The European Union’s leading data regulator has found an overwhelming majority of data protection authorities (DPAs) believe they are under-resourced to deal with the demands of the General Data Protection Regulation (GDPR).
Only four of the 29 DPAs based in the European Economic Area (EEA)—Austria, Hungary, Liechtenstein, and Cyprus—say they have adequate resources to handle caseloads; the others explicitly state they do not.
Following a request from the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, the European Data Protection Board (EDPB) has this week published an overview of 2021 funding and enforcement activity for EU DPAs. Among its chief conclusions, the EDPB noted “robust supervision” is necessary and “can only exist where the supervisory authorities are appropriately equipped with staff and resources.”
Based on figures for 2020 and 2021, most EEA supervisory authorities found their budgets either stayed largely static or were cut slightly, despite most countries experiencing sharp rises in the number of enforcement cases since the first year the GDPR came into force.
Only Italy, Germany, and Austria have received significant boosts in resources in the past financial year.
Ireland—the main regulator for most of the world’s largest Big Tech firms—saw its budget increase to €19.1 million from €16.9 million, but privacy campaigners—as well as the Irish Data Protection Commissioner herself—have long said such a figure is inadequate to police the likes of Google, Twitter, and Facebook for all cross-border EU complaints.
Some 22 of the 29 regulators have budgets below €10 million, with half of those having budgets of less than €2 million. Germany’s combined €94.8 million budget for all 18 of its data supervisors is nearly three times that of Italy and nearly four times that of the Netherlands, the next two best-resourced countries.
Germany is also by far the best-resourced supervisory authority, with a combined enforcement headcount of 717; the number of such staff for all other DPAs put together is just 975.
There are concerns many DPAs do not have sufficient competence in specialist areas, namely IT. Just six DPAs have more than 10 dedicated IT specialists (even Ireland only has five).
The number of multi-jurisdictional cases also continues to rise. Between May 25, 2018, and May 31, 2021, 1,615 cross-border cases were registered (with many still waiting to be resolved).
Germany has acted as lead supervisory authority for 183 of them, with Ireland not far behind at 164—27 of which involve Big Tech firms. France, Spain, and the Netherlands are each heading up over 100 cross-border investigations, too.
The EDPB’s research also shows there is often a serious lag in cases being finalized if they require cooperation with other DPAs.
France and the Netherlands, for example, showed substantial differences in settling national cases and those where other supervisory authorities were involved. In France, a national case takes on average five months to finalize, compared to 22 months for one where cooperation is necessary. In the Netherlands, it is eight months to finalize a national case, compared to 24 months with cooperation.
The EDPB does not provide any explanation as to why such delays are occurring or whether steps are being taken to quicken the process.
However, it does point out the sheer volume of work DPAs need to perform is likely to be taking its toll on some. In addition to complaint handling and carrying out investigations, the GDPR requires DPAs to review organizations’ data protection impact assessments, assess codes of conduct, examine data transfer mechanisms such as binding corporate rules and standard contractual clauses, and contribute to the work of the EDPB.