Independent Supervisory Bodies


Is there an independent authority in place that effectively holds government offices accountable for handling issues of data protection and privacy?

An independent and effective data protection authority exists.
The Data Protection Inspectorate (DPI) is responsible for protecting citizens’ privacy and personal data, and ensuring transparency of public information. The inspectorate works under the framework of the Personal Data Protection Act and the Public Information Act. Since May 2018, the inspectorate has been responsible for ensuring compliance with the European Union’s GDPR. The inspectorate has about 20 staff members and is led by a director general. The director general can impose legally binding decisions and law enforcement measures, and delegate powers to other officers of the inspectorate. The director general reports directly to the Constitutional Committee of the Riigikogu and to the chancellor of justice. As a law enforcement agency, the DPI can issue proposals or recommendations to terminate infringements, issue binding precepts, impose coercive payments or fines, or apply for criminal proceedings. In addition, the DPI acts as an educator and consultant, answering citizens’ queries and contributing to public awareness of data use.
Annual Report of Director General 2017. (accessed 25.10.2018)
There are two data protection authorities in Finland: the Data Protection Board and the Data Protection Ombudsman. Affiliated to the Ministry of Justice, the Data Protection Board is the most important decision-making agency concerning personal data issues. The Data Protection Ombudsman supervises the processing of personal data according to the objectives of the Personal Data Act 1999. The ombudsman office has 25 employees. The office can be called for guidance in private matters or to advise organizations.
Ministry of Justice, “The Data Protection Board”.
Finlex, “Personal Data Act (523/1999)”.
The Data Protection Ombudsman.
Data protection in France has a rather long history. The extremely active CNIL (Commission Nationale Informatique et Libertés) dates back to 1978. Its board of 17 members is appointed by the two chambers of the parliament. The board then elects its president. The CNIL enjoys the status of an Independent Regulatory Agency. It has five main functions, namely to: inform the public on personal data protection; support any person in relation to personal data protection; advise the legislator; control the use of personal data by private companies and public services; plan and prepare for the impact of technological developments on personal data. The CNIL has been very effective over the past 40 years, and its role is widely supported by the public and political elites. Since May 2018, a European regulation states that every company or public body dealing with personal data has to appoint a “data protection advisor.” There is not yet information about the actual implementation of this obligation.
The Icelandic Data Protection Authority (Persónuvernd) is a state-run authority that monitors the processing of data to which the Act on Data Protection and the Processing of Personal Data No. 90/2018 applies. The authority deals with specific cases requested by public authorities or private individuals, or on its own initiative.
The Icelandic Data Protection Authority (Persónuvernd), Accessed 22 December 2018.
Article 13 of the constitution establishes that every citizen must be protected against the abuse of data. Since 1993, a law for data protection has been in force. There is a Federal Officer for Data Protection (Eidgenössischer Datenschutzdelegierter, EDÖB). A 2011 evaluation of the Federal Data Protection Law attests to the effectiveness, independence and transparency of the EDÖB.

Christian Bolliger, Marius Féraud, Astrid Epiney, Julia Hänni (2011). Evaluation des Bundesgesetzes über den Datenschutz. Schlussbericht im Auftrag des Bundesamts für Justiz. Bern/Freiburg: Büro Vatter/Institut für Europarecht, Universität Freiburg.
Since 2013, an office for data protection has existed, which replaced the former Data Protection Committee. The office is headed by a chairperson nominated by the federal government and appointed by the federal president for a period of five years. Despite the nomination by the government, the office and its chairperson are not dependent on the government; they are not obliged to follow any specific government directive. Over the last few years, the independence of the office has never seriously been questioned. In 2018, following the European Union’s GDPR taking effect, the data protection authority was restructured and scaled up.
Canada’s data protection authority is the Office of the Privacy Commissioner of Canada. The legislation governing federal government use of private data is the Privacy Act. As an officer of parliament, the commissioner can audit suspected government breaches of the Privacy Act and act as an ombudsman in relation to individual violations. Analogous structures exist at the provincial and territorial level.
Denmark has an independent data protection authority (Datatilsynet), which monitors the implementation and enforcement of data protection rules. The authority also deals with complaints, and gives advice to government institutions and companies. The council has a chairperson and six other members appointed by the minister of justice. The council primarily takes decisions on cases of principle concerning personal data and on the law concerning public institutions’ treatment of personal information.
During 2017, the agency took part in 391 cases of law preparation, received 1,511 questions and complaints about private companies and other data-responsible actors, and received 702 questions and complaints about public authorities. The agency initiated 73 cases and there were 255 international cases.
The agency takes part in international cooperation, including in the European Union, and monitors the handling of data in relation to Schengen and Europol cooperation.
Since 25 May 2018, when the European Union’s General Data Protection Regulation (GDPR) entered into force, Datatilsynet’s director has represented Denmark in the new European Data Protection Board (EDPB).
Datatilsynet, Datatilsynets årsberetning 2017 (September 2018), (Accessed 8 October 2018).

