An edited version to this article was first published on Business Daily August 15, 2016
If there is an industry that is hard to regulate, it is information and communication technology. Other than being too dynamic, it is complex. There is a common saying that states that a year in tech is 90 days. This out rightly means it is an industry which states all over the world will continue playing chase when it comes to regulation. Here in Kenya, the legislature has come up with two bills of similar nature. Namely, the Computer and Cybercrimes Bill, sponsored by Leader of Majority Hon. Aden Duale and the Senate’s Cybercrimes and Protection Bill sponsored by Chairperson, Committee on Information and Technology Sen.Mutahi Kagwe.
Cybercrime rates have been growing by the day and it is encouraging to see that the government is taking action. The Computer and Cybercrimes Bill seeks to criminalise unauthorised access and interference, gaining access with the intention of committing an offence and unauthorised interception. The latter being in the spirit of protecting the right to privacy which is enshrined in the Constitution.
Unauthorised disclosure of passwords or access codes, child pornography, computer forgery, computer fraud, cyber stalking and cyber-bullying are also criminalized. Distinct features of this bill are the clauses which provide for confiscation or forfeiture of assets and proceeds of cybercrime. The bill also provides for a compensation order for victims and it has an entire chapter on how cybercrimes committed outside Kenya will be prosecuted. The extraterritorial nature of this proposed law is good considering the nature of cybercrimes. The Bangladesh Bank was hacked into by persons who were not within its borders. The chapter also provides for extradition of suspects, though relying on the Mutual Legal Assistance Act 2011. Lest we forget, Kick Ass Torrents creator Artem Vaulin was extradited from Poland to the United States of America under such an agreement.
The Cybercrimes and Protection Bill on the other hand will criminalise unlawful access to a computer system, system interference, unlawful interceptions, fraud and cyber-bullying. All these are covered in the other bill. The other offences in this senate bill are interception of electronic messages or money transfers, wilful misdirection of electronic messages, forgery, unauthorised modification of data and even cyber terrorism.
One can say that this bill is elaborate since it ropes in more cyber offenses that are not in the Computer and Cybercrimes Bill. These offenses include issuance of false e-instructions, phishing and identity theft and impersonation which is rampant in this age of social media. Electronic distribution of pornography and child exploitation are also outlawed. The provision on child exploitation will be in important in curbing the developing menace where children meet people on social media who later take advantage of them sexually. This proposed law will also make it illegal to distribute intimate images of a jilted lover while it also illegalizes cyber-squatting.
The investigation procedures in the Computer and Cybercrimes Bill leave a lot to be desired. While the normal procedure is that a court issues a warrant is before security officers take any action that would infringe the privacy of an individual, there are clauses that allow any officer to act without a warrant. While it may be argued that the intention of the provisions is to avoid unnecessary delay, there is a high likelihood of human rights breaches if the bill is enacted into law without those provisions being aligned with the Constitution.
The Cybercrimes and Protection Bill on the other hand has clauses that have some constitutional conformity as far as the right to privacy is concerned. The bill prohibits the sharing of some personal information in the course of investigation like health records. Despite this, Kenya still needs the Data Protection Bill 2013 to be assented into law because data protection principles would provide a better guide with the handling of personal data. The bill also proposes a National Cyber Threat Response Unit which will investigate cybercrime cases. This unit is not provided for in the Computer and Cybercrimes Bill which will allow any officer to confiscate a computer system just because they believe that one is committing a crime with it.
And the Ugly…
The mere fact that we have two draft laws seeking to regulate the same thing at the same time from the same legislature is appalling. It is at this point that we ask what mischief the legislature sought to remedy that they drafted two bills. In the event both bills become laws, we will have a situation similar to that in Lon Fuller’s book ‘The Morality of Law.’ In the book Lon Fuller tells the story of King Rex who made contradictory law and his subjects sent him a pamphlet written “This time the king made himself clear in both directions.” In this case of the two draft laws, the contradictions are likely to arise because one law provides for lenient sentences while the other prescribe a harsh sentences for the same crimes. With this in mind, will we be wrong if we say that the legislature made it clear in both directions?
We hope that the relevant bodies will work together and harmonise the two bills because together, it will be a very good piece of legislation. That way the weaknesses of each draft law will be dealt with. Conformity to the bill of rights as contained in the Constitution should guide the drafters in the harmonization. In the same spirit, the Data Protection Bill and the Access to Information Bill should be enacted because they are long overdue.