About us

Victory Attorneys & Consultants is a pre-eminent corporate and commercial law firm providing top-notch legal service across all sectors. The firm, amongst other things, specializes in data protection and privacy law through providing expert legal services.  We provide services centred on data protection and privacy compliance advisory, development of privacy policies for companies and organizations.

We boast a team of experts who conduct data protection and privacy compliance audits and draft Data Transfer and Third-Party Data Sharing Agreements for local and international corporations. The firm also represents individuals and corporations in privacy and personal data related disputes.

Data Protection & Privacy Law Expertise

Our notable experience on data protection and privacy-related matters includes.

• Drafted a Model Law on Data Protection and Privacy to cater for the United Republic of Tanzania;
• Trained stakeholders in ICT Law and Policy in Tanzania on engagement CIPESA;
• Facilitated trainings on the State of Internet Freedom in Tanzania on engagement by CIPESA & Jamii Forums;
• Facilitated Digital Trainings and Security Management Courses to over 200 members of THRDC;
• Researched on Digital Rights in Tanzania on engagement by the Centre for Strategic Litigation.
• Conducted a one-year study on Internet Freedom in Tanzania (2016-2018) on engagement by CIPESA.
• Provided opinions and commentaries on more than 40 Bills tabled in the Parliament of Tanzania; including provisions of Alternative Bills on digital rights.
• Provided thorough analyses and recommendations on the Media Services Act, 2016, Access to Information Act, 2016 and Regulations made thereunder on engagement by the Media Council of Tanzania (MCT).
• Prepared a comprehensive Compendium of Media-Related Governing Laws on engagement by the Media Council of Tanzania (MCT).
• Analyzed the Cybercrimes Act 2015, on challenging its Constitutionality on engagement by THRDC and Jamii Forums.
• Challenged the constitutionality of the Electronic and Postal Communications (Online Content) Regulations, 2018 before the High Court of Tanzania on engagement by a number of CSOs∙          

Having worked on several projects, cases, researches and trainings around the topic, we have been inspired to write, albeit brief, on data protection and privacy laws.

Why Data Protection and Privacy?

Every natural person is primarily a data subject, whereas every individual, entity or government institution is potentially a data collector, data processor or data controller.  This qualifies personal as one of the most powerful tools in the fourth industrial revolution.

In the Tanzanian context, there is limited comprehension and literature on the concepts surrounding data protection and privacy and the ideals of data protection and privacy legal and institutional framework. Consequently, the articles will be published with the paramount aim of raising awareness and understanding on data protection and privacy-related matters.

About the articles

The articles set forth an overview of legal and institutional frameworks on data protection and privacy, also addressing in detail the best practices of such frameworks on a global and regional scale. The articles further explore several key aspects of data protection principles, data subjects’ rights, data controllers’ obligations, cross-border data transfers and privacy-related matters. The articles also provide an in-depth understanding the lawful process of collecting, processing, and use of personal data.

It is our genuine hope that this series of articles, will be of great significance in highlighting the eminent need for effective data protection and privacy legal and institutional frameworks in Tanzania. Accordingly, we hope that this series will be instrumental in proving inspirational guidance for the development of a data protection and privacy bill and later law, amendment of existing laws. We also hope that the articles shall provide guidance to institutions and corporations in crafting their data protection and privacy policies or protocols.

We are cordially delighted to present our series of articles on data protection and privacy law consisting of twelve chapters. The series has been developed through thorough research and analyses on various data protection laws, regional frameworks, international principles and best practices on data protection and privacy.

Targeted audience

The articles are intended for data subjects; data collecting, processing and controlling individuals and entities including;

• Government Institutions;
• Policy Makers;
• Legal Practitioners;
• Banking and Financial Institutions;
• Health and Medical Institutions;
• Mobile Network Operators;
• Non-For-Profit Organizations;
• Fintech companies;
• Educational Institutions;
• Religious Institutions;
• The Judiciary;
• Business Entities;
• Academicians and Researchers;
• The General Public

Terminologies

This part provides definitions of Data protection-related terms and concepts as defined in different data protection Legislation or used in this series. 

