When the Taxman Becomes the Data Collector: KRA’s New Powers Under Finance Bill 2026 and What Founders Must Know
Quick Summary: The Finance Bill 2026, published on 5 May 2026 and tabled before the National Assembly, proposes a new Section 18A into the Tax Procedures Act. The provision empowers the Kenya Revenue Authority Commissioner to issue tax assessments using secondary data including eTIMS records, withholding tax declarations, and whistleblower reports. This creates a direct collision with the Data Protection Act 2019 and raises constitutional questions under Articles 24, 27, 31, and 47 of the Constitution of Kenya. Founders and business operators need to act now.
Every year, Kenya’s Finance Bill arrives with new proposals. Every year, businesses brace. Most founders read the headline changes, note the new rates, and move on. Finance Bill 2026, published on 5 May 2026 and formally tabled before the National Assembly, deserves considerably more attention than that.
Buried within its proposed amendments to the Tax Procedures Act is a provision that fundamentally changes the relationship between the Kenya Revenue Authority, your business data, and the law enacted specifically to protect it.
The provision is proposed Section 18A. It would empower the KRA Commissioner to determine whether a person has entered into or carried out a tax avoidance scheme and to issue tax assessments accordingly, using secondary data. The data sources the Bill authorises are broad: withholding tax declarations, employer tax filings, eTIMS transaction records, whistleblower reports, third-party information, KRA audit findings, and any information obtained under other written laws. KRA would have up to five years to issue assessments arising from such determinations.
This is not a routine tax measure. It is a structural realignment of how the state can access, interpret, and act on your personal and business information, without necessarily asking you first.
The Finance Bill 2026 matters to every founder running transactions through eTIMS, every fintech operator filing withholding tax records, every digital asset platform with user data sitting in third-party systems, and every business operator whose tax position could be assessed by a regulator who has access to data you have never personally disclosed to KRA.
Understanding what the Bill proposes, where it conflicts with existing law, and what you should do right now is not optional. It is operational necessity.
What Section 18A of the Finance Bill 2026 Actually Proposes
The plain-language version of Section 18A is this: the KRA Commissioner gains the power to form a view that you have engaged in a tax avoidance scheme, and to assess your tax liability on that basis, using data that was collected by other parties for other purposes.
The secondary data sources the Bill lists are not hypothetical. They are systems already in operation. eTIMS records reflect every transaction your business has processed through the electronic tax invoice management system. Withholding tax declarations carry financial information filed by your counterparties. Employer tax filings show your payroll obligations. Whistleblower reports can come from anyone. Third-party information can originate from financial institutions, other government agencies, or individuals with no direct relationship to your business. KRA audit findings from entirely separate investigations are included.
The five-year assessment window means that KRA can revisit your tax position for up to five years after identifying a suspected avoidance scheme, using data aggregated across that entire period.
Two parallel provisions compound the picture. The Bill introduces mandatory annual information returns for virtual asset service providers, requiring them to file detailed user and transaction data with KRA. It also proposes expanded royalty definitions that capture digital payment platforms, card schemes, and switching systems, widening the net of entities under heightened reporting obligations.
The government frames all of this as modernising Kenya’s tax administration, aligning with global digital enforcement trends, and closing longstanding revenue leakages. That framing is not entirely without foundation. But the mechanism chosen to achieve those objectives raises serious legal questions that no founder operating in Kenya should ignore.
| Data Source | Original Purpose | Proposed New Use Under Section 18A |
|---|---|---|
| eTIMS transaction records | Invoice compliance and VAT tracking | Evidence of tax avoidance schemes |
| Withholding tax declarations | Third-party tax deduction reporting | Secondary data for income assessments |
| Employer tax filings | PAYE and payroll compliance | Cross-referencing business income positions |
| Whistleblower reports | Voluntary information from informants | Evidentiary basis for avoidance determination |
| Third-party information | Various, including financial institutions | Supporting data for assessments |
| KRA audit findings | Conclusions from separate audit processes | Cross-use in new avoidance determinations |
Not sure how these provisions affect your specific business? Speak with MNL’s compliance team.
Where Finance Bill 2026 Collides with Kenya’s Data Protection Framework
Kenya’s Data Protection Act 2019 is not aspirational. It is operational, enforceable, and backed by the Office of the Data Protection Commissioner, which has demonstrated a willingness to act. The Act gives effect to Articles 31(c) and 31(d) of the Constitution. It applies to every entity that collects and processes personal data, including financial data, and it applies to government bodies as much as it applies to private ones.
