
By Beverly Kroduah
In a landmark decision in Data Protection Commissioner v Meta Platforms Ireland Limited dated May 12th, 2023, Ireland’s supervisory authority fined Meta €1.2 billion (US$1.3 billion) and ordered it to halt the transfer of Facebook user data from the EU/EEA to the United States.
This decision marks the largest fine ever imposed under the General Data Protection Regulation (GDPR) and underscores the European Union’s firm stance on data privacy violations and cross-border data transfers.
In today’s digital world, the seamless transfer of data across borders is crucial for trade, communication, technological innovation and human development. Cross-border data transfers are defined as the movement of data from one jurisdiction to the other. Directly or indirectly, every sector relies on data and its global transfer, making cross-border data transfers central to the global digital economy and a key driver of international trade.
However, cross-border data transfers raise significant legal and security concerns including potential data breaches and privacy violations, particularly regarding personal information.
Ghana has not been exempted from these data privacy challenges. In 2022, Bolt Ghana was ordered by the Adenta Circuit Court in the case of Justice Noah Adade v Bolt Ghana Limited to pay damages of GH¢1.9 million for identity theft.
The Plaintiff in the suit, Justice Noah Adade, a lecturer and CEO of a software solutions company in Ghana, discovered that his name, picture and other personal information had been used by someone else to list him as a driver on the Bolt app—a serious lapse in data security that the company failed to detect.
Data protection is essential, not only for safeguarding individual freedom but also for preventing discrimination, identity theft, financial loss and reputational damage.
The right to privacy is widely recognized as a fundamental human right and this is apparent in various international treaties including the Universal Declaration of Human Rights (UDHR) and the International Covenant on Civil and Political Rights (ICCPR). As a result, many countries have implemented regulations to govern how the personal data of their citizens is collected, stored and transferred across jurisdictions.
Ghana recognizes the significance of data protection and has implemented a legal framework to regulate it. Ghana has various laws that cumulatively work to ensure some level of privacy protection for its citizens. The 1992 Constitution enshrines the citizen’s right to privacy specifically under article 18(2). To reinforce this protection, Ghana enacted the Data Protection Act of 2012 (Act 843) whose introduction marked a pivotal moment in Ghana’s efforts to provide a comprehensive legal framework to safeguard data privacy.
While the Act provides general obligations for data controllers and processors, it sorely lacks adequate provisions on cross-border data transfers. This gap creates legal uncertainties, posing challenges for businesses and multinational organizations operating within its jurisdiction.
In contrast, the European Union’s General Data Protection Regulation (GDPR) imposes strict conditions on data transfers outside the European Union. The African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) sets regional standards for data governance. As Ghana strengthens its digital economy and attracts foreign investments, aligning its data protection framework with global standards becomes increasingly necessary.
This article aims to shed light on Ghana’s approach to cross-border data protection, analyzing its alignment with international standards and the opportunities to strengthen Ghana’s data protection regime, boost cross-border business and ensure the security of the personal data of citizens in an increasingly interconnected world.
Legal framework for data protection, specifically cross-border data transfer laws, in Ghana
The primary legislation governing data protection in Ghana is the Data Protection Act, 2012 (Act 843). Other legislations that contribute to data protection in Ghana include the Electronic Communications Act, 2008 (Act 775), Electronic Communications Regulations, 2011 (LI 1991), Credit Reporting Act, 2007 (Act 726), Public Health Act, 2012 (Act 851) and the Children’s Act, 1998 (Act 560).
Some key provisions of the Data Protection Act, 2012 (Act 843) include:
- Broad scope and extra-territorial applicability of the Act: The Act has extra-territorial applicability as it applies to foreign entities that process data originating from Ghana. Under section 45, the Act applies to a data controller established in Ghana whose data is processed in Ghana; to any data controller not established in Ghana that uses equipment or a data processor carrying on business in Ghana to process the data; and where processing is in respect of information which originates partly or wholly from Ghana.
- Establishment of the Data Protection Commission: This independent regulatory and enforcement body established under section 1 plays a crucial role in enforcing data protection measures. Its objectives are to protect the privacy of the individual and personal data by regulating the processing of personal information and providing the process to obtain, hold, use or disclose personal information and related matters.
