Tanzania’s Personal Information Protection Act: Overview, Key Takeaways, and Context
On November 27, 2022, the President of Tanzania signed the Personal Information Protection Act, 2022 (PIPA) after it garnered unanimous Parliamentary support following its September 2022 introduction during the 8th Parliamentary sitting. The Act’s passage makes the United Republic of Tanzania (henceforth referred to as “Tanzania”) the 35th country in Africa to enact a standalone data protection law and effectively extends data protection safeguards to more than 63 million people. The law is in Swahili.
Prior to the passage of PIPA, Tanzania made several unsuccessful attempts to pass a data protection law. The 2003 National ICT Policy called for policy changes to facilitate enactment of a specific and effective legislative instrument on privacy after the initial recognition of a right to privacy as part of the 1984 Constitution’s Bill of Rights, which followed failed attempts to include the right in previous iterations of the constitution. Data protection reforms for a comprehensive data protection law began in 2013 in connection with the African Union’s Harmonization of ICT Policies in Sub-Saharan Africa (HIPSSA) project. Tanzania received financial and technical support from the International Telecommunication Union (ITU) and the European Commission to develop its first comprehensive data protection law, which was ultimately unsuccessful. The second attempt at a draft of a comprehensive data protection bill began in August 2022 when a draft was released for public consultation; this bill ultimately became PIPA.
The commencement date of PIPA will be determined by the Minister of Communications through a gazette notice (Section 1). The stated objectives of PIPA are laid out in Section 4 and include:
- Controlling collection and processing of personal data;
- Ensuring the collection and processing of personal data is guided by the principles laid down in the law;
- Protecting the privacy of individuals; and
- Establishing legal and institutional mechanisms for protecting personal information.
Overview of Key Features: From Recognizing Broad Categories of Sensitive Data, to Specifically Allowing Monetization of Personal Data
PIPA establishes a data protection framework for Tanzania that provides obligations related to processing of personal data. Specifically, it defines the forms of personal data covered under the law, covered actors and extent of application of the law, registration requirements of controllers and processors, and obligations of controllers and processors towards data subjects. The structure and provisions of PIPA coincide with laws in other parts of the world; however, there are unique provisions under PIPA that differentiate Tanzania from other countries.
For example, the law contains broad provisions on categories of sensitive personal data and imposes a mandatory requirement on all controllers and processors to appoint a data protection officer. Further, the law establishes unique situations where it is not applicable, including, among others, situations where processing is carried out for the purpose of identifying and preventing tax evasion, investigating embezzlement of public funds, or performing due diligence prior to appointment in a public service position.
Interestingly, the law obliges controllers to prioritize collecting personal data directly from data subjects. Only where this is not possible can they collect personal data from third parties, under specific conditions which are akin to “lawful grounds for processing”.
With regards to using a data subject’s personal data for commercial advertising, the law specifically allows the monetization of personal data by permitting a data subject to enter into a contract with the data controller, on the basis of which the controller may process the data subject’s personal data for financial gain.
Another unique feature of the law relates to how data subjects exercise their rights. The law mediates the relationship between a data subject and a controller in certain cases. For example, a request by a data subject to have a controller or processor modify, block, delete, or destroy incorrect personal data relating to them must first be made to the Personal Information Protection Commission (the data protection authority established by the law) for onward transmission to the controller or processor.
The structure of the Commission to be created also carries unique features, especially the creation of a board to oversee the conduct of the Commission. With regards to cross border data transfers, the Commission and the Minister of Communications maintain wide discretion on whether a transfer can be made, even upon fulfilling the conditions stipulated in the law.
Territorial Application, Covered Actors, and Data: Introducing a Limited Extraterritorial Scope and “Data Collectors”
Per express language in Section 2, PIPA shall apply to mainland Tanzania, as well as in Zanzibar. In Zanzibar, the law shall only apply to Union matters. The First Schedule of the Constitution of Tanzania enumerates the “union matters”, which include the Constitution of Tanzania and the government of the United Republic. Laws passed by the Union Parliament can only apply to Zanzibar where there is an express provision declaring so, or where the law relates to Union affairs and is in compliance with the provisions of the Union Constitution.
