FACULTY OF LAW

(FoL)

RESEARCH PROPOSAL ON

ANALYSIS OF THE LAW AND PRACTICE GOVERNING PERSONAL DATA

PROTECTION IN TANZANIA; A CASE STUDY OF MWANZA REGION

BY

ELISHA SAMWEL MACHUGU

REG.NO. 1236113/T.23

Tel; +255757684906

Email: [email protected]

SUPERVISOR: DR. JANUARY NKOBOGO

A COMPULSORY RESEARCH PROPOSAL SUBMITTED TO THE FACULTY OF LAW

FOR THE REQUEST OF PERMISSION TO UNDERTAKE THE FIELD STUDY.
 TABLE OF CONTENTS

CHAPTER 1 .................................................................................................................................................. 1

1.0 INTRODUCTION ................................................................................................................................... 1

1.2. BACKGROUND OF THE PROBLEM ................................................................................................. 2

1.3. STATEMENT OF THE PROBLEM ......................................................................................................5

1.4. RESEARCH OBJECTIVES ...................................................................................................................6

1.4.1 General objectives ................................................................................................................................ 6

1.4.2 Specific objectives ................................................................................................................................6

1.5. RESEARCH QUESTIONS .................................................................................................................... 6

1.6. SIGNIFICANCE OF THE STUDY ....................................................................................................... 7

CHAPTER TWO ...........................................................................................................................................9

1.7. LITERATURE REVIEW ....................................................................................................................... 9

CHAPTER THREE ..................................................................................................................................... 16

1.8. RESEARCH DESIGN AND METHODOLOGY ................................................................................16

1.8.1 Sample size ......................................................................................................................................... 16

1.8.2 Sample Population ..............................................................................................................................16

1.8.2.1 Sampling Strategy ........................................................................................................................... 16

1.8.3 Data Collection methods .................................................................................................................... 16

1.8.3.1 Primary data collection ....................................................................................................................16

1.8.3.2 Secondary data collection ................................................................................................................17

1.9. Data presentation and analysis. ............................................................................................................ 17

1.10 LIMITATION OF THE STUDY ........................................................................................................ 17

CHAPTER 4 ................................................................................................................................................ 18

1.11.0 CHAPTER OUTLINE ......................................................................................................................18

1.12.0 CONCLUSION ................................................................................................................................ 18

APPENDIX 1 .............................................................................................................................................. 19

A sample of interview guide ........................................................................................................................19

APPENDIX 2: ............................................................................................................................................. 22

I
QUESTIONAIRE SCHEDULE .................................................................................................................. 22

BIBLIOGRAPHY ....................................................................................................................................... 26

II
 TABLE OF ABBREVIATION

A.G: Attorney General

AU: African Union
CAP: Chapter
DCCPs: Datagram Congestion Control Protocol
EAC: East African Community
EPOCA: Electronic and Postal Communications Act
EU: European Union
GDPR: General Data Protection Regulation
IOs: International Organisations
OECD: Organisation for Economic Co-operation and Development
PDPA: Personal Data Protection Act
PDPC: Personal Data Protection Commission
Qn: Questions

III
 CHAPTER 1

1.0 INTRODUCTION

The right to personal data protection is about to safeguarding and upholding the dignity of
individuals when collecting, processing and storing their personal data, and is closely linked to
the right to privacy provided in the Constitution of United Republic of Tanzania1. It is key in
building trust between people and organizations, particularly in a digital age. Personal data
protection regulatory frameworks ensure that personal information is processed in a fair,
transparent, and responsible manner, and that people maintain control over who, how, why, and
when their data is processed2.
Government and private institutions are collected many individual data through various
programs and purpose through physical files3. Advancement of information technology not only
making greater evolution on the aspect of collecting, storing and processing of data collected but
also amount of data collected stored and processed. Due to such factors new legislation
addressing data protection is inevitable.
Data protection laws typically include essential principles and provisions designed to ensure that
personal data is managed fairly, equitably and lawfully4. These principles serve as the main
guiding principles for organizations and establish the rights and protections afforded to
individuals with the fundamental principles of lawfulness, fairness, equity, transparency and
openness play a key role in many data protection legislation5.

1
[CAP 2 R.E 2008]
2
C Cuijpers, ‘A Private Law Approach to Privacy: (Mandatory Law Obliged?’ 2007 4/4 Scripted 304–18,) at page
312.
3
P De Hertz and E Schreuders, ‘The Relevance of Convention, (Proceedings of the Council of Europe Conference
on Data Protection, Warsaw, 19–20 November 2001) page no.108, 33, 42.
4
37th International Conference of Data Protection and Privacy Commissioners, ‘Resolution on Privacy and
International data protection of the United Nations, GDPR Humanitarian Action (27 October 2015)
<http://globalprivacyassembly.org/wpcontent/uploads/2015/02/Resolution-on-Privacy-and-International-
Humanitarian-Action.pdf> accessed 25th April 2025;
5
Glenn Greenwald, Ewen MacAskill and Laura Poitras, ‘Edward Snowden: The Whistleblower Behind the NSA
Surveillance Revelations’, (The Guardian 11 April 2025)
<https://www.theguardian.com/world/2013/jun/09/edward-snowden-nsawhistleblower-surveillance> accessed 27th
April 2025.

1
The enactments of Personal Data Protection Act6 in 2022 which came into effect on 1st May
2023 and the Personal Data Protection (Personal Data Collection and Processing) Regulations7
in Tanzania, is a result of regional and international efforts, among other things this Act become
a fundamental Legislation dealing with the manner individual data will be collected, stored and
processed. In line with the right to individual information to be protected by the law as required
by article 16(1) of the Constitution8.
This research will be designed to make an analysis of the Laws and practices on protection of
personal data, its challenges and legal conflict as well as to provides effective recommendations
on those problems so as to strength personal information protection and the right of privacy as
provided by the constitution.

