Abstract:
This article explores whether the design of enforcement mechanisms in data privacy laws influences the types of privacy harms addressed by them, by evaluating evidence of enforcement from four jurisdictions. It uses three of the foundational design principles identified by Cavoukian to examine whether each category of data privacy (data quality, access rights, use, disclosure, security and so forth) should be addressed through enforcement tools suited to its characteristics. The evidence supports the need for proactive regulator-led enforcement, rather than reactive litigation by complainants in relation to some areas. Such enforcement also has an educative function aligning with the principle of transparency. Where full functionality necessitates mechanisms for individuals to litigate complaints, the research found that specialist tribunals were more sympathetic to complainants than were courts. It also discovered that litigation by individuals tended to be linked to disputes between the parties unrelated to privacy and addressed only harms that came to light through complainants’ prior knowledge. Finally, the evidence from each jurisdiction studied provides useful lessons for other jurisdictions as to both the conduct targeted and the need for substantive rules such as erasure or the right to be forgotten.