Challenging the Constitutionality of the Personal Data Protection Act: Tito Magoti v Attorney General

The Personal Data Protection Act (CAP 44 of 2023) (hereinafter “PDPA”) represents a significant legislative effort by Tanzania to establish robust principles for the protection of personal data. Further the Act is an important stride in fulfilling the requirements of Article 16 of the Constitution of the United Republic of Tanzania (CURT).¹ Inter alia, the Act sets minimum requirements for the collection and processing of personal data and establishes the Personal Data Protection Commission (PDPC).²

In a landmark case, Tito Magoti, the petitioner, petitioned the court to examine the constitutionality of the PDPA for the first time.³ Indeed, the petitioner appeared to have various qualms against the Act – twelve to be precise- arguing that they were unconstitutional. He claimed that the impugned provisions were, in some respects, broad, ambiguous, and egregious in how they disaffected various rights, including the right to privacy, as enshrined in the CURT.

In response, the Hon. Attorney General, the respondent, addressed the petitioner’s claims and, on her part, requested that the court dismiss the petition for, among other reasons, want of basis. It was her considered view that the PDPA was enacted to respect the right to privacy. In any case, by virtue of Article 16 of the CURT, rights can be limited where they meet the test – that is, the limitation is prescribed by law, necessary and proportionate to the purpose sought to be achieved.

The Court found two issues requiring keen disposition:

1. Whether the provisions of sections 8 (1)(2)(3), 11(1), 14(5), 19, 20, 22 (3), 23(3)(c) (d)(e), 25(2)(e)(f), 26, 30, 31(2), 33(2) and 34 of the PDPA are unconstitutional for being contrary to the provisions of Article 12(1)(2), 13(1)(2)(6)(a), 16(1), 21(2) and 29(1) of the CURT.

2. Whether any remedies are available for the parties

This blog will delve into the intricacies of the case, exploring the arguments presented by both sides and the potential implications for data protection and constitutional rights in Tanzania.

PDPA Sections Challenged by the Petitioner

The petitioner challenged sections 8 (1) (2)(3), 11(1), 14(5), 19, 20, 22 (3), 23(3)(c) (d)(e), 25(2)(e)(f), 26, 30, 33(2) and 34 the PDPA claiming they were unconstitutional. Regarding section 8 (1), (2), (3), the petitioner argued that the provision allowing the President to appoint the Chairman and Vice Chairman of the PDPC without prescribing any qualifications or procedures violated various constitutional provisions, including Articles 12, 13, 16, and 21. The petitioner claimed this could lead to arbitrary appointments. In response, the court found these concerns speculative, noting that the lack of explicit procedures does not inherently render the provisions unconstitutional.

For section 11 (1), the petitioner contended that the President’s power to appoint the Director General of the PDPC without interviews, transparency, competition, or security of tenure violated the rights to equality, non-discrimination, and privacy. The court, however, accepted the respondent’s argument that security of tenure is provided in section 12, deeming the petitioner’s claims speculative and premature. Thus, section 11 was upheld as constitutional.

Turning to section 14 (5), the petitioner challenged it for being overly broad and ambiguous, potentially violating the right to be heard and to a fair trial. The court dismissed this argument, pointing out that time limits are provided in the corresponding regulations, maintaining the constitutionality of section 14 (5). With respect to section 19, the petitioner argued that it was vague and unclear, infringing upon the rights to a fair hearing, a fair trial, and privacy due to the lack of specific mens rea and a clear definition of the offence. The court sided with the respondent, who clarified that section 19 requires proof of both the guilty act and mind, thus not creating strict liability offences. Consequently, section 19 was upheld as constitutional.

Regarding section 20, the petitioner claimed it was unconstitutional as it allowed appeals from the PDPC to the Minister, who is perceived to have influence over the PDPC, without clear procedures or timeframes for appeals. This was argued to violate the right to a fair trial and the right to be heard. The court disagreed, noting that the Minister is not involved in the PDPC’s operations and that decisions are subject to judicial review, ensuring fairness. Section 20 was deemed constitutional.

Conversely, the court declared section 22 (3) unconstitutional due to its ambiguous definition of “unlawful means,” which could violate privacy rights. Concerning sections 23 (3) (c), (d), and (e), the petitioner argued that these exceptions to obtaining consent for data collection were unclear and violated privacy rights. The court found sections 23 (3) (c) and (e) unconstitutional due to their lack of clarity but upheld section 23 (3) (d) as it conformed to international standards.

Moreover, the petitioner claimed that sections 25 (2) (e) and (f), allowing personal data to be used beyond its original intent, and section 26, permitting data disclosure without prescribed procedures, violated privacy rights. The court found these provisions constitutional when considered in context. The petitioner also argued that section 30 (5), which restricts processing sensitive personal data except under specific exceptions, was unconstitutionally vague. The court disagreed, stating the exceptions were clear and necessary for public health, safety, and legal interests, thus upholding section 30 (5).