Anonymization: means the process of modifying Personal Data by either removing identifiers or other peculiar features so that the Data Subject is no longer identifiable or linked to the Personal Data;

Big data analytics: is a set of computer-enabled analytics methods, processes and disciplines of extracting and transforming raw data into meaningful insight, new discovery and knowledge that helps make more effective decision making.  

Biometric data: means personal data resulting from specific technical processing based on physical, physiological or behavioral characterization including blood typing, fingerprinting, deoxyribonucleic acid analysis, earlobe geometry, retinal scanning and voice recognition;

Consent: means a free express manifestation of the Data Subject’s wishes which may either be by a statement or a clear affirmative action, signifying his consent to the collection, processing, retention or disclosure of his/her Personal Data;

Corporate binding rules: are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. It enables free movement of data within a corporate group Promotes best practice data protection processes and transparency.

Data cleaning: is the process of fixing or removing incorrect, corrupted, incorrectly formatted, duplicate, or incomplete data within a dataset to ensure that data is correct, consistent and usable. Generally, data cleaning is the process of removing inaccurate data from the dataset to ensure that the data is complete and accurate. 

Data controller: means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the processing of personal data. The word control entails two elements; physical control of the data and equipment used for the processing and the discretion as to how data is used, and the legal control of the nature of the processing.

Data localization: requires a data controller or processor to store, process and handle personal data within the country’s borders.  Some data protection Legislation normally require certain data to be stored on physical servers within a country’s physical border. This concept advocates for local data flow and conflicts with cloud adoption systems.

Data mining: is the process of analyzing a massive volume of data to discern trends, patterns or correlations for purposes of extracting valuable information. Data mining is mostly used to solve business problem or predict future outcomes of a certain phenomenon.

Data ownership: is the act of having legal rights and complete control over a single piece or set of data elements. Data ownership includes both the possession and responsibility for the information being held. The data owner has the ability to assign, share or surrender rights and liability of the data. 

Data portability: is the ability to move data from one data controller to another or to the subject matter through a different application, program, computing environment or cloud service. Data portability allows data subjects to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.

Data Processing: means any operation or sets of operations which is performed on Personal Data or on sets of Personal Data whether or not by automated means to include collection, recording, transmission, retrieving, organization, combination, structuring, storage, adaptation, erasure or destruction.

Data processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller. A data processor does so basing on instructions of the data controller and the obligation to ensure data processors abide by data-protection Legislation and principles is normally imposed on the data controller who has to enter into a written contract with the data processor.

Data residency: refers to the physical or geographical location of an organization’s data or information.

Data sovereignty: this is a concept in the data protection regime that requires personal data to be subject to the Legislation of the country in which it is physically stored.

Data Subject: means a natural person whose Personal Data has been either requested, collected, collated, processed, retained or stored.

Internet of Things: is the term used to describe the numerous objects and devices that are connected to the Internet and that send and receive data.

Personal data: means any information relating to an identified or identifiable natural person. Personal data is said to be a very crucial element of identity in information security; thus its usage has to be regarded with utmost care.

Sensitive Personal Data: means data revealing the natural person’s race, physical or mental health status, ethnic social origin, conscience, religious belief, philosophical belief, genetic data, biometric data, financial details, filiation, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the Data Subject.

Profiling: means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s race, sex, pregnancy, marital status, health status, ethnic social origin, colour, age, disability, religion, conscience, belief, culture, dress, language or birth; personal preferences, interests, behavior, location or movements

Privacy notes: a statement made to a data subject that describes how the organization collects, uses, retains and discloses personal information.

This article encompasses the first and second part of the data protection and privacy articles series. The next part which is titled the guiding principles on data protection and privacy will be released on 9^th May 2022.

