Ethical and legal digitalisation: Protecting our personal data and unsolicited messages

By  Kofi Anokye OWUSU-DARKO(Dr)

In Adam Smith’s traditional economy, the primary factors of production are land, labour, capital, and entrepreneurship. In today’s digital economy, these factors have evolved into information, skill, capital, and entrepreneurship, with personal data (digital asset) becoming a crucial asset for wealth creation. It is therefore imperative to protect personal data rigorously.

Digitalization has become a new way of life, bringing transformative business models alongside significant ethical and legal considerations. The use of Information and Communication Technologies (ICT) is limited only by the innovation and skill associated with digital transformation. However, the mere capability to implement certain technologies does not imply ignoring ethical or legal justification for their use, similar to limitations in medical science innovation and capabilities.

The true value of digital devices like the Ghana Card lies not in the card itself but in the information it holds, which should be used to enhance our lives through innovation, efficiency, and productivity in the digital world. Personal data should be protected by law and used only for executing the contract between the service provider, as data controller, and the consumer, as the data subject with any exceptions prescribed by law.

On my daughter’s birthday, who is of voting age, she received an unsolicited message, not from her service provider—which would have been a fair use of subscriber information—but from a third party. The message read:

“Happy Birthday (name). Another year is a rare gift of life from God. I wish you the fondest and lasting memories as you enjoy this day with your family, friends, and loved ones. You are special. It is Possible. — Dr. Bawumia.”

The above message, though on the face of it, coming from the Vice-President of the Republic of Ghana, ordinarily looks “cool” and touching has ethical and legal consideration with respect to data protection, particularly the aspect of “It is possible”, which is a campaign slogan. This politically motivated direct marketing message raises concerns about how her personal information was obtained by a third party without her consent. The origin of this data—whether from the telecommunication service provider’s system, the National Identification System, or the Voters’ Register—remains unclear. Effective political targeting requires knowledge of voter registration, suggesting a potential breach of the data from the voters’ register.

As an advocate for digital rights and consumer protection in the digital world, I find it troubling when personal data is abused or not adequately protected, exposing consumers to unsolicited messages from marketing companies or political entities. Such practices are not only digitally unethical but also illegal without the data subject’s explicit consent.

Have you ever received an unsolicited message that made you wonder how your personal information was accessed? How did it make you feel, and what actions did you take?

This article will explore the legal framework regulating the unauthorized use of personal data and unsolicited messages in Ghana and emphasize the need for responsible entities to uphold their duty to protect Ghanaian citizens in the digitalisation agenda.

Unsolicited Electronic Communication

To begin with, unsolicited electronic communication (UEC) refers to an electronic message sent to individuals without their prior consent. Such communications are not only a nuisance and annoying but also an intrusion of the recipient’s privacy and the right to be left alone.

First, let’s examine the key laws addressing unsolicited electronic communication (UEC) in Ghana.

• Section 50 (1) of the Electronic Transactions Act, 2008, Act 772

The above section of Act 772, makes it an offence liable on summary conviction to a fine of not more than five thousand penalty units or a term of imprisonment of not more than ten years or to both, if a person sends unsolicited electronic communications to a consumer without obtaining the prior consent of the consumer . This shows how serious the laws of Ghana take UECs.

It also requires that consumers are given the option to cancel any subscription to a mailing list and, upon request, identify the source from which the consumer’s personal information was obtained.

The custodian of Act 772 is the Minister responsible for Communication and Digitalisation, who is mandated to implement the provisions of the Act.

• Regulations 32 (1)(e) of the Electronic Communications Regulations, 2011 (L.I. 1991)

The above requires a person who wishes to send or cause another to send an unsolicited communication to a subscriber for direct marketing purposes by means of text messaging to first obtain the consent of the subscriber.

 

It also requires that should an unsolicited communication be sent, even with prior consent of the subscriber, the name, address or telephone number of the person sending must be included in the message. Where this is by electronic mail the sender must ensure that the identity is not concealed and must provide a valid address to which the subscriber can end a request.

The National Communications Authority (NCA) is the custodian of L.I.1991 and the Authority mandated to implement the Regulations.

• Unsolicited Electronic Communication Code of Conduct

The NCA in 2016 developed a very comprehensive code of conduct for UEC. The purpose is to regulate not only the transmission of UCE but limit the inconvenience of receiving UCE as well as eliminate the practice of sending UECs.

It admonishes service providers from using existing lists of phone numbers for purposes of sending messages to subscribers unless they have the explicit consent of the subscribers to join. It also requires that the process of obtaining consent by service providers is clear and transparent and that such consent, “opt-in”, from recipients in joining the messaging subscriber list must be in writing, documented and saved.

The above laws are in line with international best practice and once enforced will be able to protect the Ghanaian citizen from unsolicited electronic communication. We have yet to see the law being made to bite.

Do you know your rights regarding unsolicited electronic communications? Have you ever exercised these rights by unsubscribing from a mailing list or requesting the source of your information?

