Section 13.46(1) of the Liberia Electronics Transaction Law (2002) states that: “a person who has access to any record, book, register, correspondence, information, document or other material in the course of performing a function under or for the purposes of this Law shall not disclose or permit or suffer to be disclosed such record, book, register, correspondence, information, document or other material to any other person”. However, Section 13.46(2) of the Act provides that the above-quoted provision of Sub-section 1 does not apply to disclosure:
- Which is necessary for performing or assisting in the performance of a function under or for the purposes of this Law;
- For the purpose of any criminal proceedings in Liberia or elsewhere;
- For the purpose of complying with a requirement made under a rule of law with a view to instituting a criminal proceeding in Liberia or elsewhere; or
- Under the direction or order of a court.
Data Privacy Protection Laws.
Definition of Personal Data
Personal Data is not defined by existing laws. Data is however, defined variously by different statutes and legal instrument in Liberia as follows:
- Financial Intelligence Unit Act of 2012: “Data" means: representations, in any form, of information or concepts”.
- Central Bank of Liberia (“CBL”) E-Payment Regulation: “Data integrity” means “the assurance that information that is in-transit or in storage is not altered without authorization”
- The ECOWAS Supplemental Act of which, Liberia is a signing member defines personal data as “any information relating to an identified individual or who may be directly identifiable by reference to an identification number or one or several elements related to their physical, physiological, genetic, psychological, cultural, social, or economic identity”. Accordingly, it can be concluded that that (i) cards numbers and (ii) account numbers from which a person can be directly identified qualify as sensitive personal information/data.
Definition of Sensitive Personal Data
There is no Liberian law that defines sensitive persona data.
No specific national data protection agency or authority exists in Liberia, and besides a broad statement in the Liberian Constitution that “no person shall be subjected to interference with his privacy of person, family, home or correspondence except by order of a court of competent jurisdiction”, there is no dedicated privacy law whether of person or in respect of data, not to mention any dedicated data protection authority.
Admittedly, Liberia is a signatory to The ECOWAS Supplemental Act of which, requires member States, including Liberia, to establish National Data Authority within their jurisdiction. However, Liberia has not yet established such authority.
In terms of “Spatial Data”, Liberia Institute of Statistics and Geo-Information Services (LISGIS) is the public agency responsible for the collection of statistical and geographic information that are used to produce maps."
However, entity(ies) whose business requires the collection of data are required to register and receive the requisite permit/license from the government entity controlling/overseeing the sector in which the entity(ies) would be conducting business. Every permit/license issued by the requisite government authority is renewable.
There is no known or publicly designated Protection Officer, or Officers in Liberia. In the same vein, there is no law requiring the appointment or creation of such posts whether in public or private entities dealing with data.
As used in the National Information and Communications Technology Policy of 2019, the term “data collector” refers to any entity, institution or person – governmental or private – that gathers information of an individual/a consumer for the use and identification of the individual/consumer in its business/line of work.
In respect of the processing of data, the Central Bank of Liberia “E-Payment Regulation” states in 19.1 that “All e-payment service providers shall maintain privacy and confidentiality of customer information and data, unless sharing customer information and data is authorized by the customer or on a court order or in keeping with the AML/CFT Regulations for Financial Institutions in Liberia.”
Section 19.2 provides that the conditions under which customer information and data will be kept shall be disclosed before the customer enters into agreement with the Authorized Institution while Section 19.3 states that “Provisions of data protection including confidentiality shall be in tandem with all relevant laws”.
The CBL Act restricts the unauthorized transfer of customer’s information. Section 3.3 of the Central Bank of Liberia (“CBL”) Regulation Concerning Consumer Protection and Market Conduct provides that: “a relevant financial institution shall exercise the maximum protection of consumer’s information and shall not disclose any information about a consumer to a third party except where (i) the institution is required by law to disclosed such information, or (ii) the disclosure is made with the expressed consent of the consumer”. It also provides that “each relevant financial institution shall have in place information security guidelines or policies, a secured database, and procedures for handling of customers’ information. The guidelines or policies shall cover the information technology (IT) risk management system with respect to customer’s information protection.”
Section 9.1 of the CBL Regulations Concerning the Licensing and Operations of Electronic Payment Services in Liberia (“E-Payment Regulation”) provides as follows:
- “All e-payment service providers shall ensure that personal information of customers obtained during the course of operations is used, disclosed, retained and protected as agreed”; and
- “They shall ensure the security, Integrity, Confidentiality and Availability of data and services by adopting prevailing international standard(s) as well as those prescribed by Central Bank of Liberia from time to time.”
There is generally no breach notification requirement, nor any dedicated agency or entity to which such notification must be made.
Mandatory breach notification
Whenever a private action is contemplated through the courts, it is mandatory that the accused is apprised of the matter in order to inform the prospective defendant of the allegation against him or her. This is usually accomplished through the issuance of the appropriate Writ issued by the court which is served upon the Defendant.
Enforcement is generally by a private right of action, but there are few administrative sanctions under some statutes and regulations, such as regulations governing the financial, insurance and telecommunications sectors, for violation of customer privacy by divulging confidential information without authorization.
Section 13.46(1) of the Liberia Electronics Transaction Law (2002) states that: “a person who has access to any record, book, register, correspondence, information, document or other material in the course of performing a function under or for the purposes of this Law shall not disclose or permit or suffer to be disclosed such record, book, register, correspondence, information, document or other material to any other person”. However, Section 13.46(2) of the Act provides that the above-quoted provision of Sub-section 1 does not apply to disclosure:
- Which is necessary for performing or assisting in the performance of a function under or for the purposes of this Law;
- For the purpose of any criminal proceedings in Liberia or elsewhere;
- For the purpose of complying with a requirement made under a rule of law with a view to instituting a criminal proceeding in Liberia or elsewhere; or
- Under the direction or order of a court.
There are no specific provisions under Liberian laws relating to on-line privacy. However, data collectors are required to exercise the maximum protection of consumer’s protection and shall not disclose any information about a consumer to a third party except where (i) the institution is required by law to disclosed such information, or (ii) the disclosure is made with the expressed consent of the consumer. Data collectors are required to ensure the integrity and adequacy of their IT and Security system.