1.2. BACKGROUND OF THE PROBLEM

Data protection under the right of privacy is a Western concept which has evolved over the years.
Bennett observes that record keeping on individuals (one of the reasons why data privacy laws
partly emerged to regulate) is as old as civilization itself. The Roman Empire, for example,
maintained an extensive system of taxation records on its subjects, who were identified through
census taking9. The same principle applied during medieval time in Europe where monarch
records and religious sacred texts were protected from unauthorized accession. However, the
modern conception of privacy and data protection may be traced from Warren and Brandeis’s
seminal article “The right to privacy”, published in the Harvard Law Review in 1890. This
article indeed is increasingly acknowledged by commentators as the official birth date of the
right to privacy in the world10.

It is worth noting that in the 1960s and 1970s concrete privacy and data protection regulations
emerged in North America and Europe11. This is not surprising as the rise of computer
technology around that time increased many possibilities with which Organisation, both public

6
[CAP 44]
7
G.N No. 449 Published on 2023
8
[CAP 2 R.E 2008]
9
SD Warren & LS Brandeis ‘The right to privacy’ (Harvard Law Review 1890)193-195.
10
LA Bygrave, ‘The Place of Privacy in Data Protection Law’ 24/1 (University of New South Wales Law Journal
(2001) 277–283, at 282) available at, http://www.austlii.edu.au/au/journals/UNSWLJ/2001/6.html. accessed 26
April 2025 at 07:05.
11
Ibin n. 3

2
and private, as well as individuals could process personal information in ways that could
interfere with an individual’s privacy12. The legal response to the rise of computer technology
with respect to the protection of an individual’s privacy had been to enact data protection
legislation. The earliest formal International legal framework were OECD’s privacy and data
guidelines13 and the convention for protection of individual with regard to the automatic
processing of data of 1981 of the council of Europe14. The rules in those laws provides the
foundation principles in almost all data protection legal framework that data must be obtained
fairly and lawfully used only for the specified purpose15.

Adaptation of the United Nations Guidelines for Regulation of Computerized Personal Data
Files16 and the EU Directive 95/46/EC set a benchmark for national law (of European countries)
and harmonizing law on data protection throughout the European Union17. It became the most
influential law in the privacy law reforms in non-EU members countries including African
countries especially its article 25 which imposed an obligation of members countries to ensure
that personal information relating to European citizen is covered by law when it exported and
possessed in countries outside Europe. In fact, this became among reasons as why African
countries have adopted or plan to adopted comprehensive data protection laws to secure better
chances for off-shoring business from Europe18.

In East Africa, East African countries have fundamentally lagged in the development of data
protection regulations until 2019, when both Uganda and Kenya introduced data protection laws.
12
Alex Boniface Makulilo; Privacy and data protection in Africa: a state of the art (Faculty of Law, University of
Bremen, Germany 2020)
13
The preamble of Council of Europe Modernised Convention for the Protection of Individuals with Regard to the
Processing of Personal Data 1985, ETS No 108.
14
The first data protection law in the world was adopted by the German Land of Hesse in October 1970. Then
followed Sweden (1973); the United States (1974); Germany (1977); France, Denmark and Austria (1978);
Luxemburg (1979); New Zealand (1982); the United Kingdom (1984); Finland (1987); Ireland, Australia, Japan and
The Netherlands (1988). Today almost all Western countries have adopted data protection legislation.
15
LA Bygrave Data protection law: Approaching its rationale, logic and limits (Cambridge University press, 2002)
Ch 6.
16
37th International Conference of Data Protection and Privacy Commissioners, ‘Resolution on Privacy and
International Humanitarian Action’, (27 October 2015) <http://globalprivacyassembly.org/wp-
content/uploads/2015/02/Resolution-on-Privacy-and-International-Humanitarian-Action.pdf> accessed 28th April
2025 at 05: 45 P.M
17
D Banisar; ‘Privacy and data protection around the world’ (Conference proceedings of the 21st International
Conference on Privacy and Personal Data Protection, Hong Kong, 13 September 1999,) pg. 2
http://www.pcpd.org.hk/english/infocentre/conference.html (accessed 29th April 2025). at 07:18 P.M
18
EU Study on the Legal Analysis of a Single Market for the Information Society, (DLA PIPER, UK, November
2009, Ch. 4,) at page 4

3
Notably, these laws are heavily influenced by the GDPR. Rwanda followed suit by enacting its
law in 2021, while Tanzania also has the specific Act for personal data protection. The EAC has
required its member states to enact data protection legislation whereas initiatives include the
adoption of a Bill of Rights for the EAC in 2012. Unlike the African Charter on Human and
Peoples’ Rights, this Bill incorporates an explicit right to privacy. Its enforcement, however,
awaits the approval of the EAC Heads of State.

Such a journey of data protection laws began in Kenya to enacted the Data Protection Act in
2018 and Uganda in 2019 followed by Rwanda and Tanzania in 2021 and 2022 respectively19
which address the legal requirement of consent to collect, processing and storing of data and the
export of personal data under the basis on the GDPR which use approved codes of conduct that
address on the transfer of personal data outside to the European Union20.

In Tanzania, the Constitution was amended in 1984 for the fifth time giving the Bill of rights
force of law, in march 1988 the Bill of rights became operational with the right to privacy
guaranteed and protected under the provision of article 16(1) (2) of the Constitution of United
Republic of Tanzania21. Since then, the data protection was administered by various laws
including Electronic and Postal Communication Act of 2010, Consumer Protection
Regulations22, Cybercrime Act23, the Tanzania Intelligence and Security Service Act24, National
Security Act25. Those Acts of parliament provided for the need of protection of personal privacy
in one hand and allow for surveillance of personal information and communication without
safeguards against infringements on privacy and data protection right.