This specification is necessary due to the fact that Tanzania was formed from the 1964 merger of two formerly sovereign states: the Republic of Tanganyika and the People’s Republic of Zanzibar. The 1964 union did not throw out Zanzibar’s sovereignty, and, as such, the unified state maintains two governments. Zanzibar retains its own constitution and governs itself with regard to non-Union matters, while the Union government based in Dodoma (the united republic’s capital) maintains power over the entire territory with regard to Union matters. Zanzibar’s House of Representatives has legislative powers limited to non-Union matters as stipulated in the 1984 Constitution.
PIPA applies extraterritorially, but in a more limited way than other data protection laws like the EU’s General Data Protection Regulation (GDPR) or Indonesia’s Personal Data Protection Act. According to the law, Section 4 of PIPA shall apply to processing of personal information carried out by a controller residing in Tanzania or in a place where the laws of Tanzania are applied in accordance with international laws, as well as to any processing of personal information carried out by a controller or processor residing outside the United Republic if the processing has taken place in the country and not for the purpose of transferring personal information to another country (Section 22(b) and (c)). The condition that the processing takes place in the country to trigger the extraterritoriality of the law limits its reach. However, by specifying that extraterritoriality does not apply when personal data is transferred outside of the country to be processed there, the law solves a common conundrum appearing with other data protection laws between extraterritorial effect and the rules governing international data transfers.
Like many other African personal data protection laws, PIPA exempts processing of personal data for household purposes (Section 58(2)(a)). Other exemptions under Section 58 include where processing is:
- Carried out in accordance with other laws;
- Pursuant to a court order and in furtherance of national security or public security; and
- Carried out for the purpose of preventing crime, identifying and preventing tax evasion, investigating embezzlement of public funds, or performing due diligence prior to appointment in a public service position.
The Minister of Communications is empowered to expand the list of exempt circumstances and the means of implementing such exemptions are provided in Section 58(3). However, these exemptions do not preclude a data collector (defined below) from complying with the principles relating to collection and processing of personal information or the security safeguards requirement of the law (Section 58(1)).
Opting to use the term “data collectors” to refer to data controllers, PIPA applies to data controllers, processors, and recipients, which may be individuals, private entities, or public entities that process personal data.
The Act defines a controller as a person, individual institution, or public institution that alone or together with other institutions determines the purposes and methods of personal information processing; and where the purposes and methods of processing are specified in the law, the controller is a person, entity, or public institution appointed in accordance with the law and will include its representative.
A processor is defined as a person, individual entity, or public entity that processes personal information for and on behalf of the controller and under the instructions of the controller, except for persons who under the direct authority of the controller are permitted to process personal information, including their representatives. A recipient is defined as a person, entity, public institution, or any other person who receives personal information from the controller.
Covered Data: Broad definition of “sensitive data”
PIPA covers personal data that is defined as information about an identifiable person that is maintained in any form, including (Section 3):
- Race, color, ethnicity, religion, age, and marital status of an individual;
- Education, medical history, criminal data, and employment information;
- Any identification number or any other mark that identifies an individual;
- Address, fingerprints, and blood group of an individual;
- Name of individual that appears in the personal information of another person related to them or where such disclosure will reveal the personal data of the data subject; and
- Personal data that is sent to a data controller by a person where it is clear that such data is personal or confidential and responses to the information may reveal the content of the previous information and the view or opinion of any other person about the data subject.
PIPA further lists the following as “sensitive personal data”:
- Genetic data, defined as personal data resulting from genetic analysis;
- Children’s data (child has the same meaning assigned to it as under the law concerning children in Tanzania, which defines a “child” as a person below the age of 18);
- Criminal records;
- Financial transactions; and
- Biometric information.
Beyond the categories listed above, PIPA creates a broad definition of categories of sensitive personal data. According to Section 3 of the law, personal data becomes sensitive if, when processed, it reveals the race, ethnicity, political ideologies, religious or philosophical beliefs, trade union associations, gender, health data, or sexual relationships of a data subject. Sensitive personal data also includes “any personal information that, according to the laws of Tanzania, is considered to have a significant impact on the rights and interests of a data subject.” “Significant impact” is not defined in the law but could potentially be clarified at a later time through the Minister’s power to create regulations (Section 64(1)).