PART 1: GENERAL BACKGROUND ON DATA PROTECTION

(By Edith Michael Mtweve)

The History of Data Protection

Data as a concept goes hand in hand with human development, throughout history man has been creating data from the considerately rudimentary information recording and preservation mean dating as early as 19,000 BC to the current contemporary data conception and storage means. The importance of preserving data throughout all eras of human development even before the evolution of writing has been prominent in an effort to keep track of important events and in passing down knowledge and experiences.^[1]

The concept of Data protection came about in the 1970s Europe as a solution to the rise in the use of computers, where at the time European countries had agreed that the then existent specific Legislation and the general privacy Legislation would not be able to cater to data protection, particularly data risks associated with automated data processing through computers.^[2]

As early as 1973 and 1974 the Council of Europe realizing this eminent data protection threat aided greatly in the development of data protection jurisprudence in Europe through some major resolutions which to date have laid the foundation to the modern-day data protection principles.

In 1981 the Council had invited European countries for signatures on the Convention for the Protection of Individuals with regard to Automated Processing of Personal Data “Convention 108”.^[3]

The invention of the internet in late 1990 saw mass developments like the launch of the Google search in 1997^[4] in the United States of America, this was said to be the point where data became in the hands of anyone with computer access. This pushed for Convention 108 to expand the scope of data protection to cover filing systems.^[5]

The European Data Protection Law is an influence on present global data protection legal and regulatory regimes aimed at controlling what computers could learn about their users, what they ought to forget about their users, the purposes for which they could learn and know their users, the decisions for which they could make for their users and how they could explain all these processes to their users on one hand. On the other hand, the law aimed at granting specific rights to data subjects that could be over and above the control of a data subject’s personal data by the data processors and controllers.^[6]

Generally, the European stance in devising a specific law on data protection had come up to protect individuals from data risks that could be associated with the use of a definite form of technology which was the use of computers. This was also coupled with the reason that the lawmakers then wanted to ensure that such information begotten from such computers could be used ethically and for the purpose of serving mankind for the better and not the other way round.^[7]

European Union’s Personal Data Protection and Privacy Framework

Data protection in the European Union draws its legitimacy primarily from the Charter of Fundamental Rights of the European Union^[8] which provides;

1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.”

The Charter has basically laid the foundation for the General Data Protection Regulation (GDPR). The GDPR is applicable at a European Union member state level for effective data protection through the enactment of specific data protection Legislation at the member state level. Further discussion of the GDPR shall be made under Part 5 of this series.

Another source of data protection law in the European Union comes from case Legislation. There is a plethora of relevant case Legislation at the level of the European Union through the European Court of Justice and at the level of individual member states.^[9]

Asia-Pacific’s Personal Data Protection and Privacy Framework

The Asia-Pacific Economic Cooperation (APEC) developed the APEC Privacy Framework, 2004 (as updated in 2015 pursuant to the in an effort to ensure the protection of privacy without affecting necessary information flow within the Asia-Pacific economies and with the Asia-Pacific states with their commercial partners.

The main mischief behind the development of the Framework is highlighted under Article 8 of the Framework’s Preamble^[10];

 “8. The Framework was developed and updated in recognition of the importance of:

• Implementing appropriate privacy protections for personal information, particularly from the harmful consequences of intrusions and the misuse of personal information;
• The free flow of information to trade, and to economic and social growth in both developed and developing market economies;
• Enabling global companies that collect, access, use or process data in APEC member economies to develop and implement uniform approaches within their organizations for global access to and use of personal information;
• Empowering Privacy Enforcement Authorities to fulfill their mandate to protect individual privacy;
• Advancing international and regional mechanisms, including the APEC Cross Border Privacy Rules (CBPR) system, to promote and enforce privacy and to maintain the continuity of information flows among APEC economies and with their trading partners;
• Encouraging organizations to be accountable for all personal information under their control; and
• Promoting interoperability between the Framework, and its implementing measures such as the CPEA and CBPR system, and privacy arrangements in other regions.”

