not be silent. This is precisely the kind of moment for which the office exists. It should require a data protection impact assessment, demand technical evidence of anonymisation, clarify whether the datasets fall outside the personal-data regime, publish guidance on State commercialisation of citizen-derived data, and insist on enforceable safeguards before any sale, pilot or marketplace is launched.

Civil society, lawyers, consumer groups, technology experts, digital-rights organisations, business associations and ordinary citizens should treat this as a defining test of Kenya’s digital future. If this passes quietly, the precedent will be enormous. Tomorrow, every government database can be described as “anonymised,” every citizen interaction can become a product, and every public-service platform can become a silent marketplace.

The phrase “non-personal data” should not be allowed to end the debate. It should begin the scrutiny. Kenyans must demand proof, law, consent, safeguards, accountability and remedy. The burden is not on citizens to prove that harm will occur. The burden is on the State to prove that rights will not be violated.

Kenya is not short of ways to raise revenue. The country loses billions through corruption, waste, inflated procurement, tax leakages, stalled projects, debt mismanagement and political extravagance. It is therefore insulting to tell citizens that the next frontier of revenue is the quiet sale of data collected from them under the authority of the State. A government that cannot protect public money should not be trusted to auction public data.

This is not innovation. It is extraction dressed in digital language. It is not planning. It is monetisation of public trust. It is not harmless anonymisation. It is a risky attempt to commercialise the shadows that citizens leave behind when they interact with government. And once those shadows are sold, copied, transferred, combined and analysed, the damage may be impossible to reverse.

The line must be drawn now. Our names may be removed, but our lives may still be visible. Our ID numbers may be deleted, but our patterns may still identify us. Our records may be aggregated, but our communities may still be profiled. Our data may be called non-personal, but its origin is deeply personal because it was born from the daily lives of Kenyans.

The government should be sued. Not because data cannot support development, but because constitutional government must never treat citizens as inventory. Kenya needs data governance that serves the people, not a data bazaar that sells the people. Our data is not a government side hustle. Our privacy is not a budget line. Our digital lives are not for sale.

Reliefs Kenyans Should Seek

• Immediate conservatory orders stopping the sale or commercialisation of eCitizen and other citizen-derived State datasets until the court determines legality.
• Full disclosure of all policies, contracts, pilots, memoranda, buyers, intermediaries, consultants, pricing models and revenue already received or expected.
• A declaration that State-held citizen-derived data is held in public trust and cannot be commercialised without a clear legal framework, public participation and enforceable safeguards.
• An independent data protection impact assessment and technical audit proving that anonymisation is irreversible and that re-identification risk is sufficiently controlled.
• Clear rules on cross-border access, onward sharing, buyer liability, sanctions for misuse and remedies for affected citizens.
• Parliamentary oversight of any revenue model involving public data and direct reporting to the public on how any proceeds are collected and used.

Read Also: The Trust Economy: Why the Data Protection Act Is The New SME Gold Standard