I&M Bank House, 7th Floor, 2nd Ngong Avenue

+254 716 209 673


IP & TMT ( Telecommunications, Media & Technology)

CM Advocates > IP & TMT ( Telecommunications, Media & Technology)

Our TMT team has an in-depth understanding of the framework for the regulation of the telecommunication sector and of the commercial and technological aspects of telecommunication, media and technology. We pride ourselves on our understanding of the sector, and place great emphasis on maintaining proximity to the industry, with our partners having worked in the sector at service provider levels. Through this proximity, we are able to anticipate and advise our clients on industry changes.

Our team regularly advises and represents local and international clients in a broad range of issues including but not limited to telecommunications law and regulatory practice, media law, internet and e-commerce transactional advice, financial technology (Fintech), legal advisory services, tax consulting, intellectual property advisory and protection and related matters.

We work with multi-media, telecommunications and web-based companies to navigate emerging intellectual property rights issues in new media and online technologies and assists entities with their online activities by crafting policies and agreements for use of the website, user generated content, and personal data, as well as formulating internal compliance procedures and audits relevant for these technologies.


We offer a full spectrum of legal advice on the licensing and regulation as well as transactional advice of telecommunication operators. We also advise them on, inter alia, on competition (anti-trust) law matters, gaming laws, mergers and acquisition, project financing, infrastructure sharing, taxation, employment matters, competition issues, intellectual property matters and dispute resolution.


The firm also has a wide experience in drafting agreements and contracts essential to the ordinary course of the telecommunication business including system and supply contracts, interconnection agreements, agreements for the sale, leasing and sharing of switches and other equipment, distribution agreements, branded Reseller/ Mobile Virtual Network Operator (MVNO) agreements, co-location and infrastructure sharing agreements, distributorship agreements, dealership agreements, franchising agreements, telephony service agreements, aggregator agreements, sponsorship agreements and cross-border mobile commerce agreements.


The Firm also advises private equity clients intending to invest in or purchase government-owned telecommunications companies in Kenya on a broad range of corporate, tax, regulatory, securities, intellectual property, competition, consumer protection regime and related issues that arise from such matters.

Media Law

We have practical experience on advising publishers, broadcasters, online content providers, outdoor advertising companies, reporters, film makers, authors, and other key players in the media industry on a wide range of contentious and non-contentions issues including but not limited to publishing rights, content acquisition, pre- publication rights clearance, intellectual property law matters, licensing and regulation matters, data management rights and privacy matters.


We have also been involved in drafting and review of publishing agreements, endorsements agreements, arts and music rights recording agreements, non-disclosure agreements, royalty agreements, non- competition agreements etc.


We also advise and provide representation to clients on contentious matters including libel and defamation, invasion of privacy and related claims.


Our firm provides strategic advice and guidance to help clients navigate the ever-changing technology market. We advise clients on a full spectrum of regulatory, transactional, compliance, legislative, taxation, corporate and financial transactions enforcement and litigation issues.


We have an unparalleled combination of experience in cutting- edge legal issues relating to information technology, financial technology, gaming and betting, internet and electronic commerce, life science and biomed (healthcare, medical and pharmaceutical inventions), and other technology intensive services.


Our range of services include; reviewing, drafting and negotiation on IP and ICT based agreements related, inter alia, to procurement, technology procurement, technology development, escrow arrangements, outsourcing, manufacturing, media, web, software, franchise, publishing, distribution, licensing, hosting, co-location, data and content management and service level agreements.


We also offer legal advice in relation to internet use (advertisement, e-commerce, sector-specific legislation in banking, insurance and medical care and other sectors). In relation to technology, the firm also offers legal advisory services on a full range area including: –


Fintech is the intersection of finance and technology and one of the most challenging and fastest-growing segments in the financial services sector. We provide our clients with innovative and strategic guidance in navigating through the legal and regulatory issues. We offer guidance in identifying opportunities, licensing requirements and preparations for compliance procedures.

We help our clients identify legal risks and understand the regulatory compliance issues within which their technologies operate.

Our fintech team comprises lawyers with expertise in various areas of law from tax, private equity, commercial, intellectual property, banking and finance, competition, data protection and cyber security, anti-money-laundering and anti-bribery, corporate governance, compliance and investigations. Our services include –

  • financial services regulations;
  • capital markets regulations;
  • debt and equity financing;
  • intellectual property;
  • data privacy and cyber security;
  • anti-money laundering and Know Your Customer (KYC) rules;
  • information technology;
  • legal compliance audits and remediation;
  • legal advisory on regulatory approvals and regulatory compliance;
  • lobbying for regulatory measures;
  • dispute resolution; and
  • competition and consumer protection.



In Kenya, there is no comprehensive law governing blockchain but there are various pieces of legislation that address different aspects of blockchain transactions. Nevertheless, Kenya is one of the leading countries in terms of cryptocurrency holdings and blockchain related technologies. At CM Advocates, we are ready to offer packaged solutions or separate tools that will help your business in the era of the rising blockchain world. We develop tailor made solutions specifically for each of our client’s requirements and we are always there to adapt to a rapidly changing and developing industry. Our field of expertise lies in areas of legal consulting, regulatory compliance and approvals, technology and intellectual property related matters.


