Tanzania: An overview of the Personal Data Protection Act

2022 marked a memorable year for Tanzania when the National Assembly passed the very first Personal Data Protection Act (the Act). Rachel Magege, Lawyer and Project Associate at Pollicy, discusses the contents of the Act and its potential impact on companies.

This historic moment ushered in a framework that addresses some of Tanzania's most complex data governance problems, such as poor handling of personal information, claw-back clauses in several pieces of legislation, and the lack of a data protection authority. For many years, civilian information was governed by cyber crime legislation, electronic communication laws, tax laws, and other similar laws.

There are two main reasons behind the formulation of the Act. Firstly, the COVID-19 pandemic created a great shift in how people met and worked together in Tanzania. The country saw dynamic changes from physical interactions to online engagements, and the digitization of certain government services which resulted in a push to strengthen digital skills and enact structures that will govern people's personal information, whether online or offline.

Secondly, Tanzania, as a member of the East African Community (EAC) regional bloc, joined other East African member states that already had data protection acts, such as Kenya, Uganda, Rwanda, and the Democratic Republic of Congo, in the advancement of technology and innovation in the region.

Overview of the Act

The Act has been divided into nine sections, namely:

  • the introduction;
  • the establishment of the Personal Data Protection Commission (the Commission);
  • registration of data collectors and processors;
  • the collection, use, and analysis of personal data;
  • cross-border data transfer;
  • the basic rights of data subjects;
  • complaints and investigations;
  • financial regulations; and
  • extra regulations.

This insight will address five key components of the Act – the Commission, rights of the data subject, cross-border data transfers, investigations of complaints, and fines/penalties.

The Commission

The Act establishes Tanzania's first data protection authority, the Commission, whose main function is to regulate all data collection and analysis processes in the country. The Commission is set to be an independent and legal entity with a seven-member board appointed by the President and Minister of Information, Communication and Technology. The Commission will be in charge of registering all data collectors and processors, upon which successful applicants will receive a certificate of registration, renewable every five years. Note that Government institutions are exempt from this registration process and are free to operate as before the coming of the Act. 

Data subject rights

The basic rights of the data subjects under the Act include the right to know exactly which data processor will be analyzing one's personal information (throughout all stages of the data analysis process). A data subject is also entitled to compensation in the event of mishandling of their information. Lastly, they have the right to be forgotten where, if they so wish, they can request to have their personal information amended, removed, or destroyed. The right to be forgotten serves as an important component of one's right to their identity, often in the sphere of reputation, security, sanity, and privacy.

Cross-border data transfers

Cross-border data transfers have been prohibited under the Act, save for a few exceptional cases: (i) where the recipient state also has a data protection law in place; and (ii) for a recipient state that does not have a data protection law, transfer will be permitted depending on the type of information being shared, the data-transfer mechanisms in place, the purpose and proposed length of data processing, the recipient state, its legal frameworks, and its security and privacy principles. Note that cross-border data transfers must receive consent from the owner of the personal information that is subject to transfer.

Investigations of complaints

Any dispute or complaint regarding data collection and processing in Tanzania will now be addressed to the Commission, which will aim to investigate and resolve the dispute in 90 days. Since the Act was specifically formed for the protection of people's personal information, Section 7: Investigation of Complaints only addresses complaints issued by the data subject against the data collectors and processors. There is no mention of complaints issued by data users or how said complaints can be resolved by the Commission.

Fines and penalties

At the end of the investigation, the Commission shall issue a warning or punishment notice to a data collector/processor, requiring them to comply with the decision reached. Failure to do so will result in a fine worth TZS 100 million (approx. $42,000). Further, any individual data collector/processor who discloses personal information illegally and without the data subject's consent will be liable to a fine of TZS 20 million (approx. $8,400), and a data institution/company to a fine of TZS 5 billion (approx. $2 million). For general violations of the Act, a party will be liable to pay a maximum of TZS 5 million (approx. $2,000), serve a sentence of five years, or both.

What is next for Tanzania and the Act

The Act officially came into force on May 1, 2023 through Government Notice No. 326 of 2023. Whilst its regulations have yet to be completed and the Commission yet to be formed, the Act is now operational in Tanzania.

The creation of the Act will steer the country onto a more positive and regulatory path in raising awareness of how to protect one's personal information. In this respect, the Commission is set to work with different authorities and groups to determine what data subjects would want the law to yield for them and how best to meet those needs.

The Act is now officially recognized as the national data protection law, supplementing all other laws providing for data protection in Tanzania, including the Constitution, the Electronic and Postal Communications Act and all its subsidiary regulations, the Cybercrimes Act, and the National Payment System Act, among others.

Rachel Magege, Lawyer and Project Associate
Pollicy, Dar es Salaam
