Part 11: Enforcement Structure and Complaint Mechanisms
By Benedict Alex Ishabakaki
A good law on the statute books is nothing until it is implemented. Every data protection law must contain a proper and effective enforcement mechanism. Enforcement ensures compliance with legislation, regulations, rules, standards, and social norms.[i] In designing an enforcement mechanism, the first thing that comes to mind is an enforcement body or authority. This is true of data protection law as well. An authority mandated to enforce the provisions of the law must be put in place. The authority may be named variously, such as data protection authority, commission, office, bureau and so forth. The nomenclature is not particularly relevant.
11.2 Models of Data Protection Authority
There are two models of data protection authority. The first is the adoption of an existing authority and the other is the establishment of a new authority. The model chosen will therefore depend on each country’s legal regime or the presence of existing organs that govern and control digital and cyber-legislation. Some countries will adopt an existing authority while others will establish a new one. Furthermore, the decision to adopt either model is dictated by factors such as financial and human resources. Once established, a data protection authority is vested with powers to enforce the law, investigate, determine complaints and issue decision(s) with respect to data breach complaints.
As stated above, the model of the data protection authority may vary. For instance, in Europe, under the GDPR, a one-stop-shop mechanism is established. This means that cross-border enforcement under the GDPR is organized by the lead supervisory authority and the authority of the Member State where the data controller or processor has its main establishment.[ii]
In Kenya, section 5 of the Kenya Data Protection Act[iii] establishes the office of the Data Protection Commissioner. The authority is a body corporate with perpetual succession. It is an independent authority and is designated as a State Office in accordance with the provisions of article 260 (q) of the Kenya Constitution[iv]. The authority is headed by the Data Commissioner, who is appointed by the Chief Registrar of the Judiciary. Other staff of the authority are appointed by the Data Commissioner. Among others, the duties of the Data Commissioner involve receiving and investigating any complaint by any person on infringements of the rights under the Data Protection Act, and overseeing the implementation and enforcement of the Act.
On the other hand, Uganda employs a different approach. An existing authority known as the National Information Technology Authority has been designated as the data protection authority. A data protection officer is appointed under section 4 of the Act.[v] The duties of the data protection officer include receiving and investigating any complaint by any person on infringements of the rights under the Data Protection Act, and overseeing the implementation and enforcement of the provisions of the Act.
As stated earlier, the choice to use an existing authority or establish a new one is largely dictated by the governing legislation and other existing organs relating to cyber-legislation.
11.3 Independence of the Data Protection Authorities
Data, as a sensitive property, must be put under the custody of an impartial authority. It is a trite principle under the GDPR and the Convention on Cyber Security and Data Protection of the African Union (Malabo Convention)[vi] that a data protection authority must be fully independent and autonomous. This independence may enable the authority to effectively exercise its duties. The independence has two broad dimensions: personal/institutional independence and financial independence.
Personal or institutional independence entails two things. First, the personnel must be independent. This means that their manner of appointment or recruitment should ensure that they are independent in discharging their functions. The best practice is for these personnel to be recruited through a competitive recruitment process rather than being appointed by the political authority. At a minimum, that ensures their independence in the execution of their duties. Second, the institution (the data protection authority) shall be independent of any other authority. The functions and powers of the data protection authority shall not be subjected to the direction or interference of any other authority. In order to ensure that this independence is safeguarded, interference of any kind with the functions or powers of the authority is considered an offence.
By financial independence, we mean that these authorities shall be financially independent. To achieve that, the authorities must have their own sustainable sources of income. In some jurisdictions, the funds generated from registration fees of the data collector, processor or controller, annual membership fees and fines have been used as sources of the authority’s funds. The Government’s financial intervention must be reduced as much as possible in order to avoid real or potential interference with the independence of the data protection authority.
11.4 Complaints handling mechanism
The complaints handling procedure is vital in data protection legislation. One of the powers with which a data protection authority must be vested is the power to receive complaints from a data subject or data processor, determine them and issue administrative sanctions.[vii] These may include the power to issue monetary sanctions. However, it is good practice not to vest a data protection authority with all powers. For instance, the power to prosecute certain offences can be vested in the national prosecution agency, or complaints from the claimant must, in certain circumstances, be heard and determined by a competent court of law. Each data protection law must stipulate the circumstances or types of complaints that require court intervention. This position is reflected under Article 12 (e) of the Malabo Convention, where the intervention of the judiciary in certain circumstances is entertained. The court’s intervention is necessary especially when the data protection authority is not given a clear mandate to conduct necessary enforcement actions or when there is a lack of the technical expertise needed to carry out legislation effectively.
11.5 Data Protection Audit
Data protection authorities are also empowered to conduct data protection audits on controllers to check that they comply with data protection law.[viii] Essentially, a data protection audit is a process of determining the extent of compliance with the data protection legislation. A compliance audit involves an auditor from the data protection authority verifying the data controller’s compliance with the law.[ix]
Normally, an audit may look at a number of areas such as data protection governance, the structures, policies and procedures to ensure compliance with data protection legislation, the processes for managing files containing personal data, the processes for responding to any request for personal data, the measures in place to ensure the security of personal data stored, and the provision of staff data protection training and staff awareness of data protection requirements.[x]
This article is the eleventh part of the data protection and privacy article series. The next part, titled THE LEGAL CONSEQUENCES OF DATA PROTECTION & PRIVACY NON-COMPLIANCE, will be released on 17th August 2022.
This article is not intended to provide legal advice but to provide general information on the matter covered in the Article. The article does not constitute and is not to be relied upon as legal advice. Victory Attorneys & Consultants shall not be responsible for any loss in the event this Article is relied upon without seeking our professional advice first.
[i] See Black’s Law Dictionary, Enforcement (2d ed. 1910).
[ii] The DSA Enforcement Framework, Lessons Learned from the GDPR, https://eulawenforcement.com/?p=8038, accessed on 18th November 2021.
[iii] The Data Protection Act No.24 of 2019.
[iv] Section 5(2) of the Data Protection Act No.24 of 2019.
[v] The Data Protection & Privacy Act, 2019.
[vi] Article 11.1 of the Convention on Cyber Security and Data Protection of the African Union (known as the Malabo Convention, 2000).
[vii] Article 12 (b) (e) (f).
[viii] https://ico.org.uk/for-organisations/audits/, accessed on 6th October 2021.
[x] https://ico.org.uk/for-organisations/audits/, accessed on 6th October 2021.