Cyber bill set to tackle Fake News

A new law set to tackle the scourge of fake news is expected to be introduced to Parliament in due course. The Computer and Cybercrimes Bill (the bill) gazetted on 16th June 2017 introduces the following language in clause 12:

“(1) A person who intentionally inputs, alters, deletes, or suppresses computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless of whether or not the data is directly readable and intelligible commits an offence and is liable, on conviction, to fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both.

 (2) A person who commits an offence under subsection (1), dishonestly or with similar intent—

(a) for wrongful gain;

(b) for wrongful loss to another person; or

(c) for any economic benefit for oneself or for another person, is liable, on conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both.”

The bill attempts to be a catch-all but mostly describes the sensationalizing of news as well as individuals manipulating their academic credentials. It makes more sense as an attempt to curb this, which has put a number of politicians in the spotlight (as well as a few cases involving a fake doctor, a fake lawyer and a fake CEO).

Fake news is defined as falsehoods presented as news. The term has been applied to legitimate news sources, whose primary asset is their credibility. But perhaps the biggest reason for pushing for gazettement must have come from the fake news factor that many believe impacted the 2016 United States presidential election. If interpreted politically, the bill could result in a chaotic free-for-all of mudslinging, with candidates and others being accused of crimes at the slightest hint of hyperbole, exaggeration, poetic license, or common error, and is thus a recipe for amendment. With campaigns heating up, bloggers and social media administrators should be careful.

The bill awaits Parliamentary approval.

 

Fintech: Using compliance as a competitive advantage in 2017

East Africa’s FinTech scene is ‘boomin’. Major disruptive developments are identifiable: crowd funding is becoming an important part of corporate finance, mobile payment is growing fast, virtual currencies such as bitcoin are gaining popularity and algorithms are providing a new way of assessing credit-worthiness.

The main challenge in launching and expanding FinTech businesses is navigating the complex regulatory landscape, to understand, develop and implement a compliance and regulatory framework and to obtain the required regulatory permissions to get started.

To add on to my previous post I thought it would be useful to highlight the key compliance issues that FinTech firms should be focused on in 2017, whether they plan to revolutionize the delivery of a financial service, or simply provide a better mouse trap to existing industry players. FinTech investors also can use this post to ask questions of the companies they have or will invest in as a way to gauge whether management’s creativity extends to the concerns of key regulators.

Operating FinTech that is separate from regulation

Ideally, before rolling out, a FinTech firm will have to undertake a detailed analysis of its business model against applicable financial regulation to fully understand what can be achieved without becoming a regulated entity, or, conversely, to help it seek appropriate licenses or approvals.

Anti-money Laundering

The Proceeds of Crime and Anti-Money Laundering Act (POCAMLA) of 2009 introduced various obligations and restrictions on “financial institutions” as measures for combating money laundering. The extent to which the POCAMLA affects the operations of a Platform depends on whether the Platform falls within the definition of “financial institutions” or a “designated non-financial business”. POCAMLA defines financial institutions to include:

  • any person who transfers funds or value through formal and informal channels;
  • issues and manages means of payment including credit cards and electronic money; and
  • engages in money and currency changing.

Cybersecurity

Cyber security issues continue to present compliance challenges for everyone, with reports of high-profile cyber events now a regular occurrence. FinTech firms are no exception to this trend. In fact, the intersection between cybersecurity and FinTech business models means that FinTech firms will likely find themselves increasingly in the cybersecurity “crosshairs” in 2017.

Consumer protection 

Laws and regulations governing the provision of financial services and products to consumers/retail investors are part of the FinTech competitive landscape. Depending on the nature of the particular product or service, firms may need to understand that consumer protection is a constitutional right and that a customer includes a natural person or a company which the firm may contract with or would offer its services to.

Opportunity & outlook

The momentum of the tech boom should build a good platform for potential capacities of FinTech firms in the East African region. Networking, know-how and resources sharing between start-ups, investors and established players on the market are essential for the success of startups.

