You are on page 1of 52
No. me THE REPUBLIC OF KENYA HIS EXCELLENCY THE PRESIDENT UHURU KENYATTA, Tassent President +2018 AN ACT of Parliament to to provide for offences relating to computer systems; to enable timely and effective detection, prohibition, prevention, “response, investigation and prosecution of computer and. cybercimes: 10 ‘dciltate "international co-operation in dealing with computer” and cybercrime matters; and for connected purposes ___the Computer Masse and Cpbercrines At ‘THE COMPUTER MISUSE AND CYBERCRIMES ACT, 2018 ARRANGEMENT OF CLAUSES PART [PRELIMINARY Clause 1 Shoe tte 2 Interpretation 3 Objecs ofthe Act PART Il—THE NATIONAL COMPUTER AND CYBERCRIMES COORDINATION COMMITTEE, 4— Establishment of Commitee 5 Composition of the Commit, Functions of the Commitee. Seeretaiat ofthe Commitee. Reports by the Commie ee Critical information infratruetare Protection of critical information iftasteuctare ‘Reports on critical information infrastructure. Information sharing agreements, Aualting of critical information infrastructures to ensure compliance, PART IN—OFFENCES 14— Unauthorised access, 15 Access-with intent to commit further offence, 16— Unauthorised interference. 17 Unauthorised interception, 18— Illegal devices and acess codes. 19— Unauthorised disclosure of password or access code. 20— Eahanced penalty for offences involving protected comput system, 21— Cyber espionage. 22— False publications. 23 Publication of false information 24— Child pornography. 5 26 2 28 20— 30— 31 a 3F aM 3s— 36— a 38S 305 40— a a a “a 45 46 a a8 49 so si ae 3 5a 3 Computer forgery (Computer frau. CCyberstaking and eyber-bullying Cybersquating deatity theft and impersonation, Phishing Interception of electronic messages or money tansfes. ‘Willful misdirection of electronic messages. Cyber terorism. Inducement t deliver electronic message. Intentionally withholding message delivered exoneously ‘Unlawfal destruction of electronic messages. . ‘Wrongful distribution of obscene or intimate images. Fraudulent use of electronic daa , Issuance of false e-instructions ‘Reporting of eyber threat. Employee responsibility to relinguish access codes. Aiding or abeting in the commission of an ofetic. Offences by a body corporate and limitation of liability. ‘Confiscation or forfeiture of assets, ‘Compensation order ‘Additional penalty for other offences commited tough use of @ computer system. a PART IV—INVESTIGATION PROCEDURES. ‘Scope of procedural provisions. Search nd seiante of stored computer dat, Reoord of and access to seized data Production oder. Expedited preserv Real-time collection of traffic dat, Interception of content data Obstruction and misuse. Appeal ion and partial disclosure of traffic dat, 56 Confidentiality and limitation of ably, PART V— INTERNATIONAL COOPERATION General prncipes relating to international co-operation, 58— Spontaneous information 59 Expedited preservation of stored computer data (60— Expedited disclosure of preserved taffic data, O1— Mutual assistance regarding accesing of stored computer data C2 Trane horde acest to stored computer data with consent or where publicly available, 63— Mutual assistance inthe yel-time collection of traffic data G4— Mutual assistance regarding the interception of content det, 65 Point of contact, PART VI—GENERAL PROVISIONS ’ Tervitorial jurisdiction, Forfeiture, Prevailing Clause Consequential Amendments PART VI-PROVISIONS ON DELEGATED POWERS 70— Regulations, SCHEDULE, ‘THE COMPUTER MISUSE AND CYBERCRIMES ACT, 2018, AN ACT of Parliament to provide for offences relating to computer system {o enable timely and effective detection, prohibition, prevention, response, investigation and prosecution of computer and eybererimes; to facilitate international co-operation in dealing with computer and cybererime matters; and for eonnected purposes ENACTED by the Paliement of Kenya as follows — PART PRELIMINARY 1L.This Act may be cited as the Computer Misus: and Cybercrimes ‘Act, 2018, prin, 2. In this Act, unless the context otherwise requires — ‘scess” means gaining entry into or intent to gain etry by a person to a program or data sfored in a computer system: and the person either (@) alters, modifies or erases a program or data or eny aspect related to the program or data in the computer system, (©) copies, transfers or moves a program or data to— @ any computer system, device or stomge medium other than that in whic itis stored; of (i) 0 different location in the same computer system, ‘device or storage medium in which its stored; (©) causes it tbe output from the computer in which itis held, whether by having it displayed or in any other (@) uses it by causing the computer fo execu a program or is itself a function ofthe program; “Authority” means the Communications Authority of Kenya; means an officer in a ‘aw enforcement “authorised. person” Noss o¢200. _The Computer Mize and Cyberrimes det, 2018 agency or a cybersecurity expert designated by the Cabinet Secretary responsible for matters relating to nalional security by notice in the Gazette forthe purposes of Part Il of this Act "Dlockchain technology" means a digitized, decentralized, public ledger ofall eryptocurteney transactions; “Cabinet Secretary” means the Cabinet Sect matters relating to internal security tary responsible for “Cental Authority” means the Office ofthe Atorney General; “Committee” has the meaning assigned to it under section 4; “computer data storage medium” means device, wiether physical fr virtual, containing or designed to contain, or enzbling or designed to ‘enable storage of data, whether available in a single or dstibuted form for use by a computer, and from which data i capable of being reproduced; “computer system” means a physical or virtua dove, or a set of associated physical or virtual devices, which use eledtronie, magnetic, ‘optical or other technology, to perform logical, arithmetic storage and communication functions on datt or which perform 2ontol functions on physical or virtual devices including mobile devices and reference to a ‘computer system includes a reference to pat of a computer system; “content data” means the substance, its meaning or purport of & specified communication, “critical information infastructure system or data” means an information ‘system, program of data that supports or performs “1 ‘fmetion with respect to a national eritcal information infrastructure, “critical infestucture” means the processes, aystems, facilities, technologies, networks, assets and services essentials to the health, safety, security or economic well-being of Kenyans and the effective unetioning of Governments “eybersqutting” means the acquisition of a domain name over the intemet in bad faith to profit, mislead, destroy repuation, or deprive another fiom registering the same, ifthe domtin name is (@) simila, identical or confusingly similar to an existing mademark repisteed withthe appropriate ‘povemment agency atthe time of registration, (identical or in any way similar withthe name of a person other than the registrant, incase of & Personal name; of 1508 omyaeue manus ume prresinees mice wn (© acquired without right oF ictelletual_ property interests init “data” means any representation of facts, information or concepts in a form suitable for processing in a computer ssstem, including. « program suitable to cause a computer system to perform a function; “interception” means the monitoring, modifying, viewing or recording of non-public transmissions of data to oF fom a computer system over a telecommonications system, and includes, in relation t 8 function of « computer system, listening to or recording a function of a contr sem or seguing he tbe, fs menng oop of such function; interference” means any impairment to the confidentiality, integrity or availabilty of « computer system, or any program or data ‘ona computer system, or eny act i reltion to the computer system ‘which impairs the operation of the computer system, rogram or dats; “mobile money" means electronic transfer of fads between banks ‘or account depost or withdrawal of funds or payment of bills by ‘mobile pone; “national erica information infastracture” means a vital ital soc, facility, system, network or process whose incapacity, destruction crmodiication wold have (a debilitating impact on the_ availabilty, integrity or delivery of estental services including. those servis, whose integiy i compromised, could rest in significant oss oe or casuals; or (© significant impact on _national_seeuity, faliona defense, ofthe finetioning “of the state “network” means a collection of hardware components _ and ‘computers inteteonested by communications chéanels that allow sharing of resourees and information; “password” means any data by which a comruter service or & ‘compiiter system is capable of being obtained or used; “pornography” includes the representation in books, magazines, ‘The Computer Misuse and Cyberrimes det, 2018. photographs, films, and other media, elecommun.cation apparatus of Scenes of sexual behaviour that are erotic or lewd and are designed to srouse sexual incre"; “premises” includes land, buildings, movable structures, a physical ‘r virtual space in which data is mainained, nainaged, backed up remotely and made available to users over a network, vehicles, vessel orsireet “program means data representing instructions or statements that, if executed in» computer system, causes the computer system 0 peeform a function and reference toa program includes a reference lo & att ofa program, “requested State” means a stete being requested to provide legal assistance under the terms ofthis Act “requesting State” means a state requesting for legal assistance and may forthe purposes of this Act include an international ently 0 ‘which Kenya is obligated; “seize” with respect to a program or dat includes ty— (secure a computer system or par of it or device; (©) take and retain a cigital image or secure a copy of any program or data including using an on-site exuipment, (e) render the computer system inaccessible: () temove data in the accessed computer system; of (6) oblain output of data from a computer syste: ‘service provider” means— (@) public or private entity that provites to users of its Seevices the means to communicate by use ofa computer system; snd (©) aay other entity hat processes or stores computer data on behalf ofthat entity ofits users: “subseriber information” means any informatior contained in the form of data or any form that is eld by a sevice provider, relating to subscribers of its services, other than traffic data of content datas by ‘whieh can be established — The Computer suse and Cybercrimes Act, 2018, (@) the ‘ype of communication service used, the technical provisions taken thereto and the period of sevice; () the subscriber's identity, postal, geographic locaton, electronic mail address, telephone and other access number, billing and payment information, available onthe basis ofthe service agreement or arrangement, or (© any other information on the site of tke installation of ‘elecommunication apparatus, available on the basis of the service agreement or arrangement “telecommunication apparatus” means an apparetus constructed of adapted for use in transmitting anything which is transmissible by a felecommunication system or in conveying