The Act imposes restrictions on the processing of these forms of sensitive personal data. PIPA prohibits processing sensitive personal data without the written consent of the data subject (Section 30(1)). A data subject may withdraw consent at any time, without reason and at no cost (Section 30(2)). Additionally, the Minister has regulatory discretion to designate circumstances where the prohibition on processing sensitive personal data may not be lifted even with a data subject’s written consent (Section 30(3)). Section 30(5) also gives circumstances where a data controller or processor does not need a data subject’s written consent to process sensitive personal data, including when the:
- Processing is necessary to comply with other laws;
- Processing is necessary to protect the important interests of the data subject or of another person, if the data subject cannot give their consent or is not represented by a legal representative;
- Processing is necessary for the filing, operation, or defense of legal claims;
- Processed personal information has been disclosed to the public by the data subject;
- Processing is necessary for the purposes of scientific research and the Commission has provided specific guidelines defining the circumstances where such processing can take place; and
- Processing is necessary for medical purposes in the interest of the data subject, and the sensitive personal information involved is processed under the supervision of a health professional in accordance with the law governing such services.
Obligations of Controllers and Processors: From Old School Registration Obligations, to Compulsory Appointment of DPOs
Registration as Data Controllers and Processors
PIPA, like many other African data protection laws, requires data controllers and processors to register with the data protection authority before collecting and processing personal data (Section 14). The Communications Minister recently released draft regulations on the registration of data controllers and processors that provide the conditions for registration. These requirements have similarities to those in other African jurisdictions, such as Kenya. Upon fulfilling the conditions for registration, a controller or processor receives a certificate of registration (Section 14(3)), which is valid for 5 years after it is issued (Section 15(2)).
Unlike Kenya’s Data Protection Act, 2019, PIPA does not provide a threshold for registration as a data controller or processor. This lack of a threshold implies that all individuals and private entities acting as controllers or processors are required to register with the authority, regardless of their size. Furthermore, PIPA’s certificates of registration are good for 5 years, in contrast to Kenya’s which are valid for 2 years. Interestingly, PIPA assumes that upon commencement of the law, public bodies shall be automatically registered as controllers and processors, and no action is required from them (Section 21).
Compliance with the Principles of Data Processing: From purpose limitation to security safeguards
Section 5 of PIPA requires controllers and processors to process personal data in accordance with the principles set forth under the law, including:
- Lawfulness, fairness, and transparency;
- Specified, legitimate purpose and purpose limitation;
- Adequate and relevant for the purpose of the intended processing;
- Retention in a manner that allows for identification for a period not exceeding the purpose of processing;
- Processing with regards to the rights of data subjects;
- Maintaining security safeguards during processing, including protection against unauthorized processing, loss, damage, or other harm using appropriate technical and administrative measures; and
- Transferring personal data out of the country in compliance with the law.
All Data Controllers and Processors Must Appoint Data Protection Officers
Section 27(3) of PIPA requires controllers and processors to appoint a Data Protection Officer (DPO). There are no thresholds or criteria that trigger appointment of a DPO, which means that all data controllers and processors must have a DPO.
Collection of Personal Data: An Obligation to Prioritize Collection Directly from the Data Subjects
According to Section 23(1) of PIPA, data controllers are generally required to collect personal data directly from the data subject. Prior to such direct collection of personal data, a controller shall ensure that a data subject (Section 23(2)):
- Recognizes the purpose for which the personal data is collected;
- Understands that collection of personal data is for an authorized purpose; and
- Knows the recipients of the personal data.
This obligation to collect personal data directly from a data subject is not commonly found in other regional or global frameworks, but a similar provision can be found in Kenya’s Data Protection Act, 2019.
