The Constitution of Kenya, 2010
The regulatory framework governing cybersecurity in Kenya has its foundation in the Bill of Rights of the Constitution of Kenya, 2010, which guarantees every person the right not to have the privacy of their communications infringed. These constitutional privacy principles are restated in the statutes and subsidiary legislation that protect the privacy of citizens’ information.
The Kenya Information and Communications Act, 1998 (KICA) and Regulations
The Act establishes the Communications Authority of Kenya, which is mandated to develop a national cybersecurity management framework. It is in this regard, and in order to reduce the incidence of fraud and cyberthreats in Kenyan cyberspace, that the National Kenya Computer Incident Response Team – Co-ordination Centre (National KE-CIRT/CC) (the “Co-ordination Centre”) was established.
The National KE-CIRT/CC is responsible for the national co-ordination of cybersecurity and serves as Kenya’s national point of contact on cybersecurity matters. It co-ordinates responses to cybersecurity incidents at the national level and collaborates with cybersecurity experts and industry actors, both locally and internationally, in detecting, preventing and responding to cyberthreats targeted at the country.
Collaboration with international cybersecurity service providers enables the National KE-CIRT/CC to address cross-jurisdictional cybercrime, and it works with local law enforcement and the courts in the investigation and prosecution of cybercrimes.
From its inception in 2017, the Co-ordination Centre has published advisory opinions on notable breaches of cybersecurity within the Kenyan cyberspace as well as providing daily cybersecurity updates on the Co-ordination Centre’s website, https://ke-cirt.go.ke/.
The Co-ordination Centre, through the Communications Authority, has also published General Information Security Best Practice Guidelines targeted at small and medium-sized enterprises (SMEs) for the protection of their own information and that of their clients in the course of their operations.
The KICA recognises electronic contracts and electronic signatures as a valid way of contracting and carrying on business in Kenya. In this regard, the Communications Authority is mandated to license electronic certification service providers, which the Authority requires to provide a reasonable level of reliability in their services and to adhere to procedures that ensure the secrecy and privacy of the electronic signatures they certify.
Data breach notification to the National KE-CIRT/CC
The Co-ordination Centre provides an incident reporting procedure on its website (https://ke-cirt.go.ke/). Through this platform, breaches and cybersecurity vulnerabilities, whether affecting individuals or institutions, are brought to the attention of the Co-ordination Centre. Reportable incidents include abusive content, malicious code, information gathering, intrusion attempts and fraud.
Incident response procedure under National KE-CIRT/CC
Issuance of a tracking number
Once an incident or vulnerability has been reported, the reporting party is issued with a tracking number for following up the complaint with the Co-ordination Centre.
Triage process and response
The Co-ordination Centre then puts the complaint through a “triage” process, analysing its nature to determine whether it falls within the Centre’s capacity and ability to resolve. Incidents within the Centre’s capacity are addressed directly; those beyond it are referred to other government agencies, to private institutions able to resolve the complaint, or to the police where it is established that a criminal offence has been committed. The Co-ordination Centre also works closely with the police, offering technical advice and providing forensic evidence for the prosecution of cybersecurity crimes.
Incident response under KICA
The KICA also provides the following incident response mechanisms where there has been a breach of the protection of information.
Entry and search of premises
If a court is satisfied that there are reasonable grounds for suspecting that an offence has been or is being committed, and that evidence of the commission of the offence is to be found on premises specified in the information laid before it, it may grant a search warrant authorising any person or persons authorised on behalf of the Authority, together with any police officer, to enter the premises at any time within one month from the date of the warrant, to examine and test any apparatus, and to obtain any article or item found on such premises.
Seizure of apparatus, article or other property
A search warrant granted above may authorise the person or persons named in it to seize and detain, for the purposes of any relevant proceedings, any apparatus, article or other thing found in the course of the search carried out in pursuance of the warrant which appears to have been used in connection with or to be evidence of the commission of any offence under the Act. If a police officer or any person authorised by a warrant has reasonable grounds to suspect that an offence under the Act has been committed, he or she may seize and detain, for the purposes of any relevant proceedings, any apparatus, article or other thing which appears to have been used in connection with or to be evidence of the commission of any such offence.
