Zero Rating of the Internet and its Impact on Net Neutrality

Mobile phone penetration in the Kenya has increased tremendously over the years. The Communication Authority of Kenya (CA), in its first quarter 2017/2018 financial year report placed mobile and Internet subscriptions in the country at 41 and 51 million subscriptions respectively. In spite of this increased mobile and Internet penetration, the high cost of accessing the Internet continues to be a constant hindrance to a majority of mobile users in Kenya.

Private companies, in response to this issue, have attempted to provide ‘free’ or subsidised Internet through what has come to be known as zero-rating of the Internet. In this practice, providers of zero-rated Internet, partner with Internet service providers (typically mobile networks) to subsidise access to the Internet. Access to the Internet under such programs is however limited to the zero-rated Internet providers’ website. Examples of such services include: Free Basics by Facebook and Wikipedia’s Zero.

These services are however extremely controversial due to concerns about their impact on net neutrality and effectiveness as a long-term policy for improving Internet access.

Proponents of zero-rated Internet claim that such services connect people who previously did not have access to the Internet especially in emerging markets in Africa and Asia. While connectivity may increase, the fact remains that Internet service providers and companies that engage in this service derive immense financial benefits from such services. For example, mobile Internet providers use free access to the Internet as an on-boarding strategy. Secondly, access to the Internet under this practice is limited to one or a few popular sites depending on the zero-rated Internet service in question. This calls to question the supposed ‘benevolence’ of such services especially in light of their detrimental impact on net neutrality, which holds that all content and users be treated equally so as to ensure free flow of information online.

While zero-rating can be viewed as beneficial to consumers as they do not incur data charges when visiting zero rated websites, it is detrimental as it in a sense changes the “face of the Internet” by limiting the number of websites which users can access. It effectively operates as an information control principally in the event that such services become ubiquitous and to the extent that they are the first point of entry to the Internet for millions and potentially billions of people.

Furthermore, zero-rating of the Internet jeopardizes freedom of expression online. The forums on which Internet users can freely develop and express their opinions are limited and to a great extent controlled by the parties that subsidize access to the Internet. The ideological underpinnings of the internet, and its role as a medium for advocacy on the protection of civil rights, is at danger of being obfuscated in this paradigm.

Moreover, zero-rating greatly reduces the incentive for content creators who do not have the required financial muscle to continue producing content. It is therefore no surprise that companies like Microsoft and other tech giants are at the forefront of championing zero rating. This is however highly ironic seeing that companies such as Wikipedia and Facebook would not have been able to transcend the ‘start-up’ stage had the Internet at their time of inception been limited through zero-rating. Again, the undermining of the right of Internet users to freedom of expression and uninhibited access to the Internet cuts to the core of this issue.

The impact of zero rated Internet is best gleaned through an analysis of the areas where it is widely offered as illustrated below.

Binge On™, is a video streaming service provided by T-Mobile, a mobile telecommunications company. Binge On™ provides zero-rated streaming for specific content providers while limiting the capacity of “non zero-rated” content providers from streaming its platform. “T-Mobile’s Binge On Violates Key Net Neutrality Principles” a report done by Stanford Law School found that T-Mobile, through its zero-rated service, stifled innovation by barring content creators who did not meet its substantial technical requirements. This exposes the fallacy of the perceived ‘altruism’ behind such services i.e. through the commercialization of information and innovation by extension. This further underscores the importance of maintaining ‘diversity of expression’, in the current knowledge economy, where large tracts of information are generated and disseminated online.

Proponents of this practice argue that zero rating is necessary if we are to achieve universal connectivity. The discussion above however, pokes serious holes into this argument. While universal connectivity is necessary to bolster communication, such hopes shall be relegated to a pipe dream as companies that cannot afford to zero rate their services are unable to fairly compete and reach consumers.

It is with this in mind that a need for a comprehensive legal and policy framework to address zero rating arises. Zero-rating should not be used as a substitute for Internet access. Openness, which is a central tenet of the Internet, must be legally protected. While, there are no country specific laws that deal with the effects of zero rating on freedom of expression, article 33(1a) of the Constitution of Kenya provides for the freedom to seek, receive and impart ideas. Internationally, article 19(2) of the International Covenant on Civil and Political Rights (ICCPR) provides for the freedom of expression.

The Internet is and should remain a bastion of freedom of expression. Kenya is thus bound to enact laws and policies that specifically protect this right ‘out of the normal context of speech’ seeing as Internet based modes of protection are protected under the ICCPR.

