When President William Ruto assented to the amended Computer Misuse and Cybercrimes Act (CMCA) on Wednesday, October 15, 2025, the spotlight quickly shifted from the legislative achievement to the potential dangers it posed for civil liberties. The law, passed the same day former Prime Minister Raila Odinga died, quietly introduced far-reaching powers, including allowing the government to preemptively shut down online platforms if investigators believe they are being used to “facilitate criminal activity.”
At Data Governance Africa, we previously covered the progression of this bill, warning that broad language and vague definitions could easily enable abuse. With its passage into law, those concerns have become more urgent, especially given Kenya’s history of weaponizing the CMCA against citizens, activists, and critics.
A Law with a Troubled Past
Since its enactment in 2018, the CMCA has repeatedly been used as a tool to silence dissent. The most commonly invoked provisions, Section 23 (Publication of False Information) and Section 27 (Cyber Harassment), have been used to arrest or intimidate individuals who challenge the government or powerful officials online.
The Rose Njeri Case (2025)
In May 2025, activist and software developer Rose Njeri was arrested and charged with unauthorized interference with a computer system under Section 16 of the CMCA. Her crime? Creating Civic Email, an online platform that enabled citizens to send mass opposition emails to Parliament against the controversial Finance Bill. Authorities claimed her tool disrupted government systems. For many observers, this case became a striking example of how digital civic participation is criminalized when it challenges authority.
The Case of Edwin Mutemi wa Kiama (2021)
Blogger and activist Edwin Kiama was arrested under Section 23 for publishing social media posts critical of government borrowing and corruption. His home was raided, his devices confiscated, and his online presence temporarily silenced. The arrest triggered widespread condemnation from human rights groups, who warned that the CMCA was being used to suppress legitimate political criticism rather than combat misinformation.
The Case of Edgar Obare (2020)
Popular blogger Edgar Obare was similarly charged under Section 23 for posts about the private affairs of a public servant. While framed as a defamation issue, the incident raised broader concerns about freedom of expression and journalistic freedom online. Critics argued that the CMCA was being used to settle personal scores and regulate moral conduct rather than address genuine cyber threats.
The Case of Albert Ojwang’ (2025)
Perhaps the most tragic case linked to the CMCA is that of Albert Ojwang’, a 31-year-old teacher and blogger arrested on June 6, 2025, for allegedly publishing “false information” about Deputy Inspector General Eliud Lagat. Days later, Ojwang’ was found dead in police custody, with an autopsy showing signs of assault and strangulation. The government has since charged several police officers with murder, but the case exposed how easily vague cybercrime provisions can spiral into state-sanctioned abuse.
The Controversial Amendments
The new amendments, despite claims of modernization, expand government powers in ways that could further endanger free expression and privacy.
Clause 2 – Expanded Definition of Identity Theft
The new definition now includes “any other subscriber information,” which is vague and could inadvertently criminalize parody accounts, satire, or investigative reporting. Without clarity on intent or harm, legitimate online expression could fall under “identity theft.”
Clause 3 – Power to Block Websites and Apps
Perhaps the most alarming amendment, Clause 3 gives the National Computer and Cybercrimes Coordination Committee (NC4) authority to order internet service providers to render websites or apps inaccessible if they are deemed to promote illegal content. While aimed at curbing terrorism and child exploitation, the lack of judicial oversight creates room for arbitrary content takedowns and censorship.
Clause 4 – Cyber Harassment and Suicide Provision
The amendment to Section 27 adds language targeting content “likely to cause a person to commit suicide.” While this aims to protect mental health, its ambiguous phrasing makes it difficult to establish causation, opening the door for abuse against whistleblowers, journalists, or online critics accused of causing emotional harm through public commentary.
A Digital Crossroads: Security vs. Freedom
Civil society groups including ARTICLE 19, BAKE, and KICTANet have warned that these provisions could lead to digital authoritarianism, arguing that the new law infringes on Articles 31 and 33 of Kenya’s Constitution, which guarantee privacy and freedom of expression. The expanded powers of NC4 also blur the lines between investigator, enforcer, and regulator, raising significant due process concerns.
While the government insists the law is necessary to combat cybercrime, the pattern of enforcement suggests otherwise. Past arrests under the CMCA rarely involved genuine cybersecurity threats. Instead, they often targeted those who dared to question authority.
If implemented without clear safeguards, this law risks chilling online discourse and eroding public trust in digital governance.
Proceeding with Caution
Kenya stands at a delicate juncture. The intention to modernize cyber laws is valid, but the execution must uphold constitutional freedoms. Before enforcement begins, the government should:
- Define key terms clearly to prevent selective interpretation.
- Establish independent judicial oversight for all content takedown or shutdown orders.
- Protect whistleblowers and civic tech innovators whose work strengthens accountability.
- Engage civil society and digital rights advocates in developing implementation guidelines.
Our Stand at Data Governance Africa
At Data Governance Africa, we believe that digital safety and digital freedom must coexist. A secure cyberspace is vital, but not at the cost of expression, privacy, or civic participation.
Our principles remain clear:
- Transparency: Laws governing the internet must be clear, fair, and open to scrutiny.
- Accountability: Enforcement should follow due process, with checks against abuse.
- Rights-Centered Design: Cybersecurity frameworks should strengthen, not weaken, constitutional rights.
- Inclusive Governance: Policymaking must involve all stakeholders, from government to citizens.
Kenya’s digital future depends not just on protecting systems, but also on protecting the voices that hold power to account.