Why the US-Kenya Free Trade Agreement Negotiations Set a Bad Precedent for Data Policy

This blog is part of CGD’s Governing Data for Development project, which explores how governments can use data to support innovation, development, and inclusive growth while protecting citizens and communities against harm. Isaac Rutenberg is a member of the working group that guides the project.

Cross-border data flows increasingly take center stage in the global trade discourse, as digital trade or “e-commerce” chapters have become a regular feature in bilateral trade agreements. The COVID-19 pandemic has sharpened focus on the role of cross-border data flows by highlighting their importance for informing a coordinated global health response and the importance of accessing online services while working from home.  

Because most of the global digital economy is driven by technology that is owned and controlled by companies based in rich countries, particularly the United States, data tends to flow away from developing and least developed countries rather than towards them. At the same time, these countries have imported frameworks for regulating the use of data that tend to favor technologies and the jurisdictions within which they are developed. Promoting this trend is the advent of bilateral trade agreements that include clauses that explicitly support this aim within their objectives if not the final text. These trends highlight the need to develop local capacity in developing countries for governing data and the ability of countries to pursue a regulatory environment where cross-border data flows are encouraged but balanced against the right to privacy of individuals.

The United States Kenya Free Trade Agreement, which is still under negotiation, illustrates the dynamics at play. Unlike the 2020 UK-Kenya Economic Partnership Agreement, which reserved negotiations surrounding issues related to intellectual property and the digital economy to a later date, the United States’ negotiation objectives are to influence the intellectual property, digital economy, and data protection landscape of Kenya to the benefit of US companies.

US negotiation objectives would establish a competitive advantage for US firms

The US has stated three main objectives on the issue of cross-border data flows: first, to prevent Kenya from imposing measures that restrict these flows, including by requiring the use or installation of local computing facilities; second,  to promote the interoperability of data protection regimes and mechanisms to facilitate cross-border information transfers; and third, to establish rules that prevent governments from mandating the disclosure of computer source code or algorithms. Kenya’s objectives, on the other hand, focus on obtaining a “secure commitment to allow gradual regulations at facilitation of Digital trade in goods and services and cross-border data flow in line with the [Country’s] development agenda in particular contribution of this trade to economic development.”

What stands out from these objectives is that Kenya’s goal is vague and connected to a development agenda that is not clearly defined, while the US is clearly focused on maintaining unfettered cross-border data flows between the two countries, in line with the interest of US companies. For example, retailers and data-centric businesses such as Amazon and Google are undoubtedly interested in the immense amount of e-commerce data associated with MPesa, Kenya’s innovative and ubiquitous mobile money transfer system that has been gathering detailed commerce data since 2006. The importance of such data is underscored by recent updates to WhatsApp’s terms of use, which called attention to the company’s longstanding policy of allowing commercial user data to be shared with parent company Facebook and used to target advertising updates. US tech companies could use the data collected from local transactions to identify and target new business opportunities in Kenya, eroding local firms’ competitiveness.                                                                              

Putting Kenya’s nascent data protection regime at risk

The local context of the ongoing trade negotiations is important. The Kenyan data protection landscape is still at a nascent stage but it is rapidly evolving, with many similarities to European-style data protection, as well as many of the same vulnerabilities. Kenya’s Data Protection Act (‘the DPA’) was enacted in 2019 and the country’s first Data Protection Commissioner was appointed at the end of 2020, notably after the US-Kenya trade negotiations had begun. The legal infrastructure that will support the DPA is yet to be operationalized and there are a number of regulations that still need to be passed.

Although still evolving, Kenya’s data protection regime does require proof of adequate data protection safeguards in the destination country as a prerequisite to cross-border data transfers. The US-Kenya Free Trade Agreement as currently drafted would undermine this requirement.  

What Kenya should focus on in negotiations regarding cross-border data flows

Kenya’s Office of the Data Protection Commissioner needs to act from a position of independence. While free trade agreements are, as a rule, negotiated in secret, we hope that the relevant data protection authorities and experts in Kenya will be engaged in negotiating and concluding the agreement. Their engagement, after consulting with relevant stakeholders, would go a long way in attaining the constitutional principle of public participation. Even though data protection is a new area for Kenya, the county’s rapidly growing digital economy requires the government to remain vigilant. Moreover, Kenya’s DPA is based on the individual’s right to privacy, and any free trade agreement should ensure that this right is preserved.

Melissa Omino is the Research Manager at the Center for Intellectual Property and Information Technology Law (CIPIT), Strathmore University, Nairobi. Isaac Rutenberg is the Director of CIPIT.