IT LAWS
IT poses new and complex ethical, legal and other issues in society which result in legislative responses
due to both the good and the bad uses of ICT.
New and constantly evolving area of law.
Covers a wide range of legal issues including, but not limited to, cybercrime, data protection, privacy,
and e-commerce.
A growing number of internet users and increasing reliance on technology.
For businesses, to operate in compliance with the law and avoid legal liability.
For individuals, to understand their rights and responsibilities online.
IT law provides the legal framework for collecting, storing, and disseminating electronic information in
the global marketplace.
IT law, also referred to as cyber law or internet law, is a term used to refer to the legal aspects of computer
technology and the internet. It covers various topics, including intellectual property, data protection,
cybercrime, e-commerce etc. It also encompasses various subtopics, as well as freedom of expression and
online privacy.
Cyber law offers legal protections for people who are using the Internet as well as running an online
business.
Cyber laws help to reduce or prevent cybercriminal activities by protecting information from access by
unauthorized people, and by protecting freedom of speech related to the use of the Internet, privacy,
communications, email, websites, intellectual property, and hardware and software, such as data storage
devices.
Types of Cyber Law
There are several types of cyber laws, each addressing specific aspects of digital activities and cyber
security. Here are some common categories of cyber laws:
Privacy Laws:
Privacy laws govern the collection, use, and protection of individuals’ personal information online.
Examples include the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act
(CCPA).
Cybercrime Laws:
Cybercrime laws focus on criminal activities conducted online, including hacking, identity theft,
online fraud, and cyberbullying. These laws define offenses, penalties, and procedures for
investigation and prosecution.
Data Breach Laws:
Data breach laws mandate that organizations inform affected individuals and authorities when a data
breach occurs. These laws aim to ensure transparency and help individuals take necessary actions to
protect themselves.
Intellectual Property Laws:
Intellectual property laws protect digital content, patents, trademarks, and copyrights in the digital
realm. They address issues like copyright infringement and online piracy.
Cyber security Laws:
Cyber security laws require organizations to implement measures to protect their digital infrastructure
and sensitive data. These laws often set standards and requirements for data security practices.
E-Commerce and Online Contracts:
Laws related to e-commerce and online contracts establish legal frameworks for online transactions,
electronic signatures, and consumer rights. They provide a basis for resolving disputes in the digital
marketplace.
Social Media and Online Content Regulations:
Regulations governing social media and online content address issues such as hate speech,
defamation, and harmful content. They set guidelines for the removal or restriction of such content.
Computer Crime Laws:
Computer crime laws specifically target offenses involving computer systems and networks. They
encompass unauthorized access, malware distribution, and cyber-attacks on critical infrastructure.
Cryptocurrency and Blockchain Regulations:
As digital currencies and blockchain technology gain prominence, regulations address issues like
cryptocurrency trading, initial coin offerings (ICOs), and blockchain-based contracts.
International Cybersecurity Agreements:
Some laws and agreements focus on international cooperation in combating cybercrimes and
promoting cybersecurity best practices.
The need for cyber laws
Protection of Personal Information
With the proliferation of digital platforms, the threat to privacy has become more pronounced. Cyber laws
enforce strict regulations on organizations and individuals handling personal data, ensuring its
confidentiality, integrity, and availability. Compliance with these laws becomes paramount, as they
safeguard against unauthorised access, use, or disclosure of personal information. Individuals can
confidently engage in digital transactions, knowing that legal provisions protect their sensitive data.
Prevention of Cybercrimes
Cyber laws play a crucial role in preventing and combating cybercrimes. They establish provisions and
penalties for various forms of digital offences, including hacking, identity theft, online fraud,
cyberbullying, and harassment. By criminalising such activities, cyber laws act as a deterrent, dissuading
potential offenders from engaging in unlawful behaviour.
Facilitation of E-commerce
Cyber laws provide a supportive environment for e-commerce transactions. They establish legal
frameworks for electronic contracts, digital signatures, and electronic payment systems. These laws help
build trust among buyers and sellers, as they ensure the enforceability of electronic transactions and the
validity of digital signatures.
