Pursuant to Regulations 4 and 5 of the Electronic and Postal Communications (Investigation) Regulations, any individual's communications may be intercepted by the Director General of the Tanzania Intelligence and Security Service or the Director of Criminal Investigations for purposes including, but not limited to, the preservation or protection of national security, and the safeguarding of public safety, economic well-being, or the interests of the country. In accordance with Regulations 8 and 12, where the Director of Criminal Investigations intends to intercept communications, they are required to apply for a warrant from the Inspector General of Police, but not from a judge.

The Cybercrimes Act (2015) establishes a safe harbour regime for intermediaries for copyright infringements. Pursuant to Sections 39-44 of the Act, service providers are exempt from liability for information stored, transmitted, hyperlinked on their networks, or accessed through their search engines, provided they comply with certain conditions. These conditions require that the service provider neither initiates the transmission nor selects or modifies the information. Furthermore, if a service provider becomes aware of illegal content on their platform through means other than an order from a public authority, they are obligated to promptly notify the relevant authority. Additionally, upon becoming aware of such illicit content or receiving a takedown notice, the provider must take immediate action to remove or restrict access to the information. These provisions aim to protect intermediaries while encouraging the responsible management of illegal content on their platforms.

The Cybercrimes Act (2015) establishes a safe harbour regime for intermediaries beyond copyright infringements. Pursuant to Sections 39-44 of the Act, service providers are exempt from liability for information stored, transmitted, hyperlinked on their networks, or accessed through their search engines, provided they comply with certain conditions. These conditions require that the service provider neither initiates the transmission nor selects or modifies the information. Furthermore, if a service provider becomes aware of illegal content on their platform through means other than an order from a public authority, they are obligated to promptly notify the relevant authority. Additionally, upon becoming aware of such illicit content or receiving a takedown notice, the provider must take immediate action to remove or restrict access to the information. These provisions aim to protect intermediaries while encouraging the responsible management of illegal content on their platforms.

Pursuant to Sections 93 and 94 of the Electronic and Postal Communications Act, individuals wishing to acquire and use a mobile telephone with either a detachable or embedded SIM card must provide identity verification documentation before purchase.

According to Section 13 of the Online Content Regulations (2020), amending the Electronic and Postal (Online Content) Regulations 2018, internet cafe operators are required to keep a proper service user register and ensure every person using internet service is registered upon showing a recognised identity card; and install surveillance cameras to record and archive activities inside the cafe.

According to the Electronic and Postal (Online Content) Regulations 2018 (last amended in 2020), the application service licensee holders are required to terminate or suspend the subscriber account within two hours after being reported for sharing prohibited content (Section 11.3). While the previous regulation required online platforms to take down alleged illegal content within 12 hours, the current regulation forces license holders — such as the hosts of discussion forums — to remove prohibited content immediately. When a subscriber to a forum uploads alleged illegal content, the license holder must notify the subscriber within two hours. If the subscriber fails to take down content within two hours of getting the notice, the license holder must revoke the subscriber’s access to the platform.

It has been reported that, as of March 2023, Tanzania began restricting access to Grindr, the world's largest social networking application for gay, bisexual, transgender, and queer individuals. Furthermore, there have been widespread accounts of the prohibition of Clubhouse, a widely used social media platform for live audio discussions, since February 2023.

The Electronic and Postal Communications (Online Content) Regulations require providers of online content services to have a license and pay fees periodically. According to Section 9.d, providers are required to use moderating tools to filter prohibited content. Bloggers have condemned the regulations to temper the freedom of expression. For instance, according to the BBC, Jamii Forum (the famous forum for online discussions in the country) was shut down for 21 days in 2018, forced to comply with harsh new online content regulations.

Guideline 10 (g) of the Outsourcing Guidelines for Banks and Financial Institutions stipulates that banks and financial institutions are prohibited from outsourcing their primary data centres to locations outside the country. In addition, Art. 42 of the Payment Systems Licensing and Approval Regulations requires a payment system provider to place its primary data centre in relation to payment system services in Tanzania.

Sections 31 and 32 of the Personal Data Protection Act permit the transfer of personal data outside Tanzania only on the following circumstances: a) to a country with an adequate personal data protection legal system (i.e. essentially equivalent levels of protection to that within Tanzania) provided the recipient has proven (i) such transfer is necessary for important reasons of public interest or any other legitimate purpose or (ii) the importance of the transfer and there is no reason to assume that the transfer or processing in the recipient country may prejudice the subject's legitimate interests. The data collector or processor must carry out a prior data protection impact assessment on the need to transfer personal data and ensure the recipient of the data only processes the relevant information in the data and for the purpose for which the data was transferred; b) to any other country with appropriate safeguards on the security and protection of personal data provided the data is transferred to be processed for a purpose approved by the data subject, unless the data subject has consented to such transfer, or the transfer is necessary:
- For the performance of a contract between the data subject and the data collector or the implementation of pre-contractual measures taken at the request of the data subject.
- For the conclusion or performance of a contract concluded or to be concluded in the interest of the data subject between the collector and another person.
- For any public interest or the establishment, exercise or defence of a legal claim.
- To protect the vital interests of the data subject.
- In accordance with a law aimed at giving information to the public, which affords an opportunity for public consultation in general or anyone with a legitimate interest to submit their comments in accordance with a procedure laid down by law.

Tanzania has not joined any free trade agreement committing to open transfers of cross-border data flows.

The Personal Data Protection Act provides a comprehensive regime of data protection in Tanzania. It contains detailed provisions imposing obligations on data controllers and data processors, including requirements associated with data security and international data transfers, and establishes the Personal Data Protection Commission.

Section 13 of the Online Content Regulations (2020) requires internet cafe operators to:
- keep a proper service user register and ensure every person using internet service is registered upon showing a recognised identity card;
- install surveillance cameras to record and archive activities inside the cafe.
The images recorded by a surveillance camera and the register of users recorded shall be kept for a period of 12 months.

According to the Electronic and Postal Act of 2010, the licensee of a telecommunications licence is required to store subscriber communication data for one month, after which the data must be submitted to the Tanzania Communications Regulatory Authority. Section 91 specifies that: "(1) There shall be a database kept within the Authority in which all Subscriber Information shall be stored. (2) The Authority shall be responsible for monitoring and supervising the information stored under sub-section (1). (3) Every application services licensee shall be required to submit to the Authority, once a month, a list containing its subscribers' information. (4) The Authority shall issue guidelines on the details of subscriber information to be submitted."

Section 22 of the Electronic and Postal Communications (Licensing) Regulations stipulates that foreign investment in the telecommunications sector is restricted to a maximum of 75%