Originally posted in


ICOs world over have received rejection due to their unregulated activities. Governments have not stopped at anything to render them illegal and ban any offerings to the market. However, this does not mean that all is lost for the supporters of the digital currencies. Last week Akon the musician announced that he would be building the ‘Real Wakanda City’, a crypto city which will be using his own digital currency called Akoin. He was given a 2000 acre piece of land by the President of Senegal to construct it. In Kenya, cryptocurrencies were banned in one year and allowed in the same one, this back and forth shows the lack understanding that is in the market as to how to safely transact in the currencies, Bitcoin being the most common one.

All said and done, the largest challenge such currencies will have is to gain the trust of the African, in a continent where Ponzi schemes have rendered people deeper into poverty and that internationally there are crypto exchanges that have collapsed. Despite all these there are still optimists who believe that the digital currency craze is not just a bubble but is here to stay, with that in mind let us consider the basics of the process of investing in the currencies.

An Initial Coin Offering (ICO) is the process of launching a cryptocurrency where supporters (early investors) are invited to contribute money to the development of the currency. Before an investor decides to participate in an ICO many things need to be considered but a few are paramount. This however, does not constitute legal advice rather it is legal information.

  1. Token legal design

Before investing in an ICO, it is prudent to know whether it is being launched as a security or a utility. Tokens can be used as currency, asset, company share, method of payment etc. As a security, an ICO is a tool for raising capital to get money to develop the currency so that once it is developed and acquires value it can be used to purchase commodities and at this point it has utility.

As security, the tokens will be representative of shares in a business hence you own an asset but cannot take possession. In the U.S. the SEC suggested that to categorise a token as a security it must pass the Howey Test which includes:

  • an investment of money or assets
  • the investment of money or assets in a common enterprise
  • an expectation of profits from the investment
  • profit come from the efforts of a promoter or third party i.e. the investor has no control over how the profit comes from the investment


As utility tokens, the ICO will be offering the token as a service/product that can be purchased. Utility tokens as the name suggests have a use. Akon’s proposed Akoin edges on being a utility token as he intends to use Akoin as the official currency of the city. The price of such tokens increases when the demand for a service or product goes up.

As a security token, there is limitation on who can launch an ICO and is associated with fewer legal risks than utility tokens. The bipolar nature of crypto currencies is important to understand.


  1. Simple Agreement for Future Transfer(SAFT)

A SAFT is an investment contract where an investor agrees to purchase tokens even before they are created with the future hope that once it is created and in use its value will increase. The investor is allowed to sell the tokens at a future date when the token price increases and this is how they make their money. This is a legal safeguard for early investors as proof that they gave out money to the issuer for some future benefit.

  1. Whitepaper

A whitepaper provides information to potential investors on the philosophy behind the coin. A typical ICO whitepaper contains the following categories: introduction, problem to be solved, use of the token, how to purchase the ICO, how the funds will be used and the team behind the creation. As an investor this should be sufficient preliminary information to prepare your mind on whether to invest or not. Sample statements of most whitepapers: on use of funds; “80 percent of funds will go to the development of the platform and 20 percent of funds will be distributed to the market”. However, a whitepaper should not be the reason you invest in an ICO, whether a company has users, a product or traction are vital questions to ask. In the paper, it is mandatory that it states that in the event the intended amount is not raised all the raised money is returned to the owners.


  1. Tokenomics

This means how does the token operate i.e. its usage and the underlying business model and it is close to the legal design. It involves the rights accruing with the token, the value exchange, the toll, how the earning will be made and the currency.

  1. Know Your Customer Policy

That cryptocurrencies are likely target for use for money laundering and other illegal activities is not news, what is news however is the fact that jurisdictions are coming up with their own lists of accredited investors thus not anyone can be an investor. KYC policies are necessary to verify investors. Your policies should however stick to the jurisdictions privacy laws. With the GDPR in force it is important to put safeguards on how the investors’ information will be processed and stored.

With investor confidence ICOs are set to increase and be successful. Governments should embrace the currencies rather than seeing them as a threat to the centralized financial system. As one William Mougayar said, “The stone age did not end for lack of stones”. Central players such as Central Banks will not go away rather appreciation of block chain enabled innovations could see an integration with the current financial system.

Cyber Law Series: #2 Cyber Espionage

In this article allow your mind to wander and to think about forensics, hacking and any other related terms because the discussion will follow this course.

Section 21 of the Act provides for the crime of cyber espionage and states that any person who performs an act that results in gaining access or intercepting data unlawfully commits a crime and is liable for a term not exceeding twenty years. Additionally, the Act criminalizes unauthorized access by infringing security measures so as to gain access. The focus for today shall be on persons who commit such acts which are translated as hacking.

