Tanzania - Data Protection Overview
1. Governing Texts
Tanzanian law on data protection is still embryonic as there is not yet a comprehensive legislation on the area, although it is understood that a draft data protection bill ('the Draft Bill') is on the horizon and will soon be unveiled. Therefore, whatever data protection provisions there are, they are to be found to varying degrees in a number of legislations, especially from the banking, electronic, and telecommunications sectors, as well as penal statutes. In particular, the nature of such provisions have generally been focused on protecting confidentiality and privacy, without any detailed provisions on how data is to be collected, maintained, and handled.
Tanzanian law is based on common law tradition, as such, whatever vacuum there is may be filled by the substance of the common law, the doctrines of equity, and the statutes of general application in force in England on 22 July 1920 by virtue of the Judicature and Application of Laws Act Cap. 358 of 2002. In such regard, the common law principles relating to private information or confidence are relevant and enforceable under Tanzanian law.
The main legislations which will be addressed in this overview are:
- The Constitution of the United Republic of Tanzania ('the Constitution');
- The Electronic and Postal Communications Act, 2010 ('EPOCA');
- The Banking and Financial Institutions Act, 2006 ('the Banking and Financial Institutions Act'); and
- The Cybercrimes Act, 2015 ('the Cybercrimes Act').
Such protection is recognised under the broader meaning of the right to privacy which is enshrined under Article 16 of the Constitution. The same provides that every person is entitled to respect and protection of his/her person, the privacy of his/her own person, his/her family, and of his/her matrimonial life, and respect and protection of his/her residence and private communications.
However, the protection conferred under Article 16 of the Constitution is subject to the limitations prescribed under Article 30 of the Constitution, namely:
- the rights and freedoms provided are not to be exercised in a manner which infringes on the freedoms of other persons or public interest; and
- the rights and freedoms provided for do not render unlawful any law or any act done pursuant to such law for the purpose of ensuring that the rights and freedoms of other people or the interests of the public are not prejudiced, ensuring defence, public safety, public peace, public morality, etc., to name just a few.
Therefore, under certain circumstances the right to privacy can be abrogated, but according to procedure laid down by law, as is the case for the Electronic and Postal Communications (Investigation) Regulations, 2017 ('the EPOCA Investigation Regulations') which empowers the state law enforcement organs to tap into private telecommunications for purposes of investigation, upon obtaining a warrant for that purpose.
The Cybercrimes Act
This is a penal statute intended to deter and discourage privacy and data protection abuses. The Cybercrimes Act applies to offences committed within the United Republic of Tanzania, including on vessels or aircrafts registered in Tanzania. It also applies to Tanzanian nationals residing abroad if they commit an offence under the Cybercrimes Act, which is also an offence under the laws of the host country. Further, the Cybercrimes Act applies to any person, regardless of nationality, if the act:
- is committed using a computer system, device, or data located within Tanzania; or
- directed against a computer system, device, data, or person located in Tanzania.
It is an offence to access or cause a computer system to be accessed without permission. Any persons convicted of this offence will be liable to imprisonment for not less than one year or to a fine of not less than TZS 3 million (approx. €1,130), or to both a fine and imprisonment. It is an offence to intentionally and unlawfully remain in a computer system or to continue to use a computer system after the expiration of the time which one was allowed to do so. Doing so is punishable by imprisonment of not less than one year or to a fine of not less than TZS 1 million (approx. €380), or to both.
Similarly, it is an offence to intercept personal communications and interfere with data by damaging, deleting, altering, obstructing, and interrupting it. The penalty is a fine of not less than TZS 10 million (approx. €3,760), or three times the value of undue advantage received by the offender, whichever is greater, or to imprisonment for a term of not less than three years.
The Cybercrimes Act also prohibits operators and other service providers from monitoring activities or data being transmitted in their systems. However, they are also shielded from being held liable for illegal activity that takes place within their networks or systems through the actions of third parties.
The Electronic and Postal Communications Act
The EPOCA, is the principal legislation governing electronic, telecom, and postal communications. The Tanzania Communications and Regulatory Authority ('TCRA') is the authority empowered to enforce the EPOCA.
Pursuant to Section 84 of the EPOCA, the TCRA maintains a Central Equipment Identification Register ('CEIR') with information on all devices that licensees use in their networks. Furthermore, the licensees are obliged to maintain a sub-register of the information submitted to the CEIR and to maintain subscribers' information, which must be submitted to TCRA once every month. This means that for the users of SIM cards to be allowed to connect to telecommunications networks, they must disclose their full details, names, residence, occupation, or business, verified by producing an identify card or, in the case of companies, business registration documents.
However, Section 98 of the EPOCA imposes a duty of confidentiality upon the TCRA and companies licensed to offer services pursuant to the TCRA, unless disclosure is allowed by law.
