Independent Supervisory Bodies


Is there an independent authority in place that effectively holds government offices accountable for handling issues of data protection and privacy?

An independent and effective data protection authority exists.
The Data Protection Inspectorate (DPI) is responsible for protecting citizens’ privacy and personal data, and ensuring transparency of public information. The inspectorate works under the framework of the Personal Data Protection Act and the Public Information Act. The inspectorate is also responsible for ensuring compliance with the European Union’s GDPR. The director general has can impose legally binding decisions and law-enforcement measures, and delegate powers to other officers of the inspectorate. The director general reports directly to the Constitutional Committee of the Riigikogu and to the chancellor of justice. As a law-enforcement agency, the DPI can issue proposals or recommendations to terminate infringements, issue binding precepts, impose coercive payments or fines, or apply for criminal proceedings. In addition, the DPI acts as an educator and consultant, answering citizens’ queries and contributing to public awareness of data use.
Annual Report of Director General 2018. Executive summary (accessed 22.10.2019)
There are two data protection authorities in Finland: the Data Protection Board and the Data Protection Ombudsman. Affiliated to the Ministry of Justice, the Data Protection Board is the most important decision-making agency concerning personal data issues. The Data Protection Ombudsman supervises the processing of personal data according to the objectives of the Personal Data Act 1999. The office has about 40 employees, and can be called upon for guidance in private matters or to advise organizations.
Ministry of Justicy, “The Data Protection Board,”
Finlex “Personal Data Act (523/1999),”
The Data Protection Ombudsman,
Data protection in France has a rather long history. The extremely active CNIL (Commission Nationale Informatique et Libertés) dates back to 1978. Its board of 17 members is appointed by the two chambers of the parliament. The board then elects its president. The CNIL enjoys the status of an Independent Regulatory Agency. It has five main functions, namely to: inform the public on personal data protection; support any person in relation to personal data protection; advise the legislator; control the use of personal data by private companies and public services; plan and prepare for the impact of technological developments on personal data. The CNIL has a relatively modest staff (215 persons), with a budget of €17 million, and received 8,360 complaints in 2017. The body has been very effective over the past 40 years, and its role is widely supported by the public and political elites. Since May 2018, a European regulation states that every company or public body dealing with personal data has to appoint a “data protection adviser.” As of the date of writing, no information was available regarding fulfillment of this obligation.
The Icelandic Data Protection Authority (Persónuvernd) is a state-run authority, which monitors the processing of data to which the Act on Data Protection and the Processing of Personal Data No. 90/2018 apply. The authority deals with specific cases requested by public authorities or private individuals, or on its own initiative.
The Icelandic Data Protection Authority (Persónuvernd), Accessed 20th October 2019.
Article 13 of the constitution establishes that every citizen must be protected against the abuse of data. Data protection legislation has been in force since 1993. There is a Federal Officer for Data Protection (Eidgenössischer Datenschutzdelegierter, EDÖB) whose office employed 24 people in 2018/19 (EDÖB 2019: 72). A 2011 evaluation of the Federal Data Protection Law attests to the effectiveness, independence and transparency of the EDÖB.

Christian Bolliger, Marius Féraud, Astrid Epiney, Julia Hänni (2011). Evaluation des Bundesgesetzes über den Datenschutz. Schlussbericht im Auftrag des Bundesamts für Justiz. Bern/Freiburg: Büro Vatter/Institut für Europarecht, Universität Freiburg.

EDÖB, 2019: 26. Tätigkeitsbericht 2018/19. available at–taetigkeitsbericht-2018-20190/epaper-tb-26.html
Since 2013, an office for data protection has existed, which replaced the former Data Protection Committee. The office is headed by a chairperson appointed by the data protection council. The office and its chairperson are not dependent on the government – they are not obliged to follow any specific government directive. Over the last few years, the independence of the office has never seriously been questioned. In 2018, following the European Union’s GDPR taking effect, the data protection authority was restructured and scaled up. Currently, the data protection authority has about 40 staff members and additional assistants to carry out its tasks.
Canada’s data protection authority is the Office of the Privacy Commissioner of Canada. The legislation governing federal government use of private data is the Privacy Act. As an officer of parliament, the commissioner can audit suspected government breaches of the Privacy Act and act as an ombudsmen in relation to individual violations. Analogous structures exist at the provincial and territorial level.
Denmark has an independent data protection authority (Datatilsynet), which monitors the implementation and enforcement of data protection rules. The authority also deals with complaints, and gives advice to government institutions and companies. The council has a chairperson and six other members appointed by the minister of justice. The council first of all takes decisions about cases of a principal nature concerning personal data and the law concerning public institutions treatment of personal information.
The agency takes part in international cooperation, including in the European Union, and monitors the handling of data in relation to Schengen and Europol cooperation.
Since 25 May 2018, when the European Union’s General Data Protection Regulation (GDPR) entered into force, the Datatilsyn’s director represents Denmark in the new European Data Protection Board (EDPB).
Website: (Accessed 8 October 2018).

