proof of ineffectiveness required for the free flow of data in country and across borders. 4.5 Lawful transfer of data across borders Most instruments on data protection, either at national,60 regional61 or international62 level has as one of its objectives the enhancing of cross border data transfers. The importance of cross border data flows increases with ecommerce and with globalisation seen as during the height of the pandemic as governments shared sensitive health data in an effort to combat the pandemic, while concurrently data subjects traded across borders, through online shopping. National laws have specific provisions allowing for cross border transfers. And as a matter of international practices, data flows are allowed in the under four specific instances. First, if there is consent, second if there is necessity (with or without consent), third where there are appropriate safeguards at data controller level (binding corporate rules or standard contract clauses) and fourth and last where there is an adequate decision that the country or international organisation is a safe data destination. The paper will not discuss the first three. The countries reviewed have a cascading and mixed approval regimes on cross border flows, starting from blanket prohibition of flows, to flows only allowed to a country with adequacy or similar or substantial protection standards, and that even if there are no country safeguards, individual proposed data controller adequate safeguards are sufficient. The argument is that it is not sufficient to delegate the adequacy satisfaction to a data controller whose actual effectiveness is dependent on other country level factors such as national security interests, data localisation practices, and general state of the rule of law. In other instances, transfer is not prohibited, but the law starts with approval based on consent, standard contracts, approval by relevant minister,63 or data protection authority. This is true of Zambia's provision under section 71 of the ZDPA. Countries also have separate provisions on data transfer for SADC and non-SADC states. For instance, Eswatini law section 32(1) provides that 'SADC member states must have transposed the SADC data protection This is true of some national laws such as South Africa as POPIA preamble specifically includes to regulate the flow of personal information across borders of the Republic . Other laws, Zimbabwe, Lesotho, Zambia, Mauritius, eSwatini, and Botswana are silent on this being an objective or purpose of the data protection law despite further providing for cross border data transfers. The GDPR article this Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. The Council of Europe Convention on the Processing of Personal Data Convention + ; the OECD Guidelines on Data Protection The provisions of approvals by relevant minister for data transfers can easily be abused especially for national security matters. PAGE