EAC charts path for secure cross-border data flows
… As Partner States eye unified legal framework for data protection
East African Community Headquarters, Arusha, Tanzania, 16th September, 2025: The EAC, under the Eastern Africa Regional Digital Integration Project (EARDIP), has taken another important step towards creating a common framework to safeguard personal data and strengthen cybersecurity in the region. This follows the Second Meeting of the Technical Working Group (TWG) on the Development of Data Protection and Cyber Security Legal Frameworks, held from 8th to 12th September, 2025 in Dar es Salaam, Tanzania.
The meeting was convened as part of the EARDIP’s data market development and integration objective to enhance cross-border data flows while ensuring robust cybersecurity and data protection frameworks. The regional effort aims to make cross-border data sharing safe and secure, protect citizens’ rights, and support the growth of the EAC Single Digital Market.
In his opening remarks, the Chairperson of the TWG, Mr. Gisiora Dickson Ochoki, Director of Cyber Security, Ministry of ICT and the Digital Economy, Republic of Kenya, thanked participants for their commitment and underscored the importance of sustaining momentum. “This meeting builds on the strong foundation laid during the first Technical Working Group session,” he noted. “Our continued collaboration and consistency in participation will be critical in shaping a robust regional framework that safeguards citizens’ rights, strengthens trust, and accelerates East Africa’s journey towards a secure and integrated digital market,” he said.
The framework is being developed through a Partner State–driven process led by the TWG, bringing together technical and legal inputs from across the region. It is guided by EAC integration goals and aligned with national laws to prevent overlap or conflict.
During the meeting, the Partner States deliberated extensively on the principles and elements of the proposed regional instrument and confirmed alignment on enabling trusted cross-border data flows within a framework that complements and reinforces national regimes while respecting sovereignty. To ensure the framework is both rigorous and context-appropriate, The TWG is fast-tracking research and holding consultations to adapt global best practices to the EAC context.
The TWG further agreed that the core data protection principles of lawfulness, transparency, fairness, data limitation, integrity and confidentiality, storage limitation and purpose limitation should form the backbone of the Community’s approach, ensuring that data is processed responsibly and with safeguards for citizens.
Recognising sensitive policy areas, the TWG agreed on balanced approaches for national security exemptions, careful handling of data localisation, and stronger protections for children, vulnerable groups, and other sensitive personal data.
The meeting agreed that individuals must enjoy strong rights, including timely access and rectification, erasure where appropriate, data portability, protection against decisions based solely on automated processing without human review, and clear avenues for redress.
On cross-border transfers, the TWG reviewed various available mechanisms and noted that offering options such as Standard Contractual Clauses, Binding Corporate Rules, codes of conduct, and appropriate assessments allows entities to choose what best fits their needs. The meeting also emphasised practical cooperation among national data protection authorities to support consistent application and enforcement across borders, including coordinated incident response, clarity on government-access requests, and alignment on safeguard implementation.
The meeting further observed that while some Partner States have already enacted national laws, others are yet to do so. This highlighted the importance of a regional framework that not only fills gaps in national regimes but also provides uniform standards for cross-border transfers. The idea of establishing a “Single Data Territory” was floated, mirroring the approach taken in the EAC’s Single Customs Territory, as a way of streamlining data flows across the region.
The TWG agreed that putting the region-first approach to trusted cross-border data flows into practice requires a solid legal foundation that ensures a regional focus, protects people and institutions, provides legal certainty, safeguards personal data, and includes all Partner States. To this end, the TWG called for fast-tracking of research on best practices to enrich the framework.
A legal framework for cross-border data flows helps protect citizens’ personal information when it moves across countries. It ensures that companies and governments handle data safely, reducing the risk of misuse, fraud, or identity theft. It also gives people control over their data, including the right to access, correct, delete, or transfer their information.
The EAC Secretariat, together with Partner States, will lead the drafting of a regional legal instrument for consideration by the Community’s policy organs and stakeholders. This process will stay region-focused, align with national laws, and include broad consultations. By establishing trusted cross-border data flows in a clear legal framework, the EAC will protect citizens’ personal information, enhance data security, build trust in digital services, and support reliable regional transactions, driving progress toward a secure, competitive, and inclusive Single Digital Market.
For more information, please contact:
Aileen Mallya
Communications Expert
Eastern African Regional Digital Integration Project (EARDIP)
EAC Secretariat
Arusha, Tanzania
Tel: +255 754 266564
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.
Website: www.eac.int/eardip
About the East African Community Secretariat:
The East African Community (EAC) is a regional intergovernmental organisation of eight (8) Partner States, comprising the Republic of Burundi, the Democratic Republic of Congo, the Republic of Kenya, the Republic of Rwanda, the Federal Republic of Somalia, the Republic of South Sudan, the Republic of Uganda and the United Republic of Tanzania, with its headquarters in Arusha, Tanzania. The Federal Republic of Somalia was admitted into the EAC bloc by the Summit of EAC Heads of State on 24th November, 2023 and became a full member on 4th March, 2024.