Analysis of a Decade of Israeli Judicial Decisions Related to Data Protection (2012-2022)

Adv. Rivki Dvash with the assistance of Mr. Guy Zomer¹

Background

The Future of Privacy Forum’s office in Tel Aviv (Israel Technology Policy Institute – ITPI) sought to examine the judicial decisions in civil actions under Israel’s Privacy Law, which includes rules that regulate data protection. We examined the extent to which the general public demands protection of the right to privacy through judicial proceedings. We also analyzed the privacy and data protection issues that concern the public enough to appeal to the court, as well as identified any patterns in the appeals.

It is important to note that there is a contradiction inherent in taking civil actions to remedy privacy and data protection violations since appealing to judicial bodies brings attention to and publicly catalogs the disputes. ² As such, there is an occasional interest to not pursue these matters in order to prevent additional publication or exposure of information that could increase the harm of the initial violation of privacy. Accordingly, the data gathered in this analysis does not necessarily reflect the complete interest and desire the public has in protecting privacy, but rather the cases in which individuals chose to seek judicial remedy under the Privacy Law.

In order to examine all of these cases, we asked Mr. Guy Zomer of Octopus – Public Information for All (R.A.) – which works to make public information, including that related to judicial proceedings, accessible through the Tolaat Hamishpat – to compile all the rulings since 2012 that mention privacy violations and retrieve relevant metadata for our analysis.

The overview below highlights the information and insights gathered from the metadata.

Methodology

Collection of rulings from the Nevo website

In order to locate rulings related to privacy violations, we queried all published rulings issued from January 1, 2012, to December 31, 2022 to find those that included reference to Section 2 of the Privacy Law, 5741-1981 (from now on referred to as “the Law”), which defines an invasion of privacy and what constitutes a civil tort (and a criminal offense). The dataset only includes rulings issued in ordinary courts (magistrate, district, and supreme), and not those issued in special courts such as the Family Court and the Labor Court.

Initial screening

Since we wanted to concentrate on civil proceedings to discover common patterns, we removed criminal judgments and appeal proceedings from the dataset. We also chose to examine and compare decisions related to class actions separately from other civil proceedings.

We identified a total of 293 judgments issued in civil lawsuits and 29 judgments in class actions that referred to privacy violations.

Data collection

The dataset of civil claim decisions related to privacy violations initially only contained primary data such as the opening and closing dates of proceedings and the amount of the claims. We then added the following secondary data:

1. The additional grounds in the civil lawsuit (defamation,  spam, etc.), if any;
2. The specific grounds for which the claim was filed (in other words, which subsection of Section 2 is used), even if the court did not recognize the requested cause or all the grounds for which the claim was filed;
3. The relationship between the plaintiff and the defendant (neighbor, employer-employee³, family, etc.);
4. Whether the plaintiff claimed concrete damage or compensation without proof of damage;
5. Whether the court recognized defense claims (this refers to the acceptance of defense claims in a judicial decision, and not to the fact that the defending party raised them);
6. Who won the lawsuit;
7. The amount of compensation mandated due to the violation of privacy;
8. The amount of expenses that have been mandated; and
9. The total amount of compensation that was mandated, including expenses or other grounds.

We examined class action cases separately from civil lawsuits since class actions focus more on potential harm to a group of people rather than an individual and the monetary compensation is structured differently with three components: individual winnings, group winnings, and lawyer fees, which are higher than is usually customary and serve as an incentive to file class actions.

Preliminary research findings

1) It should be noted that the data we examined only related to published judgments. We have yet to learn about the number of relevant claims in which the proceedings were stopped for various reasons (such as a settlement or lack of legal proceedings by the plaintiff or closed-door proceeding). Given that there is no labeling of privacy protection procedures in the Net HaMishpat (the computerized system for managing court cases in Israel), it is impossible to locate such information.

2) There is a small number of verdicts related to privacy violations and there are only several dozen privacy cases yearly. In comparison, in 2019, about 200,000 cases were closed in the Magistrates’ and District Courts. ⁴ Furthermore, in 2020, about 192,400 cases were closed in these courts. ⁵ In other words, the judgments in matters of privacy in Israel are a negligible percentage of all civil proceedings.

3) We looked at the approximate weight of published privacy violation claims as a percentage of total published civil lawsuits over several years to see whether there are any patterns. Although this method is not statistically accurate, it is still useful to examine the variable ratio between all judgments and privacy judgments published in Nevo.

However, even in the test mentioned above, we could not locate or indicate a clear trend, as seen below.

Findings

Civil Lawsuits

1. In all the cases, except for one,⁷ the plaintiffs preferred to claim compensation without proof of damage under section 29A of the Law.

2. The most common issue in civil lawsuits is the photographing of a person and placing of cameras in public, and sometimes even private spheres, accounting for 5.1% of claims. 

3. We did not find any civil lawsuits for torts from privacy violations in databases. The initial assumption was that such claims are found in class actions (see below).

4. Civil lawsuits for privacy violations were generally connected to legal claims for other torts. Less than 20% of the claims filed for privacy violations were filed as a single damage (17%).

5. 19.8% of plaintiffs chose to file their claim in “Small Claims Courts,” which allow for relatively quick and no-frills compensation in an amount limited to up to NIS 36,400 (roughly USD 10,000).

6. The main ground for civil lawsuits is the “spying on or tracing of a person,” or other harassment. This ground appears in 36.9% of civil court rulings. For context of how dominant this cause is, the second most common ground (photographing a person without their permission) is cited in only 16% of all judgments.

7. The most common relationship between plaintiffs and defendants is a consumer relationship (24%) or a neighbor’s dispute (21.8%). A citizen’s claims against the authorities account for 8.9% of all claims, with the leading cause of action for this type of relationship being a breach of the confidentiality obligation established by the Law (40%).

8. Although privacy violations from media exposure create significant harm due to their broad exposure of information, only a low percentage of filed claims are due to this type of violation (7.5%). Additionally, claims due to this type of violation are always accompanied by a civil lawsuit for other claims such as defamation. Generally, defamation claims appear next to privacy violation claims (52%).

9. 9.9% of privacy claims also involved spam claims filed under Section 30A of the Communications Law. This finding is interesting because during the legislative process for spam regulations, it was determined that they should be incorporated into the Communications Law instead of the Privacy Law. Regardless, even in decisions that recognized both privacy and spam violations, the compensation amounts remained extremely low (no more than a few thousand shekels).

10. In most cases (57.3%), the plaintiff won the claim, compared to 34.4% of cases in which the defendant won (in the other claims, there was no definitive decision). However, a deeper examination of these claims shows that only 46.7% of them were compensated for the privacy violation. In other words, sometimes the plaintiff won the case, but not on the grounds of the privacy violation, or general compensation was provided without specifically referring to the privacy violation.

11. In almost a quarter of the rulings (24.5%), the court recognized legal defense protections under the Law. ⁹ The most recognized protection (40.3%) is in the case of “legitimate personal interest” (section 18(2)(c)).

Class Actions

12. Class actions related to privacy violations  (29 cases) account for a small number of all class actions (6493 cases). However, the relative share (4.5%) is larger than the ratio of civil privacy violation claims compared to all civil claims (about 0.09%). This larger relative share is even more significant given that  privacy violation class actions in Israel are more limited tools than civil lawsuits since class actions can only apply to the specific types of claims listed in the second addendum to the Class Actions Law, 5766-2006. ¹⁰

13. Most of the class actions that include grounds for privacy violations are also related to consumer protection.

14. Spam violations constitute the additional (or, more precisely, the primary) ground in a significant share of privacy violation class actions (69%). Four cases (15.4%) also mentioned the issue of registering the databases that are the subjects of the claims.¹¹ Furthermore, in four cases (15.4%), it was claimed that the information security of the databases in question were compromised.

15. In 17.2% of privacy violation cases the court rejected the motion to file a class action.

16. Of the 29 cases in which a judgment was given (including court rejection to form a class action), in 41.4% of cases, the court approved the settlement, and in 37.9% of cases, the court approved the plaintiff’s motion for leave.

17. 69.2% of claims ended in favor of the plaintiff, and only about 26.9% of the decisions favored the defendant, with plaintiffs liable for expenses in only four cases (15.4%).

Conclusion

Despite the difficulty in getting clear insights into privacy violation civil lawsuits and class actions due to the scarcity of rulings in this area, it is still necessary to examine these decisions.

