The Unique Kenyan Stance on Data Localization

A particularly distinctive provision within Kenyan law concerns the mandatory location of data processing infrastructure, specifically linked to "protection of revenue". This element of the Data Protection Act, 2019, sets it apart from many other data protection frameworks, which, while often addressing data localization, typically do not tie it so explicitly and directly to fiscal objectives.

Kenya's Data Protection Act, 2019, grants the Cabinet Secretary the authority to stipulate that certain types of personal data processing "shall only be effected through a server or data centre located in Kenya". The Act explicitly provides two core justifications for such a mandate: "strategic interests of the state or protection of revenue." While "strategic interests of the state" is a common ground for data localization or restrictions on cross-border data flows in many jurisdictions, the inclusion of "protection of revenue" as a distinct and co-equal ground for mandating in-country data processing infrastructure is notable.

Comparative Analysis: "Protection of Revenue" Across Jurisdictions

To fully appreciate the distinctiveness of Kenya's approach, it is crucial to compare it with how other countries, as represented in the provided sources, address data localization and economic interests:

ETHIOPIA , for instance, has a Personal Data Protection Proclamation (No. 1321/2024) that allows its Authority to prescribe categories of "critical personal data" that must be processed in-country based on "strategic interests of the state." This is very similar to Kenya's "strategic interests" clause but does not explicitly add "protection of revenue" as a separate or co-equal justification for mandating in-country server location. This suggests a broader interpretation of state interests in Ethiopia, without the specific fiscal focus seen in Kenya.

Many other data protection laws in Africa acknowledge economic or financial interests as grounds for restricting data subject rights or allowing certain processing activities, rather than mandating physical data localization. They are analysed below.

BOTSWANA's Data Protection Bill, 2024, states that obligations and rights can be restricted if it is a "necessary and proportionate measure in a democratic society to safeguard... other objectives of general public interest, including... the economic or financial interest of Botswana, monetary, budgetary and taxation matters." This provision allows for limitations on individual rights to protect revenue, but it does not equate to a direct mandate for data localization.
Similarly, REPUBLIC OF CONGO's law mentions "economic or financial interest important of the State, including in the monetary, budgetary, customs and fiscal fields" as a reason to process data for state interests. However, this is framed as a justification for processing in the public interest, not for requiring data to be physically stored within the country.
GHANA's Data Protection Act, 2012, refers to "revenue collection" as a reason for exempting data controllers from certain non-disclosure principles, indicating a focus on fiscal oversight. Yet, it does not mandate in-country server placement for this purpose.
LESOTHO's Data Protection Act, 2011, mentions the need for a legal infrastructure compatible with international best practices to support "trans-border flows of personal data purposes of trade, economic and social development". This reflects a general objective of economic benefit from data flows, rather than a specific revenue-driven localization requirement.
RWANDA's Law N° 058/2021 generally states that personal data should be stored in Rwanda but allows for exceptions if the data controller or processor has a valid registration certificate authorizing external storage. While promoting in-country storage, it lacks the specific "protection of revenue" trigger for mandatory localization seen in Kenya.
EQUATORIAL GUINEA's law (Ley Núm. /2016) permits exceptions to data subject rights for "tax activities intended to ensure compliance with tax obligations" [8]. It also allows for data communication or transfer when "legally required for the safeguard of a public interest, especially in the fulfillment of the fiscal and customs competences" [9]. These provisions relate to exceptions to rights or data transfer rules, not the mandatory physical location of data infrastructure for revenue purposes.
MAURITIUS specifies that its Act applies to controllers or processors who use "equipment in Mauritius for processing personal data, other than for the purpose of transit through Mauritius," and requires non-established entities to nominate a representative. However, this is a general application rule rather than a specific mandate for localization tied to revenue.
ZIMBABWE, other countries like CHAD, MALI , MAURITANIA, NIGER , SOMALIA, SOUTH AFRICA, UGANDA, ZAMBIA, and ZIMBABWE have provisions for cross-border data transfers, typically based on "adequate level of protection" in the recipient country, or include state interests (such as national security or public interest) as exceptions to general data protection principles or for specific processing activities. None, however, explicitly mandate in-country server location for the express purpose of "protection of revenue" as a distinct justification. Zimbabwe for instance, has a general localization rule for non-established controllers if the processing means are in Zimbabwe, but the justification is not explicitly revenue-related. South Africa's law regulates transborder information flows but focuses on adequacy in the recipient country.

<aside> ⚖️

Access Africa Country Data Protection Laws and Country Fact Sheets

</aside>

This review highlights that while many countries recognize the state's economic and fiscal interests within their data protection frameworks, Kenya's explicit linkage of "protection of revenue" to the mandatory physical location of data processing infrastructure (servers or data centers) is a highly specific and distinctive feature among the sampled African laws.

Rationale Behind Kenya’s Explicit Inclusion

The explicit phrasing in Kenya’s Data Protection Act, 2019, regarding "protection of revenue" as a ground for data localization suggests several underlying motivations:

Facilitating Tax Collection and Fiscal Oversight: The most direct inference is the government's intention to enhance its capacity for tax collection and fiscal oversight.

By mandating certain data processing activities to occur on servers or in data centers within Kenya's borders, the government gains more immediate and direct access to, and oversight over, critical transactional, operational, and financial data of businesses. This could be particularly relevant for digital economy companies, where value creation and transactions often transcend physical borders, making traditional tax enforcement challenging. Local data presence allows tax authorities to more easily conduct audits, verify declared revenues, and combat tax evasion. It provides a clearer jurisdictional basis for requesting data for fiscal purposes, streamlining investigations and ensuring compliance with national tax laws.
Strengthening National Economic Sovereignty: In an era where data is increasingly viewed as a valuable economic asset, a significant portion of economic activity and value creation happens digitally.

This provision can be seen as a measure to assert greater national control and sovereignty over digital economic activities. By potentially requiring data to be kept locally, Kenya aims to ensure that the state can effectively tax and regulate these activities to its benefit, reducing reliance on complex and often slow cross-border data access agreements. It's a move to capture a larger share of the digital economy's value within national borders.