Africa: EU-US Data Privacy Framework — Adequately adequate — no additional protections or authorizations needed for EU to US data flows

African countries to be impacted by adequacy but formal adequacy decision still uncertain

In brief

In July this year, the European Commission (EC) adopted an adequacy decision for the EU-US Data Privacy Framework. The decision allows the free flow of data from the European Union to the United States if US companies abide by the Framework. It is likely that the EC will soon look at adopting adequacy decisions for African countries, in addition to other regions, with such decisions expected to have applicability for those countries that have developed privacy laws that are modeled, fully or partially, on the European Union’s General Data Protection Regulations (GDPR) or the earlier EU Data Protection Directive (1995).


In depth

Under the EU’s primary data privacy law, the General Data Protection Regulation (GDPR), for personal data to be transferred from the EU to another country without additional safeguards, an adequacy decision must be made by the European Commission in relation to the level of protection afforded to the information being transferred by the receiving country.

The power of the European Commission to make an adequacy decision is set out in Article 45 of the GDPR, which provides that "a transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection."

An 'adequate level of protection' means that the level of protection afforded to the data is essentially equivalent to the level of protection provided to the data within the EU. The effect of an adequacy decision is that personal data may be transferred from the EU to another country without any additional safeguards having to be put in place.

According to our Global Data Privacy and Security team, on 10 July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF). US companies that participate in the DPF will be deemed to provide "adequate protection" under Article 45 of the EU General Data Protection Regulation for personal data transfers received from the EU and European Economic Area. In response to the EU’s Schrems II, the US government and the EC worked collaboratively to develop the DPF as a successor to Privacy Shield, and a means to provide greater certainty for transatlantic personal data transfers. Among other activities, the US Administration adopted Executive Order 14086 to establish enhanced privacy protections for personal data in the context of government surveillance and a new process for individuals to seek redress on these issues concerning personal data transfers from a "qualifying state" to the United States.

The adequacy decision eliminates the uncertainty around the transfer of data across borders. This is particularly important for multinational companies that operate in both the EU and the US and allows these companies to continue processing personal data in the manner in which they did prior to the adequacy decision. The adequacy decision ultimately benefits companies and individuals on both sides of the Atlantic.

African multinationals that operate across the EU and the US will also be impacted by this decision with respect to their cross-border data flows, for example, between their group entities in these regions. However, the adequacy of the flow of data in the context of Africa is uncertain. At present, the EU has not made a finding in relation to the adequacy of the data protection legislation of any African country. Over the last few years, there has been a rise in the implementation of data protection laws in African countries. South Africa, Algeria, Eswatini, Tanzania, Botswana, Kenya and Uganda, for example, are among the jurisdictions in Africa that have implemented privacy laws. Although personal data may still be transferred from EU countries to African countries, additional safeguards are still required.

The rapidly increasing flow of data between the EU and other regions, including Africa, means that the EC might in the future focus on launching adequacy decisions to assess data protection laws that have recently been adopted in countries across the continent. Many of Africa’s data privacy and security laws have been modelled, at least to some extent, on the GDPR and its earlier iteration, the EU Data Protection Directive. Data privacy laws in Africa with some similarities to the GDPR include those in Ghana, Kenya, Mauritius, Nigeria and Uganda. Data privacy laws in Rwanda also closely follow the GDPR. Data protection laws in South Africa and Morocco, for example, were modelled on the earlier EU Directive, resulting in laws that are similar but with some differences to the GDPR (notably, and in contrast to the GDPR, South African data protection law protects the personal data of juristic persons in addition to natural persons). This could mean that data flowing from these countries will be more likely to be recognized as having an adequate level of protection.

* * * * *

With thanks to Samantha Whitaker (Trainee, IPTech Practice Group, Johannesburg) for her assistance with this alert. Reference was made to articles by Baker McKenzie’s Global Privacy & Security and IPTech teams.

Related content

Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.