Tanzania Recording Laws: Privacy Rules and Penalties (2026)

Overview of Tanzania Recording Laws

Tanzania does not have a single, clear statute that tells you whether recording a conversation is legal. Instead, the rules are scattered across multiple laws passed over a 15-year period, none of which were written with personal recording devices in mind.

The primary legislation is the Electronic and Postal Communications Act (EPOCA) of 2010, which criminalizes interception of communications without lawful authority. The Cybercrimes Act of 2015 adds a second layer of criminal liability for intercepting electronic transmissions. The Personal Data Protection Act of 2022 introduced consent requirements for collecting and processing personal data, which would include audio recordings.

What makes Tanzania's framework genuinely difficult to navigate is the gap between what these laws say and what they fail to address. None of them explicitly discuss whether you can record your own phone calls. None define what happens when you press record during a face-to-face conversation. And no Tanzanian court has issued a ruling that clarifies any of these questions.

For anyone living in, traveling through, or conducting business in Tanzania, the safest interpretation is that recording another person without their knowledge carries real legal risk. The statutes are broad enough to support prosecution, and the absence of clear exceptions makes relying on unstated rights a gamble.

Constitutional Right to Privacy

Tanzania's privacy protections start at the highest level of law. Article 16 of the Constitution of the United Republic of Tanzania (1977) establishes the foundational right:

"Every person is entitled to respect and protection of his person, the privacy of his own person, his family and of his matrimonial life, and respect and protection of his residence and private communications."

Article 16(2) directs state authorities to establish legal procedures governing when and how privacy rights may be limited. This constitutional mandate is the basis for all subsequent legislation dealing with communications interception and surveillance.

The specific mention of "private communications" is significant. It signals that the framers of Tanzania's Constitution intended to protect not just physical privacy but also the content of conversations and correspondence. Any law permitting interception or recording must satisfy the constitutional requirement that limitations on privacy follow established legal procedures.

In practice, however, enforcement of this constitutional guarantee has been uneven. Privacy International has documented that Tanzania's institutional capacity to protect communications privacy has lagged behind the constitutional promise, particularly as digital surveillance tools have become more accessible to both government agencies and private actors.

EPOCA 2010: The Primary Interception Prohibition

The Electronic and Postal Communications Act (EPOCA) of 2010, revised in 2022, is Tanzania's principal law governing telecommunications. Section 120 contains the core prohibition on unauthorized interception.

What Section 120 Prohibits

Section 120 makes it an offense for any person to, without lawful authority under EPOCA or any other written law:

• Intercept, attempt to intercept, or procure any other person to intercept or attempt to intercept any communications
• Disclose or attempt to disclose to any other person the contents of any communications, knowingly or having reason to believe the information was obtained through unlawful interception
• Use or attempt to use the contents of any communications, knowingly or having reason to believe the information was obtained through unlawful interception

The prohibition covers three distinct acts: the interception itself, the disclosure of intercepted material, and the use of intercepted material. Each is a separate offense.

Penalties Under EPOCA Section 120

A person convicted under Section 120 faces a minimum fine of TZS 5,000,000 (approximately USD 1,900) or imprisonment for a minimum term of 12 months, or both. These are floor penalties. Courts have discretion to impose higher fines or longer sentences depending on the circumstances.

The penalty structure is notable because it sets minimums rather than maximums. This signals legislative intent to treat unauthorized interception as a serious offense rather than a minor regulatory violation.

Who Can Lawfully Intercept

Section 120 creates an exception for interception conducted with "lawful authority under this Act or any other written law." In practice, this means interception authorized under the Investigation Regulations, the Prevention of Terrorism Act, or by the Tanzania Intelligence and Security Service.

The Tanzania Communications Regulatory Authority (TCRA) oversees the telecommunications sector and works with law enforcement agencies to facilitate lawful interception. Only public officers or TCRA-appointed officers authorized by the Ministry of Science and Technology and the Ministry of Home Affairs may conduct authorized interceptions.

Cybercrimes Act 2015: Digital Interception

The Cybercrimes Act of 2015 adds a parallel set of criminal provisions targeting electronic communications. While EPOCA focuses on telecommunications broadly, the Cybercrimes Act specifically addresses computer systems and digital transmissions.

