Senior International Attorney - Centurion Law Group
Defamation, Privacy and Data Protection
Contributor: Yorm Abledu (Senior International Attorney – Centurion Law Group)
According to customary law, defamation is limited to the spoken word, i.e. slander. Customary law does not recognise libel because the courts have held that writing is not known to customary law. Under the common law regime, however, defamation can be categorised as either slander or libel.
Ghanaians may therefore choose to bring an action for defamation either under common law or customary law.
There are a number of factors that may inform the choice, e.g. the damage occasioned by the defamatory words or the defences available. Under customary law, the truth of the defamatory words is no defence; while at common law, the fact that the words are true may serve as a defence to a defendant in a defamation suit. The popular choice with many lawyers is to institute the action under the common law rather than under customary law.
Libel was a criminal offence under Ghanaian law until 2001, when Parliament passed the Criminal Code (Repeal of the Criminal and Seditious Laws – Amendment) Act 2001, to de-criminalise criminal libel. Libel is now only a civil action, for which civil remedies like damages may be sought.
The Ghanaian courts continue to highlight and expound on the common law principles of defamation.
Legal rights and remedies
A plaintiff who successfully proves defamation would be entitled to claim damages for the harm suffered as a result of the defamatory statement. The courts may also award equitable remedies such as an injunction or an order compelling the defendant to rectify the defamatory statement. These equitable reliefs are granted at the discretion of the courts, and so plaintiffs are not entitled to them as of right.
What does the plaintiff have to show to prove the claim?
Where the defamation action is brought under common law, the following defences are available:
Where the defamation action is brought under customary law, the above defences with the exception of truth are available to the defendant.
The right to privacy is protected under the 1992 Constitution of Ghana.
Article 18(2) of the Constitution states that “no person shall be subjected to interference with the privacy of his home, property, correspondence or communication except in accordance with law and as may be necessary in a free and democratic society for public safety or the economic well-being of the country, for the protection of health or morals, for the prevention of disorder or crime, or for the protection of the rights or freedoms of others.”
The Constitution also establishes the right to access information held by public institutions, subject to exemptions that are necessary for the protection of public safety, defense, public order, public morality, or the privacy of an individual.
The Constitution allows for the enforcement of these rights by way of an action in the High Court where the right has been, is being, or is likely to be violated by the act of another person.
Ghana also has a Data Protection Act 2012 (Act 843), which regulates the collection, pro-cessing, storage, use, and disclosure of personal information. The Act requires data controllers to obtain consent from individuals before collecting and processing their personal information and to ensure that the information is accurate, relevant, and not excessive for the purpose for which it is collected.
In addition to these laws, the courts in Ghana have recognised the right to privacy as a fundamental human right and have been known to award damages in cases where individuals’ privacy rights have been violated.
Where the action being brought is to claim damages for slander, there is a limitation period of 2 years from the date on which the cause of action accrued. This limitation period does not apply to libel. The libel law was repealed in 2001 and there is no provision of a limitation period for libel in any legislation.
Also, where the action is for the enforcement of the constitutional right to privacy, the action must be brought within 6 months of the occurrence of the alleged contravention or within 3 months of the applicant becoming aware that the contravention is occurring or is likely to occur.
The High Court has jurisdiction to deal with matters involving the enforcement of human rights as enshrined under Article 33(1) of the 1992 Constitution of Ghana. The High Court also has jurisdiction to deal with matters of defamation, both under common law and under customary law.
For enforcement of human rights, the matter must be commenced with an originating motion on notice, while defamation actions are commenced by writ.
There is no jury for either action, and costs are awarded at the discretion of the judge.
The Data Protection Act 2012 (‘Act 843’) in Ghana regulates the control and processing of data, which applies not only to entities that collect and process data, but also to third parties such as developers who provide platforms that may come into contact with the data of consumers.
According to the long title of Act 843, it was passed to establish the Data Protection Commission, to protect the privacy of individuals and personal data by regulating the processing of personal information, to provide the processes to obtain, hold, use or disclose personal information, and for other related matters.
The enactment of this Act is one of the ways in which Ghana’s Parliament has given effect to the constitutional right to privacy enshrined in Article 18(2) of Ghana’s 1992 Constitution.
It is important to consider the distinction between data privacy and data protection. Data protection deals with the processes involved when it comes to safeguarding important information to ensure that it is not accessed by unauthorised persons. Data privacy, on the other hand, focuses on the rights of the individual concerned, the manner in which the personal data of an individual is collected, processed and stored.
