Consolidating the Right to Data Protection in the Information Age: A Comparative Appraisal of the Adoption of the OECD (Revised) Guidelines into the EU GDPR, the Ghanaian Data Protection Act 2012 and the Kenyan Data Protection Act 2019

The proliferation of ICTs and computational power in processing personal information has long been documented to expose individuals to risks of privacy violations and other fundamental rights abuses. This prompted calls, about five decades ago, for the development of legal regimes laying specific rules to follow when processing personal information, especially with the use of ICTs, in order to protect fundamental individual rights. Deliberations in this direction were undertaken at the OECD, and led to the adoption of the OECD Guidelines of Privacy Protection in September 1980 (revised in July 2013), which listed eight principles of data processing on which national and supranational regimes were expected to build personal data processing laws.

This paper attempts a comparative review on how these principles are consolidated in relevant European and African legislation: that is, between the EU’s GDPR on the one hand and the Ghana and Kenyan data protection instruments on the other. Being a more advanced legal regime in terms of data protection, the GDPR serves here as a measuring rod to examine how the basic OECD Principles are reflected in the personal data processing rights and obligations provided in the Ghana Data Protection Act of 2012 and the Kenyan Data Protection Act of 2019. The paper concludes with a general note that while the Kenyan legislation appears mostly copied from and consolidates OECD data protection principles more or less exactly like the GDPR, the Ghanaian Act offers comparatively less rigorous protection in some areas.