Data Commissioner tightens rules on cross-border data transfers amid rising cyber threats

News · Chrispho Owuor · April 16, 2026
Data Protection Commissioner Immaculate Kassait at a past event. PHOTO/KICTANet
The Office of the Data Protection Commissioner has issued fresh guidance tightening how personal data is moved across borders, setting tougher conditions for organisations as cyber threats rise and cloud use expands.

The new framework outlines firm requirements on safeguards, consent, adequacy decisions and accountability for any entity handling personal data outside Kenya. It also widens obligations around cloud storage, onward transfers and the handling of sensitive information, in a move aimed at strengthening privacy protections and aligning the country with global standards.

In the guidance released on Wednesday, the regulator defines cross-border data transfer as “the transfer of personal data across international borders,” noting that such activity has increased sharply due to cloud computing, digital services and global business operations.

It warns that this growth has exposed both individuals and organisations to higher cyber risks. According to the Office, “due to emerging technological trends, the country has experienced a rise in the cross-border transfer of personal data,” increasing exposure to threats such as “data breaches, phishing, ransomware attacks, and account takeovers.”

The regulator says these risks are more severe where data is processed or stored in countries with weaker protections, or where organisations fail to put in place proper safeguards.

It adds that “the widespread adoption of cloud computing and the interconnection of numerous organisational systems and devices have further complicated data security challenges.”

Under the new rules, organisations transferring personal data outside Kenya must follow key principles including lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

The Office states that entities must ensure transfers are lawful and that individuals are clearly informed, while also making sure the data is used only for a specific and legitimate purpose. Organisations are further required to limit transfers to only the necessary data, avoiding the sharing of excess information.

The framework sets four legal grounds for cross-border transfers: appropriate safeguards, adequacy decisions by the Data Commissioner, necessity, or consent. Where consent is relied upon, it must be explicit and informed, with individuals made aware of potential risks.

For transfers based on safeguards, organisations must put in place binding protections that match Kenyan law. These may include Binding Corporate Rules, reciprocal agreements or international conventions. The document stresses that such safeguards must ensure a level of protection essentially equivalent to that provided under the Act.

The regulator also refers to the African Union’s Malabo Convention, noting that while it promotes harmonisation, “ratification does not confer an automatic approval of transfer,” and each case must still undergo regulatory review.

Accountability is a central requirement under the guidance. Organisations must keep detailed records of all transfers, including the date and time, recipient details, reasons for the transfer, and the type of personal data involved.

Strict conditions have also been introduced for onward transfers, with the Office stating that no further sharing is allowed without prior written approval and without ensuring equivalent protections. Data recipients will remain fully responsible for any breaches involving third parties.

Cloud computing is a key focus area in the new rules. The regulator states that processing personal data in cloud systems hosted outside Kenya amounts to a cross-border transfer, meaning organisations must carry out risk assessments and sign binding agreements with service providers.

Security measures expected include encryption, multi-factor authentication, anonymisation, audit logs and continuous monitoring. The Office cautions that unprotected data, whether in transit or in storage, can expose an organisation to serious risks.

Entities handling sensitive personal data, including health, biometric or family information, will face stricter controls. These include the need for explicit consent and stronger safeguards before any transfer is made.

The guidance also reinforces data localisation requirements for systems considered critical to the state, such as civil registration, elections, public finance, education and healthcare. In such cases, the data must be stored or mirrored within Kenya.

The Office says the framework is intended to ensure that “personal data remains protected when transmitted to foreign jurisdictions,” while still allowing Kenya to take part in global digital systems.

It adds that privacy is protected under the Constitution, and that the updated rules seek to strike a balance between innovation and data protection, ensuring organisations remain compliant as they operate across borders.