In 1st November 2022, 38 years later since the inclusion of the right to privacy in a constitution
the Parliament of Tanzania passed a Personal Data Protection Act26 (PDPA) a new law to deals
with the protection of individual data to govern how data will be collected, processed and stored
among other thing the new law established an institution known as Personal Data Protection

19
Alex Boniface Makulilo; Privacy and data protection in Africa: a state of the art (Faculty of Law, University of
Bremen, Germany)
20
Ndemo, B., Ndung’u, N., Odhiambo, S. & Shimeles, A. (Eds), Data Governance and Policy in Africa, (Palgrave
Macmillan, London, 2023) doi: 10.1007/978-3-031-24498-8.
21
[CAP 2 R.E 2008]
22
G.N No. 325 of 2001
23
Act No. 4 of 2015
24
Act No.15 of 1996
25
Act No. 3 of 1970
26
[CAP 44]

4
Commission (PDPC) which is responsible for protecting personal data. This marked significant
step to the reforms in the sphere of personal data protection in Tanzania.

1.3. STATEMENT OF THE PROBLEM

Development of information technology and the demands of international standards, necessitate

Tanzania to having its own competent legislation governing protection of individual data which
manage collection storing and processing of personal data27. Enactment of the Personal Data
Protection Act28 in 2022 and the making of Personal Data Protection (Personal Data Collection
and Processing) Regulations29 of 2023, in line with the establishment of Personal Data
Protection Commission (PDPC) seems as a game changer in protection of individual information
in Tanzania since it embodied international standards as those addressed in the UN’s supported
General Data Protection Regulations (GDPR) of 2010 which became a precedent standard of the
Data Protection legislation in Africa30.
Despite the enactment of the Act, its implementation on various circumstances raised a concern
especially when it comes a matter of recruitment for work, Court proceedings and security which
raises fundamental questions about the interaction between the Personal Data Protection Act and
the existing laws. Some of its provisions especially section 22(3) and section 23(3)(c) has been
declared to be ambiguous by the court as in the case of Tito Magoti V. Attorney General31. The
lack of clarity in these provisions open the door to arbitrary interpretation and potential abuse by
authorities and data controllers. PDPA emphasize on consent of individual on his or her data,
however it’s unclear on whether data subject must give explicit consent before the data is
transferred internationally32. The only condition set is that the receiving country must have
“sufficient protection” excluding consent requirement which exposes personal data to the risk

27
Alex Boniface Makulilo; Privacy and data protection in Africa: a state of the art (Faculty of Law, University of
Bremen, Germany 2019)
28
[CAP 44]
29
G.N No. 449C of 2023
30
Mutimukwe, C., Kolkowska, E. & Gro¨nlund, A.; “Information privacy practices in e-government in an African
least developing country, (The Electronic Journal of Information Systems in Developing Countries, Vol. 85 No.
22019), p. e12074. (Accessed on 30th May 2025 at 05:23 PM)
31
Miscellaneous civil cause No. 18 of 2023
”, Liverpool Law Review, Vol. 38 No.2,pp.105-134, doi:10.1007/ s10991 (Accessed on 30th May 2025 at 05:25PM)

5
misuse.33 These identified gaps suggests a demand of critical analysis of the Laws and practice
relating to Personal Data Protection and its enforcement.

1.4. RESEARCH OBJECTIVES

1.4.1 General objectives

To critically analyze the legal framework and practical implementation of personal data
protection in Tanzania, with a focus on assessing the effectiveness of the Personal Data
Protection Act, 2022 and its subsidiary regulations in safeguarding individuals' privacy rights,
ensuring compliance by organizations, and addressing emerging challenges in the digital era.

1.4.2 Specific objectives

(1) To examine the legal framework established by the Personal Data Protection Act, 2022
(PDPA) and its regulations, focusing on the principles, rights, and obligations concerning
the collection, processing, and transfer of personal data in Tanzania.
(2) To assess the practical implementation and enforcement of the PDPA by the Personal
Data Protection Commission (PDPC), including registration compliance by data
controllers and processors, and the effectiveness of regulatory oversight in protecting data
subjects' privacy rights in Tanzania

1.5. RESEARCH QUESTIONS

(1) How effective is the Legal and regulatory framework governing personal data protection
in Tanzania in safeguard individuals’ privacy and data rights
(2) How does the implementation of PDPA compare to international data protection standards
such as the GDPR in terms of principles like lawfulness, fairness, transparency and data
subject rights

33
African Union (2022), “AU data policy framework”, available at:
https://au.int/sites/default/files/documents/42078-doc-au-data-policy-framework-eng1.pdf (accessed in 30th May
2025 at 06:34 PM)

6
 (3) What are the key provisions and principles of the Personal Data Protection Act, 2022
(PDPA) and its regulations regarding the collection, processing, storage, and transfer of
personal data in Tanzania
(4) How effective are the enforcement mechanisms and remedies available for breaches of
personal data protection laws in Tanzania
(5) What are the roles, responsibilities, and challenges faced by data controllers, data
processors, and the Personal Data Protection Commission under the current Tanzanian
legal framework
(6) What are the main gaps, challenges, and risks identified in the practical enforcement of
personal data protection laws, particularly regarding fragmented oversight and sector-
specific regulations
(7) How do sector-specific laws, such as the Electronic and Postal Communications Act
(EPOCA) and the National Payment System Act, interact with the PDPA in regulating
personal data in Tanzania

1.6. SIGNIFICANCE OF THE STUDY

This study will help to understand how current laws, such as the Personal Data Protection Act
(PDPA) of 2022, protect individuals' constitutional right to privacy and personal data security,
which is crucial in preventing identity theft, financial loss, and reputational damage. It evaluates
the effectiveness of Tanzania’s evolving legal framework, including the PDPA, the Electronic
and Postal Communications Act (EPOCA), and related regulations, in regulating data collection,
processing, and transfer, ensuring compliance with both local and international standards like the
GDPR

The study will shed light on the role and impact of the newly established Personal Data
Protection Commission (PDPC), which oversees registration, compliance, enforcement, and
complaint handling, thus fostering accountability and transparency in data management practices.

