Icons made by Freepik from

The use of information technology in the country has increased over the years, and this can be attributed to the use of social media that has made it easier for people to communicate and share information. With this increase of use, there have been concerns on the sharing of false information of these platforms and cropping up of blog pages that post false content.

The Social Media Bill, officially called the Kenya Information and Communications (Amendment) Bill 2019, aims to provide for regulation of social media platforms. It seeks to introduce a new part to the Kenya Information Communications Act with sections regulating on licensing of social media platforms, sharing of information by a licensed person, creates obligations to social media users, registers bloggers and seeks to give responsibility to the Communication Authority to develop a bloggers code of conduct in consultation with bloggers. The Bill also seeks to restrict the usage of social media by minors.

The Parliamentary statement also provides that the Amendment Act will not limit any right. However, all these new provision directly affect digital rights, i.e. the freedom of expression, the right to access information and the freedom of association. This Bill will see social media users requiring licenses to form groups, group administrators being held liable for the content posted in these groups and minors being restricted from being on the same platforms adults are in. The Act had been amended previously in 2013 so as to include regulation on the registration of mobile SIM card users.

We invite the public to comment and vote on the Bill on our digital public forum, Jadili. Click here to access the forum. If this link is not active in your browser, please copy and paste the entire link into your browser’s address bar:,-2019




Icons made by Smashicons from

By Jentrix Wanyama & Jaaziyah Sataar


A closed-circuit television (CCTV) is a type of television system that enables surveillance by transmitting its signals only to the screens that are directly connected to it. Use of CCTVs boosts security efforts by making it possible for owners to monitor their premises. However, caution ought to be taken to avoid using CCTVs for illegal surveillance.

The government has embarked on a process of regulating the use of CCTVs in Kenya. A step taken is the drafting of a national CCTV policy (available here). In its preamble, the policy states that Kenya has faced grave security threats over the past thirty years and as a result, there has been an increase in CCTV installations. Further, the policy notes that the installations have been ‘ad hoc’ and ‘disjointed.’ The policy is presumably meant to provide some uniformity. The objective of the proposed policy is to ‘guide installation, operation and management of all CCTV systems in public and private premises while promoting their use as a mechanism to deter, detect and prevent crime for a safe and secure nation.’

The Ministry of Interior and Coordination recently called for comments on the policy, a process CIPIT participated in. Below, we highlight concerns that we raised in our submission.

Certain provisions disproportionately limit the right to privacy.

Continue reading

Did we get Huduma Namba because of a simple mistake in Parliament?



Icons made by photo3idea_studio from

By Isaac Rutenberg

The Hansard for the Miscellaneous Amendment Act 2018 makes for very interesting reading. On 7th August 2018, Parliament debated proposed amendments to the Registration of Persons Act that would create the National Integrated Identity Management System (NIIMS, a.k.a. “Huduma Namba”).

Many Parliamentarians questioned the legality and wisdom of introducing NIIMS via the Miscellaneous Amendment process. Said Hon. Robert Mbui:

this [bill] is basically meant to deal with minor amendments to various laws. It also helps us to save time. I have gone through the Bill and I have seen quite a number of major amendments. The amendments are basically good and a lot of them seek to add value to the laws that exist. It is unfortunate that they have come as omnibus; they have all come together, so they may not receive the kind of attention that they require. I have picked about five amendments that I think are major and require a lot of deliberations. The first one is the amendment on the registration of persons.”

Similarly, said Hon. Ronald Tonui:

I normally assume that the Statute Law (Miscellaneous Amendments) Bill normally takes care of minor corrections in Acts but in this one, massive proposals have been put forward that we ought to amend. Many of them may be unconstitutional in nature.”

Hon. (Dr.) Wilberforce Oundo similarly agreed:

The basic and straightforward reading of the term “miscellaneous” or “minor amendments” should surely be done to rectify clerical and typographical issues or to align an Act of Parliament to any political or constitutional dispensation or any changes in some Acts that touch on that particular Act. What we have here touches close to 60 Acts, making it practically impossible for any reasonable Member to literally review, interrogate and make reasonable comments in respect of each and every Bill. The time allowed is not adequate.”

Continue reading

Internet Service Providers (ISPs) and Copyright in Kenya: Commentary on the Copyright Amendment Act 2019



Image provided by Google Images

By Caroline Wanjiru

This post forms part 2 of our series on the Intellectual Property considerations in the Copyright Amendment Act. The IT considerations, focusing on digital rights will be addressed in a follow up series.

