A Thought Framework For ‘Developing’ Data Protection Authorities: Peering Into The Next Decade

Rashmin Kansal


Abstract

Following an increased focus on data protection and the success of the General Data Protection Regulation (‘GDPR’), developing countries around the world have been seeking to enact data privacy laws, modelled on the GDPR, followed by the creation of data protection authorities. The United States and the European Union (‘EU’) have led the way in setting the benchmark for data protection globally since these states have decades of jurisprudence on data protection. However, the lack of cogent jurisprudence is an often-ignored issue plaguing developing countries that are setting up data protection authorities of their own.

This article seeks to highlight the issue and propose a unique framework for building data protection authorities specially to address the unique challenges faced by developing countries. A model framework based on international best practices has been suggested to balance industry needs with individual rights and to ensure smooth regulation by domestic data protection authorities at the same time.


I. Introduction

Digital transformation is an essential and inevitable process that nations around the world are undertaking in order to implement their development agendas. Generally, three key pillars have been identified as focus points, namely, the development of digital government, digital economy and digital society. Several national programs on digital transformation (for example, in Singapore, the United Kingdom and Australia) have already been constituted as part of a strategy towards the enactment of these pillars. This strategy is vital as it serves to provide guidelines for global progress throughout the next decade, which the United Nations has termed the ‘Decade of Action’. Consequently, this digital age, often called the Fourth Industrial Revolution, will lead to an increased focus on data protection.

Admittedly, debates surrounding the need for data protection laws have almost been settled. 128 countries have laws in force and another 20 have draft laws ready to enact, thereby implying that the conversation will shift to enforcement of these laws, i.e., to data protection authorities (DPAs) soon. DPAs can be simply defined as independent public agencies that monitor the enforcement of the data protection law via the use of their probative and remedial powers. Among other roles, DPAs offer knowledgeable counsel on data protection concerns and address grievances regarding infringements of the national data protection laws. A separate and independent body to regulate data protection is important for both individuals and companies since it ensures consistency in compliance, easy access to enforce data protection rights and acts free from any undue influence. In the near future, DPAs will implement these laws and will act as national regulators and expert bodies on regulation of upcoming digital technologies. Therefore, it is now largely a public administration and conflict resolution issue rather than a question of legislation today.

The idea that individuals should have data protection rights enforced by an independent regulatory body has been gaining ground worldwide. The Indian Supreme Court has also recognised the importance of protecting personal privacy as an element of human dignity in K.S. Puttaswamy v. Union of India (‘Puttaswamy’). In Europe, this idea is shared through the GDPR. The GDPR seeks to create a level playing field and ensures smooth data flows within and beyond Europe while guaranteeing data protection. The European Data Protection Board was established to enforce the GDPR in the region to strengthen national data protection laws by providing independent regulation. The board also seeks to promote new technologies within the boundaries of data protection and to ensure harmonised enforcement of the GDPR with national laws. However, as demonstrated below, the creation of a DPA is a continuing quest for developing countries.


II. Widening Disparity: A Cause for Concern

The Center for Global Development recently released a series of policy papers, the first of which is titled “Governing Data for Development: Trends, Challenges, and Opportunities”. During the course of the project, the researchers interviewed more than 100 data policy experts outside the EU, China and the United States to better understand global ideas around data protection since these three regions have dominated technology and data regulation. The following commonalities were observed in the collected responses:

(a) funding issues;

(b) concerns around political interference; and

(c) lack of technical expertise and regulatory uncertainty.

The effect of regulatory uncertainty is key since the idea of data protection has come to the fore in the last decade. Undeniably, the GDPR is a leading legislation on data protection; however, it is very complex and implementing it may be a challenge for resource-constrained states which do not have jurisprudence around data protection like the EU. Worryingly, wide disparities exist in terms of the level of resources allocated for data protection across the globe. For instance, the United Kingdom’s data protection office has 800 permanent members whereas in African countries, such as Ghana, the number is skeletal in comparison. Multiple studies have shown that resource constraints imply that not only low and middle income countries but also certain European nations are forced to have short-staffed DPAs. Consequently, this may have the effect of disincentivizing useful data innovation among both companies and individuals in countries which have enacted new data protection laws. This affects a country’s economic and digital development, thereby hindering progress. Therefore, a systematic approach has to be followed to streamline data protection procedures and ensure effective protection along with public trust.


