
Supervisory Authority

Independent public body empowered to investigate and enforce data protection laws

A Supervisory Authority (SA), also called a Data Protection Authority (DPA), is an independent public body empowered to investigate and enforce data protection laws. Under GDPR, SAs hold substantial powers, including the ability to issue administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher, and, more critically, to ban data processing entirely.

GDPR's One-Stop-Shop mechanism (Article 56) allows companies that process data across borders to deal primarily with a single Lead Supervisory Authority (LSA), determined by the location of their main establishment in the EU. It applies only to controllers and processors that have an EU establishment; a company with none can be pursued directly by any SA in whose territory it operates. Because most U.S. Big Tech firms (Meta, Google, Microsoft) have their EU main establishment in Ireland, the Irish Data Protection Commission (DPC) has become the lead regulator for much of the world's cross-border data processing. The DPC has issued over €2.8 billion in fines since 2018, over 60% of all GDPR fines by value.

SA powers under GDPR Article 58 fall into three groups: investigative powers (audits, on-site inspections, compelled access to personal data, documentation, premises and processing equipment), corrective powers (warnings and reprimands, administrative fines, temporary or definitive processing bans, orders to rectify or erase data, and suspension of data flows to third countries), and authorisation and advisory powers. Processing bans, "stop orders" such as the temporary ban on ChatGPT imposed by Italy's Garante in 2023, are often more damaging than fines, since they can shut down a business line entirely.

In the United States, which has no comprehensive federal privacy statute, the FTC serves as the primary federal privacy enforcer, using Section 5 of the FTC Act to bring actions against "unfair or deceptive" practices. The California Privacy Protection Agency (CPPA), created by the CPRA ballot measure in 2020, is the first dedicated U.S. state privacy regulator. Unlike Attorneys General, who balance many duties, the CPPA focuses exclusively on privacy, leading to rigorous rulemaking and enforcement sweeps. State Attorneys General enforce the other state privacy laws (Virginia's VCDPA, Colorado's CPA, Connecticut's CTDPA, among others).

Enforcement culture varies significantly across regulators. "Hawkish" authorities like the Irish DPC and the Texas Attorney General (the latter under Texas state law rather than GDPR) pursue headline fines and aggressive litigation. "Swarming" authorities like Spain's AEPD issue hundreds of smaller fines each year, creating a "death by a thousand cuts" risk. "Technocratic" authorities like France's CNIL focus on technical compliance (cookie consent, AI).

For liability quantification, the specific SA with jurisdiction over a dataset acts as a multiplier on exposure: the same processing of the same data carries significantly higher potential penalties when its lead regulator is the Irish DPC than when it is a less aggressive authority. Mapping each dataset to its competent SA, based on the controller's main establishment and the location of the affected data subjects, is therefore a prerequisite for the estimate.

Related Regulations

GDPR
CCPA