Independent Supervisory Bodies


Is there an independent authority in place that effectively holds government offices accountable for handling issues of data protection and privacy?

An independent and effective data protection authority exists.
The Data Protection Inspectorate (DPI) is responsible for protecting citizens’ privacy and personal data, and ensuring transparency of public information. The inspectorate works under the framework of the Personal Data Protection Act and the Public Information Act. The inspectorate is also responsible for ensuring compliance with the European Union’s GDPR. The director general can impose legally binding decisions and law-enforcement measures, and delegate powers to other officers of the inspectorate. The director general reports directly to the Constitutional Committee of the Riigikogu and to the chancellor of justice. As a law-enforcement agency, the DPI can issue proposals or recommendations to terminate infringements, issue binding precepts, impose coercive payments or fines, or apply for criminal proceedings. In addition, the DPI acts as an educator and consultant, answering citizens’ queries and contributing to public awareness of data use.
There are two data protection authorities in Finland: the Data Protection Board and the Data Protection Ombudsman. Affiliated to the Ministry of Justice, the Data Protection Board is the most important decision-making agency concerning personal data issues. The Data Protection Ombudsman supervises the processing of personal data according to the objectives of the Personal Data Act 1999. The office has about 40 employees, and can be called upon for guidance in private matters or to advise organizations.

The Office of the Data Protection Ombudsman safeguards data protection rights. The office was fully operational during 2020 and 2021. The Data Protection Ombudsman is a national supervisory authority which supervises compliance with data protection legislation. The Data Protection Ombudsman is an autonomous and independent authority, with the ombudsman appointed by the government. The ombudsman’s term of office is five years (Office of the Data Protection Ombudsman 2020).

The Office of the Data Protection Ombudsman has resources to effectively advocate data protection and privacy issues vis-à-vis the government and has continued to do so during the coronavirus crisis. Publication of COVID-19-related data that cannot be used to identify individuals (e.g., anonymized statistics) is not prohibited by the data protection legislation.

Data protection has been an issue in Finland. In 2020, a private mental healthcare provider (Vastaamo) was blackmailed by online hackers who got access to electronic records containing sensitive health information. This case was not related to COVID-19, but it brought large-scale public attention to the issue of data protection.
Ministry of Justice, “The Data Protection Board.”
Finlex, “Personal Data Act (523/1999).”
The Data Protection Ombudsman.

Office of the Data Protection Ombudsman, 2020. The Office of the Data Protection Ombudsman safeguards your data protection rights. Accessed 28.12.2020.
Data protection in France has a rather long history. The extremely active CNIL (Commission Nationale Informatique et Libertés) dates back to 1978. Its board of 17 members is appointed by the two chambers of the parliament. The board then elects its president. The CNIL enjoys the status of an Independent Regulatory Agency. It has five main functions, namely to: inform the public on personal data protection; support any person in relation to personal data protection; advise the legislator; control the use of personal data by private companies and public services; plan and prepare for the impact of technological developments on personal data. The CNIL has a relatively modest staff (215 persons), with a budget of €17 million, and received 13,585 complaints in 2020 (an increase of more than 60% following the adoption of the EU regulations). The body has been very effective over the past 40 years and in particular during the coronavirus crisis. Its role is widely supported by the public and political elites. A European regulation that went into effect in May 2018 states that every company or public body dealing with personal data has to appoint a “data protection adviser.” In 2020, the authority conducted 247 review processes and imposed 14 penalties entailing financial sums amounting to nearly €140 million.
The Icelandic Data Protection Authority (Persónuvernd) is a state-run authority, which monitors the processing of data to which the Act on Data Protection and the Processing of Personal Data No. 90/2018 apply. The authority deals with specific cases requested by public authorities or private individuals, or on its own initiative.
Article 13 of the constitution establishes that every citizen must be protected against the abuse of data. Data protection legislation has been in force since 1993. The Federal Data Protection Law was revised in 2020, taking into account the General Data Protection Regulation of the European Union, a regulation that Switzerland had already signed. There is the Federal Data Protection and Information Commissioner (Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter, EDÖB), which had 32 employees in 2020/2021 (EDÖB 2021: 101). A 2011 evaluation of the Federal Data Protection Law attests to the effectiveness, independence and transparency of the EDÖB.

Christian Bolliger, Marius Féraud, Astrid Epiney, Julia Hänni (2011). Evaluation des Bundesgesetzes über den Datenschutz. Schlussbericht im Auftrag des Bundesamts für Justiz. Bern/Freiburg: Büro Vatter/Institut für Europarecht, Universität Freiburg.

EDÖB, 2021: 28. Tätigkeitsbericht 2020/21.

