The European Commission must force member states to increase investment in GDPR enforcement – and even refer them to the European Court of Justice if necessary – or risk the regulation being seen as dead in the water before it even reaches its second anniversary.
That is the stark conclusion of a new report published by tech start-up Brave in the run-up to the regulation’s second birthday next month. It exposes a catalogue of failures across Europe in implementing GDPR, which not that long ago was hailed as the biggest shake-up of data protection in a generation.
The report, “Europe’s governments are failing the GDPR”, reveals that only six of the EU’s 28 national GDPR enforcers have more than ten tech investigators, and insists that data protection authorities simply do not have the capacity to investigate big technology companies.
It goes on to claim that EU governments have not given their regulators the capacity to defend their decisions against big tech companies in court on appeal, with half of EU GDPR enforcers having budgets of under €5m (£4.4m).
The Irish Data Protection Commission is Google and Facebook’s lead authority GDPR regulator in Europe. But while the number of complaints it deals with is accelerating, increases to its budget and headcount are decelerating, the report argues.
Privacy expert Daragh O’Brien, managing director of data governance company Castlebridge, recently claimed that the Irish DPC will be forced to make cutbacks in systems, technology and external legal advisory services following the Irish Government’s decision to increase its budget by €1.6m (£1.3m) compared to the €5.9m (£4.9m) it was seeking.
It has been well documented that the regulator has a huge backlog of GDPR cases but has yet to make a single ruling, despite claims of looming “blockbuster” fines against WhatsApp and Twitter.
Even Europe’s biggest regulator, the UK Information Commissioner’s Office – which has a a budget of over £50m and 680 staff – does not escape criticism from the Brave study, due to the fact only 3% of its staff are focused on tech privacy problems. Brave is also one of a tripartite group threatening the ICO with legal action over its failure to crack down on the adtech sector.
Brave insists that almost a third of all of the EU’s tech investigators work for one of Germany’s Länder (regional) or federal data protection authorities; all other EU countries are far behind Germany.
Following the publication of the report, Brave has filed a complaint to the European Commission against 27 member states for failing to adequately implement GDPR by under-resourcing their data protection authorities.
The company is calling on the Commission to launch an infringement procedure against the European member state governments, and refer them to the European Court of Justice if necessary.
Brave chief privacy officer Dr Johnny Ryan said: “If GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities. Robust, adversarial enforcement is essential.
“GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”
BA and Marriott block £282m GDPR fines – yet again
Top EU data cop cutback threat triggers EU complaint
WhatsApp and Twitter facing first major GDPR rulings
ICO faces legal challenge over failure to tackle adtech
BA and Marriott to escape GDPR mega fines…for now
2019 Review of the Year: Why it’s crunch time for GDPR
ICO issues first GDPR fine, but it’s not BA or Marriott