Enforcement of EU data privacy rules is being stifled by a lack of resources across national authorities, according to a new study published today (25 May), on the second anniversary of the EU’s landmark general data protection regulation (GDPR).
The report, published by the advocacy group Access Now, finds that due to a significant disparity in the funding of national data protection authorities, larger firms could try to use their economic wherewithal to circumvent privacy provisions laid out in the GDPR.
“Companies could leverage DPAs’ lack of resources, using it to get around the application of the GDPR, or at least significantly delay its effect,” the document states, referencing a recent claim by the Irish Data Protection Commission that ‘procedural queries’ had been delaying decisions on first fines.
Moreover, the number of employees working in Data Protection Authorities across the EU has barely increased from 2019, according to the report, which cites recent comments from the European Data Protection Board (EDPB).
And those figures are unlikely to increase substantially during 2020. In response to an EDPB survey earlier this year, a majority of EU member states, including Germany, France and Spain, noted that they had not been allocated sufficient resources to carry out their competences effectively.
Moreover, in terms of financing, the report notes “significant disparities” in budget allocations for national data protection authorities across the bloc, with the UK’s budget twice as large as Italy’s and three times as large as France’s.
“The inadequate budget provided to DPAs means that our rights may not be effectively protected,” the report states. “In fact, it may create a negative incentive for DPAs investigating large tech companies to agree on settlements that may be more favourable to the companies,” it adds in reference to the UK’s settlement with Facebook after the Cambridge Analytica scandal, which may have been hastened by the financial cost of entering into legal proceedings.
In a letter to Justice Commissioner Didier Reynders, the European Parliament’s Chair for the Civil Liberties committee, MEP Juan Fernando López Aguilar, has called for infringement proceedings to be enacted against member states who consistently fail to resource their DPAs.
The Irish dilemma
Some of the world’s largest tech firms including Facebook, Google and Twitter all have their European headquarters in Ireland, meaning that the country’s data protection authority is responsible for dishing out fines for breaches to such companies.
However, there have long been concerns that the authority would struggle to meet the demands of overseeing the world’s most dominant players in the online ecosystem.
Such worries came to a head towards the end of 2019, when Irish Data Protection Commissioner, Helen Dixon, said that she was “disappointed” by the Government’s 2020 budget allocation for the authority, which represented less than a third of the funding that the DPC had requested.
In February, Germany’s federal data commissioner, Ulrich Kelber, described the Irish DPC as “overwhelmed” with the task at hand of regulating some of the world’s most dominant platforms, according to The Irish Times.
However, in what could be a bid to mark today’s GDPR anniversary, the Irish Data Protection Commission submitted a draft decision on a data breach by Twitter to other EU member states just before the close of last week.
Under the GDPR, national data protection authorities are required to send draft decisions on data breach inquiries to DPAs all across the bloc. The views of other DPAs are taken into account as part of any final decision.
Ireland’s Deputy Commissioner Graham Doyle also indicated on Friday (22 March) that decisions on transparency breaches by WhatsApp were in the pipeline as well.
More generally, Access Now’s report found that between May 2018 and March 2020, 231 fines had been put forward, with 144,373 complaints having been filed between May 2018 and May 2019.
Spain is the country which produced the highest quantity of fines, while the UK’s €204 million slap on the wrist of British Airways is the largest to date, although the fine has been delayed.
A review of the GDPR is due to be presented by the European Commission on June 3.
(Edited by Frédéric Simon)