Not a Blank Cheque: An Analysis on Legitimate Interest for Lawful Data Processing in Ghana

Introduction

In recent times the conversation on lawfulness of data processing has come up once more especially during Ghana’s electioneering period in 2024, professionals have argued that the sharing of electoral data consisting of personal information of voters, between the Electoral Commission and political parties through which some political parties have processed personal data for political party marketing cannot be justified under legitimate interest.

The concept of legitimate interest has emerged as one of the most debated lawful basis for the processing of personal data under modern data protection regimes. It offers organisations a degree of flexibility in processing personal data without explicit consent from data subjects. However, it also imposes a responsibility to ensure that such processing does not infringe upon the fundamental rights and freedoms of individuals. In Ghana, the Data Protection Act, 2012 (Act 843) provides the legal framework for the collection, use, and processing of personal data, with legitimate interest appearing as one of the grounds for lawful data processing. This article examines the scope of legitimate interest within the Ghanaian data protection regulatory regime, its legal foundations, the conditions under which it may be lawfully applied, and the inherent challenges that arise in balancing organisational needs with individual privacy rights.

As Ghana continues to advance in digital governance, business operations, and electoral processes, the interpretation and application of legitimate interest have become increasingly relevant. Whether in the context of financial services, electoral data management, corporate data processing, or public administration, organisations are often faced with the question of whether their data processing activities can be justified on the basis of legitimate interest. The issue becomes even more critical when considering sectors where the processing of personal data involves sensitive information such as biometric data, health records, financial transactions, or voter registration details. The central question, therefore, is whether an organisation can claim legitimate interest as a justification for processing personal data in a manner that does not override the rights of data subjects.

This article will provide an in-depth legal analysis of the application of legitimate interest in Ghana, drawing from statutory provisions, regulatory perspectives, and international best practices. In doing so, it will explore the various conditions that must be met before a data controller or processor can successfully rely on legitimate interest as a lawful basis for processing personal data.

The Legal Foundations of Legitimate Interest in Ghana

The Data Protection Act, 2012 (Act 843) serves as Ghana’s principal legal framework governing the protection of personal data. The Act mandates that all processing of personal data must be conducted lawfully, fairly, and in a manner that ensures the privacy rights of data subjects are protected. Under Section 20(1)(e) of Act 843, personal data may be processed without the prior consent of the data subject where such processing is necessary to pursue the legitimate interest of the data controller or a third party to whom the data is supplied, this is one of the six (6) grounds offered for lawful data processing activities by the Act. However, the application of this provision is not absolute. The Act further provides that where the data subject objects to the processing of their personal data, the data controller must cease such processing unless there is an overriding legal justification for continuing the data processing activity.

A core principle underlying legitimate interest in Ghana is that data processing must be done in a reasonable and necessary manner. This principle is enshrined in Section 18 of Act 843, which states that personal data must be processed without infringing on the privacy rights of the data subject, in a lawful manner, and in a way that is proportionate to the intended purpose. This provision aligns closely with international data protection principles, including those found in the European Union’s General Data Protection Regulation (GDPR), particularly Article 6(1)(f), which recognises legitimate interest as a lawful basis for data processing provided it does not override the fundamental rights and freedoms of the data subject.

The minimality principle, as set out in Section 19 of Act 843, further restricts the scope of legitimate interest by requiring that personal data may only be processed if the purpose for which it is being processed is necessary, relevant, and not excessive. This provision acts as a safeguard against the arbitrary use of legitimate interest to justify the processing of data that is not essential for achieving a stated objective.

?

The Three-Part Test for Legitimate Interest

For an organisation to successfully rely on legitimate interest as a lawful basis for processing personal data, a three-part test must be satisfied. This test, which has been widely adopted in data protection jurisprudence, ensures that data controllers carefully assess whether the processing meets legal and ethical requirements.

