Independent Supervisory Bodies


Is there an independent authority that effectively holds government offices accountable for their handling of data protection and privacy issues?

An independent and effective data protection authority exists.
10
France
The country’s national data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), is an independent regulatory authority with several core functions. It advises the government regarding data privacy and the proper implementation of EU regulations in this area (such as the General Data Protection Regulation, or GDPR). It can take the initiative to inspect data controllers to monitor compliance. Finally, individuals can appeal to the CNIL in instances of data privacy infringements. The CNIL can issue warnings and fines, and can even order data controllers to cease their activity. It is thus well equipped to pursue its goals. Despite a modest staff of 225 employees (in 2020) with a budget of €17 million, the CNIL is today a highly respected institution that received 13,585 complaints in 2020 (an increase of more than 60% following the adoption of the EU regulations), leading to a total of 9,057 inquiries.

In practice, the CNIL has not refrained from taking on powerful adversaries, such as Google or Facebook. It has been very effective over the past 40 years and showed particular strengths during the COVID-19 crisis. Its role is widely supported by the public and political elites. In 2020, the authority conducted 247 review processes and imposed 14 penalties entailing financial sums amounting to nearly €140 million. Perhaps the most visible recent example of the CNIL’s power is a €50 million fine imposed in January 2019 against Google for the violation of GDPR principles.

The primary limits on the CNIL’s data privacy protection efforts are its limited means and the challenges presented by a constantly changing information landscape.
Citations:
CNIL. 2021. “La CNIL en bref.” https://www.cnil.fr/fr/cnil-direct/question/la-cnil-cest-quoi
Sweden
The public agency tasked with protecting individual privacy in Sweden is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY in Swedish). The data protection regulatory reform associated with the implementation of the EU’s General Data Protection Regulation (GDPR) in 2018 expanded the agency’s remit, which includes protecting citizens’ personal information, such as health and financial data (IMY, 2024a). Consequently, the IMY has seen significant growth in budget allocation and staff in recent years. By December 2023, the number of employees had reached 132 (109 full-time equivalents), compared to just over 30 employees in 2007 (IMY, 2022, 2024b).

The agency audits both public and private sector organizations – from municipalities to H&M – at all levels of governance. These reports are independent, used as legitimate evidence in court decisions, and reported as such in the media (IMY, 2024c).
Citations:
IMY. 2022. “Integritetsskyddsmyndighetens budgetunderlag 2023–2025.” https://www.imy.se/globalassets/dokument/ovrigt/imys-budgetunderlag-2023-2025.pdf

IMY. 2024a. “Our Mission.” https://www.imy.se/en/about-us/swedish-authority-for-privacy-protections-assignment/

IMY. 2024b. “Integritetsskyddsmyndighetens budgetunderlag 2025–2027.” https://www.imy.se/globalassets/dokument/ovrigt/imys-budgetunderlag-2025-2027.pdf

IMY. 2024c. “Audit reports and decisions.” https://www.imy.se/tillsyner/
Switzerland
Article 13 of the constitution mandates that every citizen must be protected against the abuse of data. Data protection legislation has been in force since 1993. “The Federal Data Protection and Information Commissioner (FDPIC) is the authority responsible for data protection in the case of data processing by private parties (e.g., companies) and by federal bodies. Data processing by municipal and cantonal authorities is the responsibility of the data protection supervisory authorities of the cantons or municipalities. The FDPIC has the following tasks in particular in the area of data protection:

• It supervises data processing by the federal administration and federal-related companies … as well as by private parties (e.g., companies),
• It advises citizens, companies and private organizations as well as the federal administration and federal-related companies.
• It comments on federal legislative projects,
• It exchanges information with domestic and foreign data protection authorities and cooperates with them on a case-by-case basis,
• It raises awareness and informs the public” (FDPIC 2024).

The Federal Data Protection Law was revised in 2020, taking into account the General Data Protection Regulation of the European Union, a regulation that Switzerland had already signed. The Federal Data Protection and Information Commissioner (Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter, EDOEB) had 41 employees in 2023 (FDPIC 2023: 101). A 2011 evaluation of the Federal Data Protection Law attested to the effectiveness, independence and transparency of the EDOEB (Bolliger et al. 2011).
Citations:
Bolliger, Christian, Marius Féraud, Astrid Epiney, and Julia Hänni. 2011. Evaluation des Bundesgesetzes über den Datenschutz. Schlussbericht im Auftrag des Bundesamts für Justiz. Bern/Freiburg: Büro Vatter/Institut für Europarecht, Universität Freiburg.

FDPIC. 2023. “30th Annual Report 2022/2023.” https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/taetigkeitsberichte.html

FDPIC (Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter). 2024. “Data Protection.” https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/auftragundaufgaben-DS.html
9
Australia
The Office of the Australian Information Commissioner (OAIC) supports privacy regulation. The agency is independent and effective, despite challenges posed by recent high-profile data breaches highlighting weaknesses in the information protection architecture across private and public sector organizations (Tran 2023).
Citations:
Tran, D. 2023. “Data Breaches Affecting Millions of Australians Are on the Rise, Information Commissioner Says.” ABC News March 1. https://www.abc.net.au/news/2023-03-01/data-breaches-revealed-by-australian-information-commissioner/102039710
Austria
The Austrian Data Protection Authority (ADPA) has existed since 2013, replacing the former Data Protection Committee. In 2018, the ADPA was restructured, and its staff has been continuously increased since then. The office is headed by a chairperson appointed by the Data Protection Council.

The office and its chairperson are not dependent on the government – they are not obliged to follow any specific government directive. The independence of the office has never been seriously questioned. In recent years, there have been several occasions on which the ADPA demonstrated its willingness to block planned government laws if deemed inappropriate, such as its veto against the use of algorithms by public authorities when dealing with job-seekers in 2020.

More generally, the ADPA has exercised its right to take positions in legislative processes widely and effectively. In 2023, it criticized various aspects of the suggested ORF reform bill (Der Standard 2023). The key focus of the ADPA’s annual agenda in 2023 was on the financial sector (Fonds professionell 2023).

The provision of anonymized administrative data to researchers in Austria remains underdeveloped. While the Austrian Micro Data Center (AMDC) at Statistics Austria provides a platform for accessing some of this data, most governmental administrative data have yet to be delivered to the AMDC.
Citations:
Austrian Data Protection Authority. https://www.data-protection-authority.gv.at/

Der Standard. 2023. “Datenschutzbehörde äußert ernste Bedenken zu ORF-Beitrag.” https://www.derstandard.at/story/3000000034792/datenschutzbehoerde-aeussert-ernste-bedenken-zu-orf-beitrag

Fonds professionell. 2023. “Datenschutzbehörde prüft den Finanzsektor.” https://www.fondsprofessionell.at/news/recht/headline/datenschutzbehoerde-prueft-den-finanzsektor-225930/
Czechia
The Office for the Protection of Personal Data (Úřad pro ochranu osobních údajů, ÚOOÚ) was first established in June 2000. Its chair is chosen by the Senate and confirmed by the president, ensuring independence from the government of the day. The EU General Data Protection Regulation (GDPR), applicable from May 25, 2018, was enshrined in the Personal Data Processing Act 2019 (110/2019). This act implements the EU’s new legal framework, with the ÚOOÚ responsible for its implementation. The ÚOOÚ also handles data processing that does not fall within EU law, such as immigration-related matters. It sets out requirements for processing personal data for criminal law enforcement purposes and some aspects of national security. The intelligence services are required to comply with internationally recognized data protection standards.