ISPs and Take Down Notices

Section 35B covers take down notices, their form, content, addressees etc. A take down notice is a request to an ISP by a copyright holder (complainant) to remove infringing content.

  1. The take down notice shall:
  1. Be in writing and addressed to the ISP or their agent.
  2. Contain the name and address of the complainant.
  3. Signed by or for the complainant.
  4. Contain specific details of the copyrighted works subject of infringement or which is to be removed.
  5. Identify the rights being infringed, for instance the broadcast, production rights etc.
  6. Set out the details of the content to be taken down and the location of this content.
  7. Be accompanied by a sworn statement attesting to the ownership of the content, validity of the rights under e) above, good faith on the complainant and the efforts (albeit unsuccessful attempts) made to the entities responsible for making the content available remove the content; and
  8. be copied to the Board Communication Authority and the recognized ISP umbrella body.

Comment: Conspicuously missing is a requirement to include the alleged infringer (who is the ISP subscriber hence the addressing of the notice to the ISP) in the notice to take down. Such inclusion would notify and provide an alleged infringer of the notice and the option to ‘challenge’ a take-down notice issued to their ISP. There exists a relationship between the ISP and their subscribers contractual or otherwise. The obligation to notify the subscriber, if any, shifts to the ISP (see below). It is not clear as to why such a requirement would be excluded yet the requirement of a sworn statement by the complainant would be presumptive that they have attempted to reach the alleged infringer to remove the infringing content. Would the subscriber not be entitled to demand to be heard before the notice is effected? If yes, at what point would they be heard yet the notice is to be effected within 48 hours? Article 47 of the Constitution of Kenya provides that every person has a right to fair administrative action, this right includes the right to be heard.

  1. A take down notice will be deemed delivered
    1. Next business day following physical delivery at an ISP’s registered office.
    2. 2 days after the day post if by registered post.
    3. Immediately if sent by electronically to a designated ISP address.

Comment: This provision has serious implication for the ISPs as it dictates when the 48 hours of compliance starts running. Where an ISP has provided a designated address, time starts running immediately a complainant sends it. It is not clear what would happen if there is delivery failure, if it is sent on a day that the ISP is closed for business or is even intercepted by a third party. While this blogger appreciates the fact that electronic transmission is instant, she acknowledges that there are circumstances that may interfere with the ISPs ability to receive the electronic notification. Legislating on time of delivery elevates time to a statutory requirement which carries weighty consequences. Time is truly of essence. However, having such a statutory requirement is an open invitation to breach. This is best left to the industry to regulate. The Board in charge of regulating ISPs may issue policy directions on the same therefore introducing implementation flexibilities.

  1. An ISP shall upon receipt of a valid take down notice, notify the person responsible for making the infringing content available and provide them with a copy as soon as is practicable.

Comment: This provision is vague, yet its content creates a duty for the ISP. The mandatory requirement, albeit on their cost, for the ISP to find or establish mechanisms within which to ‘notify’ an alleged infringer that they have received a takedown notice from the complainant. It’s unclear if the notification should be in the same manner as received from the complainant. For instance, if the takedown notice is received electronically, can the ISP notify the alleged infringer by mail? The latter would mean that time is substantially altered. Yet it is a possibility.

The notification should be immediate or as soon as is practicable. In light of subsection 5 which mandates an ISP to take down content within 48 hours, what is immediate? What takes precedence? Taking down the content or serving the notice on an alleged infringer? If this should be as soon as practicable, whose practicality is it? The complainant whose interest is to have the content taken down; the ISP whose primary interest would be first to serve their clients, must act within 48hours and disable access to the content; or the alleged infringer whose interest is to have the content online at all time and who may be benefiting economically from the content, who may require ‘reasonable’ time to file a counter notice? Lastly, if it is the ISP’s practicability, can they take down the content i.e. comply with the law and then serve notice later? The option of having the notice sent ‘as soon as is practical is ambiguous capable of more than one interpretation.

Continue reading

Internet Service Providers (ISPs) and Copyright in Kenya: Commentary on the Copyright Amendment Act 2019



Image provided by Google Images

By Caroline Wanjiru

This post forms part one of a two part series focused on the Intellectual Property considerations in the Copyright Amendment Act. The IT considerations, focusing on digital rights will be addressed in a follow up series.

