Africa
On 14 November 2025, the Cyber Security Authority (CSA) closes the public consultation on the Draft Cybersecurity (Amendment) Bill. The Bill amends the Cybersecurity Act, 2020, to expand the role and functions of the CSA. It defines the CSA’s objectives as regulating cybersecurity activities, preventing and responding to threats, overseeing critical information infrastructure and cybersecurity professionals, combating cybercrime, facilitating the confiscation of cybercrime proceeds, fostering collaboration across sectors, raising public awareness, and engaging internationally. New functions include investigating and prosecuting cybercrime, setting and certifying security standards for emerging technologies, including Artificial Intelligence, cloud services, blockchain, and quantum computing, accrediting cybersecurity institutions and professionals, promoting online protection for vulnerable groups, and safeguarding digital rights. The Bill expands the composition and governance of the Joint Cybersecurity Committee, introducing rules for membership, vacancies, and coordination with sectors to identify risks, develop policies, share information, combat cybercrime, and evaluate cybersecurity measures.
On 31 October 2025, the Ministry of Communication, Digital Technology, and Innovations closes its consultation on the Ghana Domain Name Registry Act. The Act would require all legally registered or operating entities in Ghana to register and maintain an active .gh domain name for official public-facing websites and digital platforms, and to use it for official digital correspondence and transactions. Entities not currently using .gh domains would be required to transition within six months of the Act's entry into force. Entities could be eligible for exemptions if they have digital presences hosted exclusively outside the Republic, not targeting Ghanaian users, or operate as multinational organisations subject to foreign digital jurisdiction. Non-compliance would carry administrative penalties, potential suspension or revocation of business and regulatory licences, and disqualification from public procurement processes, with monitoring carried out by a Domain Compliance Unit.
On 31 October 2025, the Ministry of Communication, Digital Technology and Innovations closes a consultation on the Misinformation, Disinformation, Hate Speech and Publication of Other Information (MDHI) Bill, 2025 including content moderation regulation. The Bill aims to prevent the publication, dissemination, and commercialisation of hate speech, misinformation, and disinformation, as well as regulate the public disclosure of private information, and establishes the conditions for liability for publishing such information. It bans the communication of hate speech and indecent expressions, defining hate speech as any expression that vilifies, humiliates, or incites hatred or violence against groups based on identity factors such as race, ethnicity, religion, or sex. This includes content presented as entertainment. Indecent expressions that may provoke violence are also prohibited. Individuals, institutions, and public officials may all be held liable, and hate speech that incites genocide or aggravated violence is criminalised. Courts determine whether communication qualifies as hate speech based on context, tone, reach, and intent. Internet intermediaries are not liable for third-party content unless they create, modify, or control it, and they are not required to proactively monitor or assess content legality. Only intermediaries regulated in Ghana fall under the Bill, and their moderation policies must comply with its provisions. Content restriction can only occur following a Court or Division order confirming that the material breaches the Act. Orders must specify the unlawful content, provide evidence, and set a timeframe, and cannot compel intermediaries to delete user accounts. Individuals may, however, flag illegal content. Intermediaries and media houses must conduct annual human rights due diligence on their algorithmic systems and annual misinformation and disinformation risk assessments. 
Media houses, journalists, internet intermediaries, digital advertising intermediaries, and content creators must also establish fact-checking processes and obtain annual fact-checking certification to maintain their licences. Regular bi-annual training on misinformation is mandatory for public institutions, media houses, and intermediaries. Content creators, influencers, and digital advertisers are required to ensure that paid content complies with the Bill. The Minister will issue regulations on content restriction, algorithmic moderation, cooperation with institutions, decision-making procedures, and codes of practice to ensure effective implementation. The Bill also introduces an access blocking order, enabling the court or the Division to direct the communications authority to order internet service providers to block access to online locations disseminating misinformation, disinformation, or hate speech. Such orders may be issued if a person fails to comply with a previous directive and the content harms Ghana’s diplomatic relations or misrepresents it as breaching international law. Internet service providers that ignore an access blocking order after three warnings face administrative penalties and potential suspension or revocation of their licences.
