by Ben Taylor
In late 2022, the parliament of Tanzania enacted the Personal Data Protection Act – broadly equivalent to the General Data Protection Regulation (GDPR) of the European Union and the UK Data Protection Act. The Act spells out the responsibilities of any organisation that handles personal data of private individuals in Tanzania and provides for the establishment of a Personal Data Protection Commission.
The law is yet to come into force, however, as it requires both Presidential assent and for the Minister of Information, Communication and Information Technology to publish notice in the official government gazette stating the date when the Act will take effect.
The new law means Tanzania joins her East African Community (EAC) peers Kenya, Uganda, and Rwanda, which already had Data Protection Acts in place. It will help the country participate in the global digital economy, as many countries have restrictions on doing business in jurisdictions that lack protections for data privacy.
Among other things, the law requires that all data processors and handlers must appoint a personal data protection officer, and outlines criminal sanctions and fines for those who breach the legislation.
The Personal Data Protection Commission established by the Act is tasked with registration of data collectors and processors, monitoring the compliance of data collectors and processors with the Act, handling complaints on the breach of data protection and the right to privacy, and researching and monitoring technological development in relation to data processing.
Any person or organisation that intends to collect or process data in Tanzania will need to be registered by the Commission. The Act also specifies that personal information may only be collected where necessary and for a legitimate purpose. To ensure accuracy of information, the Act places a duty on data collectors to take necessary steps to confirm that data collected is complete, correct and consistent with the purpose for which it was collected.
Disclosure of personal data without consent is punishable by a fine of up to TSh 5 billion (approx. USD $2.1m) for the institution responsible, and/or imprisonment for up to ten years for the individuals – including responsible officers within an institution.
The Act does not prohibit the transfer of personal data to jurisdictions outside the country, provided that such jurisdictions have a reliable legal system for the protection of personal data, and the transfer is necessary for a legitimate or public interest.
The Act also lays out the rights of individuals with respect to data held about them. This includes the right to be informed of data collection and processing as well as the purpose involved, the right to access the data collected and processed, the right to object to the processing of personal data collected where such processing will lead to adverse impacts, the right to rectify personal data to ensure its accuracy, and the right not to be subject to automated decision making.
Stakeholders have given a cautious welcome to the new law. Maxence Melo, the founder of Jamii Forums, a popular Tanzanian online forum, said the law had been a long time coming, considering that the dream for the bill dates back to 2014. Melo added that it is important to foster data residency, meaning that personal data should be stored within the country, as a measure to ensure the data meets regional and international data privacy standards.
However, others have expressed concerns that the law does not require the subjects of data security breaches to be notified, and that it imposes unnecessarily heavy restrictions on even small organisations handling small amounts of data about – for example – job applicants, beneficiaries of charitable work, or school students.