In Kenya cases of hacking with an intent to gain access to systems are not new. Last year we were treated to news that KRA system had been hacked and a staggering 4 billion made away with. The man behind the alleged electronic fraud was Alex Mutuku. When the arrest was made police disconnected and took away every gadget with a memory; mobile phones, computers, hard drives, digital video recorders and servers. While the story has taken different twists, what is certain is that evidence to prove the case is a necessary component otherwise, the allegations hold no water.

In Kenya, the laws dealing with electronic fraud are the Kenya Information Communication Act under section 84B and now the Computer Misuse and Cybercrimes Act, 2018. When faced with a case where evidence would be digitally presented, the court is guided by section 78A of the Evidence Act. In the case of Republic v Mark Lloyd Stevenson (2016) eKLR the emails were not authenticated by giving their technological footprint hence were not admissible in court. Authentication is necessary to prohibit tampering which is common in e-evidence and could render an allegation invalid.

The case of Oquendo where the accused was recently found guilty of killing her step daughter, the investigators produced geolocation information extracted from a mobile device but the judge expected a more scientific treatment of the evidence while casting doubt on the reliability of the digital traces this can be loosely translated to mean, more evidence to the authenticity of the e-evidence.

In both cases, the importance of e-evidence to try a matter is clear as well the risk of tampering or falsification is evident hence the need to clearly preserve the evidence.

Why is tampering a risk? E-evidence is highly volatile hence can be changed or manipulated through file deletion softwares, viruses, and botnets. Once manipulated it is difficult to detect and trace it unless with the help of a forensics expert. While in fact the duty of making decisions is the reserve of the judge, the role of an expert testimony cannot be undermined at all costs as they help judges to understand forensic findings and their value in a case.

The role of an expert is not to make decisions but to give an assessment hence it is important for the expert not to present the material as facts such that it gives no room for exploring the alternatives. This will also help curb bias.

There is need for a standardized approach to expert evidence with an insistence on them acting as assessors. The law being in place already points to a need for regulating the cyberspace hence more needs to be done on the procedure of producing expert evidence as we expect more of evidence to be presented in this manner.  The standalone laws should be made in consultation with computer forensics experts to establish a nomenclature for digital evidence.



CYBER SERIES FOR CYBERLAWYER: #1 Information Sharing Agreements and International Cooperation

The Computer Misuse and Cybercrimes Act, 2018 was assented to on 16th May 2018 and came into force on 30th May 2018. The law which makes certain acts punishable by law aims at regulating the many things that could go wrong on the cyberspace. As expected, and of course, as a matter of genuine concern the law came under strict scrutiny from the public which led to the suspension of 26 sections of the Act. The Act was accused among other things of attempting to gag media freedom.

At Legal Hub we shall begin a CyberLaw series to expound more on the legislation which can silently have far reaching consequences for its offenders. The series will borrow from past cyber incidents and potential cyber events that Kenya suffered and how to avoid such pitfalls in the future.

During a court hearing or in pleadings it is common to hear/ read an advocate saying “section 2 of … read together with section 6 of …” This is exactly how this post will proceed by reading section 12 of the Act together with Part V of it. Section 12 provides for international cooperation between a private and public entity for information sharing on critical infrastructure and states the conditions of such an agreement. It limits sharing of two categories of data; of a person not directly related to a cyber crime and health status information. Part v of the Act provides how to go about the process of information sharing with regards to a cyber crime.

Information sharing in this context is in a bid to avert or prosecute a cyber crime and as such the process must be handled with utmost care to preserve the confidentiality, integrity and availability of the data. While not involving trans-border crimes, the case of tampering with digitally stored records in the just concluded elections should be a lesson that alteration is a possibility and any interested parties will go to whatever lengths to do that. Internationally, the case of Gutman v Klein is proof (no pun intended :-)) of how electronics tampering of evidence can affect discovery in the event that a cyber crime goes to trial. In this case, the respondent destroyed electronic evidence by “downloading a file deletion program, backdated specific programs and files and then reinstalled computer software on his laptop prior to producing it during discovery”. This is important in the case where such information sharing is done over insecure networks posing the risk of eavesdropping and stored in insecure areas such a public cloud. Faced with such ever evolving risks, there will be need for comprehensive regulations that adhere to standard practices for the sake of preserving the CIA of information.

What is impressive about the Act is that it highlights a kind data sharing code by requiring:

  1. That only relevant information is shared.
  2. The name of the offence that is the subject of a criminal investigation.
  3. The authority that will deal with the information be stated.
  4. That how the data being sought is linked to alleged crime be revealed.
  5. Reasons why that information needs to be preserved.
  6. The intention to seek mutual cooperation to be stated.
  7. The requesting authority to have conducted some due diligence before making a request by requiring that they give any information they have with regards to the stored computer data and location of the system they want.


