Navigating the Crossroads: The Challenges of Cross-Border Data Flows under Domestic Laws in Africa
- Dan Allan Kipkoech
- November 23, 2023
- Data Protection, US-Kenya FTA
The seamless flow of data across borders, a cornerstone of the digital age, faces significant hurdles due to inconsistencies between domestic data protection laws in various African countries.1 This blog explores how the requirements set out under domestic data protection laws may pose a challenge to the realization of cross-border data flows in Africa. Among the challenges analyzed are the effects of opt-in consent obligations and data localization requirements. While these requirements are often driven by concerns over data sovereignty and security, they can act as barriers to cross-border data flows, hindering the growth of digital services and innovation.2
Highlighting Contradictions between Domestic Laws
While there are 55 African countries, 35 of them have data protection laws and 3 have draft laws.3 Most of the data protection laws contain provisions on cross-border data flows.4 These provisions typically require data controllers to obtain the consent of individuals before transferring their personal data to a foreign country.5 Additionally, some laws require data controllers to transfer personal data only to countries that have been deemed to have adequate data protection safeguards.6
While these data protection laws are generally supportive of cross-border data flows, there are some instances where they may create challenges for businesses.7 For example, data localization requirements, which mandate that certain types of data be stored and processed within a country’s borders, can make it difficult for companies to operate across multiple jurisdictions. Additionally, conflicting data protection standards and varying interpretations of data privacy principles can lead to confusion and compliance difficulties.8 The following sections examine the provisions of the data protection frameworks of 6 African countries and their impact on cross-border data flows.
Explicit Opt-in Consent Requirement
i. Kenya
Part VI of the Kenya Data Protection Act provides for the transfer of personal data outside Kenya.9 The data controller or data processor may transfer personal data outside Kenya subject to giving proof to the Data Commissioner that appropriate safeguards have been taken to protect and secure personal data.10 The Data Protection (General) Regulations, 2021 outline principles for the transfer of personal data outside the country.11 In addition, they provide that personal data can only be transferred outside Kenya on the basis of appropriate safeguards, adequacy decision, necessity, and consent.12 Prior to transferring personal data, an agreement may be executed between the transferring entity and the recipient of the personal data.13
Kenya’s Data Protection Act (DPA) requires explicit opt-in consent for certain types of data processing before data can be transferred to a foreign country.14 This means that individuals must actively give their consent to the transfer of their data, rather than simply opting out of having their data transferred.15 An “explicit opt-in consent” is “a clear and unambiguous statement or act which signifies the individual’s agreement to the processing of their personal data for a specific purpose.” This consent must be freely given, informed, and specific.
In practice, these data protection consent requirements mean that Kenyan companies may need to obtain explicit opt-in consent from their customers before transferring their data to a foreign country, such as for the purpose of cloud storage or data processing. The strict approach adopted by Kenya’s Data Protection Act on data processing consent can create compliance difficulties for companies operating across multiple jurisdictions.16
Data Localization Requirement
ii. Nigeria
Nigeria’s Data Protection Act has a data localization requirement; thus, the personal data of Nigerian citizens must be stored within Nigeria.17 The Act defines personal data as “any information relating to an individual who can be identified or is identifiable by reference to an identifier such as name, address, contact information, and financial information.”18
The data localization requirement applies to all data controllers and processors that process personal data of Nigerian citizens.19 Section 41 of the Nigeria Data Protection Act 2023 restricts cross-border personal data transfer unless the recipient is governed by a law that protects personal data and subject to the consent of the data subject.20 The data can also only be transferred on the basis of necessity, public interest, sole benefit of the data owner and in order to protect certain vital interests of the data subject.21 Any basis of transfer of personal data is recorded by the data controller or processor.
The Act emphasizes that personal data ought to be transferred to jurisdictions that afford adequate levels of protection to data subjects.22 Adequacy of protection is assessed based on the availability of enforceability mechanisms, the agreement between the Commission and the receiving jurisdiction, ability of data subjects to access a public authority, presence of effective data protection law, existence of independent supervisory authority and international commitments binding on the respective country.23
The obligations outlined under Nigeria’s data protection law, although enacted with the goal of protecting the personal data of Nigerian citizens, pose a challenge for companies operating across multiple African markets.24 They can lead to higher operating costs and make it difficult to do business in Nigeria. For example, a multinational e-commerce company operating in Nigeria and Ghana may face difficulties in complying with both countries’ data localization requirements, as data stored in Nigeria cannot be freely transferred to Ghana and vice versa.
