Applicability of Ghana's Data Protection Act, 2012

Introduction

Ghana's Data Protection Act, 2012 (DPA 2012) establishes a comprehensive framework for data protection in the country. This analysis examines the law's applicability based on material and territorial factors.

Material Applicability Factors

The DPA 2012 includes several exemptions and specific purposes that affect its material applicability. These include:

1. Exemption for Specific Purposes of Processing
2. National Security and Law Enforcement Exemption
3. Personal and Domestic Use Exemption
4. Government and Public Agency Exemption
5. Central Bank and Financial Institutions Exclusion

Exemption for Specific Purposes of Processing

The DPA 2012 provides exemptions for certain data processing activities related to public protection, financial services, taxation, and national honors.

DPA 2012 Art.63(1a)(iii):

"(1) The provisions of this Act do not apply to the processing of personal data for protection of members of the public (a) against loss or malpractice in the provision of (iii) investment,"

DPA 2012 Art.70(b):

"Personal data processed to (b) confer a national honour, is exempt from the subject information provisions of this Act."

DPA 2012 Art.63(1e):

"(1) The provisions of this Act do not apply to the processing of personal data for protection of members of the public (e) to protect non-working persons against the risk to health or safety arising out of or in connection with the action of persons at work."

DPA 2012 Art.61(1c):

"(1) The processing of personal data is exempt from the provisions of this Act for the purposes of (c) the assessment or collection of a tax or duty or of an imposition of a similar nature."

These exemptions allow for more flexible data processing in specific sectors, such as financial services, taxation, and public safety, while balancing data protection with other important public interests.

National Security and Law Enforcement Exemption

The DPA 2012 provides broad exemptions for national security and law enforcement activities.

DPA 2012 Art.60(1):

"The processing of personal data is exempt from the provisions of this Act for the purposes of (a) public order, (b) public safety, (c) public morality, (d) national security, or (e) public interest."

DPA 2012 Art.61(1):

"The processing of personal data is exempt from the provisions of this Act for the purposes of (a) the prevention or detection of crime, (b) the apprehension or prosecution of an offender, or (c) the assessment or collection of a tax or duty or of an imposition of a similar nature."

DPA 2012 Art.69:

"Personal data is exempt from the subject information provisions where the application of the provisions is likely to prejudice the combat effectiveness of the Armed Forces of the Republic."

These exemptions allow government agencies and security forces greater flexibility in data processing for national security and law enforcement purposes, potentially limiting individual rights in these contexts.

Personal and Domestic Use Exemption

The DPA 2012 exempts personal data processing for domestic purposes from its provisions.

DPA 2012 Art.67:

"Personal data which is processed by an individual only for the purpose of that individual's personal, family or household affairs is exempt from the data protection principles."

This exemption ensures that the law does not interfere with individuals' private lives and everyday activities, applying only to purely personal or domestic contexts.

Government and Public Agency Exemption

The DPA 2012 provides exemptions for certain government and public agency activities.

DPA 2012 Art.60(1a):

"(1) The processing of personal data is exempt from the provisions of this Act for the purposes of (a) public order,"

DPA 2012 Art.63(2b):

"(2) The processing of personal data is exempt from the subject information provisions of this Act if it is for the discharge of a function conferred by or under an enactment on (b) a local government authority,"

These provisions allow government agencies and public bodies to process personal data without being subject to the full provisions of the DPA 2012 when necessary for maintaining public order or fulfilling statutory functions.

Central Bank and Financial Institutions Exclusion

The DPA 2012 provides limited exclusions for central banks and financial institutions.

DPA 2012 Art.63(1a)(iv):

"(1) The provisions of this Act do not apply to the processing of personal data for protection of members of the public (a) against loss or malpractice in the provision of (iv) other financial services, or"

DPA 2012 Art.63(1a)(i):

"(1) The provisions of this Act do not apply to the processing of personal data for protection of members of the public (a) against loss or malpractice in the provision of (i) banking,"

These exemptions allow financial institutions, including the central bank, to process personal data for protecting the public against loss or malpractice in banking and other financial services.