Datatilsynets Årsrapport 2017, (Accessed 8 October 2018)

Databeskyttelsesrådet (EDPB), (Accessed 9 October 2018).

Niels Fenger (red.), Forvaltningsret. København: Jurist- og Økonomforbundets Forlag, 2018.
At the national level, there is the “Bundesbeauftragter für den Datenschutz und die Informationsfreiheit” (BfDI), which has a long history dating back to the end of the 1970s. Since January 2016, this institution has been an independent federal authority subject only to parliamentary and judicial control and no longer under the authority of the minister of the interior. The independence of the authority’s head is highly protected. A dismissal is only possible for reasons similar to those that apply to the dismissal of a lifetime judge. The authority’s budget and number of staff have considerably increased. From 2015 to 2017, its staff increased from 90 to 160 positions and a further increase is planned. The authority’s task is to control federal institutions’ compliance with national and European data protection rules.
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (2017): 26. Tätigkeitsbericht zum Datenschutz für die Jahre 2015 und 2016, Bonn.
The Greek independent data protection office is the Hellenic Data Protection Authority (HDPA). The HDPA, established in 1997 through law 2472/1997, is also protected by the constitution. The HDPA grants individuals certain rights and imposes certain responsibilities on entities that process and store personal data. The president of HDPA (a high-ranking judge) and members of the authority are selected by the parliament for a four-year term. Generally, it is not a government-controlled authority. The HDPA implements EU and Greek law on personal data protection and has been very active in carrying out its tasks.
Information on the Hellenic Data Protection Authority is available in English.
The Irish Data Protection Act 2018 was signed into law on 24 May 2018 to coincide with the implementation of the General Data Protection Regulation (GDPR) on the following day, 25 May 2018. The GDPR replaced the existing data protection framework defined under the EU Data Protection Directive. The GDPR emphasizes transparency, security and accountability by data controllers and processors, while also standardizing and strengthening the right of European citizens to data privacy. In Ireland, the Data Protection Commission has been established to ensure the enforcement of the GDPR.
An independent and effective data protection authority exists in Lithuania. The State Data Protection Inspectorate is responsible for the supervision and control of enforcement of legal protections for personal data. The status of the government agency gives the agency the legal and policy independence necessary for making regulatory decisions. With experience exceeding 20 years and a staff of about 30, the agency has adequate capacities and resources to focus on the implementation of the General Data Protection Regulation that came into force in 2018. However, despite the allocation of two additional positions, the State Data Protection Inspectorate was unable to recruit new staff in 2017 due to a shortage of financial resources.
The task of the National Data Protection Commission (CNPD) is to control and check the legality of personal data processing. The CNPD is legally required to carry out a number of duties, including: supervising and checking the legality of data collection and use, and informing relevant parties of their legal obligations for data processing; ensuring the observance of personal freedoms and fundamental rights, particularly with regard to privacy, and informing the public of their rights; receiving and examining complaints and requests for checks on the legality of data processing; and advising the government on the subject of data protection. The commission is also responsible for the application of the provisions of the amended act of 30 May 2005 on the protection of privacy in the electronic communications sector and of the regulations stemming from that act.

