Europe's AI Governance Gaps Are Glaring: What the EU Can Learn from Kenya's Data Protection Journey

The GDPR, now seven years old, is widely regarded as the global benchmark for data protection. Kenya's 2019 Act was explicitly modelled on it, and by most assessments it has served the country well. But GDPR's architects did not anticipate the scale or sophistication of AI-driven data processing that now characterises both developed and emerging digital economies. The EU AI Act attempts to fill that gap, but its risk-based tiering system, phased implementation schedule, and reliance on national competent authorities create exactly the kind of fragmented oversight that Kenya's critics identify at home.

Digital Inclusion: The Uncomfortable Variable

Kenya counts 23.4 million internet users, representing 40.5% of its population, with social media adoption growing at 34.6% year on year. Yet significant urban-rural divides persist, with cost barriers, device affordability, and digital literacy gaps excluding the most vulnerable from the benefits of an expanding digital economy. The European parallel is not as flattering as Brussels would like to admit. Eurostat data consistently shows that digital exclusion in rural Romania, southern Italy, and parts of eastern Germany remains stubbornly high. Universal connectivity targets under the EU's Digital Decade policy programme are still aspirational in large parts of the bloc.

The point is not to suggest equivalence between Kenya's infrastructure challenges and Europe's. It is to argue that the structural logic, inequality of access reproducing inequality of outcome, is identical. AI systems trained on data skewed towards urban, connected, higher-income populations will perform poorly, and sometimes dangerously, for everyone else. That is a lesson European AI developers and procurers need to internalise, not just acknowledge in a footnote.

What European Policymakers Should Take Seriously

Professor Virginia Dignum of Umea University, one of Europe's most cited AI ethics researchers and a former member of the European Commission's High-Level Expert Group on AI, has long argued that governance frameworks must be built around accountability structures, not just prohibited use cases. Kenya's situation illustrates why: without clear algorithmic auditing requirements, transparency obligations for public sector AI procurement, and mandatory human oversight provisions, even well-intentioned legislation fails to produce trustworthy systems in practice.

The UK's AI Safety Institute, established in late 2023 and now rebranded as the AI Security Institute under the current government, has taken a more empirical approach, publishing technical evaluations of frontier models rather than waiting for comprehensive legislation. That model has merit. But it is not a substitute for enforceable rules with real penalties. The ICO's recent guidance on generative AI and data protection is a step forward, but guidance is not enforcement.

Kenya's experience points to five areas that European institutions would do well to prioritise:

• Algorithmic auditing requirements for AI systems processing personal data at scale, with results published and independently verified.
• Public sector AI procurement standards that mandate transparency, explainability, and defined human oversight at every stage of deployment.
• Digital literacy programmes integrated into national curricula and adult education, treating AI literacy as a civic competence, not a technical specialism.
• Cross-sector stakeholder governance that includes civil society and academic voices alongside industry, not as a box-ticking exercise but as a structural check on regulatory capture.
• Regulatory capacity investment inside data protection and AI oversight bodies, because rules without trained enforcers are theatre.

The Governance Gap Is a Shared Problem

Kenya's trajectory from strong data protection law to incomplete AI governance is not a failure of ambition. It is a failure of sequencing and resourcing that many jurisdictions, including several EU member states, are quietly replicating. The country's internet freedom score of 78 out of 100 reflects a genuinely open digital environment, but critics of the Computer Misuse and Cybercrimes Act of 2018 continue to raise legitimate concerns about its potential chilling effect on press freedom and civil society. Europe has its own version of this tension: member state surveillance laws that sit awkwardly alongside Charter of Fundamental Rights protections, and platform regulation that risks being weaponised against legitimate journalism.

The broader lesson is structural. Good data protection law is necessary but not sufficient. AI governance requires a distinct regulatory architecture, purpose-built for the speed, opacity, and systemic risk of algorithmic decision-making. Kenya is working out how to build that architecture in real time, with limited resources and significant external pressure. European institutions have more resources and more time. Whether they use that advantage well is a political choice, not a technical inevitability.

The question for EU and UK policymakers is not whether they can learn from Kenya's experience. Clearly they can. The question is whether they will act on those lessons before their own governance gaps become as visible, and as consequential, as the ones now playing out in Nairobi.