What is AI regulation in Ghana?
AI regulation: countries and regions
Ghana has no standalone artificial intelligence statute. AI is governed indirectly through existing law, chiefly the Data Protection Act, 2012 (Act 843) and its Data Protection Commission, plus the Cybersecurity Act, 2020 (Act 1038). On top of this sits the National Artificial Intelligence Strategy (2025-2035), launched in April 2026, which is policy rather than binding law. A Data Protection Bill, 2025 would add explicit duties for automated decision-making, but it remains a bill, not an enforceable Act.
What this means
AI regulation in Ghana means the mix of laws, institutions and policy that shape how AI systems may be built and used in the country. There is no dedicated AI Act. Instead, anyone deploying AI that touches personal data, critical systems or electronic transactions falls under general statutes that pre-date the current AI wave.
The backbone is data protection. The Data Protection Act, 2012 (Act 843) regulates how personal data is collected, used and shared, and sets duties that bite directly on most AI use cases, because AI typically runs on personal data. The Cybersecurity Act, 2020 (Act 1038) adds security and incident duties for critical systems, and the Electronic Transactions Act, 2008 (Act 772) governs e-records and e-signatures.
Layered above the statutes is national strategy and soft law. Ghana launched its National Artificial Intelligence Strategy in 2026, aligned with the UNESCO Recommendation on the Ethics of Artificial Intelligence and the African Union Continental AI Strategy. This sets direction and proposes a coordinating body, but it does not by itself create enforceable AI rules.
Why it matters
For organisations, the practical point is that the absence of a dedicated AI law does not mean the absence of legal duty. If your AI processes personal data about people in Ghana, Act 843 already applies: you must have a lawful basis, register with the Data Protection Commission, secure the data, and respect data-subject rights. If your system is part of designated critical information infrastructure, the Cybersecurity Act adds registration, audit and incident-reporting duties.
The direction of travel matters too. The Data Protection Bill, 2025 would, for the first time, write explicit AI-relevant duties into statute: decisions made by automated systems would have to be explainable, contestable and subject to human oversight, with periodic audits for high-stakes sectors such as health, finance and energy. Leaders who build governance now around transparency, human oversight and documented impact assessment will be ahead of where the law is heading rather than scrambling to retrofit it. Getting this wrong carries real exposure: under Section 56 of Act 843, intentional misuse or unlawful disclosure of personal data can attract fines and imprisonment of up to four years, while failing to comply with an enforcement notice carries a fine or up to one year in prison. The regulator has also made its stance plain. At the launch of Data Protection Month in Accra on 26 January 2026, DPC Executive Director Dr Arnold Kavaarpuo stated that "2026 will be a year of enforcement" and that "compliance with the Data Protection Act, 2012, is non-negotiable for any organisation that handles the data of Ghanaian citizens."
How it works
The constitutional and statutory base
The right to privacy is anchored in Article 18(2) of Ghana's 1992 Constitution. The Data Protection Act, 2012 (Act 843) gives that right practical effect. It was assented to on 10 May 2012 and came into force on 16 October 2012. It sets eight data-protection principles (including accountability, lawfulness, purpose specification, data quality, openness and security safeguards), creates data-subject rights, and establishes the Data Protection Commission (DPC) as an independent regulator. The principles are broadly comparable to OECD guidelines and the EU's older Data Protection Directive, which makes Act 843 familiar to anyone who knows the UK GDPR lineage.
Registration, duties and enforcement
Act 843 runs on a mandatory registration regime. Under Section 27, any entity processing personal data must register with the DPC as a data controller, and registration must be renewed every two years. Controllers must process data lawfully, secure it, notify the DPC and affected individuals of breaches, and honour access and correction requests. The DPC can investigate complaints, conduct audits, and issue enforcement notices; failure to comply with an enforcement notice is an offence. Penalties are expressed in penalty units (one penalty unit equals GHS12). Under Section 56, selling or offering to sell personal data is an offence punishable by a fine of up to two thousand five hundred penalty units, imprisonment of up to five years, or both, while broader unspecified offences can attract up to five thousand penalty units or ten years. To raise the profile of compliance, the DPC, led by Executive Director Dr Arnold Kavaarpuo, launched a DPC Privacy Seal in December 2025: a visible certification carrying a scannable QR code, with nationwide enforcement beginning in January 2026 and organisations urged to regularise compliance by 31 December 2025.
