Authored By: Nurdin Hassan
University of Nairobi
1. ABSTRACT
Kenya’s Computer Misuse and Cybercrimes (Amendment) Bill, 2024 seeks to modernise the country’s cyber governance framework in response to rising digital threats targeting mobile money platforms, critical infrastructure and online information spaces. While the Bill is framed as a necessary national security measure, it has sparked constitutional debate over whether certain provisions — particularly those expanding surveillance powers and criminalising online expression — may risk infringing the rights to privacy and freedom of expression under Articles 31 and 33 of the Constitution. This article adopts a neutral analytical approach to evaluate whether the proposed amendments strike a proportionate balance between safeguarding cybersecurity and protecting civil liberties. It critically assesses the Bill’s legal, constitutional and policy implications and concludes with recommendations for rights-centred yet security-effective reform.
2. INTRODUCTION
Kenya’s rapid digitisation — particularly through mobile money, e‑governance systems and social media — has fundamentally transformed how citizens communicate, transact and participate in public life. Yet this transformation has also exposed the nation to increasingly sophisticated cyber threats, ranging from SIM‑swap fraud and financial scams to disinformation campaigns and cyber‑harassment targeting critical infrastructure.1 In response, Parliament introduced the Computer Misuse and Cybercrimes (Amendment) Bill, 2024,2 aimed at strengthening the enforcement powers and scope of the existing 2018 Act.3 While the Bill is framed as a necessary legislative response to escalating digital insecurity, it has provoked contentious constitutional debate — particularly concerning whether its expanded offences and surveillance provisions risk infringing freedom of expression and privacy as protected under Articles 31 and 33 of the Constitution.4
This article adopts a neutral and analytical perspective to examine whether the proposed amendments appropriately balance national security interests with constitutional civil liberties, or whether they risk enabling disproportionate state control over online expression. The objective is to assess the constitutionality, necessity and proportionality of the Bill within Kenya’s broader digital governance framework.
3. RESEARCH METHODOLOGY
This article adopts a primarily doctrinal and analytical research methodology. It relies on a critical examination of statutory provisions within the Computer Misuse and Cybercrimes Act, 2018 and the proposed 2024 Amendment Bill5, alongside relevant constitutional provisions under the 2010 Constitution.6 The analysis is further supported by jurisprudence from Kenyan courts, comparative insights from international cyber law frameworks, and scholarly commentary on digital rights and cybersecurity regulation. The objective is to evaluate the Bill’s legality, constitutional compatibility and policy implications through a rights-based proportionality lens.
4. LEGAL FRAMEWORK
Kenya enacted the Computer Misuse and Cybercrimes Act (CMCA) in 2018 with the objective of criminalising cyber-enabled offences, enhancing digital security and empowering law enforcement to respond to emerging cyber threats.7 The Act addresses offences such as unauthorised access, cyber fraud, identity theft, cyber harassment and publication of false information. However, several provisions — particularly those relating to speech offences — were challenged in court for allegedly infringing constitutional rights, leading to the landmark decision in BAKE v Attorney General (2019), where the High Court suspended enforcement of Section 84D (criminalising publication of false information), finding it overly vague and a disproportionate limitation on Article 33. Other cases such as Katiba Institute v. Attorney General (2020) further questioned surveillance powers under Section 28 for lacking adequate judicial oversight, thereby threatening the right to privacy under Article 31.8
The 2024 Amendment Bill seeks to expand and strengthen the CMCA by introducing broader definitions of cybercrime, enhancing investigatory powers and imposing stricter penalties. It also introduces provisions targeting deepfake content, SIM-swap fraud, and digital misinformation. Key proposed amendments include:
- Expansion of Section 22 to criminalise dissemination of “false or manipulated digital content,” including AI-generated deepfakes, with harsher penalties.
- Revision of Section 23 to cover SIM-swap fraud and unauthorised interference with mobile money accounts.
- Introduction of enhanced investigatory powers under Section 28, enabling law enforcement to compel service providers to provide real-time interception of communication data.
- Broadened definition of cyber harassment under Section 27, potentially extending to politically charged online speech.
These provisions have raised concern among civil society and digital rights advocates for their potential vagueness and susceptibility to misuse against journalists, activists and opposition voices. Concerns have also been raised that certain clauses may enable increased state surveillance and control over online discourse.
Constitutionally, the Bill intersects directly with Article 31, which protects the right to privacy, and Article 33,9 which guarantees freedom of expression subject only to the limitations permitted under Article 24. Therefore, any amendments must satisfy the constitutional test of reasonableness, necessity and proportionality in limiting rights within a democratic society.
