INTERNATIONAL MEDIA LAW GUIDE

Ghana Media Law Guide

Defamation, Privacy and Data Protection

Authors

Yorm Abledu

Senior International Attorney - Centurion Law Group

Defamation, privacy, and data protection in Ghana

Contributor: Yorm Abledu (Senior International Attorney – Centurion Law Group)

Defamation in Ghana is governed by two legal regimes: customary law and common law tort principles. Customary laws are defined in the Constitution of Ghana as “the rules of law, which by custom are applicable to particular communities in Ghana”.[1]

According to customary law, defamation is limited to the spoken word, i.e. slander. Customary law does not recognise libel because the courts have held that writing is not known to customary law. Under the common law regime, however, defamation can be categorised as either slander or libel.

Ghanaians may therefore choose to bring an action for defamation either under common law or customary law.
There are a number of factors that may inform the choice, e.g. the damage occasioned by the defamatory words or the defences available. Under customary law, the truth of the defamatory words is no defence; while at common law, the fact that the words are true may serve as a defence to a defendant in a defamation suit. The popular choice with many lawyers is to institute the action under the common law rather than under customary law.

Libel was a criminal offence under Ghanaian law until 2001, when Parliament passed the Criminal Code (Repeal of the Criminal and Seditious Laws – Amendment) Act 2001, to de-criminalise criminal libel. Libel is now only a civil action, for which civil remedies like damages may be sought.

The Ghanaian courts continue to highlight and expound on the common law principles of defamation.

Legal rights and remedies

A plaintiff who successfully proves defamation would be entitled to claim damages for the harm suffered as a result of the defamatory statement. The courts may also award equitable remedies such as an injunction or an order compelling the defendant to rectify the defamatory statement. These equitable reliefs are granted at the discretion of the courts, and so plaintiffs are not entitled to them as of right.

What does the plaintiff have to show to prove the claim?

  • The plaintiff must first prove that the statement is defamatory, i.e. that the statement lowers the plaintiff in the eyes of right-thinking members of society
  • The plaintiff must also prove that the defamatory statement refers to or can be directly linked to the plaintiff
  • The plaintiff must prove that the defamatory statement has been published, i.e. made known to a person or persons other than the plaintiff himself
  • Where the plaintiff is claiming slander, the plaintiff would be required to prove that they have suffered some damage as a result of the slander

Defences

Where the defamation action is brought under common law, the following defences are available:

  1. Truth: if the defendant can prove that the statement in question is true, then they cannot be held liable for defamation.
  2. Fair comment: if the statement is a comment or opinion on a matter of public interest, and it is made fairly and honestly, then the defendant may be able to rely on the defence of fair comment.
  3. Privilege: if the statement was made in the course of official duties, such as in a court proceeding or in a parliamentary debate, then the defendant may be able to rely on the defence of privilege.
  4. Consent: if the plaintiff consented to the publication of the statement, then the defendant may be able to rely on the defence of consent.

Where the defamation action is brought under customary law, the above defences, with the exception of truth, are available to the defendant.

Invasion of privacy

The right to privacy is protected under the 1992 Constitution of Ghana.

Article 18(2) of the Constitution states that “no person shall be subjected to interference with the privacy of his home, property, correspondence or communication except in accordance with law and as may be necessary in a free and democratic society for public safety or the economic well-being of the country, for the protection of health or morals, for the prevention of disorder or crime, or for the protection of the rights or freedoms of others.”

The Constitution also establishes the right to access information held by public institutions, subject to exemptions that are necessary for the protection of public safety, defence, public order, public morality, or the privacy of an individual.

The Constitution allows for the enforcement of these rights by way of an action in the High Court where the right has been, is being, or is likely to be violated by the act of another person.

Ghana also has a Data Protection Act 2012 (Act 843), which regulates the collection, processing, storage, use, and disclosure of personal information. The Act requires data controllers to obtain consent from individuals before collecting and processing their personal information and to ensure that the information is accurate, relevant, and not excessive for the purpose for which it is collected.

In addition to these laws, the courts in Ghana have recognised the right to privacy as a fundamental human right and have been known to award damages in cases where individuals’ privacy rights have been violated.

Limitation Period

Where the action being brought is to claim damages for slander, there is a limitation period of 2 years from the date on which the cause of action accrued. This limitation period does not apply to libel. The libel law was repealed in 2001 and there is no provision of a limitation period for libel in any legislation.

Also, where the action is for the enforcement of the constitutional right to privacy, the action must be brought within 6 months of the occurrence of the alleged contravention or within 3 months of the applicant becoming aware that the contravention is occurring or is likely to occur.

Legal Process

The High Court has jurisdiction to deal with matters involving the enforcement of human rights as enshrined under Article 33(1) of the 1992 Constitution of Ghana. The High Court also has jurisdiction to deal with matters of defamation, both under common law and under customary law.

