Tanzania's Data Protection Regime
Tanzania, officially the United Republic of Tanzania, is a federal constitutional republic comprising Mainland Tanzania and Zanzibar. According to the 2022 National Housing and Population Census, the country had a population of 61,741,120, which has continued to grow. As of January 2025, Tanzania recorded over 48 million internet users, reflecting rapid digital uptake across sectors.
As noted in the 2024 analysis, Tanzania's digital expansion has been accompanied by increased data generation through telecommunications, financial services, online platforms, and government systems. While not all privacy concerns are internet-based, the digital ecosystem has become the principal medium for the collection, processing, and transfer of personal data both lawfully and unlawfully.
The 2024 assessment emphasized the transition from fragmented sectoral privacy protections to a unified statutory regime. That transition remains central in 2025. The enactment of the Personal Data Protection Act (PDPA) marked a structural shift in Tanzania's governance framework, positioning data protection as a cross-cutting regulatory priority rather than a sector-specific concern. However, the key issue moving into 2025 is no longer legislative absence but effective implementation, transparency, and regulatory maturity.
Positive Developments and Emerging Issues
A major development retained from the 2024 review is the operationalisation of the Personal Data Protection Act, 2022, which came into effect on 1 May 2023. The formal launch of the Personal Data Protection Commission (PDPC) on 3 April 2024 marked a critical institutional milestone. The 2024 analysis highlighted Tanzania's progress in establishing registration mechanisms for data controllers and processors, initiating awareness campaigns, and developing subsidiary regulations, including the Personal Data Protection (Personal Data Collection and Processing) Regulations and the Complaints Settlement Procedures. These foundational steps remain valid indicators of institutional commitment in 2025.
However, several emerging and continuing issues persist: limited public access to a comprehensive and searchable register of data controllers and processors, minimal publicly available enforcement statistics (complaints received, investigations conducted, penalties imposed), broad statutory exemptions relating to national security and law enforcement raising proportionality concerns, and expanding surveillance-related data systems, including subscriber databases and equipment registers, which heighten privacy risks.
The rapid growth of digital finance, mobile services, and data-driven public administration in 2025 further intensifies the need for proactive oversight, particularly in high-risk sectors such as telecommunications, banking, and health services.
Legal and Institutional Framework
The constitutional foundation for privacy in Tanzania is found in Article 16 of the Constitution of the United Republic of Tanzania, which guarantees the right to privacy, family life, residence, and private communications. However, Article 16(2) permits statutory limitations where prescribed by law, establishing a qualified, not absolute, right. Prior to the PDPA, privacy protections were dispersed across sectoral statutes, including the Electronic and Postal Communications Act, 2010 (EPOCA), the Cybercrimes Act, the Banking and Financial Institutions Act, and related regulations. The PDPA consolidated these fragmented provisions into a comprehensive regime governing personal data processing across public and private entities. The PDPA incorporates core data protection principles aligned with global standards (including GDPR-inspired principles), such as lawfulness, fairness, and transparency; purpose limitation; data minimisation and accuracy; security safeguards; and accountability.
The Act applies to data controllers and processors established in Tanzania, as well as extraterritorial entities processing personal data within Tanzania. Its application extends to Zanzibar only in respect of Union matters, consistent with the constitutional structure. The PDPA provides for mandatory registration of controllers and processors, consent-based processing requirements, enhanced safeguards for sensitive personal data (e.g., biometric, financial, genetic, political, religious, health-related data), rights of data subjects (access, rectification, erasure, objection to direct marketing, restriction, compensation), and regulation of cross-border data transfers based on adequacy or safeguards.
Tanzania is a State Party to the International Covenant on Civil and Political Rights (ICCPR), which protects the right to privacy under Article 17. The Human Rights Committee's General Comment No. 16 further affirms that personal data collection and storage must be regulated by law and subject to safeguards, reinforcing Tanzania's domestic obligations.
The primary data protection regulator is the Personal Data Protection Commission, established under Section 6 of the PDPA. The Commission is mandated to monitor compliance, register controllers and processors, investigate complaints, conduct public awareness, advise government, and promote international cooperation. The Commission is headed by a Director General appointed by the President, while the Minister of ICT appoints members of its Board and hears appeals relating to registration decisions.
Other relevant institutions include the Tanzania Communications Regulatory Authority (TCRA), which regulates telecommunications and maintains the Central Equipment Identification Register (CEIR); the TCRA Content Committee, which addresses consumer complaints under Online Content Regulations; the Tanzania Police Force Cybercrimes Unit, enforcing the Cybercrimes Act; and the Ministry of ICT, responsible for sectoral policy oversight.
Compared to 2024, the institutional architecture remains intact. The PDPC is now formally operational, but its regulatory footprint remains in an early stage of consolidation.
Enforcement Dynamics and Challenges
The central continuity between 2024 and 2025 is the limited visibility of enforcement outcomes. As in the previous assessment, efforts were undertaken to engage with Tanzania's data protection regulator, the Personal Data Protection Commission, to obtain direct insights into key regulatory areas including registration of data controllers and processors, enforcement actions, institutional capacity, public engagement, and compliance monitoring. However, direct outreach to secure specific data and detailed updates on enforcement trends and supervisory activities was unsuccessful. The absence of substantive responses from the Commission limited the ability to comprehensively evaluate enforcement effectiveness, regulatory priorities, and the overall progress of implementation under Tanzania's data protection framework.
Although Tanzania has established a comprehensive statutory framework and an operational regulator, enforcement transparency remains constrained. Key retained challenges include:
- Transparency Deficits – There is limited publicly accessible data on registration statistics, complaint volumes, investigations, or sanctions.
- Regulatory Capacity – Limited publicly available information on staffing levels, technological resources, and budget allocations makes it difficult to assess enforcement readiness.
- Broad Exemptions – National security and law enforcement carve-outs may undermine proportionality if not narrowly interpreted.
- Surveillance Concerns – Provisions requiring subscriber data retention and centralised equipment identification databases raise risks of overreach.
- Limited Proactive Oversight – There is little public evidence of systematic audits or risk-based compliance reviews in high-risk sectors.
While Tanzania's legal foundation remains robust and largely unchanged from 2024, the 2025 status quo suggests that implementation maturity is still evolving. The transition from legislative establishment to consistent enforcement reporting, audit activity, and public accountability will determine whether the PDPA achieves its intended protective impact.
To consolidate gains, priority actions for 2026 include publishing periodic enforcement and compliance reports, establishing a fully accessible public registry of data controllers and processors, clarifying operational guidelines and sector-specific codes of conduct, strengthening institutional capacity and inter-agency coordination, and enhancing stakeholder engagement and international cooperation.
Sustained improvements in transparency and enforcement practice will be critical to building public trust and positioning Tanzania as a credible data governance leader within the region.