iii. Zambia
In 2021, Zambia passed its Data Protection Act. Part X of the Act regulates the transfer of personal data across borders.25 Section 70 (1) and (3) obligate a data controller to process and store personal data and sensitive personal data on a server or data centre located within Zambia.26 This means that organizations are not allowed to store personal data or sensitive personal data of Zambian citizens or residents outside of Zambia.27 This provision is designed to protect the privacy and security of personal data by keeping it within the country. It also aims to promote the development of the local data center industry and create jobs in Zambia.28
Furthermore, Section 70 (2) allows the Minister of Transport, Works, Supply and Communications to prescribe the categories of personal data that can be stored outside Zambia.29 Personal data categorized under this section can be transferred outside the Republic if they meet the following requirements: One, if the data subject has consented to the transfer. Two, if the transfer is made in accordance with intragroup schemes and standard contracts approved by the Office of the Data Protection Commissioner. Three, if the Minister has prescribed that the transborder transfers are permissible. Four, if the Office of the Data Protection Commissioner approves a particular transfer or a set of transfers due to a situation of necessity.
Zambia’s Data Protection Act can be a significant restriction on organizations that operate in Zambia. This restriction can make it difficult for organizations to innovate and manage their data effectively. For example, a Zambian e-commerce company that collects personal data from its Zambian customers may need to invest in building or renting data centers in Zambia if it wants to store all of its customers’ personal data within the country.
iv. Botswana
Section 48 (1) of the Botswana Data Protection Act, 2018 bars the transfer of data from Botswana to another country.30 This means that as a general rule, organizations are not allowed to send personal data of Botswana citizens or residents outside of Botswana. However, there are a few exceptions to this general rule. Section 48 (2) allows the Minister of State President to outline a list of countries where transfer of personal data is permitted. This means that the Minister has the power to designate certain countries as “adequate” for data protection purposes, which would allow organizations to transfer personal data to those countries without obtaining additional consent from individuals.31
In 2022, the Minister of State President published a Transfer of Personal Data Order, which declares that personal data may be transferred from Botswana to 45 countries.32 South Africa and Kenya are the only African countries on the list. The list includes other countries such as the Republic of Korea, United Kingdom, New Zealand, Japan, Isle of Man, Switzerland, Uruguay and Argentina.33
The general prohibition on the transfer of personal data from Botswana to other countries is a significant restriction on organizations that operate in Botswana. This restriction can make it difficult for organizations to comply with their contractual obligations, to manage their data effectively, and to innovate. The Minister’s power to designate certain countries as “adequate” for data protection purposes can also be a source of uncertainty for organizations. This is because the Minister’s criteria for determining adequacy may not be clear or transparent.
Countries that have Adequate Legal Protection Requirement
v. South Africa
Data protection in South Africa is governed by the Protection of Personal Information Act, 2013 (POPIA).34 POPIA safeguards the constitutional right to privacy by protecting personal information that is processed by a “responsible party,” while at the same time maintaining the right to access information. The Act regulates the circumstances where a responsible party in South Africa transfers personal information about a data subject to a third party. Section 72 of the POPIA outlines the requirements for cross-border transfer of data; it ensures that the data subject enjoys sufficient legal protection.35 This means that organizations must take steps to protect the privacy and security of personal information when it is transferred to a foreign country.
Section 72 (1) provides that a responsible party may only transfer personal information to a third party in a foreign country if it meets certain requirements.36 The requirements include: First, adequate legal protection: the cross-border recipient must be subject to a law or a contract that ensures sufficient legal protection. Second, the data subject must consent to the transfer of personal information. Third, the transfer of personal information is necessary for the performance of a contract between the responsible party and the data subject. Fourth, the transfer of personal data is essential in meeting the interests of the data subject. Fifth, the transfer of personal data must benefit the data subject.
While the requirements of Section 72(1) are aimed at increasing privacy protection and enhancing data security, they can have a number of implications for organizations that operate in South Africa. These implications include: First, increased costs, as organizations may need to invest in new technologies and infrastructure to comply with the requirements of Section 72.37 Second, reduced efficiency, as organizations may find it difficult to manage their data if it is scattered across multiple data centers in different countries. Consequently, these requirements make it more difficult to attain cross-border data flows.
vi. Eswatini
In 2022, Mswati III, King of the Kingdom of Eswatini, passed the Data Protection Act to regulate the processing, disclosure and protection of personal data while balancing competing values of personal information privacy.38 Part V of the Act provides for trans-border flow of personal information outside Eswatini. Section 32 covers transfer of personal information within SADC Member States. It provides that transfer to recipients in a Member State can only happen to a country that has transposed the SADC data protection requirements.39 Furthermore, the recipient must establish that the data is necessary for the performance of the task and that the legitimate interests of the data subjects are protected. Section 33 regulates the transfer of personal information to non-SADC Member States. It outlines that transfer of personal data can only be effected to such countries if they meet the adequate level of protection depending on the circumstances surrounding the data transfer.40
Eswatini Data Protection law makes it even more difficult to implement cross-border transfer as it categorizes countries into SADC and non-SADC members, essentially adding another layer of obligations for non-SADC members to meet before effecting cross-border transfer of data across Africa.41 For instance, a fintech company seeking to transfer customer data from Eswatini to Kenya may encounter delays and administrative hurdles due to the lack of a harmonized data transfer mechanism between the two countries.
