What is a data protection authority?
A data protection authority (DPA) is an independent public body that supervises and enforces a country's data protection law. It investigates complaints, audits organisations, issues guidance and imposes corrective measures and fines. DPAs are deliberately kept free from government instruction so they can hold both the state and private companies to account. Because most artificial intelligence relies on personal data, DPAs are often the first regulators to enforce AI-relevant rules in practice.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
A data protection authority is the referee for the rules on how personal data may be collected and used. Data protection law sets the rules; the DPA is the institution that monitors compliance, handles complaints from the public, and takes action when those rules are broken. In the European Union and the wider European Economic Area these bodies are called supervisory authorities under the General Data Protection Regulation, and they are commonly known as DPAs. The UK has the Information Commissioner's Office, France has the CNIL, and almost every country with a data protection law has an equivalent.
The defining feature of a DPA is independence. The law requires it to act free from external influence and to neither seek nor take instructions from government or industry. This matters because a DPA must be able to investigate public bodies and powerful companies without political interference. A DPA is usually funded through a public budget or fees, led by a commissioner or board appointed for a fixed term, and required to report publicly on its work.
A DPA is not the same thing as the government department that writes data law, and it is not, in most countries, a dedicated AI regulator. It is a standing institution with statutory powers, sitting between the people whose data is processed and the organisations that process it.
Why it matters
DPAs matter for AI because most AI systems are trained on, and operate with, personal data, so the rules a DPA already enforces apply to AI by default. A DPA does not need a separate AI statute to act: if an AI system scrapes, trains on or generates personal data, the DPA can investigate it under existing data protection law. This makes DPAs the first enforcers of AI-relevant rules in many countries.
The pattern is already visible. When generative AI tools reached the mass market, it was DPAs, not bespoke AI regulators, that moved first. In the EU, data protection authorities coordinated their work and issued binding guidance on how AI models intersect with the GDPR. In the EU's AI Act framework, the European Data Protection Board has argued that DPAs should take a leading enforcement role for high-risk AI because of their independence and their existing expertise in fundamental rights.
For organisations building or buying AI, the practical message is that the data regulator is the regulator they are most likely to encounter first. For individuals, the DPA is the body they can complain to when an automated system uses their data unfairly. Understanding what a DPA can and cannot do is therefore central to understanding how AI is actually governed today.
How it works
What a DPA is, and what it is not
A DPA is an independent public authority created by law to monitor and enforce data protection rules. It is distinct from two things it is often confused with. First, it is not a government ministry. A ministry or department sets policy and drafts legislation; the DPA applies and enforces that legislation independently of the minister. Second, it is not, in most jurisdictions, a dedicated AI regulator. A DPA's mandate is personal data, whatever technology is involved. Where it acts on AI, it does so because AI processes personal data, not because it has a free-standing remit over all AI.
Powers: investigation, correction and fines
Under the GDPR, a supervisory authority's powers fall into three groups. Investigative powers let it order organisations to provide information, carry out audits and data protection reviews, and obtain access to premises and equipment. Corrective powers let it issue warnings and reprimands, order an organisation to comply with the law, order data to be rectified or erased, impose temporary or permanent bans on processing, and impose administrative fines. Advisory and authorisation powers let it issue opinions, approve binding corporate rules and authorise certain data transfer arrangements.
Fines are the most visible power. The GDPR sets two tiers. Less severe, mainly procedural infringements carry a maximum of EUR 10 million or 2 percent of total worldwide annual turnover, whichever is higher. The most serious infringements, including breaches of the core processing principles and of data subject rights, carry a maximum of EUR 20 million or 4 percent of total worldwide annual turnover, whichever is higher. The turnover basis is what gives the largest fines their scale, because it is calculated against the whole corporate group.
Independence: the defining requirement
Independence is not a slogan; it is a hard legal requirement with a clear meaning. The GDPR requires each supervisory authority to act with complete independence, free from external influence, neither seeking nor taking instructions from anybody. Member states must give each authority its own staff, premises and budget, subject to financial control that does not compromise its independence. The Council of Europe's modernised Convention 108+ contains a parallel requirement that supervisory authorities act with complete independence and impartiality.
The Court of Justice of the European Union has given this teeth. In Commission v Germany (Case C-518/07) it held that even the risk that a government could exercise political influence over a DPA is enough to undermine the required independence. In Commission v Austria (Case C-614/10), the Grand Chamber held on 16 October 2012 that Austria's Datenschutzkommission failed the complete-independence requirement because its office was integrated with the Federal Chancellery and its managing member was a federal official. Independence is balanced by accountability: a DPA must publish annual activity reports, those reports go to the national parliament and government, and its decisions can be challenged in court.
