Regulation Of Cross Border Data Transfers (Article 11)
September 16, 2022

Part 13: Regulation of Cross-Border Data Transfers

By Benedict Alex Ishabakaki

13.1 Introduction

The world is becoming more connected than ever, multinational companies are operating on a global scale and therefore international data transfer becomes inevitable, for example a company may store employee personal data at a subsidiary established in another country.[i]  It is common for personal data to be collected from one country and transferred to another country for different reasons. Safeguarding such transfer is vital and one of the key fundamentals for any data protection law. For instance, the EU has developed specific provisions concerning cross-border data flows and privacy protections to be tabled in international trade negotiations.[ii] Also, it is worth noting that, transfers in certain sectors are based on specific international agreements. Examples of international agreements involving the transfer of personal data are: the Passenger Name Records (PNR) and the Terrorist Financing Tracking Programme (TFTP)[iii].

13.2 Prerequisites for Data Transfer

The key requirement for a cross-border data transfer is to obtain approval from the data protection authority. In most jurisdictions, data cannot be transferred outside with the approval of the data protection authority.  However, with time and development, some countries have gone further to establish binding corporate rule mechanisms. Binding Corporate Rules (BCRs) is a mechanism whereby an organization can set out its global policy on the international transfer of personal data within that corporate group[iv].

In obtaining approval from the data protection authority, some countries have set specific criteria which a data controller or processor is required to satisfy before the transfer of data outside the country. In some cases, data subject approval is required, but this is only with respect to transfer of sensitive personal data only. For instance, under section 48 of the Kenya Data Protection Act, a data controller or processor may transfer data only where, the proof is given to the Data Commissioner on the appropriate security and protection safeguards of the personal data employed by the data processor or controller, appropriate safeguards in the jurisdiction where data are transferred to and a necessity for such transfer. Section 49 of the same Act provides that processing of sensitive personal data out of Kenya shall only be effected upon obtaining the consent of a data subject and on obtaining confirmation of appropriate safeguards.

The position is a bit different in Uganda. Unlike Kenya, the provisions of section 19 (b) of the Data Protection and Privacy Act of Uganda, require consent from the data subject and not authority.

It is argued that, with the new complexes and connected world, the structure of the corporations and regional integrations, obtaining approval of the authority before cross-border data transfer may be difficult and not practical.  It is better for a country to adopt model-binding corporate rules in lieu of stringent approval requirements.

13.3 Conclusion

Lastly, in order to take advantage of the open market, data usage and e-commerce within the East Africa Community (EAC), it is imperative to harmonize the data privacy Legislation. This will serve as an enabling framework potential to generate significant economic development gains for countries. This will be achieved by boosting investors’ confidence, and responding to the increasing reliance on data applications in all sectors (government, commerce, health, education, banking, insurance, etc.).[v]

 

This current article marks the end of our Data Protection and Privacy Article series. Our next series of Articles shall focus on and explore the law, trends and practice of Artificial Intelligence.

 

DISCLAIMER

This article is not intended to provide legal advice but to provide general information on the matter covered in the Article. The article does not constitute and is not to be relied upon as legal advice. Victory Attorneys & Consultants shall not be responsible for any loss in the event this Article is relied upon without seeking our professional advice first.

 

[i] https://www2.deloitte.com/nl/nl/pages/risk/articles/cyber-security-privacy-gdpr-update-future-of-international-data-transfers.html accessed on 6th October 2021.

[ii] https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/rules-international-data-transfers_en, accessed on 6th October 2021.

[iii] Ibid.

[iv] https://www2.deloitte.com/nl/nl/pages/risk/articles/cyber-security-privacy-gdpr-update-future-of-international-data-transfers.html, accessed on 6th  October 2021

[v] https://unctad.org/webflyer/harmonizing-cyberLegislation-and-regulations-experience-east-african-community  visited on 12th October 2021

Victory Attorneys & Consultants © 2024

Augustine Dominic Shio

Managing Partner

Augustine Dominic Shio is also known as Mr Shio is a highly sought-after and widely recognized criminal law expert with more than 30 years of experience advising and assisting corporations and individuals charged with white-collar crimes.

Overview

Before founding the firm Mr Shio held several positions in the public sector, he served as a Principal State Attorney at the Attorney General’s Chambers, Legal Advisor at the President’s Office (Commission for Enforcement of the Leadership Code), Director of Legal Services and Complaints at the Ministry of Home Affairs and retired as a Deputy Director of Public Prosecutions at the Directorate of the Public Prosecutions.

Mr Shio is a recipient of the Presidential Medal for his distinctive public services and ethics of the highest order. His distinguished aptitude in handling complex criminal cases, particularly money laundering, economic and organized crimes has enabled the firm to handle high profile criminal cases in Tanzania.

Practice Focus

As the firm’s head of the Financial & Organized Crimes Department, Mr Shio represents corporations and individuals in the telecoms, media & ICT, mining, oil & gas and banking sectors in high profile criminal cases. He has advised and prepared legal compliance models and for large scale agribusiness operators, public listed companies and securities dealers and brokers in line with sector-specific laws.

He possesses vast experience in advising multinational corporations on money laundering and tax evasion throughout the life span of their commercial transactions.

Mr Shio has represented clients in major plea bargaining negotiations at the office of the Director of Public Prosecutions. He is renowned for closing some of the best pleas deals in the country on behalf of many locals and expatriates charged with money laundering, economic and organized crimes and cybercrimes. Additionally, Mr Shio consults and assists criminally charged individuals to secure pre-trail and post-trial bail on serious criminal charges.

Education

Mr Shio holds a Bachelor’s Degree (LL.B Hons) from the University of Dar es Salaam, Certificate in Criminal Justice and Treatment of Offenders from the United Nations Institute (Fuchu, Japan). He is a certified criminal law expert in Money Laundering and Terrorism.

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Join our mailing list to receive the latest legal updates, events announcements and many more.

You have Successfully Subscribed!

Share This