Kenya and the US recently initiated negotiations that will probably lead to a bilateral trade agreement. The trade talks have elicited mixed reactions, some believe that a trade deal will provide greater access for Kenyan goods and services in the US market while others posit that the deal will be a blow to Kenya’s agricultural and manufacturing sectors. While the different views on the negotiations have merit, I wish to highlight one key issue that may not feature much in the public domain, that is personal data transfers from Kenya to the US.

Not long ago, the European Court of Justice made a ruling on data transfers between the EU and the US (third countries). The decision popularly known as Schrems II centred on data subject rights. One of the key aspects of the decisions is that any personal data that is transferred from the EU to the US by commercial entities for commercial purpose fell within the GDPR framework. Secondly, the US should ensure that it has a concrete and comprehensive data protection regime with adequate provision for data subject rights. Third, data subjects must be provided with statutory redress on issues relating to their rights; that is there must be effective legal remedies in place. Fourth, that anyone transferring data outside the EU must ensure that the recipient of the data has put in place adequate data protection mechanisms like those provided for in the GDPR; in case of non- compliance, data transfer should be stopped. Fifth, US surveillance systems are a violation of privacy and data protection in reference to GDPR protections. The Schrems II  decision basically stops transfer of personal data from the EU to third countries to the extent that they do not comply with the above stated principles.

The Kenya Data Protection Act, 2019 has personal data transfer provisions that mirror the EU GDPR. Section 48 of the Act provides that a data controller or data processor may transfer personal data to another country only where the data controller or data processor has given proof to the Data Commissioner on the appropriate safeguards with respect to the security and protection of the personal data. Two, where the data controller or data processor has given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of personal data, and the appropriate safeguards including jurisdictions with commensurate data protection laws. Three, where the transfer is necessary for among other purposes,  the performance of a contract between the data subject and the data controller or data processor or implementation of pre-contractual measures taken at the data subject’s request, for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another person, for any matter of public interest and for the establishment, exercise or defence of a legal claim.

Section 49 of the Act provides that the processing of sensitive personal data out of Kenya shall only be effected upon obtaining consent of a data subject and on obtaining confirmation of appropriate safeguards. The Section further provides that the Data Commissioner may request a person who transfers data to another country to demonstrate the effectiveness of the security safeguards or the existence of compelling legitimate interests.  Section 49 concludes by stating that the Data Commissioner may, to protect the rights and fundamental freedoms of data subjects, prohibit, suspend or subject the transfer to such conditions as may be determined.

In view of as Schrems II decision, Kenyans need to think hard about any data transfer provisions that may find their way into the Kenya-US trade agreements. The decision places the EU-GDPR at the centre of any personal data transfers; that is, the provisions of the GDPR trump agreement or policy that may be adopted by parties wishing to engage in personal data transfers. The decision also highlights the inadequacy of privacy and data protection laws in the US.

There are tens, perhaps hundreds of US multinationals that process personal data within Kenya and transfer the same to the US further processing or storage. These multinationals include social media companies who have for decades been engaging in surveillance capitalism. Shoshana Zuboff the author of ‘The Age of Surveillance Capitalism’ generally describes the concept of surveillance capitalism as  a market driven process where the commodity for sale is personal data, and the capture and production of this data relies on mass surveillance of the internet. The Cambridge Analytica scandal in the last general elections where personal data mined from Facebook was used for political micro-targeted messaging is an example of personal data transfers out of Kenya.

None of the social media companies have registered offices in Kenya. What this means is that their personal data processing operations are carried out of Kenyan borders. Thus, personal data transfers out of Kenya has been occurring without regulation. It is a wait and see situation to see whether the Data Commissioner will crack the whip on such data transfers in line with Sections 48 and 49 of the Data Protection Act, 2019. I am cautiously optimistic and I have stated as much in my recent article – ‘What awaits the Data Protection Commissioner’.

With the ongoing trade talks, Kenya should ensure compliance with among other laws the Data Protection Act especially in relation to data transfers to the US. The US data protection regime is wanting; thus, personal data transfers should not take place unless Sections 48 and 49 are fully complied with. Additionally, provisions of the resulting trade agreements must not result in a dilution of the above provisions. With the Data Protection Act, 2019 having similar guiding principles with the EU GDPR, the Schrems II decision provides a guide on what negotiators in the Kenya-US trade talks need to bear in mind.