Kenya Computer Misuse and Cybercrimes Act No. 5

THE COMPUTER MISUSE AND CYBERCRIMES
ACT, 2018
ARRANGEMENT OF SECTIONS
PART I—PRELIMINARY
Section
1—Short title.
2—Interpretation.
3—Objects of the Act.
PART II—THE NATIONAL COMPUTER AND
CYBERCRIMES CO-ORDINATION COMMITTEE
4—Establishment of Committee.
5—Composition of the Committee.
6—Functions of the Committee.
7—Secretariat of the Committee.
8—Reports by the Committee etc.
9—Critical information infrastructure.
10—Protection of critical information infrastructure.
11—Reports on critical information infrastructure.
12—Information sharing agreements.
13—Auditing of critical information infrastructures to
ensure compliance.
PART III—OFFENCES
14—Unauthorised access.
15—Access with intent to commit further offence.
16—Unauthorised interference.
17—Unauthorised interception.
18—Illegal devices and access codes.
19—Unauthorised disclosure of password or access
code.
20—Enhanced penalty for offences involving protected
computer system.
21—Cyber espionage.
22—False publications.
23—Publication of false information.
24—Child pornography.
25—Computer forgery.
26—Computer fraud.
27—Cyber harassment.
28—Cybersquatting.
29—Identity theft and impersonation.
30—Phishing.
31—Interception of electronic messages or money
transfers.
32—Willful misdirection of electronic messages.
33—Cyber terrorism.
34—Inducement to deliver electronic message.
35—Intentionally withholding message delivered
erroneously.
36—Unlawful destruction of electronic messages.
37—Wrongful distribution of obscene or intimate
images.
38—Fraudulent use of electronic data.
39—Issuance of false e-instructions.
40—Reporting of cyber threat.
41—Employee responsibility to relinquish access codes.
42—Aiding or abetting in the commission of an offence.
43—Offences by a body corporate and limitation of
liability.
44—Confiscation or forfeiture of assets.
45—Compensation order.
46—Additional penalty for other offences committed
through use of a computer system.
PART IV—INVESTIGATION PROCEDURES
47—Scope of procedural provisions.
48—Search and seizure of stored computer data.
49—Record of and access to seized data.
50—Production order.
51—Expedited preservation and partial disclosure of
traffic data.
52—Real-time collection of traffic data.
53—Interception of content data.
54—Obstruction and misuse of power.
55—Appeal.
56—Confidentiality and limitation of liability.
PART V—INTERNATIONAL CO-OPERATION
57—General principles relating to international cooperation.
58—Spontaneous information.
59—Expedited preservation of stored computer data.
60—Expedited disclosure of preserved traffic data.
61—Mutual assistance regarding accessing of stored
computer data.
62—Trans-border access to stored computer data with
consent or where publicly available.
63—Mutual assistance in the real-time collection of
traffic data.
64—Mutual assistance regarding the interception of
content data.
65—Point of contact.
PART VI—GENERAL PROVISIONS
66—Territorial jurisdiction.
67—Forfeiture.
68—Prevailing Clause.
69—Consequential Amendments.
PART VII—PROVISIONS ON DELEGATED
POWERS
70—Regulations.
SCHEDULE
THE COMPUTER MISUSE AND CYBERCRIMES ACT
No. 5 of 2018
Date of Assent: 16th May, 2018
Date of Commencement: 30th May, 2018
AN ACT of Parliament to provide for offences relating
to computer systems; to enable timely and effective
detection, prohibition, prevention, response,
investigation and prosecution of computer and
cybercrimes; to facilitate international co-operation
in dealing with computer and cybercrime matters;
and for connected purposes
ENACTED by the Parliament of Kenya as follows—
PART I—PRELIMINARY
1. This Act may be cited as the Computer Misuse and
Cybercrimes Act, 2018.
2. In this Act, unless the context otherwise requires —
“access” means gaining entry into or intent to gain
entry by a person to a program or data stored in a computer
system and the person either—
(a) alters, modifies or erases a program or data or any
aspect related to the program or data in the
computer system;
(b) copies, transfers or moves a program or data to —
(i) any computer system, device or storage
medium other than that in which it is stored; or
(ii) to a different location in the same computer
system, device or storage medium in which it
is stored;
(c) causes it to be output from the computer in which
it is held, whether by having it displayed or in any
other manner; or
(d) uses it by causing the computer to execute a
program or is itself a function of the program;
“Authority” means the Communications Authority of
Kenya;
Cap. 411A.
“authorised person” means an officer in a law
enforcement agency or a cybersecurity expert designated
by the Cabinet Secretary responsible for matters relating to
national security by notice in the Gazette for the purposes
of Part III of this Act;
“blockchain technology” means a digitized,
decentralized, public ledger of all crypto currency
transactions;
“Cabinet Secretary” means the Cabinet Secretary
responsible for matters relating to internal security;
“Central Authority” means the Office of the Attorney
General and Department of Justice;
No. 49 of 2012.
“Committee” means the National Computer and
Cybercrimes Co-ordination Committee established under
section 4;
“computer data storage medium” means a device,
whether physical or virtual, containing or designed to
contain, or enabling or designed to enable storage of data,
whether available in a single or distributed form for use by
a computer, and from which data is capable of being
reproduced;
“computer system” means a physical or virtual device,
or a set of associated physical or virtual devices, which use
electronic, magnetic, optical or other technology, to
perform logical, arithmetic storage and communication
functions on data or which perform control functions on
physical or virtual devices including mobile devices and
reference to a computer system includes a reference to part
of a computer system;
“content data” means the substance, its meaning or
purport of a specified communication;
“critical information infrastructure system or data”
means an information system, program or data that
supports or performs a function with respect to a national
critical information infrastructure;
“critical infrastructure” means the processes, systems,
facilities, technologies, networks, assets and services
essentials to the health, safety, security or economic
wellbeing of Kenyans and the effective functioning of
Government;
“cybersquatting” means the acquisition of a domain
name over the internet in bad faith to profit, mislead,
destroy reputation, or deprive another from registering the
same, if the domain name is —
(a) similar, identical or confusingly similar to an
existing trademark registered with the
appropriate government agency at the time of
registration;
(b) identical or in any way similar with the name of a
person other than the registrant, in case of a
personal name; or
(c) acquired without right or intellectual property
interests in it.
“data” means any representation of facts, information
or concepts in a form suitable for processing in a computer
system, including a program suitable to cause a computer
system to perform a function;
“interception” means the monitoring, modifying,
viewing or recording of non-public transmissions of data to
or from a computer system over a telecommunications
system, and includes, in relation to a function of a computer
system, listening to or recording a function of a computer
system or acquiring the substance, its meaning or purport of
such function;
“interference” means any impairment to the
confidentiality, integrity or availability of a computer
system, or any program or data on a computer system, or
any act in relation to the computer system which impairs
the operation of the computer system, program or data;
“mobile money” means electronic transfer of funds
between banks or accounts’ deposit or withdrawal of funds
or payment of bills by mobile phone;
“national critical information infrastructure” means a
vital virtual asset, facility, system, network or process
whose incapacity, destruction or modification would
have —
(a) a debilitating impact on the availability, integrity
or delivery of essential services including those
services, whose integrity, if compromised, could
result in significant loss of life or casualties; or
(b) significant impact on national security, national
defense, or the functioning of the state.
“network” means a collection of hardware
components and computers interconnected by
communications channels that allow sharing of resources
and information;
“password” means any data by which a computer
service or a computer system is capable of being obtained
or used;
“pornography” includes the representation in books,
magazines, photographs, films, and other media,
telecommunication apparatus of scenes of sexual behaviour
that are erotic or lewd and are designed to arouse sexual
interest;
“premises” includes land, buildings, movable
structures, a physical or virtual space in which data is
maintained, managed, backed up remotely and made
available to users over a network, vehicles, vessels or
aircraft;
“program” means data representing instructions or
statements that, if executed in a computer system, causes
the computer system to perform a function and reference to
a program includes a reference to a part of a program;
“requested State” means a state being requested to
provide legal assistance under the terms of this Act;
“requesting State” means a state requesting for legal
assistance and may for the purposes of this Act include an
international entity to which Kenya is obligated;
“seize” with respect to a program or data includes to—
(a) secure a computer system or part of it or a device;
(b) make and retain a digital image or secure a copy of
any program or data, including using an on-site
equipment;
(c) render the computer system inaccessible;
(d) remove data in the accessed computer system; or
(e) obtain output of data from a computer system;
“service provider” means —
(a) a public or private entity that provides to users of
its services the means to communicate by use of a
computer system; and
(b) any other entity that processes or stores computer
data on behalf of that entity or its users;
“subscriber information” means any information
contained in the form of data or any form that is held by a
service provider, relating to subscribers of its services,
other than traffic data or content data, by which can be
established —
(a) the type of communication service used, the
technical provisions taken thereto and the period
of service;
(b) the subscriber’s identity, postal, geographic
location, electronic mail address, telephone and
other access number, billing and payment
information, available on the basis of the service
agreement or arrangement; or
(c) any other information on the site of the installation
of telecommunication apparatus, available on the
basis of the service agreement or arrangement;
“telecommunication apparatus” means an apparatus
constructed or adapted for use in transmitting anything
which is transmissible by a telecommunication system or in
conveying anything which is transmitted through such a
system;
“telecommunication system” means a system for the
conveyance, through the use of electric, magnetic, electromagnetic, electro-chemical or electro-mechanical energy,
of—
(a) speech, music or other sounds;
(b) visual images;
(c) data;
(d) signals serving for the impartation, whether as
between persons and persons, things and things or
persons and things, of any matter otherwise than in
the form of sound, visual images or data; or
(e) signals serving for the activation or control of
machinery or apparatus and includes any cable for
the distribution of anything falling within
paragraphs (a), (b), (c) or (d);
“traffic data” means computer data relating to a
communication by means of a computer system, generated
by a computer system that formed a part in the chain of
communication, indicating the communication’s origin,
destination, route, time, date, size, duration or the type of
underlying service; and
“trust accounts” means an account where a bank or
trust company is holding funds in relation to mobile money
on behalf of the public depositors.
3. The objects of this Act are to—
(a) protect the confidentiality, integrity and
availability of computer systems, programs and
data;
(b) prevent the unlawful use of computer systems;
(c) facilitate the prevention, detection, investigation,
prosecution and punishment of cybercrimes;
(d) protect the rights to privacy, freedom of expression
and access to information as guaranteed under the
Constitution; and
(e) facilitate international co-operation on matters
covered under this Act.
PART II—THE NATIONAL COMPUTER AND
CYBERCRIMES CO-ORDINATION COMMITTEE
4. There is established the National Computer and
Cybercrimes Co-ordination Committee.
5. (1) The Committee shall comprise of —
(a) the Principal Secretary responsible for matters
relating to internal security or a representative
designated and who shall be the chairperson;
(b) the Principal Secretary responsible for matters
relating to information, communication and
technology or a representative designated in
writing by the Principal Secretary responsible for
information, communication and technology;
(c) the Attorney-General or a representative
designated in writing by the Attorney-General;
(d) the Chief of the Kenya Defence Forces or a
representative designated in writing by the Chief
of the Kenya Defence Forces;
(e) the Inspector-General of the National Police
Service or a representative designated in writing
by the Inspector-General of the National Police
Service;
(f) the Director-General of the National Intelligence
Service or a representative designated in writing
by the Director General of the National
Intelligence Service;
(g) the Director-General of the Communications
Authority of Kenya or a representative designated
in writing by the Director-General of the
Communications Authority of Kenya;
(h) the Director of Public Prosecutions or a
representative designated in writing by the
Director of Public Prosecutions;
(i) the Governor of the Central Bank of Kenya or a
representative designated in writing by the
Governor of the Central Bank of Kenya; and
(j) the Director who shall be the secretary of the
Committee and who shall not have a right to vote.
(2) The Committee shall report to the Cabinet
Secretary responsible for matters relating to internal
security.
6. (1) The Committee shall —
(a) advise the Government on security related aspects
touching on matters relating to blockchain
technology, critical infrastructure, mobile money
and trust accounts;
(b) advise the National Security Council on computer
and cybercrimes;
(c) co-ordinate national security organs in matters
relating to computer and cybercrimes;
(d) receive and act on reports relating to computer and
cybercrimes;
(e) develop a framework to facilitate the availability,
integrity and confidentiality of critical national
information infrastructure including
telecommunications and information systems of
Kenya;
(f) co-ordinate collection and analysis of cyber
threats, and response to cyber incidents that
threaten cyberspace belonging to Kenya, whether
such threats or incidents of computer and
cybercrime occur within or outside Kenya;
(g) co-operate with computer incident response teams
and other relevant bodies, locally and
internationally on response to threats of computer
and cybercrime and incidents;
(h) establish codes of cyber-security practice and
standards of performance for implementation by
owners of critical national information
infrastructure;
(i) develop and manage a national public key
infrastructure framework;
(j) develop a framework for training on prevention,
detection and mitigation of computer and
cybercrimes and matters connected thereto; and
(k) perform any other function conferred on it by this
Act or any other written law.
(2) Subject to the provisions of this Act, the
Committee shall regulate its own procedure.
7. (1) There shall be a Secretariat which shall
comprise of the Director and such number of public officers
that, subject to the approval of the Committee, the Cabinet
Secretary responsible for matters relating to internal
security in consultation with the Cabinet Secretary
responsible for matters relating to information,
communications and technology may deploy to the
Secretariat.
(2) The Director shall be —
(a) the head of the Secretariat; and
(b) responsible to the Committee for the day to day
administration of the affairs of the Secretariat and
implementation of the decisions arising from the
Committee.
(3) Without prejudice to the generality of the
provisions of subsection (2), the Director shall be
responsible for—
(a) the implementation of the decisions of the
Committee;
(b) the efficient administration of the Secretariat;
(c) the management of staff of the Secretariat;
(d) the maintenance of accurate records on financial
matters and resource use;
(e) the preparation and approval of the budget for the
required funding of the operational expenses of the
Secretariat; and
(f) the performance of any other duties as may be
assigned to him or her by the Committee.
(4) The Director shall be appointed for a single term
of four years and shall not be eligible for reappointment.
8. The Committee shall submit quarterly reports to the
National Security Council.
9. (1) The Director shall, by notice in the Gazette,
designate certain systems as critical infrastructure.
(2) The Director shall designate a system as a critical
infrastructure if a disruption of the system would result
in—
(a) the interruption of a life sustaining service
including the supply of water, health services and
energy;
(b) an adverse effect on the economy of the Republic;
(c) an event that would result in massive casualties or
fatalities;
(d) failure or substantial disruption of the money
market of the Republic; and
(e) adverse and severe effect of the security of the
Republic including intelligence and military
services.
(3) The Director shall, within a reasonable time of
designating a system as critical infrastructure, inform the
owner or operator of the system the reasons for the
designation of the system as a critical infrastructure.
(4) The Director shall, within a reasonable time of the
declaration of any information infrastructure, or category or
class of information infrastructure or any part thereof, as a
critical information infrastructure, in line with a critical
infrastructure framework issue directives to regulate —
(a) the classification of data held by the critical
information infrastructure;
(b) the protection of, the storing of and archiving of
data held by the critical information infrastructure;
(c) cyber security incident management by the critical
information infrastructure;
(d) disaster contingency and recovery measures,
which must be put in place by the critical
information infrastructure;
(e) minimum physical and technical security measures
that must be implemented in order to protect the
critical information infrastructure;
(f) the period within which the owner, or person in
control of a critical information infrastructure must
comply with the directives; and
(g) any other relevant matter which is necessary or
expedient in order to promote cyber security in
respect of the critical information infrastructure.
10. (1) The Committee shall within reasonable time
and in consultation with the owner or a person in control of
an identified critical information infrastructure, submit to
the National Security Council its recommendations of
entities to be gazetted as critical information
infrastructures.
(2) The Committee shall, after the gazettement under
subsection (1), in consultation with a person that owns or
operates the critical information infrastructure—
(a) conduct an assessment of the threats,
vulnerabilities, risks, and probability of a cyberattack across all critical infrastructure sectors;
(b) determine the harm to the economy that would
result from damage or unauthorized access to
critical infrastructure;
(c) measure the overall preparedness of each sector
against damage or unauthorized access to critical
infrastructure including the effectiveness of market
forces driving security innovation and secure
practices.
(d) identify any other risk-based security factors
appropriate and necessary to protect public health
and safety, or national socio-economic security;
and
(e) recommend to the owners of systems designated as
critical infrastructure, methods of securing their
systems against cyber threats.
11. (1) The owner or operator of a system designated
as critical infrastructure shall report to the Committee any
incidents likely to constitute a threat in the nature of an
attack that amounts to a computer and cybercrime and the
action the owner or operator intends to take to prevent the
threat.
(2) Upon receipt of a report by the Committee, under
subsection (1), the National Security Council shall provide
technical assistance to the owner or operator of a critical
infrastructure to mitigate the threat.
(3) The Director may institute an investigation of a
computer and cybercrime attack on his or her own volition
and may take necessary steps to secure any critical
infrastructure without reference to the entity.
(4) The Director shall submit a report on any threat in
the nature of a computer and cybercrime reported by the
owners or operators of critical infrastructure periodically to
the National Security Council.
12. (1) A private entity may enter into an information
sharing agreement with a public entity on critical
information infrastructure.
(2) An agreement under subsection (1) shall only be
entered into for the following purposes and in line with a
critical infrastructure framework—
(a) to ensure cyber security;
(b) for the investigation and prosecution of crimes
related to cyber security;
(c) for the protection of life or property of an
individual; and
(d) to protect the national security of the country.
(3) Prior to the sharing of information under
subsection (1), a party to an agreement shall review the
information and ascertain whether the information contains
personal details that may identify a specific person not
directly related to a threat that amounts to a computer and
cybercrime and remove such information.
(4) A person shall not, under this Part, share
information relating to the health status of another person
without the prior written consent of the person to whom the
information relates.
13. (1) The owner or person in control of a critical
information infrastructure shall annually submit a
compliance report on the critical information infrastructure
to the Committee in line with a critical infrastructure
framework in order to evaluate compliance.
(2) The Director, shall within a reasonable time before
an audit on a critical information infrastructure or at any
time there is an imminent threat in the nature of an attack
that amounts to a computer and cybercrime, notify the
owner or person in control of a critical information
infrastructure in writing —
(a) the date on which an audit is to be performed; and
(b) the particulars and contact details of the person
who is responsible for the overall management and
control of the audit.
(3) The Director shall monitor, evaluate and report on
the adequacy and effectiveness of any audit.
(4) The Director may request the owner or person in
control of a critical information infrastructure to provide
such additional information as may be necessary within a
specified period in order to evaluate the issues raised from
the audit.
(5) An owner or authorised person in control of a
critical information infrastructure commits an offence and
if convicted is liable to a fine not exceeding two hundred
thousand shillings or to term of imprisonment not
exceeding five years or both if the owner or authorized
person —
(a) fails to file a compliance report and fails to cooperate with an audit to be performed on a critical
information infrastructure in order to evaluate
compliance with the directives issued;
(b) fails to provide to the Director such additional
information as may be necessary within a specified
period in order to evaluate the report of an audit in
line with the critical infrastructure after he or she
has been requested to do so to the Director;
(c) hinders, obstructs or improperly attempts to
influence any member of the Committee, person or
entity to monitor, evaluate and report on the
adequacy and effectiveness of an audit;
(d) hinders, obstructs or improperly attempts to
influence any person authorized to carry out an
audit;
(e) fails to co-operate with any person authorized to
carry out an audit; or
(f) fails to assist or provide technical assistance and
support to a person authorized to carry out an
audit.
(6) A person shall not perform an audit on a critical
information infrastructure unless he or she —
(a) has been authorized in writing by the Director to
perform such audit; or
(b) is in possession of a certificate of appointment, in
the prescribed form, issued by the Director, which
certificate must be submitted to the owner or
person in control of a critical information
infrastructure at the commencement of the audit.
PART III—OFFENCES
14. (1) A person who causes, whether temporarily or
permanently, a computer system to perform a function, by
infringing security measures, with intent to gain access, and
knowing such access is unauthorised, commits an offence
and is liable on conviction, to a fine not exceeding five
million shillings or to imprisonment for a term not
exceeding three years, or to both.
(2) Access by a person to a computer system is
unauthorised if—
(a) that person is not entitled to control access of the
kind in question to the program or data; or
(b) that person does not have consent from any person
who is entitled to access the computer system
through any function to the program or data.
(3) For the purposes of this section, it is immaterial
that the unauthorised access is not directed at—
(a) any particular program or data;
(b) a program or data of any kind; or
(c) a program or data held in any particular computer
system.
15. (1) A person who commits an offence under
section 14 with intent to commit a further offence under
any law, or to facilitate the commission of a further offence
by that person or any other person, commits an offence and
is liable, on conviction, to a fine not exceeding ten million
shillings or to imprisonment for a term not exceeding ten
years, or to both.
(2) For the purposes of subsection (1), it is immaterial
that the further offence to which this section applies is
committed at the same time when the access is secured or
at any other time.
16. (1) A person who intentionally and without
authorisation does any act which causes an unauthorised
interference, to a computer system, program or data,
commits an offence and is liable on conviction, to a fine not
exceeding ten million shillings or to imprisonment for a
term not exceeding five years, or to both.
(2) For the purposes of this section, an interference is
unauthorised, if the person whose act causes the
interference —
(a) is not entitled to cause that interference;
(b) does not have consent to interfere from a person
who is so entitled.
(3) A person who commits an offence under
subsection (1) which,—
(a) results in a significant financial loss to any person;
(b) threatens national security;
(c) causes physical injury or death to any person; or
(d) threatens public health or public safety,
is liable, on conviction, to a fine not exceeding twenty
million shillings or to imprisonment for a term not
exceeding ten years, or to both.
(4) For the purposes of this section, it is immaterial
whether or not the unauthorised interference is directed
at—
(a) any particular computer system, program or data;
(b) a program or data of any kind; or
(c) a program or data held in any particular computer
system.
(5) For the purposes of this section, it is immaterial
whether an unauthorised modification or any intended
effect of it is permanent or temporary.
17. (1) A person who intentionally and without
authorisation does any act which intercepts or causes to be
intercepted, directly or indirectly and causes the
transmission of data to or from a computer system over a
telecommunication system commits an offence and is
liable, on conviction, to a fine not exceeding ten million
shillings or to imprisonment for a term not exceeding five
years, or to both.
(2) A person who commits an offence under
subsection (1) which —
(a) results in a significant financial loss;
(b) threatens national security;
(c) causes physical or psychological injury or death to
any person; or
(d) threatens public health or public safety,
is liable, on conviction to a fine not exceeding twenty
million shillings or to imprisonment for a term not
exceeding ten years, or to both.
(3) For the purposes of this section, it is immaterial
that the unauthorised interception is not directed at —
(a) a telecommunication system;
(b) any particular computer system data;
(c) a program or data of any kind; or
(d) a program or data held in any particular computer
system.
(4) For the purposes of this section, it is immaterial
whether an unauthorised interception or any intended effect
of it is permanent or temporary.
18. (1) A person who knowingly manufactures, adapts,
sells, procures for use, imports, offers to supply, distributes
or otherwise makes available a device, program, computer
password, access code or similar data designed or adapted
primarily for the purpose of committing any offence under
this Part, commits an offence and is liable, on conviction,
to a fine not exceeding twenty million shillings or to
imprisonment for a term not exceeding ten years, or to
both.
(2) A person who knowingly receives, or is in
possession of, a program or a computer password, device,
access code, or similar data from any action specified under
subsection (1) and intends that it be used to commit or
assist in commission of an offence under this Part commits
an offence and is liable on conviction, to a fine not
exceeding ten million shillings or to imprisonment for a
term not exceeding five years, or to both.
(3) Despite subsections (1) and (2), the activities
described under the subsections do not constitute an
offence if —
(a) any act intended for the authorised training, testing
or protection of a computer system; or
(b) the use of a program or a computer password,
access code, or similar data is undertaken in
compliance of and in accordance with the terms of
a judicial order issued or in exercise of any power
under this Act or any law.
(4) For the purposes of subsections (1) and (2),
possession of any program or a computer password, access
code, or similar data includes having —
(a) possession of a computer system which contains
the program or a computer password, access code,
or similar data;
(b) possession of a data storage device in which the
program or a computer password, access code, or
similar data is recorded; or
(c) control of a program or a computer password,
access code, or similar data that is in the
possession of another person.
Unauthorised disclosure of password or access code.
19. (1) A person who knowingly and without authority
discloses any password, access code or other means of
gaining access to any program or data held in any computer
system commits an offence and is liable, on conviction, to a
fine not exceeding five million shillings or to imprisonment
for a term not exceeding three years, or to both.
(2) A person who commits the offence under
subsection (1)—
(a) for any wrongful gain;
(b) for any unlawful purpose; or
(c) to occasion any loss,
is liable, on conviction, to a fine not exceeding ten
million shillings or to imprisonment for a term not
exceeding five years, or to both.
Enhanced penalty for offences involving protected computer system.
20. (1) Where a person commits any of the offences
specified under sections 14, 15, 16 and 17 on a protected
computer system, that person shall be liable, on conviction,
to a fine not exceeding twenty five million shillings or
imprisonment for a term not exceeding twenty years or
both.
(2) For purposes of this section —
“protected computer system” means a computer
system used directly in connection with, or necessary for,
(a) the security, defence or international relations of
Kenya;
(b) the existence or identity of a confidential source of
information relating to the enforcement of a
criminal law;
(c) the provision of services directly related to
communications infrastructure, banking and
financial services, payment and settlement systems
and instruments, public utilities or public
transportation, including government services
delivered electronically;
(d) the protection of public safety including systems
related to essential emergency services such as
police, civil defence and medical services;
(e) the provision of national registration systems; or
(f) such other systems as may be designated relating
to the security, defence or international relations of
Kenya, critical information, communications,
business or transport infrastructure and protection
of public safety and public services as may be
designated by the Cabinet Secretary responsible
for matters relating to information, communication
and technology.
Cyber espionage.
21. (1) A person who unlawfully and intentionally
performs or authorizes or allows another person to perform
a prohibited act envisaged in this Act, in order to —
(a) gain access, as provided under section 14, to
critical data, a critical database or a national
critical information infrastructure; or
(b) intercept data, as provided under section 17, to,
from or within a critical database or a national
critical information infrastructure, with the
intention to directly or indirectly benefit a foreign
state against the Republic of Kenya,
commits an offence and is liable, on conviction, to
imprisonment for a period not exceeding twenty years
or to a fine not exceeding ten million shillings, or to
both.
(2) A person who commits an offence under
subsection (1) which causes physical injury to any person is
liable, on conviction, to imprisonment for a term not
exceeding twenty years.
(3) A person who commits an offence under
subsection (1) which causes the death of a person is liable,
on conviction, to imprisonment for life.
(4) A person who unlawfully and intentionally
possesses, communicates, delivers or makes available or
receives, data, to, from or within a critical database or a
national critical information infrastructure, with the
intention to directly or indirectly benefit a foreign state
against the Republic of Kenya, commits an offence and is
liable on conviction to imprisonment for a period not
exceeding twenty years or to a fine not exceeding ten
million shillings, or to both.
(5) A person who unlawfully and intentionally
performs or authorizes, or allows another person to perform
a prohibited act as envisaged under this Act in order to gain
access, as provided under section 14, to or intercept data, as
provided under section 17, which is in possession of the
State and which is exempt information in accordance with
the law relating to access to information, with the intention
to directly or indirectly benefit a foreign state against the
Republic of Kenya, commits an offence and is liable, on
conviction, to a fine not exceeding five million shillings or
to imprisonment for a period not exceeding ten years, or to
both.
False publications.
22. (1) A person who intentionally publishes false,
misleading or fictitious data or misinforms with intent that
the data shall be considered or acted upon as authentic, with
or without any financial gain, commits an offence and shall,
on conviction, be liable to a fine not exceeding five million
shillings or to imprisonment for a term not exceeding two
years, or to both.
(2) Pursuant to Article 24 of the Constitution, the
freedom of expression under Article 33 of the Constitution
shall be limited in respect of the intentional publication of
false, misleading or fictitious data or misinformation that —
(a) is likely to —
(i) propagate war; or
(ii) incite persons to violence;
(b) constitutes hate speech;
(c) advocates hatred that —
(i) constitutes ethnic incitement, vilification of
others or incitement to cause harm; or
(ii) is based on any ground of discrimination
specified or contemplated in Article 27(4) of
the Constitution; or
(d) negatively affects the rights or reputations of
others.
Publication of false information.
23. A person who knowingly publishes information
that is false in print, broadcast, data or over a computer
system, that is calculated or results in panic, chaos, or
violence among citizens of the Republic, or which is likely
to discredit the reputation of a person commits an offence
and shall on conviction, be liable to a fine not exceeding
five million shillings or to imprisonment for a term not
exceeding ten years, or to both.
Child pornography.
24. (1) A person who, intentionally —
(a) publishes child pornography through a computer
system;
(b) produces child pornography for the purpose of its
publication through a computer system;
(c) downloads, distributes, transmits, disseminates,
circulates, delivers, exhibits, lends for gain,
exchanges, barters, sells or offers for sale, lets on
hire or offers to let on hire, offers in another way,
or make available in any way from a
telecommunications apparatus pornography; or
(d) possesses child pornography in a computer system
or on a computer data storage medium,
commits an offence and is liable, on conviction, to a
fine not exceeding twenty million or to imprisonment
for a term not exceeding twenty five years, or both.
(2) It is a defence to a charge of an offence under
subsection (1) that a publication which is proved to be
justified as being for the public good on the ground that
such book, pamphlet, paper, writing, drawing, painting, art,
representation or figure is in the interest of science,
literature, learning or other objects of general concerns.
(3) For purposes of this section —
“child” means a person under the age of eighteen
years;
“child pornography” includes data which, whether
visual or audio, depicts —
(a) a child engaged in sexually explicit conduct;
(b) a person who appears to be a child engaged in
sexually explicit conduct; or
(c) realistic images representing a child engaged in
sexually explicit conduct;
“publish” includes to —
(a) distribute, transmit, disseminate, circulate, deliver,
exhibit, lend for gain, exchange, barter, sell or
offer for sale, let on hire or offer to let on hire,
offer in any other way, or make available in any
way;
(b) having in possession or custody, or under control,
for the purpose of doing an act referred to in
paragraph (a); or
(c) print, photograph, copy or make in any other
manner whether of the same or of a different kind
or nature for the purpose of doing an act referred
to in paragraph (a).
Computer forgery.
25. (1) A person who intentionally inputs, alters,
deletes, or suppresses computer data, resulting in
inauthentic data with the intent that it be considered or
acted upon for legal purposes as if it were authentic,
regardless of whether or not the data is directly readable
and intelligible commits an offence and is liable, on
conviction, to fine not exceeding ten million shillings or to
imprisonment for a term not exceeding five years, or to
both.
(2) A person who commits an offence under
subsection (1), dishonestly or with similar intent —
(a) for wrongful gain;
(b) for wrongful loss to another person; or
(c) for any economic benefit for oneself or for another
person,
is liable, on conviction, to a fine not exceeding
twenty million shillings or to imprisonment for a
term not exceeding ten years, or to both.
Computer fraud.
26. (1) A person who, with fraudulent or dishonest
intent—
(a) unlawfully gains;
(b) occasions unlawful loss to another person; or
(c) obtains an economic benefit for oneself or for
another person, through any of the means
described in subsection (2),
commits an offence and is liable, on conviction, to a
fine not exceeding twenty million shillings or
imprisonment term for a term not exceeding ten years,
or to both.
(2) For purposes of subsection (1) the word “means”
refers to —
(a) an unauthorised access to a computer system,
program or data;
(b) any input, alteration, modification, deletion,
suppression or generation of any program or data;
(c) any interference, hindrance, impairment or
obstruction with the functioning of a computer
system;
(d) copying, transferring or moving any data or
program to any computer system, data or computer
data storage medium other than that in which it is
held or to a different location in any other
computer system, program, data or computer data
storage medium in which it is held; or
(e) uses any data or program, or has any data or
program output from the computer system in
which it is held, by having it displayed in any
manner.
Cyber harassment.
27. (1) A person who, individually or with other
persons, wilfully communicates, either directly or
indirectly, with another person or anyone known to that
person, commits an offence, if they know or ought to know
that their conduct —
(a) is likely to cause those persons apprehension or
fear of violence to them or damage or loss on that
persons’ property; or
(b) detrimentally affects that person; or
(c) is in whole or part, of an indecent or grossly
offensive nature and affects the person.
(2) A person who commits an offence under
subsection (1) is liable, on conviction, to a fine not
exceeding twenty million shillings or to imprisonment for a
term not exceeding ten years, or to both.
(3) A person may apply to Court for an order
compelling a person charged with an offence under
subsection (1) to refrain from—
(a) engaging attempting to engage in; or
(b) enlisting the help of another person to engage in,
any communication complained of under
subsection (1).
(4) The Court —
(a) may grant an interim order; and
(b) shall hear and determine an application under
subsection (4) within fourteen days.
(5) An intermediary may apply for the order under
subsection (4) on behalf of a complainant under this
section.
(6) A person may apply for an order under this section
outside court working hours.
(7) The Court may order a service provider to provide
any subscriber information in its possession for the purpose
of identifying a person whose conduct is complained of
under this section.
(8) A person who contravenes an order made under
this section commits an offence and is liable, on conviction
to a fine not exceeding one million shillings or to
imprisonment for a term not exceeding six months, or to
both.
Cybersquatting.
28. A person who, intentionally takes or makes
use of a name, business name, trademark, domain
name or other word or phrase registered, owned or in
use by another person on the internet or any other
computer network, without authority or right, commits
an offence and is liable on conviction to a fine not
exceeding two hundred thousand shillings or imprisonment
for a term not exceeding two years or both.
Identity theft and impersonation.
29. A person who fraudulently or dishonestly
makes use of the electronic signature, password or
any other unique identification feature of any other
person commits an offence and is liable, on conviction, to a
fine not exceeding two hundred thousand shillings or to
imprisonment for a term not exceeding three years or both.
Phishing.
30. A person who creates or operates a website or
sends a message through a computer system with the
intention to induce the user of a website or the recipient of
the message to disclose personal information for an
unlawful purpose or to gain unauthorized access to a
computer system, commits an offence and is liable upon
conviction to a fine not exceeding three hundred thousand
shillings or to imprisonment for a term not exceeding three
years or both.
Interception of electronic messages or money transfers.
31. A person who unlawfully destroys or aborts any
electronic mail or processes through which money or
information is being conveyed commits an offence and
is liable on conviction to a fine not exceeding two hundred
thousand shillings or to a term of imprisonment not
exceeding seven years or to both.
Willful misdirection of electronic messages.
32. A person who willfully misdirects electronic
messages commits an offence and is liable on conviction to
a fine not exceeding one hundred thousand shillings or to
imprisonment for a term not exceeding two years or to
both.
Cyber terrorism.
33. (1) A person who accesses or causes to be
accessed a computer or computer system or network for
purposes of carrying out a terrorist act, commits an offence
and shall on conviction, be liable to a fine not exceeding
five million shillings or to imprisonment for a term not
exceeding ten years, or to both.
(2) For the purpose of this section, “terrorist act” shall
have the same meaning as assigned under the Prevention of
Terrorism Act, 2012 (No. 30 of 2012).
Inducement to deliver electronic message.
34. A person who induces any person in charge of
electronic devices to deliver any electronic messages not
specifically meant for him commits an offence and is liable
on conviction to a fine not exceeding two hundred thousand
shillings or imprisonment for a term not exceeding two
years or to both.
Intentionally withholding message delivered erroneously.
35. A person who intentionally hides or detains any
electronic mail, message, electronic payment, credit and
debit card which was found by the person or delivered to
the person in error and which ought to be delivered to
another person, commits an offence and is liable on
conviction a fine not exceeding two hundred thousand
shillings or imprisonment for a term not exceeding two
years or to both.
Unlawful destruction of electronic messages.
36. A person who unlawfully destroys or aborts any
electronic mail or processes through which money or
information is being conveyed commits an offence and is
liable on conviction to a fine not exceeding two hundred
thousand shillings or imprisonment for a term not
exceeding two years, or to both.
Wrongful distribution of obscene or intimate images.
37. A person who transfers, publishes, or
disseminates, including making a digital depiction available
for distribution or downloading through a
telecommunications network or through any other means of
transferring data to a computer, the intimate or obscene
image of another person commits an offence and is liable,
on conviction to a fine not exceeding two hundred thousand
shillings or imprisonment for a term not exceeding two
years, or to both.
Fraudulent use of electronic data.
38. (1) A person who knowingly and without authority
causes any loss of property to another by altering, erasing,
inputting or suppressing any data stored in a computer,
commits an offence and is liable on conviction to a fine not
exceeding two hundred thousand shillings or imprisonment
for a term not exceeding two years, or to both.
(2) A person who sends an electronic message which
materially misrepresents any fact upon which reliance by
another person is caused to suffer any damage or loss
commits an offence and is liable on conviction to
imprisonment for a fine not exceeding two hundred
thousand shillings or imprisonment for a term not
exceeding two years, or to both.
(3) A person who with intent to defraud, franks
electronic messages, instructions, subscribes any electronic
messages or instructions, commits an offence and is liable
on conviction a fine not exceeding two hundred thousand
shillings or imprisonment for a term not exceeding two
years, or to both.
(4) A person who manipulates a computer or other
electronic payment device with the intent to short pay or
overpay commits an offence and is liable on conviction to a
fine not exceeding two hundred thousand shillings or
imprisonment for a term not exceeding two years, or to
both.
(5) A person convicted under subsection (4) shall
forfeit the proprietary interest in the stolen money or
property to the bank, financial institution or the customer.
Issuance of false e-instructions.
39. A person authorized to use a computer or other
electronic devices for financial transactions including
posting of debit and credit transactions, issuance of
electronic instructions as they relate to sending of
electronic debit and credit messages or confirmation of
electronic fund transfer, issues false electronic instructions,
commits an offence and is liable, on conviction, a fine not
exceeding two hundred thousand shillings or imprisonment
for a term not exceeding two years, or to both.
Reporting of cyber threat.
40. (1) A person who operates a computer system or a
computer network, whether public or private, shall
immediately inform the Committee of any attacks,
intrusions and other disruptions to the functioning of
another computer system or network within twenty four
hours of such attack, intrusion or disruption.
(2) A report made under subsection (1) shall include—
(a) information about the breach, including a
summary of any information that the agency
knows on how the breach occurred;
(b) an estimate of the number of people affected by
the breach;
(c) an assessment of the risk of harm to the affected
individuals; and
(d) an explanation of any circumstances that would
delay or prevent the affected persons from being
informed of the breach.
(3) The Committee may propose the isolation of any
computer systems or network suspected to have been
attacked or disrupted pending the resolution of the issues.
(4) A person who contravenes the provisions of
subsection (1) commits an offence and is liable upon
conviction a fine not exceeding two hundred thousand
shillings or imprisonment for a term not exceeding two
years, or to both.
Employee responsibility to relinquish access codes.
41. (1) An employee shall, subject to any contractual
agreement between the employer and the employee,
relinquish all codes and access rights to their employer’s
computer network or system immediately upon termination
of employment.
(2) A person who contravenes the provision of this
subsection (1) commits an offence and shall be, liable on
conviction, to a fine not exceeding two hundred thousand
shillings or imprisonment for a term not exceeding two
years, or to both.
Aiding or abetting in the commission of an offence.
42. (1) A person who knowingly and willfully aids or
abets the commission of any offence under this Act
commits an offence and is liable, on conviction, to a fine
not exceeding seven million shillings or to imprisonment
for a term not exceeding four years, or to both.
(2) A person who knowingly and willfully attempts to
commit an offence or does any act preparatory to or in
furtherance of the commission of any offence under this
Act, commits an offence and is liable, on conviction, to a
fine not exceeding seven million shillings or to
imprisonment for a term not exceeding four years, or to
both.
Offences by a body corporate and limitation of liability.
43. (1) Where any offence under this Act has been
committed by a body corporate —
(a) the body corporate is liable, on conviction, to a
fine not exceeding fifty million shillings; and
(b) every person who at the time of the commission of
the offence was a principal officer of the body
corporate, or anyone acting in a similar capacity, is
also deemed to have committed the offence, unless
they prove the offence was committed without
their consent or knowledge and that they exercised
such diligence to prevent the commission of the
offence as they ought to have exercised having
regard to the nature of their functions and to
prevailing circumstances, and is liable, on
conviction, to a fine not exceeding five million
shillings or imprisonment for a term not exceeding
three years, or to both.
(2) If the affairs of the body corporate are managed by
its members, subsection (1) (b) applies in relation to the
acts or defaults of a member in connection with their
management functions, as if the member was a principal
officer of the body corporate or was acting in a similar
capacity.
Confiscation or forfeiture of assets.
44. (1) A court may order the confiscation or forfeiture
of monies, proceeds, properties and assets purchased or
obtained by a person with proceeds derived from or in the
commission of an offence under this Act.
(2) The court may, on conviction of a person for any
offence under this Act make an order of restitution of any
asset gained from the commission of the offence, in
accordance with the provisions and procedures of the
Proceeds of Crime and Anti-Money Laundering Act, 2009
(No. 9 of 2009).
Compensation order.
45. (1) Where the court convicts a person for any
offence under this Part, or for an offence under any other
law committed through the use of a computer system, the
court may make an order for the payment by that person of
a sum to be fixed by the court as compensation to any
person for any resultant loss caused by the commission of
the offence for which the sentence is passed.
(2) Any claim by a person for damages sustained by
reason of any offence committed under this Part is deemed
to have been satisfied to the extent of any amount which
they have been paid under an order for compensation, but
the order shall not prejudice any right to a civil remedy for
the recovery of damages beyond the amount of
compensation paid under the order.
(3) An order of compensation under this section is
recoverable as a civil debt.
Additional penalty for other offences committed through use of a computer system.
46. (1) A person who commits an offence under any
other law through the use of a computer system commits an
offence and shall be liable on conviction to a penalty
similar to the penalty provided under that law.
(2) A Court shall, in determining whether to sentence
a person convicted of an offence under this section,
consider —
(a) the manner in which the use of a computer system
enhanced the impact of the offence;
(b) whether the offence resulted in a commercial
advantage or financial gain;
(c) the value involved, whether of the consequential
loss or damage caused, or the profit gained from
commission of the offence through the use of a
computer system;
(d) whether there was a breach of trust or
responsibility;
(e) the number of victims or persons affected by the
offence;
(f) the conduct of the accused; and
(g) any other matter that the court deems fit to
consider.
PART IV— INVESTIGATION PROCEDURES
Scope of procedural provisions.
47. (1) All powers and procedures under this Act are
applicable to and may be exercised with respect to any —
(a) criminal offences provided under this Act;
(b) other criminal offences committed by means of a
computer system established under any other law;
and
(c) the collection of evidence in electronic form of a
criminal offence under this Act or any other law.
(2) In any proceedings related to any offence, under
any law of Kenya, the fact that evidence has been
generated, transmitted or seized from, or identified in a
search of a computer system, shall not of itself prevent that
evidence from being presented, relied upon or admitted.
(3) The powers and procedures provided under this
Part are without prejudice to the powers granted under —
(a) the National Intelligence Service Act, 2012 (No. 28 of 2012);
(b) the National Police Service Act, 2011 (No. 30 of 2011);
(c) the Kenya Defence Forces Act, 2012 (No. 25 of 2012); and
(d) any other relevant law.
Search and seizure of stored computer data.
48. (1) Where a police officer or an authorised person
has reasonable grounds to believe that there may be in a
specified computer system or part of it, computer data
storage medium, program, data, that—
(a) is reasonably required for the purpose of a criminal
investigation or criminal proceedings which may
be material as evidence; or
(b) has been acquired by a person as a result of the
commission of an offence,
the police officer or the authorised person may apply to
the court for issue of a warrant to enter any premises to
access, search and similarly seize such data.
(2) A search warrant issued under subsection (1) shall
(a) identify the police officer or authorised person;
(b) direct the police officer or authorised person under
paragraph (a) to seize the data in question; or
(c) direct the police officer or authorised person to:
(i) search any person identified in the warrant;
(ii) enter and search any premises identified in
the warrant; or
(iii) search any person found on or at such
premises.
(3) A search warrant may be issued on any day and
shall be of force until it is executed or is cancelled by the
issuing court.
(4) A police officer or an authorised person shall
present a copy of the warrant to a person against whom it is
issued.
(5) A person who —
(a) obstructs the lawful exercise of the powers under
this section;
(b) compromises the integrity or confidentiality of a
computer system, data, or information accessed or
retained under this section; or
(c) misuses the powers granted under this section,
commits an offence and is liable on conviction to a
fine not exceeding five million shillings or to a term of
imprisonment not exceeding three years or to both.
Record of and access to seized data.
49. (1) Where a computer system or data has been
removed or rendered inaccessible, following a search or a
seizure under section 48, the person who made the search
shall, at the time of the search or as soon as practicable
after the search —
(a) make a list of what has been seized or rendered
inaccessible, and shall specify the date and time of
seizure; and
(b) provide a copy of the list to the occupier of the
premises or the person in control of the computer
system referred to under paragraph (a).
(2) Subject to subsection (3), a police officer or an
authorised person shall, on request, permit a person who —
(a) had the custody or control of the computer system;
(b) has a right to any data or information seized or
secured; or
(c) has been acting on behalf of a person under
subsection (1)(a) or (b), to access and copy
computer data on the system or give the person a
copy of the computer data.
(3) The police officer or authorised person may refuse
to give access or provide copies under subsection (2), if
they have reasonable grounds for believing that giving the
access or providing the copies, may —
(a) constitute a criminal offence; or
(b) prejudice —
(i) the investigation in connection with the
search that was carried out;
(ii) an ongoing investigation; or
(iii) any criminal proceeding that is pending or
that may be brought in relation to any of those
investigations.
(4) Despite subsection (3), a court may, on reasonable
grounds being disclosed, allow a person who has qualified
under subsection (2) (a) or (b) —
(a) access and copy computer data on the system; or
(b) obtain a copy of the computer data.
Production order.
50. (1) Where a police officer or an authorised person
has reasonable grounds to believe that —
(a) specified data stored in a computer system or a
computer data storage medium is in the
possession or control of a person in its territory;
and
(b) specified subscriber information relating to
services offered by a service provider in Kenya are
in that service provider’s possession or control and
is necessary or desirable for the purposes of the
investigation, the police officer or the authorised
person may apply to court for an order.
(2) The Court shall issue an order directing —
(a) a specified person to submit specified computer
data that is in that person’s possession or control,
and is stored in a computer system or a computer
data storage medium; or
(b) a specified service provider offering its services in
Kenya to submit subscriber information relating to
such services in that service provider’s possession
or control.
Expedited preservation and partial disclosure of traffic data.
51. (1) Where a police officer or an authorised person
has reasonable grounds to believe that —
(a) any specified traffic data stored in any computer
system or computer data storage medium or by
means of a computer system is reasonably required
for the purposes of a criminal investigation; and
(b) there is a risk or vulnerability that the traffic data
may be modified, lost, destroyed or rendered
inaccessible,
the police officer or an authorised person shall serve a
notice on the person who is in possession or control of
the computer system, requiring the person to —
(i) undertake expeditious preservation of such
available traffic data regardless of whether one
or more service providers were involved in the
transmission of that communication; or
(ii) disclose sufficient traffic data concerning any
communication in order to identify the service
providers and the path through which
communication was transmitted.
(2) The data specified in the notice shall be preserved
and its integrity shall be maintained for a period not
exceeding thirty days.
(3) The period of preservation and maintenance of
integrity may be extended for a period exceeding thirty
days if, on an application by the police officer or authorised
person, the court is satisfied that —
(a) an extension of preservation is reasonably required
for the purposes of an investigation or prosecution;
(b) there is a risk or vulnerability that the traffic data
may be modified, lost, destroyed or rendered
inaccessible; and
(c) the cost of the preservation is not overly
burdensome on the person in control of the
computer system.
(4) The person in possession or control of the
computer system shall be responsible to preserve the data
specified —
(a) for the period of notice for preservation and
maintenance of integrity or for any extension
thereof permitted by the court; and
(b) for the period of the preservation to keep
confidential any preservation ordered under this
section.
(5) Where the person in possession or control of the
computer system is a service provider, the service provider
shall be required to —
(a) respond expeditiously to a request for assistance,
whether to facilitate requests for police assistance,
or mutual assistance requests; and
(b) disclose as soon as practicable, a sufficient amount
of the non-content data to enable a police officer
or an authorised person to identify any other
telecommunications providers involved in the
transmission of the communication.
(6) The powers of the police officer or an authorised
person under subsection (1) shall apply whether there is
one or more service providers involved in the transmission
of communication which is subject to exercise of powers
under this section.
52. (1) Where a police officer or an authorised person
has reasonable grounds to believe that traffic data
associated with specified communications and related to
the person under investigation is required for the purposes
of a specific criminal investigation, the police officer or
authorised person may apply to the court for an order to —
(a) permit the police officer or authorised person to
collect or record through the application of
technical means traffic data, in real-time;
(b) compel a service provider, within its existing
technical capability —
[Marginal note: Real-time collection of traffic data.]
(i) to collect or record through application of
technical means traffic data in real time; or
(ii) to cooperate and assist a police officer or an
authorised person in the collection or recording
of traffic data, in real-time, associated with
specified communications in its jurisdiction
transmitted by means of a computer system.
(2) In making an application under subsection (1), the
police officer or an authorised person shall —
(a) state the grounds they believe the traffic data
sought is available with the person in control of
the computer system;
(b) identify and explain, the type of traffic data
suspected to be found on such computer system;
(c) identify and explain the subscribers, users or
unique identifier the subject of an investigation or
prosecution suspected as may be found on such
computer system;
(d) identify and explain the offences identified in
respect of which the warrant is sought; and
(e) explain the measures to be taken to prepare and
ensure that the traffic data shall be sought —
(i) while maintaining the privacy of other users,
customers and third parties; and
(ii) without the disclosure of data to any party not
part of the investigation.
(3) Where the court is satisfied with the explanations
provided under subsection (2), the court shall issue the
order provided for under subsection (1).
(4) For purposes of subsection (1), real-time collection
or recording of traffic data shall be ordered for a period not
exceeding six months.
(5) The court may authorize an extension of time
under subsection (4), if it is satisfied that —
(a) such extension of real-time collection or recording
of traffic data is reasonably required for the
purposes of an investigation or prosecution;
(b) the extent of real-time collection or recording of
traffic data is commensurate, proportionate and
necessary for the purposes of investigation or
prosecution;
(c) despite prior authorisation for real-time collection
or recording of traffic data, additional real-time
collection or recording of traffic data is necessary
and needed to achieve the purpose for which the
warrant is to be issued;
(d) measures taken to prepare and ensure that the real-time collection or recording of traffic data is
carried out while maintaining the privacy of other
users, customers and third parties and without the
disclosure of information and data of any party not
part of the investigation;
(e) the investigation may be frustrated or seriously
prejudiced unless the real-time collection or
recording of traffic data is permitted; and
(f) the cost of such preservation is not overly
burdensome upon the person in control of the
computer system.
(6) A court may, in addition to the requirement
specified under subsection (3) require the service provider
to keep confidential the order and execution of any power
provided under this section.
(7) A service provider who fails to comply with an
order under this section commits an offence and is liable on
conviction —
(a) where the service provider is a corporation, to a
fine not exceeding ten million shillings; or
(b) in case of a principal officer of the service
provider, to a fine not exceeding five million
shillings or to imprisonment for a term not
exceeding three years, or to both.
53. (1) Where a police officer or an authorised person
has reasonable grounds to believe that the content of any
specifically identified electronic communications is
required for the purposes of a specific investigation in
respect of an offence, the police officer or authorised
person may apply to the court for an order to—
[Marginal note: Interception of content data.]
(a) permit the police officer or authorised person to
collect or record through the application of
technical means;
(b) compel a service provider, within its existing
technical capability —
(i) to collect or record through the application of
technical means; or
(ii) to co-operate and assist the competent
authorities in the collection or recording of,
content data, in real-time, of specified
communications within the jurisdiction
transmitted by means of a computer system.
(2) In making an application under subsection (1), the
police officer or an authorised person shall —
(a) state the reasons he believes the content data being
sought is in possession of the person in control of
the computer system;
(b) identify and state the type of content data
suspected to be found on such computer system;
(c) identify and state the offence in respect of which
the warrant is sought;
(d) state if they have authority to seek real-time
collection or recording on more than one occasion
is needed, and shall specify the additional number
of disclosures needed to achieve the purpose for
which the warrant is to be issued;
(e) explain measures to be taken to prepare and ensure
that the real-time collection or recording is carried
out—
(i) while maintaining the privacy of other users,
customers and third parties; and
(ii) without the disclosure of information and data
of any party not part of the investigation;
(f) state how the investigation may be frustrated or
seriously prejudiced unless the real time collection
or recording is permitted; and
(g) state the manner in which they shall achieve the
objective of the warrant, real time collection or
recording by the person in control of the computer
system where necessary.
(3) Where the court is satisfied with the grounds
provided under subsection (2), the court shall issue the
order applied for under subsection (1).
(4) For purposes of subsection (1), the real-time
collection or recording of content data shall not be ordered
for a period that exceeds the period that is necessary for the
collection thereof and in any event not for more than a
period of nine months.
(5) The period of real-time collection or recording of
content data may be extended for such period as the court
may consider necessary where the court is satisfied that —
(a) such extension of real-time collection or recording
of content data is required for the purposes of an
investigation or prosecution;
(b) the extent of real-time collection or recording of
content data is proportionate and necessary for the
purposes of investigation or prosecution;
(c) despite prior authorisation for real-time collection
or recording of content data, further real-time
collection or recording of content data is necessary
to achieve the purpose for which the warrant is to
be issued;
(d) measures shall be taken to prepare and ensure that
the real-time collection or recording of content
data is carried out while maintaining the privacy of
other users, customers and third parties and
without the disclosure of information and data of
any party not part of the investigation;
(e) the investigation may be frustrated or seriously
prejudiced unless the real-time collection or
recording of content data is permitted; and
(f) the cost of such real-time recording and collection
is not overly burdensome upon the person in
control of the computer system.
(6) The court may also require the service provider to
keep confidential the order and execution of any power
provided for under this section.
(7) A service provider who fails to comply with an
order under this section commits an offence and is liable,
on conviction —
(a) where the service provider is a corporation, to a
fine not exceeding ten million shillings;
(b) in case of an officer of the service provider, to a
fine not exceeding five million shillings or to
imprisonment for a term not exceeding three years,
or to both.
54. (1) A person who obstructs the lawful exercise of
the powers under this Part, including destruction of data, or
fails to comply with the requirements of this Part is liable,
on conviction, to a fine not exceeding five million shillings
or to imprisonment for a term not exceeding three years, or
to both.
(2) A police officer or an authorised person who
misuses the exercise of powers under this Part commits an
offence and is liable, on conviction, to a fine not exceeding
five million shillings or to imprisonment for a term not
exceeding three years, or to both.
55. Any person aggrieved by any decision or order of
the Court made under this Part, may appeal to the High
Court or Court of Appeal as the case may be within thirty
days from the date of the decision or order.
56. (1) A service provider shall not be subject to any
civil or criminal liability, unless it is established that the
service provider had actual notice, actual knowledge, or
willful and malicious intent, and not merely through
omission or failure to act, had thereby facilitated, aided or
abetted the use by any person of any computer system
controlled or managed by a service provider in connection
with a contravention of this Act or any other written law.
(2) A service provider shall not be liable under this
Act or any other law for maintaining and making available
the provision of their service.
(3) A service provider shall not be liable under this
Act or any other law for the disclosure of any data or other
information that the service provider discloses only to the
extent required under this Act or in compliance with the
exercise of powers under this Part.
[Marginal notes: Obstruction and misuse of power. Appeal. Confidentiality and limitation of liability.]
PART V —INTERNATIONAL CO-OPERATION
57. (1) This Part shall apply in addition to the Mutual
Legal Assistance Act, 2011 and the Extradition
(Contiguous and Foreign Countries) Act.
(2) The Central Authority may make a request for
mutual legal assistance in any criminal matter to a
requested State for purposes of—
(a) undertaking investigations or proceedings
concerning offences related to computer systems,
electronic communications or data;
(b) collecting evidence of an offence in electronic
form; or
(c) obtaining expeditious preservation and disclosure
of traffic data, real-time collection of traffic data
associated with specified communications or
interception of content data or any other means,
power, function or provisions under this Act.
(3) A requesting State may make a request for mutual
legal assistance to the Central Authority in any criminal
matter, for the purposes provided in subsection (2).
(4) Where a request has been received under
subsection (3), the Central Authority may, subject to the
provisions of the Mutual Legal Assistance Act, 2011, the
Extradition (Contiguous and Foreign Countries) Act, this
Act and any other relevant law —
(a) grant the legal assistance requested; or
(b) refuse to grant the legal assistance requested.
(5) The Central Authority may require a requested
State to —
(a) keep the contents, any information and material
provided in a confidential manner;
(b) only use the contents, information and material
provided for the purpose of the criminal matter
specified in the request; and
(c) use it subject to other specified conditions.
[Marginal notes: General principles relating to international cooperation. No. 36 of 2011. Cap. 76.]
58. (1) The Central Authority may, sub
and any other relevant law, without prior
to a foreign State information obtained within the
framework of its own investigations when it considers that
the disclosure of such information might assist the foreign
State in initiating or carrying out investigations or
proceedings concerning criminal offences or might lead to
a request for co-operation by the foreign State under this
Act.
(2) Prior to providing the information under subsection
(1), the Central Authority may request that such
information be kept confidential or only subject to other
specified conditions.
(3) Where a foreign State cannot comply with the
specified conditions specified under subsection (2), the
State shall notify the Central Authority as soon as
practicable.
(4) Upon receipt of a notice under subsection (3), the
Central Authority may determine whether to provide such
information or not.
(5) Where the foreign State accepts the information
subject to the conditions specified by the Central Authority,
that State shall be bound by them.
59. (1) Subject to section 57, a requesting State which
has the intention to make a request for mutual legal
assistance for the search or similar access, seizure or
similar securing or the disclosure of data, may request the
Central Authority to obtain the expeditious preservation of
data stored by means of a computer system, located within
the territory of Kenya.
(2) When making a request under subsection (1), the
requesting State shall specify —
(a) the authority seeking the preservation;
(b) the offence that is the subject of a criminal
investigation or proceedings and a brief summary
of the related facts;
(c) the stored computer data to be preserved and its
connection to the offence;
(d) any available information identifying the custodian
of the stored computer data or the location of the
computer system;
[Marginal note: Expedited preservation of stored computer data.]
(e) the necessity of the preservation; and
(f) the intention to submit a request for mutual
assistance for the search or similar access, seizure
or similar securing or the disclosure of the stored
computer data.
(3) Upon receiving the request under this section, the
Central Authority shall take the appropriate measures to
preserve the specified data in accordance with the
procedures and powers provided under this Act and any
other relevant law.
(4) A preservation of stored computer data effected
under this section, shall be for a period of not less than one
hundred and twenty days, in order to enable the requesting
State to submit a request for the search or access, seizure or
securing, or the disclosure of the data.
(5) Upon receipt for a request under this section, the
data shall continue to be preserved pending the final
decision being made with regard to that request.
60. Where during the course of executing a request
under section 57 with respect to a specified communication,
the investigating agency discovers that a service provider in
another State was involved in the transmission of the
communication, the Central Authority shall expeditiously
disclose to the requesting State a sufficient amount of
traffic data to identify that service provider and the path
through which the communication was transmitted.
61. (1) Subject to section 57, a requesting State may
request the Central Authority to search or similarly access,
seize or similarly secure, and disclose data stored by means
of a computer system located within the territory of Kenya,
including data that has been preserved in accordance with
section 60.
(2) When making a request under subsection (1), the
requesting State shall —
(a) give the name of the authority conducting the
investigation or proceedings to which the request
relates;
(b) give a description of the nature of the criminal
matter and a statement setting-out a summary of
the relevant facts and laws;
[Marginal notes: Mutual assistance regarding accessing of stored computer data. Expedited disclosure of preserved traffic data.]
(c) give a description of the purpose of the request and
of the nature of the assistance being sought;
(d) in the case of a request to restrain or confiscate
assets believed on reasonable grounds to be
located in the requested State, give details of the
offence in question, particulars of the investigation
or proceeding commenced in respect of the
offence, and be accompanied by a copy of any
relevant restraining or confiscation order;
(e) give details of any procedure that the requesting
State wishes to be followed by the requested State
in giving effect to the request, particularly in the
case of a request to take evidence;
(f) include a statement setting out any wishes of the
requesting State concerning any confidentiality
relating to the request and the reasons for those
wishes;
(g) give details of the period within which the
requesting State wishes the request to be complied
with;
(h) where applicable, give details of the property,
computer, computer system or electronic device to
be traced, restrained, seized or confiscated, and of
the grounds for believing that the property is
believed to be in the requested State;
(i) give details of the stored computer data, data or
program to be seized and its relationship to the
offence;
(j) give any available information identifying the
custodian of the stored computer data or the
location of the computer, computer system or
electronic device;
(k) include an agreement on the question of the
payment of the damages or costs of fulfilling the
request; and
(l) give any other information that may assist in
giving effect to the request.
(3) Upon receiving the request under this section, the
Central Authority shall take all appropriate measures to
obtain necessary authorisation including any warrants to
execute upon the request in accordance with the procedures
and powers provided under this Act and any other relevant
law.
(4) Where the Central Authority obtains the necessary
authorisation in accordance with subsection (3), including
any warrants to execute the request, the Central Authority
may seek the support and cooperation of the requesting
State during such search and seizure.
(5) Upon conducting the search and seizure request,
the Central Authority shall, subject to section 59, provide
the results of the search and seizure as well as electronic or
physical evidence seized to the requesting State.
62. A police officer or authorised person may, subject
to any applicable provisions of this Act —
(a) access publicly available stored computer data,
regardless of where the data is located
geographically; or
(b) access or receive, through a computer system in
Kenya, stored computer data located in another
territory, if such police officer or authorised person
obtains the lawful and voluntary consent of the
person who has the lawful authority to disclose the
data through that computer system.
63. (1) Subject to section 57, a requesting State may
request the Central Authority to provide assistance in real-time collection of traffic data associated with specified
communications in Kenya transmitted by means of a
computer system.
(2) When making a request under subsection (1), the
requesting State shall specify —
(a) the authority seeking the use of powers under this
section;
(b) the offence that is the subject of a criminal
investigation or proceedings and a brief summary
of the related facts;
(c) the name of the authority with access to the
relevant traffic data;
[Marginal notes: Trans-border access to stored computer data with consent or where publicly available. Mutual assistance in the real-time collection of traffic data.]
(d) the location at which the traffic data may be held;
(e) the intended purpose for the required traffic data;
(f) sufficient information to identify the traffic data;
(g) any further details relevant to the traffic data;
(h) the necessity for use of powers under this section;
and
(i) the terms for the use and disclosure of the traffic
data to third parties.
(3) Upon receiving the request under this section, the
Central Authority shall take all appropriate measures to
obtain necessary authorisation including any warrants to
execute upon the request in accordance with the procedures
and powers provided under this Act and any other relevant
law.
(4) Where the Central Authority obtains the necessary
authorisation including any warrants to execute upon the
request, the Central Authority may seek the support and
cooperation of the requesting State during the search and
seizure.
(5) Upon conducting the measures under this section
the Central Authority shall, subject to section 57, provide
the results of such measures as well as real-time collection
of traffic data associated with specified communications to
the requesting State.
64. (1) Subject to section 57, a requesting State may
request the Central Authority to provide assistance in the
real-time collection or recording of content data of
specified communications in the territory of Kenya
transmitted by means of a computer system.
(2) When making a request under subsection (1), a
requesting State shall specify —
(a) the authority seeking the use of powers under this
section;
(b) the offence that is the subject of a criminal
investigation or proceedings and a brief summary
of the related facts;
(c) the name of the authority with access to the
relevant communication;
[Marginal note: Mutual assistance regarding the interception of content data.]
(d) the location at which or nature of the
communication;
(e) the intended purpose for the required
communication;
(f) sufficient information to identify the
communications;
(g) details of the data of the relevant interception;
(h) the recipient of the communication;
(i) the intended duration for the use of the
communication;
(j) the necessity for use of powers under this section;
and
(k) the terms for the use and disclosure of the
communication to third parties.
(3) Upon receiving the request under this section, the
Central Authority shall, take all appropriate measures to
obtain necessary authorisation including any warrants to
execute upon the request in accordance with the procedures
and powers provided under this Act and any other relevant
law.
(4) Where the Central Authority obtains the necessary
authorisation, including any warrants to execute upon the
request, the Central Authority may seek the support and
cooperation of the requesting State during the search and
seizure.
(5) Upon conducting the measures under this section
the Central Authority shall subject to section 57, provide
the results of such measures as well as real-time collection
or recording of content data of specified communications to
the requesting State.
65. (1) The Central Authority shall ensure that the
investigation agency responsible for investigating
cybercrime, shall designate a point of contact available on a
twenty-four hour, seven-day-a-week basis, in order to
ensure the provision of immediate assistance for the
purpose of investigations or proceedings concerning
criminal offences related to computer systems and data, or
for the collection of evidence in electronic form of a
criminal offence, including carrying out the following
measures —
[Marginal note: Point of contact.]
(a) the provision of technical advice;
(b) the preservation of data pursuant to sections 59
and 60;
(c) the collection of evidence, the provision of legal
information, and locating of suspects, within
expeditious timelines to be defined by regulations
under this Act.
(2) The point of contact shall be resourced with and
possess the requisite capacity to securely and efficiently
carry out communications with other points of contact in
other territories, on an expedited basis.
(3) The point of contact shall have the authority and be
empowered to coordinate and enable access to international
mutual assistance under this Act.
PART VI—GENERAL PROVISIONS
66. (1) Any court of competent jurisdiction shall try
any offence under this Act where the act or omission
constituting the offence is committed in Kenya.
(2) For the purposes of subsection (1), an act or
omission committed outside Kenya which would if
committed in Kenya constitute an offence under this Act is
deemed to have been committed in Kenya if —
(a) the person committing the act or omission is —
(i) a citizen of Kenya; or
(ii) ordinarily resident in Kenya; and
(b) the act or omission is committed —
(i) against a citizen of Kenya;
(ii) against property belonging to the Government
of Kenya outside Kenya; or
(iii) to compel the Government of Kenya to do or
refrain from doing any act; or
(c) the person who commits the act or omission is,
after its commission or omission, present in
Kenya.
[Marginal notes: Territorial jurisdiction. Forfeiture.]
67. The court before which a person is convicted of
any offence may, in addition to any other penalty imposed,
order the forfeiture of any apparatus, device or thing to the
Authority which is the subject matter of the offence or is
used in connection with the commission of the offence.
68. Whenever there is a conflict between this Act and
any other law regarding cybercrimes, the provisions of this
Act shall supersede any such other law.
69. The laws specified in the first column of the
Schedule are amended, in the provisions specified in the
second column thereof, in the manner respectively
specified in the third column.
PART VII—PROVISIONS ON DELEGATED
POWERS
70. (1) The Cabinet Secretary may make regulations
generally for the better carrying into effect of any
provisions under this Act.
(2) Without prejudice to the foregoing, regulations
made under this section may provide for —
(a) designation of computer systems, networks,
programs, data as national critical information
infrastructure;
(b) protection, preservation and management of
critical information infrastructure;
(c) access to, transfer and control of data in any
critical information infrastructure;
(d) storage and archiving of critical data or
information;
(e) audit and inspection of national critical
information infrastructure;
(f) recovery plans in the event of disaster, breach
or loss of national critical information
infrastructure or any part of it;
(g) standard operating procedures for the conduct,
search, seizure and collection of electronic
evidence; and
(h) mutual legal assistance.
[Marginal notes: Prevailing Clause. Consequential Amendments. Cap 411A. Regulations. Cap 2, No. 23 of 2013.]
(3) For the purposes of Article 94 (6) of the
Constitution—
(a) the purpose and objective of delegation under this
section is to enable the Cabinet Secretary to make
regulations to provide for the better carrying into
effect of the provisions of this Act and to enable
the Authority to discharge its functions more
effectively;
(b) the authority of the Cabinet Secretary to make
regulations under this Act will be limited to
bringing into effect the provisions of this Act and
to fulfil the objectives specified under this section;
(c) the principles and standards applicable to the
regulations made under this section are those set
out in the Interpretation and General Provisions
Act and the Statutory Instruments Act, 2013.
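SCHEDULE (s.69)
Written law | Provision | Amendment
Kenya Information and Communication Act, 1998 | 83U | Repeal
Kenya Information and Communication Act, 1998 | 83V | Repeal
Kenya Information and Communication Act, 1998 | 83W | Repeal
Kenya Information and Communication Act, 1998 | 83X | Repeal
Kenya Information and Communication Act, 1998 | 83Z | Repeal
Kenya Information and Communication Act, 1998 | 84A | Repeal
Kenya Information and Communication Act, 1998 | 84B | Repeal
Kenya Information and Communication Act, 1998 | 84F | Repeal
Sexual Offences Act, 2011 | 16 | Delete and replace with the following section—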
Child pornography
16. (1) A person, including a
juristic person, who knowingly —
(a) possesses an indecent
photograph of a child;
(b) displays, shows, exposes or
exhibits obscene images,
words or sounds by means
of print, audio-visual or any
other media to a child with
intention of encouraging or
enabling a child to engage
in a sexual act;
(c) sells, lets to hire,
distributes, publicly exhibits
or in any manner puts into
circulation, or for purposes
of sale, hire, distribution,
public exhibition or
circulation, makes,
produces or has in his or her
possession an indecent
photograph of a child;
(d) imports, exports or conveys
any obscene object for any
of the purposes specified in
subsection (1), or
knowingly or having reason
to believe that such object
will be sold, let to hire,
distributed or publicly
exhibited or in any manner
put into circulation;
(e) takes part in or receives
profits from any business in
the course of which he or
she knows or has reason to
believe that obscene objects
are, for any of the purposes
specifically in this section,
made, produced, purchased,
kept, imported, exported,
conveyed, publicly
exhibited or in any manner
put into circulation;
(f) advertises or makes known
by any means whatsoever
that any person is engaged
or is ready to engage in any
act which is an offence
under this section, or that
any such obscene object can
be produced from or
through any person; or
(g) offers or attempts to do any
act which is an offence
under this section, commits
an offence and is liable
upon conviction to
imprisonment for a term of
not less than six years or to
a fine of not less than five
hundred thousand shillings
or to both and upon
subsequent conviction, to
imprisonment to a term of
not less than seven years
without the option of a fine.
(2) This section shall not apply
to—
(a) publication or possession of
an indecent photograph
where it is proved that such
publication or possession
was intended for bona fide
scientific research, medical,
religious or law
enforcement purpose; the
indecent representation of a
child in a sculpture,
engraving, painting or other
medium on or in any
ancient monument
recognised by law; and
(b) activities between two
persons above eighteen
years of age by mutual
consent.
(3) For the purposes of
subsection (1),—
(a) an image is obscene if—
(i) it is lascivious or
appeals to prurient
interest; or
(ii) its effect, or where it
comprises two or more
distinct items, the effect
of any one of its items,
if taken as a whole,
tends to deprave and
corrupt persons who are
likely, having regard to
all relevant
circumstances, to read,
see or hear the matter
contained or embodied
in it.
(b) an indecent photograph
includes a visual, audio or
audio visual representation
depicting —
(i) a child engaged in
sexually explicit
conduct;
(ii) a person who appears to
be a child engaged in
sexually explicit
conduct; or realistic
images representing a
child engaged in sexual
activity.
New Insert a new section
immediately after section 16 as
follows—
Sexual communication with a
child
16A. (1) A person of eighteen
years and above who knowingly
communicates with a child in—
(i) a sexual manner; or
(ii) a manner intended to
encourage the child to
communicate in a sexual
manner, commits an
offence and is liable, on
conviction, to a fine of not
less than five hundred
thousand shillings or
imprisonment for a term of
not less than five years, or
to both.
(2) For the purposes of this
section, a communication is sexual
if—
(a) any part of it relates to
sexual activity, or
(b) a reasonable person would
consider any part of the
communication to be
sexual.