Safeguarding Intellectual Property
Intellectual property protection is a critical aspect of cyber laws. These laws address copyright
infringement, software piracy, and digital content protection issues. By safeguarding intellectual property
rights, cyber laws incentivise creativity, innovation, and technological advancements. Cyber laws promote a
conducive environment for artists, authors, inventors, and
Enablement of International Cooperation
Cybercrimes often transcend national boundaries, necessitating international cooperation to address them
effectively. Cyber laws enable collaboration with other countries through bilateral and multilateral
agreements. These agreements facilitate the exchange of information, mutual legal assistance, and
extradition of cyber criminals.
Redressal Mechanisms
Cyber laws provide individuals with accessible and effective redressal mechanisms in case of cyber
offences. These mechanisms ensure timely resolution and justice for victims of cybercrimes, offering a
sense of security and trust in the legal system.
Awareness and Education
Cyber laws emphasize the significance of awareness and education regarding cybersecurity and digital
rights. These laws promote initiatives to educate individuals, businesses, and government agencies about
best practices, safe online behaviour, and legal obligations.
Categories of Cyber Crime
Generally, there are three major categories of cybercrimes that you need to know about. These categories
include:
Crimes against People. While these crimes occur online, they affect the lives of actual people. Some
of these crimes include cyber harassment and stalking, distribution of child pornography, various
types of spoofing, credit card fraud, human trafficking, identity theft, and online-related libel or
slander.
Crimes against Property. Some online crimes happen against property, such as a computer or
server. These crimes include DDoS attacks, hacking, virus transmission, cybersquatting and typosquatting,
computer vandalism, copyright infringement, and IPR violations.
Crimes against Government. When a cybercrime is committed against the government, it is
considered an attack on that nation's sovereignty and an act of war. Cybercrimes against the
government include hacking, accessing confidential information, cyber warfare, cyber terrorism, and
pirated software.
INTERNATIONAL LAWS ON IT
Convention of the International Telecommunication Union - ITU
Virtually every facet of modern life, in business, culture or entertainment, at work and at home, depends
on information and communication technologies. Today, there are billions of mobile phone subscribers,
close to five billion people with access to television, and tens of millions of new Internet users every year.
Hundreds of millions of people around the world use satellite services – whether getting directions from a
satellite navigation system, checking the weather forecast or watching television from isolated areas.
Millions more use video compression every day in mobile phones, music players and cameras.
ITU is at the very heart of the ICT sector, brokering agreement on technologies, services, and
allocation of global resources like radio-frequency spectrum and satellite orbital positions, to create a
seamless global communications system that’s robust, reliable, and constantly evolving. The global
international telecommunications network is the largest and most sophisticated engineering feat ever
created. You use it every time you log on to the web, send an e-mail or SMS, listen to the radio, watch
television, order something online, travel by plane or ship – and of course every time you use a mobile
phone, smartphone or tablet computer.
The International Telecommunication Union (ITU) is a specialized agency of the United Nations
responsible for many matters related to information and communication technologies. It was established
on 17 May 1865 as the International Telegraph Union, making it the oldest UN agency.
The name of the ITU was changed from the International Telegraph Union to the International
Telecommunication Union (ITU).
The ITU was initially aimed at helping connect telegraphic networks between countries, with its mandate
consistently broadening with the advent of new communications technologies; it adopted its current name
in 1932 to reflect its expanded responsibilities over radio and the telephone. On 15 November 1947, the
ITU entered into an agreement with the newly created United Nations to become a specialized agency
within the UN system, which formally entered into force on 1 January 1949.
Based in Geneva, Switzerland, the ITU's global membership includes 193 countries and around 900
businesses, academic institutions, and international and regional organizations.
At ITU, members from the public and private sectors are working together to help shape the future ICT
policy and regulatory environment, global standards, and best practices to help spread access to ICT
services. Public-private collaboration has always been at the centre of ITU's work. Now more than ever,
businesses realize that the path to sustainable growth can be found by working closely with
governments, academia, as well as other stakeholders, in a common effort to put in place the right rules
to drive investment, innovation and widely shared opportunities.