Finally, the petitioner argued that sections 33 (2) (a) and (b) were overly broad and vague, violating privacy rights. The court upheld these sections, finding them clear and necessary for balancing privacy with crime prevention and public interest. The petitioner also claimed that section 34 (2) was unconstitutional due to its broad terms. However, the court ruled it constitutional, noting that the exceptions were clearly defined and appropriately balanced individual privacy with public interest.

Assessment of the court’s ratio decidendi

The upshot of the decision was that, save for sections 22 (3) and 23 (c) and (e), the petitioner’s claims had no merit. Keen perusal of the ratio decidendi reveals some problematic conclusions. The most glaring indictment may result from an apparently contradictory stance. The court accused the petitioner of making speculative claims. To wit, it pronounced that: “It is our overall observation that the petition was prompted with fear or speculation without any actual proof of how most of the impugned provisions violate the provisions”.⁴ While it is well within its prerogative to do so, the problem arises in the fact that it itself engaged in speculation or adopted a stance of hypothetical concern in some instances when it decided to deem certain provisions unconstitutional.

Throughout its deliberations, the Court consistently rejected the petitioner’s concerns as speculative, particularly when addressing issues related to potential abuse of executive discretion and the broad, ambiguous nature of certain provisions. For instance, in the case of section 8, the petitioner contended that granting the President the authority to appoint key officials without clear qualifications might lead to arbitrary appointments. However, the Court dismissed this argument as speculative, asserting that mere potential for abuse is insufficient grounds for declaring a law unconstitutional.

The Court also dismissed the petitioner’s concerns about section 11 and Section 25, deeming them speculative.⁵ It is evident from the array of examples that the Court underscored a fundamental principle: for a provision within properly enacted legislation to be deemed unconstitutional, mere speculative concerns are insufficient. This principle finds its roots in established legal precedent, as exemplified by cases such as Nathaniel Alphonce Mapunda and Benjamin Alphonce Mapunda v. R.⁶ Furthermore, the court’s own acknowledgment reinforces this stance, asserting that a provision cannot be constitutionally impugned unless it is demonstrated to contravene the Constitution in actuality. This legal doctrine is buttressed by the ruling in Christopher Mtikila vs Attorney General, wherein the Court emphasized that mere inference alone does not suffice to invalidate a law for constitutional irregularities.⁷

In adjudicating upon sections 22(3) and 23(3)(c) and (e) in the present case, the Court arrived at its determinations as follows: In relation to section 22(3), the Court deemed the provision, which prohibits the collection of personal data by “unlawful means,” excessively vague and potentially conducive to legal uncertainty and abuse. Concerning section 23(3)(c) and (e), the Court found these provisions to be unduly ambiguous regarding the delineation of “reasonably practicable” compliance or “lawful purposes,” thereby potentially engendering confusion and abuse.

A mere recitation of the Court’s findings may reveal a discernible disjunction which leads one to question: if a provision is unconstitutional because it is “open for abuse”, then why is it that the Court could not declare another provision unconstitutional “based on the possibility of being abused”? What is the difference between “open for abuse” and “possibility of being abused”. There is no clear difference.

It therefore begs the question about what the difference between the petitioner’s case and the court’s finding is – after all, they both appear to speculate a potential eventuality. The ramifications of this equivalence are profound. It suggests that the court either fully validates or entirely dismisses the merits of the petitioner’s case. Ironically, by dismissing the petitioner’s speculative concerns while simultaneously relying on speculative reasoning to strike down certain sections, the court undermines its own credibility, creates legal uncertainty, and fails to adequately protect constitutional rights.

In addition to the aforementioned concerns, the decision also suffers from a lack of depth in its examination of the issues raised. The court’s approach appears overly superficial, often leaning towards straightforward refutations offered by the respondent without delving into the nuanced implications of the provisions in question. This lack of rigorous analysis is evident in the repeated dismissal of the petitioner’s arguments as speculative, without a thorough exploration of the potential real-world impacts and constitutional violations that could arise from the broad and ambiguous terms of the PDPA.

For instance, the Court’s treatment of section 8, regarding the President’s appointment powers, and section 11, concerning the appointment of the Director General, largely sidesteps the broader context of executive overreach. By not engaging enough with these factors and the historical context, the court’s decision comes off as cursory, failing to provide a precedent that thoroughly addresses the complexities of data protection and constitutional rights. This superficial handling diminishes the decision’s credibility and undermines the judiciary’s role in safeguarding constitutional principles against potential legislative overreach.

Conclusion

In conclusion, the court’s decision in Tito Magoti vs. Attorney General has largely validated the PDPA. Despite the petitioner’s extensive concerns, the Court dismissed most of the claims as speculative and unsupported by concrete evidence, underscoring the need for actual proof of constitutional violations. However, the Court found sections 22(3) and 23(3)(c) and (e) unconstitutional due to their vague and ambiguous language, which could potentially lead to legal uncertainty and abuse. This stance, however, highlights a contradiction in the Court’s reasoning, as it simultaneously dismissed the petitioner’s concerns about other sections based on speculative abuse.

The judgment is a landmark in its own right. It is the first to challenge the constitutionality of provisions within the PDPA. Indeed, this is a step in the ongoing evolution of data protection laws in Tanzania.

Image is by microsoft ai image generator