Under the amended act of 2 August 2002, the CNPD has the power to investigate, which grants it access to processed data. Consequently, the CNPD can demand direct access to the premises, excluding residential premises, where the data was processed and to the processed data.

Furthermore, the CNPD publishes an annual report regarding its performance, which is submitted to the government, parliament, European Commission, and European committee on data protection. The CNPD is a collegiate body with three permanent and three substitute members.

It operates as a public institution under the supervision of the government minister responsible for data protection. Nevertheless, it is independent in the exercise of its functions.
Commission nationale pour la protection des données. Accessed 23 Oct. 2018.
Norway has a special body, the Norwegian Data Protection Authority (DPA), to hold the government accountable for data protection and privacy issues, and protect individuals’ privacy rights. The DPA is a public authority that was established in 1980. The main legislation directing the DPA’s work is the Personal Data Act, which sets out the general principle that individuals should be able to control how their personal data is used. Through information, dialogue, the handling of complaints and inspections, the DPA monitors and ensures that public authorities, companies, non-governmental organizations and individuals follow data protection legislation.
Following the establishment of the Information Commissioner on 31 December 2005, Slovenia has an independent and effective data protection authority. The commissioner supervises the protection of personal data and access to public information. The office is led by Mojca Prelesnik, previously the general secretary to the parliament. The competencies of the Information Commissioner include: deciding on appeals against decisions by another body to refuse or dismiss a request for information; deciding on alleged violations of the right to access or re-use public information; supervising the implementation of legislation regulating the processing and protection of personal data; acting as an appellate body on individual complaints regarding a refusal to make personal information available to the respective individual.

There is also a government Office for the Protection of Classified Information. The office monitors the classification and protection of information, and ensures the development and implementation of classified information protection standards across government agencies, local community agencies, holders of public authorizations, NGOs and commercial companies that hold classified information. The office also issues permissions to access classified information and security certificates to legal persons.
The Information Commissioner 2018.
The Swedish Data Protection Agency (Datainspektionen) is charged with the task of protecting personal integrity. To that end, it handles complaints as well as conducts its own inquiries and inspections. It works closely with similar agencies in other EU countries and with the EU’s institutions.
An independent and effective data protection authority exists, but its role is slightly limited.
In May 2018, the Belgian federal government instituted the Data Protection Authority (Autorité de protection des données/Gegevensbeschermingsautoriteit). The authority’s mission is to ensure that individuals’ privacy is respected when personal data is processed. To improve efficiency, various pre-existing but dispersed authorities and services were regrouped under and are now coordinated by the Data Protection Authority. The new authority is accountable to the lower house (House of Representatives) and the members of its board of directors are politically appointed for six-year terms.

