As part of the data protection measures in place, regulation of the free flow of personal data from the EU to other countries is heavily and deliberately regulated.
Countries that are not part of the EU (third countries) have relied on various methods to have free personal data flows from the EU to them.
A world without privacy is a dangerous one” warns Carissa Véliz in her book, Privacy is Power. She explores the relationship between privacy and power, and how it’s used by tech companies to “amass, wield and transform power in the digital age”.
As one of the remedies to the power exercised by tech companies, the EU through the General Data Protection Regulation (GDPR) has been at the forefront in its quest to ensure that personal data of EU residents is protected and is used for the right purpose(s).
As part of the data protection measures in place, regulation of the free flow of personal data from the EU to other countries is heavily and deliberately regulated.
Countries that are not part of the EU (third countries) have relied on various methods to have free personal data flows from the EU to them. One of them is the “adequacy decision” route.
In a 2019 legal opinion by the EU Advocate General, a third country will be granted an adequate decision by the EU Commission where it finds that the said country or territory ensures an adequate level of protection for personal data resulting from its domestic law or its international commitments.
Essentially, the protection in place is equivalent to that issued within the EU.
The UK, which was part of the EU up until January 31, 2020, with the transition period ending December 31, 2020, went back to the EU to seek for “an adequacy decision” in her favour which was granted on June 28, 2021 for a period of four years.
On August 26, 2021, the UK government through the Department for Digital, Culture, Media & Sport released a statement on its post-Brexit global data plans to boost growth, increase trade and improve healthcare.
In the statement, it listed countries which the UK would immediately prioritise in having in place “data adequacy partnerships”. They are the US, Australia, Republic of Korea, Singapore, the Dubai International Finance Centre and Colombia.
In the list of countries that are second in their priority, they have Kenya, India, Brazil and Indonesia, slated for “future partnerships”.
Further, as part of its strategy to get into adequacy partnerships, the UK recently launched their International Data Transfer Expert Council. The purpose of the council is to advise the UK government on new international data transfer tools and issue the UK government with practical feedback on implementation of international data transfer policy.
It is also part of the UK’s plan to remove unnecessary barriers to cross-border data follows. This will ensure that they realise benefits such as powering technological innovation, supporting scientific research among other reasons, in their quest to become “the world’s number one data destination”.
On January 28, 2022, Kenya signed a Joint Declaration on the Kenya-European Union Strategic Dialogue by Foreign Affairs Cabinet secretary Raychelle Omamo and the EU High Representative for Foreign Affairs and Security Policy, Josep Borrell.
The purpose of the declaration was to guide bilateral talks on a number of thematic areas with both security and trade being among them. Kenya’s place in trade through e-commerce cannot be ignored; the country is ranked seventh fastest-growing e-commerce in Africa, this is according to the UNCTAD B2C (Business-to-Consumer) E-Commerce Index, 2020.
It is important to note that the EU is yet to issue an adequacy decision for an African country despite 29 countries having data protection and data privacy laws (UNCTAD Data as at 14th December 2021).
Now that Kenya is in trade talks with both the UK and the EU, we should perhaps start thinking of pursuing an adequacy decision in our favour.
November 25, 2021, marked two years since the Data Protection Act (DPA) came into force. The first Data Protection Commissioner, Miss Immaculate Kassait assumed office on November 17, 2020.
Since she came into office, we have seen her attend various public fora as part of the general awareness of the implications of the DPA. Her office has published three draft regulations meant to give force to the Act.
The regulations which have already undergone public participation are soon expected to be in force. We have also seen some of the complaints to her office arising from suspected data breaches being shared with the public and have also seen her responses on the same.
The Office of the Data Protection Commissioner (ODPC) further launched its strategic plan with “Promoting data protection by design or default” as the overarching theme.
That said, we are yet to see the full implementation of the Act as the ODPC is yet to be fully operationalised. As a practitioner, I am convinced that full implementation of the Act will hand Kenya much-needed leverage in the current data economy.
Data protection and privacy laws have been deemed to be barriers to digital trade. And specifically, restricted cross-border data flows. One way to overcome this and give Kenya leverage is not just having the right laws in place, but having them implemented in their entirety. Adequacy actions through administrative fines needs to start.
This will not only ensure data controllers are compliant but also build on awareness on the area. Competition on privacy by data controllers and data processors will also take shape with the ultimate winner being the consumer.
Kenya having the key human resource ranging from data analysts to innovative software developers, will attract multinationals intending to outsource their data processing activities to individuals and companies based in Kenya.
This will spur employment, in addition to cementing Kenya as a destination for innovation. Kenya currently ranks 3rd out of 27 Sub-Saharan Economies featured in the 2021 Global Innovation Index by WIPO (World Intellectual Property Organisation).
Companies should therefore start thinking of developing Transfer Impact Assessments so as to ensure that a third country in which they want to transfer data, has sufficient safeguards.
They should concurrently factor in technical, contractual and organisational measures in place prior to the transfers. If not sufficient, the transfer(s) should then be prohibited.
In conclusion, I believe that once the DPA is fully implemented, Kenya can be among the first African countries to be granted an adequacy status by both the EU and the UK.
We should take advantage of the soon to begin bilateral trade negotiations between Kenya and the EU, which boasts of 27 countries.
PAYE Tax Calculator
Note: The results are not exact but very close to the actual.
