Emmanuel Kwasi Gadasu 

CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||

When Silence Becomes Complicity in Cyber Harassment by Loan Apps

I was outraged when the Cyber Security Authority on the May 31, 2025 issued a PUBLIC ALERT titled: Resurgence in Cyberbullying by Digital Lending Mobile Application Owners – Ref: CSA/CERT/MPA/2025-05/01. I had no option than to write this piece to register my displeasure about how most government agencies would wait till the worse happens before taking action – government institutions are known to be REACTIVE instead of being PROACTIVE . I hope this piece gets to the

It is 2025, and yet, Ghana finds itself under siege—not from foreign adversaries or economic collapse, but from a silent, growing crisis festering in the digital ecosystem: cyberbullying, extortion, and harassment spearheaded by illegal digital lending mobile applications. And yet, what do we have to show for it?

A public notice. Not a crackdown. Not an arrest. Not a coordinated digital sweep. Just another warning to the Ghanaian people, as if warnings ever protected anyone from predators.

Between January and May 2025, the Cyber Security Authority (CSA) received 377 reports of abuse linked to these apps, up from 218 cases for the entirety of 2024. That alone is alarming. But what’s more horrifying is the silence of the very institutions we fund to act. The Bank of Ghana, the Data Protection Commission (DPC), National Communications Authority (NCA), NITA, the Ministry of Communications and Digitalization, and even the National Security Secretariat seem content watching from the sidelines.

This is not a technical glitch. This is a national disgrace.

A Blatant Violation of Multiple Laws

These predatory apps violate:

• Act 930: The Banks and Specialised Deposit-Taking Institutions Act, which governs financial operations. Most of these apps are not licensed or registered.

•Act 843: The Data Protection Act, 2012, which requires that data controllers (including digital loan apps) register with the DPC and outline how they use personal data. Not one of these apps has complied.

•Cybersecurity Act, 2020: The Act empowers the CSA to investigate and coordinate cybersecurity responses. Yet, where is the enforcement?

•Criminal Offences Act, 1960: These apps engage in criminal extortion, blackmail, and fraud.

Despite this, the perpetrators roam freely, manipulating digital loopholes while ordinary Ghanaians suffer.

When Data Becomes a Weapon

Here is how they operate:

1. A user installs the app.

2. Without explicit consent or action, a small loan is deposited.

3. A week later, the extortion begins:

o Fake nude photos

o Threats of exposure

o Public shaming

o Harassment of friends and family

Even after repayment, harassment continues. It’s not a financial service; it’s a criminal enterprise cloaked as fintech. Where do these apps get their access to your photos, contacts, and ID? YOU grant it during installation—sometimes unknowingly—and they use that data to wage psychological warfare.

Global Lessons Ignored

•India: Multiple suicides have been linked to these practices. In 2021 alone, several deaths across Andhra Pradesh and Telangana were reported due to loan app harassment. India cracked down, banned several apps, and jailed operators.

•Nigeria: The Federal Competition and Consumer Protection Commission (FCCPC) shut down illegal digital lenders, arrested operators, and collaborated with Google to remove them.

•Uganda: Authorities detained individuals operating illegal loan apps and permanently banned several platforms from the Google Play Store.

Ghana has all the legal frameworks. What we lack is political will and institutional courage.

Who Is Accountable?

Let’s name the institutions that must act:

• Bank of Ghana: Why are these apps operating financial services without licenses?

• Data Protection Commission: Where is the enforcement of data controller registration?

• Cyber Security Authority: Why no arrests? Why no shutdowns?

• National Communications Authority: How are these apps still online?

• NITA: Where are the guidelines for app hosting and enforcement?

• Ministry of Communications and Digitalisation: Where is the policy action?

•National Security: If blackmail and psychological abuse aren’t security issues, what is?

Immediate Steps

1. Immediate removal of all listed apps from the Google Play Store and Apple App Store.

2. Public database of unregistered or non-compliant apps.

3. Investigations and prosecution of operators of these platforms.

4. Freeze the bank and mobile money accounts associated with these apps.

5. Public enforcement update every 30 days.

6. Public education campaign warning citizens of the risks.

7. Joint task force activation under the Cybersecurity Act to coordinate all actions.

History Is Repeating Itself

We’ve been here before:

• Menzgold: Silence led to mass loss of investments.

• DKM Microfinance: State inaction caused thousands of livelihoods to collapse.

•Collapsed Banks: Regulators ignored early signs.

If we let this fester, the next tragedy is inevitable. It may not be financial—it could be emotional, psychological, or even loss of life.

A National Call to Action

To the CSA, DPC, BoG, NCA, and every regulator responsible: You are not doing us a favor. You are doing your job. We, the people of Ghana, fund your operations with our taxes. We deserve more than a warning. Let us not wait for a life to be lost or a protest to erupt before action is taken. These institutions have the authority, the legal backing, and the tools. What is missing is the will. The time to act is not tomorrow. It is today.