Forfeiture of property and disposal
Where a person is convicted of an offence under the Act for contravening any of the provisions relating to a telecommunication system, or for using any apparatus for the purpose of interfering with any telecommunication, the court may, in addition to any other penalty, order all or any of the apparatus with which the offence was committed to be forfeited to the Commission, which may dispose of it in such manner as it thinks fit.
The Data Protection Act, 2019
Data breach notification and incident response requirements
The issue of data breach and incident response is comprehensively addressed in the Data Protection Act, 2019.
Where personal data has been accessed or acquired by an unauthorised person, and there is a real risk of harm to the data subject, the data controller (the natural or legal person who determines the purpose and means of processing the personal data) shall notify the Data Commissioner (the Regulator) within 72 hours of becoming aware of the breach, and shall also notify the person whose data was accessed (the data subject) in writing within a reasonably practical period, unless the identity of that person cannot be established. A data processor that becomes aware of such unauthorised access must in turn notify the data controller without delay, and in any event within 48 hours.
The notification to the Data Commissioner and the communication to the data subject should provide sufficient information to allow the data subject to take protective measures against the potential consequences of the breach, including:
It is important to note that communication of the breach to the data subject is not required where the data controller or data processor has implemented appropriate security safeguards, which may include encryption of the affected personal data. This exception relieves the controller only of the communication to the data subject; the 72-hour notification to the Data Commissioner remains due.
After receiving notification of a personal data breach, the data controller must keep a record of the following information relating to the breach:
Principles of data protection
Every data processor (a natural or legal person who processes personal data on behalf of a data controller) or data controller in Kenya shall ensure that personal data is:
The governing statutes provide for different regulators.
Under the Kenya Information and Communications Act, 1998, the Communications Authority of Kenya is mandated to license all telecommunication service providers. The Authority is also responsible for developing sound frameworks to minimise the incidence of forged electronic records and fraud in electronic commerce and other electronic transactions.
Under the Computer Misuse and Cybercrimes Act, 2018, there is established the National Computer and Cybercrimes Co-ordination Committee which is the body mandated to deal with security-related aspects of cybercrimes and matters connected thereto.
Under the Data Protection Act, 2019, there is established the Office of the Data Protection Commissioner, headed by the Data Commissioner. Under this Act, the Data Commissioner is authorised to carry out periodic audits of the processes and systems of data controllers and data processors to ensure compliance with the Act.
Investigation of cybercrimes is governed by the Computer Misuse and Cybercrimes Act, 2018.
Search and seizure of stored computer data
Where a police officer has reasonable grounds to believe that a computer contains data that is reasonably required for the purposes of an investigation or that the data was acquired as a result of the commission of an offence, such a police officer may apply to court for a warrant to search the premises where such computers are stored and seize the data.
Any person who obstructs the police in conducting the search/seizure or who interferes with the integrity of the computer commits an offence and is liable on conviction to a fine not exceeding KES5 million or to a term of imprisonment not exceeding three years or to both.
Similarly, where a police officer has reasonable grounds to believe that specified data stored in a computer system is in the possession or control of a person, the officer may apply to the court for a Production Order, which directs the person named in it to submit the computer data in their possession.
Real-time collection of traffic data
Police officers are also allowed to collect or record through the application of technical means traffic data, in real-time, where they have reasonable grounds to believe that the data is associated with a person under investigation or that it relates to commission of a crime.
The police officer must, however, obtain a Court Order prior to effecting search and seizure or collecting the real-time traffic data.
Interception of content data
Subject to obtaining a Court Order, police officers are also allowed to intercept electronic communications if such communication is required for the purposes of a specific investigation in respect of an offence.
A person aggrieved by the decision of the police officer or by the Court Order can appeal such a decision to the High Court or the Court of Appeal within 30 days from the date of the decision or Order.
In order to prevent abuse of powers by the police officers while conducting investigations, the Act provides that any police officer who is convicted of abuse of power is liable to a fine not exceeding KES5 million or to imprisonment for a term not exceeding three years, or to both.
Additionally, it is also an offence for any person to obstruct the investigations being conducted by the police and upon conviction such a person is liable to a fine not exceeding KES5 million or to imprisonment for a term not exceeding three years, or to both.
The East African Community, of which Kenya is a member, is yet to come up with a regional cybersecurity law.
