Legal Research in Tanzania, by Ragab

MZUMBE UNIVERSITY
FACULTY OF LAW
RESEARCH REPORT
ON
THE EFFICACY OF LEGAL FRAMEWORK ON DATA PROTECTION IN

TANZANIA MAINLAND
BY: MARK-SILAS A. MALEKELA
SUPERVISOR: MR. EDWARD PROSPER LAIZER
RESEARCH REPORT SUBMITTED IN PARTIAL FULFILLMENT OF THE

REQUIREMENTS FOR AN AWARD OF THE BACHELOR OF LAWS (LLB)
DEGREE OF MZUMBE UNIVERSITY
2022
DECLARATION AND CERTIFICATION
I, MARK-SILAS ASHERY MALEKELA, do hereby declare that this Research
Report entitled “THE EFFICACY OF LEGAL FRAMEWORK ON DATA
PROTECTION IN TANZANIA MAINLAND” is my own original work and it has
not been submitted for a similar or any other degree in any other University prior to
this date of submission, at Mzumbe University.
Signature
…………………………………………
MARK-SILAS ASHERY MALEKELA
Date…………………………………….
I, ………………………………………………... do hereby certify that, I have read

this work and hereby recommend for acceptance by Mzumbe University.
Supervisor’s Signature
…………………………………………
MR. EDWARD PROSPER LAIZER
Supervisor
Date…………. Day of………………...2022
i
COPYRIGHT
This report is a copyright material protected under the Berne Convention of 1886,
the Copyright Neighboring Rights Act, No. 7 of 1999 [CAP 218, R.E. 2002] and
any other relevant laws on intellectual property. It may not be reproduced by any
means in full or in part, except for short extracts in fair dealings, for research or
private study, critical scholarly review or discourse with an acknowledgement,
without prior permission of the author or Mzumbe University on that behalf.
MARK-SILAS ASHERY MALEKELA
MZUMBE UNIVERSITY
2022
ii
ACKNOWLEDGEMENT
First and foremost, I praise and thank God who has been gracious to me and His
favour has made it possible to complete the research work successfully. His grace
and endless blessings gave me good health, mental calmness and strength which have
helped me succeed in this Report.
Secondly, I sincerely express my deepest and sincere gratitude to my supervisor MR.

EDWARD PROSPER LAIZER for allowing me the opportunity to research on the
topic and providing his intellectual advises, invaluable guidance, and regular
constructive criticisms, that has moulded this work to be the way it is. It was a great
privilege and honour to work and study under his guidance and supervision.
Besides my supervisor, I express gratitude to my ICT Law lecturers, Hon. Dr. Ubena
J, and Dr. Tupokigwe for the stimulating discussions that enlightened me and their
constructive support on the research topic.
I extend my sincerely gratitude to my dearest parents Mr & Mrs Ashery Malekela for
their challenge to critically learn and adopt analytical skills, and most importantly,
their sacrifices for educating and preparing me for my future. Also, I express my
thanks to my sister and friends for their support.
Lastly, I appreciate and recognize the contributions of all other persons who have
contributed in one way or another in making this study successful.
iii
DEDICATION
I dedicate this Research Report to my entire Family including my father Mr. Ashery
Malekela, my mother Mary A. Malekela, and my lovely sister Anne-Marie Malekela
for your moral support during the entire period of preparing this Research Report.
iv
LIST OF ABBREVIATIONS
CHRAGG - Commission for Human Rights and Good Governance
CHRAGGA - Commission for Human Rights and Good Governance Act, 2001
CIPESA - Collaboration on International ICT Policy in East & Southern

Africa
CURT - United Republic of Tanzania Constitution of 1977
EAC - East African Community
E-Government - Electronic Government
e-Id - Electronic Identity Card.
EPOCA - Electronic and Postal Communications Act, 2010
EU - European Union
GDPR - General Data Protection Regulation, 2018
GN - Government Notice
HIPSSA - Support for the Harmonisation of ICT Policies in Sub-Saharan

Africa
Ibid - Ibidem (In the same place)
ICCPR - International Covenant on Civil and Political Rights, 1966
ICT - Information Communication Technology
ID - Identity Card.
ITU - International Telecommunication Union
OECD - Organization for Economic Cooperation and Development
PDP - Personal Data Protection Directive (Directive 95/46)
TCRAA - Tanzania Communication Regulatory Authority Act, 2003
TCRA - Tanzania Communications Regulatory Authority
v
WSP - Wireless Service Providers
vi
TABLE OF CONTENTS
DECLARATION AND CERTIFICATION ............................................................. i
COPYRIGHT ............................................................................................................. ii
ACKNOWLEDGEMENT ........................................................................................ iii
DEDICATION ........................................................................................................... iv
LIST OF ABBREVIATIONS ................................................................................... v
TABLE OF CONTENTS ......................................................................................... vii
ABSTRACT ............................................................................................................... xi
LIST OF INTERNATIONAL LEGAL INSTRUNMENTS................................. xii
CHAPTER ONE ........................................................................................................ 1
DATA PROTECTION IN TANZANIA MAINLAND ........................................... 1
1.0 Introduction ............................................................................................................ 1
1.1 Background of the Problem ................................................................................... 2
1.2 Statement of the Problem ....................................................................................... 6
1.3 Research Objectives ............................................................................................... 8
1.3.1 General Objective................................................................................................ 8
1.3.2 Specific Objectives.............................................................................................. 8
1.4 Research Questions ................................................................................................ 8
1.5 Significance of the Study ....................................................................................... 8
1.6 Literature Review ................................................................................................... 9
1.7 Research Design and Methodology ..................................................................... 11
1.7.1 Scope of the Study ............................................................................................ 12
1.7.3 Data Collection Methods .................................................................................. 12
1.7.3.1 Collection of Primary Data ............................................................................ 12
1.7.3.2 Collection of Secondary Data ........................................................................ 12
1.7.3.3 Data Collection Instruments........................................................................... 13
1.7.4 Data Analysis and Presentation ......................................................................... 13
1.8 Limitation of the Study ........................................................................................ 13
1.9 Conclusion ........................................................................................................... 13
vii
CHAPTER TWO ..................................................................................................... 14
CONCEPTUAL FRAMEWORK FOR DATA PROTECTION IN TANZANIA
MAINLAND ............................................................................................................. 14
2.1 Introduction .......................................................................................................... 14
2.2 The Concept of Privacy ........................................................................................ 14
2.3 The Concept of Information or Data Privacy ....................................................... 16
2.4 Data Protection ..................................................................................................... 17
2.5 Personal Data ....................................................................................................... 18
2.6 Data Subject ......................................................................................................... 19
2.7 Data Controller ..................................................................................................... 20
2.8 Data Processor ...................................................................................................... 21
2.9 Data Processing .................................................................................................... 22
2.10 Data Protection principles .................................................................................. 22
2.11 Privacy in relation to Data Protection ................................................................ 23
2.12 Conclusion ......................................................................................................... 25
CHAPTER THREE ................................................................................................. 26
LEGAL AND INSTITUTIONAL FRAMEWORK ON DATA PROTECTION26
3.1 Introduction .......................................................................................................... 26
3.2 The Legal and Institutional framework governing Data Protection..................... 26
3.2.1 The Constitution of the United Republic of Tanzania ...................................... 26
3.2.2 The Electronic and Postal Communications Act .............................................. 27
3.2.3 The Electronic and Postal Communications Act (Consumer Protection)
Regulations................................................................................................................. 27
3.2.4 The Electronic and Postal Communications Act (Sim-Card Registration)
Regulations................................................................................................................. 28
3.2.5 The EPOCA (Online Content) Regulations ...................................................... 29
3.2.5 The Cybercrimes Act ........................................................................................ 29
3.2.6 The Electronic Transactions Act ....................................................................... 30
3.2.7 Access to Information Act ................................................................................ 30
3.2.8 The Registration and Identification of Persons Act .......................................... 31
viii
3.2.9 The International Covenant on Civil and Political Rights (ICCPR) ................. 31
3.2.10 Convention for the protection of individuals with regard to the Automatic
Processing of Personal Data ....................................................................................... 31
3.2.11 The EU General Data Protection Regulation .................................................. 32
3.2.12 The Institutional framework on Data Protection ............................................. 33
3.2.12.1 The TCRA .................................................................................................... 33
3.2.12.2 The Judiciary ................................................................................................ 33
3.2.12.3. Tanzania Computer Emergency Response Team (TZ – CERT) ................. 33
3.2.12.4 The Commission for Human Rights and Good Governance (CHRAGG) ... 34
3.2.12.5 National Identification Authority (NIDA) ................................................... 34
3.2.12.6 Organization for Economic Co-operation and Development (OECD) ........ 35
3.2.12.7 The Human Rights Committee..................................................................... 35
3.3 The Legal and Institutional framework at Regional Level .................................. 35
3.3.1 The South African Development Community Model Law on Data Protection
(SADC Model Law) ................................................................................................... 36
3.3.2 The African Union Convention on Cyber security and Personal Data Protection
.................................................................................................................................... 36
3.3.3 The African Declaration on Internet Rights and Freedoms (AfDec) ................ 37
3.3.4 Collaboration on ICT Policy in East and Southern Africa (CIPESA) .............. 38
3.7 Conclusion ........................................................................................................... 39
CHAPTER FOUR .................................................................................................... 40
DATA PRESENTATION AND FINDINGS .......................................................... 40
4.1 Introduction .......................................................................................................... 40
4.2 Data Presentation and Analysis............................................................................ 40
4.3 The legal framework on data protection in Tanzania Mainland .......................... 40
4.3.1 The right to privacy and personal data protection ............................................. 41
4.3.1.2 Communication Surveillance and absence of legal safeguards in SIM-Card
Registration ................................................................................................................ 42
4.3.1.3 Access of personal data on Online Contents .................................................. 43
4.3.1.4 Protection against illegal data interference .................................................... 44
ix
4.3.1.5 Processing of personal data for identification and registration is not protected
by law ......................................................................................................................... 45
4.4 Tanzania Mainland’s Data Protection Legal Framework fails to adequately
protect personal data .................................................................................................. 46
4.4.1 The protection of personal data in National Identification (NIDA) Registration
.................................................................................................................................... 47
4.4.2 Protection of personal data in registration of SIM Cards .................................. 48
4.4.3 Effectiveness of the TCRA in protection of personal data ............................... 52
4.5 Conclusion ........................................................................................................... 55
CHAPTER FIVE...................................................................................................... 56
CONCLUSION AND RECOMMENDATIONS ................................................... 56
5.1 Introduction .......................................................................................................... 56
5.2 Conclusion ........................................................................................................... 56
5.3 Recommendations ................................................................................................ 57
5.3.1 Recommendations to the Government of the United Republic of Tanzania .... 58
5.3.1.1 Exploration of financial mechanisms for a data protection authority ............ 58
5.3.3.2 Development of the Policy on data protection ............................................... 58
5.3.2 Recommendations to Civil Societies ................................................................ 58
5.3.2.1 Raising legal awareness on protection of personal data................................. 58
5.3.2.2 Comprehensive research on data protection and privacy ............................... 59
BIBLIOGRAPHY .................................................................................................... 60
x
ABSTRACT
The Tanzanian Constitution provides for the right to privacy. However, despite
several pieces of legislations addressing on privacy, Tanzania does not yet have a
single, comprehensive data protection legislation which provides for detailed
provisions on how data is to be collected, processed and protected. The main
objective of this Research was to examine the efficacy of the existing data protection
legal framework in Tanzania mainland.
The study employed library research methodology that involved the review of
various laws and literatures on data privacy and protection to determine what is the
current legal framework on data protection in Tanzania mainland and to what extent
is the existing legal framework sufficient in protection of personal data. Findings
have shown that there are pieces of legislations each attempting to provide for data
and privacy protection for specific purpose as enacted. However, there is lacuna in
the legislations touching upon data and privacy protection in Tanzania mainland as
there is no comprehensive legislation enacted to exclusively deal with data protection
and privacy matters.
Therefore, the current regulatory framework for data protection does not sufficiently
cater for data protection since if resort is made to the existing laws that to some
extent cover on the protection of personal data as discussed, the legal framework
does not sufficiently guarantee personal data privacy and protection in the
cyberspace in Tanzania Mainland.
The study recommended the government of Tanzania to explore mechanisms and

viable solutions that will help to educate citizens and raising awareness on data
protection and privacy before enacting the law as this will ensure a balanced
relationship where all parties are aware of their rights and responsibilities;
establishing a data protection authority and finally enacting a comprehensive data
protection and privacy legislation for Tanzania mainland.
xi
LIST OF INTERNATIONAL LEGAL INSTRUNMENTS
African Declaration on Internet Rights and Freedoms (AfDec), 2014
Convention for the protection of individuals with regard to the Automatic Processing
of Personal Data, CETS No. 108 0f 1980
EU Data Protection Directive 95/46/EC
General Data Protection Regulation (GDPR), 2018
The African Union Convention on Cybersecurity and Personal Data Protection, 2014
(AUCC)
The Convention for the Protection of individuals concerning Automatic Processing

of Personal Data, ETS No. 108.
The International Covenant on Civil and Political Rights of 1966
The South African Development Community Model Law on Data Protection (SADC
Model Law), 2013
LIST OF LEGISLATIONS
The Constitution of the United Republic of Tanzania, [1977], (2008 Edition as
amended).
Access to Information Act, No. 9 of 2016
Cybercrimes Act, 2015
Data Protection Act, 1984 (United Kingdom)
Data Protection Act, 2018 (Kenya)
Data Protection and Privacy Act, 2019 (Uganda)
Information and Communication Technology Act, 2016 (Rwanda)
Tanzania Intelligence and Security Service Act, 1966
The CHRAGG Act, [CAP 391, R.E. 2002]
The Cybercrimes Act, (2015).
xii
The Electronic and Postal Communications (Consumer Protection) Regulations,
(2018).
The Electronic and Postal Communications Act (SIM Card Registration)

Regulations, G.N. No. 112 of 2020
The Electronic and Postal Communications Act, (2010).
The Electronic Transactions Act, 2015
The EPOCA (Consumer Protection) Regulations, 2018
The EPOCA (SIM-Card Registration) Regulations, 2020.
The Registration and Identification of Persons Act, [CAP 36, R.E. 2012]
The Tanzania Communications Regulatory Authority (Act No.12 of 2003)
LIST OF CASES
Abdallah Shabani Madege v. The Republic, Crim Appeal No. 101 OF 2020 [19th
April 2021] TZHC, (Unreported).
Common Services Agency v. Scottish Information Commissioner, [2008] UKHL 47
Data Protection Registrar v. Griffin, [1994] Privacy Law Policy Reporter 37
Deogras John Mhando v. Managin Director Tanzania Beijing Huayuan Security

