WHAT YOU NEED TO KNOW ABOUT PERSONAL DATA PROTECTION AND PRIVACY PROTECTION LAW IN TANZANIA.

The volume of personal data being generated and stored has increased at an unprecedented rate over the past few years, making personal data protection more important in order to prevent the misuse thereof.  

In Tanzania, the right to privacy and personal security has been recognised since the introduction of the Bill of Rights into the Constitution of the United Republic of Tanzania of 1977 (as amended from time to time) (hereinafter referred to as 'the Constitution'). However, there has not been a specific law enacted to meet the objectives of Article 16 (1) of the Constitution, which states that every Tanzanian is entitled to respect and protection of his person, the privacy of his own person, his family and his matrimonial life, respect and protection of his residence, and private communications.

Over the years, the Parliament of the United Republic of Tanzania has passed several legislation that in one way or the other, captures basic elements of protection of personal data from third party users. Such legislation include, but not limited to: -

  1. The Banking and Financial Institutions Act, Number 5 of 2006 (as amended from time to time);
  2. The Electronic and Postal Communications Act, Chapter 306, Revised Edition of 2022;
  3. The Cybercrimes Act, Number 14 of 2015;
  4. The Electronic Transactions Act, Chapter 442. Revised Edition of 2022; and
  5. The Access to Information Act, Number 6 of 2016.

The legislation referred to above had some shortfalls with regard to the protection of personal data and privacy, for instance, detailed provisions on data ownership and whether individuals whose information has been released have any power over such information once it is under the control of a third party, whether such personal data can be transferred to a destination outside Tanzania with or without consent of the subject and whether or not the individual has the right to demand  their personal information  be deleted from the record of the party who collected such data, even if such collection was for a legitimate reason.

One could argue that these gaps or shortfalls have resulted in a vacuum in safeguarding individual privacy, and indeed, such an argument was brought forward in Miscellaneous Civil Case Number 15 of 2019 and Number 5 of 2020 (consolidated) between Raymond Paul Kanegene & Another vs. The Attorney General, whereby the Petitioner was challenging the constitutionality of sections 16 and 39 (2)(a) and (b) of the Cybercrimes Act, Number 14 of 2015, which were alleged to be in violation of the right to privacy and the right to freedom of expression under Articles 16 and 18 of the Constitution. The High Court of Tanzania had previously set out common law principles in respect of one’s right to privacy in Civil Appeal Number 110 of 2018 between Deogras John Marando vs. Managing Director, Tanzania Beijing Huayuan Security Guard Service Co. Ltd, whereby Hon. Mlyambina J, at page 19 listed the conditions which must be proved to establish breach of right to privacy and reputation, which are as follows:-  

  1. There must be an intrusion of personal privacy of the claimant on their identity/image by the respondent;
  2. There must be an appropriation of the claimant's image, celebrity or likeness for the respondent's advantage in any form but in particular for commercial purposes;
  3. There must be lack of consent from the claimant; and
  4. There must be proof that the respondent earned profit out of the illegal use of the claimant's image.

As such, the Parliament of the United Republic of Tanzania enacted the Personal Data Protection Act, Number 11 of 2022 (hereinafter referred to as ‘the Personal Data Protection Act’) in an attempt to codify these basic principles or set out certain minimum requirements in connection with Article 16 of the Constitution.  However, it should be noted that the Personal Data Protection Act applies to Zanzibar only with respect to matters which are prescribed under the Constitution as Union Matters.

Article 16 (2) of the Constitution is subject to a limitation clause in some circumstances and the Personal Data Protection Act has directed that personal information be collected where necessary and for a legitimate purpose to ensure accuracy of information and maintenance of a proper security system ensuring that the data collected is not destructed, converted, accessed or processed in any way without authorisation.

The person whose information is being collected is entitled to be informed of the data collection and processing as well as the purpose involved. This person is further entitled to have access to the data collected and processed as well as being afforded the right to rectify personal data to ensure its accuracy. If there is any violation of the principles governing personal data protection, the person whose information is being collected can file a complaint against the data collector to the Personal Data Protection Commission (hereinafter referred to as ‘the Commission’) where he will have the right to compensation.

The Commission has mandate to administer and enforce the Data Personal Protection Act which places an obligation on data collectors and processors to lawfully collect personal data for a legitimate purpose which has been disclosed to the data subject and making sure that the personal data is kept in a manner that ensures security of the data and safeguards against unauthorised processing of data contrary to law.

Further, the Commission may punish on the unconsented disclosure of personal data by an individual by a fine of not less than TZS 100,000 and not more than TZS 20,000,000  or to imprisonment for a term not exceeding ten years or both, for a body corporate fine of not less than TZS 1,000,000 and not more than TZS 5,000,000,000 and on the offence of unlawful destruction, deletion, concealment or conversion of personal data is punishable by a fine of not less than TZS 100,000 and not more than TZS 10,000,000 or to imprisonment for a term not exceeding five years or both, on a body corporate it poses a direct liability on all officers who intentionally authorised or allowed the commission of such an offence. Where the offence is not specifically provided, there is a general fine of not less than TZS 100,000 and not more than TZS 5,000,000 or to imprisonment for a term not exceeding five years, or both.

In that respect, data collected may only be disclosed in circumstances where the data subject has consented to such disclosure, where authorised or required by law, where disclosure is directly related to the purpose for which such data was collected, where such disclosure would preserve health or reduce harm to another person or the society, where the data subject is not identified or for statistical or research purposes, where it is guaranteed that such data will not be published in a manner that will identify the data subject and where disclosure is necessary in compliance with the law.

Conclusion:

We, as a society, should be aware that there are always limitations to the protection of personal information or data by collectors thereof. This is why, it is high time that Tanzania enacted the Personal Data Protection Act. This said, at the time of writing this article, we are yet to clearly observe the implementation and practicality of this legislation, especially considering that the advancement in information technology is moving at rapid speed worldwide which will undoubtedly put this legislation to the test in terms of protecting personal details of individuals for being misused. 

Nuru Mwandambo - Legal Intern

Note: This is not a legal opinion and the contents hereof are not meant to be relied upon by any recipient unless our written consent is sought and explicitly obtained in writing.