#ProtectOurData #GhanaDeservesBetter #LoanAppHarassment #WhereAreTheRegulators #CyberSecurityNow

Emmanuel Kwasi Gadasu

CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||

Published May 23, 2025

The recent news about Jennifer Lopez reportedly being sued for sharing a picture she didn’t hold the copyright to highlights a fascinating and often misunderstood intersection of law: copyright, privacy, and personal data. While the image itself undeniably depicts her, a data subject under data protection laws (GDPR), the act of sharing it can trigger an entirely different legal framework. This article will delve into what copyright and privacy entail, their fundamental differences, and at what point the sharing of personal data by the data subject themselves can become a copyright issue.

What is Copyright?

Copyright is a legal right that grants the creator of an original work exclusive rights to use and distribute that work. This means only the copyright holder can reproduce, publish, perform, display, or create derivative works from the original. Copyright protects a wide range of creative expressions, including literary works, musical compositions, artistic creations (like photographs), and software. Crucially, copyright protects the expression of an idea, not the idea itself.

For a work to be copyrighted, it must be original and fixed in a tangible medium. In the context of a photograph, the moment the shutter clicks, if the image is original, copyright automatically vests in the photographer (or their employer, if taken in the course of employment, or whoever they assign the copyright to). The subject of the photograph, even if they are a famous celebrity, generally does not hold the copyright to the image itself.

What is Privacy?

Privacy, in a broad sense, refers to the right of individuals to control their personal information and to be free from unwanted intrusion. It encompasses various aspects, including informational privacy (control over personal data), physical privacy (freedom from surveillance), and autonomy (freedom to make personal decisions).

From a data protection perspective, particularly under the General Data Protection Regulation (GDPR) and most national data protection laws, privacy is primarily concerned with personal data. Personal data is any information relating to an identified or identifiable natural person (data subject). This includes names, addresses, identification numbers, location data, online identifiers, and, critically, images of individuals. The data protection laws (GDPR and many others) grant data subjects significant rights over their personal data, including the right to be informed, the right to access, the right to rectification, and the right to erasure (the “right to be forgotten”). Organizations that process personal data must have a lawful basis for doing so and must adhere to principles of data minimization, accuracy, and security.

 The Key Differences: Copyright vs. Privacy

While both copyright and privacy deal with control and rights, their focus and scope are distinct.

• Subject Matter Copyright protects works of authorship (e.g., a photograph, a song, an article). Privacy protects personal information about an individual (e.g., an individual’s face in a photograph, their name, their address).
• Beneficiary Copyright primarily benefits the creator of the work. Privacy primarily benefits the individual whose data is being processed.
• Nature of Right Copyright is a property right, granting exclusive control over the use and distribution of a creative work. Privacy is a fundamental human right, protecting an individual’s autonomy and control over their personal life.
• Enforcement Copyright infringement often leads to civil lawsuits seeking damages or injunctions. Privacy violations under data protection laws (GDPR and other laws) can result in significant fines imposed by data protection authorities, as well as individual claims for damages.

 When Personal Data Becomes a Copyright Issue (Even for the Data Subject)

This is where the Jennifer Lopez case becomes particularly instructive. While a picture of Jennifer Lopez is undoubtedly her personal data, the copyright to that picture belongs to the photographer who captured it.

Here’s how a personal data (an image) shared by the data subject can become a copyright issue

1. The Photographer Owns the Copyright: When a photographer takes a picture, they generally own the copyright to that image. This is true even if the subject is a celebrity or if the picture is taken at a public event.
2. Using the Image Without Permission: If the data subject (Jennifer Lopez in this case) then takes that copyrighted image and shares it on their social media, publishes it, or uses it for commercial purposes without a license or permission from the copyright holder, they are infringing on the photographer’s copyright.
3. No Automatic Transfer of Copyright: The fact that the image depicts an individual (making it their personal data) does not automatically transfer copyright ownership to that individual. Data protection laws (i.e. GDPR) gives data subjects rights over their data, not over the copyright of the creative work that contains their data.
4. Licensing and Waivers: To avoid copyright infringement, individuals would need to obtain a license from the photographer, which grants them specific rights to use the image. In some cases, a photographer might waive their copyright or assign it to the subject, but this is not the default.
5. Commercial Use vs. Personal Use: While the specifics of “fair use” or “personal use” exceptions can vary by jurisdiction, generally, sharing an image that is publicly available for personal, non-commercial purposes might fall under certain exceptions. However, when a celebrity shares an image on their highly visible social media channels, it can often be seen as a form of promotion or commercial use, even if not directly monetized. This significantly increases the risk of a copyright infringement claim.

In essence, while an image of you is your personal data, and you have privacy rights concerning its processing, the image itself as a creative work is subject to copyright law, which typically vests in the photographer. You have a right to control how your image is used in terms of privacy (e.g., consent for its processing, right to erasure), but you do not automatically have the right to reproduce or distribute the image without the copyright holder’s permission.

