By Cristalia Laing
Abstract
Nigeria and Kenya are the among the first African states to develop legislative frameworks that address the rise in cyberthreats. While innovative, they have been documented to have implementation gaps that weaken state protection of free expression, privacy, and other civil liberties. This paper is a comparative analysis of Kenya and Nigeria’s cybersecurity governance structures. It examines how both states navigate the persistent tension between balancing national security strategies and international human rights norms. Well-developed policies have become imperative to maintaining national security, as Interpol reported that cybercrime accounted for more than 30 percent of all reported crimes in Western and Eastern Africa.[1] While both countries have adopted policies, there remain exploitable gaps as demonstrated by Richards and Eboibi in their article detailing the ramifications of lacking cybercrime legal frameworks in Africa’s sub-region.[2] Drawing on international norms set by the UN regarding human rights to free expression, privacy, the right to assemble and public dissent, this paper highlights the shared gaps within Kenya and Nigeria’s legislative cybergovernance strategy, and their differing approaches of abiding to global human rights standards.
Introduction
Kenya and Nigeria are emerging regional powers in cyberspace. Kenya is a regional leader in e-governance whilst Nigeria hosts rapid growth in commercial sectors on the continent.[3] Kenya and Nigeria have begun investing in infrastructure that addresses rising vulnerabilities in government systems, education, and international communication.[4] New developments relevant to their pursuit of a nationally secure cyberspace, however, conflict with human rights standards articulated by the UN Charter, customary international law, international humanitarian law, and international human rights law.[5] In this way, Kenya and Nigeria’s cybersecurity policies remain incompatible with international human rights norms surrounding freedom of expression, state surveillance, and data protection.
The primary cybergovernance challenges Kenya and Nigeria face include but are not limited to weak policy implementation, disinformation, and cybercrime. In response, both states have made legislative attempts to strengthen their cybersecurity frameworks. Kenya has made efforts to integrate international human rights norms into regulatory coordination by enacting laws like the Data Protection Act[6] and the Access to Information Act.[7] These acts hold government institutions accountable for strengthening public trust across national and local institutions. The Access to Information Act was proposed to ensure that public institutions disclose information unless there is a justified reason to not do so that is legally backed. Similarly, the Data Protection Act reaffirms that personal data is not collected, misused or shared to protect personal data. Likewise, Nigeria has developed broad regulations and institutions, like the Nigerian Data Protection Commission (NDPC), in recent years that have also gained public praise, both nations struggle to address under sourcing of institutions and low public awareness. These issues emphasize the struggles that Kenya and Nigeria’s have surrounding implementation and lack of address to state infringement on privacy, free speech, as well as broader civil liberties that threaten the credibility of contemporary policies.
Kenya and Nigeria sit in comparable positions as emerging regional powers in cybersecurity, as well as competitors who are shaping the regional balance of digital power. As they shape their regulatory systems, they diverge in their enforcement and approach to drafting policy. This blog highlights how differing governance models shape the cybersecurity dynamics in Sub-Saharan Africa. By examining Kenya’s coordination strategies in comparison to Nigeria’s simpler policy approach, this blog aims to highlight the consequences of these decisions on citizens’ freedoms, digital privacy, and trust in governmental institutions. Kenya and Nigeria’s struggles to implement policy reveal the tradeoff between national security and humanitarian freedom as digital powers are stabilized in the region. These tradeoffs hold implications for freedom of expression, privacy, and other civil liberties that are critical to the balance of state power in these regions.
Existing Measures and Literature
The growing integration of developing nations into supply chains through globalization creates unique challenges to states such as Kenya and Nigeria as they seek to fulfill globalized interactions. This shift is constrained by evolving cyberthreats that have detrimental impact, attributed to a lack of preparedness and sophisticated cyber technology. Kenya’s first comprehensive national security strategy emerged in 2014, while Nigeria’s first was integrated in 2015.[8] In 2011, Western African nations developed the ECOWAS cybercrime directive. It was intended to function as a legal structure that would guide the regulation of cyber activities in West.[9] This guideline prioritizes Substantive Criminal Law, Procedural Law, and Judicial Cooperation. Substantive Criminal Law. It primarily identified criminal acts such as illegal access to computer systems, child pornography, and computer interference.[10] Procedural Law is more limited, as the instruments provided by this directive are solely related to search and seizure. These laws are regarded as extremely vague, since many governments do not have the sophisticated instruments required for cybercrime investigations. Judicial cooperation is limited to a single, vague provision, with its purpose being to establish a minimum standard for member states, not to enforce a binding procedure for international cooperation.[11]
Existing literature on cybersecurity policies in developing countries highlights the growing concern for expanding digital innovation and how the reshape of state power influences civil liberties. Emphasized is a common tension: while African states are strengthening cybersecurity frameworks to address rising cyber threats, the frameworks often overstep the boundary of state surveillance.[12] The progress within this framework adaptation is significant, and while Kenya’s Data Protection Act of 2019[13] and Nigeria’s Data Protection Act of 2023[14] are regional legislative milestones, they still struggle to fall in line with international humanitarian norms like free speech and the right to privacy.