Big Data and Microfinance in Kenya: Privacy Concerns in Alternative Credit Scoring Models

The era of digitisation has ushered in the development of many new technologies that have improved the way in which business is undertaken. One such improvement is in the area of data. Data-driven companies are likely to be the most competitive in this current era. This has attracted efforts from the government and private sector in collecting and sharing data from various sectors. There is a lot of personally identifiable information that is collected and archived in data stores; all of which is taking place in a regulatory environment devoid of a national data protection law.

Big data is defined as the voluminous, high velocity and different variety of information requiring specific technology and analytical methods for it to be transformed into value. The advantage of big data in the business world cannot be overemphasized with its importance ranging from cutting operating costs such as storage to determining how products should be tailored for advertising. Creating value out of these disparate data sets has been made possible using powerful data analytics tools such as Hadoop.

One particular way in which big data continues to be useful is in the Kenyan financial sector through Alternative Credit Scoring Models. One of the key drivers of economic change in Kenya is Small Medium Enterprises but one challenge these SMEs all face is access to financing. In response, there has been an increase in micro finance lending institutions which, unlike the brick-and-mortal banking sector, do not need collateral rather use different data points to assess one’s credit-worthiness. One such company is Tala which establishes a user’s financial identity by gathering 10,000 data points in a few seconds. As a result, information other than previous credit history is used to assess credit-worthiness.

Kenyans generate data from limited sources the most common one being their mobile phones and social media activity; noting that publicly available data is not detailed enough to assist in making decisions such as eligibility for a loan. These other data points may include mobile money payments and exam scores.  Branch, a digital lender uses an individual’s GPS data, SMS, call log data and contact list to determine ones loan size. While all these may be a noble attempt at ensuring that persons not previously eligible for loans receive credit to enhance their daily lives it does so in the face of numerous data privacy concerns.

The question of how data is sourced, stored and shared remains unclear to borrowers. This concern is further aggravated by the lack of a national law and regulations on data protection. Undoubtedly, there exist industry specific regulations on dealing with data however, a stand-alone piece of data protection legislation is necessary since industry specific regulations such as those applicable to Interswitch which is PCI-DSS compliant are tailored based on international requirements. This is not to mean that the Kenyan government has not made efforts at developing a national data protection law. The rise of big data has seen the government intervene in an attempt to offer protection to Kenyans with regards to how their data is used. Aside from the Kenya Information and Communication Act which has provisions on data protection, a draft Data Protection Bill is in the pipeline.

The draft bill has important provisions which will protect the data generated by Kenyans. One such provision is on data processing which relinquishes power to data subjects by requiring their consent in order to process their information. The Bill further provides for the adherence to the principles on data protection. It will be interesting to see how it all plays out given that some data controllers have terms and conditions that cause a data subject relinquish his/her right to consent. The Bill also deals with the commercial use by requiring that a person obtains express consent from the data subject before such data is commercialised. Data controllers have found a way to circumvent this provision even before enactment of the law through the already set terms and conditions that a user has to accept before using a product. Of course, an argument that organisations should be tasked with the duty of securing personal data through secure mechanisms in their databases may be raised but this duty cannot be wholly delegated to organisations to self-regulate. A more inclusive approach involving the government through its legislative arm would create more certainty in enhancing the right to data privacy.

The absence of consent has led to the usage of data in Kenya for a multitude of purposes even unrelated to those for which the data was provided. By giving people the opportunity to give consent and control how their data is used, the right to privacy is enhanced. Power to the data subjects will ensure that data ethics are maintained as we await a comprehensive piece of legislation. Concerted efforts from the various stakeholders; government bodies and private bodies need to ensure that the laws to be enacted are comprehensive. With the issues of privacy and consent not well addressed, Big Data is sure to cause Big Problems!

Originally posted in CIPIT Blog

Tobacco Regulations, 2014: Balancing the Protection of Trade Secrets and the Right to Privacy.

Part III of the regulations provides that the tobacco industry must provide the following information about their products:

  1. List of ingredients in tobacco products and tobacco product components;
  2. Reasons for including the ingredients;
  3. All the toxicological data available to the manufacturer about the ingredients of the tobacco products and their effects on health and information on the characteristics of the leaves i.e. their type, percentage, percentage when expanded and changes made about tobacco product ingredients.

These requirements are a replica 2009 US law that granted the Food and Drug Administration (FDA) powers to direct tobacco companies to disclose ingredients in new products and changes to existing products. They also adhere to article 9 and 10 of the WHO Framework Convention on Tobacco Control (FCTC).

