Tanzania: Cybersecurity


1. GOVERNING TEXTS

1.1. Legislation

The United Republic of Tanzania, comprising mainland Tanzania formerly known as Tanganyika ('Mainland Tanzania'), and Zanzibar (Unguja Island, Pemba Island and several small islands) ('Zanzibar'), has separate regulatory regimes depending on whether the sector is a union or non-union matter.

Cybersecurity falls under the telecommunications sector, which is a union matter, and, therefore, a single regulatory regime applies equally across Mainland Tanzania and Zanzibar. However, there are specific laws that may apply separately on Mainland Tanzania and Zanzibar.

Prior to 2015, Tanzania did not have any specific cybersecurity legislation, and several pieces of legislation provided for activities which would be considered cybercrime-related offences.

General Legislation

We set out below a list of statutes relating to cybersecurity issues pre-2015:

  • The Constitution of the United Republic of Tanzania of 1977 ('the Constitution'): The Constitution includes data protection principles which focus on confidentiality or preventing data disclosure. Article 16(1) of the Constitution provides that individuals are entitled to the respect and protection of their person, the privacy of their own person, their family, and of their matrimonial life, and the respect and protection of their residence and private communications. Article 16(2) of the Constitution further states that, for the purpose of preserving the person's right in accordance with Article 16, the Government of Tanzania will lay down legal procedures regarding the circumstances, manner, and extent to which the right to privacy, security of persons, their property, and residence may be encroached upon without prejudice to these provisions of Article 16 of the Constitution. While Article 16 of the Constitution does not directly relate to cybersecurity, it is the basic provision protecting personal information whether collected in soft or hard copy and violated by cyber or any other means. The Constitution does not provide for criminal penalties for breach of Article 16 of the Constitution. However, individuals who have had their right to privacy under the Constitution violated can make a civil claim. Article 30(3) of the Constitution permits individuals who have had their constitutional rights violated to commence proceedings for redress in the High Court of Tanzania ('the High Court').
  • The Mutual Assistance in Criminal Matters Act of 2002 ('MACMA'): MACMA provides for mutual assistance in criminal matters between Tanzania and Commonwealth countries. Assistance under MACMA covers issues relating to the service of documents, evidence collection, search and seizure, arrest and transfer of suspects, enforcement of provision for cross border evidence-sharing, and other criminal issues. Though not specific to cybercrimes, MACMA is a pivotal statute as it provides the platform for assistance among Commonwealth states, particularly in criminal matters. Moreover, cross-border cybercrimes require interstate coordination and the provisions of MACMA.
  • The Penal Code Act of 2002 ('the Penal Code'): Prior to the enactment of the Cybercrimes Act No. 14 of 2015 ('the Cybercrimes Act'), the Penal Code was the principal statute for criminal offences and, therefore, the Cybercrimes Act follows the principles of the Penal Code for online offences. The Penal Code applies extraterritorially, in that it confers jurisdiction on Tanzanian courts to try offences committed in or outside Tanzania against the United Republic of Tanzania or offences committed on board an aircraft or ship registered in Tanzania.
  • The Electronic and Postal Communication Act of 2010 ('EPOCA'): EPOCA was enacted, in March 2010, with the objective of providing a comprehensive regulatory regime for electronic and postal communication services and in a bid to keep the Tanzanian communications sector up to date with the electronic communications industry. EPOCA provides for the licensing of service providers, infrastructural requirements, and content regulation of the electronic and postal communication sector.

