Internet Service Providers (ISPs) and Copyright in Kenya: Commentary on the Copyright Amendment Act 2019



Image provided by Google Images

By Caroline Wanjiru

This post forms part one of a two part series focused on the Intellectual Property considerations in the Copyright Amendment Act. The IT considerations, focusing on digital rights will be addressed in a follow up series.

ISPs and Copyright

The Copyright Amendment Act (Amended Act) 2019 has brought in new provisions which have created new obligations and extended rights for some parties within the copyright practice in Kenya.

In the next few weeks, the CIPIT IP Team shall undertake a review of these new provisions in a series of blogs all aimed at informing, analyzing and probably providing a critique to the same. This week’s blog begins with looking at the provisions relating to the liability of the Internet Service Providers (ISPs) in Kenya.

From the onset, it is a matter of common notoriety now that copyright enforcement is an arduous task. It requires concerted effort from all players and 3rd parties as well. ISPs are 3rd parties who provide a vehicle through which the copyright owners can easily distribute their works and the users to freely enjoy the same. Section 2 of the Amended Act defines an ISP;

As a person providing information system services or access software that provides or enables computer access by multiple users to a computer server including connection for, the transmission or routing of data.’

Simply put an ISP is a company or entity that provides internet access to its subscribers. How this works is that the owner or holder of copyrighted material reduces it to a format which can be transmitted or carried through the ISP network. The aim is to distribute the works to those who have access to internet. Access of the copyrighted material can be free or paid service. Payment is typically to the owner or an authorized agent. Challenge within the copyright arena arises when the material that should be paid for is accessed for free. Such access would be unauthorized and infringing on the rights of the copyright holder. ISPs are enablers of access, authorized or unauthorized hence their inclusion in copyright enforcement.

ISPs and Internet Freedom

Based on their position, ISPs have the capacity to take down or disable access to sites which are considered to be providing access/accessing infringing materials. As is said, every coin has two, or three sides. So the associated question is, in taking down the content or disabling the content, will the ISP be infringing on anyone’s digital or access rights, limiting the user’s internet freedom? Where is the balance, if any? We shall address this with a post.

ISPs and the Law

From their role in the distribution of copyright works, ISPs can be enablers of infringement or can be the infringers depending on their role. Section 35A provides for scenarios where an ISP shall not be liable for infringement. These include where the ISP:

  1. If it only provides either automatic, intermediate or temporary transmission, routing or storage of content (subject to copyright) in its ordinary course of business on condition that:
  1. It does not initiate transmission
  2. it does not select the addressee/person receiving the content
  3. these functions are automated and technical such as not to select the material;
  4. does not promote the content or the material being transmitted.
  5. For the automatic, intermediate and temporary storage of content for purposes making onward transmission of the data more efficient to other recipients of the service upon their request on condition that the ISP:
    1. does not modify the material;
    2. complies with conditions on access to the material;
    3. complies with rules regarding the updating the cache in conformity with generally accepted standards within the service sector;
    4. does not interfere with the lawful use of technology to obtain information on the use of the material;
    5. removes or disables access once it receives a takedown notice or where the original material has been deleted or access disabled on orders of a competent court or otherwise on obtaining knowledge of unlawful nature of the cached material.

Comment: The above places an obligation on the ISPs to ensure that they do not promote infringing materials under the guise of conducting business. This can be done partly by policing on the content or by requiring the internet content owners to indemnify the ISPs or exonerate them from liability should claims arise.

Continue reading




By Jackline Akello


The Cyberrights Research Initiative and Localized Legal Almanac (CYRILLA – is producing an open and federated resource toolkit and online database, of legal information on digital rights. It addresses an increasingly urgent need “for comprehensive databases aggregating legislation and case law across a variety of jurisdictions” expressed by digital rights researchers, journalists, civil society advocates, human rights defenders, legal professionals, and others seeking to shape rapidly evolving legal frameworks for digital rights worldwide.

CYRILLA aims to organize and make accessible the world’s digital rights – related laws so that a wide range of actors can more readily and confidently assess legal trends as they shape and impact digitally networked spaces, highlighting threats to human rights and opportunities for legal reform.

