logo2
Let’s Talk Now

Finance Bill 2025: Does KRA’s Data Access Power Violate Kenya’s Data Protection Act 2019?

Infographic highlighting key sections of the Data Protection Act 2019 potentially violated by proposed KRA powers.
Trendy Tax Topics

June 5, 2025

By Maina Susan – Tax & Finance Writer
Author

Maina Susan is a Tax & Finance Writer at Quartet Solutions, simplifying tax regulations and financial concepts to help businesses stay compliant.

LinkedIn >>

The Kenya Revenue Authority (KRA) is once again under scrutiny following a controversial proposal in the Finance Bill 2025.

 

This proposed legislation, currently undergoing public participation, aims to grant KRA access to personal and business data of taxpayers without a court order.

 

KRA argues that this move is necessary to enhance tax compliance, close existing loopholes, and combat widespread tax evasion. 

 

However, legal analysts, privacy advocates, and data protection experts warn that the amendment directly undermines the Data Protection Act 2019, exposing both individuals and businesses to serious violations of data privacy and financial security.

 

In this article, we explore the key protections enshrined in the Data Protection Act 2019, and explain how the Finance Bill 2025 proposals by KRA violate these rights explicitly and substantially.

 

 Let’s dive in.

 

What Is the Proposed Amendment to the Tax Procedures Act?

The Finance Bill 2025 seeks to amend the Tax Procedures Act (TPA) by deleting Section 59A(1B). 

 

This section currently provides legal safeguards by prohibiting the KRA Commissioner from requiring access to trade secrets or private data held on behalf of customers or collected during business operations.

 

If passed:

  • KRA will have automatic access to personal data including customer information, bank statements, mobile money transactions, and other sensitive financial records.
  • Businesses will be compelled to provide such data without court oversight or due process.

How KRA’s Finance Bill 2025 Proposal Clashes with the Data Protection Act 2019

The proposed amendment may appear as a bold compliance measure, but it directly conflicts with Kenya’s Data Protection Act, 2019 in several significant ways:

 

1. Violation of the Right to Privacy (Section 25)

The Data Protection Act guarantees:

  • Protection from unlawful collection, processing, and storage of personal data
  • Protection against unauthorized access to such data
  • The KRA’s blanket authority to collect private financial information without consent or legal safeguards is a direct violation of this right.

2. No Lawful Basis for Data Processing (Section 30)

Under the Data Protection Act, all data processing must be backed by a lawful basis such as:

  • Informed consent
  • Legal obligation
  • Public interest

N/B: The deletion of Section 59A(1B) removes the existing legal boundaries, enabling automatic, non-consensual access by KRA –  potentially leading to unlawful data processing.

 

3. Breach of Data Minimization and Purpose Limitation (Section 41)

KRA’s proposed access is not only limited to non-compliant taxpayers but to everyone. 

 

This broad, untargeted data sweep:

  • Goes against the principle that data must be adequate, relevant, and limited
  • Opens doors to over-collection and use of data for unintended purposes (a phenomenon known as mission creep)

 

4. Compromising Data Confidentiality and Integrity (Section 43)

The Act mandates robust systems to:

  • Ensure data confidentiality and integrity
  • Prevent unauthorized access or misuse
  • KRA has not outlined how it will securely manage the influx of sensitive data. Without oversight or a clear audit mechanism, the risk of data breaches or abuse increases exponentially.

5. Risk of Mass Surveillance and Profiling

While the goal of increasing tax compliance is legitimate, the scope of access is disproportionate. It may lead to:

  • Mass surveillance
  • Profiling of law-abiding citizens
  • Suppression of financial innovation
  • This overreach conflicts with the Act’s aim of proportionate, fair, and lawful data processing.

Major Opposition from Legal and Industry Stakeholders

The Law Society of Kenya (LSK) and top audit firms like KPMG East Africa have strongly opposed this amendment.

 

They argue that it could cause irreversible damage to Kenya’s data protection ecosystem by enabling unauthorised access to personal and proprietary business information.

 

What Should Be Done?

To align with the Data Protection Act, the proposed amendment must include:

 

1. Judicial oversight

  • Before KRA can access private data, they must obtain authorization through a court order. 
  • This ensures that data access is case-specific, justified, and subject to independent legal review, preventing arbitrary or excessive intrusion into personal or business privacy.

2. Specific limitations on the scope of data access

  • Data access should be narrowly defined and limited to cases involving known or suspected non-compliance. 
  • KRA should not have broad or open-ended rights to collect all customer, financial, or transactional data, as this violates data minimization principles under Section 41 of the Act.

3. Transparent data handling and audit mechanisms

  • KRA must implement clear, public protocols on how taxpayer data will be accessed, stored, and used.
  • Additionally, independent audits and regular disclosures should be conducted to monitor KRA’s compliance with data protection obligations, ensuring accountability and deterring misuse.

Without these safeguards, the amendment is likely to be challenged in court as unconstitutional and unlawful.

 

What’s the Impact of KRA Access to Your Personal Data?

KRA’s plan to access your personal and financial information without your consent or a court order poses a significant risk to your data privacy and financial autonomy. 

 

The Finance Bill 2025 has far-reaching implications for all Kenyan taxpayers.

 

What are your thoughts on this? Share in the comments below.

 

Learn More: Take Advantage of the KRA Tax Amnesty Before 30 June 2025

Did you know the KRA Tax Amnesty Program 2024–2025 offers waivers on penalties and interest for taxes owed up to 31 December 2023?

 

This is a great opportunity for individuals and businesses with outstanding obligations to become compliant without heavy penalties.

 

Deadline to apply: 30th June 2025

 

Read our full guide on the KRA Tax Amnesty 2025

 

Table of Contents:

1. What Is the Proposed Amendment to the Tax Procedures Act?

2. How KRA’s Finance Bill 2025 Proposal Clashes with the Data Protection Act 2019

3. Major Opposition from Legal and Industry Stakeholders

4. What Should Be Done?

5. What’s the Impact of KRA Access to Your Personal Data?

6. Learn More: KRA Tax Amnesty Program 2024–2025

5. Sources

 

Other Posts

We're excited to connect and collaborate with you on innovative strategies that will shape the future of your business.

Let’s Talk
  • +254 710 951 698
  • info@quartet-co.com
  • Woodlands Business park,
    4th floor-Suite 15,
    Kiambere road, Upperhill,
    Nairobi.
logo white

Your Partner in Crafting Effective Strategies for Lasting Success.

© Copyright 2025 Quartet Consulting - All Rights Reserved.