Datatilsynet, Datatilsynets årsberetning 2017 (September 2018), (Accessed 8 October 2018).

Datatilsynets Årsrapport 2017, (Accessed 8 October 2018)

Databeskyttelsesrådet (EDPB), (Accessed 9 October 2018).

Niels Fenger (red.), Forvaltningsret. København: Jurist- og Økonomforbundets Forlag, 2018.
The Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, BfDI) has a long history, dating back to the end of the 1970s. Since January 2016, this institution has been an independent federal authority subject only to parliamentary and judicial control, no longer under the authority of the minister of the interior. The independence of the authority’s head is highly protected. A dismissal is possible only with good reason, with standards similar to those that apply to the dismissal of a judge with lifetime tenure. The authority’s budget and staff numbers have increased over time. Since 2016, its staff has increased from 90 to nearly 200 positions, with further increase expected. The authority’s task is to oversee federal institutions’ compliance with national and European data-protection rules.
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (2019): 27. Tätigkeitsbericht zum Datenschutz für die Jahre 2017/2018, Bonn.
The Hellenic Data Protection Authority (HDPA) is Greece’s independent data protection office. The HDPA, established in 1997 through law 2472/1997, is also protected by the constitution. The HDPA grants individuals certain rights and imposes certain responsibilities on entities that process and store personal data. The president of HDPA (a high-ranking judge) and members of the authority are selected by the parliament for a four-year term. Generally, it is not a government-controlled authority. The HDPA implements EU and Greek law on personal-data protection and has been very active in carrying out its tasks.
Ιnformation on the Hellenic Data Protection Authority in English is available at,40911&_dad=portal&_schema=PORTAL
The Irish Data Protection Act 2018 was signed into law on 24 May 2018 to coincide with the implementation of the General Data Protection Regulation (GDPR) on the following day, 25 May 2018. The GDPR replaced the existing data protection framework defined under the EU Data Protection Directive. The GDPR emphasizes transparency, security and accountability by data controllers and processors, while also standardizing and strengthening the right of European citizens to data privacy. In Ireland, the Data Protection Commission has been established to ensure the enforcement of the GDPR.
An independent and effective data protection authority exists in Lithuania. The State Data Protection Inspectorate is responsible for the supervision and control of enforcement of legal protections for personal data. The status of the government agency gives the agency the legal and policy independence necessary for making regulatory decisions. With experience exceeding 20 years and a staff of about 30, the agency has adequate capacities and resources to focus on the implementation of the General Data Protection Regulation that came into force in 2018. However, despite the allocation of two additional positions, the State Data Protection Inspectorate was unable to recruit new staff in 2017 due to a shortage of financial resources. In addition, some observers argue that the Inspectorate should provide more information and advisory services regarding the management of personal data in public sector organizations and business enterprises.
The task of the National Data Protection Commission (CNPD) is to control and check the legality of personal data processing. The CNPD is legally required to carry out a number of duties, including: supervising and checking the legality of data collection and use, and informing relevant parties of their legal obligations for data processing; ensuring the observance of personal freedoms and fundamental rights, particularly with regard to privacy, and informing the public of their rights; receiving and examining complaints and requests for checks on the legality of data processing; and advising the government on the subject of data protection. The commission is also responsible for applying the provisions of the amended act of 30 May 2005 on the protection of privacy in the electronic communications sector, as well as the regulations deriving from that act.

Under the amended act of 2 August 2002, the CNPD has the power to investigate, which grants it access to processed data. Consequently, the CNPD can demand direct access to the premises, excluding residential premises, where the data was processed and to the processed data.

Furthermore, the CNPD publishes an annual report regarding its performance, which is submitted to the government, parliament, the European Commission and European Data Protection Board. The CNPD is a collegiate body with three permanent and three substitute members.

It operates as a public institution under the supervision of the government minister responsible for data protection. Nevertheless, it is independent in the exercise of its functions.
Commission nationale pour la protection des données. Accessed 23 Oct. 2019.
Norway has a special body, the Norwegian Data Protection Authority (DPA), to hold the government accountable for data protection and privacy issues, and protect individuals’ privacy rights. The DPA is a public authority that was established in 1980. The main legislation directing the DPA’s work is the Personal Data Act, which sets out the general principle that individuals should be able to control how their personal data is used. Through information, dialogue, the handling of complaints and inspections, the DPA monitors and ensures that public authorities, companies, non-governmental organizations and individuals follow data protection legislation.
Following the establishment of the Information Commissioner on 31 December 2005, Slovenia has an independent and effective data protection authority. The commissioner supervises the protection of personal data and access to public information. The office is led by Mojca Prelesnik, previously the general secretary to the parliament, who was reelected for a second term in June 2019. The competencies of the Information Commissioner include: deciding on appeals against decisions by another body to refuse or dismiss a request for information; deciding on alleged violations of the right to access or reuse public information; supervising the implementation of legislation regulating the processing and protection of personal data; acting as an appellate body on individual complaints regarding a refusal to make personal information available to the respective individual.

