President William Ruto and US President Donald Trump after the signing of a peace deal between the DRC and Rwanda at the Donald J Trump United States Institute of Peace in Washington, DC. [PCS]
Now that there is a brewing discussion and tension on data transfer or sharing in the Kenya-USA deal, one wonders, if any person is to take any personal data outside the country, how is it to be done? Article 31 of the Constitution jealously protects privacy whether it is at the workplace, home or even online.
In order to strengthen this constitutional pillar of the Bill of Rights, the Office of the Data Protection Commissioner (ODPC) has been empowered to implement the Data Protection Act, a role it has played meticulously.
The idea of privacy and data protection flows from the understanding that the dignity of a person is inherent and there exists a ‘sphere’ beyond which no one should access except with reasonable and lawful reasons. Put differently, if you access someone’s personal data through illegal means, you violate both the person and their very essence of existing outside the world of ‘other’ humanity.
In the entire jurisprudence generated by the ODPC through its decisions, I have not come across a decision that relates to the transfer of personal data outside the country. However, such transfers are very common, especially with companies that are either domiciled in Kenya but operate in many other jurisdictions or vice versa. The Constitution and the Data Protection Act will not be kind to you if you do not follow the law to transfer the data of an individual outside the country.
Sections 48 to 50 of the Data Protection Act require you to do certain crucial things before you can undertake the transfer. Before any personal data leaves Kenya, the data controller or data processor must first satisfy the Data Commissioner that adequate safeguards are in place.
This begins with demonstrating clear and credible proof that the transfer will not jeopardise the safety or integrity of the data. The individual or organisation responsible for the data must show that proper security systems, both technical and legal, exist to protect personal data throughout its transfer and in its destination country. Equally important, the destination jurisdiction must have data protection laws that are commensurate with Kenya’s own standards.
The Data Commissioner needs assurance that the receiving country upholds comparable legal principles, ensuring personal data remains shielded from misuse, unauthorised access, or exploitation. In circumstances where such equivalency is established, transfers may proceed.
However, there are specific instances where the law allows data to be transferred even if these safeguards are not explicitly proven. These include situations necessary for performing or preparing contracts between the data subject and the data controller or processor.
For example, if a Kenyan citizen engages with an international company for a service, the necessary personal details may lawfully be transferred to fulfill that agreement. Transfers are also permitted when they serve broader public interests, such as international cooperation in health, security, or humanitarian efforts, or when they are essential for the establishment or defence of legal claims. In moments of urgency, where the life or vital interests of a person are at stake and the data subject is unable to provide consent, a transfer can also be justified.
Finally, data transfers may occur where the data controller or processor has a legitimate interest that does not override the rights and freedoms of the data subject. This balance ensures that while legitimate business or administrative needs may be pursued, they never eclipse the individual’s fundamental right to privacy.
When sensitive personal data, such as health information, biometric data, or financial details, is to be transferred outside Kenya, the law becomes even more stringent. Such transfers can only happen with the explicit consent of the data subject and after confirming that appropriate safeguards are in place. Consent here is key: it signifies the informed, voluntary, and unambiguous permission of the individual whose data is being moved.
The Data Commissioner retains the authority to request proof that the security measures are indeed effective. The person or entity responsible for the transfer may be called upon to demonstrate both the technical soundness of their safeguards and the legitimacy of their reasons for transferring the data. Moreover, to uphold the public interest and protect the fundamental rights and freedoms of data subjects, the Data Commissioner possesses the power to prohibit, suspend, or impose specific conditions on data transfers. This regulatory oversight ensures that even where consent and safeguards exist, transfers cannot proceed if they risk undermining the principles of data protection or national security.
Recognising that certain categories of data are of strategic importance to Kenya’s national interests, the Act empowers the Cabinet Secretary to determine specific types of data processing that must occur within the country’s borders. Such processing must be conducted through data servers or data centres located in Kenya. This provision is guided by two main considerations: the strategic interests of the state and the protection of revenue. In essence, some forms of data, especially those critical to government operations, national security, or the economy, must remain under local jurisdiction to ensure sovereignty, accountability, and economic benefit.
The right to data privacy and protection safeguards individuals from unauthorised access, misuse, or transfer of personal information. When data is transported outside a country, strict regulations, such as consent, lawful processing, and adequacy requirements, apply. This is to ensure foreign recipients uphold equivalent privacy standards, maintaining confidentiality, accountability, and respect for fundamental human rights.