“A lot of us come from environments where our governments are very quick to pass these (data protection) laws. And invariably it’s a lot easier to push for legislations to be passed. But then, when we setup these institutions, one thing we find is that we do not resource them,” said former Executive Director of Ghana’s Data Protection Commission, Teki Akuetteh Falconer.
Falconer along with Marit Hansen, State Data Protection Commissioner of Land Schleswig-Holstein, and Raymund Liboro, the Chairman of the Philippines’ National Privacy Commission, made these comments in a conversation with Malavika Raghvan (Future of Privacy Forum) at PrivacyNama 2021, a global conference on privacy regulations held on October 6 and 7.
India’s proposed Personal Data Protection Bill has provisions for setting up data protection authorities. Since the bill will be passed sooner or later, it is important to note the kind of problems countries with data protection authorities have faced while trying to set up these institutions. Here’s what the panelists had to say about what makes a DPA tick:
First, get your leadership right
“One of the key recommendations that I will make is that, beyond the passage of the laws, we need the right political buy-in leadership, and by political leadership, I’m not just talking about the executive leaders, but it is also very important to put in place a framework that actually helps operationalise the laws,” said Falconer.
She said it is important to have the right person at the top because a data protection authority would essentially be a new institution and very few people would familiar with it. “We also need the right institutional leadership and, this is very important for a new institution that is being set up. You actually need it to encompass the embodiments of the individuals that are going to actually push and drive other institutions because nobody knows the institution,” Falconer added.
Giving an example from her time in Ghana’s Data Protection Commission, Falconer said:
In our case we had a very good driving chair that was a retired Supreme Court justice that was highly respected with a lot of knowledge around human rights issues. We had people like the government, statisticians sitting on our board, and it really gave a lot of credence to the organisation that they created.
Without going into specifics, Liboro said, “There is no particular playbook in organising data protection authority. However for starters, as an authority, you have to assert your leadership. So many of your constituents will be looking to you for leadership and clarity. So really I think the aim always of the DPA is to provide clarity, and that includes now, again breaking down these concepts from really theoretical concepts into something that they can see some benefit from.”
Support MediaNama’s endeavor to enable meaningful conversations around technology policy. Subscribe here.
Resources, resources, and more resources
Falconer recounted how it took more than three years since 2012 before Ghana’s DPA got the first approval to hire permanent staff for the institution. This was mostly because there was not enough financial backing for the institution back then, and also because there was a lack of human resources.
She said, “We started operations somewhere in 2012 and it took us more than three years for final approvals to come through for hiring permanent staff. This affected a number of things. We did not have the adequate financial resources that we needed to equip the organization.”
“Another challenge that you are going to face, is regarding the human resource capacity that is needed. We did not even have the adequate resources to even hire people that had the knowledge and skillset to be able to help us. Putting in place the right resources is really going to help enable the organization,” she said.
How to solve the constraint of resources?
- Strategise: She said one has to strategise and prioritise the “most important things”.
- Learning from others: She also said that it is important to learn form others.
In our case the ICO, Information Commissioner’s Office of the UK offered tremendous support to us. And we chose them predominantly because we had similar legal systems and structures. So you could actually see how implementation would work and all that. And we took a lot of learning from then and even tried to have some kind of exchange, and they were very supportive. So, you need to identify the right community and identify somebody that has done it, has done it well, and don’t be afraid to learn from them — Teri Akuetteh Falconer
- Cooperation and collaboration: Falconer recounted how signing up for a global privacy assembly gave her the chance to meet other people in similar domains and develop relationships.
I remember I was quite elated in our first meeting of the international conference in Mauritius, where I met the Mauritian DPA who was almost as young as me and she shared her own experiences… So finding like-minded people that have gone through similar experiences and sharing with them, even on an informal level, helps. And the Global Privacy Assembly at that time… the Information Commissioner’s conference, really helped module the kind of DPA that we wanted. — Teri Akuetteh Falconer
Make sure your work is visible
Marit Hansen, State Data Protection Commissioner of Land Schleswig-Holstein who started working in this field from the 1990s said initially DPAs did not have much power. “They were rather a complaint handling body to de-escalate. During this time there were not high fines, and no big compliance risks.”