III. Challenges in Developing Economies vis-à-vis the Developed World

1. The Case of Brazil: Fragmented Confusion

Brazil is an interesting case-study to realise the challenges in creation of DPAs facing countries where the concept of data protection is still nascent. Brazil had to undertake almost a decade of discussions before the national data protection law was enacted. Before this law, the situation was very fragmented and different approaches were followed for regulation by various government bodies at both federal (Supreme Court) and provincial levels (consumer bodies/municipalities). Approval of the law was key to clarify business activities that were legitimate and to delineate responsibilities of the bodies that regulate data protection in Brazil. The law is strongly inspired by the GDPR, as in most countries. There was no legal framework historically in place and inspiration has been sought from other sources to prepare a strategic plan. Resultantly, Brazil had to take major steps to create a robust protection-intensive legal environment by recognising the right to individual self-determination in Supreme Court decisions and subsequent Constitutional amendments recognising the right to data protection. The Brazilian DPA was recently formed in October 2020, two years after the domestic law, i.e., the Lei Geral de Proteção de Dados Pessoais (‘LGPD’), was enacted in 2018.

2. The EU’s First-Mover Advantage: Simpler Roadblocks

Per contra, within the EU – which has a rich data protection history – the situation was different. Austria, for instance, already had a regulatory body in place in 1978, much before the GDPR came into existence. The increased awareness of individual rights of data protection generated over a long period of time led to a subsequent increase in filing of protection-related matters (for instance, in NOYB v. Google LLC before the Austrian DPA, more than 100 complaints were filed in the light of the Schrems II decision). With the entry of the GDPR, few challenges arose as compared to the ones emerging economies are facing today since major issues had already been addressed in the preceding decades of evolution of the EU data protection jurisprudence. One of these simpler roadblocks included the fact that there was only one interlocutor on both the complainant and the companies’ sides, as seen in Google LLC v. CNIL. Hence, industry personnel at times were not aware of the interpretation of the GDPR since that individual had an idea of global practices and not of specific legislation requirements. This led to a divergence of approaches in terms of decision-making. This issue was resolved through dialogue and invitations for public consultations as seen in Ireland. The positive outcome of this approach to resolve even minor challenges is that the EU-DPA has resolved around 1615 cross border disputes (between 25 May 2018 and 31 May 2021). This number is especially relevant, since these disputes could have also been resolved domestically, thereby demonstrating the success of the GDPR amidst its widened enforcement. Comparatively, there are far greater issues for newer DPAs with multiple concerns at play vis-à-vis the EU Data Protection Board which has had a relatively smoother ride in terms of challenges to GDPR enforcement.


IV. A Proposed Thought Framework

1. Proposals to Demystify Enforcement based on International Best Practices

Digital transformation is driven by data processed by states. How does the DPA ensure that the government is also complying with these regulations? The DPA must have the final authority to interpret; however, the risk of conflicting interpretation exists in such countries (and even in the United States and the EU). Thus, these nations must work on cross-harmonisation between regulatory bodies. Comparatively, similar to other national DPAs, the Brazilian DPA deals with data breaches, imposition of fines, ensuring compliance with the law and regulating international data transfers inter alia (LGPD, Chapter VII-IX). The focus must importantly be on being “selective to be effective”. This approach implies the need for DPAs to assess risks or conflicting issues with the prevailing laws and accordingly modify their response. For instance, issues of intergovernmental cooperation (LGPD Art. 55-J ¶¶ 3, 4 and GDPR Art. 61-62), which plagued dispute settlement, were prioritised to simplify past procedures and ensure consistency in interpretation of the data protection law. Similarly, the government cannot be fined in Brazil (LGPD Art. 52 ¶¶ 1, 4; Art. 53) but the DPA can instead use alternative approaches such as investigating officials or imposing bans (LGPD Art. 52). In sum, the approach assumed here has to be responsive and based on the presumption that the people may not be aware of the law. Therefore, nations could seek to resolve disputes through dialogue and measures such as potential extension of time frame to bring business activities in line with the data protection law. Public bodies can correspondingly also be investigated by the judiciary (GDPR Art. 58).