EDÖB, 2021: The new Data Protection Act from the FDPIC’s perspective.
The Austrian Data Protection Authority (ADPA), which replaced the former Data Protection Committee, has existed since 2013. In 2018, the ADPA was restructured and, since then, its staff has been continuously increased. The office is headed by a chairperson appointed by the Data Protection Council. The office and its chairperson are not dependent on the government; they are not obliged to follow any specific government directive. The independence of the office has never seriously been questioned. In recent years, there were several occasions on which the ADPA demonstrated its willingness to block planned government laws if deemed inappropriate, such as its veto against the use of algorithms by public authorities when dealing with job-seekers in 2020.
Canada’s data protection authority is the Privacy Commissioner of Canada. The legislation governing federal government use of private data is the Privacy Act. As an officer of parliament, the commissioner can audit suspected government breaches of the Privacy Act. The Privacy Commissioner of Canada is also responsible for complaints linked to the treatment of personal information in the private sector under the Personal Information Protection and Electronic Documents Act. Analogous structures exist at the provincial and territorial levels.
Denmark has an independent data protection authority (Datatilsynet), which monitors the implementation and enforcement of data protection rules. The authority also deals with complaints, and gives advice to government institutions and companies. The council has a chairperson and six other members appointed by the minister of justice. The council first of all takes decisions about cases of a principal nature concerning personal data and the law concerning public institutions’ treatment of personal information.
The agency takes part in international cooperation, including in the European Union, and monitors the handling of data in relation to Schengen and Europol cooperation.
Since 25 May 2018, when the European Union’s General Data Protection Regulation (GDPR) entered into force, Datatilsynet’s director represents Denmark in the new European Data Protection Board (EDPB).
The Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, BfDI) has a long history that dates back to the end of the 1970s. Since January 2016, this institution has been an independent federal authority subject only to parliamentary and judicial control, and is no longer under the authority of the minister of the interior. The independence of the authority’s head is highly protected. A dismissal is possible only with good reason, with standards similar to those that apply to the dismissal of a judge with lifetime tenure. The authority’s budget and staff numbers have increased over time. Between 2016 and the end of 2020, its staff increased from 90 to 250 positions (BfDI 2021), and further increases are expected. The authority’s task is to oversee the extent to which federal institutions comply with national and European data protection rules.
As one of the strictest countries in Europe regarding data protection, Germany enjoys a solid reputation in this regard (Heydata 2021). However, critics complain that the law is sometimes too narrowly interpreted and that the coexistence of 16 Commissioners for Data Protection (one for each federal state) makes compliance difficult for companies.
BfDI (2021): Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, 29. Tätigkeitsbericht für den Datenschutz und die Informationsfreiheit.

Heydata (2021): Europa im Datenschutz-Ranking (accessed 13 February 2022).
The Hellenic Data Protection Authority (HDPA) is Greece’s independent data protection office. The HDPA, established in 1997, enjoys constitutional guarantees. The HDPA grants individuals certain rights and imposes certain responsibilities on entities that process and store personal data. The president of HDPA (a high-ranking judge) and members of the authority are selected by the parliament for a four-year term. Generally, it is not a government-controlled authority. The HDPA implements EU and Greek law on personal data protection and has been very active in carrying out its tasks.
The law establishing the HDPA is Law 2472/1997.
The HDPA is included in article 9A of the Constitution of Greece.
The Irish Data Protection Act 2018 was signed into law on 24 May 2018 to coincide with the implementation of the General Data Protection Regulation (GDPR) on the following day, 25 May 2018. The GDPR replaced the existing data protection framework defined under the EU Data Protection Directive. The GDPR emphasizes transparency, security and accountability by data controllers and processors, while also standardizing and strengthening the right of European citizens to data privacy. In Ireland, the Data Protection Commission has been established to ensure the enforcement of the GDPR.
An independent and effective data protection authority exists in Lithuania. The State Data Protection Inspectorate (VDAI) is responsible for the supervision and control of enforcement of legal protections for personal data. The status of the government agency gives the agency the legal and policy independence necessary for making regulatory decisions. With experience exceeding 25 years and a staff of about 30, the agency has adequate capacities and resources to focus on the implementation of the General Data Protection Regulation that came into force in 2018. However, despite the allocation of two additional positions, the State Data Protection Inspectorate was unable to recruit new staff in 2017 due to a shortage of financial resources. In 2020, 31 positions out of 38 were filled. In addition, some observers argue that the Inspectorate should provide more information and advisory services regarding the management of personal data in public sector organizations and business enterprises.

The pandemic presented the Inspectorate with a number of challenges; for instance, it was tasked with advising government institutions and the private sector on how to organize their activities in a new environment. There were additional important tasks related to the increasing level of digitalization and the need to protect personal data. According to the Inspectorate, the pandemic “expanded the Inspectorate’s scope of activity and demanded quick decisions.”
VDAI, Valstybės duomenų apsaugos inspekcijos 2020 metų veiklos ataskaita, 2021.
The National Data Protection Commission (Commission Nationale pour la Protection des Données, CNPD) is an independent public institution. It is financially and administratively autonomous. It is tasked with assessing the legality of personal data processing, and additionally ensures that personal freedoms and fundamental rights are respected with regard to issues of data protection and privacy.

The legal framework under which the CNPD operates is based on the General Data Protection Regulation (GDPR); the Act of 1 August 2018 on the organization of the National Data Protection Commission and the general data protection framework; the Act of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal and national security matters; the Act of 30 May 2005 regarding the specific rules for the protection of privacy in the sector of electronic communications, as well as other texts containing specific provisions on the protection of personal data.

The CNPD operates as a public institution under the supervision of the government minister responsible for data protection. However, it does not have the power to oversee the processing of personal data carried out by courts or the public prosecutor (ministère public), or by national administrative agencies acting in a judicial capacity.