CYRILLA Collaborative Partners

Formerly known as the Arab Digital Rights Dataset, the CYRILLA database was launched in late 2017 with a dataset of bills, law, and case law from the 22 Arab League states. With the addition of new CYRILLA Collaborative partners – Association for Progressive Communications (APC)1, Centre for Intellectual Property and Information Technology Law (CIPIT)2 at Strathmore Law School, Columbia University’s Global Freedom of Expression Program, Derechos Digitales3, HURIDOCS4 and Social Media Exchange (SMEX)5 – the database will expand over the next two years to include legal information on digital rights from more than 90 countries in Latin America, Africa and Asia.

CIPIT’s Role

CIPIT, a think tank established under Strathmore Law School, is the African partner in this Collaborative, whose mandate relates to sub-Saharan Africa countries. As part of its role CIPIT has been reaching out to partners across Africa and collating, developing and populating a repository6 with digital rights data from across sub-Saharan Africa. This data includes both hard and soft law instruments such as legislation, case law and policies from various African jurisdictions.

Continue reading

Eliud Kipchoge, the breaker of records and Intellectual Property


Image from INEOS

By Caroline Wanjiru

Today we pause our continuing IP series to dedicate this entire blog to the one and only Eliud Kipchoge. Why you ask? How is he related to your core business- IP? Well, there are several reasons as to why we had to do this. Most importantly, Eliud is a Kenyan champion. He is an athlete who holds several titles including 2016 Olympic Marathon Winner 2018 World Record Holder with 2.01.39 just to name a few. He is personne extra ordinaire. More OF his achievements here. There are many things to write about Eliud but for today we shall discuss his upcoming challenge. You see, no athlete has attempted to break the current world record held by Eliud set in Berlin. So he took it upon himself to break his own record by running the 42km Marathon in a record time of 1.59.59. In this journey which he has documented in his various social media accounts, he has partnered with INEOS who are also the organisers of the challenge. The challenge is set to happen in Vienna, Austria for various reasons including weather and the course for the marathon. The challenge is tentatively planned to happen on 12th October, 2019 with the confirmation of this date from INEOS Performance Team planned for 9th October. From this side of the desk and the whole CIPIT Team would like to wish Eliud nothing but the best and this blogger promises to cheer him to the finish line. As Ben Cyco says, Cheza kama wewe!!

The second reason for dedicating this to Eliud is the commercial aspect that the challenge presents both to him and to the partners, official and unofficial. This part is meant to provoke everyone who reads it and to see the challenge from an IP perspective. In the challenge, Eliud will be wearing brands such as Nike and the event will be live on KBC, Standard group (KTN), NTV and Citizen TV in Kenya. There are other broadcasters all over the world. Nike have further specially designed 3-D printed Nike Zoom Vaporfly 4% shoe for Eliud which is aimed to give him peak performance. With such official sponsorship it is expected that Nike and Eliud, the companies will benefit commercially, directly and indirectly. This could be in the form of increased sales and reputation of the companies and that of the products endorsed by the athlete.

During the challenge, the broadcasters broadcasting to millions of people will not only focus on Eliud and also every other entity whose product which will be exhibited. This is advertising, creating brand presence, consumer awareness which in turn creates consumer loyalty. The resulting effect is a presumption by the consumers is that for an entity to be associated with such a challenge, their products (and services) must be of a certain status or quality. Such impact would ordinary times take time to create. The consumerism, the loyalty and pride resulting from this impact has a direct co-relation with the athlete. It is against this background that this blogger argues that such association should then be accompanied by commensurate commercial value to the athlete as well as the company. 

Continue reading

Third party data sharing: Analysis of the Data Protection Bill, 2019


Icons made by Smashicons from

By Grace Mutung’u

This is the finale in our series on Data Protection principles espoused in the Data Protection Bill.

Clause 25 of the 2019 Data Protection Bill spells out the principles of data protection. Among this is the prohibition from sharing data with third parties without the consent of the data subject.

“Third party” is a term that originates from contracts. Traditionally contracts are between two parties and a third party is a person who deals with the contracting parties but is not party to the contract. In data protection however, there are typically three parties- the person whom the data concerns (data subject), the person who designs how data will be processed (data controller) and the person who actually processes the data (the data processor). In some cases, data is processed by the same organisation that is the controller. In other cases, it is processed by a third party processor. A third party processor would not typically require further consent to process data on behalf of the data controller.

