PRIVACY AND DATA PROTECTION IN TANZANIA (PART 1)
The right to privacy has been recognised in Tanzania ever since the introduction of the Bill of Rights into the Constitution of the United Republic of Tanzania, 1977 (the Constitution) in 1984. Article 16 of the Constitution calls for the enactment of law that stipulates how privacy rights may be protected, pursued or interfered with by the government.
The importance of the subject of privacy and data protection has gained unprecedented attention in recent years, requiring better and more elaborate rules of protection. Individuals are sometimes exposed to possible abuse and even to harmful consequences as a result of the developments in information and communication technology (ICT) and the role it plays in the collection of personal information, and the tendency of companies and business enterprises to collect and use personal information in making business decisions. It is therefore not surprising that many countries in the west enacted comprehensive legislation on data protection some time ago. Europe in particular, through the recently passed General Data Protection Regulation, 2016, is heading towards the harmonisation of data protection laws in order to have consistency within the region.
In East Africa, countries have only just awoken to that need and are heading in the same direction.
Uganda and Kenya already have draft Bills on privacy and data protection. Tanzania does not yet have a specific law, and there are reports that the Government is drafting a Bill to be tabled before the Parliament for discussion, but it is not yet clear when it will be published. As such, the existing privacy and data protection requirements in Tanzania are to be found to varying degrees in various pieces of legislation in different sectors. This includes those relating to privileged information obtained through relationships such as doctor-patient, banker-customer, electronic service licensee-customer, and employer-employee interaction.
The bulk of the existing regulations on privacy and data protection are found in the banking, electronic and telecommunications sectors. The focus of this article is on data protection requirements in electronics and telecommunications. Regulations in the banking sector are dealt with in a separate article.
Policy recognises benefits and risks of ICT
In the information age in which we live, ICT increasingly drives and influences the socio-economic and political aspects of life. The Tanzanian ICT Policy of 2016 recognises ICT as the bedrock of national economic development and the country’s efforts to become a middle-income country by 2025.
In its ICT Policy of 2003, and more recently in the ICT Policy of 2016, Tanzania recognised the need for a legal and regulatory framework that would allow it to harness ICT’s development potential while limiting the risks that come with it. Most of the rules on privacy and data protection in Tanzania are to be found in the ICT sector because of the risk of information theft or abuse when individuals share personal information on the internet and various communication devices and applications. In this context, the main laws providing protection are the Electronic and Postal Communications Act and its supporting regulations, the Cybercrimes Act and the Electronic Transactions Act.
The Electronic and Postal Communications Act, 2010
The Electronic and Postal Communications Act (EPOCA) governs all electronic and postal communications and telecommunications in Tanzania, and is administered by the Tanzania Communications and Regulatory Authority (TCRA). Various supporting regulations have been made, including the Electronic and Postal Communication (Consumer Protection) Regulations, GN. No. 427 of 2018, the Electronic and Postal Communications (Investigation) Regulations, 2017 and the Electronic and Postal Communications (Computer Emergency Response Team) Regulations, 2018.
EPOCA and its supporting regulations apply predominantly to licensees such as telecommunication companies, internet service providers and other entities which interact and deal with such companies.
The Act defines electronic communication as radio communication or the communication of information in the form of speech or other sound, data, text or images, by means of guided and unguided electromagnetic energy. Section 98 of EPOCA imposes the duty of confidentiality of information upon licensees, and section 99 of the Act prohibits disclosure of information without authorisation. A licensee is any person who has obtained a Network Facilities Licence, Network Services Licence, Application Services Licence or Content Services Licence under EPOCA.
Regulation 6(1) of the Consumer Protection Regulations provides that a licensee may collect and maintain consumers’ or subscribers’ information where it is reasonably required for business purposes.
Rule 4 of the Electronic and Postal Communications (Investigation) Regulations, 2017 guards against the violation of any person’s entitlement to respect and protection of his person, the privacy of his own person, his family and of his matrimonial life, and respect and protection of his residence and private communications. Furthermore, under Rule 6(1), no person shall intercept, attempt to intercept, authorise or instruct any other person to intercept or attempt to intercept any communication at any place in the United Republic except as warranted under the Regulations.
