Report Privacy Violations
Once you are informed about your local privacy laws, it's important to get familiar with the process for reporting violations of the law. Submitting an official complaint is often simple, and can have a significant impact both for yourself and for your community.
Here's why and how you should report violations of your local privacy laws:
International variations
There are hundreds of privacy regulations currently in effect in the world. Moreover, each country might have multiple privacy laws protecting different regions/states/provinces, and different types of data (health data, children's data, employees' data, etc.).
This tip cannot cover each regulation individually. There will be variations for each applicable privacy law. Read this tip as general advice and a starting point to guide you through your own regional research.
Why reporting violations matters
For many (if not most) privacy regulations, there isn't a mechanism to systematically audit every single organization collecting data from people located in its jurisdiction.
Unless the enforcing authority decides to investigate an especially important abuse, the process often relies on individual complaints reporting violations of data subject rights in order to trigger an investigation.
If you believe that your privacy rights have been violated by an organization, infringing your local privacy regulations, you can likely report this violation to the entity responsible for enforcing the law, the Data Protection Authority (DPA).
What is a Data Protection Authority?
Again, different laws might use different terms for this, depending on the region. For example, in Canada the enforcing authority for a privacy law is often called a Privacy Commissioner. In Europe, the term used is a Data Protection Authority. In the state of California in the United States, the entity responsible for enforcing the California Consumer Privacy Act (CCPA) is the California Privacy Protection Agency.
This text will use Data Protection Authority or DPA as an umbrella term to refer to any authorities mandated to enforce a privacy regulation.
Reporting even small violations can help improve privacy rights not only for yourself but for everyone else as well.
Often, reporting is simple and can make a big difference down the line, especially in numbers.
Once an organization is ordered to bring corrective changes or is sanctioned for malpractice by a DPA, this can have many beneficial effects at the individual and collective level:
- A delinquent organization might be mandated by law to correct the problem. For example, a company without a clear privacy policy might be ordered to publish one.
- With the help of your DPA, you might finally be able to get personal data deleted that you were unable to delete before (and similarly for access requests).
- An abusive organization might be banned from operating in your country entirely.
- Individual complaints can create a legal precedent that could speed up enforcement for similar violations in the future.
- Strong sanctions that are made public can send a powerful warning to other organizations to avoid making the same mistakes, and to adopt corrective privacy-protective measures preventively.
- Cases and sanctions that are publicized can notify the public about potential problems, and potential solutions.
- If a DPA receives multiple complaints targeting a single organization, they might decide to launch a larger investigation and order the organization to improve its privacy practices more broadly.
When you can report a violation
You can submit a complaint any time your local privacy rights have been violated by an organization required to comply with the law, and you weren't able to resolve the issue on your own.
To report a privacy law violation, first ask yourself these questions:
- Following the criteria described in your local privacy regulation, is the organization obligated to comply with this law?
- Is your affected information considered personal information under the law?
- Which article(s) of the law has the organization breached?
When in doubt, never hesitate to send any questions you have to your local DPA.
The people working at your local DPA are the best specialists to contact to get the most accurate information specific to your local privacy protections.
How to report a violation
Most regulations will have a clear process to submit an official complaint.
Once you've found the official documentation for your local privacy law(s), read through it to find who is responsible for enforcing the law (who is your DPA), and what the complaint process is.
Before submitting a complaint, you may want to:
1. Document everything you can
Try to collect as much information as possible to support your case.
Save copies of your email communication with the organization, take screenshots of the organization's chatbot replies to you, print to PDF the organization's privacy policy, etc.
2. Try contacting the organization directly
Depending on the context and violation, some laws will require that you first contact the organization to attempt to resolve the problem directly.
For example, let's say you want to delete your account's data but cannot find a way to do this within the application. You could then contact the organization's privacy officer to request data deletion. If you don't receive any replies after a certain number of days (usually around 30 or 45 days, depending on regulations), you can then submit a complaint to your DPA to help you resolve this issue, if your local laws include a Right to Erasure/Delete or equivalent.
The same applies to any other data subject rights.
3. File an official complaint with your Data Protection Authority
On the website of your local DPA, you should be able to find either a form to submit a complaint or an email address you can contact with the details.
When sending an official complaint, make sure to:
- Follow the complaint process as described in the law or on the DPA's website.
- Have the name and contact information of the organization you want to report.
- Have a precise summary of the privacy violation and the steps you have taken so far to try resolving the issue.
- Be mindful of the information you share in your complaint.
  This information could get shared with the organization you are complaining against, or even partially published later on. Read the DPA's privacy policy about complaint information, and do not hesitate to ask your DPA questions from an anonymous email address beforehand if needed.
- Be ready to share additional evidence if your DPA requests it.
  This might include screenshots of the infraction, email communication with the delinquent organization, a link to the organization's privacy policy, or any other evidence related to your case.
More resources
Complaint form and process examples (region/law/DPA)
- Australia (Privacy Act): Office of the Australian Information Commissioner
- Canada (PIPEDA): Office of the Privacy Commissioner of Canada
- Canada-Quebec (Law 25): Commission d’accès à l’information du Québec
- France (GDPR): Commission Nationale de l’Informatique et des Libertés
- United States-California (CCPA): California Privacy Protection Agency