The ÚOOÚ has a role in electronic communications and regulates bulk commercial communication and advertising. It supervises compliance with the rules on unsolicited advertising disseminated via electronic means and takes part in cooperation between national authorities responsible for enforcing consumer protection laws.

The new law mandates a range of new activities, and difficulties in recruiting qualified specialists have been identified as a factor limiting the office’s effectiveness. The annual report for 2022 indicates that 1,528 complaints and 664 suggestions were handled. The primary complaints involved using data for marketing purposes, making personal details public, and camera monitoring. Nearly all complaints were resolved through communication with the concerned parties, with very few advancing further. Thirty fines were issued for passing on commercial information, resulting in a total revenue of CZK 948,000. A few cases were referred to the courts. For example, a CZK 40,000 fine against a hospital for its handling of electronic health documentation was upheld by the court.

Data protection issues are covered by the media on a regular basis, and the ÚOOÚ frequently comments on legislation, including that regarding personal identity cards. These cards display an identification number that includes the date of birth and sex, which is necessary for various purposes such as opening a bank account. The ÚOOÚ argued that this information should not be on a document from which it could be easily copied. However, private businesses have complained about the cost of transitioning to a different numbering system.
Citations:
ÚOOÚ. “Annual Report 2022.” https://uoou.gov.cz/media/vyrocni-zpravy/dokumenty/uoou-vz2022-el.pdf
Denmark
Denmark has an independent authority, the Danish Data Protection Agency (Datatilsynet), which monitors the implementation and enforcement of data protection rules. The agency is led by a chairman and six other members appointed by the minister of justice, and its task is to supervise compliance with personal data protection rules. It also provides guidance and advice, handles complaints, and conducts inspections.

The agency primarily addresses cases of principal importance concerning personal data and the laws governing public institutions’ treatment of personal information. It can sanction companies and bureaucracies with fines or demand the cessation of specific programs. For instance, it intervened when a municipality provided insufficiently secure Chromebooks to primary school students (Datatilsynet 2022).

Major recent issues concern the implementation of the General Data Protection Regulation (GDPR).

The agency participates in international cooperative efforts, including within the European Union, and oversees data handling in relation to Schengen and Europol cooperation. Since 25 May 2018, when the European Union’s GDPR went into effect, the agency’s director has represented Denmark on the new European Data Protection Board (EDPB).
Citations:
Datatilsynet. 2022. “Datatilsynet nedlægger behandlingsforbud i Chromebook-sag.” https://www.datatilsynet.dk/afgoerelser/afgoerelser?categorizations=22717
Finland
Finland has two independently operating data protection authorities: the Data Protection Board and the Data Protection Ombudsman. Affiliated with the Ministry of Justice, the Data Protection Board is the primary decision-making agency concerning personal data issues. The Data Protection Ombudsman supervises the processing of personal data in accordance with the objectives of the Personal Data Act of 1999. The Ombudsman’s office has about 40 employees and can be called upon for guidance in private matters or to advise organizations.

The Office of the Data Protection Ombudsman safeguards data protection rights. It is a national supervisory authority that ensures compliance with data protection legislation. This autonomous and independent entity has its ombudsman appointed by the government for a term of five years (Office of the Data Protection Ombudsman 2023).

The Office of the Data Protection Ombudsman has the resources to effectively advocate for data protection and privacy issues in relation to the government.

Data protection has been a significant issue in Finland. In 2020, a private mental healthcare provider, Vastaamo, was blackmailed by online hackers who gained access to electronic records containing sensitive health information. The case is currently being processed in court, with 14,000 charges (YLE 2023).

The data protection authorities have the necessary capacities, structural framework and personnel resources to effectively advocate for data protection and privacy issues in relation to the government. The authorities have the statutory power to access all necessary information and question officials and witnesses to fulfill their mandate. The head of the national data protection authority is appointed in a manner that ensures independence.

The legislature has final consent authority for the removal of the head of the national data protection authority. The financial and personnel resources allocated to the national data protection authority are consistent with the resources it needs to fulfill its mandate. However, decisions regarding these resources are beyond the executive’s discretion.

The activities of the national data protection authority lead to adequate follow-up by the executive branch. The findings of the data protection authority are actively reported in the media and are used by the legislature.
Citations:
Finlex. 1999. “Personal Data Act (523/1999).” https://www.finlex.fi/en/laki/kaannokset/1999/en19990523_20000986.pdf
Office of the Data Protection Ombudsman. 2023. https://tietosuoja.fi/en

YLE. 2023. “Vastaamo Hacking Suspect Faces 14,000 New Data Breach Charges.” https://yle.fi/a/74-20051571
Germany
Following chapter four of the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), the national data protection authority in Germany is the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, BfDI). The BfDI is considered a supreme federal authority responsible for protecting the fundamental right of informational self-determination. It functions as both a supervisory body and an advisor to the Bundestag regarding data protection issues. Additionally, the commissioner is independent in the performance of tasks and the exercise of power, thus free from both direct and indirect external influence (Article 10 BDSG).

While the BfDI operates independently and can choose which audits to undertake, citizens have the right to file a complaint with the commissioner if they believe their rights regarding data protection or access to information have been infringed (BfDI, n.d.). Furthermore, the BfDI has access to all necessary information, as each public authority is obligated to provide all data or information needed by the commissioner to fulfill the relevant tasks (Article 16 BDSG).

The BfDI is elected by the Bundestag, without prior debate, with the votes of more than half of the parliament’s statutory members, at the proposal of the federal government. To be eligible for election, the candidate for the commissioner’s office must be at least 35 years old and possess sufficient qualifications, experience, and skills in the domain of data protection. If elected, the BfDI serves for five years; however, reelection for one additional term is possible. Although the dismissal of the federal commissioner is possible, the standards for removal are high. Removal from office is thus only possible at the request of the president of the Bundestag, either for serious misconduct or because the commissioner no longer fulfills the necessary requirements (Article 11f. BDSG).

Similar to the previously examined Federal Court of Audit, the BfDI, as a federal body, is financed by the federal budget, with the final amount of financial resources depending on political considerations. For the financial year 2024, the federal commissioner is allocated €45 million, making up 0.01% of the total federal budget (Bundesministerium der Finanzen, 2023). With 50 additional positions added in 2022, the BfDI had a personnel budget for 396.4 positions. Eighty percent of these positions were filled, meaning that 301 people worked for the BfDI in 2022 (BfDI, 2023a). (Note that additional data protection authorities exist in each federal state, which significantly increases the budget and the number of people employed in this area.)

