Understaffed data regulators putting GDPR at risk of collapse

Complaint singles out UK's ICO for dedicating only 3% of its 680 staff to tech privacy

GDPR is at risk of failing almost two years after coming into effect because governments have failed to give data regulators the resources they need to properly enforce it.

Only five of Europe’s 28 data protection authorities (DPAs) have more than ten specialists examining the tech industry, which means they don’t have the capacity to probe potential violations by the biggest companies.

Only a handful of experts are working to uncover GDPR infringements by tech giants, research by web browser maker Brave claims. Even when wrongdoing is clear, DPAs hesitate to use powers because they can’t afford the cost of legally defending their decisions.

“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities”, said Brave’s chief policy and industry relations officer Dr Johnny Ryan.

“Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”

The issues are exclusively the fault of national governments, Brave insists, although the report does single out the UK’s Information Commissioner’s Office (ICO) for dedicating just 3% of its 680 staff focus on tech privacy issues. This is despite the ICO being Europe’s largest regulator, and the most expensive to run.

The budget and headcount of Ireland’s Data Protection Commission, meanwhile, which is the ‘lead authority’ on probes against major companies like Google and Facebook, is not growing fast enough to keep up with its rising caseload.

With regards to staff count, the report revealed the German data regulator has dedicated the most specialists to examine tech issues, 101, which accounts for 29% of Europe’s experts. 

The German authorities are followed by Spain’s regulator, which recruits 36, and the French authorities that recruit 28. The UK’s ICO recruits just 22 tech experts, despite, as mentioned, being the largest and most expensive DPA to run.

The ICO’s budget has doubled between 2018 and 2020, from €30 (£26.2 million) to €61 million (£53.3 million). The German DPA has a budget of €58.9 million (£51.4 million) for 2020, with the next best-funded regulator, the Italian authorities, enjoying a budget of almost half these two DPAs at €30.1 million (£26.3 million).

“The ICO recognises the vitally important role of technical specialists in addressing data protection and privacy concerns, and this is reflected in our priorities and technology strategy,” a spokesperson told IT Pro.

Related Resource

Don’t just collect data, innovate with it.

Removing the barriers to the experience economy

Download now

This was in response to the claim that, should it make a modest investment in tech specialists in proportion to its budget, the ICO could make a significant impact on its capacity to properly engage with tech-related issues.

“While we are not yet at the level of capacity and capability we are planning for,” the spokesperson added, “we will continue to invest significantly in this area.”

To save GDPR, Brave has recommended that governments invest far more in tech specialists, and pay competitive salaries to attract the best talent. Governments, meanwhile, should provide financing to allow DPAs to pursue enforcement, and defend decisions against expensive legal appeals by major tech companies. 

The EU, meanwhile, should urgently establish a tech investigative unit to support national DPAs, with substantial permanent staff and a small rotating temporary staff capacity from national DPAs.

The European Commission should also launch an infringement procedure against EU countries that fail to implement Article 52(4) of the GDPR, which states member states should ensure each DPA is provided with the human, technical and financial resources, premises and infrastructure required to perform their tasks.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Most Popular

Why you should prioritise privileged access management
Sponsored

Why you should prioritise privileged access management

9 Oct 2020
The enemy of security is complexity
Sponsored

The enemy of security is complexity

9 Oct 2020
Microsoft makes CRM a "priority" in bid to challenge Salesforce
Business strategy

Microsoft makes CRM a "priority" in bid to challenge Salesforce

21 Oct 2020