Ghana’s latest cyber law may protect citizens - but it also watches them more closely

People stand behind a fence on the day of John Dramani Mahama's swearing-in ceremony for his second term as Ghana's president, in Accra, Ghana January 7, 2025. REUTERS/Francis Kokoroko

Ghana’s Cybersecurity (Amendment) Bill 2025 has introduced some of the most sweeping updates to the country’s existing cybersecurity laws since the original act, Cybersecurity Act 2020 (Act 1038), was passed in 2020.

The new amendments, according to authorities, promise to make the digital space safer, but they also hand the Cyber Security Authority (CSA) unprecedented powers that could affect how every Ghanaian uses the internet.

While the bill aims to strengthen national resilience against hacking, fraud, and online abuse, there are concerns that some provisions could blur the line between regulation and surveillance and limit online freedoms.

Prior to the drafting of the amendment bill, the Ministry of Communication, together with the Cyber Security Authority, invited public input.

Here’s what you need to know about the Bill:

  • The CSA can now investigate, arrest, and prosecute

The CSA’s proposed investigative, arrest and prosecutorial power may be one of the biggest and most concerning changes in the Amendment Bill. This means that the Cyber Security Authority, which was originally set up as a regulator, can now investigate and prosecute cybercrime on the authority of the Attorney-General. It can even exercise police powers, including arrest, search, and seizure. Under the existing law, the Authority could only enforce compliance through administrative means and recommend prosecutions. Now, however, the Authority may prosecute cybercrime cases directly, apply for confiscation orders, and freeze assets under section 59B, which states that: “(1) The Authority shall, upon the occurrence of a cybersecurity incident or a cybercrime, conduct criminal investigations and prosecute the same. (2) The Authority shall have the jurisdiction to prosecute all offences under the Electronic Transactions Act, 2008 (Act 772).”

  • The CSA can confiscate assets linked to cybercrime

Under the new Section 59B, the CSA can seize and confiscate property, money, or assets believed to be connected to cybercrime. Even if a criminal case fails, the Authority may still pursue civil recovery, meaning your assets could be taken without a conviction if linked to an alleged offence. Section 59B (3) states, “Where a person is convicted of a cybercrime under this Act, the Authority may apply to the Court for an order to confiscate moneys, proceeds, benefits, properties, and assets purchased by a person with proceeds derived from or in the commission of the cybercrime.” The act goes on to state in subsection (5): “In relation to subsection (6), if criminal prosecution fails, civil asset recovery should still proceed, and confiscation orders should have the effect of a civil judgment appealable from the High Court to the Court of Appeal.” Under the existing law, the CSA has no power to confiscate proceeds of crime; this power is reserved for the Attorney General’s office and the Economic and Organised Crime Office (EOCO).

  • The authority can demand information and access data

New provisions under sections 59C - 59I give the CSA powers to compel individuals, service providers, or companies to hand over data, including computer records and personal information. Investigators can apply ex parte, without notifying the affected person, to obtain search and preservation orders over data stored on computers or servers. Section 59C(1) states: “The Authority may, for the purposes of carrying out an investigation in respect of a contravention of the Act, Regulations, or any other relevant enactment by the owner of a critical information infrastructure, a licensee, a service provider or any other person, by notice in writing, require a person to: attend at a time and place specified in the notice; and furnish the Authority with information related to a matter relevant to the investigation.” The goal is to make it easier to investigate cybercrime, but it raises concerns that it could open the door to mass data access and unwarranted surveillance.

  • AI, blockchain, and emerging technologies come under regulation

For the first time, Ghana’s cyber law explicitly covers Artificial Intelligence (AI), blockchain, Internet of Things (IoT) devices, cloud technology, and quantum computing. Under sections 4A(a) – (c) and 58A, the CSA will now set security standards and certify emerging technologies, from banking algorithms to smart home systems, before they are deployed. In addition, the authority shall accredit non-profit cybersecurity institutions under section 58B. This could help ensure safer technology use, but it also places innovation under state control. In this regard, the CSA becomes Ghana’s tech certifier, which invariably expands its remit from cybersecurity to technology governance.

  • New offences on cyberbullying, stalking, and “false information”

The Bill introduces new online offences under Sections 67A and 67B, targeting cyberbullying, stalking, and online harassment, especially of children. However, it also makes it a crime to “deliberately spread false or misleading information” online. The problem? The law doesn’t define what counts as “false or misleading.” This vagueness could criminalise legitimate reporting, satire, or political commentary. Depending on the offence, penalties range from fines of up to five thousand penalty units to 25 thousand penalty units, and imprisonment of three to five years or of not more than ten years.

  • Funding streams for the authority

The amendments create new funding streams for the CSA, including: 12% of Ghana’s Communication Service Tax, 9% of corporate tax, and 50% of fines collected under the Act. Under the existing law, the authority relies on parliamentary allocations, donor support, and service fees for funding.

  • Tougher penalties and administrative fines

Failure to register critical infrastructure, report cyber incidents, or comply with CSA directives could now attract hefty fines of up to 50,000 penalty units. The proposed amendment raises penalties to up to 25,000 penalty units, 50,000 penalty units, and 5 - 10 years’ imprisonment. The monetary value of one penalty unit in Ghana is GHC 12, which means the monetary value of 50,000 penalty units is GHC 600,000 (approximately US$55,000).

Generally, for Ghanaian citizens who use the internet for diverse purposes, including social media, e-commerce and banking, the Amendment Bill, once passed, would regulate online behaviour, digital data, social media content (particularly that considered fake or misleading), devices, and workplace systems, with the intent to sanitise Ghana’s cyberspace and make it safer.

This story is written and edited by the Global South World team.