Whether the information that tobacco companies want to protect qualifies to be trade secrets is disputable. The law of confidence which is rooted in equity and legislated under article 39 of the Agreement on Trade- Related Aspects of Intellectual Property Rights (TRIPS) to which Kenya is a signatory to protects trade secrets. Article 39 of the Agreement stipulates that the following requirements must be met for information to be regarded as trade secrets: secrecy, commercial value and reasonable efforts to maintain secrecy.

The information held must be of a secretive nature though not absolutely secret. Employees, business partners and other persons can know the particulars, provided they keep them secret. Besides, ordinary and mundane information can be the subject of confidence so long as the information is private to the compiler. This was illustrated in Coco v AN Clark (Engineers) Ltd [1969] where the Court found that information that is common knowledge to a group of persons (in this case tobacco manufacturers) is part of the public domain and is not confidential. Therefore information regarding ingredients must be confidential to qualify as a trade secret.

Secondly, the information must have commercial value i.e. there must be some utility obtained from the information being secret. The manufacturer must be able to use it to acquire a business advantage over other manufacturer(s) in the same industry. Therefore, the information must only be known to the manufacturer to have commercial value. Disputably, players in the tobacco industry could argue that the information they guard has commercial value to them as it is what gives one company an edge over a competitor that uses different ingredients and manufacturing processes

Lastly, the owners of the secrets must carry out steps to ensure that the information is well secured. According to WIPO, some of the reasonable steps that can be taken to secure trade secrets include: non-disclosure agreements, training and capacity building with employees, instituting an information protection team, having a trade secret SWAT team, establishing due diligence and continuous third-party management procedures among others.

Kenya, as a signatory to TRIPS, is obligated to protect trade secrets. These regulations do not however protect trade secrets and business ‘know-how’ once it is revealed; meaning once revealed it loses its secrecy. This leaves trade secrets and business ‘know-how’, such as the list of ingredients and percentage of leaves expanded, vulnerable to appropriation.

In taking the role of devil’s advocate, it is worth considering whether the information that the tobacco industry is required to reveal under Part III really falls within the scope of trade secrets. Let us go back in history to understand the situation as it was that caused the emergence of such requirements. In 1998, 35 million pages of what was considered confidential information were revealed as a result of the Minnesota’s Tobacco Trial in the US. This information was on the harmful ingredients that tobacco companies used in the products. In what was considered the Master Settlement Agreement, the U.S. agreed not to sue the corporations in exchange of the corporations revealing all documents considered to be confidential to the public. It is important to note that one of the companies involved in the Supreme Court application to throw out the regulations was implicated in this law suit for failing to reveal to consumers harmful ingredients contained in their tobacco products.

Moreover, research carried out between 1937 and 2001 of tobacco companies, some of which operate in Kenya, revealed that tobacco ingredients are not secret rather the companies simply reverse engineer their competitor’s brands to create their own. This report argues that since the reverse engineering process is done routinely, it does not meet the threshold of secrecy for information to be a trade secret. The report implicates some multinationals that operate in Kenya. If this is anything to go by, then it negates the fact that the information in question has commercial value and is secret.

It is thus important to strike a balance between consumer protection measures and the protection of corporations’ intellectual property. Overzealous consumer protection regulations result in laws that infringe on corporations right to privacy and violate their intellectual property rights, to the detriment of their revenue and the country’s economy as a whole. Since the appeal was dismissed at the Supreme Court, it will be interesting to see whether the manufacturers will abide by the regulations.

Originally posted at CIPIT Blog.


The Finnovation Fintech series events organized by Ethico Live had a session in Nairobi last week at the Radisson Blu in Nairobi. The event meant to steer conversations around financial innovation in the banking sector brought together key players in the industry including banking leaders, policy makers, investors and most importantly the innovators driving the change for financial inclusion. As part of the discussion one idea became prominent; the need for collaboration between the old and new; the banks and fintechs respectively. This need takes me back to the article by Sunny Bindra’s article here where he tackles the importance of staying analogue as much as it is important to go digital for the sake of progress. Collaboration was seen as a key factor to drive the agenda of financial inclusion as the banks are endowed with resources among other advantages while the fintechs operate within little to no regulation which encourages innovation among other advantages.

This article shall discuss issues discussed that touched on regulation. As the end customer of these businesses, the aspect of consumer protection was explored with regards to the emerging fintech apps available in the Kenyan market and claims that some of them charge abnormal interest rates for lending. Additionally, the apps were faulted for giving out loans without scrutinizing whether the same person had borrowed a loan on another app calling for a review of lending policies. Consequently, people borrow loans to repay loans borrowed on other apps; not surprising that these money lending apps were among the most downloaded apps in Kenya according to BAKE. In this light, it was agreed that some due diligence ought to be exercised by the apps before lending to ensure that credit is obtained for purposeful reasons. In what has been dubbed ‘fintech fueled lending craze’ that has seen almost 2.7 million users negatively listed by the Credit Reference Bureau, the government of Kenya intends to bring sanity into this area. Currently, a draft Bill (Financial Markets Conduct Bill, 2018) to regulate the lending has been proposed which among other things will seek to cap the lending rates of the different lending apps. In matters of regulating the lending apps it was agreed that it is important to not add other levels of regulators which would consequently increase the cost of compliance.

