National data protection authorities seem to get the most attention when they impose fines and penalties for violations of data protection laws and regulations. Consider, for example, the Italian DPA, which imposed the highest privacy fine ever issued by a European authority — in the amount of 5,880,000 euros — on a U.K. company for its violation of Italian laws on consent. Or France’s CNIL, which, in May 2017, levied a fine of 150,000 euros on social networking site Facebook for its breach of the French Data Protection Act. And, in February of this year, the U.S. Federal Trade Commission and New Jersey Division of Consumer Affairs reached a $2.2 million settlement with VIZIO, Inc., for allegedly installing data-gathering software on TV devices it sold without the knowledge of its customers.
These examples certainly help catch privacy professionals’ attention, and can even help them convince their leadership to invest in privacy – the hefty penalty scheme under the forthcoming General Data Protection Regulation (up to 4 percent of global turnover) is eye-catching to say the least. But these fines can also create the impression that a DPA’s primary role is to yield the enforcement club.
There are, however, many other ways in which the activities of national or regional DPAs can positively and directly affect businesses. This year, the International Conference on Data Protection & Privacy Commissioners conducted its first census of member DPAs to, among other things, shed light on their varying activities. The IAPP was granted access to data in the census results, and this article summarizes some of the findings on DPAs’ activities.
DPAs respond to complaints but also educate
According to the census, the most common role for a DPA to engage in is to handle complaints. Almost all DPAs encourage people who believe that their data have been illegally collected or misused to file a complaint directly with them, and many offer forms on their website enabling users to do so freely. Over the past several years, the number of complaints received by DPAs has risen by double-digits, even doubling in some countries.
Most DPAs are also involved in compliance, investigations, and enforcement of privacy and data protection laws and regulations. Ireland’s Data Protection Commissioner (DPC), for example, has authority under the section 10 of the Data Protection Acts of 1998 and 2003 to “launch investigations on her own initiative.” According to the results of the ICDPPC’s member census, DPAs accepted an average of around 1,400 cases for investigation in 2016. The clear leader of the pack was the U.K.’s Information Commissioner’s Office (ICO), which reported taking on more than 17,000 individual concerns and more than 2,000 self-reported incidents.
DPAs also carry out audits and inspections, which can be used as tools for ensuring compliance and are usually done during an investigation. DPA investigations are anything but symbolic activities: The results of the ICDPPC study also reveal that most DPAs (approximately 80 percent) have the power to make binding decisions in individual cases. Of the ones that do not, most of them (approximately 90 percent) can refer the case to another authority with decision-making power.
DPAs have different methods for determining which entities to inspect. The European Data Protection Supervisor, for example, makes its inspection decisions using risk analysis. This approach is in line with a draft protocol recently circulated by the Centre for Information Policy Leadership, which recommends that “DPAs should take an evidence-based approach to determining the priority risks in their area of responsibility, and should allocate resources where they would be most effective in addressing those priority risks.”
A large majority of DPAs also report engaging in some form of public outreach or education, maintaining open lines of communication with and providing information to members of the public. Virtually all DPAs have a digital presence online, from websites to Twitter accounts, Facebook pages, and YouTube channels. In addition, nearly all DPAs publish an annual report, while most (64 percent) also report publicly on the cases they have handled.
Beyond these activities, many DPAs also take additional steps to educate members of the public about privacy and data protection issues. An exemplar in this regard is Norway’s Datatilsynet, which teamed up with the Norwegian Ministry of Education and Research to highlight children’s right to privacy, as established by the United Nations Convention on the Rights of the Child. Aiming mainly at parents and staff in kindergartens, the Norwegian DPA produced school posters (in Norwegian), an instructional video for parents (in English), and a music video for children (with English subtitles) to inform them about issues of consent around photography and photo-sharing. Other pieces of the educational campaign included organizing a seminar and launching a website and a blog to coincide with Safer Internet Day, which occurs on February 6. (This initiative also took home one of this year’s inaugural ICDPPC Global Privacy and Data Protection Awards.)
The large majority of DPAs also report playing a role in advocating for privacy rights and legislation, while about two-thirds of them are engaged in registry activities. Meanwhile, fewer than half of DPAs worldwide are involved in some form of mediation or arbitration, which is the least common role amongst those examined in the ICDPPC’s member census. DPAs that are involved in mediation tend to work in collaboration with other bodies. Singapore’s Personal Data Protection Commission, for example, has reached an understanding with the Consumers Association of Singapore (CASE) and the Singapore Mediation Centre (SMC) in which data protection cases are referred to these bodies when both the individual and the organization consent.
Lastly, about half of DPAs conduct some form of policy-related research. A prominent example of this comes from the Information and Privacy Commissioner of Ontario, which produced a series of reports on the critical topic of de-identification. Notable research has also been carried out by Canada’s Office of the Privacy Commissioner, which explored potential enhancements to consent in a discussion paper.
Beyond their power to impose fines and sanctions, DPAs play a variety of roles in the governance of privacy and data protection. A better understanding of these roles — from how they handle complaints, launch investigations, and carry out inspections, to how they seek to engage with and educate members of the public — can help businesses to mitigate uncertainty in a world where even the unlikeliest of privacy and data protection risks can carry severely harmful consequences.
Many DPAs participate in the ICDPPC (the “Conference”), joining working groups and committees, and often working on Resolutions to guide privacy and data protection policy globally. A summary of those Resolutions, by topic, can be found here.
If you want to comment on this post, you need to login.