Published 08 May 2020

A new report from Brave, which developed the privacy-oriented web browser of the same name, has made the case that the EU General Data Protection Regulation (GDPR) has been made effectively impotent in many countries due to a lack of funding and specialist staff.

According to Dr Johnny Ryan, Brave’s chief policy officer:

“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities. Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”

The GDPR clearly sets out expected privacy protections and gives national regulators the power to issue steep fines in the most egregious cases, up to a maximum of 4% of global revenue or €20m, whichever is higher. Over the past two years, though, very few large penalties have been issued, with the largest so far being £99m for the Marriott hotel chain and £183 million for British Airways, both of which were issued by the UK Information Commissioner’s Office (ICO). It is also worth noting that neither of these cases is final, and both have been recently deferred by the ICO in the wake of the coronavirus pandemic.

Funding and staffing levels seem to vary widely across the bloc, with there being a particular shortage of technical experts to adequately investigate potential GDPR breaches. Indeed, half of European data regulators had five or fewer such staff.

Germany’s regulator appears to be the best resourced, with both the highest total number of staff and greatest number of technical experts (101 or 13% of total staff). It also appears to receive the most funding, although this is divided over federal and regional levels.

With many technology companies choosing to base their European operations in Ireland, the country has a heavy workload as lead body on 127 cases. Its regulator seems relatively understaffed and underfunded, however, although the Irish Data Protection Commission points out that its staffing level and budget have been growing in recent years and will continue to do so in the coming years.

The UK fares reasonably well in terms of funding and total staff, coming second only to Germany’s combined values, but it lags behind in the number of specialists, coming fifth with 22 specialists.

In a statement, the ICO said it recognises the importance of technical expertise when investigating privacy and data protection issues, adding:

“…while we are not yet at the level of capacity and capability we are planning for, we will continue to invest significantly in this area.”

While there are clearly some problems with resourcing GDPR enforcement in some European countries, the regulation is likely here to stay. At Pro-Networks, we help organisations to achieve GDPR compliance through our IT support and services, not least because this brings benefits in itself, such as a culture of sound practices and better cybersecurity.

 