Guard Service Co. Ltd, Civil Appeal No. 110 of 2018 (2020).
Google Spain v. Mario Costeja Gonzalez, CJEU ruling No. C-131/12
Irene Uwoya v. Global Publishers Ltd and Others, Civil Cause No. 83 of 2013, High
Court of Tanzania, Dar es Salaam, (Unreported).
Jamii Media Company Ltd v. The Attorney General and Inspector General of Police,
Misc. Civil Cause No. 9 of 2016, High Court of Tanzania (Main Registry).
Jebra Kambole v. Attorney General, Misc. Civil Case No. 32 of 2015, High Court
(Main Registry).
Lindqvist v. Kammaraklagaren, November 6, 2003. ECJ Case C-101/01
xiii
National Media Ltd v. Jooste [1996] 3 SA 262 (A) 271.
Republic v. Hassan Bwire Hassan and three others, Economic Case No. 16 of 2021
xiv
CHAPTER ONE
DATA PROTECTION IN TANZANIA MAINLAND
1.0 Introduction
Personal data protection is a right derived from the right to privacy.1 In the current
digital age, personal data protection is of utmost importance for the safeguard of the
right to privacy.2 Tanzania guarantees the right to privacy in the Constitution.3 The
Constitutional right to privacy is however, not absolute and its implementation
depends of other pieces of legislation to provide for the substance of the right
enforcement mechanism as clearly stated in Sub-articles 2 to Articles 16 and 15 of
the Constitution.4
The government and private bodies physically collect a great volume of personal
data for various purposes through physical files. In respect with the upsurge of
technology, many African countries, including Tanzania, are continually trying to
upgrade their national identification systems to include the use of biometrics.5 This
increased data collection and processing raises attention the safety of personal data
owing to the absence of appropriate safeguards to storage and processing of personal
data which calls for a need to examine the laws that protect personal data that will be
contained in these databases.6
The growths of technology make the privacy of personal information become an

important issue in most countries, including Tanzania. Personal data is utilized in
most of our activity and in that; the advancement of technology cannot neglect the
privacy and protection of personal data.7
1
Deogras John Mhando v. Managin Director Tanzania Beijing Huayuan Security Guard Service Co.
Ltd, Civil Appeal No. 110 of 2018 (2020). Page 11
2
Makulilo, A. (Ed). (2016). African Data Privacy Laws. Page 165
3
Article 16 (1) (a) of the Constitution of the United Republic of Tanzania, 1977. (2008 as amended).
4
Ibid
5
CIPESA, (2018). State of Internet Freedom in Africa: Privacy and Personal Data Protection in
Tanzania. Page 2
6
Tanzania. Page 2
7
Tanzania. Page 4
1
Abusing of personal data could leak the information that exists within this data to the
public.8 One of the cases related to personal data abuse is registration of mobile
phone SIM cards using one person’s personal information without the consent of
personal data owner or the data subject.
Therefore, the importance of privacy and data protection has reportedly gained
attention in recent years as there has been an upsurge in the use of personal data in
Tanzania; which leads to the need for better rules on data protection.9 It is therefore
an undeniable fact that there is an immense amount of information extracted from the
people within this Jurisdiction, which calls for an effective mechanism to protect
such information from any abuse or improper use.10
1.1 Background of the Problem

Data Protection concerns have gained importance in modern societies following the
rise of the computer and development of information and communication
technologies. Threats to privacy spread to almost every corner of the globe.11 The
earliest formal international legal framework for data protection includes; the OECD
(Privacy Guidelines) and the Convention for the Protection of Individuals with
regard to the Automatic Processing of Personal Data, 1981 of the Council of Europe.
The rules in those laws provide principles that require that personal data must be
obtained fairly and lawfully, used only for the specified purpose.12
In 1990, the United Nations Guidelines for the Regulation of Computerized Personal
Data Files and the EU Directive 95/46/EC were adopted. The Data Protection
Directive set a benchmark for national law harmonizing law throughout the European
Union. It became the most influential law in the privacy law reforms in non-EU
countries as exerted by its article 25 which imposes an obligation on EU member
states to ensure that personal information relating to European citizens is covered by
8
Makulilo, A. (Ed). (2016). African Data Privacy Laws. Page 176-178
9
Victoria Nyawira Gitau and Louisa Ochilo. (2017). Data Protection in East Africa. Page 2-3
10
Melamari, N. (2013). The challenges and the need of legal framework for data protection in
Tanzania: case study of Tanzania national identification authority (NIDA). Page 4
11
Makulilo, A.B.(Ed), (2016). African Data Privacy Laws. Bremen, Germany: Springer International
Publishing. Page 3
12
Publishing. Page 18
2
law when it is exported to and processed in countries outside Europe. In turn, this
became a major reason as to why African countries have adopted or plan to adopt
comprehensive data protection laws to secure better chances for off-shoring business
from Europe.13
In East Africa, Rwanda enacted a data protection legislation, the Information and
Communication Technology Act, 2016; Uganda enacted the Data Protection and
Privacy Act, 2019; and Kenya enacted the Data Protection Act, 2018 which address
among other issues, the export of personal data outside to the EU as recommended
under the GDPR that organisations use approved codes of conduct that address on
the transfer of personal data outside to the European Union14 since non-EU
organizations will be subject to the GDPR were personal data about EU data subjects
is processed when offering of goods and services or businesses is conducted with the
EU member states.15
However, the established data protections from these countries cannot be simply
copied to Tanzania due to the difference in societal and cultural contexts, as personal
privacy and data protection is determined by the individual or societal culture in a
specific area. In the Tanzanian context, the concept of privacy and data protection is
relatively new as Tanzania is mentioned to have a difficult history of the right to
privacy despite its inclusion of the Bill of Rights after her independence to an
unsuccessful enactment of the right to privacy and data protection law. 16 In Deogras
John Marando v. Managing Director, Tanzania Beijing Huayuan Security Guard
Service Co. Ltd17, the Court stated that privacy rights are not much well established
in our jurisdiction.
13
Publishing. Page 18
14
Information Commissioner’s Office. (2nd August 2018). Guide to the General Data Protection
Regulation (GDPR). Page 200
15
The Citizen. (Saturday, 20th April 2019). Reforming Tanzania Data Privacy and Protection Regime.
Available at: Accessed on 3rd November, 2021.
16
17
Deogras John Marando v. Managing Director, Tanzania Beijing Huayuan Security Guard Service
Co. Ltd, Civil Appeal No.110 of 2018 (27th March 2019). Page 11
3
In 1984, the Constitution of the United Republic of Tanzania was amended for the
fifth time giving the Bill of Rights force of law and in March 1988, the Bill of Rights
became operational with the right to privacy among the guaranteed and protected
rights, as provided under Article 16(1) (2) of the Constitution of the United Republic
of Tanzania.18 The right to privacy and data protection is not absolute and its
implementation depends on other legislation to provide for the substance of the
right.19
As of 2013, the laws in place to provide for data protection were the Constitution of
the United Republic of Tanzania, the Electronic and Postal Communications Act,
2010, and the Consumer Protection Regulations. Other laws included, the
Cybercrimes Act, 2015 and the Tanzania Intelligence and Security Services Act,
1996 which appear to protect privacy right on one hand and allow for surveillance of
personal information and communication without safeguards against infringements
on privacy and data protection right.20 Tanzania introduced a Draft Privacy and Data
Protection Bill which marked the beginning of reforms in the sphere of data
protection legal regulation. No substantive law on the right to privacy has ever been
enacted to provide context or substance of the rights.21
Tanzania received support through the Harmonisation of ICT Policies in Sub-

Saharan Africa (HIPSSA) project including financial, technical and expert support
from the International Technology Union (ITU) and the European Union.22 As of
2014, the Bill applying to Tanzania mainland only was renamed upon agreement to
‘Draft Data Protection Bill’ which incorporated the SADC Model Law on Data
Protection and the GDPR which emphasise on the central role of the data subject’s
18
The Constitution of the United Republic of Tanzania, 1977 (as amended, 2008); Makulilo, A. (Ed).
(2016). African Data Privacy Laws. Page 168.
19
Article 16(2) of The Constitution of the United Republic of Tanzania, 1977 (as amended, 2008).
20
Tanzania: Challenges and Trends. Page 4
21
Publishing. Page 170
22
Publishing.Page173
4
consent to legitimise processing activities.23 The attempt to pass the Draft Data
Protection Bill failed since it omitted consent as a condition for processing personal
data as it amounts to tort or breach of the right to privacy if one uses another’s
personal data without his or her consent.24 In turn, the Draft Data Protection Bill was
criticised as effectively inoperable despite its similarities to data protection
legislation in other countries.25
In 2014, the government also expanded its nationwide programme of issuing

biometric National Identity Cards to its citizens and residents where in 2015; the
Biometric Voters Registration System was introduced.26 In 2015, Tanzania enacted
the Cybercrimes Act, 2015 which under Section 32 empowers police officers to
demand the disclosure of personal data of internet users from internet service
providers or online content providers such as bloggers and owners of online
platforms.27 Furthermore in 2018, the government passed new regulations which
pose as a threat to the right to privacy and data Protection as The Tanzania
Communication Regulatory Authority demanded that all telecom operators start
registering their subscribers by using biometric data, which are fingerprints.28
Despite the good intention of the government in the value and use of biometric
technology to identify its citizens, the absence of proper safeguards and
comprehensive data privacy and protection law means that data collected is at risk of
being abused.29 Furthermore, following the rapid advancement of technology and the
23
Publishing. Page 176, 185
24
Co. Ltd, Civil Appeal No.110 of 2018 (27th March 2019). Page 8 – 9
25
Bryant, J. (13th March 2020). Fact Sheet: Tanzania. Page 1, Available at https: // data protection.
africa/ Accessed on 14th November 2021.
26
Tanzania: Challenges and Trends. Page 4
27
Section 32 of the Cybercrimes Act, 2015; CIPESA (2018). State of Internet Freedom in Africa:
Privacy and Personal Data Protection in Tanzania: Challenges and Trends. Page 5.
28
The Electronic and Postal Communications Act (SIM Card Registration) Regulations, G.N. No. 112
of 2020; CIPESA, (2018). State of Internet Freedom in Africa: Privacy and Personal Data Protection
in Tanzania: Challenges and Trends. Page 5
29
Tanzania: Challenges and Trends. Page5
5
growing demand for privacy, it is against this background that this study is focused
on the efficacy of the legal framework on data protection in Tanzania Mainland.
1.2 Statement of the Problem

Data Privacy may be translated to an individual condition of life involving exclusion
from publicity, all those personal facts which the person himself at the relevant time
determines to be excluded from the knowledge of outsiders.30 The Constitution of the
United Republic of Tanzania provides for the right of privacy under Article 16, and
requires the State under Article 16(2), to pass the necessary legal procedures under
which the enjoyment of the right to privacy may be limited.31 Despite the Tanzanian
Constitution providing for the right to privacy, Tanzania does not yet have a single,
comprehensive data protection legislation which provides for detailed provisions on
how data is to be collected, retained and handled. As a result, many people end up
airing their grievances, and concerns in blog discussions and other interactive social
media on their right to privacy.32
The existing provisions on data protection found in a number of legislations include;

The Electronic and Postal Communications Act (EPOCA), (2010) which imposes a
duty of confidentiality of information on network service licensees or operators,
agents and customers and it prohibits disclosure of information without
authorization.33 The EPOCA (Consumer Protection) Regulations, (2018) which
require a licensee to protect consumer information against improper or accidental
30
Blume, P. (2010). Data Protection and Privacy. P. Wahlgren. (Ed). Information & Communication
Technology Legal Issues. Scandinavian Studies in Law Vol 56, Page 153. See also, Makulilo, A. (Ed).
(2016). African Data Privacy Laws. Page 16-17.
31
Article 16 of The Constitution of the United Republic of Tanzania, [1977], (2008 Edition as
amended).
See also, Makulilo, A. (Ed). (2016). African Data Privacy Laws. Page 18
32
Article 16 of The Constitution of the United Republic of Tanzania, [1977], (2008 Edition as
amended).
See also, Makulilo, A. (Ed). (2016). African Data Privacy Laws. Page 18,171. In East Africa, Rwanda
enacted a data protection legislation, the Information and Communication Technology Act, 2016;
Uganda enacted the Data Protection and Privacy Act, 2019; and Kenya enacted the Data Protection
Act, (2018).
33
Sections 98 & 99 of The Electronic and Postal Communications Act, (2010).
6
disclosure.34 The EPOCA (Online Content) Regulations, (2020) which imposes a
duty on any person holding users’ information to not disclose the information except
to a law enforcement agency when required to do so under the Regulations or the
EPOCA and the Cybercrimes Act, (2015) which provides for protection against
illegal data interference.35 The EPOCA (SIM Card Registration) Regulations
necessitate for a data protection legislation applicable to the situation, and its
compliance,36 due to the extraction of personal and sensitive information from all
persons in Tanzania.
The pieces of legislations referred above are devoid of clear provisions on,
individuals’ power of access to their personal data; and on an individual’s right to be
forgotten even if the information was legitimately captured and recorded making
them not sufficient to account for and regulate the dynamic nature of handling
personal data in the modern digital world.37
In turn, with the registration of SIM Cards, for example, as shown in the case of
Abdallah Shabani Madege v. The Republic,38 where mobile operators or their agents
collect information from their customers; identity theft has become common in
Tanzania since criminals hack and ‘steal’ personal data stored in operators’ databases
and use them by blocking the user of communication services for a limited time and
use the services at data subject’s expenses or using data subject’s credentials and
phone number to fraudulently collect money on data subject’s name or behalf
implicating data subjects.39
34
Regulation 6 of the Electronic and Postal Communications (Consumer Protection) Regulations,
(2018).
35
Section 7 of the Cybercrimes Act, (2015).
36
Regulation 17 (c) of The Electronic and Postal Communications Act (SIM Card Registration)
Regulations, G.N. No. 112 of 2020
37
The Citizen. (Saturday, 20th April 2019). Reforming Tanzania Data Privacy and Protection Regime.
Available at: https://www.thecitizen.co.tz/tanzania/oped/-reforming-tanzania-data-privacy-and-
protection-regime-2678022 Accessed on 3rd August 2021. See also, Robertson, T. (14 th January 2020).
Senegal to Review Data Protection Law. Available at: https://cipesa.org/2020/01/senegal-to-review-
data-protection-law/ Accessed on Tuesday, 10th Aug 2021.
38
Abdallah Shabani Madege v. The Republic, Crim Appeal No. 101 of2020 [19th April 2021] TZHC,
(Unreported).
39
Regulations, G.N. No. 112 of 2020 necessitates for a detailed data protection and privacy legislation
7
This situation necessitates a study to be undertaken to assess the efficacy of the
current legal framework on data protection in Tanzania mainland on, individuals’
power over the information that they supply; and on an individual’s right to demand
the anonymity and deletion of his information that has been captured and recorded.
1.3 Research Objectives

The researcher was guided by the following General and Specific objectives:
1.3.1 General Objective

The Main objective of this research was to examine the efficacy of the existing data
protection legal framework regime in Tanzania mainland in protection of personal
data.
1.3.2 Specific Objectives

i. To assess the efficiency of the data protection legal framework in Tanzania
mainland.
ii. To examine privacy and data protection laws in Tanzania.
iii. To assess the effectiveness of data protection enforcement machinery or

institutions in Tanzania.
1.4 Research Questions

The Research sought to answer the following questions:
i. What is the current data protection legal framework in Tanzania mainland?
ii. To what extent is the existing legal framework on data protection sufficient in
protection of personal data?
1.5 Significance of the Study

The study assists the improvements of our Data Protection laws since personal data
deserves protection of the law as it concerns with privacy. Data Protection laws have
to be legally recognized so that every individual enjoys their exclusive right to
applicable in the situation. See also, State of Internet Freedom in Africa, (2018). Privacy and Personal
Data Protection in Tanzania: Challenges and Trends. Page 13-14. See also, ISS Africa. (1st July
2020). More Questions than Answers: Tanzania’s mandatory SIM Card registration. Available at:
https://issafrica.org/iss-today/more-questions-than-answers-tanzanias-mandatory-sim-card-registration
Accessed on 5th August 2021.
8
protect his/her information as has also been given adequate protection in other
common law jurisdictions like Kenya and Nigeria.
The study serves the purpose of providing an in-depth understanding of the critical
issues surrounding Data Protection in Tanzania mainland and individuals’ exclusive
right to protection of their personal data and abuse by third parties and contributing
on the movement for having an efficient Personal Data Protection Legal Framework
in Tanzania mainland.
The research emphasizes and exposes the legal issues surrounding data protection
and inadequacy in data protection policies and laws, promoting and protecting the
right to personal data protection as development and technology cannot be separated;
at the same time the rights of the users of such technology cannot be jeopardized for
the sake of enhancing the development. Therefore, the right of privacy and data
protection must be legally recognized and protected.
1.6 Literature Review

To start with, Alex B. Makulilo40 states in his article that the concept of protection of
personal data is concerned with the concept of information privacy. The term ‘data
protection’ is used to refer to “information privacy” and thus the terms
interchangeably refer to protection of personal data. The author portrays that data
protection and privacy have similar objectives discussing on protecting a person’s
information to secure privacy rights. The author has not shown the distinction
between the obligation to disclose personal data and the privacy rights.
The report of Collaboration on ICT Policy in East and Southern Africa

