The Data Protection Authorities & their responsibilities

POSTED ON December 28, 2021 BY DATA SECURE

Introduction

Data protection regulation governing the handling and misuse of citizens' personal information has expanded rapidly in many countries, especially since the GDPR became enforceable in the European Union in May 2018. With data protection laws now commonplace worldwide, it is more important than ever to understand what data protection authorities are and how their roles and responsibilities unfold.

Data Protection Authorities (DPAs), also called Supervisory Authorities, are independent public authorities that monitor and supervise the application of data protection law in their jurisdiction, using the investigative and corrective powers the law gives them (in the GDPR, Articles 51 and 58). They provide expert advice on data protection issues and act against unlawful practices by data controllers and processors, thereby enforcing compliance with data protection law.

Consistent application of the GDPR depends on collaboration between all stakeholders: the DPA of each Member State, the Member States themselves, controllers and processors, data subjects (citizens), the European Commission and the European Data Protection Board (EDPB).

One important point to note is that data protection authorities are distinct from data protection officers (DPOs). A DPO is appointed by an organisation whose processing meets the thresholds in Article 37 (public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data); a DPA upholds data protection rights across its whole territory. Not every organisation is required to appoint a DPO, but every EU Member State has at least one DPA.

The Roles, Responsibilities, and Power of Data Protection Authorities

Among their many duties, their main role is to ensure that organisations in their jurisdiction adhere to the obligations set out in the applicable data protection law. Without them, businesses would have no authoritative guidance on how national or state law applies to them, and no one to enforce it.

The roles and responsibilities of a DPA are broad. Article 57 of the GDPR even includes the catch-all task of fulfilling ‘any other tasks related to the protection of personal data.’ Under Articles 57 and 58, DPAs are assigned roles and responsibilities including the following:

  • Monitor and enforce the application of the GDPR in their territory
  • Promote public awareness of the risks, rules, safeguards and rights relating to the processing of personal data
  • Advise national parliaments, governments and other institutions on legislative and administrative measures
  • Educate controllers and processors on their obligations and issue guidance on how the law applies
  • Handle complaints lodged by data subjects (or by bodies acting on their behalf) and investigate them
  • Cooperate with other DPAs, including sharing information and providing mutual assistance
  • Monitor relevant developments, in particular in information and communication technologies and commercial practices
  • Adopt standard contractual clauses and authorise contractual clauses and administrative arrangements for international transfers
  • Establish and publish the list of processing operations that require a Data Protection Impact Assessment (DPIA), and give prior consultation advice where a DPIA shows a high residual risk (Articles 35 and 36)
  • Receive notifications of personal data breaches from controllers (Article 33)
  • Exercise corrective powers, including warnings, reprimands, orders and administrative fines (Article 58(2))
  • Publish an annual report on their activities (Article 59)

DPAs have the power to investigate a controller or processor, whether on receipt of a complaint or on their own initiative. They can order the controller or processor to provide any information required for the investigation, carry out audits, and obtain access to premises and processing equipment (Article 58(1)).

Depending on the severity of an infringement, DPAs can exercise corrective powers. A DPA may issue a warning or a reprimand, order the controller or processor to bring processing into compliance, impose a temporary or definitive ban on processing, or order the suspension of data flows to a recipient in a third country. Acting on an individual's complaint, it can also order a controller or processor to comply with the data subject's request to exercise their rights (Article 58(2)).

The most substantial power of a DPA is the imposition of administrative fines (Article 83). For the most serious infringements these can reach €20 million or 4% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher; a lower tier of €10 million or 2% applies to infringements such as failures in security, breach notification or record keeping.

Major Fines Imposed by DPAs

Since the GDPR became enforceable in 2018, more than 800 fines have been issued across the EU, the EEA and the UK. Enforcement has been slow, but the number of fines levied for GDPR violations has grown considerably. The Luxembourg DPA has fined Amazon a record €746 million, which came to light when Amazon disclosed the decision in its financial filings on 30 July 2021.