For example, a manufacturing firm may outsource their payroll function to a HR firm. The manufacturing firm is the data controller as they determine which data is collected, and how it is processed. The HR firm is the third party data processor and employees of the manufacturing firm are data subjects.

The Data Protection Bill envisages that the data controller will inform the data subject of the use to which their data is being put. Clause 26 lists the rights of the data subject, and they include the right to be informed about their data use; right to access their data in the custody of the controller or processor; as well as the right to object to processing of all or part of their personal data. In the above example, the manufacturing firm would need to inform their employees that their personal data is processed by the payroll company.

In the event that the data controller or processor were to share the data with a third party, then the consent of the data subject would be needed. Clause 25(g) states:

Continue reading

Net Neutrality: a brief


Icons made by Freepik from

By Jaaziyah Satar and Malcolm Kijirah

Net neutrality is the concept of free access to the internet.

Net neutrality has many advantages and disadvantages. The success or failure of net neutrality in a State has been relative, from a case-to-case basis.

Net neutrality advocates argue that keeping the internet open playing is crucial for innovation; if broadband providers pick favourites online, new companies and technologies might never have the chance to grow. Furthermore repealing net neutrality would lead to broadband providers being “gatekeepers” of the internet (who have the power of defining what websites and services are accessible). Customers would find themselves in a helpless position at the hands of broadband providers. This goes against the idea of net neutrality giving Internet users more freedom without service provider interference.

Adding on to the point above a handful of large telecommunications companies dominate the broadband market. As a result they have the power to suppress particular views or limit online speech depending on who can pay the most.

For example a broadband provider may allow some companies to pay for priority or special treatments on broadband networks. The amount for these special treatments may be high and every company may not be able to afford and access it. Large companies would be able to afford premiums for next-generation internet services and higher priority lanes, but startups with no buying power will be squeezed out. That’s relevant in the engineering space, with a lot of innovation happening around Artificial Intelligence and robotics. Innovators are concerned that broadband provider will become “arbiters of acceptable online business models

Continue reading

Identification of the data subject: an analysis of section 25(f) of the Data Protection Bill


Icons made by Icon Pond from

By Malcolm Kijirah

This post is the fourth of CIPIT’s analysis on the data protection principles provided for under section 25 of the Data Protection Bill. This post focuses on section 25(f) which provides that personal data should be kept in a form which identifies the data subject for no longer than is necessary for the purposes for which it is collected.

Kenya’s National Assembly recently released a Data Protection Bill 2019 (the Bill), which gives effect to Article 31 of the Constitution of Kenya – The Right to Privacy. Specifically, the Bill prescribes a legal instrument for the protection of personal data. It establishes the Office of the Data Protection Commissioner, makes provisions for the regulation of processing of personal data, and provides rights of data subjects and obligations of data controllers and processors.

Section 25 of the Bill outlines the broad principles of data protection, and this article focuses on s25 (f), which states: ‘personal data should be kept in a form which identifies the data subject for no longer than is necessary for the purposes which it is collected’.

These principles detailed in s25 of the Bill are in essence the overarching themes that capture the spirit and intent of this Bill. On a black letter review of the wording used on s25 (f) it appears self-evident that data identifying any data subject should not be held for an infinite timeframe particularly after its utility has ended.

For example, it should be a primary privacy concern to any Kenyan citizen how the data they use in their communications online or over the phone, is stored by local telecommunication companies, who can access this data(for example if required for national security purposes), and for how long this data is held by these companies.

It is an open secret that the Bill borrows heavily from the the European Union’s General Data Protection Regulation (GDPR).[1] Being a Bill, as the interpretation of this clause hasn’t yet been tested from a Kenyan jurisprudence perspective, it is therefore prudent to look to the intent of the GDPR principles for an analysis of s25 (f). In this case it ascribes to the following principles:

  • The purpose limitation principle –  a Data controller[2] or Data processor[3] should only collect personal data for a specific purpose, clearly state what that purpose is, and only collect data for as long as necessary to complete that purpose. This principle has been reviewed in detail in this series of blogs particularly under s25 (e).
  • The storage limitation principle – This is effectively stated in the last part of the above principle, which is basically that organisations need to delete personal data when it is no longer necessary. What does ‘no longer necessary means’ in this context? In my view this means that data controllers should only process data for the time needed to execute the purpose for which this specific information was collected.