Firms should also recognize that as they become more successful, regulators such as the CBK will increasingly turn their attention to FinTech. The areas highlighted above may provide the lens through which regulators will seek to further regulate FinTech. Even firms that only provide their technologies to others will feel the pressure from vendor management requirements.

The tip

Speed and reliable partnerships are key to success. To deal with the legal issues, a reliable partner makes a difference. Regulation is a hurdle but a solvable one.

 

The legals on phone tapping and personal data

Last Friday media reports suggested that the Communications Authority of Kenya (“the CA”) intended to roll out an application called the Device Management System (DMS) capable of tapping into a mobile phone carrier’s network, enabling the CA to access personal information from people using that carrier’s network. The CA clarified that it intends to curb the proliferation of counterfeit devices by identifying and isolating those devices and denying them access to services, and not to collect a subscriber’s personal information. Despite this, questions as to data protection for the rest of the users of the network have arisen.

Current position

It is well known that phone tapping, surveillance and interception of communications violates the right to privacy (see Kennedy vs Ireland (1987) I.R 587 and Coalition for Reforms and Democracy (CORD) v Attorney General Petition No.630 of 2014.)

There are two bases to challenge this phone tapping. Firstly, the Constitution provides that every person has the right to privacy – which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed.

The Constitution grants every person the right to institute court proceedings when his/her fundamental right or freedom, such as the right to privacy as described above, has been denied, violated, infringed or is threatened.

The Kenya Information and Communications Act (Act no. 2 of 1998 (as amended)) (“KICA”), provides that the Cabinet Secretary in charge of Information and Communication has the power to make regulations in relation to a telecommunication service and specifically, to make regulations on the privacy of telecommunication.

Pursuant thereto, the KICA Consumer Protection Regulations require that a Customer has a right to personal privacy and protection against unauthorized use of personal information and specifically restricts a telecommunication licensee from allowing any person to monitor or disclose the content flowing through their system.

Further, the KICA (Registration of Subscribers of Telecommunication Services) Regulations bars the sharing of subscriber data by mobile providers without the express authority of the affected subscriber.

Conclusion

The current legal position in Kenya is that any person, including a public entity, collecting personal information has to abide by the Constitutional provisions of the Right to Privacy and the KICA regulations on consumer/customer protection.

Consequently, it appears that there would be good grounds to challenge the tapping of the carrier networks by the CA. For now, the High Court has granted orders stopping the implementation of the CA directive, ordering that it be heard on March 6 2017.

 

Verizon to get Yahoo at a 350M discount following cyber attacks

Yahoo will now sell its core business to Verizon at 4.48 billion USD (350 million less than the original amount of 4.8 billion) following Yahoo’s disclosure of massive cyber-attacks back in September 2016. While not a deal-breaker as posted earlier, a significant cut to the original price has left Yahoo licking its wounds and sends a message to Kenyan companies that cyber security is a big deal.

It is reported that Verizon will get Yahoo’s Internet business, which includes Yahoo Mail, Flickr, Tumblr and Web properties such as Yahoo Finance and Yahoo Sports, hoping to rival Facebook and Google in digital advertising.


Kenya’s drone regulations approved

In January I wrote on the impact of technology in Africa in which I delved deeply into Kenya’s global outlook as a technology hub. One of the issues I touched on was the impact of drone-tech in inaccessible areas looking at the success of Zipline in Rwanda. Recent developments from the Kenya Civil Aviation Authority (the KCAA) are that the Remotely Piloted Aircraft Systems Regulations (the drone regulations) have been approved enabling drone-tech firms to operate the technology. What started out in the military to increase surveillance and hit enemy targets has crossed over to wildlife conservation, film production, delivery of goods in neighborhoods, relief services, oil and gas exploration as well as recreation.

The KCAA approved the drone regulations on Monday 6th February after the authority met with the Executive Arm. An official Kenya Gazette together with an Aeronautical Information Circular will be published as soon as notice from the meeting is received. The regulations classify drones as recreational, private and commercial.

