In Tanzania, like in any other country, there is a growing appetite for personal data among private individuals, enterprises and state apparatus.
Each of these groups is in need of your personal information for various reasons such as making informed business decisions, public security and safety as well as, sometimes, for mischievous motives because who knows?
At some point in your life, you have knowingly or unknowingly given out a whole lot of your personal information through customer databases, online transaction processing systems, medical records, Mobile Apps and internet clicks.
You might as well have done so to voluntary and mandatory governmental and non-governmental registries such as social security agencies, crimes prevention agencies, telecommunication service providers as well as educational institutions.
This information may include nationality, age, marital status, education level, identification number, identity data, biometric data, health data and other sensitive personal information.
Despite the fact that your right to privacy and personal security has been guaranteed under Article 16 of the Constitution of the United Republic of Tanzania, it is so unfortunate that you cannot protect such individual and personal information due to a number of reasons.
One, this right is limited under the sub-article two of the Article referred above in a sense that the state authority is empowered to lay down legal procedures regarding the circumstances, manner and extent to which this right may be encroached upon without prejudice to this provision.
Two, in Tanzania there is no law that specifically regulates the collection and processing of personal information or data. In this country, authorities are so powerful that they can encroach on your personal privacy for convenience purposes and there is nothing you can do about it.
Also, when it comes to non-governmental institutions and private entities who already are in possession of a lot of our personal information they might use them, or cause them to be used, for malicious intentions without you having a legal recourse against them.
This is because as a data subject, you have no legislation giving effect to the constitutional right above when it comes to data subjects’ rights and the obligations of data collectors, controllers and processors.
One might argue that there are various pieces of legislation in Tanzania with provisions regarding data protections such as the Electronic and Postal Communications Act, 2010, which governs electronic, telecommunications and postal communications in the country.
Others are the Cybercrimes Act, 2015, which provides for offences related to violations of privacy against or using a computer system located in Tanzania and the Electronic Transactions Act, 2015, which, among other things, prohibits suppliers from interfering with an individual’s privacy and others.
However, there is narrow applicability of these laws as far as the right to privacy and personal security is concerned.
These laws were not in any way intended to provide for the rights and obligations of data subjects, processors, collectors and controllers. They were made to facilitate certain government conveniences, leaving away a fundamental right to privacy and personal security.
So, what happens when unscrupulous individuals use other people’s personal data for malicious motives? What happens upon breach of sensitive personal data by state agencies?
Stakeholders in Tanzania have been demanding the government come up with a dedicated statute which provides answers to these fundamental questions.
Actors in the area want the law to address issues like security of data, rights of data subjects and complaints against data breaches.
The law should also address the question of whether or not data can be transferred outside Tanzania with or without consent of the data subjects as well as grounds for processing sensitive personal data.
Lessons from elsewhere
In Kenya, for instance, the country’s Data Protection Act, 2019 gives effect to the provision of their Constitution, 2010, specifically Article 30 (c)(d), which provides for the right not to have information relating to their family or private affairs unnecessarily required or revealed or the privacy of their communications infringed.
Likewise in Uganda, the dedicated comprehensive Data Protection and Privacy Act, 2019, gives effect to Article 27 of their Constitution, 1995, which provides for the right to privacy of the person, including their home, correspondence and communication.
Unlike in Tanzania, all these laws have given answers to most of the pertinent questions regarding the protection of personal data and privacy.
It is understood that back in 2014 efforts were made by the Ministry of Communication, Science and Technology which prepared a draft Data Protection Bill, the process which has not yet been finalized.
However, it is argued that even if the government chose to go on with the process with this 2014 Bill, without changes or modifications, the bill might not fulfil the adequacy requirement of the European Union General Data Protection Regulation (GDPR).
Coming into force in 2018, GDPR has inspired many governments around the world, including Kenya and Uganda, which their respective data protection laws were enacted in 2019, immediately after GDPR.
The GDPR replaced the Data Protection Directive 95/46/EC from which this Tanzanian draft bill on data protection was hugely rooted.
One of the reasons why this 2014 bill might not be adequate is simply that since 2014 a lot has happened in terms of technology related to data and personal information and even the definition of personal data or information has itself evolved.
It is therefore imperative to have in place an updated and comprehensive data protection statute in Tanzania so as to give effect to the provision of the Constitution but also to provide for the rights and obligations of the concerned parties.
This law will prevent the revealing of personal data for state convenience as well as protect those data from individuals with malicious motives.
Emmanuel Mwesiga is experienced in commercial and corporate law transactions and advisory. He can be reached at email@example.com or follow him on Twitter at @EsquireMK. These are the writer’s own opinions and do not necessarily reflect the viewpoint of The Chanzo Initiative. Want to publish in this space? Contact our editors at firstname.lastname@example.org for further inquiries.