There is also a government Office for the Protection of Classified Information. The office monitors the classification and protection of information, and it ensures the development and implementation of classified information protection standards across government agencies, local community agencies, holders of public authorizations, NGOs and commercial companies that hold classified information. The office also issues permissions to access classified information and security certificates to legal persons.
The Information Commissioner 2019 (
The Swedish Data Protection Agency (Datainspektionen) is charged with the task of protecting personal integrity. To that end, it handles complaints as well as conducts its own inquiries and inspections. It works closely with similar agencies in other EU member states and with EU institutions.
An independent and effective data protection authority exists, but its role is slightly limited.
In May 2018, the Belgian federal government instituted the Data Protection Authority (Autorité de protection des données/Gegevensbeschermingsautoriteit). The authority’s mission is to ensure that individual’s privacy is respected when personal data is processed. To improve efficiency, various pre-existing but dispersed authorities and services were regrouped under and are now coordinated by the Data Protection Authority. The new authority is accountable to the lower house (House of Representatives) and its board of directors are politically appointed for 6-year terms.

While political appointments may partially limit its autonomy, the authority is designed to be an independent body that communicates advice and recommendations to the chamber. For instance, the authority issued negative advice regarding the government’s proposal to incorporate citizens’ fingerprint data into the Belgian electronic ID card.
Citations: (in French, with more information) (in English, with limited information)
Data protection responsibilities rest with the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ), an independent body established under a law passed in 2000. It is tasked with supervising the observance of the legal obligations laid down for processing personal data; maintaining the register of notified data processing operations; dealing with initiatives and complaints from citizens concerning any breach of the law; and advising the government on issues relating to personal data protection. The president of the republic appoints the president of the office, with candidates being nominated by the president of the Senate, the upper house of parliament. The office regularly publishes an annual report on its website detailing its activities. Its effectiveness is limited by its relatively small budget and relatively small staff. In 2019, the Personal Data Processing Act 2019, the country’s second data protection act, sought to implement the EU’s GDPR. As a result, the scope of the ÚOOÚ’s activities has widened. In October 2019, the ÚOOÚ proposed the introduction of a General Impact Assessment on Personal Data Protection (DPIA). This proposal was posted on its website for public discussion.
The Italian data protection authority (Garante per la protezione dei dati personali) is an independent administrative authority set up under the Privacy Law (Law No. 675 of 31 December 1996). It has powers of inquiry and authorization, and can redress grievances. It can moreover inflict pecuniary sanctions.

Its four members are elected by the parliament for non-renewable seven-year terms. They cannot be re-elected. The authority has extensive powers and enjoys a high degree of independence.
Malta has an information and data-protection commissioner who is appointed by the prime minister in consultation with the leader of the opposition and who heads the country’s data-protection authority, the IDPC, which is both effective and independent. As of March 2020, the IDPC is comprised of a total of 12 officers, including a commissioner, a deputy commissioner, a head compliance officer, the head of the legal unit, two legal counsels, one legal officer, an executive officer, a senior technical officer, a case officer, an administration and accounts officer, and two general-duty officers. The IDPC is currently recruiting a project administrator to manage an EU project on digital-protection awareness issues. The project will be funded by the European Commission. The IDPC is not subject to the Public Administration Act.
The IDPC website provides information about the protection the office provides in various fields. It also provides assistance to citizens who believe their privacy has been invaded. Malta also abides by EU legislation and decisions by the Advocate General of the European Court in this area, and in May 2018 transposed the EU General Data Protection Regulation (GDPR) into law. Since the law has taken effect, 100 breaches of the data-protection act have been reported, with 17 of these leading to a fine. Maltese courts can also be called upon to adjudicate complaints relating to data privacy infringements. A recent ruling by the Information and Data Protection Appeals Tribunal clarified that the data-protection commissioner has the right to issue enforcement orders when a government ministry fails to issue certain information – in the case under review, information relating to government consultants’ contracts. In 2018, the office investigated 76 data-subject complaints, the largest share of which had to do with the unauthorized disclosure of personal information. The office also received 113 personal-data breach notifications that year. The office can issue fines, reprimands and warnings. As part of its regulatory function, the office is also responsible for the enforcement of the freedom of information legislation. In 2018, 22 complaints were received in this area, primarily from journalists.
Data Commissioner has right to access contracts of government consultants – appeals tribunal
Economy Minister loses legal challenge. Times of Malta 29/01/19
DLA Piper GDPR data breach survey: February 2019
Information and Data Commissioner. Annual Report 2018
The Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) is a public authority that acts fully independently of the public administration. According to Organic Law 15/1999, the director of this body is to exercise his or her functions independently and objectively, and is not to be subject to any instructions. The Advisory Board is made up of two members of parliament, a representative of the central administration, representatives of the autonomous regions that have their own data protection agencies, a local-administration representative, a member of the Royal Academy of History, an expert, a member representing users and consumers, and a representative from the private business sector. The AEPD carries out its investigations primarily at the request of citizens, although it is also empowered to initiate its own investigations. The agency communicates to the government through the Ministry of Justice.

