New data on GDPR enforcement agencies reveal why the GDPR is failing

New data from Brave show that European governments have not equipped their national authorities to enforce the GDPR. 

Brave presents Europe’s governments are failing the GDPR, a report on data protection authorities’ (DPAs) capacity to enforce against tech infringements of the GDPR.

Two years after the GDPR was first applied, the GDPR is now in danger of failing. Today, Brave reveals why: the governments of EU Member States have not given data protection authorities (DPAs) the tools they need to enforce the GDPR.

Brave has examined the number of tech specialists working in each DPA in the European Economic Area. (These are tech investigators who have training or roles that are principally technical.) Our data reveal just how few expert tech investigators are working to uncover private sector GDPR infringements. Even when wrongdoing is clear, DPAs hesitate to use their powers against major tech firms because they can not afford the cost of legally defending their decisions against ‘Big Tech’ legal firepower.

“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities”, said Dr Johnny Ryan of Brave.

“Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”

Quick Facts: 

  • The Brave report shows that only six of Europe’s 28 national GDPR enforcers have more than 10 tech specialists.
    Europe’s GDPR enforcers do not have the capacity to investigate Big Tech.
    Tweet this 
  • Half of EU GDPR enforcers have small budgets (under €5 million).
    EU governments have not given their GDPR enforcers the not have the capacity to defend their decisions against ‘big tech’ companies in court on appeal.
    Tweet this
  • The UK Government’s privacy watchdog is Europe’s largest and most expensive to run. But only 3% of its 680 staff is focussed on tech privacy problems.
    Tweet this
  • The Irish Data Protection Commission is Google and Facebook’s ‘lead authority’ GDPR regulator in Europe. But while the number of complaints it deals with is accelerating, increases to its budget and headcount are decelerating.
    Tweet this
  • European governments have failed to equip their national regulators to enforce the GDPR. Now, Brave calls on the European Commission to launch an infringement procedure against EU Member State Governments for failing to implement Article 52(4) of the GDPR.
    Tweet this 
  • Almost a third of the EU’s tech specialists work for one of Germany’s Länder (regional) or federal DPAs. All other EU countries are far behind Germany.
    Tweet this

Today, Brave filed a complaint to the European Commission against 27 Member States for failing to adequately implement the GDPR by under resourcing their DPAs. Brave is requesting that the European Commission launch an infringement procedure against the European Member State Governments, and refer them to the European Court of Justice if necessary.

Article 52(4) of the GPDR requires that national governments give DPAs the human and financial resources necessary to perform their tasks.

Note for media: 

Download and reuse video: 4K animated sample of selected data.
Contact johnny@brave.com for comment.

Related articles

Why Brave Disables FLoC

Brave opposes FLoC, a recent Google proposal that would have your browser share your browsing behavior and interests by default with every site and advertiser with which you interact.

Read this article →

Ready for a better Internet?

Brave’s easy-to-use browser blocks ads by default, making the Web faster, safer, and less cluttered for people all over the world.