Ghana’s journey toward digital transformation has made cybersecurity both a national priority and a civic necessity. As public institutions, banks, and private operators increasingly depend on digital infrastructure, the need to protect networks from cyber threats has never been more urgent. Yet the proposed Cybersecurity (Amendment) Bill, 2025, currently before Parliament, has triggered legitimate unease within Ghana’s policy and legal community. The Institute for Liberty and Policy Innovation (ILAPI) has issued a detailed submission that welcomes the Bill’s intentions but raises serious constitutional and governance concerns. The Institute’s analysis is not an indictment of regulation but a reminder that good cybersecurity policy must always coexist with civil liberties, fiscal prudence, and rule-of-law safeguards.
At the heart of ILAPI’s concern is a structural question: should a regulatory authority that was created to coordinate, advise, and build resilience now assume the powers of the police, prosecutor, and judge? The proposed amendments, if passed without reform, could re-engineer the Cyber Security Authority into an entity with powers far beyond its original mandate. The Institute warns that this would not only distort the purpose of Ghana’s Cybersecurity Act, 2020 (Act 1038), but could also weaken the very legitimacy on which cybersecurity enforcement depends.
- Blurring the Line Between Regulation and Law Enforcement
The first and most far-reaching issue arises from the Bill’s proposed Sections 59A and 59B, which empower the Cyber Security Authority to conduct criminal investigations, prosecute cybercrimes, and recover assets. On its face, this seems efficient—a single body both detects and punishes offences. But ILAPI argues that such concentration of power breaches a constitutional firewall that has long safeguarded Ghana’s justice system. Article 88 of the 1992 Constitution vests the exclusive right to prosecute criminal offences in the Attorney-General, who acts as the guardian of legality in all prosecutions. Any institution exercising prosecutorial powers must do so under a written delegation from the Attorney-General.
The Bill, as drafted, bypasses this requirement entirely. It allows the Authority to prosecute cyber offences and to institute civil asset recovery actions on its own initiative. This dual role risks undermining the neutrality of enforcement by converting a technical regulator into a coercive law enforcement agency. The Authority’s fundamental identity—as a civilian, coordinating, and capacity-building institution—would be replaced with a security-style apparatus operating outside established oversight channels. ILAPI contends that this shift would not only violate the Constitution but could chill private-sector cooperation, deter innovation, and invite political manipulation under the guise of cybersecurity enforcement.
To preserve balance, ILAPI recommends explicit statutory language requiring all prosecutions to proceed only under written fiat from the Attorney-General, supported by Memoranda of Understanding with the Police and the Economic and Organised Crime Office. Such coordination would preserve professional boundaries, ensure evidentiary integrity, and protect the Authority from accusations of overreach. Ghana’s cybersecurity framework, in ILAPI’s view, must remain civilian in character, technical in function, and constitutional in execution.
- The Dangers of Warrant-less Power and the Erosion of Due Process
ILAPI’s second and perhaps most powerful intervention targets Section 59J, which authorises inspectors from the Authority to enter and audit premises with only seven days’ written notice—no warrant required. The clause excludes domestic premises, which is commendable, but its reach remains alarmingly wide. Under this draft, any organisation operating a computer system or infrastructure deemed critical could be subject to unannounced inspection, document seizure, or data review by the Authority’s officers.
Such warrant-less entry, ILAPI warns, is constitutionally indefensible. Article 18(2) of Ghana’s Constitution guarantees the right to privacy of home, property, and correspondence, allowing interference only when necessary for public safety or national security under due legal authority. Routine inspections without judicial authorisation cannot be justified as “necessary” within the meaning of the Constitution. They expose private companies, banks, and even state agencies to arbitrary intrusion, disrupt business continuity, and risk compromising sensitive or privileged data.
In response, ILAPI has drafted an alternative version of Section 59J that should serve as a model for the legislative drafters. In the Institute’s proposal, judicial warrants become the default requirement, with warrant-less entry allowed only in narrowly defined life-or-safety emergencies. The redrafted section defines “reasonable belief” with precision, requiring specific and articulable facts rather than vague suspicion. It also mandates written reports to be filed with both the Authority and the courts within forty-eight hours of any emergency entry, ensuring accountability through judicial review.
