The World Bank is recommending changes to the Kenyan Data Protection Act of 2019. Based on the bank’s report, the recommendations specifically target regulations on the localization of data. According to the Data Protection Act, at least one copy of data must be stored locally. This is the precondition set in law before Kenyans’ data can be transferred outside the country’s borders.
Notably, healthcare data is not transferrable even if it has first been stored in a local data centre. Further, Section 50 of the act gives the Cabinet Secretary powers to prevent the export of any form of data to protect “strategic interests of the state or protection of revenue.”
This report assembled by a team led by Alex Sienaert and Elwyn Davies, claims such regulations impose restrictions that increase costs for businesses. Moreover, it observes that nations with open cross-border data flows engage in more substantial trade in digital services than those that enforce stringent regulatory conditions on data transfers, even surpassing those with data restrictions such as data localization requirements.
The World Bank claims knowledge-intensive services, often referred to as ‘global innovator’ services, which include IT, currently employ only 2% of the workforce in the economy. However, they make a substantial contribution, accounting for 14% of Kenya’s GDP and fuelling 19% of economic growth.
As such, a change to the law will lead to the expansion of these services and present significant advantages to the economy including growth in job opportunities.
Recommendations Contradict Global Trends
Ironically, the World Bank proposal comes in the same year the European Union slapped Meta with a record $1.3 billion fine for transferring users’ personal information outside the EU borders. It also comes at a time when many Western nations are banning the use of Huawei network infrastructure due to concerns about data security and privacy.
Not reading the room, the bank pushes the changes even as Kenyan authorities continue investigating Worldcoin. Activities of Worldcoin in the country were halted after data privacy concerns were raised.
A parliamentary committee found that the US-registered company chose to launch in Kenya due to regulatory lapses. This shows that the data laws may need adjustments to seal loopholes not loosen restrictions.
It is important to note that data localization does not necessarily translate to data protection. Data localisation helps a country like Kenya enforce domestic data protection standards over that data. These standards may not be the same outside of the country. Data in local servers, whether operated by domestic or foreign companies, is still open to misuse. However, such cases are open to prosecution under the Kenyan laws.
The world bank’s report proposes a flexible and standardized system for data sharing within Eastern Africa and beyond the East African Community (EAC). Ultimately, the World Bank hopes for the establishment of a unified data market in eastern Africa. This would be achieved by facilitating the regional integration of data processing and storage requirements.