Data protection
Local data protection laws and scope
Data protection in Kenya is regulated by the Data Protection Act No. 24 of 2019 (the "DPA"). The DPA
came into effect on 25 November 2019.
Subsequently, the following regulations came into effect on 31 December 2021:
1. The Data Protection (General) Regulations, 2021;
2. The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021;
and
3. The Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, (the
"Regulations").
Data protection authority: vested in the Office of the Data Commissioner.
Administrative sanctions:
The Data Commissioner is given power to impose administrative fines for failure to comply with the
DPA. The Data Commissioner may impose a fine of up to KES. 5 million or, in the case of an undertaking, up to 1% of
its annual turnover of the preceding financial year, whichever is lower. The fine is payable to the
Office of the Data Commissioner.
Failure to comply with an order of the Office of the Data Commissioner is considered an offence
under the DPA.
Section 65 of the DPA accords all data subjects the right to compensation from data processors or
controllers for damage caused to them.
Criminal sanctions:
There are certain specific offences under the DPA, including:
Unlawful disclosure of personal data in a manner incompatible with the purpose for which the
data was collected;
Unlawful disclosure of personal data that the data processor processed without the prior
authorisation of the data controller;
Obtaining access to personal data without the prior authorisation of the data controller or
processor holding the data;
Disclosure of personal data to a third party without prior authorisation by the data controller or
processor holding the data;
Sale of personal data obtained unlawfully. Advertising the sale of such data constitutes an offer to
sell under this offence;
Failure to register with the Office of the Data Commissioner as a data processor or controller;
Provision of false or misleading information during the application process for registration as a
data processor or controller; and
Obstruction of the Office of the Data Commissioner during an investigation.
On conviction, an offence under the DPA carries a general penalty of a fine not exceeding KES. 3 million
or an imprisonment term not exceeding ten years, or both.
Registration / notification / authorisation
The DPA requires all data processors or controllers to register with the Office of the Data
Commissioner. However, data processors and data controllers that have an annual turnover of below KES. 5
million or annual revenue of below KES. 5 million and that have fewer than 10 employees are exempt from the
mandatory requirement for registration. This exemption does not apply to data controllers or data
processors who process personal data for the following purposes:
Canvassing political support among the electorate
Crime prevention and prosecution of offenders
Gambling
Operating an educational institution
Health administration and provision of patient care
Hospitality industry firms (excluding tour guides)
Property management, including the sale of land
Provision of financial services
Telecommunications networks or service providers
Businesses that are wholly or mainly in direct marketing
Transport service firms (including online passenger hailing applications)
Businesses that process genetic data
Main obligations and processing requirements
Data Processing Principles:
All data processors/controllers are required to follow the data protection principles, which are:
Data processing in accordance with the right to privacy of the data subject;
Fair and transparent processing of a data subject's personal data;
Collection of personal data for specified and legitimate purposes and not further processing
beyond those purposes;
Purpose limitation for data collected;
Collection of personal data relating to family or private affairs only where a valid explanation is
provided;
Accuracy of collected personal data and every reasonable step being taken to ensure that any
inaccurate personal data is erased or rectified without delay;
Personal data is to be kept in a form which identifies the data subjects for no longer than is
necessary for the purposes which it was collected; and
Personal data shall not be transferred outside Kenya unless there is proof of adequate data
protection safeguards or consent from the data subject.
Duty to Notify:
Before collecting any personal data, data processors/controllers are required to notify a data subject of:
Their rights as data subjects under the DPA;
The fact that their data is being collected and the purpose for the collection;
Any third parties that have or will have access to their data, including details of safeguards
adopted;
The contacts of the data controller/processor and any other entity receiving the collected personal
data;
The technical and organizational security measures taken to ensure the integrity and
confidentiality of the data;
Whether the data is being collected pursuant to any law and whether such collection is voluntary
or mandatory; and
The consequences, if any, if they fail to provide all or any part of the requested data.
