Worship in the Digital Age Meets Kenyan Law

NAIROBI – The widespread practice of filming and live-streaming church services for online platforms like YouTube and Facebook has placed many Kenyan religious organisations on a collision course with the country's data privacy laws. Under the Data Protection Act (DPA) of 2019, churches, mosques, and other religious bodies are classified as 'data controllers' and are legally obligated to obtain explicit, informed consent from worshippers before their images are captured and broadcast, a requirement many are currently flouting.

Failure to comply with the Act, enforced by the Office of the Data Protection Commissioner (ODPC), can attract severe penalties, including fines of up to KSh 5 million or up to 1% of an organisation's annual turnover. This legal reality check challenges the common assumption that attending a public worship service implies consent to be filmed, a notion legal experts have firmly dismissed.

Consent is More Than Attendance

According to legal analysis, a person's image is considered personal data. The simple act of a congregant walking into a church does not constitute the “express, specific, informed, and unambiguous” consent required by the DPA. Mary Audi, an associate advocate at Muri Mwaniki Thige & Kageni LLP Advocates, speaking to the Daily Nation on November 25, 2025, clarified that worshippers are legally considered 'data subjects' with enforceable rights over their personal data. These rights include knowing how their image will be used, objecting to its processing, and requesting its deletion. The burden of proving consent was lawfully obtained rests entirely on the church.

Furthermore, images of individuals in moments of worship can be classified as 'sensitive personal data' because they can reveal a person's religious beliefs. This category of data is afforded a higher standard of protection under the Act. For children under 18, the law is even stricter, requiring explicit consent from a parent or guardian before their image can be used.

Regulatory Scrutiny and Lack of Awareness

While the ODPC has not yet publicly announced any enforcement action against a religious organisation for this specific violation, it has demonstrated a firm stance on the misuse of personal images. In a press release dated September 26, 2023, the ODPC announced fines against three entities, including KSh 4.55 million for a school that posted minors' pictures without parental consent and KSh 1.85 million for a restaurant that used a patron's image on social media without permission. These actions signal that no sector is exempt from the law's reach.

Despite the clear legal risks, there appears to be a significant awareness gap among religious leaders. Dr. Nelson Makanda, the General Secretary of the Evangelical Alliance of Kenya (EAK), stated in a December 2023 report that churches in Kenya are largely unaware of their full obligations under the DPA and called for more civic education. While supporting the law's intent, he questioned its scope in public gatherings compared to media coverage of events like football matches. The EAK's own strategic documents show an intention to develop policies for data security and management, indicating a growing recognition of the issue.

During a sensitization forum in Kirinyaga County in June 2023, religious leaders were advised that they must register as data controllers and were encouraged to report any misuse of information, even as some requested exemptions from registration fees for smaller congregations.

International Precedent and Practical Solutions

The challenge of balancing faith outreach with privacy rights is not unique to Kenya. In the United Kingdom, which has similar data protection laws (GDPR), the Information Commissioner's Office (ICO) has taken action against religious-affiliated charities for data breaches. In June 2018, the British and Foreign Bible Society was fined £100,000 for failing to protect supporters' personal data, which included inferred religious beliefs.

To avoid such penalties, many international religious bodies have adopted clear and proactive policies. The Church of England, for instance, provides detailed guidelines for its parishes. These include obtaining written consent from anyone who will be identifiably filmed, clearly informing visitors with prominent signage about recording, and, crucially, establishing designated 'film-free zones' within the church where congregants who do not wish to be filmed can sit and worship without concern. Such measures allow for both the continuation of online ministry and the protection of individual privacy rights.

For Kenyan churches, legal experts suggest a similar path of proactive compliance. This includes developing clear data protection policies, training media teams on the law, and implementing a robust consent management process. As online streaming becomes an embedded feature of modern worship, ignoring the legal right to privacy is a risk that religious organisations can no longer afford to take.