The CNPD publishes an annual report regarding its performance, which is submitted to the government, parliament, the European Commission and the European Data Protection Board.
Norway has a special body, the Norwegian Data Protection Authority (DPA), that is tasked with holding the government accountable for data protection and privacy issues, and with protecting individuals’ privacy rights. The DPA is a public authority that was established in 1980. The main legislation directing the DPA’s work is the Personal Data Act, which sets out the general principle that individuals should be able to control how their personal data is used. Through information, dialogue, the handling of complaints and inspections, the DPA monitors and ensures that public authorities, companies, non-governmental organizations and individuals follow data protection legislation. In a recent illustrative example, the DPA effectively stopped the use of a COVID-19 contact-tracing smartphone application due to an insufficient level of personal data protection.
Following the establishment of the Information Commissioner on 31 December 2005, Slovenia has an independent and effective data protection authority. The commissioner supervises the protection of personal data and access to public information. The office is led by Mojca Prelesnik, previously the general secretary to the parliament, who was reelected for a second term in June 2019. The competencies of the Information Commissioner include deciding on appeals against decisions by another body to refuse or dismiss a request for information; deciding on alleged violations of the right to access or reuse public information; supervising the implementation of legislation regulating the processing and protection of personal data; acting as an appellate body on individual complaints regarding a refusal to make personal information available to the respective individual. The ruling coalition criticized and applied some political pressure to the commissioner during the pandemic, regarding her rigid position on the protection of personal data.

There is also a government Office for the Protection of Classified Information. The office monitors the classification and protection of information, and it ensures the development and implementation of classified information protection standards across government agencies, local community agencies, holders of public authorizations, NGOs and commercial companies that hold classified information. The office also issues permissions to access classified information and security certificates to legal persons.
The Spanish Data Protection Agency (AEPD) is a public authority that acts fully independently of the public administration. Being integrated in a wider international and subnational network of agencies, the AEPD has the capacities and personnel resources to advocate data protection and privacy issues vis-à-vis the government and against vested interests. However, in December 2021, the selection of new top-level staff at the Data Protection Agency led to criticism from the European Data Protection Supervisor, which did not rule out intervening in the event that the candidates agreed by PSOE and PP were finally elected.
On 5 December 2018, the Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights was approved. With 93% parliamentary support, the law aligns Spanish law with the European Union’s General Data Protection Regulation (GDPR), and introduces new mechanisms for informing citizens about the processing of their personal data.
In 2021, the AEPD set a new record in the number of sanctions implemented, amounting to 32 million (up from only 3 million in 2020). This increase was partly due to the effect of the abovementioned Law 3/2018.
The public agency charged with protecting individual privacy in Sweden was previously the Swedish Data Protection Authority (Datainspektionen; DPA). In January 2021, this agency changed its name to the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten; IMY). The data protection regulatory reform in 2018 increased this agency’s remit, which is today to protect citizens’ personal information, including health and financial data. It works closely with similar agencies in other EU member states and with EU institutions, especially with regard to the dynamic issues produced by increasing digitalization (Integritetsskyddsmyndigheten 2021).
Integritetsskyddsmyndigheten. 2021. “Om IMY.”
An independent and effective data protection authority exists, but its role is slightly limited.
Data protection responsibilities rest with the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ), an independent body established under a law passed in 2000. It is tasked with supervising the observance of the legal obligations laid down for personal data processing, maintaining the register of notified data processing operations, dealing with initiatives and complaints from citizens concerning any breach of the law, and advising the government on issues relating to personal data protection. The president of the republic appoints the president of the office, with candidates being nominated by the president of the Senate, the upper house of parliament. The office regularly publishes an annual report on its website detailing its activities. In 2019, the Personal Data Processing Act 2019, the country’s second data protection act, sought to implement the European Union’s GDPR. As a result, the scope of ÚOOÚ’s activities has widened. During the COVID-19 pandemic, the ÚOOÚ has provided answers to the most frequently asked questions on personal data processing on its website and has not refrained from criticizing the government.
The Italian data protection authority (Garante per la protezione dei dati personali) is an independent administrative authority set up under the Privacy Law (Law No. 675 of 31 December 1996). It has powers of inquiry and authorization, and can redress grievances. It can moreover inflict pecuniary sanctions.

Its four members are elected by the parliament for non-renewable seven-year terms. They cannot be re-elected. The authority has extensive powers and enjoys a high degree of independence.
Malta has an information and data protection commissioner who is appointed by the prime minister in consultation with the leader of the opposition and who heads the country’s data protection authority, the IDPC, which is both effective and independent. As of March 2020, the IDPC is comprised of a total of 12 officers, including a commissioner, a deputy commissioner, a head compliance officer, the head of the legal unit, two legal counsels, one legal officer, an executive officer, a senior technical officer, a case officer, an administration and accounts officer, a projector administrator and two general-duty officers. The IDPC is not subject to the Public Administration Act.

The IDPC website provides information about the protection the office provides in various fields. It also provides assistance to citizens who believe their privacy has been invaded. Malta also abides by EU legislation and decisions by the Advocate General of the European Court in this area, and in May 2018 transposed the EU General Data Protection Regulation (GDPR) into law. Maltese courts can also be called upon to adjudicate complaints relating to data privacy infringements. A recent ruling by the Information and Data Protection Appeals Tribunal clarified that the data protection commissioner has the right to issue enforcement orders when a government ministry fails to issue certain information. In 2021, the office investigated 40 data-subject complaints, the largest share of which had to do with the unauthorized disclosure of personal information. The office also received 104 personal-data breach notifications this year. The office can issue fines, reprimands and warnings. As part of its regulatory function, the office is also responsible for the enforcement of the freedom of information legislation.
A recent ministerial decree introduced the right to be forgotten. Since 2013, the decree has enabled 86 judgments to be anonymized or removed from the law courts’ public database. As a result, the decree has proven to be controversial, with several media organizations and lobby groups objecting to the rules.
The United Kingdom was among the early adopters of personal data protection legislation. The Data Protection Act 1984 set standards for the use of digital data by the government, private businesses and individuals. Since 1998 (following the Data Protection Act 1998), the data protection regime has been shaped by EU law. The United Kingdom has adopted the European Union’s General Data Protection Regulation (GDPR) into primary law (through the Data Protection Act 2018), meaning that the approach to data protection and information governance developed by the GDPR will be maintained now that the United Kingdom has left the European Union.