aathing which is teansmited through such a system; “‘elecommunication system” means a system fer the conveyance, ttwough the use of electric, magnetic, eleco-magnetc, electro-chemical orelectro-mechanical energy, of — (@) speech, musi or other sounds; (visual images; (© data; (@) signals serving for the impartation, whether as between persons and persons, things and things or persons and things, of any matter otherwise than in the form Of sound, visual images oF data; or (©) signals serving for the activation or contr of machinery or ‘apparatus and includes any cable for the dstibution of anything falling within paragraphs (3), (b),(e) or (2), “‘waffc data” means computer data relating to a communication by ‘means of a computer system, generated by a computer system that formed & pt in the chain of communication, indicating the communication's or ‘estination, route, ime, date, size, dation o the typeof underlying service. "eaust accounts" means an sccount where bank or trst company {is holding funds in relation to mobile money on betalf of the public depositors. Objects othe {The objets of this Act are to— ms (@) protect the confidentiality, integrity and availablity of ‘computer systems, programs and data; _____ The Compuer tous nd Cybercrines At, 2018 camstee 0) © © © prevent the until use of computer systems; facilitate the prevention, detection, investigation, prosecution and punishment of eybererimes; protect the rights (0 privacy, freedom: of expression and fccess to information 25 guariteed under the Constitationsand facilitate international co-operation on nsters covered under this Act PART | I-THE NATIONAL COMPUTER AND. ‘CYBERCRIMES COORDINATION COMMITTEE, 4. (1) There is established & National Computer and Cybercrimes Coordination Committe. 5, (1) The Committee shall comprise of — (@) the Principal Secretary responsible for matters relating to intemal security or a representative designated an ‘who shall be the chairperson, (©) the Attomey General ora representative designated in ‘stiting by the Attorney General; (© the Chief of the “Kenya Defence Forces or a representative designated in writing by the Chief of the Kenya Defence Forces; (® the Inspector Generel of the National Police Service or a representative designated writing by the Inspector-General ofthe National Police Service (©) the Director Genetal of the Netional Intelligence Service or a representative desigrated in writing by the Director General of the Neional Tatelligence Service, (0 the Director General of the Communications Authority of Kenya or a representative designated in ‘writing by the Director General ofthe Communications Authority of Kenya; the Director of the Public Prosecutions or a representative designated in writing by the Director of Publi Prosecutions; (8) the Governor of the Central Bark of Kenya or a representative designated in writing by the Governor of the Central Bank of Kenya; and (the Director who shall be the seoretary of the ‘Commitee and who shall not havea right o vote. @ @) The Committee shall report tothe Cabinet Seietary responsible for matters relating ta intemal security r Misuse and Cy Recto he 6.(O)The Commitee shal — (@)_sdvise the Goverament on stourty related aspocts touching ‘on_ matters relating, 10. blockcbain technology, critical inftastructre, mobile money and trust secounts; () advise the National Security Council on computer and cybercrimes; (© coordinate national security organs in matters relating to ‘computer and cybercrime; (@) receive and act on reports relating to computer and ceybererimes; (©) develop 2 framework to facilitate the availabilty, integrity and confidentiality of eritieal national information infastueture including telecommunications and information systems of Kenya; © coordinate collection and analysis of cyber threats, and response to cyber incidents that threaten cyberspace belonging fo Kenya, whether such thrals or incidents of ‘computer and eyberctime occur within e ouside Kenya, (@) cooperate with computer incident response teams and other relevant bodies, locally and internationally on response (0 threats of computer and eybererime and incidents; (i) establish codes of eyber-security practive and standatds of performance for implementation by owners of critical ‘ational information infiastucture; (develop and manage a national public key inffastrcture framework, (develop a framework for taining onprevention, detection and mitigation of computer and cybercrimes and maters ‘connected thereto; and (perform any other function confered on it by this Act or any other wten law, (2) Subject to the provisions ofthis Act, the Comite shall regulate its own procedure. Seema oftbe 7. (1) There shall Be a Secretariat which shall comprise of the Comite Dietor and such numberof public officers tha, subjet to the approval of the Committe, the Cabinet Secretary responsible fo: matters relating ‘o internal security in consultation with the Cabinet Secretary responsible for matters relating (o information, communications and technology may deploy to the Secretariat. (2) The Director shall be— (@) the head ofthe Secretariat; and () responsible to the Committee for the day to day administration of the affairs of the Secretariat and implementation of the decisions avsing. trom the Commitee The Computer Mise and Cyberrines det, 2018 @) Without prejudice to the generality 0° the provisions of subsection (2), the Director shall be responsible for — (@) the implementation of the decisions the Committee (b) the efficient administration ofthe Secetariat; (© the management of staff ofthe Seeretaiat; (@) the maintenance of accurate rezords on financial ‘matters and resource use} © the preparation and approval of the budget for the required funding of the operations! expenses of the Secretariat; and (the performance of any other dates as may be assigned to him or herby the Committe, {) The Director shall be appointed for a single term of four years and sil not be eligible for reappointment Reports te 8. The Committe shall submit quarterly reports to the National Committe Security Council, od 9. (1) The Director shall, by notice in the Gazette, designate ‘Memmecire &tain systems as ertcl infrastructure (2) The Director shall designate a sjstem as a critical infastructure if disruption ofthe system would resut in— (@) the interruption of a lif sustaining service including the supply of water, health services and energy, (©) an adverse effect onthe economy of the Republic; (6) ancvent that would result in massive casualties 0: fatalities; (€) faite or substartial disruption ofthe money market of the Republic; and ©) adverse and severe effect of the secutty of the Republic including intelligence and military services, (6) The Director shall, within a reasonable time of designating a system as critical infiastructre, inform the owner or operator of the system the reasons for the designation of the system’ as a cttical iniastracure. (4) The Director shall, within a reasonable time ofthe declaration cof any information infrastructure, or eategory or elas of information infiastucture or any pat thereof, ass ertel information infrastructure, in line with a critical inftastructure framework isue directives. 10 requlate— (@) the classification of data held by the titial information inftastructure; (©) the protetion of, the storing of and archiving of data held by the critical information infmstuctre: Prseton of ‘nts Seren (©) cyber security incident management by the critical information infrastructure; (@ disaster contingency and recovery measies, which must be put in place bythe ertical information irasiructure; (©) minimum physical and technical security measures that must be implemented in order to protect the sritical information infastucture; (© the period within which the owner, or person in contol of a critical information infrastructure mist comply with the Girectives and (2) any other relevant mater which is necessary or expedient in ftder to promote oyber security in resect of the critica information infrastrcture 10, (1) The Committce shall within seasonsble time and in ‘consultation with the owner or a person in control of an identified ‘rtcal information infrastructure, submit to the National Security ‘Council its recommendations of entities 1o be gnvtted as critical information infastractures. {@) The Committee shall, after the gazettement under subsection (1), in consutation with a person that owns or operates the critical information infrastructure — (@) conduct an assessment of the threats, vulnertbiltes, risks, fand. probability of a cyberattack scross all citical inastructure sectors; (2) determine the harm fo the economy that would result from {damage or unauthorized access to ertcal infastructure; (©) measure the overall preparedness of each sector against damage or unauthorized access to crtical infrastructure including the effectiveness of market forces driving security ‘innovation and seeure practices, (@ ey any or based scary fore aperoprate and necessary to protect public health and safety, oF socio-economic security; and : recommend to the owners of systems designated as éifical infrastructure, ‘methods of securing their systems against eye threats. 11, (1) The owner or operator of a system designated as critical infeasticture shall report 0 the Commitice any incidents likely to ‘constitute a deat in the nature of an attack that amotals to a computer tnd eybererime and the action the owner a operator intends to take to prevent the threat, (@) Upon receipt of a report by the Committe, under subsection (1), the National Security Couneil shall provide techaical assistance to the over ot operator ofa critical infrastructure to mitigate the threat, (@) The Director may institute an investigtion of « computer and cybercrime attack on his or her own volition and may take necessary ‘eps to secure any eitialiniastucture without reference to the ently oe compo (4) The Director shall submit a report on any threat in the nature fof a computer and cybercrime reported by the owners or operators of oxiialinfrastractre periodically to the National Security Cotmeil. 