Legal Consequences of Data Protection and Privacy Non-Compliance (Article 10)
August 17, 2022

Part 12: Legal Consequences of Data Protection and Privacy Non-Compliance

By Benedict Alex Ishabakaki

 

12.1  Introduction

Legal remedy or redress mechanisms can be categorized according to their nature or purposes. Under the first categorization, there are judicial remedies and quasi-judicial remedies while on the other, there are civil, administrative and criminal remedies. Data protection may provide all or some of these remedies, there are no standards set for inclusion.

12.2  Quasi-Judicial Remedies

These are remedies that are provided for by the data protection authorities or other sanctioned administrative bodies.  These bodies are empowered to receive complaints, investigate and issue administrative sanctions necessary to ensure compliance with the law or redress the victims of the data protection breach.

12.3  Judicial Remedies

These are remedies that are provided by the courts of law. They may be civil or criminal in nature. As seen above, courts are given an avenue to entertain certain types of complaints emanating from the data protection legislation. The domain is not exclusively vested in the data protection authority. For instance, the GDPR allows data subjects to institute court proceedings under Article 76 if their rights have been unduly infringed. Interestingly, the said article opens door to a class action by pressure groups on the basis that compensatory claims are deemed appropriate in respect of particularly damaging breaches.[i]

12.4 Civil Remedies

As the name suggests, these are remedies that are civil in nature. Data processing breaches may attract civil sanctions in form of what is known as units. Units are used to define the sum which shall be charged with respect to a certain data breach.  It is not mandatory that each data protection must adopt or use the unit’s system. Countries such as Venezuela and Uganda employ this system.  The remedies can be offered by both data protection authorities and courts of law.[ii]

However, based on the complexity of data protection some countries have enacted legislation that vest powers to determine damage suffered by the data subject only to the competent courts, for instance, section 33 of the Uganda Data & Privacy Act.[iii] In other jurisdictions, the powers to determine damage are vested in both authority and the court, but the latter is only with respect to appeal.

Civil remedies are the most common and preferred remedies. The reasons are obvious as they are easy to enforce and execute. Civil remedies which are mostly claimed by the data subject include damages for distress and/or loss caused by wrongful usage or processing of personal data, declaratory remedies, or restitution orders.

12.5  Criminal Remedies

Some breaches or non-compliance with the data protection law may amount to criminal offences. When there are criminal offences, criminal sanctions are invoked.  Criminal sanctions are normally imprisonment for a specified term or payment of a fine as prescribed by the statute.

Criminal sanctions are also common legal remedies in data protection law. However, in most jurisdictions criminal cases are handled by a separate authority that has been given the power to enforce the law.  For instance, in Tanzania, the Constitution has established a special office of the National Prosecution Services (NPS), which among other things, is mandated to prosecute criminal offences.

Other legislations have gone further to set standards for fines on offenses committed by corporations.  For example, Uganda has enacted some specific provisions to be used where the data breach involves a corporation. The fine for such a breach is to be paid based on the annual turnover of the corporation.[iv]

12.6  Administrative Remedies

These are remedies that are granted by the administrative bodies, and in our context, data protection authorities.  Since these are the authorities with the primary mandate to enforce the provisions of the data protection legislation, are given the power to offer several remedies in case of no compliance or violation of the rights of data subjects. These remedies include the imposition of a temporary or indefinite ban on processing of data, order to comply with the data subject’s requests; order to provide any information; warning or admonition; order of rectification, erasure or delete and enforcement notices in general. Each data protection legislation may specify the powers or administrative remedies which the respective data protection authority is empowered to give.

For instance, section 56 of the Data Protection Act of Kenya[v] gives power to the Data Commissioner to receive a complaint to investigate and make a decision by issuing an enforcement notice to a person who failed to comply with the provisions of the Act.  The enforcement notice contains measures to be taken within 21 days. Failure to comply is a criminal offence with a punishment of a fine of not more than Kenyan Shillings five million or imprisonment for a term not exceeding two years[vi].

Additional Administrative sanctions can be penalties for breach or failure to observe the provision of a certain section in the data protection law. It should be noted that, the fines paid goes to the data protection authority and not the victim of the data breach. Nevertheless, there are some data protection Legislation that allow damages to be issued administratively to the victim. For instance, section 62 of the Data Protection Act of Kenya[vii] entitles a data subject who suffers damage by reason of a contravention of a requirement of the Act to seek compensation from the data controller or processor. The Data Protection Commissioner is empowered to issue a compensation order for the distress caused to a data subject. In Uganda, such power is given to the court of law under section 32 of the Data Protection & Privacy Act.[viii] 

From the practical point of view, it is ideal that the data protection authority shall be given powers to prosecute offences or compound the same. This is feasible because of the nature of the underlying subject and the fact that big corporations are likely violators of the data protection Legislation. It should be noted that, the question of whether the adopted mechanism will be effective is best answered by the set-up of the legal system of each country.