The small number of claims in this area may indicate the public’s lack of interest in exercising its right to compensation when privacy violations occur. Part of this disinterest is likely due to the desire to prevent additional publication or exposure of information that could increase the harm from the initial privacy violation.  Interestingly, the larger amount of privacy violation class actions as a percentage of all class action lawsuits (compared to civil lawsuits) indicates that given a larger financial incentive and decreased risk of exposure of individuals’ personal information, the desire to file lawsuits may increase. This tentative hypothesis is supported by the higher numbers of class action and civil lawsuits related to spam violations, both of which have high compensation potential and do not reveal additional personal information about plaintiffs. However, given the small absolute number of both class action and civil lawsuits related to privacy violations, more research is needed to fully examine the motivations of plaintiffs.

Even with the small number of claims, there are still several interesting findings, including clarity into the types of privacy violations that concern the public. For example, it is evident that plaintiffs mostly bring violations related to neighbor disputes and placement of cameras in public spaces for surveillance. The research also shows that despite the higher potential for privacy violations from state authorities or the greater harm from violations of database-related provisions of the Law, there are almost no lawsuits concerning these issues. One potential hypothesis for the lack of these claims is that there are power gaps between citizens and authorities, as well as data subjects and database owners, that disincentivize lawsuits.  Although class actions can strengthen the power of the consumer, they still require proof of damage and also cannot be filed against the state.

In conclusion, it is impossible to point to a change or a clear trend of citizens exercising their right to privacy in civil lawsuits over the past decade.

Editor: Isabella Perera

This text has been translated and adapted into English from the original report published on January 30, 2023, available in Hebrew following this link.

---

¹ Thanks to Adv. Limor Shmerling-Magazanik, former Director of ITPI, for her comments on this report.

² In Israel, the default is that legal proceedings are published stating the parties’ names.

³ It should be noted that even in civil proceedings in ordinary courts (not the Labor Court), we still found claims related to employee-employer relationships.

⁴ See Annual Report 2019 – Court Administration (in Hebrew), pp. 25 and 37. In the district courts, 8,278 civil cases were closed, and in magistrates’ courts, 191,444 such cases were closed.

⁵ See Annual Report 2020 – Court Administration (in Hebrew), pp. 25 and 37. In the district courts, 7,578 civil cases were closed, and in magistrates’ courts, 184,874 such cases were closed.

⁶ We did not include 2022 because there was a change in the classification of cases in civil lawsuits that altered how the selected group was sampled.

⁷ Civil Action (Magistrate court – Haifa) 54043-11-12 Naor v. Clal Pension and Provident Fund Ltd. (11/4/2014) (in Hebrew), in which the plaintiff lost.

⁸ As of January 2023.

⁹ Section 18 of the Privacy Law.

¹⁰ Such as dealers, banking corporations, financial services providers, etc.

¹¹ In Israel, there is still an obligation to register databases.

A New Paradigm for Consumer Health Data Privacy in Washington State

The Washington ‘My Health, My Data’ Act (MHMD or the Act) establishes a fundamentally new legal framework within U.S. law to regulate the collection, use, and transfer of consumer health data. Signed into law by Governor Inslee on April 27, MHMD was introduced by request of the Washington Attorney General in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization (2022) (Dobbs).

While drafting quirks have caused uncertainty around the effectiveness dates of some of MHMD’s provisions, in general the Washington Legislature seems to intend for MHMD’s substantive data privacy requirements to come into effect on March 31, 2024 (or June 30, 2024 for small businesses). Other provisions, including the Act’s sections on geofencing and enforcement, will take effect in 90 days time. 

This post highlights six aspects of MHMD that could have paradigm-shifting consequences for data privacy regulation. For a more in-depth analysis of the Act, check out the Future of Privacy Forum’s MHMD Policy Brief.

1. ‘My Health, My Data’ applies to organizations that collect, process, or transfer covered data in any way that touches Washington State:

MHMD will impact a broad range of entities, both within and outside of Washington State. The Act imposes obligations on regulated entities that do business in Washington or that “target” products or services at Washington consumers. Such targeting likely includes actions as simple as making a business website available to access from within Washington or advertising in Washington.​​ In addition, MHMD applies to businesses and nonprofit organizations of any size that collect, hold, or transfer consumer data that has “any operation” performed on it in the state at any point. Significantly, MHMD defines “consumer” as any natural person whose health data is processed in “any manner” within the state. Therefore, if customer health data is at any point accessed in, travels through, or is stored in Washington State, MHMD is likely to apply. Unlike many other U.S. privacy laws, the Act does not exempt entities covered by other legal regimes, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm-Leach-Bliley Act (GLBA), and Family Educational Rights and Privacy Act of 1974 (FERPA), but instead only the data regulated thereby. 

2. ‘My Health, My Data’ defines “health data” far more broadly than any other U.S. privacy framework:

MHMD regulates collection and transfers of “consumer health data,” defined as any form of “personal information” that “identifies the consumer’s past, present, or future physical or mental health status.” The Act provides a non-exhaustive list of 13 categories of information that constitute de facto “health status” under the Act, including biometric data, “[p]recise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies,” and health information that is inferred from non-health data. This definition of health data is far broader than the definitions established by other contemporary legal frameworks, and will encompass information that is not typically treated as health data. Any entity with a nexus to individually-identifying health information should assess potential operational impacts of MHMD.

While more expansive than other legislative frameworks, one significant aspect of MHMD’s definition of “consumer health data” aligns with the Federal Trade Commission’s (the Agency) approach to health information in its recent enforcement actions against GoodRx and BetterHelp. In its complaint against BetterHelp, the Agency alleged that the company wrongfully disclosed consumer information, including email addresses, IP addresses and unique advertising IDs, that revealed that consumers had accessed a website seeking mental health care services. Similarly, MHMD’s definition of “personal information” includes “data associated with a persistent unique identifier, such as a cookie ID, an IP address, a device identifier, or any other form of persistent unique identifier.” These definitions demonstrate an emerging regulatory attention to ways in which common online activities and user data can be processed to reveal sensitive health information.

3. ‘My Health, My Data’ establishes recurring, notice and consent obligations for the collection, transfer, sale, and secondary use of health data:

MHMD requires businesses to make disclosures and obtain separate consumer consent for any collection and transfer of health data beyond what is necessary to provide a consumer-requested product or service. For the “sale” of health data, the Act requires regulated entities to obtain “valid authorization,” a more exacting form of consent that expires after one year. MHMD defines “sale” broadly to include exchanges for valuable consideration, and will likely implicate current digital advertising practices for covered entities. 

While MHMD’s opt-in framework will provide individuals with increased ability to control how their health data is collected and transferred, users will likely face a significant increase in the volume of notices and pop-ups when accessing many common products and services. Furthermore, since MHMD relies on a “notice and consent” framework rather than creating new baseline rules around how entities may collect, use and transfer covered health data, the efficacy of the Act’s framework will depend on whether users are able to successfully navigate this new menu of consent options while obtaining desired products and services. 

4. ‘My Health, My Data’ creates consumer rights of access and deletion that go beyond those established by other state privacy laws:

MHMD creates several consumer rights that have become standard in global privacy laws, including the right to know how an organization uses personal data, the right to access that data, and the right to have covered health data deleted. However, MHMD does not contain common exemptions for these rights such as for protecting trade secrets or for complying with legal obligations. 

Furthermore, the Act’s rights of access and of deletion are significantly different from comparable state laws, and will require modifications to organizations’ compliance programs. For example, MHMD’s right to access not only gives users the right to obtain a copy of their data, but also to procure a list of the names and email addresses of third-parties with whom their data was shared or sold. The Act’s deletion right gives individuals the right to delete their health data from all records managed by a regulated entity, including from archived or backup systems and from within the records of processors, contractors, and other third parties, with no exception for data that is retained in order to comply with deletion requests on an ongoing basis. 

5. ‘My Health, My Data’ places novel restrictions on the geofencing of wide-ranging set of facilities that provide in-person “health care services:” 

MHMD forbids both covered entities and individual actors from geofencing physical “health care facilities” in order to identify individuals, collect health data, or send health data or health-service related messages to consumers. This restriction may impact several common practices, including security operations and the use of push notifications for advertising consumer goods. Furthermore, MHMD’s far-reaching definition of “health care services” means these restrictions could include geofencing conducted in order to collect data from or advertise to individuals visiting gyms, complexes that include healthcare offices, and general consumer goods stores.

6. ‘My Health, My Data’ provides for enforcement through a private right of action:

MHMD gives the Washington Attorney General authority to enforce the Act and also creates a private right of action by establishing that a violation of the Act is an unfair or deceptive trade practice under the Washington Consumer Protection Act (WCPA). While MHMD’s inclusion of a private right of action sets it apart from many other state privacy laws, entities should note that MHMD does not provide for statutory damages. Instead, MHMD grants plaintiffs the right to sue to recover for any injury to their “business or property” caused by a violation of the Act, and gives courts the discretion to award treble damages up to $25,000. While the Washington Attorney General’s office can likely issue interpretive guidance, the opportunity for private litigation suggests that Judges are likely to resolve drafting ambiguities. 

