Kenya, following the enactment of the Data Protection Act 2019 (DPA), has adopted a restrictive principle on International Personal Data Transfers (IPDT). Part VI of DPA obligates data controllers or processors that intend on conducting IPDTs to provide evidence of appropriate safeguards, as well as submit proof that the recipient countries possess commensurate data protection laws.
The rationale for the implementation of an IPDT regulation arises from the realisation that it is pointless to establish a framework to protect personal data if those protections could be effectively circumvented by simply moving the data of the people it was designed to protect to another jurisdiction.
However, there is a concerning lack of clear and sufficient regulations, as exemplified by the newly proposed draft General Regulation, which fails to provide a comprehensive supplementary IPDT framework to Part VI DPA. Furthermore, the ODPC has not conducted assessments on foreign jurisdictions, nor declared the minimum principles and characteristics of data protection laws that need to be satisfied when determining the adequacy of foreign data protection legislation. The lack of clear guidelines and criteria on lawful IPDTs enables organisations to flagrantly conduct cross border data transfers without concern for their data subjects and the possible violation of their privacy-related rights in foreign jurisdictions.
The paper, which is the extension of this blog, develops and proposes an evaluation criterion that shall be relied upon by the ODPC when determining the adequacy or proportionality of a foreign jurisdiction’s data protection laws in relation to the DPA.
The DPA expressly provides that it shall ensure that the processing of personal data of a data subject is guided by the principles set out in section 25. Section 25(h) states that organisations must ensure that personal data is not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject. The significance of the inclusion of conditional IPDTs as a guiding principle to the DPA should not be considered a mere coincidence, as it attempts to address the mischief of circumventing obligations created under the DPA by transferring personal data to a more favourable or a deficiently regulated jurisdiction. The provisions of section 25(h) induced and influenced the provisions of the Part VI DPA on the ‘transfer of personal data outside Kenya’. The focus of the paper will be on the conditions under which voluminous and regular IPDTs are conducted, namely the Appropriate safeguard condition and the Adequate data regulation condition enshrined under Section 48(a) and Section 48(b) of the DPA.
The Kenyan IPDT framework does not establish a concise hierarchy of the conditions that may be used to conduct IPDTs. These conditions are, for the most part, consistent with the IPDT provisions of the GDPR. It is on this basis that the paper borrows elements from the GDPR’s IPDT framework in an attempt to address the inadequacies of the current Kenyan IPDT framework and establish a more definitive structure that may be relied upon to engage in lawful cross border data transfers.
The paper shall briefly examine the global IPDT frameworks that are currently adopted and relied upon to determine the legality of IPDTs. The frameworks identified shall assist in supplementing the inadequacies of the DPA’s IPDT provision. More specifically, the paper shall refer to the General Data Protection Regulation (GDPR), its Recitals and guiding documentation, the Asia Pacific Economic Cooperation, Cross Border Privacy Rules (APEC CBPR) and OECD: 1980 Regulations and Revised and Updated Regulations on Protection of Privacy and Transport Flows of Personal Data. The identified frameworks shall inform the evaluation criterion and appropriate safeguards to be relied upon when conducting IPDTs as per Part VI DPA. In addition, the paper succinctly explores the need for the Kenyan IPDT framework to develop mechanisms enabling International Cooperation, Coordination, and Implementation of cross border transfers of personal data between the ODPC and foreign data protection supervisory authorities. Finally, the paper concisely develops an argument for the development of a more robust set of exemptions that permit data exporters to circumvent the Appropriate safeguard condition and the Adequate data regulation condition for conducting IPDTs.
In a nutshell, the paper advocates for the development of a more comprehensive Kenyan IPDT framework based on the current foundation created by Part VI DPA. What is mostly learned from the conducted comparative analysis is the derivation of content and procedural principles, which are simultaneously present within the DPA and global IPDT frameworks. The authors also note that the adequacy guidelines reiterate that the data protection concepts do not have to mirror the GDPR terminology, but should reflect and be consistent with the concepts enshrined in the European data protection law. The ODPC may adopt a similar methodology, and evaluate a recipient’s data protection framework for synonymous concepts expressly defined under Section 2 of the DPA. Evaluation of the data protection concepts should not be limited to the DPA, alternatively, it should be inclusive of concepts furnished under subsequent regulations developed to supplement the DPA.
Amrit Labhuram is a Data Protection Lawyer and Research Assistant who works on Data Governance and International Personal Data Transfer research at CIPIT. He is currently pursuing certifications to be a globally recognised Data Protection Officer under the IAPP.
Micheal Butera is a Research Intern at CIPIT. He is currently working on a Data Localisation research project.
 Data Protection Act (Act No. 24 of 2019) -<https://www.odpc.go.ke/download/kenya-gazette-data-protection-act-2019/#> on 12 July 2021.
 Phillips M, ‘International data-sharing norms: from the OECD to the General Data Protection Regulation (GDPR)’ Human Genetics, 2018, 575-<International data-sharing norms: from the OECD to the General Data Protection Regulation (GDPR) | SpringerLink> on 12 July 2021.
 Data Protection (General) Regulations, 2021 -<https://www.odpc.go.ke/wp-content/uploads/2021/04/Data-Protection-General-regulations.pdf> on 12 July 2021.
 Section 3(b), Data Protection Act (Act No. 24 of 2019).