12. (1) A private entity may enter into an information sharing ‘agreement with public entity on eiial information inftasttuctre (@) An agreement under subsection (1) shall only be entered into for the following purposes and in line with a critical infrastructure Framework (2) to ensure eyber security; (6) for the investigation and prosecution of crimes related to cyber security, (©) forthe protetion of life or property of an and (@) to proect the national security of thecountr. (@) Prior to the sharing of information under subsection), a party to an agreement shall review the information and ascertain whether the information contains personal details that may ently a specific person not diveetly related to a threat that amounts ‘9 a computer and cybercrime and emave such information (4) A person shall not, under this Pat, share information relating to the health status of another person without the prior writen conseat ofthe person to wiiom the information relates, ividua; 413. (1) The owner or person in contol of a eritca information infrastructure shall annually submit a compliance report onthe eritcal information infiastructure to the Committee in line with a ettical Sngfestructurefremework inorder to evaluate compliance, {@) The Director, shall within a reasonable tine before an audit on 4 critical information infrastructure or at any time there is an imminent threat in the nature of an attack that amounts t & computer and cybercrime, notify the owmer or person in contol of critical information infrastructure in writing — (@) the date on which an audit isto be performed; and (@) the particulars and contact details of the person who is responsible fr the overall management and contol of the anit, @) The Director shall monitor, evaluate and report on the adequacy and effectiveness of any audit (4) The Ditector may request the owner or person in control of @ titcal information infiasiucture t© provide further provide. such additional information as may be necessary within a specified period in order to evaluat the issues raised from the aut. (S) An owner o authorised person in corttol of a eitcal “ information inftatructure commits an offence and ifeonvicted is liable to a fine not exceeding shillings two hundred thousand or term of imprisonment not exceeding five years or both if the owner or authorized person— @) fails files compliance report and fils to cooperate with fan audit to be performed on a critical information infastricture in onder to evaluate compliance with the diectives issued, () falls to provide such additional infoumation as. may be necessary within a specified period in crder to evaluate the report of an audit inline with the n critcal infrastructure (0 the Director after he or she has been requested to do 0 (0 the Director; (©) hinders, obstructs or improperly attempts to influence any member of the Committee, person or entity to monitor, evaluate and report on the adequacy anc effectiveness of an audit (@) hinders, obstructs or improperly attempts to influence any person authorized to cary out an audit (© ls o cooperate with any person authorized to carry out an avait, or (9 fails to assist or provide technical assistance and support to ‘person authorized to erry out an audit (6)A person shall not perform an audit on a citcal information infastructare anless he or she — (@) has been authorized in writing by the Director to perform such audit; or (is in possession of certificate of appointment, in the prescribed form, issued by the Director, which certificate ‘must be submitted to the owner or peron in contol of a Critical information infrastructure at the commencement of the audit PART II—OFFENCES 14,(1)__A person who causes, whether temporarily or permanently, a ‘computer system to perfoom a function, by infinging security measures, with intent to gain access, and knowing sueh access is unauthorised, commits an offence and is liable on conviction, toa fine not exceeding five million shillings or to imprisonment for & tem not exceeding three years, oro bath, (2) Access by # person to a computer system is unauthorised if — (@) that person is not entitled to contol access of the kind in ‘question tothe program or data; or Compute Miase and Cybareimes det, 2018 () that person does not have consent fiom any person who is entitled to access the computer sysiem though any function fo the program or dat, (@) For the purposes of this section, it is immaterial that the ‘authorised access isnot directed at — (2) any particular program or datas (6) a program or data of any kind o (©) program or data held in any paticular cemputer system, ‘Aecewin inset 15, (1) A person who commits an offence under section 4 with intent ‘geammiiteter fo commit a furher offence under any law, or to faciilae the : commission of a further offence by that person or any other person, ‘commits an offence and is liable, on conviction, to 4 fine not exczeding ten million shillings or to impeisonment for a tem not excceding ten years, o to both (2) For the punposes of subsection (1), it is immateril that the further offence to which ths section applies is committed atthe same time whed the access is secured or at any other time, nmr 16. (1) A person who intentionally and withow: authorisation does ‘mertrnes, any act which eauses an unauthorised interference 1 compute system, program or data, commits an offence and is liable on sonvieion, toa fine ot exceeding ten million shillings orto imprisonnent for term not exceeding five years, orto both 2) For the purposes of this section, an interference is unauthorised, if the person whose act eauses the interference — (@) is not ented to cause that interference, (©) does not have consent to interfere froma person who is so ented, {G)A person who commits an offence under subsection (1) which, (@) results ina significant financial loss to any person; _£1ve amyunes eave wes we () tteatens national security; (6) causes physical injury or death to any person; or (threatens public health or publi safety, is liable, on convietion, to fine not exceeding twenty milion shillings or to imprisonment for aterm not exceeding ten years, or:0 both (4) For the purposes ofthis section, itis immaterial whether or not the unauthorised interference is directed at— (@) any particular computer system, program o: dats; (©) aprogram or data of any kind or (64 program or data helé in any particular computer system, (6) Por the purposes of this section, it is immaterial whether an ‘unauthorised modification or any intended effect of iis permanent oF temporary amtoried 17, (1) A person who intentionally and without authorisation does any lesan. gt hich interepts o eases tobe intercepted, ducety or indirectly and fcauses the transmission of dala to or from a computer system over & telecommunication system commits an offence end is liable, on conviction, ta a Gine not exceoding ten millon shillings or to {imprisonment for term not exceeding five years, orto both @) A person who commits an offence under subsection (1) whic (@) results ina si at financial loss, (6) threatens national security; (©) causes physical or psychologieal injury or death to any person; or (@ threatens public health or public safety, __The Computer. is lable, on conviction toa fine not exceeding wen milion shillings or ‘0 imprisonment for aterm not execeding te years, oo bath, @) For the purposes of this section, it is immaterial that the ‘unauthorised interception is not directed at (@) atelecommunicaton system; (© any particular computer system dats; (©) program or data of any kind; or (© 4 program or data held in any particular computer ‘system. (8) For the purposes of this section, it is immaterial whether an ‘unauthorised interception or any intended effect of it is permanent of temporary. ga device 18. (1) A person who Knowingly manufactures, adapts, sells, ‘fees ends. procures fr use, imports, offers to supply, distributes or otherwise makes Available device, program, computer password, acess code or similar lata designed of adapted primarily for the purpose of commiting say offence under this Part, commits an offence and is liable, on conviction, to a fine not exceeding twenty millon shillings of t imprisonment for & ‘erm not exceeding ten years, orto both, @) A person who knowingly receives, or isin posession of, a program ‘or 8 computer password, device, access code, or sinila data ftom any action specified under subsection (1) and intends thtit be used to commit (or assist in commission of an offence under this Pet commits an offence ‘and is liable on conviction, toa fine not exceeding en milion shillings of ‘o imprisonment for aterm not exceeding five years, eto both. {G) Despite subsections (1) and (2), the activities described under the subsections do not constitute at offence if (@) any oct intended for the authorised taining, testing, oF protetion of «computer system; ot (@) the use ofa program or a computer password, access code, or similar data is undertaken in compiance of and in accordance withthe terms of judicial crder issued or in ihe computer saisuse ana \yoercrimes Act 6010 exercise of any power under this Act or any law, (4) For the purposes of subsections (I) and @), possession of any program or a computer password, access code, oF similar data includes heving— (@) possession of a computer system which ecntsins the program bra computer password, access cod, or similar data; (©) possession of a data storage deviee in which the program or 2 Computer password, access code, or similr data is recorded; (© contol of «program or a computer password, access code, oF ‘Similar daa that isin the possession of ancther person. nerd 19, (1) A person who knowingly and witht autor discloses any isnt password acess code orate means of ging sees to any program or sermedsy Gata eld in ny computer sytem commis an offence end i ale, on conviction, toa fine not exceeding. five million shillings oF to {imprisonment for tem not exceeding three years, o © bot (@)A person who commits the offence under subsection (I) (@) for any wrongful ein, (@) for any unlawful purpose or (©) occasion any loss, liable, on conviction, to a fine not exceeding ten million shillings orto Jmprisonment fora term not exceeding five year, or te both, nance 20, (1) Where & person commits any of the offences specified under ena or seetions 4 5,6 and 7 ona protected computer system, that person shall be a Tiable, on convition, toa fine not exceeding twenty five milion shilings| ‘or imprisonment fora term not exceeding twenty years ot both Sartre (@) For purposes ofthis section — “protected computer system” means a computer system used directly in The Computer Misuse and Cybercrimes dct, 2018 connection with, or necessary for, — (@) the security, defence or international relations of Kenya; (©) the existence or identity of a confidential source of information relating tothe enforcement of &erminal lave, (© the provision of services dieetly related to communications infrastructure, banking and. financi services, payment and sclement systems and instruments, public utilities “or puslie. transportation, including goverament services delivered electronically (@ the protection of public safety including systems related to essential emergency services suth as police, civil defence and medical services; (©) the provision of national registration sjstems; ot ( such other systems as may be designated relating to the seeutty, defence or intemational relations of ‘Kenya, critical "information, communicaiens, business or (cansport infastrcture and protection of public safety and public services as may be designzied by the Cabinet ‘Seeretary responsible for matters relaing to information, ‘communication and techalogy. Oereniones 21. (1) A. person who unlawfully and intentionally performs or authorizes or allows another person to perform a prokibited act envisaged inthis Ac, in order to (@) gain acces, as provided under setion 4, to citicl data, ci database ore national eriialinforiaion infrastructure; 1 (©) intercept data, as provided under section 7, to, from or within a itcal databese or a national critical information infastucture, with the intention to directly of indirectly bafta foreign sae gains the Republic of Kenya, commits an offence and is liable, on conviction, te imprisonment fora period not exceeding twenty years or to a fine not exceeding, ten nillion shillings, orto both. (@)A person who commits an offence under subsection (1) which auses physical injury to any person is Table, on conviction, to ‘imprisonment fora term not exceeding twenty years G) A person who commits an offence under subsection (1) witch ‘causes the death ofa person is liable, on convition, o imprisonment fot 2» ihe Computer Misuse and \:yoererimes Act, 4U18 life, (® A person who unlawfully and intentionally possesses, communicates, delivers or makes available or receives, data, 16, from of ‘within a ertical database of national riticl information infrastruc, ‘with the intention to directly or indirectly benchit a freign sate against the Republic of Kenya, commits an offence and is late on conviction to imprisonment for a period not exceeding, twenty Yes oF tO a fine not exceeding fen million shillings, ot both. (5) A person who unlawfully and intentionally performs oF suthorizes, of allows another person to perform a prohibited act as envisaged under this Act in order to gain access, a5 provided under Section 4 ,o or intercept data as provided under section 7, whichis in possession of the State and which is exempt information in accordance ‘with the law relating 0 access to information, wit the intention to directly or indirectly benefit a foreign state against the Republic of Kenya 1 commits an offence and is liable, on conviction, to afine not exceeding five million shillings oto imprisonment fora period not exceeding ten eats, oo both. 22, (1) A person who intentionally publishes fae, misleading or fititious data or misinforms with intent thatthe data stall be considered ‘or acted upon as authentic, with or without any financal gain, commits ‘a offence and shall, on conviction, be linble toa fine not exceeding five rllon shillings or ta imprisonment fora tem not exereing two Years, ‘orto bath, (2) Pursuant to AMticle 24 of the Constitution, the fieedom of expression under Article 33 of the Constitution shall be limited in pect of the intentional publication of false, misleading or fictitious data or misinformation tht — (is ikely t— @ propagate war; ot (i) incite persons to violence; (©) constitutes hate speech; (©) advocates hatred that (@) constitutes ethnic incitement, vilification of others or incitement to cause harm; or (jis based on any ground of discrimination specified or ‘ontemplted in Article 27(4) of the Constitution; or (@) negatively affets the rights or reputations of others 223, A person who knowingly publishes information thet is false in Dirint, broadcast, data or over a computer system, that is caleulted or Fesulis in pani, chaos, or violence among citizens of the Republic, or which is likely to discredit the reputation of @ person commits’ an offence and shall on conviction, be liable to fine nat exceeding five rillon shillings ot to imprisonment for aterm not exceeding ten Yeats, ‘rt both ous 24. (1) A person who intentionally — noel, We » (publishes child pomography throughs computer systems () produces child pornography for the purpose of its publication through a computer syste © downloads, distributes, transmits, disseminates, circulates,” delivers, exhibits, lends for gain, exchanges, barters, sells or offers for sale, lets on hire or offers to let on hire, offers in another’ way, ot make available in" any way from a ‘elecommunications apparatus pornography; ot (possesses cild pornography in a computer system or on & Computer data storage medium, commits an offence and is liable, on convietan, to a fine not ‘exceeding twenty million orto imprisonment fr «team not exceeding ‘owenty five yeas, ofboth (2) 1s a defence wo a charge of an offence under subsection (1) that 4 publication which is proved to be justified as being for the publi ‘200d on the ground that such book, pape, paper, writing, drawing, Painting, art representation or figure is in'the invest of science, literature, leaming or ather objects of general concerns. (@) For purposes of tis section — “child” means a person under the age of eighteen yeats; “child pornography” includes data which, whether visual or suio, depiets— (®) achild engaged in sexually explicit conduct; (©) person who appears to be a child engaged in n sexually explicit conduct; or (© ‘realistic images representing a child engaged in sexually explicit conduct, “publish includes to— (@) distribute, transmit, disseminate, circulate, deliver, exhibit, end for gsi, exchenge, berer, sell or offer for sale, let on hte or offer to let on it, offer in any other way, or make avaiable in any way: (6) having in possession or custody, or under control, for the purpose of doing an act referred to in paragraph @sor (© prin, photograph, copy or make in any other manner Twhether of the same or of a different kind or nature for the purpose of doing an ac referred to in paragraph (2). Conpater 25. (1) A. petson who intentionally inputs, alters, deletes, or ‘ony suppresses computer dat, resulting in inauthentic data with te intent that it be considered or acted upon for legal purposes as if it were tuthentc, regardless of whether or not the dta is dretly readable and intelligibie commits an offence and is lable, on conviction, to fine not exceeding ten million shillings or to imprisonmen: for a term not exceeding five years, or to both, @ A person who commits an offence unde> subsection (1), Aishogestty or with similar itent— (@) for wrongful gain; (©) for wrongful loss to another person; or (© forany economic benefit for oneself o for another person, is liable, on conviction, to fine not exceeding twenty milion shilings| orto imprisonment for a term not exceeding ten years, otto both, compar 26, (1) A person who, with fraudulent or dishonest intent— The Computer Misuse ond Cybercrimes Act, 2018 (@) unlawfully gxins; (© occasions unlawfil loss another petsons or © obiains an economic benefit for oneself oF for anather person, through any of the means described in subseeton (2), commits an offence and is table, on convietion, to a fine net exceeding twenty ‘million shillings or imprisonment term for a tet not exceeding tn years, o to both (@) For purposes of subsection (1) the word " mesns" refers to— (@) an unauthorised aocess toa computer system, program or date; () any input, alteration, modification, deletion, suppression or feneration of any progsam or data; (© any interference, hindrance, impairment or ebstruction with the functioning ofa computer system; © copying, transfering or moving any data or program to any computer system, date or computer date storage medium other ‘than that in which itis held orto a different leation in any other computer system, program, data or computer data. storage medium in whieh itis held; or (6) ses any data or program, of has any data or program output from the computer system in which itis held, By having it displayed in any manner. oe 27. (1) A person who, individually or with other persons, willy = communicates, either dived’ or indirectly, with another person ot ‘anyone known to that person, commits an offen: if they know or ‘ugh to know that their eondct — (2) is likely to eause those persons apprhension or fear of Violence to them or damage ot lss on that persons" property: u aa The Computer Misuse and Cybercvimes Act (6) detrimentally affects that persons or (©) @ isin whole o part, of an indecent or grossly offensive nature and affects the pezzon. (@) A person who commits an offence under subscetion (1) i lise, on conviction, (0 a fine not exceeding twenty million shilings oF Imprisonment fora term not exceeding ten years o toboth (@) A person may apply to Court for an order compelling a person charged with an offence under sublause (1) to refs fom— (@) engaging or stempting to engage in; or (©) enlisting the help of another person to engage in, any communication complained of under subsection (1). (@) The Cour— (@) may grant an interim order; and jon under subsection (4) () shall heat and determine an epi Within fourteen days, (5) An intermediary may apply’ forthe order under subsection (4) on behalf of a complainant under this section (© A person may apply for an order under his section outside court, ‘working hours. () The Court may order a service provider to provide any subseriber information in its possession for the purpose of identifying a person whose conduct is complained of under this secton (A person who contravenes an order made under this section commits ‘a offence and is liable, on convietion to a fine not exceeding one nillion shillings or to imprisonment for « term not exceeding six ‘months, orto both 28. person who, intentionlly takes or makes use of a name, business name, trademark, domain name o other word ot phrase registered, owned or in use by another person on the Inlernet or anyother computer. network, without authority or ght, commits an offence and” is liable on conviction toa fine not exceeding two hundred thousand shillings or imprisonment for a term fot exceading two years or both, Neswora012 ‘ives creme, __he Computer Mize and Cpbererines Ae, 2018 29.A person who fraudulently or dishonesty makes use of the “electronic signature, password or ary other unique ienieation feature of any other person commits an offence an is liable, on convition, to a fine not exceeding two hundked thousand shillings or to imprisonment for aterm not exceeding three years or bath. 30. A petson who ereates or operates a website or sends a message though « computer system withthe intention to induce the user of @ ‘website or the recipient ofthe message to disclose personal information for an unlawful purpose or to gain unauthorized access to a computer system, commits an offence and i liable upon convition to a fine not exceeding three hundred thousand shillings or to imprisonment for & term not exceeding thre years or both, 31. A person who unlawlly destroys or aborts any electronic mail for processes through which money or information is being conveyed commits an offence. and is liable on conviction o fine not exceeding two hundred thousand shillings or to ater of imprisonment not exceeding seven years or to both 32. A person who wilfully misdirect electronic messages commits aan offence and is liable on conviction to & fine aot exceeding one ‘hundred thowssnd shillings o to imprisonment fora xm not exceeding ‘to years orto bath 33. (1)A person who accesses or causes to be accessed a computer oF computer system or network for purposes ‘of tererim, commits an offence and shall on conviction, be liable to fine not exceeding five nillion sings orto imprisonment for aterm note exceeding ten Years, ‘orto both. 2) For the purpose of this section, “terrorism” stall have the same meaning under the Prevention of Terrorism Act, 2012 ‘34. A person who indices any person in chtge of electronic devises to deliver any electronic messages not specifically meant for him commits an offence and is lable on conviction toa ine not exceeding to hundred thousand shillings o¢ imprisonment for «term not exceeding two years or both 35. person who intentionally hides or detsins any electonic ms message, electronic payment, eredit and debit ead whith was found by the person ot delivered tthe person in eror and which avg to be delivered ‘o another person, commits an offence andi lable on canvition a ine not exceeding two hundred thousand shillings or imprisoement fate not exceeding two Years ofboth, 136. A person swho unlawfully destroys of aborts any electronic mal or processes through which money or information is being