Your image, your consent: Personal Data Protection under Tanzanian Law

In today’s digital age, the sharing of personal data has become immediate, broadly accessible, and often difficult to reverse. Social media platforms such as LinkedIn, Instagram, and Facebook have increasingly blurred the boundary between private and public life, leading individuals and entities to share personal data with limited reflection on the legal implications. As a result, what appears to be a harmless post may, in fact, give rise to legal and regulatory consequences where personal data is published without consent.

In Tanzania, the legal framework governing personal data protection, including the Personal Data Protection Act, Chapter 44 (Revised Edition 2023) (the PDP Act) and the Personal Data (Collection and Processing) Regulations, Government Notice No. 449C of 2023 (the Collection and Processing Regulations), has developed significantly. This framework imposes clear obligations on how personal data is collected, used, and shared, while also granting individuals enforceable rights over their personal information. As awareness of these rights continues to grow and regulatory oversight continues to strengthen, the unauthorised publication of personal data poses an increasing risk for both individuals and entities.

This legal update examines how Tanzanian data protection law regulates the publication of personal data, addresses the use of images in public settings, outlines the rights of data subject, and highlights practical compliance considerations for individuals and entities.

What constitutes “personal data” in published images and content?

Under section 2 of the PDP Act, personal data is defined as any data relating to an identifiable individual, regardless of the form in which it is recorded. The definition of personal data under the PDP Act is technology neutral, as it applies equally to written records, audio visual material, digital content, and online publications, including images, videos, and social media posts. Section 2 of the PDP Act defines personal data to include:

• personal data relating to the race, national or ethnic origin, religion, age or marital status of the individual;
• personal data relating to the education, the medical, criminal or employment history;
• any identifying number, symbol or other particular assigned to the individual;
• fingerprints or blood type of the individual;
• the name of the individual appearing on personal data of another person relating to the individual or where the disclosure of the name itself would reveal personal data about the individual; and
• correspondence sent to a data controller by the data subject that is explicitly or implicitly of a private or confidential nature and replies to such correspondence that would reveal the contents of the original correspondence, and the views or opinions of any other person about the data subject.

In practice, images, videos, and online content constitute personal data under the PDP Act where an individual can be identified, whether directly or indirectly. Identifiability may arise not only from facial features, but also from associated information such as captions (example, text describing who appears in the image), tags or links to personal accounts, location data, workplace identifiers (such as uniforms), or other contextual details.

Public vs private spaces: common misconceptions

A common misconception is that personal data protection obligations do not apply where images or content are captured in public spaces. However, the PDP Act does not distinguish between personal data collected in public and private settings. The key consideration is whether the information relates to an identifiable individual and whether it is processed lawfully, fairly, and for a specific purpose. 

While capturing a photograph in a public place may be lawful, the subsequent publication or sharing of that image constitutes a separate processing activity and must comply with the requirements of the PDP Act. Accordingly, the public nature of a location does not, in itself, remove the obligation to consider consent, lawful purpose, and the rights of the data subject, particularly where images are published on social media or used for promotional or commercial purposes.

Rights of data subjects under the PDP Act

Part VI of the PDP Act sets out a range of rights available to a data subject whose personal data is processed without consent or other lawful justification. These rights are particularly relevant where personal data such as images or videos are published on social media or other public platforms without the individual’s consent. Under the PDP Act, a data subject has the following rights:

• right to access personal data;
• right to prevent processing likely to affect data subjects;
• right to prevent processing of personal data for direct marketing;
• rights in relation to automated decision making;
• right to compensation; and
• right to rectification, blocking, erasure and destruction of personal data.

Practical guidance on how to stay compliant

To minimise legal and regulatory risks when publishing images and other personal data, individuals and organisations should take a proactive and structured approach to comply with the PDP Act and the Collection and Processing Regulations. In practice, this includes:

• obtaining clear and informed consent before publishing images or other personal data, particularly where content is shared publicly or used for promotional, marketing, or commercial purposes;
• clearly defining and communicating the purpose for which images are collected and used;
• limiting publication to what is necessary and proportionate to the stated purpose;
• implementing internal review and approval processes for social media posts and other public communications involving personal data;
• responding promptly to data subject requests, including requests for removal, correction, or erasure of published content;
• providing regular training to staff and content managers on data protection obligations;
• maintaining appropriate records demonstrating compliance, including consent documentation and the rationale for publication.

Conclusion

Unlawful sharing of personal data constitutes a serious breach of the PDP Act and the Collection and Processing Regulations. Individuals who contravene these laws may be liable to fines ranging from Tanzanian Shillings (TZS) 100,000 (approximately USD 39) to TZS 20,000,000 (approximately USD 7,743), to imprisonment for a term of up to ten (10) years, or to both the fine and imprisonment. In addition, entities face the risk of fines between TZS 1,000,000 (approximately USD 387) and TZS 5,000,000,000 (approximately USD 1,937,000), with senior officers and other responsible persons potentially held personally liable for non compliance.