World Bank urges Kenya to alter law on servers abroad

A server room.

The World Bank has asked Kenya to revoke a law that forces companies to store sensitive personal data on servers located within the country as one of the ways to ease trade in digital services with other countries.

The global lender says such curbs are hindering cross-border trade in digital services.

It has asked Kenya to upgrade the current Data Protection Act and related instruments such as the Health Information System Policy to scrap requirements for data localisation and adopt compatible and interoperable standards, in a move towards a single regional data market.

“In particular, Kenya may seek to reduce data localisation requirements at least for privately generated personal data within its legal framework,” said the World Bank in its Country Economic Memorandum for Kenya.

This comes at a time when thousands of digital service providers including global giants such as Google, Meta, TikTok, Netflix, Oracle, and Microsoft operate in Kenya making them a crucial cog in job creation and economic output.

As the world rapidly digitises, data has been referred to as the “oil of the digital economy”, underlining the great power that its controllers such as banks, e-commerce firms, telecommunications companies, content sites, health facilities, schools, and digital service providers wield. To safeguard this increasingly huge volume of sensitive information being held by private entities, Kenya enacted the Data Protection Act, of 2019 which requires data handlers to host it locally in what is known localisation.

Some of the sensitive data identified by the law include the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, and biometric data.

Others are property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex, or the sexual orientation of the subject.

Under the Act, data controllers or processors can only share specific sensitive information across borders with the approval of the Data Commissioner. Kenya is among 31 African countries out of the 54 that have enacted data protection laws as of February 2020.