The question of whether regulation would be an enabler or a threat to financial innovation was addressed. The good example of M-pesa and how it is has grown largely unregulated as a financial services provider was given; the challenge here remains whether it should be regulated as financial services provider or under telecommunications. Despite the fear of the stifling effect of regulation, it was well agreed that it is mandatory to regulate the multi-faceted fintech space due to the various ways it is affected; systems security, cybercrime, adherence to sector standards such as PCI-DSS where a company stores, transmits and processes card information and IFRS reporting. One of the self-regulation practices that financial institutions that carry out digital banking may be involved in is the Know Your Customer procedures (eKYC), this was highlighted as a way of lenders to shield themselves from risk. In Kenya, KYC regulations are legislated only for money laundering under the Proceeds of Crimes and Anti Money Laundering Regulations.

The State of the Internet report 2017 by BAKE indicated the importance of sound regulation as regulation can affect public perceptions; progressive regulations have the potential of bringing about good perceptions hence there may be more adoption of the technology.


Having discussed the importance of policy and regulation in the fintech world, it will be mandatory to ensure that these should be formulated to enable investments. The Nigerian market was used as a good example of how policy can be used as a propeller of growth. One such regulation is the Venture Capital (Incentives) Act that gives companies engaging in venture projects incentives to operate in the country.

The issue of regulation lagging behind due to rapid technological advancements was raised. This was met by a suggestion of real time regulation in these times where lending is done in a faster way than before and as more products continue to infiltrate the market. In practical terms, the regulations should ensure that such innovations come with transparency in terms of how it works and reveal the interest rates that are charged on a monthly basis this will curtail enterprises that charge exorbitant rates to unknowing customers.

The aspect of cloud computing adoption by banks was explored. Several emerging cloud trends which legislation could have a bearing on were also highlighted such as data localization. Data localization laws are crucial because they would inform where customers’ data would be stored. Thus, informing certain business decisions such as whether to open data centres in the region. However, for now Kenya has no data protection laws and such decisions are the sole reserve for organisations.

Discussion around data analytics were held as this is as a key factor driving these fintech which use alternative credit scoring methods most of which are data driven as opposed to the brick and mortar banks which largely perform collateral based lending. Indeed, from a legal perspective, this raises data privacy issues, especially the contention around hideous terms and conditions which force users to give up data privacy to be able to use the apps.

Lastly, the issue of security of wallets (a software that facilitates the transaction of digital currencies by storing the private and public keys necessary to conduct a transaction) was addressed. It was stated that as more adoption of cryptocurrency continues it will be necessary to get a trusted wallet provider for safe transactions.



The annual event brought by Communication Authority was meant to coincide with the day when the International Telegraph Convention was signed establishing the International Telegraph Union, 17 May 1865 where Kenya is a member state. The event focused on emerging technologies and how they can be used to drive the recently unveiled Big 4 agenda; food security, manufacturing, universal health and affordable housing. The post shall address the legal perspective of these technologies that were addressed.

First, the technologies in discussion were Artificial Intelligence (AI), Internet of Things (IoT) and block chain. The first day began with a panel discussion comprised of the AI and block chain taskforce led by Mr. Bitange Ndemo.  Of importance emphasis was the way such technology continues to be used unregulated. However, Bitange was quick to state that technology should be allowed to thrive before the law could come to govern so as to avoid stifling technological development in the country. That way it becomes possible to know the various ways which the technology can be used before such usage can be restricted or allowed.

The rate of absorption of technology by various sectors was highlighted. One key highlight was the decision to use block chain in the land registry to deal with the challenges of land transaction in Kenya. In terms of ranking, the legal sector was ranked the last due to the resistance by lawyers in the fear that such usage of technology would cut off their revenue streams. Despite such opposition, the reality of having to deal with disputes associated with these emerging technologies was discussed and this was posed as a new opportunity for such lawyers. Other benefits included enjoying economies of scale, since with technology carrying out the repetitive, time-consuming and unambiguous legal tasks, the lawyer will be able to handle more cases at the substance level rather than procedural that can be delegated to machines. The most expected challenge would be the lack of capacity to deal with such cases at the judiciary level.

