
LEGAL ISSUES IN IT AND BUSINESS

IT LAWS
IT poses new and complex ethical, legal and other issues in society which result in legislative responses
due to both the good and the bad uses of ICT.
• A new and constantly evolving area of law.
• Covers a wide range of legal issues including, but not limited to, cybercrime, data protection, privacy, and e-commerce.
• Growing numbers of internet users and increasing reliance on technology.
• For businesses, to operate in compliance with the law and avoid legal liability.
• For individuals, to understand their rights and responsibilities online.
IT law provides the legal framework for collecting, storing, and disseminating electronic information in
the global marketplace.
IT law, also referred to as cyber law or internet law, is a term used to refer to the legal aspects of computer
technology and the internet. It covers various topics, including intellectual property, data protection,
cybercrime and e-commerce. It also encompasses subtopics such as freedom of expression and
online privacy.
Cyber law offers legal protections for people who are using the Internet as well as running an online
business.
Cyber laws help to reduce or prevent cybercriminal activity by protecting information from access by
unauthorized people. They also cover freedom of speech related to the use of the Internet, privacy,
communications, email, websites, intellectual property, and hardware and software such as data storage
devices.
Types of Cyber Law
There are several types of cyber laws, each addressing specific aspects of digital activities and cyber
security. Here are some common categories of cyber laws:
Privacy Laws:
• Privacy laws govern the collection, use, and protection of individuals’ personal information online. Examples include the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Cybercrime Laws:
• Cybercrime laws focus on criminal activities conducted online, including hacking, identity theft, online fraud, and cyberbullying. These laws define offenses, penalties, and procedures for investigation and prosecution.
Data Breach Laws:
• Data breach laws mandate that organizations inform affected individuals and authorities when a data breach occurs. These laws aim to ensure transparency and help individuals take necessary actions to protect themselves.
Intellectual Property Laws:
• Intellectual property laws protect digital content, patents, trademarks, and copyrights in the digital realm. They address issues like copyright infringement and online piracy.
Cybersecurity Laws:
• Cybersecurity laws require organizations to implement measures to protect their digital infrastructure and sensitive data. These laws often set standards and requirements for data security practices.
E-Commerce and Online Contracts:
• Laws related to e-commerce and online contracts establish legal frameworks for online transactions, electronic signatures, and consumer rights. They provide a basis for resolving disputes in the digital marketplace.
Social Media and Online Content Regulations:
• Regulations governing social media and online content address issues such as hate speech, defamation, and harmful content. They set guidelines for the removal or restriction of such content.
Computer Crime Laws:
• Computer crime laws specifically target offenses involving computer systems and networks. They encompass unauthorized access, malware distribution, and cyber-attacks on critical infrastructure.
Cryptocurrency and Blockchain Regulations:
• As digital currencies and blockchain technology gain prominence, regulations address issues like cryptocurrency trading, initial coin offerings (ICOs), and blockchain-based contracts.
International Cybersecurity Agreements:
• Some laws and agreements focus on international cooperation in combating cybercrimes and promoting cybersecurity best practices.
The need for cyber laws
Protection of Personal Information
With the proliferation of digital platforms, the threat to privacy has become more pronounced. Cyber laws
enforce strict regulations on organizations and individuals handling personal data, ensuring its
confidentiality, integrity, and availability. Compliance with these laws becomes paramount, as they
safeguard against unauthorised access, use, or disclosure of personal information. Individuals can
confidently engage in digital transactions, knowing that legal provisions protect their sensitive data.
Prevention of Cybercrimes
Cyber laws play a crucial role in preventing and combating cybercrimes. They establish provisions and
penalties for various forms of digital offences, including hacking, identity theft, online fraud,
cyberbullying, and harassment. By criminalising such activities, cyber laws act as a deterrent, dissuading
potential offenders from engaging in unlawful behaviour.
Facilitation of E-commerce
Cyber laws provide a supportive environment for e-commerce transactions. They establish legal
frameworks for electronic contracts, digital signatures, and electronic payment systems. These laws help
build trust among buyers and sellers, as they ensure the enforceability of electronic transactions and the
validity of digital signatures.
Safeguarding Intellectual Property
Intellectual property protection is a critical aspect of cyber laws. These laws address copyright
infringement, software piracy, and digital content protection issues. By safeguarding intellectual property
rights, cyber laws incentivise creativity, innovation, and technological advancements. Cyber laws promote a
conducive environment for artists, authors, inventors, and
Enablement of International Cooperation
Cybercrimes often transcend national boundaries, necessitating international cooperation to address them
effectively. Cyber laws enable collaboration with other countries through bilateral and multilateral
agreements. These agreements facilitate the exchange of information, mutual legal assistance, and
extradition of cyber criminals.
Redressal Mechanisms
Cyber laws provide individuals with accessible and effective redressal mechanisms in case of cyber
offences. These mechanisms ensure timely resolution and justice for victims of cybercrimes, offering a
sense of security and trust in the legal system.
Awareness and Education
Cyber laws emphasize the significance of awareness and education regarding cybersecurity and digital
rights. These laws promote initiatives to educate individuals, businesses, and government agencies about
best practices, safe online behaviour, and legal obligations.
Categories of Cyber Crime
Generally, there are three major categories of cybercrimes that you need to know about. These categories
include:
• Crimes against People. While these crimes occur online, they affect the lives of actual people. Some of these crimes include cyber harassment and stalking, distribution of child pornography, various types of spoofing, credit card fraud, human trafficking, identity theft, and online-related libel or slander.
• Crimes against Property. Some online crimes happen against property, such as a computer or server. These crimes include DDoS attacks, hacking, virus transmission, cybersquatting and typosquatting, computer vandalism, copyright infringement, and IPR violations.
• Crimes against Government. When a cybercrime is committed against the government, it is considered an attack on that nation's sovereignty and an act of war. Cybercrimes against the government include hacking, accessing confidential information, cyber warfare, cyber terrorism, and pirated software.

