Moving Data Beyond Borders


When President William Ruto met the European Commission’s Executive Vice-President for Tech Sovereignty, Security and Democracy, Henna Virkkunen, in Brussels, among the issues reportedly discussed was one that could fundamentally reshape Kenya’s digital future: the ongoing process towards a possible European Union adequacy decision in favour of Kenya. The discussions on adequacy relate to the safe movement of personal data between Kenya and the European Union. If successful, Kenya could become the first African country to secure an adequacy decision from the EU under the General Data Protection Regulation (GDPR).

As Kenya deepens its participation in the global digital economy, questions about how personal data can lawfully move outside the country become increasingly important. The Data Protection Act and the Data Protection (General) Regulations provide the legal framework within which such transfers may occur. The law establishes safeguards designed to ensure that the constitutional right to privacy does not disappear the moment personal data leaves Kenya.

Kenya’s Approach to Cross-Border Data Transfers

Kenya’s approach to international data transfers is both pragmatic and rights-based. The Data Protection Act permits personal data to be transferred outside Kenya where the data handler demonstrates that appropriate safeguards exist to protect the data and the rights of the data subject. The underlying principle is that the level of protection afforded to personal data should not diminish merely because the information crosses national borders.

This approach reflects the realities of a digital economy in which cloud computing, artificial intelligence, global outsourcing, digital finance and international research collaborations depend upon the lawful movement of information across jurisdictions.

Transfers Based on Adequacy Decisions

One of the simplest mechanisms for transferring personal data internationally is the adequacy determination.

An adequacy decision involves recognising that another country, territory or international organisation provides a level of data protection substantially similar to that available under Kenyan law. In making such assessments, factors including the rule of law, respect for human rights, the existence of independent supervisory authorities, effective enforcement mechanisms and accessible remedies for individuals may be considered.

The benefits of adequacy are significant. Organisations can transfer personal data without having to negotiate complex contractual safeguards for every transaction. This reduces compliance costs, enhances legal certainty and facilitates digital trade.

The Significance of Kenya–EU Adequacy Discussions

Kenya’s engagement with the European Union on adequacy carries enormous implications. An adequacy decision would permit European organisations to transfer personal data to Kenya without relying on additional mechanisms such as Standard Contractual Clauses. For Kenyan enterprises operating in business process outsourcing, financial technology, healthcare, cloud services, artificial intelligence and digital innovation, this would significantly reduce barriers to international business.

More importantly, adequacy would signal international confidence in Kenya’s data protection framework and the effectiveness of the Office of the Data Protection Commissioner. It would position Kenya as a trusted destination for digital investment and reinforce its ambition to become Africa’s leading technology and innovation hub.

Obtaining adequacy is not automatic. The European Commission assesses the robustness of domestic legislation, the independence and powers of supervisory authorities, safeguards against disproportionate state access to personal data, enforcement practices and the availability of effective judicial remedies.

Whether Kenya ultimately secures adequacy remains to be seen. However, the discussions themselves demonstrate that data protection has become a strategic economic issue rather than merely a compliance obligation.

Alternative Pathways for Cross-Border Data Transfers

Where adequacy is unavailable, Kenyan organisations may still transfer personal data through appropriate safeguards such as legally enforceable agreements that address confidentiality, security measures, onward transfers, breach notification and data subject rights. Multinational groups may also rely on Binding Corporate Rules to ensure consistent privacy standards across affiliated entities. These mechanisms help preserve protections equivalent to those required under Kenyan law.

The law further recognises that some transfers are necessary regardless of adequacy or contractual safeguards. Personal data may be transferred where required to perform a contract, implement pre-contractual measures, establish or defend legal claims, protect vital interests, or serve important public interests. This enables practical activities such as international travel, cross-border litigation and emergency medical treatment.

Personal data may also be transferred based on the data subject’s free, prior, and informed consent. Individuals should understand where their information is going, who will receive it and the risks involved. However, organisations should not rely on vague consent clauses as a substitute for sound data governance and meaningful choice.

Certification Schemes and Trusted Data Flows

Perhaps one of the most innovative aspects of Kenya’s framework is its recognition of certification mechanisms. Section 74 of the Data Protection Act empowers the Data Commissioner to develop codes, guidelines and certification schemes designed to promote compliance with data protection obligations.

