Jurisprudential Frontiers of the Computer Misuse and Cybercrimes Act (CMCA) 2025

The following analysis outlines the critical pillars defining our current digital jurisprudence:

1. The Constitutional Firewall & Article 24

My review of the October 2025 amendments to the CMCA underscores a persistent tension with Article 33 (Freedom of Expression). While the state argues that regulation is necessary to manage megadata and national security, the judiciary remains firm: any limitation must meet the rigorous standards of Article 24.

As noted in our discussions, the court will not grant judicial imprimatur, or official approval, to provisions that are vague or subversive. For instance, the new penalties for “cyber harassment” are currently under high-court scrutiny i.e., Reuben Kigame & KHRC v. Attorney General, with conservatory orders staying several clauses that human rights advocates argue lack clear guiding principles. At the heart of the challenge is a sweeping clause criminalizing publication of what the law vaguely calls “false, misleading or mischievous information.”

2. Constitutional Protections to Safeguard against Digital Suppression

Recent regional trends, including internet shutdowns during the 2025/2026 electoral cycles in neighbouring states, have sparked a debate on the ecosystem of suppression. Research indicates that shutting down digital spaces is often an expression of state dissatisfaction with content rather than a genuine security necessity.

Kenya’s path forward lies in technological attunement, where the state uses innovative, constitutionally-aligned methods to control harmful information without resorting to the dehumanizing blanket shutdowns of the past. Justice Wanjala highlighted that, “once we deconstruct state security, the courts are better positioned to protect individual freedoms of opinion.”

3. The AI Liability Gap: Actus Reus in the Code

With the rise of Generative AI, the question of liability for hallucinations or misinformation has moved from theory to the courtroom. My assessment of the CMCA’s application to AI suggests that liability follows the “tail end” of the act:

1. The User: Bears criminal responsibility if they knowingly deploy AI as a vehicle for cyber-bullying or the dissemination of false information under Section 22.
2. The Developer: May be held liable if the platform’s architecture is found to inherently facilitate or promote unlawful activities, terrorism, or religious extremism.

4. Regulatory Lane Discipline

Kenya currently faces an untidy regulatory space with overlapping mandates between the Communications Authority (CA), the Media Council of Kenya (MCK), the DCI, and the National Computer and Cybercrimes Coordination Committee (NC4).

The consensus from the webinar was a call for strict lane discipline. Each agency must stick to its statutory mandate to prevent the over-regulation that currently overwhelms citizens and practitioners alike. For example, while the NC4 now has powers to block certain extremist websites under Section 46A, this must be exercised only under strict judicial oversight to prevent it from becoming a tool for censorship.

Conclusion

The evolution of the Computer Misuse and Cybercrimes Act (CMCA) 2025 marks a definitive era in Kenyan law one where the gavel must navigate the binary complexities of the digital age. As my research and the insights from the Promise of Leadership Institute (PLI) suggest, the Digital Dictum is not a mandate for state overreach, but a call for technological attunement. The Judiciary stands as the ultimate arbiter, ensuring that in the pursuit of cyber-security, we do not inadvertently dismantle the very democratic freedoms that Article 33 seeks to protect. Ultimately, the legitimacy of the CMCA rests on its fidelity to the Article 24 limitation clause. We must move away from blanket shutdowns and vague criminalizations, favoring instead a regime of Regulatory Lane Discipline and clear AI accountability. By deconstructing the often-opaque veil of state security, our legal fraternity can ensure that Kenya remains a bastion of digital innovation governed by the rule of law, rather than a victim of digital suppression.