GDPR ‘At Risk Of Failing’ Due To Lack Of Resources

As the GDPR approaches its second anniversary, European member states have been accused of leaving the data protection rules “at risk of failing” due to lack of technical and financial resources.

Brave, which makes a privacy-oriented browser, urged the European Commission to launch an infringement procedure against the governments of member states, which it accused of leaving data protection offices without the “human and financial resources necessary to perform their tasks”.

Brave said that half of Europe’s data protection regulators have only five technical experts, leaving them incapable of evaluating GDPR complaints, while 14 countries’ regulators have budgets of less than 5 million euros (£4.3m).

“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities,” said Brave chief policy officer Johnny Ryan.

Resources

Germany leads in the number of technical specialists, employing 101 at its data regulators, about 13 percent of total headcount, followed by Spain, France and the UK.

Brave noted that Spain and France both employ more specialists than the UK, in spite of the fact that their regulators have a total staff less than one third that of the UK’s Information Commissioner’s Office (ICO).

The ICO’s 22 technical specialists comprise about 3 percent of its total staff.

The ICO has a budget of 61m euros for this year, but most EU data regulators have budgets of less than 10m euros, and Portugal actually cut funding by 203,000 euros from 2018 to 2020.

The Irish data protection authority (DPA) has the heaviest caseload, being lead authority on 127 cases, due to the fact that large tech firms such as Facebook and Google are headquartered there.

But with 21 specialists it ranks fifth in Europe and Brave said increases in budget and staff are slowing.

“GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals,” Brave’s Ryan said.  “But the national governments of European countries have not given them the resources to do so.”

Corrective powers

The Irish DPA, the Data Protection Commission, said its staff have grown to 140 with more increases planned to bring the total to 170 by the end of this year.

“This growth in staff must continue over the next few years,” the Data Protection Commission said.

The UK’s ICO acknowledge the role of technical specialists was “vitally important”.

“While we are not yet at the level of capacity and capability we are planning for, we will continue to invest significantly in this area,” the ICO said.

The European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) referred to their recent evaluation of the GDPR in which they point out that from May 25, 2018 to November 30, 2019, 22 DPAs made use of various corrective powers under the GDPR, including a total of 785 fines, although 110 of the financial penalties relate to pre-GDPR infringements.

“Only 8 SAs have not imposed any administrative fine yet although most of them have ongoing proceedings that might lead to imposing an administrative fine in the near future,” the European agencies say in the review.

The biggest fines to date under the GDPR have been levied in the UK, which said last year it intended to fine British Airways £183m and hotel chain Marriott £99m for data protection infringements.

France’s CNIL last year fined Google 50m euros under the new regulations.