conveyed commits tn offence and is lable on conviction to fine not exceeding to hundred ‘thousand shillings or imprisonment for @ term not exceeding two years 26 Wrong iit i Insane of ee Seer or both. 37. person who transfers, publishes, or disseminates, including ‘making a‘digtal depiction available for distibution or downloading through @ telecommunications network or though any ether means of itansfering. data toa computer, the inmate or omscene image of ‘another person commits an offence and i liable, on cenvition to fine not exceeding two hundred thousand shillings or imprisonment for a term not exeeeding two years or bath 38, (1) A person who knowingly and without sutsority causes any loss of property to another by alering, erasing, inputting or suppressing ‘any data stored im a computer, commits an offence and is lable on ‘canvietion to fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years orboth. (@) A person who sends an electronic message which materially misrepresents any fact upon which reliance by another person is eaused to suffer any damage or loss commits an offence and is liable on Convition to imprisonment for a fine not exceed-ng two hundred ‘thousand shillings or imprisonment for a term not exceeding two years or both, A person who with intent 0 defraud, franks electronic messages, instructions, superscribes any electronic messages. or fnstiction, commits an offence and is lisble on conviction & fine not ‘exceeding two hundfed thousand shillings or imprisonment for. term pot exceeding two years or bath (8A person who manipulates « computer or other electronic payment deviee with the intent to short pay or overpay commits an bffence and s liable on conviction ta a fine not exceeding two hundred thousand shillings or imprisonment’ for aterm mot exceeding ¢¥0 ‘years or both (5) A person convicted under subsection (4) shall forfeit the proprietary intrest i the stolen money” or propety to the-bank, Financial institution or the customer, 39, A person authorized to use a computer cr other electronic devices for financial transactions including posting of debit and credit teansaetions, issuance of electronic instructions as they relate to sending of electronic debit and credit messages or confimmition of electronic fund transfer, issues false electronic instructions, commits an offence and is liable, on convition, a fine not exceeding two hundred thousand slullings or imprisonment for a term not exceeding two years or both. 40. (1) A person who operates a computer systom or a computer network, whether public or private, shall immediately inform the Committee of any’ attacks, jatusions and other disruptions 10 the fimetioning of another computer system or neswork within twenty four hours of such attack, intrusion or discuption reposbiy Feng ce ceomsion oF ct aby (@)A report made under subsection (1) shall include — (@) information about the breach, including @ summary of any information that the ageney knows on how the beach occurred: (©) am estimate of the number of people affected by the breach; (©) an assessment of the risk of harm to the alfected individuals; nd (©) an explanation of eny cireumstances that would delay ‘or prevent the affected persons frm being informed of the breach, G) The Committee may propose the isoltica of any computer systems or network suspected to have been attsked oF sistupted pending the resolution ofthe issues, (4) A person who contravenes the provisions of subsection (I) commits fan offence and is Table upon convition a fine aot exceeding two hundred thousand shillings o imprisonment for a term not exceeding ‘90 years o both, 41, (1) An employee shall, subject to any cortractual agreement between the employer and the employee, relinquish all codes and access Fights to their employet’s computer network or system immediately ‘pon termination of emplayment @) A person wito contravenes the provision of -his subsection (1) commits'an offence and shall bo, liable on convicion, to ¢ fine not exceeding two hundred thousand shillings of imprisnment for aterm rot exceeding two years or both, 42, (1) A person who knowingly and willfully aids oF abets the commission of any offence under this Act commits an offence and is liable, on convition, to a fine not exceeding seven nillon shillings oF ‘to imprisonment fora term not exceeding four yeas, cto both. @) A person who knowingly and willflly atterpts to commit an offence or does any act preparatory to or in furtherance of the ‘commission of any offence under this Act, commits an offence and is liie, on conviction, to a fine not exceeding seven million shillings oF ‘0 imprisonment for aterm not exceeding four years, to both 43. (1) Where any offence under this Act has been committed by body corporate (@) the body corporate is lable, on conviction, toa fine not execeding fifty million shillings; and (6) every person wito atthe time ofthe commission of the offence was a principal officer of the body corporate, or anyone acting in similar capacity i 2 the Computer misuse and yoererimes Act, éU18 also deemed to have commited the offence, unless they prove the offence vas commited without theit ‘consent or knowledge and that they exercised such lligence to prevent the commission ofthe offence ‘as they ought to have exeresed having regard tothe nature of theit fonctions and to prevailing circumstances, and is Hable, on conviction, toa fine not exceeding five million shilling or imprisonment {ora term not exceeding three years, oF to both (2) If the alfsirs of the body corporate are managed by its members, subsection (1) (b) applies in relation to the aes or defaults of ‘2 member in connection with their management functions, as if the member was principal officer of the body corporate or was acting in & similar eapacity. 4. (1) A court may order the confiscation or forfeiture of menies, ‘proceeds, properties and assets purchased or obtained by & person with proceeds derived from or in tke commission of fn offence under this Act, (2) The court may, on convition ofa person for any’ offence under this Act make an order of restitution of any asset gained from the commission of the offence, in accordance with the provisions and procedures of the Proceeds of Crime and Anti-Money Laundering Act, 2009. 45. (1) Where the court convicts a person for any offence unde this Part, oF for an offence under any other law committed through the use of ‘computer system, the court may make an order for the payment by th person of a sum t@ be fixed by the court as compensation fo any person or any resultant loss caused by the commission of the offencé for which the sentence is passed (2) Any claim by a person for damages sustained by reason of any offence committed under this Pat is deemed to have been satisfied (0 the extent of any amount which they have been paid under an order for compensation, but the order shall not prejudice any right to & civil remedy for ‘the recovery of damages beyond the amount of ‘compensation pai under the order. (@) An order of compensation under this section is recoverable as @ civil debe ct Scope Ne s09¢201 _The Computer Mins and Chterrimes det, 2018 46, (1) A person who commits an offence under any other law through the use of # computer system commits an offence and shell be linble on conviction to a penalty similar to the penalty provided under that lave @) A Court shall, in determining whether te sentence a person convicted of an offence under this section, consider — (©) the manner in which the use of a computer system enhanced the impact ofthe offence, (©) whether the offence resulted in s consmercal advantage or financial gain; (© the value involved, whether of the consequential loss oF damage caused, or the profit gained from commission of the offence through the use of computer system; (© whether there was a breach of trust or responsibility; ( © the number of victims or persons affected by the offence; (9 the conduct ofthe accused; and (@) any other matter tha the court deems 5tto consider. PART IV INVESTIGATION PROCEDURES 47. (1) All powers and procedures under this Ax are applicable to and may be exeteised with eepect 0 any-— (@) criminal offences provided under this Act (©) other criminal offences committed by means of a computer system ‘slablished under any other law; and (© the collestioi of evidence in electionic form of a criminal offence under this Act or any ther law. @) In any proceedings related to any offence, under any law of Kenya, the fact that evidence has been generated, trensmited or seized ‘fom, or identified ina search ofa computer system, shall not of iself ‘revent that evidence from being presented, relied upon or admitted (@) The powers and procedures provided under this Patt are without rejice to the powers granted under (@) the National Intelligence Service Act, 2012 (©) the National Police Service Act, 2011; 30 Sencha ‘the Computer Misuse ana ybercrimes Ach £063 (©) the Kenya Defence Forees Act, 2012; ant (@) any other retevant law. 48. (1) Where a police officer or an euthorsed person has reasonable grounds to believe that there may be ina specified computer system of part of it, computer data storage medium, program, data, that (@) is reasonably requited for the purpose of a criminal investigation or criminal proceedings which may be material as evidence; or (0) has been acquired by a person as a result of the ‘commission of en offence, the police officer or the authorised person may apply tothe court for issue of a warant fo enter any premises to access, seach and similarly seize such data (@)A search warrant issued under subsection (1 shall — (a) iden the police officer or authorised person; (6) direct the police officer or authotised person under paragraph (8) to seize the data in question; or (© ect the police officer or authorised person to {@).__ search any person identified inthe warrant (ii) enter and search any premises identified ih the ‘warrant or (i seareh any person found on or at such premises. G) A search warrant may be issued on any day and shall be of force until it is executed or is cancelled by the issuing cout. (4) A police officer or an authorised person shall present a copy ofthe warrant o a person agains whom iis issued. (SYA person who- (@) obstructs the lawful exercise of the powers under this section, (@oompromises the integrity or confidentiality of = ‘computer system, data, or informsion accessed or retained under this section; or (6) misuses the powers granted under this rection, ‘commits sn offence and is liable on conviction to a fne not exceeding five million shillings oto a term of imprisonment act exceeding three yeats orto both, fuse and Cpborrimes Act 2018 Ronda 49. (1) Where a computer systom or data has been removed oF Gea?" rendered inaccessible, following a search or a seizure under section 23, the person who made the search shall, tthe time ofthe search or 35 S00 as practicable after the search — (6) ake a list of what hasbeen seized or rendered inaccessible, and shal specify the date and time of seizure; and (©) provide s copy of the lis to the oceupier ofthe premises oF the ‘person in contol of the computer system refered to under paragraph (a). (2) Subject to subsection (3), «police officer or an authorised person shal, on equest, permit a person who (6) had the custody or control of the computer system; (©) has right to any data or information seized or secured; ot (©) has been acting on behalf of a person under subsection (1)(a) or @, ‘o access and copy computer data onthe system or give the person a copy of the computer data, (2) The police officer or authorised person may refuse to give access oF provide copies under subsection (2), if they have reasonable grounds for believing tha giving the acess or providing the ecpie, mey-—— (@) constitute a criminal offence; or (©) prejudion— (0) the itvestigation in connection with the search that was cated out (Gian ongoing investiga (i any criminal proceeding that is pending. or that may be brought in relation to” sty “of those investigations. () Despite subsection (3), a court may, on reasonale grounds being disclosed, allow a person who bas qualified under subsection (2) (@) of wo (2) access and copy computer data onthe system; oF ne Comper saususe ana ybererimes Act 2018 (6) obtain a copy ofthe computer data, Protections. 