Section 13.46(1) of the Liberia Electronics Transaction Law (2002) states that: “a person who has access to any record, book, register, correspondence, information, document or other material in the course of performing a function under or for the purposes of this Law shall not disclose or permit or suffer to be disclosed such record, book, register, correspondence, information, document or other material to any other person”. However, Section 13.46(2) of the Act provides that the above-quoted provision of Sub-section 1 does not apply to disclosure:
- Which is necessary for performing or assisting in the performance of a function under or for the purposes of this Law;
- For the purpose of any criminal proceedings in Liberia or elsewhere;
- For the purpose of complying with a requirement made under a rule of law with a view to instituting a criminal proceeding in Liberia or elsewhere; or
- Under the direction or order of a court.
Data Privacy Protection Laws.
Definition of Personal Data
Personal Data is not defined by existing laws. Data is however, defined variously by different statutes and legal instrument in Liberia as follows:
- Financial Intelligence Unit Act of 2012: “Data" means: representations, in any form, of information or concepts”.
- Central Bank of Liberia (“CBL”) E-Payment Regulation: “Data integrity” means “the assurance that information that is in-transit or in storage is not altered without authorization”
- The ECOWAS Supplemental Act of which, Liberia is a signing member defines personal data as “any information relating to an identified individual or who may be directly identifiable by reference to an identification number or one or several elements related to their physical, physiological, genetic, psychological, cultural, social, or economic identity”. Accordingly, it can be concluded that that (i) cards numbers and (ii) account numbers from which a person can be directly identified qualify as sensitive personal information / data.
Definition of Sensitive Personal Data
There is no Liberian law that defines sensitive persona data.
No specific national data protection agency or authority exists in Liberia, and besides a broad statement in the Liberian Constitution that “no person shall be subjected to interference with his privacy of person, family, home or correspondence except by order of a court of competent jurisdiction”, there is no dedicated privacy law whether of person or in respect of data, not to mention any dedicated data protection authority.
Admittedly, Liberia is a signatory to The ECOWAS Supplemental Act of which, requires member States, including Liberia, to establish National Data Authority within their jurisdiction. However, Liberia has not yet established such authority.
In terms of “Spatial Data”, Liberia Institute of Statistics and Geo-Information Services (LISGIS) is the public agency responsible for the collection of statistical and geographic information that are used to produce maps."
However, entity(ies) whose business requires the collection of data are required to register and receive the requisite permit / license from the government entity controlling / overseeing the sector in which the entity(ies) would be conducting business. Every permit / license issued by the requisite government authority is renewable.
There is no known or publicly designated Protection Officer, or Officers in Liberia. In the same vein, there is no law requiring the appointment or creation of such posts whether in public or private entities dealing with data.
Section 5.15.1 of the National Information and Communications Technology Policy of 2019 regulates the lawful processing of personal data. Its states that:
- Personal data will be processed fairly and lawfully;
- Personal data will be obtained only for one or more specified and lawful purposes, and will not be further processed in any manner incompatible with their purpose or those purposes;
- Personal data will be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
- Personal data will be accurate and where necessary, kept up to date;
- Personal data processed for any lawful purpose or purposes will not be kept for longer than is necessary for that purpose or those purposes;
- Appropriate technical and organizational measures will be taken against unauthorized or unlawful processing of personal data and the protection of children;
- Data collectors will be required to disclose use of personal data to consumers.
- Collected personal data will be rigorously protected from unauthorized access by any Parties.
Section 51(5) of the Telecommunication Act states that “Service providers shall ensure that customer information and customer communications are protected by security safeguards that are appropriate to their sensitivity”.
Section 3.1.1 of the 2017 AML / CFT Regulations for Financial Institutions in Liberia states that “financial institutions shall obtain and maintain documentary records for each client or customer to verify by reliable and independent source documents (such as a passport, a driver’s license, or national identification documents)”.
Section 3.1.7 of the 2017 AML / CFT Regulations for Financial Institutions in Liberia provides that the required KYC information must be collected before financial institutions establish any relationship with a person. That is, prior to opening a bank account or performing walk in transactional services for non-account holders
The transfer of data out of Liberia is not specifically addressed by any Liberian law. However, Article 36 of the ECOWAS Act, as relied on in Liberia as a secondary source of law, restricts data controller from transferring personal data outside an ECOWAS country except said non-member ECOWAS country provides “an adequate level of protection for privacy, freedoms and the fundamental rights of individuals in relation to the processing or possible processing of such data”. In such a case, the data controller shall notify the Data Protection Authority, which is the Liberia Telecommunications Authority (LTA), prior to transferring any personal data.
Section 9(c) of the CBL E-Payment Regulation (though governing the Banking and Finance sector of Liberia, provides that “the system (used or being used) should be hosted locally to provide ease of support and guarantee data ownership; however, if the system is hosted in another jurisdiction, licensed institutions shall ensure that the information requested are provide promptly and that the CBL has unfettered access to reports generated by the system”.
Section 9.1 of the CBL Regulations Concerning the Licensing and Operations of Electronic Payment Services in Liberia (“E-Payment Regulation”) provides as follows:
- “All e-payment service providers shall ensure that personal information of customers obtained during the course of operations is used, disclosed, retained and protected as agreed”; and
- “They shall ensure the security, Integrity, Confidentiality and Availability of data and services by adopting prevailing international standard(s) as well as those prescribed by Central Bank of Liberia from time to time.”
There is generally no breach notification requirement, nor any dedicated agency or entity to which such notification must be made.
Mandatory breach notification
Whenever a private action is contemplated through the courts, it is mandatory that the accused is apprised of the matter in order to inform the prospective defendant of the allegation against him or her. This is usually accomplished through the issuance of the appropriate Writ issued by the court which is served upon the Defendant.
Enforcement is generally by a private right of action, but there are few administrative sanctions under some statutes and regulations, such as regulations governing the financial, insurance and telecommunications sectors, for violation of customer privacy by divulging confidential information without authorization.
Section 13.46(1) of the Liberia Electronics Transaction Law (2002) states that: “a person who has access to any record, book, register, correspondence, information, document or other material in the course of performing a function under or for the purposes of this Law shall not disclose or permit or suffer to be disclosed such record, book, register, correspondence, information, document or other material to any other person”. However, Section 13.46(2) of the Act provides that the above-quoted provision of Sub-section 1 does not apply to disclosure:
- Which is necessary for performing or assisting in the performance of a function under or for the purposes of this Law;
- For the purpose of any criminal proceedings in Liberia or elsewhere;
- For the purpose of complying with a requirement made under a rule of law with a view to instituting a criminal proceeding in Liberia or elsewhere; or
- Under the direction or order of a court.
There are no specific provisions under Liberian laws relating to on-line privacy. However, data collectors are required to exercise the maximum protection of consumer’s protection and shall not disclose any information about a consumer to a third party except where (i) the institution is required by law to disclosed such information, or (ii) the disclosure is made with the expressed consent of the consumer. Data collectors are required to ensure the integrity and adequacy of their IT and Security system.