So far there is no evidence that the agency is incapable of holding government offices accountable. Being integrated in a wider international and subnational network of agencies, the AEPD has the capacities and personnel resources to advocate data protection and privacy issues vis-à-vis the government and against vested interests.
On 5 December 2018, the Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights was approved. With 93% parliamentary support, the law aligns Spanish law with the European Union’s General Data Protection Regulation (GDPR) and introduces novelties regarding the way in which citizens are informed about the processing of their personal data.

At the beginning of November 2019, the AEPD published guidelines on the use of internet browser cookies. The guidelines were drafted with the help of leading organizations in the marketing and online advertising industries. The AEPD requires that a person’s consent be renewed at least once every 24 months.
Agencia Española de Protección de Datos,

Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights
The United Kingdom was among the early adopters of personal data protection legislation. The Data Protection Act 1984 set standards for the use of digital data by the government, private businesses and individuals. Since 1998 (following the Data Protection Act 1998), the data protection regime has been shaped by EU law. The United Kingdom has adopted the European Union’s General Data Protection Regulations (GDPR) into primary law (through the Data Protection Act 2018) meaning that the approach to data protection and information governance developed by the GDPR will be maintained after the United Kingdom leaves the European Union.

The central body authorized to enforce data protection legislation in the United Kingdom is the Information Commissioner’s Office (ICO). The ICO is a non-departmental public body which reports directly to parliament and is sponsored by the Department for Digital, Culture, Media and Sport (DCMS). The office has a wide array of data protection responsibilities defined by the Data Protection Act, the Freedom of Information Act and the General Data Protection Regulations, among other legislation. Given the devolution of powers, a similar function also operates in Scotland. The ICO publishes its actions and fines. The ICO recently received a lot of media attention for its inquiry into the business practices of the data processing firm Cambridge Analytica. However, the ICO has no authority over any security agency in the United Kingdom, which are rumored to be proactively collecting a wide range of UK citizens’ personal data.

In October 2018, Elizabeth Denham, the UK Information Commissioner, was appointed the Chair of the International Conference of Data Protection and Privacy Commissioners.
The Office of the Australian Information Commissioner (OAIC), an independent statutory agency within the attorney-general’s portfolio, has responsibility for data protection and privacy as per the Privacy Act and other laws. Its responsibilities include conducting investigations, handling complaints and providing advice to the public, government agencies and businesses.

The OAIC was established in 2010 by the Labor government. The Abbott government sought to abolish the agency on coming into office in 2013, but could not secure the support of the Senate. Coalition governments instead reduced the resources available to OAIC, resulting in its diminishing size and efficacy over time. Since 2016, there has been some reversal in the coalition government’s position on OAIC and correspondingly marginal increases in funding.

In its 2016 – 2017 budget, the government announced that it would provide the OAIC with funding totaling AUD 15.4 million over the subsequent four years from. This represented a substantial increase over funding levels in 2014 – 2015 and 2015 – 2016, but was nonetheless considerably less than the AUD 10.4 million annual budget provided in 2013 – 2014. Consequently, current funding is unlikely to be adequate to provide effective advocacy for data protection and privacy issues given their growing importance in the digital era.
Based on the Act on the Protection of Personal Information, a Personal Information Protection Commission was established in January 2016. The commission is a cross-sectoral, independent government body overseeing the implementation of the act. The body’s chairperson and commissioners are appointed by the prime minister, with the consent of both chambers of parliament. It is still difficult to judge whether this commission will be able to maintain independence from the government, and ultimately whether it will be effective. Recently, the Commission proposed tightening existing rules in a planned revision of the Personal Information Protection Law, for instance by making firms such as Google comply with the interests of Japanese citizens in the area of personal data protection.
Akemi Suzuki and Tomohiro Sekiguchi, Data Protection & Privacy Japan, Getting the Deal Through lawyer and law firm network, September 2018,

A step toward the restoration of privacy (Editorial), The Japan Times, 30 May 2018,

Fumiko Kuribayashi, Users in Japan to get more rights to stop abuse of personal data, The Asahi Shimbun, 26 April 2019,
New Zealand
The Privacy Act 1993 came into force in July 1993. The Privacy Principles in the act may be superseded by a code issued by the Privacy Commissioner for particular sectors. There are currently six codes in operation: the Civil Defence National Emergencies (Information Sharing) Code, the Credit Reporting Privacy Code, the Health Information Privacy Code, the Justice Sector Unique Identifier Code, the Superannuation Schemes Unique Identifier Code and the Telecommunications Information Privacy Code.