50, (1) Where a police officer or an authorised person has reasoneble grounds to believe that— (@) specified data stored in a computer system or a computer data stomge medium is in the possession or control of a person in ts tevitory; and (©) specified subscriber information relating 10 services offered by a service provider in Kenya ate in that service provider's possession or control ard. is necessary or Aesirable forthe purposes of the investigation, the police office or the authorised person may’ apply‘ court for an order (@) The Court shall issue an order dicecting — (©) a specified person to submit specified computer data that is in that person’s possession ar contol, and is stored in & ‘computer system ora computer data stage medium; or (©) 2 specified service provider offering its services in Kenya, ‘© submit subseriber information relating to such services in that service provider's possession or zontal pets 51. (1) Whete a police officer or an authorised person has reasonable secenatin grounds to believe that et (@) any specified taffic data stored in any computer system or ‘computer data storage medium or by means of a computer system is reasonably required forthe purposes of a criminal investigation; and () there is a ssk or vulnerability thatthe taffic data may be ‘modified, lost, desttoyed or rendered inaccessible, the police officer or an authorised person shal serve a notice on ‘the person who is in possession or contol of the computer system, requiring the person to— (undertake expeditious preservation of such ave a ‘The Computer Mise an Cybererimes det 2018 taffic data regardless of whether one or mote stivice providers were involved in the transmission ofthat communication; or (i) disclose sufficient atic data conceming any communication in order to identify the service providers and. the pata through which ‘communication was trensimita, @) The data specified in the notice shall be preserved and its {integrity shall be maintained for a period not exceeding thirty days. (G) The period of preservation and maintenance of integrity may be extended for a period exceeding thirty days if, on an application by the police officer or authorised person, the courts stisted hat (®) an extension of preservation is reasonably required {forthe purposes ofan investigation or prosecution; (0) there is a risk or vulnerability that the trafic date ‘may be modified, lost, desroyed vor rendered inaecesible; and (©) the cost ofthe preservation is mat overly burdensome ‘on the person in contol ofthe enmputer system, (Te person in posséssion or contol ofthe computer system shall be responsible to preserve the dala specified @) for the period of notice for preservation and maintenance of integrity or for any extension thereof pemitted by the court, and (6) for the period of the preservation to keep confidential any preservation ordered under this section, (©) Where the person in possession or contol of the computer system isa sevice provide, the service provider shall be requed ‘The Computer Misuse and Cybercrimes Ac, 2018 (@) respond expeditiously to a request for assistance, whether to facilitate requests for police assistance, or mutual assistance requests; and () disclose as soon as practicable, a sufficient mount of the non- content data to enable a police officer or an authorised person. {0 identity any other telecommunieations aoviders involved inthe transmission ofthe communication. (7) The powers of the police officer or an authorised person under subsection (1) shall apply whether there is one or mor: serve providers involved in the transmission of communication which is subject to exercise of powers under this section. eine 52, (1) Where police officer or an autberied person has sslesonof reasonable grounds to believe that traffic data assocced with specified communications and related tothe person under investigation is required forthe purposes ofa specific criminal investigation, te police officer or authorised person may apply othe court for an order to— (@) permit the police officer authorized rerson to collect oF Fecord through the application of technical means trafic dat, in real-time; (©) compel a service provider, within its existing technical capability — (© t collector record through application of technical ‘means traffic data in eal time; oF Gi) w cooperate and assist a police office or an authorised person inthe collection or ecoeding of traffic data, Feal-ime, associated with specified communication its jurisdiction transmitted by means of a computer system. (@) In making an application under subsection (1), the police officer fran authorised person shall— (@) state the grounds they believe the trafic data sought is available with the person in control of the computer system; (©) identify and explain, the type of wafic daa suspected 10 be found on such computer system; as Conpucer Maur and Cybercrines At 2018. (©) identify. and explain the subscribers, wsers or unique idenifier the subject of an investigition or prosecution suspected as may be found on such computer system; identify. and explain the offences identified in respect of Which the warrant i sought; and (©) explain the measures to be taken to prepare and ensure that the trafic data shall be sought-— © while maintaining the privacy of oter users, customers snd third parties; and (i) without the disclosure of data to any party nt part of the investigation. (2) Where the cout i satisfied with the explanations provided under subsection (2), the court shall issue the order provided for under ‘subsection (1), (4) For purposes of subsection (I), real-time collection or recording ‘of wfc data shall be ordered fora period not exceeding six months, (5) The court may authorize an extension of tine under subsection (if itissatistied that— (®) such extension of realtime collection oF recording of Uwaffe data is reasonably required for the purposes of an investigation or prosecution; (6) the extent of reabtime collection or recording of traffic data is commensurete, proportionate ad necessary for the purposes of investigation or prosecution; (©) despite prior authorisation for realtime collection or recording of trafic data, additional red-time collection oF recording of trafic data is necessary and needed 10 achieve the purpose for which the watrant isto be issued (©) measures taken to prepare and ensure thatthe real-time collection or recording of tate data is eartied out while 36 __the Computer omsuse ana Cyoercromes ach, 610 maintaining the privacy of ther wsers, customers and thitd Duties and without the disclosure of information and dat Df any party not part ofthe investigation; (©) the investigation may be frustrated or seriously prejudiced unless the real-time collection or econing of traffic data is permitted; and (0, the cost of such preservation is not overly burdensome ‘upon the person in convo ofthe compute system. (©) A cout may, in addition 10 the requiremest specified under subsection (3) require the service provider to keep confidential the order find execution of any power provided under this section, (A service provider who fils to comply with en order under this section commits an offence and is liable on conviction— (@) where the service provider is a corporation, to a fine not exceeding ten million shillings; or (6) in case of principal officer of the service provider, to a fine hot exceeding five million shillings or to mprisonment for a tern not exceeding thee yeas, orto both. lesen of 53. (1) Where a police officer or an authorised person has reasonable conunldea: grounds to believe that the content of any specifically identified tlectronic communications is required for the purposes of a specific investigation in respect of offence, the police officer er authorised person say apply fo the eourt for a ord io— {@) permit the police officer or authorised person to collect or ( record through the aplication of technical mesa; () compel service provider, within its existing. technical capabilty— (to collector record through the application of technical (i) to co-operate and assist the competent authorities inthe collection or recording of, content data, in real-time, of specified communications within the juvedition rasmitted by means of a computer system. (@) In making an application under subsection (1), the police officer ot an authorised petson shall — (@) sate the reasons he believes the content data being sought 's in possession of the person in contol ofthe computer ‘stem; (©) identify and state the type of content data suspected to be found on such compute systent; (© ideatfy and state the offence in respect of which the warrant is sought; (sate if they have authority to seck real-time collection or ‘recording on more than one eecasion is needed, ad shall specify the addtional number of dsclosures needed 10 achieve the purpose for which the wana isto be issued; © explain measures to be taken to prepare and ensure that the real-time collection or recording is canied out © while maintaining the privacy of other users, ‘customers and third partes; an without the distosute of information and data of any party not part ofthe investigation; (O, state how the investigation may be frasttated or seriously Drejudiced unless the rea time collection or recording i permited; and () ‘ate the manner in which they shall achieve the objective of the warrant, realtime collection er recording by the peron in contol of the compu system where necessary, (G) Where the court is satistied with the grounts provided under subsection (2), the court shall issue the order applied fir under subsection o. (4) For purposes of subsection (1), the real-ime collestion or recording of content dat shall not be ordered for a period that exceeds the period that is necessary forte collection thereof an in any event not for more than a period of nine months. nara Computer Mis and Cybererimes Act, 2058 (6) The period of real-time collection or recording of content data ‘may be extended for such period as the court may consider necessary where the cour is satisfied that (@) such extension of real-time collection or recording of ‘content data is requited for the purposes of an investigation ‘or prosecution; ()_ the extent of realtime collection oF recarding of content data is proportionate and necessary for the purposes of investigation