It is, however, worth noting that the Computer Misuse and Cybercrimes Act, 2018 provides a mechanism for its implementation beyond the territory of Kenya. This is mainly through international co-operation, under which Kenyan agencies may enter into reciprocal arrangements for mutual legal assistance in any criminal matter for the purposes of:
At the continental level, there is the African Union Convention on Cybersecurity and Personal Data Protection. The Convention applies to collection, processing, transmission, storage or use of personal data by a natural person, the state, local communities and public or private corporate bodies. However, at the moment Kenya has not yet ratified the Convention.
In 2014, the Kenyan Ministry of Information Communications and Technology published the National Cybersecurity Strategy. One of the key areas that is addressed in the Strategy is fostering information sharing and collaboration. In this regard, the government aims to cultivate a culture of information sharing that facilitates the real-time exchange of cybersecurity information between the government and the private sector.
The government has also entered into public-private partnerships, such as the establishment of the Kenya Network Information Centre (KENIC), to facilitate the growth and uptake of the ICT subsector in Kenya. That partnership was established following comprehensive consultation with the local internet community. Such collaborations entail the movement of information between private entities and government agencies in a bid to enhance the growth and security of Kenyan cyberspace.
There are a lot of similarities between the Kenyan laws on data protection and cybersecurity and those of other countries. Two principal similarities are:
The Kenyan laws on cybersecurity and data protection are relatively new and as such we have not experienced any significant changes in these areas of law.
The only recent development in this area is the decision of the High Court in Senate of the Republic of Kenya & 4 others v Speaker of the National Assembly & another; also, Attorney General & 7 others (Interested Parties)  eKLR where the court declared several Acts of Parliament to be unconstitutional because they were passed without the input of the Senate. One of the laws that was declared unconstitutional was the Computer Misuse and Cybercrimes Act, 2018. It is, however, important to note that the court suspended the implementation of its decision to allow Parliament time to regularise the laws. This means that, as at the time of writing this article, the Computer Misuse and Cybercrimes Act, 2018 is still in force.
Significant Pending Changes
Authentication of electronic signatures
The COVID-19 pandemic accelerated the shift to digital operations and transactions worldwide. In Kenya, the Business Laws (Amendment) Act, 2020 was enacted to keep transactions efficient; among its changes was the introduction of electronic signatures for transactions that had previously been restricted to wet-ink signatures.
However, there is a gap in the provision of electronic signature authentication services. The Communications Authority has not published a list of entities licensed to provide such services. In response to the increased use of electronic signatures, the Authority published an invitation to foreign digital authentication service providers to apply for recognition so that they could offer such services in Kenya, but as of our research it had not published a list of licensed or recognised authentication service providers.
Under the KICA, a digital signature must be authenticated by a licensed electronic certification service provider (E-CSP) through the issuance of a digital certificate. Since the Authority has not confirmed publicly that it has licensed any E-CSPs to provide authentication services, the electronic signatures currently in use are not valid under the KICA’s authentication provisions. The gap is one of legal recognition rather than technical verification: a signature made with a certificate from an unlicensed provider can still be verified cryptographically, but it does not carry the authentication that the KICA requires.
The licensing and recognition of local and foreign E-CSPs is therefore a pending issue that the Communications Authority must address. Once resolved, digital signatures, which are now increasingly being used, will be properly authenticated, reducing forgery and fraud in this increasingly popular form of transaction.
Investigation and prosecution of cybersecurity crimes
There is a need to build the capacity of Kenya’s Police Force to investigate and prosecute cybercrimes. There have been joint collaborative efforts between the police force and the National KE-CIRT/CC in obtaining forensic evidence to prosecute cybercrimes. The police force, however, needs to be comprehensively trained on the legal framework addressing cybersecurity in Kenya and how best to handle reported issues of criminal offences as forwarded by the National KE-CIRT/CC or any other source.
Maturity of the country’s cybersecurity approach
While the Communications Authority, the National KE-CIRT/CC, the National Computer and Cybercrimes Co-ordination Committee and the Office of the Data Commissioner have helped to develop the country’s cybersecurity posture, it remains relatively immature in the face of the growing complexity and sophistication of cyberthreats. The Ministry of Information, Communications and Technology developed the National Cybersecurity Strategy, which seeks to mature the country’s cybersecurity approach by providing strategic direction, with accompanying implementation actions, to secure the nation’s critical cyber-infrastructure against existing and emerging threats.
