The third workshop of the Data Privacy Learning Series took place on February 1st, 2022, and discussed the challenges in creating and maintaining independent data protection authorities in the ADAPT partner countries, some having passed comprehensive data protection legislation and others currently discussing it. The choice of subject for the workshop was validated by talks conducted with the partners prior to the start of the series, during which it became clear that, regardless of the stage of regulation of each country, organizations share concerns about lack of independence of either existing or proposed authorities.
The independence of data protection authorities has proven difficult to attain in countries in the Global South, especially in contexts of incipient data protection culture and a lack of resources and/or political will. There are several obstacles which civil society invariably face when pushing for independent oversight authorities, from passing a data protection law that provides for the creation of an entity tasked with regulating and enforcing it, to pushing for the creation of this new entity and definition of specific administrative provisions that ensure independence, to financial and functional autonomy. Not limited to that, there are several other processes after the entity has been successfully installed, like appointing its board and promoting transparency mechanisms, and other instruments that allow for plural and democratic participation in the decision-making processes.
The workshop aimed to focus on more general concerns and challenges that exist regardless of stage in the advocacy lifecycle. To do that, the workshop started with three brief talks, led by Data Privacy Brasil Research, KICTANet (Kenya), and Fundación Ciudadanía y Desarrollo (FCD- Ecuador) followed by an open discussion that brought other elements and experience from these countries and the other participants.
The main goals for the workshop were:
- To present and debate cases that reveal concrete legal, institutional and political challenges, as well as successful and failed efforts by civil society in creating and maintaining an independent national data protection authority in ADAPT partner’s countries;
- To gain insights into the similarities and/or differences of challenges faced by ADAPT partners on the subject and reflect on the strategies adopted by civil society groups navigating them.
Regulation and institutionalization must walk together: the Brazilian experience
The presentation led by Data Privacy Brasil summarized the ongoing Brazilian experience of establishing a national DPA with actual independence. To do so, they focused first on the lawmaking process that resulted in the enactment of the Brazilian General Data Protection Law in 2018, then on the years since and the struggle to materialize many of its provisions.
From 2010 to 2015, there was no consensus among stakeholders regarding the structure, or even the necessity, of a data protection authority. After two long public consultations, a rough consensus was reached in which an independent data protection authority, structured as an autarchy with financial and functional autonomy, would be included in the final version of the draft. However, even though LGPD (the Brazilian law) was passed unanimously by both House and Senate, the provisions related to the DPA were subject to a presidential veto and later substituted by a public body subordinated to the Presidency, a structure that remains today.
While this arrangement was determined by a Provisional Measure issued by the Executive which altered LGPD, the Brazilian Constitution determines that this type of measure must be later validated by the Legislature. This provided a new opportunity to discuss LGPD provisions and, therefore, new disputes and power struggles. Even though the broad coalition that had formed to push for the passage of LGPD did not “regroup” for this new phase of the legislative debate, the consensus around the need for a strong Authority remained. Thus civil society, the private sector and the government were able to reach a mediated solution: to include in the law that the newly created Authority may be turned into an autonomous autarchy in up to 2 years after the approval of its internal regulations.
The lessons learned from this long process, shared with all participants, were the following:
- The path towards an independent and functional data protection authority is a long one and can begin long before the passage of a comprehensive data protection law. It is one of the most relevant topics of discussion and negotiation during the lawmaking process, as decisions about the design and structure of such an entity often need to go through the scrutiny of the Legislative due to budgetary implications;
- This process is also not over once a law is enacted, regardless of the format defined for its regulation and oversight: an entity that is provided by law must be materialized, often through specific Executive measures that also require public pressure and negotiations.
- The importance of multi stakeholder alliances around the issue of DPA independence cannot be overstated, as obstacles such as lack of resources and political will are more easily dealt with when multiple interest groups are engaged and focused towards a common goal.
Shifts in priorities and lack of discussions around DPA independence: the Ecuadorian experience
FCD outlined the Ecuadorian experience with the still ongoing process of establishing a data protection authority after the enactment of its first comprehensive data protection law in 2021. For context, the passage of the “Ley Orgánica de Protección de Datos Personales” was “fast-tracked” after an unprecedented data breach resulted in the personal data of up to 20 million people, more than the country’s entire population, becoming available online in 2019.