The BfDI submits an annual report (Tätigkeitsbericht) detailing its work to the federal government, parliament, and council. The report is also available to the public on the BfDI’s website. Additionally, the authority published 13 press releases in 2022. The media can also submit inquiries to the BfDI. In 2022, the commissioner responded to 413 requests by email and 406 by telephone.

Furthermore, in 2022, the authority was involved in 119 draft laws, 109 regulations, 33 directives, and 12 additional projects initiated either by the European Union or at the national level. While the commissioner criticized the often untimely inclusion of the BfDI, overall inclusion increased by almost 50% (BfDI, 2023a). However, as of April 2022, many recommendations made by the BfDI in his annual reports had not been fully implemented or had not been implemented at all (BfDI, 2023b). Specifically, in his 2022 report, the BfDI criticized that none of the recommendations from the 2021 report were fully implemented. Regarding the legislature, the commissioner serves as an advisor to the parliament. This means the BfDI is included as an expert on data protection in parliamentary committees and supports the parliamentary consultation process through detailed statements on relevant issues (BfDI, 2023a).
Citations:
BfDI. 2023a. “Tätigkeitsbericht 2022, 31. Tätigkeitsbericht für den Datenschutz und die Informationsfreiheit.”
BfDI. 2023b. “Nicht vollständig umgesetzte Empfehlungen des BfDI aus älteren Tätigkeitsberichten.” https://www.bfdi.bund.de/SharedDocs/Downloads/DE/Taetigkeitsberichte/Ausz%C3%BCge/alte-Empfehlungen.html
BfDI. n.d. “Aufgaben und Befugnisse des BfDI.” https://www.bfdi.bund.de/DE/DerBfDI/Inhalte/DerBfDI/AufgabenBFDI.html
Bundesministerium der Finanzen. 2023. “Sollwerte des Haushaltsjahres 2024.” https://www.bundeshaushalt.de/DE/Bundeshaushalt-digital/bundeshaushalt-digital.html
Greece
Greece has a nationally recognized independent data protection authority, the Hellenic Data Protection Authority (DPA 2024), which is acknowledged by the constitution (Article 9A) and tasked with upholding citizens’ rights to personal data protection. Established in 1997 and updated in 2019, the DPA operates in line with corresponding EU Directives and European Council Regulations.

The DPA is empowered to issue decisions that the government and public administration must comply with. It has the necessary resources, organizational structure, and personnel to effectively advocate for data protection and privacy. The DPA independently determines which cases to audit and has the authority to request all necessary information and question officials.

The head of the DPA is selected through a process designed to guarantee independence, as provided by the constitution (Article 101A). The selection process is conducted by a parliamentary committee consisting of the speaker, vice presidents, and other heads of parliamentary committees (the “Conference of Parliamentary Chairmen”). This committee votes by a reinforced majority on the new head of the DPA.

Typically, the DPA is led by a retired high-ranking judge, and its decisions are binding on the government and public administration, although there may be delays in their implementation.

The DPA publishes an annual report, which it submits to parliament. While these findings are sometimes reported in the media and utilized in parliamentary debates, this occurs infrequently.
Citations:
DPA. 2024. “The Hellenic DPA.” https://www.dpa.gr/en

The laws regulating the DPA are Law 2472/1997 and 4624/2019.
Israel
The Privacy Protection Authority, located within the Ministry of Justice, enforces the Privacy Protection Act (1981) and the Digital Signature Act (2001). It regulates and enforces privacy and personal data issues. According to the Privacy Protection Law, the authority is granted regulatory and enforcement power over personal data. It is responsible for protecting all personal information held in digital databases. The regulation includes administrative and criminal enforcement, and applies to all entities (public and private) in Israel that hold or process personal data.

In January 2024, the European Union categorized Israel’s privacy protections as adequate.

The authority has full discretion over the investigations it conducts. Although its budget is part of the Ministry of Justice’s budget, it is managed separately to ensure independence. The chair of the authority must hold qualifications that make them suitable to be appointed as a judge and have no criminal record or indictment. The chair is appointed for a single six-year tenure. These measures ensure independence.

De facto, the findings of the authority are reported mostly in niche media that handle issues of data and privacy, and do not reach the broader public agenda. The authority has the legal tools needed to initiate criminal investigations and uses these tools when necessary.
Lithuania
An independent and effective data protection authority exists in Lithuania. The State Data Protection Inspectorate supervises and controls the enforcement of legal protections for personal data. As a government agency, it has the legal and policy independence necessary to make regulatory decisions. The agency has the discretion to decide which audits it will undertake, planning them regularly based on risk assessments and responding to reported incidents in state and private organizations. For instance, in 2022, it conducted 44 planned audits (compared to 16 in 2021) and 12 audits in response to reported incidents (State Data Protection Inspectorate, 2023).

With more than 25 years of experience and a staff of about 43 in 2022 – an increase of 14 positions compared to 2021 – the agency has the capacity and resources to focus on implementing the EU’s General Data Protection Regulation, which came into force in 2018 (State Data Protection Inspectorate 2023). According to the organization’s 2022 activities report, its key performance indicator – the share of individuals who contacted the Inspectorate and rated its services very positively or positively – reached 92%, exceeding the target of 82%.
Citations:
State Data Protection Inspectorate. 2023. https://vdai.lrv.lt/en/
Norway
The Norwegian Data Protection Authority (DPA) is responsible for holding the government accountable for data protection and privacy issues, and for safeguarding individuals’ privacy rights. Established in 1980, the DPA currently has 68 employees. Although the Director is appointed by the government, the DPA operates with legally granted autonomy. The primary legislation guiding the DPA’s work is the Personal Data Act (PDA), which establishes the general principle that individuals should be able to control how their personal data is used. The PDA implements the EU GDPR in Norwegian legislation.

Through information, dialogue, the handling of complaints, and inspections, the DPA monitors and ensures that public authorities, companies, NGOs, and individuals comply with data protection legislation. For example, the DPA effectively halted the use of a COVID-19 contact-tracing application due to inadequate personal data protection relative to infection numbers at the time. In 2023, the DPA imposed a substantial fine (NOK 20 million) on the Labor and Welfare Administration for failing to operate the legally required procedures for handling sensitive personal data. Media attention to data protection is generally high, especially when public bodies fail to comply with their legal obligations.

Nevertheless, the number of cases that the Norwegian DPA must manage has increased in recent years. These cases relate both to transparency issues, where companies, media, and individuals request access to documentation about the agency’s work, and to data leaks and privacy incidents in public and private organizations. This has forced the agency to prioritize some matters over others, as it simply does not have the resources to follow up on all cases and conduct as many inspections as desired.
Citations:
Norwegian Data Protection Authority. https://www.datatilsynet.no/en/
Slovenia
The Office of the Information Commissioner, an autonomous institution that also ensures and monitors personal data protection, was established in 2005. The current Information Commissioner has extensive experience in this area, having held office since 2014 (her second term began in 2019) and previously served as deputy commissioner from 2003 to 2008. The commissioner has a five-year mandate and is appointed by the National Assembly on the proposal of the president of the republic.

