Population: 59,734,213
Capital: Dodoma

President: Samia Suluhu Hassan

2021 Freedom House Score: 34/100

Data protection law? Yes, with no data protection authority yet appointed

Privacy enshrined in Constitution: Yes, the Constitution of the United Republic of Tanzania guarantees the right to privacy under Article 16.

DPA legislation: Yes, in November 2022 the Parliament of Tanzania passed the Personal Information Protection Act 11, 2022, and on 1 May 2023 it came into effect. However, as only a Kiswahili version of the Act is currently available, we have been unable to provide an analysis of its provisions. It appears that board members of the Data Protection Commission have not yet been appointed.

In 2010, Tanzania also implemented the Electronic and Postal Communications Act (EPOCA). While it was being drafted, civil society expressed concern over provisions that they argued would threaten privacy— such as the establishment of the Central Equipment and Identification Register (CEIR) and a mandatory SIM registration requirement. SIM registration has allegedly led to widespread communication surveillance, location monitoring, and personal data processing for purposes unknown and uncommunicated to data subjects. Police and security agencies are alleged to store communication details using the CEIR.

Concern has also been raised about the lack of a requirement of judicial authorisation for interception of communications. In 2015, the President signed the Tanzanian Cybercrimes Act, which went into effect with minimal changes despite public criticism. The Act was unsuccessfully challenged in domestic courts on the grounds that several provisions allow law enforcement to search and seize computer systems, data, and information without a court order, eroding the constitutional right to privacy. The Act also permits the police to use invasive surveillance methods such as keylogging devices or software that records keystrokes in real time, without judicial authorisation or oversight.

ICCPR: Acceded

Council of Europe Convention 108: No

Council of Europe Convention 185: No

Malabo Convention: No

ECOWAS Supplementary Act on Personal Data Protection: No

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No

Applies to natural persons: Unknown.

Applies to juristic persons: Unknown

Applies to public entities: Unknown

Domestic/personal purposes exclusion: Unknown

National security exclusion: Unknown

Law enforcement exclusion: Unknown

Cabinet or Executive Council exclusion: Unknown

Judicial functions exclusion: Unknown

Journalistic, literary or artistic purposes exclusion: Unknown

Temporary copies exclusion: Unknown

Other exclusion(s): Unknown

Broad or vague exclusions: Unknown

Applies to foreign entities: Unknown

Excludes foreign entities that only transit personal data through the country: Unknown

EPOCA guards against the violation of any person’s entitlement to respect and protection of person, the privacy of their own person, their family and matrimonial life, and respect and protection of their residence and private communications. Provisions in the new Personal Information Protection Bill are presently unknown.

The Consumer Protection Regulations provide that a licensee may collect and maintain consumers’ or subscribers’ information where it is reasonably required for business purposes.

The Cybercrimes Act prohibits operators and other service providers from monitoring activities or data being transmitted in their system, and as such, these providers are shielded from being held liable for illegal activity that takes place within their networks or systems through the actions of third parties. It is, however, lawful for officers, employees, or agents of these providers to intercept, disclose, or use communications transmitted while engaged in any activity necessary to the performance of services or to protect the rights or property of the provider.

Notification that data is being processed: Unknown

Notification to DPA in event of data breach: Unknown

Notification to data subject in event of data breach: Unknown

Timeframe for notification is specified: Unknown

Exceptions exist to breach notifications: Unknown

Requires a data processing register: Unknown

Register is publicly available: Unknown

Provides for terms of service icons: Unknown

DPA must submit at least annual report: Unknown

DPA report is made public: Unknown

Explicit provision for civil liability: Unknown

Established/designates a Data Protection Authority: Unknown

DPA is empowered to investigate: Unknown

DPA is empowered to subpoena or request evidence: Unknown

Law provides for criminal penalties: Unknown

Law provides for administrative penalties: Unknown

DPA is independently structured (does not exist within or receive instructions from another public body): Unknown

DPA receives funding directly from the state budget/legislative body: Unknown

DPA may receive some forms of external funding/own revenue: Unknown

Adequate protections against undue removal: Unknown

Number of members in DPA: Unknown

Maximum term length for members of the DPA (years): Unknown

Right of data subject to access a copy of their personal data: Unknown

Right of data subject to request a correction of data: Unknown

Right of data subject to request deletion of data: Unknown

Justification required for a request for deletion: Unknown

Defines the requirements for consent: Unknown

DPA is mandated to participate in policy formulation: Unknown

In terms of SIM card data, EPOCA prohibits network service agents from disclosing information unless the information is required by law enforcement, a court of law, or other lawfully constituted tribunal.

Provisions in the new Personal Information Protection Bill are presently unknown.

Provides a right not to be subject to automated decision-making: Unknown