Any contravention of this rule is an offence punishable by a fine of not less than five million Tanzanian Shillings or imprisonment for a term of not less than one year, or both fine and imprisonment.
The right and duty to collect personal information
Despite the prohibitions under sections 98 and 99 of EPOCA, data collection has in certain instances not only been allowed but required under the law as a matter of regulatory compliance.
Pursuant to section 84 of EPOCA, the regulator, the TCRA, is required to establish and maintain a Central Equipment Identification Register (CEIR) with information on all devices that licensees use in their networks. Licensees must supply every subscriber number and its unique International Mobile Equipment Identity (IMEI) code.
In parallel with that, the operator is obliged to maintain a sub-register of all the information submitted to the CEIR and to maintain subscribers’ information, which must be submitted to TCRA once every month.
This means that for the users of SIM cards to be allowed to connect to telecommunications networks, they are required by law to register with the operator their full details, names, residence, occupation or business, verified by producing an identity card or, in the case of companies, business registration documents.
In dealing with consumers, information must be fairly and lawfully collected and processed, according to Regulation 6 of the Consumer Protection Regulations. Consumer information must be processed for identified purposes; it must be accurate; it must be processed in accordance with the consumer’s other rights; it must be protected against improper or accidental disclosure; and it must not be transferable except with the permission of the individual who supplied the information or as permitted under any law.
For the purposes of the Computer Emergency Response Team Regulations, the TCRA has developed what is called a Computer Emergency Response Team (CERT). The CERT’s role is to protect people against abuse and other risks related to ICT by responding to computer emergencies and dealing with security risks. These regulations require internet service providers, telecommunications operators and other service providers to provide a secure environment against information security threats. The term ‘information security’ means the administrative and technical measures taken to ensure that data is only accessible by those who are entitled to use it.
The Cybercrimes Act
The Cybercrimes Act, 2015 is a penal statute intended to deter or discourage privacy and data protection abuses and violations. Being a penal statute, the application of the Cybercrimes Act is not restricted as long as the offences were committed within the United Republic of Tanzania, including on vessels or aircraft registered in Tanzania. The Act would also apply to Tanzanian nationals residing abroad if the act committed is an offence both in Tanzania and under the laws in the host country. Further, the Act applies to any person, regardless of nationality, if the abuse or violation (i) is committed using a computer system, device or data located within Tanzania; or (ii) is directed against a computer system, device, data or person located in the Republic.
It is an offence to access or cause a computer system to be accessed without permission. Anyone who commits this offence will be liable to imprisonment for not less than a year or to a fine of not less than three million Tanzanian Shillings, or to both fine and imprisonment. It is an offence to intentionally and unlawfully remain in a computer system or to continue to use a computer system after the expiration of the time for which one was allowed. Doing so is punishable by imprisonment of not less than one year or a fine of not less than one million Tanzanian Shillings, or both.
Similarly, it is an offence to intercept personal communications and interfere with data by damaging, deleting, altering, obstructing and interrupting it. The penalty is a fine of not less than ten million Tanzanian Shillings, or three times the value of undue advantage received by the offender, whichever is greater, or to imprisonment for a term of not less than three years.
Further, the Cybercrimes Act prohibits operators and other service providers from monitoring activities or data being transmitted in their systems. However, they are also shielded from being held liable for illegal activity that takes place within their networks or systems through the actions of third parties.
The Electronic Transactions Act
The Electronic Transactions Act gives legal recognition to the use of electronic transactions to do business. It has also allowed for the Government to interact with its citizens and to offer certain services by electronic means. Although there are no direct and comprehensive provisions on privacy and data protection, there are some provisions which are relevant. One is the requirement that suppliers of goods and services by electronic means must disclose all information pertaining to themselves and their businesses, and the goods or services they are offering. Before placing an order, the consumer must be allowed to review the transaction and have the discretion to withdraw from it. Further, suppliers are prohibited from interfering with an individual’s privacy. They are also prohibited from sending unsolicited commercial communications unless the consumer consents to this. As such, it is a requirement under this Act that the sender must from the outset disclose his identity and the purpose of the communication, and the consumer should be given the option to opt out of the communication.