Cross-border cooperation
Data flows across borders, so DPAs cooperate. In the EU and EEA the GDPR builds in a one-stop-shop mechanism: for cross-border processing, a lead supervisory authority in the country of the organisation's main establishment leads the case, working with the other concerned authorities. A consistency mechanism keeps interpretations aligned, and where authorities cannot agree, the European Data Protection Board can issue a binding decision. Globally, the OECD's 2007 Recommendation on cross-border cooperation in the enforcement of laws protecting privacy set a framework for cooperation between privacy enforcement authorities, and the Global Privacy Assembly connects authorities worldwide.
Institutional models: single, sectoral and federated
There is no single global template. Three broad models exist. The single national regulator model gives one authority responsibility for the whole economy, as with the UK's ICO or France's CNIL. The federated model layers national authorities under a coordinating body: in the EU, national DPAs sit on the European Data Protection Board, an independent EU body that ensures consistent application of the GDPR and can issue binding decisions in cross-border disputes. Some member states are themselves internally federated, most notably Germany, which has a federal authority plus separate authorities for each of its states. The sectoral model spreads responsibility across several regulators rather than one. The United States is the leading example: it has no single national DPA, and privacy oversight is split across bodies such as the Federal Trade Commission and sector-specific and state-level regulators.
Examples
The examples below are current as of June 2026 and are included to illustrate how DPAs act in practice. Specific enforcement actions can be appealed and overturned, so treat the detail as a snapshot rather than settled law.
A single DPA acts first on a generative AI tool
On 30 March 2023 Italy's DPA, the Garante, imposed a temporary limitation on OpenAI's processing of Italian users' data, effectively suspending ChatGPT in Italy; the limitation was lifted on 28 April 2023 after OpenAI complied with measures in the Garante's order of 11 April 2023. After a longer investigation, on 20 December 2024 the Garante fined OpenAI EUR 15 million over the way ChatGPT handled personal data, including the lack of an adequate legal basis for training and weak age verification, and ordered a public information campaign. OpenAI said it would appeal. This shows a national DPA using existing data protection law to act on AI before any dedicated AI regulator was operational.
Federated coordination across borders
After Italy moved, other European authorities opened their own inquiries, and on 13 April 2023 the European Data Protection Board created a dedicated ChatGPT task force, in its words, to foster cooperation and to exchange information on possible enforcement actions conducted by data protection authorities; the task force's report was adopted on 23 May 2024. The Board later adopted Opinion 28/2024 on 17 December 2024, at the request of Ireland's Data Protection Commission, on how data protection principles apply to AI models, including when a model can be treated as anonymous and when legitimate interest can be a lawful basis. This is the federated model in action: national authorities enforce, while a central body steers consistency.
A DPA shaping its future AI role
In Statement 3/2024, adopted on 16 July 2024, the European Data Protection Board recommended that national DPAs be designated as market surveillance authorities under the EU AI Act for the highest-risk uses. It stated that, under Article 74(8) of the AI Act, DPAs must be designated as such for high-risk systems in Annex III point 1 (biometrics) where used for law enforcement, and for points 6, 7 and 8 (law enforcement, migration and border control, and administration of justice and democratic processes), citing their full independence and their expertise in assessing risks to fundamental rights. Member states had to appoint market surveillance authorities before 2 August 2025. The UK's ICO, working within existing law rather than a new AI statute, has published a strategic approach to AI and treats AI oversight as a data protection question. Both illustrate DPAs positioning themselves as front-line AI regulators.
Common misunderstandings
"A DPA is part of the government"
It is a public body, but it is deliberately independent of government. The law requires it to act without instruction from ministers, precisely so it can investigate public bodies and ruling-party allies. Courts have struck down arrangements that gave governments too much influence over a DPA.
"Every country has a single DPA"
Not so. Some countries have one whole-economy regulator; some, like Germany, are internally federated with federal and state authorities; and some, like the United States, have no single national DPA at all and instead spread oversight across sectoral and state regulators.
"DPAs only deal with data breaches and spam"
Breach reports and marketing complaints are part of the work, but a DPA's remit covers the whole of how personal data is processed, including profiling, automated decisions and, increasingly, AI systems.
"There is no AI regulator, so AI is unregulated"
In most countries the data regulator already reaches AI that uses personal data. A DPA can investigate, order changes to or even ban an AI system under data protection law without any AI-specific statute.