The funds for the commissioner’s work are allocated from the state budget once the National Assembly determines them based on the commissioner’s proposal. The institution’s functions in data protection include monitoring the implementation of laws regulating the processing and protection of personal data and acting as an appeal body in the event of complaints from individuals about refusals to provide personal data.

Personal data protection is addressed in several other laws, resulting in a wide range of initiatives and complaints from various areas. For example, in 2022, the commissioner received 1,030 requests or initiatives for introducing the inspection procedure and 160 complaints regarding violations of individuals’ rights. Additionally, the office received 12 cases of unauthorized disclosure or other unauthorized processing of patients’ personal data, dealt with 81 complaints from individuals about breaches of the right to access their data, and received 22 complaints about violations of the right to erasure of their data.

According to the Information Commissioner, she has faced many problems and challenges due to legal confusion in this area. However, the new Law on Personal Data Protection, adopted at the end of 2022, along with other laws and regulations, represents an improvement in Slovenia’s regulatory system for better personal data protection.

Decisions and statements by the commissioner regarding personal data protection have often been labeled as rigid positions under pressure from politicians and the media. During the COVID-19 pandemic, government representatives even blamed the commissioner for vaccination problems in Slovenia. Nevertheless, the Information Commissioner proved to be an independent state institution, and the public recognized this.

Two government offices handle data protection, among other responsibilities. The Government Office for Information Security focuses on enhancing information security. Its primary goal is to increase resilience to cyber threats that endanger individuals, businesses, the government, and society. Meanwhile, the Government Office for the Protection of Classified Information handles the classification and protection of sensitive information. It ensures the development and implementation of standards for safeguarding classified information within government agencies, local authorities, public license holders, non-governmental organizations, and commercial companies that manage classified data. The office also grants authorizations for legal entities to access classified information and issues security certificates.
Citations:
Informacijski pooblaščenec. 2023. “Letno poročilo Informacijskega pooblaščenca 2022.” https://www.ip-rs.si/fileadmin/user_upload/Pdf/porocila/LP2022.pdf

The Slovenia Times. 2021. “Vaccination Coordinator Blames Info Commissioner For Vaccination Problems.” https://sloveniatimes.com/23954/vaccination-coordinator-blames-info-commissioner-for-vaccination-problems
Spain
The Spanish Data Protection Agency (AEPD) is a public authority that operates independently of the public administration. Integrated into a broader international and subnational network of agencies, the AEPD possesses the capacity and personnel to advocate for data protection and privacy issues against the government and vested interests. The AEPD has the autonomy to choose which audits to conduct.

The workload and relevance of claims have increased significantly over the past 30 years – from 81 complaints in 1994 to more than 15,000 in 2023. The findings of the data protection authority are quite impactful and often publicized in the media, particularly in cases involving Google or ChatGPT. Additionally, the agency actively promotes rights against the unlawful publication on the internet of photographs, videos or audio with sexual or violent content and calls for stronger regulation from the legislature in this regard.

There are also data protection agencies in Catalonia and the Basque Country.

According to the Organic Law on Data Protection, the appointment of the president of the AEPD is the responsibility of the government upon the proposal of the Ministry of Justice. A public competition of candidates must first be called, and their “merit, capacity, competence and suitability” must be assessed. The president and the deputy can only cease to hold office before the end of their term either at their own request or by removal by the Council of Ministers. The AEPD prepares and approves its own budget and sends it to the government, which includes it in the General State Budget.
UK
After Brexit, the UK maintained the same data protection policies it had as an EU member, including the General Data Protection Regulation (GDPR). The relevant legislation is the Data Protection Act, which has been periodically revised since its enactment in 1998.

The Information Commissioner’s Office (ICO) is tasked with upholding information rights. Its main office is in England, with separate offices in Northern Ireland, Scotland, and Wales. The ICO is an executive non-departmental public body with operational independence. The Commissioner oversees various data-related legislation, including the Data Protection Act, the Freedom of Information Act, and privacy and electronic communications regulations. Formally, the Commissioner is a crown appointment based on a recommendation from the ministry and is subject to scrutiny by the corresponding parliamentary committee. The ICO’s decisions and interventions are often reported in the media.

After a long period of development and much debate, the Online Safety Act was passed in late October 2023. Its purpose is to place obligations on social media companies to protect users’ safety, with an emphasis on shielding children from harmful content. OFCOM, the regulator of broadcasters, telecommunications companies, and postal services, is charged with enforcing the Act.

An independent and effective data protection authority exists, but its role is somewhat limited.
8
Latvia
The Data State Inspectorate was established in 2001 and now operates under the Personal Data Processing Law (2018). Its independent status is provided for in Article 52 of the Data Regulation. The inspectorate aims to protect fundamental human rights and freedoms in data protection. Therefore, its legal status ensures its operational independence.
The inspectorate is supervised by the Ministry of Justice and financed from the state budget.

The Cabinet of Ministers appoints the director of the inspectorate for a five-year term upon the recommendation of a selection committee. The director of the inspectorate can serve up to two consecutive terms.

Once a year, the inspectorate submits its operational report to the Saeima, the government, the Supreme Court of Latvia, the European Commission, and the European Data Protection Board and makes it available on its website.
Since 2022, the inspectorate has had the right to provide an opinion on draft legislation directly, without additional confirmation from the Ministry of Justice (Data State Inspectorate, 2023).
Citations:
Personal Data Processing Law. https://likumi.lv/ta/en/en/id/300099-personal-data-processing-law
Data State Inspectorate. 2023. “Annual Report 2022.” https://www.dvi.gov.lv/lv/media/2202/download?attachment
New Zealand
The Office of the Privacy Commissioner serves as an independent authority responsible for overseeing and enforcing privacy laws, as well as holding government offices and other entities accountable for data protection and privacy issues.

The office has several key functions – most importantly, investigating complaints from individuals regarding privacy breaches, issuing compliance notices to entities that fail to comply with privacy laws, providing guidance to organizations and government agencies on complying with privacy laws, and educating the public about privacy-related matters.

The process of appointing the privacy commissioner is designed to uphold the commissioner’s independence. The privacy commissioner is appointed by the governor-general, based on the recommendation of the minister of justice, following the criteria set out in the Privacy Act 2020.

The work of the Office of the Privacy Commissioner is regularly reported in the news media. For example, in 2023, the privacy commissioner publicly raised concerns about a significant increase in serious data breaches (1News 2023a) and weighed in on debates about the use of artificial intelligence by private and public entities (RNZ 2023). The privacy commissioner’s investigation into the role of Latitude Financial in New Zealand’s largest-ever data breach was also widely covered in the news (1News 2023b).