By analyzing the law and practice, the study will inform how data protection regulations enhance
trust among people encouraging a better protection of individual information. The study will
identify gaps and challenges in the current data protection regime, including registration

7
requirements for data controllers and processors, limitations on data disclosure, and enforcement
mechanisms, contributing to recommendations for legal and policy improvements

Overall, this study is significant for policymakers, legal practitioners, businesses, and the public
to ensure robust protection of personal data in Tanzania’s digital age, aligning the country with
global data protection trends and safeguarding individual rights.

8
 CHAPTER TWO

1.7. LITERATURE REVIEW

The protection of personal data has become a critical issue globally, with countries enacting laws
to regulate the collection, processing, and use of personal information. Tanzania has recently
made significant strides in this area through the enactment of the Personal Data Protection Act,
2022 (PDPA), which came into force on 1 May 2023. This review examines the legal framework
established by the PDPA and its associated regulations, the role of the Personal Data Protection
Commission (PDPC), and the practical challenges and developments in implementing data
protection in Tanzania34.

Makulilo A.B35, in his article known as Privacy and Data Protection in Africa asserted that, The
privacy protection laws is the cornerstone of Tanzania’s data protection regime. Which set out
comprehensive principles and conditions for the lawful processing of personal data. Key
principles under section 5 of the PDPA include lawful, fair, and transparent processing;
collection for explicit and legitimate purposes, accuracy and correction of data to includes data
minimization and restrictions on data transfer outside.

The Personal Data Protection Act36

The Personal Data Protection Act of Tanzania which enacted in 2022 and effective from May 1,
2023, introduces a comprehensive legal framework to safeguard personal data and privacy rights.
On the clear interpretation made by the high court in the case Tito Magoti V. Attorney General
when the Court agreed that;

“Understandably, the PDPA is a general law applicable to all sectors: health, education,
finance, administration of justice, and others”.

The Act also mandates that personal data must be collected directly from the data subject unless
specific exceptions apply, such as when the data is already public or the subject consents to

34
Greenleaf, G. and Cottier, B, “International and regional commitments in African data privacy laws: a
comparative analysis”, (Computer Law & Security Review, Vol. 44, 2022) p. 10,
35
Makulilo A.B, (2023), “The Privacy and Data Protection in Africa”, (Government Information Quarterly, Vol. 35
No. 4,2023) pp. 669-674.
36
[CAP 44]

9
third-party collection. Data controllers are required to inform data subjects about the purpose of
data collection, authorized use, and recipients of the data, ensuring transparency and informed
consent.

Section 5 of the Act provides for the Principles of Data Processing in which mandated that
personal data be processed lawfully, fairly, transparently, and securely, respecting the data
subject’s privacy. Data must be collected for explicit, legitimate purposes, be accurate, adequate,
and retained no longer than necessary. It also prohibits unauthorized transfer of personal data
outside Tanzania unless specific conditions are met. These principles align with international
best practices including the GDPR and establish a strong foundation for protecting personal data
integrity and privacy. The clear articulation of these principles is crucial for guiding data
controllers and processors in responsible data handling.

Provision of part VI of the Act provides for the Rights of Data Subjects in which among other
things the Act grants data subjects key rights including:

(i) Right to access their personal data;

(ii) Right to object to processing that may cause adverse effects;
(iii) Right to rectify inaccurate data;
(iv) Right not to be subjected to automated decision-making without safeguards.

The said provision of part VI Empowering individuals with these rights is essential for
transparency and control over personal information. These rights enhance trust in data processing
activities and provide mechanisms for redress.

Part III of the Act provides for compulsory Registration of Data Controllers and Processors, in to
the effects that All entities collecting or processing personal data must register with the Personal
Data Protection Commission (PDPC). In which Non-compliance attracts penalties up to TZS 5
million or imprisonment up to five years, or both. Mandatory registration promotes
accountability and enables regulatory oversight. The penalties serve as deterrents against
unlawful data processing, though effective enforcement is key to realizing these benefits.

Part IV of the Act placed a compulsory requirement of consent of the data subject in all aspect of
his or her individual information, Data controllers must collect personal data directly from the
data subject, ensuring the subject is informed about the purpose of data collection, authorized use,

10
and recipients. Consent must be informed and easily withdrawable. This provision upholds
transparency and autonomy, ensuring data subjects understand and control how their data is used.
It addresses common privacy concerns around uninformed data collection.

In the same part, the Act emphasized on Security of Personal Data, that, data controllers and
processors are required to implement reasonable security safeguards to protect personal data
from loss, unauthorized access, destruction, or alteration. The same part prohibits data controllers
from processing sensitive personal data without prior consent of the data subject. This provision
adds an extra layer of protection for highly sensitive information, reducing risks of misuse or
discrimination.

Part V of the Act puts Restrictions on Cross-Border Data Transfers outside Tanzania unless the
recipient country has adequate data protection laws or other justified conditions are met This
protects Tanzanian data subjects from exposure to weaker foreign data regimes, aligning with
global data sovereignty trends.

Part II of the Act Establish the Personal Data Protection Commission (PDPC) which is mandated
to oversee implementation, registration, compliance monitoring, and enforcement of the PDPA

Lastly, Part IX of the Act establishes Offences relating to the breach of personal Data protection
and its Penalties, among other things, The Act criminalizes unlawful disclosure, destruction, or
alteration of personal data, with penalties including fines and imprisonment. These sanctions
reinforce the seriousness of data protection obligations and provide legal remedies for violations.