The Privacy Commissioner administers the Privacy Act 1993. Between July 2018 and June 2019, the Privacy Commissioner responded to almost 8,000 public enquiries. During the 2018/19 reporting year, 894 investigation files were closed – a 26% increase on the 2017/2018 period. Some 87% of investigation files were closed within six months

In recent years, both the New Zealand Law Commission and the Office of the Privacy Commissioner have made recommendations for particular areas of reform (including mandatory breach notification and stronger enforcement powers) to bring New Zealand’s privacy law in to line with other jurisdictions. The minister of justice introduced a bill amending the current Act in March 2018. The proposal includes stronger powers for the privacy commissioner, mandatory reporting of privacy breaches, new offenses and increased fines. The bill passed its second reading in early August 2019.
Data Protection New Zealand.—new-zealand
Office of the Privacy Commissioner 2018. Privacy Law Reform.
Privacy Commissioner (2019) Annual Report of the Privacy Commissioner 2019. (
In May 2018, a new act on data protection entered into force. This replaced the 1997-era law, and is supposed to help implement the EU General Data Protection Regulation. The law has renamed the supervisory authority in Poland, the Office of Personal Data Protection, which replaced the Inspector General for Personal Data Protection. The president of this office is appointed for a four year term by the Sejm, with consent of the second chamber, the Senate. The new president, Jan Nowak, came into office in May 2019. Like his predecessor, Nowak has acted quite independently. In August 2019, the president initiated ex officio proceedings against the Ministry of Justice and the National Council of the Judiciary, following accusations that the bodies had collected and processed the personal data of judges and their families, and had shared the data with third parties. The effectiveness of the Office of Personal Data Projection has been limited by a lack of resources.
Since 1994, Portugal has had a National Authority for Data Protection (Comissão Nacional de Protecção de Dados, CNPD).

The CNPD plays an active role in data protection issues. However, budgetary restrictions, under the previous and current governments, are limiting the CNPD’s ability to carry out its tasks. Indeed, the introduction to the most recent CNPD activity report for 2017 and 2018 notes that the authority “cannot ensure the full execution of its tasks” with the conditions it has been facing. One of the main reasons for this pertains to human resources. The CNPD has seen its staff numbers fall from 26 in 2016 to 22 in 2017 to 20 in 2018.

Though the problem has now been recognized and a new law on this issue was introduced in June 2019.
Comissão Nacional de Protecção de Dados, Relatório de Atividades 2016, available online at:

Comissão Nacional de Protecção de Dados, Relatório de Atividades 2017-2018, available online at:…/parlamento-aprova-lei-sobre-aplicacao-do-regulamento-geral-da
Based on the 2013 Act on Personal Data Protection, the Office for Personal Data Protection was established in 2014. The office contributes to the protection of the fundamental rights and freedoms by supervising how personal data is processed. The effectiveness of the office has been limited by a lack of resources and a lack of clarity and differing interpretations of individual parts of Slovak data protection legislation. The amendment of the act on personal data protection in January 2018, which has aimed at incorporating the European Union’s General Data Protection Regulation, has further aggravated the problems. The nomination of Soňa Pőtheová, the head of the Office for Personal Data Protection since 2015, raised some public concerns, as she had been close to senior Smer-SD figures and companies owned by discredited oligarchs. Since coming to office, however, she has acted independently.
Numerous laws govern the handling of information by U.S. government agencies – in the interests of maintaining citizens’ privacy, protecting proprietary information of businesses, preventing identity theft, and for other purposes. Overall, these regimes may be relatively strict. However, while there is no national data protection authority, the U.S. Federal Trade Commission (FTC) over the past several years has made itself America’s de facto data protection authority through aggressive use of Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices. The FTC took enforcement action to protect consumers against unfair or deceptive trade practices, including materially unfair privacy and data security practices.
Many state attorneys generally have similar enforcement authority over unfair and deceptive business practices, including the failure to implement reasonable security measures and violations of consumer privacy rights that harm consumers in their states. In addition, a wide range of sector-specific regulators, particularly those in the healthcare, financial services, telecommunications and insurance sectors, have authority to issue and enforce privacy and security regulations, with respect to entities under their jurisdiction.
see: International Association of Privacy Professionals (2019): The U.S. Doesn’t Have a National Data Protection Authority? Think Again…
The Croatian Personal Data Protection Agency (AZOP) established in 2004 was based on the Personal Data Protection Act adopted in parliament in 2003, by which the protection of personal data in the Republic of Croatia was regulated for the first time. The agency is a supervisory body tasked primarily with overseeing personal data protection. The agency monitors those who gather personal data collections that process personal data and warns them of unauthorized processing of personal data. The agency has the authority to order the removal of irregularities, it can temporarily prohibit the processing of personal data, order the deletion of personal data and prohibit their removal from the Republic of Croatia. The Croatian Law on Implementation of General Data Protection Regulation (GDPR) was passed in April 2018 in parliament. The new law prescribes the agency’s duty to publish website final and binding decisions, without anonymization of the offender’s data, if a data breach is committed in relation to data on children, special categories of personal data, an automated individual decision, in cases of profiling or if an offender is charged in excess of HRK 100,000. In order to get companies and state institutions to implement and reach compliance with the GDPR regulation, the agency organized in 2018 more than 30 advisory activities, involving nearly 2,000 representatives of the processing manager and personal data protection officers. In its annual report to the parliament, the agency pointed out that a large number of companies essentially ignore GDPR compliance. This is mostly observable in the tourism and healthcare sectors. As a result, it requested that the Croatian Employers’ Association be more involved in implementing the GDPR. Overall, AZOP remains rather ineffective in data protection since it is overwhelmed with administrative tasks and the processing of a large number of questions on behalf of various state agencies, which lack competent GDPR compliance officers. Therefore, due to the lack of enforcement capacity, serious offenders have been able to avoid financial penalties for breaching data privacy.
The Office of the Commissioner for the Protection of Personal Data was established in 2002. Law 125(I)/2018 updated the legislation in accordance with EU regulations and directives. The Council of Ministers appoints the commissioner upon the recommendation of the minister of justice and public order. The qualifications for appointment are those required for a judge of the Supreme Court, a “lawyer of high professional and moral standard.” The commissioner’s authority is extended to both public and private persons, except on processing operations by courts when acting in their judicial capacity.

