Introduction
Tanzania is among the 55 African countries that adopted the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention) on 27 June 2014 at the 23rd African Union (AU) Assembly of Heads of States and Governments. Though adopted in 2014, the implementation of the Malabo Convention was delayed pending ratification of the Convention by the AU member states. In terms of Article 36, the Malabo Convention will come into force 30 days after receipt of the 15th instrument of ratification by the AU Chairperson. This milestone was achieved on 8 June 2023 following Mauritania's ratification of the Malabo Convention and deposit of the ratification instrument with the Chairperson of the AU on 9 May 2023.
The adoption of the Malabo Convention marked a significant milestone in the development of cybersecurity and data protection as African states came together to address these significant issues and agreed on the need for the AU to provide a comprehensive legal framework for, among other things, cybersecurity, data protection and electronic commerce.
Tanzania's legislative response
Even though Tanzania is yet to ratify the Malabo Convention, it already has a Personal Data Protection Act, 2022 (PDPA) which was enacted by Parliament on 1 November 2022 and assented into law by the President on 27 November 2022. The PDPA is reflective of the Malabo Convention as it contains the main provisions for the protection of personal data and rights of data subjects, and establishes mechanisms for transparency, accountability and guidance on cross-border data transfer as set out in the Malabo Convention. Notably, Tanzania has also taken great strides in setting up a data protection authority, following the establishment of the Personal Data Protection Commission (the Commission) on 1 May 2023 and its inauguration by the President on 3 April 2024. Remarkably, Tanzania has also enacted laws on cybersecurity and cybercrime, as well as laws to govern electronic transactions, thus covering the three thematic areas of the Malabo Convention.
The Malabo Convention offers a holistic approach for harmonisation of the cybersecurity, personal data protection and electronic transactions legal framework within the AU member states. Seen from this perspective, the Malabo Convention could be likened to the European Union's General Data Protection Regulation (GDPR) which harmonises national data privacy throughout the European Union (EU). However, the GDPR goes further to enhance the protection of personal data of all EU residents outside the borders of the EU. This last point differentiates the GDPR and the Malabo Convention in the sense that the GDPR is extra-territorial in nature and applies outside the borders of the EU as it imposes obligations on organisations anywhere, as long as they target or collect data from EU data subjects. This is regardless of where the data processing takes place and even if the data controller or processor is not established in the EU.
The Malabo Convention on the other hand remains territorial and is premised on, among other principles, the commitment of the AU member states to preserve fundamental freedoms and human rights as contained in the African Charter on Human and Peoples' Rights as well as the United Nations Universal Declaration on Human Rights, and the establishment of a regulatory framework on cybersecurity and personal data protection. In terms of Article 8 of the Malabo Convention, each member state commits to establish "a legal framework aimed at strengthening fundamental rights and public freedoms, particularly the protection of physical data, and to punish any violation of privacy without prejudice to the principle of free flow of personal data."
Legal challenges and analysis of the court's judgment
It is in this context that Tanzania, like other AU member states, enacted the PDPA in 2022 and more recently established the Commission to oversee its implementation. These efforts notwithstanding, the PDPA has already been put to test in the matter between Tito Magoti v. The Attorney General1 on grounds that certain provisions of the PDPA are unconstitutional and violate the basic rights and freedoms enshrined in the Constitution of the United Republic of Tanzania (the Constitution). In this case, Tito Magoti (the Petitioner) challenged the constitutionality of sections 8(1)-(3), 11(1), 14(5), 19, 20, 22(3), 23(3)(c)-(e), 25(e)-(f), 26, 30(5), 33(2) and 34 for violating Articles 12, 13(1)(2)(6)(a), 16(1), 21(2) and 29(1) of the Constitution and prayed to the court to not only declare the above cited provisions of the PDPA unconstitutional but also expunge these provisions from the PDPA.
The court delivered its judgment on this matter on 8 May 2024 in which it held that all the aforementioned provisions of the PDPA are constitutional and do not offend the Constitution, save for sections 22(3) and 23(3)(c) and (e) of the PDPA which the court found to be vague, ambiguous and unclear. The court ordered that the Attorney General must amend these provisions within one year from the date of the judgment, failing which the said provisions would be struck out of the PDPA.