"A DPA can do whatever it wants"
Its powers are defined by statute, its fines are capped and must be proportionate, and its decisions can be appealed to the courts. Independence comes paired with accountability to parliament and the public.
Risks and boundaries
A DPA's reach has limits. Its jurisdiction is personal data, so processing that genuinely involves no personal data falls outside its core remit, even if it raises other concerns. Where an AI model can be shown to be truly anonymous, data protection law may not apply to its operation, which is why claims of anonymity are tested carefully.
Resources are a real constraint. Authorities vary enormously in budget and headcount, and investigations into large, well-resourced companies can take years. Cross-border cases add complexity: the one-stop-shop concentrates lead responsibility in one authority, which can create bottlenecks and disagreements between authorities, sometimes resolved only by a binding decision from the central board.
Independence is a standard that must be maintained, not assumed. Reductions in funding, political pressure or attempts to direct a DPA's priorities can erode it, and the strength of independence varies between jurisdictions. Finally, a DPA is one regulator among several. AI, competition, consumer protection, online safety and financial conduct may all involve other authorities, and DPAs must coordinate with them to avoid gaps and conflicting decisions.
What to do next
First, identify your lead DPA. Work out which authority supervises you, based on where your organisation is established and where your users are. For cross-border operations in the EU and EEA, establish which authority is your lead under the one-stop-shop. The benchmark for action: if you process personal data in more than one country, you need this mapped before any incident, not during one.
Second, treat AI as a data protection matter. Assume that any AI system touching personal data is within your DPA's reach. Document your lawful basis, complete data protection impact assessments for higher-risk uses, and keep records of how training data was obtained. If you cannot evidence a lawful basis for AI training data, treat that as a priority gap.
Third, read your DPA's published guidance and watch its priorities. DPAs signal enforcement direction in advance through annual reports, strategies and opinions. When your regulator names a focus area, such as AI models or web scraping, treat that as a forward indicator of enforcement within the next year or two.
Fourth, prepare for engagement. Know your breach-notification deadlines, keep your records of processing current, and be ready to respond to information requests. The presence or absence of this documentation is often what determines whether a regulator's contact becomes a remediation order or a fine.
Fifth, monitor structural change. If your jurisdiction is reforming its regulator, changing its funding or designating it as an AI market surveillance authority, reassess your exposure. A DPA gaining formal AI powers is a signal to review your AI governance, not just your data compliance.
FAQs
What is the difference between a data protection authority and a data protection officer?
A data protection authority is the external public regulator that enforces the law across many organisations. A data protection officer is an individual appointed inside an organisation to advise on compliance. The officer works for the organisation; the authority oversees it.
Is a data protection authority the same as a supervisory authority?
In practice, yes. The GDPR uses the term supervisory authority for the independent bodies in EU and EEA countries, and data protection authority, or DPA, is the common name for the same institution. Outside the EU the equivalent body may be called a commissioner, agency or commission.
Can a data protection authority actually ban an AI system?
It can restrict or suspend processing where the law is breached. Italy's Garante temporarily suspended ChatGPT in 2023 by limiting OpenAI's processing of personal data, which took the service offline in Italy until changes were made. Such measures must be proportionate and can be appealed.
Does every country have a data protection authority?
Most do. According to UNCTAD's Data Protection and Privacy Legislation Worldwide tracker, 137 of 194 countries, around 71 percent, have adopted data protection and privacy legislation, with a further 9 percent holding draft laws, and in nearly all of these a commission or authority oversees enforcement. A notable exception is the United States, which has no single national DPA and instead uses a sectoral patchwork of regulators.
How are data protection authorities funded, and does that affect independence?
Funding varies. Some authorities are financed from the public budget, others partly through registration fees paid by organisations. The law requires that financial control must not compromise independence, and each authority must have its own budget. Inadequate funding is a recognised risk to effective enforcement.
Who holds a data protection authority accountable if it is independent?
Independence is paired with accountability. A DPA must publish annual reports that go to the national parliament and government, its leadership is typically appointed for a fixed term through a formal process, and its decisions can be challenged before the courts.
What is the one-stop-shop mechanism?
It is the EU and EEA system for cross-border cases. An organisation operating in several countries deals mainly with a single lead authority in the country of its main establishment, which coordinates with other concerned authorities. Disputes can be settled by a binding decision of the European Data Protection Board.
Will a dedicated AI regulator replace data protection authorities?
It is unlikely to replace them. New AI laws create additional oversight bodies, but because AI so often involves personal data, DPAs retain a central role. In the EU, the European Data Protection Board has argued that DPAs should be among the lead enforcers for high-risk AI.