Technology Procurement, Development & Licensing

Technology has evolved to become an essential part of many businesses. The evolution of technology has created opportunities and challenges in the same measure.

At CM Advocates, we assist clients on legal and commercial issues that arise in connection with the protection, acquisition, exploitation and use of technology related assets.

Our areas of focus include –

  • negotiation, development, drafting, review and implementation of technology development agreements, technology acquisition agreements, licensing agreements, joint ventures agreements, and other contractual agreements;
  • privacy policies and terms of use;
  • intellectual property;
  • e-commerce;
  • outsourcing;
  • procurement;
  • joint ventures;
  • technology transactions; and


FAQs On Data Protection

The Act provides for the registration of a data controller and data processor where an entity has an annual turnover of more than KES 5 million and employs more than ten (10) people. In addition, the Act and the subsequent Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 require the mandatory registration of a data controller or processor participating in the following activities:

  • canvassing political support among the electorate;
  • crime prevention and prosecution of offenders (including operating CCTV systems);
  • gambling;
  • operating an educational institution;
  • health administration and provision of patient care;
  • hospitality industry firms but excludes tour guides;
  • property management including the selling of land;
  • provision of financial services;
  • telecommunications network or service providers;
  • businesses that are wholly or mainly in direct marketing;
  • transport service firms (including online passenger hailing applications); and
  • businesses that process genetic data.

All persons processing personal data, whether previously or going-forward are required to be in compliance with the Act and its subsequent regulations. As such, all persons who have previously collected or processed personal data in any way will be required to ensure their processing is done in compliance with the Act. This means that such persons should ensure their obligations are performed effectively, such as ensuring they obtain the consent of the data subjects before any further processing, ensuring there are appropriate safeguards are in place, ensuring the data subjects are informed of their rights and purpose of processing, among other responsibilities.

The Act under Section 58 gives the ODPC the power to impose administrative fines for a failure to comply with any provision of this Act. The ODPC may impose a fine of up to KES. 5 million (approx. USD. 41,700) or, in the case of an undertaking, up to 1% of its annual turnover of the preceding financial year, whichever is lower.

In addition, there are further sanctions imposed on specific offences provided under the Act, including;

  1. Unlawful disclosure of personal data in a manner incompatible with the purpose for which the data was collected;
  2. Unlawful disclosure of personal data that the data processor processed without the prior authorization of the data controller;
  3. Obtaining access to personal data without the prior authorization of the data controller or processor holding the data;
  4. Disclosure of personal data to a third party without prior authorization by the data controller or processor holding the data;
  5. Sale of personal data obtained unlawfully. Advertising the sale of such data constitutes an offer to sell under this offence;
  6. Failure to register with the Office of the Data Commissioner as a data processor or controller;
  7. Provision of false or misleading information during the application process for registration as a data processor or controller; and
  8. Obstruction of the Office of the Data Commissioner during an investigation.

On conviction, an offence under the DPA carries a general penalty of a fine not exceeding KES. 3 million (USD. 30,000) or an imprisonment term not exceeding ten years, or both. In addition, obstruction of the Data Commissioner during an investigation is an offence liable to a fine not exceeding KES. 5 million (USD. 50,000) or imprisonment for a term not exceeding two years, or to both.

For the consent of a data subject to be deemed to be valid, the Act requires such consent to be “freely given, specific, unambiguous, express, explicit, unequivocal and informed indication of the data subject’s wishes” by which the said person signifies agreement to the processing of their personal data either by a statement verbally or in writing or by a clear affirmative action.

This is possible. A person can register both as a data controller and data processor where they are performing both functions as part of the nature of their operations.

The Act does not provide for a specific timeline within which one must get rid of personal data who’s intended purpose for processing has been achieved, as Act appreciates that the data is collected for different reasons. It only provides that one must retain personal data for a reasonable time and that one must not hold personal data where the data has accomplished the purpose for collection.
This means that the retention of personal data is based on the purpose and use attributed to it at the point of collection. As such, personal data relating to employees may be kept after the employee leaves the organization, only where there may be some use of such information thereafter, for instance, where required by law to retain information for a specific period of time. The Act mandates that one should keep information for “no longer than is necessary”, and for a legitimate purpose which must not be excessive. Ultimately, the retention of personal data for a reasonable time period after an employee leave will be determined on a case-to-case basis where the company/business would have to justify the period they require such information to be held. The emphasis is on the employer (as the data controller) to have systems/policies in place to determine how long the data should be retained and when records should be disposed off or destroyed.
Please note that there are various uses of an employee’s personal data, including when defending against a claim brought by the data subject (former employee). Among other things, you may be used to disprove details of their accusations or even serve as evidence that you complied with the law as an employer. A claim for unfair dismissal must be filed within a maximum of up to three (3) years after such dismissal (Section 90 of the Employment Act). For this reason, it’s would be justifiable to retain such information for a similar period.

× How can I help you?