Reforming Tanzania data privacy and protection regime

The Constitution of the United Republic of Tanzania, 1977 (“the Constitution”) guarantees the right to privacy under Article 16. Data privacy and protection has become the subject of great concern as businesses aim to capture data about their customers to meet strategic and marketing objectives, exposing individuals to the risk of potential abuse or even fatal consequences from outside forces.

It is little wonder then that Rwanda enacted a data protection legislation, the Information and Communication Technology Act, 2016; Uganda enacted the Data Protection and Privacy Act, 2019; and Kenya drafted the Data Protection Bill, 2018. The European Union also recently enacted the General Data Protection Regulation (EU) 2016/679 (“GDPR”) which addresses, among others, the export of personal data outside the EU.

Despite the constitutional guarantee of the right to privacy Tanzania does not yet have a single, comprehensive data privacy and protection legislation. The government is reported to be crafting a Bill, however, it’s unclear when the Bill will be published. In essence, the existing Tanzanian statutory requirements for data privacy and protection are scattered across various pieces of legislation which are synopsised below.

The Electronic and Postal Communications Act 2010 (“the EPOCA”) imposes a duty of confidentiality of information on network service licensees or operators, agents and customers and it prohibits disclosure of information without authorization (Sections 98 and 99). Made under the EPOCA, the Electronic and Postal Communications (Consumer Protection) Regulations 2018 require a licensee to protect consumer information against improper or accidental disclosure (Regulation 6).

Also made under the EPOCA, the Electronic and Postal Communications (Online Content) Regulations 2018 impose a duty on any person holding users’ information to not disclose the information except to a law enforcement agency when required to do so under the Regulations or the EPOCA (Regulation 11). These regulations are the subject of a weighty discussion.

Other pieces of legislation on data privacy and protection include the Cybercrimes Act 2015 which provides for protection against illegal data interference (Section 7); the Registration and Identification of Persons Act Cap 36 which prohibits the disclosure or supply of copies of photographs, fingerprints or particulars furnished under the Act without written permission; the Records and Archives Management Act 2002 which provides for the destruction of records or archives thirty years after their creation (Section 16); and the Access to Information Act 2016 which provides for non-disclosure of information in the interest of the public (Section 6(1)(b)).

Furthermore, there’s the much-talked-about Statistics Act 2015 which imposes a restriction on disclosure of information published under the Act while permitting limited disclosure of certain details.

It is utterly apparent that the extant legal and regulatory regime on data privacy and protection in Tanzania is far from ideal. The absence of a single, comprehensive legislation has left multiple lacunae (Latin for: gaps) in data privacy and protection. For reasons of space, I will highlight just a few of the gaps.

The pieces of legislation synopsised in this piece are devoid of a clear provision (i) on data ownership and whether individuals have power over the information that they supply to and comes under the control of third parties; (ii) on restriction of the transfer of data outside of the Tanzanian jurisdiction; and (iii) on an individual’s right to demand the deletion of his information that has been captured and recorded even if the information was legitimately captured and recorded.

The security of employees’ data is governed by the employer company’s policies and guidelines; the Tanzania Communications Regulatory Authority (TCRA)’s chief mandate is to regulate the postal, broadcasting and electronic communications industries—it does not regulate the security of employees’ data or companies undertaking business activities in say, the agricultural sector.

Moreover, the current trend in disclosure of bank customers’ dealings under compulsion of law is threatening banking confidentiality, the rock on which the banker-customer relationship is based.

If Tanzania is to catch up on data privacy and protection, the need for reform is quite apparent. Ideally, the government can take inspiration from the GDPR and hasten the ongoing efforts for crafting and introducing a Bill in Bunge that will pave the way for a single, comprehensive data privacy and protection legislation.

Paul Kibuuka ([email protected]) is a tax and corporate lawyer, tax policy analyst and the chief executive of Isidora & Company.