We set out below a list of statutes relating to cybersecurity issues post-2015:

  • The Cybercrimes Act: The Cybercrimes Act entered into force on 1 April 2015. The objective of the Cybercrimes Act, among other things, is to criminalise offences related to ICT and computer systems, such as computer-related forgery, illegal data interference, and illegal system interference, as well as to provide for investigation, collection, and use of electronic evidence. The Cybercrimes Act applies extraterritorially in that it would cover offences committed in Tanzania, on-board a ship or aircraft registered in Tanzania, and offences committed by a Tanzanian national whether in Tanzania or a foreign country. Save for Article 50 of the Cybercrimes Act which relates to the compounding of offences, the Cybercrimes Act applies to both Mainland Tanzania and Zanzibar.
  • The Electronic Transactions Act No. 13 of 2015 ('the Electronic Transactions Act'): The Electronic Transactions Act entered into force on 1 September 2015. The objective of the Electronic Transactions Act, among other things, is to provide the legal recognition of electronic transactions, e-government services, the use of information and communication technologies in the collection of evidence, admissibility of electronic evidence, and to provide for the facilitation of use of secure electronic signatures and other related matters. The Electronic Transactions Act was a result of the recognition of electronic evidence by Tanzanian courts since 2000, when in Trust Bank Ltd. v. Le-marsh Enterprises Ltd., Joseph Mbui Magari, Lawrance Macharia (Commercial Case No.4 of 2000), the High Court at Dar es Salaam ruled for the first time in favour of electronic evidence. Nsekela J stated, 'the important point to note is that the law must keep abreast of technological changes as they affect the way of doing business. Tanzania is not an island by itself, the country must move fast to integrate itself with the global banking community in terms of technological changes and the manner in which banking business is being conducted the courts must take cognizance of the technological revolution that have engulfed the world.' Furthermore, in the case of Lazarus Mirisho Mafie and M/S Shidolya Tours & Safaris v. Odilo Gasper Kilenga and Alias Moiso Gasper, the High Court at Arusha held that 'electronic evidence is relevant and admissible as other evidence before the court, and it is as genuine as any other kind of evidence.' Save for the specific provision, the Electronic Transactions Act applies to both Mainland Tanzania and Zanzibar.
  • The Anti-Money Laundering (Electronic Funds Transfer and Cash Transactions Reporting) Regulations, 2019 ('the AML Electronic Funds and Cash Transactions Reporting Regulations'): The AML Electronic Funds and Cash Transactions Reporting Regulations introduce the concept of reporting electronic fund transactions to the Financial Intelligence Unit ('FIU') based on the prescribed threshold.
  • The Electronic and Postal Communications (Online Content) Regulations, 2020 ('the Online Content Regulations'): These regulations were issued to prohibit the publication of certain content online, including content relating to personal privacy and respect for human dignity, sexuality and decency, public security, violence and national safety, criminal activities and illegal trade activities, protection of intellectual property rights, and public information that may cause public havoc and disorder, and to set out requirements for obtaining licences for publishing content online.

Sectoral legislation

Further, there are some industry-specific laws, including the Media Services Act, 2016 and the Banking and Financial Institutions Act, 2006 ('the Banking and Financial Institutions Act'), alongside codes of conduct for specific professions, such as medical and dental practitioners.

1.2. Regulatory authority

Various regulatory authorities and government institutions have been vested with the power to investigate or prosecute cyber-related crimes in Tanzania:

The TCRA

The Tanzania Communications Regulatory Authority ('TCRA') is responsible for the supervision, monitoring, and licensing of stakeholders in the telecommunications industry, and for enforcing cyber-related activities.

With the advancement of financial technology and particularly the growth in mobile money use in Tanzania, there has been an increasing number of cybercrimes and the TCRA, FIU, and the Police Department cooperate to ensure that cybersecurity is enforced.

The FIU

The FIU is an extra-ministerial department in the Ministry of Finance which was created under Section 4 of the Anti-Money Laundering Act, 2006 ('Anti-Money Laundering Act').

The FIU is responsible for receiving, analysing, and disseminating suspicious transaction reports and other information regarding potential money laundering or terrorist financing received from the reporting persons and other sources from within and outside Tanzania.

The National CERT

The National Computer Emergency Response Team ('the National CERT') was established under Section 124 of EPOCA and its main function is to coordinate and respond to cybersecurity incidents at the national level.

The National CERT implements the cooperation between regional and international entities involved in the management of cybersecurity incidents.

