Ghana's Data Protection Act, 2012 (DPA 2012) extends its applicability to data controllers not established in Ghana but using equipment or data processors within the country to process personal data.

Text of Relevant Provisions

DPA 2012 Art.45(1b):

"Except as otherwise provided, this Act applies to a data controller in respect of data where [...] (b) the data controller is not established in this country but uses equipment or a data processor carrying on business in this country to process the data, or"

Analysis of Provisions

The DPA 2012 applies to data controllers who are not established in Ghana but utilize equipment or engage data processors operating within the country to process personal data. This provision extends the law's territorial scope beyond Ghana's borders, capturing foreign entities that process data using local resources.

The key elements of this provision are:

1. "data controller is not established in this country": This targets foreign entities that do not have a physical presence or legal establishment in Ghana.
2. "uses equipment or a data processor": The law applies if the foreign entity either directly uses equipment located in Ghana or engages a data processor based in the country.
3. "carrying on business in this country": This phrase emphasizes that the equipment or data processor must be actively operating within Ghana's jurisdiction.
4. "to process the data": The use of local resources must be for the purpose of data processing, not merely for data transit or other non-processing activities.

Implications

This provision has significant implications for international businesses and organizations that process personal data:

1. Foreign companies using cloud services or data centers located in Ghana may fall under the DPA 2012's jurisdiction, even if they have no other presence in the country.
2. Multinational corporations outsourcing data processing activities to Ghanaian companies must comply with the DPA 2012, regardless of their primary location.
3. Organizations must carefully consider the location of their data processing equipment and the residency of their data processors to determine whether they are subject to Ghanaian data protection law.
4. Foreign entities may need to register as external companies in Ghana if they fall under this provision, as stipulated in Article 45(2) of the DPA 2012.
5. Companies not established in Ghana but using local equipment or processors for data transit purposes may still be exempt from the Act's application, as per Article 45(4).

This factor effectively expands the territorial reach of Ghana's data protection law, ensuring that foreign entities cannot circumvent local regulations by simply processing data remotely while utilizing Ghanaian resources. It aligns with similar provisions in other jurisdictions, reflecting a global trend towards comprehensive data protection that addresses the realities of cross-border data flows and international data processing practices.