The Personal Data Protection Act, 2022 (“the Act”), which became effective on 1 May 2023, marks a significant stride in the preservation of our constitutional right to privacy. The Personal Data Protection Commission is a new entity with the mandate of ensuring adherence to the Act.
Even before 1 May 2023 Tanzanians were not completely devoid of privacy rights, as several pre-existing laws (besides our constitution) addressed certain aspects of privacy concerns.
Despite this, there remained a glaring void: no centralized system defined what personal data entails, data subjects' rights, how to enforce those rights, or the obligations on a data controller (a person who determines the purpose and means of processing of personal data) and a data processor (a person who processes personal data for and on behalf of the controller and under the data controller’s instruction). This void is what the Act aims to bridge.
The Act’s protective umbrella extends to all individuals as long as their data was processed in Tanzania or where the data controller is domiciled in Tanzania.
This inclusive scope aims at giving confidence to investors and fostering a better business environment.
On the side of the public there are several expectations from this Act, including: privacy assurance; control over personal data; transparency; consent; accountability; compensation for marketing use; profiling protection; international data flow.
Privacy assurance. The Act imposes several obligations on the data controller and processor, including the obligation to ensure that personal data is held in confidence and is protected by such security and safeguards as are reasonable in the circumstances.
Control over personal data. Data subjects expect to have more control over their own data.
This includes the ability to access, rectify, and, in some cases, delete their personal information held by organizations.
Transparency. People expect organizations to be transparent about how they collect, process, and use personal data.
Several obligations are imposed under the Act to ensure the data subject is aware of the purposes for which data is collected and who the recipient is.
Consent. Individuals expect the right to provide informed consent before their data is collected, and the option to opt out if they do not wish to share their data.
The Act not only covers this but also imposes an additional obligation when processing “sensitive” personal data; such data cannot be processed without obtaining prior written consent of the data subject.
Accountability applies to data controllers and processors for any mishandling of personal data.
The Act provides for several remedies, including a fine, payment of damages, data rectification, blocking usage of data, data erasure and destruction.
Compensation where personal data is used for marketing purposes is also addressed.
The Act allows a data subject to instruct a data controller to stop processing his personal data for purposes of direct marketing unless an agreement is in place for the data subject’s financial compensation.
Protection from profiling, in particular protection from automated decision-making processes, is also addressed.
Where a decision which significantly affects a data subject is based solely on automated processing, the Act requires the data controller, as soon as practicable, to notify the data subject that the decision was taken on that basis and the data subject may require the data controller to reconsider the decision.
International data flow regulation is another challenge in the context of a globalised world.
In this regard, the Act imposes conditions for the transfer of personal data outside Tanzania, including that such a transfer can only be made to countries with relevant laws governing personal data protection, where the transfer is necessary, and after the data controller has made the necessary evaluation of the purpose necessitating the transfer and the purpose of the transfer can be verified.
Overall, data protection laws are expected to provide a framework that empowers individuals, holds organizations accountable, and balances the need for data-driven innovation with the protection of personal privacy.
The initial primary focus revolves around the commencement of the Data Protection Commission's operations.
The timely establishment of a functional Commission will be important, not least to ensure effective implementation of the law. However, even without an operational Commission, the rights and duties outlined in the law remain in effect.
As such, it is expected that entities should have initiated compliance efforts starting from 1 May 2023, with the exception of obligations directly contingent on the Commission's involvement, such as registration and report filings (if any).
As a nation, we have taken significant steps in developing a robust data protection framework, but it's imperative for all of us to maintain vigilance in this ever-evolving digital landscape.