(CIPESA)41 issued in 2015 stated that many African countries have some outdated
provisions which place restrictions on the types of information that can be disclosed.
It observed that Tanzania’s Constitution42 states under Article 16 and 18 about the
protection of privacy and personal data but yet there are no laws which are set forth
for implementing such rights. Despite the delivery of the CIPESA report, the report
40
Makulilo, A.B, Privacy and Data Protection in Africa: State of the art, International Data Privacy
Law Journal Vol. 2(3) (2012) pp. 163-178
41
An organization which deals with the protection and promotion of the right to privacy and catalyses
the access to information in the United Republic of Tanzania.
42
The Constitution of the United Republic of Tanzania, 1977 (as amended, 2008)
9
has not provided for the major measures to be undertaken to ensure the
implementation and enforcement of the rights to privacy and data protection in
Tanzania.
Ubena John43 in his article states that Tanzania as a state is behind in protection of
the right to privacy and data protection. The author examined the legal system of
Tanzania regarding to the protection of the right to privacy and how it is treated as a
right. The author condemns the tendency of the Tanzanian legal system to refer the
right to privacy as a mere tortuous liability thus it is seen as a matter with no strict
concern. However, the author has not assessed how protection of personal data is
executed and enforced without infringing an individual’s right to privacy.
Sathe, S. P44 states that data protection collides with the right to privacy, arguing that
they may bring about a legal action and thus the need of the laws of privacy being
compatible with the right to data protection and freedom of speech and information.
The author has focused on how different laws are in conflict with the right to privacy
and has not examined how to establish a stability of ensuring the enforcement of the
right to privacy and data protection.
Patricia Boshe45 in her article states that the right to privacy is provided for under
Article 16 of the Constitution of the United Republic of Tanzania guarantees for a
private life against unwarranted interceptions. The author argues that the provision
only provides a shadow in protection of right to privacy and not explicitly to personal
data and prohibition against interceptions of communication. The author has
illustrated that even though the provision is the only resort in securing privacy and
protection of personal data, the provision has never been interpreted by Tanzanian
courts in relation to protection of personal data.
43
Dr. Ubena, J., Privacy – a forgotten right in Tanzania, Tanzania Lawyer, 1/2JTLS 2012, pp. 72-114
44
Sate, S.P. (2006). Right to information, 1st Edition. New Delhi India: LexisNexis Butterworth’s.
45
Boshe, P, (2013)., Interceptions of communications and the right to privacy: Commentary on Zitto
Zuberi Kabwe’s political saga, Open University Law Journal, Vol. 4, No.2:1-5
10
Patricia Boshe46 in a Chapter on ‘Data Privacy Law Reforms in Tanzania’ states
that the right to protection of personal data is derived from the individual right to
privacy. The author explores the background of the protection of privacy and
comments that the attitude in most Tanzanians does display prudence in neither data
protection nor personal privacy; individuals post personal data on social media
without assessing the implications of their actions to their privacy and protection of
personal data. The author states that by 2013 Tanzania decided to reform her
framework for the protection of personal data and individual privacy by introducing
the Draft Personal Data Protection Bill where the author analysed it and describes the
weakness of the Draft Personal Data Protection Bill, 2014 which led to its criticism
by omitting one condition for processing and adding a condition to Commissioner’s
duties which are not usually found in data protection codes. However, despite a great
analysis on the data privacy law reforms in Tanzania and the weakness of the Draft
Data Protection Bill, 2014, the author has not provided for the major measures to be
undertaken to ensure the implementation and enforcement of the rights to privacy
and data protection in Tanzania.
1.7 Research Design and Methodology

This is qualitative research based on library research design, through which the
researcher conducted his study on the efficacy of legal framework on Data Protection
in Tanzania Mainland. Tools and other instruments involved in collecting data which
are relevant and with good quality and efficiency were applied.
The study involved literature and documentary review where these research
instruments enabled the collection of data to ensure good and proper organization of
sources through which the research is based.
The methodology of the study is library research. Library research involved reading
books, articles, journals, statutes, Conventions, regulations, court decisions and other
materials on Data Protection in Tanzania. Also, reading various literatures that have
been written on personal data protection in Europe, Africa and East Africa.
46
Makulilo, A.B.(Ed), (2016). African Data Privacy Laws; Data Privacy Law Reforms in Tanzania.
Bremen, Germany: Springer International Publishing. Pp. 161-186
11
1.7.1 Scope of the Study
The scope simply means the boundary of the study showing the limits or coverage of
study in terms of subjects, methods, objectives, facilities, area, time frame, and the
issues to which the research is focused.47 The study was conducted in the field of
Constitutional law and ICT law specifically focusing on the right to privacy and
protection of personal data through examination of the laws governing privacy rights
and data protection in Tanzania mainland and the efficacy of the legal framework on
data protection. The researcher examined several laws enacted from 2013 addressing
the recognition of the right to privacy and data protection up to date. This time frame
enabled the researcher to conduct a study that shows the emergence of privacy and
data protection debates and enactment of provisions of various laws to protect
privacy and personal data in Tanzania so as to fulfil the desired objectives of the
study.
1.7.3 Data Collection Methods

In the course of conducting the research, primary and secondary sources of data were
used to obtain the required data through literature and documentary review. Primary
sources of data included several legislations and case law while secondary sources of
data included journal articles, books, published reports, and websites.
1.7.3.1 Collection of Primary Data

The study employed documentary review method in collection of primary data.
These included cases which are reported or unreported, principal and subsidiary
legislation as well as conventions. For reported cases, the study used the Tanzania
Law Reports and the yearly index of cases including Tanzlii database were used for
unreported cases, and legislations.
1.7.3.2 Collection of Secondary Data

The study employed literature review method in collecting data from books, journals,
articles, reports and newspapers, as secondary data. The study involved collection of
secondary data from sources like published and unpublished resources materials
47
Msabila, D.T. & Nalaila, S.G. (2013). Research Proposal and Dissertation Writing: Principles and
Practice. Dar es Salaam: Nyambari Nyangwine Publishers. Page 20
12
which cover the area of Data Protection in Tanzania and worldwide such as books,
published reports, journals, articles and websites.
This method enabled the researcher to get more knowledge on the problem to be
researched and also to know what has been addressed by other researchers to avoid
repetition of the research.
1.7.3.3 Data Collection Instruments

The study used literature review as an instrument of data collection which enabled
the researcher to analyse the data. The study was mainly be conducted by the use of
documentary review on Laws, Regulations, and literature review on articles, reports
and other researchers works. Documents and Literature regarding Data Protection
were reviewed and important information gathered assisted in explanation of finding.
1.7.4 Data Analysis and Presentation

Qualitative data analysis technique was used to analyse data collected. The
Qualitative data relevant to the study was given in an analytical reporting manner
that indicates major findings and analysis, discussion and recommendations.
1.8 Limitation of the Study

Data protection laws are not indigenous of any African nation since they originated
from Western nations. However, being framed as a broad right, it has not been well
enforced. There is little case law based on constitutional right to privacy and data
protection in Tanzania. So far there is little case law developed around data
protection and it is not clearly known how this right is exercised in practice.
1.9 Conclusion
This chapter contains all the necessary components in conducting a research study.
As such, a reader can properly understand the problem that exists by reviewing this
chapter. This chapter is also advantageous to the researcher as it acts like a roadmap,
guiding the researcher on the proper way on tackling the problem and in the event the
researcher has lost track, this chapter serves as a reminder on how to best approach
the research problem.
13
CHAPTER TWO
CONCEPTUAL FRAMEWORK FOR DATA PROTECTION IN TANZANIA
MAINLAND
2.1 Introduction
The study covers on the efficacy of the legal framework on data protection in
Tanzania mainland. This chapter provides an understanding of different concepts on
privacy, information privacy on personal data, data protection, data subjects, data
controllers, data processors, and privacy in relation to data protection. This chapter
gives the reader a view on what really is data protection, how an individual’s
personal data is legally protected and why it is currently relevant and important to the
society as well as the effectiveness of the legal framework on data protection to meet
the objective of this study.
2.2 The Concept of Privacy

Privacy is a contextual term since several societies or nations have a diversity on
what privacy is and who is entitled to privacy as well as what constitutes to an
invasion of privacy. It is a complex task to have a clear and uniform definition of
privacy. A clear understanding of privacy and specifically in relation to information
sets a benchmark for understanding data protection. In simple terms, the word
privacy can be defined as a right to some individual independence and control of an
individual’s physical space and their immaterial life. In that, privacy is concerned
with the relationship between an individual and other people where an individual has
some autonomy or independence besides being part of the community.48
Various scholars have tried to explain and define privacy. According to Blume49,
privacy is concept about a right to make decisions concerning the role of the
individual in the physical space and provides protection of the ideas and information
related to the individual person.
48
Bygrave, A. L. (2010). Privacy and Data Protection in an International Perspective. P, Wahlgren.
(Ed). (2010). Information &Communication Technology Legal Issues; Data Protection and Privacy.
Page 152
49
Blume, P. (2015). Data Protection and Privacy. Scandinavian Studies in Law, Vol 56. Page 153
14
Judge Cooley50, defined privacy as ‘the right to be left alone’ which has also been
opined by Ian Lloyd51 and Warren and Brandeis.52
Westin53also explained privacy as a right of the people to be secure in their persons,

houses, papers, and effects, against unreasonable searches and seizures that shall not
be violated. It means the claim of individuals, groups or institutions to determine for
them when and how and to what extent information about them is communicated to
others.
Neethling54 also attempted to define privacy and his theory is that, privacy is an
individual condition of life characterized by the exclusion from publicity. The
Supreme Court of Appeal of South Africa also cited Neethling’s definition of privacy
in the case of National Media Ltd v. Jooste.55 This definition also falls under the
class of definitions that relate to what was termed as information control as
propounded by Westin and Blume.56
Modern technologies and globalization have raised concerns of privacy in the world.
Privacy therefore centres at providing protection of the ideas and information related
to individuals since the integrity of persons may not be violated when others use
information related to them.57
The concept of privacy therefore concerns with an individual’s ability to control his
or her information and things related to their situations, issues or activities besides
being part of the community.
50
Martin, E.A. (1997). Oxford Dictionary of Law, 4th Edition: London: Oxford University Press, Page
354.
51
Lloyd, I. (2017, 8th Edition). Information and Technology Law. Page 24
52
Warren & Brandeis. (1890). The Right to Privacy: Harvard Law Review, IV (5)
53
Westin, A.F. (1967). Privacy and Freedom. London: Bodley Head.
54
Neethling. (2005). Vol. 122, No. 1, at Page 19
55
National Media Ltd v. Jooste [1996] 3 SA 262 (A) 271.
56
57
Wahlgren, P. (Ed). (2010). Information & Communication Technology Legal Issues; Data
Protection and Privacy. Page 153
15
2.3 The Concept of Information or Data Privacy
Information or data may be defined as any information that is recorded in a material
form or not, from which the identity or an individual is apparent or when put together
with other information would lead to a certain identification of an individual.58
Information privacy or data privacy refers to the protection on the collection, use,
and disclosure of personal information. Information privacy concerns with the right
to live a free life from the attention of others or monitoring and control on the use of
a sought information and to what extent it is disseminated by a third party.59
Ubena60 points out information privacy includes the confidentiality of personal

information that identifies or may identify or could lead to the identification of a
particular person. He further asserts that, for a clear understanding on the concept of
information or data privacy, it is inevitable to consider other jurisdictions and their
legislative documents on data privacy.
The General Data Protection Regulations (GDPR)61 provides that personal data, that
is, an individual’s personal information is what shall be protected. The definition of
personal data in the GDPR expounds that personal information is protected by the
law. The rationale behind information privacy is to maintain people’s integrity or
tranquillity since it is important that people are un-interfered.62
Information privacy is therefore considered a subset of general privacy as it

specifically focuses on the aspect of privacy that relates to information as opposed to
other forms like territorial privacy, bodily privacy and others. Data or information
privacy deals with the rules that govern the collection and handling of personal data,
which includes information that identifies a natural living individual.63
58
Mwakilasa, T. (2018). The right of Privacy and duty to disclose information in Tanzania. Page 32
59
Mwakilasa, T. (2018). The right of Privacy and duty to disclose information in Tanzania. Page 17.
60
Ubena John, Privacy-a forgotten right in Tanzania, Tanzania Lawyer, 1/2JTLS, 2012, pp.72-114at
Page 6
61
Article 2 of the GDPR, 2018
62
Ibid
63
Makulilo, A. (2016). (Ed). African Data Privacy Laws. Page 17
16
2.4 Data Protection
Data protection is information or data privacy in the digital technology age where
there is an increase in the capacity to access data through the use of computers which
make it possible to merge and mix data. Data Protection refers to the legal rules and
principles that are aimed at regulating the extent and under which conditions
personal data may be used and processed.64 Currently data protection has become
necessary because of the development of science and technology in a globalized
world which accounts for the regulation of the dynamic nature of handling personal
data in the modern digital world.
Authors Gitau and Ochilo65 state that data protection is greatly aimed at safeguarding
the right to privacy which is of utmost importance in the current digital age. They
assert that a proper understanding of the right to privacy is ideal in safeguarding data
protection in the digital age. Sieghart66 also defines data protection as simply
meaning that the right people only get the right information for the right purposes
since everyone has the right to the protection of personal data concerning him or her.
In Europe, the data protection regime evolved and reformed since the 1970s, leading
to the adoption of the General Data Protection Regulation (GDPR) that came into
effect in May 2018. This landmark development brought significant changes to the
scope of data protection across the globe where the momentum on data protection
and privacy is increasing worldwide due to data and privacy breaches which usher a
wave of data protection legislations although most African countries still do not have
such kind of legislation.67
64
Makulilo, A. (2016). (Ed). African Data Privacy Laws. Page 17
65
Gitau, V & Ochilo, L. (2017). Data Protection in East Africa. Page 2
66
Sieghart, P. Legislation and Data Protection Proceedings of the Rome Conference on problems
relating to the development and application of legislation on data protection. Page 16
67
Centre for Human Rights, University of Pretoria. (2020). Call for Abstracts: Privacy and Data
Protection Law and Practice in Africa – Challenges and prospects. Retrieved from
https://www.chr.up.ac.za/tech4rights-news/2144-call-for-abstracts-privacy-and-data-protection-law-
and-practice-in-africa-challenges-and-prospects Page 2
17
2.5 Personal Data
Personal data is simply any information relating to an identified or identifiable
natural person.68 Lloyd69 asserts that, the state of a natural person is arguably
continuing even after the individual’s death since there are circumstances in which
the data concerning a deceased person may also have implications for living
individuals. For instance, data indicating a mother’s health condition will convey
information about the medical condition of any male children in certain diseases in
their active form, like haemophilia.
Personal data is key aspect of data protection law which regulate that such data
applied for a specific purpose should be kept secure and used only for that purpose.70
Personal data can be acquired, merged, used and shared.71
The context of using or holding personal data is considered far more important than
the data itself in data protection instruments or laws. Data protection laws recognise
categories of personal data which possess a degree of sensitivity known as sensitive
data, which are subjected to more stringent controls than would be applicable.72 A
list of names or addresses would not normally be considered sensitive.
Sensitive personal data are classified to include, generic data, data related to children,
offences, biometric data, data revealing racial or ethnicity of individuals, political
opinions, religious or philosophical beliefs, affiliation, gender, health or sex life.73In
the current digital age, passports and visas are issued through collection and use of
biometric data which falls under the aspect of personal data. Biometric data includes
fingerprints, face and iris recognition as part of the physiological characteristics of an
individual and behavioural characteristic relating to the manner in which a person
act.74
68
Article 2 of the DPR, 2018
69
Lloyd, I. (2017, 8th Edition). Information Technology Law. Page 57
70
Common Services Agency v. Scottish Information Commissioner, [2008] UKHL 47
71
Turkington, R & Allen, A. (2002). Privacy Law; Cases and Materials. 2nd Edition. Page 400
72
Lindqvist v. Kammaraklagaren, November 6, 2003. ECJ Case C-101/01
73
S. 2 of The Data Protection Act, 1984
74
18
Purtova75 argues that the problem with the concept of personal data goes beyond
simple identifiability, because the second essential element of the concept of
‘personal data’, that is, the relation of information to a person, is problematic as well.
Schwartz and Solove76 point out that, Recital 26 of the GDPR makes the GDPR
concept of ‘personal data’ suitable for ‘a tailored, context-specific analysis for
deciding whether or not personal data is present’77 whereas, to establish the status of
information as personal data, whether or not this information relates to a person has
to be considered first, even prior to the identifiability analysis.
The scope of personal data entails an individual’s information that identifies them in
a record. Personal data therefore refers to the individual’s information that relates to
their identity, characteristics or behaviour or information used to influence the way
that person is treated or evaluated.
2.6 Data Subject