The Ministry of Home Affairs

The Department of Police of the Ministry of Home Affairs ('the Police') is vested with the investigative, search and seizure, and arrest powers of cybercrime-related offences. Once a matter is reported to the respective regulatory authority such as the TCRA, the regulatory body will report the matter to the Police for purposes of undertaking the investigation of the offence, including search and seizure, arrest, and interviewing suspects and victims.

The information collected by the Police will then be presented in the form of a court case and submitted to the Director of Public Prosecution ('DPP') for analysis of whether the matter should be prosecuted.

The DPP

The Ministry of Constitution and Legal Affairs ('DPP') is appointed by the president and is responsible for instituting, prosecuting, and supervising all criminal prosecutions in Tanzania.

The process flow for the various regulators involved in cybercrime activities is as follows:

  • Complainant;
  • Service provider (including mobile network service providers where applicable);
  • Regulator (including TCRA, FIU, National CERT, DPP, or Police);
  • Police Department; and
  • Court of law.

1.3. Regulatory authority guidance

The Anti-Money Laundering Guidelines to CMSA Licensees ('the AML CMSA Guidelines') apply to licensed market players and intermediaries in the Tanzanian securities industry, including licensed dealing members, investment advisors, and custodians of securities, promoters, nominated advisors, fund managers, and investment management companies, and were created to ensure that the securities industry takes adequate measures to prevent its misuse by money launderers and terrorists.

The AML CMSA Guidelines require CMSA licensees to implement policies and procedures to address any specific risks associated with the use of new technologies and non‐face‐to‐face business relations or transactions.

The FIU has issued its Anti-Money Laundering and Counter-Terrorist Financing Guidelines to Insurers ('AML Insurers Guidelines') to ensure that the securities sector takes adequate measures to prevent its misuse.

The AML Insurers Guidelines require insurers to put in place policies and procedures to address any specific risks associated with the use of new technologies and non‐face‐to‐face business relations or transactions.

2. SCOPE OF APPLICATION

The Cybercrimes Act 2015 applies to natural persons (individuals) and legal persons (companies and other entities with legal personality) where the offence is committed wholly or partly:

  • within the United Republic of Tanzania;
  • on a ship or aircraft registered in the United Republic of Tanzania;
  • by a national of the United Republic of Tanzania in the United Republic of Tanzania;
  • by a national of the United Republic of Tanzania who resides outside the United Republic of Tanzania, if the act or omission would equally constitute an offence under a law of that country; or
  • by any person, irrespective of his nationality, citizenship or location, when the offence is committed using a computer system, device or data within the United Republic of Tanzania or directed against a computer system, device, data or person in the United Republic of Tanzania.

The Cybercrimes Act applies to all sorts of information/data, including personal data, processing for specific purposes or by automated means, and anonymous data; restrictions under the Cybercrimes Act apply to all computer data. The term 'computer data' is defined under the Cybercrimes Act to include any representation of facts, concepts, information or instructions, in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function.

3. DEFINITIONS

Information security program: Not applicable.

Database: The Cybercrimes Act does not directly define this term, but it may be equivalent to the term 'data storage medium', which is defined as any device, article or material from which computer data or information is capable of being stored or reproduced, with or without the aid of any other device or material.

Cybersecurity incident: This is not defined under the Cybercrimes Act, 2015.

Cybersecurity / information security officer: There is no definition of this term in the Cybercrimes Act; however, the term 'Enforcement Officer', which may be equivalent to the cybersecurity or information officer, is defined under the Cybercrimes Act to include a police officer of the rank of Assistant Inspector or above or an investigator of equivalent rank of inspector and above, member of Tanzania Intelligence Service, prosecutor, or any authorized officer of the authority responsible for regulation of communication or any other person authorised in any written law.

4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK

4.1. Cybersecurity training and awareness

The Bank of Tanzania (Consumer Protection) Regulations, 2019 require financial institutions to put in place appropriate data protection measures and staff training programs to prevent unauthorised access, alteration, disclosure, accidental loss or destruction of consumer data.