The central body authorized to enforce data protection legislation in the United Kingdom is the Information Commissioner’s Office (ICO). The ICO is a non-departmental public body which reports directly to parliament and is sponsored by the Department for Digital, Culture, Media and Sport (DCMS). The office has a wide array of data protection responsibilities defined by the Data Protection Act, the Freedom of Information Act and the General Data Protection Regulation, among other legislation. Given the devolution of powers, a similar function also operates in Scotland. The ICO publishes its actions and fines. The ICO recently received a lot of media attention for its inquiry into the business practices of the data processing firm Cambridge Analytica. However, the ICO has no authority over the United Kingdom’s security agencies, which are rumored to be proactively collecting a wide range of UK citizens’ personal data.

In October 2018, Elizabeth Denham, the UK Information Commissioner, was appointed the Chair of the International Conference of Data Protection and Privacy Commissioners. In January 2022, she was succeeded by John Edwards, the former New Zealand privacy commissioner. An online safety bill is in preparation, which will, inter alia, seek to curb various abuses on social media, although the bill faces opposition due to the perceived threat it poses to freedom of speech.
The Office of the Australian Information Commissioner (OAIC), an independent statutory agency within the attorney-general’s portfolio, has responsibility for data protection and privacy as per the Privacy Act and other laws. Its responsibilities include conducting investigations, handling complaints and providing advice to the public, government agencies and businesses.

The OAIC was established in 2010 by the Labor government. The Abbott government sought to abolish the agency on coming into office in 2013, but could not secure the support of the Senate. Coalition governments instead reduced the resources available to OAIC, resulting in its diminishing size and efficacy over time. However, since 2016, there has been a reversal in the coalition government’s position on OAIC and corresponding increases in funding in each successive budget. In part, the funding increases are intended to support the expansion of the OAIC’s functions, such as oversight of the Consumer Data Right and My Health Record system from 2021 as part of the Australian government’s Digital Economy Strategy.
There are several authorities that are accountable for handling technical issues of data protection and privacy. First, there is the State Comptroller, who can inspect and scrutinize all governmental bodies with respect to data protection and privacy, and has powers to hold government bodies to account if necessary, though these powers of scrutiny are only occasionally exercised. Second, civilian sector operations are initiated and regulated by the Management of Security in Public Corpora Act 1998, which introduced a strong cybersecurity apparatus.

An additional body is the Authority for the Protection of Privacy (APP), which is located within the Ministry of Justice, and reports to the Ministry of Justice and the Knesset. According to the Protection of Privacy Act, one of the APP’s roles is to monitor the compliance of public institutions with information security and privacy regulations. In addition, the APP manages the Information Databases Registrar, which registers and records databases, and ensures their compliance with the law and information security regulations.

Nevertheless, according to the State Comptroller, the APP lacks the resources to properly accompany governmental projects. Since 2011, the APP has not been able to ensure the full compliance of public institutions with some of the Protection of Privacy Act’s regulations concerning inter-institutional information transfers (i.e., public institutions must report to the APP if they transfer information between themselves). Consequently, the APP has limited authority to penalize non-compliance.
“About the Authority for the Protection of Privacy | The Authority for the Protection of Privacy.” In the Authority for the Protection of Privacy’s official website. Last updated: August 15th, 2019. (Hebrew)

Ministry of Justice, “The Privacy Protection Authority.”

Israel. The Prime Minister’s Office. Promotion of National Regulation and Governmental Guidance in Cyber Defense. Government Decision number 2443. February 15th, 2015. (Hebrew)

Israel. The State Comptroller. “Aspects in the Protection of the Privacy in Information Databases,” Annual Report, 69(2), 2019, Jerusalem, vol. 1, pp. 3-88. (Hebrew)

Israel. The State Comptroller. “Aspects in the State’s Preparations in Defense of the Cyber Space,” Annual Report, 67(1), 2018, Jerusalem, vol. 1, pp. 3-10. (Hebrew)

Israel. The State Comptroller. “The Preparedness [lit. arrangement, deployment] of Essential Organizations [lit. bodies] for Cyber Defense,” Annual Report, 69(2), 2019, Jerusalem, vol. 4, pp. 2065-2073. (Hebrew)

Aridor-Hershkovitz, Rachel and Tehilla Shwartz Altshuler, Privacy Protection Bill, 2019-5779. Summary, Israel Democracy Institute, Jerusalem, November 2019.

Solomon, Shoshanna, “Data is up for grabs under outdated Israeli privacy law, think tank says,” ToI, 31.01.2019.

Goichman, Rafaela. “A Hacker Attack or Just an Amateurish Website? What Brought Down the Website Made for the Elections Day,” TheMarker, November 1st, 2018, p. 2. (Hebrew).

Goichman, Rafaela. “‘There Was No Internet Reception’: the Crashed Elections Results’ Website Still Isn’t Back Running.” In TheMarker website. November 1st, 2018. (Hebrew).

Memorandum for the Cyber Security and the National Cyber Directorate Act, 2018. (Hebrew).

Siboni, Gabi, and Ido Sivan-Sevilla. Cyber Regulation. Memorandum 180. Tel Aviv: The Institute for National Security Studies, 2018. (Hebrew).

