Tech firm: GDPR ‘in danger of failing’ due to lack of resources

While increases to DPA budgets peaked in the year GDPR came into force, EU governments have now slowed this increase in spending, despite data privacy requests spiking in several countries.

Brave says that its research shows “just how few expert tech investigators are working to uncover private sector GDPR infringements,” and that, “even when wrongdoing is clear, DPAs hesitate to use their powers against major tech firms because they cannot afford the cost of legally defending their decisions against Big Tech legal firepower.”

According to the report, called “Europe’s Governments are Failing the GDPR,” annual increases to DPA budgets peaked at 24 percent in 2019 for the application of the GDPR but have now slowed to 15 percent. Some EU countries have made drastic cuts: Portugal, for example, reduced the budget of its DPA by €203,000 (U.S. $223,000) between 2018 and 2020.

Only the United Kingdom, Germany, Italy, and France have budgets of over €20 million (U.S. $22 million). Half of the EU’s DPAs have annual budgets of under €5 million (U.S. $5.5 million). Three—Estonia, Malta, and Cyprus—have budgets of less than €1 million ($1.1 million).

Article 52(4) of the GPDR says national governments must give DPAs the human and financial resources necessary to perform their tasks.

The budgets that DPAs have to tackle GDPR complaints, however, as well as regulate Big Tech, are chickenfeed compared to the size of the legal teams and funds that firms like Google and Facebook (whose annual revenues push U.S. $155 billion and U.S. $70 billion, respectively) have at their disposal. For example, Luxembourg, which is responsible for regulating Amazon, had a budget of roughly €5.7 million (U.S. $6.3 million) last year—equivalent to the online retailer’s sales achieved in just 10 minutes.

The report’s author, Brave’s chief policy officer, Dr. Johnny Ryan, wants the European Commission to intervene by launching an infringement procedure against EU member states for failing to provide DPAs with adequate budgets—even referring them to the European Court of Justice, if necessary.

He also suggests that the European Data Protection Board, the EU body charged with overseeing how member states oversee and enforce the GDPR, should develop an EU unit to assist national DPAs in tech investigations.

“Robust, adversarial enforcement is essential,” says Dr. Ryan. “GDPR enforcers must be able to properly investigate Big Tech and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”

Brave says that its research shows “just how few expert tech investigators are working to uncover private sector GDPR infringements,” and that, “even when wrongdoing is clear, DPAs hesitate to use their powers against major tech firms because they cannot afford the cost of legally defending their decisions against Big Tech legal firepower.”

For example, only six of Europe’s 28 national DPAs have more than 10 tech specialists (Germany, Spain, France, United Kingdom, Ireland, and Greece), while seven authorities have just two tech specialists (or fewer). And although the U.K.’s Information Commissioner’s Office is Europe’s largest DPA in terms of headcount, only 3 percent of its 680 staff are focused on tech privacy issues. In fact, almost a third of the EU’s total tech specialists work for one of Germany’s 16 Länder (regional) or its two federal DPAs.

The Irish Data Protection Commission is the lead GDPR regulator in Europe for some of the world’s biggest tech firms—notably Apple, Facebook, Google, LinkedIn, and Twitter—and has 21 tech specialists out of a total headcount of 140. The country is also responsible for leading some 127 GDPR-related investigations—more than any other country in Europe. But its resources are woefully outgunned compared to the companies it is meant to regulate.

Last October, Ireland’s Commissioner for Data Protection, Helen Dixon, expressed disappointment that her office received just €1.6 million (U.S. $1.8 million) extra cash (less than a third of that requested) to contend with a workload that had increased by 75 percent on the previous year, including 21 (now 23) open investigations into Big Tech firms. The DPA’s annual budget now stands at €16.9 million (U.S. $19 million). According to research by law firm DLA Piper, Ireland is ranked second in Europe (after the Netherlands) for data breach notifications.

Of the ongoing 23 investigations into tech firms, 11 relate to Facebook (seven to Facebook’s Irish subsidiary and one to the parent company, two to WhatsApp, and one to Instagram); three each to Apple and Twitter; two to Google; and one each to Verizon, Quantcast, Microsoft (relating to LinkedIn), and Tinder’s owner, MTCH. Dixon’s office has previously said that the first decisions—whenever they might be—would be related to WhatsApp and Twitter.

Speaking with the New York Times, Dixon said that while she was frustrated by the budget restrictions, she defended the work of her office, grading its performance as an “A for effort” but a “C-plus/B-minus in terms of output.”

As the second anniversary of the GDPR approaches, critics—including fellow data commissioners—have been quick to point out that Ireland has been too slow to hand out its first fines under the regulation, especially regarding Big Tech. Other EU DPAs, such as France and Sweden, for example, have already hit Google with multimillion euros fines.

Earlier this year, Germany’s Federal Commissioner for Data Protection, Ulrich Kelber, said Ireland’s inaction was “unbearable” and called for a new EU-wide data authority to replace the “one-stop-shop” idea. The Irish Data Protection Commission has said such criticism isn’t fair, as the cases are complicated—like the bureaucracy.

Under the GDPR, regulators must respond to every complaint filed—in Ireland’s case, more than 12,000 since May 2018. It is also widely reported that Big Tech firms have managed to slow the investigatory process down by asking a slew of procedural legal questions that must be responded to before cases can advance.

Ireland’s DPA, however, has tackled Facebook quickly when it could more easily do so. In February it forced the tech firm to postpone the rollout of a new dating feature the social media giant had planned to launch for Valentine’s Day because the regulator had not seen a data protection impact assessment or the decision-making processes that were undertaken as part of its development.