4.2. Cybersecurity risk assessments

There are no specific risk assessment requirements in relation to cybersecurity; the laws on banking, gaming, telecommunication, etc. provide for general requirements on conducting risk assessments for consumer protection purposes and general operations.

4.3. Vendor management

There are no provisions in relation to the management of vendors' cybersecurity. However, for banks and financial institutions, the Outsourcing Guidelines for Banks and Financial Institutions, 2021 require banks to take steps to ensure that the service provider employs the same standard of care in performing the services as would be employed by the bank or financial institution if the activities were conducted within the bank or financial institution and not outsourced, which includes adherence to the requirement on cybersecurity.

4.4. Accountability/record keeping

Not applicable.

5. DATA SECURITY

Under the Online Content Regulations, obligations are imposed on online content providers, such as using passwords to protect any user equipment, access equipment, or hardware to prevent unauthorised access or use by unintended persons, and using moderating tools to filter prohibited content.

Further, though not specific to cybersecurity, the Anti-Money Laundering Act requires persons reporting thereunder to undertake the following as means of taking security precautions to curb money laundering and terrorist funding activities:

  • verification of customer identity in order to satisfy the true identity of any applicant seeking to enter into a business relationship or to carry out a transaction or series of transactions;
  • establishment and maintenance of records of all transactions of such amount of currency or its equivalent in foreign currency to be carried out by an individual;
  • establishment and maintenance of internal reporting procedures by designating an anti-money laundering officer who shall be responsible for receiving money laundering reports from other employees and reporting the same to the FIU once satisfied that sufficient reasons exist; and
  • provision of awareness training to employees to ensure awareness of domestic laws relating to money laundering and terrorist financing and the internal procedures and policies relating to the same.

6. NOTIFICATION OF CYBERSECURITY INCIDENTS

The Anti-Money Laundering Act requires persons reporting to notify the FIU of any transaction which they suspect, or have grounds to suspect, involves funds that are the proceeds of or related to crime, or to be used for commission or continuation of a predicate offence, or if they have knowledge of a fact or activity that may be an indication of money laundering or a predicate offence.

7. REGISTRATION WITH AUTHORITY

There is no requirement for a computer user or a user of a technology device to be registered with a regulatory authority.

However, service providers will need to be registered and obtain licensing from different regulatory authorities, depending on the service offered.

The TCRA requires a Network Facility Licence for the following services:

  • ownership and control of electronic communication infrastructure including, but not limited to, earth stations, fixed links and cables, public payphone facilities, radio communications transmitters and links, satellite hubs, satellite control stations, space stations, submarine cable landing centres, switching centres, towers, poles, ducts, and pits used in conjunction with other network facilities; and
  • operation of electronic communication networks in order to deliver services such as bandwidth services, broadcasting distribution services, cellular mobile services, access applications service, and space segment services.

The TCRA requires an Application Service Licence for the resale or procurement of services from network service operators, such as internet providers, virtual mobile providers, payphone service providers, providers of public cellular services, public payphone service, or public switched data services.

Furthermore, the Online Content Regulations require a person who intends to provide online content services to obtain an online content licence from the TCRA. The categories of online content licences include the following:

  • licence for provision of predominant news and current affairs issued to an online content service provider whose content covers news, events, and current affairs;
  • licence for the provision of predominant entertainment content issued to an online content service provider whose content covers music, movies, series, plays, drama, comedy, sports, and any other related entertainment content;
  • licence for provision of predominant education and religious content issued to an online content service provider whose content covers religious information and content that aims at educating; and
  • simulcasting licence issued to mainstream broadcasting licensee with national coverage rights.

The Bank of Tanzania requires an Electronic Money Issuance Licence for the issuance of electronic money and a Payment System Licence is required to operate payment systems (Payment Systems Act of 2015).