Further provisions are to be found under the Regulations made under the EPOCA. Rule 6 of the Electronic and Postal Communications (Consumer Protection) Regulations, 2018 ('the EPOCA Consumer Protection Regulations') prescribes restrictions under which customer's information may be collected and used by the licensee companies. It provides that a licensee may collect and maintain information on individual consumers where it is reasonably required for its business purposes.
The EPOCA Consumer Protection Regulations further provide that the collection and maintenance of information on individual consumers shall be:
- fairly and lawfully collected and processed;
- processed for identified purposes;
- processed in accordance with the consumer's other rights;
- protected against improper or accidental disclosure; and
- not transferred to any party except as permitted by any terms and conditions agreed with the said consumer, as permitted by any permission or approval of the TCRA, or as otherwise permitted or required by other applicable laws.
The above-mentioned section seems to be broad in scope and the supporting regulations do not provide details or elaboration as to the proper scope for the said provisions. For example, the word 'fairly' as used under paragraph (a) has not been elaborated what exactly it means in the context of information collection.
The Electronic and Postal Communications (Online Content) Regulations, 2020 ('the EPOCA Online Content Regulations') provide that subscribers and users of online content shall be responsible and accountable for the information they post in an online forum, social media, blog, and any other related media, and are required to ensure that their posts do not contravene the provisions of the EPOCA Online Content Regulations or any other written law. Under Rule 17, prohibits any disclosure of any information obtained by the TCRA in the course of their duties or exercise of their functions under the EPOCA Online Content Regulations. A similar restriction is found under Rule 20 of the Electronic and Postal Communications (SIM Card Registration) Regulations, 2020 ('the SIM Card Registration Regulations').
The EPOCA Investigation Regulations prohibits any person from intercepting any communication at any place in the country except as provided under the Regulations. Under Rule 4 the EPOCA Investigation Regulations repeat the provisions of Article 16 of the Constitution. However, it further provides that any person's communications may be intercepted for the purpose of:
- preservation or protection of national security;
- preservation of public safety, economic well-being, or interest of the country;
- the preservation, investigation, or proof of criminal offences; and
- prosecution of offenders or the execution of criminal sentences or security measures.
Lawful interception shall be done by the Director General of Tanzania Intelligence and Security Service; or the Director of Criminal Investigations, under a warrant duly applied for and granted by the issuing authority. The issuing authority for purposes of issuing warrants under these regulations is the Inspector General of Police and not a court of law as is ordinarily the case under the penal statutes.
The effect of the warrant is to serve as a disclosure order to any person in possession of a key to disclose the protected information to the holder of an interception warrant. The warrant entitles the person in possession of the key to obtain access to the protected communications and requires the person to disclose the protected communications in an intelligible form. Failure to comply with a warrant is an offence punishable by imprisonment for a term of not less than 12 months, or a fine of not less than TZS 5 million (approx. €1,880), or both fine and imprisonment.
In addition, any person may intercept communications if he/she is:
- party to the communications;
- has the consent of the person who is sending, the person to whom it is sent, or a party to the communication;
- is authorised by law; or
- is bona fide intercepting communications for the purpose of or in connection with the provision, installation, maintenance, or repair of the communications service.
Rule 7 prohibits any person from developing or possessing interception technology. Contravening this Rule is an offence punishable by a fine of not less than TZS 10 million (approx. €3,760), or to imprisonment for a term of not less than two years, or both fine and imprisonment.
The Banking and Financial Institutions Act, 2006
Section 48 of the Banking and Financial Institutions Act prohibits banks from divulging their customer's affairs and information, unless required by law. Under the Bank of Tanzania (Credit Reference Bureau) Regulations, 2012 ('the Credit Reference Bureau Regulations'), banks and financial institutions must surrender credit information of their customers to the Credit Reference Databank maintained by the Bank of Tanzania, which shares said information to licensed companies operating as credit reference bureaus who are allowed to share such information to banks and financial institutions who process customer's loans. The credit information being surrendered contains borrower's information and their credit history.
The Credit Reference Bureau Regulations prohibit credit reference bureaus from maintaining any information relating to the borrower's race, creed, colour, ancestry, ethnic origin, religious or political affiliation, state of health, or criminal record except financial fraud and other similar types of offences. Additionally, a credit reference bureau is prohibited from keeping information relating to:
- information as to judgment six years after the judgment was filed unless the borrower confirms that it remains unpaid in whole or in part and such information appear in the credit history;
- information as to any judgment against a person unless mention is made of the name and where available, the address of the judgment creditor as given at the date of entry of the judgment, and the amount;
- information as to the bankruptcy or liquidation of a person, after six years from the date of the bankrupt's discharge or liquidations finalisation;
- information regarding any judgment, collection, or debt that is statute barred after six years unless it is accompanied by evidence appearing in the credit history that recovery is not barred by the expiration of a limitation period;
- information as to the payment or non-payment of taxes and lawfully imposed fines after six years;
- information as to writs that were issued against the person more than 12 months after their issuance;
- any adverse information where more than six years have expired since the adverse information was placed in the database or last reaffirmed; or
- any other information as may be prescribed by the Bank of Tanzania.