Types of cyber crimes

• Theft
• Masquerading or identity theft
• Vandalism and sabotage
• Espionage or tapping or spying
• Copyright infringements
• Violating intellectual property rights
• Trade secrets violation
• Tampering with Computer Source Documents
• Hacking Computer Systems and Data Alteration
• Publishing Obscene Information
• Unauthorized Access of Protected Systems
• Breach of Confidentiality and Privacy
• Publishing False Digital Signature Certificates
• Sending Threatening Messages or Defamatory Messages
• Breaching contract and employment laws
• Forgery of Electronic Records
• Bogus Websites & Cyber Fraud
• Email Spoofing and Abuse
• Denial of service attack
• Cyber terrorism
• Child pornography
• Social engineering
• Phishing

Advantages of Cyber Law


1. Protecting personal information – Cyber law helps to ensure that our sensitive personal
information, such as our financial and medical records, is kept secure online.
2. Combatting cybercrime – Cyber law helps to deter and punish those who engage in illegal
activities on the internet, such as hacking and identity theft.
3. Promoting fair competition – Cyber law helps to level the playing field for businesses by
prohibiting unfair practices such as cyber espionage and false advertising.
4. Facilitating e-commerce – Cyber law helps to establish rules and regulations for buying and
selling goods and services online, making it easier and safer for consumers to make transactions.
5. Protecting intellectual property – Cyber law helps to safeguard creative works such as music,
literature, and software from being pirated or used without permission.
Disadvantages of Cyber Law
1. Complexity and confusion – Cyber law can be difficult to understand and apply, leading to
confusion for individuals and businesses trying to comply with it.
2. Limited jurisdiction – Cyber law can only be enforced within the borders of a particular
country, making it challenging to address cross-border cyber issues.
3. Encroachment on civil liberties – Some argue that cyber law may infringe upon civil liberties,
such as freedom of speech and privacy, in the name of protecting national security or public
order.
4. Slowing down innovation – Cyber law may impose burdensome regulations on new
technologies and innovations, stifling their development and adoption.
5. Lack of universal standards – There is currently a lack of universally agreed upon cyber laws,
leading to discrepancies and conflicts between different countries’ legal systems.

INTERNATIONAL LAWS ON IT
Convention of the International Telecommunication Union - ITU
Virtually every facet of modern life – in business, culture or entertainment, at work and at home – depends
on information and communication technologies. Today, there are billions of mobile phone subscribers,
close to five billion people with access to television, and tens of millions of new Internet users every year.
Hundreds of millions of people around the world use satellite services – whether getting directions from a
satellite navigation system, checking the weather forecast or watching television from isolated areas.
Millions more use video compression every day in mobile phones, music players and cameras.

