On Nov. 1, Tanzanian Parliament passed the Personal Data Protection Act. In September, Tanzania's Information and Communication Technologies Minister Nape Nnauye announced that the cabinet had approved a provision for Data Protection Law and that the bill would be tabled in parliament for debate. The bill proposed the enactment of the Personal Data Protection Act and provided for the establishment of a Personal Data Protection Commission. It also spelt out a directive for data processors and handlers to appoint a personal data protection officer, as well as criminal sanctions and fines for those who breach the legislation.
Now that it has been passed, the law has catapulted Tanzania into the ranks of its East Africa Community (EAC) peers, Kenya, Uganda, and Rwanda, that have Data Protection Acts in place. Additionally, it guarantees the right to privacy and personal safety of individuals, as enshrined in Chapter 16 of Tanzania (United Republic of) Constitution (1977).
The minister’s remarks in September drew reactions from various stakeholders. Stakeholders welcomed the move, albeit cautiously.
A Tanzanian Twitter influencer @yose_hoza posted:
Tunaipongeza serikali kwa kuleta muswada wa sheria ya ulinzi wa taarifa (Data protection bill) ambayo
1. Italinda taarifa za mtu
2. Itapunguza matukio ya udukuzi
3. Itachochea makampuni kuja kuwekeza nchini #DigitalRightsTz #BeOnline pic.twitter.com/dRzRZWN3Mr
— Holy (@yose_hoza) October 20, 2022
We congratulate the government for approving the Data Protection Bill. The Bill will protect one's personal information; reduce incidences of surveillance/hacking, and will encourage companies to pitch camp and invest in the country (Tanzania).
Yose added: “This Bill needs improvements and suggestions from various stakeholders in order to bring a better law for the protection of personal information (Data Privacy).”
Speaking to a local daily in Tanzania, Maxence Melo, the founder of Jamii Forums — a popular Tanzanian-based whistleblowing platform advocating for digital rights — felt that it had been a long time coming, considering that the dream for the bill stretches back to 2014. Melo added that it would be vital to foster data residency, meaning that personal data collected and processed, is stored in a particular geographic region in accordance with data laws and or regulatory requirements imposed on such data in the region it resides, as a measure to ensure the data met regional and international data privacy standards.
In a Twitter post, Carol Ndosi, a prominent Tanzanian digital rights advocate, posed the question:
Question – Ungekua una mamlaka ya kutengeneza
1. Sheria ya kulinda Right to Privacy yaani haki ya faragha
2. Data Protection – Ulinzi wa Taarifa..
ungehakikisha nini kinazingatiwa?
— Ndosi (@CarolNdosi) October 16, 2022
Swali – If you had the authority to make
1. The law to protect the right to privacy
2. Data Protection law – Protection of Information
What would you ensure was considered?
In response, one Twitter user commented: “I would have a framework on the Right to be forgotten, I understand it's a complicated aspect but we can start discussing it now and build a clear framework little by little.”
While the Data Protection Act offers hope when it comes to safeguarding the privacy of personal data, it nonetheless raises serious concerns in some key areas. For instance, part two of the act provides for a data protection authority, referred to as a Data Protection Commission. The independence and impartiality of this commission are however not guaranteed, since its board members are handpicked by the president of the United Republic of Tanzania. This grants a loophole for the board to be fired at the president’s discretion, and without the National Assembly’s input.
Part five of the act addresses data transfer, but the clause is opaque on the aspect of data subjects granting their consent to bodies that collect, process, store, or use personal data outside Tanzania’s borders. As data subjects have not been accorded the “power of consent,” it means that their data may be prone to misuse.
Part six of the act is ambiguous. Section 34 (4), for example, gives full legal rights to an heir apparent, meaning that they could consent to the processing of private information on behalf of any other party not capable of granting such consent. It however lacks a legal interpretation rationale, as it does not clearly spell out which “party” — whether alive, incapacitated, and/or deceased. This section may be prone to abuse, as an heir may not meet the legal threshold to consent on behalf of someone else due to reasons such as being underage, coercion, and/or other technicalities.
Section 35 prohibits the processing of personal data for direct commercial advertising purposes. Despite the prohibition, it still remains unclear whether the section data handlers can trade the personal data of their data subjects.
The act also falls short when it comes to the security breach notification front. Procedures for handling data breaches ought to be outlined in the Data Protection Regulation, in order to compel data handlers to give data subjects advance notice of any security breaches involving their personal information, its effects, and the remedial action taken. The obligation for data breach notification would be greatly strengthened by a directive for data processors and collectors to notify affected data subjects within a stipulated time of becoming aware of data breaches.
While Tanzania is on the right path as far as enacting a Data Protection Act is concerned, the government needs to embrace public participation in the making of this legislation, as stated in Article 21 of the Constitution. This way, it will allow the public’s views to be identified and incorporated into the bill. As such, it will make it possible to come up with a Data Protection Act that meets the privacy threshold as envisioned by Tanzanians, one capable of dealing with the key issues identified and raised by digital rights activists, as was the case when the government implemented the Digital ID program, and the biometric SIM card registration initiative.