Cybersecurity and electronic transactions
The Cybersecurity Act, 2020 (Act 1038) was passed on 6 November 2020, assented on 29 December 2020, and the Cyber Security Authority (CSA) began operations on 1 October 2021. It regulates critical information infrastructure (CII), licenses cybersecurity service providers, accredits practitioners, and mandates incident reporting within 24 hours to the relevant Computer Emergency Response Team. A Cybersecurity (Amendment) Bill, 2025 went out for public consultation, extending the CSA's powers. The Electronic Transactions Act, 2008 (Act 772) gives legal recognition to electronic records and digital signatures, sets consumer-protection rules for e-commerce, and tasks the National Information Technology Agency (NITA) with facilitating a Certifying Agency.
The National AI Strategy as soft law
Ghana's National Artificial Intelligence Strategy (2025-2035) was released by the Ministry of Communication, Digital Technology and Innovations on 12 December 2025 and formally launched by President John Dramani Mahama on 24 April 2026 at the Labadi Beach Hotel in Accra, having been reviewed and approved by Cabinet after the Mahama administration took office in January 2025. The strategy is built around eight pillars and 73 corresponding key policy recommendations, with eight target sectors: healthcare, transportation, agriculture, energy, financial services, culture, lands and natural resources, and the environment and circular economy. It proposes an independent, well-resourced Responsible AI Authority (RAI Authority), to be established within the first year, modelled on Singapore's National AI Office, Egypt's National AI Council and the United Kingdom's Office for AI. Crucially, the RAI Authority is framed as a coordinating, implementation and monitoring body, not as an enforcement regulator with statutory powers. The strategy is fully aligned with the UNESCO Recommendation on the Ethics of Artificial Intelligence and relies on existing data-protection and cybersecurity law plus disseminated ethics guidance rather than proposing a new binding AI statute or an EU-style risk-tiered regime. It is backed by financial commitments: at the launch President Mahama confirmed a 250 million US dollar national AI computing centre, and the document sets out a National AI Fund that will start with GH5 billion (2025-2030) before scaling to GH15 billion (2030-2035), alongside a target of GH200 billion in foreign and private investment and a GH500 billion contribution to GDP by 2035.
The Data Protection Bill, 2025: where binding AI duties may appear
The clearest move toward statutory AI duties is the Data Protection Bill, 2025, published as an early draft for stakeholder consultation in October 2025 and championed by the Minister for Communication, Digital Technology and Innovations at the 2026 Data Protection Conference in March 2026. The Bill would repeal and replace Act 843, rename the regulator the Data Protection Authority, and introduce explicit obligations for automated decision-making: such decisions would have to be explainable, contestable and subject to human oversight, with periodic audits for AI in critical sectors. It would also add a cross-border transfer regime, data-localisation rules for sensitive categories, and a data-ownership concept. It is a bill, not yet law, and could change before passage.
The regional and continental layer
Ghana sits inside several overlapping frameworks. It ratified the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention) on 3 June 2019; the Convention entered into force on 8 June 2023. Ghana is also bound by the ECOWAS Supplementary Act on Personal Data Protection (2010), now under revision. At continental level, the AU Continental AI Strategy was endorsed by the AU Executive Council at its 45th Ordinary Session, held in Accra on 18-19 July 2024, and takes a development-focused, ethics-led approach that leans heavily on data governance rather than prescriptive AI rules.
Sector regulators and sandboxes
Sectoral regulators fill gaps. The Bank of Ghana launched a Regulatory and Innovation Sandbox in February 2021, developed with EMTECH, to let fintech firms test innovative products under supervision; it has admitted cohorts including firms working on virtual assets. This sandbox model is the closest Ghana currently has to a structured, supervised testing environment for data-driven and AI-enabled financial products.
Examples
A fintech lender using an AI credit-scoring model on Ghanaian customers must register with the Data Protection Commission as a data controller, process applicant data lawfully and securely, and respond to breaches. Under the Data Protection Bill, 2025, if enacted, it would additionally have to make automated lending decisions explainable and contestable and provide human review. It may also test a novel model inside the Bank of Ghana Regulatory Sandbox before full launch.
A hospital deploying an AI diagnostic tool processes special-category health data, triggering heightened care under Act 843 and, if its systems are designated critical information infrastructure, registration and 24-hour incident reporting to the Cyber Security Authority under Act 1038. Health is named among the critical sectors that would face periodic AI audits under the proposed Data Protection Bill, 2025.
