wordpress blog stats
Connect with us

Hi, what are you looking for?

What to do with violators of privacy laws? Examining criminal sanctions, fines, and more #PrivacyNama2021

Current and former data protection commissioners discuss building cases and imposing sanctions on offenders of the law.

“I won’t be happy jailing too many people because that means I failed in building resilience; that means we failed in promoting a culture (of data protection); that means we failed in impressing (upon) the companies…,” Raymund Liboro, the Chairman of the Philippines’ National Privacy Commission said while talking about the powers of a data protection authority in conducting criminal investigations against those found to be in violation of a country’s data protection law.

Liboro along with Marit Hansen, State Data Protection Commissioner of Land Schleswig-Holstein, and Teki Akuetteh Falconer, the former Executive Director of Ghana’s Data Protection Commission made these comments in a conversation with Malavika Raghvan (Future of Privacy Forum) at PrivacyNama 2021, a global conference on privacy regulations held by MediaNama on October 6 and 7.

In India, the subject of a platform’s liability is under the scanner after the Indian government brought in the Information Technology (IT) Rules, 2021. The rules state that any significant social media intermediary (platform with more than 5 million users) that does not comply with the rules can be held liable for the content on its platform. The draft Personal Data Protection Bill, which may be tabled in the Parliament during the Winter Session, also has provisions of criminal liability.

Here’s what current and former data protection commissioners from Ghana, Germany, and Philippines had to say on the intersection of data legislation and law enforcement.

Criminals sanctions are very difficult to navigate and enforce

  • Initially, even police did not have capacity to take on multitude of data protection cases: Falconer recounted the time when Ghana’s DPA did not have the powers to issue administrative fines. Instead, the DPA could then just issue notices. After realising the need for DPAs to have administrative powers, and ensure enforcement, Ghana’s DPA collaborated with the Attorney General’s office. However, with that came another hurdle: “The first few prosecutions took us close to three months or more to enforce, and they were like just two prosecutions. So you can imagine if you have a list of non-complying organisations in the thousands…I do not even think the police had that capacity,” Falconer said. 
  • Special Courts were formed to take on data protection issues: “We had spoken to the judiciary that had created some special courts around IT and had allocated certain courts to address data protection issues. So the then-Chief Justice was very helpful enough to give us a special court which helped in a number of ways. The judges were trained,” Falconer said.
  • Requested attorney general to set up prosecution unit within DPA: “The criminal sanctions have always been a very, very difficult challenge to navigate and enforce; and that in a way actually undermines the effective operationalisation of law enforcement strategies. At some point, the board had suggested and to the attorney general and a number of institutions to setup a unit within our organisation that had a prosecutor,” Falconer said. Subsequently, Ghana’s DPA was given a special license to prosecute cases pertaining to lower courts.

However, despite the challenges, Falconer believed that the enforcement of laws (by issuing fines, etc) is necessary. “The enforcement of the laws is the catalyst to compliance; it is the catalyst to making sure that people respect the laws. If they dishonour or disrespect the law, and if there are no consequences, then the impunity will grow. So that was one of the biggest challenges that we had. And in order to deal with that, you really have to ensure that you bring aboard all the government agencies.”

Support MediaNama’s endeavor to enable meaningful conversations around technology policy. Subscribe here.

Advertisement. Scroll to continue reading.

Reserve your DPA’s strongest powers for those who are wilfully non-compliant

In response to whether it is necessary for a DPA to have the power to prosecute, Liboro said that the DPA should reserve its strongest powers for those bodies that are willfully violating the law. “There are two types, compliant companies or non-compliant companies. Let me begin with non-compliant companies: First, there are those who are not compliant because they don’t understand the law or they are probably hearing about the concept for the first time. They may have no intention of violating the law, so one has to consider that,” Liboro said.

Among companies that are complying, Liboro said that some of them could just be compliant on paper. “They have registered a DPO but they are not promoting privacy. They are just waiting for authority to guide them,” he added.

Administrative powers more useful than prosecuting powers

“Our most important power I think is the administrative order to change something. Powers like to order that the data processing has to be changed in order to be compliant or the data subjects have to be notified because it’s the law, or the files have to be deleted because there is no legal baseline for that,” Hensen said.

Hansen said that as for her, she does not want to issue fines to those who are found in violation of the European Union General Data Protection Rules (GDPR) because companies have started accounting for these fines in their annual budget.

I don’t want to issue fines. Each year they pay 50 euros or 50,000 euros, and account for the sum in their as part of risk calculation. That is not the risk calculation I would like to see. Some of them even account for how likely it is for them to be investigated, how likely there may be a huge fine, or even calculate curbs. I don’t like that. I want administrative powers for every DPA to say you have to change something,” Hensen said.

‘Naming and shaming’, the last resort

Falconer and Hensen were unanimous in their opinion that ‘naming and shaming’ has been an effective way of dealing with those non-compliant entities, governmental or private, against whom no other way of approach has proved to be fruitful.

Hansen said, “If our letters of our administrative orders are ignored, then we have a flaw in our law which indirectly says that we (the authority) can be ignored by a public entity. And then the naming and shaming starts, as it is the last resort. We cannot do anything else. Otherwise, we don’t do any naming and shaming if we see that really a change is happening.”

Advertisement. Scroll to continue reading.

“Naming and shaming really helps while dealing with the public sector as for public sector it’s all about the image,” Falconer said.

MediaNama hosted this event with support from Facebook, Flipkart, Internet Society, Mozilla, Mobile Premier League, Omidyar Network, Paytm, Star India, and Xiaomi. We are also thankful to our community partners – the CyberBRICS Project, the Centre for Internet and Society, and the Centre for Communication Governance (NLU Delhi).

Comments have been edited for the purposes of clarity and brevity.

Also read:

Have something to add? Subscribe to MediaNama here and post your comment. 

Advertisement. Scroll to continue reading.
Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India

Click to comment

You must be logged in to post a comment Login

Leave a Reply

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



The US and other countries' retreat from a laissez-faire approach to regulating markets presents India with a rare opportunity.


When news that Walmart would soon accept cryptocurrency turned out to be fake, it also became a teachable moment.


The DSCI's guidelines are patient-centric and act as a data privacy roadmap for healthcare service providers.


In this excerpt from the book, the authors focus on personal data and autocracies. One in particular – Russia.  Autocracies always prioritize information control...


By Jai Vipra, Senior Resident Fellow at Vidhi Centre for Legal Policy The use of new technology, including facial recognition technology (FRT) by police...

You May Also Like


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