TANZANIA SET TO ENACT THE FIRST DATA PROTECTION LAW IN 2022

Tanzania is set to enact the first Personal Data Protection Law in 2022

By Sunday Godfrey Ndamugoba

Key Points:

• The proposed Act shall apply to Mainland Tanzania and Tanzania Zanzibar.
• There shall be established a Commission for the Protection of Personal Data.
• There are procedures for the collection, use, and storage of personal data.
• A Requirement to Appoint Personal Data Protection Officer
• Data Collectors shall be registered and a license to be valid for a period of 5 years
• Deals with the provisions for dealing with complaints relating to the violation of legal obligations.
• The Commission is proposed to be given also the authority to issue administrative fines when it is satisfied with depending on the level of violation committed
• Victims of the violation to be compensated in damages
• A person who reveals data of a person shall be fined TZS 100,000 /= (50 USD) to a maximum of TZS 20,000,000/= (5,000 USD) or 10 years of imprisonment or both if a company shall be fined between TZS 1,000,000 91,000 USD) and TZS 5,000,000,000 (2.5 M USD)
• Fine for violations to be imposed minimum is TZS 100,000 /= (50 USD) to a maximum of TZS 10,000,000/= (5,000 USD) or 5 years of imprisonment or both
• Compounding offenses – Fine for violations to be imposed minimum is TZS 100,000 /= (50 USD) to a maximum of TZS 5,000,000/= (2,500 USD) or 5 years of imprisonment or both.
• If a violation is by a company, then all responsible officers involved shall be accountable.

The Personal Data Protection Bill of 2022 will be Tanzania’s first comprehensive set of rules relating to personal data protection, covering both electronic and non-electronic personal data forms. The Bill was published in the Special Gazette of the United Republic of Tanzania No.34. Vol. 103 dated 31st August 2022.

The new law goes further by introducing criminal sanctions for certain personal data breaches. In this way, the government is sending a strong message to both individuals and corporations that personal data protection is now being taken seriously in Tanzania.

The bill was crafted in response to online services selling citizens’ personal data without their consent.

This bill proposes the enactment of the Personal Data Protection Act of Tanzania, 2022 with the aim of:

1. Setting the basic conditions for the protection of personal data in order to keep the collection and processing requirements to a minimum of personal data,
2. Establishing the Commission for the Protection of Personal Data;
3. Promote the protection of personal data processed by Government agencies and private agencies as well as other related issues.
4. We set out below our initial observations on the key issues we have identified in the Personal Data Protection Law of Tanzania.

This bill is divided into Nine Parts.

Part One of the Bill lays down the introductory provisions which are the name of the Bill, the effective date of the Law, its use, and the definition of words and vocabularies used in the proposed Law.

Subject to the provisions of this Section, the proposed Act shall apply to Mainland Tanzania and Tanzania Zanzibar. This section also lays down provisions regarding the objectives of the proposed Law and the principles of personal data protection.

Among those goals is to ensure the processing of personal data.

The Second Part of the Bill deals with the conditions for the establishment and structure of the Commission for the Protection of Personal Data, the appointment of the Board, and the Director General.

This section also specifies the duties of the Commission where among The Commission’s primary duties are to register data collectors and processors personally for the purpose of identifying, receiving, and investigating complaints from to data parties and provide education to the public related to the use of signature of personal data. The objective of this Section is to establish an effective framework for an institution that will manage the control of incorrect use of personal data.

Part Three of the Bill deals with the conditions for the registration of collectors and personal data processors. This section also sets out the conditions for certification registration, an inspection of registered data, and the registration period for the purpose of ensuring consistent management of people involved in data processing personally. In addition, to enable the Commission to identify all the people involved with the collection and processing of personal data, the Commission is recommended to be given the authority to establish and maintain a register that will contain all the data of basis in relation to those people.

The Fourth Part of the Bill sets out provisions regarding the procedure for the collection, use, and storage of personal data. In addition, this Section outlines the circumstances under which personal data may be disclosed. For In accordance with this Section, the collector may use or disclose personal data if the subject of the data has authorized the use or disclosure of his data to someone else. Also, the collector may disclose personal data if he is required to do so according to the law. This part too sets specific conditions regarding the security of personal data where each collector should put in place an effective system for storing personal data which you will consider changes in technology and the type of data stored.

The provisions of this Section also prevent the processing of sensitive personal data without written consent from the subject of the data. Sensitive personal data referred to in this Section includes data about children, data biometrics, political ideology data and health data.

Part Five of the Bill deals with the conditions for the transfer of personal data abroad where the concept of adequacy will be used as a criterion for the country which may receive personal data from the country. The concept of sufficiency in accordance with the proposed conditions it requires the transmission of data personally involving countries with adequate legal systems for the protection of data personally.

Part Six of the Bill sets out the rights of the subject of personal data including the right to access his data, to correct such data, the right to block processing that may affect the data subject, and the right to block the processing of personal data for the purpose of commercial use against and the wishes of the subject.

Part Seven of the Bill deals with the provisions for dealing with complaints relating to the violation of legal obligations. According to the conditions of this Section, it is recommended that the Commission be empowered to receive specified in the Act. In this Section, the Commission is proposed to be given also the authority to issue administrative fines when it is satisfied depending on the level of violation committed. In addition, in accordance with the conditions of punishment, This section also sets conditions enabling the victim of actions resulting from the violation of this Law to be compensated for damages that he will get. This section also provides an opportunity for appeal to a person who is not satisfied and the decision of the Commission. The purpose of the provisions of this Part is to have a framework specifically for the handling of complaints regarding personal data.

Part Eight of the Bill lays down the financial provisions. Those conditions are as well as the Commission’s sources of income and the procedure for auditing the accounts of the Commission. One of the sources of income suggested in this Section is the amount of money that will be allocated by the Parliament for the implementation of duties of the Commission.

Part Nine of the Bill deals with other provisions that have been seen it is also important to be included in the proposed Law. Among The important issues in this Section are the provisions regarding the circumstances which are recommended to be removed from the scope of the Law. That environment is as well as the processing of personal data for protection and security purposes of the Nation, to prevent or identify crime and tax evasion, an inspection of embezzlement of public funds, and conduct of search for appointments in public service positions. The aim of the proposed provisions is to do so Law not to be an obstacle to the implementation of important activities of the Government and society. Other provisions in this Part are the Minister’s authority to make regulations under the proposed Act, offenses and penalties including those carried out by companies, and the wishes of the collectors of data to prepare ethical principles for the protection of personal data.

Conclusion

This welcome regulatory development will lead to a higher level of personal data protection in Tanzania’s growing digital economy. The bill is more closely aligned with international data privacy standards. We at ABC Attorneys being that our practice revolves around clients that deal with technology are excited about the enactment.

The Bill can be downloaded here : TANZANIA DATA PROTECTION BILL 2022