For enforcement of human rights, the matter must be commenced with an originating motion on notice, while defamation actions are commenced by writ.

There is no jury for either action, and costs are awarded at the discretion of the judge.

Data Protection

The Data Protection Act 2012 (‘Act 843’) in Ghana regulates the control and processing of data, which applies not only to entities that collect and process data, but also to third parties such as developers who provide platforms that may come into contact with the data of consumers.

According to the long title of Act 843, it was passed to establish the Data Protection Commission, to protect the privacy of individuals and personal data by regulating the processing of personal information, to provide the processes to obtain, hold, use or disclose personal information, and for other related matters.

The enactment of this Act is one of the ways in which Ghana’s Parliament has given effect to the constitutional right to privacy enshrined in Article 18(2) of Ghana’s 1992 Constitution.

It is important to consider the distinction between data privacy and data protection. Data protection deals with the processes involved in safeguarding important information to ensure that it is not accessed by unauthorised persons. Data privacy, on the other hand, focuses on the rights of the individual concerned and the manner in which the personal data of an individual is collected, processed and stored.

To have good data protection, one must ensure that there is data privacy, even though good data privacy on its own does not completely guarantee a good data protection system.

Key Highlights of the Regulation

Ghana’s Data Protection Act can be broken down into 4 main themes:

  1. Establishing the Data Protection Commission.
  2. Protecting the privacy of individuals and their personal data by regulating the processing of personal data.
  3. Providing processes and regulations for obtaining, holding, using, or disclosing personal information.
  4. Providing for other related matters such as administrative processes, exemptions from the rules, and enforcement methods.

The first part of the Act establishes the Data Protection Commission with the object of protecting the privacy of individuals and personal data by regulating the processing of personal information, and providing the process to obtain, hold, use, or disclose personal information, per Section 2 of the Data Protection Act. According to Section 4(2) of the Data Protection Act, the Commission has a Board as its governing body, whose members are to be appointed by the President in accordance with Article 70 of the Constitution. The Act further provides for how the Board is to exercise its powers and how other administrative matters for the Commission must be handled.

The second part of the Act makes provision for the privacy of the individual and lays out rules when it comes to the collection and processing of the data. The Act stipulates the following as data protection principles (Section 17 of the Data Protection Act):

  • accountability in the processing of personal data
  • the lawfulness of the processing
  • specification of the purpose of processing
  • the compatibility of further processing with the purpose of collection
  • ensuring the quality of information in processing
  • openness in processing
  • data security safeguards in processing
  • the participation of the data subject

The third part, which deals with the processes for obtaining, holding, using, or disclosing personal information, contains different rules that data processors and data controllers must abide by to avoid breaching the provisions of the Act. For example, under Section 21 of the Data Protection Act, a data controller or processor must collect personal data directly from an individual (the data subject), except where certain circumstances arise.

There are special rules for the processing of what is known as special personal data. Special personal data is defined[2] as information relating to any of the following:

  • the race, colour, ethnicity or tribal origin of the data subject
  • the political opinion of the data subject
  • the religious beliefs, or other beliefs of a similar nature, of the data subject
  • the physical, medical, mental health or mental condition, or DNA of the data subject
  • the sexual orientation of the data subject
  • the commission or alleged commission of an offence by the individual
  • proceedings for an offence committed or alleged to have been committed by the individual, the disposal of such proceedings, or the sentence of any court in the proceedings

The Act further gives the data subject the right: to prevent the processing of their personal data[3]; to prevent the processing of their personal data for direct marketing purposes[4]; to require that any decisions significantly affecting the data subject are not based solely on automated means of processing[5]; and other rights relating to exempt manual data.[6] The data subject is also entitled to compensation where they suffer damage or distress from a breach of the data protection laws by a data controller that affects the data subject.[7]

The fourth part creates a Data Protection Register, which is to contain the names of registered data controllers. All data controllers are mandated to register with the Data Protection Commission and have their names entered into this register.[8]

The Act further provides for circumstances under which the processing of personal data is exempt from the provisions of the Act. Some of these circumstances include national security[9], matters of crime and assessment of tax[10] and regulatory activity[11], among others.

The Act confers enforcement powers on the Commission. The Commission is authorised to issue enforcement notices to defaulting data controllers,[12] request that an assessment of the data processing methods of an organisation be carried out,[13] and to impose a fine or a term of imprisonment where the data controller or processor fails to comply with an enforcement notice or an information notice.[14]

Scope

Act 843 protects the privacy of individuals and applies to personal data. Personal data is broadly defined to mean “data about an individual who can be identified:

  • from the data
  • from the data or other information in the possession of or likely to come into the possession of the data controller”

Act 843 applies to data controllers in relation to data where:

  • The data controller is established in Ghana, and the data is processed in Ghana
  • The data controller is not established in Ghana but uses equipment or a data processor carrying on business in Ghana to process the data
  • The processing is in respect of information that originates partly or wholly from Ghana

Key Points

  1. Consent – The basic rule under section 20 of Act 843 is that the data controller cannot process the personal data of the data subject without the prior consent of the data subject. There is no prescribed form of consent.

