Ideas & Debate

How data transfer laws slow down digital trade


Port of Mombasa. FILE PHOTO | NMG

No transfer, no deal”, was the title of a 2014 report by the Swedish National Board of Trade. This followed a study on 15 data-transfer dependent companies. From the study it was evident that for these companies, trade was inconceivable without data being transferred.

For many people across the world, the Covid-19 pandemic has tilted lifestyles towards a more digital reality and arguably, the digital economy has helped the global machinery to continue grinding despite the catastrophic disruption.

Bar hangouts have become virtual parties and movie dates have become Netflix parties.

Satya Nadella, the CEO of Microsoft, posed recently: “We’ve seen two years’ worth of digital transformation in two months.”

Even before the outbreak of Covid-19, the influence of digital technology on import-export trade was growing and has played a significant role in increasing the total value of cross-border transactions from $5 million in 1990 to $30 trillion in 2014, according to the McKinsey Global Institute.

Whereas the possibilities of digital trade have been accelerated on account of the pandemic, we have to remain alive to the existing and developing barriers to digital trade.

Restrictions imposed by countries on the cross-border transfer of data is one of the barriers. In a world where it is increasingly difficult to ring-fence the digital economy, data flows across borders are becoming the bloodstream of cross-border trade.

Restrictions and limitations on data flows could be in the form of data localisation requirements, adequacy decisions as provided under the General Data Protection Regulation (GDPR) or the requirement to satisfy certain conditions before transferring data to a third country.

With GDPR, cross-border data transfers between EU countries and third world countries is unrestricted where an adequacy determination has been made, which means that such countries have been found to have appropriate data protection safeguards.

This is particularly problematic in the overall digital trade as the process of issuing the adequacy determination can be arguably unclear, with a country like Morocco still waiting for a determination having requested an adequacy decision over a decade ago in 2009.

Even more interesting, is that it is almost impossible that the EU will ever issue an adequacy decision in favour of China whose influence on the global economy cannot be ignored.

The GDPR approach EU is arguably centred on pushing countries to harmonise their outlook on privacy rather than prioritising keeping businesses accountable on personal data protection.

As a result, different regimes will enact their own data protection laws and require adherence by the residents of third countries, ending in a “spaghetti bowl” of regulations that will be tough to traverse.

Data localisation is another restriction to the cross-border transfer of data. Data localisation regimes usually involve two main types of requirements — localisation of data storage and localisation of data processing.

The former requires that certain or all personal data should be located within the national borders and the latter requires that specific activities relating to collected data should take place domestically.

These requirements are implemented by countries for various reasons including data security, protection of the right to privacy of citizens, protection from foreign governments’ access and easier access to data and control by government agencies.

In addition, countries implement such requirements to spur the setting up of domestic data infrastructure and creation of local jobs.

Most countries are yet to implement data localisation requirements, however some countries, such as China, Russia, Indonesia, Nigeria and Vietnam have them.

Data localisation requirements can lead to additional costs for businesses that depend on cross-border data transfers for their operations. For example, PayPal suspended its service in Turkey after its business licence was denied because of new localisation requirements which cost it $22 million in revenue and access to 20 million Turkish customers.


The difficulty of transferring data across borders due to data localisation further poses a threat to companies that require such data flows for customer identification, for effective anti-money laundering and fraud detection purposes and generally, for customer protection.

In Kenya, the barrier to free data flow is in the form of conditional cross-border data transfers.

The Data Protection Act, 2019 (DPA) sets out the principal provisions on cross-border data transfers and requires that a data controller or processor can only transfer personal data outside Kenya if they have given proof to the Data Commissioner on the appropriate safeguards or given proof of the appropriate safeguards with regard to security and protection of personal data .

This covers jurisdictions with commensurate data protection laws or if the transfer is necessary, for example contractual performance or defending a legal claim.

Restrictions and limitations of cross-border data transfers pose a barrier to the realisation of the optimal potential of digital trade.

Global economies need to identify common principles between their data protection regimes to enable mutual recognition of different frameworks across the different jurisdictions to eliminate barriers to cross-border data transfers.

Arnold is data protection compliance and commercial law practitioner; Alex is corporate and commercial lawyer