Blog By
Ms. Jane Ombiro, CIPP/E, CIPM, FIP
Data Protection Expert
South-End Tech Limited
Date: 30th May, 2024
An adequacy decision is a declaration made by the European Commission that a country outside the European Union offers adequate personal data protection. The declaration is made under Article 45 of the EU General Data Protection Regulations (GDPR).
Article 45 of the GDPR allows for transferring personal data to a country outside the European Union where the European Commission has decided that the country, a territory or one or more specified sectors within that country ensures adequate protection.
During the 2024 Network of African Data Protection Authorities (NADPA/RAPDP) held in Nairobi, Kenya, it was announced that Kenya and the European Union (EU) were engaged in the first adequacy dialogue in the African Continent.
As part of the Adequacy Dialogue, Ondrej Simek, European Union EU chargé d’affaires, explained that the EU would be working closely with the Office of the Data Protection Commissioner (ODPC) and the Ministry of Information, Communication and The Digital Economy to explore the possibility of building a safe ‘personal data bridge’ between Kenya and the EU. Should the dialogue bear fruit Kenya will be granted an adequacy status by the European Commission.
Once granted, the adequacy status will allow the free flow of personal data from the European Union to Kenya without any specific authorization. This will increase digital trade, enhance the exchange of best practices, promote cooperation and facilitate commercial operations by granting Kenya access to the extensive EU data economy. The European Commission estimates that the EU data economy will be worth 829 billion euros in 2025.
When assessing the adequacy of the level of protection in Kenya the European Commission shall take the following into account.
- The rule of law, respect for human rights and fundamental freedoms, relevant legislation and the implementation of such legislation, data protection rules, professional rules and security measures, case law, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred.
- The existence and effective functioning of one or more independent supervisory authorities, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the EU Member States.
- The international commitments Kenya has entered into, or other obligations arising from legally binding conventions or instruments as well as from Kenya’s participation in multilateral or regional systems, particularly concerning the protection of personal data.
Some of the territories granted the adequacy status by the European Commission are Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, Uruguay, and the United States (Commercial organizations participating in the EU-US data privacy framework). Whether Kenya will join the list of the above-mentioned territories will depend on the outcome of the dialogue.
Please do not hesitate to contact us for your Cybersecurity and Data Protection Solutions and Service needs on the telephone at +254115867309 +254721864169; +254740196519; +254115867309 or email. jombiro@southendtech.co.ke; dataprotection@southendtech.co.ke; or info@southendtech.co.ke
