EU Commission and Kenya close to agreeing a mutual adequacy agreement



Kenya’s Data Commissioner, Immacculate Kassait, told PL&B at the Global Privacy Assembly (GPA) last week that the EU Commission and Kenya’s Data Commission are currently identifying any gaps in Kenya’s regulatory framework. Kenya’s Data Protection Act largely mirrors the GDPR, so there are not so many areas that need to be looked at, Kassait said. She stressed the importance of an independent authority for achieving adequacy, and that the decision will be a mutual adequacy decision, meaning that there will be an equivalent decision on the Kenyan side regarding the EU.

Kenya’s Data Protection Act was adopted in 2019, and the dialogue with the EU about adequacy for international data transfers started in earnest in spring this year. We hope to see the adequacy decision some time in 2025, perhaps even by mid-2025, Kassait said. However, after the Commission issues its decision, progress depends on other parties. Approval is needed by the European Parliament and Council, who will be given advice by the European Data Protection Board in the form of an Opinion.

Kenya would be the first African country to achieve EU data adequacy. Kassait considers that there could be a network effect, and the decision would be positive for data protection awareness in Africa. “But most importantly adequacy would create more business opportunities for the country, for example in outsourcing.”

EU Commissioner for Justice, Didier Reynders, met the heads of Kenya’s, Brazil’s and Korea’s privacy authorities on the margins of the GPA. They discussed progress in the negotiations with these countries on free and safe data flows.

See: 46th Global Privacy Assembly