In Kenya, the main law dealing with data protection is the Data Protection Act, 2019. The Act applies to the processing of personal data by or on behalf of a data controller or data processor, whether by automated or non-automated means.
Where personal data is processed by non-automated means, the Act applies only where the data forms the whole or part of a filing system of a data controller or data processor who:
National Computer and Cybercrimes Co-ordination Committee
This Committee is established under the Computer Misuse and Cybercrimes Act, 2018 and is responsible for:
The Communication Authority of Kenya
The Kenya Information and Communications Act, 1998 mandates the Communications Authority of Kenya (CA) to develop a national cybersecurity management framework. To this end, the CA established the National Kenya Computer Incident Response Team – Co-ordination Centre (National KE-CIRT/CC), which is responsible for:
As indicated above, Kenya does not have one over-arching cybersecurity agency. Each Act of Parliament touching on cybersecurity has an agency that deals with specific aspects of cybersecurity. Be that as it may, it can be argued that, since the Computer Misuse and Cybercrimes Act, 2018 is the main law that deals with the issues of cybersecurity, then the National Computer and Cybercrimes Co-ordination Committee (which is the agency established therein) is effectively the over-arching cybersecurity agency.
The main Data Protection Authority is the Office of the Data Protection Commissioner established under the Data Protection Act, 2019.
The functions of this Office are to:
The main financial regulator in Kenya is the Central Bank of Kenya (CBK) established under the Central Bank of Kenya Act. The CBK is empowered to issue directives and guidelines to be adhered to by payment service providers in order to maintain a sound, secure and efficient national payment system.
In this regard, the CBK issued its Guideline on Cybersecurity for Payment Service Providers (PSPs), 2019. This Guideline sets the minimum standards that PSPs should adopt to develop effective cybersecurity governance and risk-management frameworks.
Other key relevant agencies include the following.
The Kenya Network Information Centre (KENIC) was established through the facilitation of the Communications Authority of Kenya in a public-private partnership and is licensed by the Authority to manage and administer the .ke country code top-level domain (ccTLD) in order to facilitate the growth and uptake of the ICT subsector in Kenya. KENIC maintains a register of .ke domain name holders, which provides a repository that can be used to trace the sources of cybersecurity threats.
The National Kenya Computer Incident Response Team – Co-ordination Centre (National KE-CIRT/CC) – the functions of which have already been discussed in 2.2 Regulators.
The Data Protection Act provides for the acceptable standards while dealing with personal data.
To begin with, any person processing personal data must have a lawful basis for doing so. The primary basis is the express consent of the data subject, although the Act also recognises other bases, such as processing that is necessary for the performance of a contract or for compliance with a legal obligation.
Secondly, the Act gives a clear definition of “sensitive personal data”. It includes property details, marital status and family details, including the names of the person’s children, parents, spouse or spouses, alongside categories such as health status and genetic and biometric data. The law requires that such data be handled with the utmost care.
Thirdly, the Act restricts the processing of personal data relating to children: such data may be processed only with the consent of the child’s parent or guardian, and in a manner that protects the rights and best interests of the child.
Personal data should also be processed in accordance with the right of privacy of the data subject.
The Act also explicitly provides that data subjects have several rights that must be observed by any person involved in the processing of personal data. These include the right to correction of false or misleading data; the right to be informed of the use to which their personal data is to be put; the right to access their personal data held by data controllers and data processors; and others, including the right to object to processing and the right to deletion of false or misleading data.
Legal jurisprudence on cybersecurity in Kenya is still in its early stages of development and therefore a standard of “reasonable security” is yet to be established. We can, however, infer “reasonableness” from already established principles of common law in tort as the care or degree of caution that a prudent and rational person would take to guard against probable danger.
Written Information Security Plans or Programmes
While there is no mandatory statutory requirement for an institution to have a written information security plan or programme, such a plan can be drafted in accordance with the general data protection principles set out in the Data Protection Act.
These include ensuring that an individual’s privacy rights are protected when processing information; that information is collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes; and that personal information is not transferred outside Kenya unless there is proof of adequate data protection safeguards or the consent of the data subject.
Incident Response Plans
There are no statutory requirements or national standards guiding the formulation of incident response plans. The National Cybersecurity Strategy (the “Strategy”) in its action plan indicates that the Ministry will formulate a national-level cyber-incident response plan. However, this is yet to be formulated.