Additionally, over the years AOEC had various developments in the data protection regulatory framework. These include amongst others the APEC Data Privacy Pathfinder of 2007 aimed at achieving a responsible flow of data within the APEC region through the APEC Cross-Border Privacy Rules (CBPR) system, of 2011. APEC has also devised the APEC Privacy Recognition for Processors System (PRP) of 2016 in supporting personal data processors to assist personal data controllers to comply with applicable privacy obligations.^[11]

Currently, 8 out of the 21 APEC member economies have allied their privacy Legislation pursuant to the APEC Privacy Framework. These economies include; Australia^[12], Canada, Japan, Republic of Korea, Mexico, Chinese Taipei, Singapore and the United States.^[13]

Further discussion of the APEC Privacy Framework shall be made under Part 5.

African Personal Data Protection and Privacy Framework

Just like the rest of the world, the development of information technology has necessitated data protection jurisprudence development consensus amongst African countries. Notwithstanding the ineficacy of most African Union member states’ policies, AU member states have shown progress in drafting data protection legislation at the member state level as part of continuous efforts in strengthening the regulation and governance of personal data in the Africa continent. In 2014 the AU member states made progress in devising the Malabo Convention on Cybersecurity and Personal Data Protection to cater to a regional framework on data protection.^[14]

The scope of data protection under the Convention is covered under Article 9 (1);

“1. The following actions shall be subject to this Convention:

1. Any collection, processing, transmission, storage or use of personal data by a natural person, the State, local communities, and public or private corporate bodies;
2. Any automated or non-automated processing of data contained in or meant to be part of a file, with the exception of the processing defined in Article 9.2 of this Convention;
3. Any processing of data undertaken in the territory of a State Party of the African Union;
4. Any processing of data relating to public security, defence, research, criminal prosecution or State security, subject to the exceptions defined by specific provisions of other extant Legislation.

Further discussion of the Malabo Convention on cybersecurity and personal data protection shall be made under Part 5.

With these developments several African states have made initiatives to enact data protection and privacy legislation, these include amongst others Mauritius, Togo, Nigeria, Equatorial Guinea, South Africa, Algeria, Kenya, Uganda, Egypt and Rwanda.^[15] Some African countries such as Ghana, Mali, and Morocco had already enacted data protection legislation prior to the enactment of the Malabo Convention and even prior to the coming into existence of the GDPR.^[16]

Southern African Development Community (SADC) Data Protection and Privacy Framework

SADC as a regional integration just as the rest of Africa has been part of the HIPSSA Project^[17] which has currently developed a SADC Model Law on Data Protection in 2013. The Model law has drawn inspiration from the GDPR and as such has addressed some major data protection and privacy issues.

Naturally, the applicability of the model law has been addressed under Article 2;

“2.(1) This model law is applicable to any processing of personal data performed wholly or partly by automated means, and to the processing of personal data otherwise than by automated means which forms part of a filing system or is intended to form part of a filing system.

(2) This model law is applicable:

(a) to the processing of personal data carried out in the context of the effective and actual activities of any controller permanently established on [given country] territory or in a place where [given country] law applies by virtue of international public law;

(b) to the processing of personal data by a controller who is not permanently established on [given country] territory, if the means used, which can be automatic or other means is located in [given country] territory, and is not the same as the means used for processing personal data only for the purposes of transit through [given country] territory.

(3) In the circumstances referred to in the previous paragraph (2) b, the controller shall designate a representative established in [given country] territory, without prejudice to legal proceedings that may be brought against the controller.

(4) This model law does not apply to the processing of personal data by a natural person in the course of purely personal or household activities.

(5) This model law cannot restrict:

(a) the ways of production of information which are available according to anational law or as permitted in the rules that govern legal proceedings;

(b) the power of the judiciary to constrain a witness to testify produce evidence.”