ITU is at the very heart of the ICT sector, brokering agreement on technologies, services, and
allocation of global resources like radio-frequency spectrum and satellite orbital positions, to create a
seamless global communications system that’s robust, reliable, and constantly evolving. The global
international telecommunications network is the largest and most sophisticated engineering feat ever
created. You use it every time you log on to the web, send an e-mail or SMS, listen to the radio, watch
television, order something online, travel by plane or ship – and of course every time you use a mobile
phone, smartphone or tablet computer.

The International Telecommunication Union (ITU) is a specialized agency of the United Nations
responsible for many matters related to information and communication technologies. It was established
on 17 May 1865 as the International Telegraph Union, making it the oldest UN agency.
The name of the ITU was changed from the International Telegraph Union to the International
Telecommunication Union (ITU).
The ITU was initially aimed at helping connect telegraphic networks between countries, with its mandate
consistently broadening with the advent of new communications technologies; it adopted its current name
in 1932 to reflect its expanded responsibilities over radio and the telephone. On 15 November 1947, the
ITU entered into an agreement with the newly created United Nations to become a specialized agency
within the UN system, which formally entered into force on 1 January 1949.
Based in Geneva, Switzerland, the ITU's global membership includes 193 countries and around 900
businesses, academic institutions, and international and regional organizations.
At ITU, members from the public and private sectors are working together to help shape the future ICT
policy and regulatory environment, global standards, and best practices to help spread access to ICT
services. Public-private collaboration has always been at the centre of ITU's work. Now more than ever,
businesses realize that the path to sustainable growth can be found by working closely with
governments, academia, as well as other stakeholders, in a common effort to put in place the right rules
to drive investment, innovation and widely shared opportunities.

Functions of the ITU


• ITU coordinates the world’s satellites through the management of spectrum and orbits, bringing you television, vehicle GPS navigation, maritime and aeronautical communications, weather information and online maps, and enabling communications in even the remotest parts of the planet.
• The ITU promotes the shared global use of the radio spectrum.
• Assists in developing and coordinating worldwide technical standards.
• Works to improve telecommunication infrastructure in the developing world.
• It is also active in the areas of broadband Internet, wireless technologies, aeronautical and maritime navigation, radio astronomy, satellite-based meteorology, TV broadcasting, amateur radio, and next-generation networks.
• ITU standards, protocols and international agreements are the essential elements underpinning the global telecommunication system.
• ITU makes Internet access possible. The majority of Internet connections are facilitated by ITU standards.
• ITU helps support communications in the wake of disasters and emergencies – through on-the-ground assistance, dedicated emergency communications channels, technical standards for early warning systems, and practical help in rebuilding after a catastrophe.
• ITU works with the industry to define the new technologies that will support tomorrow’s networks and services.
• ITU powers the mobile revolution, forging the technical standards and policy frameworks that make mobile and broadband possible.
• ITU works with public and private sector partners to ensure that ICT access and services are affordable, equitable and universal.
• ITU empowers people around the world through technology education and training.
ITU has three main areas of activity organized in three Sectors:
• The Radiocommunication Sector (ITU-R);
• The Telecommunication Standardization Sector (ITU-T); and
• The Telecommunication Development Sector (ITU-D).
ITU-R plays a vital role in the global management of the radio-frequency spectrum and satellite orbit
resources, with the mission to ensure their rational, equitable, efficient and economical use by all radio
communication services.
ITU-T provides a unique forum for industry and government to work together to foster the development
and use of interoperable, non-discriminatory and demand-driven international standards (known as ITU-T
Recommendations).
ITU-D fosters international cooperation and solidarity in the delivery of technical assistance and in the
creation, development and improvement of telecommunication/ICT equipment and networks in
developing countries.
Standard Setting on the Global Stage
The ITU sets global ICT standards and makes policy on a range of critical telecom issues, although this
occurs in a diffuse way. Each of the three ITU technical sectors organizes “study groups” made up of
experts that get together at meetings to discuss technical issues. The study groups write
recommendations, which roll up to inform resolutions that are sent up to the larger body to vote on as
decisions. Once a resolution receives a unanimous vote by the members, it effectively becomes
international law, enforced and implemented at the national level.
ITU decisions and outcomes are implemented through national-level rules and regulations. Member states
are held accountable for implementing the terms of the resolutions and reporting to the ITU on progress.
They are also implemented through technical standards and practices of private industry. ITU regulations
matter; they determine what type of access to information you have when you open an internet browser or
how much you pay for, say, Netflix.
The ITU’s 2020 Global Report states, “No single actor alone can achieve the ambitious goal of
connecting everyone to universal, affordable broadband connectivity by 2030.” Nor should any bilateral
set the rules around digital connectivity on its own. The aim is to prioritize fair and open digital systems,
which can serve as the foundation for collaboration both at the bilateral and multilateral level.