Data Subjects are identifiable individuals subject to personal data. The GDPR and
the UK Data Protection Act provide that, a data subject is an individual who is the
subject of personal data.78 Data subjects are conferred rights as imposed under the set
Data Protection legislation. They have an important right of obtaining access to data
held by controllers and securing the correction of any errors in such data. It is such
rights that are protected by data protection legislations due to the processing of
personal data.
Lloyd79 opines that data subjects are identifiable individuals subject to personal data
and that an individual has to be identifiable from the manner in which data is
collected, processed, or used for threats of privacy to exist and justification as to the
application of data protection legislation controls. That means anonymous data that
does not relate to an identifiable person or to personal data in such a manner that the
75
Nadezhda Purtova (2018) The law of everything. Broad concept of personal
data and future of EU data protection law, Law, Innovation and Technology, 10:1, 40-81, DOI:
10.1080/17579961.2018.1452176 at Page 42
76
Schwartz, P and Solove, D. (2011). ‘The PII Problem: Privacy and a New Concept of Personally
Identifiable Information’ (2011) 86 N.Y.U. L. Rev. 1814, 1877.
77
Ibid
78
S. 1(1) of the Data Protection Act, 1984
79
19
data subject is no longer or not identifiable cannot amount to threats to privacy and
the justification as to the application of data protection legislations.
2.7 Data Controller

Data controllers are the natural or legal persons, public authority, or any other body
which determines the purposes and means of processing of personal data.80 Data
controllers relate to the ability to determine the nature and extent of data processing
which is to be carried out. Anyone who processed data on behalf of clients would be
regarded as a data controller when he or she processed any control or discretion
concerning the manner in which the processing was carried out would be regarded as
a data controller.81
According to Ubena,82 a ‘Data controller’ is a person or organization or a company

that collects and or process data subjects’ personal data. The definition of the concept
opines to the Directive’s conceptualization in that, a legal or natural person who
collects and determines the purposes for the processing of personal data is considered
as a data controller.
The Convention for the Protection of individuals concerning Automatic Processing

of Personal Data83 had defined a data controller as a natural or legal person, public
authority or any other body that is competent according to the national law to decide
on what should be the purpose of the automated data files, which categories of
personal data should be stored and which operations should be applied to them. The
controller is required to process data under a legal obligation connected to a specific
and lawful purpose.84
A data controller is responsible in determining the reasons as to why individual or

personal data is being processed since personal data is collected for specified and
legitimate purposes and not otherwise. Data controllers are therefore obliged to
80
EU Directive 95/46/EC
81
Data Protection Registrar v. Griffin, [1994] Privacy Law Policy Reporter 37
82
83
ETS No. 108, The Convention for the Protection of individuals concerning Automatic Processing of
Personal Data
84
Inacio, I & Silva, V. (2020). The Liability of Data Controllers and Data Processors. Page 5.
Retrieved from https://ssrn.com/abstract=3952767 Accessed on 10th December 2021.
20
ensure the safety and integrity of the data processing whereas; activities requiring
data processing must comply with the data protection regulation in order to protect
data subject rights.85
The GDPR also sets out that the data controller will be liable to compensate data
subjects for the losses arising from processing of personal data if its processing is not
in compliance with the GDPR.86
2.8 Data Processor

Data Processor refers to any person other than an employee of the data controller
who processes the data on behalf of the data controller.87 A data processor collects
data for the controller, for instance through market research survey using a pen and
paper. The processor has to be an external organization, completely independent
from the controller. There is also no limitation of actors that can be as a data
processor.88
A data controller and data processor work closely together in processing personal
data and thus, a legally binding agreement governs the relationship between a data
controller and a data processor, whereas, the terms must be followed and the
activities to be performed regarding data processing must be taken into account to
accurately identify the controller and processor.89 The rationale behind a legally
binding agreement is that the controller is to select a processor who can provide
satisfactory guarantees on security.
The GDPR90 provides that a processor can only process personal data on behalf of
the controller according to the defined purposes and essential means by the
controller. The processor shall thereby be considered a data controller and to comply
with all obligations of a data controller if the processor processes data for its
85
Inacio, I & Silva, V. (2020). The Liability of Data Controllers and Data Processors. Page 10.
Retrieved from https://ssrn.com/abstract=3952767 Accessed on 10th December 2021. See also, Google
Spain v. Mario Costeja Gonzalez, CJEU ruling No. C-131/12
86
Article 82 (2) of the GDPR, 2018
87
EU Directive 95/46/EC; GDPR, 2018
88
Blume, P. (2015). Data Protection and Privacy. Scandinavian Studies in Law, Vol 56 at Page 7-8
89
Article 28(2) of the GDPR, 2018
90
Article 28 (10) of the GDPR, 2018
21
purposes and not according to the defined purposes and essential means by the
controller.
The GDPR further sets out that data processors are also liable for the damage caused
by processing only where it has not complied with the obligations set out by the
GDPR on processors.91
2.9 Data Processing

Data processing involves all forms of activities that constitute carrying out of
operations on data by a computer so as to retrieve, transform, or clarify information.
The General Data Protection Regulation92 provides that data processing includes any
operation performed upon personal data, such as, collection, recording, organization,
storage, adaptation or alteration, disclosure by transmission, dissemination, blocking,
erasure or destruction.93
The EU Data protection Directive94 covers all potential forms of data processing and
controls how such data are processed. This is because; the processing of data relating
to individuals constitutes a threat to the subject’s rights and freedoms. Article 2(1) of
the GDPR provides that it is when personal data is processed that the data protection
principles apply.95 Hence, all activity using personal data, from its collection, use and
distribution demonstrates data processing and will therefore have to comply with the
rules and principles for data protection.
2.10 Data Protection principles

Data protection principles are the principles that lie at the heart of processing
personal data as set out in the General Data Protection Regulations, (GDPR).96 Data
protection principles do not give hard and fast rules, but rather embody the spirit of
the general data protection regime with very limited exceptions. Compliance with the
91
92
General Data Protection Regulation, GDPR (2018).
93
GDPR
94
Ibid
95
Article 2(1) of the GDPR, 2018
96
Information Commissioner’s Office. (August 2018). Guide to the General Data Protection
Regulation, GDPR. Page 14
22
spirit of these key principles is therefore a fundamental building block for good data
protection practice.
Failure to comply with the data protection principles may leave one open to
substantial fines. Article 83(5)(a) of the GDPR states that infringements of the basic
principles for processing personal data are subject to the highest tier of
administrative fines.97
The GDPR, sets out six data protection principles, which largely cover the eight data
protection principles set out in the EU Data Protection Act 1998 as ‘Lawfulness,
fairness and transparency’– which provides that personal data must be processed
lawfully, fairly and in a transparent manner. ‘Purpose limitation’– is another
principle which provides that personal data must be obtained for specified, explicit
and legitimate purposes and not further processed in a manner that is incompatible
with those purposes. Further processing is allowed for archiving, scientific, statistical
and historical research purposes.
‘Data minimisation’– which provides that personal data processed must be adequate,
relevant and limited to what is necessary. ‘Accuracy’– which also provides that
personal data must be accurate and, where necessary, kept up to date. ‘Storage
limitation’ – that, personal data must not be kept longer than is necessary (but data
processed for archiving, scientific, statistical and historical research purposes can be
kept longer subject to safeguards). Finally, ‘Integrity and confidentiality’– where
appropriate technical and organisational measures must be put in place to guard
against unauthorised or unlawful processing, loss, damage or destruction.98
2.11 Privacy in relation to Data Protection

Privacy and data protection are societal concepts that convey the idea that an
individual is something in his own right and not just an aspect of society. The
individual is therefore entitled to autonomy and protection with respect to their
personal life.99 Patricia Bosche100 cements that privacy is contextual depending with
97
GDPR, 2018
98
Article 5 of the GDPR, 2018; Data Protection & Research: Guidance for MRS Members and
Company Partners 2018 Part 1 (v0418) at Page 9
99
23
the societal attitudes on privacy and data protection since individual attitudes
determine the personal privacy and data protection situation in a specific area. This
means that what is regarded in a South African society and setting as privacy is not
necessarily the same in a Tanzanian or Kenyan society and setting. In Western
Europe, individuals are more concerned with privacy than those in the developing
countries since, in an African context as according to African scholars, the
individual’s identity is relative to the society and defined by the society and hence
privacy being of little importance.101
Traditionally, data protection was assumed to refer or connote to many facets of

privacy and thus being translated to information privacy. However, data protection is
in many ways not closely attached to the right to privacy but rather specifically
related to the legal rules and principles that regulate to which extent and under which
conditions personal data may be used.102 Hence, privacy as related to the immaterial
life of the individual with respect to information has been developed to special
regulations termed as data protection.
According to Wahlgren,103 data protection as a legal regime or set or rules concerns

with the processing of personal data and its protection so as to make it possible to use
personal data in an acceptable manner. Despite these differences in the two concepts,
privacy and data protection have formed some kind of unity a related since both
targets to ensure the customary and personal integrity.
Privacy and data protection basically depend on the society’s perception or ideology
and organization. According to Blume,104 the two concepts are not absolute rights, a
fact also opined by Ubena105 and thus it is not surprising that there are parts of the
world where privacy and data protection have little meaning or an issue for the rich
100
101
102
Ibid
103
104
105
Ubena John, Privacy-a forgotten right in Tanzania, Tanzania Lawyer, 1/2JTLS, 2012, pp.72-114at
Page 8
24
and privileged. The political ideology that dominates a specific society also stresses
on the value and importance of privacy and data protection.
Makulilo106 also considers privacy, information privacy and correspondingly data

protection laws have a great difference. He states that, basically data or information
privacy is an aspect of privacy that relates to information identifying a natural person
and data protection regulates the processing of data at all or most stages including
how personal data is collected, stored, exploited or disseminated.
Data protection is born on the basis that the general privacy rules are not sufficient to
guarantee protection of individuals’ personal data. Privacy on the other hand is a
right to individuals that establishes data protection. In essence, personal data
processing is legitimised for the purpose of protecting personal integrity and
regulating the processing of personal data. Hence, data protection is inseparable from
privacy and since both depend on society and technology applied, they have to
conform to the current times so as to ensure that the protection of an individual’s
personal integrity is upheld in the society.107
2.12 Conclusion
This Chapter has been specifically set forth by the researcher to present the key
concepts within the research title. This chapter further explains upon the importance
of having an efficient legal framework on Data Protection within the society for
protection of personal data and information of data subjects. This part gives the
reader a view on what really is data protection, how an individual’s personal data is
legally protected and why it is currently relevant and important to the society. Hence
highlighting what will be discussed in detail within the following chapters.
106
107
25
CHAPTER THREE
LEGAL AND INSTITUTIONAL FRAMEWORK ON DATA PROTECTION
3.1 Introduction
This chapter of the study enlightens the readers on the law that governs data privacy
and protection in Tanzania mainland. This involves both, legal and institutional
frameworks that provide for data privacy and protection. The legal and institutional
frameworks refer to the enacted laws and legally established organs that deal with
data privacy and protection. This chapter is concerned with analysing the laws and
regulations that govern data privacy and protection as well as the established
institutions.
3.2 The Legal and Institutional framework governing Data Protection

3.2.1 The Constitution of the United Republic of Tanzania
The Constitution is the mother law of the country that sets the foundation principles
for which the state should be governed with. The Constitution of the United Republic
of Tanzania (CURT)108 provides for the basic rights and duties of the citizens. Article
16 (1) of the CURT states that every person is entitled to respect and protection of
his person, and the privacy of his own person, family and his matrimonial life, and
respect and protection of his residence and private communications.109
This Article therefore states that the right to privacy in general including information
or data privacy is to be observed and valued by each and every Tanzanian citizen.
Further Article 16(2) of the Constitution limits the state authorities when laying
down any legal proceedings to avoid infringing an individual’s privacy rights and
thus making the right to privacy not absolute. Therefore, the Constitution ensures the
right to privacy is protected by all legislations.
The provision for the right of privacy under Article 16 arguably protects data and
personal information. Article 18 (c) of the Constitution also provides for the right to
freedom of expression and protection from interference from private
communications.
108
The Constitution of the United Republic of Tanzania, 1977 (2008 as amended).
109
Article 16(1) of The Constitution of the United Republic of Tanzania, 1977 (2008 as amended).
26
3.2.2 The Electronic and Postal Communications Act
The Electronic and Postal Communications Act (EPOCA),110 does not expressly
provide for data or information privacy and interceptions of communication. The Act
was mainly established to deal with the growing technology of telecommunication.
However, with relation to privacy, under Section 98(1) and (2) of the Act, the law
provides that a member or employee of the service licensee or its agent has a duty of
confidentiality of any information received in accordance with the provisions of the
Act, and that no person shall disclose the content of information of any customer
received.111
Section 120 of the Act states that “no person, without lawful authority under the Act
or any other written law, can intercept, attempt to intercept, or procure any other
person to intercept or attempt to intercept any communications.” 112 This means that,
in order to intercept communication, there must be an application. The application
must be made under “any other law” to the Director of Public Prosecutions (DPP) for
authorisation to intercept or listen to any customer communication transmitted or
received.
However, it is only public officers, or an officer appointed by the Tanzania

Telecommunications Regulatory Authority (TCRA), who is duly authorised by the
Ministry of Science & Technology, as well as the Ministry of Home Affairs, who
may be permitted to intercept such communications. The TCRA as an authority thus
directs and guides the telecommunication companies’ authorities to protect the
privacy of the users or service subscribers which includes their personal data or
information.
3.2.3 The Electronic and Postal Communications Act (Consumer Protection)

Regulations
The EPOCA (Consumer Protection) Regulations113 provide for consumer protection
regulations which need to be followed by service providers and stakeholders while
110
The EPOCA, 2010
111
Section 98(1) of the EPOCA, 2010
112
Ibid
113
The Electronic and Postal Communications (Consumer Protection) Regulations, 2018
27
dealing with consumers’ telecommunications.114 The Regulation deals with
consumers who are having problems with licensed service providers described in the
Electronic and Postal Communications Act, 2010 or operations under regulation 3.
This means that, the regulation therefore deals with users of phone and internet
services and products; however, e-consumers are not covered.
The regulation sets out an obligation in relation to privacy to all consumers or service
subscribers under regulation 10(3) to register SIM cards or built-in SIM Card where
a lot of personal information or subscribers’ data is being collected for the sake of
registration and unknowingly on what it will be used for apart from security
purposes.
3.2.4 The Electronic and Postal Communications Act (Sim-Card Registration)

Regulations
The EPOCA (Sim-Card Registration) Regulations115 regulate on the registration of
all pre-paid SIM-Cards. In 2009, the TCRA directed for the registration of all SIM-
Cards where every SIM registration becomes a personal identifier and in 2010 the
government enacted the EPOCA, 2010 Act and the mandatory SIM registration
requirement to give the directive a legal effect.116
The Regulations were published on 7th February 2020 to provide and make it
mandatory for all SIM Card users in Tanzania to register their SIM Cards
biometrically by presenting their National Identification ID (NIDA) to the service
provider followed by fingerprint verification online or electronically. Further, the
regulations limit for the number of SIM cards to be owned by individuals, companies
or institutions.
In relation to privacy and data protection, the regulations require customers to

provide their valid personal information and the service providers to keep details of
the registered SIM Card users which in turn has led to wide communication
surveillance, and processing of personal data for purposes unknown and
uncommunicated to data subjects; including the storing of communication details on
114
115
The EPOCA (Sim-Card) Regulations, 2020
116
28
behalf of the police and security agencies.117 However, regulation 17 (c), necessitates
for a data protection legislation applicable to the situation and its compliance since
they do not expressly cover and deal with personal data processing and protection.118
3.2.5 The EPOCA (Online Content) Regulations