On 31 October 2025, the Ministry of Communication, Digital Technology and Innovations closes its consultation on the Data Protection Act, 2025, including data localisation requirements. The Act would require data localisation if personal data is critical to national security, concerns national ID and civil registration systems, or involves children's data, biometric data, health records, and genetic data. While there is no general requirement for localising personal data, controllers would be required to make reasonable efforts to localise data, provided that it does not impair business or operations.
On 31 October 2025, the Ministry of Communication, Digital Technology, and Innovations closes its consultation on the Data Protection Act, 2025, including cross-border data transfer regulation. The Act would allow personal data transfers outside Ghana only under certain conditions. These include obtaining the data subject’s written, free, explicit, and informed consent after they have been made aware of potential risks. Transfers would also be permitted when necessary for recognised purposes, such as fulfilling a contract, exercising legal claims, or protecting a data subject’s vital interests. In addition, transfers would require an assessment to ensure adequate safeguards are in place, such as approved contractual clauses, binding corporate rules, or other mechanisms authorised by the Data Protection Authority. Transfers involving large-scale data or children’s data, biometric data, health records, and genetic data require additional authorisation by the Authority. The Authority can require processors to demonstrate the effectiveness of safeguards and the existence of legitimate interests. Finally, transfers by controllers processing large-scale data, likely to pose real risks to data subject rights, must conduct a transfer impact assessment, subject to approval by the Authority.
On 31 October 2025, the Ministry of Communication, Digital Technology, and Innovations closes its consultation on the Data Protection Act, 2025, including business registration requirements. The Act would require data controllers to register in a Data Protection Register maintained by the Data Protection Authority. Unregistered data controllers would not be permitted to process personal data. Registration would be valid for twelve months.
On 31 October 2025, the Ministry of Communication, Digital Technology, and Innovations closes its consultation on the Data Protection Act, 2025, including data protection authority governance. The Act would establish the Data Protection Authority as the responsible agency for protecting personal privacy, ensuring efficient management of personal data, establishing standards for local processing and cross-border transfers, and regulating the personal data digital economy. To this end, the Authority would be empowered to issue guidelines and directives, conduct investigations into alleged breaches of data protection regulations, accredit data protection service providers, mediate disputes, and issue penalties and corrective measures. The Authority would have the power to issue enforcement notices, respond to assessment requests and individual complaints, and carry out compliance audits.
On 31 October 2025, the Ministry of Communication, Digital Technology, and Innovations closes its consultation on the Data Protection Act, 2025, including cybersecurity regulation. The Act would require data controllers and processors to adopt technical and organisational measures to prevent loss, damage, unauthorised destruction, unlawful access, or unlawful processing of personal data. Such measures include identifying risks and implementing regularly updated safeguards against them. Data controllers would have to provide contractually for the compliance of data processors. Upon breach, data controllers would be required to notify the Data Protection Authority within 72 hours. Controllers would be required to notify affected subjects to the extent necessary to take protective measures, including, if known, the identity of the unauthorised person.
On 31 October 2025, the Ministry of Communication, Digital Technology and Innovations closes its consultation on the Data Protection Act, 2025, including operational license requirements. The Act would require data protection service providers to obtain a license from the Data Protection Authority prior to operation. Data protection services cover activities designed to provide technical tools for personal data management, and explicitly exclude legal, compliance, and policy consultancy services. A data protection service license would be valid for twelve months.
On 31 October 2025, the Ministry of Communication, Digital Technology and Innovations closes a consultation on the Misinformation, Disinformation, Hate Speech and Publication of Other Information (MDHI) Bill, 2025 including fair marketing and advertising practice requirement. The Bill would require digital advertising intermediaries, celebrities and influencers to fact-check information prior to publication and take reasonable steps to ensure that publishing paid content does not result in non-compliance with the Bill's provisions.
On 31 October 2025, the Ministry of Communication, Digital Technology and Innovations closes a consultation on the Misinformation, Disinformation, Hate Speech and Publication of Other Information (MDHI) Bill, 2025 including content moderation authority governance. The Bill would create a new Division on Misinformation, Disinformation, Hate Speech and Publication of Other Information responsible for enforcing its provisions. In this capacity, the Division would investigate complaints, with the power to issue sanctions and require corrections, removal, access blocking, and license revocations. In general, the Division is required to refrain from imposing monitoring requirements or intermediary liabilities on intermediaries and allow them to make decisions according to their own content moderation policies. However, it may issue a Removal of Account Request to an intermediary if a specific user has failed to comply with Compliance Warnings three times. Intermediaries are also only required to restrict content if the third-party publisher fails to comply first and the content in question negatively impacts Ghana's diplomatic interests or friendly relations with other countries.
On 31 October 2025, the National Information Technology Agency closes its consultation on the Electronic Transactions Act, 2025, which includes an age verification requirement. The Act would require service providers directed at or likely to be accessed by children to implement age verification mechanisms and prohibit targeted advertising on the basis of the personal information of children.
On 31 October 2025, the National Information Technology Agency closes its consultation on the Electronic Transactions Act, 2025, which includes operational license requirements. The Act would create a licensing regime for encryption and authentication service providers operating in Ghana. The Agency would be the responsible institution for issuing licenses, as well as for monitoring, compliance, and maintaining a digital and electronic signature repository and license holder registry. License holders are required to ensure reliability and security, and to maintain liability insurance of a minimum of GHS 10'000'000.
On 31 October 2025, the National Information Technology Agency closes its consultation on the Electronic Transactions Act, 2025, which includes fair marketing and advertising practice requirements. The Act would prohibit the sending of unsolicited electronic communications to customers, while requiring those sending electronic communications to provide the option to unsubscribe from a mailing list and to identify the source of the customer's contact information upon request. Breaching the prohibition on unsolicited electronic communications and continuing to send communications after cancellation of subscriptions would be subject to a monetary penalty and potential imprisonment. Further, platforms and service providers using automated decision-making, algorithmic curation, and recommendation systems are required to disclose key parameters, provide meaningful information to users about how such systems affect services, and allow customers to opt out of personalised recommendations.
On 31 October 2025, the National Information Technology Agency closes its consultation on the Electronic Transactions Act, 2025, which includes content moderation regulation. The Act would provide for the liability of intermediaries. Specifically, intermediaries acting as "mere conduit" or for the automatic, intermediate and temporary storage of electronic records on their systems for the purpose of more efficient onward transmission would be exempt from liability for transmitting electronic records provided that they do not modify the record. Intermediaries providing hosting services would not be liable provided that they have no actual knowledge that stored information infringes on the rights of third parties, are unaware of facts from which infringement could be inferred, and act expeditiously to remove information on receipt of a takedown notification. Hosts would only be exempt from liability if they provide the means to receive and process such notifications. Intermediaries are not generally required to monitor the content of information records. Additional obligations apply to Very Large Online Platforms and Very Large Online Search Engines with an average of 45 million monthly users, with a significant role in the dissemination and visibility of online information. These service providers must conduct annual risk assessments, submit their risk management practices to third-party audits every two years, and publish biannual transparency reports detailing content moderation actions, the use of automated tools for content moderation, and algorithmic disclosure.
On 31 October 2025, the Ministry of Communication, Digital Technology and Innovations closes a consultation on the draft National Information Technology Authority Bill, including merger control regulation. The Bill would establish a National Information Technology Authority, responsible for regulating and promoting information and communications technologies (ICT) and digital services. ICT service providers would be required to obtain the Authority's approval prior to entering into agreements for the sale or alteration of their business. ICT is broadly defined to include digital hardware and software systems, information systems and digital applications, data centres, hosting facilities, electronic and cloud-based infrastructure, digital innovation, platforms, and emerging technologies deployed in the public sector, and associated standards, architecture, and interoperability frameworks.
On 31 October 2025, the Ministry of Communication, Digital Technology and Innovations closes the consultation on the draft National Information Technology Authority Bill, including operational license requirements. The Act would establish a National Information Technology Authority, responsible for regulating and promoting information and communications technologies (ICT) and digital services. Businesses would be required to obtain a license from the Authority prior to engaging in ICT infrastructure installation, ICT development, or the provision of ICT products and services. ICT is broadly defined to include digital hardware and software systems, information systems and digital applications, data centres, hosting facilities, electronic and cloud-based infrastructure, digital innovation, platforms, and emerging technologies deployed in the public sector, and associated standards, architecture, and interoperability frameworks.
On 31 October 2025, the Ministry of Communication, Digital Technology, and Innovations closes its consultation on the Data Protection Act, 2025, including data protection regulation. The Act would establish a set of data protection principles to be observed by controllers and processors, including accountability, lawfulness, data quality, and data subject participation. Explicit data subject consent is required for processing. The Act would further mandate limits on data retention, enshrine data subject ownership, require data protection impact assessments where processing is likely to pose risks to data subjects, legitimate interest assessments, and data protection by design. The Act would also establish a range of data subject rights, including access, data portability, erasure, and specific rights in relation to direct marketing, election campaigns, and automated decision-making. Processing a child’s personal data would require the consent of a parent or legal guardian. The processing of special personal data, including data belonging to children and pertaining to religious, ethnic, or other sensitive categories, would be prohibited unless specific requirements set out by the Act were met. Data controllers would be required to appoint a data protection officer.
On 31 October 2025, the Ministry of Communication, Digital Technology and Innovations closes its consultation on the Emerging Technologies Bill, 2025. The Bill proposes to establish an Emerging Technologies Agency, which includes an Artificial Intelligence (AI) Division, with the objective of advancing the adoption of emerging technologies, including AI, blockchain-based technology, Internet of Things (IoT), cloud technology, and quantum computing, promoting research and deploying these technologies to boost social and economic productivity. The Agency would provide a set of rules on emerging technology with the aim of securing their efficient and safe deployment. The Bill also outlines general guiding principles which apply to the development and use of emerging technologies, including principles on preventing algorithmic biases and discrimination, ensuring transparency and human oversight, and requiring clear labelling and informed consent for consumers. Furthermore, the principles address the spread of misinformation and disinformation and outline environmental safeguards for technologies with high energy consumption or electronic waste generation.
On 21 October 2025, the Ministry of Communication, Digital Technology, and Innovations opened a consultation on the Ghana Domain Name Registry Act, until 31 October 2025. The Act would require all legally registered or operating entities in Ghana to register and maintain an active .gh domain name for official public-facing websites and digital platforms, and to use it for official digital correspondence and transactions. Entities not currently using .gh domains would be required to transition within six months of the Act's entry into force. Entities could be eligible for exemptions if they have digital presences hosted exclusively outside the Republic, not targeting Ghanaian users, or operate as multinational organisations subject to foreign digital jurisdiction. Non-compliance would carry administrative penalties, potential suspension or revocation of business and regulatory licences, and disqualification from public procurement processes, with monitoring carried out by a Domain Compliance Unit.
On 21 October 2025, the Ministry of Communication, Digital Technology and Innovations opened a consultation on the Misinformation, Disinformation, Hate Speech and Publication of Other Information (MDHI) Bill, 2025 including fair marketing and advertising practice requirement, until 31 October 2025. The Bill would require digital advertising intermediaries, celebrities and influencers to fact-check information prior to publication and take reasonable steps to ensure that publishing paid content does not result in non-compliance with the Bill's provisions.
On 21 October 2025, the Ministry of Communication, Digital Technology and Innovations opened a consultation on the Misinformation, Disinformation, Hate Speech and Publication of Other Information (MDHI) Bill, 2025 including content moderation authority governance, until 31 October 2025. The Bill aims to prevent the publication, dissemination, and commercialisation of misinformation, disinformation, and hate speech, as well as regulate the public disclosure of private information, and establishes the conditions for liability for publishing such information. The Bill would create a new Division on Misinformation, Disinformation, Hate Speech and Publication of Other Information responsible for enforcing its provisions. In this capacity, the Division would investigate complaints, with the power to issue sanctions and require corrections, removal, access blocking, and license revocations. In general, the Division is required to refrain from imposing monitoring requirements or intermediary liabilities on intermediaries and allow them to make decisions according to their own content moderation policies. However, it may issue a Removal of Account Request to an intermediary if a specific user has failed to comply with Compliance Warnings three times. Intermediaries are also only required to restrict content if the third-party publisher fails to comply first and the content in question negatively impacts Ghana's diplomatic interests or friendly relations with other countries.
On 21 October 2025, the Ministry of Communication, Digital Technology, and Innovations opened a consultation on the Misinformation, Disinformation, Hate Speech, and Publication of Other Information (MDHI) Bill, 2025, including content moderation regulation, until 31 October 2025. The Bill aims to prevent the publication, dissemination, and commercialisation of hate speech, misinformation, and disinformation, as well as regulate the public disclosure of private information, and establishes the conditions for liability for publishing such information. It bans the communication of hate speech and indecent expressions, defining hate speech as any expression that vilifies, humiliates, or incites hatred or violence against groups based on identity factors such as race, ethnicity, religion, or sex. This includes content presented as entertainment. Indecent expressions that may provoke violence are also prohibited. Individuals, institutions, and public officials may all be held liable, and hate speech that incites genocide or aggravated violence is criminalised. Courts determine whether communication qualifies as hate speech based on context, tone, reach, and intent. Internet intermediaries are not liable for third-party content unless they create, modify, or control it, and they are not required to proactively monitor or assess content legality. Only intermediaries regulated in Ghana fall under the Bill, and their moderation policies must comply with its provisions. Content restriction can only occur following a Court or Division order confirming that the material breaches the Act. Orders must specify the unlawful content, provide evidence, and set a timeframe, and cannot compel intermediaries to delete user accounts. Individuals may, however, flag illegal content. Intermediaries and media houses must conduct annual human rights due diligence on their algorithmic systems and annual misinformation and disinformation risk assessments. 
Media houses, journalists, internet intermediaries, digital advertising intermediaries, and content creators must also establish fact-checking processes and obtain annual fact-checking certification to maintain their licences. Regular bi-annual training on misinformation is mandatory for public institutions, media houses, and intermediaries. Content creators, influencers, and digital advertisers are required to ensure that paid content complies with the Bill. The Minister will issue regulations on content restriction, algorithmic moderation, cooperation with institutions, decision-making procedures, and codes of practice to ensure effective implementation. The Bill also introduces an access blocking order, enabling the court or the Division to direct the communications authority to order internet service providers to block access to online locations disseminating misinformation, disinformation, or hate speech. Such orders may be issued if a person fails to comply with a previous directive and the content harms Ghana’s diplomatic relations or misrepresents it as breaching international law. Internet service providers that ignore an access blocking order after three warnings face administrative penalties and potential suspension or revocation of their licences.
On 21 October 2025, the Ministry of Communication, Digital Technology and Innovations opened a consultation on the Emerging Technologies Bill, 2025, until 31 October 2025. The Bill proposes to establish an Emerging Technologies Agency, which includes an Artificial Intelligence (AI) Division, with the objective of advancing the adoption of emerging technologies, including AI, blockchain-based technology, Internet of Things (IoT), cloud technology, and quantum computing, promoting research and deploying these technologies to boost social and economic productivity. The Agency would provide a set of rules on emerging technology with the aim of securing their efficient and safe deployment. The Bill also outlines general guiding principles which apply to the development and use of emerging technologies, including principles on preventing algorithmic biases and discrimination, ensuring transparency and human oversight, and requiring clear labelling and informed consent for consumers. Furthermore, the principles address the spread of misinformation and disinformation and outline environmental safeguards for technologies with high energy consumption or electronic waste generation.
On 20 October 2025, the Ministry of Communication, Digital Technology, and Innovations opened a consultation on the Data Protection Act, 2025, including data localisation requirements, until 31 October 2025. The Act would require data localisation if personal data is critical to national security, concerns national ID and civil registration systems, or involves children's data, biometric data, health records, and genetic data. While there is no general requirement for localising personal data, controllers would be required to make reasonable efforts to localise data, provided that it does not impair business or operations.
On 20 October 2025, the Ministry of Communication, Digital Technology, and Innovations opened a consultation on the Data Protection Act, 2025, including cross-border data transfer regulation, until 31 October 2025. The Act would allow personal data transfers outside Ghana only under certain conditions. These include obtaining the data subject’s written, free, explicit, and informed consent after they have been made aware of potential risks. Transfers would also be permitted when necessary for recognised purposes, such as fulfilling a contract, exercising legal claims, or protecting a data subject’s vital interests. In addition, transfers would require an assessment to ensure adequate safeguards are in place, such as approved contractual clauses, binding corporate rules, or other mechanisms authorised by the Data Protection Authority. Transfers involving large-scale data or children’s data, biometric data, health records, and genetic data require additional authorisation by the Authority. The Authority can require processors to demonstrate the effectiveness of safeguards and the existence of legitimate interests. Finally, transfers by controllers processing large-scale data, likely to pose real risks to data subject rights, must conduct a transfer impact assessment, subject to approval by the Authority.
On 20 October 2025, the Ministry of Communication, Digital Technology, and Innovations opened a consultation on the Data Protection Act, 2025, including business registration requirements, until 31 October 2025. The Act would require data controllers to register in a Data Protection Register maintained by the Data Protection Authority. Unregistered data controllers would not be permitted to process personal data. Registration would be valid for twelve months.
On 20 October 2025, the Ministry of Communication, Digital Technology, and Innovations opened a consultation on the Data Protection Act, 2025, including data protection authority governance, until 31 October 2025. The Act would establish the Data Protection Authority as the responsible agency for protecting personal privacy, ensuring efficient management of personal data, establishing standards for local processing and cross-border transfers, and regulating the personal data digital economy. To this end, the Authority would be empowered to issue guidelines and directives, conduct investigations into alleged breaches of data protection regulations, accredit data protection service providers, mediate disputes, and issue penalties and corrective measures. The Authority would have the power to issue enforcement notices, respond to assessment requests and individual complaints, and carry out compliance audits.
On 20 October 2025, the Ministry of Communication, Digital Technology, and Innovations opened a consultation on the Data Protection Act, 2025, including cybersecurity regulation, until 31 October 2025. The Act would require data controllers and processors to adopt technical and organisational measures to prevent loss, damage, unauthorised destruction, unlawful access, or unlawful processing of personal data. Such measures include identifying risks and implementing regularly updated safeguards against them. Data controllers would have to provide contractually for the compliance of data processors. Upon breach, data controllers would be required to notify the Data Protection Authority within 72 hours. Controllers would be required to notify affected subjects to the extent necessary to take protective measures, including, if known, the identity of the unauthorised person.
On 20 October 2025, the Ministry of Communication, Digital Technology, and Innovations opened a consultation on the Data Protection Act, 2025, including operational license requirements, until 31 October 2025. The Act would require data protection service providers to obtain a license from the Data Protection Authority prior to operation. Data protection services cover activities designed to provide technical tools for personal data management, and explicitly exclude legal, compliance, and policy consultancy services. A data protection service license would be valid for twelve months.
On 20 October 2025, the National Information Technology Agency opened a consultation on the Electronic Transactions Act, 2025, which includes an age verification requirement. The Act would require service providers directed at or likely to be accessed by children to implement age verification mechanisms and prohibit targeted advertising on the basis of the personal information of children.
On 20 October 2025, the National Information Technology Agency opened a consultation on the Electronic Transactions Act, 2025, which includes operational license requirements, until 31 October 2025. The Act would create a licensing regime for encryption and authentication service providers operating in Ghana. The Agency would be the responsible institution for issuing licenses, as well as for monitoring, compliance, and maintaining a digital and electronic signature repository and license holder registry. License holders are required to ensure reliability and security, and to maintain liability insurance of a minimum of GHS 10'000'000.
On 20 October 2025, the National Information Technology Agency opened a consultation on the Electronic Transactions Act, 2025, which includes fair marketing and advertising practice requirements, until 31 October 2025. The Act would prohibit the sending of unsolicited electronic communications to customers, while requiring those sending electronic communications to provide the option to unsubscribe from a mailing list and to identify the source of the customer's contact information upon request. Breaching the prohibition on unsolicited electronic communications and continuing to send communications after cancellation of subscriptions would be subject to a monetary penalty and potential imprisonment. Further, platforms and service providers using automated decision-making, algorithmic curation, and recommendation systems are required to disclose key parameters, provide meaningful information to users about how such systems affect services, and allow customers to opt out of personalised recommendations.
On 20 October 2025, the National Information Technology Agency opened a consultation on the Electronic Transactions Act, 2025, which includes content moderation regulation, until 31 October 2025. The Act would provide for the liability of intermediaries. Specifically, intermediaries acting as "mere conduit" or for the automatic, intermediate and temporary storage of electronic records on their systems for the purpose of more efficient onward transmission would be exempt from liability for transmitting electronic records provided that they do not modify the record. Intermediaries providing hosting services would not be liable provided that they have no actual knowledge that stored information infringes on the rights of third parties, are unaware of facts from which infringement could be inferred, and act expeditiously to remove information on receipt of a takedown notification. Hosts would only be exempt from liability if they provide the means to receive and process such notifications. Intermediaries are not generally required to monitor the content of information records. Additional obligations apply to Very Large Online Platforms and Very Large Online Search Engines with an average of 45 million monthly users, with a significant role in the dissemination and visibility of online information. These service providers must conduct annual risk assessments, submit their risk management practices to third party audits every two years, and publish biannual transparency reports detailing content moderation actions, the use of automated tools for content moderation, and algorithmic disclosure.
On 20 October 2025, the Ministry of Communication, Digital Technology and Innovations opened a consultation on the draft National Information Technology Authority Bill, including merger control regulation until 31 October 2025. The Bill would establish a National Information Technology Authority, responsible for regulating and promoting information and communications technologies (ICT) and digital services. ICT service providers would be required to obtain the Authority's approval prior to entering into agreements for the sale or alteration of their business. ICT is broadly defined to include digital hardware and software systems, information systems and digital applications, data centres, hosting facilities, electronic and cloud-based infrastructure, digital innovation, platforms, and emerging technologies deployed in the public sector, and associated standards, architecture, and interoperability frameworks.
On 20 October 2025, the Ministry of Communication, Digital Technology and Innovations opened a consultation on the draft National Information Technology Authority Bill, including operational license requirements, until 31 October 2025. The Bill would establish a National Information Technology Authority, responsible for regulating and promoting information and communications technologies (ICT) and digital services. Businesses would be required to obtain a license from the Authority prior to engaging in ICT infrastructure installation, ICT development, or the provision of ICT products and services. ICT is broadly defined to include digital hardware and software systems, information systems and digital applications, data centres, hosting facilities, electronic and cloud-based infrastructure, digital innovation, platforms, and emerging technologies deployed in the public sector, and associated standards, architecture, and interoperability frameworks.
On 20 October 2025, the Ministry of Communication, Digital Technology, and Innovations opened a consultation on the Data Protection Act, 2025, including data protection regulation, until 31 October 2025. The Act would establish a set of data protection principles to be observed by controllers and processors, including accountability, lawfulness, data quality, and data subject participation. Explicit data subject consent is required for processing. The Act would further mandate limits on data retention, enshrine data subject ownership, require data protection impact assessments where processing is likely to pose risks to data subjects, legitimate interest assessments, and data protection by design. The Act would also establish a range of data subject rights, including access, data portability, erasure, and specific rights in relation to direct marketing, election campaigns, and automated decision-making. Processing a child’s personal data would require the consent of a parent or legal guardian. Special personal data, including data belonging to children and pertaining to religious, ethnic, or other sensitive categories, would be prohibited unless specific requirements set out by the Act were met. Data controllers would be required to appoint a data protection officer.
On 16 October 2025, the National Communications Authority opened a consultation on the Electronic Communications Act, 2025, which includes provisions for unilateral conduct regulation until 14 November 2025. Electronic communications and broadcasting service providers would be prohibited from engaging in conduct with the purpose or effect of substantially lessening competition, including predatory pricing, refusal to supply essential facilities, bundling services to disadvantage competitors, and abuse of a dominant position. The Authority would be empowered to impose structural or behavioural remedies to address anti-competitive concerns.
On 16 October 2025, the National Communications Authority opened a consultation on the Electronic Communications Act, 2025, which includes provisions for quality of service requirements, until 14 November 2025. The Authority would be responsible for determining the telecommunications services to which universal service requirements apply, considering public needs, affordability, and technological advancements. At a minimum, universal service would require a high-quality telephone service that includes a free telephone directory, operator-assisted information, free access to emergency numbers, telecommunications services, and provisions for persons with disability to make and receive calls. Universal access provisions would include affordable and high-quality community-based broadband information and communication services with broad geographic coverage, and access to these services by educational and health facilities, telecentres, and other public or private community centres.