United Nations Model Law on Electronic Commerce

United Nations Commission on International Trade Law (UNCITRAL)
UNCITRAL’s mandate and work
• The core legal body of the United Nations system in the field of commercial law.
• A UN Commission with universal membership, active in commercial law reform for 50 years.
• UNCITRAL's goal is the modernization and harmonization of international business law.
• UNCITRAL deals with the law of electronic transactions, electronic contracting and electronic signatures.
UNCITRAL has prepared a suite of legislative texts to enable and facilitate the use of electronic means to
engage in commercial activities, which have been adopted in over 100 States. The most widely enacted
text is the UNCITRAL Model Law on Electronic Commerce (1996), which establishes rules for the equal
treatment of electronic and paper-based information, as well as the legal recognition of electronic
transactions and processes, based on the fundamental principles of non-discrimination against the use of
electronic means, functional equivalence and technology neutrality. The UNCITRAL Model Law on
Electronic Signatures (2001) provides additional rules on the use of electronic signatures.
The United Nations Convention on the Use of Electronic Communications in International Contracts
(New York, 2005) builds on pre-existing UNCITRAL texts to offer the first treaty that provides legal
certainty for electronic contracting in international trade.
Most recently, the UNCITRAL Model Law on Electronic Transferable Records (2017) applies the same
principles to enable and facilitate the use in electronic form of transferable documents and instruments,
such as bills of lading, bills of exchange, cheques, promissory notes and warehouse receipts.
In 2019, UNCITRAL approved the publication of Notes on the Main Issues of Cloud Computing
Contracts, while continuing work towards a new instrument on the use and cross border recognition of
electronic identity management services (IdM services) and authentication services (trust services).
Model Law on Electronic Commerce (MLEC)
The most widely enacted text is the UNCITRAL Model Law on Electronic Commerce (1996), which
establishes rules for the equal treatment of electronic and paper-based information, as well as the legal
recognition of electronic transactions and processes, based on the fundamental principles of
non-discrimination against the use of electronic means, functional equivalence and technology neutrality.
Principle of non-discrimination
A communication shall not be denied validity on the sole ground that it is in electronic form.
– Conditions for legal recognition of electronic documents shall be the same as for paper documents
– Easier to implement in the private sector than in the public sector.
Principle of functional equivalence
Purposes and functions of paper-based requirements may be satisfied with electronic
communications, provided certain criteria are met
– For instance, the written form requirement is met if the electronic communication is accessible for
future reference
– Electronic accessibility satisfies the same function as paper accessibility
Principle of technology neutrality
Legislation shall not impose the use of or otherwise favour any specific technology
– This approach is necessary to enable the use of future technologies
– Challenge in jurisdictions where only documents signed with national PKI standards are given legal
recognition
• This may increase costs, affect interoperability and prevent mutual legal recognition
• These principles have already been adopted in at least 25 States in Asia and the Pacific
• Adopted in 1996, the MLEC aims to enable the commercial use of modern means of communications and storage of information.
• It contains the first formulation of the three fundamental principles of technology neutrality, non-discrimination and functional equivalence in electronic media.
• It also establishes rules for the formation and validity of contracts concluded electronically and for the attribution and retention of data messages.
• Enacted in over 70 States, including most States in East and South Asia.
Model Law on Electronic Signatures (MLES)
• Adopted in 2001, the MLES aims at bringing additional legal certainty to the use of electronic signatures.
• It establishes criteria of technical reliability for the equivalence between electronic and hand-written signatures.
• It follows a technology-neutral “two tier” approach, which avoids favoring the use of any specific software, method or product while attaching legal presumptions to more secure signatures.
• It establishes rules for assessing possible liability of signatories, relying parties and trusted service providers intervening in the signature process.
• Enacted in over 30 States, including China and India.

