Part 13: Regulation of Cross-Border Data Transfers
By Benedict Alex Ishabakaki
The world is more connected than ever. Multinational companies operate on a global scale, and international data transfer has therefore become inevitable; for example, a company may store employee personal data at a subsidiary established in another country.[i] It is common for personal data to be collected in one country and transferred to another country for different reasons. Safeguarding such transfers is vital and is one of the key fundamentals of any data protection law. For instance, the EU has developed specific provisions concerning cross-border data flows and privacy protections to be tabled in international trade negotiations.[ii] It is also worth noting that transfers in certain sectors are based on specific international agreements. Examples of international agreements involving the transfer of personal data are the Passenger Name Records (PNR) and the Terrorist Financing Tracking Programme (TFTP).[iii]
13.2 Prerequisites for Data Transfer
The key requirement for a cross-border data transfer is to obtain approval from the data protection authority. In most jurisdictions, data cannot be transferred outside the country without the approval of the data protection authority. However, with time and development, some countries have gone further and established binding corporate rule mechanisms. Binding Corporate Rules (BCRs) are a mechanism whereby an organization can set out its global policy on the international transfer of personal data within that corporate group.[iv]
In granting approval, the data protection authorities of some countries have set specific criteria which a data controller or processor is required to satisfy before transferring data outside the country. In some cases, data subject approval is required, but only with respect to the transfer of sensitive personal data. For instance, under section 48 of the Kenya Data Protection Act, a data controller or processor may transfer data only where proof is given to the Data Commissioner of the appropriate security and protection safeguards employed by the data processor or controller for the personal data, of appropriate safeguards in the jurisdiction to which the data are transferred, and of the necessity for such transfer. Section 49 of the same Act provides that processing of sensitive personal data out of Kenya shall only be effected upon obtaining the consent of a data subject and on obtaining confirmation of appropriate safeguards.
The position is a bit different in Uganda. Unlike Kenya, the provisions of section 19 (b) of the Data Protection and Privacy Act of Uganda require consent from the data subject rather than approval from the authority.
It is argued that, given the new complex and connected world, the structure of corporations and regional integration, obtaining the approval of the authority before a cross-border data transfer may be difficult and impractical. It is better for a country to adopt model binding corporate rules in lieu of stringent approval requirements.
Lastly, in order to take advantage of the open market, data usage and e-commerce within the East African Community (EAC), it is imperative to harmonize data privacy legislation. This will serve as an enabling framework with the potential to generate significant economic development gains for countries. This will be achieved by boosting investors’ confidence and responding to the increasing reliance on data applications in all sectors (government, commerce, health, education, banking, insurance, etc.).[v]
This article marks the end of our Data Protection and Privacy article series. Our next series of articles shall focus on and explore the law, trends and practice of Artificial Intelligence.
This article is not intended to provide legal advice but to provide general information on the matter covered in the Article. The article does not constitute and is not to be relied upon as legal advice. Victory Attorneys & Consultants shall not be responsible for any loss in the event this Article is relied upon without seeking our professional advice first.
[i] https://www2.deloitte.com/nl/nl/pages/risk/articles/cyber-security-privacy-gdpr-update-future-of-international-data-transfers.html, accessed on 6th October 2021.
[ii] https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/rules-international-data-transfers_en, accessed on 6th October 2021.
[iv] https://www2.deloitte.com/nl/nl/pages/risk/articles/cyber-security-privacy-gdpr-update-future-of-international-data-transfers.html, accessed on 6th October 2021.
[v] https://unctad.org/webflyer/harmonizing-cyberLegislation-and-regulations-experience-east-african-community, visited on 12th October 2021.