A major constitutional challenge has been filed in the High Court of Kenya seeking to nullify the recently enacted Computer Misuse and Cybercrimes (Amendment) Act, 2024.
The lawsuit, filed by activist Reuben Kigame Lichete and the Kenya Human Rights Commission (KHRC), argues that the new law severely infringes upon fundamental rights, including privacy and freedom of expression, and was passed through a flawed legislative process.
The petitioners have sued the Attorney General and the Speaker of the National Assembly. There is also crucial input from interested parties including the Law Society of Kenya (LSK), the Kenya Union of Journalists (KUJ), and the Data Protection Commissioner.
The core of the challenge lies in specific amendments the petitioners argue are vague, overreaching, and directly contradict existing law.
1. Diluting data privacy
The most significant clash involves the right to privacy (Article 31) and the existing Data Protection Act (DPA). The petitioners challenge the Act’s provision for mandatory verification of social media accounts, which forces users to link their online identity to their government-issued legal names.
The lawsuit asserts this creates an unconstitutional conflict with the DPA by violating key principles:
- Lawfulness and Fairness: Making the disclosure of a sensitive personal identifier mandatory for simply accessing a service.
- Data Minimization: Collecting a legal name is argued as unnecessary for platform use, which typically functions with user-chosen identifiers globally.
2. Vague criminalization of speech
The petitioners argue that the amendment creating a new offense for distributing “false, misleading, and mischievous” information is dangerously vague and overbroad, violating the freedom of expression (Article 33). This vagueness, they contend, creates a severe chilling effect that risks arbitrary enforcement against citizens, journalists, and activists.
Furthermore, the petitioners challenge the amendment to Section 27, which criminalizes communications that cause another person to commit suicide. They argue this provision is unconstitutionally speculative, lacking objective criteria like intent or immediacy, and fails to establish a practical legal standard for causation.
Procedural impropriety
Beyond the rights violations, the lawsuit asserts the entire Act is void due to a procedural defect during its enactment.
The petitioners argue that because the Cybercrimes Bill contains provisions that affect the functions of County Governments, it was legally defined as a “bill concerning county governments.”
In what they deem a “blatant disregard for the Constitution,” the National Assembly failed to follow the mandatory steps:
- The Bill was never referred to the Senate Speaker for the required preliminary decision (Article 110(3)).
- The Bill was never transmitted to the Senate for its participation in the legislative process (Article 110(4)).
This exclusion of the Senate, a co-equal house on matters affecting counties, constitutes a fatal procedural defect that should vitiate the entire Act.
Relief Sought
The petitioners are asking the High Court to:
- Declare the Computer Misuse and Cybercrimes (Amendment) Act, 2024, null and void in its entirety.
- Issue a Permanent Order of Prohibition stopping the Attorney General and the National Assembly from implementing or enforcing the unconstitutional provisions.
Download the Computer Misuse and Cybercrimes (Amendment) Act, 2024 HERE and the petition HERE.