New data on GDPR enforcement agencies reveal why the GDPR is failing
New data from Brave show that European governments have not equipped their national authorities to enforce the GDPR.
Brave presents Europe’s governments are failing the GDPR, a report on data protection authorities’ (DPAs) capacity to enforce against tech infringements of the GDPR.
Two years after the GDPR was first applied, the GDPR is now in danger of failing. Today, Brave reveals why: the governments of EU Member States have not given data protection authorities (DPAs) the tools they need to enforce the GDPR.
Brave has examined the number of tech specialists working in each DPA in the European Economic Area. (These are tech investigators who have training or roles that are principally technical.) Our data reveal just how few expert tech investigators are working to uncover private sector GDPR infringements. Even when wrongdoing is clear, DPAs hesitate to use their powers against major tech firms because they can not afford the cost of legally defending their decisions against ‘Big Tech’ legal firepower.
“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities”, said Dr Johnny Ryan of Brave.
“Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”
- The Brave report shows that only six of Europe’s 28 national GDPR enforcers have more than 10 tech specialists.
Europe’s GDPR enforcers do not have the capacity to investigate Big Tech.
- Half of EU GDPR enforcers have small budgets (under €5 million).
EU governments have not given their GDPR enforcers the not have the capacity to defend their decisions against ‘big tech’ companies in court on appeal.
- The UK Government’s privacy watchdog is Europe’s largest and most expensive to run. But only 3% of its 680 staff is focussed on tech privacy problems.
- The Irish Data Protection Commission is Google and Facebook’s ‘lead authority’ GDPR regulator in Europe. But while the number of complaints it deals with is accelerating, increases to its budget and headcount are decelerating.
- European governments have failed to equip their national regulators to enforce the GDPR. Now, Brave calls on the European Commission to launch an infringement procedure against EU Member State Governments for failing to implement Article 52(4) of the GDPR.
- Almost a third of the EU’s tech specialists work for one of Germany’s Länder (regional) or federal DPAs. All other EU countries are far behind Germany.
Today, Brave filed a complaint to the European Commission against 27 Member States for failing to adequately implement the GDPR by under resourcing their DPAs. Brave is requesting that the European Commission launch an infringement procedure against the European Member State Governments, and refer them to the European Court of Justice if necessary.
Article 52(4) of the GPDR requires that national governments give DPAs the human and financial resources necessary to perform their tasks.
Note for media:
This note analyses additional granular data from Dutch publisher NPO, and presents lessons for the publishing industry about privacy and revenue based on six months of data from a publishing group that removed 3rd party tracking.
This note shares new data on publisher revenue impact from switching off 3rd party ad tracking.
Following a court decision on Friday, it is now highly likely that California will introduce legislation that curtails adtech tracking.