The PDPA of Tanzania incorporates necessary provisions that reflect international standards and
address local data protection needs. Its comprehensive approach covering principles, data subject
rights, registration, consent, security, cross-border transfers, enforcement, and penalties which
provides a framework for personal data protection.

Agatho J, in the Case of Tito Magoti V. Attorney General37, addressed ambiguities and
constitutional issues within the Personal Data Protection Act itself. The petitioner Mr. Tito
Magoti challenged thirteen sections of the Personal Data Protection Act, arguing that they
violated constitutional rights to privacy and fair hearing. The High Court found some provisions,
notably Sections 22(3) and 23(3)(c) and (e), to be vague and ambiguous, particularly regarding

37
Miscellaneous civil cause No. 18 of 2023

11
what constitutes "unlawful means" of data collection and exceptions to consent requirements.
The court decided that;

If the “unlawful means” mentioned in the PDPA were to be enlisted in the Regulations
the legislature should have made that clear. Since the impugned provision creates an
offence, it is our observation that the same should have been narrow and clear. Looking
at Section 22(3) of PDPA, it is our view that the “unlawful means” for collecting and
processing personal data ought to be enlisted in the Act because of the offence created
even if the regulated fields are multifarious and change with technology changes. Clarity
is thus lacking in the impugned provision. It ought to have stated what unlawful means
are, and where are they to be found whether in the Act itself or in the Regulations. It is
hard to tell if the listing of unlawful means has been left to the Minister to formulate in
the Regulations. We therefore hold the impugned provision to be wide and vague

On the second issue of the interpretation of the term unlawful means the High Court was decided
that;

Although we viewed that the impugned provision as saving the interest of the Petition as
a data subject because it bars the data controller from collecting personal data by
unlawful means, these unlawful means will certainly vary from field to other, the PDPA
therefore ought to have disclosed them. Undisputedly, the law allows collection of
personal data with data subject’s consent or under the exceptions. Thus, collection or
processing of data may be for lawful purpose, but what happens if the said data was
collected by the so-called unlawful means? What is the implication? Clarity is essential
here. Indeed, ambiguity arises because the unlawful means are unknown. For the
foregoing reason, we find merit in the allegation that the absence of definition for
unlawful means creates ambiguity, vagueness and open for abuse.

The court ordered amendments to these provisions to prevent legal uncertainty and potential
abuse, reinforcing the need for clarity in data protection laws to align with constitutional
guarantees in which up to now no any amendments published. This case underscores ongoing
legal refinement in Tanzania’s data protection regime

12
Makulilo M38. explore the interaction between the PDPA and the Existing laws which affects
personal privacy, in his article he observes that the development and overlap of parallel systems
which governing personal data processing by states, and by IOs operating on the territory of
these states (and elsewhere), gives rise to fundamental questions as to the coexistence and
interaction between these regulatory frameworks. More specifically, how do these different legal
orders come into interaction and tension with each other, and how are these tensions addressed in
the law and practice of IOs to ensure seamless functioning and harmonious.

Tanzania, in turn, has limited degree of transparency and openness in the selection of its
supervisory body, called the Personal Data Protection Commission. This commission is vital for
ensuring compliance, registering DCCPs and resolving disputes. The lack of an open vetting
process may affect how independent or effective the regulatory authority is perceived to be.

Since The Personal Data Protection Act of Tanzania recognizes the rights of the data subject that
are: the right to access personal data, rights related to automated decision-making, the right to
prevent the processing of personal data that may affect the data subject, the right to prevent the
processing of personal data for direct marketing purpose, the right to compensation and the right
to correction, blocking, deletion and destruction of personal data

Yussuf & Adekoya (2024)39 emphasized on the problems related to enforcement of these newly
personal data legislation they asserted that although many countries have taken steps to
strengthen their data privacy laws, enforcement mechanisms remain a challenge, particularly in
African countries. Enforcement mechanisms for ensuring compliance with data privacy laws
have been the subject of extensive scholarly inquiry.

Baloyi and Kotzé (2024)40, study on guidelines for data privacy compliance highlights one
common approach involves regulatory agencies such as PDPC with the authority to investigate
and penalise non-compliant organisations. These agencies play a pivotal role in monitoring and
enforcing data privacy regulations, in their comprehensive review of enforcement strategies in

38
Makulilo A.B, “Comparison of personal information de-identification policies and laws within the EU, the US,
Africa, (Government Information Quarterly, Vol. 40 No. 2, 2023) p. 1018.
39
Yussuf M & Adekoya, D. (2023), “Assessment of independence of regulatory structures governing data
protection and privacy in East Africa: a case study of Kenya and Tanzania”, (International Journal of Law and
Politics Studies, Vol. 5 No. 6, 2023) pp. 10-17
40
Muhangi, K., “Overview of the data protection regime in Tanzania”, (Journal of Data Protection & Privacy, Vol.
3 No. 1, 2019) pp. 82-92.

13
various African countries such as Tanzania. Additionally, the growing importance of data
protection has led to the development of stringent legal frameworks, such as the European
Union’s General Data Protection Regulation (GDPR), which imposes substantial fines on
members or organisations found in breach of data privacy rules.

Scholz, (2023)41 argue that private litigation mechanisms are crucial in ensuring compliance, as
they empower individuals to seek legal remedies for data breaches. These various mechanisms
collectively contribute to a multifaceted approach aimed at safeguarding individuals’ privacy
rights and promoting adherence to data protection laws.

Prinsloo Kaliisa, (2022)42 highlights several challenges facing the enforcement of the Personal
Data Protection Laws she asserted that; Several challenges confronting African countries in the
compliance and enforcement of data privacy laws, one of the foremost challenges lies in the
dearth of public awareness and education regarding data privacy issues in Tanzania, Namibia,
Zimbabwe Mozambique and Uganda. Moreover, study on leadership and trust issues as keys to
smart governance, emphasizes the urgent need for comprehensive awareness campaigns and
concerted involvement of African leaders to bridge the knowledge gap and empower individuals
and entities to navigate the evolving data privacy landscape effectively. A dissection of
Tanzania’s state on data privacy laws revealed present-day challenges of fraud, cyber-attacks,
and increasing organized crime and political chaos.