While political appointments may partially limit its autonomy, the authority is designed to be an independent body that communicates advice and recommendations to the chamber. For instance, the authority issued negative advice regarding the government’s proposal to incorporate citizens’ fingerprint data into the Belgian electronic ID card.
Data protection rests with the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ), an independent body set up under a law passed in 2000 to supervise the observance of the legal obligations laid down for processing personal data; to maintain the register of notified data processing operations; to deal with initiatives and complaints from citizens concerning any breach of the law; and to provide consultancy in personal data protection. The president of the republic appoints the president of the office at the proposal of the president of the upper house of parliament (Senate). The scope of the ÚOOÚ’s activities has widened in the context of the adopted European legislation on the protection of personal data. In the period under review, the implementation of the EU’s General Data Protection Regulation featured prominently on the agenda of the ÚOOÚ. In 2017, the ÚOOÚ received 1,684 infringement complaints.
The Italian Data Protection Authority (Garante per la protezione dei dati personali) is an independent administrative authority set up by the so-called Privacy Law (Law No. 675 of 31 December 1996). Its four members are elected by the parliament for non-renewable seven-year terms. They cannot be re-elected. The authority has extensive powers and enjoys a high degree of independence.
Malta has an information and data-protection commissioner who is appointed by the prime minister in consultation with the leader of the opposition. This figure heads the Data Protection Authority, which is both effective and independent. The authority’s website provides information about the protection the office provides in various fields. It also provides assistance to citizens who believe their privacy has been invaded. Malta also abides by EU legislation and decisions by the Advocate General of the European Court in this area, and in May 2018 transposed the EU General Data Protection Regulation (GDPR) into law. Since the law has taken effect, 100 breaches of the data protection act have been reported, with 17 of these leading to a fine. Maltese courts can also be called upon to adjudicate complaints relating to data privacy infringements. A recent ruling by the Information and Data Protection Appeals Tribunal clarified that the data protection commissioner has the right to issue enforcement orders when a government ministry fails to issue certain information – in the case under review, information relating to government consultants’ contracts.
Data Commissioner has right to access contracts of government consultants - appeals tribunal
Economy Minister loses legal challenge. Times of Malta 29/01/19
DLA Piper GDPR data breach survey: February 2019
In May 2018, a new act on data protection entered into force. This replaced the 1997-era law, and is supposed to help implement the EU General Data Protection Regulation. The law has also introduced a new supervisory authority in Poland, the Office of Personal Data Protection, which replaced the Inspector General for Personal Data Protection. The president of this office is appointed for a four-year term by the Sejm, with the consent of the second chamber, the Senate.
The Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) is a public authority that acts fully independently of the public administration. According to Organic Law 15/1999, the director of this body is to exercise his or her functions independently and objectively, and is not to be subject to any instructions. The Advisory Board is made up of two members of parliament, a representative of the central administration, representatives of the autonomous regions that have their own data protection agencies, a local-administration representative, a member of the Royal Academy of History, an expert, a member representing users and consumers, and a representative from the private business sector. The AEPD carries out its investigations primarily at the request of citizens, although it is also empowered to initiate its own investigations. The agency communicates to the government through the Ministry of Justice. So far there is no evidence that the agency is incapable of holding government offices accountable. Being integrated in a wider international and subnational network of agencies, the AEPD has the capacities and personnel resources to advocate data protection and privacy issues vis-à-vis the government and against vested interests.
ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data

“Google Spain SL, Google Inc. v Agencia Española de Protección de Datos.” Court of Justice of the European Union. May 13, 2014.
The United Kingdom was among the early adopters of personal data protection legislation. The Data Protection Act 1984 set standards for the use of digital data by the government, private businesses and individuals. Since 1998 (following the Data Protection Act 1998), the data protection regime has been shaped by EU law. The United Kingdom has adopted the European Union’s General Data Protection Regulation (GDPR) into primary law (through the Data Protection Act 2018), meaning that the approach to data protection and information governance developed by the GDPR will be maintained after the United Kingdom leaves the European Union.

The central body authorized to enforce data protection legislation in the United Kingdom is the Information Commissioner’s Office (ICO). The ICO is a non-departmental public body which reports directly to parliament and is sponsored by the Department for Digital, Culture, Media and Sport (DCMS). The office has a wide array of data protection responsibilities defined by the Data Protection Act, the Freedom of Information Act and the General Data Protection Regulation, among other legislation. Given the devolution of powers, a similar function also operates in Scotland. The ICO publishes its actions and fines. The ICO recently received a lot of media attention for its inquiry into the business practices of the data processing firm Cambridge Analytica. However, the ICO has no authority over the United Kingdom’s security agencies, which are rumored to be proactively collecting a wide range of UK citizens’ personal data.

In October 2018, Elizabeth Denham, the UK Information Commissioner, was appointed the Chair of the International Conference of Data Protection and Privacy Commissioners.
The Office of the Australian Information Commissioner (OAIC), an independent statutory agency within the attorney general’s portfolio, has responsibility for data protection and privacy as per the Privacy Act and other laws. Its responsibilities include conducting investigations, handling complaints and providing advice to the public, government agencies and businesses.