Cybersecurity was at the forefront of the discussion especially with the Cybercrime and Computer Related Act that was passed. Additionally, as more activities are expected to be carried out in the cyberspace in fulfillment of the Agenda it will be necessary to ensure such safety online. The greatly contested piece of legislation was seen as a solution to deal with ever evolving threat in the cyberspace.

There were presentations on how the various emerging technologies are being used to implement the Agenda. Two presentations that stood out in their use of technology for service delivery. One was by M-health, a telehealth company that provides medical services by utilizing mobile technology. The company uses mobile messaging services to remind patients to take their drugs, when to go to their clinics among other services to the patients and caregivers. Another one was Acre Africa that gives crop insurance to farmers. In this case, farmers purchase seeds from agrovets licensed by Acre Africa, in the packaging there are scratch card like tokens which the farmers scratches and sends to the number written on it. Using this method the company is able to know which farmer bought their seeds, where they planted them, the weather at the time among other details that will determine the particulars of the insurance taken out. Therefore, in case of crop failure, they are able to know the amount lost and pay back the farmer. Among the technologies used are satellite imaging to locate the farmers and mobile payment to pay out the cash.

Concerns of data privacy were highlighted, in light of possible adoption of such technologies. One example was in the use of Internet of Things to collect data that will drive other technologies such as machine learning and block chain. The concerns were mainly because of the lack of a data protection regime in the country and the lack of comprehensiveness of the Bill that once existed. Up until such laws are established organisations were urged to come up with self-regulatory policies that would guide how data driven organisations handle data. The progress of having such a legislation is currently pegged to the recently formed Taskforce on the Development of the Policy and Regulatory Framework for Privacy and Data Protection in Kenya led by Mercy Wanjau. There was consensus that such laws on data privacy would do better if more public participation was done as a tool of consumer protection; at this point I got the chance to introduce the audience to the site Jadili to add their input for ICT and IP related policy laws that are currently before Parliament.

Lastly, in terms of expertise to propel the technological turbine in Kenya, it was stated that more people need to enter the technical sphere and acquire the knowledge to use the technologies to tackle our unique issues to increase homegrown solutions. Indeed, the challenges to be surmounted in Kenya could benefit a huge deal from the use of these emerging technologies. However, such activities need to thrive under regulation that promotes their use.





The successful report launch by the Centre for Intellectual Property and Information Technology on the use of Biometrics technology for elections was well attended with key players in the ICT sphere. The event began with opening remarks from the Dr. Isaac Rutenberg, Director of CIPIT followed by presentations on the findings on the investigations by Francis Monyango and Robert Muthuri both from CIPIT. This was followed by presentations by John Walubengo, Mr. Fernando, Sharon Bosire, IEBC representative and lastly, Senator Halake.

The report found that Kenyan voters remain exposed to personal data abuse so long as there lacks appropriate legislative and enforcement issues. The full report can be found here.

John Walubengo, an ICT expert shed more light on the General Data Protection Regulations (GDPR). The presentation focused on defining who a data collector is as per the GDPR while giving emphasis on the rights and obligations of the data collectors and data subjects. The concept of data minimization as a principle of data privacy emerged in explaining the rights of data subjects one of them being the right to have only relevant and not excessive data of the subjects collected. In terms of security of data, developers of products that use personal data were advised on the importance of not only securing data but demonstrating to users that their data is secure.

With regards to data controllers who in this case are the developers, certain obligations were highlighted. They include: breach notification, obtaining the necessary consents before using data, territoriality of data and lastly, the issue of penalties with regards to not fulfilling obligations was highlighted.

Sharon Bosire the Legal Officer at Communication Authority, brought to the attention of the attendees, the legal framework currently in existence in Kenya that addresses issues of data privacy; the Kenya Information Communication Act (KICA), 2009 and the KICA (Consumer Protection) Regulations, 2010. The CA representative was brought to task to explain why the authority did not have a portal for complaints on matters of infringement of data privacy during the election similar to the one of NCIC for reporting hate speech during the electioneering period.

Mr. Fernando Wangila, the ICT Director at National Transport and Safety Authority (NTSA) made a presentation on the efforts that the transport authority is making to ensure that the citizens’ data is secure given the introduction on the smart driving licenses that replaces the manual process of obtaining licenses. The presentation pointed to a belief that the illegalities that mar the vehicle registration and insuring of motor vehicles in Kenya will be cured through the use of online services and such efforts can only be bolstered by a secure data base that is free from manipulation. In this presentation, the aspect of integrity on the part of the authority’s officials was emphasized as a key ingredient to ensure that such databases remain accurate and trustworthy. One of the ways mentioned that would prevent illegal activities is the Transport Integrated Management System(TIMS) platform by NTSA where one can obtain digital log books, for online transfer of motor vehicles and for registration of vehicles.