Conclusion

MHMD will set new standards for the protection of non-HIPAA covered personal health data. The Act’s broad scope and exacting requirements could create compliance hurdles for a wide range of covered entities, and its private right of action provides a private enforcement mechanism not usually available under U.S. privacy laws. Organizations of all sizes, even those who operate outside of Washington State, should investigate whether they are, or could become, covered by the Act and understand MHMD’s requirements. Likewise, individuals should determine when their data is covered by MHMD and what rights they are afforded under the Act. Finally, policymakers working on these issues should consider not only the scope of new health privacy legislation, but also how new regulations will interact with existing frameworks, including the sensitive data protections established under the various state comprehensive privacy laws.

FPF Announces Recipients of the Third Annual Award for Research Data Stewardship

Today, the Future of Privacy Forum (FPF) — a global non-profit focused on data protection headquartered in Washington, D.C. — announced the winners of the third annual Award for Research Data Stewardship. 

FPF is a long-standing advocate for privacy-protective data sharing by industry to the research community to advance scientific insights and drive progress in medicine, public health, education, social science, and many other fields. FPF established the Award for Research Data Stewardship in 2020 to recognize companies and academics that demonstrate innovative approaches and best practices for sharing private, corporate data to advance scientific knowledge. 

With the third-annual Award for Research Data Stewardship, FPF honors two teams of researchers and corporate partners for their commitment to privacy and ethical uses of data in their efforts to help with emergencies related to diseases and natural disasters. The winning team is a collaboration between the Mayo Clinic researchers led by Rozalina McCoy, MD, MS, and health services company Optum. The honorable mention is a collaboration between Assistant Professor Xilei Zhao, PhD, at the University of Florida and location intelligence company Gravy Analytics. These partnerships were awarded based on the strength of their research, adherence to privacy protection in the sharing process, and the company’s commitment to supporting academic research. 

“Our panel of judges were incredibly impressed reading through each meaningful and forward-thinking data-sharing partnership,” said Shea Swauger, FPF’s Senior Researcher for Data Sharing and Ethics. “Data plays a significant role in social progress. When companies share data responsibly with academic researchers, they can unlock new scientific insights, expand human knowledge and provide solutions to society’s most difficult challenges.”

Winner: Mayo Clinic and Optum:
“Predicting the Risk of Severe Hypoglycemic and Hyperglycemic Events in Adults with Diabetes”

• Diabetes affects more than 37 million people across the United States, making it the country’s most common and costly chronic disease. Despite advances in the science of diabetes therapy, rates of diabetes complications have not improved over the past decade, especially as it relates to garnering glycemic control to avoid severe hypoglycemia and hyperglycemia. With little research about acute hypoglycemic and hyperglycemic diabetes complications available, many clinicians lack a practical and reliable means to identify patients at the highest risk for severe hypoglycemia and hyperglycemia, preventing the ability of the patient to individualize glycemic goals and therapy. Winners Mayo Clinic and Optum addressed these critical gaps in diabetes management by examining the epidemiology of severe hypoglycemia and hyperglycemia in the U.S. through risk prediction models using real-world data from Optum to emulate clinical trials of interventions to improve glycemic control and reduce risks of severe hypoglycemia and hyperglycemia.

Honorable Mention: University of Florida Transportation Institute Partnership with Gravy Analytics: “Using Location Analytics to Enhance Natural Disaster Emergency Response Planning and Management”

• To gain insight into the evacuation behaviors of those impacted by the 2019 Kincade Fire, UFTI researchers worked with Gravy Analytics to secure trusted human mobility data for their study. Gravy Analytics provided UFTI researchers with its Observations Data-as-a-Service (DaaS) product for mobile devices seen in the evacuation zone and surrounding area during the period of the wildfire. With Gravy Observations data, UFTI researchers were able to isolate the human mobility data and examine the movement of local residents before, during, and after the fire.

The Award is a part of FPF’s “Corporate Data Sharing for Research: Next Steps in a Changing Legal and Policy Landscape” project to accelerate the safe and responsible sharing of privacy-protected data between companies and academic researchers. This project is supported by the Alfred P. Sloan Foundation, a non-profit grantmaking institution whose mission is to enhance the welfare of all through the advancement of scientific knowledge.

FPF’s Award Ceremony will be held virtually on May 10, 2023, and is free for anyone interested in learning more about these winning programs and data sharing. Register for the event here to RSVP.

FPF at the 2023 IAPP Global Privacy Summit

Earlier this month, IAPP held its annual Global Privacy Summit (GPS) in Washington, DC. FPF played a major role in bringing together a team of seven renowned privacy experts on 11 panel discussions and varying peer-to-peer roundtables ranging from U.S. privacy law to AI tech and regulation to regional contractual frameworks for data transfers. FPF remained active through these expert discussions and engaged with FPF members at networking events and meetings, as well as at our expo booth during the three-day conference.

Most notably, our CEO Jules Polonetsky was the recipient of the 2023 IAPP Leadership Award, given to individuals who “demonstrate an ongoing commitment to furthering privacy policy, promoting recognition of privacy issues, and advancing the growth and visibility of the profession.” Jules has served as FPF’s CEO for the last 15 years.

“The Privacy Leadership Award is an incredible recognition, I am honored. I thank the team at IAPP for the award and my staff at FPF, who continue serving as global privacy leaders and publishing influential scholarship that is imperative to advancing privacy safeguards, protections, and policy.”

Jules Polonetsky, CEO, FPF

On the first day of the conference, FPF, in partnership with GW Law, hosted a reception featuring Chairperson Haksoo Ko of the Personal Information Protection Commission (PIPC) to welcome privacy professionals to Washington, D.C. In a packed room, Jules offered opening remarks and Chairperson Ko a keynote address to guests.

U.S. Privacy Law at a Crossroads: The Past, Present and Future

In an engaging conversation, FPF CEO Jules Polonetsky was joined alongside an expert panel of speakers, including Elliot Golding (Partner, McDermott Will & Emery), Alastair Mactaggart (Board Member, California Privacy Protection Agency; Board Chair, Founder, Californians for Consumer Privacy), and Lydia de la Torre (Board Member, California Privacy Protection Agency; Partner, Golden Data Law). GPS attendees heard the panel discuss relevant issues such as U.S. employment laws and data, state legislation from California and Utah (notably Utah’s social media bill), children’s privacy, and more.

“We need to get legislation done in the responsible ways that California did; otherwise we lean towards a poorer direction”

Jules Polonetsky, CEO, FPF

What Are the Long-term Implications of the Trans-Atlantic Data Privacy Framework

Former FPF Senior Counsel Sebastião Barros Vale discussed the long-term implications of the Trans-Atlantic Data Privacy Framework (TADPF) alongside experts Paul Breitbarth (Senior Fellow, Maastricht University Faculty of Law; Data Protection Lead, Catawiki), Caitlin Fennessy (Vice President & Chief Knowledge Officer, IAPP), and Alexander Joel (Tech, Law & Security Program, American University Washington College of Law). In this discussion, they touched on how the TADPF is an important chapter in the ongoing story of trans-Atlantic data flows, why privacy professionals should seek to enhance mutual understanding among governments, companies, and the public to help lay the groundwork for potential solutions, and more. View the presentation.

Great Expectations: Will the EU’s Data Strategy Laws Change the Digital World?

This panel moderated by FPF VP for Global Privacy Dr. Gabriela Zanfir-Fortuna, discussed the state of play in Brussels with regard to the EU’s new generation of data laws such as the DMA, DSA, DGA, Data Act, and the AI Act. She was joined by renowned global experts Brando Benifei (Member of the European Parliament, co-Rapporteur of the AI Act), Irene Roche Laguna (Deputy Head of Unit, Digital Services, European Commission), and Wojciech Wiewiórowski (European Data Protection Supervisor). 

Attendees learned how the GDPR interacts with the EU’s new generation of data laws and how these data laws coming from Brussels may impact jurisdictions around the world.