Section 6: Illegal Interception

Section 6 of the Cybercrimes Act makes it an offense to intentionally and unlawfully intercept, by technical or other means:

• Non-public transmissions to, from, or within a computer system
• Non-public electromagnetic emissions from a computer system
• Non-public connected computer systems

The section also criminalizes circumventing protection measures implemented to prevent access to non-public transmission content.

The Act defines "interception" broadly to include "acquiring, viewing, listening or recording any computer data communication through any other means of electronic or other means, during transmission." That definition explicitly includes recording as a form of interception.

Penalties Under the Cybercrimes Act

A person convicted of illegal interception under Section 6 faces a minimum fine of TZS 5,000,000 or imprisonment for a minimum term of one year, or both. For offenses involving critical information infrastructure, penalties escalate sharply to a minimum fine of TZS 100,000,000 (approximately USD 38,000) or three times the loss caused, with a minimum prison term of five years.

Section 8: Data Espionage

Section 8 addresses obtaining computer data that is protected against unauthorized access. This provision could apply to accessing recorded communications stored on devices or servers. The penalty is a minimum fine of TZS 20,000,000 or three times the value of the undue advantage gained, with a minimum prison term of five years.

Overlap with EPOCA

There is a recognized overlap between EPOCA and the Cybercrimes Act. A single act of recording a phone call transmitted over digital networks could theoretically violate both statutes. Legal commentators in Tanzania have noted that this creates uncertainty about which law prosecutors would invoke and which penalty structure would apply.

The 2017 Investigation Regulations: A Narrow Exception

The Electronic and Postal Communications (Investigation) Regulations of 2017, issued under EPOCA, provide the most detailed framework for lawful interception in Tanzania. They also contain a provision that is central to any discussion of personal recording.

Rule 5: The Participant Exception

Rule 5 of the Investigation Regulations permits interception under the following circumstances:

• The person is a party to the communication
• The person has the consent of the person sending the communication
• The person is the intended recipient of the communication
• The person is authorized by law
• The interception is bona fide, for purposes of providing, installing, maintaining, or repairing a communications service

The first three items on that list suggest that a participant in a conversation may record it without committing an offense under the Regulations. If you are a party to a phone call, Rule 5 appears to allow you to record that call.

Why This Exception Is Uncertain

Before relying on Rule 5 as blanket permission to record, consider several problems.

First, regulations are subordinate to the parent Act. If EPOCA Section 120 is interpreted to prohibit all non-authorized interception, a regulation cannot create exceptions that the Act does not contemplate. No Tanzanian court has ruled on whether Rule 5's participant exception survives scrutiny under Section 120.

Second, Rule 5 exists within the Investigation Regulations, a framework designed primarily for law enforcement interception. The participant exception may have been intended to cover cooperating witnesses working with police, not private citizens recording personal conversations.

Third, Rule 4 of the same Regulations restates the constitutional privacy protection from Article 16, suggesting the drafters intended privacy to remain the default position.

Fourth, Rule 6(1) separately states that "no person shall intercept, attempt to intercept, authorise or instruct any other person to intercept or attempt to intercept any communication at any place in the United Republic except as warranted under the Regulations." This language suggests that even participant recording may require a warrant.

Law Enforcement Interception

For government agencies, the pathway is clearer. The Director-General of the Tanzania Intelligence and Security Service or the Director of Criminal Investigations may intercept communications after obtaining a warrant from the Inspector General of Police. Telecommunications providers are required under Section 22 of the Regulations to maintain technical capabilities for "lawful interceptions at all times" and provide "real-time and full-time monitoring facilities."

The warrant serves as a disclosure order against any person with access to encrypted or protected information.

Personal Data Protection Act 2022

Tanzania's Personal Data Protection Act (PDPA), enacted in 2022 with accompanying regulations effective July 4, 2023, adds another layer to the recording analysis.

How the PDPA Applies to Recording

The PDPA defines personal data broadly to include any information relating to an identified or identifiable individual. A recording of someone's voice, statements, or image falls within this definition. Processing personal data, which includes collection, storage, and use, requires a lawful basis.

The Act establishes six principles for data processing:

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Security

Recording a conversation without the other party's knowledge would likely violate the transparency principle. Using that recording for a purpose other than what was disclosed would violate purpose limitation.

Consent Under the PDPA

For sensitive personal data, which includes information revealing political opinions, religious beliefs, health status, or sexual life, the PDPA requires explicit written consent that can be withdrawn at any time. If a recorded conversation touches on any of these topics, the consent threshold is higher than for ordinary personal data.