A primary challenge for Kenya and Nigeria to upholding humanitarian norms occurs at the implementation level of the policy process. The Office of Data Protection Commissioner (ODPC) in Kenya offers a higher level of autonomy for users to prevent political interference, because the Kenyan DPA has provisions that grant the office financial independence and legal protections. This allows the ODPC to conduct legislative mandates without the fear of political refutation.[15] Conversely, the Nigerian Data Protection Commission (NDPC) naturally operates in a much more politically charged climate, making legislative autonomy more complex. While it was formally independent, Nigeria’s commission now reports to a council, inherently reducing its autonomy due to its subjection to greater political influence. This political environment makes independent regulatory authority harder to maintain.[16] This is a substantive threat to online civil liberties.
Online freedom in Kenya remains vulnerable due to restrictive state practices such as content removal, state monitoring, and the criminalization of dissent. Rates of journalists and human rights advocates being arrested, intimidated, kidnapped, and killed for free expression continue to rise under this sphere.[17] This escalation is further emphasized as Kenya proposed new laws to further criminalize online speech and assembly. These include:
“(i) a bill to amend the Cybercrimes Act, which would make cyber harassment a crime; (ii) the Kenya Assembly and Demonstrations Bill, which aims to regulate assemblies on the nebulous grounds of “public safety” and “public order”; and (iii) the Public Fundraising Appeals Bill, 2024, which intends to restrict public fundraising, including online fundraising by requiring permits.”[18]
Similarly, the Nigerian government has been accused of using Section 24 of the Cybercrime (Prohibition, Prevention, etc.) Act, 2015,[19] to wrongfully arrest, detain, and prosecute journalists, writers, and activists. The ECOWAS Court of Justice had ordered that Nigeria amend or repeal this section, because it violates freedom of expression according to the African Charter on Human and Peoples’ Rights.[20] A legal analysis of this case explains the section as such:
“Section 24 is not a creation of law, it is not pursuing a legitimate purpose, it is reasonably unjustified being not a necessary or proportionate restriction on the right to freedom of expression, and it includes words that are not defined by the Act e.g. ‘grossly offensive’ hence overbroad and ambiguous.”[21]
While this policy has been contested in court via Okedara v. Attorney General, the Court of Appeal upheld Section 24(1), finding it sufficiently precise and not infringing freedom of speech under Nigeria’s constitution.[22] Like Nigeria, Kenya’s section 22 of the Computer Misuse and Cybercrimes Act, 2018 (CMCA) criminalizes “false, misleading, or fictitious data, with imprisonment consequently.[23] These provisions have led to heavy criticism from international governance for vague definitions that can and have been applied to dissenting speech or political commentary.
Comparative Analysis
Kenya and Nigeria both have adopted comprehensive cybersecurity protections, and these legal developments reflect the increasing prioritization of strengthening state capacity to detect, prosecute, and prevent cybercrime. Comparatively, CMCA criminalizes offenses such as unauthorized access (Sec. 14), illegal devices (Sec. 18), and phishing (Sec. 30),[24] while Nigeria’s Cybercrimes (Prohibition, Prevention, etc.) Act of 2015 covers hacking, identity theft, cyberstalking, and phishing.[25] Both countries also created working institutions that mean to coordinate cybersecurity strategies, like Kenya’s National Computer and Cybercrimes Coordination Committee (NCCCC) and Nigeria’s Nigeria Data Protection Commission (NDPC) under the Data Protection Act 2023. Therefore, both countries utilize state-led approaches to enforce cybercrime suppression through policy work.