- Provides for data subject rights: The Act emphasizes the requirement for consent from individuals to process their data. These guaranteed rights include the right to be informed under Sections 23 and 27, right to give and withdraw consent under Section 20, the qualified right to erasure under Section 33, right to compensation under Section 43, right to complain under Section 41, rights to automated decision making and profiling, right to object under Sections 20(2), 39, 40 and 41, right to prevent processing for direct marketing, right to rectification under Section 33(1)(a) and right of access under Section 35. These rights are, however, subject to some exceptions.
In addition to statute law, the right to data privacy has been further upheld in the 2023 case of Francis Kwarteng Arthur v Ghana Telecom Co. Ltd., Scancom PLC (MTN Ghana), Kelni GVG Ltd., National Communications Authority, and The Attorney General where the High Court held that the request from the President to the telecommunication networks to provide details of all subscribers’ information on international roaming breached the constitutional right to privacy as guaranteed by Article 18(2) of the 1992 Constitution. This ruling was a significant step in protecting citizens’ rights to privacy in the digital space.
Despite these provisions, Ghana’s legal framework lacks explicit guidelines on cross-border data transfers, raising concerns about compliance with international standards. The Act neither defines ‘cross-border data transfer’ or ‘transborder data flow’ nor contains specific provisions regulating such transfers. In other words, there are no restrictions on cross-border data transfers.
Under the Act, the processing of personal data originating entirely or partially from Ghana must be done in accordance with the provisions of the Act. A data controller must obtain prior consent from the data subject for the processing of the personal data under section 20.
With foreign data subjects, a data controller or processor must ensure that the data is processed in accordance with the data protection legislation of the foreign jurisdiction of that subject as stated under section 18.
While the combined effect of these provisions establishes a requirement for compliance with foreign data protection laws, the Act does not provide a structured framework for cross-border transfers.
However, it is the usual practice when transferring data out of the jurisdiction to submit a letter to the Data Protection Commission notifying them of the intended transfer and requesting clearance. This letter typically includes details such as the scope of the transfer, the duration and the purpose. This requirement is not explicitly stated in the Act.
International standards on cross-border data transfers
Various international frameworks have been developed to set best practices for data protection, ensuring that personal data is transferred in a way that upholds privacy rights and prevents privacy violations. Ghana, like many other countries, must align its data protection policies with these global standards to facilitate international trade, attract investment and strengthen its regulatory credibility.
The General Data Protection Regulation (GDPR): The GDPR enacted by the European Union (EU) in 2018 is one of the most influential data protection laws in the world. The GDPR has had a profound impact on global data protection laws, serving as a benchmark for many countries in shaping their regulatory frameworks. It sets strict guidelines for the collection, processing and transfer of personal data, both within the EU and internationally.
Under the GDPR, cross-border data transfers are only permitted if the recipient country has an adequate level of data protection, as determined by the European Commission.
When assessing the adequacy of the level of protection, the European Commission considers elements like rule of law, respect for human rights and fundamental freedoms, as well as whether or not data subjects’ rights are effective and enforceable, the existence and effective functioning of an independent data protection authority in the non-EEA country and the international commitments the country or international organization has entered into, as stated in Article 45(2) of the GDPR.
Ghana is yet to secure an adequacy decision from the EU. The effect of this is that Ghana must provide further safeguards before personal data can flow from the EU. The European Commission has the power to determine whether a country has an adequate level of protection based on article 45 of Regulation EU 2016/679 of the European Parliament and of the Council.
While EU member states have their own national data protection laws, most have either amended them to align with the GDPR or enacted supplementary laws to support the implementation of the GDPR. As a result, the GDPR serves as a unifying framework across the EU, making it a relevant point of comparison with Ghana’s data protection regime.
African Union Convention on Cyber Security and Personal Data Protection of 2014 (Malabo Convention): Recognizing the need for a unified approach to data protection across Africa, the African Union (AU) adopted the Malabo Convention for the regional harmonization of cyber security and data protection governance on the continent.
The Malabo Convention requires signatory states to adhere to the basic principles governing the processing of personal data.
The Convention further allows each signatory state to commit itself to establishing a legal framework ensuring that any form of data processing respects the fundamental freedoms and rights of natural persons.
Although the Malabo Convention provides a strong foundation for data governance in Africa and has been ratified by many African countries including Ghana, its implementation has been slow within the jurisdiction.
