DATA PROTECTION LAW UPDATE : INTRODUCTION OF THE GENERAL DATA PROTECTION REGULATION AND ITS IMPLICATIONS ON COMPANIES WITH CITIZENS OF THE EUROPEAN UNION
- Overview of the General Data Protection Regulation with regards to enhancement of data protection and privacy
- Analysis of the Legal Framework for Data Protection and Privacy in Tanzania
- Assessment of the impact and challenges of compliance with GDPR
Amidst the rise of digital revolution, it is increasingly becoming clear that the handling of personal data in a globally connected world is considerably very complex. The existing regulations are not sufficient to account for and regulate the dynamic nature of the digital world and what it can do or carry.
Companies must transform in order to deliver on their customers ever-growing expectations and data is going to be the competitive differentiator for businesses. Something of such importance should be kept safe and protected. This calls for a data protection strategy (both law and technology infrastructure) that acknowledges the current landscape because it is likely that customers will need to continue supporting their current environments as well as transform for next generation infrastructure initiatives.
Most businesses are managing their data and applications in multiple places with differing requirements. Some businesses use offshore Cloud Services for storage of data while others engage in outsourcing data storage services. This confirms the need for a unified regulation on data protection across all consumption models. The Corporate and Commercial Department of Breakthrough Attorneys highlights the General Data Protection Regulations (GDPR) and their impact to businesses that fall under its regime.
2.0 The General Data Protection Regulation (GDPR) [Regulation EU 2016/679]
The GDPR is a regulation that was passed to strengthen and unify data protection within the European Union (EU). The GDPR serves as a replacement to the Data Protection Directive of 1995. It was adopted on 27th April 2016 and will become operational from 25th May 2018.
The GDPR addresses the export of personal data outside the EU. It aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Unlike the Data Protection Directive, GDPR does not require national governments to pass any enabling legislation and is thus directly binding and applicable.
The GDPR will serve as a single set of rules to apply uniformly to all EU member states. Each member state will establish an independent supervisory authority that will receive and investigate complaints and sanction administrative offences. The supervisory authority in each member state will cooperate with others and provide mutual assistance and organizing joint operations.
In addition, the GDPR acknowledges that data protection rights are not absolute and must be balanced proportionately with other rights.
2.1 Scope of application
2.1.1 Territorial Scope
The regulation applies to organizations that collect data from EU residents (data controller) or an organization that processes data on behalf of data controller (data processor) or when the data subject (person) is based in the EU.
Non-EU established organizations will be subject to the GDPR where they process personal data about EU data subjects in connection with the offering of goods or services to the EU or monitors behavior of EU citizens irrespective of whether it has a presence in Europe.
2.1.2 Material Scope
The Regulation applies to the processing of “personal data,” which is defined to mean any information relating to an identified or identifiable natural person (a “data subject”).
According to the European Commission, personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. This may be in form of a name, home address, photos, email addresses, bank details, and posts on social networking websites, medical information, or a computer’s IP address.
3.0 Analysis of the Legal Framework for Data Protection and Privacy in Tanzania.
Tanzania does not have a compounded piece of Legislation that governs matters of data protection and privacy. The government intended to enact a personal data protection law that would require all local firms and people to keep their data lawfully. The plan materialised by the Tanzania Data Protection and Privacy Bill of 2014. However, the Bill has not been passed to-date.
Despite the absence of a data protection law, there are a number of laws which may loosely be deemed to govern data protection in Tanzania.
|The Constitution of the United Republic of Tanzania of 1977
|Article 16(1) provides that “Every person is entitled to respect and protection of his person, the privacy of his own person, his family and of his matrimonial life, and respect and protection of his residence and private communications.”|
|The Electronic and Postal Communications Act of 2010
|Section 98 and 99 of the Act of the Act imposes the duty of confidentiality of information upon network service licensee or operator, agents and customers.
The law further prohibits disclosure of information without authorization.
|The Electronic and Postal Communication (Consumer protection) Regulations, GN. No. 427 of 2011
|Section 6 of the Act provides for the protection of consumer information.
The information obtained shall not be transferred to any party except as permitted by any terms and conditions agreed with the consumer or as permitted by the Authority or laws.
|The Cybercrimes Act,2015
|Section 7 of the Act provides for protection against illegal data interference.
A person who communicates, discloses or transmits any computer data, program, access code or command to an unauthorized person commits an offence under the Act.
|The Registration and Identification of Persons Act, CAP 36 R:E 2012
|The law provides that the Registrar, a registration officer and any immigration officer performing functions under this Act shall not disclose or supply copies of photographs, fingerprints or particulars furnished without written permission.|
|The Records and Archives Management Act, No. 3 of 2002||Section 16 of this Act imposes the “Thirty (30) years rule” which allows for records or archives to be destroyed after they attain the period of thirty years since their creation.|
|Access to Information Act No.9 of 2016
|The Act provides for instances where information may be exempted from being disclosed. Furthermore, under section 6(1) (b) an information holder may withhold information where he determines in accordance with the Act that the disclosure is not justified in the interest of the public.
