Kenya: The Computer Misuse and Cybercrimes Act

​published on November 26, 2018 / Reading time approx. 7 minutes

    

   

The Computer and Cybercrimes Bill (the "Bill") has been the subject of much public debate given the perceived impact it would have on Kenyan's use of the internet, the freedom of the press and civil society groups ability to engage in political activism through social media.  

 

  

ICT professionals, bloggers, journalists and civil society came out strongly during the Bill's public participation phase to share their concerns about provisions they claim infringed on their constitutional rights and freedoms as well as to suggest constructive amendments such as the inclusion of offences such as cyber-squatting and phishing that were not part of the Bill of the time.

 

The National Assembly made various amendments to the Bill following the close of the round of public participation and consideration of proposals for amendments by the relevant departmental committees and the members of parliament in general. The Bill was passed and later assented into law as the Computer Misuse and Cybercrimes Act (the "Act") by the president of Kenya on the 16th of May, 2018.

 

Since its assent, a petition has been filed in the High Court challenging the constitutionality and legality of some of the provisions of the Act. The petition is yet to be heard and determined however the High Court issued conservatory orders suspending the coming into force of twenty-six provisions of the Act.

In this article we will highlight some of the amendments made to the Bill by the National Assembly as an update to our last article on this subject titled 'The Computer And Cybercrimes Bill of 2017'. We will also briefly touch on the constitutional petition against the Act.

 

Amendments to the bill

Name of the Statute

The Bill was named the Computer and Cybercrimes Bill. This was amended and as passed it is now known as the Computer Misuse and Cybercrimes Act.

 

Objects of Act and Protection of Constitutional Rights and Freedoms

The National Assembly to its credit made several amendments to the Act in general to provide for the primacy of constitutional rights and freedoms.

 

One example is the inclusion as an object of the Act the protection of the constitutional right to privacy, freedom of expression and access to information. This was intended to address concerns that several provisions of the Bill (at the time) threatened to violate these constitutional rights. Many of those controversial provisions nonetheless made it to the final statute and are subject of the constitutional petition.

 

National Computer and Cybercrimes Coordination Committee ("NCCCC")

The amendments also saw the introduction of the National Computer and Cybercrimes Coordination Committee whose mandate includes advising and coordinating national security organs on matters relating to computer and cybercrimes; coordinating the collection and analysis of cyber-threats and responses to cyber incidents that threaten Kenya's cyber space;  receiving and acting on reports related to computer and cybercrimes; advising the national government on critical and emerging technology such as mobile money and block chain technology; establishing codes and frameworks to manage critical national information infrastructure; and for the training of security personnel on the prevention, detection and mitigation of computer and cybercrimes.

 

The committee is composed of representatives from the Kenya Defence Forces, the National Police Service, the National Intelligence Service, the Ministry of the Interior, as well as representatives from the office of the Attorney General and Director of Public Prosecutions, Communications Authority of Kenya and the Central Bank.

 

New Offences

The National Assembly amended the Bill to include additional computer and cybercrime offences. Below we highlight some of these added offences:

 

Cybersquatting: - This is the unauthorized and intentional use of a name, business name, trademark, domain name or other word or phrase that is registered, owned or in use by another person. The penalty for the commission of this offence is the imposition of a fine not exceeding two hundred thousand shillings, imprisonment for a term not exceeding two years or both.

 

Phishing: - This is the creation or operation of a website or the sending of messages intended induce a person to disclose personal information. The penalty for the commission of this offence is a fine not exceeding three hundred thousand shillings, imprisonment for a term not exceeding three years or both.

 

The wrongful distribution of obscene or intimate images: - This is the publication and dissemination of intimate or obscene pictures of another person. If found guilty of this offence one is liable to a fine not exceeding two hundred thousand shillings, imprisonment for a term not exceeding two years or both.

 

Identity theft and impersonation: - This is the dishonest or fraudulent use of an electronic signature, password or the unique identification feature of another person. On conviction, one is liable to a fine not exceeding two hundred thousand, imprisonment for a term not exceeding three years or both.

 

Failure by an employee to relinquish access codes: - Employees are required to relinquish all codes and rights upon termination of their employment. Failure to do so will invite a fine not exceeding two hundred thousand shillings, imprisonment for a term not exceeding two years or both.