In relation to international human rights and cybersecurity standards, both countries face pitfalls in diverse ways. In Kenya,
“[The] Kenyan Cybercrimes Act adopts a punitive and slipshod approach to drafting criminal offences. It has embraced such an excess of zeal in criminalizing actions that it overlooks the duplication of offences. With a few notable exceptions, the Act gives insufficient attention to the imperative of legal certainty by failing to specify the key elements of specific intent and the degree of harm.”[26]
The overexpansion of criminalization standards in Kenya heightens the risk of state overreach, especially in areas that discuss freedom of expression and privacy. Conversely, Nigeria encounters similar challenges but within a separate policy pathway. Nigeria Data Protection Act (NDPA)[27] demonstrates Nigeria’s attempts to align with international cyberspace standards, most particularly the General Data Protection Regulation EU (GDPR) which comes with its own pitfalls.
“Although the NDPA was presented as a solution towards a robust data privacy framework, it was of limited force. It was a mere guideline rather than a formalized legal; [and] furthermore, the absence of a formalized institutionalized structure for privacy enforcement brought about resistance based on a lack of statutory powers and capacity to implement the NDPR.”[28]
The NDPA mirrors the GDPR in material aspects, but its provisions often suffer adaptation problems because the provisions are not developed to fit with the context of Nigeria’s institutional capacity or socio-political environment.[29]
Conclusion
Together, both Kenya’s and Nigeria’s struggles to efficiently install these standards into their institutions reflect how both states struggle to balance cybersecurity imperatives with international human rights standards. The lessons that can be taken away from these attempts are essential for guiding the structures of cybersecurity regulations. First, the case of Kenya illustrates that clarity in legislation is essential. Provisions criminalizing “false information”, “offensive content”, or the vaguely mentioned “unlawful activities” create difficulties in enforcement and carrying out these laws. The law governing digital spaces must be clear, precise, and able to be carried out without questioning whether an act applies to the provision.
Second, both countries show that independent oversight is critical for implementing legal rights. Nigeria’s NDPC, formed under the NDPA, represents a promising model, but one that will be dependent on funding, technical expertise, and complete isolation from political influence. Kenya, having a more limited supervisory structure, enforces the need to strengthen their independent oversight strategies. Lastly, both countries struggle to balance security objectives with safeguards. To prevent overstep from the state, enforcement and drafting need to be balanced within transparency, judicial review, and warrant requirements for arrests and detainment. Without this, currently broad cybercrime laws can easily be repurposed into surveillance and/or suppression. Courts in both Kenya and Nigeria have proven essential in checking and preventing executive overreach.
Kenya and Nigeria situate themselves into governmental overstep as a trade-off for better cyber-security protection. Governmental overstep is a hole that many developing nations fall into as they realize that simply inputting international and regional standards into state practice without much change is insufficient. While Nigeria’s GDPR-influenced NDPA and Kenya’s consistent inspiration from AU and Commonwealth cyber norms are a good start, simply aligning their structure does not address their own political, institutional, and socioeconomic realities. Without using these structures and changing them to fit within their own societal context, they risk formal compliance without human rights protection.
References
Adewopo, Victor A., Sylvia Worlali Azumah, Mustapha Awinsongya Yakubu, Emmanuel Kojo Gyamfi, Murat Ozer, and Nelly Elsayed. “Comprehensive Analytical Review of Cybercrime and Cyber Policy in West Africa.” Journal of Electrical Systems and Information Technology 12, no. 1 (2025): 20. https://doi.org/10.1186/s43067-025-00216-x.
(APC), Association for Progressive Communications and Kenya ICT Action Network Published by Association for Progressive Communications. “Human Rights in the Digital Context in Kenya: Summary of the Submission by APC and KICTANet to the 49th Session of the Universal Periodic Review at the UN Human Rights Council.” January 16, 2025. https://www.apc.org/en/pubs/human-rights-digital-context-kenya-summary-submission-apc-and-kictanet-49th-session-universal.
Babalola, Olumide. “The GDPR-Styled Nigeria Data Protection Act 2023 and the Reverberations of a Legal Transplant.” SSRN Electronic Journal, ahead of print, 2024. https://doi.org/10.2139/ssrn.4786872.
Cybercrime Africa Cyberthreat Assessment Report. n.d.
Digital, Global Partners. “Law Restricting Disinformation in Sub-Saharan Africa: Impacts of Their Enforcement.” LEXCOTA, September 18, 2023. https://www.gp-digital.org/wp-content/uploads/2023/09/PB2_final_EN_.pdf.