Perhaps most importantly, ILAPI introduces a “corrective-action plan” mechanism that transforms the inspection process from one of punishment to one of compliance support. After each inspection, the Authority must issue written findings and give the inspected entity an opportunity to contest conclusions or propose remedial steps within thirty days. This approach mirrors best practices in administrative law and international cybersecurity regulation—from the United Kingdom’s Network and Information Systems Regulations to Singapore’s Cybersecurity Act—and reaffirms that regulation must first guide before it punishes.
By advocating for procedural safeguards, ILAPI is not weakening enforcement; it is fortifying its legitimacy. In a constitutional democracy, enforcement is only as strong as the fairness with which it is exercised. Warrant-less powers, undefined discretion, and absent reporting obligations are not hallmarks of strength; they are symptoms of administrative fragility. Ghana can build cybersecurity resilience without building a surveillance state.
- Oversight, Fiscal Accountability, and the Spirit of Democratic Regulation
Beyond prosecutorial and inspection powers, ILAPI’s submission draws attention to the creeping fiscal and institutional autonomy embedded in several amendments. The proposed reforms to the Cybersecurity Fund, accreditation powers, and certification of emerging technologies risk turning the Authority into a self-financing super-regulator without clear parliamentary control. Under the current draft, revenue streams include administrative penalties, service fees, and a share of fines—mechanisms that directly conflict with the Public Financial Management Act, 2016 (Act 921). Allowing a regulator to retain a portion of fines it imposes creates a perverse incentive structure, where enforcement becomes a source of revenue rather than a tool of compliance.
ILAPI insists that all funds collected under the Act should be paid into the Consolidated Fund, audited by the Auditor-General, and re-appropriated through Parliament. This not only preserves fiscal discipline but also aligns with Article 173 of the Constitution, which centralises public revenue. The Institute also warns against the creeping securitisation of the Authority’s personnel and benefits, proposed under Section 20A, which seeks to align staff conditions with those of intelligence and security services. Such a move, it argues, blurs the Authority’s civilian identity and could lead to opaque financial management outside the reach of conventional public-sector accountability systems.
The submission further critiques the Authority’s growing mandate over the certification of innovative technologies like artificial intelligence, quantum computing, and blockchain. While the intention to ensure secure technology deployment is commendable, ILAPI argues that this field already falls within the mandates of the Ghana Standards Authority, the National Communications Authority, and the Bank of Ghana. Duplicating these roles creates regulatory congestion and increases compliance costs for innovators and small businesses. The Institute therefore calls for Regulatory Impact Assessments before introducing any new licensing or certification regime, ensuring that rules are proportionate, evidence-based, and economically justified.
Underlying all these fiscal and institutional concerns is a deeper constitutional principle: the rule of law demands bounded power, transparent finance, and public oversight. When regulators operate without checks, they risk losing public confidence. ILAPI’s call for redress is therefore not adversarial but restorative—it seeks to align cybersecurity governance with the constitutional fabric of Ghana’s democracy.
Conclusion: Security with Liberty, Power with Accountability
The cybersecurity conversation in Ghana must not be reduced to a choice between safety and freedom. True security lies in upholding the rule of law even in the face of digital threats. ILAPI’s intervention in the Cybersecurity (Amendment) Bill, 2025, captures this delicate equilibrium. The Institute recognises that cybersecurity is a public good, but it insists that it must be pursued through lawful means that respect privacy, procedural fairness, and fiscal transparency.
The proposed amendments, if passed without modification, could unintentionally weaken the constitutional foundations of Ghana’s digital governance. By empowering a regulatory body with prosecutorial and inspection powers that bypass judicial oversight, the Bill risks turning cybersecurity enforcement into a domain of unchecked authority. ILAPI’s alternative vision—rooted in judicial warrants, Attorney-General supervision, and fiscal accountability—offers a blueprint for reform that both strengthens national resilience and protects civil liberty.
As Parliament considers the Bill, policymakers must remember that the digital future of Ghana will not be secured by force of power but by fidelity to principle. Every statute that touches the digital domain should reflect the same constitutional care that underpins the physical one. The Institute for Liberty and Policy Innovation’s recommendations remind the nation that even in cyberspace, law remains the strongest firewall.