The proposed KRA framework under Section 18A cuts against four of the DPA’s core principles.
Purpose Limitation
Data collected for one purpose cannot be repurposed for another without a fresh lawful basis. When a supplier’s withholding tax data, visible on iTax for payroll compliance purposes, is used to compute an entirely separate tax liability under a suspected avoidance scheme, the purpose for which that data was originally collected has been exceeded. The DPA does not permit this without explicit authority and proportionality.
Transparency
Data subjects have the right to know who is accessing their information and why. When whistleblower reports, whose sources a taxpayer may never be permitted to know, form the evidentiary basis of a tax assessment, the transparency requirement has been circumvented. The taxpayer has no visibility into the origin, accuracy, or context of the information driving the assessment against them.
Automated Processing and Profiling
The DPA provides that individuals have the right not to be subjected to decisions made solely through automated processing, including profiling. When eTIMS transaction records are fed into KRA’s digital systems to profile business behaviour and generate assessments, this prohibition is directly engaged. KRA has not published the technical architecture of how these assessments will be generated. The absence of that disclosure is itself a transparency problem.
Data Accuracy
As EY Associate Director Rachel Njuguna noted in published commentary on the Bill, the risk is concrete: data held by third parties may not accurately reflect a taxpayer’s actual tax position. The proposed framework offers no mechanism for a taxpayer to verify or challenge the accuracy of the source data before an assessment is issued. The burden of disproving an assessment derived from potentially inaccurate data falls on the taxpayer after the fact.
| KRA Proposed Power | Conflicting DPA 2019 Protection |
|---|---|
| Use eTIMS data to determine tax avoidance | Purpose limitation: data must be used only for the purpose collected |
| Use whistleblower reports without source disclosure | Transparency: data subjects must know who accesses their data and why |
| Profile business behaviour through transaction data | Right not to be subject to automated processing with legal effects |
| Issue assessments before taxpayer can review source data | Right to challenge inaccurate personal data before legal consequences arise |
| Proposed KRA exemption from DPA accuracy obligations | DPA requires all data controllers to maintain accurate, current data |
The Constitutional Dimension
Kenya’s Constitution is explicit. Article 31 guarantees every person the right to privacy, including the right not to have information relating to their family or private affairs unnecessarily required or revealed. Any law that limits this right must satisfy Article 24, which requires that the limitation be reasonable and justifiable in an open and democratic society, and that it be proportionate to the objective being pursued.
Civil society organisations, including Amnesty International Kenya and ARTICLE 19 Eastern Africa, have assessed the proposed expansion of KRA’s data powers directly. Their conclusion is unequivocal: the provision does not meet the Article 24 threshold. The limitation goes beyond what is necessary to achieve the stated objective of closing tax revenue leakages. Less intrusive enforcement mechanisms already exist and are in active use.
The due process concern is compounded by the proposed exemption of KRA from certain DPA accountability obligations. If the Bill is enacted as drafted, KRA would face reduced obligations to ensure that the data it uses is accurate, to maintain clear data retention policies, and to give taxpayers meaningful visibility into how their information is being used. For a framework that will determine tax liabilities, with direct legal and financial consequences for individuals and businesses, that is a significant gap.
Article 47, the right to fair administrative action, reinforces the concern. Where an administrative decision is likely to adversely affect a person, that person is entitled to written reasons and an opportunity to be heard. An assessment issued on the basis of third-party secondary data, without prior disclosure of that data to the taxpayer, raises serious questions about compliance with Article 47 obligations.
This Pattern Is Not New
Finance Bill 2026 is not the first time this boundary has been tested, and understanding the pattern matters for how you position your business going forward.
Finance Bill 2025 contained a provision seeking to repeal Section 59A(1B) of the Tax Procedures Act, a statutory safeguard that then prohibited KRA from compelling taxpayers to disclose personal data or trade secrets obtained during business operations. That proposal drew fierce opposition from the Law Society of Kenya, KPMG East Africa, and Ernst and Young. KRA’s Commissioner General subsequently committed, before the Departmental Committee on Finance and Economic Planning, to work with the Office of the Data Protection Commissioner on a Data Minimisation Strategy under the 9th Corporate Plan.
Finance Bill 2026 returns to the same contested territory. The mechanism is different but the practical effect is the same: expanding KRA’s reach to data that the existing legal framework was not designed to accommodate without additional safeguards.
