Status regarding Budapest ConventionStatus : NA See legal profile
In 2014, Kenya’s Ministry of Information, Communications and Technology developed a Cybersecurity Strategy with four main objectives:
- Enhance the nation’s cybersecurity posture in a manner that facilitates the country’s growth, safety, and prosperity;
- Build national capability by raising cybersecurity awareness and developing Kenya’s workforce to address cybersecurity needs;
- Foster information sharing and collaboration among relevant stakeholders to facilitate an information sharing environment focused on achieving the Strategy’s goals and objectives; and
- Provide national leadership by defining the national cybersecurity vision, goals, and objectives and coordinating cybersecurity initiatives at the national level.
The Cybersecurity Strategy also include, among its planned near-term actions, the development of “specific cybercrime penal code”, meaning the drafting of technology neutral cybercrime legislation, including procedural powers for investigations of cybercrimes.
State of cybercrime legislation
The Computer Misuse and Cybercrime Bill, which was drafted with the assistance of the Council of Europe, was adopted in 2018 by the Inter-Agency Technical Committee on the Development of a Comprehensive Cyber Crimes Law. The National Assembly (Parliament) added some clauses, which are mostly relevant to content-related criminal offences before it passed it to law (Computer Misuse and Cybercrimes Act - CMCA). A better part of the Act is in line with the provisions of the Budapest Convention.
The Bloggers’ Association of Kenya (BAKE) raised concerns on constitutionality of the Act and filed a petition to the High Court, which suspended 26 sections of the Act. The High Court, after the hearing, dismissed the application to suspend the 26 sections of the Act in February 2020, thus leading to full operationalization of the Act.
The Act deals with offences relating to computer systems including but not limited to unauthorised access, unauthorised interference, unauthorised interception, unauthorised disclosure of passwords, cyber espionage, false publications, child pornography, cyber terrorism and wrongful distribution of obscene or intimate images. It also deals with computer forgery, computer fraud, cyber harassment, publication of false information, cybersquatting, identity theft and impersonation, phishing, interception of electronic messages or money transfers, wilful misdirection of electronic messages and fraudulent use of electronic data among other cybercrimes.
The procedural powers listed in the CMCA include: search and seizure, record of and access to seized data, production order, expedited preservation and partial disclosure of traffic data, real-time collection of traffic data and interception of content data, referring also to questions of confidentiality and limitation of liability. Among the amendments made during the consultation process, there was no specification of any legal ground to be presented to the judge for obtaining warrants for production orders and search and seizure.
The CMCA includes, among its objectives, the protection of the confidentiality, integrity, and availability of computer systems, programmes and data, as well as the protection of the rights to privacy, freedom of expression and access to information as guaranteed under the Constitution.
Related laws and regulations
- Kenya Information and Commnications Act, CAP 411A, 1998, revised in 2012
- amended by The Kenya Information and Communication (Amendment) Act, 2014
- Sexual Offences Act, 2006
- Penal Code, 2012
- Prevention of Terrorism Act, 2012
- Cyber Crime Unit, Directorate of Criminal Investigation, National Police Service
- KE-CIRT/CC – National Computer Incident Response Team
Competent authorities and channels
Part V of the Act refers to international cooperation, in addition to the Mutual Legal Assistance Act and the Extradition (Contiguous and Foreign Countries) Act. It lays down the general principles and specific measures such as: sharing of spontaneous information, expedited preservation of stored computer data, expedited disclosure of preserved data, mutual legal assistance regarding access of stored computer data, trans-border access to stored computer data with consent or where publicly available, MLA in the real-time collection of traffic data, MLA regarding interception of content data, and establishes the 24/7 point of contact.
The Attorney General’s Office and the Department of Justice may make and receive requests to/from other states for the above mentioned procedures.
Practical guides, templates and best practices
Republic v Priscillah Wanjiru Salome, 2017 [mentions digital evidence gathered by the Cyber Crime Unit]
Sources and links
- International Comparative Legal Gides – ICLG Cybersecrity Laws and Regulations – Kenya
- UNIDIR Cyber Policy Portal – Kenya
These profiles do not necessarily reflect official positions of the States covered or of the Council of Europe.
Are you aware of the latest legislative or policy developments on cybercrime and electronic evidence?
Share this information with us helping to keep this platform up to date.
- Cybercrime website
- Template: Mutual Legal Assistance Request for subscriber information (Art. 31 Budapest Convention). English and bilingual versions available.
- Template: Data Preservation Request (Articles 29 and 30 Budapest Convention). English and bilingual versions available.