Lawful Processing:
Personal data may only be processed on the lawful basis provided under Section 30 of the DPA as:
1. Consent: the individual has given clear consent for a data processor or controller to process their
personal data for a specific purpose;
2. Contract: the processing is necessary for a contract's performance between a data processor or
controller and the data subject or because the data subject has asked the data processor or
controller to take specific steps before entering into a contract;
3. Legal obligation: the processing is necessary for a data processor or controller to comply with the
law (not including contractual obligations);
4. Vital interests: the processing is necessary to protect the vital interests of the data subject or
another natural person;
5. Public task: the processing is necessary for a data processor or controller to perform a task in the
public interest or the exercise of official authority vested in the controller;
6. Legitimate interests: the processing is necessary for a data processor or controller's legitimate
interests or the legitimate interests of a third party unless there is a good reason to protect the data
subject's data which overrides those legitimate interests; and
7. Historical, Statistical, Journalistic, Literature and Art or Scientific research: if the data is required
in such pursuits.
Data Retention Obligations
Data processors and data controllers are required to retain personal data for a lawful purpose and only for
as long as may reasonably be necessary for the purpose.
Under the Regulations, the data controllers and processors are required to establish a data retention
schedule with appropriate time limits for review of the need for continued storage. Periodic audits of the
data retained are also required.
Upon lapse of the purpose for which the personal data was collected, data controllers and data processors
are required to erase, delete, anonymise or pseudonymise the personal data retained.
Data Sharing Obligations
A data controller or data processor may share or exchange personal data collected if requested in writing
by another data controller, data processor, third party or a data subject.
The written request for data sharing must specify the purpose for which the personal data is required, the
duration it will be retained, and proof of safeguards in place to secure the personal data.
Under the Regulations, upon such a request, the providing data controller or data processor is required to
enter into a data-sharing agreement with the requesting party.
Data Protection Policy
Data processors and data controllers in Kenya are required to develop, publish and regularly update a
policy reflecting their personal data handling practices.
Elements in Implementing Data Protection by Design or Default
Data controllers and data processors are required under the Regulations to establish data protection
mechanisms aligned with the DPA and the Regulations and design technical and organisational measures
to safeguard and implement the data protection principles. These principles are spelt out in the
Regulations, where the elements of the principles and the obligations of data controllers and data
processors are listed as follows:
Lawfulness: Appropriate legal basis or legitimate interests clearly connected to the specific purpose of
the processing;
Transparency: The use of clear, simple and plain language to communicate with a data subject for them
to make decisions on the processing of their personal data;
Purpose Limitation: Specifying the purpose for each processing;
Integrity, Confidentiality and Availability: Having an operative means of managing policies and
procedures for information security;
Data Minimisation: Avoiding the processing of personal data altogether when data processing is not
necessary for the relevant purpose;
Accuracy: Having clear internal procedures for deletion; determining what data, and what length of storage of
personal data, is necessary for the purpose;
Fairness: Granting the data subjects the highest degree of autonomy with respect to control over their
personal data;
Data subject rights
1. Right to be informed of the use to which their personal data is to be put;
2. Right to access their personal data in the custody of the data controller or processor;
3. Right to object to the processing of all or part of their personal data;
4. Right to correction of false or misleading data;
5. Right to deletion of false or misleading data about them;
6. Right to withdraw the consent given to the data processor or controller at any time;
7. Right not to be subject to a decision based solely on automated processing, including profiling,
which produces legal effects concerning or significantly affects the data subject;
8. Right to object to the processing of their personal data, unless the data controller or data
processor demonstrates compelling legitimate interest for the processing which overrides the data
subject's interests, or for the establishment, exercise or defence of a legal claim; and
9. Right to receive personal data concerning them in a structured, commonly used and machine-
readable format and the right to transmit such data from one data controller to another.
Processing by third parties
The DPA does not prohibit the processing of personal data by third parties but requires that the data
subject be informed of any third parties that may have access to their personal data and the safeguards
adopted to ensure their data security.
The data processor or controller must also provide the third party's contact details to the data subject. This
information should be provided before the data is collected.
