Ghana is racing to fortify its cyber defenses by amending its cybersecurity laws.
The Cyber Security Authority (CSA), Ghana’s digital watchdog, recently released the draft Cybersecurity (Amendment) Bill, 2025, on October 1, inviting public comments until October 24.
The 32-page document seeks to update the 2020 Cybersecurity Act, addressing emerging threats like artificial intelligence-driven scams, blockchain vulnerabilities, and harassment campaigns targeting vulnerable groups, including women and the elderly.
The updated bill is considered a vital step to shield critical infrastructure — from banks to power grids — against attacks that cost the country millions in losses last year.
However, the language expressed in the draft grants sweeping powers to regulators and law enforcement, with scant checks on potential abuses.
Provisions allowing warrantless inspections, asset freezes without immediate judicial review, and broad definitions of “cyberbullying” could result in privacy erosion and suppressed speech, all of which raise ethical concerns about balancing security with civil liberties.
Broad Surveillance Powers
The bill expands the definition of “critical information infrastructure” to encompass not just utilities and financial systems but also “digital services” and entire “supply chain ecosystems.”
In Sections 10, 11, 45 of the draft, owners of such assets — potentially including social media platforms, e-commerce sites, or even nonprofit networks — would face mandatory registration, audits, and rapid incident reporting, with penalties for noncompliance reaching up to 100,000 penalty units, equivalent to millions of cedis, or a decade in prison.
The draft bill also grants investigative powers vested in the CSA to act as de facto police. Officers could seek ex parte court orders — without notifying targets — to access data, seize devices, or freeze assets for up to 180 days.
While judges must weigh proportionality, the lack of adversarial hearings or mandatory notifications raises concerns of unchecked surveillance.
The bill’s language (in Sections 35 and 36) also criminalizes “unwanted contact,” “false information” or “obscene messages” with up to five years’ imprisonment. The terms are broad enough to ensnare satirical posts or investigative reporting.
Cyberbullying provisions, while aimed at protecting children and the marginalized, lack clear thresholds, potentially criminalizing everyday online spats.
Combatting Cybercrimes
This isn’t Ghana’s first brush with cyber policy pitfalls. The 2020 act, while pioneering in Africa for mandating data breach notifications, has been criticized for lax enforcement and overlapping jurisdictions with police and the attorney general.
With internet penetration nearing 70 percent and mobile money transactions exceeding $150 billion annually, cyber incidents have proliferated.
This year alone, the CSA reported that the country had lost GHC 19 million due to cybercrime. The new bill aims to give the Authority more teeth and to reduce cybercrimes.
Possible Recommendations
This bill, if enacted as is, could position Ghana as a regional cybersecurity leader but at the cost of eroding trust in digital spaces—ironically fueling the very threats it seeks to combat.
The bill could introduce sunset clauses and periodic reviews for surveillance powers. It could also strengthen independent oversight, like a Privacy Commissioner veto on bulk requests.
Overall, the current draft tilts toward state control rather than balanced protection. Urgent amendments are needed to prevent it from becoming a tool for repression rather than resilience.
This article was edited with AI and reviewed by human editors