Ecuador explicitly guarantees the right to data protection in its Constitution and started the process to regulate the issue broadly in 2017. The law that was approved some 4 years later is inspired by its European counterpart, including a thorough Preamble, which contextualizes the legislation and provides clarifications regarding some of its provisions.
Among the many topics covered by the new law, such as scope of application, principles, special categories of data, data sharing and international transfer, is the creation of a Data Protection Authority, with the status of Superintendency, whose chair must be appointed in line with the Constitution and whose roles, responsibilities and procedures must be detailed in a specific regulation. To date, however, no Superintendent has been appointed and the law as a whole lacks enforceability due to a lack of specific regulation.
Among the many concerns, FCD highlighted the new authority’s general autonomy and financial status, as well as the lack of more precise delimitation of its powers and functions. While there was a joint political effort to approve a comprehensive data protection legislation, with over 70 provisions and a very progressive Preamble, the same level of priority has not been extended to the “after” period and to making these provisions enforceable. Considering this scenario, FCD expressed the necessity to join forces with other groups and organizations, and to keep exchanging successful experiences in order to help with their efforts in Ecuador.
Lack of resources and prioritization: the Kenyan experience
KICTANet similarly provided a broad overview of the Kenyan data protection legal landscape and specific provisions that are relevant to the independence of a data protection authority. In sum, the right to data protection was included in the Kenyan Constitution in 2010 and after that there were several pieces of legislation discussed that were never enacted due to a lack of political will. The 2019 Data Protection Act builds on these previous experiences, draws inspiration from GDPR, and, among other things, introduces the Office of the Data Protection Commissioner (ODPC).
In terms of concrete challenges towards not just independence of said entity, but also its efficiency in materializing the rights, duties and responsibilities provided by the law, KICTANet points out a few specific problems, all interrelated.
The first is the legal nature of ODPC itself, which lacks appropriate financial independence: it reports to the Ministry of Information, Communication and Technology (ICT), from which it also has to draw funds. The Ministry has the power to remove the Commissioner from office on recommendation of the Parliamentary Service Commission. Parliament, on its turn, can vet ODPC nominations. The bureaucracy and political nature of the process helps explain why the current Commissioner was appointed a year after the enactment of the law.
The second aspect, related to the issue of independence, is budgetary deficiencies that result in insufficient resources and a lack of technical capacity. The presentation highlighted how, when it first started operating, the ODPC did not have office space or furniture and employed only a “skeleton staff” of just 10 employees. While staffing has been steadily improving, insufficient funding is still a major problem and concern for the ability of the entity to fulfill its many roles.
One of the key takeaways from the Kenyan experience is that budget allocation is, in many cases, inherently political and must therefore be a priority in terms of organizations’ advocacy efforts. At the same time, as pointed out during the open discussion, navigating the different actors and technicalities related to budget is not something that digital rights organizations tend to be familiar with and can be, in fact, very difficult.
This leaves an open question for organizations: how can capacity to advocate around budget issues be strengthened so that years of political engagement and victories – for example with the enactment of protective legal frameworks – are not made ineffective due to ‘’technical’’ issues?
Conclusions and open questions
Lack of resources, specific legal provisions and/or political will to either create a new entity or ensure its independence is a common challenge across Africa and Latin America.
Particularly in light of the pandemic which understandably dominated national priorities, time, and resources of governments all over the world, organizations shared their difficulties in keeping data protection a priority of decision-makers at all levels, which for some countries results in slower lawmaking processes to pass a law, and for others, in difficulties attaining DPA independence and sufficient resources.
This raises questions on how to communicate these issues broadly and in ways that show their profound relations to all aspects of social life, as well as the importance of creating deeper connections with organizations in local, regional and global networks. The issue of DPA independence has proven itself to be extremely relevant not in just one stage of the advocacy lifecycle, but rather in all of them – passing a good law is not enough in terms of securing its enforcement and the capacity of the oversight body to act in accordance with its roles and responsibilities. Therefore, planning from the very beginning and understanding that this is an ongoing process is central for organizations working towards better data protection frameworks.