New stringent legislation threatens data privacy and surveillance protection in Tanzania

Image from Pixabay, used under a Pixabay license.

Tanzania's efforts to implement a legal identity system have been fraught with complications for decades, and the latest initiative that includes compiling mass biometric data is no different.

Tanzania embarked on a plan to create a system of legal identity for its citizens after independence in 1961. This plan was however short-lived as the government lacked the financial capacity to implement the exercise. Decades later, the enacting of the Registration and Identification of Persons Act in 1986, and its subsequent revised edition (2012), would however pave the way for the establishment of the National Identification Authority (NIDA), a body responsible for registering Tanzanian citizens and legal residents and issuing them National Identification Cards.

In 2013, the plan to provide a biometric legal identity to Tanzanians was revived. This plan was supported by the World Bank, in line with UN SDG Goal target 16.9, which by 2030, seeks to provide legal identity for all. Besides digital identity verification and fraud prevention, the National Identification (NID), also known as National Identification Number (NIN), allows the police, immigration, revenue authority, and other government agencies to share information and differentiate between Tanzanians and foreigners.

Six million residents in mainland Tanzania and Zanzibar were reported to have registered for the biometric ID as of 2015, with approximately 2.7 million of the registered residents reported to have received their biometric ID cards. Seeking to capitalise on this, Tanzania Communications Regulatory Authority (TCRA) in March 2018, in collaboration with NIDA, launched a pilot project to register SIM cards for new subscribers using biometric technology. The deadline for mobile subscribers in Tanzania to comply with the requirement was that very same month: March 2018.

In 2020, TCRA published the Electronic and Postal Communications (SIM Card Registration) Regulations – EPOCA (the SCR Regulations). These regulations required Tanzanian nationals and residents with existing SIM cards to register their SIM cards through the new biometric registration system launched by the communications authority. During registration, new subscribers are required to provide fingerprints, with this information being directly linked to a subscriber’s identification card.

These government efforts — the biometric identity and EPOCA SIM card registration regulations — came at a time when Tanzania had no data protection legislation in place. At the time of publishing this piece, the draft Data Protection Bill had been unanimously approved by the Tanzanian parliament and was awaiting the president’s assent. The lack of an active privacy law culminated in criticism from various stakeholders, who were of the belief that the rollout of Digital IDs put citizen privacy at risk. Stakeholders had urged the Tanzanian government to regulate digital ID privacy before rolling out the process.

Further, with the enforced biometric SIM card regulation, it was feared that the absence of privacy legislation could create a void, allowing state security bodies to collude with telecommunications companies to intercept communication under the pretext of criminal investigations or national security. A case in point is the terrorism case against Tanzania’s main opposition leader Freeman Mbowe, where a witness from Tigo — a telco — confessed during cross-examination in court that the telco’s compliance with Tanzanian authorities’ demands was of a higher priority to them than customer data privacy, which provoked heated debates on various platforms in Tanzania. A review of the privacy policies of other telcos such as Vodacom Tanzania and Airtel Tanzania indicates that they both share personal data with third parties, among them law enforcement agencies and regulatory authorities as “it may be required for compliance by the Tanzanian judicature.” Halotel, on its part, does not have a privacy policy statement published on its portal.

The total disregard for users’ privacy by telcos could be attributed to the EPOCA (Investigation) Regulations, 2017. Section 22 directs that a communication service provider shall ensure that its postal or communications systems are technically capable of supporting lawful interceptions at all times, ensure its services are capable of rendering real-time and full-time monitoring facilities for the interception of communications, ensure all call-related information is provided in real-time or as soon as possible upon call termination, ensure it provides one or more interfaces from which the intercepted communications shall be transmitted to the interface management facility, and that the intercepted communications are transmitted to the monitoring centre through physical links. Law enforcers, on the other hand, are granted express interception powers under section 5 of the regulations. The Director-General of Tanzanian Intelligence and Security Service (TISS), and or the Director of Criminal Investigations (DCI) for instance, can intercept communication on any telco upon obtaining a warrant as a disclosure order from the Inspector General of Police (IGP).

While Chapter 16 of the Tanzanian Constitution guarantees the right to privacy and personal safety of individuals, the country still does not have effective laws to protect its citizens’ privacy in this digital era. This will aid put the country at par with its East Africa Community peers that have Data Protection Acts in place, and thus foster data residency or the storage of personal data within the borders of the country, in efforts to ensure that personal data is collected, processed, and stored in a way that meets regional and international data privacy standards.

Please visit the project page for more pieces from the Unfreedom Monitor.

 

Start the conversation

Authors, please log in »

Guidelines

  • All comments are reviewed by a moderator. Do not submit your comment more than once or it may be identified as spam.
  • Please treat others with respect. Comments containing hate speech, obscenity, and personal attacks will not be approved.