December 2025 saw a whirlwind of events in the health corridors of Kenya. On December 4, Kenya signed a landmark five-year aid deal with the United States: a $2.5 billion Health Cooperation Framework. Under the Framework, the United States plans to support priority health programs in Kenya—including HIV/AIDS, tuberculosis, malaria, maternal and child health, polio eradication, disease surveillance, and infectious disease outbreak response and preparedness—over the next five years. The new health agreements are a welcome relief for African states, which had experienced funding cuts as a result of the dismantling of the US Agency for International Development (USAID) earlier in 2025. These funding cuts disrupted public health services across the world, with Africa hardest hit.

Kenya was the first African country to sign onto President Trump’s America First Global Health Strategy. The US later signed other bilateral health agreements with Rwanda, Liberia, Uganda, Lesotho, Eswatini, Mozambique, Cameroon, Nigeria, Ethiopia, Botswana, Sierra Leone, Madagascar, and Ivory Coast in December 2025. What is unique about these deals is that rather than go through health bodies such as GAVI, the World Health Organization, the African Union, and the Africa Centres for Disease Control and Prevention, the new American strategy is to enter into one-on-one agreements with individual states.

Interestingly enough, two days before the health deal between Kenya and the US was signed, on December 2, 2025, whistleblower Nelson Amenya sounded the alarm on X (@amenya_nelson) about potential data privacy risks and concerns about health-data sovereignty. He posted what appeared to be a sample of the model specimen sharing agreement and highlighted that the agreement would give the US complete access to Kenya’s entire national health database—and further, that the agreement would be construed in accordance with US federal law, not Kenyan law. As you can imagine, Kenyans began asking questions.

This led to a torrent of public statements released in quick succession, with everyone from US Ambassador to Kenya Susan Burns, to Health Cabinet Secretary Aden Duale, to Medical Services Principal Secretary Dr. Ouma Oluga, and even President William Ruto trying to allay fears with a unified message: the health data shared under the agreement would be aggregated and not personally identifiable.

In the midst of all these assurances, Busia Senator Okiya Omtatah and the Consumer Federation of Kenya took the government to court, with key issues of concern being that the deal was signed without public participation, parliamentary approval, or transparency, and that it posed potential data privacy risks. Mind you, when all these discussions were happening, the agreement in question was still not publicly available as required by law. During a public briefing on December 8, 2025, Health Cabinet Secretary Duale announced that the government would soon publish the full documents and table them in Parliament as public records.

However, everything was forced to come to a screeching halt on December 11 and 19, 2025, when the High Court of Kenya ruled to suspend the implementation of the $2.5 billion health aid deal over data privacy concerns until the matter is mentioned on February 12, 2026. The High Court issued conservatory orders barring the agreement in its entirety, pending the hearing and determination of a petition challenging the health agreement. Then on January 11, 2026, Attorney General Dorcas Oduor made an application to the Court of Appeal seeking to stay the conservatory orders issued by the High Court.

Watching all this unfold, you might be wondering what all the hullabaloo is about—and why the privacy of your health data even matters. Every time you visit your local hospital or dispensary for treatment, go to a lab for testing and analysis, or put on a wellness watch, your health information is collected. This personal information about one’s health—including your name, age, sex, occupation, health condition, treatment options, and frequency of hospital visits—is a type of personal data collected for health purposes, referred to as health data.

The digitization of health care systems has made it easier to collect health data at unprecedented capacity and speed. This data is of great value—so much so that it is being touted as the new gold or oil of our times. Information about people is power. It is a game changer not just for governments but also for companies and organizations. Personal data, including health data, when collected and adequately analyzed, helps in understanding people’s habits and needs. Health data can be used by doctors and hospitals to provide better care, track health trends, and catch diseases earlier. It can also drive innovation in new treatment processes and medicines. However, if not adequately regulated or protected, the exposure of health data can put a person at great privacy risk, including identity theft, financial fraud, cyberattacks, loss of anonymity, unauthorized access, profiling, bias and discrimination, leaks, misuse by data collectors or processors, intrusive surveillance, and reputational harm.

As of January 2026, both US-Kenya agreements—the Cooperation Framework and the Data Sharing Agreement—are available on the Ministry of Health website. It is now clear which law will be applicable. The agreement protects Kenya’s sovereignty in Article 2(a) and data ownership in Articles 3(d) and (e). It also establishes Kenya’s governing law supremacy in Article 4(f), which provides that in the event of divergence or conflict between Kenyan and US law, Kenyan law shall prevail.

This is a win for Kenya because the US lacks a comprehensive, cross-sectoral data protection framework comparable to Kenya’s; instead, US policy prioritizes innovation over strict personal data protection. At the basic level of health data protection, Kenya’s legal framework is more exhaustive. It includes the Data Protection Act, 2019; the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (Legal Notice 265 of 2021); the Digital Health Act, 2023; and the Digital Health (Health Information Management Procedures) Regulations, 2025. Additionally, the Kenya Medical Practitioners and Dentists Council requires that all health facilities be certified as Data Handlers or Processors registered with the Data Protection Commission. The health agreement also obligates the US to inform Kenya in the case of any unauthorized access or data breaches within the timelines prescribed by Kenyan law under Article 3(b). Hence, it is plausible to argue that there are adequate safeguards when it comes to protecting health data privacy at the basic level.

However, the agreement is also lacking in a number of ways that pose significant privacy risks. For example, the agreement fails to account for the new data privacy risks enhanced in today’s age of artificial intelligence. It does not recognize the extractive capabilities of AI that can excavate and retain hidden or protected attributes of sensitive information, allowing for use of this data without continuous access to the original datasets. Although the health agreement provides in Article 2(c) that it will handle only aggregated health data of Kenyans—data that is grouped and anonymized to the point where no single person can be identified—there is no mention or acknowledgment that AI has the ability to re-identify individuals. Therefore, although Kenya has a comprehensive data protection law, it does not have AI-specific legislation that regulates derived datasets, which have the ability to collect inferred attributes or synthetic data generated through AI excavation of protected aggregated health data. There is thus a need for the agreement to include provisions that explicitly regulate AI.

Further, the allocation of responsibilities in Article 4 of the agreement is not equally distributed between both states, as Kenya bears a heavier burden when it comes to system maintenance, yet the agreement is mutually beneficial to both parties. Kenya is solely responsible for maintaining data quality, accuracy, and security. The US government has barely any operational obligations. This imbalance is especially concerning in light of data privacy risks associated with AI.

Lastly, it is important to note that data privacy risks enhanced by AI do not apply only to the health deal that Kenya has signed with the US. The risk is also present when data is collected by local entities or organizations in Kenya, which today also use AI to enhance efficiency and service delivery. Therefore, beyond pushing for a health agreement that effectively protects the health data of Kenyans in today’s AI age, Kenyans should also be advocating for a comprehensive law that specifically regulates AI-enabled data privacy risks. This applies not only to Kenya but to the entire African continent, where currently 44 countries have comprehensive data protection laws and 38 have fully operational Data Protection Authorities as of the end of 2025—but no country as yet has a comprehensive law regulating AI.

Dr. Shirley Genga is a Postdoctoral Fellow at the Free State Centre for Human Rights in South Africa. She conducts research on the intersection of artificial intelligence, human rights, and the law. She also researches disability rights.