ISPs and Copyright

The Copyright Amendment Act (Amended Act) 2019 has brought in new provisions which have created new obligations and extended rights for some parties within the copyright practice in Kenya.

In the next few weeks, the CIPIT IP Team shall undertake a review of these new provisions in a series of blogs all aimed at informing, analyzing and probably providing a critique to the same. This week’s blog begins with looking at the provisions relating to the liability of the Internet Service Providers (ISPs) in Kenya.

From the onset, it is a matter of common notoriety now that copyright enforcement is an arduous task. It requires concerted effort from all players and 3rd parties as well. ISPs are 3rd parties who provide a vehicle through which the copyright owners can easily distribute their works and the users to freely enjoy the same. Section 2 of the Amended Act defines an ISP;

As a person providing information system services or access software that provides or enables computer access by multiple users to a computer server including connection for, the transmission or routing of data.’

Simply put an ISP is a company or entity that provides internet access to its subscribers. How this works is that the owner or holder of copyrighted material reduces it to a format which can be transmitted or carried through the ISP network. The aim is to distribute the works to those who have access to internet. Access of the copyrighted material can be free or paid service. Payment is typically to the owner or an authorized agent. Challenge within the copyright arena arises when the material that should be paid for is accessed for free. Such access would be unauthorized and infringing on the rights of the copyright holder. ISPs are enablers of access, authorized or unauthorized hence their inclusion in copyright enforcement.

ISPs and Internet Freedom

Based on their position, ISPs have the capacity to take down or disable access to sites which are considered to be providing access/accessing infringing materials. As is said, every coin has two, or three sides. So the associated question is, in taking down the content or disabling the content, will the ISP be infringing on anyone’s digital or access rights, limiting the user’s internet freedom? Where is the balance, if any? We shall address this with a post.

ISPs and the Law

From their role in the distribution of copyright works, ISPs can be enablers of infringement or can be the infringers depending on their role. Section 35A provides for scenarios where an ISP shall not be liable for infringement. These include where the ISP:

  1. If it only provides either automatic, intermediate or temporary transmission, routing or storage of content (subject to copyright) in its ordinary course of business on condition that:
  1. It does not initiate transmission
  2. it does not select the addressee/person receiving the content
  3. these functions are automated and technical such as not to select the material;
  4. does not promote the content or the material being transmitted.
  5. For the automatic, intermediate and temporary storage of content for purposes making onward transmission of the data more efficient to other recipients of the service upon their request on condition that the ISP:
    1. does not modify the material;
    2. complies with conditions on access to the material;
    3. complies with rules regarding the updating the cache in conformity with generally accepted standards within the service sector;
    4. does not interfere with the lawful use of technology to obtain information on the use of the material;
    5. removes or disables access once it receives a takedown notice or where the original material has been deleted or access disabled on orders of a competent court or otherwise on obtaining knowledge of unlawful nature of the cached material.

Comment: The above places an obligation on the ISPs to ensure that they do not promote infringing materials under the guise of conducting business. This can be done partly by policing on the content or by requiring the internet content owners to indemnify the ISPs or exonerate them from liability should claims arise.

Continue reading




By Jackline Akello


The Cyberrights Research Initiative and Localized Legal Almanac (CYRILLA – is producing an open and federated resource toolkit and online database, of legal information on digital rights. It addresses an increasingly urgent need “for comprehensive databases aggregating legislation and case law across a variety of jurisdictions” expressed by digital rights researchers, journalists, civil society advocates, human rights defenders, legal professionals, and others seeking to shape rapidly evolving legal frameworks for digital rights worldwide.

CYRILLA aims to organize and make accessible the world’s digital rights – related laws so that a wide range of actors can more readily and confidently assess legal trends as they shape and impact digitally networked spaces, highlighting threats to human rights and opportunities for legal reform.

CYRILLA Collaborative Partners

Formerly known as the Arab Digital Rights Dataset, the CYRILLA database was launched in late 2017 with a dataset of bills, law, and case law from the 22 Arab League states. With the addition of new CYRILLA Collaborative partners – Association for Progressive Communications (APC)1, Centre for Intellectual Property and Information Technology Law (CIPIT)2 at Strathmore Law School, Columbia University’s Global Freedom of Expression Program, Derechos Digitales3, HURIDOCS4 and Social Media Exchange (SMEX)5 – the database will expand over the next two years to include legal information on digital rights from more than 90 countries in Latin America, Africa and Asia.

CIPIT’s Role

CIPIT, a think tank established under Strathmore Law School, is the African partner in this Collaborative, whose mandate relates to sub-Saharan Africa countries. As part of its role CIPIT has been reaching out to partners across Africa and collating, developing and populating a repository6 with digital rights data from across sub-Saharan Africa. This data includes both hard and soft law instruments such as legislation, case law and policies from various African jurisdictions.

Continue reading

Eliud Kipchoge, the breaker of records and Intellectual Property


Image from INEOS

By Caroline Wanjiru

Today we pause our continuing IP series to dedicate this entire blog to the one and only Eliud Kipchoge. Why you ask? How is he related to your core business- IP? Well, there are several reasons as to why we had to do this. Most importantly, Eliud is a Kenyan champion. He is an athlete who holds several titles including 2016 Olympic Marathon Winner 2018 World Record Holder with 2.01.39 just to name a few. He is personne extra ordinaire. More OF his achievements here. There are many things to write about Eliud but for today we shall discuss his upcoming challenge. You see, no athlete has attempted to break the current world record held by Eliud set in Berlin. So he took it upon himself to break his own record by running the 42km Marathon in a record time of 1.59.59. In this journey which he has documented in his various social media accounts, he has partnered with INEOS who are also the organisers of the challenge. The challenge is set to happen in Vienna, Austria for various reasons including weather and the course for the marathon. The challenge is tentatively planned to happen on 12th October, 2019 with the confirmation of this date from INEOS Performance Team planned for 9th October. From this side of the desk and the whole CIPIT Team would like to wish Eliud nothing but the best and this blogger promises to cheer him to the finish line. As Ben Cyco says, Cheza kama wewe!!

The second reason for dedicating this to Eliud is the commercial aspect that the challenge presents both to him and to the partners, official and unofficial. This part is meant to provoke everyone who reads it and to see the challenge from an IP perspective. In the challenge, Eliud will be wearing brands such as Nike and the event will be live on KBC, Standard group (KTN), NTV and Citizen TV in Kenya. There are other broadcasters all over the world. Nike have further specially designed 3-D printed Nike Zoom Vaporfly 4% shoe for Eliud which is aimed to give him peak performance. With such official sponsorship it is expected that Nike and Eliud, the companies will benefit commercially, directly and indirectly. This could be in the form of increased sales and reputation of the companies and that of the products endorsed by the athlete.

During the challenge, the broadcasters broadcasting to millions of people will not only focus on Eliud and also every other entity whose product which will be exhibited. This is advertising, creating brand presence, consumer awareness which in turn creates consumer loyalty. The resulting effect is a presumption by the consumers is that for an entity to be associated with such a challenge, their products (and services) must be of a certain status or quality. Such impact would ordinary times take time to create. The consumerism, the loyalty and pride resulting from this impact has a direct co-relation with the athlete. It is against this background that this blogger argues that such association should then be accompanied by commensurate commercial value to the athlete as well as the company. 

Continue reading

Third party data sharing: Analysis of the Data Protection Bill, 2019


Icons made by Smashicons from

By Grace Mutung’u

This is the finale in our series on Data Protection principles espoused in the Data Protection Bill.

Clause 25 of the 2019 Data Protection Bill spells out the principles of data protection. Among this is the prohibition from sharing data with third parties without the consent of the data subject.

“Third party” is a term that originates from contracts. Traditionally contracts are between two parties and a third party is a person who deals with the contracting parties but is not party to the contract. In data protection however, there are typically three parties- the person whom the data concerns (data subject), the person who designs how data will be processed (data controller) and the person who actually processes the data (the data processor). In some cases, data is processed by the same organisation that is the controller. In other cases, it is processed by a third party processor. A third party processor would not typically require further consent to process data on behalf of the data controller.

For example, a manufacturing firm may outsource their payroll function to a HR firm. The manufacturing firm is the data controller as they determine which data is collected, and how it is processed. The HR firm is the third party data processor and employees of the manufacturing firm are data subjects.

The Data Protection Bill envisages that the data controller will inform the data subject of the use to which their data is being put. Clause 26 lists the rights of the data subject, and they include the right to be informed about their data use; right to access their data in the custody of the controller or processor; as well as the right to object to processing of all or part of their personal data. In the above example, the manufacturing firm would need to inform their employees that their personal data is processed by the payroll company.