The OAIC was established in 2010 by the Labor government. The Abbott government sought to abolish the agency on coming into office in 2013, but could not secure the support of the Senate. Coalition governments instead reduced the resources available to OAIC, resulting in its diminishing size and efficacy over time. Since 2016, there has been some reversal in the Coalition government’s position on OAIC and correspondingly marginal increases in funding.
The Personal Data Protection Commission was established in 2002. Bulgarian legislation treats all personal data administrators (from both the public and the private sector) similarly and the commission has equal powers with respect to both. The commission can regulate the implementation of the law, review personal data administrators’ activities, provide critical assessments, propose changes and, in case of infringements, temporarily suspend administrators’ privileges. Citizens can also address complaints to it about infringements of personal data rights by government and private bodies. However, the factual protection of citizens against infringements on their privacy rights lags behind the significant formal powers of the commission.
The Croatian Personal Data Protection Agency was established in 2004 on the basis of the Personal Data Protection Act adopted by parliament in 2003, which regulated the protection of personal data in the Republic of Croatia for the first time. The agency is a supervisory body tasked primarily with overseeing personal data protection. The agency monitors those who gather and process collections of personal data and warns them of unauthorized processing of personal data. The agency has the authority to order the removal of irregularities; it can temporarily prohibit the processing of personal data, order the deletion of personal data and prohibit their removal from the Republic of Croatia. The Croatian Law on Implementation of the General Data Protection Regulation (GDPR) was passed by parliament in April 2018. The new law prescribes the agency’s duty to publish final and binding decisions on its website, without anonymization of the offender’s data, if a data breach is committed in relation to data on children, special categories of personal data, an automated individual decision, in cases of profiling or if an offender is charged in excess of HRK 100,000. In order to get companies and state institutions to implement and comply with the GDPR, the agency organized more than 30 advisory activities in 2018, involving nearly 2,000 representatives of processing managers and personal data protection officers. In its annual report to the parliament, the agency pointed out that a large number of companies essentially ignore GDPR compliance. As a result, it requested that the Croatian Employers’ Association be more intensively involved in implementing the GDPR.
Israel’s cyber security policy in the civilian sector has evolved over the past two decades, starting with the Management of Security in Public Corpora Act of 1998. The act detailed the security requirements for information systems belonging to entities defined as “essential” to the state’s function, such as companies operating and maintaining national level infrastructure. In 2002, the government decided that the National Authority for Information Security in the Israeli Security Agency (in Hebrew “Shabak”) would direct these essential entities. In 2011, the government decided to develop its national cyber capabilities further by establishing the National Cyber Headquarters in the Prime Minister’s Office, charged with, among other things, the responsibility for managing the national cyber policy and strategy, and developing the national cyber capabilities. In 2015, the government established another cyber-related unit in the Prime Minister’s Office named the National Cyber Security Authority, whose role is to defend the civilian cyber space in general and critical state assets more specifically. Lastly, in 2018, the authority and the headquarters were conjoined to form the National Cyber Directorate, which reports directly to the prime minister.

The National Cyber Directorate and the Authority for the Protection of Privacy are distinct in character and operation. The former has a more active character, actively defending the Israeli cyberspace and fighting hostile or criminal elements. The latter, on the other hand, has a more passive character, and is concerned first and foremost with the protection of citizen privacy, and secondly with how individuals and organizations should ensure the security of information they hold.

While the directorate appears to be mostly entrusted with the regulation and defense of essential infrastructure, the services it offers extend to the individual citizen too. The directorate’s official website provides advice and information concerning cyber activity and security, including contact details (phone and email) in the event of a cyber assault. The directorate is also entrusted with training and certifying professionals across different cyber-related professions, and lately announced the launch of a first course to train certified inspectors. In addition, in light of the upcoming Israeli national elections, the directorate has also published a guide for safe behavior in and management of cyberspace, which aims to strengthen the integrity of the electoral process. The guide is targeted at individuals as well as organizations, and details common cyber assault methods, and practical advice for protection and safety.
Israel. The State Comptroller. “Aspects in the State’s Preparations in Defense of the Cyber Space,” Annual Report, 67(1), 2018, Jerusalem, vol. 1, pp. 3-10. (Hebrew).

