CIPL Publishes White Paper on Organizational Accountability in Privacy Enforcement

On October 6, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a white paper on “Organizational Accountability in Data Protection Enforcement – How Regulators Consider Accountability in their Enforcement Decisions” (the “Paper”).

The Paper elaborates on a key recommendation made in CIPL’s 2018 white paper “Incentivising Accountability: How Data Protection Authorities and Law Makers Can Encourage Accountability.” Among other recommendations, the 2018 paper had urged Data Protection Authorities (“DPAs”) to use demonstrable organizational accountability measures as mitigating factors in enforcement. This would have the effect of clarifying to organizations the value of implementing comprehensive privacy compliance programs and other accountability measures. In 2020, CIPL decided to further explore this issue together with Professor Christopher Hodges of Oxford University and to conduct a survey of global DPAs. (The survey also included regulators in other regulatory areas, but their responses are not the focus of the Paper.)

Specifically, the survey sought answers to the following questions:

  • Do DPAs have a policy of considering accountability in an enforcement context?
  • Are DPAs, in fact, considering accountability in their enforcement actions?
  • Are DPAs, like other global regulators in other fields, adopting a more outcomes-based approach to regulatory oversight that includes ex ante engagement and encouragement of best practices and accountability?
  • Are DPAs giving organizations credit for their good faith efforts to implement accountability when establishing fines for privacy violations?
  • Are DPAs following a consistent approach globally and across regions, thereby facilitating globally consistent compliance and accountability measures?
  • Do DPAs clearly state their expectations with respect to accountability?

The Paper considers the survey responses in the context of an ongoing global shift, across regulatory areas, towards a more cooperative and outcomes-based approach to regulatory oversight that emphasizes ex ante engagement and incentives rather than relying only on deterrence and punishment. The Paper concludes that while most global DPAs do consider demonstrated accountability as a mitigating factor in enforcement to some extent, and thus are at least partially aligned with an outcomes-based approach, there remains some room for improvement on a number of specific issues, such as consistency among DPAs and transparency. The Paper captures these issues in a number of specific recommendations to global DPAs.
