Lifting the veil of ambiguity around transfers of personal data outside Kenya – the 2022 version of the draft Data Protection (General) Regulations
In an increasingly globalised world, consequential and integral to international trade is the flow of data. More than ever, for-profit organizations are expanding the scope of their operations across the globe to access new and larger markets or to capitalize on lenient tax regimes. Correspondingly, more personal data is transferred across jurisdictions in the pursuit of facilitating and enhancing economic activities of organisations.
The increased flow of data across borders has coincided with an increased enactment of legislation preventing the free flow of personal data across borders. This has mainly been attributed to the government’s concerns over the security of its citizen’s data.
The rationale for the implementation of an International Personal Data Transfer (IPDT) regulation arises from the realisation that it is pointless to establish a framework to protect personal data if those protections could be effectively circumvented by simply moving the data of the people it was designed to protect to another jurisdiction with weaker laws or enforcement.
The Kenyan Data Protection Act of 2019 bears striking similarities to the European Union’s General Data Protection Regulation (GDPR). The imitation of GDPR based provisions was further emulated in the first version of Kenya’s draft Data Protection General Regulations (General Regulations) released in March 2021.
The 2021 draft General Regulations adoption of cross border provisions reciprocal to those in the GDPR can be attributed to Kenya’s strong trade ties within the EU Bloc. Between 2014 and 2019, trade between Kenya and the EU has totalled approximately $2.8 billion, with projections indicating an expected increase in bilateral trade into the foreseeable future.
However, the IPDT provisions in the 2021 version of draft General Regulations were ambiguous, cumbersome and inconsistent with the parent legislation. As such, the latest draft of the General Regulations, gazetted on 14th January 2022, has sought to address the inadequacies of the 2021 draft through the following additions.
Latest amendments to the draft General Regulations provisions on IPDTs
General principles for transfers of personal data out of the country
The regulations have established the four bases for transferring personal data outside Kenya. These four measures are:
- appropriate data protection safeguards;
- an adequacy decision made by the Data Commissioner;
- transfer as a necessity; or
- consent of the data subject.
Transfers on the basis of appropriate safeguards
The general regulations have sought to expand on what are appropriate safeguards in the context of a cross border data transfer. As such, personal data can be transferred abroad if a legal instrument, such as a contract, is utilised to bind the recipient of personal data to ensure a level of protection essentially equivalent to the Data Protection Act 2019. Prior to the use of the legal instrument, the transferring entity must conduct due diligence to ensure that the recipient actually has the appropriate safeguards in place, as accountability for any data mishaps remain with the transferring entity.
Furthermore, the general regulations clarify that a transfer based on appropriate safeguards is valid if the recipient country or entity has –
- ratified the African Union Convention on Cyber Security and Personal Data Protection;
- a reciprocal data protection agreement/ treaty with Kenya; or
- contractual binding corporate rules (BCRs) – BCRs are legally binding data protection policies enforced by every member of a group of undertakings or enterprises engaged in a joint economic activity across multiple jurisdictions. The BCRs ensure a standardized and privacy conscious method for transferring data between entities of the same organization
Transfers on the basis of an adequacy decision
An adequacy decision exists when the Office of the Data Protection Commissioner (ODPC) has determined that the data protection framework of another country is proportional to Kenya’s data protection framework. The ODPC till date has not issued any adequacy decisions, therefore it is currently not a viable means for transferring personal data outside Kenya.
Transfers on the basis of necessity
The General Regulations have explicitly stated that transfers on the basis of necessity are to be applied restrictively, and do not constitute a basis for conducting voluminous transfers abroad. Reliance on this IPDT base is predicated upon demonstrating why the transfer is necessary in line with the provisions of Section 48(c) of the Data Protection Act. Furthermore, the rights of a data subject should not
Transfers based on consent
The General Regulations permit transfers based on the consent of a data subject only in the absence of an adequacy decision, appropriate safeguards, or prerequisites for transfer as a necessity (briefly discussed above). However, a transferring entity has the increased obligation to prove that the data subject has explicitly consented to the transfer and is reasonably informed of the possible risks of such transfers.
Subsequent transfers
Transfers of personal data outside Kenya are agreed upon between the parties to the transfer. As such, the 2020 General Regulations have introduced a provision preventing the onward transfer of data that was not previously contemplated between parties to the transfer. Therefore, a recipient of transferred data must seek approval from the transferring entity or the ODPC prior to conducting onward transfers.
The 2022 draft Data Protection General Regulations are due to be tabled before the National Assembly delegated legislation committee for further deliberation.