How is data protection organised in a federal or in a highly decentralised state? And is it as effective in a federal state as it is in a centralised state?

How is data protection organised in a federal or in a highly decentralised state? And is it as effective in a federal state as it is in a centralised state?

How is data protection organised in a federal or in a highly decentralised state? And is it as effective in a federal state as it is in a centralised state?

article précédent

article suivant

The protection of personal data has had a particular importance at an international level, hence, ever since 2006, every January 28th is dedicated to data protection according to the Committee of Ministers of the Council of Europe.

This desire to protect can be explained by social changes, but also by legislative changes. In this respect, data protection involves reconciling different legislations, which is even more difficult because different parameters such as the supervisory authority and the form of state must be taken into account.

This comparative study will demonstrate that data protection is a global issue, especially because of the influence of the GDPR, and an influence that is not limited to a European level. Moreover , the study is carried out in comparison with France to highlight the differences between the legislative frameworks of states with a high degree of decentralization or with a strong federal organization and, finally, states that do not have this specificity.

What institutional form does data protection take in highly decentralized or federal states?

One of the first aspects that may be useful to compare is the creation of the agency and its date of creation to see the interest of each country in data protection. For example, in France, the CNIL ^[National Commission for Information Technology and Civil Liberties]was created following the SAFARI project, which was perceived as a violation of freedom. Thus, some agencies are the result of the need to protect data from social and technological changes. Other agencies have had to adapt to legislative needs, as the case of Belgium demonstrates. The current authority is the Data Protection Authority, which replaces the Privacy Commission created in 1983. This new authority created in 2017 is the result of a legislative adaptation that has made it possible to expand the powers of this new authority. This authority is an independent supervisory body. However, the issue of independence has been discussed by the European Commission, which gave Belgium a deadline to restore the Agency’s independence.

The Belgian agency has its own characteristics as a federal state. There are other protection authorities in Belgium: the police information control body (COC), the permanent committee for the control of intelligence services (CPR) and the permanent committee for the control of police services (CPP).

Like Belgium, the Spanish authority has its own characteristics due to its autonomous communities. The Spanish Data Protection Agency, in charge of data protection in Spain, is an independent public authority which status is regulated by a Royal Decree por el que se aprueba el Estatuto de la Agencia de Protección de Datos. created in 1992, and its operation in 1994. There are also 3 other autonomous data protection agencies: The Catalan Data Protection Authority, the Basque Data Protection Agency and the Council for Transparency and Data Protection of Andalusia.

Data protection authorities in Mexico and Argentina are more recent. Indeed, the Agency for Access to Public Information, in Argentina, was created in 2000. Law 27.275 created the agency as an entity as an autarkic entity that will operate with functional autonomy within the scope of the national Executive Branch. According to Article 19 of Decree 746/2017 the Agency for Access to Public Information will act as the enforcement authority of the Personal Data Protection Law No. 25.326.
More recently, it was created in Mexico in 2002, the Federal Institute of Access to Information and Protection of Personal Data which has been replaced by the INAI^[National Institute of Transparency, Access to Information and Protection of Personal Data
] in 2014.

The comparative study shows that the authority’s missions in these four countries are practically the same. For example, Spain and Belgium have investigative, supervisory and sanctioning powers. Similarly, the Argentine and French agencies have, for example, sanctioning and investigative powers. Finally, as far as Mexico is concerned, the Agency must guarantee the rights of individuals to public information and to the protection of their personal data.

What is interesting to point out , in addition to the missions of the authorities, are the different policies and visions of the authorities. For example, in Mexico the vision is very much focused on transparency, as the name of the Agency indicates. To achieve this goal, the Authority will promote, among other things, the exercise of data protection rights and transparency of public institutions, and also promote an institutional model of public service focused on results, from a human rights and gender equality perspective. Likewise, the Belgian Authority has a vision focused on the protection of citizens’ data and their fundamental rights. In France, the CNIL informs citizens about their rights, for example by participating in conferences and press releases, while taking an ethical stance and organizing public debates. The same is true of Spain, which cooperates with various international organizations and European Union data protection bodies, and represents Spain in international forums.

However, these are only light shades and no significant differences are noted between the missions of the authorities in these countries. They all have information, advisory and protection of rights in the field of personal data, but also have sanctioning powers.

Structuring and articulation of legal systems: risk of contradiction or reinforcement of protection?

For countries in which there are different authorities, such as Belgium or Spain, it seems necessary to articulate protection in order to avoid any risk of contradiction. In this respect, for the different Belgian authorities, there is a [cooperation protocol ](protocole-de-cooperation-entre-les-autorites-de-controle-federales-belges-en-matiere-de-protection-des-donnees.pdf (
)that allows the sharing of competences.
As for Spain, there are specific laws in the autonomous communities, such as the Law on the Catalan Data Protection Authority, the Law on public transparency in Andalusia, or the law on publicly-owned personal data files and the creation of the Basque Data Protection Agency.

There are national laws that guarantee this protection, as all the countries surveyed allow for data protection. It should be noted that the legal framework will be studied in a non-exhaustive manner for each country.

