wordpress blog stats
Connect with us

Hi, what are you looking for?

What to do with violators of privacy laws? Examining criminal sanctions, fines, and more #PrivacyNama2021

Current and former data protection commissioners discuss building cases and imposing sanctions on offenders of the law.

“I won’t be happy jailing too many people because that means I failed in building resilience; that means we failed in promoting a culture (of data protection); that means we failed in impressing (upon) the companies…,” Raymund Liboro, the Chairman of the Philippines’ National Privacy Commission said while talking about the powers of a data protection authority in conducting criminal investigations against those found to be in violation of a country’s data protection law.

Liboro along with Marit Hansen, State Data Protection Commissioner of Land Schleswig-Holstein, and Teki Akuetteh Falconer, the former Executive Director of Ghana’s Data Protection Commission made these comments in a conversation with Malavika Raghvan (Future of Privacy Forum) at PrivacyNama 2021, a global conference on privacy regulations held by MediaNama on October 6 and 7.

In India, the subject of a platform’s liability is under the scanner after the Indian government brought in the Information Technology (IT) Rules, 2021. The rules state that any significant social media intermediary (platform with more than 5 million users) that does not comply with the rules can be held liable for the content on its platform. The draft Personal Data Protection Bill, which may be tabled in the Parliament during the Winter Session, also has provisions of criminal liability.

Here’s what current and former data protection commissioners from Ghana, Germany, and Philippines had to say on the intersection of data legislation and law enforcement.

Criminals sanctions are very difficult to navigate and enforce

  • Initially, even police did not have capacity to take on multitude of data protection cases: Falconer recounted the time when Ghana’s DPA did not have the powers to issue administrative fines. Instead, the DPA could then just issue notices. After realising the need for DPAs to have administrative powers, and ensure enforcement, Ghana’s DPA collaborated with the Attorney General’s office. However, with that came another hurdle: “The first few prosecutions took us close to three months or more to enforce, and they were like just two prosecutions. So you can imagine if you have a list of non-complying organisations in the thousands…I do not even think the police had that capacity,” Falconer said. 
  • Special Courts were formed to take on data protection issues: “We had spoken to the judiciary that had created some special courts around IT and had allocated certain courts to address data protection issues. So the then-Chief Justice was very helpful enough to give us a special court which helped in a number of ways. The judges were trained,” Falconer said.
  • Requested attorney general to set up prosecution unit within DPA: “The criminal sanctions have always been a very, very difficult challenge to navigate and enforce; and that in a way actually undermines the effective operationalisation of law enforcement strategies. At some point, the board had suggested and to the attorney general and a number of institutions to setup a unit within our organisation that had a prosecutor,” Falconer said. Subsequently, Ghana’s DPA was given a special license to prosecute cases pertaining to lower courts.

However, despite the challenges, Falconer believed that the enforcement of laws (by issuing fines, etc) is necessary. “The enforcement of the laws is the catalyst to compliance; it is the catalyst to making sure that people respect the laws. If they dishonour or disrespect the law, and if there are no consequences, then the impunity will grow. So that was one of the biggest challenges that we had. And in order to deal with that, you really have to ensure that you bring aboard all the government agencies.”

Support MediaNama’s endeavor to enable meaningful conversations around technology policy. Subscribe here.

Reserve your DPA’s strongest powers for those who are wilfully non-compliant

In response to whether it is necessary for a DPA to have the power to prosecute, Liboro said that the DPA should reserve its strongest powers for those bodies that are willfully violating the law. “There are two types, compliant companies or non-compliant companies. Let me begin with non-compliant companies: First, there are those who are not compliant because they don’t understand the law or they are probably hearing about the concept for the first time. They may have no intention of violating the law, so one has to consider that,” Liboro said.

Among companies that are complying, Liboro said that some of them could just be compliant on paper. “They have registered a DPO but they are not promoting privacy. They are just waiting for authority to guide them,” he added.

So how to make companies comply willfully?

