Data privacy has increasingly become important both for investors and advertisers but also for the regulators. Data protection is made to be taken seriously now and companies are paying hefty fines from British Airways who was fined USD 230 million for a data breach which affected information of 500,000 people. Google faced a GBP 44 million fine for non-compliance with FDPR and we all remember the Cambridge Analytica scandal where Facebook had to pay a fine of USD 5 billion.
Tanzania decided to join the ranks of its fellow EAC Members namely Kenya, Rwanda, and Uganda and enact the Personal Data Protection Law. Prior to this legislation, the protection of data was found in various pieces of legislations such as the Electronic Postal Communication Act of 2010, Cyber Crimes Act of 2015, Banking and Financial Services Act of 2006, etc and of course the guarantee of the right of privacy under Article 16 of the Constitution of the United Republic of Tanzania.
This is good news for Tanzania as increasingly consumers in Tanzania have been complaining of the lack of robust rules protecting their data, particularly when it comes to telecommunication companies or gaming companies who are known to trade this data at the detriment of the customer.
For companies or individuals processing personal data, the law contains a host of requirements namely being registered as a data processor but also a directive for data processors to appoint a personal data protection officer.
The law is applicable in both Tanzania and Zanzibar, save for non-union matters. The law creates a Data Protection Commission which constitutes of board members appointed by the President of the United Republic of Tanzania Furthermore, the Commission is designated as the registrar of data collectors and processors; the investigator into personal data matters; the advisor to the Government of Tanzania and the adjudicator of data protection disputes. This all brings into question the independence and impartiality of this authority.
On the question of data transfer, which is a big one for companies like gaming and technology that trade and monetise the database of personal information collected through the life of a business, the Act is silent on the question of data owner and subjects granting their consent to bodies that collect, process, store, or use personal data outside Tanzania’s borders. Therefore, since the power of consent is not clearly stipulated, we may interpret this that data transfer is permitted irrespective of consent of the data subject. The only condition that the law provides is that the country where the data is transferred to must sufficient protections of personal data. Although advantageous to companies who trade personal data, this does create an avenue of abuse or misuse of data.
The processing of personal data for direct commercial advertising purposes is prohibited, however an the data subject may consent to such use and may even enter into a commercial arrangement and get monetary compensation.
With regards to data subjects, they have the right to be informed about the collection and processing of their data and what their data will be used for. Equally, the law provides that they have the right to access the data and also to rectify the data to ensure accuracy. The law also provides that the data subject can at any time exercise its right to erase the data through application to the Commission and they can also opt out of the data processing. The data subject has a right not to be subjected to automated decision making.
The Personal Data Protection Act provides for fines where the law has been violated. Where provisions related to disclosure have been violated TZS 100,000 and not exceeding TZS 20 million (that is between USD 40 to USD 9,000) or imprisonment for a term not exceeding ten years, or to both fine and imprisonment. The fine for a body corporate is minimum TZS 1 million and not exceeding TZS 5 billion (that is between USD 400 and USD 2.1 million).
Where provisions related to destruction, erasure, concealment, or modification of personal data have been violated upon conviction the offences are punishable by fine of not less than TZS 100,000 and not more than TZS 10 million (between USD 40 and 4,000) or to imprisonment for a term not exceeding five years, or to both fine and imprisonment.
The Minister is to provide for the regulations and we look forward to reading the regulations related to breach of security which is becoming an ever growing concern as cyber attacks are increasingly threatening people and businesses around the world.
On the question of whether the Law is good or bad for investors? My answer is “good for investors” since Tanzania joins the ranks of countries that take data protection seriously. The law in place are fair as it provides protection to data subjects and does not create too many compliance requirements to data processors and collectors. Also, one can tell that the drafting of this law had technology companies in mind since the law does not prohibit trading and transfer of data which we know is the real currency of tech companies today.