The Electronic and Postal Communications (Online Content) Regulations119 provides
under regulation 5 (1) (e) to compel the online content providers and users to identify
the sources of their information or content. This means that in some instances, online
content providers may be ordered to disclose the identity of their source of content or
information which may jeopardise the privacy of the persons who wish to contribute
or share content anonymously.
Regulation 11 imposes a duty of any part holding users’ information to not disclose
the information unless to law enforcement agencies when required under the auspices
of the Regulations or the Act. Online Content Regulations do not clearly go out to
protect data privacy as much as it seems to give authority for law enforcement
agencies to access any such data. The access of personal data by agencies seems to
be the mischief intended rather than the general need for right to privacy by
individuals.
3.2.5 The Cybercrimes Act

The Cybercrimes Act120 is established for providing procedural and substantive law
of the crimes committed in the cyberspace within Tanzania. It is against offences that
happen in the digital cyber world. In relation to the privacy and data protection, the
Act faces a number of criticisms regarding its applicability to matters of the right to
privacy.121
The Act does not expressly deal on privacy and data protection but rather provides
for protection against illegal data interference under Section 7 of the Act. The
117
118
119
The EPOCA (Online Content) Regulations, 2018
120
The Cybercrimes Act, 2015
121
PART IV of the Cybercrimes Act, 2015
29
provision avers that disclosure, transmission or communication of any computer
data, program, access code or command to an unauthorized person is an offence.
3.2.6 The Electronic Transactions Act

The Electronic Transactions Act122 provides for the legal recognition of electronic
transactions, e-Government services, the use of Information and Communication
Technologies in collection of evidence, admissibility of electronic evidence and
facilitation of the use of secure electronic signatures. The Act recognizes privacy on
several of its provisions but not expressly stating on personal data protection and
processing.
Section 3123 explains on protection of an individual’s information including

electronic documents and signatures by transforming them into an unreadable format,
a process termed as ‘cryptography’. Further, Section 33 gives power to the Minister
responsible for information and Communication Technology to designate a
government institution to be a regulator of Cryptographic and Certification Services,
whereas in relation to privacy, the Minister is obliged to prescribe the security
standards for electronic signatures and cryptography for protection of confidential
information of the user or individual.124
3.2.7 Access to Information Act

The Access to Information Act125 provides for the instances where information may
be exempted from being disclosed. Section 6(1) (b) provides that an information
holder may withhold information where he determines in accordance with the Act
that the disclosure is not justified in the interest of the public. Further, Section 22 of
the Act provides for the offences of alteration, defacement, blocking and erasure of
information.126
122
The Electronic Transactions Act, 2015
123
Ibid
124
Section 33, 34 (a), (b), (c), (d) and (e) of the Electronic Transactions Act, 2015
125
Access to Information Act, No. 9 of 2016
126
Section 6(1) (b) of the Access to Information Act, No. 9 of 2016
30
Despite the Act relating to privacy of information, it still does not clearly and
expressly provide for the restrictions and manner of processing or storage of any type
of data for individuals
3.2.8 The Registration and Identification of Persons Act

The Registration and Identification of Persons Act127 provides for the Registrar, a
registration officer and any immigration officer performing functions under the Act
not to disclose or supply copies of information including fingerprints, or particulars
furnished without written permission.128 It also does not clearly and expressly
provide on data processing and protection as with the GDPR.
3.2.9 The International Covenant on Civil and Political Rights (ICCPR)

Article 17 of the ICCPR129 declares that no one is to be interfered with neither his
privacy nor any attack on his honour or reputation, emphasising privacy to every
citizen in a way that nobody is to interfere with someone’s life, respect, residence
and private communications.130 Tanzania has ratified the ICCPR which helps in
protecting the civil and political rights of the citizens. However, the ICCPR does not
explicitly state on data protection but rather as a human rights instrument, it
recognizes privacy as a right.
3.2.10 Convention for the protection of individuals with regard to the Automatic
Processing of Personal Data
The Convention131 for the protection of individuals with regard to the Automatic
Processing of Personal Data is one of the earliest international instruments which lay
the legal framework for data protection. The Convention provides rules and key data
privacy principles under Chapter II requiring that personal data must be fairly and
lawfully obtained, used for the original and specific purpose and destroyed after its
127
128
129
130
Ibid
131
Convention for the protection of individuals with regard to the Automatic Processing of Personal
Data, CETS No. 108 0f 1980
31
purpose is completed. It also requires the establishment of a supervisory authority to
enforce the data protection principles.132
The Convention is for all members of Europe but also non-council members who can
be bound through formal ratification or accession. In Africa, Senegal, and Mauritius
have acceded to the Convention while Morocco, Tunisia and Cape Verde have also
been invited by the European Council to accede to the Convention.133
3.2.11 The EU General Data Protection Regulation

The EU General Data Protection Regulations (GDPR)134 is a regulation adopted on
27 April 2016 and became operational from 25May 2018 so as to strengthen and
unify data protection within the European Union (EU). The GDPR serves as a
replacement to the Data Protection Directive of 1995.135
The GDPR addresses the export of personal data outside the EU. Under Article 4 and
7 the GDPR136aims primarily to give control back to citizens and residents over their
personal data and to simplify the regulatory environment for international business
by unifying the regulation within the EU.
Unlike the Data Protection Directive, GDPR does not require national governments
to pass any enabling legislation and is thus directly binding and applicable. The
GDPR serves as a single set of rules to apply uniformly to all EU member states.
Each member state is to establish an independent supervisory authority that will
receive and investigate complaints and sanction administrative offences. The
supervisory authority in each member state will cooperate with others and provide
mutual assistance and organizing joint operations.
In addition, the GDPR acknowledges that data protection rights are not absolute and
must be balanced proportionately with other rights.
132
133
Ibid
134
General Data Protection Regulation, (EU) 2016/679, 2018
135
DPD 1995
136
General Data Protection Regulation, (EU) 2016/679, 2018
32
3.2.12 The Institutional framework on Data Protection
3.2.12.1 The TCRA
The TCRA is an authority responsible for the regulation of communications and
broadcast departments in Tanzania. Section 4 of the TCRAA137 establishes the
Authority for the purpose of regulating the electronic communications, postal
services, broadcasting sectors and management of the national frequency spectrum in
the United Republic of Tanzania.
The Authority is important in ensuring that the provisions of the TCRAA are adhered
by various communications and broadcast companies and therefore enforcing the
right to privacy.
3.2.12.2 The Judiciary

The Judiciary is an arm of the state with the authority to dispense justice in the
United Republic of Tanzania as provided under Article 107 (A) of the CURT. 138 The
Judiciary in Tanzania mainland consists of the Court of Appeal, the High Court, the
Resident Magistrates Courts, District Courts and Primary Courts where Judges
adjudicate in the Court of Appeal and the High Court while Magistrates adjudicate in
Resident Magistrates Courts, District Courts and Primary Courts.
The Judiciary dispenses justice in Tanzania mainland in relation to privacy and

protection of personal information through interpretation of the laws on various
claims and charges brought before it.
3.2.12.3. Tanzania Computer Emergency Response Team (TZ – CERT)

TZ-CERT is a team that coordinates response to cyber security incidents at the
national level and corporate with regional and international entities involved with
management of cyber security incidents as established under Section 124 of the
EPOCA. The response team protects the information privacy of a Tanzanian
individual in the cyber world.
137
The Tanzania Communications Regulatory Authority (Act No.12 of 2003).
138
33
3.2.12.4 The Commission for Human Rights and Good Governance (CHRAGG)
Article 129 (1) of the CURT139 establishes the Commission for Human Rights and
Good Governance in Tanzania to deal with the promotion and protection of human
rights and governance in Tanzania. Section 6 of the CHRAGG Act140 sets out the
functions of the CHRAGG which includes ensuring that the government and its
entities do adhere to the principles of human rights and promotion of equality.
3.2.12.5 National Identification Authority (NIDA)

The National Identification Authority (NIDA) is an institution established in 2008 for
the purpose of implementing the registration and identification of persons in
Tanzania as required under the Registration and Identification of Persons Act.141 The
Authority was established so as to implement the National Identification system in
Tanzania as proposed by the Feasibility Study Report on how to effectively introduce
and implement the National Identification System in Tanzania.142
NIDA has implemented the National ID system through creating the National
population Register, creating various registration centres in the Country registering
and identifying Citizens, Refugees and Legal Residents in Tanzania since 2012. The
Authority started issuing Identity Card to citizens of Tanzania immediately after the
launching of the first Identity Card by the President of the United Republic of
Tanzania in 2013.143
NIDA operates as Data Processor functioning as the Creator and Controller of the
Database of the National population Register interfaced with other stakeholders,
some Government Institutions and other Private Institutions. Hence, the protection of
the interfaced Data containing personal information of Tanzanian citizens is
139
140
The CHRAGG Act, [CAP 391, R.E. 2002]
141
The Registration and Identification of Persons Act, [CAP 36, R.E. 2012]; Melamari, N. (2013). The
challenges and the need of legal framework for data protection in Tanzania: case study of Tanzania
national identification authority (NIDA). (Master’s Thesis, The Open University of Tanzania). Page, 2
142
Gotham International Ltd, (2006), “Feasibility Study Report for National Identification and
Registration of persons Program for the Government of the United Republic of Tanzania”, Dar es
Salaam, Tanzania, at P.48
143
Balile, D. (7th Febr 2013). Tanzania to Begin Issuing of National Identity Cards. Retrieved from:
https://allaafrica.com/stories/201302080 Accessed on 4th February 2022.
34
paramount and necessary since information on identity of persons contains a set of
information about a person that is considered, sensitive personal data.
3.2.12.6 Organization for Economic Co-operation and Development (OECD)

The OECD is an organization where governments work together to address the
social, economic and environmental challenges of globalisation. For a long time, the
OECD has played a great role in promoting respect of privacy and the free flow of
personal data across borders where in 2013 the OECD Council adopted privacy
guidelines144 known as Guidelines Governing the Protection of Privacy and
Transborder Flows of Personal Data.145
3.2.12.7 The Human Rights Committee

Article 28 of the ICCPR146 establishes the Human Rights Committee as a body of
independent experts who monitor the implementation of the ICCPR by its state
parties. This includes Tanzania as well as a State party of the ICCPR. The
Committee monitors States’ compliance with Article 40 of the ICCPR so as to make
sure that reports regarding how human rights are being implemented in their states
are being submitted for the purpose of reviewing and questioning in case of any
difficulties.147
3.3 The Legal and Institutional framework at Regional Level

Tanzania is member of the East African Community (EAC), the South African
Development Community (SADC) and the African Union (AU). The EAC
framework does not provide any model law or framework for member states on the
harmonization of data protection law of member states. However, the EAC merely
gives recommendations for member states to reform their legal frameworks on data
protection and privacy based on international best practice.148 On the other hand,
144
OECD Privacy Guidelines Governing the Protection of Privacy and Transborder Flows of Personal
Data, 1980 (Revised 2013)
145
OECD. (2013). OECD Privacy Framework. OECD Publishing. Page 3
146
147
Mwakilasa, T. (2018). The right of Privacy and duty to disclose information in Tanzania. Page 46
148
EAC TASK Force. (2008). Legal Framework for Cyber Crimes; Phase I – Recommendations on e-
Transaction, Cybercrimes, Consumer Protections, Data Protection and Privacy. Recommendation 19
35
SADC has adopted the SADC Model Law on Data Protection with the main
objective of harmonizing data protection law of member states.
3.3.1 The South African Development Community Model Law on Data

Protection (SADC Model Law)
The SADC Model Law149 provides for a comprehensive legal framework on data
protection similar to that of the EU Directive, currently the GDPR as of 2018 for the
purpose of harmonization of data protection law of member states based on
international best practice. The SADC Model Law sets out that the main objective of
any data protection legislation of any member state shall be to combat the violations
of data likely to arise from the collection, processing, transmission, storage and use
of personal data.150
The SADC Model Law applies to any processing of personal data performed by
automated means, and to the processing of personal data otherwise than by
automated means. However, Section 2 (4) of the SADC Model Law 151 provides that
it does not apply to the processing of personal data by a natural person in the course
of purely personal or household activities and it cannot restrict the ways of
production of information which are available according to a national law and the
power of the judiciary to constrain a witness to testify or produce evidence.
The SADC Model Law establishes a protection regime of personal data that accounts
for social and religious customs as well as existing policies to achieve its goal of
protection and harmonization in order to foster compliance with the law and
protection of privacy in general.
3.3.2 The African Union Convention on Cyber security and Personal Data
Protection
The African Union Convention on Cyber security and Personal Data Protection152
was adopted by the African Union on 27th June 2014 to cover electronic transactions,
149
The South African Development Community Model Law on Data Protection (SADC Model Law),
2013.
150
HIPSSA. (2013). Data Protection: SADC Model Law. Page 3
151
Ibid
152
The African Union Convention on Cyber security and Personal Data Protection, 2014
36
personal data protection and cybercrimes. It is noteworthy that the Convention had
not yet come into force up until 2019 and thus making the General Data Protection
Regulation as the main influential privacy policy in privacy in reform in Africa.153
Currently, Senegal, Mauritius, Namibia, Guinea, Angola, Ghana, Mozambique, and
Rwanda have ratified the framework where Article 36 of the Convention requires a
minimum of 15 ratifications for it to enter into force. Bearing the explosions of
information and communication technologies that could affect the right to the
protection of personal data, the increasing trend of personal data and combating
cyber threats, there is hope that other African States, including Tanzania will follow
suit.154
Articles 8 to 23 of the Convention155 covers data protection and is similar to the

General Data Protection Regulation.156The Convention enshrines the fundamental
rights of the data subject as well as setting out the obligations for businesses and
organisations that collect, process and store individuals’ personal data, such as
lawfulness, fairness and transparency, purpose limitation, and data minimisation. The
Convention also accommodates the processing of sensitive data, transfer of personal
data outside the country and retention of personal data for legitimate reasons.
The AU Convention requires member State parties to have a data protection law
which regulates the collection, processing, storing, and sharing of personal data and a
data protection authority which will start to implement the data protection legislation
once it is in place.
3.3.3 The African Declaration on Internet Rights and Freedoms (AfDec)

The African Declaration on Internet Rights and Freedoms157 was developed in 2014
following the 2013 African Internet Governance Forum in Nairobi Kenya158 in
153
154
Nkusi, F. (1st July 2019). Ratifying Malabo Convention is a great step to protecting personal data.
The New Times; Rwanda’s Leading Daily. Retrieved from
https://www.newtimes.co.rw/opinions/ratifying-malabo-convention-great-step-protecting-personal-
data Accessed on 12th December 2021.
155
The African Union Convention on Cybersecurity and Personal Data Protection, 2014
156
GDPR, 2018
157
African Declaration on Internet Rights and Freedoms, 2014. Retrieved from:
https://africaninternetrights.org/en/about Accessed on 2nd January 2021
37
response to the need in urgent resolution in the digital age on how to protect human
rights and freedoms on the internet in Africa. It was developed to promote human
rights standards and principles of openness in internet policy formulation and
implementation in Africa by developing a set of principles that would inspire policy
and legislative processes on Internet rights and freedoms in Africa.
Article 3 of the Declaration159 provides for amongst other principles, the principle of
privacy personal data protection in African countries in that individuals have a right
to communicate anonymously on the internet using appropriate technology that
ensures the protection and securing of personal and anonymous communication.
The Declaration stipulates that, personal data protection and the right to privacy may
be restricted subject to any restrictions provided by law that are for a legitimate aim.
In that, the collection, retention and use of personal data must comply with a
transparent privacy policy that allows individuals to know what data is collected
about them, to correct or erase inaccurate data and protection of personal data from
unauthorised disclosure.160
3.3.4 Collaboration on ICT Policy in East and Southern Africa (CIPESA)