The first step in the three-part test is the Purpose Test, which requires the data controller to identify a specific, lawful, and legitimate interest that justifies the processing of personal data. This interest may be commercial, legal, operational, or related to public safety. However, it must be substantially beneficial either to the organisation or to a wider section of society. For instance, a financial institution may have a legitimate interest in processing customer data to prevent fraud, just as an employer may have a legitimate interest in monitoring employee activities to ensure workplace security. In both cases, the interest must be genuine and clearly defined.

The second step is the Necessity Test, which requires the data controller to demonstrate that the processing is necessary to achieve the legitimate interest and that no less intrusive means are available. This means that the processing of personal data should be proportionate to the purpose being pursued. If the same objective can be achieved through a different method that has a lesser impact on data subjects, then legitimate interest cannot be relied upon. For example, if an online retailer seeks to process customer data for personalised marketing, it must show that such processing is essential for business operations and that alternative means—such as obtaining explicit consent—are either impractical or insufficient.

The final step is the Balancing Test, which requires an evaluation of whether the interests, rights, and freedoms of the data subject override the legitimate interest being pursued. If the processing is likely to cause harm, distress, or an undue privacy intrusion, then it cannot be justified under legitimate interest. In cases where data subjects would not reasonably expect their data to be processed in a particular manner, the balancing test is likely to favour the individual’s privacy rights. For example, if a hospital were to use patient medical records for marketing health-related products, such use would likely fail the balancing test as it would be deemed an excessive invasion of patient privacy.

?

The Challenges of Applying Legitimate Interest in Data Processing

Despite the flexibility it provides, legitimate interest is not a blanket justification for unrestricted data processing. One of the major challenges in applying this principle is the subjectivity involved in assessing the balancing test. Unlike consent, which is explicit and clear, legitimate interest requires organisation's to engage in a case-by-case analysis to determine whether processing is justified. This can create uncertainty, particularly in sectors where the impact on individual privacy is not immediately quantifiable.

Another challenge arises in cases where data subjects are unaware that their data is being processed under legitimate interest. While Ghanaian law requires that individuals be informed of how their data is being used, many organisation's fail to provide clear and comprehensive privacy policies, making it difficult for individuals to object to such processing.

The lack of detailed regulatory guidance on legitimate interest in Ghana further complicates its application. While the Data Protection Commission (DPC) is tasked with overseeing compliance with Act 843, there is currently no standardised framework for conducting a legitimate interest assessment (LIA). In contrast, jurisdictions such as the United Kingdom have clear guidelines from the Information Commissioner’s Office (ICO), which help organisation's determine when legitimate interest is appropriate.

?

Recommendations

Legitimate interest is a valuable tool for organisations seeking to process personal data in a manner that is lawful, necessary, and proportionate. However, its application must be carefully controlled to prevent undue interference with individual privacy rights. The Data Protection Act, 2012 (Act 843) provides a foundation for determining when legitimate interest may apply, but organisations must ensure that they meet the three-part test before relying on this basis for processing.

To enhance legal certainty and promote responsible data processing, the Data Protection Commission (DPC) should issue clear guidelines on how organisations should conduct legitimate interest assessments. Additionally, businesses and public institutions should implement transparency measures, ensuring that individuals are fully informed about how their data is processed.

Ultimately, the balancing of legitimate interest against privacy rights requires a nuanced approach, one that takes into account both the needs of organisations and the fundamental rights of individuals. By adhering to established data protection principles, Ghana can foster a responsible data governance culture that supports both economic growth and the protection of personal data.

Endnotes

Data Protection Act, 2012 (Act 843), Section 20(1)(e).

GDPR, Article 6(1)(f).

Information Commissioner's Office (ICO) Guidance on Legitimate Interests.

?

The Writer

Desmond Israel Esq. founder of Information Security Architects Ltd and he is a lecturer of Law & Technology, and e-Commerce Law at the Ghana Institute of Management and Public Administration (GIMPA) Law School. He is also a lawyer and technology law expert with an LL.M in National Security and Cybersecurity from George Washington University as a GWLaw Merit Scholar. He was a former fellow with the Center for AI and Digital Policy in Washington DC. Email: desmond.israe