Court orders changes to Tanzania’s data protection law

The High Court of Tanzania has ruled that some provisions of the country’s Personal Data Protection Act (PDPA) 2022 be amended to provide more clarity so as to prevent a situation of legal uncertainty in the future and to guarantee full consent for personal data collection.

The ruling was handed down on May 8 by the High Court in Dar es Salaam in a case brought before it by human rights advocate Tito Magoti against the Attorney General of the United Republic of Tanzania.

Magoti had filed a petition challenging the constitutionality of thirteen Sections of the Act, saying they contravene certain provisions of the country’s constitution of 1977 and its subsequent amendments, and that they be immediately expunged from the law in the spirit of protecting the fundamental human rights of citizens.

While the court determined that some provisions of the Act challenged by the petitioner were indeed constitutional, it adjudged that others were not, and called for their revision.

In its judgement, the three-member panel of judges found issues with Sections 22(3) and 23(3)(c)(e) of the Act which were deemed vague and likely to create legal problems or infringe on the rights to data privacy and consent.

“Looking at Section 22(3) of the PDPA, it is our view that the ‘unlawful means’ for collecting and processing personal data ought to be enlisted in the Act because of the offence created even if the regulated fields are multifarious and change with technology changes,” a section of the ruling reads.

“Clarity is thus lacking in the impugned provision. It ought to have stated what unlawful means are, and where are they to be found either in the Act itself or in the regulations. It is hard to tell if the listing of unlawful means has been left to the minister to formulate. We therefore hold the impugned provision to be wide and vague.”

On the Section that provides for exceptions to a data subject’s consent in the collection and processing of their data, the court found some of the petitioner’s challenge pertinent. It ruled that Section 23(3)(c)(e) of the Act “is ambiguous, unclear and without prescribed procedures.”

The ruling orders that the amendments be done within a year from the date of the judgement “with a view to providing certainty as to what acts or omissions shall be regarded as unlawful.”

“Failure to do so, these provisions will be struck out of the statute book. This is geared towards upholding fundamental rights and freedoms as enshrined under the Articles of the CURT [Constitution of the United Republic of Tanzania].”

Petitioner welcomes ruling with mixed feelings

Contacted by Biometric Update for comments after the ruling, the petitioner, Toti Magoti, said it is a welcome development, although just part of their challenge was granted by the court.

“The ruling is welcome with mixed feelings because we partly managed to convince the court and two provisions were found unconstitutional,” Magoti said in a voice message.

“They relate to collection of personal data in an unlawful means – a provision which was not clearly defined and it was going to be susceptible to abuse. The other one has to do with consent in terms of data collection. The circumstances warranting data collection without consent from the data subject were not clearly defined and the court agreed with us.”

To Magoti, the ruling is a success in many ways. “One, it raises awareness across multiple audiences about this newly enacted legislation in Tanzania which ties with contemporary technological advancements that necessitate the protection of personal data and information.”

“It also looks into the role of the state as a regulator and facilitator, but also the role of individuals in making sure that they protect their personal data, and also adhere to the standards of data protection.”

He adds that the ruling is also a call to corporations like mobile telecommunications companies and banking institutions which handle personal data that “they are supposed to make sure they do not deal with them [data] in a manner that violates privacy rights, among other rights.”

Tanzania’s President, early in April, inaugurated the Personal Data Protection Commission as the country prepares to roll out a digital ID program.

Article Topics

Africa  |  biometric data  |  biometrics  |  data collection  |  data privacy  |  data protection  |  Digital Personal Data Protection (DPDP) Act  |  legislation  |  Tanzania