(ECOWAS), Economic Community of West African States. “ECOWAS Fighting Cybercrime.” Preprint, 2011.
Expression, Columbia Global Freedom of. “Solomon Okedara v. Attorney General.” Preprint, February 28, 2019. https://globalfreedomofexpression.columbia.edu/wp-content/uploads/2018/02/SOLOMON-OKEDARA-V-ATTORNEY-GENERAL-OF-THE-FEDERATION-section-24.pdf.
Gercke, Marco. UNDERSTANDING CYBERCRIME :A GUIDE FOR DEVELOPING COUNTRIES. 2021. https://www.itu.int/ITU-D/cyb/cybersecurity/docs/ITU_Guide_A5_12072011.pdf.
Juma, Isaac, and Bukola Faturoti. “Enforcing Data Privacy in Kenya and Nigeria: Towards an African Approach to Regulatory Practice.” International Review of Law, Computers & Technology ahead-of-print, no. ahead-of-print (2025): 1–26. https://doi.org/10.1080/13600869.2025.2506918.
Kenya, Government of. “National Cybersecurity Strategy 2022-2027.” 2022. https://nc4.go.ke/national-cybersecurity-strategy-2022-2027/.
Kenya, Republic of. “Access to Information Act.” Preprint, 2016. file:///C:/Users/crist/Downloads/Access%20to%20Information%20Act%20(1).pdf.
Kenya, The Republic of. “Computer Misuse and Cybercrimes Act.” Preprint, National Council for Law Reporting, 2018. http://kenyalaw.org/kl/fileadmin/pdfdownloads/Acts/ComputerMisuseandCybercrimesActNo5of2018.pdf.
Kenya, The Republic of. “Data Protection Act.” Preprint, 2019. https://www.kentrade.go.ke/wp-content/uploads/2022/09/Data-Protection-Act-1.pdf.
Muthembwa, Keziah. “Kenya’s Economy Exhibited Robust Growth in 2023 Despite Persistent Challenges.” World Bank Group, 2024. https://www.worldbank.org/en/news/press-release/2024/06/05/kenya-afe-economy-exhibited-robust-growth-in-2023-despite-persistent-challenges.
Nigeria, Federal Republic of. “CYBERCRIMES (PROHIBITION, PREVENTION, ETC) ACT.” Preprint, 2015.
Nigeria, Federal Republic of. National Cybersecurity Policy and Strategy. February 1, 2021.
Nigeria, Federal Republic of. “Nigeria Data Protection Act.” Preprint, 2023. https://placng.org/i/wp-content/uploads/2023/06/Nigeria-Data-Protection-Act-2023.pdf.
Stade, R. C. “CYBERSTALKING OFFENCE IN NIGERIA AND ECOWAS COURT ORDER FOR REPEAL: REVIEW OF THE INCORPORATED TRUSTEES OF LAWS AND RIGHTS AWARENESS INITIATIVES V. THE FEDERAL REPUBLIC OF NIGERIA.” The Muslim World 54, no. 2 (1964): 129–31. https://doi.org/10.1111/j.1478-1913.1964.tb00003.x.
YK, Brian Sang, and Ivan Sang. “A Comparative Review of Cybercrime Law in Kenya: Juxtaposing National Legislation with International Treaty Standards.” Commonwealth Cybercrime Journal, 2023, 60–83.
[1] Cybercrime Africa Cyberthreat Assessment Report, n.d.
[2] Richards and Eboibi, “African Governments and the Influence of Corruption.”
[3] Keziah Muthembwa, “Kenya’s Economy Exhibited Robust Growth in 2023 Despite Persistent Challenges,” World Bank Group, 2024, https://www.worldbank.org/en/news/press-release/2024/06/05/kenya-afe-economy-exhibited-robust-growth-in-2023-despite-persistent-challenges.
[4] Federal Republic of Nigeria, National Cybersecurity Policy and Strategy, February 1, 2021; Government of Kenya, “National Cybersecurity Strategy 2022-2027,” 2022, https://nc4.go.ke/national-cybersecurity-strategy-2022-2027/.
[5] Global Partners Digital, “Law Restricting Disinformation in Sub-Saharan Africa: Impacts of Their Enforcement,” LEXCOTA, September 18, 2023, https://www.gp-digital.org/wp-content/uploads/2023/09/PB2_final_EN_.pdf.
