- To apply in both Mainland Tanzania & Tanzania Zanzibar except for non-union matters.
- Mandatory registration for all data collectors and data processors.
- Establishment of the Personal Data Protection Commission.
- Data processors and collectors are required to appoint data protection officers.
- Penalty for unlawful disclosure by companies to range from Tsh 1 million to Tsh 5 billion.
- Data collectors must make policies/codes on the processing of personal data and submit them to the commissioner for approval.
The long-awaited Bill on personal data protection was tabled in Parliament for the first reading last week. We applaud the government for bringing into existence the proposed legal framework on data protection that is intended to guard the right to privacy, as already enshrined in Article 16 of the Constitution of the United Republic of Tanzania (URT). According to the public notice issued, the proposed law is aimed at protecting personal data and setting minimum conditions for the collection and processing of personal data. The Bill also proposes to establish a Personal Data Protection Commission that will be responsible for registering data processors and data collectors as well as monitoring personal data processing in the country. The Bill is divided into nine parts as highlighted below:
PART 1: PRELIMINARY PROVISIONS (Section 1-4)
This part contains the introductory and preliminary provisions, namely the name of the Bill, the effective date of the Law, its application and the interpretation section for terms used in the proposed Bill. The first part also stipulates the principles of personal data protection such as lawfulness, fairness, transparency, purpose limitation, adequacy and accuracy, storage limitation, data minimization and data security. The Bill also states the objectives of the proposed Act, which among others include privacy protection, provision of data subject rights and ensuring lawful processing of personal data.
Our Remarks
- The Bill does not define some of the most fundamental terms or concepts in the proposed law, such as consent, anonymization, what constitutes “public interest” and “public record/data”.
- The Bill fails to clearly provide or distinguish a data controller from a data processor and/or data collector.
- The Bill does not provide for the principle of accountability which is one of the core principles of data protection.
PART 2: PERSONAL DATA PROTECTION COMMISSION (Section 16-13)
The Second Part of the Bill deals with the establishment and structure of the Personal Data Protection Commission, the appointment of the Board members, Chairperson and the Director General. This section also provides for the duties of the commission and the board.
Core duties of the Personal Data Protection Commission among others include:
- To register data collectors and data processors of personal data.
- To receive, investigate and process complaints about alleged violations of personal data and people’s privacy.
- To investigate and take action against anything that the Commission deems to affect the protection of personal information and privacy of people.
- To conduct research and monitor the development of technology related to information processing;
- To establish a cooperation mechanism with the authorities of other countries that manage the protection of personal data and advise the Government on various issues related to the implementation of this Law.
Board composition: The board shall have seven members, whereby the Chairman and Vice Chairman shall be appointed by the President of the URT (if the Chairman is from one side of the United Republic, the Vice Chairman will be from the other side of the United Republic) and the other five members, with qualifications and experience in the areas of IT, law, engineering, finance or administration, shall be appointed by the responsible Minister. The Director General shall also be appointed by the President and shall be a person with qualifications and over 10 years of experience in IT, engineering, law, economics, finance or administration. The Director General shall serve as secretary to the board of the Commission.
Our Remark
The board composition and structure raise concerns with regard to the Commission’s institutional independence to execute its mandate effectively under the new law, since, as pointed out above, all members of the board are appointed by the executive arm.
PART 3: REGISTRATION OF DATA COLLECTORS AND PROCESSORS (Section 14-21)
This section of the Bill deals with the conditions for the registration of data collectors and data processors. It also specifies the conditions for registration certificates, an inspection of registered information and the registration period. In addition, the commission shall establish and maintain a register for data collectors and data processors that shall be open and available to the public. Other noteworthy matters in this part include:
- The registration period of data controllers and data processors shall be 5 years and the registration is to be renewed 3 months prior to expiration.
- The Commission can reject an application for registration in writing with reasons. Any person aggrieved with this decision shall have a right to appeal to the Minister responsible.
- The Commission may cancel the registration as per procedures to be stated in the regulation.
- Failure to register, or providing false or misleading information during registration or renewal, shall amount to an offence.
- Public institutions dealing with the collection and processing of personal information will be deemed to have been registered under this Law once this Law comes into force.