For example, in Spain, the law regulating data protection is the Organic Law 3/2018 of 5 December 2018.

In Belgium, the law regulating this protection is the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data. This law is not applicable in the private sphere, e.g. for images placed online but with limited access and scope.

In Mexico, the general federal law is the Ley Federal de Protección de Datos Personales en Posesión de Particulares of 5 July 2010. There are also other sources of protection such as the Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights, or the General Law on Transparency and Access to Public Information. There is also the Code of Ethics of the National Institute for Transparency, Access to Information and Protection of Personal Data

In Argentina, the main sources are Law 25.326 and Law 26.951, of the National No Call Registry. According to Articles 2 and 3 of the aforementioned law, this registry is created within the framework of the National Directorate for the Protection of Personal Data to protect users of telephone services against abuses, for example in the context of advertising. There are also decrees, such as the regulatory decree 1558/2001 on the protection of personal data.

Finally, in the case of France, the regulatory law is Law No. 78-17 of 1978.

It can be seen that all these countries allow the protection of personal data. The specificities remain chosen by the federated states. Therefore, these countries have articulated these different legal systems.

As for the EU countries studied, the GDPR has allowed a harmonisation of legislation, while leaving room for manoeuvre to the member states. In terms of EU and non-EU countries, there are differences in legislation. For example, « One of the biggest differences between the Mexican legal framework and the GDPR is the concept of « legitimate interest for the processing of personal data ». The Mexican legal provisions refer to tacit consent, but sensitive personal data such as: the life of the person or whose misuse could generate discrimination or imply a serious risk for the data subject , which may reveal elements such as racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral convictions, trade union membership, political opinions, sexual preference, etc., and the GDPR specifically requires such legitimate interest« ^[].

The GDPR has also led to a change in the number of data protection officers (DPOs), as shown in the comparative graph below.


Source : Figures Spain ^[Figures Spain :]

Source : Figures France^[Figures France :]

The interest in data protection has led to the creation of professional associations of DPDs or other professionals in the sector, such as the APCPD^[Asociación Profesional de Consultores en Protección de Datos]
and the Asociación Española de Delegados de Protección de Datos, in Spain. In Belgium it is the Union Professionnelle de DPD and in France it is the AFCDP.

Finally, the notable difference between Argentinian and Mexican legislation lies in the guarantees for the transfer of personal data. Indeed, unlike Mexico, Argentina has a 2003 adequacy decision on the protection of personal data.

What are the penalties for breaching the legal framework for data protection?

Figures show that in 2020, Spain was the country with the most GDPR breaches, with 128 breaches. In 2020, France was the country with the highest number of GDPR fines, with a total of 138.3 millions.

As for Argentina,  » under Law 26.951, 91 resolutions were signed, of which 59 rejected appeals and 32 imposed sanctions for a total amount of $93,035,100″. In the framework of Law 25.326, « a total of 13 sanctioning resolutions were issued for a total amount of $1,226,305. In addition, 2 warning decisions, 6 decisions dismissing complaints, 7 decisions dismissing appeals and 2 decisions estimating appeals were issued, for a total of 30 decisions« ^[]. These include sanctions against Google. The first one was on the basis of article 14 on the refusal of the right of access of the LPDP. The second was for obstructing the work of the National Directorate of Personal Data. As mentioned above, there are two main sources of legislation in Argentina. In 2018, 98% of the sanctions were based on Law 26.951 on the National “Do Not Call Register”.

In 2020, as far as Mexico is concerned, the total sanctions were 39 millions 324 thousand pesos, on the violation of the 2010 law (Ley Federal de Protección de Datos Personales en Posesión de los Particulares).

What influence does the GDPR have on sanctions? In the case of EU countries, a large number of sanctions are related to the violation of this regulation. The GDPR may also have an impact on the legislation of non-EU countries to the point of wanting to change the legislation. In this regard, the director of the Argentinean Agency, Eduardo Bertoni, stated that « compared to the sanctions imposed in Europe, in our country the sanctions provided for by law are economically low. Consequently, updating our Personal Data Protection Law is an increasingly evident necessity”^[] .


On the authority and its missions, the major difference is in the organisation of the authority. Indeed, Spain and Belgium have a main body and specific bodies, but these structures can be reconciled and share areas of competence. Thus, in the case of Belgium, citizens can directly address the main entity and if the request does not correspond to the correct entity, it will be transmitted to the right one without them worrying about it. This illustration underlines that authorities tend to want to simplify the enforcement of citizens’ rights while still protecting them.

The policies for protecting citizens’ rights seem to be broadly the same, although there are some shades in terms of the angle of protection.
Finally, the legal framework on which the protection authority depends allows for a protection of personal data that seems to be effective. The GDPR has strengthened this protection at the European level, but its impact is global.

Eloïse Quinzin

Eloïse Quinzin

décembre 10, 2022

Ne ratez plus aucune actualité sur la conformité RGPD et ses bonnes pratiques

Inscrivez-vous à notre newsletter

Recevez notre newsletter à la pointe de la protection des données tout en étant pédagogue