Section 22 of the Act provides for offences of alteration, defacement, blocking and erasure of information.
|The Statistics Act, No. 9 of 2015
|Section 25(1) of the Act imposes a restriction on disclosure of information. Certain information shall not be published, admitted in evidence or shown to any person not employed in the execution of a duty under the Act unless prior consent in writing thereto has been obtained from the person making such return in accordance with the Act.|
|The Electronic and Postal Communications (Online Content) Regulations, 2018
|Regulation 11 imposes a duty of any part holding users’ information to not disclose the same unless to law enforcement agency (ies) when required under the auspices of the Regulations or the Act. However this Regulation does not clearly go out to protect data and privacy thereto as much as it seems to be a rubberstamp for law enforcement agencies to access any such data. The access of data by the agencies seems to be the mischief intended rather than the general need for right to privacy by individuals.
Please see our Article on analyzing GN No. 133 of 2018
TELECOMMUNICATION & PRIVACY LAW PUBLICATION OF THE NEW TANZANIA’S ONLINE CONTENT REGULATIONS, 2018.
Having seen the various legislation that govern data protection and privacy in Tanzania, it is evident that the current regulatory framework does not cater for data protection sufficiently.
There is no law in Tanzania that restricts the processing or storage of any type of data outside of its jurisdiction or the security of data for individuals in an organisation. The issue of security is dictated with Company policies and guidelines. The Tanzania Communications Regulatory Authority (TCRA) is mainly established to regulate consumer and telecommunication services and does not extend to private individuals or organizations such as the Company.
4.0 Assessment of the impact of GDPR and challenges for its implementation
Companies with data subjects who are EU citizens [especially global Companies with offices/branches in EU countries] will face a major shift in their business as they have to put mechanisms in place to ensure compliance with the stringent rules of the GDPR.
4.1 Improvement of IT infrastructure
The GDPR sets out specific processes for companies to adopt. It intends to help companies structure and formalize certain subject areas like risk assessment and decision making. By putting these structured processes in place, companies can work more efficiently and achieve compliance with the privacy rules.
For instance, a data protection impact assessment (PIA) becomes a mandatory pre-requisite before engaging in any data processing that may result in a high risk to the rights and freedoms of individuals.
4.2 Increase of Human Resources
The GDPR requires businesses outside of the EU that fall under its regime (because of its activities with regard to citizens of EU member states) to appoint a representative in that member state unless processing of data is occasional and does not include large scale processing of sensitive data such as health data, genetic data, criminal records, etc.
New roles will be created such as the Data Protection Officer (DPO). Appointing a DPO can be mandatory, for example for businesses engaging in profiling or tracking online behavior or for biomedical companies that process health data. Thus, companies also need to increase human resources which may be costly.
4.3 Upgrade of record management
GDPR imposes an obligation on companies to keep internal records of their data protection activities. Also, data breaches must not only be notified without undue delay but must also be documented, explain the underlying facts, the effects, and the remedial action taken.
4.4 Fines and Sanctions
The GDPR could have huge financial impact for companies failing to comply. The supervisory authorities can take one or more measures listed in the GDPR, such as
- Issue a warning or impose a temporary or definitive ban on processing personal data, or
- Impose a fine up to EUR 20,000,000 or 4% of the total worldwide turnover, depending on the circumstances of each individual case.
4.5 Change of business approach by companies
Due to the implications of GDPR, companies may need to adopt a project-based approach to implementation across the company. Fact finding, objective gap analysis, realistic milestones, clearly defined roles, tasks and responsibilities will help break down the process of GDPR implementation into easily manageable units.
The GDPR intends to increase accountability among corporations that process personal data of individuals. It therefore imposes a huge responsibility and requires demonstration of compliance therewith at all times.
In the absence of a similar and comprehensive regulatory framework on data protection, companies are unfamiliar with the requirements of GDPR. This poses difficulty in implementation of GDPR as organizations are expressly encouraged to certify their data processing with a supervisory authority or an approved certification body.
Additional guidance on the GDPR is still forthcoming. Certain terminologies under the regulations need to evolve into individual market practices and require further clarification from Courts of law and regulatory authorities. That being the case, some requirements of the GDPR may remain difficult to implement for some time until a complete layout of the regulation is provided.
The Corporate and Commercial department at Breakthrough Attorneys calls upon the Tanzanian government and Regional Integration bodies to craft comprehensive laws that regulate and protect the privacy of their members/citizens. Additionally, all Companies and Corporations with employees who are EU citizens are urged to take a proactive approach in ensuring implementation of the GDPR to avoid being sanctioned for non-adherence to the regulations.