18 May 22 | Published by Ruth Magona

Adequacy and Adequacy Decision

The term ‘adequacy’ is used by the European Union (EU) to describe other countries, territories, industries, or international organizations that it considers to provide a ‘essentially equivalent’ level of data protection to that which exists within the European Union (EU)

An adequacy decision is a formal decision made by the European Union (EU) that acknowledges that another country, territory, sector, or international organization provides an equivalent level of personal data protection as the European Union (EU).

Why Kenya Needs to be Adequate

Kenya needs the European Commission to determine or decide whether Kenya provides an adequate level of personal data protection. So far, the European Commission has recognized Andorra, Argentina, Canada (commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Japan, Switzerland, Uruguay, and the United States of America (limited to the Privacy Shield framework) as offering adequate protection. Kenya must undeniably be included on this list.

Japan is the commission’s most recent non-EU country to be found to provide an adequate level of protection, following the Republic of Korea in 2021.This allows for personal data to flow freely between the two economies and creates the world’s largest area of safe data flow. Japan has the Act on the Protection of Personal Information.

Kenya’s Data Protection Act was enacted and went into effect on November 25, 2019, making Kenya one of the African countries to have a comprehensive data privacy law. Kenya’s Data Protection Act is one of the world’s most recent major data privacy laws,closely modeled after the EU’s GDPR, which empowers individuals with enforceable rights over their personal information while also providing clear guidelines for businesses to handle their users’ data with care.

Some of the rights granted to data subjects by the Data Protection Act Kenya include the right to be informed about data tracking, the right to access data, the right to erasure and rectification of data, the right to opt-out of tracking, the right to data portability, and the right not to be subject to automated decision-making.

The Data Protection Act in Kenya applies to data controllers or data processors who process personal data of data subjects in Kenya who are either established or resident in or outside of Kenya. This means that Kenya’s Data Protection Act has both territorial and extra-territorial application, which is one of the similarities between it and the EU’s GDPR.

In Kenya, the Data Protection Act differentiates between sanctions for companies and sanctions for individuals. Infringement of the Data Protection Act Kenya provisions by businesses will result in a fine of up to five million KES. In the case of an undertaking, the fine will be 1% of the previous fiscal year’s annual turnover, unless that figure exceeds five million KES. In that case, they will face a fine of 5 million KES.

Individuals will face a maximum fine of three shillings or a prison sentence of up to ten years. Individuals can also be subjected to both sanctions.

Importance of Adequacy

The advantages of an adequacy decision extend beyond data transfers to the EU. Many non-EU countries, including Argentina, Colombia, Israel, and Switzerland, recognize that the countries and territories identified by the European Commission as adequate also provide an adequate level of protection to meet the requirements for international transfers under their own data protection legislation.

In practice, this means that when benefiting from an adequacy decision, African countries like Kenya can enjoy free data flows with a global network of countries. Kenya would be able to participate in the global data economy as a result of this. When the data is transferred to Kenya, Europeans will benefit from high privacy standards as well. At the same time, when the data is transferred to the EU, Kenyans will benefit from high privacy standards.

Kenyan businesses and organizations seeking to expand their operations on a global scale will benefit as well, as they will gain access to millions of consumers in the EU. It is highly likely that EU firms will outsource to Kenyan firms. This is especially true if the outsourcing arrangement includes the processing of personal data. In practice, data protection legislation and international trade go hand in hand.

Furthermore there’s a guarantee of safety for customers personal data by the two parties. As a matter of fact, businesses will become more trustworthy, and customers will no longer be afraid of intimidation or ransom.

UK Lists Future Adequate Countries

The United Kingdom (UK) recently left the European Union, and as a result, they are now able to make data adequacy decisions independently with their international partners. As a matter of fact, UK adequacy is the most efficient way for UK organizations to freely transfer personal data because it eliminates the need for alternative transfer mechanisms, which can be costly to implement. Adequacy can also provide consumers and organizations with greater certainty and confidence in another country’s regulatory landscape. The priority is to maintain high levels of data security.

The UK is working in partnership with a number of priority destinations for adequacy. New collaborations will spur more growth and allow both countries to share critical information across borders, such as life-saving research and cutting-edge technological innovation. Kenya was colonized by Britain from 1940 to 1963, so being a member of the Commonwealth as well as a hub of technology and innovation has given it a priority due to good relations with its early colonizers to be listed among the future priority adequacy countries like Australia, Brazil, The Dubai International Financial Centre, India, Indonesia, The Republic of Korea, Singapore, and The United States of America.

To Register: International Data Protection and Privacy | Cybersecurity | Training – Building Resiliency Post Covid