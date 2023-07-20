About a month ago, the Data Protection Commissioner and her delegation visited the European Union. Their most important meeting was with the European Commission (EC), in which they discussed the possibility of a mutual adequacy decision between Kenya and the EU.

The Data Protection Act is comparable to the EU’s General Data Protection Regulations (GDPR), giving Kenya a competitive edge. The data would be safeguarded and free to flow, allowing Kenyan entities to service the EU market from the country without incurring additional GDPR compliance expenses.

On July 10, the EU granted adequacy decision for the EU-US Data Privacy Framework with respect to transfers of personal data with a lot of fanfare. That saw the United States join Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, South Korea, Jersey, New Zealand, Switzerland, Uruguay and the United Kingdom as the only nations with adequacy decisions with the EU.

“Adequacy decision” denotes a legal judgment by the EU recognising that another country, region, sector or international organisation provides a comparable level of personal data protection as the GDPR. Hence, personal data can be seamlessly transferred and protected from the EU to it.

The EC takes into account factors like laws, respect for human rights and freedoms, national security, data protection regulations, existence of a data protection authority and binding commitments by the country/territories/sector/international organisation in terms of data protection.

Schrems I and Schrems II cases

The EU-US adequacy decision is the culmination of years of intense EU-US negotiations in the aftermath of the Court of Justice of the European Union (CJEU) invalidating the 15-year-old US-EU Safe Harbor agreement, as well as its successor, the Privacy Shield, in the Schrems I and Schrems II cases.

Austrian privacy lawyer Maximilian Schrems filed many legal challenges in EU courts to alter legislation governing foreign data transfers. He successfully asserted in his campaign against Facebook that personal data maintained or carried to the US may be exposed to US intelligence agencies.

To mitigate the concerns raised by the CJEU in Schrems decisions, the EU-US Data Privacy Framework was developed. It includes new binding safeguards and limits to personal data flows between the EU and participating US entities and monitoring and review mechanisms to ensure compliance.

Data will be moved between the EU and the US under a stable and trustworthy secure system that also offers legal certainty to corporations. This could be a huge victory for small- and medium-sized businesses and large cloud and social media firms. It removes uncertainty about the legal foundation for trans-Atlantic data transfers by providing a less expensive and more sophisticated alternative.

Conversely, opponents, led by Schrems, believe the EU-US Data Privacy Framework is merely a re-enactment of the defunct Privacy Shield, motivated by political reasons rather than practical gains owing to no significant changes in US surveillance legislation. Thus, the framework is ripe for a legal challenge, making ‘Schrems III’ a distinct possibility.