Violations of personal data by the authorities, politicians and political parties has always been an issue of concern. Though massive numbers of persons are affected by unsolicited messages and other encroachments, very few decide to file a complaint. Fines imposed on wrongdoers do not appear to deter repetition. The latest available activity report of the commissioner states that she received 346 complaints in 2017.
1. Commissioner for the Protection of Personal Data – Activity Report 2017,$file/Ετήσια Έκθεση 2017.pdf
There are several authorities that are accountable for handling technical issues of data protection and privacy. First, there is the State Comptroller, who can inspect and scrutinize all governmental bodies in the respect to data protection and privacy, and has powers to hold government bodies to account if necessary. Though these powers for scrutiny are only occasionally exercised. Second, civilian sector operations are initiated and regulated by the Management of Security in Public Corpora Act 1998, which introduced a strong cybersecurity apparatus.

As concerns over the protection of information (specifically, personal and private information) have grown, the Protection of Privacy Act 1981 was introduced detailing legal requirements and standards regarding information databases safety and security. Among other things, the act established the role of the Information Databases Registrar. The registrar is charged with officially registering and recording the different databases, and ensures that the owners of the databases comply with the law, and the relevant data and information security regulations. In 1986, the Public Council for the Protection of Privacy (also known as the Privacy Protection Council) was established. The council works with the registrar to publish an annual report on the activities and achievements of previous years, and consults on legislation. In 2006, the registrar’s role was enhanced, and the registrar was made head of the newly established Legal Authority of Information Technologies and Privacy Protection (renamed the Authority for the Protection of Privacy, APP, in 2017). Administratively, the APP is located within the Ministry of Justice, and reports to the Ministry of Justice and the Knesset. According to the Protection of Privacy Act, one of the APP’s roles is to monitor the compliance of public institutions with information security and privacy regulations.

As stated in the State Comptroller’s latest report, the APP lacks the resources to properly accompany governmental projects. Since 2011, the APP has not been able to ensure the full compliance of public institutions with some of the Protection of Privacy Act’s regulations concerning inter-institutional information transfers (i.e., public institutions must report to the APP if they transfer information between themselves). Consequently, the APP has limited authority to penalize non-compliance. In 2017, the Ministry of Justice proposed an amendment to the law to strengthen the APP. However, this initiative has been criticized by the National Cyber Directorate (NCD), which claims that the initiative would compromise the NCD’s authority and undermine Israel’s cyber defense operations. In addition, this initiative contradicts government policy, which is meant to make it the sole guiding national institution in the cyber defense field. While an amendment to the Protection of Privacy Act was passed following its first reading in the plenum in 2018, the comptroller’s report attests that there have been no significant developments since then.
“About the Authority for the Protection of Privacy | The Authority for the Protection of Privacy.” In the Authority for the Protection of Privacy’s official website.. Last updated: August 15th, 2019. (Hebrew)

Ministry of Justice, “The Privacy Protection Authority,”

Israel. The Prime Minister’s Office. Promotion of National Regulation and Governmental Guidance in Cyber Defense. Government Decision number 2443. February 15th, 2015. (Full text: (Hebrew)

Israel. The State Comptroller. “Aspects in the Protection of the Privacy in Information Databases,” Annual Report, 69(2), 2019, Jerusalem, vol. 1, pp. 3-88. Retrieved from (Hebrew)

Israel. The State Comptroller. “Aspects in the State’s Preparations in Defense of the Cyber Space,” Annual Report, 67(1), 2018, Jerusalem, vol. 1, pp. 3-10. (Hebrew) (Also available here:

Israel. The State Comptroller. “The Preparedness [lit. arrangement, deployment] of Essential Organizations [lit. bodies] for Cyber Defense,” Annual Report, 69(2), 2019, Jerusalem, vol. 4, pp. 2065-2073. Retrieved from (Hebrew)

Aridor-Hershkovitz, Rachel and Tehilla Shwartz Altshuler, Privacy Protection Bill, 2019-5779. Summary, Israel Democracy Institute, Jerusalem November 2019,

Solomon, Shoshanna, “Data is up for grabs under outdated Israeli privacy law, think tank says,” ToI, 31.01.2019,

Goichman, Rafaela. “A Hacker Attack or Just an Amateurish Website? What Brought Down the Website Made for the Elections Day,” TheMarker, November 1st, 2018, p. 2. (Hebrew).