INFORMATION LAW AND POLICY:


Issues concerning the use of information technology and informational privacy i.e. the gathering, use and
protection of information about individuals.

Data protection
Local data protection laws and scope
Data protection in Kenya is regulated by the Data Protection Act No. 24 of 2019 (the "DPA"). The DPA
came into effect on 25 November 2019.
Subsequently, the following regulations came into effect on 31 December 2021:
1. The Data Protection (General) Regulations, 2021;
2. The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021;
and
3. The Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, (the
"Regulations").
Data protection authority – vested in the office of the data commissioner.
Administrative sanctions:
• The Data Commissioner is given power to impose administrative fines for failure to comply with the DPA. The Data Commissioner may impose a fine of up to KES. 5 million or, in the case of an undertaking, up to 1% of its annual turnover of the preceding financial year, whichever is lower. The fine is payable to the Office of the Data Commissioner.
• Failure to comply with an order of the Office of the Data Commissioner is considered an offence under the DPA.
• Section 65 of the DPA accords all data subjects the right to compensation from data processors or controllers for damage caused to them.
Criminal sanctions:
There are certain specific offences under the DPA, including:
• Unlawful disclosure of personal data in a manner incompatible with the purpose for which the data was collected;
• Unlawful disclosure of personal data that the data processor processed without the prior authorisation of the data controller;
• Obtaining access to personal data without the prior authorisation of the data controller or processor holding the data;
• Disclosure of personal data to a third party without prior authorisation by the data controller or processor holding the data;
• Sale of personal data obtained unlawfully. Advertising the sale of such data constitutes an offer to sell under this offence;
• Failure to register with the Office of the Data Commissioner as a data processor or controller;
• Provision of false or misleading information during the application process for registration as a data processor or controller; and
• Obstruction of the Office of the Data Commissioner during an investigation.
On conviction, an offence under the DPA carries a general penalty of a fine not exceeding KES. 3 million
or an imprisonment term not exceeding ten years, or both.
Registration / notification / authorisation
The DPA requires all data processors or controllers to register with the Office of the Data
Commissioner. However, data processors and data controllers that have an annual turnover of below KES. 5
million or annual revenue of below KES. 5 million and have fewer than 10 employees are exempt from the
mandatory requirement for registration. This exemption does not apply to data controllers or data
processors who process personal data for the following purposes:
• Canvassing political support among the electorate
• Crime prevention and prosecution of offenders
• Gambling
• Operating an educational institution
• Health administration and provision of patient care
• Hospitality industry firms (excluding tour guides)
• Property management, including the sale of land
• Provision of financial services
• Telecommunications networks or service providers
• Businesses that are wholly or mainly in direct marketing
• Transport service firms (including online passenger hailing applications)
• Businesses that process genetic data
Main obligations and processing requirements
Data Processing Principles:
All data processors/controllers are required to follow the data protection principles, which are:
• Data processing in accordance with the right to privacy of the data subject;
• Fair and transparent processing of a data subject's personal data;
• Collection of personal data for specified and legitimate purposes and not further processing beyond those purposes;
• Purpose limitation for data collected;
• Collection of personal data relating to family or private affairs only where a valid explanation is provided;
• Accuracy of collected personal data and every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
• Personal data is to be kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and
• Personal data shall not be transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject.
Duty to Notify:
Before collecting any personal data, data processors/controllers are required to notify a data subject of:
• Their rights as data subjects under the DPA;
• The fact that their data is being collected and the purpose for the collection;
• Any third parties that have or will have access to their data, including details of safeguards adopted;
• The contacts of the data controller/processor and any other entity receiving the collected personal data;
• The technical and organizational security measures taken to ensure the integrity and confidentiality of the data;
• Whether the data is being collected pursuant to any law and whether such collection is voluntary or mandatory; and
• The consequences, if any, if they fail to provide all or any part of the requested data.
Lawful Processing:
Personal data may only be processed on the lawful basis provided under Section 30 of the DPA as:
1. Consent: the individual has given clear consent for a data processor or controller to process their
personal data for a specific purpose;
2. Contract: the processing is necessary for a contract's performance between a data processor or
controller and the data subject or because the data subject has asked the data processor or
controller to take specific steps before entering into a contract;
3. Legal obligation: the processing is necessary for a data processor or controller to comply with the
law (not including contractual obligations);
4. Vital interests: the processing is necessary to protect the vital interests of the data subject or
another natural person;
5. Public task: the processing is necessary for a data processor or controller to perform a task in the
public interest or the exercise of official authority vested in the controller;
6. Legitimate interests: the processing is necessary for a data processor or controller's legitimate
interests or the legitimate interests of a third party unless there is a good reason to protect the data
subject's data which overrides those legitimate interests; and
7. Historical, Statistical, Journalistic, Literature and Art or Scientific research: if the data is required
in such pursuits.
Data Retention Obligations
Data processors and data controllers are required to retain personal data for a lawful purpose and only for
as long as may reasonably be necessary for the purpose.
Under the Regulations, the data controllers and processors are required to establish a data retention
schedule with appropriate time limits for review of the need for continued storage. Periodic audits of the