The question then follows, how this principle is effected in this Bill. From this blogger’s review, aspects of this principle are espoused in the following clauses:

  • Section 28(3) provides that a data controller or processor shall collect, use or store personal data for a lawful, specific and explicitly defined purpose (purpose limitation principle).
  • Section 29(c) on the duty to notify, a data controller shall be mandated to inform the data subject of the purpose for which the personal data is collected (purpose limitation principle).
  • Section 34(b) provides that processing of personal data may be restricted where personal data is no longer required for the purpose it was intended for (purpose limitation principle).
  • Section 39 provides for limitation of retention of personal data and outlines some exemptions (storage limitation principle)
Continue reading

The Principle of Accuracy: Section 25 (e) of the Data Protection Bill



Icons made by Eucalyp from

By Jackline Akello

The following post is the third of CIPIT’s analysis of the data protection principles provided for under section 25 of the Data Protection Bill. This post focuses on Section 25(e) which provides that personal data needs to be accurate, up to date and contains a right to rectify or erase inaccurate personal data.

As noted in our previous two posts, the Data Protection Bill, 2019,1 has been designed to give effect to the right to privacy provided under Article 31 (c) and (d) of the Constitution of Kenya, 2010, which states that – every person has a right to privacy which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed or the privacy of their communication revealed. By using the word “includes”, the Constitution seems to allow a wide interpretation of the right, for example to cover all personal information.

Continue reading



, , ,

An excerpt from the Huduma Namba Registration Form. The whole form can be downloaded here.
An excerpt from the Huduma Namba Registration Form. The whole form can be downloaded here.

The Huduma Namba draft bill (“the Bill”) was introduced in July 2019 against the backdrop of a petition that challenged the recent amendments to the Registration of Persons Act found in the Statute Miscellaneous (Amendment) Act. The impugned amendments created the National Integrated Identity Management System (NIIMS) by adding section 9A to the Registration of Persons Act, and extend the data that can be collected during the registration of persons to include personally identifying data such as Deoxyribonucleic acid (DNA) data and global positioning system (GPS) coordinates.

The grounds for the petition were: that the registration process lacked legal basis, the registration process infringes on the right to privacy, Kenya lacks a comprehensive data protection law, and the process would further marginalise persons who have not acquired the primary documents required to register for Huduma Namba.

Continue reading



, ,

FEB 17 1986, 3-18-1986, MAR 21 1986; Logos & Trademarks; Colorado University; possible CU logo designs; block…contemporary…some with flames, some without…some colored in; (Photo By Lyn Alweis/The Denver Post via Getty Images)

By Cynthia Nzuki

You walk into a supermarket thirsting for a cold orange flavoured drink; on getting to the drinks aisle you are faced with a difficult choice of what packaging to take off the shelf as there are various options; effortlessly, you reach out for the 500ml can of Fanta, a product of Coca Cola Company. If asked why that was your choice, your most likely answer would be “I know the brand” or “I trust it”.

In the world of drinks and beverages, Coca-Cola is known to be one of the most, if not the most, popular brand. Bringing it home, Safaricom has created a brand for its services within the telecommunications industry. Names such as Apple & Samsung; Gucci & Ray ban; Delmonte & Brookside; Bata & Nike; Citizen TV & NTV; etc are brands in the same industry but owned by different owners. The names are used in the same industry with the intention of differentiating the goods and services offered by the different traders. They are brands and, in every industry, there are leading brands.

Continue reading

Imitations versus Counterfeits in Kenya: Are all Imitations Counterfeits?

By Cynthia Nzuki.

The word counterfeit often denotes a product that is fake and of poor quality. Dictionaries have defined the word to mean an imitation intended to be passed off fraudulently or deceptively as genuine[1].Breaking down this definition, counterfeit goods are intended to trick consumers to believe that that which they purchase are genuine goods; whereas they are unauthorized copies of branded goods presented as the authentic goods. For example, Christian Louboutin high heels are well known for having red bottoms; the sale of high heels with red bottoms and passing them off as Louboutin shoes is a good example of counterfeiting.

Continue reading