Goichman, Rafaela. “‘There Was No Internet Reception’: the Crashed Elections Results’ Website Still Isn’t Back Running.” In TheMarker website. November 1st, 2018. (Hebrew).

Memorandum for the Cyber Security and the National Cyber Directorate Act, 2018. (Hebrew). Full text:

Siboni, Gabi, and Ido Sivan-Sevilla. Cyber Regulation. Memorandum 180. Tel Aviv: The Institute for National Security Studies, 2018. (Hebrew).

“The Government ICT Authority | About the Government ICT Authority.” In the Government ICT Authority’s official website. Last updated: May 2nd, 2015. (Hebrew).

“The Ministry of Justice – About.” In the Privacy Protection Council’s official website.. Last seen: October 24th, 2019. (Hebrew)

“The National Cyber Directorate | About the National Cyber Directorate.” In the Israel National Cyber Directorate’s official website. Last updated: July 14th, 2019. (Hebrew).

“The National Cyber Directorate.” In the Israel National Cyber Directorate’s official website (main page). Last seen: November 1st, 2018. (Hebrew).

“The National Cyber Directorate | The Directorate is Happy to Announce the Opening of the First Course for the Training of Certified Inspectors in the Market [lit. economy].” In the Israel National Cyber Directorate’s official website. September 12th, 2018. (Hebrew).

The Protection of Privacy Act, 1981. (Hebrew; full text:

Ziv, Amitai, ‘A Shin Bet Puppet.’ What Went Wrong With Israel’s Cybersecurity Agency, Haaretz, 29.8.2018:
A data protection authority exists, but both its independence and effectiveness are strongly limited.
The Personal Data Protection Commission was established in 2002. Bulgarian legislation treats personal-data administrators from the public and the private sector similarly, and the commission has equal powers with respect to both. The commission can regulate the implementation of the law, review personal-data administrators’ activities, provide critical assessments, propose changes and in case of infringements temporarily suspend administrator’s privileges. It can also be addressed by citizens with complaints about infringements of personal-data rights by government and private bodies.

While the competencies of the commission are thus relatively broad, it has limited resources in terms of funding and staff. The massive data breach experienced by the National Revenue Agency, which affected as many as half of the country’s citizens and was revealed in July 2019, revealed severe limitations in government agencies’ ability to protect personal data, while additionally exposing the ineffective nature of the commission’s oversight.
The National Authority for Data Protection and Freedom of Information is responsible for supervising and defending the right to the protection of personal data and freedom of information under the Act CXII of 2011. So far, the office has not played a major role in the public debate, and there is no experience yet with the new European regulation in the field. The data protection issue has emerged from time to time at elections. It is well-known that Fidesz has collected data on the political orientation of citizens (the so-called Kubatov list on those who are supporting Fidesz) for campaign use. Rumor has it there is also a list of Fidesz’s “political enemies,” but it is unclear to what extent systematic data collection is involved in this case.
The Data State Inspectorate, established in 2001, operates in accordance with the Personal Data Protection Law and is based on a cabinet regulation of 2013, Regulations on the Data State Inspectorate. A new version of the law was proclaimed in 2018. The main goal of the inspectorate is to protect the fundamental rights and freedoms of citizens, particularly the privacy of individuals with regard to the processing of personal data. The law describes the Data State Inspectorate as an independent institution. Nevertheless, the inspectorate is subject to the supervision of the Ministry of Justice and the Cabinet of Ministers, and is financed from the state budget.
1. Personal Data Processing Law (2018) Available at:, Last assessed: 05.11.2019

2. Data State Inspectorate (2018) Annual Report 2018, Available at:, Last assessed: 05.11.2019
Legislation on data protection in Mexico has been ineffective since 2010. The National Institute for Transparency, Access to Information and Personal Data Protection (INAI) is an autonomous constitutional body that oversees data protection. Implementation of data protection is limited, especially in remote areas, for poor and uneducated people, and where security issues are involved. Thus, while there is an adequate institutional framework and organizational setup, the reality of data protection, particularly at the lower levels of government, is sobering.
Romania updated its data protection legislation in accordance with EU GDPR policy in May 2018. The responsibility for protecting personal data rests with the National Authority for the Supervision of Personal Data Processing (DPA), which has limited resources. The position of the DPA’s vice-president remained vacant until April 2019, when Mirela Nistoroiu was appointed by the ruling Social Democrat Party, in spite of her lack of specialized skills. The DPA President Ancuța Gianina Opre, named in 2013, has languished under corruption charges dating from 2009 when she was working for the National Authority for the Restitution of Properties.
South Korea
South Korea’s comprehensive Personal Information Protection Commission was established on 30 September 2011, and aims to protect the privacy rights of individuals by deliberating on and resolving personal data-related policies. Data protection is regulated by the Personal Information Protection Act (PIPA). Compared to the European Union’s General Data Protection Regulation (GDPR), data protection rules are weak, and the issue remains a problem particularly in the private sector. For example, PIPA lacks the right to be forgotten and the right to refuse profiling. Maximum fines for violations are also much lower in Korea, set at €40,000 as compared to €20 million under the GDPR. Data security in the private sector remains a significant problem in Korea, where companies have been slow to adapt to international security and encryption standards. In November 2019, Korea started a trial run of an “open banking” system that would make it easier and cheaper for financial institutions to exchange information; however, some observers have raised concerns about the potential for data leaks.
The Dutch Data Protection Agency (Authoriteit Persoonsgegens, DPA) succeeded the “College Bescherming Persoonsgegevens” (CBP) in 2016, and simultaneously saw its formal competencies enhanced by the right to fine public and private organizations in violation of Dutch and since mid-2018 European data protections laws (the General Data Protection Regulation, GDPR).

