Understaffed data regulators putting GDPR at risk of collapse

Complaint singles out UK's ICO for dedicating only 3% of its 680 staff to tech privacy

GDPR is at risk of failing almost two years after coming into effect because governments have failed to give data regulators the resources they need to properly enforce it.

Only five of Europe’s 28 data protection authorities (DPAs) have more than ten specialists examining the tech industry, which means they don’t have the capacity to probe potential violations by the biggest companies.

Advertisement - Article continues below

Only a handful of experts are working to uncover GDPR infringements by tech giants, research by web browser maker Brave claims. Even when wrongdoing is clear, DPAs hesitate to use powers because they can’t afford the cost of legally defending their decisions.

“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities”, said Brave’s chief policy and industry relations officer Dr Johnny Ryan.

“Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”

The issues are exclusively the fault of national governments, Brave insists, although the report does single out the UK’s Information Commissioner’s Office (ICO) for dedicating just 3% of its 680 staff focus on tech privacy issues. This is despite the ICO being Europe’s largest regulator, and the most expensive to run.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The budget and headcount of Ireland’s Data Protection Commission, meanwhile, which is the ‘lead authority’ on probes against major companies like Google and Facebook, is not growing fast enough to keep up with its rising caseload.

With regards to staff count, the report revealed the German data regulator has dedicated the most specialists to examine tech issues, 101, which accounts for 29% of Europe’s experts. 

The German authorities are followed by Spain’s regulator, which recruits 36, and the French authorities that recruit 28. The UK’s ICO recruits just 22 tech experts, despite, as mentioned, being the largest and most expensive DPA to run.

The ICO’s budget has doubled between 2018 and 2020, from €30 (£26.2 million) to €61 million (£53.3 million). The German DPA has a budget of €58.9 million (£51.4 million) for 2020, with the next best-funded regulator, the Italian authorities, enjoying a budget of almost half these two DPAs at €30.1 million (£26.3 million).

Advertisement - Article continues below

“The ICO recognises the vitally important role of technical specialists in addressing data protection and privacy concerns, and this is reflected in our priorities and technology strategy,” a spokesperson told IT Pro.

Related Resource

Don’t just collect data, innovate with it.

Removing the barriers to the experience economy

Download now

This was in response to the claim that, should it make a modest investment in tech specialists in proportion to its budget, the ICO could make a significant impact on its capacity to properly engage with tech-related issues.

“While we are not yet at the level of capacity and capability we are planning for,” the spokesperson added, “we will continue to invest significantly in this area.”

To save GDPR, Brave has recommended that governments invest far more in tech specialists, and pay competitive salaries to attract the best talent. Governments, meanwhile, should provide financing to allow DPAs to pursue enforcement, and defend decisions against expensive legal appeals by major tech companies. 

The EU, meanwhile, should urgently establish a tech investigative unit to support national DPAs, with substantial permanent staff and a small rotating temporary staff capacity from national DPAs.

The European Commission should also launch an infringement procedure against EU countries that fail to implement Article 52(4) of the GDPR, which states member states should ensure each DPA is provided with the human, technical and financial resources, premises and infrastructure required to perform their tasks.

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement
Advertisement

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
UN report points to a 350% rise in phishing websites at start of 2020
phishing

UN report points to a 350% rise in phishing websites at start of 2020

7 Aug 2020