Goichman, Rafaela. “A Hacker Attack or Just an Amateurish Website? What Brought Down the Website Made for the Elections Day,” TheMarker, November 1st, 2018, p. 2. (Hebrew).

Goichman, Rafaela. “‘There Was No Internet Reception’: the Crashed Elections Results’ Website Still Isn’t Back Running.” In TheMarker website. November 1st, 2018. (Hebrew).

Memorandum for the Cyber Security and the National Cyber Directorate Act, 2018. (Hebrew).

Siboni, Gabi, and Ido Sivan-Sevilla. Cyber Regulation. Memorandum 180. Tel Aviv: The Institute for National Security Studies, 2018. (Hebrew).

“The Government ICT Authority | About the Government ICT Authority.” In the Government ICT Authority’s official website. Last updated: May 2nd, 2015. (Hebrew).

“The National Cyber Directorate | About the National Cyber Directorate.” In the Israel National Cyber Directorate’s official website. Last updated: October 24th, 2018. (Hebrew).

“The National Cyber Directorate.” In the Israel National Cyber Directorate’s official website (main page). Last seen: November 1st, 2018. (Hebrew).

“The National Cyber Directorate | The Directorate is Happy to Announce the Opening of the First Course for the Training of Certified Inspectors in the Market [lit. economy].” In the Israel National Cyber Directorate’s official website. September 12th, 2018. (Hebrew).

Ziv, Amitai, ‘A Shin Bet Puppet.’ What Went Wrong With Israel’s Cybersecurity Agency, Ha’aretz, 29.8.2018.
New Zealand
The Privacy Act 1993 came into force in July 1993. The Privacy Principles in the act may be superseded by a code issued by the Privacy Commissioner for particular sectors. There are currently six codes in operation: the Civil Defense National Emergencies (Information Sharing) Code, the Credit Reporting Privacy Code, the Health Information Privacy Code, the Justice Sector Unique Identifier Code, the Superannuation Schemes Unique Identifier Code and the Telecommunications Information Privacy Code.

The Privacy Commissioner administers the Privacy Act 1993. In recent years, both the New Zealand Law Commission and the Office of the Privacy Commissioner have made recommendations for particular areas of reform (including mandatory breach notification and stronger enforcement powers) to bring New Zealand’s privacy law into line with other jurisdictions. The minister of justice introduced a bill amending the current Act on 20 March 2018. The proposal includes stronger powers for the privacy commissioner, mandatory reporting of privacy breaches, new offenses and increased fines.
Data Protection New Zealand.
Office of the Privacy Commissioner 2018. Privacy Law Reform.
Based on the 2013 Act on Personal Data Protection, the Office for Personal Data Protection was established in 2014. Headed by Soňa Pőtheová, the office contributes to the protection of the fundamental rights and freedoms by supervising how personal data is processed. The effectiveness of the office has been limited by a lack of resources and a lack of clarity and differing interpretations of individual parts of Slovak data protection legislation. The amendment of the act on personal data protection in January 2018, which has aimed at incorporating the EU’s General Data Protection Regulation, has further aggravated the problems.
Numerous laws govern the handling of information by U.S. government agencies – in the interests of maintaining citizens’ privacy, protecting proprietary information of businesses, preventing identity theft, and for other purposes. Overall, these regimes may be relatively strict. However, while there is no national data protection authority, the U.S. Federal Trade Commission (FTC) over the past several years has made itself America’s de facto data protection authority through aggressive use of Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices. The FTC took enforcement action to protect consumers against unfair or deceptive trade practices, including materially unfair privacy and data security practices.