Conclusion

The case of Jennifer Lopez underscores the complex interplay between copyright and privacy in the digital age. While data protection laws (GDPR, Act 843, among others) empower individuals with significant control over their personal data, it does not override intellectual property rights. Before sharing any image, even one depicting oneself, it’s crucial to consider not only privacy implications but also the underlying copyright ownership. Understanding these distinct legal frameworks is essential for navigating the increasingly intricate landscape of digital content and personal rights.

Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
Published Jun 9, 2025

We are living in a transformative era where generative artificial intelligence (AI) is rapidly reshaping how we work, create, and communicate. From drafting documents and generating images to automating conversations and solving complex problems, these tools offer what once felt like science fiction—on demand. But beneath the marvel of this innovation lies a less-glamorous, often-overlooked truth: generative AI is built to remember, not to forget. For years, I’ve urged individuals and organizations alike to pause before feeding these systems their most personal, sensitive, or proprietary information. Not out of fear of the future, but out of understanding of the present: once data enters a generative AI model, it’s nearly impossible to guarantee where it goes, how it’s used, or who can access it. That caution was once a theoretical concern. Now it has legal teeth. In a landmark development, a federal court in the case of New York Times v. OpenAI has made clear what many of us in the data privacy world have known all along: AI systems remember more than they should—and often in ways that challenge ownership, accountability, and ethical stewardship.

 The Machine That Doesn’t Forget

At their core, generative AI systems function by learning from vast datasets—millions of articles, conversations, codebases, images, and yes, sometimes even confidential or copyrighted material. These systems are trained to detect patterns, replicate linguistic nuance, and generate content that mimics what humans might say or write. But unlike humans, AI doesn’t forget. A fleeting input—a confidential business strategy, an internal memo, a personal confession—may seem like a drop in the digital ocean. But once it’s entered, it’s no longer fleeting. It becomes part of a system designed to optimize based on accumulated information. And while companies implement privacy policies, redaction tools, and training filters, absolute deletion or isolation of such inputs is nearly impossible after training. This isn’t just a software limitation. It’s a fundamental design principle of how machine learning works.

 The Illusion of Control

Many users—especially in organizations—assume that using AI tools is as secure as using an internal knowledge base. The user interface feels simple. Clean. Trustworthy. But here’s the truth: your data does not disappear when the chat ends. It can be retained in logs, potentially reused for training (depending on terms of service), or even inadvertently surface in future outputs—particularly if systems are misconfigured or improperly deployed. For companies, this can mean accidental exposure of trade secrets. For individuals, a permanent record of personal details they never intended to share publicly. And for society, it raises troubling questions about digital consent, ownership, and long-term consequences. This was precisely the concern raised in New York Times v. OpenAI. The court’s findings signal a new chapter in our reckoning with AI: we can no longer pretend that AI is neutral or forgetful. It isn’t. And it doesn’t.

 We Must Rethink Trust in the Age of AI

The heart of the issue is trust. Not just in AI companies, but in the entire ecosystem that surrounds the development and deployment of generative models. Trust requires transparency: How is the data used? Where does it go? What safeguards are in place? Trust requires consent: Did the individual or organization knowingly agree to have their data absorbed, memorized, and potentially regenerated? Trust requires accountability: If harm is done—if data is leaked, plagiarized, or misused—who is held responsible? Currently, our answers to these questions are murky at best. That’s not just a policy failure—it’s an ethical crisis.

 The Path Forward: Responsible Use, Not Reactive Regulation

We cannot turn back the clock on generative AI. Nor should we. The benefits are real: educational equity, creative empowerment, productivity gains, and access to knowledge at unprecedented scale.

But we must build better guardrails—and fast.

1. Data Minimization by Default: AI tools should collect the bare minimum information required for functionality, and delete transient data wherever possible.
2. Privacy-Aware Design: Privacy must be embedded into the AI lifecycle—from design and data collection to model training and deployment.
3. Organizational Governance: Companies must develop internal AI usage policies that prohibit the input of sensitive data into generative tools and mandate regular audits.
4. User Empowerment: Individuals should be educated not just on what AI can do, but on what it remembers—and how to keep their data safe.
5. Clear Consent and Control: Users must have the right to know if their data was used to train a model—and the ability to opt out.

 Conclusion: A Call to Conscious Use

The age of generative AI is here—and it’s not going away. But neither should our commitment to privacy, ethics, and digital dignity. When we use generative tools, we are not just leveraging convenience—we are participating in a system that collects, remembers, and sometimes reuses what we give it. Let us not confuse innovation with immunity. Let us not confuse access with safety. Let us instead choose to be vigilant, informed, and intentional. Because in the end, what AI remembers is only as responsible as what we choose to teach it. And we all play a role in shaping what it learns.