This delay is due to the need for legislative reforms as the Act predates the Convention. Aligning Ghana’s data protection framework with the Malabo Convention could enhance regional cooperation by harmonizing cybersecurity and data protection laws across Africa.
However, this Convention serves more as a broad regional guideline, lacking detailed rules and procedures. Furthermore, the Convention fails to adequately address the critical issue of cross-border data transfers.
The AU Data Policy Framework: This policy framework was endorsed by the AU Executive Council in February 2022, outlining recommendations pertaining to cross-border data transfer.
Firstly, the evaluation of data localization should consider its potential impact on human rights. In addition, when deciding on a particular cross-border data protection approach, a delicate equilibrium must be maintained between advancing balanced economic growth and ensuring sufficient data security.
Lastly, data protection authorities are also encouraged to embrace international and regional collaboration practices while recognizing the varying degrees of implementation and enforcement across Member States. These have been expanded under Chapter 5 of the policy framework.
The African Continental Free Trade Area (AfCFTA): AfCFTA presents an opportunity for African countries to establish a unified approach to cross-border data transfer.
A harmonized agreement would enhance enforcement both within and outside the region. Without such an agreement, the vision of a single market could be compromised.
The AfCFTA framework could also facilitate intra-African data transfers while restricting transfers outside the region to countries without adequate data protection.
These agreements reflect the global effort to balance seamless data transfers in commerce with the fundamental right to data privacy, a balance Ghana must also strive to achieve.
Challenges in aligning Ghana’s data protection framework with global standards
Despite Ghana’s progress in establishing a legal framework for data protection, several challenges hinder its alignment with international best practices.
One of the primary challenges in Ghana’s data protection framework is the absence of a structured adequacy assessment process for determining whether its jurisdiction and foreign jurisdictions provide a comparable level of data protection.
Unlike the GDPR, which relies on formal adequacy decisions issued by the European Commission, the Act fails to impose an adequacy requirement for recipient jurisdictions, define specific criteria for assessing adequacy and establish a formal review mechanism for evaluating foreign legal systems.
This gap creates uncertainty for businesses and organizations engaged in international data transfers, as well as uncertainty in ensuring the protection of personal data transferred outside Ghana.
Factors that are generally considered in determining adequacy in other jurisdictions include legal framework on data protection in the foreign country, its public security measures, specific characteristics and duration of data processing, and the nature, origin, and destination of data.
Without a standardized regulatory framework, companies operating in Ghana must rely on contractual agreements and individual consent mechanisms, leading to inconsistencies in compliance.
The absence of detailed adequacy requirements also limits Ghana’s ability to negotiate data-sharing agreements with international partners, making it difficult to facilitate seamless data transfers with regions that demand higher levels of protection such as the European Union.
Countries with weaker data protection legal frameworks experience reduced data transfers to and from EU countries because of the stringent European data privacy legal system. This consequently has an impact on the development of economic ties between Ghana and the European Union.
Another area where Ghana’s framework falls short is the lack of a definite timeline in the data breach notification system. Many global frameworks, including the GDPR and the California Consumer Privacy Act (CCPA), require organizations to promptly notify regulatory authorities and affected individuals in the event of a data breach.
For example, under Article 33 of the GDPR, the data controller shall notify a personal data breach not later than 72 hours after having become aware of it. Ghana’s laws do not impose strict breach notification timelines or specify the exact procedures businesses must follow when responding to a data security incident, potentially leaving consumers vulnerable to harm.
An additional challenge is ensuring compliance among businesses and public institutions. Many organizations, especially small and medium-sized enterprises (SMEs) lack awareness of their legal obligations under the Act.
Without regular audits, clear compliance guidelines and stringent penalties for violations, data controllers and processors may fail to implement necessary safeguards, increasing the risk of data breaches and unauthorized transfers.
A strong legal framework for data protection is most effective when supported by a robust cybersecurity system. Ghana’s Tier 1 status in the 2024 Global Cybersecurity Index reflects its commitment to securing its cyberspace.
This achievement positions Ghana as a leader in sub-Saharan Africa. However, sustaining this progress requires continuous investment, particularly in capacity development to enhance cybersecurity resilience. Strengthening Ghana’s cybersecurity infrastructure will not only protect sensitive data but also ensure compliance with global digital trade standards.