Appointment of Chief Information Security Officer
The Central Bank of Kenya in its Guidance Note on Cybersecurity has recommended the appointment of a chief information security officer who will oversee the implementation of the institution’s cybersecurity programme and the enforcement of its cybersecurity policy.
The Data Protection Act also establishes the office of the Data Commissioner, who heads the Office of the Data Protection Commissioner. The principal responsibility of the Data Commissioner is to exercise oversight over data processing operations, either of their own volition or at the request of a data subject, and to verify whether the processing is carried out in accordance with the Data Protection Act.
Involvement of Board of Directors or the Equivalent
The Data Commissioner has not yet prescribed the threshold for mandatory registration of data controllers and processors. Once the threshold has been prescribed, the directors of a company falling within it will be responsible for ensuring that the company is registered as a data controller or data processor. In any event, the Companies Act sets out the general duties (including fiduciary duties) of directors, which include exercising reasonable care, skill and diligence in the operation of the company. This extends to ensuring that the company does not engage in cybersecurity infringements and that the company’s data is adequately protected.
Conducting Internal Risk Assessments, Vulnerability Scanning, Penetration Tests
The Computer Misuse and Cybercrimes Act provides that the owner or person in control of a critical information infrastructure shall annually submit a compliance report on that infrastructure to the Committee, in line with the critical infrastructure framework, so that compliance can be evaluated. A critical information infrastructure is a vital virtual asset, facility, system, network or process whose incapacity, destruction or modification would have a debilitating impact on the availability, integrity or delivery of essential services, including services whose compromised integrity could result in significant loss of life or casualties.
The director of the National Computer and Cybercrimes Co-ordination Committee may also notify the owner or person in control of a critical information infrastructure in writing to carry out an audit where there is imminent threat of an attack that will amount to a computer and cybercrime.
Multi-factor Authentication, Anti-phishing Measures, Protection Against Business Email Compromise, Ransomware, Threat Intelligence, Insider Threat Programmes
While the KE-CIRT/CC is yet to publish legal requirements or standards on these issues, it has published brief, reader-friendly “best practice guidelines” on cat-phishing, email phishing, drop-box phishing, two-step authentication, ransomware and insider threat programmes.
Vendor and Service Provider Due Diligence, Oversight and Monitoring
The Central Bank of Kenya’s Guidance Note on Cybersecurity encourages banking institutions to undertake due diligence on prospective service providers and to select vendors on the basis of compliance and risk assessments. Banks are further urged to oversee the evaluation and management of risks introduced by third-party service providers, including by requiring attestation or assurance reports on those providers from reputable independent auditors.
Use of Cloud, Outsourcing, Offshoring and Training
The KE-CIRT/CC has published best practice guidelines for cloud computing.
The Central Bank of Kenya’s Guidance Note on Cybersecurity has directed banking institutions to undertake the following measures in respect to outsourcing of cybersecurity services:
The CBK guidance note sets out that:
The Computer Misuse and Cybercrimes Act, 2018 provides for international co-operation between Kenyan cybercrime agencies and foreign agencies. The co-operation takes the form of mutual legal assistance in criminal prosecution for the purposes of:
Data Breach Notification and Incident Response Requirements
As indicated in 1.1 Laws, the issue of data breach and incident reporting is comprehensively dealt with in the Data Protection Act, 2019.
Where personal data has been accessed or acquired by an unauthorised person, and there is a real risk of harm to the data subject, a data controller shall (i) notify the Data Commissioner within 72 hours of becoming aware of the breach, and (ii) notify the person whose data has been accessed (the data subject) in writing within a reasonably practical period, unless the identity of that person cannot be established.
The notification to the Data Commissioner and the communication to the data subject should provide sufficient information to allow the data subject to take protective measures against the potential consequences of the breach.
After receiving notification of a personal data breach, the data controller must keep a record of the following information relating to the breach:
See 4.1 Personal Data.
Under Kenyan law, critical infrastructure includes the processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Kenyans and the effective functioning of government.
Once a system has been designated as a critical infrastructure, the National Computer and Cybercrimes Co-ordination Committee is required to conduct an assessment of the threats, vulnerabilities, risks, and probability of a cyber-attack on such critical infrastructure sectors and determine the harm to the economy that would result from damage or unauthorised access to the critical infrastructure.