We would like to cover some of the fines imposed by the Norwegian DPA (Datatilsynet) and the Luxembourg DPA:

  1. The toll ring company Ferde AS was transferring data about passages through toll rings to a data processor in China. On this basis, the Norwegian DPA decided to examine Ferde AS's compliance with the GDPR, since the data was being transferred to China. During its investigation the DPA found that Ferde AS had no data processing agreement with the processor, no risk assessment, and no legal basis for processing and transferring personal data about motorists to China.

    One of the critical findings was the DPA's confirmation that licence plate numbers are personal data, that processing images of licence plates is therefore processing of personal data, and that Ferde AS is the controller of that data. After a thorough investigation, the Norwegian DPA imposed a fine of NOK 5 million (approximately €500,000) on Ferde AS for breaches of GDPR Articles 28(3), 32(2) cf. 5(1)(f), 5(2) and 44.

    Source: The Norwegian Data Protection Authority: Ferde AS fined | European Data Protection Board (europa.eu)

  2. On 16 July 2021, the Luxembourg National Commission for Data Protection (CNPD), the Luxembourg DPA, issued the largest GDPR fine to date: €746 million (about USD 886 million) against Amazon Europe Core S.à r.l.

    The case originated in May 2018, when La Quadrature du Net, a French group that promotes and defends fundamental freedoms in the digital world, lodged a collective complaint with the CNPD on behalf of around 10,000 people.

    After a thorough investigation into Amazon Europe's data privacy practices towards its customers, the CNPD found that Amazon Europe's advertising targeting system violated the GDPR: customers were being profiled and served targeted advertisements without valid consent to that processing.

    Source: Amazon hit with $886m fine for alleged data law breach - BBC News

    For more on major GDPR fines, see our blog post Major Fines After EU GDPR Coming Into Force Since 2018 - DATA SECURE

Relationship with data controllers & processors

To comply with laws governing data collection and handling, businesses should understand their relationship with DPAs. An organisation must know which DPA is competent for it and under what circumstances that DPA may contact it.

Businesses should treat DPAs as independent public authorities with binding legal powers over them, not merely as advisory bodies. For example, DPAs can impose fines on private organisations and public bodies that they find in violation of data protection law; their decisions are enforceable and subject to judicial review.

An organisation may need to interact directly with a DPA if it:

  • Is the subject of a complaint;
  • Needs advice on a critical issue;
  • Has carried out a DPIA that shows a high residual risk and must consult the DPA before starting the processing (Article 36);
  • Requires a prior authorisation that national law imposes for a specific processing activity (Article 36(5));
  • Must notify a personal data breach, which is due without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33), unless the breach is unlikely to result in a risk to individuals.

Appointment of DPAs & which DPA to contact

As per Article 53 of the EU GDPR, the members of a Supervisory Authority (Data Protection Authority) are appointed by the Member State through a transparent procedure by:

  • Their Parliament
  • Their Government
  • Their Head of State or
  • An independent body entrusted with the appointment under Member State Law

The European Data Protection Board, based in Brussels, brings together the heads of the data protection authorities of the Member States and the European Data Protection Supervisor. Its purpose is to ensure that the GDPR is applied consistently across the EU: it issues guidelines, recommendations and opinions, resolves disputes between DPAs under the consistency mechanism through binding decisions, and promotes cooperation, joint initiatives and the exchange of good practice among its members.

Articles 53 and 54 of the GDPR also set criteria for the members of a supervisory authority, who must:

  • Be appointed through a transparent procedure;
  • Have the qualifications, experience and skills, in particular in the area of personal data protection, required to perform their duties;
  • Be bound by a duty of professional secrecy with regard to confidential information obtained in the course of their duties, both during and after their term of office.

The same criteria apply across all EU Member States, so that properly qualified individuals are appointed as members of DPAs.

In general, the DPA of the Member State in which an organisation is established acts as its main contact point for questions on data protection. For example, if a company is located in Portugal and only processes the data of individuals in Portugal, its DPA is the Portuguese CNPD.

The position changes where an organisation carries out cross-border processing, that is, it processes data in several EU Member States or is part of a group of companies established in different Member States. In such cases the ‘one-stop-shop’ mechanism (Article 56) designates a Lead Supervisory Authority, so the company deals principally with one DPA rather than with several DPAs across multiple Member States, while the other DPAs concerned are involved through the cooperation procedure.

