Introduction
Data protection regulation has become a cornerstone of modern governance, digital trade, and human rights protection. Ghana’s Data Protection Bill, 2025 (“the Bill”) represents a significant legislative evolution from the Data Protection Act, 2012 (Act 843) (“the Act”), responding to emerging technologies, cross-border data flows, and heightened global privacy standards. This article analyses, compares and gives recommendations on the new Data Protection Bill, 2025, having regard to the current Data Protection Act 2012 (Act 843) and the EU’s General Data Protection Regulation (GDPR).
Institutional Framework and Independence of the Data Protection Authority (DPA)
The Bill establishes the Data Protection Authority (DPA) under section 3 as an independent corporate body with perpetual succession and a common seal. The Authority has full legal capacity to sue and be sued, acquire and dispose of property, and undertake actions necessary for the performance of its functions, a status that is not highlighted in the current Data Protection Act, 2012 (Act 843).
Theoretically, Section 5 of the Bill strongly affirms institutional independence, insulating the Authority from external direction, including government interference. However, a critical examination of sections 18 and 19 appears to contradict the claims of independence given to the Authority. The President’s appointment powers over Board members, the Director-General, and staff, anchored by Article 195 of Ghana’s 1992 Constitution, create a latent tension between formal independence and practical autonomy. While this mirrors the board and staff arrangements under Act 843, the expanded enforcement role of the Bill heightens the risk of perceived or actual political influence.
Therefore, while the Bill strengthens the DPA’s institutional powers, it fails to fully resolve persistent concerns about executive influence in regulatory appointments. Implementing a clear, structured, and transparent appointment process for all personnel could mitigate these concerns.
Rights of Data Subjects: Expansion and Modernisation
Sections 54 to 66 of the Bill significantly expand and strengthen data subjects’ rights. These include data portability, rights relating to automated decision-making, control over political and election-related data processing, and enhanced rights to erasure and objection.
A comparison of the Bill to Act 843 reflects a rights-based regulatory philosophy closer to the GDPR. The inclusion of rights relating to manual data and emerging technologies also demonstrates responsiveness to Ghana’s hybrid digital–paper administrative systems.
In effect, the Bill moves data protection beyond procedures and gives individuals stronger, meaningful control over their personal data.
Enforcement Powers and Penalty Regime
Under the Bill, it is proposed that enforcement responsibility rests primarily with the Data Protection Authority. The Authority is authorised to issue enforcement notices requiring data controllers to cease unlawful processing, rectify or erase data, notify third parties of improper disclosures, or take specified remedial steps. It also has the power to investigate complaints, conduct compliance audits, prescribe compensation, and impose penalties, including criminal sanctions and substantial fines.
The Bill introduces stringent penalties for non-compliance, including substantial fines of up to fifty thousand penalty units (GHS 600,000), imprisonment, or both, for offences such as failure to comply with enforcement notices, providing false information, unlawful sale of personal data, false registration, and breach of accreditation rules. Compared to the Act, the penalty regime in the Data Protection Bill is more detailed and deterrent-oriented.
Nonetheless, the reliance on penalty units without contextual guidance on proportionality or turnover-based fines may weaken deterrence against large multinational data controllers; hence, the penalties must reflect the financial size or capacity of offenders.
Definitions and Alignment with Global Standards
A central strength of the Bill is its detailed and largely GDPR-aligned definitions. The Bill’s definitions of personal data, data controller, data processor, profiling, and consent substantially align with the GDPR. The definition of personal data is expansive, covering direct and indirect identifiers, online identifiers, pseudonymized data, and identity-related attributes. This breadth ensures that modern digital identifiers and emerging data forms are adequately protected. There is a subtle but important divergence between the requirements for consent under the Bill and the GDPR. The Bill requires informed and explicit consent, whereas the GDPR standard of consent is “freely given” and easily withdrawable.
The Data Protection Bill largely aligns with global definition standards, except for the subtle differences in how consent is defined and managed.
Lawful Basis for Processing vs Consent
Data processing is carried out by both the data controller and the data processor. The basis for processing data is that it should be necessary, relevant and not excessive. Unlike the GDPR, section 38 of the Bill places strong primacy on consent, with limited statutory exceptions. While the Bill strengthens individual control, it risks operational rigidity for public bodies and businesses engaged in legitimate, non-consensual processing (e.g., fraud prevention, compliance).