“Law is as good as its enforcement is”

Dr. Gabriela Zanfir-Fortuna, VP for Global Privacy, FPF

Oh, the Places We Might Go: U.S. Privacy Law and Regulation

In this standing-room-only, Dr. Seuss-themed panel, FPF Senior Counsel Tatiana Rice discussed the Washington, D.C. data privacy and security landscape as it relates to significant movement in privacy in 2022 and assessing developments from the FTC, Congress, the White House, the Supreme Court, and more. Tatiana was joined by D.C. privacy experts Brandon Pugh (Director and Senior Fellow, R Street Institute, Cyber and Emerging Threats Team), Divya Sridhar, Ph.D., (Director of Privacy Initiatives, BBB National Programs), and Cobun Zweifel-Keegan (Managing Director, D.C., IAPP). 

The panel explored data minimization, a principle likely to appear in state and federal law and regulations, as well as federal agency action and enforcement trends. Notably, speakers discussed protecting vulnerable populations, specifically kids and teens, as attendees heard discussion surrounding age-appropriate design codes. View the presentation here.

The Tip of the AI Iceberg: Views on Bias, Digital Discrimination & Data Rights

On day three, attendees joined an early-morning panel with FPF Senior Policy Counsel Bertram Lee as he discussed views on bias, digital discrimination, and data rights with moderator Anupam Chander (Scott K. Ginsburg Professor of Law and Technology, Georgetown Law), Yvette Badu-Nimako (Interim Executive Director, VP, Policy, National Urban League, Washington Bureau), Travis Hall (Acting Deputy Associate Administrator, National Telecommunications and Information Administration), and Ben Winters (Senior Counsel, Electronic Privacy Information Center (EPIC)). 

Attendees heard Bertram and the expert panel explore AI systems’ risks to privacy, biases and discriminatory outcomes of algorithms, and responsible AI systems, bringing a local D.C. angle to the conversation by discussing how District housing authorities and law enforcement utilize AI systems in their work that is inherently biased and harmful to underserved areas of the city.

“I believe that AI will change the world for the better, but that doesn’t mean that it shouldn’t be accountable to the many communities, and particularly underserved communities, that are impacting their lives. It’s important for us to think about that in the privacy community – how do we mitigate those harms? How do we design responsibly to offset those harms?”

Bertram Lee, Senior Policy Counsel, FPF

Preparing for the Next Generation of AI Tech and Regulation as Privacy Pros

In FPF Senior Policy Counsel Bertram Lee’s second panel of the day, he was joined by Nia Castelly (Co-Founder, Legal Lead, Google), Che Chang (Deputy General Counsel, OpenAI), and Filippo Raso (Senior Associate, Hogan Lovells). In another standing-room-only session, Bertram and the panelists discussed the latest on AI research and development, recent developments on AI commercialization, AI regulatory policy developments, and implementing AI governance.

“AI regulation is not going anywhere. It’s only here to stay”

Bertram Lee, Senior Policy Counsel, FPF

Not-so-standard Contractual Clauses: Comparing Global Data Transfer Tools

An engaging discussion moderated by FPF Senior Counsel for Global Privacy Lee Matheson on trans-border data flows took place on day three of the conference. Lee was joined by Mariano Peruzzotti (Partner, Ojam Bullrich Flanzbaum), Isabelle Vereecken (Head of Secretariat, European Data Protection Board), and Yeong Zee Kin (Deputy Commissioner, Personal Data Protection Commission of Singapore). This global panel covered three different model regional contractual frameworks for data transfers, the Ibero-American model clauses, Association of Southeast Asian Nations (ASEAN) MCCs and other SEA national rules, and the EU’s SCCs. 

When asked by an attendee about “the best scenario for what can be achieved in a dialogue between the EU and other regions,” the panelists offered differing perspectives. There may never be “one set of clauses to rule them all” because of cultural and legal differences, but the dialogue reveals that, at least in some ways, data protection principles related to transfers are moving towards convergence. There can be valid discussions about interoperability for different regional sets without having to agree on one set that will apply everywhere. View a recording of the session here.

A Conversation with the U.S. Ambassador for Cyberspace and Digital Policy

To close off this exciting conference, FPF CEO Jules Polonetsky sat down with Ambassador Nathaniel Fick, U.S. Ambassador for Cyberspace and Digital Policy, in a conversation highlighting several topics, including U.S. digital policy priorities globally, AI systems’ risks to privacy, biases and discriminatory outcomes of algorithms, responsible AI systems, and more.

“Data protection is increasingly becoming the law of everything.”

Jules Polonetsky, CEO, FPF

We hope you enjoyed this year’s IAPP Global Privacy Summit as much as we did! If you missed us at our booth, visit FPF.org for all our reports, publications, and infographics. Follow us on Twitter, LinkedIn, and subscribe to our newsletter for the latest.

Tenn. Makes Nine? ‘Tennessee Information Protection Act’ Set to Become Newest Comprehensive State Privacy Law

On Friday April 21, Nashville lawmakers approved the Tennessee Information Protection Act (TIPA) following unanimous votes. Tennessee now joins Iowa, Indiana, and Montana as the four states in 2023 that have advanced baseline privacy legislation governing the collection, use, and transfer of consumer data.

TIPA is closely modeled on the Virginia Consumer Data Protection Act (VCDPA) that was enacted in March 2021 and went into effect on January 1 of this year. The frameworks share key definitions, business obligations, and core consumer rights. For example, TIPA and the VCDPA both require companies to obtain consent for the processing of sensitive personal data and allow consumers to opt out of data sales, targeted advertising, and significant profiling decisions.

Nevertheless, the Tennessee proposal contains several unique deviations that will make it an overall less protective privacy regime than Virginia’s landmark law. Below, we highlight the key ways that TIPA differs from the VCDPA.

• Unique coverage thresholds: TIPA will likely apply to a narrower range of businesses than the VCDPA by covering companies that make $25 million in annual revenue and that process that data of 175,000 or more state residents.
• Broad carve-outs for pseudonymous data: Unlike the VCDPA, TIPA’s carveout for pseudonymized information extends to the consumer right to opt-out of data sales, targeted advertising, and significant profiling decisions. Depending on how the definition of “pseudonymous data” is interpreted and enforced, this approach could significantly narrow the impact of consumers’ opt-out rights.
• Insurance industry exemption: TIPA establishes a blanket, entity-level carveout for licensed insurance companies.
• Longer right to cure: Tennessee and Virginia both require the Attorney General to give a business an ‘opportunity to cure’ any alleged violation of the Act. However, Tennessee provides a 60-day cure period, rather than 30 days.
• NIST ‘Safe Harbor’ Defense: TIPA establishes a first-of-its-kind affirmative defense against enforcement for businesses that “reasonably conform[]” to the NIST Privacy Framework or “other documented policies, standards, and procedures designed to safeguard consumer privacy.” Given that the NIST Framework is intended to provide a flexible way for organizations to identify and manage risks within diverse environments, it is unclear what ‘reasonable conformity’ to the framework would entail or how invoking this affirmative defense would work in litigation.

Not every distinction in the Tennessee proposal is weaker than the VCDPA. For instance, while Tennessee and Virginia both allow the Attorney General to recover $7,500 in civil penalties for each violation of the law, in Tennessee a court may award treble damages for willful or knowing violations. Should TIPA be enacted, it will take effect on July 1, 2025.

The ‘Montana Consumer Data Privacy Act’ Reminds us that Privacy is Bipartisan

On Friday, April 21st, the Montana State Legislature approved the ‘Montana Consumer Data Privacy Act’ (MCDPA) to be sent to the Governor’s desk. If enacted by Governor Gianforte, Montana would join the 6 states that have adopted comprehensive privacy frameworks. Notably, at almost every stage of the legislative process, the MCDPA received unanimous bipartisan support and strengthening amendments.

The MCDPA includes what would be the strongest baseline consumer privacy rights and protections of any Republican-led U.S. state, comparable in substance and scope to leading privacy frameworks in Connecticut and Colorado. Furthermore, the MCDPA is unlikely to require significant modifications to the compliance programs of organizations that are already subject to either of these existing state laws.

Significant privacy-protective elements of the MCDPA include:

• Wide Applicability: In recognition of Montana’s status as only the 43rd most populous state, the MCDPA would apply to businesses that handle the personal information of 50,000 or more residents (rather than the typical 100,000 threshold).
• Broad definition of data “sales”: If enacted, Montana will be the first Republican-led state to define the sale of personal information as encompassing transfers for both monetary and “other valuable consideration.” The other states with laws adopting this definition are California, Colorado, and Connecticut.
• Potent Opt-Out Rights: Consumers’ right to opt out of targeted advertising, data sales, and significant profiling decisions will extend to pseudonymous data, would be able to be exercised through authorized agents, and could not be ignored by businesses, even if the request is unable to be authenticated.
• Opt-Out Preference Signals: If enacted, Montana will join California, Colorado, and Connecticut in allowing individuals to exercise certain rights by default, through the use of technological mechanisms such as browser-level signals.
• Right to Cure Sunsets: The MCDPA would offer organizations an opportunity to cure prior to the Attorney General taking enforcement action; however, this provision would expire two years after taking effect.