Clyde & Co has noted that the PDPA requires data controllers to provide a "simplified means to withdraw their consent," suggesting that consent must be ongoing and revocable, not a one-time permission.

PDPA Penalties

The Personal Data Protection Commission enforces the Act through both administrative and criminal channels:

• Administrative fines up to TZS 100,000,000 (approximately USD 38,000)
• Criminal penalties for unauthorized disclosure: individuals face fines up to TZS 20,000,000 or imprisonment up to 10 years
• Corporate penalties: fines up to TZS 5,000,000,000 (approximately USD 1.9 million)
• Compensation awards with no statutory ceiling

These penalties apply alongside, not instead of, the penalties under EPOCA and the Cybercrimes Act. A single unauthorized recording could theoretically trigger liability under all three statutes.

Phone Recording in Tanzania

Tanzania's laws do not draw a clear line between recording phone calls and other forms of interception. Here is how the legal framework applies to telephone recording specifically.

Recording Your Own Calls

The Investigation Regulations Rule 5 suggests that a party to a communication may intercept it. If this provision applies to personal phone recording, then recording a call you are participating in might be lawful under the Regulations.

But the PDPA's transparency requirement creates a separate obligation. Even if the interception itself is permitted under Rule 5, failing to inform the other party that you are recording may violate data protection law. The safest course is to inform the other party before pressing record.

Recording Someone Else's Calls

Recording a phone conversation to which you are not a party is unambiguously illegal under both EPOCA Section 120 and Cybercrimes Act Section 6. There is no exception for family members, employers, or anyone else who is not a participant in the call.

Call Recording by Businesses

Businesses that record customer calls face obligations under the PDPA in addition to the interception statutes. At minimum, businesses must notify callers that the call is being recorded, state the purpose of the recording, provide a mechanism for callers to opt out, secure the recorded data, retain recordings only as long as necessary, and register as a data controller with the Personal Data Protection Commission.

The PDPA requires registration of all data controllers and processors with the Commission. Operating a call recording system without registration is itself an offense.

In-Person Recording

The legal framework for recording face-to-face conversations in Tanzania is even less defined than for phone calls.

Private Conversations

Article 16 of the Constitution protects "private communications" without limiting that phrase to electronic or telephone communications. A private, in-person conversation qualifies. Recording such a conversation without consent could violate constitutional privacy rights.

The PDPA's requirements for lawful processing, transparency, and consent apply regardless of the medium. Recording someone's voice during a private meeting and storing that recording constitutes processing of personal data.

The Practical Gap

Neither EPOCA nor the Cybercrimes Act was written with in-person recording in mind. EPOCA addresses telecommunications interception. The Cybercrimes Act addresses computer systems and digital transmissions. A person recording a face-to-face conversation on a smartphone occupies a legal gray area where the interception statutes may not technically apply, but the constitutional right to privacy and the PDPA almost certainly do.

This gap is not unusual for East African legal systems, but it creates real uncertainty. Until a court addresses the question or Parliament passes targeted legislation, the legal status of in-person recording in Tanzania remains unresolved.

Recording in Public Places

Tanzania has not enacted specific legislation governing recording in public spaces. The analysis turns on general privacy principles.

In genuinely public settings such as markets, streets, and transportation hubs, the expectation of privacy is reduced. CCTV systems operate in many public areas in Tanzania, and the TCRA has not treated their operation as inherently unlawful.

However, the PDPA treats images and recordings captured in public as personal data if they identify or could identify specific individuals. Organizations operating CCTV in public-facing locations must comply with the PDPA's registration and processing requirements.

Private conversations that happen to take place in public, such as a discussion at a restaurant or in a hotel lobby, may still carry a reasonable expectation of privacy. Recording such conversations without consent could trigger both constitutional and PDPA liability.

Workplace Recording and Surveillance

Tanzanian employers who monitor employees through recording or surveillance must navigate both employment law and data protection law.

Employer Obligations

Under the Employment and Labour Relations Act (ELRA), employers have confidentiality obligations regarding information obtained during the employment relationship. Section 102 of ELRA addresses unauthorized disclosure of financial and business information.

The PDPA classifies employers as data controllers when they collect, store, and process employee personal data. Clyde & Co has analyzed that employers using CCTV, biometric systems, or electronic monitoring tools must comply with the full range of PDPA obligations, including the requirement that personal data be "collected and processed lawfully, fairly and transparently."