1.3. Case Law
The petitioner was an operator of a website which provided users a platform to anonymously post and engage in discussions of social, economic, or political significance. Pursuant to the Cybercrimes Act, the police had issued orders demanding the disclosure of information regarding the users of the platform, threatening to prosecute the petitioner if they did not comply.
The petitioner filed a petition to challenge Sections 32 and 38 of the Cybercrimes Act as unconstitutional for offending Articles 13(6)(a), 16, and 18(1) and 2) of the Constitution. The Petitioner's contention was that Section 32 takes away the right to privacy and Section 38 offends the right to be heard.
The High Court held that Section 32 was within permissible national and international proportional limits and that it was not unreasonable for people in possession of relevant data to disclose it to investigators.
2. Scope of Application
The Constitution and the Cybercrimes Act apply generally to all persons as elaborated above. However, the sectoral legislations, for example the EPOCA, its supporting Regulations, and the Banking and Financial Institutions Act, apply to licensees and banks respectively.
The laws discussed above apply in the whole of United Republic of Tanzania.
3.1. Main regulator for data protection
There is no single data protection authority. It is the authorities established under the specific sectoral legislations which have the mandate to administer the data protection provisions under which they are established. As such, the TCRA is responsible for administering the electronic and postal communications sector, similarly, the Bank of Tanzania is responsible for the Banking and Financial Institutions Act.
The Cybercrimes Act, being a penal statute, is enforced by the criminal law enforcement authorities of the State.
3.2. Main powers, duties and responsibilities
4. Key Definitions
Personal data: There is no definition of personal data under the laws mentioned above. However, there is a definition of the term 'Computer Data' under the Cybercrimes Act which is defined as 'any representation of facts, concepts, information or instructions, in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function.'
The EPOCA Investigation Regulations define the term 'data' in relation to any communication to mean:
- any information identifying or purporting to identify any person;
- apparatus or location to or from which the communication is or may be transmitted;
- any information identifying or selecting, or purporting to identify or select an apparatus by or through which the communication is or may be transmitted;
- any information comprising signals for the actuation of the apparatus used for the purposes of a communications system effecting whole or part of the transmission of any communication;
- any representation of facts, information, or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function;
- includes any computer data relating to a communication by means of a computer system generated by a computer system that formed a part in the chain of communication indicating the communication's origin, destination, root, time, date, size, duration, or type of underlying service; and
- content of communication.
5. Legal Bases
The protection of privacy under Article 16 of the Constitution is universal, therefore it is implied, as a general rule, that consent is needed in order to obtain personal data. Even in the context of EPOCA, the Banking laws, and Money Laundering Regulations, there is an underlying consent which exists at the establishment of the relationship between the data subject and the data collector.
This is an important legal basis as contractual obligations are binding and enforceable pursuant to the Law of Contract Act, 2019. A person may validly allow access to personal data under a contract.
There are numerous instances where statutory obligations require both data collection and data protection, for example the SIM Card Registration Regulations which require licensees to collect personal information with an overriding obligation to keep such information confidential. The same also applies to banks under the Banking and Financial Institutions Act, and the Credit Reference Bureau Regulations. The Anti Money Laundering Act, 2006 and Anti Money Laundering Regulations of 2012 require a reporting person to collect personal information of the persons they engage in business with the aim of reporting to the Financial Intelligence Unit ('FIU') which monitors money laundering.
Data collection is in some cases carried out in the public interest, an example of which is the requirement for SIM Card registration which empowers telephone companies to collect personal data for the broader public interest of curbing crime through the use of mobile phones. The collection of data under the EPOCA Investigation Regulations or the Cybercrimes Act is also in the public interest in order to assist in investigation of crimes.
This is a legal basis which is implied by the very nature of certain relationships, for example, between a bank or a telecommunication company and its customer, there is a minimum of personal information which must be disclosed for proper delivery of services.
7. Controller and Processor Obligations
The age of consent is 18 years, however, there is no provision regulating the processing of children's data generally other than the general prohibition under the Cybercrimes Act which prohibits publishing, making available, or facilitating access to child pornography.
8. Data Subject Rights
Under the Cybercrimes Act, the data subject has a right not to have his/her information published in a misleading manner with intent to defame, threaten, abuse, insult, or otherwise deceive or mislead the public.
For publishing child pornography the penalty is a fine of not less than TZS 50 million (approx. £18,800), or three times of the value the advantage obtained from committing the crime; or imprisonment for not less than seven years, or to both fine and imprisonment.
For publishing misleading information, penalty is a fine not exceeding TZS 5 million (approx. £1,880), or imprisonment of not less than three years, or both fine and imprisonment.