However, a data controller is not obliged to directly collect personal data under certain circumstances (Section 23(3)), including if:
- Personal data is publicly available;
- The data subject has consented to collection of personal data from another source or person;
- It is impossible to directly collect personal data from a data subject;
- The law allows for collection of personal data indirectly; or
- Direct collection may affect the purpose of collecting personal data.
Notably, the law does not define what “publicly available” means in the context of personal data collection. However, it is possible that this definition will be provided at a later time through the Minister’s power to create regulations (Section 64(1)).
Duty to Ensure Accuracy of Data
PIPA requires a data controller to take steps that ensure that the information is complete, correct and consistent with the intended purpose of processing, and is not misleading before any processing occurs (Section 24).
Further Processing of Personal Data Beyond the Initial Purpose
Section 25(2) of PIPA sets the conditions for when further processing of personal data is permitted, including when:
- The data subject has consented to the new purpose;
- Use of personal information for the new purpose is authorized or required by law;
- The purpose for which personal information has been used is directly related to the purpose of collecting that information;
- The personal data is used in a manner that does not disclose the identity of the data subject;
- The personal data is used for statistical or research purposes in a manner that will not identify the data subject; or
- The controller believes, on reasonable grounds, that the use of personal information for that other purpose is necessary to prevent or reduce harm to the life or health of the person concerned or another person, or to the health or safety of society.
Establishing a Data Processing Agreement
PIPA requires that the relationship between a controller and processor be mediated by a data processing agreement (Section 27(4)). Activities of the processor must be governed by a contract that specifies the relationship between the processor and the controller and includes the controller’s instructions to the processor.
A controller is required to consider the existing laws that stipulate data retention periods for various data processing activities or develop a retention policy consistent with forthcoming regulations (Section 28(1)).
Security and Data Breach Processes
PIPA obligates controllers to take necessary steps to safeguard personal data (Section 27(1)). A processor has a duty to adhere to the levels of security stipulated under the Act (Section 27(4)). In the event of a security breach relating to data processed on behalf of the controller by a data processor, the data controller is obliged to inform the data protection authority (Section 27(5)). This implies that a processor is obligated to inform the controller in the event of a security breach. However, there is no obligation for controllers under the law to notify data subjects in the event of a data breach.
Creation of Codes of Ethics
Controllers are required to develop codes of ethics for processing personal data in compliance with the provisions of the law and submit them to the Commission for review and approval. Where the Commission deems fit, it may seek the input of data subjects or their representatives before approval (Section 65). The Act does not specifically mention that each controller must develop their own code of ethics; the broad provision gives leeway for controllers to either do so independently or as a group.
Data Subject Rights: From Absolute Opt-Out of Commercial Advertising, to The Right not to be Subject to Solely Automated Decision-Making
Part 6 of PIPA enumerates the rights of data subjects that controllers must adhere to – the right to access personal data, the right to restriction of processing, an absolute opt-out from commercial advertising – which might have important consequences for online advertising in the country, a right not to be subject to solely automated decision-making, and a right to have personal data modified, blocked, deleted, or destroyed. Protection of rights of data subjects is one of the principles of data protection under PIPA, which may support interpretation of the legal provision towards enhancing protections for individuals exercising their rights.
Under Section 33, data subjects are entitled to know that their personal data is being processed and the details of the processing, including:
- What personal data is being processed;
- The purpose of processing;
- Any recipients of the data; and
- Where a decision with significant impact on the data subject has been made solely on the basis of an evaluation derived from the automatic processing of their personal data, as well as the rationale behind the decision.
However, a data controller is not obliged to provide the above information to a data subject if the information is incorrect, if it is being used in an investigation in accordance with the law, or if it is withheld by court order. Notably, data subjects must convince the Commission that data held by a controller is incorrect in order to exercise their right to deletion or modification of that data under Section 38.
As for the right to restriction of processing, where a processing activity “may cause serious harm” to the data subject or any other person, the data subject has the right to ask the data controller to not initiate the processing or to stop the processing. The methodology to restrict processing shall be stipulated in regulations to be issued by the Minister of Communications.