PART 4: COLLECTION, USE, DISCLOSURE & RETENTION OF PERSONAL DATA (Section 22-30)
The Fourth Part of the Bill sets out provisions regarding the procedure for the collection, use and storage of personal data. This part further specifies the circumstances under which personal data may be processed for a purpose other than the one communicated to the data subject. This section also sets specific conditions regarding the security of personal information, whereby each collector must establish an effective system for storing personal information that takes into account changes in technology and the type of information stored. Other highlights of this part include:
- The Bill proposes to cover the processing of personal data by either electronic or non-electronic means.
- This part of the Bill also proposes to have an extra-territorial application to include data collectors or processors residing outside the URT in certain circumstances or where URT laws are applicable under international law/treaty.
- Collection of personal data is to be directly from the data subject, except in certain circumstances exempted by the law.
- Personal data collected must be complete, correct, consistent with the content and not misleading.
- Disclosure of personal data is limited unless consent is obtained, or the disclosure is permitted by law, based on legitimate interest, for a compatible purpose, for research or statistics, or the data is anonymized.
- Personal data is required to be accurate and, where data is incorrect or inaccurate, the data subject is to be afforded the right to rectification.
- Processing of sensitive personal data is prohibited except in circumstances provided under the law.
Our Remarks
- Where personal data is a matter of public record it does not mean that it is available for further processing, and ‘public’ availability should not be construed as consent nor as another legal basis for further processing. The law should not blankly allow the further processing of personal data on the mere ground of public record.
- No exemption is provided with regard to the retention of personal data under Section 28 of the Act. The Act needs to clearly provide for exemptions, such as research or statistical purposes, where the retention period can be exempted.
- The obligation to notify the commission on breaches of personal data is only imposed on the collector under section 27(5).
PART 5: TRANSFER OF PERSONAL DATA OUTSIDE TANZANIA (Section 31-32)
The Fifth Part of the Bill deals with the conditions for cross-border data transfer where the concept of adequacy is used as a criterion for countries that can receive personal data from Tanzania. This part also provides that:
- The commission can prohibit the transfer of personal data outside the country.
- Transfer of personal data is to be only to a country with a legal framework for personal data protection which ensures adequate security for personal data.
- The recipient shall justify the need for the transfer of personal data from Tanzania.
- The data processor is to conduct an assessment of the importance/need to transfer personal data outside the country prior to the transfer.
- The data processor is to ensure that the recipient uses the personal data for the specific purposes for which the data was transferred.
Our Remarks
- The law does not set the requirement for data subjects to consent for their personal data to be transferred outside the country.
- The Bill fails to include binding corporate rules (BCRs) as one of the mechanisms for the cross-border transfer of personal data.
PART 6: RIGHTS OF DATA SUBJECTS (SECTION 33-38)
This part of the Bill specifies the rights of the data subject, including the right to access personal data, the right to restrict processing, the right to object to the processing of their personal data for commercial advertisement, the right to rectification, and the right not to be subjected to automated individual decision making that may affect the data subject. Further, the Bill provides that data subjects shall be entitled to compensation for damage suffered due to the unlawful processing or collection of their personal data. It also provides that if the Commission is satisfied, after a data subject request, that the personal data is not accurate, the Commission may order the collector or processor to modify, block, delete or destroy such information.
Our Remarks
- The Bill under Section 34(4) proposes that an heir can consent to the processing of sensitive data on behalf of any other person not capable of consenting. Did the law mean a deceased person or a missing person? We are not sure, since the provision is not clear. Nevertheless, under international standards, it is ideal for the said person to be a legal representative under the transmission of rights and not an heir.
- The Bill restricts the processing of personal data for commercial advertisement under Section 35. However, it is silent with regard to processing personal data for other commercial use by controllers/processors.
- The Bill seems to impose a negative obligation (duty) on the data subject to make a request to the data processor or collector to stop processing their personal data for the purpose of commercial advertisements. The said provision does not restrict, with clarity and certainty, the processing of personal data for commercial advertisement by collectors and processors.
PART 7: COMPLAINT INVESTIGATIONS (SECTION 39-50)
Part Seven of the Bill deals with the provisions for handling complaints regarding the violation of statutory obligations. In accordance with the provisions of this part, it is recommended that the Commission be empowered to receive complaints, investigate them and give a decision within 90 days based on the principles specified in the Law. This part also provides for the powers of the Commission in investigating complaints.
Additionally, the Commission is also recommended to be given the authority to issue administrative fines when it is satisfied, based on the level of the violations committed. Along with the provisions on punishment, this Section also lays down provisions enabling the victim of actions resulting from a violation of this Law to be compensated for the harm they suffer. This section also provides an opportunity to appeal for a person who is not satisfied with the decision of the Commission. The appeal shall be made to the High Court.