She said that this changed in 2018 with the European Union’s General Data Protection Rules, and with that powers of DPAs have improved. “It also changed the perception of privacy among citizens. Everybody knew they had rights, that they wanted data protection authorities to help them,” Hansen said.
And therefore, you have to tell the stories, you have to be visible, you have to make sure that both privacy disasters are understood and hopefully prevented. It’s my job to prevent disasters, still, if there are no disasters it seems that people don’t learn. And on the other hand, show also the solutions — Marit Hansen
Hansen said that it gets harder for a DPA to work without visibility. “So, make visible what is happening, make visible the risk, and then also make sure that there are solutions, that they present them, and that people have the feeling they can do something and don’t give up. And without visibility it’s much much harder,” she added.
Give time for companies to be compliant
While responding to a question on time needed for companies to be compliant, Falconer said Ghana took at least 5-10 years to ensure operationalisation of the law. “One of the things we realized at that time with a staff of five was that there was no way we could register all data controllers across the country manually. So we had to leverage on technology. But of course we gave ourselves the first 3-4 years of awareness creation and then use the last part of those 3-4 years to start the registration exercise.”
Hensen said since Germany already had a privacy directive prior to the GDPR, and also similar to the GDPR in place since 1995, two years were given for compliance. “I think the two years were fair for the GDPR especially because we had… from 1995 already a directive in principle not so different. So everybody should have had all their safeguards already in place perhaps an another way of phrasing,” she said.
Build awareness to make data privacy legislations more humane
“What we did in the Philippines is that we came up in a very first year with a very strong awareness campaign… Complaints will not happen overnight, Nikhil. It will gradually build up because people become more aware,” Liboro said while explaining the importance of taking out an awareness campaign to kickstart a DPA.
He added that while these awareness drives are being carried out, one can use that time to build capacity and train personnel. “That’s why here in the Philippines what we did was really promote the role of data protection officers. We understand that we will never have enough sufficient resources to enforce our law, so we need allies, we need deputies. So we had to deputize, and we did that,” Liboro said.
You have to push in a lot of awareness in demystifying the subjects from the technical point of view to a more humane, a more human-centric environment where people can now personally identify with the data protection issues. That also helps with creation of more awareness and dissemination — Falconer
Falconer also reiterated the need to spread awareness but with the help of media. “We did not have any resources at all, and so we had to even leverage on traditional media, and they become like our partners in disseminating and identifying public issues around data protection, and we always use those opportunities to further heighten awareness,” she said.
Decrease friction with other regulators and reduce turf wars
When one or two government institutions have similar rules, or their functioning clashes with each other, it often turns into a powerplay issue. This is not very uncommon in governments and as Falconer pointed out, it could have very well been possible during her stint in Ghana’s data protection commission if the right appointments had not been made at the beginning.
One of the best ways of handling those power role issue and powerplay challenges around the leadership and institutional drive is to ensure that most of those people in critical institutions had place in the governing structure of the regulator. So, for instance, our regulator had a key institutional role. — Falconer
She further explained, “We had the communications regulator on our board; we had the ICT authority on our board; we had the central bank representative on our board; we even had ICT institutional reps, association reps on our board. And what that meant is that we were then able to, at the board level, create a system of buy-in from these critical sectors and institutional people to actually help push and disseminate the importance of the decisions that we had taken in the board room which was then going to come up.”
MediaNama hosted this event with support from Facebook, Flipkart, Internet Society, Mozilla, Mobile Premier League, Omidyar Network, Paytm, Star India, and Xiaomi. We are also thankful to our community partners – the CyberBRICS Project, the Centre for Internet and Society, and the Centre for Communication Governance (NLU Delhi).
- How To Be A Chief Privacy Officer – #PrivacyNama2021
- How Is China’s Data Protection Law Different From EU’s GPDR? #PrivacyNama2021
- The Chasm Between Passing A Data Protection Law Vs Actually Implementing It – #PrivacyNama2021
- Digital Sovereignty: Will It Actually Drive Economic Value And Will That Compromise Privacy? #PrivacyNama2021
Update, October 20, 12.40: Added more details
Have something to add? Subscribe to MediaNama here and post your comment.