By

Njoki Kimemia

Legal and Data Protection Associate

South-End Tech Limited

Tuesday, May 23, 2023

Thousands of businesses rely on data flow for their operations locally or internationally. The ability to transfer data across borders is fundamental for facilitating cross-border trade and how the global open internet works.

On  Monday 22, May 2023, the Irish Data Protection Commission fined Meta 1.2 billion euros ($1.3 billion) over the transfer of European Union (E.U) user data to the United States of America (USA) without putting enough measures to transfer and store the data to the U.S.A. This landmark data breach fines arose from the case of the Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems II EU: C:2020:559, commonly referred to as the Schrems case who argued that the framework for transferring E.U citizen’s data to America did not protect Europeans from American surveillance.

Meta argued that they had used standard contractual clauses to transfer personal data in and out of the EU  with additional supplementary measures that were implemented by the European Commission. Meta believed that they acted in good faith by relying on the common legal instrument that they believed was compliant with the General Data Protection Regulations. However, the European Court of Justice opined that these agreements did not address risks to the data subject’s fundamental rights and freedom.

Three months ago, the Office of the Data Protection Commissioner (ODPC) in  Kenya embarked on a series of creating awareness on the guiding principles for the transfer of personal data in and out of Kenya. The ODPC also put out a list of countries considered as ‘safe havens’ for Kenya Data Subjects. In the guidelines, the ODPC advised data controllers and processors to ensure the following criteria:

1. The transfer is based on appropriate safeguards. The data controller has to ensure that there is a legal instrument that contains appropriate safeguards akin to our laws in the transfer country.
2. A transfer based on an adequacy decision made by the ODPC that the transfer country has put in adequate measures and safeguards for its data subjects.
3. A transfer based on necessity or legally required on important public interest grounds.
4. Transfer on the basis that the Data subject has consented.

Amrit Labhuram and Michael Buter in their article titled ‘The Gap in Kenyan-based IPDTs: Adequacy Considerations?’ highlighted key considerations that Kenya should look into before cross-border transfer. These include:

1. Principles of lawfulness, fairness, and transparency concerning any data subject must be observed.
2. The data should be processed only for the specific purposes it was collected for and not any other.
3. The data should be accurate, adequate, relevant, and not excessive for the purposes for which they are processed.
4. The data subject in certain circumstances should be in a position to access this data, to rectify and to ask for it to be deleted.
5. The data should be deleted or stored for a limited time in a way that doesn’t identify the data subject.
6. The transfer country should put in appropriate technical and organizational safeguards to ensure the data is protected against accidental loss or damage and or unauthorized processing.
7. The transferred data should only be between clearly defined parties to the transfer and not non-privy third parties.
8. In the foreign country where their data is being transferred, the data subjects should be able to pursue legal remedies to enforce their rights quickly, effectively, and without incurring exorbitant costs. This covers monetary compensation for losses or harms sustained as a result of a breach of their data as well as legal recourse

RECOMMENDATIONS

Businesses should do a data map and analysis before transferring data to the recipient country.

Additionally, they should conduct a transfer impact assessment.

In conclusion, businesses and organizations should carefully consider the transfer country before transferring data to see if it has taken the necessary precautions to secure the data of its inhabitants.