Country after country in Africa is introducing data protection legislation. One issue that is emerging as a universal priority is the regulation of the transfer of sensitive or special personal information, such as health data, across borders.
‘Transferring personal information across borders is of great importance to many companies in the health sector, especially in this era of COVID-19 where multi-jurisdictional collaboration in clinical trials and other health initiatives is common,’ says Julie Oppenheim, head of pharmaceuticals and healthcare at leading African law firm Bowmans.
Understandably, the regulatory safeguards for cross-border transfers of health and other sensitive or special personal information may be more onerous than for ‘ordinary’ personal information, where it is generally sufficient to ensure that receiving countries provide an adequate level of data protection.
While the regulatory hurdles for cross-border transfers of health data vary from jurisdiction to jurisdiction, two African countries that have particularly stringent approaches are Nigeria and Zambia.
Sensitive data must stay in Zambia
‘All sensitive personal information must be processed and stored in Zambia or using a data centre in Zambia,’ says Joshua Mwamulima, senior associate at Bowmans in Zambia.
There is only one narrowly defined exception to this requirement.
‘That is where the data subject has given express consent that the data may be transferred out of the country,’ he says.
This stringent approach is spelt out in Zambia’s new Data Protection Act, which was enacted in April 2021. As there was no transitional or grace period, the Act took effect as of 1 April this year.
Mwamulima says that although it appears that enforcement will depend largely on the office of the Data Protection Commission, which has yet to be set up, as well as regulations yet to be published, organisations working with personal information should ensure that they are ready to comply with all provisions of the new legislation.
Attorney-General supervises data transfers in Nigeria
‘In Nigeria, transferring data, including sensitive personal data, to third-party countries, follows a unique process. One is required to transfer the data under the supervision of the Attorney-General of the Federation of Nigeria,’ says Jumoke Lambo partner at Udo Udoma & Belo-Osagie, Bowmans’ alliance partner in Nigeria.
The rule applies even when a registered data controller or processor is transferring data to any of the 44 countries currently on Nigeria’s ‘white list’, which consists of jurisdictions that the relevant government ministry considers to have adequate data protection safeguards.
‘The fact that a country is on the white list merely simplifies the process,’ says Lambo, adding that companies are expected to apply to the Attorney-General for an ‘adequacy decision’ about the receiving country.
Exceptions to the requirement for an adequacy decision are limited and clearly articulated.
If binding corporate rules are in place between a company in Nigeria and related entities in foreign countries, such as a parent company or subsidiary, a copy of these rules must accompany the application for an adequacy decision.’
No white lists or red lists in most countries
At this point, Nigeria seems to be alone in Africa in having compiled a white list of jurisdictions considered to have adequate data protection safeguards.
In countries such as Kenya, South Africa and Uganda, the adequacy of data protection in receiving countries is one of the limited exceptions to the general prohibition on the cross-border transfer of personal information, including health information.
‘Our Information Regulator has not yet provided any adequacy decisions. There are currently no white lists or red lists. At this stage, entities will need to assess the laws in place in the receiving countries and take a decision on the adequacy of such laws,’ says Nadine Mather, senior associate at Bowmans in South Africa.
She says that where an assessment reveals that a receiving country lacks adequate protection, the entity wishing to transfer health data from South Africa may be required to create an adequate level of protection by entering into a binding transfer agreement or binding corporate rules with the third party receiving the data, failing which the entity will be required to obtain prior authorisation from the Information Regulator.
Adequacy and consent in Kenya
In Kenya, health data may only be transferred across borders with the express consent of the data subjects and if the Data Commissioner has been provided with evidence of adequate protections in the receiving country, says Daniel Mwathe, senior associate at Bowmans in Kenya. This means requests for approval of cross-border transfers are dealt with on a case-by-case basis, with the Data Commissioner recently confirming to a Bowmans client that the United Kingdom meets its adequacy requirements.
In Uganda, it is a case of one or the other: companies either need the data subject’s consent to having their health information transferred to a foreign country, or that country must be on the list of those countries deemed to have adequate data protection measures. As the Ugandan Data Protection Office has not yet published a list of safe-harbour countries, companies are advised to stay ‘on the safe side’ by obtaining the consent of the data subject, says Brian Kalule, partner at Bowmans in Uganda.
Staying on the safe side is a sound strategy for companies grappling with Africa’s new data protection laws. In most jurisdictions that have introduced data protection legislation, there are substantial penalties for contraventions of the law. For example, in Kenya, the penalty is a fine of up to KES 5 million (USD 50 000) or 1% of an offending company’s annual turnover, while in Nigeria and Uganda, it is a fine of up to 2% of annual turnover.
The stakes are high, and regulators mean business. Cross-border transfers of health information are in their sights and companies would do well to ensure that they comply.