Enforcement: To Be Effective, One Needs to be Selective

Richard Thomas, when he was Information Commissioner of the United Kingdom, said: “To be effective as a regulator, one needs to be selective.”  I suggest that regulatory clarity also is helpful.

The IAF has been working on model fair information legislation for the past three years.  Many difficult issues are raised by this effort, but a particularly difficult issue has been enforcement and active oversight, and this issue has not perplexed only the IAF.  Enforcement, and its effectiveness, has been an issue in all of the states considering legislation.  Who enforces the law, what is it exactly that will be enforced, and will the resources be available to protect the public through enforcement?  Additionally, if enforcement resources are limited, should enforcement be through private rights of action?

Complaints about enforcement exist across the globe.  Enforcement in Europe is too slow, and European equivalents to class actions are pending.  Regulators are being flooded with individual complaints, and in the EU, regulators must investigate every individual complaint.  There is active debate in Brazil regarding how the new data protection law, LGPD, will be enforced and who will enforce it.  Also, in Canada, the powers of the Federal Privacy Commissioner are being revisited, including whether there should be a new oversight tribunal.

Yet, there is one voice of clarity.  The Singapore Personal Data Protection Commission (PDPC) has issued the Guide on Active Enforcement (Guide).  The Guide, in 32 pages with very large type, lots of white space, and informative graphics, makes clear the PDPC’s enforcement objectives, how those objectives will be put into effect, the PDPC’s expected timelines, and the role of monetary penalties.  The Guide follows three years where the PDPC built out a maturity model for accountability and advised the government on how to amend Singapore’s existing data protection law for greater flexibility dependent on mature accountability.

Singapore is a small country with a unique political, administrative and legal culture.  It enforces data protection as a consumer interest rather than as a fundamental right.  The Personal Data Protection Act (PDPA) is based on the OECD Guidelines and is modeled after the Canadian private sector privacy law.  Lastly, the PDPC is aligned with the government agency that encourages digital growth.  Significantly, the Guide’s clarity of direction and clear communication on objectives and methods is transferable to other locations.

The Guide begins with three key objectives:

  1. To respond effectively to breaches of the PDPA where the focus is on those that adversely affect large groups of individuals and where the data involved are likely to cause significant harm to the affected individuals.
  2. To be proportionate and consistent in the application of enforcement action on organisations that are found in breach of the PDPA; where penalties imposed serve as an effective deterrent to those that risk non-compliance with the PDPA; and
  3. To ensure that organisations that are found in breach take proper steps to correct gaps in the protection and handling of personal data in their possession and/or control.

A major sticking point on enforcement is when to resolve differences between the organization and individuals and when to enforce.  The PDPC makes clear that its preference is mediation and facilitation rather than investigations, but that enforcement is key: “Notwithstanding, the PDPC will not hesitate to send a clear message of wrongdoing where necessary.” 

The Guide goes on to describe the investigatory process clearly.  It discuses when voluntary undertakings might replace a full investigation, and what happens if the PDPC is disappointed with voluntary undertakings.  Where monetary penalties are warranted, it describes how fine levels will be determined.

As stated earlier, the Guide should be seen in the context of the PDPC’s overall strategy.  Singapore has an accountability maturity model, and the PDPC has used regulatory sandboxes, has guided the government in creating exemptions for consent, and has recognized a certification program.

California is in the early stages of creating a new privacy agency, Virginia has given new responsibilities to its Attorney General, and Washington state may pass legislation in the next few weeks.  All of these states could learn from the systematic approach in Singapore.

Private rights of action, agency structure and powers, and the right to cure are being debated in Washington, DC.  The IAF has spent a great deal of time deliberating how the FTC would transition from a pure enforcement agency to one equipped to conduct oversight.  In the end, it comes down to confidence that the agency will conduct its role in a clear and transparent way.

So, the UK and Richard Thomas taught that to be effective, it is necessary to be selective.  More recently, Singapore teaches the importance of an overall strategy with a clear definition of the enforcement role. 

The IAF will explore the topics of matching resources and capabilities to challenges on Summit Days 1 and 3 on April 13 and 15 and oversight and enforcement on Day 2 of its Summit on April 14.  All these topics will be explored in future policy calls.  Contact Stephanie Pate at spate@informationaccountability.org if you would like to attend.