Further discussion on the model law shall be made under Part 5.

Personal Data Protection and Privacy in the United Republic of Tanzania

Currently, there has not been developed specific laws to govern and regulate data protection and privacy in Tanzania. Tanzania has also not ratified the Malabo Convection. Nevertheless, Personal data protection and privacy regime is in Tanzania is guaranteed under the Article 16 (1) of the Tanzanian Constitution^[18];

 “16.-(1) every person is entitled to respect and protection of his person, the privacy of his own person, his family and of his matrimonial life, and respect and protection of his residence and private communications.”

Data protection and privacy are further governed by specific legislation, amongst others they include;

• The Cyber Crimes Act, 2015;
• The Electronic Transactions Act, 2015;
• The Electronic and Postal Communications Act, 2010;
• The Electronic and Postal Communications (SIM Cards Registration) Regulations, 2020;
• The Electronic and Postal Communications (Licensing) Regulations, 2018;
• The Electronic and Postal Communications (Central Equipment Identification Register) Regulations, 2018;
• The Electronic and Postal Communications (Consumer Protection) Regulations, 2018;
• The Bank of Tanzania (Financial Consumer Protection) Regulations, 2019;
• The Bank of Tanzania (Credit Reference Bureau) Regulations, 2012; and
• The Electronic Communications (Investigation) Regulations, 2017.

Moreover, the ICT Policy^[19] on addressing the Legal and Regulatory Environment acknowledges that developments in ICT require a proactive legal framework to address data access, privacy protection, security and privacy of e-transactions amongst others.^[20] Further discussion on the Tanzanian framework is be made in Part 5 of these articles.

PART 2: MODERN SIGNIFICANCE DATA PROTECTION & PRIVACY

(By Fatma Haruna Songoro)

Introduction

There is a universal consensus that data protection and data privacy are critical and essential matters in this digital era. The terms data protection and data privacy are usually used synonymously as they are interrelated however the two are not the same.^[21] Data privacy defines who accesses the data while data protection actually provides tools and mechanisms to restrict access. Broadly defined, data privacy is a right of a person over their information and freedom from intrusion or interference of the information. While Data protection is commonly defined as the law designed to protect personal data.^[22]

Data protection is a legal mechanism that aims to minimize intrusion into one’s privacy caused by the collection, storage and dissemination of data. It has been suggested that the right to data protection is derived from the right to privacy.^[23] Nevertheless, data protection laws normally go a step further than what might be considered a privacy matter or issue. To put it is a simple language, data privacy deals with a person’s private life whereas data protection provides for the machinery and control of personal data.

Currently, violation of privacy and data breach cases have increased to alarming levels.^[24] More distressing is the fact that on several occasions the violation of data privacy or data breach goes undetectable or unnoticeable by the data subject. Further, emerging technologies and sophisticated cybercrimes pose a great threat to the digitization move. It is without a doubt that the enactment of legislation and policies on data protection and data privacy is necessary now more than ever in order to prevent crimes, safeguard individuals’ privacy and promote social justice. 

Why Data Protection laws?

As stated above, the globe is fast moving into a digital era whereby government activities, commerce, social engagement and political activities are being done through online platforms. This means an enormous amount of data is being generated through e-government systems (such as e-passport, e-permit or e-health), e-commerce and social media engagement. The growth and use of these online platforms have made data a big asset with high value in the digital economy. This raises deep concerns about how data is being handled from when it is collected, stored, processed, transferred, managed and disposed of. The above concerns are what necessitate the need to have data protection mechanisms and legislation in place.

Additionally, there is normally a power imbalance and knowledge gap between the users or consumers and the data processors or data controllers whereas the latter possess technical information and skills that can easily be used to gain an unfair advantage over the former. This is another factor that has necessitated the need to hold data collectors, data processors and data controllers accountable and demand transparency from their end through data protection laws and principles.

