Briefly

EAC Cross-Border Data Transfer Framework: Regional Harmonisation in Progress and What It Means for Businesses Operating Across Borders

Policy · Kenya · Briefly Editorial · Briefly Analysis

Abstract

Data protection experts from EAC partner states are this week validating a proposed regional framework for cross-border data transfers, designed to remove regulatory fragmentation that officials have explicitly characterised as a non-tariff barrier to the EAC Common Market. The framework seeks to establish common standards, interoperable compliance tools, and structured cooperation among national regulators, while preserving national legal systems and regulatory sovereignty. For businesses operating across Kenya, Uganda, Tanzania, Rwanda, Burundi, South Sudan, and the DRC, particularly in financial services, fintech, e-commerce, digital health, and public services, the framework, once adopted, will materially reshape cross-border data compliance obligations. The validation process underway now is the moment at which professional input can still influence the framework's design, making this the most actionable point in the regulatory cycle for affected organisations.

Introduction

The EAC Secretariat, through its Directorate of Customs, Trade and Monetary Affairs, is advancing a regional cross-border data transfer framework that responds to a problem that has been building since EAC partner states began enacting national data protection legislation at different speeds and with different requirements. Kenya enacted the Data Protection Act in 2019. Tanzania, Uganda, and Rwanda have each developed their own frameworks. The result is a patchwork of national regimes that businesses moving data across the region must navigate simultaneously at significant compliance cost and with material legal uncertainty about which rules apply to which data flows in which circumstances.

EAC Deputy Secretary General Annette Ssemuwemba has framed the problem in terms that go beyond technical regulatory inconvenience. Cross-border data flows, she has stated, are central infrastructure for regional trade, financial services, digital public services, and health systems. A fragmented data regime is, in practical terms, a non-tariff barrier to the Common Market. That framing matters because it positions data governance as a trade policy issue, not merely a privacy issue, and it signals that the EAC Secretariat is prepared to use its trade integration mandate to push for harmonisation even where national regulatory sovereignty creates political resistance.

Background

Cross-border data transfer regulation globally has been shaped by the tension between the free flow of data as an enabler of digital trade and the protection of personal data as a fundamental right. The EAC partner states have approached this tension differently. Kenya's Data Protection Act 2019, administered by the Office of the Data Protection Commissioner, restricts transfers of personal data outside Kenya to countries with adequate data protection frameworks or under specific safeguards including standard contractual clauses and binding corporate rules. Similar restrictions exist in Rwanda's Law No. 058/2021 on Personal Data Protection and Uganda's Data Protection and Privacy Act 2019. Tanzania's framework is less developed. The resulting compliance environment requires businesses operating regionally to apply the most restrictive applicable national standard to each data flow, a burden that falls disproportionately on MSMEs without dedicated legal and compliance resources.

The proposed EAC framework draws on international models including the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention), the COMESA Cross-Border Data Policy Framework, and to a degree the EU's General Data Protection Regulation adequacy decision mechanism. The EAC's approach seeks common standards rather than uniformity, meaning that national laws would remain in place but would be designed to interoperate rather than conflict. The validation process currently underway involves national data protection regulators, trade officials, and technical experts assessing whether the draft framework achieves that balance without compromising national privacy protections.

Analysis

The compliance implications of a harmonised EAC cross-border data framework depend significantly on what the framework actually requires, and that detail is not yet public. What is clear from the validation process and the Secretariat's public statements is the direction: common standards for data transfer adequacy assessments, interoperable compliance tools that businesses can use across multiple jurisdictions, and a regulatory cooperation mechanism that allows national data protection authorities to work together rather than in parallel silos. For businesses, the practical outcome of that direction is likely to be a single cross-border data transfer compliance exercise rather than five or seven separate national exercises, a material reduction in compliance burden if the framework is well designed.

The financial services and fintech sectors are the most directly exposed. Cross-border payments, mobile money interoperability, regional banking operations, and digital lending all involve continuous movement of customer personal data across EAC borders. Currently, each of those flows must be assessed against the national data protection requirements of every jurisdiction involved. A harmonised framework with a common adequacy standard and interoperable contractual safeguards would significantly streamline that assessment. For regional banks and fintechs, the framework also has direct implications for their data localisation strategies: investments made in country-specific data infrastructure to comply with national localisation requirements may need to be reassessed if the framework establishes a regional adequacy standard that removes the localisation rationale.

The MSME dimension, which the Secretariat has specifically highlighted, is a genuine governance concern. Small businesses operating across EAC borders in e-commerce, logistics, digital services, and trade finance face the same legal complexity as large corporates but without the resources to manage it. A fragmented compliance environment that large businesses can navigate through dedicated legal teams effectively excludes MSMEs from cross-border digital trade. The framework's success in reducing that barrier will be a meaningful measure of its practical value beyond the formal compliance sphere. The validation process currently underway is the most important moment in the framework's development for affected organisations. Once the framework is adopted by the EAC Council of Ministers, its design will be largely fixed. Businesses that engage now, through industry associations, national data protection authorities, or direct submissions to the EAC Secretariat, have the opportunity to shape interoperability standards, adequacy assessment criteria, and contractual safeguard templates in ways that reflect operational realities. Businesses that wait for adoption will inherit whatever framework the validation process produces.

Conclusion

The EAC cross-border data transfer framework is being built now, and the organisations that engage during the validation process will have shaped it. Those that wait for adoption will have inherited it. For businesses moving data across the region, in financial services, fintech, e-commerce, health, or any digital service, the difference between those two positions is significant, and the window to act is open now.

Citations

  1. EAC Treaty for the Establishment of the East African Community — legal basis for EAC Secretariat regulatory harmonisation mandate.
  2. EAC Common Market Protocol — framework for the free movement of goods, services, capital, and persons relevant to digital trade and data flow obligations.
  3. Data Protection Act 2019 (Kenya) — national framework governing cross-border personal data transfers from Kenya.
  4. Uganda Data Protection and Privacy Act 2019 — national framework governing personal data processing and cross-border transfers in Uganda.
  5. Rwanda Law No. 058/2021 on Personal Data Protection — national data protection framework relevant to cross-border transfers.
  6. African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) — continental framework informing the EAC regional approach.
  7. COMESA Cross-Border Data Policy Framework — regional precedent for harmonised data transfer standards within COMESA.
  8. Office of the Data Protection Commissioner (Kenya) — national regulatory authority participating in the EAC validation process.