So far in 2023 three states, including Montana, have passed privacy legislation through their legislative branch, and one state, Iowa, has seen privacy legislation signed into law. If enacted, the MCDPA will take effect on October 1, 2024.

Tanzania’s Personal Information Protection Act: Overview, Key Takeaways, and Context

On November 27 2022, the President of Tanzania signed the Personal Information Protection Act, 2022 (PIPA) after it garnered unanimous Parliamentary support following its September 2022 introduction during the 8th Parliamentary sitting. The Act’s passage makes the United Republic of Tanzania (henceforth referred to as “Tanzania”) the 35th country in Africa to enact a standalone data protection law and effectively extends data protection safeguards to more than 63 million people. The law is in Swahili.

Prior to the passage of PIPA, Tanzania made several unsuccessful attempts to pass a data protection law. The 2003 National ICT Policy called for policy changes to facilitate enactment of a specific and effective legislative instrument on privacy after the initial recognition of a right to privacy as part of the 1984 Constitution’s Bill of Rights, which followed failed attempts to include the right in previous iterations of the constitution. Data protection reforms for a comprehensive data protection law began in 2013 in connection with the African Union’s Harmonization of ICT Policies in Sub-Saharan Africa (HIPSSA) project. Tanzania received financial and technical support from the International Telecommunication Union (ITU) and the European Commission to develop its first comprehensive data protection law, which was ultimately unsuccessful. The second attempt at a draft of a comprehensive data protection bill began in August 2022 when a draft was released for public consultation; this bill ultimately became PIPA.

The commencement date of PIPA will be determined by the Minister of Communications through a gazette notice (Section 1). The stated objectives of PIPA are laid out in Section 4 and include:

• Controlling collection and processing of personal data;
• Ensuring the collection and processing of personal data is guided by the principles laid down in the law;
• Protecting the privacy of individuals; and
• Establishing legal and institutional mechanisms for protecting personal information.

Overview of Key Features: From Recognizing Broad Categories of Sensitive Data, to Specifically Allowing Monetization of Personal Data

PIPA establishes a data protection framework for Tanzania that provides obligations related to processing of personal data. Specifically, it defines the forms of personal data covered under the law, covered actors and extent of application of the law, registration requirements of controllers and processors, and obligations of controllers and processors towards data subjects. The structure and provisions of PIPA coincide with laws in other parts of the world, however, there are unique provisions under PIPA that differentiate Tanzania from other countries.

For example, the law contains broad provisions on categories of sensitive personal data and imposes a mandatory requirement on all controllers and processors to appoint a data protection officer. Further, the law establishes unique situations where it is not applicable, including, among others, situations where processing is carried out for the purpose of identifying and preventing tax evasion, investigating embezzlement of public funds, or performing due diligence prior to appointment in a public service position. 

Interestingly, the law has an obligation for controllers to collect personal data directly from data subjects with priority. Only where this is not possible can they collect personal data from third parties, under specific conditions which are akin to “lawful grounds for processing”.

With regards to using a data subject’s personal data for commercial advertising, the law specifically allows the monetization of personal data by permitting a data subject to enter into a contract with the data controller, on the basis of which the controller may process the data subject’s personal data for financial gain. 

Another unique feature of the law relates to how data subjects exercise their rights. The law mediates the relationship between a data subject and a controller in certain cases. For example, a request by a data subject to have a controller or processor to modify, block, delete, or destroy incorrect personal data relating to them must be first made to the Personal Information Protection Commission (the data protection authority established by the law) for onward transmission to the controller or processor. 

The structure of the Commission to be created also carries unique features, especially the creation of a board to oversee the conduct of the Commission. With regards to cross border data transfers, the Commission and the Minister of Communications maintain wide discretion on whether a transfer can be made, even upon fulfilling the conditions stipulated in the law.

Territorial Application, Covered Actors, and Data: Introducing a Limited Extraterritorial Scope and “Data Collectors”

Territorial Scope

Per express language in Section 2, PIPA shall apply to mainland Tanzania, as well as in Zanzibar. In Zanzibar, the law shall only apply to Union matters. The First Schedule of the Constitution of Tanzania enumerates the “union matters” that includes the Constitution of Tanzania and the government of the United Republic. Laws passed by the Union Parliament can only apply to Zanzibar where there is an express provision declaring so, or the law relates to Union affairs and is in compliance with the provisions of the Union Constitution. 

This specification is necessary due to the fact that Tanzania was formed from the 1964 merger of two formerly sovereign states: Republic of Tanganyika and People’s Republic of Zanzibar. The 1964 union did not throw out Zanzibar’s sovereignty, and, as such, the unified state maintains two governments. Zanzibar retains its own constitution and governs itself with regard to non-Union matters while the Union government based in Dodoma (the united republic’s capital) maintains power over the entire territory with regards to Union matters. Zanzibar’s House of Representatives has legislative powers limited to non-Union matters as stipulated in the 1984 Constitution.

PIPA applies extraterritorially, but in a more limited way than other data protection laws like the EU’s General Data Protection Regulation (GDPR) or Indonesia’s Personal Data Protection Act. According to the law, Section 4 of PIPA shall apply to processing of personal information carried out by a controller residing in Tanzania or in a place where the laws of Tanzania are applied in accordance with international laws, as well as to any processing of personal information carried out by a controller or processor residing outside the United Republic if the processing has taken place in the country and not for the purpose of transferring personal information to another country (Section 22(b) and (c)). The condition that the processing takes place in the country to trigger the extraterritoriality of the law limits its reach. However, by specifying that extraterritoriality does not apply when personal data is transferred outside of the country to be processed there, the law solves a common conundrum appearing with other data protection laws between extraterritorial effect and the rules governing international data transfers.

Like many other African personal data protection laws, PIPA exempts processing of personal data for household purposes (Section 58(2)(a)). Other exemptions under Section 58 include where processing is:

• Carried out in accordance with other laws; 
• Pursuant to a court order and in furtherance of national security or public security; and 
• Carried out for the purpose of preventing crime, identifying and preventing tax evasion, investigating embezzlement of public funds, or performing due diligence prior to appointment in a public service position.

The Minister of Communications is empowered to expand the list of exempt circumstances and the means of implementing such exemptions are provided in Section 58(3). However, these exemptions do not preclude a data collector (defined below) from complying with the principles relating to collection and processing of personal information or the security safeguards requirement of the law (Section 58(1)).

Covered Actors

Opting to use the term “data collectors”¹ to refer to data controllers, PIPA applies to data controllers, processors, and recipients, which may be individuals, private entities, or public entities that process personal data.

The Act defines a controller as a person, individual institution, or public institution that alone or together with other institutions determines the purposes and methods of personal information processing; and where the purposes and methods of processing are specified in the law, the controller is a person, entity, or public institution appointed in accordance with the law and will include its representative.

A processor is defined as a person, individual entity, or public entity that processes personal information for and on behalf of the controller and under the instructions of the controller, except for persons who under the direct authority of the controller are permitted to process personal information, including their representatives. A recipient is defined as a person, entity, public institution, or any other person who receives personal information from the controller.

Covered Data: Broad definition of “sensitive data”

PIPA covers personal data that is defined as information about an identifiable person that is maintained in any form, including (Section 3):

• Race, color, ethnicity, religion, age, and marital status of an individual;
• Education, medical history, criminal data, and employment information;
• Any identification number or any other mark that identifies an individual;
• Address, fingerprints, and blood group of an individual;
• Name of individual that appears in the personal information of another person related to them or where such disclosure will reveal the personal data of the data subject; and
• Personal data that is sent to a data controller by a person where it is clear that such data is personal or confidential and responses to the information may reveal the content of the previous information and the view or opinion of any other person about the data subject.

PIPA further lists the following as “sensitive personal data”:

• Genetic data, defined as personal data resulting from genetic analysis; 
• Children’s data (child has the same meaning assigned to it as under the law concerning children in Tanzania, which defines a “child” as a person below the age of 18);
• Criminal records;
• Financial transactions; and
• Biometric information.

Beyond the categories listed above, PIPA creates a broad definition of categories of sensitive personal data. According to Section 3 of the law, personal data becomes sensitive if, or when, processed it reveals the race, ethnicity, political ideologies, religious or philosophical beliefs, trade union associations, gender, health data, or sexual relationships of a data subject. Sensitive personal data also includes “any personal information that, according to the laws of Tanzania, is considered to have a significant impact on the rights and interests of a data subject.” “Significant impact” is not defined in the law but could potentially be clarified at a later time through the Minister’s power to create regulations (Section 64(1)).

