8.1 Data Protection and Privacy on E-transactions

8.1.1 The Electronic Transactions Act, [Cap 442 R.E 2022]

This principal law governing e-transactions on goods and services does not directly address data protection and privacy, however it prohibits unsolicited communication on goods or services  from the supplier to the consumer (Section 32);

32.-(1) A person shall not send unsolicited commercial communication on goods or service unless-

(a) the consumer consents to the communication;

(b) at the beginning of the communication, the communication discloses the identity of sender and its purpose; and

(c) that communication gives an opt-out option to reject further communication.

(2) The consent requirement is deemed to have been met where-

(a) the contact of the addressee and other personal information were collected by the originator of the message in the course of a sale or negotiations for a sale;

(b) the originator only sends promotional messages relating to its similar products and services to the addressee;

(c) the originator offered the addressee the opportunity to opt-out and the addressee declined to opt-out; and

(d) an opportunity to opt-out is provided by the originator to the addressee with every subsequent message.

(3) An originator who contravenes this section commits an offence and shall, upon conviction, be liable to a fine of not less than ten million shillings or to imprisonment for a term not less than one year or to both.

8.2 Data Protection and Privacy under Cyber Criminal Law

8.2.1 Cyber Crimes Act, 2015

The law governing cybercrimes in Tanzania does not directly regulate data protection and privacy, it does however criminalize certain acts that could violate personal data and privacy of persons. This is pursuant to Sections 4, 5, 6 and 7 of the Act which prohibits illegal access into a computer system without permission, illegal remaining into a computer system after the expiry of permission to make sure use, illegal interception and illegal data interference, the commission of these crimes attracts criminal sanctions.

8.3 Data Protection and Privacy for Mobile Network Operators, Internet Service Providers Online Content Creators and Netizens

There does not exist a distinct data protection law governing this sector in Tanzania; however, data protection and privacy obligations are embedded in the text of the Electronic and Postal Communications Act (EPOCA) and Regulations made under.

8.3.1 Electronic and Postal Communications Act, [Cap 446. R.E 2022]

Section 98 and 99 of the EPOCA which govern the confidentiality of customers’ information and utilization of such information for designated purpose only.

98.-(1) A person who is member, employee of application service licensee, or its agent, shall have a duty of confidentiality of any information received in accordance with the provisions of this Act.

(2) No person shall disclose the content of information of any customer received in accordance with the provisions of this Act, except where such person is authorised by any other written law.

99. A person shall not disclose any information received or obtained in exercising his powers or performing his duties in terms of this Act except –

(a) where the information is required by any law enforcement agency, court of law or other lawfully constituted tribunal;

(b) notwithstanding the provision of this section, any authorized person who executes a directive or assist with execution thereof and obtains knowledge of information of any communication may;

(i) disclose such information to another law officer to the extent that such disclosure is necessary for the proper performance of the official duties of the authorized person making or the law enforcement officer receiving the disclosure; or

(ii) use such information to the extent that such use is necessary for the proper performance of official duties.

8.3.2 Electronic and Postal Communications (SIM Cards Registration) Regulations, 2020

Misuse of customers’ data/information is a crime that attracts punishment under Regulation 20 of the Electronic and Postal Communications (SIM Cards Registration) Regulations, 2020;

20. Any licensee, dealer or agent who misuses information of a customer for SIM Card registration commits an offence and upon conviction shall be liable to a fine of not less than five million Tanzanian shillings or imprisonment for a term not less than twelve months or to both.

8.3.3 Electronic and Postal Communications (Licensing) Regulations, 2018

Cognizance must be made of the confidentially requirement regulation by TCRA under Regulation 33 of the Electronic and Postal Communication (Licensing) Regulations, 2018;

33.-(1) A licensee shall use all reasonable measures to ensure non- disclosure of confidential information obtained in the course of its business from any person to whom it provides the licensed services.

(2) A licensee shall establish and implement reasonable procedures for maintaining confidentiality of such information subject to any requirement under the law; and

(3) A licensee shall maintain sufficient information in its confidentiality procedures to satisfy the Authority, on request, that the requirements of sub regulation (1) and (2) are being met.

8.3.4 Electronic and Postal Communications (Consumer Protection) Regulations, 2018

In securing the protection of consumer privacy, Regulation 6 of the Electronic and Postal Communications (Consumer Protection) Regulations, 2018 provides;

6.-(1) A licensee may collect and maintain information on individual consumers where it is reasonably required for its business purposes.

(2) The collection and maintenance of information on individual consumers shall be:-

(a) fairly and lawfully collected and processed;

(b) processed for identified purposes;

(c) accurate;

(d) processed in accordance with the consumer’s other rights;

(e) protected against improper or accidental disclosure; and

(f) not transferred to any party except as permitted by any terms and conditions agreed with the consumer, as permitted by any permission or approval of the Authority, or as otherwise permitted or required by other applicable Legislation.

8.3.5 Electronic Communications (Investigation) Regulations, 2017

On regulating the investigation through interception of communications, Regulation 4(1) in guaranteeing the privacy of those being investigated stemming from the text of the constitution provides that;

Every person’s respect and protection to his person, the privacy of his own person, his family and of his matrimonial life, and respect and protection of his residence and private communications shall not be violated.

8.4 Data Protection and Privacy for Banking and Financial Institutions

Equally, there is no distinct law or regulations governing data protection and privacy in the banking sector. The duty to personal data protection and privacy safeguard are borne out of banking Legislation and regulations.

8.4.1 The Bank of Tanzania (Financial Consumer Protection) Regulations, 2019

Regulation 36 obliges banks and financial institutions to protect consumers’ information by putting forth security measures essential for protecting such consumers’ personal data and privacy;

36. Every financial service provider shall be require-

 (a) to put in place appropriate security and control measures to protect consumers’ financial and personal information;

(b) not share consumers’ information with a third party except with consumer’s consent or as required by the law.

Further Regulations 37 and 38 govern the collection and use of data by banks and financial institutions and the confidentiality and security of consumers’ information respectively.

8.4.2 Bank of Tanzania (Credit Reference Bureau) Regulations, 2012

Regulation 27 obliges all credit reference bureaus to establish a consumer relations centre to receive data subjects’ requests with regard to the data subjects’ information stored in the credit reference bureau database. Further Regulation 28 addresses the rights of a data subject with regard to the information and data stored in the credit reference bureau’s database;

28. (1) A data subject shall have the right to –

(a) know the type of information shared or to be shared in the credit reference system;

(b) have access to a credit report related to that specific data subject;

(c) request a free copy of data subject’s credit report once every twelve months; and

(d) challenge information contained in the credit report.

(2) The request may be completed via fax, telephone, mail, internet and in person indicating proper identification to the credit reference bureau.

(3) The credit report from the credit reference bureau shall be in hard copy or uneditable electronic format.

(4) The credit reference bureau shall furnish a copy of requested credit report within five working days of the date of request.

Moreover, Regulation 29 provides for the right of the data subject to challenge the information contained in the database.

8.5 The Inconsistencies

The lack of specific law on personal data protection and privacy with the latter being regulated by sector specific Legislation creates an unbalanced regulation environment, the different sector specific Legislation have different data protection  and privacy considerations, thresholds, offences and sanctions under the offences. This creates room for confusion and uncertainty on the regulation of personal data and privacy.

This current article encompasses the eight parts of the data protection and privacy articles series. The next part which is titled the DATA AS PROPERTY will be released on 13^th July 2022.