Additionally, in the event of an attack on or breach of a critical infrastructure, its operator is required to notify the Committee immediately of the breach and of the remedial measures he or she intends to take. Upon receipt of such a notification, the Committee shall provide technical assistance to the operator to mitigate the threat.
See 4.1 Personal Data.
See 4.1 Personal Data.
The Data Protection Act does not define what constitutes data breach. However, it defines "personal data breach" as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
The Data Protection Act exclusively deals with personal data. The Act further defines "personal data" to mean any information relating to an identified or identifiable natural person.
Data breach reporting and notification covers the following systems:
The Kenya Pharmacy and Poisons Board (PPB) is the body mandated with the regulation of medical devices. Generally, medical devices are required to meet certain safety and performance thresholds depending on the intended use of the concerned device.
The obligation to ensure that medical devices are secure and safe lies chiefly with the manufacturer of such devices. Medical devices should be designed and manufactured in such a way that, when used for their intended purpose by a person with the required technical knowledge, experience or training, they will not compromise the clinical condition or the safety of patients.
There are currently no specific regulatory cybersecurity requirements for industrial control systems in Kenya; however, the general data protection regulations and individual data privacy rights apply to the operation of industrial control systems.
There are currently no specific regulatory cybersecurity requirements for Internet of Things (IoT) devices in Kenya; however, the general data protection regulations and individual data privacy rights apply to the data that IoT devices collect and transmit.
Notification and communication of breach happens where personal data has been accessed or acquired by an unauthorised person, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorised access.
As indicated above, a data controller is required to notify a breach or unauthorised access of personal data only where there is a “real risk of harm” to the data subject. The controller must therefore first satisfy itself that the risk of harm is real and not merely illusory. Unfortunately, the Act does not define what amounts to “real risk of harm”, which leaves the data controller with very wide discretion in determining whether a given incident warrants notification. In practice, a controller should document the basis for that assessment, since the Data Commissioner may later review the decision.
There are several cybersecurity defensive measures permitted in Kenya. These include the following.
Use of Strong Passwords and Changing Default Passwords
Strong passwords, meaning long passwords that combine different character types and are not reused across accounts, reduce the risk of credential-guessing and credential-stuffing attacks. Default passwords shipped with devices and software are publicly known and should be changed before the equipment is put into service.
Use of Secure Remote Access Methods Such as a Virtual Private Network (VPN)
This is a very important defensive measure for organisations that allow employees to work remotely. A VPN encrypts remote traffic and requires remote users to authenticate before reaching internal services, which reduces the chance of unauthorised access to the organisation’s systems and data.
Staff Training and Awareness
This is one of the most important defensive mechanisms that any organisation can implement. Proper training of staff in cybersecurity reduces their susceptibility to attacks such as phishing and social engineering.
Development and Enforcement of Cybersecurity Policies
In this age of technology, it has become very important for organisations to develop comprehensive cybersecurity policies. Such policies should cover the following elements:
Cybersecurity and data protection are two sides of the same coin. A violation of data protection laws will often also amount to a violation of cybersecurity laws, and vice versa.
The law places a responsibility on data controllers and processors to ensure that the personal data in their possession is kept secure. If someone gains unauthorised access to that personal data, the privacy and data protection rights of the data subject are violated.
The data that has been unlawfully accessed can also be used to gain access to the data subject's personal accounts (if the data included passwords or access codes) or in the commission of an offence in cyberspace.
Due to this interplay between data protection and cybersecurity, it is important for there to be proper co-ordination between the agencies dealing with data protection and those dealing with cybersecurity.
The Computer Misuse and Cybercrime Act provides for an avenue of information sharing with respect to critical information infrastructure. In this regard, a private entity may enter into an information-sharing agreement with a public entity for:
See 7.1 Required or Authorised Sharing of Cybersecurity Information.
It is important to note that for a long time Kenya did not have a legal framework that dealt with the protection of personal data until the coming into force of the Data Protection Act in November 2019. Therefore, most of the cases dealt with the issue of data protection as a component of the right to privacy.
For instance, in Okiya Omtatah Okoiti v Communication Authority of Kenya & 8 others eKLR and Kenya Human Rights Commission v Communications Authority of Kenya & 4 others eKLR, the petitioners in the two petitions challenged the introduction into the networks of the respondent and interested-party telecommunications providers of a device management system (DMS) which had the capacity to access customers' information unlawfully.