Under Section 35(1), a data subject, through procedures that shall be specified in future regulations, has the right to ask the data controller to stop processing their personal data for the purpose of commercial advertisements (i.e., presentation, in any form, of a commercial advertisement addressed to a particular person). This provision seemingly equates to an absolute opt-out of any processing of personal data for “commercial advertising”, which could potentially be interpreted much broader than the GDPR’s “direct marketing”.
As per Section 35(2), a data subject may, with regards to commercial advertising, execute a contract with the data controller, on the basis of which the controller may process the data subject’s personal data for financial gain.
According to Section 36(1), data subjects have the right to ask the controller, through procedures that will be stipulated by regulations, to ensure that no decision based solely on automated means is made, where that decision has a significant impact on the data subject. The way the right is drafted indicates a departure from the GDPR’s approach, which treats it as a prohibition with exceptions rather than a right that must be actively exercised by data subjects. Where the data controller proceeds to make a decision solely on the basis of automated means, the controller must, as soon as possible, inform the data subject that a decision was made based on automated processing, and the data subject has the right to request that the automated decision be reconsidered (Section 36(2)). However, these rights shall not apply if a decision based on automated processing is necessary to enter into or enforce a contract between the data controller and the data subject, if it is permitted by any law, or if the data subject has given their consent (Section 36(3)).
Lastly, Section 38 provides that the data subject may ask the Commission to make an order to a controller or processor to modify, block, delete, or destroy personal data relating to them if the personal data is incorrect, even if the controller or processor received this data as part of an accurate record given to them by the data subject or another person.
Cross Border Data Transfers and Data Localization: A Three-Tiered Approach to Data Transfers
Part 5 begins by providing that, in consideration with the provisions of PIPA, the Commission may prevent the export of personal data out of Tanzania (Section 31(1)). Such a restriction notwithstanding, personal data may be transferred out of Tanzania to other countries considered to have an adequate level of protection under certain circumstances, including (Section 31(2)) when the recipient determines:
- The personal data is necessary for the performance of a duty in the public interest;
- Such a transfer is in accordance with the legitimate interests of the data controller; or
- The necessity of transferring the personal data and there is no reason to believe that the legitimate interests of the data subject may be affected by the transfer or processing in the receiving country.
In transferring the personal data to an adequate country, the controller is required to conduct an initial assessment of the importance of transferring the personal data and the recipient is required to ensure that the necessity of such a transfer is ascertainable at a future date (Section 31(3) & (4)). The controller is required to ensure that the recipient processes personal data only for the purpose for which the data was transferred (Section 31(5)).
Personal data may also be transferred to a country without an adequate level of protection if adequate protection is guaranteed and personal data is transferred for the purpose of processing that is allowed by the controller (Section 32(1)). Criteria for assessing whether adequate protection is offered by a country include (Section 32(2)):
- All the circumstances relating to the transfer of relevant personal data;
- Type of personal data;
- Purpose and duration of the proposed processing;
- The country of the recipient;
- Relevant laws applicable to the country; and
- Professional regulations in use and the security measures observed in the recipient’s country.
Despite the provisions on transferring personal data to countries without adequate protection and the conditions to be fulfilled in this respect, the Minister of Communications is required, after consulting with the Commission and through regulations, to specify the type of processing and the circumstances under which the export of personal information to countries without adequate protections will not be allowed (Section 32(3)). In other words, the Minister of Communications will have the discretion to ban transfers in certain situations and for certain purposes.
Notwithstanding the provision under Section 32(3), personal data may be transferred to non-adequate jurisdictions when:
- The data subject has consented;
- The transfer is necessary for the performance of a contract or fulfillment of pre-contractual requirements between a data subject and a controller; or
- The transfer is necessary for entering into or executing a contract entered into or to be entered into between the controller and another person in the interest of the data subject.
Finally, the Commission may affirmatively permit specific transfers of personal data to a country without adequate protection (even if the other adequacy criteria cannot be fulfilled) where the controller assures the Commission that there are adequate security safeguards in place, there is a guarantee of the rights and freedoms of the data subject in the domestic laws of the recipient’s country, there is an ability to enforce the rights of data subjects, and that the protection can be implemented through adequate legal, security, and regulatory measures.