Certification schemes function as trust marks. They provide assurance that an organisation has implemented recognised privacy safeguards and can handle personal data responsibly. For consumers, certification enhances confidence. For businesses, it offers demonstrable evidence of compliance. For regulators, it promotes accountability and encourages a culture of continuous improvement.

Certification may become particularly important in facilitating international transfers because it offers a practical means of establishing trust across jurisdictions.

Lessons from the APEC Cross-Border Privacy Rules

A useful example of certification in practice is the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) system, now administered through the Global CBPR Forum.

Unlike adequacy regimes that rely primarily on government recognition, the CBPR framework focuses on organisational accountability. Businesses voluntarily seek certification through independent accountability agents who assess compliance against agreed privacy standards.

Once certified, organisations may transfer personal data among participating economies with greater confidence and predictability. The CBPR framework is built upon principles including preventing harm, transparency, collection limitation, choice, security safeguards, access and correction, integrity and accountability. Importantly, the framework does not replace domestic privacy laws. Instead, it creates an interoperable mechanism through which different legal systems recognise shared commitments to responsible data stewardship.

There are important lessons for Kenya. Certification can complement statutory safeguards rather than replace them. Independent assessment can build confidence among international trading partners.

Regional Certification

Regional certification frameworks could play a transformative role in the implementation of the African Continental Free Trade Area (AfCFTA) by fostering trust in cross-border digital transactions and reducing regulatory friction associated with the movement of personal data. As African businesses increasingly provide services across borders, the absence of common mechanisms for demonstrating compliance can create uncertainty, increase transaction costs and discourage innovation. Certification schemes that are recognised across multiple jurisdictions could provide businesses with a practical way of evidencing adherence to agreed standards of data protection without having to navigate entirely different compliance assessments in every country in which they operate.

As more African states enact data protection legislation, the continent faces the challenge of reconciling national sovereignty with the need for regional economic integration. While countries may legitimately adopt different legal approaches reflecting their constitutional values and policy priorities, these differences need not become barriers to digital trade. Interoperable certification mechanisms could establish a shared baseline of accountability and trust, allowing regulators to recognise that organisations certified under agreed frameworks have implemented appropriate safeguards for the protection of personal data. Such an approach would complement domestic regulatory systems rather than replace them, while enabling data to move more efficiently in support of regional commerce, innovation and public service delivery.

In practical terms, a continent-wide or mutually recognised African certification framework could facilitate the development of regional payment systems, digital identity initiatives, cross-border healthcare services, collaborative research, and integrated supply chains envisioned under the AfCFTA. It would also strengthen Africa’s collective bargaining position in international adequacy discussions by demonstrating that the continent can develop credible and enforceable mechanisms for responsible data governance. Ultimately, trusted certification frameworks could help realise the promise of a single African digital market by ensuring that the free flow of data occurs alongside robust protections for privacy, thereby advancing both economic integration and the fundamental rights of African citizens.

Kenya’s Opportunity to Lead

Kenya occupies a unique position on the continent. It has an operational data protection law, an increasingly active regulator and a dynamic digital economy. Developing robust certification schemes under section 74 could strengthen Kenya’s adequacy ambitions, simplify vendor due diligence, enhance consumer trust and support participation in international value chains.

In an increasingly data-driven world, demonstrable compliance may become as important as technological sophistication. Organisations that can prove responsible stewardship of personal information will enjoy a competitive advantage.

Cross-border data flows are indispensable. The question is not whether personal data should move beyond Kenya’s borders, but how it can do so responsibly. Kenya’s legal framework provides multiple pathways for lawful international transfers, including adequacy determinations, contractual safeguards, Binding Corporate Rules, necessity-based exceptions, informed consent and emerging certification mechanisms.

The ongoing discussions between Kenya and the European Union underscore the growing recognition that privacy protection and economic development are not mutually exclusive. Likewise, international initiatives such as the APEC Cross-Border Privacy Rules system demonstrate that trust, accountability and interoperability can coexist with innovation and trade.

If Kenya successfully leverages these opportunities, it could emerge not only as a continental leader in data protection, but also as a trusted gateway for Africa’s participation in the global digital economy.