What Employers Must Do

Employers who record or monitor employees should inform employees in writing about any monitoring or recording practices, state the specific purpose for each monitoring tool, limit monitoring to what is necessary for the stated purpose, secure all recorded data against unauthorized access, retain recordings only as long as needed, and register as a data controller with the Personal Data Protection Commission.

Penalties for Employer Violations

Non-compliance carries significant risk. PDPA penalties range from TZS 1,000,000 to TZS 5,000,000,000, and individual officers may face personal liability. ELRA violations carry fines up to TZS 1,000,000 for unauthorized disclosure of employment-related information.

Penalties Summary

Tanzania's penalty structure for unauthorized recording and interception reflects the seriousness with which the legal system treats communications privacy.

Offense	Statute	Minimum Fine	Minimum Prison Term
Unauthorized interception	EPOCA s.120	TZS 5,000,000	12 months
Illegal interception (digital)	Cybercrimes Act s.6	TZS 5,000,000	1 year
Data espionage	Cybercrimes Act s.8	TZS 20,000,000	5 years
Critical infrastructure interception	Cybercrimes Act	TZS 100,000,000	5 years
Unauthorized data disclosure (individual)	PDPA	Up to TZS 20,000,000	Up to 10 years
Unauthorized data disclosure (corporate)	PDPA	Up to TZS 5,000,000,000	N/A
Administrative data violation	PDPA	Up to TZS 100,000,000	N/A

These penalties can stack. A single act of unauthorized recording that involves intercepting a phone call, storing the recording, and sharing it with a third party could trigger prosecution under EPOCA, the Cybercrimes Act, and the PDPA simultaneously.

Business Compliance Checklist

Organizations operating in Tanzania that record communications or conduct surveillance should take the following steps:

• Register with the Personal Data Protection Commission as a data controller before beginning any recording activity
• Appoint a Data Protection Officer as required by the PDPA
• Obtain informed consent before recording any call or conversation, with clear disclosure of the purpose
• Provide a mechanism for individuals to withdraw consent at any time
• Implement technical security measures to protect recorded data
• Limit data retention to the minimum period necessary for the stated purpose
• Post visible notices in any area where CCTV or audio recording equipment operates
• Conduct regular compliance audits against PDPA requirements
• Train staff on Tanzania's interception and data protection laws
• Maintain records of all data processing activities for regulatory inspection

Telecommunications companies face additional obligations. Under the Investigation Regulations, providers must maintain technical capabilities for lawful interception and cooperate with warranted requests from law enforcement.

The Legal Gaps

Tanzania's recording law framework has several unresolved questions that create practical difficulties.

First, the relationship between Rule 5's participant exception and EPOCA Section 120's broad prohibition has not been tested in court. A person recording their own call may or may not have a valid defense.

Second, in-person recording falls outside the explicit scope of both EPOCA and the Cybercrimes Act. The PDPA and the Constitution provide some coverage, but without targeted legislation, enforcement is inconsistent.

Third, the overlap between EPOCA and the Cybercrimes Act creates prosecutorial discretion that can produce inconsistent outcomes. The same conduct can be charged under either statute, with different penalty structures.

Fourth, the Personal Data Protection Commission is still building institutional capacity. Researchers have noted that implementation remains constrained by "vague statutory provisions, overlapping institutional mandates, weak regulatory capacity, and limited public awareness."

Fifth, Tanzania lacks specific legislation addressing CCTV in public spaces, workplace audio monitoring, and the use of recordings as evidence in court. Each of these areas operates in a regulatory vacuum.

Recent Developments

Tanzania's legal landscape for recording and privacy has shifted notably in recent years.

The passage of the Personal Data Protection Act in 2022 was the most significant development. Before the PDPA, Tanzania was one of the few East African nations without a dedicated data protection law. The Personal Data Protection Commission was established to oversee implementation, and the Collection and Processing Regulations took effect in July 2023.

The SIM Card Registration Regulations of 2020 under EPOCA require biometric registration for all mobile subscribers, linking phone use directly to verified identities. This makes anonymous phone recording effectively impossible in Tanzania.

The investigation framework under the 2017 Regulations expanded law enforcement surveillance capabilities, requiring telecommunications providers to maintain real-time monitoring infrastructure. Global Voices has reported that these provisions raise concerns about proportionality and oversight.