By Meshack Masibo
According to Section 48 of the Data Protection Act, a data controller or data processor may transfer personal data to another country only where it has given proof to the Data Commissioner that the data will be transferred securely to a place with equal or stronger data protection laws compared to Kenya.
However, there are certain situations where data can be transferred without notifying the Data Commissioner. Episode 4 of the Data Protector’s Podcast delves into this critical topic.
Some of the highlights of the episode include John Walubengo’s statement that in Kenya some companies would opt to transfer personal data to countries with less restrictive data protection laws, which is why the Data Commissioner is concerned with cross-border data transfers. Having been part of the task force charged with formulating the Data Protection Act, Mr Walubengo stated that this is the mischief behind the introduction of this section in the Act.
On the other hand, Simon Verschaeve stated that in the European Union, the GDPR provides that personal data can only be transferred to a data controller or data processor outside the European Union – also referred to as a “data importer” – when the level of protection guaranteed by the GDPR is not undermined.
John Walubengo added that when it comes to cross-border data transfers, SMEs should build not only their legal awareness and capacity but also their technical know-how and capacity, so as to ensure their transfers are not only secure but also effective. Simon Verschaeve concluded with the statement that it is important to deploy technology to make compliance easier for small and medium-sized enterprises. He also added that his law firm, DLA Piper, offers such technologies.
Technology and globalization have changed the way we run our businesses and manage our organizations. In today’s world, we increasingly rely on technology to run our businesses, and where technology is not our main business, it is the platform that we use to carry out our business and organizational activities. This automatically carries with it a lot of harvesting and exchange of personal information.
With globalization, the world is increasingly interconnected and a lot of transactions transcend the borders between countries. For example, Tala Mobile is originally based in California in the United States but offers digital lending services to Kenyans. In the same way, a lot of small and medium-sized enterprises that heavily rely on foreign donors and investors may come to a point where they need to transfer personal data belonging to their users, customers or employees overseas.
Many times, you transfer data across borders without even knowing about it. For example, simply by using a Gmail account, you are already storing the personal data of your contacts on Google’s servers in a country far away. One of the first steps you should undertake, therefore, is to map out in your organization what data you are transferring and where to. Are you using an online accounting platform that contains personal data on your employees’ and suppliers’ contacts? Where is this data hosted? Do you have partners that help you process your data, like credit scoring services? Where are they located?
In Kenya, the Data Protection Act is clear that you can only transfer data outside the country in the following instances. Firstly, a transfer is allowed if you have given the Data Commissioner proof of the appropriate safeguards that you have put in place with respect to the security and protection of personal data.
Secondly, you should be able to demonstrate that the transfer is necessary for the performance of a contract between the data subject and the data controller or data processor.
Thirdly, a transfer of data out of the country is allowed if you can demonstrate that the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another person. Fourthly, a data transfer out of the country is allowed if it is done in the public interest.
Fifthly, a transfer is allowed if it is for the establishment, exercise or defence of a legal claim or to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent. Penultimately, a cross-border transfer is allowed if it is based on compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.
Ultimately, all cross-border transfers are weighed against the prism of consent. The processing of sensitive personal data out of Kenya can only be effected upon obtaining the consent of a data subject. You can listen to more of the discussion on cross-border data transfers here.