Understaffed data regulators putting GDPR at risk of collapse

Complaint singles out UK's ICO for dedicating only 3% of its 680 staff to tech privacy

GDPR is at risk of failing almost two years after coming into effect because governments have failed to give data regulators the resources they need to properly enforce it.

Only five of Europe’s 28 data protection authorities (DPAs) have more than ten specialists examining the tech industry, which means they don’t have the capacity to probe potential violations by the biggest companies.

Only a handful of experts are working to uncover GDPR infringements by tech giants, research by web browser maker Brave claims. Even when wrongdoing is clear, DPAs hesitate to use powers because they can’t afford the cost of legally defending their decisions.

“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities”, said Brave’s chief policy and industry relations officer Dr Johnny Ryan.

“Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”

The issues are exclusively the fault of national governments, Brave insists, although the report does single out the UK’s Information Commissioner’s Office (ICO) for dedicating just 3% of its 680 staff focus on tech privacy issues. This is despite the ICO being Europe’s largest regulator, and the most expensive to run.

The budget and headcount of Ireland’s Data Protection Commission, meanwhile, which is the ‘lead authority’ on probes against major companies like Google and Facebook, is not growing fast enough to keep up with its rising caseload.

With regards to staff count, the report revealed the German data regulator has dedicated the most specialists to examine tech issues, 101, which accounts for 29% of Europe’s experts. 

The German authorities are followed by Spain’s regulator, which recruits 36, and the French authorities that recruit 28. The UK’s ICO recruits just 22 tech experts, despite, as mentioned, being the largest and most expensive DPA to run.

The ICO’s budget has doubled between 2018 and 2020, from €30 (£26.2 million) to €61 million (£53.3 million). The German DPA has a budget of €58.9 million (£51.4 million) for 2020, with the next best-funded regulator, the Italian authorities, enjoying a budget of almost half these two DPAs at €30.1 million (£26.3 million).

“The ICO recognises the vitally important role of technical specialists in addressing data protection and privacy concerns, and this is reflected in our priorities and technology strategy,” a spokesperson told IT Pro.

Related Resource

Don’t just collect data, innovate with it.

Removing the barriers to the experience economy

Download now

This was in response to the claim that, should it make a modest investment in tech specialists in proportion to its budget, the ICO could make a significant impact on its capacity to properly engage with tech-related issues.

“While we are not yet at the level of capacity and capability we are planning for,” the spokesperson added, “we will continue to invest significantly in this area.”

To save GDPR, Brave has recommended that governments invest far more in tech specialists, and pay competitive salaries to attract the best talent. Governments, meanwhile, should provide financing to allow DPAs to pursue enforcement, and defend decisions against expensive legal appeals by major tech companies. 

The EU, meanwhile, should urgently establish a tech investigative unit to support national DPAs, with substantial permanent staff and a small rotating temporary staff capacity from national DPAs.

The European Commission should also launch an infringement procedure against EU countries that fail to implement Article 52(4) of the GDPR, which states member states should ensure each DPA is provided with the human, technical and financial resources, premises and infrastructure required to perform their tasks.

Featured Resources

2021 Thales cloud security study

The challenges of cloud data protection and access management in a hybrid and multi cloud world

Free download

IDC agility assessment

The competitive advantage in adaptability

Free Download

Digital transformation insights from CIOs for CIOs

Transformation pilotes, co-pilots, and engineers

Free download

What ITDMs did next - and what they should be doing now

Enable continued collaboration and communication for hybrid workers

Most Popular

Microsoft 365 prices to soar by 20% for pay monthly subscribers
Managed service provider (MSP)

Microsoft 365 prices to soar by 20% for pay monthly subscribers

7 Dec 2021
CTO job description: What does a CTO do?
Business strategy

CTO job description: What does a CTO do?

6 Dec 2021
VMware Cloud workload migration tools

VMware Cloud workload migration tools

3 Dec 2021