Cottier, (2020)43, have pointed out, that countries with stable political environments and
unwavering dedication to data privacy exhibit more effective enforcement mechanisms. That is
to say that effectiveness of the law on protection of personal privacy depends so much in
existence of political stability, peace and commitments. Collectively, would control challenges
underscore the intricate nature of data protection issues in Africa and emphasized the need for

41
Ohm, SCholz. (2024). “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization.”
UCLA Law Review, Vol. 57, last revised 22 February 2015. https://papers.ssrn.com/sol3/papers.cfm?abstract_
(accessed on 10th June 2025 at 07:30 AM)
42
Prinsloo Kaliisa. (2022). “Beyond Consent: A New Paradigm for Data Protection.” Discussion Document 2017-
03. Bangalore: Takshashila Institution. https://takshashila. org.in/discussion-document-beyond-consent-
newparadigm-data-protection (accessed on 5th June 2025 at 05:45 PM)
43
Paul Cottier, (2023, September). The role of open data in enabling fiscal transparency and accountability in
municipalities in Africa: Tanzania as case studies. In Proceedings of the 13th International Conference on Theory
and Practice of Electronic Governance (pp. 410-418).

14
concerted efforts to address these impediments and strengthen data privacy protection across the
continent.

According to Manda (2021)44, The lack of a common development agenda often leads to poor
compliance, especially in cases where such decisions are not considered a priority, particularly
by developing countries that lag in social and economic development. It is worth noting that
these core reasons contribute to varying and consistently low compliance levels among entities
regarding data privacy laws in African countries across the continent, while some businesses and
organisations have made substantial efforts to align with data privacy regulations, many others
struggle with the implementation of robust compliance measures.

Cases from different African countries highlight this disparity: Higher education institutions in
Tanzania find it difficult to ensure compliance with legislation and regulatory frameworks to
ensure student data privacy. In Tanzania, despite the presence of the Protection of Personal
Information Law Manda reiterate concerns about the incapability of the government to enforce
compliance. In the same way, in Uganda and Rwanda, despite the existence of the Data
Protection laws compliance challenges persist due to limited awareness, inadequate enforcement
mechanisms, and resource constraints.

Ademola Adeyoju, (2023)45 explored leadenness of African Government leaders toward Data
Protection Laws to be a potential challenge in implementation of those law since many countries
in Africa provide constitutionally guaranteed rights to privacy, one of the major obstacles to
establishing DPAs involves convincing political elites that data protection should be a national
priority. This represents a significant challenge especially in Africa, where developmental issues
and economic growth have historically taken precedence over other concerns, concurrently,
governments view data protection bills with caution.

44
Manda, M. I. (2021). Leadership and trust as key pillars in “smart governance” for inclusive growth in the 4th
Industrial Revolution (4IR): Evidence from South Africa. ACM International Conference Proceeding Series, 308–
315. https://doi.org/10.1145/3494193.3494235 (accessed on 10th June 2025 at 07:58 P.M)
45
Ademola Adeyeju., Educational data mining in higher education in sub-Saharan Africa: A systematic literature
review and research agenda. In Proceedings of the 2nd International Conference on Intelligent and Innovative
Computing Applications 2023. (pp. 1-7).

15
 CHAPTER THREE

1.8. RESEARCH DESIGN AND METHODOLOGY

The research will be conducted in Mwanza region including various offices such as the Personal
Data Protection Commission, Magistrate of the district court of Ilemela, Police centers to
mention few. The research will use both primary and secondary methods.

1.8.1 Sample size

Since the research is qualitative research few numbers of people who would possess some
information related to the problem will be included.

1.8.2 Sample Population

The targeted population in institutions study will be magistrates and lawyers, government
officials especially IT and Data Management staff, employee from both government and non-
government institutions, police, university students, Civil society groups like Human rights
defenders and some common people (general public) who particular found in Mwanza region

1.8.2.1 Sampling Strategy

This research will employ Purposive sampling technique since it may includes different
specialized groups of people who possess necessary information such as legal experts, regulators
civil society etc. to ensure that knowledgeable individual are included.

1.8.3 Data Collection methods

1.8.3.1 Primary data collection

In collection of primary data, two methods will be employed, which are Interview and
questionnaire. Interview will involve face to face interaction between the respondents and the
researcher to get clear and concise information direct from the respondents. Lastly questionnaire
which will help the researcher to deal with the problem of access to the respondents.

16
1.8.3.2 Secondary data collection

A systematic search of the literature will be the cornerstone of this study, allowing us to define
the problem and explore the landscape of data privacy laws and compliance. This will include
literature review, media and internet sources where by the researcher will visit and construe
published materials about personal data protection.

1.9. Data presentation and analysis.

Data will be presented by using qualitative means, to mean that after searching, a great deal of
attention will be paid to making sure that the findings were reliable and of high quality. The
study will employ a standardizing quality assessment tool to do this. To be able to assess the
findings by using this technique according to their methodological soundness, availability of data,
and significance to our main research issue.

1.10 LIMITATION OF THE STUDY

The researcher expects to face challenges and obstacle while conducting the research. One of the
challenges is that the some of the respondent mighty be unable to provides necessary information
relates to their practice relating to protection of individual data.

17
 CHAPTER 4

1.11.0 CHAPTER OUTLINE

Five chapters will be used in this study or research. The first chapter consists of proposal of the
study, including the background of the study, analysis of the statement of the problem,
hypothesis or research question, objectives; main and specific objectives, significance of the
study, methods of data collection, and scope of the study, limitation of the study and literature
review.

