Kenya’s Cross-Border Data Transfer Regulation
The Framework
Kenya’s Data Protection Act (No. 24 of 2019) established a comprehensive legal framework for processing personal data, including rules for transferring data beyond its borders. Under this law, businesses must show “appropriate safeguards” when sending data abroad, such as robust security measures and demonstrable data privacy protections. In some cases, organizations must obtain approval from the data commissioner before conducting transfers, especially if the data is deemed sensitive. Draft regulations in 2021 further clarified that certain categories of data may require local storage or processing, particularly when processing supports public services. Together, these measures aim to protect Kenyan citizens’ personal information by keeping regulators closely involved in overseeing cross-border data flows.[1]
Implications for U.S. Technology Companies
Because Kenyan authorities may require evidence of stringent data protection measures before permitting data transfers, large U.S. technology companies face additional compliance obligations, costs, and potential delays. These rules can raise the cost of cloud infrastructure, necessitate local data centers, and compel intricate legal agreements to satisfy regulatory standards. Companies without a local footprint or resources for local data storage may find market entry more difficult. In effect, cross-border data transfer restrictions can disproportionately affect multinational firms that rely on seamless global data flows to power their services, conduct analytics, and coordinate regional operations.
How China Benefits
By curbing the flexibility of U.S. companies to transfer and process data abroad, Kenya’s rules create openings for Chinese firms that often receive state support and can more readily build local infrastructure or handle stricter storage mandates. With fewer legacy deployments across multiple jurisdictions, Chinese providers—especially those backed by government financing—may position themselves as “turnkey” compliance solutions, capitalizing on Kenya’s data localization trend. Over time, limiting U.S. providers’ ability to operate freely could grant Chinese tech enterprises a stronger foothold in emerging African digital markets.
Endnotes
[1] Nigel Cory and Luke Dascoli, “How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address Them” (Information Technology & Innovation Foundation, July 2021). https://itif.org/publications/2021/07/19/how-barriers-cross-border-data-flows-are-spreading-globally-what-they-cost/.
