googleSearch (CSE)

Computer & Cyber Crimes Bill, 2016 and Regulations - Technology Service Providers Association of Kenya (TESPOK)

Kenya has made several attempts to develop a law on cyber security. The ICT Ministry together with the Kenya Law Reform Commission (KLRC) drafted Computer and Cyber Crimes (CCC), Bill 2016.  By December 2017 the Bill was approved by Cabinet on the 6th April, 2017 and forwarded to the Attorney General for publication before tabling in the National Assembly (Computer and Cyber Crimes (CCC), Bill 2017). The Bill was tabled for the first reading but House Committees were yet to be formed.

The objective of the CCC Bill, 2016 was to provide for offences relating to computer systems timely and effective collection of forensic material for use as evidence, and to facilitate international co-operation in dealing with cybercrime matters e.g. unauthorised access of computers, passwords; computer forgery, computer fraud, cyber bullying, aiding or abetting in the commission of an offence, offences by a corporate and limitation of liability and offences committed through the use of a computer system.

Although TESPOK was involved in the development of the Bill, some critical industry proposals and positions were ignored by the ICT Ministry who lacked sufficient appreciation of global industry standards of practice in cyber security. TESPOK had highlighted the following key issues with the current draft CCC Bill that they consider could have adverse effects on the sector:

  1. Provisions relating to search and seizure of equipment and data.

The Bill proposes a mechanism for search and seizure of computer systems from offenders as well as during investigation processes. This infringes Article 31 of the Constitution of Kenya 2010 which specifically protects the right to privacy. It guarantees the right not to have—

(a) their person, home or property searched;

(b) their possessions seized;

(c) information relating to their family or private affairs unnecessarily required or revealed;

(d) the privacy of their communications infringed.

Without clear guidelines on the processes, the implementation of such a provision would have resulted in violation of the Constitution. The proposed ‘search and seizure’ provision exposed industry providers to litigation matters that would have been costly and time consuming to resolve. The provision also violated the Universal Declaration of Human Rights and International Covenant on Civil and Political Rights which form part of revised Kenyan law. TESPOK proposed to support and facilitate the development of regulations and seizure provisions in order to mitigate any potential infringements.

  1. Corporate liability:

The CCC Bill proposed that the Kenyan authorities would have the power to search data transmission companies (ISPs) and mobile phone operators under the mistaken understanding that they retained this data and information on their equipment (servers and computers). This is technologically wrong. It is the platforms (Twitter, Facebook etc.) that retain that data and information. On this basis, TESPOK argued that its members should NOT be held liable. This amendment is crucial for the protection of Kenya’s privacy rights under the constitution and under other international agreements.

Nevertheless, it is, important to note the security threat or the distribution of inappropriate material will remain unresolved, it is an issue internationally not just in Kenya.


Following advocacy efforts by TESPOK the issue with the Computer and Cyber Crimes Bill were addressed. The Computer Misuse and Cybercrimes Act, 2018 was assented to on the 16th May 2018. It came into force in a few days on 30th May 2018.

Share this Issue