The court held that the plan to integrate the DMS into the parties' networks, inter alia to create connectivity between the DMS and the parties' systems in order to access the IMEI (device identifier), IMSI (SIM subscriber identifier), MSISDN (subscriber telephone number) and CDRs (call detail records) of the subscribers on their networks, was a threat to the subscribers' privacy, hence a breach of the subscribers' constitutionally guaranteed right to privacy, and therefore unconstitutional.
The second case is Nubian Rights Forum & 2 others v Attorney-General & 6 others; Child Welfare Society & 8 others (Interested Parties); Centre for Intellectual Property & Information Technology (Proposed Amicus Curiae) eKLR, where the petitioners challenged the constitutionality of the National Integrated Identity Management System (NIIMS), which was intended to be a single repository of the personal information of all Kenyans as well as of foreigners resident in Kenya. The petitioners averred that NIIMS violated the right to privacy, considering the nature of the personal information that would be collected in NIIMS and the absence of any security in the manner of storage of, and access to, the collected data.
In its decision, the court was alive to the reality that, at the time, there was no specific legislation that provided for the collection, storage, protection and use of data collected by or held by government or other entities. It went on to state that it was in the public interest to have an efficient and organised system of registration of persons and storage of personal data so collected.
What is common to the above cases is that the protection of personal data is heavily guarded by the law and that any contravention of data protection rights ought to be remedied. Therefore, with the enactment of the Data Protection Act, 2019, we are of the view that there will be a significant development of jurisprudence in this area of law.
Given that the Kenyan cybersecurity laws are still relatively new, there are no reported decisions on cybersecurity violations and data security breaches by the High Court, Court of Appeal or Supreme Court.
However, we anticipate that, given the growth of e-commerce and the technological advancements in the country, there are bound to be reported decisions on lawsuits arising from cybersecurity violations and data security breaches.
The Computer Misuse and Cybercrime Act provides for a number of legal standards that are applicable in investigation and prosecution of cybercrimes.
First, the Act provides for several criminal offences such as:
Secondly, the Act provides for comprehensive investigative procedures that are necessary for prosecution. These include criteria for search and seizure of computer equipment and data, production orders, real-time collection of traffic data, interception of content data and international co-operation. (See 1.3 Administration and Enforcement Process and 3.4 Key Multinational Relationships for comprehensive details.)
The Act further provides safeguards against abuse of the investigative powers by providing that searches and seizures, production orders, interception of data and collection of real-time data can only be effected through an order of the court.
Finally, the Act also guarantees the right of appeal from the decisions of the investigators or the court that gave the order pursuant to which the investigation was conducted.
See 8.1 Regulatory Enforcement or Litigation.
Class action suits are permitted in Kenya, but they are referred to as "representative suits".
Order 1 rule 8 of the Civil Procedure Rules 2010 provides that a person may institute or defend a suit on behalf of others who have the same interest. The test for a representative suit is therefore that the person instituting or defending the suit must demonstrate, to the satisfaction of the court, that they have the same interest as the persons on whose behalf they are instituting or defending the suit.
The following issues are critical when conducting due diligence:
The CBK, through its guidance note on cybersecurity, requires banking institutions to maintain and file cybersecurity reports on a quarterly basis.
The Computer Misuse and Cybercrime Act has a few deficiencies which need to be improved on, going forward. For instance:
According to the Quarterly Statistic Report (July–September 2020) published by the Communications Authority of Kenya (CA), Kenya experienced a 152.9% increase in cyberthreats between July and September 2020. This was mainly attributed to the increase in e-commerce, cashless payments through mobile money platforms and the shift towards remote working, among other factors.
In addition, the report indicates that there has been a significant increase in cases of online child abuse, cyberbullying, internet trolling and internet fraud. Against this backdrop, cybersecurity has become a key priority area in the wake of the spread of COVID-19 and the resultant economic and social changes.
This article explores the current trends in the regulatory framework governing cybersecurity in Kenya.
The Legal Framework
Before 30 May 2018, Kenya did not have an overarching law comprehensively addressing different aspects of cybersecurity. The Kenya Information and Communications Act (KICA) was the only statute that had limited provisions on cybersecurity, together with prescribed penalties.
