The Cybersecurity (Amendment) Bill, 2025, presented as a technical reform to strengthen Ghana’s cyber resilience, is in reality a sweeping power shift that could endanger digital rights, undermine democratic oversight, and stifle innovation.
On October 21, Ghana’s Cyber Security Authority took to social media to announce a public consultation strategy for the proposed draft amendment. The aim is to gather public review and commentary until October 31, after which measures will be taken to get it passed.
However, a close examination of the Bill’s provisions reveals a troubling pattern of power concentration, excessive discretion, financial overreach, and weak accountability. Beneath the surface of “modernization” hides the framework of a digital security state with wide-reaching control over information, technology, and even private innovation.
The bill’s 50 sections show that it could hand sweeping powers to the Cyber Security Authority (CSA), weaken oversight, and create opportunities for abuse.
What does this mean for you?
The Bill allows the Cyber Security Authority to demand access to your digital information, freeze your assets, or copy data from your phone, computer, or online account, even before a court reviews it.
New offences like “cyberbullying” or “spreading false information” come with penalties of up to 10 years in prison, meaning a simple online argument, joke, or parody post could be treated as a crime.
The Bill directs portions of the Communications Service Tax, corporate tax, and fines into a Cybersecurity Fund managed by the Authority, with no clear public or parliamentary oversight.
Many have taken to X (formerly Twitter) to share their views on how draconian it would be if passed.
The Authority Becomes Police, Prosecutor, and Judge
The Bill’s most consequential change lies in Sections 20B and 59A–59B, which authorize the Cyber Security Authority (CSA) to exercise “the powers of a Police Officer, including the powers of arrest, search and seizure” and to “investigate and prosecute cybercrime on the authority of the Attorney-General.”
This single clause transforms the Authority from a regulator into an enforcement agency, granting it the authority to arrest, exercise prosecutorial discretion, and wield judicial-style powers to freeze property, confiscate proceeds, and initiate civil actions.
While Section 59B(7) mentions judicial confirmation within 14 days after property is frozen, the CSA is empowered to direct, in writing and on its own authority, the freezing of assets before any court order is issued. The result is a regulator with police, prosecutorial, and financial powers.
Broad Powers to Access, Search, and Seize Digital Information
From Sections 59C to 59I, the Bill introduces extensive mechanisms for digital intrusion:
- The Authority may “require a person to attend at a specified place” and “furnish information related to a matter under investigation.”
- Investigative officers may apply ex parte to the High Court for production orders, search warrants, or preservation orders to collect or access computer data.
- These warrants allow the Authority to copy, remove, or render data inaccessible and even extend searches across connected computer systems.
Although judicial authorization appears in certain steps, the Bill allows the CSA to initiate freezing, access, and seizure before or without notice, creating potential for abuse or overreach.
Ordinary citizens, companies, and even public institutions may be compelled to surrender digital records on broad and undefined grounds of “cybersecurity” or “contravention of the Act.”
A Financial Empire Without Parliamentary Control
Section 31 of the Bill creates a Cybersecurity Fund with vast and unprecedented revenue sources:
- 12% of the Communications Service Tax annually;
- 9% of corporate tax annually;
- 50% of all fines collected under the Act;
- and a share of fees charged on all government electronic services.
Additionally, the Fund may receive “grants, gifts, donations, and other voluntary contributions.”
The combination of statutory taxes, fines, and voluntary payments turns the Authority into a self-financing body, largely insulated from annual parliamentary scrutiny or the Ministry of Finance’s budget controls.
The Bill provides no detailed mechanism for independent auditing, public disclosure, or parliamentary approval of the Fund’s usage. This poses a clear risk of financial abuse and undermines public accountability.
Unclear and Excessive Penalties for Online Conduct
Sections 67A and 67B on Cyberbullying, Online Harassment, and Cyberstalking attempt to protect users from online harm, which appears noble, but the drafting language is vague and sweeping.
For instance, the Bill criminalizes:
- “Sending a rude or unwanted message,”
- “Persistently making contact with another person,” or
- “Creating a false identity or fake social media profile.”
These offences attract fines of up to 25,000 penalty units and prison terms of up to 10 years.
The absence of precise definitions for “harassment,” “unwanted contact,” or “lewd message” means legitimate digital expression, satire, parody, criticism, or political speech could be criminalized.
The same clause also prohibits “spreading false or misleading information,” a provision open to subjective interpretation and possible misuse.
Politicization and Lack of Independence
Section 15A vests appointment of the Deputy Directors-General of the CSA directly in the President, with no mention of parliamentary vetting, fixed tenure, or transparent recruitment.
This arrangement risks politicizing the leadership of the Authority, making it susceptible to executive influence, particularly when combined with its investigative and prosecutorial powers.
The lack of structural independence undermines public trust in what should be a neutral technical body.
Overregulation and Control of Innovation
Sections 4A(b–c) and 58A give the Authority the mandate to:
“Establish standards for certifying the security of innovative products, Artificial Intelligence, cloud technology, quantum computing, big data, Internet of Things (IoT), blockchain-based technology and any other emerging technologies.”
The same section allows the Authority to “certify” these technologies itself and to accredit institutions and professionals that deal with them.
By giving the cybersecurity regulator unilateral control over emerging technologies, the Bill risks making the CSA the gatekeeper of innovation.
Start-ups, researchers, and private firms will require approval, certification, or accreditation before deploying or marketing technological products.
Without clear timelines, standards, or appeal mechanisms, the provision invites bureaucratic bottlenecks and innovation censorship.
Weak Safeguards and Oversight
Throughout the Bill, no explicit mechanisms ensure accountability for the Authority’s expanded powers.
There are no:
- Reporting requirements to Parliament,
- Independent oversight committees,
- Citizen complaint procedures, or
- Clear limits on data retention, storage, or destruction.
The Authority can inspect premises, conduct audits, demand documents, and require cooperation under Section 59J, yet the Bill explicitly excludes “domestic premises” only, leaving all business and institutional operations exposed to warrantless inspection with just seven days’ notice.