Sections 22 and 23 of the Computer Misuse and Cybercrimes Act, 2018 are unconstitutional, the Court of Appeal of Kenya ruled.
In a judgment delivered on March 6, 2026, a three-judge bench comprising Justices Patrick Kiage, Aggrey Muchelule and William Ouko found that the two provisions which criminalised false publications and publication of false information were overly broad and likely to net innocent persons.
The judges held that the provisions were “so broad, wide and untargeted, akin to unguided missiles,” and could easily capture innocent citizens, including individuals who share or forward information online without verifying its accuracy.
“These provisions are a danger to the social media warriors who are on sentinel duty day and night, forwarding information without even reading what they are forwarding,” ruled the court.
Section 22 prescribed a fine of up to Sh5 million or imprisonment for up to two years, or both, for false publications, while section 23 provided for a prison term of up to ten years for publishing false information likely to cause panic or chaos.
“These provisions risk criminalising satire, opinions and journalistic inaccuracies,” ruled the court.
However, the appellate court dismissed the appeal by the Bloggers Association of Kenya on other grounds.
The court rejected challenges to provisions dealing with cyber harassment, child pornography, cybersquatting, and investigative powers, finding them constitutionally sound.
It also upheld investigative powers under the Act that allow authorities to conduct searches, seize computer data, issue production orders and collect real-time traffic data, ruling that these powers are exercised under judicial oversight and therefore contain adequate safeguards.
The court also dismissed BAKE’s argument that section 5 of the Act violated the two-thirds gender principle, finding the challenge “speculative and premature” since the National Computer and Cybercrimes Co-ordination Committee had not yet been constituted.
The court held that the introduction of section 23 during the Committee of the Whole House stage in Parliament did not require fresh public input because it fell within the same subject matter as an existing provision in the Bill.
“Courts are called upon to authorise or review actions under these provisions bear a heightened constitutional responsibility. They must ensure that surveillance orders are specific, time-bound, and narrowly tailored, and that the collection and retention of data does not exceed what is strictly required for the investigation at hand,” ruled the court
The case traces back to May 2018, when the Computer Misuse and Cybercrimes Act, 2018 was enacted by the Kenyan Parliament.
The legislation was designed to address the growing threat of cybercrime, establish offences related to computer misuse, and provide law enforcement with investigative powers to tackle offences in the digital space.
Shortly after its enactment, the Bloggers Association of Kenya (BAKE) filed Constitutional Petition at the High Court in Nairobi, challenging the constitutionality of more than 25 sections of the Act.
The matter was heard by Justice J.A. Makau of the High Court, who delivered a judgment on February 20, 2020.
The learned Judge dismissed BAKE’s petition in its entirety, affirming that the impugned provisions were constitutional.
Justice Makau found that the Act did not violate, infringe, or threaten constitutional rights and fundamental freedoms, and that any limitations imposed were justified under Article 24 of the Constitution.
He ordered each party to bear their own costs.
BAKE was dissatisfied with the High Court’s decision and filed an appeal at the Court of Appeal.
The appellant raised 42 grounds of appeal, which were consolidated into six key issues for determination by the appellate court.
Email your news TIPS to Editor@Kahawatungu.com — this is our only official communication channel
