20 February marks a turning point for Kenya’s controversial Computer Misuse and Cybercrimes Act, 2018 (the “Act”). The suspension of critical provisions that have been a subject of dispute since the Act partially came into force on 30 May 2018 has now been lifted. Yesterday, the High Court of Kenya (“High Court”) dismissed the Bloggers Association of Kenya’s (“BAKE”) petition challenging the constitutionality and legality of several provisions of the Act.
The Act is an important milestone in countering cybercrime by:
- providing for offences relating to computer systems and the establishment of the National Computer and Cybercrimes Co-ordination Committee;
- protecting the confidentiality, integrity and availability of computer systems, programs and data;
- facilitating timely and effective prevention, detection, investigation, prosecution and punishment of computer and cybercrimes; and
- facilitating international cooperation in dealing with computer and cybercrime matters.
However, many of the central aims of the Act rested on the enforcement of the suspended provisions.
Why were the provisions suspended?
BAKE's petition argued that several provisions of the Act violated and denied constitutionally guaranteed rights and freedoms such as the freedom of opinion, freedom of expression, freedom of the media, freedom and security of the person, right to privacy, right to property, the right to a fair hearing and access to information. BAKE also contended that some provisions of the Act were introduced without public participation in violation of the constitution. These provisions, BAKE claimed, were introduced anew after the public participation phase of the legislative process, thereby denying the public a chance to express its views.
The High Court granted conservatory orders on 29 May 2018 (a day before the marked commencement date of the Act), temporarily suspending the coming into force of 26 sections of the Act. The Attorney General later filed an application to have the suspension lifted, but his application was dismissed and the suspension was extended six times in succession, starting from 5 November 2018 to 23 October 2019, when the parties submitted their final submissions in court. The suspension was then set to remain extended until yesterday.
What was the court’s ruling?
Almost two years after the Act partially came into force, and after postponement of the ruling date on 30 January 2020 and 3 February 2020, the petition has at last been deliberated on by the High Court. In the judgment issued by Hon. Justice James A. Makau, the court found that the petition was unjustified and consequently lifted the suspension of the 26 provisions of the Act.
These provisions aim to regulate emerging technology issues such as unauthorised interference with computer systems; intercepting the transmission of data, electronic messages or money transfers over telecommunication systems; publication of fake news; cyber harassment; cybersquatting; and the fraudulent use of electronic data, among others.
What are the implications of the ruling?
As a matter of compliance, companies must now ensure implementation of effective cybersecurity measures that prevent unauthorised persons from accessing private data and restricted computer systems. Employees now have the responsibility to securely relinquish all codes and access rights to their employer’s computer network and systems upon termination of their employment. Where damage can be attributed to the negligent cybersecurity standards of a company or a failed responsibility of the employee, the Act imposes substantial fines and/or imprisonment upon conviction.
While the disputed provisions are now effective, it can, first, be anticipated that interested parties, including BAKE, may seek to appeal yesterday’s decision. Second, depending on the future status of the Act, it is anticipated that regulations and subsidiary legislation will be published to guide compliance with and implementation of the Act.