Negotiating Digital Frontiers: The United States Kenya STIP and the Future of Cross-Border Data Flows

Introduction

The United States and Kenya have successfully completed the third, fourth, and fifth rounds of negotiations for the Strategic Trade and Investment Partnership (STIP), which took place from January 29 to 31, April 2 to 12, and May 13 to 17, 2024, respectively.¹ The fifth session was held in Washington, D.C. The sixth round of negotiations has also been completed, having taken place from June 3 to 7, 2024, in Mombasa, Kenya.² Dates for the seventh round have yet to be announced.

A particularly critical aspect of the STIP negotiations is the digital trade chapter, which is expected to significantly influence Kenya’s approach to cross-border data transfers, a central element of modern Free Trade Agreements. This blog aims to provide an analysis of cross-border data transfers, exploring their significance to trade, how they are managed in both Kenya and the United States, and offering insights into what the final provisions might entail.

What are cross border data flows and their significance?

Cross-border data flows refer to the transfer of information that is routed or transmitted across national boundaries over the internet or through other digital means.³ This movement of data typically occurs when individuals, companies, or governments exchange data internationally, including everything from personal information and communications to commercial data and transactions.⁴ Data has emerged as a highly valuable asset in the context of digital trade, particularly with the rapid advancement of technology and the increasing integration of the world through globalisation.⁵

Cross border data flows are integral to modern business operations significantly enhancing the economic efficiency and global reach of enterprises.⁶ The ability to transmit data seamlessly across borders enables businesses to access foreign markets and integrate into global supply chains, which are crucial for driving growth, creating jobs, and fostering new investments in developing economies.⁷ In environments where data can flow freely, businesses benefit from a broad array of competitively priced products, inputs, and services.⁸ By analysing consumer preferences, browsing habits, and purchase histories, companies can create customised products, services and marketing messages.⁹

The types of data transferred across borders are diverse and cater to various functional needs of multinational corporations. These include personal data, which, while serving as a new currency in the digital economy, raises concerns regarding privacy and security.¹⁰ Business data, another significant category, encompasses information used for managing and controlling multinational operations.¹¹ This data is crucial for the internal processes of firms, such as strategic planning, management decisions, and operational supervision.

Current framework on regulation of cross border data flows

Currently, there is no global consensus on how to effectively regulate cross-border data flows. The World Trade Organisation’s (WTO) existing frameworks such as the General Agreement on Tariffs and Trade (GATT) and the General Agreement on Trade in Services (GATS), were established before the advent of advanced digital technologies and thus do not adequately address the complexities of modern data transfers.¹² This gap has resulted in a patch work of national laws where countries like the USA advocate for a free market approach to data liberalisation, whereas others like China implement stringent controls to safeguard data sovereignty and national security.¹³

The United States approach to regulating cross border data flows

The United States does not have a unified data protection law, instead, it relies on a diverse array of federal and state regulations. This decentralised approach leads to varying standards across different sectors and regions, posing risks such as inconsistent protection of personal data and requiring significant resources to oversee compliance among private entities.¹⁴ In contrast, Kenya operates under a conditional data transfer regime that enforces stringent guidelines safeguarding data subject rights, ensuring a more uniform standard of data protection.¹⁵

The United States has consistently prioritised commercial interests and market access in its digital trade agreements with other nations.¹⁶ This policy orientation was notably articulated during the Clinton administration, which championed the principle of the ‘maximum possible free flow of cross-border information’.¹⁷ This stance was intended to ensure that regulatory differences between nations do not morph into significant barriers to trade.

In 2002, the US proposed the Digital Agenda to promote the liberal flow of cross border data through bilateral and regional trade agreements.¹⁸ US led agreements tend to focus on the freedom of choice of individuals in digital products and services and the restriction of data localisation requirements.¹⁹

In 2016 the US led the negotiations for the Trans-Pacific Partnership Agreement (TPP). It was the first time the USA made a binding commitment to free cross border data flow.²⁰ Chapter 14 committed each TPP government to permit cross-border transfer of information, including personal and business information, by electronic means on condition the activity is for the business of a covered person. It also allowed a government to maintain data localization requirements on condition that it was necessary to achieve a public policy objective.²¹

In 2017, the United States Mexico Canada Agreement was negotiated by the three countries to replace the North American Free Trade Agreement (NAFTA).²² The Agreement creates an avenue for the expansion of trade and investment in innovative products and services, a field where the US has a competitive advantage.²³ This Agreement laid a stronger emphasis on favouring cross-border data flows to enable digital commerce prohibiting parties from restricting cross border transfer of information²⁴ and restricting companies from using or locating computing facilities in a party territory for conducting business.²⁵

American corporations have maintained the same view and advised the government to adopt the same provisions as the United Mexico Canada Agreement in the coming US-Kenya STIP.²⁶ For example, PhRMA, IBM, and The App Association all opposed the prohibition of cross border data flows rationalising them as barriers to trade.²⁷ Similarly for data localisation requirements, they advise that the agreement should discourage data localisation requirements to allow better market access and reduce operating costs.²⁸

Kenya’s regulation of data

In 2019, Kenya enacted the Data Protection Act, establishing a comprehensive framework for the protection of personal data.²⁹ This legislation outlines specific regulations concerning cross-border data flows and mandates for data localization. The Act is designed to safeguard the privacy and integrity of personal data, stipulating conditions under which data can be processed and transferred internationally, thus aligning Kenya’s data protection standards with global norms.³⁰ This legislative measure not only enhances the security of personal data within Kenya but also regulates the movement of such data across national boundaries, addressing potential risks and ensuring compliance with international data protection practices.