Transfers out of country
Before a data controller or processor transfers data outside Kenya, they need to ascertain that the transfer
is being done on one of the following bases:
1. Appropriate data protection safeguards
2. An adequacy decision made by the Data Commissioner
3. Transfer as a necessity
4. Consent of the data subject
ISSUES IN INFORMATION TECHNOLOGY
INTELLECTUAL PROPERTY
Intellectual property represents a set of intangible assets owned and legally protected by a company or
individual from outside use or implementation without consent. An intangible asset is a non-physical
asset that a company or person owns. Intellectual property can take many forms and includes things like
artwork, symbols, logos, brand names, and designs, among others. The concept of intellectual property
relates to the fact that certain products of human intellect should be afforded the same protective rights
that apply to physical property, which are called tangible assets.
Intellectual property is an umbrella term for a set of intangible assets or assets that are not
physical in nature.
Intellectual property is owned and legally protected by a person or company from outside use or
implementation without consent.
It can consist of many types of assets, including trademarks, patents, and copyrights.
Intellectual property infringement occurs when a third party engages in the unauthorized use of
the asset.
Legal protections for most intellectual property expire after some time but last forever for others.
Extracting value from intellectual property and preventing others from deriving value from it is an
important responsibility of any company. Although it's an intangible asset, intellectual property can be far
more valuable than a company's physical assets. It can represent a competitive advantage and, as a result,
is fiercely guarded and protected by the companies that own the property.
Intellectual Property rights (IP Rights) are the rights given to persons over the creations of their minds.
They are a form of property that enables the owner to exercise a monopoly on the subject of the
Intellectual Property rights, and they comprise a set of exclusive rights to exclude others from making,
copying or using certain intangible creations for a certain period of time.
They are not only aimed at protecting the innovative and creative capacity of owners of Intellectual
Property and promoting competition in various industries, but also have to do with the welfare of the
consumers of the goods and services to which they apply.
Protection of Intellectual Property is enshrined in Article 40(5) of the Constitution of Kenya 2010, which
places the mandate on the government to protect and enforce Kenyans' Intellectual Property Rights.
As Kenya has been a member state of WIPO since 1971, it has in place four intellectual property
protection bodies, namely:
1. The Kenya Industrial Property Institute (KIPI)
2. The Kenya Copyright Board (KECOBO)
3. Kenya Plant Health Inspectorate Services (KEPHIS)
4. The Anti-Counterfeit Agency (ACA)
PATENTS
A patent grants the owner an exclusive monopoly on the ideas behind an invention for 20 years. The
intent behind patent law was to ensure that inventors of new machines, devices, or methods receive the
full financial and other rewards of their labor and yet still make widespread use of the invention possible
by providing detailed diagrams for those wishing to use the idea under license from the patent’s owner.
The granting of a patent is determined by the relevant legal office. The key concepts in patent law are
originality, novelty, and invention. The strength of patent protection is that it grants a monopoly on the
underlying concepts and ideas of software.
To receive a patent your idea must meet four requirements:
The subject matter must be “patentable”
Your idea must be “new.”
The idea must be “useful.”
Your idea must be “non-obvious.”
There are three types of patents you can file for:
Utility patent – Utility patents may be granted to anyone who invents or discovers any new and
useful process, machine, article of manufacture, composition of matter, or any new and useful
improvement thereof (good for 20 years).
Design patent – Design patents may be granted to anyone who invents a new, original, and
ornamental design (good for 14 years).
Plant patent – Plant patents may be granted to anyone who invents or discovers and asexually
reproduces any distinct and new variety of plant (good for 20 years).
Patents can be expensive to obtain and maintain, as there are yearly or regular fees required to maintain them.
And, like trademarks, patents are only good in the country where the patent was granted. So, in-house
counsel must consider which countries and markets require patent protection.
TRADEMARKS
A trademark is a sign capable of distinguishing the goods or services of one enterprise from those of other
enterprises. Trademarks date back to ancient times when artisans used to put their signature or "mark" on
their products. A trademark can be any word, phrase, symbol, design, or combination of these things that
identifies your goods or services — it’s how customers recognize your company in the marketplace.