 

Reporting of cyber threats: - Operators of computer systems and networks are required to report to the NCCCC within 24 hours, incidences of attacks, intrusions and disruptions to the functioning of their computer systems or networks. In the report, the operators are required to provide details of the breach, estimates of the number of affected individuals, an assessment of the risk of harm and circumstances that may delay or prevent affected persons from being informed of the breach. Failure to report would lead to the imposition of a fine not exceeding two hundred thousand shillings, imprisonment for a term not exceeding two years or both.

 

The interception of electronic messages or money transfers: - This is the unlawful destruction or termination of any electronic mail or process for the transfer of money or information. If found guilty of this offence one is liable to a fine not exceeding two hundred thousand shillings, imprisonment for a term not exceeding seven years or both.

  

Cyberterrorism: - This is the accessing or the facilitation of access to a computer, a computer system or network for the purposes of committing a terrorist act. The penalty for the commission of this offence is a fine not exceeding five million shillings, imprisonment for a term not exceeding ten years or both.

 

Penalty for other offences committed through use of a computer system

The Bill had provided that where offences under any other law are committed through the use of a computer system, that in addition to the penalty imposed under that law, a court may impose a further penalty of either a fine not exceeding three million shillings, imprisonment for a term not exceeding four years or both.

The National Assembly amended the Act to provide that for such offences an individual is liable to an additional penalty similar to that provided in the other law. The amendments also clarify that the additional penalty will imposed upon consideration of whether the use of a computer system enhanced the impact of the crime, whether the offence resulted in financial gain or commercial advantage, the value of the consequential loss or damage caused, the number of victims and whether the commission of the offence involved a breach of the trust.

 

Search without Warrant

The Bill gave police officers the power to conduct a search and seizure without a warrant in 'special circumstances'. What these special circumstances were was not provided for in the Bill leading to public concern that the provision could be misused by the security services. This provision was deleted and it is now required that police officers obtain a warrant from the courts in all circumstances before conducting a search and seizure.

  

Production Orders

A production order is an order directing a person or service provider to hand over data in their possession to the police service or other authorized persons. The Bill gave the courts the discretion to direct the subject of the order to keep the existence and contents of the order confidential. Failure to keep this confidentiality was an offence under the Bill. This clause has been deleted.

  

Petition by the Bloggers Association of Kenya

Soon after the coming into force of the Act, the Bloggers Association of Kenya ("BAKE") filed a petition challenging the constitutionality and legality of several of its provisions. BAKE, which identifies itself as an association of Kenyan bloggers and content creators, brought the petition against the Attorney General as a representative of the government, the speaker of the National Assembly, the Inspector General of the National Police Service and the Director of Public Prosecutions.

 

BAKE's main contention is that several provisions of the Act violate and deny constitutionally guaranteed rights and freedoms of such as expression, access to information, property and privacy.

 

BAKE also contends that the some provisions of the act were introduced without public participation in violation of the Constitution. These provisions, the petitioner claims, were introduced anew after the public participation phase of the legislative process thereby denying the public a chance to give their views. The petitioner has also challenged the constitutionality of the Standing Orders of the National Assembly so far as they permit the inclusion of clauses into Bills without the participation of the public.

 

On BAKE's application, the court issued conservatory orders temporarily suspending the coming into force of twenty-six sections of the Act, which concern the composition of the NCCCC, some offences under the Act and the means of investigating computer and cybercrimes.

 

The sections of the Act which have been temporarily suspended that relate to computer and cybercrime offences include those of unauthorized interference, unauthorized interception, false publications, publication of false information, child pornography, cyber harassment, cybersquatting, identity theft and impersonation, willful misdirection of electronic messages, cyber terrorism, inducement to deliver electronic message, intentionally withholding message delivered erroneously, unlawful destruction of electronic messages, wrongful distribution of obscene or intimate images, fraudulent use of electronic data, issuance of false e-instructions, reporting of cyber threat, and failure by employees to relinquish access codes.

The full text of the petition can be found on the BAKE website.

 

As has been mentioned earlier, the petition is still under consideration by the High Court. We will make a further update to this article and make our comments on the petition once it has been finally heard and determined.

 

We use cookies to personalise the website and offer you the greatest added value. They are, among other purposes, used to analyse visitor usage in order to improve the website for you. By using this website, you agree to their use. Further information can be found in our data privacy statement.
Deutschland Weltweit Search Menu