data retained are also required.
Upon lapse of the purpose for which the personal data was collected, data controllers and data processors
are required to erase, delete, anonymise or pseudonymise the personal data retained.
Data Sharing Obligations
A data controller or data processor may share or exchange personal data collected if requested in writing
by another data controller, data processor, third party or a data subject.
The written request for data sharing must specify the purpose for which the personal data is required, the
duration it will be retained, and proof of safeguards in place to secure the personal data.
Under the Regulations, upon such a request, the providing data controller or data processor is required to
enter into a data-sharing agreement with the requesting party.
Data Protection Policy
Data processors and data controllers in Kenya are required to develop, publish and regularly update a
policy reflecting their personal data handling practices.
Elements in Implementing Data Protection by Design or Default
Data controllers and data processors are required under the Regulations to establish data protection
mechanisms aligned with the DPA and the Regulations and design technical and organisational measures
to safeguard and implement the data protection principles. These principles are spelt out in the
Regulations, where the elements of the principles and the obligations of data controllers and data
processors are listed as follows:
Lawfulness: Appropriate legal basis or legitimate interests clearly connected to the specific purpose of
the processing;
Transparency: The use of clear, simple and plain language to communicate with a data subject for them
to make decisions on the processing of their personal data;
Purpose Limitation: Specifying the purpose for each processing;
Integrity, Confidentiality and Availability: Having an operative means of managing policies and
procedures for information security;
Data Minimisation: Avoiding the processing of personal data altogether when data processing is not
necessary for the relevant purpose;
Accuracy: Having clear internal procedures for deletion; determining what data and what length of storage of
personal data are necessary for the purpose;
Fairness: Granting the data subjects the highest degree of autonomy with respect to control over their
personal data;
Data subject rights
1. Right to be informed of the use to which their personal data is to be put;
2. Right to access their personal data in the custody of the data controller or processor;
3. Right to object to the processing of all or part of their personal data;
4. Right to correction of false or misleading data;
5. Right to deletion of false or misleading data about them;
6. Right to withdraw the consent given to data processor or controller at any time;
7. Right not to be subject to a decision based solely on automated processing, including profiling,
which produces legal effects concerning or significantly affects the data subject;
8. Right to object to the processing of their personal data, unless the data controller or data
processor demonstrates compelling legitimate interest for the processing which overrides the data
subject's interests, or for the establishment, exercise or defence of a legal claim; and
9. Right to receive personal data concerning them in a structured, commonly used and machine-
readable format and the right to transmit such data from one data controller to another.
Processing by third parties
The DPA does not prohibit the processing of personal data by third parties but requires that the data
subject be informed of any third parties that may have access to their personal data and the safeguards
adopted to ensure their data security.
The data processor or controller must also provide the third party's contact details to the data subject. This
information should be provided before the data is collected.
Transfers out of country
Before a data controller or processor transfers data outside Kenya, they need to ascertain that the transfer
is being done on one of the following bases:
1. Appropriate data protection safeguards
2. An adequacy decision made by the Data Commissioner
3. Transfer as a necessity
4. Consent of the data subject
ISSUES IN INFORMATION TECHNOLOGY
INTELLECTUAL PROPERTY
Intellectual property represents a set of intangible assets owned and legally protected by a company or
individual from outside use or implementation without consent. An intangible asset is a non-physical
asset that a company or person owns. Intellectual property can take many forms and includes things like
artwork, symbols, logos, brand names, and designs, among others. The concept of intellectual property
relates to the fact that certain products of human intellect should be afforded the same protective rights
that apply to physical property, which are called tangible assets.
• Intellectual property is an umbrella term for a set of intangible assets or assets that are not
physical in nature.
• Intellectual property is owned and legally protected by a person or company from outside use or
implementation without consent.
• It can consist of many types of assets, including trademarks, patents, and copyrights.
• Intellectual property infringement occurs when a third party engages in the unauthorized use of
the asset.
• Legal protections for most intellectual property expire after some time but last forever for others.
Extracting value from intellectual property and preventing others from deriving value from it is an
important responsibility of any company. Although it's an intangible asset, intellectual property can be far
more valuable than a company's physical assets. It can represent a competitive advantage and, as a result,
is fiercely guarded and protected by the companies that own the property.
Intellectual Property rights (IP Rights) are the rights given to persons over the creations of their minds.
They are a granted form of property that enables the owner to exercise a monopoly on the subject of the
Intellectual Property rights, and comprise a set of exclusive rights to exclude others from making,
copying or using certain intangible creations for a certain period of time.
They are not only aimed at protecting the innovative and creative capacity of owners of Intellectual
Property and promoting competition in various industries, but also have to do with the welfare of the
consumers of the goods and services to which they apply.
Protection of Intellectual Property is enshrined in Article 40(5) of the Constitution of Kenya 2010, which
places the mandate on the government to protect and enforce Kenyans' Intellectual Property Rights.
Kenya has been a member state of WIPO since 1971 and has in place four intellectual property
protection bodies:
1. The Kenya Industrial Property Institute (KIPI)
2. The Kenya Copyright Board (KECOBO)
3. Kenya Plant Health Inspectorate Services (KEPHIS)
4. The Anti-Counterfeit Agency (ACA)