The enactment of legislation on data protection will create a favorable environment for the growth of the digital economy and investment in the country. Generally, data protection mechanisms ensure that data collection, processing and management are done in accordance with the principles laid down by law.  The enactment of data protection law is essential for the following reasons;

1. Safeguards an individual’s right to privacy: The right to privacy is a fundamental human right. This right guarantees that a person’s private affairs are not arbitrarily interfered with, unjustified disclosed or unwarranted publicized. Data protection helps safeguard the right to privacy by regulating data processing and ensuring that only necessary personal data is collected for a lawful purpose in a fair and transparent manner.^[25] This ensures that the right to privacy is not violated through acts like sharing data with third parties, data surveillance, data monitoring, data exploitation or spying. Furthermore, data protection legislation protects the individual rights of persons by holding data controllers or processors accountable and afford the data subjects their rights such as the right to access, rectification, restriction, erasure (be forgotten) and data portability which are crucial in relation to the right of privacy.
2. Helps to prevent the commission of cybercrime: Cybercrime is a major threat to all internet users and personal data is one of the primary targets of cybercriminals^[26]. Data protection mechanisms and regulations protect data against data theft, data corruption or data manipulation which can result in crimes such as identity theft, scam, financial fraud, blackmailing and others. Most crucially data protection holds the custodian of data “data controller or data processor” accountable and demands transparency from them. In addition to that, data protection legislation requires security measures to be kept in place by data controllers or processors in order to avoid loss, damage or unlawful access of personal data. This by large reduces data breaches or loss which subsequently prevents cybercrime.
3. Help in the growth of the digital economy and business: A country with properly defined data protection mechanisms and enforcement attracts investors to do their business and invest in the country. Data protection legislation is one of the crucial aspects that some investors consider before investing in a country. Data protection legislation provides guidelines to businesses on how to deal and handle personal data. The legislation is important as it assists businesses to thrive, exchange or transfer personal data easily without any trouble as the procedures will be laid down in the data protection Legislation.
4. Protection of consumers: Consumers are increasingly embracing digital technology whereby they provide a lot of data to the business. These data are termed as consumer data. They may include account details, mobile numbers, emails, location tracking, purchasing history and more. Consumer data are by large comprised of personal data which are very sensitive and with high value to big tech corporations.^[27] Data protection legislation is important because it prevents the exploitation of consumer data and put in place guidelines for how personal data should be collected, handled and secured. 
5. Prevent misuse of data: Data misuse happens when data are used in ways that it was not intended for. An example of misuse of personal data is the selling of email addresses to advertisers or other service providers for marketing purposes. Data protection legislation help set conditions for how data can be collected, processed and stored. Data protection legislation requires personal data to be processed for specified purposes and on the basis of the consent of the person concerned or on some other legitimate basis laid down by law.^[28] This limits the processing of personal data and consequently ensures that personal data are used in relevant ways within the confinement of the law. In order to avoid misuse of personal data, the data controllers and data processors need to be limited and regulated by legislation on how to handle personal data.

Conclusion

Data protection laws are more important today than ever, and businesses are highly concerned with data protection and privacy issues. There are several legislation and international instruments which restrict entities from doing business in a country without data protection regulation. Tanzania is one of the countries without data protection legislation. Needless to say, it lacks specific legislation to address the current uses and abuses of personal data.

The absence of specific legislation on data protection is hindering economic and digital growth in Tanzania. It is clear that the general protection from the constitution or other pieces of legislation are inadequate in the increased evolution of data and their values.  Consequently, data protection regulations, institutional framework and protection mechanisms must be put in place to empower data subjects, restrict unlawful processing, restrain damaging practices, safeguard the rights and dignity of persons. Without these legal protections and procedural safeguards in place, it is difficult to control and govern how personal data are being collected, processed, used and stored.

1. Think Automation, “The History of Data”, Parker Software, available at https://www.thinkautomation.com/histories/the-history-of-data/ , (accessed on 15^th September, 2021).