The consent requirement is deemed to have been met where the contact details of the addressee and other personal information were collected in the following settings:
- by the originator of the message in the course of a sale or negotiations for a sale;
- when the originator only sends promotional messages relating to its similar products and services to the addressee;
- the originator offered the addressee the opportunity to opt-out and the addressee declined; and
- an opportunity to opt-out is provided by the originator to the addressee with every subsequent message.
Violation of these requirements is an offence punishable by a fine of not less than ten million Tanzanian Shillings or imprisonment for not less than one year, or both fine and imprisonment.
Data disclosure when a crime is suspected
The disclosure of data for the purposes of a criminal investigation or the prosecution of an offence is dealt with in Section 32 of the Cybercrimes Act. In such instances, a police officer in charge of a police station or a law enforcement officer of a similar rank may issue an order to any person in possession of such data compelling him or her to disclose it. It may happen, however, that there is resistance from the party holding data of evidential value. Similarly, it may be impossible to obtain the data without the use of force. In these circumstances, the law enforcement officer may apply to court for an order of disclosure or preservation.
Section 22 of the Cybercrimes Act makes it an offence to intentionally and unlawfully prevent the execution of an order under the Act, as well as to fail to comply with such an order. On conviction, the penalty is a fine of not less than three million Tanzanian Shillings or imprisonment for not less than one year, or both fine and imprisonment. This power was recently invoked against the directors of JamiiForums blog, an online forum where people engage in discussions on a wide variety of issues, including politics, while remaining anonymous. The JamiiForums directors were arrested and charged with an offence under section 22(2) for obstructing investigations after failing to comply with an order from a Zonal Crimes Officer to disclose information about offensive material used on the blog.
Then there are the interception provisions under the Electronic and Postal Communications (Investigation) Regulations. In terms of these Regulations, law enforcement officers have a mandate to obtain access to and intercept personal communication. Rule 5 of these Regulations provides that the interception may be done by the Director-General of Tanzanian Intelligence and Security Service, or the Director of Criminal Investigations, upon obtaining a warrant from the Inspector General of Police. This warrant will serve as a disclosure order against any person with access to encrypted or protected information.
Apart from these two officials, any other person is allowed to intercept communication under Rule 5 of the Investigation Regulations under the following circumstances: if the person is a party to the communications; has the consent of the person who is sending it; is the person to whom the communication is sent; is authorised by law; or is a bona fide interception of communications for purposes of provision, installation, maintenance or repair of the communications service.
Many gaps still to be closed
The lack of a comprehensive statute has left many gaps in respect of privacy and data protection. For example, among the laws discussed in this article, there is no express provision on data ownership and whether individuals whose information has been released have any power over it once it is under the control of third parties. There is also no provision relating to whether data can be transferred to a destination outside Tanzania with or without consent of the subjects. Neither is it clear if an individual has the right to demand their personal information be deleted from the records of the parties who collected it, even if this was for legitimate reasons.
Then there is the fact that the legal provisions are embodied in separate instruments, resulting in discrepancies, especially in relation to punishments. Under the Cybercrimes Act, an offence of interception of a private communication is punishable by a fine of 10 million Tanzanian Shillings, or imprisonment for a term of three years, while under the Investigation Regulations of 2017, the punishment for the same offence is a fine of 5 million Shillings, or imprisonment for one year. Under the Cybercrimes Act, an order of disclosure of information can be made by a police officer in charge of a police station, while under the Investigation Regulations of 2017, an order of disclosure of protected information must be made by the Inspector General of Police.
What is clear is that there is a need for a comprehensive statute on privacy and data protection. It is hoped that the Tanzanian Government can expedite the ongoing efforts at preparing the much-anticipated Bill on data privacy and protection.