5. JUDICIAL INTERPRETATION
Kenyan courts have played a pivotal role in defining the constitutional limits of the Computer Misuse and Cybercrimes Act, particularly where its provisions intersect with fundamental rights. In BAKE v Attorney General (2019)10, the High Court suspended the enforcement of Section 84D, which criminalised “publication of false information,” ruling that its wording was vague, subjective and likely to chill legitimate expression. The Court held that any limitation on Article 33 must satisfy the Article 24 test — it must be reasonable, justifiable and proportionate in a democratic society.11
Similarly, in Katiba Institute & Article 19 v Attorney General (2020)12, the High Court questioned the constitutionality of Section 28, which allowed state agencies to intercept private communications. The Court emphasised that surveillance powers must be subject to strict judicial oversight to protect Article 31 rights to privacy.
In Republic v Cyprian Nyakundi (2021)13, involving alleged cyber harassment, the courts signalled caution, holding that criminal law should not be used to stifle online criticism or dissent unless it crosses into clearly defined harm, such as incitement or targeted malicious attacks. In summary, judicial interpretation demonstrates a consistent trend toward upholding digital rights and requiring precision, necessity and proportionality in cybersecurity legislation.
6. ANALYSIS
The 2024 Amendment Bill addresses genuine and escalating cybersecurity threats — particularly financial fraud, deepfake manipulation and coordinated digital misinformation — all of which pose real risks to Kenya’s digital economy and democratic stability. From a national security perspective, the Bill reflects a reasonable legislative response to evolving cybercriminal tactics and aligns with global trends in strengthening digital resilience.
However, concerns arise from the vagueness and breadth of certain provisions which expand criminal liability to “false or manipulated digital content” without narrowly defining thresholds of harm. This risks criminalising legitimate journalistic reporting, satire or political commentary. Moreover, the expanded surveillance powers under Section 28 potentially undermine the constitutional requirement for judicial oversight and data protection safeguards. A key constitutional test is proportionality — whether the State’s security objectives could be achieved through less restrictive means, such as independent oversight bodies, judicial warrants or tiered offences distinguishing malicious intent from mere error. Comparative frameworks, such as the African Declaration on Internet Rights and Freedoms and UN Human Rights Committee standards, emphasise transparency, necessity and strict legality in restricting online expression.
Thus, while the Bill is justifiable in its aim, its current drafting risks enabling disproportionate state control over digital discourse unless accompanied by clearer safeguards and narrower definitional precision.
7. RECENT DEVELOPMENTS
Since the Bill’s introduction, developments on multiple fronts have shaped the policy and litigation landscape.
a) Judicial action and litigation: Key speech-related provisions have faced judicial scrutiny. In October 2025, the High Court issued conservatory orders suspending enforcement of Sections 27(1)(b), (c) and (2) (cyber harassment and false information) pending constitutional petitions brought by Dr. Reuben Kigame and the Kenya Human Rights Commission.14 These orders illustrate continued judicial vigilance where digital rights and legislative clarity collide.
b) Parliamentary process and executive response: The Bill was tabled for committee consideration and parliamentary debate, with legislative drafters and the Ministry of ICT defending the amendments as necessary to combat escalating SIM-swap fraud, deepfakes and large-scale disinformation campaigns. Parliamentarians have signalled openness to refining clauses following stakeholder input, although political pressures around security concerns remain significant.
c) Civil society and media reaction: Organisations such as ARTICLE 19,15 KICTANet and the Bloggers Association of Kenya have publicly criticised broad drafting and the NC4’s expanded powers, calling for judicial oversight, narrow definitions and proportional sanctions. Media houses and journalism bodies emphasised the risk to investigative reporting and whistleblowing.
d) Private sector impact and compliance: Telecommunications companies, fintech platforms and cloud service providers have been urged to update incident-reporting protocols, enhance SIM-registration systems and prepare for potential NC4 directives. Legal advisory firms — including local practitioners — have circulated guidance to businesses on compliance and risk mitigation while litigation remains pending.
e) Regional and international context: Kenya’s reform efforts occur alongside regional moves toward harmonised cyber norms (e.g. AU instruments) and global debates on balancing cybersecurity with human rights (EU, UN norms). Comparative jurisprudence — notably India’s Shreya Singhal decision and Nigerian case law — continues to inform Kenyan judicial reasoning and legislative caution.