or prosecution; (©) despite prior authorisation for realtime colletion or recording of content data, further real-time collection oF recording of content data is necessury to achieve the [purpose for which the warrant isto be issued; (@)_ measures shall be taken to prepare and ersure thatthe real~ time collection or recording of content date is carried out ‘while maintaining the privacy of eer users, customers and third parties and without the disclosure f information and data of any party not pat of the investigation; (©) the investigation may be Fustated or seiously prejudiced ‘unless the real-time collection or recording of eontent data is permite; and (Othe cost of sich real-time recording an¢ collection is not fovelly burdensome upon the petson i control of the ‘computer system, (6) The court may also require the service provider t ketp confidentis! the order and exeution of ny power provided for under this section. (IVA service provider who fails to comply with an onler under this section commits an offence and is liable, on conviction— (8) where the service provider is a corporation, io a fine not ‘exceeding ten million shillings, (©) in cade of an officer of the service proviter,f9 a fine not ‘exceeding five million shillings orto imprionment for aterm not exceeding three years, o to bot. 54, (1) A person who obstructs the lawful exercise of the powers ‘under this Pat, including destruction of data, or fails te comply withthe ‘equitements ofthis Paris liable, on conviction, to a fne not exceeding, five million shillings o 9 imprisonment for term not exceeding three years oo oth, Q) A police aficer or an authorised person who misses the exercise ‘of powers under this Part commits an offence and is liable, on onvietion, (© a fine not exceeding five millon shillings or to imprisonment fora term not exceeding thee years, ort both » Noseot20n, cm _The Compute Mace and Cybersvimes Act 2018 55. Any person aggrieved by any decision or onder of the Court made under this Part, may appeal to the High Coutt or Court of Appeal 1s the ease may be within thirty days fiom the date of the decision or order 56. (1) A service provider shall not be subjet to any civil or ertninal libily, unless it js established that the service provider had actual ‘otice, actual knowledge, or wilful and malicious intent, and not merely trough omission or failure to act, had thereby facilitated, aided oF abetted the use by any person of any computer system controlled or ‘managed by a service provider in connéeton with a contravention ofthis ‘Act oF any other wt law (@) A service provider shall not be liable under this Act or any other Jaw for maintaining and making available the provison oftheir service. G) A service provider shall not be liable under this Act or any other Jaw for the disclosure of any data or other information thatthe service provider discloses only to the extent required under this Act ot in ‘compliance with the exereise of powers under this Par PART V—INTERNATIONAL COOPERATION 57. (1) This Part shall apply in addition to the Mutual Legal Assistance Act, 2011 and the Extradition (Contiguous and Foreign Countries) Act @) The Central Authority may make a request for mutual legal ‘asssianee in any criminal mater to requested State for purposes of @) undertaking investigations or proceedings concerning offences related to computer systems, electronic comminications or data, () colleting evidence of an offence in electronic form; or (©) obtaining expeditious preservation and disclosure of tafe dat real-time collection of traffic data. associated with. specifi communications or interception of content data or any other ‘means, power, funtion or provisions under this Act. G) A requesting State may make a request for mutual legal assistance to the Central Authority in any ctiminal matter, for the purposes provided in subsection (2). 0 ip. Spananesas ‘toma Spite ner Misuse and Cyberorimes Act 201 (4) Where a request has been received under subsection (3), the ‘Central Authority may, subject to the provisions ofthe Mutual Legal ‘Assistance “Act, 2011, the Extradition (Contiguous and Foreign (Countries) Aet this Act and any other relevant Lays— (a) grant the legs assistance requested; oF (8) refuse to grant the legal assistance requested (6) The Central Authority may requires requested Sate to— (@) keep the contents, any information and mateil provided in a confidential manner, () only use the contents, information and materia. provided forthe purpose of the criminal mater specifid in the request; and {@) se it subject to other specified condilions 58, (1) The Central Authority may, subject to this Act and any other relevant law, without prior request, forward to a foreign State information obtained within the ffamework of its own investigations ‘when it considers that the disclosure of such information might assist the foreign State in inating or carrying out investigations or Jproceadings concerning criminal offences or might lead to a request for co-operation by the foreign State under this Act ) Prior to providing the information under subsection (1), the Central Authority ‘may request that such infornation be kept ‘confidential or ony subject to other specified conditions. (3) Where 2 fortign State cannot eémply with the spetified conditions specified under subsection (2), the State shall notify the ‘Centzal Authority as soon as practicable. (@ Upon receipt of a notice under subsection (3), the Central Authority may determine whether to provide such information or not. (6) Where the foreign State acepts the information subject to the ‘conditions specified by the Cental Authority, that tte shall be bound by them, 59, (1) Subject to section 57, 2 requesting State wiich has the intention fo make a request for mutial legal asistance forthe search ot “1 clot ‘The Computer Manse and Cyercrines At 2018 Similar access, seizure or similar securing or the disclosure of data, mey request the Central Authority to obiain the expeditious preservation of ata stored by means ofa computer system, located within the teritory of Kenya @) When making a request under subsection (1), the requesting State hall specify— (2) the authority secking the preservation; () the offence that i the subject ofa crmtnal investigation or proceedings and a bref summary othe related facts: (© the stored computer data to be areserved and. its connection to the offence: © any available information identifying tre custodian ofthe sored computer data or the locatior of the computer system; (6) the necessity ofthe preservation; and (© the inteation to submits request for mutual assistance for te search or similar access, seizure or similar secuing or the disclosure ofthe stored computer data {G) Upon receiving the request under this section, the Cental Authority shall take the appropriate measures to preserve the specified data in accordance with the procedures and powers rovided under this ‘Act and any other relevant law. (A preservation of stored computer data effected under this section, shal be fora period of not less one hundred and twenty days, in ‘order to enable the requesting State to submit a requet forthe search oF access, seizure or securing, ofthe disclosure of the dat (3) Upon receipt for a request under this section, the data shall Continue to be preserved pending the final decision being made with regard to that request, 0, Where during the couse of executing a request under section ‘57 with respect toa specified communication, the investigating agency discovers that a service provider in another State was involved in the transmission of the communication, the Central Authority shall expeditiously disclose to the requesting State a suffcient amount of Italie dats to identify that service provider and the peth trough which the communication as transmitted 1. (1) Subject to section 57, a requesting Siete may request the 2 ‘The Computer Msase end Cyberevines Ae, 2018 soma Central Authority to search or similarly acess, seize or similarly secure, SEGRE and disclose data stored by means ofa computer sysem located within the temitory of Kenya, including data that has been preserved in > accordance with section 60. @ When making a request under subsection (1), the requesting State shall — (@ give the name of the authority conducting the investigation or proceedings to which the request relates; (© give a description of the nature ofthe rminal matter and 2 statement setting-out a summary ofthe relevant facts and lav (© give a description of the purpose ofthe request and of the ‘ature ofthe assistance being sought; (@) in the case of a request to restsin or confiscate assets believed om reasonable grounds to be located in the requested State, give details of the ofence in question, particulars of the investigation or proceeding commenced In respect of the offence, and be accompanied by a copy of any relevant restraining or confiscation order; (©) give details of any procedure that the requesting State Wishes to be followed by the requested State in giving effet tothe request, particulary inthe case of a request to take evidence; () include a statement seting out any wishes of the ‘requesting tate concerning any confieatialty relating to ‘the request and the reasons for those wishes; (@) give detils of the period within which the requesting State wishes the request fo be complied with; (0) where applicable, give details of the property, computer, computer system or electronic device to be traced, restrained, seized or confiscated, and of the grounds for believing, that the property is ‘believed to be in the requested State; (give details of the stored computer data, data or program to be seized and its elationship tothe offence; © give any available information identifsng the custodian fof the stored computer data or the location of the computer, computer system or electrons device; (@ include an agreement on the question of the payment of| the damages or costs of fulbling the request; and () give aay other information that may asst in giving efTeet forthe request. @) Upon receiving the request under this section, the Cente Authority shall take all appropriate messures 10 obtain necessary futhorisation including any warrants to execute upon the request in fecatdance with the procedures and powers provided under this Act an e sale ‘toe i te ‘tec any other relevant law. (4) Whete the Cental Authority obtains the necessary authorisation in accordance with subsection (3), ine uding any warrants to execute the request, the Central Authority may seek the support ad cooperation ofthe requesting State during such search and seizure (6) Upon conducting the search and seizure quest, the Cental Authority shall, subject to section 59, provide the results of the search and seizure as well as electronic or physieal evidence seized 0 the requesting State 62. A police officer or authorised person may, subject to any applicable provisions of his Act— (@) access publicly available stored compater data, regatdess of where the data is located geography oF (6) access or receive, through a computer system in Kenya, stored computer data locate in atte teritory, if such police officer or authorised person bans the lawful and voluntary consent of the person who has the lawful authority (© disclose the data throagh that computer system, 