Weight, height and time

With the exception of the military, drones are not permitted in areas designated by the KCAA as restricted. Those that weigh between 0-5 kilograms are categorized for recreation or sports only. Those weighing between 5-25 kilograms will be for private activities. Those weighing more than 25 kilograms will be used for commercial purposes.

The regulations provide that a drone used for recreational or private purposes should not fly at more than 400 feet above the ground. Drone operators (who will require KCAA approval) are also barred from flying them at night.

Flying cross-borders

The regulations also require an operator starting a flight in Kenya and landing it in any other territory to seek KCAA approval beforehand. The same applies to those who start flying in other countries and want to land in Kenya.

Cyber Security – What if Yahoo was a Kenyan Company?

Background

On 22nd September 2016, Yahoo confirmed a cyber-attack in which over 500 million personal accounts were compromised. This was arguably the largest cyber security breach in history. The information obtained by the hackers includes names, email addresses, telephone numbers, dates of birth and in some cases, security questions and answers. This comes in the wake of the on-going merger with Verizon Communications in which Yahoo is selling its core business (search, email and messenger assets as well as advertising technology tools) for USD 4.8 Billion.

While not as embarrassing to its members as the Ashley Madison hack from 2015, this recent event raises a good prompt to question whether Kenyan law is relevant to the internet. What if Yahoo was a Kenyan company?  What would be the legal outcome of this breach?

Kenyan context 

Kenya’s legislature is attempting to keep up with evolving cyber security issues. Existing law does not impose any sanction or penalty on the Kenyan equivalent of Yahoo; however, there are three bills which would change this.

The Data Protection Bill 2013, the Computer and Cyber Crimes Bill 2016 (CCC) and the Cyber Security and Protection Bill 2016 (CSP) are based on the equivalent laws in South Africa and the UK and aim to incentivize companies to increase their internet security and to prohibit certain acts in the use of the internet. It is unclear if, or when, they will become law.

The Data Protection Bill aims to regulate the collection, retrieval, processing, storing, use and disclosure of personal data. The Bill proposes that all companies will be required to put in measures to protect data against loss, destruction and manipulation. Failure to put in adequate security measures will attract a penalty of 100,000 Kenya Shillings or imprisonment of 2 years, or both.

The CSP and the CCC share the same vision of regulating cyber crimes but adopt competing methods to try and deal with this issue. The CCC is a Government Bill whereas the CSP is privately sponsored, so there is currently no clarity on when or if these bills will be progressed.

The CSP aims to establish a Response Unit in the ICT Ministry to receive and investigate reports on cyber threats. The CCC proposes additional investigative procedures for police officers.

The CSP proposes an information sharing mechanism between public and private companies (and with each other) whereas the CCC is seeking to improve international co-operation for prosecuting cyber crimes.  Broadly, the goal of both bills is to hasten investigations and prosecution of cyber crimes.

Relevantly for corporations, the CSP would require a company suffering a cyber-breach to report it to the Response Unit within 7 days of it occurring. Failure to do so will be an offence. Worryingly for corporations, there is no element of knowledge to trigger the 7 day reporting requirement. A company could be in breach of this provision if it were hacked and did not discover this fact for a significant period of time. As mentioned above, the CSP bill does not currently have government support and so its chance of becoming law is not high. However, its existence, and the Government’s CCC bill, show that the Kenyan legislature is moving towards regulating and imposing penalties in this area. It is only a matter of time before one of these bills is enacted.

Separate to the legal outcomes, from a commercial perspective, a cyber-attack is bad for business. Yahoo not only faces potential class action suits, and reputational damage but the likelihood of the hack being a deal breaker on the merger with Verizon is high. With the potential for new legislative penalties in Kenya on the horizon, companies should place data protection and cyber-security on their risk management agenda sooner rather than later and before a cyber-breach occurs, not as a result of one.

Below is a clip on simple cyber security tips we can all embrace, from the Herjavec Group, a cyber security firm.