The Infrastructure Gap: When Data Centers Outpace Data Protection

I've been away from writing for a few weeks working as a CORDA Democracy Fellow at the AI Whistleblower Initiative! Exciting work but wanted to address these recent reports

The Green Web Foundation just released their 2026 State of Green Web Report, examining obstacles to a fossil-free internet. Their focus this year: the rise of “too many dirty data centers s controlled by unaccountable companies.”

Meanwhile, Amnesty International Kenya published Data Protection Guidelines for Kenyan CSOs, helping civil society organizations navigate the country’s 2019 Data Protection Act.

These reports, published continents apart, reveal the same infrastructure gap I documented in my surveillance article: we’re building powerful systems faster than we’re building accountability for them.

The Data Center Problem: Scale Without Accountability

The Green Web Foundation’s findings are stark. Data centers - the physical infrastructure powering AI, cloud computing, and digital surveillance - are multiplying rapidly. Most remain powered by fossil fuels. Most operate under corporate control with minimal public oversight.

This matters for AI governance because data centers ARE AI infrastructure. Every frontier model trained, every surveillance system deployed, every algorithm scaled - it all runs through these facilities.

The pattern I keep seeing:

• Build first, regulate later

• Deploy in communities with least power to resist

• Externalize environmental costs onto local populations

• Operate behind corporate opacity

Sound familiar? It’s the same playbook I documented with surveillance systems testing in African cities before scaling globally.

The Kenya Data Protection Gap: Law Without Enforcement

Kenya passed its Data Protection Act in 2019 - ahead of many countries. The law looks good on paper: consent requirements, cross-border data transfer restrictions, rights for data subjects.

But Amnesty International Kenya felt compelled to publish extensive guidelines because having a law doesn’t mean having protection.

The guidelines reveal gaps between legal framework and practical reality:

Cross-Border Data Transfers: The DPA requires safeguards when personal data leaves Kenya. But when Chinese “safe city” surveillance systems operate in Nairobi (as documented in the Nairobi Corridor report), where does that data actually go? The law exists. Enforcement is another matter.

Data Controller Obligations: CSOs must register as data controllers, conduct impact assessments, ensure lawful processing bases. These are resource-intensive compliance requirements.

Question: If well-meaning civil society organizations struggle to comply, what about tech companies deploying at scale?

Sensitive Data Processing: The DPA defines sensitive data including biometric information. Kenya’s national digital ID system (Maisha Namba/Huduma Namba) collects exactly this data. The legal framework exists. The surveillance infrastructure expanded anyway.

Here’s the pattern connecting these reports:

STEP 1: Build Physical Infrastructure (Data Centers)

• Powered by fossil fuels

• Located where regulation is weakest

• Controlled by unaccountable companies

• Environmental costs externalized to local communities

STEP 2: Deploy Digital Infrastructure (Surveillance, AI Systems)

• Runs through those data centers

• Often in same countries with weak enforcement

• Collects massive amounts of personal data

• Operates behind corporate and government opacity

STEP 3: Pass Data Protection Laws (Kenya DPA 2019)

• Looks good on paper

• Civil society struggles to comply

• Companies deploy anyway

• Gap between law and enforcement

RESULT: Infrastructure outpaces accountability.

Why This Matters for AI Governance

The Green Web Foundation is hosting a free public briefing on May 27, 2026 about their findings. I’ll be there because this isn’t just about climate - it’s about who controls the infrastructure that AI runs on.

The questions we should be asking:

On Data Centers:

• Who decides where data centers get built? (Currently: companies, not communities)

• Who bears environmental costs? (Currently: local populations, especially in Global South)

• Who has visibility into what’s running in these facilities? (Currently: almost no one)

On Data Protection:

• What good is a data protection law if surveillance infrastructure deploys anyway?

• How do we close the gap between legal frameworks and actual enforcement?

• Why are civil society organizations publishing compliance guides five years after a law passes?

On AI Infrastructure:

• Every AI system runs through data centers - who oversees that?

• When AI systems collect biometric data in Kenya, where does it go?

• How do we prevent “deploy first, regulate later” becoming permanent pattern

Resources

Green Web Foundation 2026 Report:

• Full Report

• Free Public Briefing: May 27, 2026

Amnesty Kenya Data Protection Guidelines:

• Full Guidelines PDF

• Covers: Legal framework, controller obligations, cross-border transfers, impact assessments, lawful processing bases

Related Reading:

• My previous piece: “When AI Watches: Surveillance Systems Built on Vulnerable Communities”

• Nairobi Corridor Report: 30 Operations, Zero Accountability