The Collaboration on International ICT Policy in East and Southern Africa is an
institution established in 2004 under the funding of the UK’s department for
International Development with focus on facilitation of the use of ICT in support of
development and poverty reduction. It is a leading centre for research and analysis of
information on ICT policy issues through production and publication of
commentaries, briefing papers and newsletters on selected international ICT Policy
for development issues relevant to Africa.161
CIPESA has played a critical role through its research and analysis of information on
ensuring privacy and data protection concerns are addressed in Africa. CIPESA has
158
African Declaration on Internet Rights and Freedoms. Retrieved from: https://africaninternetrights.
org/en/about Accessed on 2nd January 2021
159
African Declaration. (2014). African Declaration on Internet Rights and Freedoms. Page 12
160
African Declaration Coalition. (2014). African Declaration on Internet Rights and Freedoms. Page
22
161
Retrieved from: https://www.africaportal.org/content-partners/collaboration-international-ict-
policy-east-and-southern-africa-cipesa/ Accessed on 2nd January 2022.
38
published reports, policy briefs and legal analysis among others so as to insist
African States on the need for data protection and privacy legal frameworks.162
For instance, in its latest summary report publication titled “Mapping and Analysis of
Privacy Laws and Policies in Africa – Summary Report”163 CIPESA addresses how
the enacting of privacy laws and adopted policies that facilitate increased
surveillance and collection of biometric data interferes with various rights and
freedoms in African countries and therefore undermining privacy related rights,
including the right protection of personal data.
3.7 Conclusion
This Chapter explains the laws and the institutions that are related to privacy and
data protection. The objective of this part of the research report is to analyse different
legal and institutional frameworks and see whether they address or affect data
privacy and protection in one way or another in Tanzania mainland. The laws and
legally established institutions that deal with data privacy and protection partly
address on processing and protection of personal data.
162
Centre For Human Rights, UP. (May 2021). Privacy and personal data protection in Africa: A
rights-based survey of legislation in eight countries. African Declaration on Internet Freedoms
Coalition. Page 287
163
CIPESA. (16th Jul 2021). Mapping and Analysis of Privacy Laws and Policies in Africa – Summary
Report. Retrieved from: https://www.africaportal.org/publications/mapping-and-analysis-privacy-
laws-and-policies-africa-summary-report/ Accessed on 2nd January 2022.
39
CHAPTER FOUR
DATA PRESENTATION AND FINDINGS
4.1 Introduction
This Chapter presents the research findings and the discussion of findings on the
efficacy of the legal framework on data protection in Tanzania mainland. The study
has set forth to answer research questions which are: what is the current legal
framework on data protection in Tanzania mainland? And to what extent is the
existing data protection legal framework sufficient in protection of personal data?
For the purposes of attaining the objective of the research which is to examine the
efficacy of the existing legal framework on data protection, the study analysed and
presents data collected through documentary and literature review, which answers
the research questions made for the study.
The study finds that, a number of provisions in a number of legislations which

identify when data should be collected for what purpose under the piece of
legislation but do not specifically fill the need for personal data protection by
addressing on the conditions and manner of lawful processing of personal data. The
current legal framework on personal data protection is not entirely sufficient due to
the absence of a legislation that controls processing of personal data in Tanzania
mainland.
4.2 Data Presentation and Analysis

The study was conducted through literature and documentary review. That was done
by collecting primary sources of law and secondary data. Literature review and
documentary review was done to gather response from the research questions; what
is the current data protection legal framework in Tanzania mainland? And to what
extent is the existing legal framework on data protection sufficient in protection of
personal data? The responses are presented and discussed herein below.
4.3 The legal framework on data protection in Tanzania Mainland

The study found a provision in the CURT on privacy and a number of provisions in a
number of legislations which identify when data should be collected for what
purpose under the piece of legislation but do not specifically fill the need for
40
personal data protection by addressing on the conditions and manner of lawful
processing of personal data. To begin with, the following is the discussion of
findings from the laws though not entirely focused on data protection and privacy but
do address some specific privacy and data protection concerns.
4.3.1 The right to privacy and personal data protection

Article 16 (1) of the CURT provides that every person is entitled to respect and
protection of his person, and the privacy of his own person, family and his
matrimonial life, and respect and protection of his residence and private
communications.164
This Article thus provides that the right to privacy in general including information
or data privacy is to be observed and valued by each and every Tanzanian citizen. It
is from this provision that courts interpret the law on privacy and protection of
personal data including identity of persons as in Deogras John Marando v.
Managing Director, Tanzania Beijing Huayuan Security Guard Service Co.Ltd.165
Article 16(2) of the Constitution further limits the state authorities when laying down
any legal proceedings to avoid infringing an individual’s privacy rights and thus
making the right to privacy not absolute. Therefore, the Constitution ensures the right
to privacy is protected by all legislations.
The provision for the right of privacy under Article 16 arguably protects data and
personal information. Article 18 (c) of the Constitution also provides for the right to
freedom of expression and protection from interference from private
communications. Conclusively, though the right to privacy has been thoroughly
stated in the Tanzanian Constitution, the many limitations imposed in unto its
absoluteness and its enjoyment as for instance under Article 30(2) of the Constitution
may render it non-existent to the judgement that it has not been provided for within
the Constitution.166
164
165
Co. Ltd, Civil Appeal No. 110 of 2018, HC of Tz at Dar es Salaam, (27th March 2019).
41
The Electronic and Postal Communications Act (EPOCA)167 does not expressly
provide for data or information privacy and interceptions of communication.
However, with relation to protection of personal information or data, under Section
98(1) and (2) of the Act, the law provides that a member or employee of the service
licensee or its agent has a duty of confidentiality of any information received in
accordance with the provisions of the Act, and that no person shall disclose the
content of information of any customer received.168
Section 120 of the Act provides that “no person, without lawful authority under the
Act or any other written law, can intercept, attempt to intercept, or procure any other
person to intercept or attempt to intercept any communications.” 169 This means that,
in order to intercept communication, there must be an application but it is only public
officers, or an officer appointed by the Tanzania Telecommunications Regulatory
Authority (TCRA), who is duly authorised by the Ministry of Science & Technology,
as well as the Ministry of Home Affairs, who may be permitted to intercept such
communications.
The study finds that even though the TCRA as an authority directs and guides the
telecommunication companies’ authorities to protect the privacy of the users or
service subscribers which includes their personal data or information, the Act does
not explicitly provide for the procedures and manner of controlling and processing of
personal data as per the GDPR.
4.3.1.2 Communication Surveillance and absence of legal safeguards in SIM-

Card Registration
The EPOCA (Sim-Card Registration) Regulations170 regulate on the registration of
all pre-paid SIM-Cards. In 2009, the TCRA directed for the registration of all SIM-
Cards where every SIM registration becomes a personal identifier and in 2010 the
166
See the cases of Kukutia Ole Pumbun v Attorney General [1993] T.L.R. 159; Julius Ishengoma
Francis Ndyanabo v Attorney General, Civil Appeal No.64 of 2001, Court of Appeal of Tanzania, at
Dar es Salaam (Unreported); and Legal and Human Rights Centre v Attorney General, Miscellaneous
Civil Cause No.77 of 2005, High Court of Tanzania, at Dar es Salaam (Unreported).
167
The EPOCA, 2010
168
The EPOCA, 2010
169
Ibid
170
The EPOCA (Sim-Card Registration) Regulations, 2020
42
government enacted the EPOCA, 2010 Act and the mandatory SIM registration
requirement to give the directive a legal effect.171
The Regulations provide and make it mandatory for all SIM Card users in Tanzania
to register their SIM Cards biometrically by presenting their National Identification
ID (NIDA) to the service provider followed by fingerprint verification online or
electronically. Further, regulation 18 (1) limits for the number of SIM cards to be
owned by individuals, companies or institutions.
The finding in relation to privacy and data protection is that, the regulations require
customers to provide their valid personal information and the service providers to
keep details of the registered SIM Card users which in turn has led to wide
communication surveillance, and processing of personal data for purposes unknown
and un-communicated to data subjects; including the storing of communication
details on behalf of the police and security agencies.172 However, regulation 17 (c),
necessitates for a data protection legislation applicable to the situation and its
compliance but for the sole purpose of fraud prevention and not protection of
personal data.
The study found that SIM Card registration regulations do not expressly cover and
deal with personal data processing and protection in terms of the procedures to be
followed in the control and securing of personal data availed to the service
providers.173
4.3.1.3 Access of personal data on Online Contents

The EPOCA Online Content Regulations174 apply to online content including
application services licensees, bloggers, internet cafes, online forums, online radios
or televisions, social media, subscribers amongst others. The study finds that, the
Online Content Regulations do not clearly go out to protect data privacy as much as
it authorises law enforcement agencies to access any such data.
171
172
173
174
The EPOCA Online Content Regulations, 2020
43
Regulation 5 (1) (e) of Online Content Regulations compels the online content
providers and users to identify the sources of their information or content in which in
some instances, online content providers may be ordered to disclose the identity of
their source of content or information which may jeopardise the privacy of the
persons who wish to contribute or share content anonymously.
Regulation 11 imposes a duty of any part holding users’ information to not disclose
the information unless to law enforcement agencies when required under the auspices
of the Regulations or the Act.
The study finds that, access of personal data by agencies may be the mischief
intended under the Online Content Regulations rather than the general need for right
to privacy and protection of personal data by individuals.
4.3.1.4 Protection against illegal data interference

The Cybercrimes Act175 makes it an offence to intercept personal communications
and interfere with data by damaging, deleting, altering, obstructing and interrupting
it.176
The finding in this is that the Cybercrimes Act does not expressly deal on privacy
and data protection but rather provides for protection against illegal data interference
under Section 7 of the Act. The Cybercrimes Act prohibits operators and other
service providers from monitoring activities or data being transmitted in their
systems while also providing an exception for investigation purposes for the
disclosure of information, which leaves room for undermining of rights under the
pretence of investigations.177The provision avers that disclosure, transmission or
communication of any computer data, program, access code or command to an
unauthorized person is an offence.
175
The Cybercrimes Act, 2015
176
PART IV of the Cybercrimes Act, 2015
177
Coalition. Page 274
44
There are some data subjects’ rights provided for under the Cybercrimes Act within
its scope. Section 45 of the Act178 provides that, the data subject has the right
“through a take-down notification, to notify the service provider of any data or
activity infringing their rights.
The survey by the Centre for Human Rights,179 also elaborated that data subjects
under the Cybercrimes Act also have the right to correct their information or data
collected by a provider of services, including change of SIM Card number, although
this is stated more as an obligation than a right in the respective legislation.
4.3.1.5 Processing of personal data for identification and registration is not

protected by law
The study finds that, the Registration and Identification of Persons Act 180 is devoid
of provisions with respect to data processing, principles applied in the processing of
personal data for registration and identification of persons.
The Registration and Identification of Persons Act181 provides for the Registrar, a
registration officer and any immigration officer performing functions under the Act
not to disclose or supply copies of information including fingerprints, or particulars
furnished without written permission.182
As far as the Act provides for specific protection of persons’ identities, Provision IV
of this Act empowers the minister with broad powers to decide on exceptions for
sharing personal data. It provides that “the registrar and registration officer and any
immigration officer performing functions under this act shall not produce for
inspection or supply copy the photograph, of any person registered under this act or
his fingerprints or disclose or supply a copy of particulars furnished under section 7
and 9 except and unless with the written permission of the minister.”183
178
Cybercrimes Act, 2015
179
Coalition. Page 284
180
181
Ibid
182
183
Ibid
45
There are no provisions that cover data processing, principles applied in the
processing of personal data for registration and identification of persons and the
rights to individuals on the control of their processed personal data. Therefore, the
Act does not clearly and expressly provide on data processing and protection as with
the GDPR.
Therefore, it came to the attention of this study that, despite the lack of a clear
legislation that covers personal data protection, the study found the existing laws as
analysed impact the privacy and personal data protection in Tanzania mainland, in
both positive ways and negatively such as to interfere with privacy rights through
increased surveillance and interceptions.184 These Acts and regulations provide some
key definitions that to some extent address data protection and privacy.
The EPOCA (Consumer Protection) Regulations185 for instance describes a consumer

as any person who uses electronic communications or postal products or services.
Identifying users as consumers and not specifying them as data subjects could be
changed if a specific legislation on personal data protection was in place to protect
personal information or data and privacy. Regulation 5 (1) (a) of the EPOCA SIM
card regulations186 also require individuals to undertake individual biometric SIM
card registration whereby SIM cards are to be used solely by a customer for personal
use and thus compelling individuals to provide personal data for the purposes of
registration.
4.4 Tanzania Mainland’s Data Protection Legal Framework fails to adequately

protect personal data
The study analysed the provisions on data protection laws and on the notable aspects
and institution that associate with vivid use and application of personal data in
Tanzania mainland to determine the efficacy of the legal framework on data
protection in Tanzania mainland. The analysis revolved around an analytical question
that, if resort is made to the existing laws that to some extent cover on the protection
184
Coalition. Page 273
185
186
The EPOCA (SIM-Card Registration) Regulations, 2020
46
of personal data as discussed above; are they sufficiently guaranteeing personal data
privacy and protection in the cyberspace? And as well, are the laws making a good
attempt to contain trading in personal data or some specific legislation that caters on
data privacy and protection is required?
The finding in this area as discussed hereunder opined that at a large extent, the
current legal framework on personal data protection is not entirely sufficient due to
the absence of a legislation that controls processing of personal data in Tanzania
mainland. The existing laws do not explicitly address protection in processing of
personal data as from the principles established in the General Data Protection
Regulation and thus failing to adequately protect personal data.
4.4.1 The protection of personal data in National Identification (NIDA)

Registration
The Registration and Identification of Persons Act (RIPA)187 establishes the National
Identification Authority (NIDA) through the National Identification Authority
(Establishment) Instrument, 2008 with the mandate to register and issue identity
cards to Tanzanian citizens and eligible residents who are non-citizens aged 18 years
and above.
Registration of persons under the Act requires the collection of personal information
such as names, date of birth as well as biometric data such as fingerprints to be
enrolled in the system and provided for a national identification number commonly
referred to as NIDA number which also mandatory for one to register a SIM card or
to open a bank account or gain access to public services.188
According to Melamari,189 Section 18 of the Act190 imposes an obligation on the part

of a Registration Officer or any other officer undertaking registration of persons not
to disclose any personal information that is gathered and failure to do so may invite
187
RIPA, [Act. No. 11 of 1986, R.E. 2012]
188
Coalition. Page 278
189
Tanzania: case study of Tanzania national identification authority (NIDA). (Master’s Thesis, The
Open University of Tanzania).
190
RIPA, Act No. 11 of 1986
47
some jail terms by law. However, Section 19 of the Registration and Identification of
Persons Act allows the Minister to disclose such person information upon certain
reasons and conditions. It is also noted from the Act that, there are no restrictions for
Data Controllers and Processors in situations where the collected personal
information falls under the hands of third parties apart from the National
Identification Authority (NIDA) of Tanzania. 191
4.4.2 Protection of personal data in registration of SIM Cards

