International data transfer from Africa
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
As nations continue to explore the options of drafting clauses guiding international data transfer, there seems to be a missing link in the global economic discourse, and this is especially true of African nations. In the United Kingdom, there is the International Data Transfer Agreement. Hong Kong, South Korea, China, just to mention these countries, are taking steps toward owning how data passed outside their countries fall in line with general data protection principles.
However, there is a lack somewhere that needs to be addressed when it comes to the international transfer of data from African nations. There has been an argument that the lack of leaning into this is the historical lack of respect for human lives and I think that’s a fair point; but it doesn’t do justice to the global economic trajectory. Businesses are now aware that in these data driven times, they need to do right by their customers/consumers in the protection of their data.
Then the question remains, is there a clear guidance for exportation of data from these regions or is there something that could guide businesses in the right approach to transferring data? The Standard Contractual Clauses (SCC), which is the gold standard for transfer of data outside Europe, is something most African nations have adopted as their own. Not to mention any African nation, I think that’s not good enough as these clauses take into consideration the European context.
Let’s not forget that international transfer would also cover the storage, for example, of datasets in cloud systems in regions outside Africa. There has been clamour that companies store certain levels of datasets in these cloud databases and not store all information in these regions. There have even been guidelines about this but there hasn’t been much audit on these new standards, and one is yet to discover if truly many of these businesses abide by these standards.
Another argument is that we can’t have what Eduardo Ustaran calls localisation of data and opine that for this to work a strategic approach is required, and actively engaging with local businesses to show the practical ways that this can work will go a long way towards addressing the economic drivers behind this trend.
Perhaps, what the African data protection authorities lack, therefore, might be the active engagement with local businesses. It is the case of pushing for the implementation of draft laws and carrying along local businesses. There is no way a business that intends to expand or increase its revenue wouldn’t depend on the existing technology of other companies.
The international data transfer from Africa and its respective nations deserves a collaborative effort between, first, data protection authorities and the existing businesses, among African nations and of course, between African nations and the western authorities. These discussions must be transparent and “actively engage” the right parties to have the best of outcomes. For now, clarity and simplicity is what should be presented when it comes to international transfer and of course, the implementation and monitoring aspect needs to be factored in.