10.1 The Concept of Permissible Data Protection and Privacy Breaches
Data protection and privacy cannot be absolute; there are circumstances that call for some data protection and privacy principles to be disregarded.
10.2 International Instruments
Essentially, the GDPR[i] excludes the following, amongst others, from the material scope of the Regulation:
- Processing of personal data by a natural person in the course of purely personal or household activities;
- Processing by competent authorities for the prevention, investigation, detection and/or prosecution of criminal offences, or the execution of criminal sanctions, including safeguarding against and preventing threats to public security.
The Malabo Convention[ii] also sets out areas where the principles of data protection under the Convention shall not be applicable:
This Convention shall not be applicable to:
- a) Data processing undertaken by a natural person within the exclusive context of his/her personal or household activities, provided however that such data are not for systematic communication to third parties or for dissemination;
- b) Temporary copies produced within the context of technical activities for transmission and access to a digital network with a view to automatic, intermediate and temporary storage of data and for the sole purpose of offering other beneficiaries of the service the best possible access to the information so transmitted.
The SADC Model[iii] provides for limitations on the applicability of data protection rights and obligations for the purpose of implementing or safeguarding the following:
- State security;
- Defence;
- Public safety;
- The prevention, investigation or proof of criminal offences, the prosecution of criminal offenders, the execution of criminal sanctions, the undertaking of security measures, or violations of professional codes of conduct for regulated professions;
- Regulatory activities;
- Literary and artistic works; and
- Professional journalism, pursuant to journalism ethical rules.
10.3 African Legislation
Kenyan law allows data processing and control in disregard of the data protection principles where such processing is:
- Meant to cater for purely personal or household activities;[iv]
- Necessary for national security or public interest;[v]
- A necessary disclosure warranted under any written law or under a court order;[vi]
- Meant for publication of a literary work, where the data controller reasonably believes that the publication is in the public interest; such data control and processing is additionally subject to compliance with an applicable code of ethics governing the publication in question;[vii]
- Meant for research, history and statistics;[viii]
- Covered by exemptions prescribed by the Data Commissioner.[ix]
Ghanaian law provides exemptions from the Act's provisions on data processing in the following areas:
- National security,[x] which is sub-categorized to include instances of public order, public safety, public morality, national security, or public interest.
- Crime and taxation,[xi] which is further qualified to involve the prevention or detection of crime, the apprehension or prosecution of an offender, or the assessment or collection of a tax or duty or of an imposition of a similar nature.
- Health, education and social work[xii]
- Data protection regulatory activities[xiii]
- Journalism, literature and art[xiv]
- Research, history and statistics[xv]
- Disclosure required by law or made in connection with a legal proceeding[xvi]
- Domestic purposes[xvii]
- Confidential references given by data controller[xviii]
- Armed Forces[xix]
- Judicial appointments and honours[xx]
- Public service or ministerial appointment[xxi]
- Examination marks[xxii]
- Examination scripts[xxiii]
- Professional privilege[xxiv]
10.3 Permissible Personal Data and Privacy Breaches under Tanzanian Legislation
Despite the fact that Tanzania does not have a specific law on data protection and privacy, the existent sector specific Legislation
10.3.1 The Constitution
Article 16(1) of the Constitution, which guarantees personal privacy rights in Tanzania, is subject to a claw-back clause in Article 16(2), so the right is not absolutely guaranteed. The right to privacy may not be absolute under state-enacted legislation addressing the manner and extent to which the right may be infringed.
10.3.2 The Cybercrimes Act, 2015
Section 37 of the law warrants the use of forensic tools to obtain evidence on a suspect or persons of interest in cyber-related crimes; these tools could be used to obtain a person’s personal data without regard to their right to privacy guaranteed under the Constitution.
10.3.3 The Anti-terrorism Act, 2002
Section 31 of the law warrants the interception of personal information through the interception of communications by an individual under investigation for terrorism-related offences.
10.3.4 The Way Forward
It is now inevitable for Tanzania to devise a sound data protection policy and, equally, to enact a comprehensive data protection and privacy law, drawing inspiration from the existing international instruments and local legislation and customizing the law to meet the current and developing aspects peculiar to Tanzania and its international relations and undertakings.
[i] Ibid., GDPR, Article 2(2)
[ii] Ibid., Malabo Convention, Article 9(2)
[iii] Ibid., SADC Model Law, Article 42(1) and (2)
[iv] Section 51 of the Kenyan Data Protection Act, 2019
[v] Id.
[vi] Id.
[vii] Ibid., Section 52
[viii] Ibid., Section 53
[ix] Ibid., Section 54
[x] Section 60(1) of the Ghanaian Data Protection Act, 2012
[xi] Ibid., Section 61
[xii] Ibid., Section 62
[xiii] Ibid., Section 63
[xiv] Ibid., Section 64
[xv] Ibid., Section 65
[xvi] Ibid., Section 66
[xvii] Ibid., Section 67
[xviii] Ibid., Section 68
[xix] Ibid., Section 69
[xx] Ibid., Section 70
[xxi] Ibid., Section 71
[xxii] Ibid., Section 72
[xxiii] Ibid., Section 73
[xxiv] Ibid., Section 74