[6] The Republic of Kenya, “Data Protection Act,” preprint, 2019, https://www.kentrade.go.ke/wp-content/uploads/2022/09/Data-Protection-Act-1.pdf.
[7] Republic of Kenya, “Access to Information Act,” preprint, 2016, file:///C:/Users/crist/Downloads/Access%20to%20Information%20Act%20(1).pdf.
[8] Victor A. Adewopo et al., “Comprehensive Analytical Review of Cybercrime and Cyber Policy in West Africa,” Journal of Electrical Systems and Information Technology 12, no. 1 (2025): 20, https://doi.org/10.1186/s43067-025-00216-x.
[9] Economic Community of West African States (ECOWAS), “ECOWAS Fighting Cybercrime,” preprint, 2011.
[10] Marco Gercke, UNDERSTANDING CYBERCRIME :A GUIDE FOR DEVELOPING COUNTRIES (2021), https://www.itu.int/ITU-D/cyb/cybersecurity/docs/ITU_Guide_A5_12072011.pdf.
[11] Ibid.
[12] Isaac Juma and Bukola Faturoti, “Enforcing Data Privacy in Kenya and Nigeria: Towards an African Approach to Regulatory Practice,” International Review of Law, Computers & Technology ahead-of-print, no. ahead-of-print (2025): 1–26, https://doi.org/10.1080/13600869.2025.2506918.
[13] Kenya, “Data Protection Act.”
[14] Federal Republic of Nigeria, “Nigeria Data Protection Act,” preprint, 2023, https://placng.org/i/wp-content/uploads/2023/06/Nigeria-Data-Protection-Act-2023.pdf.
[15] Juma and Faturoti, “Enforcing Data Privacy in Kenya and Nigeria: Towards an African Approach to Regulatory Practice,” 17–18.
[16] Ibid., 18–19.
[17] Association for Progressive Communications and Kenya ICT Action Network Published by Association for Progressive Communications (APC), “Human Rights in the Digital Context in Kenya: Summary of the Submission by APC and KICTANet to the 49th Session of the Universal Periodic Review at the UN Human Rights Council,” January 16, 2025, https://www.apc.org/en/pubs/human-rights-digital-context-kenya-summary-submission-apc-and-kictanet-49th-session-universal.
[18] Ibid.
[19] Federal Republic of Nigeria, “CYBERCRIMES (PROHIBITION, PREVENTION, ETC) ACT,” preprint, 2015, sec. 24.
[20] Juma and Faturoti, “Enforcing Data Privacy in Kenya and Nigeria: Towards an African Approach to Regulatory Practice.”
[21] R. C. Stade, “CYBERSTALKING OFFENCE IN NIGERIA AND ECOWAS COURT ORDER FOR REPEAL: REVIEW OF THE INCORPORATED TRUSTEES OF LAWS AND RIGHTS AWARENESS INITIATIVES V. THE FEDERAL REPUBLIC OF NIGERIA,” The Muslim World 54, no. 2 (1964): 129–31, https://doi.org/10.1111/j.1478-1913.1964.tb00003.x.
[22] Columbia Global Freedom of Expression, “Solomon Okedara v. Attorney General,” preprint, February 28, 2019, https://globalfreedomofexpression.columbia.edu/wp-content/uploads/2018/02/SOLOMON-OKEDARA-V-ATTORNEY-GENERAL-OF-THE-FEDERATION-section-24.pdf.
[23] Republic of Kenya, “Computer Misuse and Cybercrimes Act,” preprint, National Council for Law Reporting, 2018, http://kenyalaw.org/kl/fileadmin/pdfdownloads/Acts/ComputerMisuseandCybercrimesActNo5of2018.pdf.
[24][24] Ibid.
[25] Nigeria, “CYBERCRIMES (PROHIBITION, PREVENTION, ETC) ACT.”
[26] Brian Sang YK and Ivan Sang, “A Comparative Review of Cybercrime Law in Kenya: Juxtaposing National Legislation with International Treaty Standards,” Commonwealth Cybercrime Journal, 2023, 60–83.
[27] Kenya, “Data Protection Act.”
[28] Juma and Faturoti, “Enforcing Data Privacy in Kenya and Nigeria: Towards an African Approach to Regulatory Practice.”
[29] Olumide Babalola, “The GDPR-Styled Nigeria Data Protection Act 2023 and the Reverberations of a Legal Transplant,” SSRN Electronic Journal, ahead of print, 2024, https://doi.org/10.2139/ssrn.4786872.