“The Government ICT Authority | About the Government ICT Authority.” In the Government ICT Authority’s official website. Last updated: May 2nd, 2015. (Hebrew).

“The Ministry of Justice – About.” In the Privacy Protection Council’s official website. Last seen: October 24th, 2019. (Hebrew)

“The National Cyber Directorate | About the National Cyber Directorate.” In the Israel National Cyber Directorate’s official website. Last updated: July 14th, 2019. (Hebrew).

“The National Cyber Directorate.” In the Israel National Cyber Directorate’s official website (main page). Last seen: November 1st, 2018. (Hebrew).

“The National Cyber Directorate | The Directorate is Happy to Announce the Opening of the First Course for the Training of Certified Inspectors in the Market [lit. economy].” In the Israel National Cyber Directorate’s official website. September 12th, 2018. (Hebrew).

The Protection of Privacy Act, 1981. (Hebrew)

Ziv, Amitai, “‘A Shin Bet Puppet.’ What Went Wrong With Israel’s Cybersecurity Agency,” Haaretz, 29.8.2018.
Based on the Act on the Protection of Personal Information, a Personal Information Protection Commission was established in January 2016. The commission is a cross-sectoral, independent government body overseeing the implementation of the act. The body’s chairperson and commissioners are appointed by the prime minister, with the consent of both chambers of parliament. It is still difficult to judge whether this commission will be able to maintain independence from the government and, ultimately, whether it will prove effective. A tightening of existing rules proposed by the commission found its way into the mid-2020 revision of the Personal Information Protection Law. The amended law requires firms and the like to better take into account the personal data protection interests and preferences of Japanese citizens.
Akemi Suzuki and Tomohiro Sekiguchi, Data Protection & Privacy Japan, Getting the Deal Through lawyer and law firm network, September 2018,

A step toward the restoration of privacy (Editorial), The Japan Times, 30 May 2018,

Fumiko Kuribayashi, Users in Japan to get more rights to stop abuse of personal data, The Asahi Shimbun, 26 April 2019,

Hiroyuki Tanaka and Noboru Kitayama, Japan enacts Amendments to the Act on the Protection of Personal Information, International Association of Privacy Professionals,
New Zealand
The Privacy Act 1993 came into force in July 1993. The Privacy Principles in the act may be superseded by a code issued by the Privacy Commissioner for particular sectors. There are currently six codes in operation: the Civil Defense National Emergencies (Information Sharing) Code, the Credit Reporting Privacy Code, the Health Information Privacy Code, the Justice Sector Unique Identifier Code, the Superannuation Schemes Unique Identifier Code and the Telecommunications Information Privacy Code.

The Labour government revised the Privacy Act in 2020, with the aim of strengthening protections for personal information in the digital age. The updated rules create new obligations for businesses and organizations with regard to keeping personal information safe – including that of customers, clients and employees (Newshub 2020).

The Privacy Commissioner administers the Privacy Act. In the first four months of the new Privacy Act’s operation, the number of privacy breach notifications received by the Privacy Commissioner (OPC) increased by 97% compared to the previous six months. The most common category of privacy breach was email errors (25%), with emails containing sensitive information going to the wrong person. Other common types of breaches were the unauthorized sharing of personal information (21%) and unauthorized access to information (17%).

The government’s Chief Data Steward and the government agency Statistics NZ are participating in the design of a Māori data governance (MDG) model along with the Data Iwi (tribal area) Leaders Group (DILG) of the National Iwi Chairs Forum (NICF). The aim is to provide the New Zealand government with an opportunity to develop an approach to data governance that reflects Māori needs and interests (Data Govt NZ 2021).
Data Govt NZ (2021) (2020) “What you need to know about the Privacy Act 2020.”

Privacy Commissioner (2021) Reported privacy breaches double after new Privacy Act takes effect.
Portugal has had a National Authority for Data Protection (Comissão Nacional de Protecção de Dados, CNPD) since 1994.

The CNPD plays an active role in data protection issues. However, budgetary restrictions under previous and current governments have limited the CNPD’s ability to carry out its tasks. While its staff increased during the review period relative to the previous period, from 20 workers at the end of 2018 to 24 at the end of 2020, this does not appear to be sufficient to meet demands.

Indeed, the introduction to the most recent CNPD activity report, dealing with the years 2019 and 2020, notes that it receives an average of more than 6,000 requests per year, and that these cannot all be assessed within a reasonable time given the CNPD’s current staff levels. This issue came to the fore in 2021, when the creators of a COVID-19 contact tracing app accused the CNPD of delaying an update due to the organization’s approval process, thus holding up the app’s implementation and limiting its success.
Comissão Nacional de Protecção de Dados, Relatório de Atividades 2017-2018, available online at:

Comissão Nacional de Protecção de Dados, Relatório de Atividades 2019-2020, available online at:
Numerous laws govern the handling of information by U.S. government agencies – in the interests of maintaining citizens’ privacy, protecting proprietary information of businesses, preventing identity theft, and for other purposes. Overall, these regimes may be relatively strict. However, while there is no national data protection authority, the U.S. Federal Trade Commission (FTC) over the past several years has made itself America’s de facto data protection authority through aggressive use of Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices.