3. (1) Subject to Section 57, «requesting Sate may request the Cen ‘Authority to provide asistnce in realtime collection of afc data ‘sssociated with specified communication in Kenya tratmited by means of computer system, (2) When making a request under subsection (1), the requesting State ‘hall specify — (@) the authority seeking the use of powers under thie setion; ©) the offence that is the subject of a criminal investigation or proceedings anda brief summary ofthe elated facts; (©) the name ofthe authority with acess tothe televant traffic det; (the location at which the trafic data may be reds (©) the intended purpose for the requted trafic dat; (D)_sulficient information o identity the trafic data; (any farther deals elevant to te tai dat (8) the necessity for use of powers under his ection nd (the terms for the use and diselosure of the trafic data to thin! aa ‘The Computer Misuse and Cybererimes Act, 2018 eerie pats (2) Upon receiving the request under this setion, the Central Authority shall fie all appropriate measures to obisinnowessry authorisation including any warrants to execute upon the request in accordance withthe procedures and powers provided under this Act and any othe relevant aw (#) Where the Cental Authority obtains the necessary authorization including any warrants to execute upon the request, the Central Authority may seek the support and cooperation of the requesting State during the search and seizure (6) Upon conducting. the measures under this section the Cental ‘Authovty shall, subject to section 57, provide the result of such measures as well as realtime collection of taffic data associsted with specified communications tothe requesting State 64, (1) Subject to section 57, a requesting State may request the Cental Authority to provide assistance in the realtime collecton or recording of content data of specified communications in the tnitory of Kenya ‘ransmited by means of computer sytem. (2) When making a request under subsection (1), @ requesting State shal specify (2) the authority seeking the use of powers unde this section; () the offence that is the subject of « eximiral investigation or proceedings anda brief summary ofthe related facts; (©) the name of the authority with ageess to the relevant ‘communication; (@) the location at which or nature ofthe communication; (@) the intended purpose forthe required comminicstion (0 suficient information to identity the communications; (@) details of the data ofthe relevant interception; {G) the recipient of the communication; () the intended duration forthe use ofthe communication; {) the necessity for use of powers under tis seion; and AW) the terms for the se and disclosure of the communication to ‘hie pats, (2) Upon receiving the request under thie section, the Central Authority shall, take all appropriate measures to obtain necestary authoxstion including any warrans to execute ypon the equest in accordance With the procedures and powers provided under this Act and any other rlevaot law. (4) Whece the Central Authority obtins the necessary authorisation, including any warcats to execute upon the request, te Cente Authority may stek the support and cooperation ofthe requesting State dusing the search and seizure (6) Upon conducting the measures under this section the Cental ‘Authority shall subject to setion $7, provide the resus of such measures 3 well as realtime collection or recording of content date of specified ‘communications tthe requesting State, 65. (1) The Cente Authority shall ensute thet the investigation ‘agency responsible for investigating eybererime, shall designate a point of contact available on a twenty-four hour, seven-dty-a-week bas, in fgtder to ensue the provision of immediate assistance forthe purpose of investigations or proceedings concerning criminal offences releted to computer systems and dats, or for the collection of evidence in lectronic form of criminal offence, including carrying out the following measures — (@) the provision of technical advice; () the preservation of date pursuant to secions 35 and 36; (© the collection of evidence, the provision of legal information, and locating of suspects, ‘within expeditious timelines to be defined by tegilations under this Ace (2) The point of contact shall be resourced with and possess the equsite capacity to securely and efficiently eary ott communications With other points of contact in other territories, on an expedited basis. {G) The point of contact shall ave the authority end be empowered 'o coordinate and enable access to intematonal muftelassstanee under this Act, PART VI—GENERAL PROVISIONS 66. (1) Any court of competent jurisdiction shall try any offence “6 The Compute Sin, ‘under this Act where the actor omission constitu ng the offence is ‘committed in Kenya @) For the purposes of subsection (1), an act or omission committed outside Kenya which would if commited in Kenye onstitite an offence under this Act is deemed to have been committed in Kenya if (6) the person commiting the actor omission is— © citizen of Kenya; or (i) ondinaily resident in Kenya; and (0) the act or omission is committed — (© ageinst a citizen of Kenya; (i ageinst property belonging to the Goverment of Kenya outside Kenya; or ito compel the Government of Kenyé to do or refrain ‘from doing any act; ot {) the person who commits the act or omission i, after its fon, present in Kenya, 67, The court before which a person is convicted of any offence say, in addition to any other penalty imposed, otder the forfeiture of fy apparatus, deviee or thing to the Authority which is the subject matter of the offence or is used in connection with the commission of the offence. reson (68, Whenever there is conflict between this Act and any other law hte regarding eybererimes, the provisions of this Act shall supersede any such other law. coneeuet 69, The law specified in the first column of the Schedule is ‘Amendment gmnendd, in the provisions specified in the second column thereof, in The Computer Misuse and Cybererines At, 2018 opstta the manner respectively specified inthe thir column, PART VII—-PROVISIONS ON DELEGATED POWERS wns, 70. (1) The Cabinet Secretary may make regulations generally for ‘he beter canying into effect of aay provisions under this Act. @ Without prejudice to the foregoing, regulations made under this section may provide for () designation of computer systems, networks, programs, data ss national critical information infestucture, (©) protection, preservation and -manegement of critical Information infrastueture; (©) access to, transfer and control of Jala in any critical information infrastructure, (@ storage and archiving. of ertical data or information; (©) audit and inspection of national critical information inrasteeture (D secovery plans in the event of disaster, breach or loss of national critical information infrastructure or any part oft; (@) standard operating procedures for tye conduct, search, seizure and collection of electronic evigenee, and (by mutual legal assistance (6) For the purposes of Article 94 (6) ofthe Constitution — @ the purpose and objective of delegation under this section is to enable the Cabinet Secretary to make regulations to Provide for the better carrying into effet of the provisions ‘of this Act and to enable the Auchory to discharge its functions more effectively: ©) the authority of the Cabinet Secretary to make regulations under this Act wall be limited to bringing into effect the provisions ofthis Act and to fll the objectives specified Inder this section; (© the principles and standards applicable to the regulations ‘made under this section are those set out. inthe Inteqpretation and General Provisions Act andthe Statutory ow, Instruments Act, 2013, ra2sa0n SCHEDULE (45) Wren Taw Provision [Amendment Kenya Information and | 83U Repeal Communication ‘Act,1998 — BV Repeat aw Repeat - ~ Bx Repeal ~ wz Repel i. wR Repel eB Repeal eF Repeat Sexual Offenses Act, [16 Delete and replace Wilk the following 2011 section— Child pornography ~ ] 16. (1) A person, including a juristic person, who knowingly — (@) possess an indecent photograph of a = etl: ” ©) displays, shows, exposes or ‘obscene images, words or sounds by means of print, audio-visual or any other media to a child with intention ‘of encouraging cx enabling a ehild to engage in asexual act: (6) sells, lets to hit, distributes, publicly exhibits or in any manner puts into circulation, or for purposes of sale, Die, distribution, public exhibition of circulation, makes, produces or has in his or her possession an indevent photograph ofa cil; (@) imports, exports or conveys any obscene object for any of the purposes specified in subsection (1), ‘or knowingly or having reason 10 believe that such object will be sold, Jet to hire, distibuted or publicly exhibited of in any manner put into circulations (©) lakes part in or receives profits from any business in the course of which hhe or she knows or hss reason to believe that obseene objects ate, for any of the purposes specifically in this section, » made, produced, purchased, kept, imported, exported, conveyed, publicy exhibited or in ‘any manner put in‘ circulation; (9 advertises or mates known by any ‘means whatsoever that any person is engaged or is reacy'to engage in any fact which is an offence under this section, or that any such obscene object can be produced ffom or trough any persor; or (@) offers or attempis 1 do any act which is an offence under this section, ‘commits an offence and is liable upon ‘conviction to imprisonment for a term of hot less than six years of toa fine of not less than five hundred thossand shillings or to bot and upon subsequent conviction, to imprisonment to a term of not less than seven years without the option ofa fine, __ The Computer Mase and Cyberrine At 2018 | cenfy that this printed impression is a true copy ofthe Bill passed by the [National Assembly on the 26" April 2018. . (Clerk ofthe National ssembly Presented for assent in accordance with the provisions of the Constitition of Kenya on the atthe hour of 2 The Computer Misuse and oo (@) This weton shall not apply to— () Publication or postession of an indecent photograph where it is proved that such publication of possession was intended for bona fide scientific research, medical, religious for law enforcement purpose; the indecent representation ofa child in a seulpture, engraving, painting or other medium "on or ia any’ ancient ‘monument recognised by las and (©) activities between two persons above eighteen years of age by mutual consent. (6) For te purposes of subseetion (1),— (@) an image is obscene if— @ itis lascivious or appeals to prurient interest; or Gi) its effect, “or whete it comprises two or more distinet items, the effect of ‘any one of is items, if taken as a whol, tends 10. deprave and corrupt persons who re likely, having regard tall relevant circumstances, to read, see or hear the matter contained or embodied init. () an indecent photograph includes a visual, audio or audio visual representation depicting — (a child-engaged in. sexually explicit onder, (ii) a person who appears to be & child engaged in sexually explicit conduct; or realistic images reprsenting a. child engaged in sexu activity. (©) inserting the following new section immediately after section 16—