8. APPOINTMENT OF A SECURITY OFFICER

A money laundering reporting officer ('MLRO') must be appointed by reporting persons including banks and financial institutions, cash dealers, accountants, real estate agents, dealers in precious stones, works of art or metals, regulatory authorities, customs offices, attorneys, notaries, and other independent legal professionals.

The MLRO's responsibilities include (Section 18 of the Anti-Money Laundering Act):

  • receiving reports of all suspicious transactions as reported by employees and reporting such transactions to the FIU; and
  • ensuring that all employees are aware of domestic laws and internal procedures relating to money laundering and terrorist financing.

9. SECTOR-SPECIFIC REQUIREMENTS

Financial Services

The Banking and Financial Institutions Act and its regulations restrict banks and financial institutions from divulging any information relating to their customers or their affairs except in circumstances in which, in accordance with the law or practices and usages customary among bankers, it is necessary or appropriate for the bank or financial institution to divulge such information.

Health

The HIV and AIDS (Prevention and Control) Act, 2008 provides under section 17 that all health practitioners, workers, employers, recruitment agencies, insurance companies, data recorders, sign language interpreters, legal guardians, and other custodians of any medical records, files, data, or test results shall observe confidentiality in the handling of all medical information and documents, particularly the identity and status of persons living with HIV and AIDS.

The Code of Ethics and Professional Conduct for Medical and Dental Practitioners in Tanzania, 2005, provides for various principles, including confidentiality of clients' information, whereby medical practitioners and dentists are required to maintain secrecy and security of clients' private information, use professional judgment and responsibility in sharing clients' confidential information among colleagues, and ensure that subordinates and any other members of staff observe confidentiality.

Telecommunications

The Electronic and Postal Communications Act, 2010 imposes a duty of confidentiality of any information received by licensees or agents of the licensee under telecommunication including postal and mobile communication services, except where such person is authorised by any other written law to divulge information.

Employment

Codes of conduct for specific professions impose confidentiality and access-restriction requirements on client data. Failure to comply with the codes of conduct, for example those for medical and dental practitioners and lawyers, can lead to disqualification of the practitioners.

There are no specific guidelines on cybersecurity under the Employment and Labour Relations Act, 2004 ('the Employment Act'), which is the principal legislation governing employment and labour relations in Tanzania. However, it is an offence for any person to disclose any information relating to the financial or business affairs of another person if that information was acquired in the performance of any function or the exercise of any power under the Employment Act. The restrictions will not apply if the information is disclosed in compliance with the Employment Act:

  • to enable a person to perform a function or exercise a power under the Employment Act;
  • in accordance with any written law;
  • for the purpose of the proper administration of the Employment Act; and
  • for the purposes of the administration of justice.

Education

Not applicable.

Insurance

The Insurance Act, 2009 requires that an insurer shall not divulge any information so taken to any person or body of persons and shall take all action which may be necessary to ensure the confidentiality of that information.

The Code of Conduct and Ethics for Insurance Intermediaries, 2009, requires insurance intermediaries (i.e., brokers, agents, surveyors, loss adjustors, settling agents, risk surveyors and members of the Insurance Institute of Tanzania) to treat all information supplied by the client as completely confidential and to deploy security measures for confidential documents in their possession.

10. PENALTIES

Penalties for cybercrimes in Tanzania may involve monetary or administrative sanctions.

Penalties under the Cybercrimes Act

It is an offence to intentionally and unlawfully damage, delete, alter, or render computer data meaningless, useless, or ineffective, and to obstruct, interrupt, or interfere with the lawful use of computer data or obstruct, interrupt, or interfere with any person in the lawful use of computer data, as well as to deny access to computer data to any person authorised to access. The penalty for unlawful and intentional data interference is a fine of no less than TZS 2,000,000 (approx. €750) to TZS 20,000,000 (approx. €7,508) or three times the value of the undue advantage received, whichever is greater, or imprisonment for a term no less than one to five years.

It is an offence to intentionally and unlawfully hinder or interfere with the functioning of a computer system or the usage or operation of a computer system. The penalty for illegal system interference is a fine of no less than TZS 2,000,000 (approx. €750) or three times the value of the undue advantage received, whichever is greater, or to imprisonment for a term of no less than one year or both.