The Petitioner's argument is that, by granting the President powers to appoint the chairperson and vice-chairperson of the Commission, sections 8(1)-(3) of the PDPA violate Articles 12, 13(1)(2)(6)(a), 16(1), 21(2) and 29(1) of the Constitution. Sections 8(1) and (2) of the PDPA provide for the establishment of the Board of the Commission which shall consist of seven members including the chairperson, vice-chairperson and five other members, with the chairperson and vice-chairperson being appointed by the President, and the five members being appointed by the Minister responsible for Communication (Minister). It was the Petitioner's argument that these provisions offend Articles 12, 13(1)(2)(6)(a), 16(1), 21(2) and 29(1) of the Constitution. Article 12 of the Constitution provides for equality of human beings and the right of each human being to recognition and respect of their dignity. Articles 13(1) and (2) of the Constitution provide for equality before the law and prohibit enactment by any authority of any law that shall have discriminatory provisions either in itself or in its effect. Article 13(6)(a) further places an obligation on the state to make appropriate procedures or take into account the rights and duties of any person being determined by the court or any other agency, that such person shall be entitled to a fair hearing and to a right of appeal or other legal remedy against the decision of the court or concerned agency. Article 16(1) on the other hand provides for the right to respect and protection of personal privacy, including privacy to family, matrimonial life, residence and private communication.
Article 21(2) provides for the right and freedom of every citizen to participate fully in the process leading to the decision on matters affecting them, their wellbeing and the nation, while Article 29(1) provides for the right of every person to enjoy fundamental human rights and to enjoy the benefits accruing from the fulfilment by every person of their duty in society.
The Petitioner's argument is that the cited section 8(1) of the PDPA subjects the process of appointment of the Commission's board chairperson and vice-chairperson to bias which, in turn, undermines the powers of the Commission. It is noteworthy that Article 11 of the Malabo Convention requires each state to establish a personal data protection authority as an independent administrative authority and, in terms of Article 11.3, each state has the right to determine the composition of the national personal data protection authority. Without attempting to delve into the detail on the arguments by the parties, the Petitioner's view was that the lack of clear guidelines on the qualifications of the chairperson and the vice-chairperson violates the right of equality and the right to be heard. The Petitioner also argues that the provision giving powers to the Minister to appoint the Commission's board members violates the Constitution as it does not provide guidelines or procedures for such appointment.
Though it is questionable whether sections 8(1) and (2) of the PDPA violate Articles 12, 13(1)(2)(6)(a), 16(1), 21(2) and 29(1) of the Constitution as claimed by the Petitioner, it may be worthwhile for the relevant authorities to provide guidelines on the appropriate qualifications for the chairperson and vice-chairperson of the Commission's board. Section 8(3) of the PDPA specifies, albeit minimally, the qualifications of the five board members of the Commission. The legislature could borrow a leaf from this and spell out the minimum qualifications for the board chairperson and vice-chairperson in similar fashion. It is also worth appreciating the approach taken in other jurisdictions where the specific qualifications of the members of the personal data protection authority have been spelt out in finer detail. Additionally, in the spirit of Article 7(a) of the Malabo Convention, the legislature should consider making express provisions shielding members of the Commission from receiving instructions from any other authority in the performance of their duties.
The Petitioner also challenges the constitutionality of section 11(1) of the PDPA which provides for the appointment of the Director General of the Commission (Director General) by the President on grounds that the power vested on the President to make such appointment does not allow for competitive selection and transparency. It is noteworthy that section 11(2) of the PDPA spells out the qualifications for appointment of the Director General which ensures competence and transparency of the appointment. This provision should in fact be emulated to fill in the obvious gap in the applicable qualifications for the appointment of the Commission's chairperson and vice-chairperson. Given the specifications provided under section 11(2) of the PDPA, it is difficult to fault this provision of the PDPA for being in violation of the Constitution.
Section 14(5) of the PDPA has also been challenged on grounds that it does not specify the timeline for registration, rejection and issuance of any notification to applicants who have applied for registration as data controllers and data processors. The timelines for registration and notification of rejection of any application for registration of data controllers and processors are specified within the Personal Data Protection (Personal Data Collection and Processing) Regulations, 2023 (PDP Regulations). In terms of regulation 5(1) of the PDP Regulations, the Commission is required to verify any application submitted for registration of a data controller or data processor within seven days from the date of receiving the application. Whilst the PDP Regulations do not specify the timeline for issuance of the registration certificate once an application for registration as a data controller or data processor has been accepted by the Commission, where the application for registration is rejected, the Commission is required to notify the applicant within 14 days from the date of the Commission's decision, informing the applicant of the reasons for the rejection. It is arguable that the Commission is not time-bound to issue the certificate of registration where an application has been verified and accepted, which is a lacuna that the legislature could once again seek to address.
The Petitioner further faults section 19 of the PDPA for being ambiguous which, in turn, violates the right to fair hearing and right to privacy enshrined in Articles 13(6)(a) and 16(2), respectively. Section 19 of the PDPA criminalises violation of the PDPA and furnishing false or misleading information to the Commission during the registration or renewal of registration of a data controller or data processor. Where one is found to be guilty of contravening the provisions of the PDPA in respect of registration or renewal of registration of a data controller or data processor, they shall be liable upon conviction to a fine of not less than TZS 100,000 and not more than TZS 5 million, or to imprisonment for a term not exceeding five years, or to both a fine and imprisonment. The Petitioner's argument is premised on the lack of clarity in the wording of section 19 of the PDPA, which establishes an offence even without the intention for commission or omission of the offence (mens rea). It is important to point out that the commission or omission of an act constituting an offence cannot be established where either one of the primary ingredients of an offence is missing, namely mens rea (the intention to commit an offence) and actus reus (the act or omission constituting the offence).
