Tanzania: Seamless Data Flows: Overcoming PDPA Challenges in Cross Border Transfers.


Introduction

In today's digital economy, data flows transcend physical borders. Unlike travellers passing through traditional checkpoints at airports, digital data moves freely, creating a gap that data protection laws must address. Grounded in the protection of fundamental human rights, the PDPA sets out rules for cross border data transfers.

In this article I will simplify the legal language of the PDPA and its Regulations on this topic. I will also use the following terms interchangeably: “Data Exporter” refers to the Data Controller or Processor sending data outside Tanzania, while “Data Importer” refers to the recipient. I will explore the legal framework, practical implications, and compliance tips for controllers and processors.


Legal Framework for Cross Border Data Transfers Under the PDPA

The PDPA lays down requirements that Controllers and Processors must follow before and while conducting cross border transfers. Provisions on cross border data flows are found in Part V, sections 31 and 32 of the PDPA, and the procedure for transferring personal data is set out in Part IV, sections 20 to 22 of the Personal Data Protection (Personal Data Collection and Processing) Regulations.


Pre cross border transfer considerations

First and foremost, the PDPA prohibits transferring personal data outside Tanzania without first obtaining a permit from the Commission. This section focuses on situations where an export is necessary. To avoid permit denial, you must conduct a thorough internal assessment and answer the following questions before applying:

  • Is exporting the data essential to fulfilling our business purpose or a public interest?
  • Can the recipient verify the necessity of this export?
  • Do we have a lawful purpose under the PDPA that aligns with our business objectives?
  • Can we guarantee that data subjects’ rights will be maintained during and after the export?
  • Does the destination country have an adequate legal framework to protect personal data (e.g., it is not a warzone or a country with poor human rights records)?
  • If not, can the recipient ensure data protection and process the data strictly as per our instructions?
  • Has the destination country signed an agreement with Tanzania to protect data subjects’ rights, or do we have a binding agreement with the recipient?

To demonstrate accountability, Section 31(3)(2) of the PDPA requires data exporters to conduct a transfer impact assessment. Controllers should either draft a form covering all the above questions or utilize automated compliance tools. For data transfers to countries without an adequacy decision, an additional assessment is required, addressing:

  • The circumstances surrounding the transfer
  • The purpose and duration of the processing
  • The recipient country’s applicable laws
  • The professional standards and security measures in place in that country

This comprehensive assessment ensures that data exports are justified and compliant, and that risks to data subjects are minimized.


Application process and requirements

Once you have completed your internal assessments and are satisfied that you can justify transferring data outside Tanzania, you can submit an application to the Commissioner as directed in Part IV of the Regulations. The information to be submitted with the application is also listed in the Regulations and includes details of the applicant, personal data types, purpose, security in the recipient country, consent, date and time of sending, and any other information.


Managing Expectations

All businesses need to be aware of the inherent risks and manage their expectations. The PDPA has been quite pre-emptive by including provisions that show you the potential outcomes. Controllers and Processors need to pay special attention to the following:

  1. The Commission reserves the right to prohibit transfer of personal data outside the country, which means the application can be approved or denied. If the application is denied you will be notified in writing.
  2. The Commission will take at least 14 days to review and give a decision on your application.
  3. Transfer is restricted to the recipient mentioned in the permit, and the data shall not be disclosed to any other party without permission from the Commission.
  4. The application should include date and time of sending the data (I am adding this here because it's quite controversial and will need careful consideration).
  5. The minister may specify categories of processing that are prohibited from being transferred outside the country, so it's important to assess the relevance of the personal data to achieving your business goals.


Special Circumstances and flexibilities

The PDPA is strict on cross border data transfers but does offer some flexibility. The Commission may permit transfers to a country without an adequacy decision if the Controller can demonstrate one or more of the following:

  1. There are robust legal, security, and contractual measures in place to protect the data, ensuring that fundamental rights and the ability to exercise data subject rights are upheld.
  2. The data will be processed strictly in accordance with the Controller’s instructions.
  3. The data subject has provided explicit consent for the transfer.
  4. The transfer is necessary for the performance of a contract with the data subject or for implementing precontractual measures requested by the data subject.
  5. The transfer is essential for concluding or performing a contract that benefits the data subject.
  6. The transfer is required on public interest grounds, for the functioning of a public institution, or is necessary for the trial or defence of legal claims.
  7. The transfer protects the legitimate interests of the data subject.
  8. The transfer is made in accordance with the law, intended to provide information to the public, and is open for consultation by anyone who can demonstrate a legitimate interest.

This flexibility allows Controllers some leeway, provided they can clearly justify the transfer and put in place appropriate safeguards.


Challenges in Interpretation & Compliance

While the PDPA clearly outlines the parameters for transferring personal data to other jurisdictions, several practical challenges remain for Controllers:

  • Monitoring Compliance in a Third Country: How can a Controller effectively monitor who accesses the data once it’s transferred abroad? In cases of breach or non-compliance, enforcing contractual terms or pursuing legal claims in a third country can be highly problematic and costly, which exposes the Controller to potential breach of this requirement.

  • Particulars of the Data Subject (S.20.2.c): The regulation requires applicants to submit detailed particulars (e.g., name, address, ID number) for every data subject. This requirement assumes that personal data is always in a readable format and that the number of data subjects is manageable. For a telecom company handling data for over 10 million subscribers, it becomes virtually impossible to comply with such granular documentation. This not only questions the Commission’s capacity to review massive applications but also conflicts with the principle of data minimization.
  • Stating the Date and Time of Transfer (S.20.2.h): Whether data is transferred digitally or manually, the requirement to specify the exact date and time of transfer is challenging. Controllers cannot determine these details in advance without a permit. Moreover, the law seems to assume that data transfers occur as one-time or scheduled events, which contrasts with the continuous and complex nature of digital data flows today.
  • Consent Requirement for Cross Border Transfers: Although the PDPA recognizes several legal bases for processing personal data, it explicitly requires consent for cross border transfers. This creates ambiguity for Controllers who initially processed data under a legal basis such as legitimate interest. They now face the question of whether they must obtain additional consent solely for transferring data outside Tanzania.

These challenges underscore the complexity of applying a traditional risk-based and prescriptive approach to the dynamic and large-scale digital economy. Addressing these issues will require both practical solutions from Controllers and potential clarifications or revisions from the regulatory Commission.


Recommendations for Alternative Approaches and Regulatory Guidance

Controllers should explore alternative strategies that enable them to meet their business objectives without necessitating cross border data transfers. For instance, transferring aggregated or anonymized data can often achieve the desired outcomes without exposing individual data subject details. This approach not only mitigates risk but also aligns more closely with data minimization principles.

At the same time, the Commission should consider issuing detailed guidelines to clarify complex requirements and address scenarios that may currently be excluded from the framework. Such guidance would help practitioners better navigate the intricacies of cross border data transfers and ensure that all compliance obligations are met in a practical, effective manner.

Conclusion

While the PDPA sets strict conditions for cross border data transfers, it does provide flexibility for Controllers who can demonstrate robust safeguards, secure necessary consent, or establish a clear lawful basis for the transfer. By conducting thorough risk assessments and implementing strong legal and security measures, Controllers can ensure that even when data moves beyond national borders, the fundamental rights and interests of data subjects remain protected.



Noe Elisa (PhD)

Former PhD researcher at Northumbria University, Newcastle Upon Tyne in the UK

1 month

Useful tips