Forms of Intellectual Property


The most common forms of Intellectual Property, which are discussed below, include:
1. Trademarks
2. Patents
3. Trade Secrets
4. Copyright

The Value of Intellectual Property


The value of intellectual property includes:
• Strengthening national economies,
• Driving innovation and technology,
• Fostering new ideas and
• Enhancing society and culture.
• Grows the economy of the country through GDP (Gross Domestic Product),
• Employment,
• Tax revenues
• Competitiveness
• Intellectual property has the potential to drive innovation and technology, attracting FDI (Foreign
Direct Investment)
• Monetizing inventions and growing inventions

PATENTS
A patent grants the owner an exclusive monopoly on the ideas behind an invention for 20 years. The
intent behind patent law was to ensure that inventors of new machines, devices, or methods receive the
full financial and other rewards of their labor and yet still make widespread use of the invention possible
by providing detailed diagrams for those wishing to use the idea under license from the patent’s owner.
The granting of a patent is determined by the relevant legal office. The key concepts in patent law are
originality, novelty, and invention. The strength of patent protection is that it grants a monopoly on the
underlying concepts and ideas of software.
To receive a patent, your idea must meet four requirements:
• The subject matter must be “patentable”
• Your idea must be “new.”
• The idea must be “useful.”
• Your idea must be “non-obvious.”
There are three types of patents you can file for:
• Utility patent – Utility patents may be granted to anyone who invents or discovers any new and
useful process, machine, article of manufacture, composition of matter, or any new and useful
improvement thereof (good for 20 years).
• Design patent – Design patents may be granted to anyone who invents a new, original, and
ornamental design (good for 14 years).
• Plant patent – Plant patents may be granted to anyone who invents or discovers and asexually
reproduces any distinct and new variety of plant (good for 20 years).
Patents can be expensive to obtain and maintain, as there are yearly or regular fees required to maintain them.
And, like trademarks, patents are only good in the country where the patent was granted. So, in-house
counsel must consider which countries and markets require patent protection.