  • Liboro also said that the Data Protection Authority should be responsible for “paving the way” for a company to be compliant to the rules. For instance, Liboro gave the example of www.privacy.gov.ph, wherein one can know more about privacy, can comply and complain. “So if you are a company, if you wish to comply, you can go there and we will provide you with all the information,” he said.
  • Another way, Liboro said having a “compliance and accountability compliance formula” also helps in the process. “. So we keep our messaging very simple for companies; appoint the DPO, know your risk, demonstrate your… come up with a plan, the privacy plan, number four is demonstrate your privacy for conspiracy nobody says, and fifth, be prepared for breach,” said Liboro while expanding on this said formula.

So keep your concepts simple because the law itself is so difficult, but keep again focus on the customers, your companies, your customers, keep your messages simple to them and the instructions, and naturally they will know the way of compliance because you are paving the way and providing them an easier ground for complying — Liboro

Ghana’s Teri Akuetteh Falconer also said that she observed many government agencies were also incapacitated in terms of resources. “They did not have enough resource and knowledge to be able to comply,” she said.  So Falconer decided to come up with an approach that positioned data protection not as a legal obligation but as something that will help public and private sectors help with their credibility.

I remember we started a campaign around the importance of data protection and how it can even eliminate corruption and bring up openness and transparency. And that really helped to bring the ear of all the critical governments such as to listen a bit more and to put in methods..to ensure transparency and openness — Falconer

Administrative powers more useful than prosecuting powers

“Our most important power I think is the administrative order to change something. Powers like to order that the data processing has to be changed in order to be compliant or the data subjects have to be notified because it’s the law, or the files have to be deleted because there is no legal baseline for that,” Hensen said.

Hansen said that as for her, she does not want to issue fines to those who are found in violation of the European Union General Data Protection Rules (GDPR) because companies have started accounting for these fines in their annual budget.

I don’t want to issue fines. Each year they pay 50 euros or 50,000 euros, and account for the sum in their as part of risk calculation. That is not the risk calculation I would like to see. Some of them even account for how likely it is for them to be investigated, how likely there may be a huge fine, or even calculate curbs. I don’t like that. I want administrative powers for every DPA to say you have to change something,” Hensen said.

‘Naming and shaming’, the last resort

Falconer and Hensen were unanimous in their opinion that ‘naming and shaming’ has been an effective way of dealing with those non-compliant entities, governmental or private, against whom no other way of approach has proved to be fruitful.

Hansen said, “If our letters of our administrative orders are ignored, then we have a flaw in our law which indirectly says that we (the authority) can be ignored by a public entity. And then the naming and shaming starts, as it is the last resort. We cannot do anything else. Otherwise, we don’t do any naming and shaming if we see that really a change is happening.”

“Naming and shaming really helps while dealing with the public sector as for public sector it’s all about the image,” Falconer said.

MediaNama hosted this event with support from Facebook, Flipkart, Internet Society, Mozilla, Mobile Premier League, Omidyar Network, Paytm, Star India, and Xiaomi. We are also thankful to our community partners – the CyberBRICS Project, the Centre for Internet and Society, and the Centre for Communication Governance (NLU Delhi).

Comments have been edited for the purposes of clarity and brevity.

Also read:

Have something to add? Subscribe to MediaNama here and post your comment. 

Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India

Free Reads


In its submission, the Interior Ministry said the decision to impose a ban was "made in the interest of upholding national security, maintaining public...


Among other things, the security requirements include data encryption and regular review and updated access permissions to reflect personnel changes.


the NTIA had earlier sought comments on the risks, benefits, and potential policy related to dual-use foundation models for which the model weights are widely...

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



NPCI CEO Dilip Asbe recently said that what is not written in regulations is a no-go for fintech entities. But following this advice could...


Notably, Indus Appstore will allow app developers to use third-party billing systems for in-app billing without having to pay any commission to Indus, a...


The existing commission-based model, which companies like Uber and Ola have used for a long time and still stick to, has received criticism from...


Factors like Indus not charging developers any commission for in-app payments and antitrust orders issued by India's competition regulator against Google could contribute to...


Is open-sourcing of AI, and the use cases that come with it, a good starting point to discuss the responsibility and liability of AI?...

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