Many state attorneys general have similar enforcement authority over unfair and deceptive business practices, including the failure to implement reasonable security measures and violations of consumer privacy rights that harm consumers in their states. In addition, a wide range of sector-specific regulators, particularly those in the health care, financial services, telecommunications and insurance sectors, have authority to issue and enforce privacy and security regulations with respect to entities under their jurisdiction.
see: International Association of Privacy Professionals (2019): The U.S. Doesn’t Have a National Data Protection Authority? Think Again…
The Office of the Commissioner for the Protection of Personal Data was established in 2002. Law 125(I)/2018 updated the legislation in accordance with EU regulations and directives. The Council of Ministers appoints the commissioner upon the recommendation of the minister of justice and public order. She/he must have the qualifications for appointment as a judge of the Supreme Court, which is, however, somewhat vague. The commissioner’s authority is extended to both public and private persons, except on processing operations by courts when acting in their judicial capacity.

Violations of personal data by various agents, including the authorities, politicians and political parties, have always been an issue of concern. Massive numbers of SMS and other messages to citizens during election campaigns prompted a limited number of complaints, with fines imposed on senders. No independent report exists evaluating the effectiveness of the office.
1. Law on the Protection of Personal Data, L.125(I)/2018$file/Law%20125(I)%20of%202018%20ENG%20final.pdf
The National Authority for Data Protection and Freedom of Information is responsible for supervising and defending the right to the protection of personal data and freedom of information under the Act CXII of 2011. So far, the office has not played a major role in the public debate, and there is no experience yet with the new European regulation in the field. The data protection issue has emerged from time to time at elections. It is well-known that Fidesz has collected data on the political orientation of citizens (the so-called Kubatov list on those who are supporting Fidesz) for campaign use. Rumor has it there is also a list of Fidesz’s “political enemies,” but it is unclear to what extent systematic data collection is involved in this case.
Pursuant to the terms of the recently amended and now fully effective Act on the Protection of Personal Information, a Personal Information Protection Commission (PPC) was established in January 2016. The commission is a cross-sectoral, independent government body that oversees the implementation of the act. Its chairperson and commissioners are appointed by the prime minister with the consent of both chambers of parliament. It is too early to judge whether this commission will in fact be able to maintain independence from the government, and whether it will be effective. The current public discussion is still dominated by the difficulties of how to implement the act under complex real-world conditions.
Akemi Suzuki and Tomohiro Sekiguchi, Data Protection & Privacy Japan, Getting the Deal Through lawyer and law firm network, September 2018,

N.N., A step toward the restoration of privacy (Editorial), The Japan Times, 30 May 2018,
Since 1994, Portugal has had a National Authority for Data Protection (Comissão Nacional de Protecção de Dados, CNPD). The CNPD plays an active role in data protection issues. However, budgetary restrictions, under the previous and current governments, are limiting the CNPD’s ability to carry out its tasks. Indeed, the introduction to the most recent CNPD 2016 activity report noted that the authority has faced “increasing difficulties” due to budgetary restraints and limitations on public sector hiring.
Comissão Nacional de Protecção de Dados, Relatório de Atividades 2016, available online at:
A data protection authority exists, but both its independence and effectiveness are strongly limited.
The Data State Inspectorate, established in 2001, operates in accordance with the Personal Data Protection Law and is based on a cabinet regulation of 2013, Regulations on the Data State Inspectorate. A new version of the law was proclaimed in 2018. The main goal of the inspectorate is to protect the fundamental rights and freedoms of citizens, particularly the privacy of individuals with regard to the processing of personal data. The law describes the Data State Inspectorate as an independent institution. Nevertheless, the inspectorate is subject to the supervision of the Ministry of Justice and the Cabinet of Ministers, and is financed from the state budget.
1. Personal Data Processing Law (2018) Available at:, Last accessed: 06.01.2019