Territorial Applicability Factors

The DPA 2012's territorial applicability is determined by several factors:

1. Doing Business in Jurisdiction
2. Entity's Link or Presence in Jurisdiction
3. Processing by Local Establishment
4. Processing by Entity Registered or Incorporated in Jurisdiction
5. Use of Equipment Within Jurisdiction
6. Processing in Jurisdiction

Doing Business in Jurisdiction

The DPA 2012 applies to data controllers doing business in Ghana, even if not established there.

DPA 2012 Art.45(1b):

"(1) Except as otherwise provided, this Act applies to a data controller in respect of data where (b) the data controller is not established in this country but uses equipment or a data processor carrying on business in this country to process the data, or"

DPA 2012 Art.45(3e):

"(3) For the purposes of this Act the following are to be treated as established in this country: (e) any person who does not fall within paragraphs (a),(b), (c) or (d) but maintains an office, branch or agency through which business activities are carried out in this country."

These provisions extend the law's applicability to entities with a commercial presence or engaging in economic activities within Ghana, regardless of their formal establishment.

Entity's Link or Presence in Jurisdiction

The DPA 2012 considers various forms of presence or link to Ghana as factors for applicability.

DPA 2012 Art.45(3e):

"(3) For the purposes of this Act the following are to be treated as established in this country: (e) any person who does not fall within paragraphs (a),(b), (c) or (d) but maintains an office, branch or agency through which business activities are carried out in this country."

DPA 2012 Art.45(3d):

"(3) For the purposes of this Act the following are to be treated as established in this country: (d) an unincorporated joint venture or association operating in part or in whole in this country; and"

DPA 2012 Art.45(2):

"(2) A data controller who is not incorporated in this country shall register as an external company."

These provisions ensure that entities with various forms of presence or operations in Ghana are subject to the country's data protection regulations.

Processing by Local Establishment

The DPA 2012 applies to data processing by entities established in Ghana.

DPA 2012 Art.45(3c):

"(3) For the purposes of this Act the following are to be treated as established in this country: (c) a partnership, persons registered under the Registration of Business Names Act, 1962 (Act 151) and the Trustees (Incorporation) Act, 1962 (Act 106);"

This provision extends the law's applicability to various forms of business entities and partnerships registered under specific Ghanaian laws.

Processing by Entity Registered or Incorporated in Jurisdiction

The DPA 2012 explicitly includes incorporation or registration within Ghana as a factor for applicability.

DPA 2012 Art.45(3b):

"(3) For the purposes of this Act the following are to be treated as established in this country: (b) a body incorporated under the laws of this country;"

This provision clearly extends the Act's applicability to all companies incorporated under Ghanaian law.

Use of Equipment Within Jurisdiction

The DPA 2012 applies to data controllers using equipment or data processors within Ghana.

DPA 2012 Art.45(1b):

"Except as otherwise provided, this Act applies to a data controller in respect of data where [...] (b) the data controller is not established in this country but uses equipment or a data processor carrying on business in this country to process the data, or"

This provision extends the law's territorial scope to foreign entities that process data using local resources.

Processing in Jurisdiction

The DPA 2012 applies to data processing activities occurring within Ghana.

DPA 2012 Art.45(1a):

"(1) Except as otherwise provided, this Act applies to a data controller in respect of data where (a) the data controller is established in this country and the data is processed in this country,"

This provision sets a clear territorial scope for the law's applicability based on the data controller's establishment in Ghana and the processing of data within the country.

Conclusion

Ghana's Data Protection Act, 2012 has a broad scope of applicability, covering both local and foreign entities processing data in Ghana or using Ghanaian resources. The law provides specific exemptions for national security, law enforcement, and certain public and private sector activities. Organizations operating in or connected to Ghana should carefully assess their data processing activities to ensure compliance with the DPA 2012.