The policy direction is now clear across successive Finance Bills. Kenya is moving toward a data-driven tax enforcement model. Whether Parliament enacts or moderates these specific provisions, the trajectory will not reverse. Businesses need to be positioned for a compliance environment where the state has broader access to financial data than it has had at any previous point, where assessments can be generated from aggregated secondary sources, and where the burden of proving inaccuracy may rest with the taxpayer.
Preparation now costs far less than litigation later. That is not a theoretical observation. It is the consistent finding of every business that has waited for enforcement pressure before addressing its compliance posture.
Five Things Founders and Business Operators Should Do Right Now
This is about operational readiness, not legal panic. The Bill has not passed. You have time to act intelligently. Here is where to start.
1. Audit Your Digital Data Footprint
Every transaction processed through eTIMS, every withholding tax record filed against your PIN, and every employer filing associated with your payroll is already visible within KRA’s digital systems. Under the proposed framework, this data can be aggregated, cross-referenced, and used to assess your tax position without a prior audit flag. Accuracy in your digital records is no longer merely good practice. It is your first line of defence. Reconcile your eTIMS records against your own books now, before any assessment process begins.
2. Know Your Rights as a Data Subject
Even before these amendments are enacted, the Data Protection Act 2019 gives you rights that apply today. You can request to know what personal data KRA holds on you. You can challenge inaccuracies in that data. You have the right to be informed about automated processing that produces legal effects. These rights exist under current law, and exercising them proactively creates a documented record that is valuable if an assessment dispute arises. Understand your Data Protection Act 2019 obligations and the corresponding rights they give you.
3. Engage the Public Participation Process
Finance Bill 2026 is at the public participation stage before the National Assembly. This is a formal legal opportunity to submit memoranda, appear before the committee, or support industry associations presenting evidence-based objections. Bowmans and other firms have already made public submissions on specific provisions. The window is open. Founders with direct knowledge of how data-driven tax assessments would affect their operating models have information the committee needs and does not yet have from affected parties at scale.
4. Assess Your Obligations If You Operate in Fintech or Digital Assets
Virtual asset service providers and digital payment platforms face the most immediate and specific new obligations under the Bill. If your business falls within those categories, the question of what data you will be required to file, when, and under what governance framework requires legal advice now, before enactment. The fintech reporting compliance Kenya landscape is changing materially with this Bill, and the obligations are not minor.
5. Document Your Internal Data Governance
If your data is going to be used in an assessment against you, the best protection is records that speak for themselves. Clear internal policies on data retention, transaction documentation, and reconciliation processes that can withstand external scrutiny are not just compliance infrastructure. They are your evidentiary foundation in any dispute. Building strong corporate data governance in Kenya now converts a future risk into a managed position.
Not sure how Finance Bill 2026 affects your specific business model? Our Team can walk you through the risk exposure and what documentation you need in place before this Bill passes. Book a compliance review with MNL.
The Window to Act Is Open
Finance Bill 2026 does not exist in a regulatory vacuum. Kenya has a Data Protection Act. It has a functioning Office of the Data Protection Commissioner. It has a Constitution with an enforceable bill of rights. None of these are suspended by a Finance Bill.
The legal question Parliament must answer before enacting Section 18A is not whether tax enforcement matters. It plainly does. The question is whether this particular mechanism, with its current absence of taxpayer safeguards, data accuracy obligations, and transparency requirements, is the proportionate and lawful means of achieving that objective.
For businesses, the practical question is narrower but no less urgent: are you operationally prepared for a tax environment where secondary data can drive assessments, where the burden of proving inaccuracy may fall on you, and where the data generating those assessments may be held by parties you have never directly dealt with?
The Bill is before the National Assembly. The public participation window is open. Your records are either accurate and documented or they are not. Your data rights are either understood and exercised or they are not. The cost of getting ahead of this is low. The cost of responding to an assessment after the fact is not.
Ready to understand exactly how Finance Bill 2026 affects your business?
MNL Advocates LLP advises clients across fintech, technology, and commercial law on regulatory compliance, data protection, and tax matters in Kenya and across East Africa.
Initiate a Confidential Consultation with MNL.
Frequently Asked Questions: Finance Bill 2026 and KRA Data Powers
What does Section 18A of the Finance Bill 2026 allow KRA to do?
Section 18A proposes to empower the Kenya Revenue Authority Commissioner to determine whether a person has entered into or carried out a tax avoidance scheme and to issue tax assessments accordingly using secondary data. The authorised sources include withholding tax declarations, employer tax filings, eTIMS transaction records, whistleblower reports, third-party information, KRA audit findings, and information obtained under other written laws. KRA would have up to five years to issue assessments arising from such
