Only a week after President William Ruto signed the Computer Misuse and Cybercrimes (Amendment) Act, 2024 into law, the Nairobi High Court stepped in to suspend key provisions that many fear could curtail online freedoms.
The halted sections-specifically Section 27(1)(b), (c), and (2)-target intentional electronic communications that harm an individual’s reputation, violate privacy, or negatively impact mental well-being, including content that might encourage suicidal behavior. Breaching these clauses could result in hefty penalties, with fines up to KES 20 million (about $155,000) or imprisonment for as long as ten years.
This judicial intervention has reignited the debate over how to balance the regulation of online behavior with the protection of free speech in Kenya‘s digital space. It underscores the judiciary’s growing scrutiny of government attempts to tighten control over cyberspace.
The court’s ruling followed a petition by Reuben Kigame and the Kenya Human Rights Commission (KHRC), sparking renewed constitutional discussions on the extent of state power in regulating online expression.
While the amendments were intended to enhance Kenya’s cybersecurity by addressing crimes such as SIM-swap fraud, phishing, and cyberbullying, civil society groups have criticized certain provisions as overly vague and potentially open to misuse for silencing dissent and legitimate criticism.
Broadening Kenya’s Cybercrime Framework
The 2024 amendments expand upon the original 2018 Computer Misuse and Cybercrimes Act, which criminalized unauthorized access, misinformation, and online harassment. The new law widens the scope of offenses, increases penalties, and introduces new categories of cybercrimes.
A significant addition is the criminalization of SIM-swap fraud, where criminals manipulate SIM cards to steal money, punishable by up to ten years in prison or fines reaching KES 5 million (approximately $39,000).
Moreover, the legislation requires operators of critical information infrastructure-such as those in banking, telecommunications, and fintech-to report cybersecurity breaches within 24 hours and mandates that sensitive data be stored domestically within Kenya.
The law also grants the National Computer and Cybercrimes Coordination Committee (NC4), an advisory body on cyber policy, extensive powers to order the blocking or removal of websites, apps, or online content suspected of facilitating illegal activities such as terrorism or child exploitation.
However, critics including the KHRC caution that this broad authority lacks adequate judicial oversight, raising concerns that it could be exploited to arbitrarily silence digital platforms and restrict online freedoms.
Examination of the Suspended Clauses
Justice Lawrence Mugambi issued a temporary injunction suspending the enforcement of Section 27(1)(b), (c), and (2), which criminalize the dissemination of “false, misleading, or fictitious” information that could incite public panic or damage reputations.
The petitioners argued that these provisions are vaguely drafted and susceptible to selective enforcement against journalists, activists, and online commentators. The court’s interim order halts any prosecutions under these sections pending a full hearing.
For defenders of digital rights, this suspension is a vital protection, shielding internet users from potential abuse of the law while the judiciary assesses whether the amendments violate constitutional guarantees of free speech and privacy.
This legal challenge echoes earlier disputes over Kenya’s cyber laws. In 2021, courts similarly suspended parts of the original 2018 Act following objections from groups like the Bloggers Association of Kenya (BAKE) and ARTICLE 19, highlighting ongoing concerns about government overreach into online expression.
Consequences for Kenya’s Digital Ecosystem
The new law compels fintech and telecom firms to establish incident response protocols, conduct annual risk evaluations, and ensure that sensitive data remains within Kenya’s borders. While these steps aim to strengthen cybersecurity, they also introduce additional operational burdens and could slow down services in sectors where speed is crucial.
For ordinary internet users, the suspended provisions have more immediate significance, as they regulate the content shared or commented on, where even casual remarks could have led to criminal charges.
Although this judicial pause temporarily protects Kenyans from such risks, the ambiguity around what constitutes “false” or “misleading” information will be clarified during the next court hearing scheduled for November 11.