The Act imposes restrictions on the processing of these forms of sensitive personal data. PIPA prohibits processing sensitive personal data without the written consent of the data subject (Section 30(1)). A data subject may withdraw consent at any time, without reason and at no cost (Section 30(2)). Additionally, the Minister has regulatory discretion to designate circumstances where the prohibition on processing sensitive personal data may not be lifted even with a data subject’s written consent (Section 30(3)). Section 30(5) also gives circumstances where a data controller or processor does not need a data subject’s written consent to process sensitive personal data, including when the:

• Processing is necessary to comply with other laws;
• Processing is necessary to protect the important interests of the data subject or of another person, if the data subject cannot give their consent or is not represented by a legal representative;
• Processing is necessary for the filing, operation, or defense of legal claims;
• Processed personal information has been disclosed to the public by the data subject;
• Processing is necessary for the purposes of scientific research and the Commission has provided specific guidelines defining the circumstances where such processing can take place; and
• Processing is necessary for medical purposes in the interest of the data subject, and the sensitive personal information involved is processed under the supervision of a health professional in accordance with the law governing such services.

Obligations of Controllers and Processors: From Old School Registration Obligations, to Compulsory Appointment of DPOs

Registration as Data Controllers and Processors

PIPA, like many other African data protection laws, requires data controllers and processors to register with the data protection authority before collecting and processing personal data (Section 14). The Communications Minister recently released draft regulations on the registration of data controllers and processors that provide the conditions for registration. These requirements have similarities to those in other African jurisdictions, such as Kenya. Upon fulfilling the conditions for registration a controller or processor receives a certificate of registration (Section 14(3)), which is valid for 5 years after it is issued (Section 15(2)). 

Unlike Kenya’s Data Protection Act, 2019, PIPA does not provide a threshold for registration as a data controller or processor. This lack of a threshold implies that all individuals and private entities acting as controllers or processors are required to register with the authority, regardless of their size. Furthermore, PIPA’s certificates of registration are good for 5 years, in contrast to Kenya’s which are valid for 2 years. Interestingly, PIPA assumes that upon commencement of the law, public bodies shall be automatically registered as controllers and processors, and no action is required from them (Section 21).

Compliance with the Principles of Data Processing: From purpose limitation to security safeguards

Section 5 of PIPA requires controllers and processors to process personal data in accordance with the principles set forth under the law, including:

• Lawfulness, fairness, and transparency;
• Specified, legitimate purpose and purpose limitation;
• Adequate and relevant for the purpose of the intended processing;
• Correctness; 
• Retention in a manner that allows for identification for a period not exceeding the purpose of processing;
• Processing with regards to the rights of data subjects;
• Maintaining security safeguards during processing, including protection against unauthorized processing, loss, damage, or other harm using appropriate technical and administrative measures; and
• Transferring personal data out of the country in compliance with the law.

All Data Controllers and Processors Must Appoint Data Protection Officers

Section 27(3) of PIPA requires controllers and processors to appoint a Data Protection Officer (DPO). There are no thresholds or criteria that trigger appointment of a DPO, which means that all data controllers and processors must have a DPO. 

Collection of Personal Data: An Obligation to Prioritize Collection Directly from the Data Subjects

According to Section 23(1) of PIPA, data controllers are generally required to collect personal data directly from the data subject. Prior to such direct collection of personal data, a controller shall ensure that a data subject (Section 23(2)):

• Recognizes the purpose for which the personal data is collected;
• Understands that collection of personal data is for an authorized purpose; and
• Knows the recipients of the personal data.

This obligation to collect personal data directly from a data subject is not commonly found in other regional or global frameworks, but a similar provision can be found in Kenya’s Data Protection Act, 2019.

However, a data controller is not obliged to directly collect personal data under certain circumstances (Section 23(3)), including if:

• Personal data is publicly available;
• The data subject has consented to collection of personal data from another source or person;
• It is impossible to directly collect personal data from a data subject;
• The law allows for collection of personal data indirectly; or
• Direct collection may affect the purpose of collecting personal data.

Notably, the law does not define what “publicly available” means in the context of personal data collection. However, it is possible that this definition will be provided at a later time through the Minister’s power to create regulations (Section 64(1)).

Duty to Ensure Accuracy of Data

PIPA requires a data controller to take steps that ensure that the information is complete, correct and consistent with the intended purpose of processing, and is not misleading before any processing occurs (Section 24).

Further Processing of Personal Data Beyond the Initial Purpose

Section 25(2) of PIPA sets the conditions for when further processing of personal data is permitted, including when:

• The data subject has consented to the new purpose;
• Use of personal information for the new purpose is authorized or required by law;
• The purpose for which personal information has been used is directly related to the purpose of collecting that information;
• The personal data is used in a manner that does not disclose the identity of the data subject;
• The personal data is used for statistical or research purposes in a manner that will not identify the data subject; or
• The controller believes for reasonable reasons that the use of personal information for that other purpose is necessary to prevent or reduce harm to the life or health of the person concerned or another person, or to the health or safety of society.

Establishing a Data Processing Agreement

PIPA requires that the relationship between a controller and processor be mediated by a data processing agreement (Section 27(4)). Activities of the processor must be governed by a contract that specifies the relationship between the processor and the controller and includes the controller’s instructions to the processor. 

Data Retention

A controller is required to consider the existing laws that stipulate data retention periods for various data processing activities or develop a retention policy consistent with forthcoming regulations (Section 28(1)).

Security and Data Breach Processes

PIPA obligates controllers to take necessary steps to safeguard personal data (Section 27(1)). A processor has a duty to adhere to the levels of security stipulated under the Act (Section 27(4)). In the event of a security breach relating to data processed on behalf of the controller by a data processor, the data controller is obliged to inform the data protection authority (Section 27(5)). This implies that a processor is obligated to inform the controller in the event of a security breach. However, there is no obligation for controllers under the law to notify data subjects in the event of a data breach.

Creation of Codes of Ethics

Controllers are required to develop codes of ethics for processing personal data in compliance with the provisions of the law and submit to the Commission for review and approval. Where the Commission deems fit, it may seek the input of data subjects or their representatives before approval (Section 65). The Act does not specifically mention that each controller must develop their own code of ethics; the broad provision gives leeway for controllers to either do so independently or as a group.

Data Subject Rights: From Absolute Opt-Out of Commercial Advertising, to The Right not to be Subject to Solely Automated Decision-Making

Part 6 of PIPA enumerates the rights of data subjects that controllers must adhere to – the right to access personal data, the right to restriction of processing, an absolute opt-out from commercial advertising – which might have important consequences for online advertising in the country, a right not to be subject to solely automated decision-making, and a right to have personal data modified, blocked, deleted, or destroyed. Protection of rights of data subjects is one of the principles of data protection under PIPA, which may support interpretation of the legal provision towards enhancing protections for individuals exercising their rights.

Under Section 33, data subjects are entitled to know that their personal data is being processed and the details of the processing, including:

• What personal data that is being processed;
• The purpose of processing;
• Any recipients of the data; and
• Where a decision with significant impact on the data subject has been made solely on the basis of an evaluation derived from the automatic processing of their personal data, as well as the rationale behind the decision.

However, a data controller is not obliged to provide the above information to a data subject if the information is incorrect, if it is being used in an investigation in accordance with the law, or if it is withheld by court order. Notably, data subjects must convince the Commission that data held by a controller is incorrect in order to exercise their right to deletion or modification of that data under Section 38. 

As for the right to restriction of processing, where a processing activity “may cause serious harm” to the data subject or any other person, the data subject has the right to ask the data controller to not initiate the processing or to stop the processing. The methodology to restrict processing shall be stipulated in regulations to be issued by the Minister of Communications. 

Under Section 35(1), a data subject, through procedures that shall be specified in future regulations, has the right to ask the data controller to stop processing their personal data for the purpose of commercial advertisements (i.e., presentation, in any form, of a commercial advertisement addressed to a particular person). This provision seemingly equates to an absolute opt-out of any processing of personal data for “commercial advertising”, which could potentially be interpreted much broader than the GDPR’s “direct marketing”. 

As per Section 35(2), a data subject may, with regards to commercial advertising, execute a contract with the data controller, on the basis of which the controller may process the data subject’s personal data for financial gain.