Many state attorneys general have similar enforcement authority over unfair and deceptive business practices, including the failure to implement reasonable security measures and violations of consumer privacy rights that harm consumers in their states. In addition, a wide range of sector-specific regulators, particularly those in the healthcare, financial services, telecommunications and insurance sectors, have authority to issue and enforce privacy and security regulations with respect to entities under their jurisdiction.
see: International Association of Privacy Professionals (2019): The U.S. Doesn’t Have a National Data Protection Authority? Think Again…
The Croatian Personal Data Protection Agency (AZOP), established in 2004, was based on the Personal Data Protection Act adopted by parliament in 2003, which regulated the protection of personal data in the Republic of Croatia for the first time. The agency is a supervisory body tasked primarily with overseeing personal data protection. The agency monitors those who gather and process collections of personal data and warns them of unauthorized processing of personal data. The agency has the authority to order the removal of irregularities; it can temporarily prohibit the processing of personal data, order the deletion of personal data and prohibit their removal from the Republic of Croatia. The Croatian Law on Implementation of the General Data Protection Regulation (GDPR) was passed by parliament in April 2018. The new law prescribes the agency’s duty to publish final and binding decisions on its website, without anonymization of the offender’s data, if a data breach is committed in relation to data on children, special categories of personal data, an automated individual decision, in cases of profiling or if an offender is charged in excess of HRK 100,000. In order to get companies and state institutions to implement and reach compliance with the GDPR, the agency organized more than 30 advisory activities in 2018, involving nearly 2,000 representatives of the processing manager and personal data protection officers. In its annual report to the parliament, the agency pointed out that a large number of companies essentially ignore GDPR compliance. This is mostly observable in the tourism and healthcare sectors. As a result, it requested that the Croatian Employers’ Association be more involved in implementing the GDPR.
Overall, AZOP remains rather ineffective in data protection since it is overwhelmed with administrative tasks and the processing of a large number of questions on behalf of various state agencies, which lack competent GDPR compliance officers. Therefore, due to the lack of enforcement capacity, serious offenders have been able to avoid financial penalties for breaching data privacy.
The Office of the Commissioner for the Protection of Personal Data was established in 2002. Law 125(I)/2018 updated the legislation in accordance with EU regulations and directives. The Council of Ministers appoints the commissioner upon the recommendation of the minister of justice and public order. The qualifications for appointment are those required for a judge of the Supreme Court, a “lawyer of high professional and moral standard.” The commissioner’s authority is extended to both public and private persons, except on processing operations by courts when acting in their judicial capacity. Under the Law on Access to Information, L. 184(I)/2017, the commissioner is also the commissioner for information, who is tasked with monitoring compliance with the law.

Violations of personal data by the authorities, politicians and political parties have always been an issue of concern. However, very few decide to file a complaint. In the latest available report from the commissioner (2019), there is no indication of proactive action.
1. Commissioner for the Protection of Personal Data – Activity Report 2019,$file/Annual%20Report%202019.pdf
In May 2018, a new act on data protection entered into force. The law has renamed the supervisory authority in Poland, the Office of Personal Data Protection (Urzędu Ochrony Danych Osobowych, UODO), which replaced the Inspector General for Personal Data Protection. The president of this office is appointed for a four-year term by the Sejm, with the consent of the second chamber, the Senate. The current president, Jan Nowak, came into office in May 2019. While a lack of resources has limited the effectiveness of the UODO, Nowak, like his predecessor, has acted quite independently. In August 2019, the UODO initiated ex officio proceedings against the Ministry of Justice and the National Council of the Judiciary, following accusations that the bodies had collected and processed the personal data of judges and their families and had shared the data with third parties.

During the COVID-19 pandemic, however, the UODO has played a limited role. When containment measures were introduced in March 2020, the UODO issued a statement on data processing during the lockdown and the implications for dealing with personal data, which was widely perceived as too vague. In May 2020, the UODO did not challenge the Chief Sanitary Inspectorate’s controversial instructions on the collection of employee health data by companies. Nor did the UODO join the debate about the data protection issues prompted by the originally planned contact-tracing app. Thus, it was the commissioner for citizens’ rights, ombudsman Adam Bodnar, rather than the UODO who spoke out against violations of data protection and privacy issues during the pandemic, as well as against the government’s use of Pegasus spyware.
Based on the 2013 Act on Personal Data Protection, the Office for Personal Data Protection was established in 2014. The office contributes to the protection of the fundamental rights and freedoms by supervising how personal data is processed. The effectiveness of the office has been limited by a lack of resources and a lack of clarity and differing interpretations of individual parts of Slovak data protection legislation. The amendment of the act on personal data protection in January 2018, which has aimed at incorporating the European Union’s General Data Protection Regulation, has further aggravated the problems. The nomination of Soňa Pőtheová, the head of the Office for Personal Data Protection from 2015 until 2020, raised some public concerns, as she had been close to senior Smer-SD figures and companies owned by discredited oligarchs. In 2020, she was criticized for threatening Czech journalists. Moreover, the investigations of the Kuciak and Kušnírová murders revealed a close relationship between the controversial businessman Marian Kočner and Pőtheová. The new government dismissed her in April 2020. The position has remained vacant as possible candidates have found the resources of the Office for Personal Data Protection wanting.
A data protection authority exists, but both its independence and effectiveness are strongly limited.
In May 2018, the Belgian federal government instituted the Data Protection Authority (Autorité de protection des données/Gegevensbeschermingsautoriteit). The authority’s mission is to ensure that individuals’ privacy is respected when personal data are processed. To improve efficiency, various pre-existing but dispersed authorities and services were regrouped under (and are now coordinated by) the Data Protection Authority. The new authority is accountable to the lower house (House of Representatives) and its board of directors are politically appointed for 6-year terms.

