Data Privacy Authorities (DPAs) 2017: Growing Significance of Global Networks
(2017) 146 Privacy Laws & Business International Report, 14-17
8 Pages Posted: 28 Jun 2017 Last revised: 13 Jul 2018
Date Written: March 15, 2017
This article considers the roles of data protection authorities (DPAs), or as they are sometimes called 'privacy enforcement agencies' (PEAs), and the associations they form. The article is based on data from the 2017 Global Tables of Data Privacy Laws and Bills at http://ssrn.com/abstract=2992986.
The DPA Hall of Shame is reserved for countries which, having undertaken in their data privacy legislation to appoint a data protection authority, fail to do so. There are three important escapees in 2015-16, but at least five countries remain there after quite some years. Twelve data privacy Acts don’t provide for a specialised data protection authority at all, but leave data privacy enforcement up to other State institutions.
The remaining 100 countries from the 120 with data privacy laws, all have functioning data protection authorities (DPAs). This article analyses the networks and associations of various types, of which these DPAs are members, and their expansion since 2015. The article analyses such networks as being of three types.
First is policy-oriented networks, of which there are many regional examples (but a few regions without them), including a new African association. In addition, the ICDPPC (International Conference of Data Protection and Privacy Commissioners), the longest established DPA organisation, now has as members approximately 90% of national DPAs globally that are eligible to have joined.
There are also enforcement networks, of which GPEN, the Global Privacy Enforcement Network, is the largest with members from 47 countries. There is also an APEC enforcement network, and one which is a sub-network of ICDPPC.
The third category is networks under some international agreements, of which the largest such grouping is the Consultative Committee of Council of Europe Convention 108, and the most significant is the EU’s Article 29 Working Party.
There are seven DPAs that are not part of any of these networks, and Canada is the most prolific ‘joiner’. The article concludes with some observations about the accountability of DPAs and ways in which it can be measured.
Keywords: Privacy, Data Protection, DPAs
Suggested Citation: Suggested Citation