GDPR ‘At Risk Of Failing’ Due To Lack Of Resources

As the GDPR approaches its second anniversary, European member states have been accused of leaving the data protection rules “at risk of failing” due to lack of technical and financial resources.

Brave, which makes a privacy-oriented browser, urged the European Commission to launch an infringement procedure against the governments of member states, which it accused of leaving data protection offices without the “human and financial resources necessary to perform their tasks”.

Brave said that half of Europe’s data protection regulators have only five technical experts, leaving them incapable of evaluating GDPR complaints, while 14 countries’ regulators have budgets of less than 5 million euros (£4.3m).

“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities,” said Brave chief policy officer Johnny Ryan.


Germany leads in the number of technical specialists, employing 101 at its data regulators, about 13 percent of total headcount, followed by Spain, France and the UK.

Brave noted that Spain and France both employ more specialists than the UK, in spite of the fact that their regulators have a total staff less than one third that of the UK’s Information Commissioner’s Office (ICO).

The ICO’s 22 technical specialists comprise about 3 percent of its total staff.

The ICO has a budget of 61m euros for this year, but most EU data regulators have budgets of less than 10m euros, and Portugal actually cut funding by 203,000 euros from 2018 to 2020.

The Irish data protection authority (DPA) has the heaviest caseload, being lead authority on 127 cases, due to the fact that large tech firms such as Facebook and Google are headquartered there.

But with 21 specialists it ranks fifth in Europe and Brave said increases in budget and staff are slowing.

“GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals,” Brave’s Ryan said. “But the national governments of European countries have not given them the resources to do so.”

Corrective powers

The Irish DPA, the Data Protection Commission, said its staff have grown to 140 with more increases planned to bring the total to 170 by the end of this year.

“This growth in staff must continue over the next few years,” the Data Protection Commission said.

The UK’s ICO acknowledged that the role of technical specialists was “vitally important”.

“While we are not yet at the level of capacity and capability we are planning for, we will continue to invest significantly in this area,” the ICO said.

The European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) referred to their recent evaluation of the GDPR in which they point out that from May 25, 2018 to November 30, 2019, 22 DPAs made use of various corrective powers under the GDPR, including a total of 785 fines, although 110 of the financial penalties relate to pre-GDPR infringements.

“Only 8 SAs have not imposed any administrative fine yet although most of them have ongoing proceedings that might lead to imposing an administrative fine in the near future,” the European agencies say in the review.

The biggest fines to date under the GDPR have been levied in the UK, which said last year it intended to fine British Airways £183m and hotel chain Marriott £99m for data protection infringements.

France’s CNIL last year fined Google 50m euros under the new regulations.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