Our Remarks
- The current wording of the Bill on the powers vested in the Commissioner under Section 42(1)(c) and (d)[i] may create room for abuse.
- Section 40 provides that the Commission shall issue an investigation notice before commencing an investigation of data subject complaints. This seems to be strange.
PART 8: FINANCIAL PROVISIONS (SECTION 51-57)
Part Eight of the Bill lays down the financial provisions. These provisions include the Commission’s sources of income and the procedure for auditing the Commission’s accounts. All expenditures of the Commission are to be approved by the board. The sources of income proposed in this part include:
- Money to be allocated by the parliament
- Money to be obtained from providing services, consultation and any other payment.
- Funds derived from donations, gifts or grants
- Loans
- Other income to be derived from the performance of the commission’s activities under this act
PART 9: MISCELLANEOUS PROVISIONS (SECTION 58-65)
Part Nine of the Bill deals with miscellaneous provisions that have been deemed necessary to include in the proposed Law. Among the important issues in this Section are the Minister’s authority to make regulations under the proposed Act, offences and penalties, and the provisions regarding the circumstances that are proposed to be excepted from the scope of the Law, which are:
- Processing of personal data by data subjects for personal activity.
- Processing of personal data required by any law or by an order of the court.
- Processing of personal data for national security or the public interest.
- Processing is for the prevention or detection of crime.
- Processing is for the prevention or detection of tax evasion.
- Processing is done in the course of investigating or inspecting the misuse or embezzlement of public funds.
- Processing of personal data is done for the purpose of appointing public officials/servants.
The specific offences established under this part include:
- Unlawful disclosure of personal data. If the disclosure is made by an individual, the fine shall range from Tsh 100,000 – Tsh 20,000,000/= or imprisonment for a term of not more than 10 years, or both. For companies or entities, the fine shall range from Tsh 1,000,000 to Tsh 5,000,000,000.
- Destruction, deletion, concealing or making changes to personal data contrary to the law. The fine shall range from Tsh 100,000 – Tsh 10,000,000/= or imprisonment for a term of not more than 5 years, or both.
- The Commissioner can request the court to issue an expeditious preservation order for personal data where there is a likelihood of the data being lost or changed.
- Every officer of a company or entity who knowingly or purposely authorizes or allows a violation of this law shall be personally liable.
- The Bill proposes that every data collector shall prepare codes or policies on how to handle and process personal data. The said policies or code shall also be submitted for approval to the commissioner.
Our Remarks
- The obligation to make guidelines or policies on the processing of personal data is not imposed on data processors.
- The exemptions provided for in this part are too broad, in particular terms such as “national security” and “public order”, which are not defined.
GENERAL COMMENTS AND RECOMMENDATIONS ON THE BILL
- We suggest the name of the Bill be “Data Protection and Privacy Act” (to include privacy).
- The right to erasure (to be forgotten), the right to be informed and the right to data portability should be added to the Bill.
- The Bill should impose an obligation on collectors and processors to notify the data subject in case of breaches.
- The law needs to specifically address the processing of personal data relating to a child. (It only provides for the processing of sensitive personal data of a child.)
- The Bill should provide for data protection impact assessments in detail.
- The grounds for lawful processing are scattered across the Bill and not clearly explained. We propose that a specific section be inserted for the grounds of processing personal data.
- The references to processors or collectors across the Bill are not consistent and create a certain confusion.
- The seizure and search powers of the commission are to be reviewed and well elaborated on so that they are in line with the constitution and other rights.
- Improper Disposal of Personal Data to be specifically criminalized in the law.
- We suggest an overriding provision be inserted into the law that gives the Act precedence on matters of personal data protection over other Acts.
- Certain offenses such as Unauthorized Access to Personal Data to be included in the law and be heavily penalized.
- We propose the law to include Voluntary Dispute Resolution Schemes between the data subject and processor/controller/collector such as Independent Alternative Dispute Resolution.
Conclusion
We hope that the Bill shall attract wider public and stakeholder engagement to deliberate on different areas which raise certain concerns about the protection of personal data. We believe that the flagged areas from this brief analysis should be considered as recommendations for the Bill that are geared toward ensuring that personal data is effectively and adequately protected in Tanzania.
[i] Power to enter any building owned by the data collector to assess whether the building has sufficient security requirements, and power to leave with any object containing personal data from any building so entered.