Section 19 of the PDPA provides that an offence is occasioned by contravention of Part III of the PDPA which deals with the registration and renewal of registration of data controllers and data handlers or providing misleading information to the Commission during the registration or renewal of registration of data controllers and data processors. The wording of section 19 of the PDPA provides for both elements of an offence, actus reus and mens rea. Moreover, the sanctions for committing an offence under the PDPA have also been articulated within the same provision and these can only be imposed following conviction. This alleviates any fear that one can be subjected to the sanctions without fair trial contrary to Article 13(6) or in breach of the right to privacy contrary to Articles 13(6)(a) and 16(2), respectively.
Section 20 of the PDPA has also been faulted for allowing appeals from the decisions of the Commissioner to be made to the Minister on the basis that the Minister is not a neutral party. This could prejudice the appellant and hence infringe the constitutional rights on equality of human beings enshrined in Article 12(1), the right to equality before the law enshrined in Article 13(1) and the right to fair trial enshrined in Article 13(6) of the Constitution. The doctrine of separation of powers requires the three arms of government to function independently to safeguard rights and guard against tyranny. Borrowing the words of Montesquieu: "There is no liberty if the powers of judging is not separated from the legislative and executive...there would be an end to everything, if the same man or the same body...were to exercise those powers."2 In addition to the above, the PDPA does not provide procedural safeguards to guard against abuse and arbitrariness. Separation of powers is critical as it provides a robust mechanism for checks and balances which are necessary for accountability and transparency. By vesting the Minister with the powers to determine appeals against decisions of the Commission and not providing the necessary mechanisms to control against abuse of such powers, section 20 of the PDPA is to be found wanting in all respects and should be revisited, particularly in light of the recent decision of the Court of Appeal in Joran Lwehabura Bashange v. The Minister for Constitutional and Legal Affairs and Another3 where the Court of Appeal held section 44 of the Law of Limitation Act4 to be unconstitutional as it lacks clear procedural safeguards to control the exercise of the powers of the Minister responsible for legal affairs which poses a risk that the powers may be exercised arbitrarily and hence violate the Constitution.5
The Petitioner's resentment towards section 22(3) of the PDPA is based on similar grounds to those raised in respect of section 19 of the PDPA, namely that the provision is ambiguous as it prohibits collection of personal data by unlawful means without specifying what constitutes "unlawful means". Whilst this cannot be said to be a clear violation of the Constitution, the court emphasised the importance of clarity and agreed with the Petitioner that the said section is vague and could be open to abuse. The court directed that this provision be amended, failing which the said provision would be struck out of the PDPA. The court made a similar finding in respect of sections 23(3)(c) and (e) of the PDPA, and held that these provisions are ambiguous, do not provide prescribed procedures and hence are unconstitutional. Briefly, section 23 places an obligation on a data controller to collect personal data directly from the data subject and to inform the data subject of the purposes for which the data is being collected, the fact that the data collection is for authorised purposes and to disclose the intended recipients of the personal data. Section 23(3)(c) exempts a data controller from observing the above conditions where non-compliance is necessary for the purposes of compliance with other written laws, while it exempts compliance with the above-mentioned requirements where compliance would prejudice the lawful purpose of the data collection.
It is interesting to note that, in terms of Article 13 of the Malabo Convention, the processing of personal data is considered to be legitimate where the data subject has consented to the process. This provision also sets out circumstances where the requirement for consent of the data subject may be waived. These include circumstances where processing the personal data is necessary for compliance with a legal obligation to which the data controller is subject, performance of a task carried out in the interest of the public or in the exercise of official authority vested in the data controller, or protection of vital interests or fundamental rights and freedoms of the data subject. It is likely that the drafters of the PDPA intended sections 23(3)(c) and (e) to cover the circumstances stated under Article 13 of the Malabo Convention, but the wording of sections 23(3)(c) and (e) is too wide and calls for streamlining. In implementing the order of the court for the amendment of sections 23(3)(c) and (e), the legislature should ensure that the circumstances for which the waiver for consent of the data subject applies are clearly articulated and limited only to the circumstances specified under the Malabo Convention. In addition to the above, there is also a need to reconsider section 23(3)(d) which, even though the court found it was not problematic, is too wide and subject to abuse of interpretation.
