Pymnts - 23 August 2022
Kenya’s GDPR-style legislation threatens US firms’ x-border data transfer model
Around the world, data protection legislation sets the rules for how companies collect and process personal information. The EU’s General Data Protection Regulation (GDPR) is often cited as a benchmark and model framework for data protection laws.
In Africa, very few countries have an advanced data privacy framework but one of the countries that is furthest ahead in the implementation of GDPR-style legislation is Kenya. Last month, the country imposed a requirement for startups that handle personal data to register with the Office of the Data Protection Commissioner (ODPC).
The beefing up of Kenya’s data protection regulation is the latest move in a journey that began with passage of the country’s Data Protection Act in 2019. And while the law shares a number of similarities with the EU’s GDPR, it also creates an opportunity for the East African nation to learn from the EU’s regulation, which has presented many challenges over the years.
For example, one of the criticisms of GDPR is that by requiring organizations to store information about EU citizens on servers located within the bloc, it risks interfering with the cross-border data flow that many international businesses currently rely on.
Meta’s continued warnings that it may have to pull its Facebook and Instagram platforms from Europe because EU regulators deem its current data transferal model illegal is a prime example of this.
In fact, ever since the EU-U.S. Privacy shield was struck down by the Court of Justice of the European Union in 2020, Meta has been in legal limbo in the region, with regional data protection watchdogs arguing that its wholesale exportation of EU user data to the U.S. doesn’t comply with GDPR.
But for the time being, Meta has been given some extra breathing room. After receiving input from other data protection watchdogs in the bloc, the Irish Data Protection Commission, which is leading the case against Meta, has had to put off its final decision on whether or not to prevent Meta’s EU-U.S. data exports.
Free Trade vs Data Sovereignty
In the Kenyan context, Meta’s GDPR woes may be avoided if the U.S. gets its way in a proposed free trade deal between the two countries which is currently in discussions.
Among other objectives that relate to the free movement of data, U.S. negotiators have explicitly stated their demand for “commitments to ensure that Kenya refrains from imposing measures in the financial services sector that restrict cross-border data flows or that require the use or installation of local computing facilities.”
But the assurances being sought in the anticipated free trade agreement seem to stand in direct opposition to Kenya’s Data Protection Act.
Like GDPR, that act sets strict consent requirements for any organization that wants to transfer personal data outside of the country, requirements that the Irish Data Protection Commission has found Meta doesn’t meet.
How this plays out could set a precedent for other countries engaged in similar talks with the U.S. and will be especially critical as issues pertaining to cross-border data flows become increasingly important in the negotiation of trade deals.
The EU, for instance, can afford to be bullheaded in their approach to American Big Tech. But not all economies have that luxury considering the significant economic benefits they could potentially gain from a free trade deal with the U.S.
At the end of the day, no matter which side of the coin they fall on, it will not all be smooth sailing.
For Kenya, pursuing the kind of strong data protection rules that have been implemented in the EU could cost them important deals, and at the same time precipitate further trouble for the U.S.-centric data transfer model currently favored by Meta and other U.S. Big Tech companies.