According to Section 36(1), data subjects have the right to ask the controller, through procedures that will be stipulated by regulations, to ensure that no decision based solely on automated means is made, where that decision has a significant impact on the data subject. The way the right is drafted indicates a departure from the GDPR’s approach to consider it a prohibition with exceptions rather than a right that must be actively exercised by data subjects. Where the data controller proceeds to make a decision solely on the basis of automated means, the controller must, as soon as possible, inform the data subject that a decision was made based on automated processing and have the right to request that the automated decision be reconsidered (Section 36(2)). However, these rights shall not apply if a decision based on automated processing is necessary to enter into or enforce a contract between the data controller and the data subject, if it is permitted by any law, or if the data subject has given their consent (Section 36(3)).

Lastly, Section 38 provides that the data subject may ask the Commission to make an order to a controller or processor to modify, block, delete, or destroy personal data relating to them if the personal data is incorrect, even if the controller or processor received this data as part of an accurate record given to them by the data subject or another person. 

Cross Border Data Transfers and Data Localization: A Three-Tiered Approach to Data Transfers

Part 5 begins by providing that, in consideration with the provisions of PIPA, the Commission may prevent the export of personal data out of Tanzania (Section 31(1)). Such a restriction notwithstanding, personal data may be transferred out of Tanzania to other countries considered to have an adequate level of protection under certain circumstances, including (Section 31(2)) when the recipient determines:

• The personal data is necessary for the performance of a duty in the public interest;
• Such a transfer is in accordance with the legitimate interests of the data controller; or
• The necessity of transferring the personal data and there is no reason to believe that the legitimate interests of the data subject may be affected by the transfer or processing in the receiving country.

In transferring the personal data to an adequate country, the controller is required to conduct an initial assessment of the importance of transferring the personal data and the recipient is required to ensure that the necessity of such a transfer is ascertainable at a future date (Section 31(3) &(4)). The controller is required to ensure that the recipient processes personal data only for the purpose for which the data was transferred (Section 31(5)).

Personal data may also be transferred to a country without an adequate level of protection if adequate protection is guaranteed and personal data is transferred for the purpose of processing that is allowed by the controller (Section 32(1)). Criteria for assessing whether adequate protection is offered by a country include (Section 32(2)):

• All the circumstances relating to the transfer of relevant personal data;
• Type of personal data;
• Purpose and duration of the proposed processing;
• The country of the recipient;
• Relevant laws applicable to the country; and
• Professional regulations in use and the security measures observed in the recipient’s country.

Despite the provisions on transferring personal data to countries without adequate protection and the conditions to be fulfilled in this respect, the Minister of Communications is required, after consulting with the Commission and through regulations, to specify the type of processing and the circumstances under which the export of personal information to countries without adequate protections will not be allowed (Section 32(3)). In other words, the Minister of Communications will have the discretion to ban transfers in certain situations and for certain purposes. 

Notwithstanding the provision under Section 32(3), personal data may be transferred to non-adequate jurisdictions when:

• The data subject has consented;
• The transfer is necessary for the performance of a contract or fulfillment of pre-contractual requirements between a data subject and a controller; or 
• The transfer is necessary for entering into or executing a contract entered into or to be entered into between the controller and another person in the interest of the data subject.

Finally, the Commission may affirmatively permit specific transfers of personal data to a country without adequate protection (even if the other adequacy criteria cannot be fulfilled) where the controller assures the Commission that there are adequate security safeguards in place, there is a guarantee of the rights and freedoms of the data subject in the domestic laws of the recipient’s country, there is an ability to enforce the rights of data subjects, and that the protection can be implemented through adequate legal, security, and regulatory measures.

Enforcement: New Data Protection Authority, Processes, and International Cooperation

Data Protection Authority

Section 6(1) of the Act establishes the Personal Information Protection Commission. The Commission shall be headed by a Director General who shall be appointed by the president (Section 11(1)) and will have the following duties:

• Monitoring the implementation of the Act;
• Registering controllers and processors;
• Receiving, investigating, and processing complaints;
• Investigating and taking action against a matter that the Commission deems to affect the protection of personal information and privacy of people;
• Raising awareness;
• Establishing a cooperation mechanism with the authorities of other countries;
• Advising the Government with regard to the implementation of this Act; and
• Performing other duties required for the effective implementation of the Act.

The management of the Commission shall be overseen by a seven-member Board (Section 8) with a Chairperson, vice chairperson, and five at-large members. The Chairperson and the vice-chairperson shall be appointed by the president of Tanzania; if the Chairperson is from Tanzania, the vice chairperson shall be appointed from Zanzibar, and vice versa. The Board shall, among other functions, oversee the activities and performance of the Commission (Section 9(2)(b)) and approve and oversee financial management procedures and service rules (Section (9)(g)). The board may form committees to conduct its functions (Section 10).

Financial Resources

Per Section 51, funding for the Commission includes an amount set by the Parliament, along with paid fines, donations, gifts or grants, loans, and any other income derived from the Commission’s activities. The Act also describes the internal mechanisms for management of the Commission’s financial resources, the role of the Board and the Director General, and the Commission’s accountability duties. Annual budgets must be approved by the Minister of Communications, who has the power to ask the Commission to adjust a proposed budget. Additionally, the Director General must submit an annual report to the Minister, who will in turn submit it to the Parliament (Section 57). The Act does provide for the Minister or the Parliament to otherwise intervene in the Commission’s activities.

Initiating a Complaint

Data subjects may issue complaints to the Commission on the basis of violation of the Act by a controller and/or a processor (Section 39(1)). Upon receipt of a complaint, the Commission shall notify the data controller or processor of the complaint and its intention to conduct investigations (Section 40). Investigations shall be conducted and completed within 90 days from when the complaint was submitted (Section 39(3)). The Commission may, depending on the circumstances of the investigation, extend an investigation up to a maximum of another 90 days (Section 39(4)). The investigation process shall be done confidentially and with all security requirements in place.

Commission’s Authority During Investigations

Section 42 enumerates the Commission’s investigatory powers, including to:

• Summon and require a person to appear before the Commission; 
• Receive evidence; 
• Enter buildings to ascertain that it meets the security requirements;
• Examine and obtain copies of records that it deems necessary and relevant from controllers’ and/or processors’ premises; and
• Interrogate people and collect evidence.

The Commission will also receive submissions from the complainants and the data controller or processor. The Commission may engage other individuals or authorities to assist in enforcement of the law (Section 44). The Commission may apply to the courts for preservation orders when personal data involved in an investigation is at the risk of loss or alteration (Section 59).

Section 43 of PIPA makes it an offense to obstruct the Commission during performance of its investigations. The offense of obstructing the Commission attracts a fine between 100,000 and 5,000,000 Tanzania Shillings (approximately between 42 and 2,130 US Dollars) or imprisonment for not more than two years, or both.

Outcome of Investigations

If the Commission concludes that there has been a violation of the Act, the Commission may issue an enforcement notice requiring the controller and/or processor to take appropriate measures to remedy the violation (Section 45). Where the controller or processor fails to comply with the enforcement notice issued by the Commission, the Commission may, based on certain factors, issue a penalty notice and require that the controller or processor pay an administrative fine (Section 46). The elements to be taken into account by the Commission when deciding whether to issue a penalty notice and the fine to be paid are enumerated under Section 46(2). Where the Commission decides to issue a penalty notice, the law sets the maximum fine to 100,000,000 Tanzania Shillings (approximately  42,600 US Dollars) (Section 47).

Once the Commission has made a decision, two actions may follow:

• It can, on its own discretion or on request by a party to the complaint, refer back to its decision where it can reverse, change, or suspend its decision or instructions (Section 48); or
• For a party that is dissatisfied with the administrative action of the Commission against it, they have a right to appeal to the High Court (Section 49).

The Commission may order a controller and/or processor to compensate a data subject for harm caused by violations of the Act’s provisions, in addition to other penalties and with regard to Section 37 on the right to compensation.

Offenses, Sanctions, and Compensation: From the Offense of Obstruction to Wide Penalty Bands for  Different Offenses

Civil and Criminal Liability

Beyond the offense of obstructing the Commission during investigations mentioned above, PIPA creates an offense for the disclosure of personal data for any reasons other than the intended purpose, and for selling personal data obtained contrary to the law (Section 60). Individuals may be punished by a fine between 100,000 and 10,000,000 Tanzania Shillings (approximately between 42 and 4,260 US Dollars), imprisonment for up to 10 years, or both. Companies or organizations may be fined between 100,000,000 and 5 billion Tanzania Shillings (approximately between 42,600 and 2,130,000 US Dollars) (Section 60(6)).