A public-sector body piloting AI for service delivery falls under Act 843 (each government department is treated as a data controller) and under the National AI Strategy's call for procurement standards, documentation and auditability, with the proposed Responsible AI Authority intended to coordinate such pilots across ministries.
Common misunderstandings
"Ghana has an AI law." It does not. There is no standalone AI Act in force; AI is governed through data-protection, cybersecurity and electronic-transactions statutes plus national strategy.
"The National AI Strategy is binding regulation." It is policy and soft law. It sets direction and proposes institutions, but it does not create enforceable AI rules or penalties on its own.
"No AI law means no compliance duty." Wrong. If your AI touches personal data, Act 843 already imposes registration, lawful-basis, security and data-subject duties today.
"The Responsible AI Authority will police AI." As described in the strategy, it is a coordination, implementation and monitoring body, not a statutory enforcement regulator. Enforcement still runs through the DPC and CSA.
"The Data Protection Bill, 2025 is already in force." It is a bill out for consultation. The operative law remains Act 843 until Parliament passes a replacement.
Risks and boundaries
The main boundary is legal status. Ghana's AI governance is a patchwork of general law plus non-binding strategy, not a comprehensive AI code. That creates uncertainty: duties for AI specifically (explainability, human oversight, audits) live mainly in a bill that has not passed and could change. Treating the National AI Strategy or the proposed Responsible AI Authority as if they were enforceable regulation is a misapplication; they are policy instruments.
There are also internal inconsistencies in the public record. Some sources label the national strategy "2023-2033" (the original draft timeframe under the previous administration) while the launched December 2025 document is titled "2025-2035." Similarly, the coordinating body is most precisely the "Responsible AI Authority," though some commentary calls it the "Responsible AI Office." Cross-border transfer rules under Act 843 are thin, with explicit transfer and localisation regimes only proposed in the 2025 Bill. None of this is legal advice; organisations should verify current effective dates and obligations against primary sources and qualified Ghanaian counsel.
What to do next
First, treat data protection as the live obligation now: confirm DPC registration, renew every two years, document your lawful basis, and run a data-protection impact assessment for any AI that processes personal data. Second, map whether your systems are critical information infrastructure under the Cybersecurity Act, and if so put incident reporting and audit readiness in place. Third, build AI governance to where the law is heading: explainability, human oversight and contestability for automated decisions, plus periodic review for high-stakes use, which mirrors the Data Protection Bill, 2025. Fourth, if you are in financial services, consider the Bank of Ghana Regulatory Sandbox for novel models. Fifth, track three triggers that should change your plan: passage of the Data Protection Bill, 2025; establishment and empowerment of the Responsible AI Authority; and any move from strategy to binding AI regulation signalled by Parliament.
FAQs
Does Ghana have a dedicated AI law?
No. As of mid-2026 there is no standalone AI statute in force. AI is regulated indirectly through the Data Protection Act, 2012 (Act 843), the Cybersecurity Act, 2020 (Act 1038) and the Electronic Transactions Act, 2008 (Act 772), supported by national strategy.
Has Ghana's National AI Strategy been formally adopted?
Yes. It received Cabinet approval and was formally launched by President Mahama on 24 April 2026. It is policy and soft law, aligned with the UNESCO ethics recommendation, not binding AI regulation.
Who regulates data and AI-related processing in Ghana?
The Data Protection Commission enforces Act 843, and the Cyber Security Authority enforces the Cybersecurity Act. The proposed Responsible AI Authority would coordinate AI implementation, not enforce.
What would the Data Protection Bill, 2025 change for AI?
It would replace Act 843, rename the regulator the Data Protection Authority, and require automated decisions to be explainable, contestable and subject to human oversight, with audits for critical sectors. It remains a bill.
Must my company register to use AI on personal data?
If you process personal data in Ghana you must register with the Data Protection Commission as a data controller and renew every two years, regardless of whether AI is involved.
Is Ghana part of regional AI and data frameworks?
Yes. Ghana ratified the AU Malabo Convention, is bound by the ECOWAS Supplementary Act on data protection, and the AU Continental AI Strategy was endorsed in Accra in July 2024.
Is there a sandbox for AI products?
The Bank of Ghana operates a regulatory sandbox for fintech innovation. There is no general cross-sector AI sandbox in force, though the National AI Strategy calls for AI sandboxing environments.