As GDPR approaches its second anniversary (on May 25), European Commission chiefs have urged member states to provide adequate resources to their data protection authorities to make effective use of their enforcement powers, admitting that regulators have yet to reach their “full capacities”.
In a joint statement in the run-up to Monday, Věra Jourová, vice-president for values and transparency, and Didier Reynders, commissioner for justice, praised GDPR for “not only shaping the way we deal with our personal data in Europe”, but for becoming “a reference point at global level on privacy”.
However, they added: “GDPR has changed the landscape in Europe and beyond. Nonetheless, compliance is a dynamic process and does not happen overnight.
“The national data protection authorities, as the competent authorities to enforce data protection rules, have often not yet reached their full capacities. We therefore call upon member states to equip their data protection authorities with the adequate human, financial and technical resource to make effective use of their enforcement powers.”
The statement is a tacit admission that all is not well and follows growing claims that GDPR’s future is under threat due to the mass under-funding of most national DPAs.
Out of all the critics, the Germans have been the most vocal, insisting that the “one-stop shop” model – which makes the Irish Data Protection Commission the top regulator in the EU – is flawed because the Irish DPC does not have the necessary resources.
Privacy expert Daragh O’Brien, managing director of Castlebridge, has gone one further and lodged an official complaint with the Commission, claiming the Taoiseach’s decision to limit the Irish DPC’s budget increase is seriously affecting its ability to enforce the law, especially against giant US companies.
Tech start-up Brave – which has been a long-term critic of the likes of Facebook and Google – has also waded into the debate by revealing that under-funding is an EU-wide problem.
Its report, “Europe’s governments are failing the GDPR”, showed that only six of the EU’s 28 national DPAs have more than ten tech investigators, and insisted that they simply do not have the capacity to investigate big technology firms.
Brave has called on the Commission to force member states to increase investment in GDPR enforcement – and even refer them to the European Court of Justice if necessary – or risk the regulation being seen as dead in the water.
Enforcement of GDPR has been mixed at best. According to analysis by European privacy advocates, there have been 273 finalised penalties issued so far for a total of €153m (£137m), ranging from Google’s €50m (£45m) fine to a €90 ($81) penalty for a Hungarian hospital for unlawfully charging patients a copy fee to access their information.
Other than Google, tech and advertising giants have largely escaped so far. Telecom firms, utilities, national post organisations, property companies, and insurance firms are among the most heavily fined organisations. Meanwhile, hospitals, government representatives, YouTubers and welfare organisations have received the more modest penalties. The UK Information Commissioner’s Office and the Irish DPC have only issued one fine each.
However, the most recent GDPR ruling, in the Netherlands, has probably caused the biggest stink. A court has ordered a woman to delete photographs of her grandchildren that she posted on Facebook and Pinterest without their parents’ permission, and which she had left online despite numerous requests by her estranged daughter to remove them.
The woman has now been ordered to take down the pictures or pay a fine of €50 (£45) for every day that she fails to comply with the order, up to a maximum fine of €1,000.
Decoded Legal technology lawyer Neil Brown told the BBC: “I think the ruling will surprise a lot of people who probably don’t think too much before they tweet or post photos. Irrespective of the legal position, would it be reasonable for the people who’ve posted those photos to think, ‘Well, he or she doesn’t want them out there anymore’?”
“Actually, the reasonable thing – the human thing to do – is to go and take them down.”
Meanwhile, Jourová and Reynders concluded: “Our key priority for the months to come is to continue ensuring the proper and uniform implementation of GDPR in the member states. We will continue our close collaboration with the European Data Protection Board and national data protection authorities, as well as businesses and civil society to accompany and facilitate the implementation of the new rules.”