Māori have long criticized New Zealand’s data protection regime, raising difficult questions about data sovereignty and arguing that “the rightful authority for Indigenous data is not with the state, but with Indigenous people.” Some activists have demanded a Māori equivalent of the Office of the Privacy Commissioner (Mathias 2022). Additionally, the Royal Society of New Zealand has sought to increase awareness of issues of data sovereignty (RSNZ 2023). Independent Māori organizations are also active in this space: Te Mana Raraunga, the Māori Data Sovereignty Network (TMR 2023), and Ngā Toki Whakarururanga (NTW 2023), a by-Māori, for-Māori collective dedicated to advancing and protecting Māori interests, including with regard to data, digital and intellectual property.
Citations:
1News. 2023a. “41% increase in ‘serious’ data breaches – Privacy Commissioner.” https://www.1news.co.nz/2023/01/12/41-increase-in-serious-data-breaches-privacy-commissioner/

1News. 2023b. “Privacy Commissioner to Investigate NZ’s Largest Data Hack.” https://www.1news.co.nz/2023/05/10/privacy-commissioner-to-investigate-nzs-largest-data-hack/

Mathias, S. 2022. “Inside the Fight for Māori Data Sovereignty.” The Spinoff, July 29. https://thespinoff.co.nz/internet/29-07-2022/indigenous-data-sovereignty-will-make-the-internet-a-better-place-for-maori

NTW. 2022. “Ngā Toki Whakarururanga.” https://www.ngatoki.nz/who-we-are

RNZ. 2023. “AI in Politics: Law Expert Urges Transparency from Political Parties, More Regulation.” https://www.rnz.co.nz/news/political/490690/ai-in-politics-law-expert-urges-transparency-from-political-parties-more-regulation

RSNZ. 2023. “Mana Raraunga, Data Sovereignty.” Royal Society/Te Apārangi. https://www.royalsociety.org.nz/what-we-do/our-expert-advice/all-expert-advice-papers/mana-raraunga-data-sovereignty/

TMR. 2023. “Te Mana Raraunga.” https://www.temanararaunga.maori.nz
7
Estonia
Estonia has a Data Protection Inspectorate (AKI) that operates under the purview of the Ministry of Justice. The AKI is financed from the state budget, and its budget is adopted and monitored by the minister of justice. In its daily operations, AKI is independent and has the discretion to decide which audits to undertake. The inspectorate works under the framework of the Personal Data Protection Act and the Public Information Act. It is also responsible for ensuring compliance with the European Union’s General Data Protection Regulation (GDPR).

The director general of the AKI is appointed by the government upon the proposal of the minister of justice for a five-year term. Neither the legislative branch (Riigikogu) nor the judiciary (Supreme Court) has the authority to interfere in the appointment or removal of the head of the national data protection authority. The director general reports directly to the Constitutional Committee of the Riigikogu and to the chancellor of justice. AKI currently has 33 staff positions, which is roughly consistent with its needs to fulfill its mandate.

AKI is responsible for protecting citizens’ privacy and personal data and ensuring the transparency of public information. As a law-enforcement agency, AKI can issue proposals or recommendations to terminate infringements, issue binding precepts, impose coercive payments or fines, or apply to initiate criminal proceedings. Additionally, AKI acts as an educator and consultant, answering citizens’ queries and contributing to the public awareness of data use.

Overall, issues with cybersecurity are an increasing concern in data protection. In December 2023, hackers downloaded the health data of more than 10,000 people from a private company’s server (AKI 2023). AKI, together with the prosecutor’s office, initiated an investigation of the incident. The first reaction of the director general of AKI was that the responsibility lies with private companies as the data holders and users, and that no legislative amendments were needed.

Findings of the data protection authority are occasionally covered in the media, usually when a data breach or leak has occurred. In August 2023, AKI arguably failed to check properly before allowing access to sensitive data used for a sociological survey on women’s reproductive behavior (Nagel, 2023). Both incidents are so recent that it is too early to judge whether they will lead to executive or legislative action.
Citations:
AKI. 2023. “News.” https://www.aki.ee/uudised/geneetilise-testimisega-tegeleva-ettevotte-andmebaasist-laaditi-ebaseaduslikult-alla

Nagel, Hannes. 2023. “Isikuandmete väljapetmine seab ohtu meie kõigi turvalisuse.” ERR News, August 14. https://www.err.ee/1609062242/hannes-nagel-isikuandmete-valjapetmine-seab-ohtu-meie-koigi-turvalisuse
Italy
The Italian Data Protection Authority (Garante per la Protezione dei Dati Personali, or GPDP) was established in 1996 by Law 675 and further regulated by Legislative Decree 196/2003, which provided a comprehensive data protection framework. In 2018, the GPDP underwent significant changes following Legislative Decree 101/2018, which implemented the GDPR in Italy.

The GPDP is responsible for protecting the privacy of individuals in Italy. It monitors compliance with data protection laws, examines complaints, provides feedback to the government, and issues opinions on new legislation. Additionally, the GPDP offers advice to institutions on applying data protection laws.

The GPDP has a wide range of powers, including adopting guidelines and codes of conduct, conducting on-site inspections, imposing administrative sanctions, and ordering the rectification or deletion of personal data. A four-member board governs the GPDP. The members are elected by the Chamber of Deputies and the Senate from a pool of candidates who submit their applications through a public selection process. The board’s term is seven years and cannot be renewed.

Although the GPDP is intended to operate independently of political influence, the appointment of its board members often reflects political considerations rather than professional expertise. This, along with the GPDP’s limited financial resources and staffing, can hinder its effectiveness. However, the relatively short tenure of Italian governments compared to the board’s term of office and the increasing influence of European data protection regulations provide the GPDP with some degree of autonomy and influence.
Citations:
GPDP. 2022. “Financial resources.” https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9906258
GPDP. 2022. “Staff.” https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9845410
Portugal
The National Data Protection Commission (Comissão Nacional de Proteção de Dados – CNPD) serves as the primary authority responsible for overseeing and ensuring compliance with the General Data Protection Regulation (Regulamento Geral sobre a Proteção de Dados – GDPR). The GDPR aims to safeguard the protection and lawful processing of individuals’ personal data while facilitating its free movement.

Moreover, CNPD operates independently, diligently pursuing its responsibilities and competencies while enjoying administrative and financial autonomy. This autonomy is also reflected in the status of CNPD members and their respective roles within the organization.

The latest activity report from CNPD, published in 2022, reveals a substantial increase in its workload. The Commission investigated and initiated more inquiries (1,785) and tripled the number of prosecution cases (251) compared to the previous year (CNPD, 2022). The total fines imposed also significantly increased, surpassing €4.8 million, primarily due to a €4.3 million fine imposed on the National Institute of Statistics (INE) concerning the 2021 Census, which is currently under appeal (Público, 2023).