Opportunities for strengthening Ghana’s compliance with international standards
With the significant challenges in aligning Ghana’s data protection framework with global standards highlighted in the previous section, there are several opportunities to enhance compliance and establish a more robust regulatory system for cross-border data transfers. With these reforms, Ghana can position itself as a trusted jurisdiction for data governance in Africa and beyond.
There must be a balance between data safeguards and data restrictions to ensure proper cross-border data transfer. While restricting cross-border data transfers can enhance citizens’ privacy and strengthen national security, excessive restrictions may hinder economic competitiveness and global trade. A balanced and proportionate approach is thus essential.
A key reform is the establishment of a structured adequacy decision framework for assessing whether foreign jurisdictions provide a comparable level of data protection. This framework, similar to the GDPR’s adequacy decisions, would offer greater legal certainty to businesses and facilitate seamless international data transfers.
Also, the Act should mandate that organizations report data breaches to the Data Protection Commission (DPC) within a specific timeframe and notify affected individuals where there is a risk of harm.
Strict reporting timelines and penalties for non-compliance would enhance accountability and strengthen cybersecurity resilience. To deter non-compliance, Ghana should introduce stricter penalties for companies that fail to comply with the Act.
This could include higher fines, suspension of data processing rights, or even criminal liability for severe infractions, similar to the GDPR’s approach.
Moreover, to ensure lawful cross-border data transfers, Ghana should introduce legally recognized contractual mechanisms that allow businesses to transfer data while maintaining compliance with global standards.
Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) and ad hoc contracts would provide organizations with standardized, enforceable obligations to protect personal data when transferring it to jurisdictions without an adequacy decision.
The government and private sector should continue to collaborate to provide regular training programs on data protection compliance, including courses tailored for Information Technology professionals, legal teams and corporate executives.
Certification programs can also help enhance industry-wide expertise on international data protection laws. Incentives such as tax breaks for companies investing in data security could also encourage greater corporate participation in strengthening data protection.
Crucially, Ghana should continue to engage in international policy discussions on data protection, including initiatives led by organizations such as the United Nations, the Organisation for Economic Co-operation and Development, the Federal Ministry For Digital and Transport and the World Trade Organization.
By participating in these global conversations, Ghana can help shape data governance policies that reflect its national interests. AfCFTA serves as an opportunity for African countries including Ghana to actively engage in regional negotiations to create mechanisms for cross-border data transfers for digital trade.
Ghana can also establish clear and precise data classification policies. Data classification policies aid in clearly distinguishing secret and confidential data belonging to the government and other non-sensitive data that can be shared on a global and transparent basis.
Stakeholders, including the government, legal professionals, businesses, civil society, academia and policy makers have critical roles to play. Government plays a critical role in creating the legislative framework and ensuring its proper enforcement.
It must provide the Data Protection Commission with sufficient resources and actively participate in international and regional data governance initiatives to influence the creation of global standards that are beneficial to Ghana.
Businesses, particularly those involved in cross-border data transfers, must also take responsibility for compliance with data protection laws.
They should invest in data protection training, adopt best practices such as International Organization for Standardization (ISO) certification and integrate data protection into their overall risk management strategies.
Finally, legal professionals must be at the forefront of advocating for reforms and ensuring that businesses are aware of their data protection obligations. Lawyers can assist organizations in negotiating and drafting Standard Contractual Clauses (SCCs) and provide guidance on compliance with both domestic and international data protection laws.
Conclusion
While Ghana’s current framework provides a good foundation, addressing its gaps and inconsistencies is crucial to aligning with international standards and establishing a comprehensive system for governing cross-border data transfers. The challenges identified hinder Ghana’s full participation in international data transfers, posing both economic and legal consequences.
By implementing these reforms and establishing explicit adequacy requirements, Ghana can modernize its data protection framework, create a business-friendly regulatory environment to attract foreign investment and improve its ability to engage in global data-sharing agreements overall.
This will enhance Ghana’s data protection framework and create a more secure, transparent and internationally recognized legal environment for handling personal data.
>>>The writer is a pupil at Koranteng & Koranteng Legal Advisors. Contact: [email protected]
The post Navigating cross-border data protection: Evaluating our legal framework against international standards appeared first on The Business & Financial Times.