The Petitioner further challenges sections 25(2)(e), (f) and 26 of the PDPA on grounds that these provisions violate the right to privacy enshrined in the Constitution. Sections 25(2)(e) and (f) require that personal data is used only for the purpose for which it is intended and waives this requirement where the data controller believes that the use of personal data is necessary to prevent or lessen a serious threat to life or health of the data subject, or to public health and safety, or that the use of personal data in the manner used is necessary for compliance with law. Section 26 restricts disclosure of personal data by a data controller except in the circumstances stipulated under section 25 of the PDPA. The court, being in disagreement with the Petitioner, appreciated the extensiveness of sections 25(2)(e) and (f) of the PDPA and held that these provisions are in line with recital 15 of the GDPR which embraces technology neutrality. The technology neutrality principle, which is also embraced in the Malabo Convention, proposes that "legislation should define the regulation to be achieved and should neither impose or discriminate in favour of the use of a particular type of technology to achieve its objectives".6 The waiver under sections 25(e), (f) and 26 makes it even more important for data controllers to ensure that they have the necessary code of ethics or policy in place and that the same is complied with during collection and/or processing of personal data as specified under section 65.
The issues raised by the Petitioner in challenging the constitutionality of section 30(5) of the PDPA are similar to those raised in respect of sections 25(e) and (f) as discussed above. Section 30 prohibits processing sensitive data without prior written consent of the data subject. The exceptions to this prohibition are provided under section 30(5) which negates prior consent of the data subject where such processing is necessary for compliance with other laws, for protection of the vital interests of the data subject or other person where the data subject is incapable of giving their consent, such processing is necessary for institution of trial or defence of legal claims, where the data is in the public domain, where processing is necessary for scientific research or medical reasons. The court determined this issue based on the same reasons attributed to section 25. The court also held that the fundamental right to privacy enshrined under Article 16 of the Constitution is not absolute as articulated in Article 30(2) of the Constitution and, on this basis, held that section 30(5) of the PDPA does not violate the Constitution as claimed by the Petitioner.
Sections 33(2)(a) and (b) were also put to the test on grounds that they permit access to personal data and deny a data subject the right to be informed of the use of their personal data. These provisions provide for circumstances where a data controller is not obliged to inform the data subject of the access or use of the data subject's personal data, namely where the personal data is not accurate and where the personal data is involved in any investigations in accordance with the law. Similar contentions were made by the Petitioner in respect of section 34(2) of the PDPA which provides for the right to prevent data processing likely to affect a data subject except where there are exceptions provided under the PDPA. The court disagreed with the Petitioner's argument that the exceptions stipulated under sections 33(2)(a), (b) and 34(2) are wide and ambiguous, and compared these to the exceptions stipulated under Article 30(2) of the Constitution.
Conclusion
The case of Tito Magoti v. The Attorney General highlights significant legal and constitutional challenges within the PDPA. While the court upheld most of the PDPA's provisions, it identified critical ambiguities and potential violations of constitutional rights, particularly concerning sections 22(3) and 23(3)(c) and (e). These findings underscore the necessity for clearer guidelines and amendments to ensure the PDPA aligns with constitutional guarantees and provides robust data protection.
The judgment reinforces the importance of transparency, accountability and the need for precise legislative drafting to prevent potential abuses and ensure the effective protection of personal data. The court's directive to amend vague provisions within a specified timeframe signifies a proactive approach to strengthening the PDPA and ensuring its compatibility with constitutional standards.
This case also reflects broader themes in data protection law, such as the balance between state authority and individual rights, the importance of independent regulatory bodies and the necessity of clear, enforceable legal frameworks. As Tanzania continues to develop its data protection landscape, lessons from the PDPA's challenges and the court's rulings will be crucial in shaping future legislation and ensuring the protection of personal data in the digital age.
Ultimately, the PDPA's ongoing refinement and the establishment of the Personal Data Protection Commission signal positive steps towards comprehensive data protection in Tanzania. However, continuous vigilance and adjustments will be necessary to address emerging challenges and uphold the rights enshrined in the Constitution and international agreements like the Malabo Convention.
Footnotes
1 Miscellaneous Civil Case No. 18 of 2023.
2 Montesquieu, Charles de Secondat, baron de. The Spirit of Laws (c.1748). Translated and edited by Anne Cohler, Basia Miller, Harold Stone (New York: Cambridge University Press, 1989).
3 Miscellaneous Civil Case No. 12 of 2023 [2024] TZHC 774 (13 March 2024).
4 [Cap 89 RE 2019].
5 As also held in Kukutia Ole Pumbun & Another v. Attorney General & Another, Civil Appeal No. 32 of 1992 [1993] TLR 159 (CA).
6 See European Commission (1999) Towards a New Framework for Electronic Communications Infrastructure and Associated Services. Brussels: European Commission, p. 539.
Originally published 27 June 2024