What Does Consent Look Like Under the Tanzania Personal Data Protection Laws?
Insight Article 27 August 2025
In today’s interconnected digital landscape, protecting personal data is no longer just an ethical responsibility; it is a legal requirement. The rapid expansion of digital platforms and social media has increased the risks of unauthorised collection, use, and disclosure of personal data, making data privacy an important legal issue that requires attention.
Recognising the growing challenges to data privacy, Tanzania has taken decisive action by establishing a comprehensive legal framework to address these challenges. The enactment of the Personal Data Protection Act, Cap 44 R.E 2023 (the PDP Act), the Personal Data Protection (Personal Data Collection and Processing) Regulations GN No. 499C of 2023 (the Collection and Processing Regulations) and the Personal Data Protection (Complaints Settlement Procedures) Regulations GN No. 449B of 2023 provide clear and comprehensive safeguards to uphold and enforce individuals’ right to privacy. This framework places specific obligations on data controllers and processors to obtain informed and voluntary consent from data subjects before collecting or processing personal data.
The following key terms, as defined in the relevant legislation, apply to this legal update:
"Data controller" means a natural person, legal person or public body which alone or jointly with others determines the purpose and means of processing of personal data; and where the purpose and means of processing are determined by law, "data controller" is a natural person, legal person or public body designated as such by that law and it includes his representative;
"Data processor" means a natural person, legal person or public body which processes personal data for and on behalf of the data controller and under the data controller’s instructions, except for the persons who, under the direct authority of the data controller, are authorised to process the personal data, and it includes his representative;
“Data subject” means the subject of personal data which are processed under the PDP Act;
“Personal data” means data about an identifiable person that is recorded in any form, including:
- any identifying number, symbol or other particular assigned to the individual;
- correspondence sent to a data controller by the data subject that is explicitly or implicitly of a private or confidential nature and replies to such correspondence that would reveal the contents of the original correspondence, and the views or opinions of any other person about the data subject;
- personal data relating to the education, the medical, criminal or employment history;
- personal data relating to the race, national or ethnic origin, religion, age or marital status of the individual;
- the address, fingerprints or blood type of the individual; and
- the name of the individual appearing on personal data of another person relating to the individual or where the disclosure of the name itself would reveal personal data about the individual.
“Sensitive data” includes:
- genetic data, data related to children, data related to offences, financial transactions of the individual, security measure or biometric data;
- if they are processed for what they reveal, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation, trade-union membership, gender and data concerning health or sex life; and
- any personal data otherwise considered under the laws of the country as presenting a major risk to the rights and interests of the data subject.
“The Commission” means the Personal Data Protection Commission established under section 6 of the PDP Act.
Consent under the PDP Act and the Collection and Processing Regulations
Consent is a cornerstone of the data protection framework, reflecting data subjects’ fundamental right to control how their personal data is collected and processed. The PDP Act and the Collection and Processing Regulations impose clear duties on data controllers and processors to ensure consent is voluntarily given and the data subject is fully informed at every stage of data collection and/or processing. Similarly, a person shall not process sensitive personal data without obtaining prior written consent of the data subject.
In addition to consenting to the collection and processing of personal data, the data subject should have an understanding of what he/she has consented to in accordance with the principle of lawfulness provided under regulation 25(d) of the Collection and Processing Regulations.
Moreover, data controllers and processors must ensure that data subjects understand who will receive their data and that their personal data will only be used for authorised purposes. In cases of transfer of personal data outside Tanzania, data controllers and processors must ensure that the data subject has consented to the proposed transfer. Sharing personal data with third parties without explicit consent of the data subject is prohibited. Additionally, the PDP Act and the Collection and Processing Regulations require the process for withdrawing consent to be simple and accessible at any time and without any explanation or charges.
Where the data subject from whom consent is sought is a minor, a person of unsound mind or any other person unable to consent, such person’s consent shall be sought from his/her parents, guardian, heirs, attorneys or any other person recognised by law to be acting on behalf of the person whose consent is to be sought.
In spite of the above, prior written consent when processing personal data shall not be required if:
- the processing is necessary for compliance with other written laws;
- the processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is incapable of giving his/her consent or is not represented by his/her legal representative;
- the processing is necessary for the institution, trial or defence of legal claims;
- the processing relates to personal data which has apparently been made public by the data subject;
- the processing is necessary for the purposes of scientific research and the Commission has, by special guidelines, specified the circumstances under which such processing may be carried out; or
- the processing is necessary for the purposes of medical reasons in the interest of the data subject, and the sensitive personal data concerned is processed under the supervision of a health professional in accordance with the law governing such health care services.
The Naumanga Case
The recent decision by the Commission in the case of Abdul Said Naumanga (the Complainant) v. Mi Casa Company Limited (the Respondent), Complaint No. 08 of 2024, underscores the critical importance of strict compliance with consent requirements under the PDP Act and the Collection and Processing Regulations. In this case, the Commission ruled in favour of the complainant after finding that his personal data had been published in the media without his consent, which is a clear violation of the PDP Act and the Collection and Processing Regulations. As a result, the respondent was ordered to pay monetary compensation of Tanzanian Shillings (TZS) 20,000,000.
This landmark decision sends a clear message to all data controllers and processors handling personal data that compliance with the PDP Act and the Collection and Processing Regulations is mandatory. It also affirms the legal necessity of obtaining explicit consent before processing or publishing personal information, thereby safeguarding data subjects’ privacy rights and upholding personal data protection standards.
Legal consequences for non-compliance
Under the PDP Act and the Collection and Processing Regulations, unauthorised disclosure of personal data is an offense punishable by a fine of not less than TZS 100,000 and not more than TZS 20,000,000, or imprisonment for a term not exceeding ten (10) years. In some cases, both a fine and imprisonment may be imposed.
For corporates, the penalties for unauthorised disclosure can be significantly higher. The law prescribes a fine of not less than TZS 1,000,000 and up to TZS 5,000,000,000 for unauthorised disclosure of personal data. Additionally, officers who intentionally authorise or allow the offense to occur may also be held personally liable.
Conclusion
Consent is a legal safeguard that upholds the fundamental right to privacy. It is essential for organisations and individuals to ensure that consent is informed, freely given, specific, and revocable. The Commission’s enforcement actions clearly demonstrate that breaches will result in substantial penalties, highlighting the critical importance of proactive compliance with the PDP Act and the Collection and Processing Regulations.