To have good data protection, one must ensure that there is data privacy, even though good data privacy on its own does not completely guarantee a good data protection system.
Ghana’s Data Protection Act can be broken down into 4 main themes:
The first part of the Act establishes the Data Protection Commission with the object of protecting the privacy of individuals and personal data by regulating the processing of personal information, and providing the process to obtain, hold, use, or disclose personal information, per Section 2 of the Data Protection Act. According to Section 4(2) of the Data Protection Act, the Commission has a Board as its governing body, whose members are to be appointed by the President in accordance with Section 70 of the Constitution. The Act further provides for how the Board is to exercise its powers and how other administrative matters for the Commission must be handled.
The second part of the Act makes provision for the privacy of the individual and lays out rules when it comes to the collection and processing of the data. The Act stipulates the following as data protection principles (Section 17 of the Data Protection Act):
The third part that deals with the processes for obtaining, holding, using, or disclosing personal information contains different rules that data processors and data controllers must abide by to avoid breaching the provisions of the Act. For example, under section 21 of the Data Protection Act, a data controller or processor must collect personal data directly from an individual (the data subject), except where certain circumstances arise.
There are special rules for the processing of what is known as special personal data. Special personal data is defined as information relating to any of the following:
The Act further gives the data subject the rights: to prevent the processing of their personal data ; to prevent the processing of their personal data for direct marketing purposes; to re-quire that any decisions significantly affecting the data subject are not based solely on auto-mated means of processing ; and other rights relating to exempt manual data. The data subject is also entitled to compensation where they suffer damage or distress from a breach of the data protection laws by a data controller that affects the data subject.
The fourth part creates a Data Protection Register, which is to contain the names of registered data controllers. All data controllers are mandated to register with the Data Protection Commission and have their names entered into this register.
The Act further provides for circumstances under which the processing of personal data is exempt from the provisions of the Act. Some of these circumstances include national security, matters of crime and assessment of tax and regulatory activity, among others.
The Act confers enforcement powers on the Commission. The Commission is authorised to issue enforcement notices to defaulting data controllers, request that an assessment of the data processing methods of an organisation be carried out, and to impose a fine or a term of imprisonment where the data controller or processor fails to comply with an enforcement no-tice or an information notice.
Act 843 protects the privacy of individuals and applies to personal data. Personal data is broadly defined to mean “data about an individual who can be identified:
Act 834 applies to data controllers in relation to data where:
The exception to obtaining consent includes where processing of the personal data is necessary for a contract to which the data subject is a party, authorised by the required law, necessary for the proper performance of a statutory duty, necessary to pursue the legitimate interest of the data controller or a third party to whom the data is supplied.
The data controller is also required to take reasonable measures to identify and forestall any reasonably foreseeable risks and ensure that any safeguards put in place are effectively implemented and updated continually.
Further, the data controller must observe generally acceptable information, security practices, and procedures.
A data processor is required to ensure that their processing of the personal data of a data subject is done without infringing on the privacy rights of the subject and in a lawful and reasonable manner.
Also, where the data controller or processor deals with personal data of foreign data subjects, they must ensure that the personal data is processed in compliance with the data protection legislation of the foreign jurisdiction from which the subject originates.
A data processor is also required to procure the prior consent of the data subject before processing their personal data, unless the purpose for which the data is being processed is:
In addition to this, personal data must be collected directly from the subject, except in certain circumstances. Personal data must be collected for a specific purpose and the data subject is to be made aware of the purpose for which their data is being collected.
Where the data controller intends to retain the personal data for reasons that are not historical, statistical, or for research, the Act provides that they may only retain the personal data for a period that is necessary to achieve the purpose for which it was collected, unless they can show that the retention is:
The Act further mandates that data controllers who process personal data to ensure that the data is complete, accurate, up-to-date and not misleading, considering the purpose for which the data is being collected or processed.
To further comply with the provisions of the Act, all data controllers who intend to process personal data must register with the Data Protection Commission.  Data controllers must also take the necessary steps to ensure the security of all personal data in their possession. And where there is a data breach or the security of personal data in their possession has been compromised, the data controller must notify both the data subject and the Data Protection Commission of this fact and take steps to ensure that the integrity of their system is restored.
Contributor: Yorm Abledu
Centurion Law Group (Ghana)
74 Church Crescent
(Behind Cal Bank)
The material in this Guide is for general information only and does not constitute legal advice. The content of this page is accurate as of January 2024.
SEE MORE INTERNATIONAL MEDIA LAW GUIDES