Both its independence and effectiveness have rapidly revealed significant limitations. In October 2019, two members of the Data Protection Authority (DPA) warned the lower house of the body’s inefficiency, mainly due to the conflicts of interest held by several of its members who also hold public offices. Complaints were filed to the European Commission, which took action against Belgium saying that “some members of the Belgian Data Protection Authority cannot currently be considered free of external influence, as they either report to a management committee dependent on the Belgian government, have participated in government projects to trace COVID-19 contacts, or are members of the Information Security Committee.” The Commission gave Belgium until 12 January 2022 to address this issue. Failure to respond would result in a reference of the matter to the European Court of Justice. Belgium thus risked becoming the first state convicted of violating the GDPR.

The problem is in some senses deeply rooted, since the individuals indirectly designated by the European Commission were appointed as DPA members by the lower house of parliament, even though their conflicts of interest were already known. The measures taken as of the time of writing appeared unlikely to satisfy the Commission, as Belgium’s lower house decided in mid-December to revoke the mandate of only one of the three individuals indirectly designated by the Commission’s report (citing serious misconduct) while also, for purposes of regional balance, revoking the mandate of one of the two whistleblowers (the other had already resigned). The irony is that the European directive aimed at protecting whistleblowers took full effect in Belgium that same week. Further action should include the drafting of a new law on the matter, on which the secretary of state for privacy (Mathieu Michel) had already started working.
The Personal Data Protection Commission was established in 2002. Bulgarian legislation treats personal-data administrators from the public and the private sectors similarly, and the commission has equal powers with respect to both. The commission can regulate the implementation of the law, review personal-data administrators’ activities, provide critical assessments, propose changes and, in the event of infringements, temporarily suspend administrators’ privileges. Citizens can also address complaints to it about infringements of personal-data rights by government and private bodies.

While the competencies of the commission are thus relatively broad, it has limited resources in terms of funding and staff. The massive data breach experienced by the National Revenue Agency, which affected as many as half of the country’s citizens and came to light in July 2019, revealed severe limitations in government agencies’ ability to protect personal data, while additionally exposing the ineffective nature of the commission’s oversight.

A similar data breach took place in 2020 that involved tens of thousands of bank accounts at Bulgaria’s largest retail bank.
The Data State Inspectorate, established in 2001, operates in accordance with the Personal Data Protection Law and is based on a cabinet regulation of 2013, Regulations on the Data State Inspectorate. A new version of the law was proclaimed in 2018. The main goal of the inspectorate is to protect the fundamental rights and freedoms of citizens, particularly the privacy of individuals with regard to the processing of personal data. The law describes the Data State Inspectorate as an independent institution. Nevertheless, the inspectorate is subject to the supervision of the Ministry of Justice and the Cabinet of Ministers, and is financed from the state budget.
1. Personal Data Processing Law (2018) Available at:, Last accessed: 10.01.2022.

2. Data State Inspectorate (2018) Annual Report 2018, Available at:, Last accessed: 10.01.2022.
Legislation on data protection in Mexico has been ineffective since 2010. The National Institute for Transparency, Access to Information and Personal Data Protection (INAI) is an autonomous constitutional body that oversees data protection. Implementation of data protection is limited, especially in remote areas, for poor and uneducated people, and where security issues are involved. Thus, while there is an adequate institutional framework and organizational setup, the reality of data protection, particularly at the lower levels of government, is sobering. In general, President López Obrador intends to reform the constitution to limit the number and competences of independent and autonomous bodies, with the goal of concentrating competences in the executive. The debates over the issue and the stated intention to bring about the change have already limited the oversight function exerted by independent bodies.
Romania updated its data protection legislation in accordance with the European Union’s GDPR policy in May 2018. The responsibility for protecting personal data rests with the National Authority for the Supervision of Personal Data Processing (DPA), which has limited resources. The position of the DPA’s vice-president remained vacant until April 2019, when Mirela Nistoroiu was appointed by the ruling Social Democrat Party, in spite of her lack of specialized skills. The DPA President Ancuța Gianina Opre, named in 2013, has languished under corruption charges dating from 2009 when she was working for the National Authority for the Restitution of Properties.
South Korea
South Korea’s comprehensive Personal Information Protection Commission was established in September 2011, and aims to protect the privacy rights of individuals by deliberating on and resolving personal data-related policies. Data protection is regulated by the Personal Information Protection Act (PIPA). Compared to the European Union’s General Data Protection Regulation (GDPR), data protection rules are weak, and the issue remains a problem particularly in the private sector. For example, PIPA lacks the right to be forgotten and the right to refuse profiling. Maximum fines for violations are also much lower in Korea, set at €40,000 as compared to €20 million under the GDPR. Concerns about personal data privacy came to a head in 2020 during the COVID-19 pandemic. South Korea’s legislation allows authorities to access personal data without court approval during pandemics. This facilitated South Korea’s successful COVID-19 contact-tracing system, which relies on personal data from mobile phones, GPS, credit cards and CCTV footage. Initially, much of this data was made available to the public, leading to discrimination against infected persons and sometimes against entire groups such as churches and the LGBTQ+ community, because they were linked to specific infection clusters. Following critique by Korea’s National Human Rights Commission, the government has since limited the amount of information it publicizes so as to protect personal privacy.

Data security in the private sector remains a significant problem in Korea, where companies have been slow to adapt to international security and encryption standards. In November 2019, Korea started a trial run of an “open banking” system that would make it easier and cheaper for financial institutions to exchange information; however, some observers have raised concerns about the potential for data leaks.
Park, June. “Striking a Balance between Data Privacy and Public Health Safety: A South Korean Perspective.” The National Bureau of Asian Research, April 29, 2021.
The Dutch Data Protection Agency (Autoriteit Persoonsgegevens, APG) succeeded the “College Bescherming Persoonsgegevens” (CBP) in 2016, and simultaneously saw its formal competencies somewhat enhanced by the right to fine public and private organizations in violation of Dutch and, since mid-2018, European data protection laws (the General Data Protection Regulation, GDPR).

