
    South African Journal of Bioethics and Law

    On-line version ISSN 1999-7639

    SAJBL vol.17 n.2 Cape Town Aug. 2024

     

    EDITORIAL

     

    Data protection law: Lessons from Tanzania for South Africa?

     

     

    M Malekela (I); D Thaldar (II)

    (I) LLM; School of Law, University of KwaZulu-Natal, Durban, South Africa
    (II) PhD; School of Law, University of KwaZulu-Natal, Durban, South Africa

     

     

    Imagine navigating a maze with walls that shift unpredictably. This was the state of Tanzania's personal data protection laws until Tito Magoti's landmark legal victory clarified the path. Magoti, a dedicated human rights activist, challenged ambiguous provisions of the Personal Data Protection Act (PDPA) in the High Court of Tanzania, and on 8 May 2024 the court ruled in his favour.[1] This ruling not only resonated in Tanzania but also holds significant implications for South Africa's (SA) research community, particularly in the realm of data privacy.

    Tanzania and SA, as members of the Southern African Development Community (SADC), participate in regional initiatives aimed at coordinating data protection legislation. To foster cross-border research cooperation and data sharing within the area, the Magoti verdict may have an impact on debates about developing precise and uniform standards for data processing in research.

    The ambiguity in Tanzania's PDPA

    Magoti's case centred on the vagueness of certain sections of the PDPA. For instance, section 22(3) prohibited the collection of personal data by 'unlawful means' without defining what those means were. Similarly, section 23(3) allowed exceptions to data subject consent, such as when compliance is 'not reasonably practicable' or would 'prejudice the lawful purpose of the collection' but failed to specify what those terms meant. The court found these provisions too ambiguous, leaving them open to interpretation and potential misuse.

    As the ruling noted, the lack of clarity in the PDPA would raise concerns among, for instance, health researchers about potential legal risks and barriers to conducting vital studies involving sensitive personal health data. Health researchers may encounter difficulties getting the permissions they need, overcoming legal ambiguities and guaranteeing compliance with data privacy rules until such explanations are given, thereby impeding significant research.[1]

    The decision thus emphasises the necessity of PDPA modifications or additional rules to give clear instructions on the processing of personal data, including health data for research, by defining required permission requirements and safety measures. Health researchers may encounter difficulties getting the permissions they need, overcoming legal ambiguities and guaranteeing compliance with data privacy rules until such explanations are given, thereby impeding significant research endeavours.

    Implications for SA's research community

    Why should the SA research community pay attention? SA's Protection of Personal Information Act (POPIA) has similar provisions. Section 27(1)(d) of POPIA permits the processing of special personal information, including genomic data, if obtaining consent is 'impossible or would involve a disproportionate effort'. However, what constitutes a 'disproportionate effort'? This lack of clarity mirrors the issues in Tanzania's PDPA, raising concerns about potential constitutional challenges based on the rights to privacy and freedom of scientific research.

    Following the Tanzanian court's reasoning, it is plausible that a SA court could also demand more precise definitions within POPIA. This demand for clarity would ensure that exceptions to consent are not abused and that personal data are protected adequately, aligning with constitutional rights.

    The role of ASSAf and voluntary compliance

    The Academy of Science of South Africa (ASSAf) intended to develop a code of conduct for research in SA.[2] However, the document that was developed will now likely serve as a Voluntary Compliance Framework for Research, rather than a binding code of conduct.[3] ASSAf's document touches on section 27(1)(d) of POPIA and states that, given the inherent sensitivity of special personal information, it must be 'virtually impossible, as opposed to merely impractical or costly, to obtain POPIA Consent before this legal justification applies'. In other words, it interprets 'disproportionate effort' as 'virtually impossible'. This seems to set the benchmark higher than intended by the legislature, and it does not assist in creating clarity. What exactly is the meaning of 'virtually impossible'?

    Call for action

    To address this concern, the South African Information Regulator should consider issuing a guidance note that clarifies what 'disproportionate effort' means in the context of research. This note should include everyday examples and practical scenarios to help researchers understand the thresholds and ensure compliance with the law while still advancing scientific knowledge. Moreover, such a guidance note would significantly reduce the ambiguity surrounding section 27(1)(d) of POPIA and likely pre-empt potential constitutional challenges against it. By providing clear, actionable guidelines, the Information Regulator can support both legal clarity and the continued progress of valuable research initiatives.

     

    Conclusion

    Tito Magoti's victory is a reminder of the delicate balance between advancing scientific research and protecting individual privacy. In order to prevent potential abuse or illegal access, Magoti's case demonstrated the necessity of clear protections and permission requirements when processing personal information for research. To guarantee that scientific progress does not jeopardise people's basic right to privacy and the protection of their personal information, it is imperative to strike the correct balance. As SA navigates its own legal landscape with POPIA, the research community must advocate for clarity and precision in the law. Ensuring robust data protection mechanisms not only fosters public trust but also safeguards the integrity of scientific endeavours.

    In conclusion, the implications of Tito Magoti's case extend far beyond Tanzania's borders. While the Magoti ruling directly impacts Tanzania's legal framework, its emphasis on clarity, balance, regional harmonisation and accountability resonates with SA's data privacy landscape. For SA researchers, it serves as a call to critically examine and, if necessary, challenge vague legal provisions that could hinder ethical and lawful research practices. By doing so, SA can continue to be a leader in both scientific innovation and the protection of personal information.

    Acknowledgements. ChatGPT4 was used to improve language and readability.

    Author contributions. Both authors conceptualised and contributed to the writing of the editorial.

    Funding. Work on this article was supported by the US National Institute of Mental Health and the US National Institutes of Health (award number U01MH127690) under the Harnessing Data Science for Health Discovery and Innovation in Africa (DS-I Africa) programme. The content of this article is solely our responsibility and does not necessarily represent the official views of the US National Institute of Mental Health or the US National Institutes of Health.

    Conflicts of interest. None.

     

    References

    1. Tito Magoti v Hon. Attorney General (Misc. Civil Cause No. 18 of 2023). TZHC 1939 (8 May 2024). https://tanzlii.org/akn/tz/judgment/tzhc/2024/1939/eng@2024-05-08

    2. Academy of Science of SA. [Proposed] POPIA Code of Conduct for Research, 2023. https://www.assaf.org.za/wp-content/uploads/2023/12/Government-Gazzette-dated-12-May-.pdf

    3. Academy of Science of South Africa. Update on the draft Code of Conduct for Research and introduction of the ASSAf POPIA Compliance Framework, 2024. https://www.assaf.org.za/wp-content/uploads/2024/02/ASSAf-Communication-to-Stakeholders-regarding-the-Framework_February-2024.pdf