A trademark has many benefits, including:
Identifying the source of your goods or services
Providing legal protection for your brand
Guarding against counterfeiting and fraud
A trademark does not mean you own a particular word or phrase. Rather, you own the rights to how that
word or phrase is used with respect to specific goods or services. Key to obtaining trademark protection is
the need to identify the specific categories of goods and services the mark will cover. And, the company
must actually use or provide such goods and services in the chosen categories — or have a good faith and
demonstrative intent to do so.
In-house counsel also need to avoid seeking trademarks that are merely descriptive of the goods or
services. Unique words or phrases are far easier to protect and more likely to qualify for trademark
protection. For example, “Nike” is a stronger, more unique mark than “Quality Tennis Shoes Company.”
You own a trademark as soon as you start using it along with your goods or services. This is known as
common law trademarks and it applies only to the geographic area where the company provides its goods
or services.
Every time you use your trademark, you can use a symbol with it: “™” for goods, “℠” for services, or
“®” for registered trademark. The symbol lets consumers and competitors know you are claiming the
mark as yours. You can use “™” for goods or “℠” for services even if you haven’t sought to register
your trademark.
Critically, in-house counsel must take steps to protect trademarks by actively going after infringers —
other companies using the mark or a similar mark — and ensuring that the mark does not become generic
in the minds of the public. Failing to do so can cause the company to lose the mark.
COPYRIGHTS
Copyright is a statutory grant that protects creators of intellectual property from having their work copied
by others for any purpose during the life of the author plus an additional 70 years after the author’s death.
For corporate-owned works, copyright protection lasts for 95 years after their initial creation. Congress
has extended copyright protection to books, periodicals, lectures, dramas, musical compositions, maps,
drawings, artwork of any kind, and motion pictures. The intent behind copyright laws has been to
encourage creativity and authorship by ensuring that creative people receive the financial and other
benefits of their work.
Copyright is a legal term used to describe the rights that creators have over their literary and artistic
works. Works covered by copyright range from books, music, paintings, photographs, sound recordings,
blog posts, architectural works, plays, sculpture and films, to computer programs, databases,
advertisements, maps and technical drawings.
There are some things that are not “creative,” like titles, names, short phrases, and slogans; familiar
symbols or designs; lettering or coloring; and mere listings of ingredients or contents. Copyrights protect
expression and never ideas, procedures, methods, systems, processes, concepts, principles, or
discoveries.
Companies can be copyright owners, as the law allows ownership through “works made for hire”:
works, created by an employee within the scope of employment or by certain independent contractors, that are owned
by the employer. Copyright law provides copyright owners with the following exclusive rights (among
others):
Reproduce the work
Prepare derivative works
Distribute copies by sale, transfer of ownership, or license
Perform or display the work publicly
Copyright registration is not mandatory but allows copyright owners to seek certain types of monetary
damages and attorney fees. Notable exceptions to the exclusive rights are “copyright fair use” or the use
of copyrighted works that have fallen into the “public domain.” As to the latter, in-house counsel must
ensure any company copyrights are kept current until they otherwise expire.
TRADE SECRETS
While businesses have a lot of confidential information, not everything is a trade secret. A trade secret is
typically something not generally known to the public, where reasonable efforts are made to keep it
confidential, and confers some type of economic value to the holder by the information not being known
by another party.
What exactly constitutes a trade secret can vary. A trade secret is any information you would not want
your competitors to have. Some examples of likely trade secrets include new business models; customer
and supplier information, especially around price; marketing strategy; processes and formulae; and other
confidential business information.
Any intellectual work product (a formula, device, pattern, or compilation of data) used for a business
purpose can be classified as a trade secret, provided it is not based on information in the public domain.
Protections for trade secrets vary from state to state. In general, trade secret laws grant a monopoly on the
ideas behind a work product, but it can be a very tenuous monopoly. Software that contains novel or
unique elements, procedures, or compilations can be included as a trade secret. Trade secret law protects
the actual ideas in a work product, not only their manifestation. To make this claim, the creator or owner
must take care to bind employees and customers with nondisclosure agreements and to prevent the secret
from falling into the public domain.
The limitation of trade secret protection is that although virtually all software programs of any complexity
contain unique elements of some sort, it is difficult to prevent the ideas in the work from falling into the
public domain when the software is widely distributed.