Legal and Regulatory Framework

Kenya’s rules on cross-border data transfers are primarily found in the following legal instruments:

  • The Constitution of Kenya: Article 31 establishes the right to privacy.
  • The Data Protection Act, 2019: Part Six (Sections 48-50) specifically addresses the conditions for cross-border transfers and data localization.
  • The Data Protection (General) Regulations, 2021: Part Eight provides detailed rules on implementing the Act’s requirements for transfers.

Conditions for Transferring Data Abroad

For a data controller or processor to lawfully transfer personal data outside Kenya, it must establish a lawful basis for the transfer. The main conditions are:

  • Adequacy Decision: This is a determination by the Data Commissioner that the recipient country or organization has an adequate level of data protection.
    • Status: The ODPC has not yet issued any adequacy decisions for any country, territory, or specific sector. This option is currently not available in practice.
  • Appropriate Safeguards: These are mechanisms to ensure data remains protected. They include:
    • Standard Contractual Clauses (SCCs): While the ODPC has not yet published its own approved template SCCs (unlike the EU), it is willing to review clauses that organizations draft themselves to ensure they comply with the Act.
    • Binding Corporate Rules (BCRs): These are internal rules for multinational companies. Organizations can submit their BCRs to the ODPC for review and approval.
    • Ratification of the Malabo Convention: Kenya has not yet ratified this convention, so it cannot be used as a safeguard.
  • Necessity: The transfer may be permitted if it’s necessary for specific, limited reasons, such as performing a contract with the data subject, for matters of public interest, or to protect a person’s vital interests.
  • Consent: Consent can be used as a basis for transfer in two key scenarios:
    • Sensitive Data: When transferring sensitive personal data (e.g., health or biometric data), explicit consent from the data subject is always required, even if another condition (like having appropriate safeguards) is met.
    • As a Last Resort (Derogation): If no adequacy decision, appropriate safeguards, or necessity grounds apply, a transfer can be based on the data subject’s explicit consent. In this case, the data subject must be fully informed of the risks associated with the transfer.

Data Localization 🇰🇪

Section 50 of the Act introduces data localization requirements for specific categories of data. This is described as one of the most complex and expensive aspects of compliance.

  • The Rule: For certain data, processing must be done through a server and data center located in Kenya.
  • The Alternative: If the data is processed internationally, at least one serving copy of that data must be stored in a data center located within Kenya.
  • Affected Data: This rule applies to specific data such as civil registration data, information related to legal identity management, and any data from systems designated as critical infrastructure under the Computer Misuse and Cybercrimes Act.

Practical Guidance from the Q&A Session

  • No Prior Approval Needed: Organizations are not required to seek prior approval from the ODPC for every cross-border transfer. However, if an organization is unsure about its compliance, it is encouraged to write to the ODPC for an advisory opinion.
  • Cloud Storage: If an organization collects sensitive personal data (e.g., for “Know Your Customer” or KYC purposes) and stores it on an international cloud server, it must obtain explicit consent from the data subject for that transfer. This must be clearly explained in the privacy notice.
  • Research Exemptions: Exemptions for research institutions are not blanket exemptions. They must still comply with the data transfer provisions of the Act.
