Octopus Cybercrime Community

Ghana adopted the Electronic Transactions Act (“ETA”) in 2008. ETA is a comprehensive legislation that provides for many cybercrime offences and procedural powers with respect to handling of electronic evidence.

Other legislation such as the Economic and Organised Crime Act, 2010 (“EOCA”) and Security and Intelligence Agencies Act, 1996 (“SIAA”) also provide procedural powers with respect to investigation of cybercrime.

Ghana also adopted the Data Protection Act in 2012 to protect the privacy and personal data of individuals. It regulates the process of how personal information is acquired, kept, used or disclosed by data controllers and data processors by requiring compliance with certain data protection principles. Non-compliance with provisions of the Act may attract either civil liability, or criminal sanctions, or both, depending on the nature of the infraction. The Act also establishes a Data Protection Commission, which is mandated to ensure compliance with its provisions, as well as maintain the Data Protection Register.

Another policy is the National Cyber Security Policy, that was adopted in 2015 and revised in 2019 and has nine policy pillars and includes effective governance, legal framework, technology framework, response readiness and international cooperation.

By the instrumentality of the National Cyber Security Policy five special initiatives have been included in the first five year strategic plan. These initiatives includes establishment of institutional frameworks, creating awareness, ensuring coordination of cyber security initiatives and enforcement of cyber standards in Ghana. When fully implemented, Ghana will have a solid cyber security base framework to address its cyber needs.

The definition of cybercrime across the board is focused primarily on financial fraud and SIM Box offences and not on other serious cybercrimes such as illegal access, illegal interception, data interference and system interference.

ETA provides for many of the definitions required by the Budapest Convention. The definition of computer system, for instance, which is based upon the Commonwealth Model Law, is largely consistent with Budapest Convention. However, certain integral definitions are either technically problematic or missing from ETA. For instance, there is a general lack of distinction in the law between the different forms of data, namely content data, traffic data and subscriber information.

ETA provides for an offence for unauthorised access to “protected computer” or to without authority or permission access (or intercept) any “electronic record”. However, it does provide for an offence that extends to unauthorised access to computer systems in general.

The definition of “access” under ETA conflicts with the definition of “unauthorised access” and is redundant.

ETA criminalizes access or interception of any electronic record without authority or permission.

There is no specific section that criminalizes system interference, i.e. the serious hindering of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or supressing computer data. Although certain provisions may be inferred to extend to this offence of system interference, they do not cover all these elements and are hence limited in their scope.

Ghana’s legislation is missing specific dedicated provisions relating to computer-related fraud and computer-related forgery. Rather, the ETA extends Ghana’s already-existing legislation relating to traditional forgery (Criminal Offences Act, 1960) to acts of forgery committed by use of an electronic medium or in electronic form. The Criminal Offences Act 1960 does not cover inauthentic data being relied upon, and only does with corporal matters and physical property.

ETA has a comprehensive provision criminalizing the act of publishing, producing, procuring or possessing child pornography through or in a computer system.

With regard to offences related to infringements of copyright and related rights, the Ghana Copyright Act, 2005 extends to programs and software (i.e. source code) but does not offer protection to computer data generally, and therefore appears to exclude digital images and literature from protection as copyrighted work.

The Data Protection Act (2012) provides 8 principles that data processors have to take into account in processing data, in order to protect the privacy of individuals, and are similar to the OECD Guidelines and Data Protection Directive of the European Union.

ETA generally provides for sufficient procedural safeguards with respect to the procedural powers provided therein, and to that extent is compliant with Article 15 of the Budapest Convention.

With respect to preservation and partial disclosure of traffic data, ETA does not have any corresponding provisions to the Budapest Convention. Due to the absence of any distinction between traffic data and content data, although traffic data may be preserved under the ETA, Ghanaian law enforcement agencies may not request for partial disclosure of traffic data without obtaining a warrant.

ETA enables law enforcement officers to execute production orders and to that extent it is consistent with the Budapest Convention. However, it is framed in terms of ordering production of a computer rather than computer data.

EOCA also provides law enforcement officers with the power to apply to court for production orders. However, any application for a production order must state that a person specified in the application is subject to investigation pending confiscation of that person’s property or for committing a serious offence. “Prohibited cyber activity” does not fall under the definition of “serious offence” and thus this power may not be used with respect to ordinary cybercrimes that do not otherwise fall under the definition of “serious offence” under EOCA.

ETA provides a comprehensive framework for seizure of stored computer data which provides for sufficient powers and judicial safeguards. EOCA also provides powers to law enforcement officials to conduct search and seizure but again, this power is restricted to serious offences.

With respect to electronic evidence, there are no guidelines in place, statutory or otherwise, that provide how electronic evidence is to be treated for the purposes of court. Moreover, there are no rules relating to admissibility and inadmissibility of electronic evidence in court.

Chapter 5 of the 1992 Constitution of Ghana upholds Fundamental Human Rights and Freedoms.

Electronic Transactions Act (“ETA”), 2008

Data Protection Act (“DPA”), 2012

Economic and Organised Crime Act, 2010 (“EOCA”)

Security and Intelligence Agencies Act, 1996 (“SIAA”)

Anti-Money Laundering Act, 2008 (“AMLA”)

Mutual Legal Assistance Act, 2010 (“MLAA”)

National Cyber Security Policy

Police prosecutors can prosecute cybercrime cases in Ghana. However, as a matter of practice, SIM box fraud cases are usually sent to the Attorney General’s Department (AGD) for prosecution before High Court.

Generally international police-to-police cooperation on cybercrime and digital evidence falls under the realm of the Cybercrime Unit of the Police CID.

All police cooperation is handled through the INTERPOL National Central Bureau which is physically and organisationally situated with the Ghana Police Service Criminal Investigations Division.

Police-to-police requests come through the 24/7 secure network.