Exceptions to the consent requirement include where processing of the personal data is necessary for a contract to which the data subject is a party, authorised or required by law, necessary for the proper performance of a statutory duty, or necessary to pursue the legitimate interest of the data controller or a third party to whom the data is supplied.

  2. Security – Under Section 28 of Act 843, the data controller must take appropriate, reasonable, technical, and organisational measures to prevent loss, damage or unauthorised destruction, unlawful access to or unauthorised processing of personal data.

The data controller is also required to take reasonable measures to identify and forestall any reasonably foreseeable risks and ensure that any safeguards put in place are effectively implemented and updated continually.

Further, the data controller must observe generally acceptable information security practices and procedures.

Compliance requirements

A data processor is required to ensure that their processing of the personal data of a data subject is done without infringing on the privacy rights of the subject and in a lawful and reasonable manner.

Also, where the data controller or processor deals with personal data of foreign data subjects, they must ensure that the personal data is processed in compliance with the data protection legislation of the foreign jurisdiction from which the subject originates.[15]

A data processor is also required[16] to procure the prior consent of the data subject before processing their personal data, unless the purpose for which the data is being processed is:

  • necessary for the purpose of a contract to which the data subject is a party
  • authorised or required by law
  • to protect a legitimate interest of the data subject
  • necessary for the proper performance of a statutory duty
  • necessary to pursue the legitimate interest of the data controller or a third party to whom the data is supplied

In addition to this, personal data must be collected directly from the subject, except in certain circumstances.[17] Personal data must be collected for a specific purpose[18] and the data subject is to be made aware of the purpose for which their data is being collected.[19]

Where the data controller intends to retain the personal data for reasons that are not historical, statistical, or for research, the Act[20] provides that they may only retain the personal data for a period that is necessary to achieve the purpose for which it was collected, unless they can show that the retention is:

  • required or authorised by law
  • reasonably necessary for a lawful purpose related to a function or activity
  • required by virtue of a contract between the parties to the contract
  • consented to by the data subject

The Act further mandates data controllers who process personal data to ensure that the data is complete, accurate, up-to-date and not misleading, considering the purpose for which the data is being collected or processed.[21]

To further comply with the provisions of the Act, all data controllers who intend to process personal data must register with the Data Protection Commission.[22] Data controllers must also take the necessary steps to ensure the security of all personal data in their possession.[23] And where there is a data breach or the security of personal data in their possession has been compromised, the data controller must notify both the data subject and the Data Protection Commission of this fact and take steps to ensure that the integrity of their system is restored.

Contributor: Yorm Abledu
Centurion Law Group (Ghana)
74 Church Crescent
(Behind Cal Bank)
Labone, Accra
Ghana

The material in this Guide is for general information only and does not constitute legal advice. The content of this page is accurate as of January 2024.

[1] Article 11(3) of the 1992 Constitution of Ghana.
[2] Section 96 of the Data Protection Act, 2012 (Act 843).
[3] Section 39 of the Data Protection Act, 2012 (Act 843).
[4] Section 40 of the Data Protection Act, 2012 (Act 843).
[5] Section 41 of the Data Protection Act, 2012 (Act 843).
[6] Section 42 of the Data Protection Act, 2012 (Act 843).
[7] Section 43 of the Data Protection Act, 2012 (Act 843).
[8] Section 46 of the Data Protection Act, 2012 (Act 843).
[9] Section 60 of the Data Protection Act, 2012 (Act 843).
[10] Section 61 of the Data Protection Act, 2012 (Act 843).
[11] Section 63 of the Data Protection Act, 2012 (Act 843).
[12] Section 75 of the Data Protection Act, 2012 (Act 843).
[13] Section 77 of the Data Protection Act, 2012 (Act 843).
[14] Section 80 of the Data Protection Act, 2012 (Act 843).
[15] Section 18 of the Data Protection Act, 2012 (Act 843).
[16] Section 20 of the Data Protection Act, 2012 (Act 843).
[17] Section 21 of the Data Protection Act, 2012 (Act 843).
[18] Section 22 of the Data Protection Act, 2012 (Act 843).
[19] Section 23 of the Data Protection Act, 2012 (Act 843).
[20] Section 24 of the Data Protection Act, 2012 (Act 843).
[21] Section 26 of the Data Protection Act, 2012 (Act 843).
[22] Section 27 of the Data Protection Act, 2012 (Act 843).
[23] Section 28 of the Data Protection Act, 2012 (Act 843).