The law also prohibits the destruction, deletion, concealment, misrepresentation, or alteration of personal information in violation of the law (Section 61). These offenses attract a fine between 100,000 and 10,000,000 Tanzania Shillings (approximately between 42 and 4,260 US Dollars), imprisonment for up to 5 years, or both. Where an offense is committed by a company, the company and every officer of the company who knowingly and intentionally violates the law shall be held liable (Section 62). The law creates a “general punishment” for offenses not specifically stipulated that still amount to a violation under the Act (Section 63). The penalty for an offense not specified under the law is between 100,000 and 5,000,000 Tanzania shillings (approximately between 42 and 2,130 US Dollars), imprisonment for up to 5 years, or both.

Compensation Under PIPA

Section 37(1) provides that a data subject who suffers harm due to the violation of the Act’s provisions by a controller or processor is entitled to compensation. A data subject shall be entitled to compensation on condition that (Section 37(2)):

• The complainant or their representative (in the case of a child or person of unsound mind) is the affected data subject;
• Rights of the data subject have been violated due to a breach of the law; and
• The effects of the violation(s) are related to the processing of personal data contrary to the provisions of the Act.

Where the Commission is satisfied that a data subject has suffered harm under compensable circumstances and there is risk of further violations, it may order the data controller to modify, block, delete, or destroy personal data. Once the Commission has made an order, it may also make an order requiring the controller and processor to inform any third parties that had received the personal data of the order to correct, block, delete, or destroy that data (Section 37(4)). When making such an order, the Commission will consider the number of people to be notified (Section 37(5)).

Section 50 specifies the relative liability of the data controller and the data processor. The controller is conditionally responsible for the results of the processing. The processor is responsible in two cases: (1) if they have not complied with the duties specifically addressed to them under the Act or (2) if they have acted contrary to the controller’s instructions. The controller and/or the processor may only avoid liability if they can prove that they were not involved in any way in the event that caused harm.

Expected Regulations

Finally, Section 64 stipulates the various regulations required for the implementation of the Act, including but not limited to:

• Regulations on circumstances excluded from the scope of the law; 
• Regulations detailing duties of a data protection officer; and 
• Procedures for storing and disposing personal information.

As stated previously, the Minister has already released draft regulations that cover registration of data controllers, cross border data transfers, and the handling of complaints.

Conclusion

Tanzania’s adoption of this legislation is a significant development for data protection in the country. The Act reflects common provisions found in many other regional and global data protection frameworks, and also includes unique provisions, particularly related to the governance of the new data protection authority. Tanzania’s differing approach can also be seen in provisions dealing with cross border data transfers. As the country awaits the commencement of the Act and the publication of regulations, Tanzania remains a jurisdiction to watch for those interested in African data protection.

Editors: Lee Matheson and Isabella Perera

¹  The Act uses “data collector” throughout the Act. The definition of a “data collector” provided under the law is similar to that of a “data controller” in many other data protection laws. However, in laws like Uganda, a “data collector” is differentiated from a “data controller”. Thus since, the definition of “data collector” provided under PIPA is similar to that of a controller in many other laws, we use “data controller” throughout the blog.

Whither Indiana? Somewhere in the Middle for Consumer Privacy Protection 

On April 13, 2023, Indiana Senate Bill 5 unanimously cleared the state legislature. If enacted by Governor Holcomb, Indiana will become the seventh state to enact a baseline consumer privacy law.

To help stakeholders assess where Indiana fits into the expanding U.S. state privacy landscape, the Future of Privacy Forum has released a chart comparing SB 5 to the Connecticut Data Privacy Act (“CTDPA”), which currently stands as one of the most protective baseline state privacy laws, and the recently-enacted Iowa SF 262 (“IPA”), which stands as one of the narrowest. 

Indiana SB 5 adopts a similar framework for protecting consumer privacy as both the Iowa and Connecticut privacy laws. However, in the scope of its consumer rights, business obligations, and enforcement mechanisms, Indiana lies somewhere between these two existing regimes. In particular, our chart shows that: 

1. Indiana SB 5 applies to a roughly equivalent range of covered entities as both the CTDPA and IPA.
2. Indiana SB 5 covers much of the same data as the CTDPA and IPA, though aligning more closely with the IPA by: (a) not recognizing data that reveals mental or physical health “condition” absent a diagnosis as sensitive information; (2) defining “biometric data” with a broad exclusion for data generated from photographs, video, or audio; and (3) explicitly excluding aggregate data from its scope. 
3. Indiana SB 5 establishes similar consumer rights as the CTDPA, including the rights to access, correct, and delete personal data and to consent to the processing of sensitive personal information. However, SB 5 provides slightly narrower rights of both access and correction and does not provide heightened protections for adolescents’ data.
4. Indiana SB 5 creates opt-out rights for targeted advertising, profiling, and the sale of personal data, consistent with the CTDPA. However, like the IPA, “sale” is narrowly defined to only include exchanges for “monetary consideration.” 
5. Like most comprehensive U.S. state privacy laws, Indiana SB 5 would require businesses to limit the amount of personal data they collect, to disclose their data processing practices, and to conduct data protection impact assessments for certain processing activities. 
6. Indiana SB 5 would be exclusively enforced by the State Attorney General. Like the IPA, businesses would have a non-sunsetting right to “cure” any alleged violations of the Act, though SB 5’s timeframe to cure is much shorter than both the CTDPA and the IPA.

Indiana’s SB 5 has a substantial compliance on-ramp and will not take effect until January 1, 2026.

FPF CEO Jules Polonetsky Receives IAPP’s Prestigious Privacy Leadership Award

The Future of Privacy Forum (FPF) congratulates Jules Polonetsky on being named the recipient of the International Association of Privacy Professionals (IAPP) 2023 Privacy Leadership Award. Polonetsky received the award during the IAPP Global Privacy Summit 2023 in Washington, D.C.

The IAPP Leadership Award is given annually to individuals who “demonstrate an ongoing commitment to furthering privacy policy, promoting recognition of privacy issues, and advancing the growth and visibility of the profession.”

Previous recipients of the award include former US Deputy CTO Nicole Wong, European Data Protection Supervisor Giovanni Buttarelli, Professor Peter Swire of Georgia Tech’s Scheller College of Business, former FTC Commissioner Julie Brill, UK Information Commissioner Elizabeth Denham, Hogan Lovells’ (and FPF founder) Christopher Wolf and a host of others.

“The Privacy Leadership Award is an incredible recognition, I am honored,” said Jules, who has served as FPF’s CEO for the last 15 years. “I thank the team at IAPP for the award and my staff at FPF, who continue serving as global privacy leaders and publishing influential scholarship that is imperative to advancing privacy safeguards, protections, and policy.”

Considered one of the leading Internet and data privacy experts, Jules served on the founding board of the IAPP and was co-editor of the “Cambridge Handbook of Consumer Privacy”.

Jules was previously the CPO of AOL and of DoubleClick. At both companies, Jules worked with clients to ensure trust, build best practices in product development and implement privacy policies that complied with global data protection requirements. 

Building on his public service experience as a former state legislator, congressional staffer and Commissioner of the New York City Department of Consumer Affairs, Jules has testified in Congress, assisted with drafting data protection legislation, and presented expert testimony with global agencies and legislatures.

In addition to leading a global non-profit, he remains active in the larger privacy community by being a member of The George Washington University Law School Privacy and Security Advisory Council and serving on the Advisory Boards of Harvard University’s Privacy Tools Project, Open DP and the University of California Privacy Lab.

Congratulations as well to Stephen Reynolds, winner of the Diversity in Privacy Award, Peggy Eisenhauer, winner of the Global Vanguard Award – North America and Marcos Semola, winner of the Global Vanguard Award – Latin America.

FPF Files Comments to Inform New California Privacy Rulemaking Process

On Monday March 27, the Future of Privacy Forum (FPF) filed comments with the California Privacy Protection Agency to inform the Agency’s forthcoming rulemaking to implement the California Privacy Rights Act amendments to the California Consumer Privacy Act’s provisions on cybersecurity audits, risk assessments, and automated decisionmaking.

FPF’s comments are directed towards ensuring that individuals are able to effectively exercise new consumer rights under the CCPA while maximizing clarity for both individuals and businesses and promoting interoperability with emerging U.S. and global privacy frameworks.

Specifically, FPF recommended the Agency adopt regulations concerning automated decisionmaking and risk assessments that:

1. Govern automated decisionmaking systems that produce “legal or similarly significant effects”
2. Clarify how the California Consumer Privacy Act will apply to automated decisions and profiling subject to varying degrees of human oversight
3. Support meaningful access rights with respect to automated decisionmaking systems
4. Provide guidance that supports context-appropriate flexibility in developing and conducting data protection assessments
5. Are informed by existing best practices for data protection assessments