Although the requirements of Sections 32 and 33 are a significant step forward in protecting the privacy of personal information in Eswatini, they can result in increased costs and compliance challenges for organizations in Eswatini that need to ensure that their data transfer practices comply with data protection laws and regulations.42
The Effect of Conflicting Data Protection Standards on Cross Border Transfer of Data
The patchwork of data protection laws across African countries creates a complex regulatory landscape for businesses operating in the digital realm.43 Varying levels of data protection standards and differing interpretations of data privacy principles can lead to confusion and compliance challenges.44 The mechanisms for transferring data across borders also vary significantly among African countries. While some countries have adopted adequacy frameworks, which recognize jurisdictions with equivalent data protection standards, others rely on contractual arrangements or specific authorizations for data transfers.45
Conflicting data protection standards can have a number of negative effects on businesses, individuals, and the economy as a whole. These effects include: One, increased costs, as businesses may need to invest in new technologies and infrastructure to comply with multiple and conflicting data protection standards.46 Two, reduced efficiency, as complying with multiple and conflicting data protection standards can be a complex and time-consuming process.47 Three, legal uncertainty, as conflicting data protection standards can create legal ambiguity for businesses.48 Four, conflicting data protection standards can stifle innovation. Businesses may be reluctant to develop new products or services if they are uncertain about whether they will comply with all applicable data protection laws.49
Five, conflicting data protection standards can fragment the global digital economy. This can make it more difficult for businesses to operate internationally and can lead to higher costs for consumers.50 For instance, a company seeking to transfer data from Kenya to South Africa may need to navigate different legal requirements and obtain separate authorizations, adding to the complexity and cost of doing business. Due to conflicting standards, a cloud service provider operating across multiple African countries may struggle to meet the varying data protection standards, such as different consent requirements or data retention periods, leading to potential compliance risks.51
Conclusion: Harmonization as the Way Forward
In this blog, we pinpointed a number of domestic data protection laws in Africa and highlighted the implications of their provisions on cross-border data transfers. Data protection laws in Africa are becoming increasingly complex and stringent, with the aim of safeguarding the privacy of individuals while enabling the flow of data across borders. However, these laws can also pose challenges for cross-border data transfers by businesses operating in the region, particularly due to opt-in consent and data localization requirements. Opt-in consent can be difficult to obtain on a large scale, and data localization obligations can increase costs and reduce efficiency. Harmonizing data protection standards and developing clear data transfer mechanisms across the continent can help mitigate these challenges and facilitate a more seamless flow of data within Africa.
1 Beyleveld, A. and Sucker, F., 2023. Regulating Cross-Border Data Flows Under the AfCFTA Protocol on Digital Trade: The What, Why, How, Where, and When (May 3, 2023).
2 Selby, J., 2017. Data localization laws: trade barriers or legitimate responses to cybersecurity risks, or both? International Journal of Law and Information Technology, 25(3), pp.213-232.
3 Data Protection Africa, 2023. https://dataprotection.africa/
4 Daigle, B., 2021. Data protection laws in Africa: A pan-African survey and noted trends. J. Int’l Com. & Econ., p.1.
5 Ibid
6 Daigle, B., 2021. Data protection laws in Africa: A pan-African survey and noted trends. J. Int’l Com. & Econ., p.1.
7 Boshe, P., Hennemann, M. and von Meding, R., 2022. African Data Protection Laws: Current Regulatory Approaches, Policy Initiatives, and the Way Forward. Global Privacy Law Review, 3(2).
8 Diorio, S., 2014. Data Protection laws: Quilts versus blankets. Syracuse J. Int’l L. & Com., 42, p.485.
9 Kenya, Data Protection Act, 2019.
10 Ibid, Section 48 (b).
11 Data Protection (General) Regulations, 2021 Regulation 40.
12 Ibid, Regulations 41-46.
13 Ibid, Regulation 48.
14 Kenya, Data Protection Act, 2019. Section 49
15 Ibid, Section 49(1)
16 Bouke, M.A., Abdullah, A., Alshatebi, S.H., Atigh, H.E. and Cengiz, K., 2023. African Union Convention on Cyber Security and Personal Data Protection: Challenges and Future Directions. arXiv preprint arXiv:2307.01966.