The Bill should consider providing the considerable flexibility found in Act 843 and the GDPR.
Data Localisation and Cross-Border Transfers
Data controllers are required to make reasonable efforts to store personal data in Ghana, provided this does not unduly hinder business operations. Mandatory localisation applies to data involving national security, identity systems, voter databases, and highly sensitive categories such as children’s data, biometric data, health records, and genetic information. While this aligns with sovereignty and security objectives, the standard of “reasonable effort” is undefined, creating significant subjectivity and difficulty in enforcement. Cross-border transfers also require informed consent and, in some cases, DPA approval, echoing GDPR adequacy and safeguard principles but with a more centralised approval model.
Compared with the GDPR and Act 843, the data localisation and cross-border transfer requirements in the Bill are more restrictive, favouring state oversight over market flexibility.
Regulatory Overlaps
The Bill interacts with several existing statutes, creating potential regulatory overlaps. Notably, the Cybersecurity Act, 2020 (Act 1038) and the Electronic Communications Act, 2008 impose data retention and interception obligations on telecommunications and service providers. These requirements may conflict with the Bill’s principles of data minimisation, purpose limitation, and lawful processing unless clear exemptions or harmonisation mechanisms are provided.
Similarly, the Right to Information Act, 2019 (Act 989) promotes transparency and public access to information, while the Data Protection Bill prioritises privacy and protection of personal data. Public institutions may therefore face tensions between disclosure obligations and privacy safeguards, underscoring the need for careful balancing and clear interpretative guidance.
The conflict of the provisions of the Bill with the Cybersecurity Act 2020, the Electronic Communications Act, 2008 (Act 786) (ECA), and the Right to Information Act, 2019 (Act 989) (RTI) is a critical concern. Mandatory data retention and interception obligations may directly contradict data minimisation and purpose limitation principles.
Recognition of Emerging Technologies
Section 53 of the Bill explicitly recognises emerging technologies and automated decision-making systems. Data processors using advanced technologies must ensure that decisions affecting data subjects are explainable, contestable and subject to human oversight.
The Authority is empowered to regulate such technologies, conduct risk assessments, and impose penalties for non-compliance. Controllers deploying these systems must implement safeguards against discrimination, unauthorised access, and unethical use, while employing privacy-enhancing technologies to ensure transparency and accountability.
This places Ghana ahead of many African jurisdictions and aligns conceptually with emerging EU AI governance norms. However, the DPA’s enforcement capacity and technical expertise remain unaddressed, which will make its implementation in practice challenging.
Is the Data Protection Bill Future-Proof?
The Bill can be described as future-proof for several reasons. While it is expansive in scope and responds to technological advances, it also strengthens the consent requirement before processing the data of data subjects, thereby positioning Ghana to regulate evolving data processing practices effectively.
Recommendations
The authors recommend that a recognised nomination process for Board appointments be adopted and that financial autonomy be secured through statutory budgetary guarantees. There is a need to expand lawful bases beyond consent to include legitimate interest, subject to strict balancing tests, and to clarify the legal effect and operational consequences of withdrawing consent.
Further, the Bill should define “reasonable effort” to provide a clear guide and introduce sector-specific localisation exemptions where risks are low. There must be a reconciliation of obligations under the Cybersecurity Act, ECA, and RTI Act, and the provision of statutory supremacy or exemption clauses to guide compliance. The authors recommend that the Bill introduce turnover-based administrative fines for large-scale or systemic breaches and develop transparent guidelines for assessing penalties.
Lastly, the Bill should mandate specialist AI and cybersecurity units within the Data Protection Authority, as it proposes, and encourage regulatory sandboxes for innovation-compliant data use.
Conclusion
The Data Protection Bill, 2025, represents a decisive step toward modern, rights-centred data governance in Ghana. It improves significantly on Act 843, aligns closely with global standards, and anticipates technological change. Yet, its long-term success will depend on addressing institutional independence, regulatory overlap, and operational clarity. With targeted reforms and effective implementation, the Bill has the potential to position Ghana as a regional leader in data protection and digital trust.
References
- Data Protection Act, 2012 (Act 843)
- Data Protection Bill, 2025
- EU General Data Protection Regulation (GDPR)
- Cybersecurity Act, 2020 (Act 1038)
- Electronic Communications Act, 2008 (Act 786)