Enforcement: New Data Protection Authority, Processes, and International Cooperation
Data Protection Authority
Section 6(1) of the Act establishes the Personal Information Protection Commission. The Commission shall be headed by a Director General who shall be appointed by the president (Section 11(1)) and will have the following duties:
- Monitoring the implementation of the Act;
- Registering controllers and processors;
- Receiving, investigating, and processing complaints;
- Investigating and taking action against a matter that the Commission deems to affect the protection of personal information and privacy of people;
- Raising awareness;
- Establishing a cooperation mechanism with the authorities of other countries;
- Advising the Government with regard to the implementation of this Act; and
- Performing other duties required for the effective implementation of the Act.
The management of the Commission shall be overseen by a seven-member Board (Section 8) with a Chairperson, vice chairperson, and five at-large members. The Chairperson and the vice-chairperson shall be appointed by the president of Tanzania; if the Chairperson is from Tanzania, the vice chairperson shall be appointed from Zanzibar, and vice versa. The Board shall, among other functions, oversee the activities and performance of the Commission (Section 9(2)(b)) and approve and oversee financial management procedures and service rules (Section 9(g)). The board may form committees to conduct its functions (Section 10).
Per Section 51, funding for the Commission includes an amount set by the Parliament, along with paid fines, donations, gifts or grants, loans, and any other income derived from the Commission’s activities. The Act also describes the internal mechanisms for management of the Commission’s financial resources, the role of the Board and the Director General, and the Commission’s accountability duties. Annual budgets must be approved by the Minister of Communications, who has the power to ask the Commission to adjust a proposed budget. Additionally, the Director General must submit an annual report to the Minister, who will in turn submit it to the Parliament (Section 57). The Act does provide for the Minister or the Parliament to otherwise intervene in the Commission’s activities.
Initiating a Complaint
Data subjects may lodge complaints with the Commission on the basis of violation of the Act by a controller and/or a processor (Section 39(1)). Upon receipt of a complaint, the Commission shall notify the data controller or processor of the complaint and of its intention to conduct investigations (Section 40). Investigations shall be conducted and completed within 90 days from when the complaint was submitted (Section 39(3)). The Commission may, depending on the circumstances of the investigation, extend an investigation up to a maximum of another 90 days (Section 39(4)). The investigation process shall be conducted confidentially and with all security requirements in place.
Commission’s Authority During Investigations
Section 42 enumerates the Commission’s investigatory powers, including to:
- Summon and require a person to appear before the Commission;
- Receive evidence;
- Enter buildings to ascertain that they meet the security requirements;
- Examine and obtain copies of records that it deems necessary and relevant from controllers’ and/or processors’ premises; and
- Interrogate people and collect evidence.
The Commission will also receive submissions from the complainants and the data controller or processor. The Commission may engage other individuals or authorities to assist in enforcement of the law (Section 44). The Commission may apply to the courts for preservation orders when personal data involved in an investigation is at the risk of loss or alteration (Section 59).
Section 43 of PIPA makes it an offense to obstruct the Commission during performance of its investigations. The offense of obstructing the Commission attracts a fine between 100,000 and 5,000,000 Tanzania Shillings (approximately between 42 and 2,130 US Dollars) or imprisonment for not more than two years, or both.
Outcome of Investigations
If the Commission concludes that there has been a violation of the Act, the Commission may issue an enforcement notice requiring the controller and/or processor to take appropriate measures to remedy the violation (Section 45). Where the controller or processor fails to comply with the enforcement notice issued by the Commission, the Commission may, based on certain factors, issue a penalty notice and require that the controller or processor pay an administrative fine (Section 46). The elements to be taken into account by the Commission when deciding whether to issue a penalty notice and the fine to be paid are enumerated under Section 46(2). Where the Commission decides to issue a penalty notice, the law sets the maximum fine to 100,000,000 Tanzania Shillings (approximately 42,600 US Dollars) (Section 47).
