- As part of the data protection measures in place, the regulation of the free flow of personal data from the EU to other countries is heavily and deliberately regulated.
- Countries that are not part of the EU (third countries) have used various methods to have free flows of personal data from the EU to them.
A world without privacy is dangerous,” warns Carissa Véliz in her book, Privacy is Power. She explores the relationship between privacy and power, and how it is used by tech companies to “amass, wield and transform power in the digital age”.
As one of the remedies to the power wielded by tech companies, the EU, through the General Data Protection Regulation (GDPR), has been at the forefront in its quest to ensure that personal data of EU residents is protected and used for the proper purpose(s).
As part of the data protection measures in place, the regulation of the free flow of personal data from the EU to other countries is heavily and deliberately regulated.
Countries that are not part of the EU (third countries) have used various methods to have free flows of personal data from the EU to them. One of them is the “adequacy decision” route.
In a 2019 legal opinion from the Advocate General of the EU, a third country will be granted an adequate decision by the European Commission when it considers that said country or territory ensures an adequate level of protection of personal data resulting of its internal law or of its international law. commitments.
Essentially, the protection in place is equivalent to that provided within the EU.
The UK, which was part of the EU until January 31, 2020, the transition period ending on December 31, 2020, has returned to the EU to seek an “adequacy decision” in its favor which has was granted on June 28, 2021 for a period of four years.
On August 26, 2021, the UK Government, through the Department for Digital, Culture, Media and Sport, released a statement on its post-Brexit global data plans to drive growth, increase trade and improve health care.
In the statement, he listed the countries the UK would immediately prioritize the establishment of “data adequacy partnerships”. These are the United States, Australia, the Republic of Korea, Singapore, the Dubai International Financial Center and Colombia.
In the list of countries that are in second position in their priority, they have Kenya, India, Brazil and Indonesia, designated for “future partnerships”.
Additionally, as part of its strategy to build the right partnerships, the UK recently launched its International Council of Data Transfer Experts. The aim of the council is to advise the UK government on new tools for international data transfer and to provide the UK government with practical information on the implementation of international data transfer policy.
It’s also part of the UK’s plan to remove unnecessary barriers to cross-border data. This will ensure that they realize benefits such as driving technological innovation, supporting scientific research, among others, in their quest to become “the world’s leading data destination”.
On January 28, 2022, Kenya signed a Joint Statement on Kenya-European Union Strategic Dialogue by Foreign Cabinet Secretary Raychelle Omamo and EU High Representative for Foreign Affairs and Policy. security, Josep Borrell.
The purpose of the statement was to guide bilateral talks on a number of thematic areas, including security and trade. Kenya’s place in trade through e-commerce cannot be ignored; the country is ranked seventh fastest growing e-commerce in Africa, according to UNCTAD’s Business-to-Consumer (B2C) e-commerce index, 2020.
It is important to note that the EU has not yet issued an adequacy decision for an African country despite 29 countries having data protection and data privacy laws (UNCTAD data as of December 14, 2021) .
Now that Kenya is in trade talks with the UK and the EU, perhaps we should start thinking about pursuing an adequacy decision in our favor.
November 25, 2021 marked two years since the entry into force of the Data Protection Act (LPD). The first Data Protection Commissioner, Miss Immaculate Kassez took office on November 17, 2020.
Since taking office, we have seen her attend various public forums as part of the general awareness of the implications of the DPA. His office released three draft regulations intended to give the law the force of law.
Regulations that have already been the subject of public participation are expected to enter into force soon. We’ve also seen some of the complaints filed with his office about alleged breaches of data shared with the public and we’ve seen his responses on that as well.
The Office of the Data Protection Commissioner (ODPC) has further launched its strategic plan with “Advancing Data Protection by Design or Default” as the main theme.
That said, we have yet to see the full implementation of the law as the ODPC is not yet fully operational. As a practitioner, I am confident that the full implementation of the Act will give Kenya much needed leverage in today’s data economy.
Data protection and privacy laws have been seen as barriers to digital trade. And more specifically, restricted cross-border data flows. One way to overcome this and give leverage to Kenya is not just to have the right laws in place, but to enforce them in full. Adequacy actions through administrative fines must begin.
This will not only ensure compliance for data controllers, but will also increase awareness in the field. Competition over privacy by data controllers and data processors will also take shape, with the ultimate winner being the consumer.
Kenya, having key human resources ranging from data analysts to innovative software developers, will attract multinational companies intending to outsource their data processing activities to Kenyan-based individuals and companies.
This will boost employment, in addition to making Kenya a destination for innovation. Kenya currently ranks 3rd out of 27 sub-Saharan economies listed in the 2021 World Innovation Index by WIPO (World Intellectual Property Organization).
Companies should therefore start thinking about developing transfer impact assessments to ensure that a third country to which they wish to transfer data has sufficient safeguards.
At the same time, they must take into account the technical, contractual and organizational measures in place before the transfers. If they are not sufficient, then the transfer(s) must be prohibited.
In conclusion, I believe that once the DPA is fully implemented, Kenya can be among the first African countries to be granted adequacy status by the EU and the UK.
We should take advantage of the soon-to-be-started bilateral trade negotiations between Kenya and the EU, which boasts of 27 countries.