4.3 Enforcement Bodies Around the World
Module 4: The Global Regulatory Landscape
Explains what Data Protection Authorities do, profiles key bodies globally, and shows how to identify the authority relevant to you.
A privacy law without an enforcement body is a suggestion. Enforcement bodies — variously called Data Protection Authorities (DPAs), Privacy Commissioners, or Information Regulators — are the institutions that give privacy law its teeth. Understanding who they are and what they can do is essential to exercising your rights.
What a Data Protection Authority does
DPAs are independent public bodies tasked with monitoring compliance with data protection law, investigating complaints, and taking enforcement action. Their core powers typically include:
- Investigation: auditing organisations, issuing information orders (requiring companies to explain their practices), and conducting sector-wide reviews.
- Corrective powers: ordering organisations to stop processing, to delete data, to comply with an individual's rights request, or to implement security improvements.
- Fines: imposing administrative penalties. Under GDPR, fines can reach €20 million or 4% of global annual turnover.
- Advice and guidance: publishing codes of practice, guidelines, and opinions — both for organisations seeking to comply and for individuals seeking to understand their rights.
- Complaint handling: receiving and investigating complaints from individuals who believe their rights have been violated.
DPAs typically operate independently of government, though their funding and appointments come from the state. Independence matters: a DPA that can be dismissed for investigating a government ministry is not genuinely independent.
Key bodies: a global tour
European Data Protection Board (EDPB) — Not a national body but an EU-level coordination mechanism. The EDPB brings together the national DPAs of all 27 EU member states to ensure consistent interpretation and application of the GDPR. It issues binding decisions in cross-border cases and publishes influential guidelines. Website: edpb.europa.eu
National DPAs in EU member states — Each EU country has its own DPA. Major ones include: the CNIL in France; the Datenschutzkonferenz (DSK) in Germany, which coordinates the federal and state authorities; the Garante in Italy; the AEPD in Spain; and the DPC (Data Protection Commission) in Ireland, which is particularly significant because many large tech companies are headquartered there for EU purposes.
Information Commissioner's Office (ICO) — United Kingdom — The UK's DPA, operating under the UK GDPR and Data Protection Act 2018 (which essentially ported the EU GDPR into UK law post-Brexit). The ICO has issued landmark fines — including a £20 million penalty against British Airways (2020) following a data breach. Website: ico.org.uk
Federal Trade Commission (FTC) — United States — Not a dedicated privacy authority, but the main federal body enforcing privacy-related consumer protection. The FTC acts against deceptive and unfair data practices under its Section 5 authority. It has brought major actions against Facebook, Google, and others, but lacks the power to issue comprehensive privacy regulations without Congressional action. Website: ftc.gov
Office of the Privacy Commissioner of Canada (OPC) — Canada's federal privacy commissioner oversees PIPEDA (private sector) and the Privacy Act (public sector). The OPC can investigate complaints and make recommendations but generally cannot impose fines directly (though Canada's modernised Bill C-27 proposes stronger powers). Website: priv.gc.ca
Office of the Australian Information Commissioner (OAIC) — Australia's privacy regulator, overseeing the Privacy Act 1988 and the Australian Privacy Principles (APPs). The OAIC handles complaints, conducts investigations, and can accept enforceable undertakings. Website: oaic.gov.au
Information Regulator — South Africa — Established under POPIA (Protection of Personal Information Act, 2013, effective 2021), South Africa's Information Regulator is one of the most significant privacy authorities in Africa. It can investigate, issue enforcement notices, and impose fines. Website: inforegulator.org.za
How to find your relevant authority
For most purposes, your relevant DPA is the one in the country where you reside (for exercising your rights as an individual) or where your organisation is established (for compliance). The IAPP maintains a global tracker of all DPAs at iapp.org, and the EDPB lists all EU member DPAs. Module 5 covers how to make a complaint to your DPA in detail.
Your takeaway
DPAs are not bureaucratic abstractions — they are your institutional ally when your rights are violated. Knowing which one covers you, and understanding what powers it holds, is practical knowledge.