However, CNPD faces a concerning structural shortage of human resources. At the end of 2022, CNPD had only 28 employees, a modest increase from 25 workers in 2021. This number remains far from sufficient to meet all demands, as stated in their own assessment (CNPD, 2022). This shortage, coupled with a high number of requests for information and participation (8,310) and increased procedural activities, continues to pose significant obstacles to CNPD’s effectiveness.
Citations:
CNPD. 2022. “Relatório de Atividades 2022.” https://www.cnpd.pt/media/tutpevyh/relato-rio_2022.pdf

Law No. 58/2019, of August 8, Personal Data Protection Law (Lei da Proteção de Dados Pessoais). 2019. Available at https://www.pgdlisboa.pt/leis/lei_mostra_articulado.php?artigo_id=3118A0001&nid=3118&tabela=leis&pagina=1&ficha=1&so_miolo=&nversao=#artigo

Público. 2023. “Apesar das condicionantes dos ciberataques, Protecção de Dados averiguou e acusou mais.” https://www.publico.pt/2023/03/15/sociedade/noticia/apesar-condicionantes-ciberataques-proteccao-dados-averiguou-acusou-2042209
6
Ireland
The Irish Data Protection Act 2018 was signed into law on 24 May 2018, coinciding with the implementation of the General Data Protection Regulation (GDPR). The Data Protection Commission (DPC) is Ireland’s national independent authority responsible for upholding the fundamental right of individuals in the European Union (EU) to have their personal data protected. The DPC’s functions and powers also relate to other regulatory frameworks, including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive (LED). The DPC’s European role is crucial, given the large number of data and social media multinational corporations (MNCs) with European headquarters based in Ireland, which fall under Irish data protection oversight. International bodies are incorporated into this legislation. An independent process appoints the head of the DPC, and the body is allocated financial and personnel resources consistent with its mandate. The executive branch follows up on DPC findings, which are extensively reported in the media and utilized by the legislature.

Many international social media MNCs, and hence social media regulation at the EU level, fall under the remit of the Irish data protection office, increasing the demand for effective regulation and enforcement. The European Data Protection Board (EDPB) has intervened in Irish data protection decisions to increase sanctions and strengthen remedies (EDPB, 2023). The EDPB concluded that Irish data protection decisions have been insufficient to remedy GDPR breaches, suggesting a reluctance by the Irish authority to appropriately regulate social media multinationals. This is particularly significant for wider Europe due to the prevalence of European continental hubs of social media and technology multinationals in Ireland, under Irish authority.
Citations:
Data Protection Commission. 2023. www.dataprotection.ie
McIntyre, T. J. 2021. “Regulating the Information Society; Data Protection and Ireland’s Internet Industry.” In Policy Analysis in Ireland, eds. J. Hogan and M. P. Murphy, 702-718. Bristol: Policy Press.
MacCartaigh, M. 2021. “The Changing Policy Analysis Capacity of the Irish State.” In Policy Analysis in Ireland, eds. J. Hogan and M. P. Murphy, 47-62. Bristol: Policy Press.
IGEES. 2019. “Irish Government and Evaluation.” https://www.gov.ie/en/organisation-information/8f949-irish-government-economic-and-evaluation-service-igees/#about-igees/
Ruane, F. 2019. “The Changing Patterns of Production and Consumption of Official Statistics in Ireland.” Journal of the Statistical and Social Inquiry Society of Ireland 43 (1): 223-240.
European Commission. 2022. “eGovernment Benchmark 2022, 2021-2022 data.” https://op.europa.eu/en/publication-detail/-/publication/a7d80ca2-3895-11ed-9c68-01aa75ed71a1/language-en/format-PDF/source-291321135
European Commission. 2022. “European Data Portal, 2022.” https://data.europa.eu/en/publications/open-data-maturity/2022
Boyle, R., O’Leary, F., and O’Neill, J. 2022. Public Sector Trends. Dublin: IPA.
Japan
Personal data protection in Japan is regulated by the Act on the Protection of Personal Information (APPI) from 2003, which was revised in 2017. The APPI was the first non-EU legal regime recognized in an adequacy decision after the European Union’s General Data Protection Regulation (GDPR) came into force. Data protection is managed by the Personal Information Protection Commission, established in 2016. Its chairperson and members are nominated for five-year terms by the prime minister with the consent of both houses of parliament. Apart from bureaucracy, commission members originate from academia and business, which ensures a certain degree of independence and impartiality. The commission enjoys high discretion in conducting audits. It can issue cease-and-desist orders, though it cannot directly impose administrative fines. Business operators who refuse to follow the commission’s orders, however, may be imprisoned for up to one year. In some cases, the reaction of the commission to reports concerning the leaking of important personal data has been slow.

The controls conducted by the Personal Information Protection Commission and its administrative guidance issued to governmental institutions occasionally draw the media’s attention. For instance, in July 2023, the commission inspected the Digital Agency due to problems with implementing the My Number system – individual numbers allocated to all residents that facilitate the administration of benefits and other issues. It was revealed that many numbers had been linked to the wrong bank accounts.

In its report from November 2022, the UN Human Rights Committee expressed concern over the lack of sufficient safeguards, such as independent judicial oversight, against arbitrary surveillance and access to personal data by state institutions in Japan.
Citations:
DLA Piper. 2022. “Data Protection Laws of the World, Japan.” https://www.dlapiperdataprotection.com/system/modules/za.co.heliosdesign.dla.lotw.data_protection/functions/handbook.pdf?country-1=JP

European Commission. 2019. “European Commission Adopts Adequacy Decision on Japan, Creating the World’s Largest Area of Safe Data Flows.” https://ec.europa.eu/commission/presscorner/detail/en/IP_19_421

Personal Information Protection Commission, Japan. “Commission.” https://www.ppc.go.jp/en/aboutus/commission/

Watanabe, Junki, and Shuhei Shibata. 2023. “Commission to Probe Digital Agency over My Number Mishaps.” The Asahi Shimbun, July 7. https://www.asahi.com/ajw/articles/14950982

U.N. Human Rights Committee. 2022. “Concluding Observations on the Seventh Periodic Report of Japan.” https://docstore.ohchr.org/SelfServices/FilesHandler.ashx?enc=6QkG1d%2FPPRiCAqhKb7yhsuBJT%2Fi29ui%2Fb4Ih9%2FUIJO87S0HPMR1PnCPt3LQO6EolLe709268JsfEokJ6QyNqFgswSBy1rovzRJaQqYHclTttywUvvrbUCI%2F6iBnTGHkY
Poland
Data protection in Poland is governed by the EU General Data Protection Regulation or GDPR (Regulation (EU) 2016/679) and the Act of May 10, 2018 on the Protection of Personal Data. The same act also established a new data protection authority, the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO). The powers of the UODO include the ability to conduct compliance audits, issue administrative decisions, disclose decisions in the public interest, request disciplinary or legal proceedings against violators, and mandate the timely notification of the outcomes of implemented actions.

The Personal Data Protection Office may: require data controllers and processors or their representatives to provide information deemed necessary; gain access to the premises of data controllers and processors, as well as to equipment and tools used for processing personal data; and obtain from data controllers or processors access to all personal data and any information necessary for the performance of the authority’s tasks.