As of January 2020, 155 countries in Africa are reported by Privacy International192
to have enacted mandatory. For an individual to activate or purchase a pre-paid SIM
card, the user is required to provide personal information as well as a valid national
identification card (ID) for Security and fighting crime purposes as justifications.
Service providers at a high rate capture personal information upon the purchase of a
pre-paid SIM card and keep the records, sharing information with government
agencies on demand. 81% of countries with mandatory SIM registration laws are
reported use this approach in registration of SIM-Cards.193
In Tanzania mainland, the study found from Regulation 5 (1)(a)(iii) of the EPOCA
SIM Card Regulations, 2020 that all service providers who may be referred to as data
controllers are obliged to keep and secure the details of all who register their SIM
cards.194 These service providers, dealers and whoever is involved in collecting or
processing such data, upon any misuse of information of a customer for SIM card
registration, are considered to commit an offence and upon conviction shall be liable
to a fine or imprisonment or both. However, such protection of privacy is for the SIM
card customers and the only data being protected is data of the person related to SIM
card registration only.
191
Tanzania: case study of Tanzania national identification authority (NIDA). (Master’s Thesis, The
Open University of Tanzania). Page 63
192
Privacy International. (2020). SIM-Card Registration. Retrieved from:
https://privacyinternational.org/learn/sim-card-registration Accessed on 8th October 2021. Privacy
International is
193
Ibid
194
The EPOCA SIM Card Regulations, 2020
48
The information required in all biometric SIM card registration categories must be
valid and the service providers shall keep details of the registered SIM card users. A
service provider shall not activate a SIM card before registering customer details as
provided under the SIM-Card Regulations and SIM card registration must be verified
through the NIDA database. Un-verified SIM-Card through the NIDA database shall
be considered as unregistered and will be deactivated.195
Customers are required, under regulation 12 of the SIM-Card Regulations, to report a

change of ownership of a SIM card to the service provider. The new owner of a SIM
card must register the SIM card with their name within 15 days from the date they
assumed ownership.196 Regulation 13 of SIM-Card Regulations demands that the
owner of a SIM card must report loss, theft or destruction of the SIM card to the
police within seven days from the date of such incident. Upon reporting, the owner
will be issued with a loss report or preliminary investigation report which shall be
required by the service provider in a request to replace the SIM card.197
Regulation 6 of the SIM-Card regulations provides exemption on data collection but

astonishingly on to government agents and institutions, as such, “A customer from
Government institution or an authorized agent of the Government who requires an
exemption of biometric SIM Card registration shall apply the following procedure:
(a) A customer shall write a letter to the Authority to obtain approval for
fingerprint exemption and shall provide details for such exception;
(b) A customer shall be required to present his NIDA identity and the Authority
approval to the service provider for SIM Card registration; and
(c) The service provider shall register SIM Cards as per the approval of the
Authority at customer centres, service providers’ shops, or agents’ shops only.”198
In this, even though at such specific instance in which an individual can request to be
exempted from providing their information, it does not cut across and touch all
195
Clyde & CO. (29th July 2020). SIM-Card Registration in Tanzania. Retrieved from:
https://clyde.com Accessed on 3rd January 2022.
196
The EPOCA (SIM-Card) Regulations, 2020
197
Ibid
198
Ibid
49
individuals but rather only to agents of the government and government institutions
who can apply for exemption to provide sensitive personal data obtained
biometrically and leaves out the rest at the option of providing their biometric data in
registration of SIM-Cards. All human beings and not only government agents and
officials have unique fingerprints which can be assessed to see if they match a saved
sample, to make human identification possible.
Owing to the sensitive nature of biometric data, it ought to be given a more stringent
standard of protection than other categories of personal data especially when it
comes to NIDA and SIM-Card registration. It is therefore very important that the
legal framework adopts more stringent protection of biometric data captured through
SIM-CARD registration as it requires and as widely used by individuals for other
purposes in accessing phones, software applications and verification of identity,
premises, and rooms.199
This may show that, mandatory SIM card registration is a way for the government to
build identity systems to support their needs to administer, govern, and profit but on
the other hand, they are being used to facilitate targeting, profiling and
surveillance.200
Quite recently in November 2021, a Tanzanian Mobile Operator known as MIC

Tanzania Public Limited Company (Tigo Tanzania) was reported in The Citizen201
and Mwananchi202 to disclose individual information as its lawyer, one Fred Kapara
was one of the witnesses in an ongoing court case, Republic v. Hassan Bwire Hassan
and three others.203
199
Salami, E. (August 2020). Fingerprint Generated Data: An Evaluation of the Efficacy of the
Nigerian Data Protection Regulation. Computer Telecommunications Law Review. Volume 26, 7,
p.184-191. Available at: https://ssrn.com/abstract=3688450 Accessed on 3rd January 2022
200
https://privacyinternational.org/learn/sim-card-registration Accessed on 8th October 2021.
201
The Citizen. (Sat, 6th Nov. 2021). Data Privacy under Scrutiny amid legal vacuum in Tanzania.
Retrieved from: https://www.thecitizen.co.tz/tanzania/news/-data-privacy-under-scrutiny-amid-legal-
vacuum-in-tanzania-3609960 Accessed on 4th January 2022.
202
Mwananchi. (Tuesday, 2nd Nov 2021). Mwanasheria Tigo atoa ushahidi kesi ya kina Mbowe.
Retrieved from: https://www.mwananchi.co.tz/mw/habari/kitaifa/mwanasheria-tigo-atoa-ushahidi-
kesi-ya-kina-mbowe-3605270?view=htmlamp Accessed on 3rd January 2022.
203
Republic v. Hassan Bwire Hassan and three others, Economic Case No. 16 of 2021.
50
During examination of witnesses, the said Fred Kapara was reported to have
confidently made a statement that, for matters relating to privacy and data protection,
Tigo Tanzania’s paramount duty is not to protect the customer’s affairs, privacy,
confidentiality and information but rather to respect the Directives of Authorities in
the country more, that is, compliance. Further, that in so doing, Tigo Tanzania is
willing to disclose the customers’ information and data to any Authority requesting
for the same.204
Also, in Abdallah Shabani Madege v. The Republic,205 the appellant on 4th day of
March 2020 at about 18:35 at Nangurukuru village within Kilwa District in Lindi
Region, unlawfully did interfere with the functioning of a computer system to wit
mobile phone, fraudulently causing loss of Tshs 800,000/= property of one
Ramadhan s/o Mohamed Salum, contrary to Section 12 (1) (b) of the Cybercrimes
Act, 2015.
In this case, the facts were to the effect that; the appellant described himself as an
agent of Tigo with the intention of registering lines with PW1. At that time, the
appellant had identification marks of Tigo, so PW1 gave him his password and later
was told to turn off his phone for one hour. His line was inactive when he opened it.
Therefore, he went to NMB agent to check his amount of money. The print out
showed that there was a transaction of Tshs 800,000/= when the appellant had the
complainant’s mobile phone.
According to PW3 and PW2, while both were eye-witnesses, the appellant confessed
to having committed the offence before police according to the caution statement.
PW4 testified that the appellant had cash money of Tshs 855,000/=, two mobile
phones, one small phone and several lines attached to his Airtel Sim-Card. The NMB
Mobile 0686826000 PIN number 2000 was connected to his Airtel Sim-Card.
204
Msando Law Office to MIC Tanzania Public Limited Company (Tigo Tanzania). (4th November,
2021), in Re: Recent Statements Issued by one Fred Kapara Being your officer before the High Court
of the United Republic of Tanzania – Corruption and Economic Crimes Division of Tanzania in
Economic Case No. 16 of 2021. REF NO: MLO/TIGO.2021/11/04 (Dar es Salaam: Msando Law
Office), Page 2
205
Abdallah Shabani Madege v. The Republic, Crim Appeal No. 101 OF 2020 [19th April 2021]
TZHC, (Unreported).
51
The appellant gave the accused the PIN number when he asked him to do so, and he
switched off the line on 03/03/2020. The bank statement showed a transaction of
drawing Tshs 800,000/= at 18:37 at Nangurukuru restaurant on the same date.
The implication from the case in relation to SIM-Card Registration is that personal
data that goes with SIM-Card registration processes are sensitive and the extraction
of them is to be handled with care following the data privacy and protection laws
available. Mobile operators or their agents collect information from their customers;
identity theft has become common in Tanzania since criminals hack and ‘steal’
personal information stored in operators’ databases and use them by blocking the
user of communication services for a limited time and use the services at data
subject’s expenses or using data subject’s credentials and phone number to
fraudulently collect money on data subject’s name or behalf implicating data
subjects.206
Therefore, the finding in this area is that unfortunately, Tanzania has no

comprehensive legislation and effective mechanism on data privacy and protection
with detailed provisions on how data is to be collected, processed, controlled or
maintained and, handled in relation to data protection principles so as to ensure
prevailing data protection and privacy on SIM-Card Registration is to be observed
and complied for.
4.4.3 Effectiveness of the TCRA in protection of personal data

The authority in charge of all the laws that somehow cover on protection of personal
information and privacy, is the Tanzania Communications Regulatory Authority
(TCRA) established under the Tanzania Communications Regulatory Authority
Act.207 The functions of the TCRA amongst others include, issuance and renewal of
licences, enforcement of licence conditions, establishing standards for regulated
206
Regulations, G.N. No. 112 of 2020 necessitates for a detailed data protection and privacy legislation
applicable in the situation. See also, CIPESA, (2018). State of Internet Freedom in Africa: Privacy
and Personal Data Protection in Tanzania: Challenges and Trends. Page 13-14. See also, ISS Africa.
(1st July 2020). More Questions than Answers: Tanzania’s mandatory SIM Card registration.
Available at: https://issafrica.org/iss-today/more-questions-than-answers-tanzanias-mandatory-sim-
card-registration Accessed on 5th August 2021.
207
Tanzania Communications Regulatory Authority Act No.12 of 2003.
52
goods and services, regulating rates and charges, type approving electronic
communication equipment and managing frequency spectrum.
According to the TCRA Enforcement Guidelines 2012,208 the TCRA has the duty to
ensure there is compliance with the provisions of the TCRA Act, 2003 and the
EPOCA, 2010 including that of the duty of confidentiality of personal information
collected and processed by service providers and operators. The Guidelines also
portray the national areas of enforcement in ensuring compliance to include,
licensing requirements, quality of service, interconnection, fair competition, SIM-
Card Registration, digital broadcasting, rollout obligations, consumer protection to
ensure confidentiality of consumer information and data protection, and others.209
A recent survey by the Centre for Human Rights at University of Pretoria210

discussed about the effectiveness of the TCRA in ensuring protection of privacy and
personal data and stated that “since Tanzania does not yet have a specific piece of
legislation that mandates an establishment of a data protection authority, that duty
currently in some ways falls under the authority of TCRA.” The TCRA has a great
and heavy task with many responsibilities from licensing to control of the digital
landscape including data.211
TCRA Enforcement Guidelines 2012 expound that what the TCRA does in enforcing
compliance on consumer or individuals and organizations data protection is
monitoring, inspection and sanctioning procedures and processes. This is contrary to
what the GDPR envisages on a special established data protection authority which as
per Article 55 and 56(6) of the GDPR,212 the authority established in a member state
is solely concerned with the supervision of data processing operations in the State
and an interlocutor of the controller or processor in cases of cross-border processing.
208
Tanzania Communications Regulatory Authority Enforcement Guidelines, November 2012
209
Tanzania Communications Regulatory Authority Enforcement Guidelines, November 2012
210
Coalition. Page 285
211
Coalition. Page 281
212
The GDPR, 2018
53
The difference between the TCRA and the data protection authority as envisaged in
the GDPR is that, whilst the TCRA takes a wide scope and range of enforcement
areas, the data protection authority is to solely and only supervise and enforce data
processing in a State and across borders. In that, the scope of data protection and
privacy is broad and needs a specific law and a data protection authority to handle its
issues specifically. The survey by the Centre for Human Rights at University of
Pretoria notes that, “with various legislations in place addressing data protection and
privacy, TCRA finds itself as the middle man that has to be able to address each
specific legislation’s approach towards data protection and enforce it.”213
In that, TCRA is burdened with the duty to protect the interests of consumers which
includes the TCRA and companies licensed to offer services being bound to protect
personal information unless disclosure is allowed by law as provided under Section
98 of Electronic and Postal Communications Act, 2010.214
The survey by the Centre for Human Rights at University of Pretoria215 further
analysed that, since the establishment of the TCRA,216 it has been instrumental in
providing oversight in the communications sector serving as the body that oversees
the implementation of policies, legislations and regulations that apply to its mandate.
The report argues and expounds that, issues such as data protection and privacy fall
on its lap only because there is neither specific legislation nor policy established for
this purpose therefore making the handling of privacy and data protection a
challenge.217
The study also finds that as the preparation to seek approval to enact a data
protection and privacy Act is still ongoing in Tanzania mainland,218 the GDPR has
213
Coalition. Page 285 - 286
214
EPOCA, 2010
215
Ibid, Page 285
216
https://www.tcra.go.tz/about-tcra/tcra-profile
217
Coalition. Page 286
218
The Citizen. (Sat, 6th Nov. 2021). Data Privacy under Scrutiny amid legal vacuum in Tanzania.
Retrieved from: https://www.thecitizen.co.tz/tanzania/news/-data-privacy-under-scrutiny-amid-legal-
vacuum-in-tanzania-3609960 Accessed on 4th January 2022.
54
been acknowledged and the thinking in place is to ensure that the proposed
legislation adopts or is in-line with the GDPR so as to enable effective supervision of
trans-border personal data flow by the respective authority to be established and to
avoid unnecessary legislative contradictions.
The finding in this area is that, it is evident that the current regulatory framework
does not cater for data protection sufficiently because of the absence of a legislation
that restricts the processing or storage of personal data in Tanzania and outside of its
jurisdiction or the security of data for individuals. In essence, if resort is made to the
existing laws that to some extent cover on the protection of personal data as
discussed above; they will not be sufficiently guaranteeing personal data privacy and
protection in the internet.
4.5 Conclusion
This Chapter presented data collected from various legal sources. From the
presentation, this study found that the existing legal framework on data protection in
Tanzania mainland does not fill the need for protection of personal data and remain
to be a problem to the extent of not addressing conditions for the lawful processing
of personal data. The study found that there is a need for proper mechanisms for
collecting personal data and ensuring the safety of personal data and thus some
specific legislation that caters on data privacy and protection is necessary and
required.
55
CHAPTER FIVE
CONCLUSION AND RECOMMENDATIONS
5.1 Introduction
This chapter gives a general conclusion and recommendation basing on the findings
of this study. The study reports on the efficacy of the legal framework on protection
of personal data in Tanzania Mainland. The finding of the study was carried out
through documentary and literature review. The conclusion herein below is
mannered by the general overview of the study and the findings presented in the
previous chapter. The recommendations are present the solutions that the study came
up with to address the problems relating to the efficacy of the legal framework on
protection of personal data in Tanzania Mainland.
5.2 Conclusion
The study has revealed that the legal framework on data protection and privacy in
Tanzania mainland is not entirely sufficient and does not fill the need for data
protection and privacy. The existing laws do not address on conditions and
procedures for the lawful processing of personal data but only identify when personal
data can be collected and processed for a purpose as specified in the respective
legislation. The absence of data protection laws creates a risk of personal data being
exposed thus leading to the infringement of information privacy rights.
Tanzania mainland’s legal framework on data protection yet demands for a

comprehensive data protection legislation that not only identifies when personal data
can be collected and processed but also addresses on the requirements and
procedures for the lawful processing of personal data in line with Tanzanian and
African values to data protection and privacy steadfastly set in recognition and
pursuit of human rights, in particular the right to privacy, specifically, information or
data privacy.
The extant legal framework on data privacy and protection in Tanzania is far from
ideal on data protection principles. The legislations touching on data privacy
concerns analysed in this research lack clear provision on data ownership and
whether individuals have power over the information that they supply to and comes
56
under the control of third parties; and on an individual’s right to demand the deletion
of his information that has been captured and recorded even if the information was
legitimately captured and recorded.
Data protection in a Tanzanian setting is a difficult proposition, in particular for

public security matters since collection and processing of personal data may be
disastrous to individuals’ control of their personal data in order to secure important
and legitimate public interests. The study exposes a lesson from the findings that
every individual is entitled to the right of access to personal data, prevention of
processing personal data likely to affect them and the right to be forgotten and
measures should be taken to address these issues in the new technology. However,
the challenge for data protection is the growing use of personal data for reasons of
public interest.219
Data privacy and protection is necessary for ensuring human dignity and autonomy.
The essence of data privacy and protection is to keep personal data from any
interferences and disclosure in any means, unless the data subject consents or allows
its disclosure and processing. This is within the scope of the CURT220 that the
government has to adhere to lay down legal procedures regarding the circumstances,
manner and extent to which the right to privacy may be encroached upon. Thus,
protection of personal data protects the reputation, dignity and autonomy of the
people in Tanzania mainland.
5.3 Recommendations
There has been a rapid growth of ICT over the years with the inclusion of the use of
sensitive biometric data for various purposes that necessitate for sufficient laws that
address data privacy and protection of personal data in Tanzania mainland, both
online and offline.
Since the study found that, the legislations touching on data privacy concerns
analysed lack clear provision on data ownership and individuals’ right of access to
219
Cortez, E. (2020). Data Protection Around the World: Privacy Laws in Action. Information
Technology Law Series, Vol 33. T.M.CC. Asser Press, The Hague, Netherlands. Page 191
220
Article 16 (2) of The Constitution of the United Republic of Tanzania, 1977 (2008 as amended)
57
personal data; and on an individual’s right to be forgotten even if his information was
legitimately captured and recorded, the study recommends on the following:
5.3.1 Recommendations to the Government of the United Republic of Tanzania
5.3.1.1 Exploration of financial mechanisms for a data protection authority