In summary, recent developments reveal a contested but dynamic policy space: the state’s cybersecurity imperatives are compelling, yet civil society and courts are actively checking potential overreach. Ongoing litigation and parliamentary amendments are likely to further shape the final balance between security and rights.
8. RECOMMENDATIONS
To ensure the 2024 Amendment Bill effectively combats cybercrime while upholding constitutional rights, the following reforms are recommended:
- Narrow and precisely define speech-related offences — Terms such as “false or manipulated digital content” should be limited to content that causes demonstrable harm (e.g. financial fraud, incitement to violence, electoral sabotage) to avoid criminalising satire, journalism or political dissent.
- Guarantee judicial oversight over surveillance powers — Any real-time interception or access to personal data under Section 28 should require prior judicial warrant, with strict time limits and reporting obligations to prevent abuse.
- Introduce tiered penalties based on intent and harm — Differentiate malicious cybercrime from unintentional or low-risk conduct, preventing excessive criminalisation of ordinary online users.
- Establish an independent digital rights oversight body — A rights-focused institution (e.g. under the Data Commissioner or Judiciary) should audit state use of cyber laws, publish compliance reports and receive public complaints.
- Align with regional and international norms — Kenya should harmonise its cyber laws with African Union and UN human rights standards to remain globally credible while maintaining strong digital security.
- Enhance public awareness and digital literacy — Rather than solely punitive enforcement, the state should invest in public education on cyber hygiene, misinformation awareness and responsible digital engagement.
These reforms would ensure a proportional, accountable and future-proof cybersecurity regime that protects both national security and democratic freedoms.
9. CONCLUSION
The Computer Misuse and Cybercrimes (Amendment) Bill, 2024 represents a critical step in Kenya’s effort to safeguard its rapidly evolving digital ecosystem against emerging cyber threats. Its objectives — particularly combating digital fraud, deepfake manipulation and national security risks — are legitimate and timely. However, as demonstrated through judicial precedents and stakeholder reactions, overly broad or vague provisions risk undermining the constitutional guarantees of privacy and freedom of expression under Articles 31 and 33. This article has highlighted the importance of adopting a proportionate, rights-sensitive regulatory approach. Cybersecurity legislation must be effective, but also transparent, narrowly tailored and subject to judicial oversight. Ultimately, the challenge is not whether Kenya should regulate cyberspace, but how it does so — ensuring that national security is strengthened without enabling digital authoritarianism. The path forward must therefore prioritise a balanced legal framework that simultaneously protects citizens from cyber harms and preserves the democratic values that underpin the Constitution.
10. BIBLIOGRAPHY
Computer Misuse and Cybercrimes Act, No. 5 of 2018 (Kenya).
Computer Misuse and Cybercrimes (Amendment) Bill, 2024.
Constitution of Kenya, 2010, Articles 24, 31, 33.
Bloggers Association of Kenya (BAKE) v Attorney General [2018] eKLR.
Katiba Institute & Article 19 v Attorney General [2020] eKLR.
Shreya Singhal v Union of India (2015) 5 SCC 1 (India).
ARTICLE 19, “Kenya: Cybercrimes Amendment Bill 2024 Analysis”.
Kenya ICT Action Network (KICTANet) Policy Briefs.
National Institute of Standards and Technology (NIST) Glossary.
International Covenant on Civil and Political Rights (ICCPR)
1 Digital Economy Report, UNCTAD (2023)
2 https://share.google/D0iXHSjrksERTpq6I
3 Kenya Gazette Supplement No. 44 The Computer Misuse and Cybercrimes (Amendment) Bill, 2024.
4 Constitution of Kenya, 2010, Art. 33(1).
5 Computer Misuse and Cybercrimes (Amendment) Bill, 2024 (Kenya Gazette Supplement).
6 Constitution of Kenya (2010).
7 Computer Misuse and Cybercrimes Act, No. 5 of 2018 (Kenya)
8 Id. Art. 31, 24.
9 Constitution of Kenya 2010, arts. 33.
10 Bloggers Association of Kenya (BAKE) v. Attorney General, Petition No. 206 of 2018 (2020) eKLR.
11 Id.
12 Katiba Institute & Another v. Attorney General, Petition No. 251 of 2019 (2023) eKLR
13 Republic v. Cyprian Nyakundi, [2021] eKLR.
14 https://share.google/Y7G8q6s6dIlVyokN5
15 Kenya ICT Action Network (KICTANet), Policy Brief on the Computer Misuse & Cybercrimes (Amendment) Bill (2024)





