In April 2018, ARTICLE 19 reviewed the draft Computer and Cybercrimes Bill, 2017 (Draft Cyber-crimes Bill) of Kenya, currently submitted to the National Assembly for approval. This is the third contribution of ARTICLE 19 to the drafting process.
Our analysis shows that the Draft Cybercrimes Bill contains several important additions that are apparently modelled after relevant international standards. However, we also note that the Draft Bill also contains several broadly defined offences with harsh sentences that could dramatically chill freedom of expression online in Kenya. Further, many of the offences unnecessarily overlap with one another.
ARTICLE 19 urges drafters of the Bill to address its inconsistencies with human rights standards before it is voted on in the National Assembly. We also urge the National Assembly to incorporate these comments into the final version of the Bill.
Summary of key recommendations:
- The definition of “computer system” should explicitly limit its scope to systems that engage in automatic processing of data. The definition of “content data” should remove references to the “meaning or purport” of the communication. The definition of “damage” should be added and require serious impairment or loss to a computer system or to specified legitimate national security or public order interests;
- Section 4(1) should only penalize unauthorized access as described in the provision if it is committed with intent to obtain computer data or other “dishonest” intent. The Bill and/or implementing regulations should also provide examples of “dishonest” intent;
- The following sections should be removed in their entirety: Section 4(3), Section 5(2), Section 8(2), Section 9, Section 10, Section 10(2), Section 11, Section 12, Section 14(2), Section 16, and Section 17;
- Section 5(1) should require “intent to commit specific and serious offences” and specify all the offences that would trigger liability under this Section;
- Section 7(1) of the Draft Bill should be amended to require serious damage or impairment;
- Section 8(1) should replace “knowingly” with “intentionally;”
- Section 10(2) should also limit the definition of a “protected computer system” to those systems that are necessary for a specified range of legitimate national security and public safety purposes;
- The Bill should establish a public interest defence against offences specified in Part II for “any person who discloses information that he or she reasonably believes, at the time of disclosure, to be true and to constitute a threat or harm to a specified public interest, such as a violation of national or international law, abuse of authority, waste, fraud or harm to the environment, public health or public safety;”
- Sections 14 and 15 should be drafted consistently with existing criminal laws on fraud and forgery to avoid duplication or contradiction;
- Section 14(1) should incorporate the requirement of dishonest intent;
- Any attempt to regulate cyber stalking or cyber bullying should be developed in consultation with a meaningful and representative cross-section of civil society, academics, the technology and media industry and other relevant non-State actors;
- Section 18 should expressly state that internet service providers are exempt from liability with respect to any offence committed by a third party under the Bill when they are acting as mere conduits, or merely performing hosting, caching or information location functions;
- Section 18 should clarify that the Bill does not impose general obligations on internet service providers to monitor the information which they transmit or store, or to actively seek facts or circumstances indicating illegal activity;
- Sections 23(3)(d) through 23(3)(f) should permit warrants compelling decryption, technical assistance and government access to communications and communications data only when such orders are necessary and the least intrusive means available to conduct a specific and legitimate investigation, and focused on a specific target.