The lead DPA is determined by the location of the company's main establishment, normally its central administration in the EU. For example, if a company processes the data of individuals in the UK, Finland, France and Spain and is headquartered in London, its Lead Supervisory Authority was the UK's ICO while the UK was an EU Member State. Since the UK's withdrawal, the ICO is no longer part of the one-stop-shop: such a company must look to its main establishment within the EU (if it has one) for its lead DPA, and deal with the ICO separately under the UK GDPR.

The list of data protection authorities in the EU is available at Our Members | European Data Protection Board (europa.eu)

Data Protection Authority in the US

Because the US lacks a single, comprehensive federal data protection law, it has no single national data protection authority. Instead, various bodies enforce privacy rules in specific areas. For example, the Federal Trade Commission (FTC) takes enforcement action under Section 5 of the FTC Act against unfair or deceptive privacy and data security practices by commercial entities, and enforces sector rules on telemarketing, commercial email (CAN-SPAM) and children's privacy (COPPA), among others.

State Attorneys General exercise enforcement authority in their respective states. For example, the California Attorney General enforces the California Consumer Privacy Act (CCPA), California's data protection law; the California Privacy Rights Act amendments also created the California Privacy Protection Agency, which shares that enforcement role.

State Attorneys General can initiate action where they find that a business has:

  • Failed to implement adequate security measures;
  • Engaged in unfair or deceptive business practices;
  • Violated consumer privacy rights.

Additionally, there are sector-specific regulators, such as the HHS Office for Civil Rights for healthcare (HIPAA) and the FTC and CFPB, alongside the banking regulators, for financial data (GLBA), with authority to enforce privacy and security rules over the entities in their sectors.

Data Protection Authority in the UK

The UK data privacy and data protection regime is governed by the Data Protection Act 2018 and the UK GDPR, the version of the EU GDPR retained in UK law after the UK's withdrawal from the EU.

The Data Protection Act 2018 and the UK GDPR establish the Information Commissioner's Office (ICO) as the Supervisory Authority in the UK, responsible for upholding information rights. It also enforces the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Freedom of Information Act 2000 and the Environmental Information Regulations 2004. It is an independent body that reports directly to the Parliament of the United Kingdom.

The Commissioner’s mission is to “uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.”

For more information on the ICO, visit Home | ICO

India’s proposed Data Protection Authority

India’s Personal Data Protection Bill, 2019 (proposed to be renamed the Data Protection Bill, 2021 following the Joint Parliamentary Committee's report) establishes a Data Protection Authority of India consisting of a chairperson and six whole-time members, each with at least ten years' experience in data protection, information technology or a related field.

The Authority is empowered to:

  • Take steps to protect the interests of individuals (data principals);
  • Prevent the misuse of personal data;
  • Ensure compliance with the Bill.

The Bill provides that, once it is passed into law, the Authority is to be established within six months of its enactment.

The Bill gives no clear guidance on the establishment of regional offices, which leaves the envisaged Authority's reach unclear. In addition, the Central Government is given the power to decide the terms and conditions of employment and removal of members, and to control grants of money, raising concerns about the independence the Authority will have in practice.

Source: General Data Protection Regulation (GDPR) – DPO India (dpo-india.com)

Source: UK Data Protection Act 2018 – DPO India (dpo-india.com)

Source: India’s Draft Personal Data Protection Bill 2019 GOVTBILL_English_373_2019 10.12.2019 – DPO India (dpo-india.com)

We at Data Secure (www.datasecure.ind.in) can help you understand privacy and trust when dealing with personal data, and provide privacy training and awareness sessions to raise the privacy quotient of your organisation.

We design and implement RoPA (Records of Processing Activities), DPIA and PIA assessments to meet compliance requirements and mitigate risks under privacy laws and regulatory frameworks across the globe.

For a demo or presentation of our solutions on data privacy and privacy management under the EU GDPR, CCPA or India's draft PDPB 2019, and on secure email transmission, write to us at dpo@dpo-india.com or info@datasecure.ind.in

To download various global privacy laws, visit the Resources page at DATA SECURE - Privacy Automation Solution