Firstly, the Government of Tanzania should explore financial support mechanisms
and viable solutions that will help to bear any financial burdens of the bill and the
data protection authority that is to be established. Since the TCRA takes a wide scope
and range of enforcement areas, the data protection authority will solely and only
function to supervise and enforce data processing in Tanzania mainland and across
borders. It is important for the government to either allocate a budget or identify a
source of financial support for realisation of a personal data protection authority and
clear policy on data protection.
5.3.3.2 Development of the Policy on data protection

The study recommends that the Government of Tanzania should develop a policy on
data protection, so as to ensure regional harmony on data protection and privacy in
Africa; so as to hasten the domestication process. The framework of the bill on
personal data protection should gain its foundation from international and regional
human rights laws and frameworks, to fully embrace what Tanzania signs up for.
This may include ratification of the Malabo Convention on cyber security and data
protection and motivating other African countries for the same.
5.3.2 Recommendations to Civil Societies
5.3.2.1 Raising legal awareness on protection of personal data

The study further recommends that, Civil Societies in cooperation with the
Government of Tanzania should ensure that citizens are aware and educated on data
protection and privacy as this will ensure a balanced relationship where all parties are
aware of their rights and responsibilities. This is because, as argued by Boshe,221
personal privacy and data protection is determined by the individual or societal and
legal culture in a specific area. This in turn, affects the courts’ interpretation of the
221
Publishing. Page 162
58
laws on data privacy and protection leading to few cases or absence of case laws on
privacy and data protection since if individuals are illiterate on the specific area of
law, then it will be hard for their knocking of the court doors for courts’
interpretation and development of the laws on data privacy and protection.
5.3.2.2 Comprehensive research on data protection and privacy

As awareness and literacy on data privacy and protection is raised in the society, the
study also recommends civil societies, legal researchers, freelancers, and
organisations to support and conduct comprehensive research on data protection and
privacy needs in Tanzania mainland as it will help drive a policy development
process which is demand driven, catering for the need for privacy and personal data
protection.
5.3.3 Recommendations to the Tanzanian Parliament

Finally, the study recommends that the Tanzanian legislature enacts a comprehensive
data protection and privacy legislation so as to hasten the process and make the bill
available for comments to the general public before it is passed into law. This is
because, collection of personal data various purposes like registration of citizens, and
SIM-Cards in Tanzania mainland without any comprehensive data protection law can
allow certain parties to abuse the personal data record.
59
BIBLIOGRAPHY
LIST OF BOOKS
Centre For Human Rights, UP. (May 2021). Privacy and personal data protection in
Africa: A rights-based survey of legislation in eight countries. African
Declaration on Internet Freedoms Coalition.
Lloyd, I. (2017, 8th Edition). Information and Technology Law. New York, United
States: Oxford University Press.
Makulilo, A.B. (Ed), (2016). African Data Privacy Laws. Bremen, Germany:
Springer International Publishing.
Martin, E.A. (1997). Oxford Dictionary of Law, 4th Edition: London: Oxford
University Press.
Msabila, D.T. & Nalaila, S.G. (2013). Research Proposal and Dissertation Writing:
Principles and Practice. Dar es Salaam: Nyambari Nyangwine Publishers.
Turkington, R & Allen, A. (2002). Privacy Law; Cases and Materials. 2nd Edition.
Wahlgren, P. (Ed). (2010). Information & Communication Technology Legal Issues.

Stockholm, Stockholm Institute for Scandinavian Law.
Westin, A.F. (1967). Privacy and Freedom. London: Bodley Head.
LIST OF JOURNAL ARTICLES
Blume, P. (2015). Data Protection and Privacy. Scandinavian Studies in Law, Vol
56.
Boshe, P, (2013). Interceptions of communications and the right to privacy:

Commentary on Zitto Zuberi Kabwe’s political saga, Open University Law
Journal, Vol. 4, No.2:1-5
Data Protection & Research: Guidance for MRS Members and Company Partners
2018 Part 1 (v0418).
60
Salami, E. (August 2020). Fingerprint Generated Data: An Evaluation of the
Efficacy of the Nigerian Data Protection Regulation. Computer
Telecommunications Law Review. Volume 26, 7, p.184-191. Available at:
https://ssrn.com/abstract=3688450 Accessed on 3rd January 2022.
Gitau, V & Ochilo, L. (2017). Data Protection in East Africa.
Makulilo, A.B, Privacy and Data Protection in Africa: State of the art, International
Data Privacy Law Journal Vol. 2(3) (2012)
Nadezhda Purtova. (2018). The law of everything. Broad concept of personal data
and future of EU data protection law, Law, Innovation and Technology, 10:1,
40-81, DOI:10.1080/17579961.2018.1452176
Neethling. (2005). The Concept of Privacy in South African Law. Vol. 122, No. 1
Schwartz, P and Solove, D. (2011). ‘The PII Problem: Privacy and a New Concept
of Personally Identifiable Information’ (2011) 86 N.Y.U. L. Rev. 1814, 1877.
Ubena John, Privacy-a forgotten right in Tanzania, Tanzania Lawyer, 1/2JTLS,

2012, pp.72-114
Warren & Brandeis. (1890). The Right to Privacy: Harvard Law Review, IV (5).
LIST OF DISSERTATIONS & REPORTS
CIPESA, (2018). State of Internet Freedom in Africa: Privacy and Personal Data
Protection in Tanzania: Challenges and Trends. CIPESA. Kampala, Uganda.
EAC TASK Force. (2008). Legal Framework for Cyber Crimes; Phase I –
Recommendations on e-Transaction, Cybercrimes, Consumer Protections,
Data Protection and Privacy. Recommendation 19
EAC TASK Force. (2008). Legal Framework for Cyber Crimes; Phase I –
Recommendations on e-Transaction, Cybercrimes, Consumer Protections,
Data Protection and Privacy. Recommendation 19
HIPSSA. (2013). Data Protection: SADC Model Law. Information

Telecommunication Union
61
HIPSSA. (2013). Data Protection: SADC Model Law. Information
Telecommunication Union
Information Commissioner’s Office. (August 2018). Guide to the General Data

Protection Regulation, GDPR. Information Commissioner’s Office.
Information Commissioner’s Office. (August 2018). Guide to the General Data

Protection Regulation, GDPR. Information Commissioner’s Office.
Melamari, N. (2013). The challenges and the need of legal framework for data
protection in Tanzania: case study of Tanzania national identification
authority (NIDA). (Master’s Thesis, The Open University of Tanzania).
Melamari, N. (2013). The challenges and the need of legal framework for data
protection in Tanzania: case study of Tanzania national identification
authority (NIDA). (Master’s Thesis, The Open University of Tanzania).
Msando Law Office to MIC Tanzania Public Limited Company (Tigo Tanzania). (4th
November, 2021), in Re: Recent Statements Issued by one Fred Kapara
Being your officer before the High Court of the United Republic of Tanzania
– Corruption and Economic Crimes Division of Tanzania in Economic Case
No. 16 of 2021. REF NO: MLO/TIGO.2021/11/04 (Dar es Salaam: Msando
Law Office).
Msando Law Office to MIC Tanzania Public Limited Company (Tigo Tanzania). (4th
November, 2021), in Re: Recent Statements Issued by one Fred Kapara
Being your officer before the High Court of the United Republic of Tanzania
– Corruption and Economic Crimes Division of Tanzania in Economic Case
No. 16 of 2021. REF NO: MLO/TIGO.2021/11/04 (Dar es Salaam: Msando
Law Office).
Mwakilasa, T. (2018). The right of Privacy and duty to disclose information in

Tanzania. Undergraduate Research Report, Mzumbe University.
Mwakilasa, T. (2018). The right of Privacy and duty to disclose information in

Tanzania. Undergraduate Research Report, Mzumbe University.
62
OECD (2019), Enhancing Access to and Sharing of Data: Reconciling Risks and
Benefits for Data Re-use across Societies, OECD Publishing,
Paris, https://doi.org/10.1787/276aaca8-en.
OECD (2019), Enhancing Access to and Sharing of Data: Reconciling Risks and
Benefits for Data Re-use across Societies, OECD Publishing,
Paris, https://doi.org/10.1787/276aaca8-en.
OECD Privacy Guidelines Governing the Protection of Privacy and Transborder

Flows of Personal Data, 1980 (Revised 2013)
OECD Privacy Guidelines Governing the Protection of Privacy and Transborder

Flows of Personal Data, 1980 (Revised 2013)
OECD. (2013). OECD Privacy Framework. OECD Publishing, Paris.
OECD. (2013). OECD Privacy Framework. OECD Publishing, Paris.
Sieghart, P. Legislation and Data Protection Proceedings of the Rome Conference on

problems relating to the development and application of legislation on data
protection.
Sieghart, P. Legislation and Data Protection Proceedings of the Rome Conference on

problems relating to the development and application of legislation on data
protection.
State of Internet Freedom in Africa, (2018). Privacy and Personal Data Protection in
Tanzania: Challenges and Trends. CIPESA. Kampala, Uganda.
LIST OF ONLINE SOURCES
African Declaration. African Declaration on Internet Rights and Freedoms.

Retrieved from: https://africaninternetrights.org/en/about Accessed on 2nd
January 2021
Balile, D. (7th Febr 2013). Tanzania to Begin Issuing of National Identity Cards.
Retrieved from: https://allaafrica.com/stories/201302080 Accessed on 4th
February 2022.
63
Centre for Human Rights, University of Pretoria. (2020). Call for Abstracts: Privacy
and Data Protection Law and Practice in Africa – Challenges and prospects.
Retrieved from https://www.chr.up.ac.za/tech4rights-news/2144-call-for-
abstracts-privacy-and-data-protection-law-and-practice-in-africa-challenges-
and-prospectsAccessed on 10th December 2021
CIPESA. (16th Jul 2021). Mapping and Analysis of Privacy Laws and Policies in
Africa -Summary Report. Retrieved from:
https://www.africaportal.org/publications/mapping-and-analysis-privacy-
laws-and-policies-africa-summary-report/ Accessed on 2nd January 2022.
Clyde & CO. (29th July 2020). SIM-Card Registration in Tanzania. Retrieved from:
https://clyde.com Accessed on 3rd January 2022.
Collaboration of international ICT Policy in East and Southern Africa (CIPESA).

Retrieved from: https://www.africaportal.org/content-partners/collaboration-
international-ict-policy-east-and-southern-africa-cipesa/ Accessed on 2nd
January 2022.
Inacio, I & Silva, V. (2020). The Liability of Data Controllers and Data Processors.
Page 5. Retrieved from https://ssrn.com/abstract=3952767 Accessed on 10th
December 2021.
ISS Africa. (1st July 2020). More Questions than Answers: Tanzania’s mandatory
SIM Card registration. Available at: https://issafrica.org/iss-today/more-
questions-than-answers-tanzanias-mandatory-sim-card-registration Accessed
on 5th August 2021.
Mwananchi. (Tuesday, 2nd Nov 2021). Mwanasheria Tigo atoa Ushahidi kesi ya kina
Mbowe. Retrieved from:
https://www.mwananchi.co.tz/mw/habari/kitaifa/mwanasheria-tigo-atoa-
ushahidi-kesi-ya-kina-mbowe-3605270?view=htmlamp Accessed on 3rd
January 2022.
Nkusi, F. (1st July 2019). Ratifying Malabo Convention is a great step to protecting
personal data. The New Times; Rwanda’s Leading Daily. Retrieved from
64
https://www.newtimes.co.rw/opinions/ratifying-malabo-convention-great-
step-protecting-personal-data Accessed on 12th December 2021.
Pisa, M & Nwankwo, U. (August, 2021). Are Current Models of Data Protection Fit
for Purpose? Understanding the Consequences for Economic Development:
Roundtable Summary. Independent Research for Global Prosperity. CGD
Brief. Retrieved from: https://www.cgdev.org/sites/default/files/are-current-
models-data-protection-fit-purpose-understanding-consequences-
economic.pdf Accessed on 27th December 2021.

https://privacyinternational.org/learn/sim-card-registration Accessed on 8th
October 2021.
Robertson, T. (14th January 2020). Senegal to Review Data Protection Law.

Available at: https://cipesa.org/2020/01/senegal-to-review-data-protection-
law/ Accessed on Tuesday, 10th Aug 2021.
The Citizen. (Sat, 6th Nov. 2021). Data Privacy under Scrutiny amid legal vacuum in
Tanzania. Retrieved from: https://www.thecitizen.co.tz/tanzania/news/-data-
privacy-under-scrutiny-amid-legal-vacuum-in-tanzania-3609960 Accessed
on 4th January 2022.
The Citizen. (Saturday, 20th April 2019). Reforming Tanzania Data Privacy and
Protection Regime. Available at: https://www.thecitizen.co.tz/tanzania/oped/-
reforming-tanzania-data-privacy-and-protection-regime-2678022
Accessed on 3rd August 2021.
65

Legal Research in Tanzania, by Ragab

Uploaded by

Copyright:

Available Formats

You might also like

Legal Research in Tanzania, by Ragab

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Legal Research in Tanzania, by Ragab

Uploaded by

Copyright:

Available Formats

MZUMBE UNIVERSITY

THE EFFICACY OF LEGAL FRAMEWORK ON DATA PROTECTION IN

BY: MARK-SILAS A. MALEKELA

SUPERVISOR: MR. EDWARD PROSPER LAIZER

RESEARCH REPORT SUBMITTED IN PARTIAL FULFILLMENT OF THE

MARK-SILAS ASHERY MALEKELA

I, ………………………………………………... do hereby certify that, I have read

MR. EDWARD PROSPER LAIZER

Date…………. Day of………………...2022

MARK-SILAS ASHERY MALEKELA

Secondly, I sincerely express my deepest and sincere gratitude to my supervisor MR.

CIPESA - Collaboration on International ICT Policy in East & Southern

CURT - United Republic of Tanzania Constitution of 1977

EAC - East African Community

E-Government - Electronic Government

e-Id - Electronic Identity Card.

EPOCA - Electronic and Postal Communications Act, 2010

GDPR - General Data Protection Regulation, 2018

HIPSSA - Support for the Harmonisation of ICT Policies in Sub-Saharan

Ibid - Ibidem (In the same place)

ICCPR - International Covenant on Civil and Political Rights, 1966

ICT - Information Communication Technology

ITU - International Telecommunication Union

OECD - Organization for Economic Cooperation and Development

PDP - Personal Data Protection Directive (Directive 95/46)

TCRAA - Tanzania Communication Regulatory Authority Act, 2003

TCRA - Tanzania Communications Regulatory Authority

The study recommended the government of Tanzania to explore mechanisms and

EU Data Protection Directive 95/46/EC

General Data Protection Regulation (GDPR), 2018

The Convention for the Protection of individuals concerning Automatic Processing

The International Covenant on Civil and Political Rights of 1966

Access to Information Act, No. 9 of 2016

Cybercrimes Act, 2015

Data Protection Act, 1984 (United Kingdom)

Data Protection Act, 2018 (Kenya)

Data Protection and Privacy Act, 2019 (Uganda)

Information and Communication Technology Act, 2016 (Rwanda)

Tanzania Intelligence and Security Service Act, 1966

The CHRAGG Act, [CAP 391, R.E. 2002]

The Cybercrimes Act, (2015).

The Electronic and Postal Communications Act (SIM Card Registration)

The Electronic and Postal Communications Act, (2010).

The Electronic Transactions Act, 2015

The EPOCA (Consumer Protection) Regulations, 2018

The EPOCA (SIM-Card Registration) Regulations, 2020.

The Tanzania Communications Regulatory Authority (Act No.12 of 2003)

Common Services Agency v. Scottish Information Commissioner, [2008] UKHL 47

Data Protection Registrar v. Griffin, [1994] Privacy Law Policy Reporter 37

Deogras John Mhando v. Managin Director Tanzania Beijing Huayuan Security

Google Spain v. Mario Costeja Gonzalez, CJEU ruling No. C-131/12

Lindqvist v. Kammaraklagaren, November 6, 2003. ECJ Case C-101/01

The growths of technology make the privacy of personal information become an

1.1 Background of the Problem

Tanzania received support through the Harmonisation of ICT Policies in Sub-

In 2014, the government also expanded its nationwide programme of issuing

1.2 Statement of the Problem

The existing provisions on data protection found in a number of legislations include;