A Nairobi High Court has temporarily suspended the actualisation of the Computer Misuse and Cybercrimes (Amendment) Act, 2024, which was signed into law by President William Ruto on October 15, 2025, until a petition filed in court is heard and determined.
Justice Lawrence Mugambi on Wednesday, October 22, 2025, issued a conservatory order blocking the enforcement and operation of Section 27(1)(b), (c) and (2) of the Computer Misuse and Cybercrimes (Amendment) Act, 2024.
“Pending the hearing and determination of this application, a conservatory order is hereby issued suspending the enforcement, implementation, and operation of Section 27(1)(b), (c), and (2) of the Computer Misuse and Cybercrimes (Amendment) Act, 2025,” Justice Mugambi directed.
The conservatory order comes after a petition was filed by musician Reuben Kigame and the Kenya Human Rights Commission (KHRC) on Tuesday, October 21, 2025, challenging the signing of the amended Cybercrimes Act, 2024, by President Ruto.
According to the two petitioners, the signed law contravenes the Constitution and specifically undermines and dilutes the carefully established provisions of the Data Protection Act (DPA).
“The impugned amendment introduces provisions that are unconstitutional and create a direct conflict with the Data Protection Act (DPA),” the petitioners state.
“The Criminalisation of ‘False, Misleading, and Mischievous’ Information: This vague and overbroad offence chills freedom of expression and lacks the precision required by law,” the petitioners add.
Further, they argue that the mandatory verification of social media accounts in the signed law forces all social media users to link their online identities to their government-issued legal names.
Notably, they state that the amended law exposes social media users’ data, thus diluting the data protection framework, and creates parallel, overlapping, and less rigorous procedures for data access and handling, thereby undermining the core objective of the Data Protection Act (DPA).
In addition, they state that the legislative conflict creates legal uncertainty and severely dilutes the protections Kenyans were granted under the DPA.
“The amendments are overly vague, ambiguous, and overbroad, lacking in specificity and clarity in that the Act does not provide any specific and unambiguous definitions and/or meaning in utter contravention of Article 24 (2) of the Constitution,” part of the petition read.
The petitioners now want the court to declare the provisions of the Computer Misuse and Cybercrimes (Amendment) Act, 2024, inconsistent with Articles 10, 24, 33, 34, 35, 36 and 47 of the Constitution and are therefore null and void.
Further, they want the court to declare that the provisions of the Computer Misuse and Cybercrimes (Amendment) Act, 2024, are inconsistent with Article 31 of the Constitution and Sections 25 and 27 of the Data Protection Act and are therefore null and void.
Judge Mugambi has directed that the application and submissions to the application be physically served within three days, and a return of service be filed.
Notably, he has directed that the responses and submissions to the application be filed and served within seven days from the date of service.
The matter will be mentioned on November 5, 2025, for further directions.