The follow-up by the executive branch on the actions of the UODO has been limited, as most of the legislation in this area is governed by EU laws. However, the UODO cooperates closely with other public institutions, such as the Chief Pharmaceutical Inspectorate, the Environmental Protection Inspectorate, the Office of Competition and Consumer Protection, the National Council of Legal Advisers, and the Office of Electronic Communications.

Although the European Court of Justice mandates that the head of the national data protection authority should be independent and impartial, in Poland, the appointment and removal of the president rest with the political majority in both chambers of the parliament. As a result, in 2019, Jan Nowak, a former member of the Law and Justice party, was elected to serve a four-year term. Due to his visible political engagement, the Polish upper chamber – the Senate, dominated by the opposition – refused in May 2023 to approve his second term in office. The president had failed to discuss and influence legislation on urgent issues like tracking technologies, international data transfers and artificial intelligence. He had also failed to engage in educational campaigns directed toward all citizens.
Citations:
Data Guidance. 2023. “Poland – Data Protection Overview.” https://www.dataguidance.com/notes/poland-data-protection-overview
Slovakia
Law 18/2018 governs the protection of personal data in Slovakia, establishing rights and responsibilities for data processing and defining the role and organization of the Office for Personal Data Protection of the Slovak Republic.

The Office for Personal Data Protection is an independent body with a budget set annually by the State Budget Law. In 2021, it had 45 employees and a budget of €1,738,043.75. The office monitors compliance with data protection laws and has the authority to obtain information and question officials. Its president is elected by the National Council of the Slovak Republic via secret ballot, while the government nominates the vice-president based on the president’s proposal (Law 18/2018).

The Office’s direct control activities are limited; its 2023 control plan covers only three central ministries and one central state administration body. It maintains a relatively low profile, attracting media attention primarily when publishing annual reports on fines. Information on follow-up actions is not publicly available.
Citations:
Zákon 18/2018 o ochrane osobných údajov. https://www.slov-lex.sk/pravne-predpisy/SK/ZZ/2018/18/20220330

https://dataprotection.gov.sk/uoou/sk
 
A data protection authority exists, but both its independence and effectiveness are considerably limited.
5
Belgium
In May 2018, the Belgian federal government established the Data Protection Authority (DPA – Autorité de protection des données/ Gegevensbeschermingsautoriteit). The DPA’s mission is to protect individual privacy during personal data processing. To enhance efficiency, several pre-existing authorities and services were consolidated under the DPA. The restructured authority is accountable to the House of Representatives, and its board of directors is appointed politically for six-year terms. Belgium was also one of the first countries to create the function of Secretary of State for Privacy in 2015 (De Busser 2021).

However, the DPA has faced issues related to transparency, conflicts of interest, and governance errors. Notably, the European Commission initiated a serious infringement procedure against Belgium due to DPA member Frank Robben’s dual role as the head of a public body handling social security and health-related data. The complaint was withdrawn following Robben’s resignation from the DPA in early 2022.

Robben’s resignation did not resolve the DPA’s issues. In 2020, two whistleblowers alerted parliament about conflicts of interest and governance errors within the DPA, particularly concerning member David Stevens. Parliament eventually dismissed Stevens and one of the whistleblowers. Since then, the secretary of state for data protection has attempted to reform the body, but without success to date.
Citations:
https://www.dataprotectionauthority.be/
https://www.lecho.be/economie-politique/belgique/federal/demission-de-l-adp-frank-robben-n-est-que-le-sommet-de-l-iceberg/10365250.html
https://www.lesoir.be/492667/article/2023-02-02/critique-torpille-sabote-le-projet-de-loi-apd-de-mathieu-michel-va-une-nouvelle
https://www.lesoir.be/438557/article/2022-04-27/lapd-est-inoperante-un-et-demi-dalertes-de-ses-deux-codirectrices
De Busser, E. 2021. “Data Protection Around the World: Belgium.” Data Protection Around the World: Privacy Laws in Action 7-21.
Hungary
The right to personal data protection and information freedom is regulated under the Act CXII of 2011, which was amended in 2018 to implement the EU’s General Data Protection Regulation (GDPR). Since then, the GDPR has been incorporated into various sectoral laws, such as the labor code.

In 2023, a “whistleblower law” came into force, introducing the EU’s 2019/1937 Whistleblower Directive into the Hungarian legal system. The 2014 law was found to be insufficient, as evidenced in the lead-up to the 2023 corruption trial against former Secretary of State Völner in the Ministry of Justice. However, the European-induced modification has faced criticism for a controversial article interpreted as enabling citizens to anonymously report same-sex families to authorities. This aspect of the legislation was particularly contentious, and led President Katalin Novák to veto the proposed law. Novák stated that the article weakened rather than strengthened the protection of fundamental values. This move was unusual for Novák, who generally supports Prime Minister Viktor Orbán. The law was revised after the veto, especially as the European Union Commission announced it would otherwise take legal action.

The National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, NAIH) is responsible for supervising and defending the data protection rights of Hungarian citizens. While it has not played a significant role in the public debate, there is still little experience with the new European regulation in this field. The NAIH has challenged the government in some COVID-19-related cases. For instance, it has criticized the fact that sensitive data required to register for vaccination is collected and saved not by the government but by a Fidesz-allied firm, IdomSoft Zrt.
However, the NAIH has failed to speak out against the misuse of public data for Fidesz’s election campaigns, and has not addressed the Pegasus surveillance scandal, in which the government used Pegasus spyware to target opposition politicians and public figures. Additionally, the NAIH has been reluctant to take proactive measures on freedom of information practices, whereby the government routinely classifies documents of strategic importance for national security reasons, and fails to respond to public information queries from independent journalists (see Láncos 2019).
Citations:
Láncos, P.L. 2019. “Freedom of Information in Hungary: A Shifting Landscape.” In Dragos, D.C., Kovač, P., and Marseille, A.T., eds., The Laws of Transparency in Action. Governance and Public Management. Cham: Palgrave Macmillan. https://doi.org/10.1007/978-3-319-76460-3_10
USA
There is no single national authority for data protection. With some exceptions, such as banks, credit unions, and insurance companies, the Federal Trade Commission has jurisdiction over most commercial entities. It has the authority to issue and enforce federal privacy regulations, including those for telemarketing, email marketing, and children’s privacy, and to take enforcement action to protect consumers against unfair or deceptive trade practices, including materially unfair privacy and data security practices.
Many state attorneys general have similar enforcement authority over unfair and deceptive business practices, including the failure to implement reasonable security measures and violations of consumer privacy rights, which harm consumers in their states.
Because the costs of varying privacy protections by state can be prohibitively expensive, many businesses follow the rules set by the state with the highest standards, which is currently California. This follows the California Consumer Privacy Act of 2018, subsequently amended by the California Privacy Rights Act of 2020 (Shatz and Chylik 2020). The Californian legislation gives consumers robust protections against businesses holding their data, and many companies, especially those that do business on the internet with clients in California, now follow this standard (Pardau 2018). The California legislation also created the California Privacy Protection Agency, the first state agency dedicated to the protection of consumer privacy rights (Harding et al. 2019).
At the federal level, there is the Federal Privacy Council, created by an executive order in 2016 by President Barack Obama. The order requires agency heads to designate a Senior Agency Official for Privacy who must maintain an agency-wide data privacy program. The federal government also has a body known as the Chief Information Officers (CIO) Council, a collection of CIOs who come together to improve IT practices across the federal government (Hyman and Kovacic 2019).
Citations:
David Hyman and William Kovacic. 2019. “State Enforcement in a Polycentric World.” Brigham Young University Law Review.
Sanford Shatz and Susan Chylik. 2020. “The California Consumer Privacy Act of 2018.” Business Lawyer.
Stuart Pardau. 2018. “The California Consumer Privacy Act: Towards a European-Style Privacy Regime in the United States?”
Elizabeth Harding, Jarno Vanto, Reece Clark, Hannah Ji, and Sara Ainsworth. 2019. “Understanding the Scope and Impact of the California Consumer Privacy Act of 2018.” Journal of Data Protection and Privacy.
4
Canada
Most provinces and the federal government have privacy acts that protect much data. However, there is no generalized data protection office or legislation, as there is in Europe.

