Part 12: Legal Consequences of Data Protection and Privacy Non-Compliance
By Benedict Alex Ishabakaki
Legal remedies or redress mechanisms can be categorized according to their nature or purpose. Under the first categorization, there are judicial remedies and quasi-judicial remedies, while under the other, there are civil, administrative and criminal remedies. Data protection legislation may provide all or some of these remedies; there are no standards set for inclusion.
12.2 Quasi-Judicial Remedies
These are remedies that are provided for by the data protection authorities or other sanctioned administrative bodies. These bodies are empowered to receive complaints, investigate and issue administrative sanctions necessary to ensure compliance with the law or redress the victims of the data protection breach.
12.3 Judicial Remedies
These are remedies that are provided by the courts of law. They may be civil or criminal in nature. As seen above, courts are given an avenue to entertain certain types of complaints emanating from the data protection legislation. The domain is not exclusively vested in the data protection authority. For instance, the GDPR allows data subjects to institute court proceedings under Article 76 if their rights have been unduly infringed. Interestingly, the said article opens the door to class actions by pressure groups on the basis that compensatory claims are deemed appropriate in respect of particularly damaging breaches.[i]
12.4 Civil Remedies
As the name suggests, these are remedies that are civil in nature. Data processing breaches may attract civil sanctions in the form of what are known as units. Units are used to define the sum which shall be charged with respect to a certain data breach. It is not mandatory that each data protection legislation adopt or use the unit system. Countries such as Venezuela and Uganda employ this system. The remedies can be offered by both data protection authorities and courts of law.[ii]
However, based on the complexity of data protection, some countries have enacted legislation that vests the power to determine the damage suffered by the data subject only in the competent courts, for instance, section 33 of the Uganda Data & Privacy Act.[iii] In other jurisdictions, the power to determine damage is vested in both the authority and the court, but in the latter only with respect to appeals.
Civil remedies are the most common and preferred remedies. The reasons are obvious as they are easy to enforce and execute. Civil remedies which are mostly claimed by the data subject include damages for distress and/or loss caused by wrongful usage or processing of personal data, declaratory remedies, or restitution orders.
12.5 Criminal Remedies
Some breaches or non-compliance with the data protection law may amount to criminal offences. When there are criminal offences, criminal sanctions are invoked. Criminal sanctions are normally imprisonment for a specified term or payment of a fine as prescribed by the statute.
Criminal sanctions are also common legal remedies in data protection law. However, in most jurisdictions criminal cases are handled by a separate authority that has been given the power to enforce the law. For instance, in Tanzania, the Constitution has established a special office of the National Prosecution Services (NPS), which, among other things, is mandated to prosecute criminal offences.
Other legislation has gone further to set standards for fines on offences committed by corporations. For example, Uganda has enacted some specific provisions to be used where the data breach involves a corporation. The fine for such a breach is to be paid based on the annual turnover of the corporation.[iv]
12.6 Administrative Remedies
These are remedies that are granted by the administrative bodies, which in our context are the data protection authorities. Since these are the authorities with the primary mandate to enforce the provisions of the data protection legislation, they are given the power to offer several remedies in case of non-compliance or violation of the rights of data subjects. These remedies include the imposition of a temporary or indefinite ban on the processing of data; orders to comply with the data subject’s requests; orders to provide any information; warnings or admonitions; orders of rectification, erasure or deletion; and enforcement notices in general. Each data protection legislation may specify the powers or administrative remedies which the respective data protection authority is empowered to give.
For instance, section 56 of the Data Protection Act of Kenya[v] gives power to the Data Commissioner to receive a complaint, investigate it and make a decision by issuing an enforcement notice to a person who has failed to comply with the provisions of the Act. The enforcement notice contains measures to be taken within 21 days. Failure to comply is a criminal offence with a punishment of a fine of not more than Kenyan Shillings five million or imprisonment for a term not exceeding two years[vi].
Additional administrative sanctions can be penalties for breach of, or failure to observe, the provisions of a certain section in the data protection law. It should be noted that the fines paid go to the data protection authority and not to the victim of the data breach. Nevertheless, there is some data protection legislation that allows damages to be issued administratively to the victim. For instance, section 62 of the Data Protection Act of Kenya[vii] entitles a data subject who suffers damage by reason of a contravention of a requirement of the Act to seek compensation from the data controller or processor. The Data Protection Commissioner is empowered to issue a compensation order for the distress caused to a data subject. In Uganda, such power is given to the court of law under section 32 of the Data Protection & Privacy Act.[viii]
From the practical point of view, it is ideal that the data protection authority be given powers to prosecute offences or compound the same. This is feasible because of the nature of the underlying subject and the fact that big corporations are likely violators of the data protection legislation. It should be noted that the question of whether the adopted mechanism will be effective is best answered by the set-up of the legal system of each country.
12.7 Independent Dispute Resolution Mechanism
With the development of Alternative Dispute Resolution (ADR), voluntary arbitration schemes and other alternative dispute settlement mechanisms can be adopted. Some countries have gone the extra mile by allowing an independent dispute resolution mechanism. This mechanism is used in lieu of a judicial mechanism. Under this mechanism, individuals can bring a complaint directly to the independent dispute resolution body designated by an organization to investigate and resolve individual complaints. The designated body is also empowered to provide appropriate recourse free of charge to the individual[ix].
This article is the twelfth part of the data protection and privacy article series. The next part, which is titled the REGULATION OF CROSS-BORDER DATA TRANSFER, will be released on 23rd August 2022.
This article is not intended to provide legal advice but to provide general information on the matter covered in the Article. The article does not constitute and is not to be relied upon as legal advice. Victory Attorneys & Consultants shall not be responsible for any loss in the event this Article is relied upon without seeking our professional advice first.
[i] https://www.pwc.com.cy/en/publications/assets/gdpr-breaches-remedies-liability-and-sanctions1.pdf, accessed on 6th October 2021.
[iii] The Data Protection & Privacy Act, 2019.
[iv] Section 38 of the Data Protection & Privacy Act, 2019.
[v] The Data Protection Act, No.24 of 2019.
[vi] Section 58(3), ibid.
[vii] The Data Protection Act No.24 of 2019.
[viii] The Data Protection & Privacy Act, 2019.
[ix] https://seersco.com/law/redress-mechanisms-complaint-handling-and-enforcement/#_ftn2, accessed on 5th October 2021.