Part VI of the Act introduces a nuanced framework for the regulation of cross-border data transfers, without imposing an outright prohibition.³¹ Under this framework, any data controller or processor wishing to transfer data internationally must first demonstrate to the Data Commissioner that adequate security measures are in place to protect the information.³² This includes ensuring compliance with jurisdictions that maintain similar data protection standards.

Additionally, the Act allows for data transfers under specific conditions that justify the necessity of such actions. These include instances where the transfer is essential for the fulfilment of a contract between the data subject and the controller, supports public interest or legal claims, protects the vital interests of the data subject, or serves other legitimate interests that do not infringe upon the rights and freedoms of the data subject.³³ In all cases, explicit consent from the data subject is required, along with confirmation that appropriate safeguards are being maintained. Before the transfer of personal data out of Kenya occurs, consent from the data subject must be obtained along with confirmation of appropriate safeguards.³⁴ The Data Commissioner has the authority to request proof of the effectiveness of security measures or the presence of legitimate interests.³⁵

Kenya’s position on transfer on digital trade data

Kenya’s approach to the transfer of digital trade data is elucidated through several key documents: the Kenya-UK Economic Partnership Agreement concluded in 2020, the East African Community E-Commerce Strategy adopted in 2022, and the Data Protection Act enacted in 2019. Collectively, these documents reveal Kenya’s willingness to engage in the transfer of data, provided that such transfers incorporate robust safety mechanisms to ensure data protection.

The Kenya-UK Economic Partnership Agreement, specifically under Article 10 of Protocol 2, stipulates that the exchange of personal data between the two states is permissible provided that there are robust protection mechanisms in place.³⁶ This provision ensures that any transferred personal data is safeguarded under equivalent data protection standards in both the sending and receiving countries. Moreover, the article emphasises the necessity of maintaining a balanced level of data security, thereby fostering trust and compliance in bilateral data exchanges. This clause reflects a commitment to uphold high data protection standards, ensuring that personal information remains secure across borders.

The East African Community (EAC) E-Commerce Strategy adopted on July 12, 2022, addresses several aspects of cross-border data transfers within the region.³⁷ It identifies the importance of harmonising policies, laws, and regulations regarding data and information to facilitate cross-border trade.³⁸ Specifically, it acknowledges the challenges posed by data localisation and sovereignty which can hinder the free flow of data within the EAC.³⁹ The strategy proposes the development of a harmonised regional framework for e-transactions that includes internationally accepted principles. This approach aims to ensure that data flows are unrestricted within the EAC, promoting a more integrated digital economy.

The Data Protection Act, 2019, and the accompanying Data Protection (General) Regulations 2021,⁴⁰ aim to balance the need for data protection with the facilitation of international trade. The regulations stipulate that personal data can be transferred outside Kenya only under specific conditions to ensure adequate protection. These conditions include obtaining the consent of the data subject, ensuring the recipient has appropriate data protection safeguards in place, making a transfer based on necessity, or an adequacy decision by the Data Commissioner. The emphasis is on maintaining a high level of data protection to prevent circumvention by moving data to jurisdictions with weaker protections.

Perceived risks

There are significant risks to liberalising cross border data flows. Cross border data transfers raise concerns about government surveillance and the potential for foreign interference which can undermine national security and privacy.⁴¹ Another risk is the potential for inconsistency in data protection standards. Countries like the US view personal data predominantly as a factor of production, placing its economic value over privacy.⁴² This perspective can result in data being treated more like a commodity than a human rights concern. Furthermore, liberalising cross-border data flows could intensify competitive pressures on Kenyan corporations, particularly in the technology sector. Kenyan firms may struggle to compete with larger, more technologically advanced US corporations, potentially undermining the growth and sustainability of domestic industries.⁴³ Additionally, this shift might lead to a dependence on US digital technologies and services, thereby reducing the incentive for local innovation and development in Kenya.

What to expect – a blend of digital liberalisation and privacy concerns

The United States has historically championed the free flow of data across borders as part of its trade policies, which aligns with the interests of major US corporations, especially tech companies. This stance helps reduce operational costs and regulatory hurdles for US business, promoting more efficient global digital trade and market access. The advantages for the US include enhancing the competitiveness of its tech industry globally, securing data driven innovations. In contrast, Kenya’s Data Protection Act of 2019 reflects a cautious approach to cross-border data transfers requiring that any foreign country receiving data from Kenya must provide protection standards equivalent to those within Kenya.

The shift in USA’s position, where it withdrew support for specific provisions on cross-border data flows at the WTO reflects its objection to maintaining firm commitments on these flows and its opposition to data localisation mandates.⁴⁴ This pivot may impact the ongoing US-KE STIP negotiations, in that, the US may potentially infringe on Kenya’s policy space by negotiating for more liberal access to data and the abolishment of data localisation measures to reduce costs of trade for US companies. This may have a significant impact on Kenya. Firstly by advocating for more liberal access to data access and opposing data localisation mandates, the US could limit Kenya’s ability to enforce its own data protection laws regulations. This could undermine Kenya’s ability to control and protect the personal data of citizens. Secondly, this could disadvantage local Kenyan companies that rely on localised data processing and storage as part of their business models. Thirdly, while the elimination of data localisation could reduce operational costs for U.S. companies, it will position Kenya as a net importer of digital goods and services, potentially skewing trade balances significantly in favour of the United States.