In order to develop a national cybersecurity management framework and to ensure the safety of Kenyan cyberspace, the Communications Authority of Kenya (CA), which is the regulatory body established under the KICA, established the National Kenya Computer Incident Response Team – Coordination Centre (National KE-CIRT/CC), a multi-agency framework responsible for the national harmonisation of cybersecurity reporting and incident response.
Despite the provisions of the KICA and the establishment of the National KE-CIRT/CC, cybersecurity remained an emotive issue in Kenya that required a comprehensive policy and legal framework; it is for this reason that the Computer Misuse and Cybercrimes Act 2018 was enacted.
Computer Misuse and Cybercrimes Act 2018
This Act of Parliament came into force on 30 May 2018. The Act aims to protect the confidentiality, integrity and availability of computer systems, programs and data, as well as to facilitate the prevention, detection, investigation, prosecution and punishment of cybercrimes.
However, since its enactment there has been significant litigation surrounding the constitutionality of some of its provisions, the latest being the decision of the High Court in Senate of the Republic of Kenya & 4 others v Speaker of the National Assembly & another; Attorney General & 7 others (Interested Parties) eKLR, where the Court declared several Acts of Parliament unconstitutional because they were passed without the input of the Senate. One of the laws declared unconstitutional was the Computer Misuse and Cybercrimes Act, 2018. It is, however, important to note that the Court suspended the implementation of its decision to allow Parliament time to regularise the procedure by which the laws were passed. This means that, as at the date of publication of this article, the Computer Misuse and Cybercrimes Act, 2018 remains in force.
The following are some of the key provisions of the Act:
The Act also provides an avenue for international co-operation between Kenyan and foreign agencies. In this regard, the Communications Authority may make a request to a requested state: for mutual legal assistance in any criminal matter, for the purpose of undertaking investigations or proceedings concerning offences related to computer systems, electronic communications or data; for collecting evidence of an offence in electronic form; or for obtaining the expeditious preservation and disclosure of traffic data, the real-time collection of traffic data associated with specified communications, or the interception of content data.
Business Laws (Amendment) Act 2020
This recently enacted Act came into force to improve the ease of doing business in Kenya. The following are some of the changes the Act brought in that bear on the cybersecurity regulations:
In response to this, the Communications Authority invited electronic certification service providers to apply for licensing and recognition by the Authority to provide electronic signature authentication services to electronic signature users.
Civil Procedure Amendment Rules 2020
The notable change relevant to cybersecurity regulation is that service of court summons can now be effected through email and/or mobile messaging applications. The Amendment Rules are an attempt to reform civil procedure in the Magistrates' Courts and the High Court and align it with technological advancement by providing alternative modes of service of court summons, including by email and mobile-enabled messaging applications.
Data Protection Act 2019
The Act introduces comprehensive laws that protect the personal information of individuals. It establishes the Office of the Data Protection Commissioner and makes provision for the regulation of the processing of personal data. The Act further provides for the rights of data subjects and the responsibilities of data controllers and processors, who are required to be registered by the Data Protection Commissioner. The Act provides an investigation procedure to be undertaken by the Commissioner, including powers of entry and search and the issuing of administrative fines. Any person contravening the provisions of the Act is liable to a fine of up to KES5 million.
Data controllers and data processors are required to notify the Commissioner without delay, and within 72 hours of becoming aware of a personal data breach. Nonetheless, a gap exists in the Act when it comes to the prosecution of multinational companies. This will potentially be addressed in subsequent amendments to the Act or by legal jurisprudence from the Kenyan courts.
Central Bank of Kenya (CBK) guidelines
In order to reduce cyberthreats within the banking sector in Kenya, the CBK, pursuant to the provisions of the National Payment Systems Act, 2011, implemented guidelines for payment service providers (PSPs). The guidelines promote the stability of the Kenyan payment system sub-sector and require PSPs to maintain a cybersecurity programme with specified minimum standards designed to mitigate cyber-risk. These guidelines set the minimum standards that the boards of directors and senior management of PSPs are expected to adopt, develop and implement to ensure compliance.
The guideline states that each PSP must maintain a clearly defined written policy that addresses key cybersecurity issues and the protection of its data and of the confidential information stored on its data systems.
With the recent high uptake of fibre connectivity in Kenya, internet access has become a perceived “need” rather than a “want”. Further, with the COVID-19 pandemic and the resultant socio-economic changes that have been brought about, cybersecurity has become a key priority area in the country’s legislative framework.