Second chapter will consist of conceptual framework on personal data protection

Third chapter will consist of the critique on legal and regulatory framework on personal data
protection laws in Tanzania

The fourth chapter is going to cover and comprise a presentation of findings and data analysis;
hence, it will focus on the challenges arising on the implementation of different laws and policies,
which will enhance personal data protection

In addition, on the last chapter, it will include the conclusion and recommendations by
highlighting on, measures to be taken by the government and what to be done to resolve the
existing legal problem.

1.12. CONCLUSION

In sum, many African countries have acknowledged and responded to the need to have modern
and appropriate data protection and privacy laws that provide adequate protection to their
citizens and incentivize them to adopt digital technology without fear of harm. Nevertheless, the
authors’ assessment of existing laws relative to the GDPR reveals that many of them require
significant revisions to make them suitable to the dynamics of the digital market and to achieve
their primary objectives.

18
 APPENDIX 1

A sample of interview guide

Dear sir/Madam.

I, Elisha S. Machugu, LLB student at Mzumbe university, Morogoro Campus. I am conducting

research titled “Analysis of The Law and Practice Governing Personal Data Protection in
Tanzania” as for partial fulfillment of Bachelor of laws. I wish to have your opinion to the
following questions. Moreover, your name will not be mentioned in either of the report unless if
you wish it to be so.

Questions on Background and Awareness

(i) Can you describe your role and experience related to personal data protection in
Tanzania?
(ii) How familiar are you with the Personal Data Protection Act No. 11 of 2022 (PDPA)
and its regulations?
(iii) What is your understanding of the key principles of personal data protection under the
PDPA?

Questions on analysis of Legal Framework

i. How effective do you find the PDPA in regulating the collection, processing, storage, and
use of personal data?
ii. Are you aware of the obligations imposed on data controllers and processors under the
PDPA and its Regulations?
iii. How does the PDPA align with other sector-specific laws like the Electronic and Postal
Communications Act or the National Payment System Act?
iv. What are the main challenges or gaps you see in the current legal framework for data
protection in Tanzania?

Questions on Compliance

i. What is your experience with the mandatory registration of data controllers and
processors with the Personal Data Protection Commission (PDPC)?

19
 ii. How has the extension of the registration deadline impacted compliance among
organizations?
iii. What penalties or enforcement mechanisms exist for non-compliance, and how effective
are they?

Questions on Practical Implementation

i. How do organizations ensure lawful, fair, and transparent processing of personal data in
practice?
ii. What measures are typically taken to secure personal data and protect the rights of data
subjects?
iii. Are there common challenges faced by organizations in implementing the PDPA
requirements?
iv. How is consent for data collection and processing obtained and managed in practice?

Questions on Rights of Data Subjects

i. How aware are data subjects in Tanzania of their rights under the PDPA?
ii. What mechanisms exist for data subjects to exercise their rights, such as withdrawing
consent or requesting data erasure?
iii. Are there any notable cases or examples where data subjects have enforced their rights
successfully?

Questions on Recommendations

i. What improvements would you suggest for the legal framework governing personal data
protection in Tanzania?
ii. How can enforcement and compliance be strengthened?
iii. What role should the government, private sector, and civil society play in enhancing data
protection?
iv. How do you see the future of personal data protection evolving in Tanzania?

Questions during Closing

i. Is there anything else you would like to add regarding personal data protection laws and
practices in Tanzania?

20
Expressing Gratitude

Thanks in Advance, at the end of this research, researcher will prepare report and copy of it will
be provided to you.

21
 APPENDIX 2:

QUESTIONAIRE SCHEDULE

Dear sir/ Madam.

I, Elisha S. Machugu, a LL. B student at Mzumbe University Morogoro Campus conducting

research titled “Analysis of The Law and Practice Governing Personal Data Protection in
Tanzania” as for the requirement for partial fulfillment of Bachelor of Laws, I wish to have your
opinion to the following questions. Your name will not be mentioned in either of the report
unless if you wish it to be.

This questionnaire is designed to collect data for research on the laws and practical
implementation of personal data protection in Tanzania. The questions are structured to capture
both legal awareness and practical compliance among organizations and individuals, in line with
the Personal Data Protection Act No. 11 of 2022 and related regulations.

Questions determining Demographic Information

(i) Name of Respondent (optional):

(ii) Organization/Institution (if applicable)
(iii)Position/Title
(iv)Sector;
 Government
 Private
 NGO
 Other (please specify)
(v) Years of Experience in Data Management, Information Technology and Legal Affairs

Questions to determine Awareness of Data Protection Laws

(1) Are you aware of the Personal Data Protection Act No. 11 of 2022 in Tanzania?

22
  Yes
 No
(2) How did you learn about data protection laws in Tanzania?
 Media
 Training or Seminars
 Workplace Policy
 Other (please specify)
(3) Are you aware of any sector-specific laws or regulations that supplement the main Act
(e.g., EPOCA, Banking and Financial Institutions Act)?
 Yes
 No

If yes, please list them.

Organizational Practices

(1) Has your organization registered as a data controller or processor with the Personal Data
Protection Commission (PDPC) as required by law?
 Yes
 No
 Not Sure
(2) Does your organization have a designated Data Protection Officer?
 Yes
 No
 Not Sure
(3) What measures does your organization take to ensure the security of personal data?
(Select all that apply)
 Encryption
 Access Controls
 Regular Audits
 Staff Training
 Other (please specify)

23
4. How often does your organization conduct data protection training for staff?