Canada does not have a comprehensive federal-level data protection law similar to the European Union’s General Data Protection Regulation (GDPR). Instead, it has a patchwork of privacy laws and regulations that govern the protection of personal information in specific sectors and industries.

Most of this legislation applies to the public sector, but the Personal Information Protection and Electronic Documents Act (PIPEDA) extends these protections to private-sector organizations engaged in commercial activities across Canada. It sets out principles for the collection, use, and disclosure of personal information and requires organizations to obtain consent for the collection and handling of personal data. PIPEDA applies to businesses such as banks, telecommunications companies, and private-sector organizations engaged in interprovincial or international trade.

Several provinces in Canada have enacted their own privacy laws for organizations within their jurisdictions. For instance, Alberta, British Columbia, and Quebec have private-sector privacy laws that apply to organizations operating within those provinces.

The absence of a federal law with broad jurisdiction has led to discussions and calls for reform to enhance privacy protections, especially in light of the evolving digital landscape and increasing concerns about data breaches and online privacy (Canada – Data Protection Overview).

This led to the introduction of Bill C-27, an act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act, also known as the Digital Charter Implementation Act, 2022. The bill passed second reading in 2023 and is currently under committee review. It is not yet in effect and may not pass.

The Consumer Privacy Protection Act is Part 1 of the Digital Charter Implementation Act, 2022. The act would repeal parts of the Personal Information Protection and Electronic Documents Act and replace them with a new legislative regime governing the collection, use and disclosure of personal information for commercial activity in Canada. This would maintain, modernize and extend existing rules and impose new rules on private sector organizations for the protection of personal information. The act would also continue and enhance the role of the Privacy Commissioner in overseeing organizations’ compliance with these measures. Provisions of the Personal Information Protection and Electronic Documents Act addressing electronic alternatives to paper records would be retained under the new title of the Electronic Documents Act.

Part 2 of the Digital Charter Implementation Act, 2022, includes the Personal Information and Data Protection Tribunal Act. This act establishes a new administrative tribunal to hear appeals of orders issued by the Privacy Commissioner and to implement a new administrative monetary penalty regime created under the Consumer Privacy Protection Act.

Part 3 of the Digital Charter Implementation Act, 2022, the Artificial Intelligence and Data Act, outlines new measures to regulate international and interprovincial trade and commerce in artificial intelligence systems. It establishes common requirements for the design, development, and use of artificial intelligence systems, including measures to mitigate risks of harm and biased output. It also prohibits specific practices with data and artificial intelligence systems that may cause serious harm to individuals or their interests.

(“Department of Justice – Statement of Potential Charter Impacts”).
Citations:
DataGuidance. 2022. “Canada – Data Protection Overview.” https://www.dataguidance.com/notes/canada-data-protection-overview

Government of Canada, Department of Justice. 2022. “Department of Justice – Statement of Potential Charter Impacts.” https://www.justice.gc.ca/eng/csj-sjc/pl/charter-charte/c27_1.html
Netherlands
The Dutch Data Protection Authority (DPA) succeeded the College Bescherming Persoonsgegevens (CBP) in 2016, and simultaneously saw its formal competencies somewhat enhanced by the right to fine public and private organizations that are in violation of Dutch law, or, since mid-2018, European data protection laws (e.g., the General Data Protection Regulation, GDPR). Pursuant to Article 7 of the General Data Protection Regulation Implementation Act, the organization’s chair was reappointed (in August 2023) for a term of five years. This was done by royal decree on the recommendation of the minister of justice and security. The independence of the organization seems to be in order, despite the fact that right-wing political parties in particular keep insisting on replacing chair Aleid Wolfsen. So far, this push against independent monitoring has been curbed.

Really effective data protection is practically impossible for a number of reasons. The authority is understaffed, even though the number of staff has increased, and is underfinanced. Hardly any consequential fines have been imposed. “Naming and shaming” appears to work, but comprehensive oversight capacity is lacking. It looks like the DPA is evolving from a supervisory body into a Janus-faced organization that also advises public and private organizations and individual citizens on privacy issues, including on how to deal with personal data in ways that (more or less) comply with ever-changing regulations and interpretations.

Compliance with and enforcement of the GDPR still leave much to be desired. The privacy authority has handed out no more than 36 fines since the GDPR went into effect in 2018. The chances of catching offenders are too low. This is due to the organization’s limited number of employees, about 180 in total plus several dozen temporary staff. The authority now has a budget of €35 million, but supervision obviously is not keeping pace with digitalization. The number of complaints in the first years of the GDPR quickly rose to 25,590 in 2020, but then began a decline to 18,914 in 2021 and 13,113 in 2022 – “in part because the DPA was forced to reduce the opening hours of the telephone consultation hours,” according to a statement from the organization itself. Staff shortages play a role in this. At the end of 2022, a total of 5,723 complaints were still pending at the DPA, which may include complaints from earlier than 2022 that take longer to resolve.

Digital civil rights organization Bits of Freedom is dissatisfied with GDPR compliance at most Dutch government agencies. A survey it conducted last year among the 10 largest municipalities showed that only one (Utrecht) scored “satisfactory.” Municipalities appeared to be insufficiently aware of what data they had and how they protected it, and citizens were not given access to their own data quickly enough. Incidentally, citizens themselves are also often ignorant about how to better protect their personal data.
Citations:
Juurd Eijsvoogel. 2023. “Foto’s niet meer zomaar in de schoolgids – hoe bevalt de AVG?” NRC, May 26.

Rijksbreed AVG. 2022. Deelrapport van bevindingen ministerie BZK, December 6.

Autoriteit Persoonsgegevens. 2023. “Actueel Nieuwsbrief: 5 jaar AVG.” May 26.

N. Benaissa. 2022. “De staat van privacy bij gemeenten.” https://bitsoffreedom.nl
3
There is no effective and independent data protection office.
2
1