Understaffed data regulators putting GDPR at risk of collapse

GDPR is at risk of failing almost two years after coming into effect because governments have failed to give data regulators the resources they need to properly enforce it.

Only five of Europe’s 28 data protection authorities (DPAs) have more than ten specialists examining the tech industry, which means they don’t have the capacity to probe potential violations by the biggest companies.

Only a handful of experts are working to uncover GDPR infringements by tech giants, research by web browser maker Brave claims. Even when wrongdoing is clear, DPAs hesitate to use powers because they can’t afford the cost of legally defending their decisions.

“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities”, said Brave’s chief policy and industry relations officer Dr Johnny Ryan.

“Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”

The issues are exclusively the fault of national governments, Brave insists, although the report does single out the UK’s Information Commissioner’s Office (ICO) for dedicating just 3% of its 680 staff focus on tech privacy issues. This is despite the ICO being Europe’s largest regulator, and the most expensive to run.

The budget and headcount of Ireland’s Data Protection Commission, meanwhile, which is the ‘lead authority’ on probes against major companies like Google and Facebook, is not growing fast enough to keep up with its rising caseload.

With regards to staff count, the report revealed the German data regulator has dedicated the most specialists to examine tech issues, 101, which accounts for 29% of Europe’s experts.

The German authorities are followed by Spain’s regulator, which recruits 36, and the French authorities that recruit 28. The UK’s ICO recruits just 22 tech experts, despite, as mentioned, being the largest and most expensive DPA to run.

The ICO’s budget has doubled between 2018 and 2020, from €30 (£26.2 million) to €61 million (£53.3 million). The German DPA has a budget of €58.9 million (£51.4 million) for 2020, with the next best-funded regulator, the Italian authorities, enjoying a budget of almost half these two DPAs at €30.1 million (£26.3 million).

“The ICO recognises the vitally important role of technical specialists in addressing data protection and privacy concerns, and this is reflected in our priorities and technology strategy,” a spokesperson told IT Pro.

This was in response to the claim that, should it make a modest investment in tech specialists in proportion to its budget, the ICO could make a significant impact on its capacity to properly engage with tech-related issues.

“While we are not yet at the level of capacity and capability we are planning for,” the spokesperson added, “we will continue to invest significantly in this area.”

To save GDPR, Brave has recommended that governments invest far more in tech specialists, and pay competitive salaries to attract the best talent. Governments, meanwhile, should provide financing to allow DPAs to pursue enforcement, and defend decisions against expensive legal appeals by major tech companies.

The EU, meanwhile, should urgently establish a tech investigative unit to support national DPAs, with substantial permanent staff and a small rotating temporary staff capacity from national DPAs.

The European Commission should also launch an infringement procedure against EU countries that fail to implement Article 52(4) of the GDPR, which states member states should ensure each DPA is provided with the human, technical and financial resources, premises and infrastructure required to perform their tasks.