Section 18(2) of Ghana’s Data Protection Act of 2012 (GDPA) contains no specific provisions on international transfer of data. The mere stipulation in this section that where a foreign data subject’s personal data are sent to Ghana for processing, such processing should occur in accordance with the data protection legislation of the foreign jurisdiction, does not determine international data transfer requirements for data subjects in Ghana. Further, the GDPA does not specify data transfer governance prerequisites between Ghana and foreign jurisdictions. This compares unfavourably with legislation of jurisdictions such as South Africa, which explicitly governs the transfer of personal information outside the country (Section 27).³ We affirm our position: the GDPA offers inadequate protection to its data subjects in relation to data transfers to foreign jurisdictions.

At the time at which our manuscript² was submitted for publication (2022), Nigeria’s Data Protection Regulation (DPR) of 2019 governed international data transfers in the country⁴. In 2023, the Data Protection Act was approved and promulgated in Nigeria, which repealed the Data Protection Regulation. In terms of the erstwhile DPR, specifically Reg. 2.11, international data transfer had to take place under the supervision of the Attorney General of Nigeria and the National Information Technology Development Agency (NITDA) had to determine whether the foreign country provided an adequate level of protection⁴ (words italicised for emphasis). Authorisation for international data transfer was provided by way of a decision by NITDA.

The Kenyan Data Protection Act is clear that public interest, which includes a public health emergency, could be a legitimate basis for the lawful transfer of personal data to another country (sec. 48 (c) (iii)).⁵ Furthermore, the Kenyan Data Protection Regulations, 2021, provide strict rules for the international transfer of data that include “adequate data protection safeguards” as an important basis for allowing the transfer.⁵ The fact that provision is made for exemptions in very specific situations, such as a public health emergency, does not weaken the legislative framework. On the contrary, the overall approach of the Kenyan legislature is to have a detailed strict regulatory framework which includes allowing for special cases such as public health emergencies.

Section 57 of the Protection of Personal Information Act 4 of 2013 (POPIA) specifies that the responsible party must obtain prior authorisation from the Regulator, in terms of section 58, prior to any processing – if that responsible party plans to transfer special personal information (including health information of a data subject) to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information, as referred to in section 72³ (words italicised for emphasis). No such prior authorisation from the Regulator is required if the foreign country is deemed to provide an “adequate level of protection”. More significantly, sections 57 and 58 are not applicable if a code of conduct has been issued and has come into force in terms of Chapter 7 in a specific sector or sectors of society.

ASSAf refers to its draft “Code of Conduct for Research” as “the Code”⁶,⁷. Reference to “the Code” in the manuscript is intended to be interpreted in this context.