Understaffed data regulators putting GDPR at risk of collapse

Complaint singles out UK's ICO for dedicating only 3% of its 680 staff to tech privacy

GDPR is at risk of failing almost two years after coming into effect because governments have failed to give data regulators the resources they need to properly enforce it.

Only five of Europe’s 28 data protection authorities (DPAs) have more than ten specialists examining the tech industry, which means they don’t have the capacity to probe potential violations by the biggest companies.

Advertisement - Article continues below

Only a handful of experts are working to uncover GDPR infringements by tech giants, research by web browser maker Brave claims. Even when wrongdoing is clear, DPAs hesitate to use powers because they can’t afford the cost of legally defending their decisions.

“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities”, said Brave’s chief policy and industry relations officer Dr Johnny Ryan.

“Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”

The issues are exclusively the fault of national governments, Brave insists, although the report does single out the UK’s Information Commissioner’s Office (ICO) for dedicating just 3% of its 680 staff focus on tech privacy issues. This is despite the ICO being Europe’s largest regulator, and the most expensive to run.

Advertisement - Article continues below
Advertisement - Article continues below

The budget and headcount of Ireland’s Data Protection Commission, meanwhile, which is the ‘lead authority’ on probes against major companies like Google and Facebook, is not growing fast enough to keep up with its rising caseload.

With regards to staff count, the report revealed the German data regulator has dedicated the most specialists to examine tech issues, 101, which accounts for 29% of Europe’s experts. 

The German authorities are followed by Spain’s regulator, which recruits 36, and the French authorities that recruit 28. The UK’s ICO recruits just 22 tech experts, despite, as mentioned, being the largest and most expensive DPA to run.

The ICO’s budget has doubled between 2018 and 2020, from €30 (£26.2 million) to €61 million (£53.3 million). The German DPA has a budget of €58.9 million (£51.4 million) for 2020, with the next best-funded regulator, the Italian authorities, enjoying a budget of almost half these two DPAs at €30.1 million (£26.3 million).

Advertisement - Article continues below

“The ICO recognises the vitally important role of technical specialists in addressing data protection and privacy concerns, and this is reflected in our priorities and technology strategy,” a spokesperson told IT Pro.

Related Resource

Don’t just collect data, innovate with it.

Removing the barriers to the experience economy

Download now

This was in response to the claim that, should it make a modest investment in tech specialists in proportion to its budget, the ICO could make a significant impact on its capacity to properly engage with tech-related issues.

“While we are not yet at the level of capacity and capability we are planning for,” the spokesperson added, “we will continue to invest significantly in this area.”

To save GDPR, Brave has recommended that governments invest far more in tech specialists, and pay competitive salaries to attract the best talent. Governments, meanwhile, should provide financing to allow DPAs to pursue enforcement, and defend decisions against expensive legal appeals by major tech companies. 

The EU, meanwhile, should urgently establish a tech investigative unit to support national DPAs, with substantial permanent staff and a small rotating temporary staff capacity from national DPAs.

The European Commission should also launch an infringement procedure against EU countries that fail to implement Article 52(4) of the GDPR, which states member states should ensure each DPA is provided with the human, technical and financial resources, premises and infrastructure required to perform their tasks.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now

Most Popular

Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
data breaches

EasyJet faces class-action lawsuit over data breach

26 May 2020
cyber security

Microsoft bans Trend Micro driver from Windows 10 for "cheating" hardware tests

27 May 2020