Finance committee urged to strengthen data protection in crypto tax laws
By Faith Lagat, May 29, 2026Finance stakeholders have called on Parliament’s Departmental Committee on Finance and National Planning to strengthen data protection safeguards in the Finance Bill, 2026, particularly in provisions governing cryptocurrency taxation and cross-border information sharing.
The proposals aim to ensure compliance with constitutional privacy rights while aligning Kenya with global tax transparency standards.
Appearing before the committee on May 29, 2026, Mabuti Mutua of Lex Chain Consulting Limited supported Kenya’s adoption of the OECD Crypto-Asset Reporting Framework (CARF) under Clause 38 of the Finance Bill.
The framework would require Virtual Asset Service Providers (VASPs), including crypto exchanges and trading platforms, to submit annual user data reports to the Kenya Revenue Authority (KRA). It also enables Kenya to enter automatic information-sharing agreements with foreign jurisdictions.
Mutua, however, warned that the current provisions could result in the collection and exchange of large volumes of sensitive financial data without adequate legal safeguards. He urged Parliament to explicitly align the framework with Articles 24 and 31 of the Constitution and the Data Protection Act, to ensure protection of privacy rights in digital financial transactions.
“By expressly limiting reporting to information that is necessary, relevant, and proportionate, the amendment gives effect to the data minimisation and purpose limitation principles,” Mutua noted in his presentation.
Proposed safeguards on data handling and privacy
The stakeholder recommended limiting reporting obligations to information that is necessary, relevant, and proportionate, in line with data minimisation and purpose limitation principles.
He further proposed mandatory encryption systems, strict access controls, and comprehensive audit trails within VASPs to prevent unauthorised access, alteration, or destruction of user data.
Under the proposed safeguards, crypto platforms would be required to notify users of the categories of data collected, the purpose of collection, and any intended disclosure to the tax authority. Access to internal systems would be restricted to authorised officers performing official duties, while ensuring transparency in data processing and storage.
Cross-border data sharing and accountability measures
Mutua also raised concerns over Clause 38(6D), which governs the transfer of financial and personal data to foreign jurisdictions. He proposed that the Kenya Revenue Authority be prohibited from sharing data internationally unless the receiving country demonstrates equivalent legal, technical, and organisational safeguards as required under Kenyan law.
He further recommended that KRA maintain detailed audit logs of all international disclosures, including recipient jurisdictions, dates, legal basis, and categories of data shared. This, he said, would enhance accountability and traceability in cross-border tax cooperation.
The Finance Committee is currently reviewing all stakeholder submissions as part of public participation on the Finance Bill, 2026, before tabling its report in the National Assembly for debate.