Once the Commission has made a decision, two actions may follow:
- It can, at its own discretion or on request by a party to the complaint, revisit its decision and reverse, change, or suspend the decision or its instructions (Section 48); or
- A party that is dissatisfied with an administrative action of the Commission against it has a right to appeal to the High Court (Section 49).
The Commission may order a controller and/or processor to compensate a data subject for harm caused by violations of the Act’s provisions, in addition to other penalties and with regard to Section 37 on the right to compensation.
Offenses, Sanctions, and Compensation: From the Offense of Obstruction to Wide Penalty Bands for Different Offenses
Civil and Criminal Liability
Beyond the offense of obstructing the Commission during investigations mentioned above, PIPA creates an offense for the disclosure of personal data for any reasons other than the intended purpose, and for selling personal data obtained contrary to the law (Section 60). Individuals may be punished by a fine between 100,000 and 10,000,000 Tanzania Shillings (approximately between 42 and 4,260 US Dollars), imprisonment for up to 10 years, or both. Companies or organizations may be fined between 100,000,000 and 5 billion Tanzania Shillings (approximately between 42,600 and 2,130,000 US Dollars) (Section 60(6)).
The law also prohibits the destruction, deletion, concealment, misrepresentation, or alteration of personal information in violation of the law (Section 61). These offenses attract a fine between 100,000 and 10,000,000 Tanzania Shillings (approximately between 42 and 4,260 US Dollars), imprisonment for up to 5 years, or both. Where an offense is committed by a company, the company and every officer of the company who knowingly and intentionally violates the law shall be held liable (Section 62). The law creates a “general punishment” for offenses not specifically stipulated that still amount to a violation under the Act (Section 63). The penalty for an offense not specified under the law is between 100,000 and 5,000,000 Tanzania Shillings (approximately between 42 and 2,130 US Dollars), imprisonment for up to 5 years, or both.
Compensation Under PIPA
Section 37(1) provides that a data subject who suffers harm due to the violation of the Act’s provisions by a controller or processor is entitled to compensation. A data subject shall be entitled to compensation on condition that (Section 37(2)):
- The complainant or their representative (in the case of a child or person of unsound mind) is the affected data subject;
- Rights of the data subject have been violated due to a breach of the law; and
- The effects of the violation(s) are related to the processing of personal data contrary to the provisions of the Act.
Where the Commission is satisfied that a data subject has suffered harm under compensable circumstances and there is risk of further violations, it may order the data controller to modify, block, delete, or destroy personal data. Once the Commission has made an order, it may also make an order requiring the controller and processor to inform any third parties that had received the personal data of the order to correct, block, delete, or destroy that data (Section 37(4)). When making such an order, the Commission will consider the number of people to be notified (Section 37(5)).
Section 50 specifies the relative liability of the data controller and the data processor. The controller is conditionally responsible for the results of the processing. The processor is responsible in two cases: (1) if it has not complied with the duties specifically addressed to it under the Act, or (2) if it has acted contrary to the controller’s instructions. The controller and/or the processor may only avoid liability by proving that they were not involved in any way in the event that caused the harm.
Finally, Section 64 stipulates the various regulations required for the implementation of the Act, including but not limited to:
- Regulations on circumstances excluded from the scope of the law;
- Regulations detailing duties of a data protection officer; and
- Procedures for storing and disposing of personal information.
As stated previously, the Minister has already released draft regulations that cover registration of data controllers, cross border data transfers, and the handling of complaints.
Tanzania’s adoption of this legislation is a significant development for data protection in the country. The Act reflects common provisions found in many other regional and global data protection frameworks, and also includes unique provisions, particularly related to the governance of the new data protection authority. Tanzania’s differing approach can also be seen in provisions dealing with cross border data transfers. As the country awaits the commencement of the Act and the publication of regulations, Tanzania remains a jurisdiction to watch for those interested in African data protection.
1 The Act uses “data collector” throughout. The definition of a “data collector” provided under the law is similar to that of a “data controller” in many other data protection laws. However, in laws such as Uganda’s, a “data collector” is differentiated from a “data controller”. Thus, since the definition of “data collector” provided under PIPA is similar to that of a controller in many other laws, we use “data controller” throughout this blog.