Ghana’s Data Protection Bill, 2025 represents a significant overhaul of the country’s data privacy framework. It seeks to repeal and replace the Data Protection Act, 2012 (Act 843), introducing new obligations, expanded individual rights, and enhanced enforcement powers. This comparative analysis highlights the key organizational changes and new provisions introduced by the Bill, focusing on how they differ from the 2012 Act.
- Organizational and Regulatory Changes
The Bill introduces a fundamental change in nomenclature and structure. While Act 843 established the Data Protection Commission, the 2025 Bill creates the Data Protection Authority, signalling a broader mandate and presumed increase in scope. Similarly, the head of administration evolves from an Executive Director under Act 843 to a Director-General in the 2025 Bill, with the additional role of a Deputy Director-General. Perhaps most significantly, the Bill enshrines the Authority’s independence through a new section, explicitly stating that it shall not be subject to the direction, control, influence, or pressure of any person or government authority in performing its functions. This contrasts with the 2012 Act, where the Minister could give directives to the Board on policy matters. The Bill also clarifies that ministerial directives cannot interfere with specific technical or operational matters, thereby providing a statutory guarantee of operational autonomy.
Internal compliance roles have similarly evolved. Act 843 referenced a Data Protection Supervisor, whereas the Bill introduces the role of a Data Protection Officer with defined certification requirements, explicit duties, and penalties for non-compliance. Another key development is the expanded definition of personal data. While Act 843 focused on data that identifies individuals directly or indirectly, the 2025 Bill significantly broadens this to include biometric information, indirect identifiers such as location data and voice recordings, online identifiers including IP addresses and cookies, and pseudonymised data. This broadening ensures coverage of modern digital identifiers, reflecting the increasing complexity of data-driven business operations.
The Bill also introduces new sections and requirements absent in Act 843. Its scope extends to external data controllers who offer goods and services in Ghana or monitor individuals within the country. Foreign entities processing large-scale data, sensitive personal data, or data relating to criminal offences must designate a local representative, ensuring accountability and enabling direct enforcement. For government entities, the Bill requires registration with the Authority before engaging in personal data processing. It also designates key officials such as the Chief of Staff, Clerk to Parliament, and Judicial Secretary as default data controllers for their respective branches. These measures aim to ensure that both public and private sector data processing meets clear, enforceable standards.
The Bill expands the objects, powers, and duties of the regulatory body. It introduces new objectives, including preventing data exploitation, establishing standards for cross-border data transfers, and regulating the personal data digital economy. The Authority is empowered to issue market conduct regulations, facilitate dispute resolution through conciliation and mediation, and impose administrative fines or corrective measures. Board accountability is enhanced, with explicit fiduciary duties, indemnification provisions, and a requirement that the Board include at least three women. Financial provisions under the Bill enhance the Authority’s independence by permitting tax exemptions and borrowing powers. In parallel, strict disclosure limitations prevent the unlawful release of intelligence data or special categories of personal information.
- Rights, Principles, and Enforcement
Enforcement mechanisms are more robust under the 2025 Bill. A detailed complaints redress procedure allows data subjects to lodge complaints, outlines fair investigation processes, and authorizes the Authority to prescribe compensation for harm or distress. Compliance audits may now include warrantless entry where urgent circumstances exist, provided law enforcement supervises. Security breach notifications must be made within 72 hours, and penalties for failure to comply are substantially increased, with fines for non-registration reaching up to 100,000 penalty units. The Bill also establishes an internal review mechanism, allowing data controllers to challenge Authority decisions within specified timeframes.
Data protection principles and individual rights are strengthened. The Bill asserts that personal data remains the property of the data subject and cannot be claimed by any other person or entity solely by virtue of processing. Data Protection Impact Assessments are mandatory for processing likely to pose significant risks to rights and freedoms, while Legitimate Interest Assessments are required for processing based on organizational interests. The principles of data protection by design and by default are codified, mandating pseudonymisation, encryption, and other safeguards throughout the data lifecycle.
Individual rights are explicitly detailed, including the right to grant and withdraw consent, the right to data portability, and the right to be forgotten. The latter requires that personal data be removed from all systems and public domains within thirty days, with cost-sharing arrangements if necessary. Specific provisions address election campaigns, automated decision-making, and children’s data, requiring parental consent and age verification mechanisms. The Bill also includes emerging technology requirements, ensuring that AI, blockchain, and other advanced systems are explainable, contestable, and subject to human oversight, particularly in critical sectors such as health, finance, and energy.
Cross-border data transfer rules are entirely new and detailed. The Bill encourages localization of data unless it impairs business, with specific requirements for critical data such as biometric information, health records, and national identity systems. Data controllers must conduct Transfer Impact Assessments for large-scale data transfers posing risks to rights, subject to the Authority’s approval.
Finally, the Bill introduces accreditation and certification frameworks. Individuals and institutions providing data protection services must obtain licenses from the Authority, and professionals are required to undergo training and certification. The Director-General is empowered to establish certification standards, seals, and marks to encourage compliance and provide clear benchmarks for organizational data protection practices.
In conclusion, the Data Protection Bill, 2025 represents a comprehensive and forward-looking regulatory framework, significantly strengthening organizational obligations, individual rights, and enforcement mechanisms compared to the Data Protection Act, 2012 (Act 843). Businesses, government entities, and other data controllers must adapt to these changes to ensure compliance, protect the rights of data subjects, and mitigate the substantial penalties associated with non-compliance. The Bill reflects a proactive approach to modern data governance, emphasizing accountability, transparency, and the responsible use of personal information in Ghana’s digital economy.
ABOUT THE AUTHOR
DENNIS AKWABOAH is an Associate at Sustineri Attorneys PRUC, advising clients across corporate and commercial practice, intellectual property, transactions, tax, startups, trade, regulatory compliance, and entertainment and media law. He provides tailored legal solutions to clients in diverse industries, with a focus on aligning legal strategy to business outcomes and innovation. He welcomes views on this article via a.dennis@sustineriattorneys.com.