Effective data protection is practically impossible since 2016 for a number of reasons: many capable personnel have left the DPA, even though the number of staff has increased; the new leadership is considered to be in disarray; the organization is under-financed; hardly any consequential fines have been imposed; “naming and shaming” appears to work, but oversight capacity is lacking; laws and regulations are frequently changing, and consequently monitoring and jurisprudence are constantly “in the making.” It looks like the DPA is evolving from a supervisory body to an organization that advises both public and private organizations, and individual citizens on privacy issues, and on how to deal with personal data in ways that (more or less) comply with ever changing regulations and interpretations. All in all, the DPA operates in self-contradictory ways (as both a “hard” inspectorate, and a “soft” advisory body that “names and shames,” and advises commercial and public data-users and data-providers) in a technologically turbulent environment. In 2019, the DPA found that most data leaks are caused through sloppiness in addressing documents and emails; that this occurs more in institutions of care than anywhere else; and that victims are usually individuals rather than entire categories of people. One exception led to a €460,000 fine for a hospital that had failed to protect its patient files sufficiently. Also in 2019, the DPA received an additional €3.4 million in funding for enforcement of the General Decree for Data Protection (Algemene Verordening Gegevensbescherming, AVG) and EU privacy rules.

Volkskrant, Tweede kamer is gerommel by Autoriteit Persoonsgegevens zat, 13 July, 2018, Onderzoek Autoriteit Persoonsgegegeven: Messte datalekken vinden plaats vanwege fouten in adressering (, accessed 4 November 2019)

Tweakers, 12 June 2019. Authorities Persoonsgegeven krijgt extra geld voor handhaving AVG. (, accessed 4 November 2019)
Chile still lacks an effective data-protection framework, although Article 19 of the constitution guarantees the right to privacy. In August 2019, the Commission of the Senate on Constitution, Legislation, Justice and Regulations gave the Chilean Transparency Council (Consejo para la Transparencia) responsibility for the issue of data protection. The related modifications to Law No. 19,628 on the protection of private life are expected to enter into force in 2020. As stated by the International Comparative Legal Guides, the Transparency Council is responsible for ensuring public sector compliance with data-privacy laws, but there is no regulatory authority in Chile that monitors private sector compliance. Thus, enforcement of the law is in this respect carried out by the courts, with affected individuals seeking to uphold their rights or win redress for violations on an individual basis.
Commission of the Senate on Constitution, Legislation, Justice and Regulations: ex.php?mo=comisiones&ac=listado

Chilean Transparency Council:

Chilean Constitution:

On data protection in Chile:

International Comparative Legal Guides:
In 2016, the country ratified the Council of Europe Convention 108 on the Protection of Individuals with regard to Automatic Processing of Personal Data and its additional protocol dated 1981. The Personal Data Protection Authority is now operational and its nine-member board has been appointed. Of the nine members, five were appointed by the parliament and four by the president. Law No. 6698 on Protection of Personal Data dated 2016 does not fully align with the EU acquis. This concerns the powers of the Data Protection Authority, the balancing of data protection with the right to freedom of expression and information.

Regarding the protection of personal data, the Personal Data Protection Authority is now operational and its board has been appointed, but no legislative changes have taken place to ensure that the law is harmonized with the EU acquis, in particular the EU General Data Protection Regulation 2016/679 and Law Enforcement Directive 2016/680, which entered into force in May 2018. This concerns inter alia the application of data protection in law enforcement and the powers of the Data Protection Authority. Turkey has not signed or ratified the 2018 protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Council of Europe, CETS No 223).
European Commission, Turkey 2019 Report, Brussels, 29.5.2019, report.pdf (accessed 1 November 2019)

Kişisel Verilerin Korunması Kanunu, (accessed 1 November 2018)

N.D. Yıldırım et al., “Türkiye’deki Kişisel Verileri Koruma Mevzuatının Avrupa Birliği Mevzuatı Karşısındaki Yeri ve Uygulamadaki Durum,” February 2019, (accessed 1 November 2019)
There is no effective and independent data protection office.
Back to Top