In the event that the data controller or processor were to share the data with a third party, then the consent of the data subject would be needed. Clause 25(g) states:

Continue reading

Net Neutrality: a brief


Icons made by Freepik from

By Jaaziyah Satar and Malcolm Kijirah

Net neutrality is the concept of free access to the internet.

Net neutrality has many advantages and disadvantages. The success or failure of net neutrality in a State has been relative, from a case-to-case basis.

Net neutrality advocates argue that keeping the internet open playing is crucial for innovation; if broadband providers pick favourites online, new companies and technologies might never have the chance to grow. Furthermore repealing net neutrality would lead to broadband providers being “gatekeepers” of the internet (who have the power of defining what websites and services are accessible). Customers would find themselves in a helpless position at the hands of broadband providers. This goes against the idea of net neutrality giving Internet users more freedom without service provider interference.

Adding on to the point above a handful of large telecommunications companies dominate the broadband market. As a result they have the power to suppress particular views or limit online speech depending on who can pay the most.

For example a broadband provider may allow some companies to pay for priority or special treatments on broadband networks. The amount for these special treatments may be high and every company may not be able to afford and access it. Large companies would be able to afford premiums for next-generation internet services and higher priority lanes, but startups with no buying power will be squeezed out. That’s relevant in the engineering space, with a lot of innovation happening around Artificial Intelligence and robotics. Innovators are concerned that broadband provider will become “arbiters of acceptable online business models

Continue reading

Identification of the data subject: an analysis of section 25(f) of the Data Protection Bill


Icons made by Icon Pond from

By Malcolm Kijirah

This post is the fourth of CIPIT’s analysis on the data protection principles provided for under section 25 of the Data Protection Bill. This post focuses on section 25(f) which provides that personal data should be kept in a form which identifies the data subject for no longer than is necessary for the purposes for which it is collected.

Kenya’s National Assembly recently released a Data Protection Bill 2019 (the Bill), which gives effect to Article 31 of the Constitution of Kenya – The Right to Privacy. Specifically, the Bill prescribes a legal instrument for the protection of personal data. It establishes the Office of the Data Protection Commissioner, makes provisions for the regulation of processing of personal data, and provides rights of data subjects and obligations of data controllers and processors.

Section 25 of the Bill outlines the broad principles of data protection, and this article focuses on s25 (f), which states: ‘personal data should be kept in a form which identifies the data subject for no longer than is necessary for the purposes which it is collected’.

These principles detailed in s25 of the Bill are in essence the overarching themes that capture the spirit and intent of this Bill. On a black letter review of the wording used on s25 (f) it appears self-evident that data identifying any data subject should not be held for an infinite timeframe particularly after its utility has ended.

For example, it should be a primary privacy concern to any Kenyan citizen how the data they use in their communications online or over the phone, is stored by local telecommunication companies, who can access this data(for example if required for national security purposes), and for how long this data is held by these companies.

It is an open secret that the Bill borrows heavily from the the European Union’s General Data Protection Regulation (GDPR).[1] Being a Bill, as the interpretation of this clause hasn’t yet been tested from a Kenyan jurisprudence perspective, it is therefore prudent to look to the intent of the GDPR principles for an analysis of s25 (f). In this case it ascribes to the following principles:

  • The purpose limitation principle –  a Data controller[2] or Data processor[3] should only collect personal data for a specific purpose, clearly state what that purpose is, and only collect data for as long as necessary to complete that purpose. This principle has been reviewed in detail in this series of blogs particularly under s25 (e).
  • The storage limitation principle – This is effectively stated in the last part of the above principle, which is basically that organisations need to delete personal data when it is no longer necessary. What does ‘no longer necessary means’ in this context? In my view this means that data controllers should only process data for the time needed to execute the purpose for which this specific information was collected.

The question then follows, how this principle is effected in this Bill. From this blogger’s review, aspects of this principle are espoused in the following clauses:

  • Section 28(3) provides that a data controller or processor shall collect, use or store personal data for a lawful, specific and explicitly defined purpose (purpose limitation principle).
  • Section 29(c) on the duty to notify, a data controller shall be mandated to inform the data subject of the purpose for which the personal data is collected (purpose limitation principle).
  • Section 34(b) provides that processing of personal data may be restricted where personal data is no longer required for the purpose it was intended for (purpose limitation principle).
  • Section 39 provides for limitation of retention of personal data and outlines some exemptions (storage limitation principle)
Continue reading