Effective data protection has been practically impossible since 2016 for a number of reasons: many capable personnel have left the DPA, even though the number of staff has increased; the organization is underfinanced; hardly any consequential fines have been imposed; “naming and shaming” appears to work, but comprehensive oversight capacity is lacking; laws and regulations are frequently changing, and consequently monitoring and jurisprudence are constantly “in the making.” It looks like the DPA is evolving from a supervisory body to an organization that advises both public and private organizations, and individual citizens, on privacy issues and on how to deal with personal data in ways that (more or less) comply with ever-changing regulations and interpretations. All in all, the DPA operates in self-contradictory ways (as both a “hard” inspectorate, and a “soft” advisory body that “names and shames,” and advises commercial and public data-users and data-providers) in a technologically turbulent environment. In 2019, the DPA found that most data leaks are caused by sloppiness in addressing documents and emails; that this occurs more in institutions of care than anywhere else; and that victims are usually individuals rather than entire categories of people. In 2019, the DPA received an additional €3.4 million in funding for enforcement of the General Decree for Data Protection (Algemene Verordening Gegevensbescherming, AVG) and EU privacy rules. During the coronavirus crisis, the APG appeared to play a more prominent role as an advisor on coronavirus-related privacy issues. Yet, it is calculated that only 0.15% of cases are investigated. The organization’s leader admits its inefficacy and asserts that it is underfinanced (€66 billion is needed instead of €45 billion at present), and still grossly understaffed (400 full-time employees are needed, rather than the organization’s current 180).
Citations: Onderzoek Autoriteit Persoonsgegegeven: Meeste datalekken vinden plaats vanwege fouten in adressering (accessed 4 November 2019)

Tweakers, 12 June 2019. Authorities Persoonsgegeven krijgt extra geld voor handhaving AVG. (accessed 4 November 2019)

Volkskrant, Verhagen, 16 July 2020. Hoe effectief is de corona app? En hoe zit het met de privacy.

NOS Nieuws, Damen and Bouma, 25 March 2021 De Privacywet wordt tamper gehandhaafd, is meer geld de oplossing?
Chile still lacks an effective data protection framework, although Article 19 of the constitution guarantees the right to privacy. In August 2019, the Senate Committee on the Constitution, Legislation, Justice and Senate Regulations (Comisión de Constitución, Legislación, Justicia y Reglamento del Senado de Chile) gave the Chilean Transparency Council (Consejo para la Transparencia) responsibility for the issue of data protection. The Transparency Council is responsible for ensuring public sector compliance with data-privacy laws, but there is no regulatory authority in Chile that monitors private sector compliance. Thus, enforcement of the law is in this respect carried out by the courts, with affected individuals seeking to uphold their rights or win redress for violations on an individual basis.

In 2018, the Senate gave general approval to a draft law amending Law No 19,628 on the Protection of Private Life. The draft law’s purpose is to raise the level of protection afforded to personal data to the same level contained in the European General Data Protection Regulation (GDPR). The law would also create a Personal Data Protection Agency with the ability to monitor and sanction breaches of the law. Although the Senate has emphasized the urgency of this issue, the law has not been enacted to date.
On the draft law and modification of Law No. 19,628:
Deloitte, “Protección de datos personales en Chile,” October 2020, last accessed: 13 January 2022.

Library of the National Congress of Chile (Biblioteca del Congreso Nacional de Chile, BCN), last accessed: 13 January 2022.
The National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság, NAIH) is responsible for supervising and defending the right to the protection of personal data and freedom of information under the Act CXII of 2011. So far, the office has not played a major role in the public debate, and there is still little experience with the new European regulation in the field. The NAIH has challenged the government in some COVID-19 related cases. For instance, it has criticized the fact that the sensitive data required to register for a vaccination are collected and saved not by the government, but by a Fidesz-friendly firm (IdomSoft Zrt). However, the NAIH has failed to speak out against the misuse of public data for the use of Fidesz’s election campaigns and has not addressed the Pegasus surveillance scandal.
Before 2016, Turkey had no specific legislation mandating oversight of personal data protection. In April 2014, the Constitutional Court ruled that new regulations must be made to protect personal data, which is often used for marketing purposes. In 2016, Turkey ratified the Council of Europe Convention 108 on the Protection of Individuals with regard to Automatic Processing of Personal Data and its additional protocol dated 1981. The Personal Data Protection Authority is now operational and its nine-member board has been appointed. Of the nine members, five are appointed by the legislature and four by the president. Law No. 6698 on Protection of Personal Data dated 2016 does not fully conform to the EU acquis, especially relating to the powers of the Data Protection Authority and the balancing of data protection with the right to freedom of expression and information.

Turkey has not signed the 2018 protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Council of Europe, CETS No 223). The lack of harmonization with the EU acquis hinders possible cooperation with Eurojust and Europol. The EU Commission (2020) has raised concerns regarding the exceptions for law enforcement and the independence of the Data Protection Authority.
KVKK. “100 Soruda Kişisel Verilerin Korunması Kanunu.”

European Commission. “Turkey Report 2021. Commission Staff Working Document.” October 19, 2021.
There is no effective and independent data protection office.