2. Data State Inspectorate (2016) Annual Report 2016, Available at:, Last accessed: 06.01.2019
Legislation on data protection in Mexico has been ineffective since 2010. The National Institute for Transparency, Access to Information and Personal Data Protection (INAI) is an autonomous constitutional body that oversees data protection. Implementation of data protection is limited, especially in remote areas, for poor and uneducated people, and where security issues are involved. Thus, while there is an adequate institutional framework and organizational setup, the reality of data protection, particularly at the lower levels of government, is sobering.
Romania updated its data protection legislation in accordance with EU GDPR policy in May 2018. The responsibility for protecting personal data rests with the National Authority for the Supervision of Personal Data Processing (DPA) established in 2005. With a staff of about 50 and an operating budget of little more than €1 million, the DPA’s resources are limited. The position of the DPA’s vice-president has remained vacant for some time, and the position of Ancuța Gianina Opre, the DPA’s president since 2013, has languished under corruption charges dating from 2009 when she was working for the National Authority for the Restitution of Properties.
South Korea
South Korea’s comprehensive Personal Information Protection Commission (PIPC) was established on 30 September 2011, and aims to protect the privacy rights of individuals by deliberating on and resolving personal data-related policies. Data protection is regulated by the Personal Information Protection Act (PIPA). Compared to the European Union’s General Data Protection Regulation (GDPR), data-protection rules are weak, and the issue remains a problem particularly in the private sector. For example, PIPA lacks the right to be forgotten and the right to refuse profiling. Maximum fines for violations are also much lower in Korea, at €40,000 compared to €20 million under the GDPR. Data security in the private sector remains a significant problem in Korea, where companies have been slow to adapt to international security and encryption standards.
The Dutch Data Protection Agency (Autoriteit Persoonsgegevens, DPA) succeeded the “College Bescherming Persoonsgegevens” (CBP) in 2016, and simultaneously saw its formal competencies enhanced by the right to fine public and private organizations in violation of Dutch and, since mid-2018, European data protection laws (the General Data Protection Regulation, GDPR).

Effective data protection has been practically impossible since 2016 for a number of reasons: many capable personnel have left the DPA, even though the number of staff has increased; the new leadership is considered to be in disarray; the organization is under-financed; hardly any consequential fines have been imposed; “naming and shaming” appears to work, but oversight capacity is lacking; laws and regulations are frequently changing, and consequently monitoring and jurisprudence are constantly “in the making.” It looks like the DPA is evolving from a supervisory body to an organization that advises public and private organizations, as well as individual citizens, on privacy issues and on how to deal with personal data in ways that (more or less) comply with ever-changing regulations and interpretations. All in all, the DPA operates in self-contradictory ways (as both a “hard” inspectorate, and a “soft” advisory body that “names and shames,” and advises commercial and public data-users and data-providers) in a technologically turbulent environment.

Volkskrant, Tweede kamer is gerommel by Autoriteit Persoonsgegevens zat, 13 July, 2018
In 2016, the country ratified the Council of Europe Convention 108 on the Protection of Individuals with regard to Automatic Processing of Personal Data and its additional protocol dated 1981. The Personal Data Protection Authority is now operational and its nine-member board has been appointed. Of the nine members, five were appointed by the parliament and four by the president. Law No. 6698 on Protection of Personal Data dated 2016 does not fully align with the EU acquis. This concerns the powers of the Data Protection Authority and the balancing of data protection with the right to freedom of expression and information.
European Commission Turkey Report 2018,…/sites/…/20180417-turkey-report.pdf, (accessed 27 October 2018)
Kişisel Verilerin Korunması Kanunu, (accessed 1 November 2018)
İ. Korkmaz, “Kişisel Verilerin Korunması Kanunu Hakkında Bir Değerlendirme,” TBB Dergisi, 124, 2016: 81-152.
There is no effective and independent data protection office.
To date, Chile lacks effective data protection, despite Article 19 of the constitution guaranteeing a right to privacy. As stated by the International Comparative Legal Guides, there is no data protection authority established by law. Therefore, the enforcement of the law is delivered by the courts of justice with those affected enforcing their rights individually.
During the period under review, a draft law has been elaborated which would transform the Chilean Transparency Council (Consejo para la Transparencia) into the Chilean Council for Transparency and Personal Data Protection (Consejo para la Transparencia y Protección de Datos Personales). Its effectiveness will have to be evaluated once the new law is enacted.

Chilean Constitution:

On data protection in Chile:

International Comparative Legal Guides: