Cybersecurity or Cyber Control? Why Ghana’s Cybersecurity (Amendment) Bill, 2025 Demands a Rethink Before Enactment

Imagine being compelled to hand over your password to state investigators simply because you are under suspicion or being required to surrender 30% of your professional earnings to a regulator that offers you no clear benefit. Imagine a digital system where your data can be recorded, preserved, or seized without a judge’s approval all in the name of “cyber hygiene”.

This is not fiction. It’s part of what Ghana’s Cybersecurity (Amendment) Bill, 2025 proposes. While the intention to strengthen national cyber resilience is commendable, several sections of this Bill if passed as they currently stand, could mark a worrying departure from democratic governance in the digital age.

Ghana’s Cyber Security Authority (CSA) and the Ministry of Communications and Digitalisation have called for public contributions on the Bill. That invitation must not be taken lightly. Every cybersecurity professional, policy analyst, journalist, and civic-minded citizen should read, understand, and respond to this draft before it quietly becomes law.

1. The 30% Revenue Levy: An Economic and Ethical Concern
Section 57C(4) of the Bill mandates that 30% of all revenue earned by certified cybersecurity professionals or service providers under the “cyber hygiene certification scheme” be paid into the cybersecurity fund.

At face value, this looks like a sustainability measure, but it raises serious economic and ethical issues. Cyber professionals already bear high costs for international certifications, annual membership fees, and compliance standards. To introduce an additional 30% levy especially in a developing market with few cybersecurity jobs and limited institutional support, risks crippling small firms and discouraging skilled practitioners from local certification altogether.

More importantly, it blurs the line between regulation and revenue collection. A regulator that financially benefits from those it regulates loses impartiality. Professionals begin to see compliance not as a patriotic duty but as coerced contribution. In principle, state authorities should provide tangible value such as policy enforcement, job frameworks, protective infrastructure before demanding revenue.

2. Surveillance and Data Recording: The Privacy Dilemma
Sections 59B-59J empower the CSA to preserve, record, and seize digital data in the course of investigations. These powers can be exercised without prior judicial authorization and can extend to any interconnected systems.

On paper, these provisions are meant to combat cybercrime. In practice, they create an open field for unchecked digital surveillance. Ghana’s Constitution guarantees privacy of communication under Article 18(2). That right is not absolute, but any interference must be lawful, necessary, and proportionate. The Bill’s broad powers risk converting cybersecurity enforcement into routine data collection.

This type of administrative access is a red flag for democracy. The absence of judicial mediation means investigators can act as both accuser and adjudicator. In democratic systems, judicial warrants exist to ensure that national security never becomes a pretext for state overreach. Ghana should not trade away that safeguard for administrative convenience.

3. Compelled Password Disclosure: A Step Too Far
Perhaps the most invasive feature of the Bill is found in Sections 59C-59D, which empower the Authority or an authorised officer to demand passwords, decryption keys, or technical assistance from any person under investigation.

This means that even if you are merely suspected of wrongdoing, you could be legally forced to hand over your login credentials. Refusing could result in penalties.

Globally, compelled decryption is a deeply contested issue. In the United States, the famous Apple v. FBI case (2016) was mediated through the courts, openly debated, transparently argued, and ultimately resolved without undermining encryption standards. In the United Kingdom, similar requests require court orders and are subject to privilege protections. Ghana’s draft, however, offers no judicial safeguard, no privilege protection, and no appeal process.

Compelled decryption does not only infringe privacy, but it also undermines the very foundation of secure digital communication. Encryption is meant to protect citizens, companies, and governments alike. Weakening it for convenience exposes everyone.

4. What This Means for Democracy
Taken together, these provisions; financial extraction, administrative surveillance, and forced disclosure, signal a slow drift from democratic governance toward bureaucratic control of cyberspace.

Democracy is defined not only by elections but by limitations on power. When a state agency can regulate, investigate, and profit from the same ecosystem without oversight, it creates a closed loop of authority which is a system accountable only to itself.

Ghana’s reputation as a model democracy in West Africa has been earned through decades of transparency, civil participation, and respect for constitutional rights. This Bill risks eroding that legacy in the name of security. The digital future we build should not sacrifice liberty on the altar of efficiency.

5. A Better Path Forward: Constructive Reforms
Reform, not rejection, should be the national goal. Cybersecurity legislation is necessary, but it must be anchored in constitutional principles and democratic accountability. Here are practical recommendations:

A. Judicial Oversight: All data access, preservation, or decryption orders should require judicial authorization. No exception.
B. Remove or Reduce the 30% Levy: Replace it with the transparent annual licensing fee or percentage cap that reflects actual administrative costs.
C. Independent Oversight and Reporting: Establish an independent committee to audit CSA operations and publish annual transparency reports.
D. Public Consultation as Ongoing Process: The public engagement on this Bill should not be treated as a formality. It must be part of a continuous democratic dialogue on digital rights and national security.

6. A Call to Action
The Ministry of Communications and Digitalisation has invited stakeholders to submit comments on the Cybersecurity (Amendment) Bill, 2025. This is a rare opportunity to shape the legal and democratic future of Ghana’s digital space.

Every contribution matters especially from those working in cybersecurity, law, technology, and academia. Silence now will only entrench the very control structures many are already warning about.

Ghana stands at a crossroads. One path leads to a secure, transparent digital democracy. The other, to a system where the government openly controls digital life under the guise of safety. The choice depends on how boldly we speak, write, and act today.

Visit the official site provided to stakeholders to submit comments on the Cybersecurity (Amendment) Bill, 2025: https://csa.gov.gh/public_document.php