EPIC --- Privacy and Human Rights Report
|Title Page Previous Next Contents | Overview >Oversight and Privacy and Data Protection Commissioners|
An essential aspect of any privacy protection regime is oversight. In most countries with an omnibus data protection or privacy act, there is an official or agency that oversees enforcement of the act. The powers of these officials, Commissioner, Ombudsman or Registrar, vary widely by country. Several countries, including Germany and Canada, also have officials or offices on a state or provincial level.
Under Article 28 of the EU Data Protection Directive, all European Union countries must have an independent enforcement body. Under the Directive, these agencies are given considerable power: governments must consult the body when the government draws up legislation relating to the processing of personal information; the bodies also have the power to conduct investigations and have a right to access information relevant to their investigations; impose remedies such as ordering the destruction of information or ban processing, and start legal proceedings, hear complaints and issue reports. The official is also generally responsible for public education and international liaison in data protection and data transfer. Many authorities also maintain the register of data controllers and databases. They must approve licensing for data controllers.
Several countries that do not have a comprehensive act still have a commissioner. A major power of these officials is to focus public attention on problem areas, even when they do not have any authority to fix the problem. They can do this by promoting codes of practice and encouraging industry associations to adopt them. They also can use their annual reports to point out problems. For example, in Canada, the Federal Privacy Commissioner announced in his 2000 report the existence of an extensive database maintained by the federal government. Once the issue became public, the Ministry disbanded the database.
In several countries, this official also serves as the enforcer of the jurisdiction's Freedom of Information Act. These include Hungary, Estonia, Thailand, Germany and the United Kingdom. On the sub-national level, many of the German Lund Commissioners have recently been given the power of information commissioner, and most of the Canadian provincial agencies handle both data protection and freedom of information.
A major problem with many agencies around the world is a lack of resources to adequately conduct oversight and enforcement. Many are burdened with licensing systems, which use much of their resources. Others have large backlogs of complaints or are unable to conduct significant number of investigations. Many that started out with adequate funding find their budgets cut a few years later.
Independence is also a problem. In many countries, the agency is under the control of the political arm of the government or part of the Ministry of Justice and lacks the power or will to advance privacy or criticize privacy invasive proposals. In Japan and Thailand, the oversight agency is under the control of the Prime Minister's Office. In Thailand, the director was transferred in 2000 after conflicts with the Prime Minister's Office. In 2001, Slovenia amended its Data Protection Act in order to establish an independent supervisory authority and thereby ensure compliance with the Data Protection Directive. This was previously the responsibility of the Ministry of Justice.
Finally, in some countries that do not have a separate office, the role of investigating and enforcing the laws is done by a human rights ombudsman or by a parliamentary official.