2. Golden Data Law, “What is Data Protection Law?”, Golden Data, p. 2, 9^th November, 2018, available at https://medium.com/golden-data/what-is-data-protection-law-4371581bf8ee , (accessed on 15^th September, 2021).

3. Ibid, p.2.

4. Think Automation, Op. Cit, p. 4.

5. Golden Data Law, Op. Cit., p.3

6. Ibid.

7. Ibid. p. 4.

8. Article 8 of the Charter of Fundamental Rights of the European Union, (2007/C 303/01).

9. Some of the most recent relevant decisions includes that in the case of Bundesverband der Verbraucherzentralen und Verbraucherverbände  – Verbraucherzentrale Bundesverband eV v  Planet49 GmbH, the case originated from the Germany on the validity of internet users’ consent through preselected box determining the extent of data control by an internet service provider.  The Court of Justice of the EU was of the decision that that internet users’ consent to the storage of, or access to, information in the form of cookies installed on a website is not validly constituted if given by way of a pre-checked checkbox, regardless of the fact  the information in question constitutes personal data or not. The Court further elaborated that information that a service provider must give to an internet user necessary information such as the time frame of the cookies’ operation and if third parties may access such cookies. 

10. APEC Privacy Framework, 2015.

11. Asia Pacific Economic Development, https://www.apec.org/groups/committee-on-trade-and-investment/digital-economy-steering-group , (accessed on 30^th January, 2022).

12. In 2018 Australia also joined the APEC Cross-Border Privacy Rules (CBPR) system.

13. Singapore and the United States of America are currently the only APEC member economies which have subscribed to the APEC Privacy Recognition for Processors System (PRP) of 2016.

14. African Union Convention on Cyber Security and Personal Data Protection, 2013 came about due to the need to cater for the strengthening of the existent member states’ legal framework on ICT and as a reiteration of the already existent African Information Initiative (AISI) and the Regional Action Plan on the Knowledge Economy (ARAPKE).

15. Daigle B., “Data Protection Legislation in Africa: A Pan-African Survey and Noted Trends”, Journal of International Commerce and Economics, United States International Trade Commission, February, 2021, pp. 2-3, available at https://www.usitc.gov/journals  (accessed on 12th September, 2021)

16. Ibid., pp. 9-16; The Ghanaian Data Protection Act was enacted 2012, the Malian Law No. 2013-015 on the Protection of Personal Data being enacted in 2013, in  Moroccan the Processing of Personal Data,  Law No. 09-08 was enacted in 2008.

17. The Harmonization of ICT Policies in Sub-Saharan Africa (HIPSSA Project) was birthed as a way towards developing a developed and integrated communications system through harmonizing the policies, legal and regulatory frameworks at the African regional and continental levels in an effort to promote trade and investment.

18. The Constitution of the United Republic of Tanzania, 1977 (as amended from time to time).

19. The National ICT Policy, 2016.

20. Ibid, Paragraph 2.1.2.

21. https://www.ipswitch.com/blog/data-privacy-vs-data-protection

22. A Guide for Policy Engagement on Data Protection: The Keys to Data Protection available at https://privacyinternational.org/sites/default/files/2018-09/Data%20Protection%20COMPLETE.pdf (last accessed on 16^th December 2021)

23. Guidelines for Judicial Actors on Privacy and Data Protection” published by UNESCO  available at https://unesdoc.unesco.org/ark:/48223/pf0000381298 (last accessed on 20th April 2022)

24. https://www.identityforce.com/blog/2021-data-breaches

25. Guide to the General Data Protection Regulation (GDPR) available at https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf, accessed on 17^th November 2021.

26. Holt,T.  Bossler, A. &, Seigfried-Spellar, A., “Cybercrime and Digital Forensics an Introduction” London: Routledge, 2017.

27. Consumer Data Rights and Competition available at pdf (oecd.org)

28. Guide to the General Data Protection Regulation (GDPR) available at https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf