An Act of Parliament to amend the Computer Misuse and Cybercrimes Act, CAP 79C and for connected purposes.
CLAUSE NO. | CONTENTS OF THE CLAUSE | OUR COMMENTS |
---|---|---|
Clause 2 Amendment of section 2 of Cap 79C | Section 2 of the Computer Misuse and Cybercrimes Act (in this Act referred to as the “principal act”), is amended - | |
| | (a) in the definition of “access” by inserting the words “through a program or a device or” immediately after the words “by a person”; and | The amendment broadens the scope of unauthorised access by explicitly including entry "through a program or a device." This expansion enhances the ability to prosecute cybercrimes involving automated attacks, malware, and hacking tools. |
| | (b) by inserting the following new definitions in their alphabetical sequence- | |
| | “asset” includes all property movable or immovable, physical or virtual and all estates, easements and rights whether equitable or legal in, over or out of property, choses-in-action, money or goodwill whether situated in Kenya or elsewhere; | The expansion of the definition of “asset” to include virtual assets aligns with the evolving nature of digital finance, property, and cyber-related economic transactions. This amendment enhances the legal recognition of intangible assets, ensuring that emerging financial instruments such as cryptocurrencies, non-fungible tokens (NFTs), and other digital assets fall within the scope of the Act. However, the definition lacks specificity regarding the classification of virtual assets, which may create legal uncertainty. The amendment should distinguish between different categories of virtual assets, including tokenised securities, digital currencies, and decentralised financial instruments, to provide clearer guidance on their legal treatment. Additionally, the definition should account for intellectual property rights, digital credits, and domain names, which are increasingly recognised as assets in digital commerce. |
| | “identity theft” means the use of another person’s personal identification information including the name, identification number, SIM-card, bank card, bank account information address or any other subscriber information; | The proposed definition expands the legal framework for combating digital fraud and unauthorised use of personal data. Additionally, it clarifies the scope of the offence in Section 29 of the principal Act (Identity theft and Impersonation). However, the definition seems incomplete, as it does not specify whether identity theft requires fraudulent intent or financial harm; certain uses of personal information, such as parody accounts or investigative journalism, could otherwise fall within its scope. The term “any other subscriber information” is vague. We recommend that the definition account for partial identity misuse, where only certain aspects of a person’s identity, such as an email address or phone number, are used deceptively. We further recommend a more precise definition that also differentiates between identity cloning, synthetic identity fraud, and unauthorised impersonation to ensure that the law adequately captures all forms of digital identity misuse without inadvertently criminalising legitimate activities. The amendment should also specifically address emerging concerns such as biometric data theft, deepfake-generated identity fraud, and unauthorised access to cloud-based digital profiles, which pose increasing risks in an evolving technological landscape. |
| | “SIM-card” has the meaning assigned to it under the Kenya Information and Communications Act, 1998; | Aligning the definition of a SIM-card with the definition under the Kenya Information and Communications Act ensures consistency in telecommunications laws. However, the definition does not adequately address advancements such as embedded SIMs (e-SIMs) and virtual SIMs, which do not require a physical card and are increasingly used in modern mobile devices and Internet of Things applications. The lack of clarity on whether these technologies fall within the scope of the Act may create a challenge in enforcement. |
| | “terrorist act” has the meaning assigned to it under the Prevention of Terrorism Act, 2012 | The incorporation of the definition of “terrorist act” from the Prevention of Terrorism Act ensures legal consistency. The definition broadly encompasses acts that involve violence, threats to public safety, serious property damage, cyber-attacks on critical infrastructure, and coercion of governments or international organisations. |
| | “virtual account” means a digital account acquired through virtual representation. | This provision recognises digital financial systems, which is progressive given the rise of fintech. We recommend that the provision provide clear distinctions between types of virtual accounts (e.g., cryptocurrency wallets vs. online banking). It is also noteworthy that the term is not used in the principal Act. |
Clause 3 Amendment of section 6 of Cap 79C | Section 6 of the principal Act is amended in subsection (1) by inserting the following new paragraphs immediately after paragraph (j): (ja) where it is proved that a website or application promotes illegal activities, child pornography, terrorism, extreme religious and cultic practices, issue a directive to render the website or application inaccessible | This provision is intended to curb harmful content and protect digital users from illegal material. However, granting the National Computer and Cybercrimes Coordination Committee broad discretionary authority to issue directives for the restriction of access to websites or applications that are deemed to promote unlawful content, without a mechanism for judicial oversight, risks encroaching upon constitutionally enshrined rights, including freedom of expression and access to information. It is also imperative that the provision incorporate a clear framework for appeal to ensure due process and safeguard against potential misuse. |
Clause 4 Amendment of section 27 of Cap 79C | Section 27 of the principal Act is amended in subsection (1) by inserting the words “or is likely to cause them to commit suicide” immediately after the word “person” appearing in paragraph (b). | The inclusion of the phrase “likely to cause a person to commit suicide” seeks to enhance protection against cyber harassment and its psychological effects. However, its current wording is ambiguous, as it lacks clear criteria for establishing causation, which may result in arbitrary enforcement and could lead to the criminalisation of public discourse, activism, or political speech. The provision should therefore be refined to target clear cases of harassment and establish specific thresholds for liability, ensuring that it aligns with constitutional rights and due process. |
Clause 5 Amendment of section 30 of Cap 79C | Section 30 of the principal Act is amended- (a) by inserting the words “or makes a call” immediately after the words “sends a message”; and | Including phone calls under the provision on phishing expands the scope of cyber fraud offences by addressing evolving criminal tactics. |
Clause 6 Insertion of a new section 42A in Cap 79C. | The principal Act is amended by inserting the following new section immediately after section 42- 42A. A person who wilfully causes unauthorized alteration and unlawfully takes ownership of another person’s SIM-card with intent to commit an offence is liable on conviction, to a fine not exceeding Kenya Shillings two hundred thousand or to imprisonment for a term not exceeding two years, or to both. | This amendment addresses the growing issue of SIM-swap fraud, enhancing security in mobile transactions. |