On March 6, 2026, the Court of Appeal of Kenya delivered a landmark ruling that reshapes the legal landscape of online expression. In a decision with far-reaching implications, the court struck down key provisions of the Computer Misuse and Cybercrimes Act (CMCA) that criminalized the publication of “false information.”
The three-judge bench, Justices Patrick Kiage, Aggrey Muchelule, and Weldon Korir, held that Sections 22 and 23 of the Act were unconstitutional.
The judges reasoned that the wording was so broad that it could criminalize ordinary speech. This ruling marks a major victory for digital rights advocates and reopens a debate that has simmered since the law’s inception.
The Digital Dark Alley
While the CMCA was enacted in 2018 and amended in 2024 to combat genuine threats like hacking and identity theft, its application has often strayed.
Instead of targeting cybercriminals, the law has frequently been deployed against journalists, activists, and ordinary citizens.
On October 28, 2025, I wrote an article, “Rethinking Kenya’s Cybercrimes Act,” in The Kenya Times, arguing that our digital revolution was entering a “dark alley.”
While Kenya ranks among global leaders in internet use and AI adoption, our legal framework has struggled to align with constitutional values.
Instead of nurturing an open digital ecosystem, the CMCA, particularly after the hurried 2024 amendment, has risked chilling public debate.
Flawed sections of the Act
The problem is not the existence of cybercrime legislation; every modern state needs laws to address digital harms. The deeper issue lies in five specific flaws.
First, terms like “false publication,” “offensive communication,” and “misleading information” are dangerously broad. They fail the constitutional test of legal precision, leaving citizens uncertain about what actually constitutes a crime.
Also Read: How Kenya’s New Computer Misuse and Cybercrimes Law Will Curb Rising Cyber Threats
Two, the Act enables investigators to block or compel the removal of digital content before a court determines if a crime has been committed. This undermines the presumption of innocence and turns enforcement into punishment before trial.
Three, the law grants sweeping authority to “authorized officers” to seize devices and demand data without sufficiently strong judicial safeguards.
Fourth, relying heavily on fines and prison sentences of up to ten years, the Act echoes colonial-era traditions designed to control speech rather than protect democratic dialogue.
Lastly, the 2024 amendment was rushed through Parliament with limited public participation, ignoring calls from civil society and tech experts for deeper consultation.
To fix what I bluntly described then as a “foolish law,” I proposed several reforms, such as reopening public participation; narrowing definitions in Sections 22, 23, and 46A; requiring judicial warrants for content removal; and moving regulatory leadership from the Ministry of Interior to the Ministry of ICT so that innovation, not policing, guides digital policy.
Events since then have vindicated many of these concerns.
On October 22, 2025, High Court Justice Lawrence Mugambi issued conservatory orders suspending Sections 27(1)(b), (c), and (2) of the Act, provisions dealing with cyber harassment, particularly communications “likely to cause apprehension or fear.” And now the Court of Appeal ruling.
A Victory for Free Expression
The Court of Appeal’s decision specifically targeted the most controversial sections. Section 22 criminalized the intentional publication of misleading information, while Section 23 targeted false information likely to cause panic or reputational harm.
The judges concluded that such sweeping language was incompatible with the Constitution.
Also Read: Social Media and the Fragile Line Between Freedom of Expression and Defamation
“In the end, this appeal partially succeeds to the extent that we find Sections 22 and 23 of the Act unconstitutional for being too broad to the extent that they are likely to net innocent persons.”
This represents a significant win for the Bloggers Association of Kenya (BAKE), which challenged the provisions after a 2020 High Court judgment had originally upheld them.
Patterns of Prosecution
The practical history of the CMCA reveals a trend of policing dissent rather than preventing harm. Over the last several years, the Act has appeared regularly in cases involving the criticism of public officials:
Journalists such as Peter Maseke Mwita and Collins Kweyu faced charges while investigating corruption.
Software developer Rose Njeri was prosecuted after creating a civic engagement platform for public debate.
In 2024, David Mokaya, a university student, was charged for posting an AI-generated image of a presidential coffin during national protests; he was acquitted only in early 2026, while Blogger Maverick Aoko continues to face cyber-harassment charges tied to controversial online posts.
These cases illustrate the inherent risk of broadly worded laws. When speech can be criminalized simply for being “offensive” or “misleading,” enforcement inevitably drifts toward silencing political opposition.
Restoring the Balance
Kenya’s Constitution guarantees freedom of expression, media freedom, and access to information under Articles 33, 34, and 35.
These are not merely ornamental; they are the foundation of accountability. In the digital age, social media is the modern public square.
If speech in these spaces is stifled by vague legal threats, our constitutional promises become hollow.
The Court of Appeal’s decision is more than a technical correction; it is a reminder that the state’s interest in security must be balanced against civil liberties.
Cybercrime legislation should protect us from fraud and exploitation, not serve as a tool for policing the very speech that sustains a democracy.
Follow our WhatsApp Channel and X Account for real-time news updates.




