For digital trade to occur, data has to be moved across borders. While data accumulation can be a safe and secure way to manage data, hoarding data without means to use, exchange, or repurpose in a safe manner can create underutilisation risks, which may decrease efficiency and diminish other benefits of digital trade. Cross border data flows are necessary for the realisation of the African single digital market.
In Part II of our series “Dissecting the African Union Data Policy Framework”, we will explore the cross border data regimes and recommendations proposed under the Framework.
In recognition of the varied classes of data that crosses borders, the Framework has proposed three data governance regimes to aid policymakers with deciding the best approach to follow in the context of their sovereign and development priorities.
Choosing one stylised cross-border data protection regime over another should strike a balance between promoting equitable economic development and providing adequate data protection safeguards. Member States need to understand the economic effects of different cross-border data governance regimes based on their economic realities and development priorities
The Framework makes the following assumptions for the proposed cross border transfer regimes to operate:
- Interoperable data systems and infrastructure across AU member states.
- Human, technical and institutional capacity to create value from data.
- Strong preconditions (enablers) to leverage the data-driven digital economy.
- Data subjects with digital capabilities to provide consent.
- International collaboration and geopolitical influence to enforce ex-ante conditions.
The following are the data transfer regimes identified in the Framework.
- Open transfer regime – A relatively low a priori mandatory approval requirements, and voluntary private sector industry standards inform the free movement of data (eg. USA, APEC)
- Minimal regulatory burden allows for the greatest flexibility in the movement of data.
- Most suitable for digital services trade and data value creation.
- Privacy is a consumer right
- Risks of proliferation of standards across firms and jurisdictions, without guaranteeing any minimum standard for personal data protection.
- Requires technical human, and institutional capacity to monitor private firms and exercise accountability.
- Limited data subject rights e.g. no consent required before data subjected to transfer across borders.
- Conditional transfers regime- Consensus based transfers of data informed by established regulatory data safeguards and overarching regulatory guidance from data protection authorities or international agreements (eg. GDPR).
- Offers more balance between data protection and the need for openness of data transfer for value creation.
- Encourages establishment of a domestic data processing authority (DPA).
- Clear guidelines and mandatory regulatory safeguards that once met allow for the free flow of cross-border data.
- Based on strong data subject rights.
- Certain conditions need to be fulfilled ex-ante.
- Can perpetuate compliance burdens and digital trade bottlenecks.
- Limited transfer model – Cross-border data flows are conditional based on government approval and localization requirements for domestic storage or processing of data (eg. China, Russia).
- Based on strong national security and public data control imperatives
- Stringent regulatory approval for international data transfers and may require explicit or implied data localization and mandatory storage
The Framework has proposed to facilitate data circulation across sectors and cross borders by developing a Common Data Categorisation and Sharing Framework that considers the broad types of data and their different levels of privacy and security.
In addition, the Framework proposes that national authorities in charge of personal data protection of AU members work in close collaboration, with the support of the African Network of Authorities (RAPDP), to establish a coordination mechanism and body that oversees the transfer of personal data within the continent and ensures compliance with existing laws and rules governing data and information security at national level.
Based on the above recommendations, AU member states that are due to ratify the Malabo Convention will be encouraged to adopt an open transfer regime for non-personal data while adopting a conditional transfer regime for personal data based on continental standards that are mutually agreed upon.
Kenya’s Cross Border data transfer regime in light of the AU data policy framework
Ratification of the AU Malabo Convention (Convention on Cyber Security and Personal Data Protection) remains a key milestone Kenya has yet to attain as it joins fellow AU members in their journey to standardise data protection and transfer regimes across the continent. This is despite the Data Protection (General) Regulations passed in March 2022 permitting transfer of personal data to countries that have ratified the Malabo Convention.
The Convention creates continental obligations and standards concerning:
- Electronic transaction laws
- Personal Data Protection laws including
- Institutional frameworks for protecting personal data including the status, composition and organisation of National Personal Data Protection Authorities
- Obligations relating to conditions governing personal data processing
- Data Subject Rights
- A legal framework that promotes cybersecurity and combats cybercrime:
- Cybersecurity measures to be taken at a national level;
- Classifies cybercrime offences that need to be legislated at the national level.
Kenya has cyberspace legislation in the above legal domains already enacted in applicable. However, with increased ratification of the Malabo Convention, Kenya’s ICT policymakers should anticipate the need to amend the current legal framework to ensure that it is in harmony with the continental standard.
Kenya’s commitment to intra-African cooperation will, before all else, be demonstrated through ratification of the Malabo Convention. In the interim, Kenya should consider concluding reciprocal (bilateral) data protection agreements with key trading partners as it settles its broader international and regional treaty framework position. This should entail encouraging AU member states to avoid stringent data localisation requirements and take an active role in promoting free flow of non-personal data.