17 Nigeria Data Protection Act, 2023. Section 41. https://placng.org/i/wp-content/uploads/2023/06/Nigeria-Data-Protection-Act-2023.pdf
18 Ibid, Section 65
19 Ibid, Section 41(1)
20 Ibid, Section 41
21 Ibid, Section 43.
22 Nigeria Data Protection Act, Section 42(1).
23 Nigeria Data Protection Act, Section 42(1).
24 Adeleke, F., 2021. Exploring Policy Trade-offs for Data Localisation in South Africa, Kenya and Nigeria. Policy Brief.
25 Zambia, Data Protection Act, 2021. Available at: https://www.parliament.gov.zm/sites/default/files/documents/acts/Act%20No.%203%20The%20Data%20Protection%20Act%202021_0.pdf
26 Zambia, Data Protection Act, 2021, section 70 (1) and (3)
27 Prinsloo, P. and Kaliisa, R., 2022. Data privacy on the African continent: Opportunities, challenges and implications for learning analytics. British Journal of Educational Technology, 53(4), pp.894-913.
28 Ibid
29 Ibid section 70 (2)
30 Botswana Data Protection Act, 2018. Available at https://www.bocra.org.bw/sites/default/files/documents/DataProtectionAct.pdf
31 Walters, R., 2023. Data Flows and Data Protection Law. In Cybersecurity and Data Laws of the Commonwealth: International Trade, Investment and Arbitration (pp. 49-74). Singapore: Springer Nature Singapore.
32 Data Guidance, Botswana: Minister of State President publishes Transfer of Personal Data Order 2022. Available at: https://www.dataguidance.com/news/botswana-minister-state-president-publishes-transfer
33 Data Guidance, Botswana: Minister of State President publishes Transfer of Personal Data Order 2022. Available at: https://www.dataguidance.com/news/botswana-minister-state-president-publishes-transfer
34 Protection of Personal Information Act, 2013. Available at: https://popia.co.za/
35 Ibid Section 72.
36 Ibid Section 72(1)
37 Walters, R., 2023. Data Flows and Data Protection Law. In Cybersecurity and Data Laws of the Commonwealth: International Trade, Investment and Arbitration (pp. 49-74). Singapore: Springer Nature Singapore.
38 Data Protection Act, 2022. Available at: https://www.esccom.org.sz/legislation/DATA%20PROTECTION%20ACT.pdf
39 Ibid, Section 32(1)
40 Ibid Section 33 (1)
41 Kugler, K., 2022. The impact of data localisation laws on trade in Africa. Policy Brief, 8.
42 Walters, R., 2023. Data Flows and Data Protection Law. In Cybersecurity and Data Laws of the Commonwealth: International Trade, Investment and Arbitration (pp. 49-74). Singapore: Springer Nature Singapore.
43 Aaronson, S., 2015. Why trade agreements are not setting information free: The lost history and reinvigorated debate over cross-border data flows, human rights, and national security. World Trade Review, 14(4), pp.671-700.
44 Mitchell, A.D. and Mishra, N., 2019. Regulating cross-border data flows in a data-driven world: how WTO Law can contribute. Journal of International Economic Law, 22(3), pp.389-416.
45 Osakwe, S. and Adeniran, A.P., 2021. Strengthening data governance in Africa.
46 Walters, R., 2023. Data Flows and Data Protection Law. In Cybersecurity and Data Laws of the Commonwealth: International Trade, Investment and Arbitration (pp. 49-74). Singapore: Springer Nature Singapore.
47 Prinsloo, P. and Kaliisa, R., 2022. Data privacy on the African continent: Opportunities, challenges and implications for learning analytics. British Journal of Educational Technology, 53(4), pp.894-913.
48 Tyre Jr, K.H., Newton, N. and Vilmenay, D., 2018. Franchising in Africa: Growth in the industry and data privacy and protection issues. Int’l J. Franchising L., 16, p.7.
49 Kugler, K., 2022. The impact of data localisation laws on trade in Africa. Policy Brief, 8.
50 Babalola, O., 2023. Data Protection Legal Regime and Data Governance in Africa: An Overview.
51 Aaronson, S.A., 2019. Data is different, and that’s why the world needs a new approach to governing cross-border data flows. Digital Policy, Regulation and Governance, 21(5), pp.441-460.