On 6 March 2026, the Court of Appeal in Nairobi (Court) issued a landmark decision on the Computer Misuse and Cybercrimes Act (2018) (Act). The Court held that sections 22 and 23 of the Act – which criminalised publication of certain forms of ‘false’ information – are unconstitutional.
The Bloggers Association of Kenya (BAKE), backed by media and civil society groups including Article 19 East Africa, the Kenya Union of Journalists, and the Law Society of Kenya, argued that large portions of the Act violated fundamental rights, including freedom of expression, privacy, and fair trial protections. The Attorney General, the Speaker of the National Assembly, the Inspector General of the National Police Service and the Director of Public Prosecutions defended the law.
With this decision, Kenya’s cybercrimes framework has been largely validated, but the Court drew a clear line – the government cannot use the law to silence speech or conduct unchecked surveillance. For Internet Service Providers (ISPs) and tech companies, this decision is both a compliance roadmap and a shield.
A declaration of unconstitutionality
Section 22 of the Act criminalises intentional publication of false, misleading or fictitious data or misinformation with the intent that the data or information be considered or acted upon as authentic. Section 23 of the Act makes it an offence to publish information that is false (in print, broadcast, data or over a computer system) that is calculated or results in panic, chaos or violence, or which is likely to discredit the reputation of any person.
BAKE argued that these provisions unjustifiably limited constitutional rights, including freedom of belief and opinion (Article 32), freedom of expression (Article 33) and media freedom (Article 34). According to BAKE, section 23 also offended Article 24 of the Constitution which prescribes the extent to which a constitutional right may be limited. In sum, BAKE argued that the provisions as drafted were broad, vague and lacked specificity.
The Court found that sections 22 and 23 of the Act are broad, wide, untargeted and are likely to capture both the original publisher of content and individuals who simply forward information without knowing it is false. The Court emphatically held that ‘in a world without universal truths or falsities, the offences may be difficult to prove’ and ‘what we may hold to be false today may turn out to be true tomorrow’. The Court separately noted that section 13 of the National Cohesion and Integration Act (2008) already criminalised what sections 22 and 23 of the Act seek to criminalise (in this context, hate speech and negative ethnicity).
Key takeaways for ISPs and technology companies operating in Kenya:
- Compliance obligations on data requests are confirmed: When served with lawful court orders for traffic or content data, ISPs and platform providers will be expected to comply. The good news is that the Court has emphasised that parties seeking such orders must meet a high threshold of specificity and proportionality.
- The ‘fake news’ risk has reduced: With sections 22 and 23 declared unconstitutional, platforms and users no longer face criminal liability for publishing information the State considers ‘false’. This is significant for content moderation policies, as the threat of criminal sanctions can push platforms to over-moderate user speech to avoid liability. The ruling may therefore shift greater responsibility for addressing misinformation to platform policies rather than fear of state prosecution.
- Domain name practices matter: Cybersquatting remains a criminal offence under the Act. Businesses involved in domain registration and management should ensure they have robust policies to prevent bad-faith domain registrations.
- Surveillance and data requests remain lawful, but with guardrails: Sections 48, 50, 51, 52 and 53 of the Act, which accord state authorities the power to obtain court orders for real-time data collection, search, and seizure of digital evidence, were upheld. However, the Court sent a strong signal that these powers must be exercised with care. Surveillance orders must clearly specify the offence being investigated, the period of interception, and how the data will be examined, used, stored, and ultimately destroyed.
