Nine petitioners, eighteen respondents, and eight interested parties collide over a single amendment clause — and a website-blocking power nobody voted on.
On 6 November 2025, the High Court folded six separate petitions — filed by, among others, the Law Society of Kenya, the Kenya Human Rights Commission, ICJ-Kenya, Article 19 East Africa, and MP Babu Owino — into one consolidated challenge. Before the merits were even argued, the court had already suspended the most contentious phrase in the amendment: the words "is likely to cause them to commit suicide." That conservatory order is the reason this case has been watched so closely since last year, and it's worth understanding exactly what is — and isn't — being fought over.
Criminalises electronic communication that is "grossly offensive," causes "serious emotional distress," or is "likely to cause" the recipient to commit suicide. Petitioners say these are subjective, unmeasurable standards; a conviction carries up to Kshs 20 million in fines or 10 years' imprisonment.
Lets the National Computer and Cybercrimes Co-ordination Committee (NC4) restrict access to websites or apps linked to "unlawful activities," "religious extremism," or "cultism" — without a prior court order. This is the provision petitioners call administrative "prior restraint."
Criminalises "pornographic, immoral or sexually explicit content" online, which petitioners frame as unconstitutional moral paternalism reaching into private digital consumption.
Strip away the procedural noise and the fight comes down to two irreconcilable readings of the same words.
The State's entire res judicata defence rests on treating the 2025 amendment as old news. But petitioners point out the 2020 BAKE case tested the 2018 wording of Section 27 — the suicide clause, the NC4 blocking power, and the identity-verification dispute didn't exist yet. Courts generally can't be barred from reviewing a provision that wasn't even law the last time they looked. Whether Justice Nyaundi accepts that distinction is arguably the single most consequential threshold question in the entire case — more consequential, procedurally, than the vagueness arguments that dominate the headlines.
Here is the detail that separates a court filing from a headline. A central plank of the petitioners' privacy argument is that the amendment imposes mandatory identity verification for social media users — a surveillance risk to whistleblowers and activists.
The Data Protection Commissioner, joined as the 4th Interested Party, says that provision does not exist. In sworn testimony from John Walubengo, the Commissioner states that a textual review of the actual assented statute reveals no such identity-verification requirement anywhere in it. What the Act does contain are narrower cybersecurity definitions — of "access," "identity theft," and "virtual account" — which is a materially different thing from compelling every user to verify who they are.
That doesn't kill the petitioners' broader privacy case, but it means one of their most-quoted claims may be arguing against a law that isn't actually on the books. It's the kind of factual correction that only surfaces when someone reads the interested-party affidavits rather than the press statement.
Both sides reach for the same three constitutional tests, and how the court weighs them will decide the case far more than any single fact will:
Interested parties widened the lens further than either side alone: the Kenya National Commission on Human Rights argued that suicide-related harm needs a public health response, not criminalisation, and cited an ECOWAS ruling and European Court of Human Rights precedent treating internet access itself as a derivative right that arbitrary shutdowns impermissibly chill.
Beyond striking down individual clauses, the consolidated petition asks the court to go further than most cybercrime challenges typically do:
This record captures the introduction, the parties' full pleadings, and their written and oral submissions — the argument, not yet the outcome. The suicide-clause wording remains suspended under the November 2025 conservatory order while the court weighs its decision. Anyone citing a "ruling" on the substantive questions at this stage is getting ahead of the record.
Whichever way the court rules on Section 6(1)(ja) and the identity-verification question, the underlying compliance exposure for Kenyan businesses is already live: what data you collect, how you verify users, and what you're obliged to disclose if NC4 or the ODPC comes calling.
Muchangi Patrick & Co. Advocates advises boards, fintechs, and platforms on exactly this intersection — data protection compliance under Kenya's Data Protection Act, cybercrimes exposure, and how to respond if a regulator or law enforcement request lands on your desk. If this case affects how your business handles user data or content moderation, we can help you get ahead of it rather than react to it.