UNAUTHORISED USE OF DATA AND DATA PROTECTION

Moving on to the broader context of data protection, the right to privacy is fundamental. In the era of digitalization, this right is more pertinent than ever and extends to the protection of personal data. There are laws that are supposed to protect our personal data as an extension of our right to privacy.

• International Covenant on Civil and Political Rights (ICCPR) 1966

Article 17 of the ICCPR states:

“No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home, or correspondence, nor to unlawful attacks on his honour and reputation.”  (emphasis mine)

“Everyone has the right to the protection of the law against such interference or attacks.”

This provision underscores the importance of protecting individual privacy against unlawful intrusions. The use of personal data without consent of the data subject, subject to legal exception, for purposes not related to the reason for which the data was collected is an invasion of privacy.

Constitution of Ghana

• Article 18(2) of the Ghanaian Constitution asserts:

“No person shall be subjected to interference with the privacy of his home, property, correspondence, or communication except in accordance with law…” (emphasis mine)

In the digital world, data subjects own their data and information as personal property, and its protection is an extension of the fundamental right to privacy. The use of personal data without consent of the owner of the data is an interference with the privacy of their property.

Data Protection Act 2012 (Act 843)

The recognition of the right to privacy concerning the processing of personal data led to the enactment of Act 843, further guaranteeing the right to privacy enshrined in Article 18(2) of the 1992 Constitution.

• Section 22: Telecommunication Service Providers and other data controllers such as the Electoral Commission, National Identification Authourity, are allowed to collect personal data for specific, explicit, and lawful purposes related to their functions.

This means that no data controller should collect data for purposes of their mandate and allow it to be used for other unrelated purposes. They are obliged to secure any data collected from unauthorized access.

• Section 20: Personal data should not be processed without the data subject’s prior consent, unless it is in the legitimate interest of the data subject, authorized or required by law, necessary for a contract involving the data subject, consumer or for the performance of a statutory duty.

This means that no data controller should process data collected for purposes not within their mandate or allow it to be processed for other unrelated non statutory purposes unless they have prior consent of the data subject, the citizens.

• Section 40: Prevents Telecommunication Service Providers and other data controllers such as the Electoral Commission, National Identification Authority from using or making available consumer information for direct marketing without the prior consent of the consumers.

This means that no data controller should themselves uses data collected, sell or make available personal data collected for purposes of direct marketing unless they have the prior consent of the data subjects, the citizens.

Section 23: Mandates that data controllers must ensure that data subjects are aware of the purpose for collecting their data. In this regard, the best practice is for the data controller to provide “opt-in” clauses for the consumer should there be the need for the data to be used by third parties.

This means that data controllers should tell the persons on whom data is being collected the purpose and use of the data for them to know what they are signing up for. Any other use would therefore require an express consent or be deemed illegal use. The use must be within the mandate of the data controller with the data subject being given the option to “opt-in” to other non-related uses, that is you are “out” unless you want to be part.

The practice of “opt-out” to other non-related uses of personal data collected, that is you are automatically “part” unless you want to be out is therefore not encouraged.

The Data Protection Commission (DPC) is the authority mandated to regulate the processing of personal information, ensuring the proper collection, use, and disclosure of personal data.

Cybersecurity Act 2020 (Act 1038)

Under Section 94 of Act 1038, retrieving subscriber information without lawful authority is an offense. Those found guilty are liable on summary conviction to fines ranging from two thousand five hundred to fifteen thousand penalty units or imprisonment for two to five years, or both. The Cybersecurity Authority is tasked with protecting subscribers of telecommunication services and that of other service providers under this Act.

This means that anyone who unlawfully accesses information of consumers who have subscribed to services from any service providers commits an offense.

The relevant sections of the above laws, ICCPR, the Constitution, Act 843 and Act 1038 once enforced will be able to protect the Ghanaian citizen from unathourised use and abuse of personal data.

Are you aware of the legal protections available to you regarding your personal data? What steps did you take once you believed your data has been misused?

CONCERNS  

The digital age has ushered in unprecedented opportunities and conveniences, but it has also brought significant concerns regarding the protection of personal data and the regulation of UEC. The example of my daughter receiving a politically motivated birthday message from a third party, the sitting Vice-President and flagbearer of a political party, starkly illustrates the need for the protection of personal data and the regulation of UEC. This brings to the fore the following related concerns:

1. Unauthorized Access to Personal Data:

• Data Breaches: The unsolicited message implies that personal data was accessed or made available and used without consent of my daughter. This raises concerns about how third parties, including political entities, acquire such data. Potential sources of data breaches include telecommunication service providers, the National Identification System, or the Voters’ Register.
• Lack of Transparency: It is often unclear how personal data is collected, stored, and used, leading to mistrust among consumers with data controllers.