 Never
 Annually
 Semi-annually
 Quarterly

5. Are there written policies and procedures for handling personal data breaches?

 Yes
 No
 Not Sure

Questions on Data Subject Rights and Consent

1. Are individuals informed about the collection and use of their personal data?

 Always
 Sometimes
 Never

2. Is explicit consent obtained before collecting sensitive personal data?

 Always
 Sometimes
 Never

3. Are data subjects informed of their rights (e.g., access, rectification, erasure, objection)?

 Yes
 No
 Not Sure

4. How can individuals exercise their rights in your organization? (Open-ended)

24
Questions on Challenges and Compliance

1. What challenges does your organization face in complying with data protection laws? (Select
all that apply)

 Lack of awareness
 Limited resources
 Complexity of regulations
 Technology limitations
 Other (please specify)

2. Has your organization experienced any data breaches in the past 12 months?

 Yes
 No
 Not Sure

If yes, how was it handled?

3. Are there any areas where you feel the law is unclear or difficult to implement? (Open-ended)

Question suggests Recommendations

1. What improvements would you suggest for the laws or their enforcement to enhance personal
data protection in Tanzania?

2. What additional support or resources would help your organization comply with data
protection requirements?

Closing

Thank you for your participation. Your responses will contribute to a better understanding of the
effectiveness and challenges of personal data protection in Tanzania.

25
 BIBLIOGRAPHY

The Constitution of the United Republic of Tanzania [CAP 2 R.E 2008]

TABLE OF STATUTES

The personal Data Protection Act [CAP 44]

The Cybercrime Act No. 18 of 2015

The Electronic and Postal Communication Act No.15 of 1996

SUBSIDIARY REGISLATION

The Personal Data Protection Act (Regulations) G.N No. 449 Published on 2023

TABLE OF CASES

Tito Magoti V. Attorney General Miscellaneous civil cause No. 18 of 2023

JOURNAL AND ARTICLES

Ademola Adeyeju., Educational data mining in higher education in sub-Saharan Africa: A

systematic literature review and research agenda. In Proceedings of the 2nd International
Conference on Intelligent and Innovative Computing Applications 2023..
Alex Boniface Makulilo; Privacy and data protection in Africa: a state of the art (Faculty of
Law, University of Bremen, Germany 2020)
C Cuijpers, ‘A Private Law Approach to Privacy: (Mandatory Law Obliged?’ 2007 4/4 Scripted
304–18,)
EU Study on the Legal Analysis of a Single Market for the Information Society, (DLA PIPER,
UK, November 2009, Ch. 4,)
Greenleaf, G. and Cottier, B, “International and regional commitments in African data privacy
laws: a comparative analysis”, (Computer Law & Security Review, Vol. 44, 2022)
Muhangi, K., “Overview of the data protection regime in Tanzania”, (Journal of Data
Protection & Privacy, Vol. 3 No. 1, 2019)
P De Hertz and E Schreuders, ‘The Relevance of Convention, (Proceedings of the Council of
Europe Conference on Data Protection, Warsaw, 19–20 November 2001)

26
Paul Cottier, (2023, September). The role of open data in enabling fiscal transparency and
accountability in municipalities in Africa: Tanzania as case studies. In Proceedings of the 13th
International Conference on Theory and Practice of Electronic Governance.
SD Warren & LS Brandeis ‘The right to privacy’ (Harvard Law Review 1890)
The preamble of Council of Europe Modernised Convention for the Protection of Individuals
with Regard to the Processing of Personal Data 1985, ETS No 108.
Yussuf M & Adekoya, D. (2023), “Assessment of independence of regulatory structures
governing data protection and privacy in East Africa: a case study of Kenya and Tanzania”,
(International Journal of Law and Politics Studies, Vol. 5 No. 6, 2023)

INTERNET SOURCES
37th International Conference of Data Protection and Privacy Commissioners, ‘Resolution on
Privacy and International data protection of the United Nations, GDPR Humanitarian Action
(27 October 2015) <http://globalprivacyassembly.org/wpcontent/uploads/2015/02/Resolution-
on-Privacy-and-International-Humanitarian-Action.pdf>.
African Union (2022), “AU data policy framework”, available at:
https://au.int/sites/default/files/documents/42078-doc-au-data-policy-framework-eng1.pdf
D Banisar; ‘Privacy and data protection around the world’ (Conference proceedings of the 21st
International Conference on Privacy and Personal Data Protection, Hong Kong, 13 September
1999,) pg. 2 http://www.pcpd.org.hk/english/infocentre/conference.html.
Glenn Greenwald, Ewen MacAskill and Laura Poitras, ‘Edward Snowden: The Whistleblower
Behind the NSA Surveillance Revelations’, (The Guardian
<https://www.theguardian.com/world/2013/jun/09/edward-snowden-nsawhistleblower-
surveillance>
LA Bygrave, ‘The Place of Privacy in Data Protection Law’ 24/1 (University of New South
Wales Law Journal (2001) 277–283, at 282) available at,
http://www.austlii.edu.au/au/journals/UNSWLJ/2001/6.html. accessed 26 April 2025 at 07:05.
Liverpool Law Review, Vol. 38 No.2,pp.105-134, doi:10.1007/ s10991
Manda, M. I. (2021). Leadership and trust as key pillars in “smart governance” for inclusive
growth in the 4th Industrial Revolution (4IR): Evidence from South Africa. ACM International
Conference Proceeding Series, 308–315. https://doi.org/10.1145/3494193.3494235

27
Mutimukwe, C., Kolkowska, E. & Gro¨nlund, A.; “Information privacy practices in e-
government in an African least developing country, (The Electronic Journal of Information
Systems in Developing Countries, Vol. 85 No. 22019), p. e12074.
Ohm, SCholz. (2024). “Broken Promises of Privacy: Responding to the Surprising Failure of
Anonymization.” UCLA Law Review, Vol. 57, last revised 22 February 2015.
https://papers.ssrn.com/sol3/papers.cfm?abstract_
Prinsloo Kaliisa. (2022). “Beyond Consent: A New Paradigm for Data Protection.” Discussion
Document 2017-03. Bangalore: Takshashila Institution. https://takshashila. org.in/discussion-
document-beyond-consent-newparadigm-data-protection

28