Criminal Liability for Routine Operations
This provision criminalizes "obtaining" or "disclosing" personal data, with penalties including imprisonment of up to 2 years, but provides no explicit exemptions for legitimate business operations. Data processors receiving data from controllers, service providers accessing customer information to deliver services, and analytics companies processing datasets could face criminal prosecution for routine activities. Unlike GDPR's administrative fines, the criminal penalties create disproportionate risk that will deter investment and market entry, particularly for data-driven businesses and foreign companies considering operations in Ghana.