Act No. 2004-63, Tunisian Privacy Protection
Tunisia’s Organic Act No. 2004-63 of 27 July 2004 on the Protection of Personal Data, also known as Act No. 2004-63 for short, is a data protection law that was passed in Tunisia in 2004. As one of the many countries in the world that has a somewhat outdated level of data protection, the Tunisian government has been trying to update its privacy legislation for the last ten years. Despite this fact, Act No. 2004-63 does provide privacy protection for data subjects within the country, albeit with a limited scope and application when compared to many landmark legislative policies such as the EU’s GDPR Law or Australia’s Consumer Data Right or CDR. Subsequently, Act No. 2004-63 sets forth the legal framework for personal data protection and privacy within Tunisia.
What is the scope and application of Act No. 2004-63?
As it pertains to the personal scope of the law, Act No. 2004-63 states that “every person has the right to the protection of personal data related to their privacy”, in accordance with the Constitution of Tunisia. Alternatively, Act No. 2004-63 contains no territorial scope, as the law only applies to data processing activities that occur within Tunisia. In terms of the material scope of the law, “The processing of personal data covers all automated as well as non-automated processing of personal data carried out by a natural or legal person”. What’s more, the law defines personal data to mean any operation in relation to the use of such data, indexes, directories, data files, or their interconnection.
What are the obligations of data controllers and processors under Act No. 2004-63?
As is the case with many other privacy policies, Act. No. also established various principles as it relates to the safeguarding of personal information. These principles include the following:
- The processing of personal data must be done in a manner that upholds the dignity, privacy, and public liberties of data subjects.
- The processing of personal data must not harm the human rights protected by the laws and rules in force, irrespective of the origins or methods of said personal data.
- Data controllers and processors are prohibited from using personal data with the aim of infringing on the rights of data subjects, or damaging the reputation of data subjects.
- Data controllers and processors must ensure that the collection, process, and use of personal data is carried out for lawful and specified purposes.
- Data controllers and processors must ensure that personal data in their possession is accurate, precise, and up to date at all times.
Moreover, as it relates to the collection and processing of special categories of personal data, Act No. 2004-63 states that “the processing of personal data that reveals, directly or indirectly, the racial and genetic origins, religious beliefs, political, philosophical and trade union belonging or health is prohibited”. Data controllers and processors are also responsible for providing data breach notifications to all affected data subjects in the event of a data breach, retaining data for no period longer than is needed to fulfill the purpose for which it was collected, and data subjects with data processing notifications.
What are the rights of data subjects under the law?
Act No. 2004-63 does not guarantee data subjects within Tunisia the same level of data privacy rights as many other privacy policies that have been passed in recent years. To illustrate this point further, Tunisian citizens are not afforded the right to object or opt-out of the collection or processing of their information, nor are they given the right to data portability. Furthermore, the law does not provide data subjects the right not to be subject to data processing activities that are conducted solely on the basis of automated decision-making. On top of all this, while data subjects are given the rights to access, rectification, erasure, and to be informed, the latter is considered to be the same as consent, as the law offers no specific right to consent.
In relation to the punishments that can be levied against data controllers and processors who are found to be in non-compliance with the law, Act No. 2004-63 is enforced by the National Authority of Data Protection, or the INPDP for short. As such, the INPDP has the authority to punish violators of the law through the means of both monetary fines and sanctions, as well as criminal liability. For example, “processing data without fulfilling the prior notification requirements is punishable by imprisonment for one year and a fine of TND 5,000 ( $1,739)”. Additionally, The Law states that a penalty of two years imprisonment and a fine of TND 10,000 ($3,000) are applicable for the violation of provisions on processing sensitive data”.
While advancements that have been made to privacy legislation in both the private and public sectors have made many of the provisions of Act No. 2003-63 somewhat outdated, the law nevertheless stands to provide data subjects within Tunisia with some modicum of data protection and in turn, personal privacy. To this end, Act No. 2003-63 can serve as the foundation for future privacy policies that could be potentially passed and implemented within the country. In this way, the country can ensure that they are doing everything possible to put data protection and privacy at the forefront in the midst of the current internet-based age.