On 16th May 2018, the President signed the Computer Misuse and Cybercrimes Bill (“the Act”) which will come into force on 30th May, 2018. The Act provides for offences relating to computer systems and is expected to enable timely and effective detection, prohibition, prevention, response, investigation and prosecution of computer and cybercrimes. It will also facilitate international co-operation in dealing with computer and cybercrime matters.
The objects of the Act are to:
- protect the confidentiality, integrity and availability of computer systems, programs and data;
- prevent the unlawful use of computer systems;
- facilitate the prevention, detection, investigation, prosecution and punishment of cybercrimes;
- protect the rights to privacy, freedom of expression and access to information as guaranteed under the Constitution; and
- facilitate international co-operation on matters covered under the Act.
- The National Computer and Cybercrimes Co-ordination Committee
The law creates the National Computer and Cybercrimes Co-ordination Committee (“the Committee”). The role of this committee includes advising the Government on security related aspects touching on matters relating to blockchain technology, critical infrastructure, mobile money and trust account. The Committee shall also advise the National Security Council on computer and cybercrimes and shall receive and act on reports relating to computer and cybercrimes.
- Offences
The Act provides for various offences including unauthorised access, unauthorised interference, unauthorised interception, unauthorised disclosure of passwords, cyber espionage, false publications, child pornography, cyber terrorism and wrongful distribution of obscene or intimate images. The Act also deals with computer forgery, computer fraud, cyber harassment, publication of false information, cybersquatting, identity theft and impersonation, phishing, interception of electronic messages or money transfers, willful misdirection of electronic messages and fraudulent use of electronic data among other cybercrimes.
- Hacking– The Act covers a range of offences commonly referred to as hacking including unauthorised access, unauthorised interference, unauthorised interception and access with an intention to commit a further offence. These crimes carry a penalty of a fine of between Kshs. 5 million and Kshs. 10 million (approximately between US$ 50,000 and US$ 100,000) or a jail term of between 3 years and 10 years. Where hacking results in financial loss, causes death/ physical /psychological injury, threatens national security, public health or public security the offence may carry a fine of up to Kshs. 20 million (approximately US$ 200,000). Further trading in hacking tools is also criminalized under the Act. If convicted a person shall be liable to imprisonment for a term not exceeding 10 years of a fine not exceeding Kshs. 10 million (approximately US$ 100,000) or to both fine and imprisonment.
- Unauthorised disclosure of passwords or access codes-The offence carries a jail term of up to 3 years or a fine not exceeding Kshs. 5 million (approximately US$ 500,000) or to both fine and jail term. Further if the offence is committed on a protected computer system such a government system, banks system etc., the accused will be liable to an aggravated penalty of up to 20 years imprisonment or a fine not exceeding Kshs. 20 million (approximately US$ 200,000) or both.
- Cyber espionage-Unauthorised access of a computer system to intercept data and obtain information with the intention of directly or indirectly benefiting a foreign state against Kenya is criminalized under the Act. The Act provides different variations of the offence and if convicted one may be liable to a jail term of 10 years and in some instance life imprisonment.
- Fake news-The Act outlaws “false publications” and the “publication of false information”. Section 22 of the Act criminalises the intentional publication of false, misleading or fictitious data with the intent that it is acted upon or considered authentic. The offence carries a fine of up to Kshs. 5 million (approximately US$ 50,000) or imprisonment for a term not exceeding 2 years. Further section 23 criminalises the publication of false information that is calculated or cause panic, chaos or violence or which is likely to discredit the reputation of a person. Upon conviction, one shall be liable to a fine not exceeding Kshs. 5million (approximately US$ 50,000) or to imprisonment for a term not exceeding ten years, or to both. This section of the Act has been criticised as an attempt to criminalise defamation which was held to be unconstitutional.
- Cyber harassment– The Act outlaws any online conduct that causes apprehension or fear of violence or loss/ damage to property, detrimentally affects a person, or is indecent and gross. The offence carries a fine of Kshs. 20 million (approximately US$ 200,000), a 10 year prison term or both. Further victims of ongoing cyber harassment may obtain court orders to put an end to the harassment even outside court working hours. A court may also order online service providers to provide the perpetrators’ subscriber information for purposes of identifying the perpetrator.
- Cybersquatting– Section 2 of the Act defines cybersquatting as the acquisition of a domain name over the internet in bad faith to profit, mislead, destroy reputation, or deprive another from registering the same, if the domain name is-
(a) similar, identical or confusingly similar to an existing trademark registered with the appropriate government agency at the time of registration;
(b) identical or in any way similar with the name of a person other than the registrant, in case of a personal name; or
(c) acquired without right or IP interests in it.
The offence carries a fine of Kshs, 200,000.00 (approximately US$ 2,000) or imprisonment for a term not exceeding 2 years or both.
- Impersonation-Any person who fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person commits an offence and is liable, on conviction, to a fine not exceeding Kshs. 200,000.00 (approximately US$ 2,000) or to imprisonment for a term not exceeding 3 years or both.
- Erroneous electronic payment-Any person who hides or detains any electronic mail or payment delivered to him in error shall commit an offence and shall be liable upon convinction to a fine not exceeding Kshs. 200,000.00 (approximately US$ 2,000) or imprisonment for a term not exceeding 2 years or to both.
- Revenge pornography-The Act criminalises the distribution of any sexual explicit images or videos of a person without their consent. The offence carries a penalty of imprisonment for a term not exceeding 2 years or a fine of up to Kshs. 200,000.00 (approximately US$ 2,000) or both.
- Child pornography-The publication, production and distribution of child pornography is an offence under the Act. A person convicted of the offence shall be liable to a fine not exceeding Kshs. 20 milion (approximately US$ 200,000) or to imprisonment for a term not exceeding 25 years or both.
- Employee responsibility– Employees are required to relinquish all codes and access rights to their employer’s computer network or system immediately upon termination of employment. An employee who fails to surrender such passwords and access codes shall commit an offence and shall upon conviction be liable to a fine not exceeding Kshs. 200,000.00 (approximately US$ 2,000) or imprisonment for a term not exceeding 2 years, or to both.
- Investigation procedures
Part IV of the Act outlines the investigation procedures to be followed in relation to an offence under the Act.
On 29th May 2018, in a suit challenging the constitutionality of some parts of the Act, A suit has now been filled challenging the constitutionality of some of the provisions of the Act, the High Court issued conservatory orders suspending some sections of the Act from coming into effect. The sections suspend mostly prescribe the offences under the Act. The matter shall be heard in June and we shall update our readers on the further developments.
The Act is available here.
Please contact us at Info@cfllegal.com should you require further information.