12.7  Independent Dispute Resolution Mechanism

With the development of Alternatives Dispute Resolution (ADR), voluntary arbitration schemes and other alternative dispute settlements mechanisms can be adopted. Some countries have gone extra mile by allowing independent dispute resolution mechanism. This mechanism is used in lieu of a judicial mechanism. Under this mechanism, individuals can bring a complaint directly to the independent dispute resolution body designated by an organization to investigate and resolve individual complaints. The designated body is also empowered to provide appropriate recourse free of charge to the individual[ix].

 

This current article encompasses the twelfth part of the data protection and privacy articles series. The next part which is titled the REGULATION OF CROSS-BOARDER DATA TRANSFER will be released on 23rd August 2022.

 

DISCLAIMER

This article is not intended to provide legal advice but to provide general information on the matter covered in the Article. The article does not constitute and is not to be relied upon as legal advice. Victory Attorneys & Consultants shall not be responsible for any loss in the event this Article is relied upon without seeking our professional advice first.  

[i]https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjw_JCg4u31AhXCOuwKHcR8AeQQFnoECAUQAQ&url=https%3A%2F%2Fwww.pwc.com.cy%2Fen%2Fpublications%2Fassets%2Fgdpr-breaches-remedies-liability-and-sanctions1.pdf&usg=AOvVaw2nM92IEVRLJXuufDR_4ZNn, accessed on 6th October 2021.

[ii] Ibid.

[iii] The Data Protection & Privacy Act, 2019

[iv] Section 38 of the Data Protection & Privacy Act, 2019.

[v] The Data Protection Act, No.24 of 2019.

[vi] Section 58(3), ibid.

[vii] The Data Protection Act No.24 of 2019.

[viii] The Data Protection & Privacy Act, 2019.

[ix] https://seersco.com/law/redress-mechanisms-complaint-handling-and-enforcement/#_ftn2 accessed on 5th October 2021.

Victory Attorneys & Consultants © 2024

Augustine Dominic Shio

Managing Partner

Augustine Dominic Shio is also known as Mr Shio is a highly sought-after and widely recognized criminal law expert with more than 30 years of experience advising and assisting corporations and individuals charged with white-collar crimes.

Overview

Before founding the firm Mr Shio held several positions in the public sector, he served as a Principal State Attorney at the Attorney General’s Chambers, Legal Advisor at the President’s Office (Commission for Enforcement of the Leadership Code), Director of Legal Services and Complaints at the Ministry of Home Affairs and retired as a Deputy Director of Public Prosecutions at the Directorate of the Public Prosecutions.

Mr Shio is a recipient of the Presidential Medal for his distinctive public services and ethics of the highest order. His distinguished aptitude in handling complex criminal cases, particularly money laundering, economic and organized crimes has enabled the firm to handle high profile criminal cases in Tanzania.

Practice Focus

As the firm’s head of the Financial & Organized Crimes Department, Mr Shio represents corporations and individuals in the telecoms, media & ICT, mining, oil & gas and banking sectors in high profile criminal cases. He has advised and prepared legal compliance models and for large scale agribusiness operators, public listed companies and securities dealers and brokers in line with sector-specific laws.

He possesses vast experience in advising multinational corporations on money laundering and tax evasion throughout the life span of their commercial transactions.

Mr Shio has represented clients in major plea bargaining negotiations at the office of the Director of Public Prosecutions. He is renowned for closing some of the best pleas deals in the country on behalf of many locals and expatriates charged with money laundering, economic and organized crimes and cybercrimes. Additionally, Mr Shio consults and assists criminally charged individuals to secure pre-trail and post-trial bail on serious criminal charges.

Education

Mr Shio holds a Bachelor’s Degree (LL.B Hons) from the University of Dar es Salaam, Certificate in Criminal Justice and Treatment of Offenders from the United Nations Institute (Fuchu, Japan). He is a certified criminal law expert in Money Laundering and Terrorism.

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Join our mailing list to receive the latest legal updates, events announcements and many more.

You have Successfully Subscribed!

Share This