“Be selective to be effective” has to be the mantra to follow, i.e., the DPA should pick and choose cases to shape precedents and not adopt an interfering approach. For instance, India did not have tangible data protection jurisprudence until the Puttaswamy judgment. It is important to note the difference between privacy and data protection; leading to few precedents in these nations. However, there seems to be an urgency to create DPAs around the world following the lead of the GDPR. Instead, the need of the hour is to be measured. Nations must allocate proper resources to DPAs and the DPAs must focus on building precedents selectively. There is a risk to being path-dependent and most nations have already taken this approach since their legislations are largely based on the GDPR. This is problematic because, as explained above, Europe has 30 years of jurisprudence which even precedes the age of Big Data. These nations are just starting out so basing the law on European precedent is not an ideal first step. Each nation functions in a unique environment facing its own cultural and local issues. Developing newer DPAs based on the EU’s lead (or based on the American or the Chinese laws) would circumvent these localised issues and give birth to more problems such as difficulty in interpretation and regulatory confusion. The genesis of the law and creation of the new DPAs in developing countries must be based on an individual assessment of the localised issues sought to be resolved and subsequently taking steps to remedy these issues. Suggestively, nations must evolve a techno-legal approach as seen in the context of portability frameworks in the financial sector in India.

The willingness of the regulators has to be to learn what companies’ existing practices are, to ensure that they become compliant with data protection laws and avoid disputes. As a result, among regulators, the focus must also be to rely on subject matter experts in academia or industry professionals. For example, the United Kingdom recently invited proposals for collaboration in creating an age-appropriate design code and specific regulations were enforced. Another instance is in Brazil where the DPA is also legally bound to issue public consultations on the draft bill (LGPD Art. 55-J ¶2). To meet this challenge pre-formal comments are invited by the DPA from experts to help dive deeper into issues which the public comments may specifically address. Alternatively, developing countries can also incorporate a multi-stakeholder board, as done in Brazil, to deal with issues of lack of jurisprudence. The Brazilian DPA is composed of both lawyers and people from diverse backgrounds such as civil servants, subject matter experts and people with experience in public administration such as economists, anti-trust, and regulatory professionals.


2. Incorporating Stakeholder Interest into the Enforcement Framework

In this context, it is also important that due consideration is given to the legitimate concerns and expectations of industry leaders, since it is these companies which will dictate the success of the implementation of any proposed mechanism. Three points are crucial for the success of DPAs in any jurisdiction from an industry perspective:

(a) building awareness and understanding of the law;

(b) facilitating compliance by providing actionable interpretation; and

(c) enforcement based on actual industrial and technical realities.

Thus, a plan to ensure the success of the DPA must be composed of three tiers: promotion of data protection culture, harmonisation of existing regulatory frameworks, and detailing of the institutional structure of the DPA. Agreeably, the best solutions are achieved through collaboration and building trust. Therefore, the same principles should be followed through means such as discussions with companies, public consultations and co-regulatory models.

A suggestive mode of collaboration may include, first, “regulatory sandboxes” as seen in the United Kingdom and Singapore, that not only promise innovations, but also help both the DPA and the companies navigate murky waters.

Second, the presence of a wide range of tools to achieve the ends of DPAs such as consumer-business education, soliciting information by public consultations to develop deeper understanding of industry issues and providing actionable interpretation to help understand obligations under the new data protection laws.

Third, focus on expertise is important to build, from the start, an enforcement of the data protection law that is cognizant of industry realities and bridges the gap between practice and theory of the law.

Accordingly, efforts may be undertaken to harmonise regulatory approaches across jurisdictions in the same country (for instance, between competition regulators and DPAs; and as proposed recently by the EU Data Act, 2022) and internationally to make it easier for companies to plan for the future. Stress may also be laid upon best practices, information sharing and standardisation of the data protection law.

V. Conclusion

The developing world has to find quicker ways to resolve, regulate and legislate data protection. One can make use of principle-based legislations such as the GDPR by utilising regulatory bodies to implement guidelines and directives for businesses. This approach will provide businesses the regulatory certainty they demand. However, at the same time individual codes of practices must be developed to offer an opportunity to move towards specificity from principle-based regulations. The principles can talk about how the law will apply across sectors.

Further, states should encourage the creation of self-regulatory organisations that can look at the interests of a particular sector and propose a framing of the regulations. This simplifies the task of the DPA, which is a general body to deal with complex technological issues. DPAs must be encouraged to use this set of regulations formed by subject-matter experts and incorporate them into law enforcement. The DPA must also be flexible to realise that technology evolves over time and these regulations may also have room for amendments in response to newer technologies of the future.