The IEBC Representative gave an overview of how the IEBC systems work and the security measures that it has taken up. He sought to set the record straight with regards to security measures that IEBC has taken up to secure that citizens’ data is secure. The importance of accuracy of data that is inputted in systems was well emphasised, pointing out that inaccurate data would inadvertently affect the smooth operation of elections as was witnessed in the last elections.

Senator Halake, the Vice- Chair of the ICT Committee gave suggestions on how to tackle the data privacy issue form a legislative and enforcement point. In terms of legislation, she advised the academic sector such as CIPIT as well as other stakeholders such as KICTANET to come up with draft laws on Data Protection and Cybersecurity and submit them to the ICT committee for consideration. She emphasized that such contributions would be more practical as compared to expecting the legislature to come up with draft laws that are consistently requiring amendments due to challenges such as lack of well researched laws. In enforcement, she called for a reduction in the number of authorities being created to oversee implementation of various legislations. In this case, she applauded the recommendation in the report to allocate the role of Data Protection Authorities as is in other jurisdictions to the Office of the Ombudsman in Kenya. Lastly, she warned against adopting the provisions of the GDPR into our national legislation and called for coming up with legislation that serves our unique needs as GDPR serves the EU needs. In legislating, she pointed out the importance of striking a balance between encouraging innovation using data and protection of data of Kenyan citizens as she cautioned against too much legislation that would end up stifling innovation.




So for those who I have interacted with in the last few weeks must have heard a mention of the word ‘DIFC’. This opportunity was accorded to us during the international law school trip where we paid a visit to the centre. The DIFC stands for Dubai International Financial Centre, located in Dubai it is a host to more than 1853 registered companies. The Centre acts as a meeting point for most foreign investors coming to set shop in Dubai. Two factors make this place lucrative for the businesses; the registration process and the legal framework in use at the Centre which are among the top factors in allocating the ease of doing business index. DIFC has an authority other than the state authority that assists in registration of businesses, administration and strategic development.

On the legal side of it, there are two limbs; the current courts and a new division to be established dubbed “Courts of the Future”. The article shall focus on the Courts of the Future project. The project is quite ambitious in my opinion due to two factors namely; the intended operation of the courts and the cases which it intends to take up.

The courts will conduct all its transactions on a paperless basis. This means that from the point of instituting a claim to the point of receiving a judgement all activities will be conducted online. More details on how the online activities will be performed shall be highlighted on the rules of the court.

In terms of the cases to be dealt with DIFC is taking the bold move to deal with innovations and the liability that can arise out of the use of new technologies such as Artificial Intelligence, autonomous cars, 3D printing (it is interesting to note that DIFC buildings are the world’s first 3D printed buildings), block chain technology and though not an innovation, it will deal with cybersecurity issues. The courts will deal with such matters only when the parties have submitted to their jurisdiction.

The courts have also developed the “Part 40,000 Principles” which are the foundation of the operation of this division of the court. Interestingly, the court will apply these technologies that it seeks to adjudge on. One such example is the option where a successful litigant could opt to have their interim/ final payment made in cryptocurrency or online assets instead of fiat money.

During the short but impactful visit to the Centre the presenter, Mr. Charlie Riggs gave good insights on how these innovative technologies can be used to deliver justice in the court system and I could not help but think of how such technology could be utilized in Kenyan courts. First, in a bid to reduce the back log of cases in the courts, AI can be used to settle small and simple claims. The government through the Small Claims Court Act, 2016 under section 23 provides that proceedings can be carried out through electronic means, this is a step in the right direction. However, the efforts to speed up court processes could be bolstered by introducing AI supported mechanisms for adjudicating; it would be expeditiously resolve cases.

Additionally, courts can use block chain technology to store evidence to prevent evidence tampering and also for sharing and effecting judgements throughout various jurisdictions especially in private international law where the law has evolved to permit judgements of one country to be recognized in other countries in civil and commercial matters. The case of DNB Bank ASA v Gulf Eyadah Corporation and Gulf Navigation Holdings PJSC which involved enforcement and recognition of a foreign judgement order that the DIFC courts were granted jurisdiction to enforce the order. In this case which involved a dispute over the payments of a ship, the respondents had vacated the one of the ships away from the jurisdiction of the English courts to UAE jurisdiction, it is on these grounds that the case was submitted to the Dubai jurisdiction and later on to DIFC courts which operates under common law. The case had to deal with the legality of submitting the matter to DIFC. However, had the countries mutually agreed to share such judgements using distributed ledgers, it would have been easier to enforce the judgements.

This discussion will set the base for the next article that shall delve more into the foundational Part 40,000 principles” as we break down the terms and the tackle the legal aspects therein.