2. Inadequate Enforcement of Legal Frameworks:

• Existing Laws: Ghana has adequate laws such as the Electronic Transactions Act 2008 (Act 772), the Electronic Communications Regulations 2011 (L.I. 1991), and the Data Protection Act 2012 (Act 843) that are designed to protect personal data and regulate unsolicited communications.
• Enforcement Gaps: Despite these laws, enforcement remains weak. Regulatory bodies often fail to hold violators accountable, especially when breaches involve powerful political interests. In my daughter’s case who is going to investigate the breach of her right to property, personal information and privacy with respect to the right to be left alone through the unsolicited birthday message.

Ghana is yet to see case laws initiated by the regulatory bodies with respect to violations of the above laws especially by the executive arm of government to determine the extent of their independence.

3. Fragmented Regulatory Oversight:

Ghana currently faces challenges with a fragmented regulatory regime governing its digital ecosystem. This fragmentation involves three primary regulators, each with its own mandate to address specific aspects of digital regulation:

1. • Data Protection Commission (DPC): Focuses on protecting the rights and privacy of individuals as data subjects and protection of personal data.
   • National Communications Authority (NCA): Regulates the provision of communication services, including the enforcement of codes of conduct related to unsolicited electronic communications.
   • Cybersecurity Authority (CSA): Ensures the security and resilience of Ghana’s digital infrastructure.

The mandates of these regulatory bodies could lead to duplicated efforts, role conflict and blurred lines of responsibility with respect to data breaches, which can hinder effective enforcement and resource allocation.

For example, an issue like the unsolicited birthday message received by my daughter could fall under the jurisdiction of the DPC for privacy protection, the NCA for a breach of the code of ethics, and the CSA if there are concerns about data security leading to a breach. This raises the question: who is ultimately responsible?

Additionally, all the regulators report to a political figure, the Minister for Communication and Digitalization. Dealing with private sector breaches of the laws might not be an issue, but this reporting line practically makes them ineffective in dealing with data breaches or unsolicited electronic messages when coming from the executive arm of government itself and not under the allowable legal exceptions of being in the interest of public, public safety, public morality, public order and national security as with the example of the message to my daughter. A case of reporting a boss to the subordinate. What can be done?

4. Consumer Vulnerability:

• Informed Consent: Many consumers are unaware of their rights regarding breach of their personal data and UEC. This lack of awareness makes them vulnerable to data exploitation and unsolicited communications.
• Redress Mechanisms: The processes for consumers to report and seek redress for data breaches and unsolicited communications are not clear.

Recommendation

To address these challenges, the following steps are recommended:

1. 1. Establish a Constitutional Body (Digital Authority/Commission): Create a unified regulatory body similar to the National Commission for Civic Education (NCCE), the Commission on Human Rights and Administrative Justice (CHRAJ), or the Electoral Commission (EC). This Digital Authority or Commission would oversee Ghana’s digital transformation, including all digital regulatory functions, data protection, digital communication, and the safety of digital infrastructure, ensuring a streamlined and cohesive governance without turf wars.

This governance model will provide operational autonomy and independence from political interference, enabling impartial enforcement of laws, regardless of whether violations originate from private or government entities. By consolidating existing bodies under one umbrella, coordination will improve, leading to more effective and efficient sharing of information and resources, particularly specialized human capital.

For these reforms to succeed, it is essential for the relevant authorities to demonstrate a strong commitment to building trust and ensuring the ethical and legal use of digital technologies.

1. 1. Strengthen Legal and Policy Frameworks: Review and update existing laws to close any gaps that may exist in the protection of personal data and the regulation of unsolicited communications. This review should include clearer definitions of responsibilities and stricter penalties for violations.
   2. Increase Public Awareness and Engagement: Launch public awareness campaigns to educate citizens about their digital rights and the mechanisms available to report and address breaches. An informed public is crucial for the successful implementation and enforcement of data protection laws and for data subjects to know what steps to take should there be a breach leading to unsolicited electronic messages.

By taking these steps, Ghana can create a more robust and efficient regulatory environment that better protects its citizens’ personal data and uphold their digital rights.

 CONCLUSION

Digitalisation, while transformative, carries significant ethical and legal responsibilities. Just because something is possible with ICT does not mean it should be done without considering these limits. The example of my daughter receiving a political message underscores the issue of unauthorized access or use to personal information. In this campaign season, no political party should be given access to our personal data to send unsolicited campaign messages. Citizens have the right to be left alone.

Privacy is a fundamental human right protected by various international and national laws. In the digital age, this right extends to the protection of personal data. Although Ghana has comprehensive laws designed to protect personal data and regulate unsolicited communications, enforcement by the mandated institutions remains a significant challenge when the abuse is not form the private sector.

The Data Protection Commission, the National Communications Authority, and the Cybersecurity Authority, all under the Minister responsible for Communication and Digitalization, share the collective obligation to protect consumers from the abuse of their digital persona. However, these regulatory bodies either condone the abuse or lack the political will to address it, especially when the violations come from public sector entities or the government itself. For operational autonomy and an effective regulatory landscape, it would be desirable to put them under one constitutional body as a Digital Authority or Commission.

 The author  holds an EMBA (IT Management) an LLB and LLM (IT & Telecommunication) (visit : Kofianokye.blogspot.com; contact: [email protected])