Regular cyber-attacks and attempts carried out on both private sector and government bodies are now a real threat, one that cannot be ignored and must be proactively dealt with. Successful attacks in the recent past have brought about devastating financial and reputational impacts on the victims. Increasing use of technology, digitization of systems and growing e-commerce trends mean that the number of Kenyan citizens and organizations vulnerable to cyber attacks is high. Despite its benefits, the use of technology comes with its fair share of risks.
As the use, adaptation and consumption of technology becomes more widespread, the country has become exposed to the dangers that come with its use ranging from identity theft to cyber terrorism. Even organizations with the best information security strategy have had challenges when dealing with cyber criminals after an attack since the existing criminal law was not complementary. Cyber criminals have previously exploited loopholes in the domestic laws to avoid prosecution.
Kenya has, in line with its development goals, massively invested in the information technology sector as a vehicle for economic prosperity.
The first draft of the Computer Misuse and Cybercrimes Act was initiated by a multi- governmental committee in 2015 as the Computer and Cybercrime Bill. This bill was subjected to parliamentary review and amendment which resulted to the final version that received presidential assent on the 16th of May 2018.
Objectives of the Act
The Act aims to counter the evolution of crime through technology. It seeks to bridge the gap between advancement in technology and its regulation.
Generally, the Act addresses the following emerging issues in the cybersphere;
1. Unlawful use of computer systems;
2. Prevention, detection, investigation, prosecution and punishment of cybercrimes;
3. Protection of rights to privacy, freedom of expression and access to information as guaranteed under the Constitution; and
4. Facilitation of international cooperation on matters covered under the Act.
The Act is divided as follows;
a) Part II-National Computer and Cybercrimes Committee
The role of this committee will be to advise the government on security related in the technological field. The committee will also coordinate collection and analysis of cyberthreats for the country as well as be responsible for establishing the codes of cybersecurity practice and standards of performance for implementation by owners of critical national information infrastructure such as telecommunication service providers. This measure is important as it acknowledges that technological infrastructure is essential to the nation and thus it creates safeguards and regulation which was previously absent in the sector. Previously, the approach to such emerging issues was spearheaded by the parent ministry in collaboration with various state agencies. Regulation was highly dependent on the industry or sector and in some instances a multi-agency approach was used. We expect to see this committee very busy in the year as they provide regulations and guidelines on emerging issues in technology such as blockchain, cryptocurrency and artificial intelligence.
b) Part III-Offences
Prior to this Act, cybercrime offences were not exhaustively provided for in the Penal Code and other subsidiary legislation. The evolution of cyberspace has seen technology facilitating the perpetration of cybercrimes both domestically and internationally as well as aggravating the impact of the same. Part II of the Act deals with offences and their corresponding penalties. The inclusion of the definition of offences will greatly enhance the capability of law enforcement agencies to carry out investigations and prosecute cyber criminals. The offences cut across both individual and corporate actions and omissions. At the tail end of this article, we list a summary of the offences and their corresponding penalties. Notably, as at the date of this article, there was a ruling issued by High Court Judge Hon. (Mr.) Chacha Mwita suspending 26 sections of this Act. The conservatory orders suspended the offences in Sections 22-24,27-29,31-41(highlighted in purple below) due to the issues raised on infringement of fundamental rights guaranteed under the Constitution.
c) Part IV-Investigative Procedures
Prior to the Act, there was no legal framework providing for the investigation and prosecution of cybercrime, specifically the collection of evidence. The Act brings certainty to a previously unexplored area of the law since it now provides for clear mechanisms in the collection of electronic evidence and investigation thereof. Procedure relating to; search and seizure of computer data; recording of access to seized data; preservation and partial disclosure of traffic data; real time collection of traffic data and; interception of data is clearly outlined. The Honorable Court in the above mentioned case also suspended sections 48-53 which detailed the investigation procedures to be followed.
d) Part V-International Cooperation
The global nature of technology makes it impossible for a single jurisdiction to regulate and enforce its cybersecurity laws efficiently. There is therefore a need for different countries to foster ties and facilitate collaboration in regulation and enforcement of cybersecurity law s. The Act at Part V seeks to address this need by providing for international cooperation between Kenyan law enforcement agencies and their colleagues from other countries to allow for the investigation of crimes that take place across multiple jurisdictions. The Act requires that it is read together with the Extradition (Contiguous & Foreign Countries) Act, 2011 and the Mutual Legal Assistance Act, 2011 which house salient provisions for International Criminal Law. Harmonization of these laws is essential as it allows for seamless prosecution of international crimes by law enforcement agencies. The hindrances presented by jurisdictional differences are done away with. The Act also provides for the establishment of the Central Authority (Office of the Attorney General) which will be the main point of contact in international cooperation under the Act. This will obviously lead to better cooperation, faster and efficient investigation of crime as having a single point of contact reduces the bureaucracy that is associated with having numerous agencies carrying out similar functions.
e) Part VI-Extraterritorial Jurisdiction
Section 66 of the Act provides for the extraterritorial nature of the Act. This allows for the application of the Act outside Kenyan borders. This means that the Act can be applied to Kenyan citizens or residents carrying out crimes while outside Kenya as well as foreigners who carry out crimes against Kenyan citizens, residents and entities regardless of their geographical location.
f) Prevailing Clause
Technology cuts across a myriad of sectors possibly regulated by other laws. Section 68 of the Act has a prevailing clause which provides that the Act will supersede any other law in case of conflict.
The Computer Misuse and Cybercrimes Act is a step in the right direction. However, it will need to be supplemented with regulations and guidelines in order to effectively address emerging issues such as Artificial Intelligence and Financial Technology which undoubtably pose a challenge to the dynamics of the regulation and enforcement of cybersecurity laws.
This post was first published in "the Above Standard", a publication of TRIPLEOKLAW advocates, Issue 001 June 2018; Written by:Catherine Kariuki Mulika, Janet Othero, Fiona Makaka & Robert Dachi