By John Walubengo
The Network of African Data Protection Authorities (NADPA—RADPD) conference brought together over 30 African data commissioners in charge of regulating the personal data space in their respective countries.
The conference, which will take place between 7th and 9th May 2024, features a variety of panels and activities centred on critical issues in data protection and privacy, digital identity, and AI technologies.
One of the highlights of Day 1 was cross-border data flows and the Adequacy Rule and Decision.
Cross-border data flow refers to the transmission of data across the boundaries of one country to another. This data can include anything from personal information and financial details to general business data and is often transferred between governments, multinational companies, across servers, or between consumer and business entities in different countries.
Managing these data flows is critical because countries have various laws and regulations regarding data protection, privacy, and security.
For example, the Kenya Data Protection Act (2019) imposes strict rules on transferring personal data outside Kenya, requiring that the remote countries receiving or storing Kenyan citizen data have adequate protection or implement specific safeguards for the Kenyan data.
Hence, the issue of the Adequacy Rule or Decision.
Data Protection Adequacy Rule or Decision
In practical terms, this means that if you are a Kenyan enterprise with a regional presence in Uganda, Tanzania, Rwanda, Juba, or Mauritius, you may not host Kenyan citizen data in those remote jurisdictions unless the Kenyan Data Commissioner considers those jurisdictions safe in terms of having adequate and similar regulatory frameworks to Kenya.
In other words, if the regional countries are NOT considered adequate, then Kenyan enterprises become quite restricted regarding business options, particularly from a data centre or infrastructure perspective.
For example, consider a Kenyan regional enterprise facing a business decision regarding locating its backup data centre in Rwanda or Mauritius. That enterprise can only decide if Kenya considers these two destinations safe and adequate from a data protection perspective.
How will Kenya decide if the remote destination is safe enough?
Measuring Data Protection Adequacy
Beyond having a comprehensive data protection law, some of the parameters that the Kenyan Data Commissioner may use to grant or deny an adequacy decision include, but are not limited to, that remote country having relevant data protection regulations, as well as its capacity and independence to regulate and enforce them.
A data protection law alone does not automatically make the remote country a safe destination for Kenyan personal data. Additional checks are required.
However, once that adequacy status is achieved, the remote country benefits economically, as data-related investments in those countries can potentially increase since various data-driven enterprises are no longer faced with regulatory overheads to, for example, build backup data centres in those destinations.
Suppose you flip this adequacy concept around and think about EU data regulators granting Kenya an adequacy status in the context of data protection. In that case, you realize that is quite a big deal.
An EU adequacy status would unlock digital economy-related investments and make Kenya the only and first African country to join the list of just about eleven other countries enjoying this status.
We look forward to that day and beginning conversations about adequacy rules within the African continent.
John Walubengo is an ICT Lecturer and Consultant. @jwalu.
RELATED
