Data Protection (Compliance and Enforcement) Regulations 2021: Key Considerations
In April 2021, the Office of the Data Protection Commissioner (ODPC) issued draft guidelines and invited comments from the public before the adoption of the regulations. These regulations include the Data Protection (General) Regulations, the Data Protection (Registration of Data Controllers & Data Processors) Regulations, and the Data Protection (Compliance and Enforcement) Regulations. The ODPC oversees a range of persons and entities; as such, upholding fundamental rights and freedoms, particularly the right to privacy, and rolling out an efficient system for filing complaints is key to enforcement. The Data Protection (Compliance and Enforcement) Regulations 2021 simplify the process of lodging complaints against data processors and controllers to ensure that the rights and freedoms of data subjects are upheld without fail. The pertinent issues that arise from these regulations include transparency and accountability, enforcement measures on international personal data transfer (IPDT) and the imposition of administrative fines.
Transparency and accountability in the complaints process
Regulatory and enforcement actions involve filing complaints, issuing penalty notices, enforcement notices and assessment notices, and publishing the outcome of investigations. The process requires utmost transparency when availing relevant and detailed information to the complainants, data controllers and processors, and the general public. The ODPC can ensure transparency by keeping an up-to-date register of complaints, unadmitted complaints and discontinued complaints. The register can also include details of the nature of cases handled and their outcomes. This information will be important in determining the impact and outcome that the set regulatory and enforcement measures have on the protection of fundamental rights and freedoms. It can also be used for learning when case study examples are published.
The ODPC can also apply principles on the fair administration of justice by involving the complainant in the complaints procedure. Transparency and accountability can encourage compliance and self-regulation by data controllers and processors.
Enforcement measures on IPDT
Part VI of the DPA requires data controllers and processors that intend to conduct IPDTs to provide evidence of adequate safeguards and to submit proof that the recipient countries possess commensurate data protection laws. Section 49 (3) of the DPA further provides that the Data Commissioner may prohibit or suspend the transfer of personal data outside Kenya to protect the rights and fundamental freedoms of data subjects. The regulations need to provide clear measures on the suspension of data flow to a recipient country or an international organization and set out what qualifies as ‘appropriate safeguards.’ Defining clear steps that will be taken to ensure enforcement will assist in investigations, provide mutual aid and secure appropriate regulatory outcomes. This approach may also assist in creating a checklist of appropriate safeguards whose absence can justify restricting or suspending a data transfer.
In enforcing the rules on the transfer of data outside Kenya, the ODPC needs to identify the international regulatory and supervisory authorities it will liaise with in the event of a breach involving IPDT, and to set out how joint regulatory or investigative work will be handled. This will assist complainants in understanding the mode of communication, the time frame of the investigation and the expected outcomes. IPDT is an emerging issue that needs to be adequately covered within the regulations and in compliance with Sections 48, 49, and 50 of the DPA.
Imposition of administrative fines
The imposition of administrative fines is a key factor in ensuring compliance with and enforcement of the regulations. Administrative fines need to be dissuasive, effective, and proportionate. The factors that may be considered include the nature, gravity and duration of the infringement, actions taken to mitigate the damage suffered, and any relevant previous infringement. The UK’s Information Commissioner’s Office (ICO) Regulatory Action Policy provides viable ideas on how the imposition of administrative fines can be adequately covered. The policy lists factors that may be considered, including: the categories of personal data and the level of privacy intrusion, the number of individuals affected, the degree of intrusion to privacy, whether the issues raised are new or repeated, and the duration of the breach.
In imposing administrative fines, it is also important to consider the aggravating and mitigating factors. The ICO policy differentiates the two. Aggravating factors include: an intentional, wilful or negligent approach to data protection, prior regulatory history, the state and nature of protective and preventive measures, and how the breach became known. Mitigating factors include: early notification of the breach by the data controllers and processors and the actions taken to mitigate the breach. A regulatory approach that presents clarity on the scope of penalties and the factors that determine their imposition, and that differentiates between aggravating and mitigating factors, will enable a better understanding of the issue and ease the assessment process.
The ODPC holds significant power in ensuring that data subjects’ rights are upheld by data controllers and processors. In exercising its regulatory power with regard to compliance and enforcement, the Office should consider the issues raised above to encourage lawful, fair and transparent complaints management. The regulations also need to clearly reflect that infringement of, and failure to uphold, the provisions of the DPA will be handled with transparency, consistency and proportionality.