Europe’s flagship data law has been left toothless by a lack of enforcement and inadequate resources at national regulators, according to a complaint to the European Commission on Monday.
Two years after the General Data Protection Regulation (GDPR) came into force, governments across Europe have failed to give data protection agencies “the human and financial resources necessary to perform their tasks”, according to Brave, a privacy-focused web browser that made the complaint.
The GDPR gave governments the power to impose fines of up to 4 per cent of a company’s global revenues and has been the model for data protection regulations elsewhere in the world, including California.
But few fines have so far been handed out. The biggest have been in the UK, which said last year it intended to fine British Airways £183m and Marriott, the hotel chain, £99m for failing to keep customer data safe from hackers.
“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities,” said Johnny Ryan, chief policy officer at Brave, which has previously tussled with Google over its data practices.
He said the number of technical specialists on the staff of regulators across Europe varied significantly. In the lead was Germany, which had 101 specialists at its data regulators, roughly 13 per cent of the total headcount.
Half of Europe’s data regulators have only five technical experts or fewer, leaving them without the expertise to investigate potential breaches of the GDPR effectively or to examine how personal and sensitive data is being used
The UK’s Information Commissioner’s Office ranked fourth in terms of specialists with 22 such roles — just over 3 per cent of its total staffing. Spain and France both had more specialists, despite their regulators being less than a third the size of the UK’s by number of staff.
Funding was equally varied across the bloc. While the UK’s ICO has a budget of €61m for this year, the majority of regulators across the EU have budgets of less than €10m, and 14 having less than €5m.
In some cases, funding has fallen since the GDPR came into force: Portugal reduced its budget by €203,000 between 2018 and 2020.
The Irish Data Protection Commission has the heaviest enforcement workload, since several Big Tech firms including Facebook and Google are headquartered in Dublin.
The Irish DPA is the lead authority for 127 cases, and has 21 specialist tech investigators, ranking fifth. But Brave said that, despite dealing with high-profile companies, increases in the Irish DPA’s budget and staff count are slowing.
“The Data Protection Commission’s budget and staff numbers have grown in recent years to 140 staff at present. This year we will recruit an additional 30 staff, bringing staff numbers to 170 by the end of 2020. This growth in staff must continue over the next few years,” said the Irish DPA.
“The ICO recognises the vitally important role of technical specialists in addressing data protection and privacy concerns, and this is reflected in our priorities and technology strategy,” said a spokesperson for the UK’s ICO. “And while we are not yet at the level of capacity and capability we are planning for, we will continue to invest significantly in this area.”
The European Commission did not immediately respond to a request for comment.