It is an offence to cause the loss of property to another person by any input, alteration, deletion, delaying transmission or suppression of computer data or any interference with the functioning of a computer system, with fraudulent or dishonest intent. The penalty for computer-related fraud is a fine of no less than TZS 20,000,000 (approx. €7,508) or three times the value of undue advantage received, whichever is greater, or to imprisonment for a term of no less than seven years or both.

It is an offence to use a computer system with intent to violate intellectual property rights protected under any written law. For non-commercial infringements, the penalty is a fine of no less than TZS 5,000,000 (approx. €1,877) or imprisonment for a term of no less than three years or both. For commercial infringements, the penalty is a fine of no less than TZS 20,000,000 (approx. €7,508) or imprisonment for a term of no less than five years or both, and to pay compensation to the victim of the crime as the court may deem just.

Service providers will not be held liable for information stored, accessed, published, linked, or transmitted by a user provided such information was disabled or removed after the provider was notified, ordered, or became aware of such information or activity. As such, when it comes to the attention of the service provider that the data uploaded is unauthorised, the service provider is required by law to remove or disable access to such data, then notify the relevant authorities.

It is an offence to publish information, data or facts presented in a picture, symbol, or any other form in a computer system that are deceptive, misleading, or inaccurate. The penalty is a fine no less than TZS 3,000,000 (approx. €1,126) or imprisonment for a term of no less than six months or both.

If a corporate body is convicted of an offence, every person who, at the time of commission of the offence was a director, officer, or is otherwise concerned with the management of the corporate body or knowingly authorised or permitted the act or omission constituting the offence, is deemed to have committed the same offence and may be proceeded against and punished accordingly, unless it is proved that the commission of the offence took place without their consent or that they exercised due diligence to prevent it.

The Cybercrimes Act grants the power to law enforcement officers to seize and search electronic devices and disclose data without a court order. Law enforcement officers include police officers of the rank of Assistant Inspector or above, investigators of the rank equivalent to inspector and above, members of Tanzania Intelligence Service, prosecutors, any authorised officer of the authority responsible for the regulation of communication, or any other person authorised in any written law.

11. OTHER AREAS OF INTEREST

We understand that numerous cybersecurity incidents have been reported through the media; however, there are official reported cases in this regard. Please note that offences relating to breaches of the Cybercrimes Act have dropped drastically to 3000 cases currently, compared to more than 7000 problems reported in 2018, due to awareness of computer-related crimes and usage of online content.

Network and Information Systems

The Cybercrimes Act defines a computer system to mean a device or combination of devices, including network, input and output devices capable of being used in conjunction with external files which contain computer programmes, electronic instructions, input data and output data, that perform logic, arithmetic, data storage and retrieval, communication control, and other functions.

The Cybercrimes Act prohibits the following with respect to computer systems:

  • illegal access to a computer system;
  • illegally remaining in a computer system or continued use of a computer system after expiration of the time which approval to access a computer was issued; and
  • illegal interception by technical means or any other means to a computer system or circumvention of protective measures set up to prevent access to the content of a non-public transmission.

Digital Service Providers

The Cybercrimes Act defines a 'digital service provider' as a person or party that makes information system services available to third parties. Service providers are classified in various categories depending on the specific service rendered to third parties.

We set out below the different types of service providers recognised under the Cybercrimes Act:

  • access providers: persons who provide electronic data transmission services by transmitting information provided by or to a user of the service in a communication network or providing access to a communication network;
  • caching providers: persons who provide an electronic data transmission service by automatic, intermediate, or temporary storing information, for the purpose of making more efficient the information's onward transmission to other users of the service upon their request; and
  • hosting providers: persons who provide an electronic data transmission service by storing information provided by a user of the service.

Dominic Rebelo Partner
Samiath Mohamed Senior Associate
A&K, Dar Es Salaam