On 16 October 2025, the National Communications Authority opened a consultation on the National Communications Authority Act, 2025, until 14 November 2025. The Act would establish the National Communications Authority to regulate, promote, and develop communication services across the country. Its core functions would include overseeing radio frequency spectrum, ensuring the quality of communication services, and fostering fair competition among service providers. One aspect of its mandate would involve consumer protection, with provisions for investigating and resolving disputes related to harmful frequency interference, user rates, billing, and overall service provision, as well as facilitating relief when consumers fail to obtain redress directly from providers. The Act would also provide for the option to introduce regulations requiring pre-licensing approval for new telecom services involving personal data processing, such as AI-powered customer service applications, following a joint assessment with the Data Protection Commission.
On 16 October 2025, the National Communications Authority opened a consultation on the Electronic Communications Act, 2025, which includes provisions for operational licence requirements, until 14 November 2025. The Act would require persons wishing to operate an electronic communications or broadcasting service or network to obtain a license from the Authority. Licensees would be required to provide services according to the necessary standards of quality, meet universal service and universal access requirements, and comply with cybersecurity requirements, among other points.
On 16 October 2025, the National Communications Authority opened a consultation on the Electronic Communications Act, 2025, which includes provisions for data protection regulation until 14 November 2025. The National Communications Authority, in consultation with the Data Protection Commission, would be empowered to issue sector-specific data protection guidelines. Service providers could only retain metadata as required by law for national security or billing purposes, with a maximum retention period defined by the Authority. Telecommunication service providers would need to implement subscriber verification systems interoperable with national identity databases, while biometric data collection would require a prior data protection impact assessment in accordance with the Data Protection Act.
On 16 October 2025, the National Communications Authority opened a consultation on the Electronic Communications Act, 2025, which includes provisions for cybersecurity regulation until 14 November 2025. Electronic communications and broadcasting service providers would be required to implement technical and organisational measures for network and service security, in line with cybersecurity regulator standards. They would be required to report cybersecurity incidents affecting network integrity or causing service disruption to the Authority and the national cybersecurity regulator within twenty-four hours of detection. Network breaches involving subscriber data would have to be reported to the National Communications Authority within twenty-four hours, with a parallel notification to the Data Protection Commission if personal data is compromised. The Authority, in consultation with the cybersecurity regulator, would enforce minimum cybersecurity standards applicable to all operators and service providers.
On 30 August 2025, the Ministry of Trade and Industry closes its public consultation on the Draft E-Commerce National Strategy of Ghana (2025–2029). The consultation, which opened on 1 May 2025, invited feedback on the draft strategy outlining strategic orientations and objectives for e-commerce development in Ghana. The draft includes a situational analysis, an assessment of Ghana’s e-commerce readiness, an overview of the digital ecosystem, and a SWOT analysis. Focus areas include strengthening institutional coordination, promoting trust in e-commerce transactions, supporting e-commerce market participants, and adapting the strategic framework to improve inclusivity. The strategy also proposes a governance structure comprising a high-level Steering Committee chaired by the Ministry of Trade and Industry and a dedicated e-commerce Directorate responsible for implementation and coordination.
On 31 July 2025, the Ministry of Communication, Digital Technology and Innovations announced the establishment of an Emerging Technologies Agency under the forthcoming Emerging Technology Act as part of a comprehensive legislative reform. The Agency will serve as a specialised governance body overseeing artificial intelligence, machine learning, large language models, blockchain, cryptocurrencies, virtual reality, and augmented reality in education. The Agency will be structured into divisions dedicated to each technology domain, allowing seamless integration of future technologies without requiring new legislation. The Ministry will simultaneously introduce fifteen new pieces of legislation to modernise the national digital framework, including the Innovation and Startups Bill, which defines criteria and registration processes for startups, incubators, and accelerators, and the Data Harmonisation Act, which seeks to unify government data systems.
On 2 May 2025, Ghana’s Minister for Communication, Digital Technology, and Innovation announced the development of the National Digital Transformation and Emerging Technology Strategy, with a focus on Artificial Intelligence (AI). The strategy is intended to guide the ethical and secure deployment of AI and other digital tools for national development, ensuring inclusivity and appropriate governance frameworks. A component involves digitising essential national datasets to train AI systems on local data, thereby preserving cultural context and protecting digital sovereignty. The Ministry has established strategic partnerships with the British High Commission, UNESCO, and other international organisations to support the formulation of Ghana’s National AI Strategy.
Last updated: 14/11/2025