“I won’t be happy jailing too many people because that means I failed in building resilience; that means we failed in promoting a culture (of data protection); that means we failed in impressing (upon) the companies…,” Raymund Liboro, the Chairman of the Philippines’ National Privacy Commission said while talking about the powers of a data protection authority in conducting criminal investigations against those found to be in violation of a country’s data protection law.
Liboro, along with Marit Hansen, State Data Protection Commissioner of Land Schleswig-Holstein, and Teki Akuetteh Falconer, the former Executive Director of Ghana’s Data Protection Commission, made these comments in a conversation with Malavika Raghavan (Future of Privacy Forum) at PrivacyNama 2021, a global conference on privacy regulations held by MediaNama on October 6 and 7.
In India, the subject of a platform’s liability is under the scanner after the Indian government brought in the Information Technology (IT) Rules, 2021. The rules state that any significant social media intermediary (platform with more than 5 million users) that does not comply with the rules can be held liable for the content on its platform. The draft Personal Data Protection Bill, which may be tabled in the Parliament during the Winter Session, also has provisions of criminal liability.
Here’s what current and former data protection commissioners from Ghana, Germany, and the Philippines had to say on the intersection of data legislation and law enforcement.
Criminal sanctions are very difficult to navigate and enforce
- Initially, even the police did not have the capacity to take on a multitude of data protection cases: Falconer recounted the time when Ghana’s DPA did not have the power to issue administrative fines and could only issue notices. After realising that DPAs need administrative powers to ensure enforcement, Ghana’s DPA collaborated with the Attorney General’s office. However, with that came another hurdle: “The first few prosecutions took us close to three months or more to enforce, and they were like just two prosecutions. So you can imagine if you have a list of non-complying organisations in the thousands…I do not even think the police had that capacity,” Falconer said.
- Special Courts were formed to take on data protection issues: “We had spoken to the judiciary that had created some special courts around IT and had allocated certain courts to address data protection issues. So the then-Chief Justice was very helpful enough to give us a special court which helped in a number of ways. The judges were trained,” Falconer said.
- Requested the attorney general to set up a prosecution unit within the DPA: “The criminal sanctions have always been a very, very difficult challenge to navigate and enforce; and that in a way actually undermines the effective operationalisation of law enforcement strategies. At some point, the board had suggested to the attorney general and a number of institutions to set up a unit within our organisation that had a prosecutor,” Falconer said. Subsequently, Ghana’s DPA was given a special license to prosecute cases pertaining to lower courts.
However, despite the challenges, Falconer believed that the enforcement of laws (by issuing fines, etc) is necessary. “The enforcement of the laws is the catalyst to compliance; it is the catalyst to making sure that people respect the laws. If they dishonour or disrespect the law, and if there are no consequences, then the impunity will grow. So that was one of the biggest challenges that we had. And in order to deal with that, you really have to ensure that you bring aboard all the government agencies.”
Reserve your DPA’s strongest powers for those who are wilfully non-compliant
In response to whether it is necessary for a DPA to have the power to prosecute, Liboro said that the DPA should reserve its strongest powers for those bodies that are willfully violating the law. “There are two types, compliant companies or non-compliant companies. Let me begin with non-compliant companies: First, there are those who are not compliant because they don’t understand the law or they are probably hearing about the concept for the first time. They may have no intention of violating the law, so one has to consider that,” Liboro said.
Among companies that are complying, Liboro said that some of them could just be compliant on paper. “They have registered a DPO but they are not promoting privacy. They are just waiting for authority to guide them,” he added.
Administrative powers more useful than prosecuting powers
“Our most important power I think is the administrative order to change something. Powers like to order that the data processing has to be changed in order to be compliant or the data subjects have to be notified because it’s the law, or the files have to be deleted because there is no legal baseline for that,” Hansen said.
Hansen said that she does not want to issue fines to those who are found in violation of the European Union General Data Protection Rules (GDPR) because companies have started accounting for these fines in their annual budget.
“I don’t want to issue fines. Each year they pay 50 euros or 50,000 euros, and account for the sum as part of their risk calculation. That is not the risk calculation I would like to see. Some of them even account for how likely it is for them to be investigated, how likely there may be a huge fine, or even calculate curbs. I don’t like that. I want administrative powers for every DPA to say you have to change something,” Hansen said.
‘Naming and shaming’, the last resort
Falconer and Hansen were unanimous in their opinion that ‘naming and shaming’ has been an effective way of dealing with non-compliant entities, governmental or private, against whom no other approach has proved fruitful.
Hansen said, “If our letters of our administrative orders are ignored, then we have a flaw in our law which indirectly says that we (the authority) can be ignored by a public entity. And then the naming and shaming starts, as it is the last resort. We cannot do anything else. Otherwise, we don’t do any naming and shaming if we see that really a change is happening.”
“Naming and shaming really helps while dealing with the public sector as for public sector it’s all about the image,” Falconer said.
MediaNama hosted this event with support from Facebook, Flipkart, Internet Society, Mozilla, Mobile Premier League, Omidyar Network, Paytm, Star India, and Xiaomi. We are also thankful to our community partners – the CyberBRICS Project, the Centre for Internet and Society, and the Centre for Communication Governance (NLU Delhi).
Comments have been edited for the purposes of clarity and brevity.