TRADEMARKS
A trademark is a sign capable of distinguishing the goods or services of one enterprise from those of other
enterprises. Trademarks date back to ancient times when artisans used to put their signature or "mark" on
their products. A trademark can be any word, phrase, symbol, design, or combination of these things that
identifies your goods or services — it’s how customers recognize your company in the marketplace.
A trademark has many benefits, including:
• Identifying the source of your goods or services
• Providing legal protection for your brand
• Guarding against counterfeiting and fraud
A trademark does not mean you own a particular word or phrase. Rather, you own the rights to how that
word or phrase is used with respect to specific goods or services. Key to obtaining trademark protection is
the need to identify the specific categories of goods and services the mark will cover. And, the company
must actually use or provide such goods and services in the chosen categories — or have a good faith and
demonstrative intent to do so.
In-house counsel also need to avoid seeking trademarks that are merely descriptive of the goods or
services. Unique words or phrases are far easier to protect and more likely to qualify for trademark
protection. For example, “Nike” is a stronger, more unique mark than “Quality Tennis Shoes Company.”
You own a trademark as soon as you start using it along with your goods or services. This is known as
common law trademarks and it applies only to the geographic area where the company provides its goods
or services.
Every time you use your trademark, you can use a symbol with it: “™” for goods, “℠” for services, or
“®” for registered trademark. The symbol lets consumers and competitors know you are claiming the
mark as yours. You can use “™” for goods or “℠” for services even if you haven’t sought to register
your trademark.
Critically, in-house counsel must take steps to protect trademarks by actively going after infringers —
other companies using the mark or a similar mark — and ensuring that the mark does not become generic
in the minds of the public. Failing to do so can cause the company to lose the mark.

COPYRIGHTS
Copyright is a statutory grant that protects creators of intellectual property from having their work copied
by others for any purpose during the life of the author plus an additional 70 years after the author’s death.
For corporate-owned works, copyright protection lasts for 95 years after their initial creation. Congress
has extended copyright protection to books, periodicals, lectures, dramas, musical compositions, maps,
drawings, artwork of any kind, and motion pictures. The intent behind copyright laws has been to
encourage creativity and authorship by ensuring that creative people receive the financial and other
benefits of their work.
Copyright is a legal term used to describe the rights that creators have over their literary and artistic
works. Works covered by copyright range from books, music, paintings, photographs, sound recordings,
blog posts, architectural works, plays, sculpture and films, to computer programs, databases,
advertisements, maps and technical drawings.
There are some things that are not “creative,” like titles, names, short phrases, and slogans; familiar
symbols or designs; lettering or coloring; and mere listings of ingredients or contents. Copyrights protect
expression and never ideas, procedures, methods, systems, processes, concepts, principles, or
discoveries.
Companies can be copyright owners as the law allows ownership through “works made for hire” —
works created by an employee within the scope of employment, or by certain independent contractors, and
owned by the employer. Copyright law provides copyright owners with the following exclusive rights (among
others):
• Reproduce the work
• Prepare derivative works
• Distribute copies by sale, transfer of ownership, or license
• Perform or display the work publicly
Copyright registration is not mandatory but allows copyright owners to seek certain types of monetary
damages and attorney fees. Notable exceptions to the exclusive rights are “copyright fair use” or the use
of copyrighted works that have fallen into the “public domain.” As to the latter, in-house counsel must
ensure any company copyrights are kept current until they otherwise expire.

TRADE SECRETS
While businesses have a lot of confidential information, not everything is a trade secret. A trade secret is
typically something not generally known to the public, where reasonable efforts are made to keep it
confidential, and which confers some type of economic value on the holder by the information not being
known by another party.
What exactly constitutes a trade secret can vary. A trade secret is any information you would not want
your competitors to have. Some examples of likely trade secrets include new business models; customer
and supplier information, especially around price; marketing strategy; processes and formulae; and other
confidential business information.
Any intellectual work product (a formula, device, pattern, or compilation of data) used for a business
purpose can be classified as a trade secret, provided it is not based on information in the public domain.
Protections for trade secrets vary from state to state. In general, trade secret laws grant a monopoly on the
ideas behind a work product, but it can be a very tenuous monopoly. Software that contains novel or
unique elements, procedures, or compilations can be included as a trade secret. Trade secret law protects
the actual ideas in a work product, not only their manifestation. To make this claim, the creator or owner
must take care to bind employees and customers with nondisclosure agreements and to prevent the secret
from falling into the public domain.
The limitation of trade secret protection is that although virtually all software programs of any complexity
contain unique elements of some sort, it is difficult to prevent the ideas in the work from falling into the
public domain when the software is widely distributed.
