Europe's General Data Protection Regulation (GDPR) is unable to function properly and give mandated protections because EU member states have failed to adequately fund and staff their data protection authorities, a new report from privacy-focused web browser company Brave argued this week.
On the basis of the report, Brave, where Irish data privacy activist Johnny Ryan is chief policy officer, has filed a formal complaint against all 27 member states to the European Commission, because a key legal requirement of the GDPR is that states supply the resources needed to enforce this important piece of legislation.
The report places needed meat on the bones of the ongoing suspicions of pretty much anyone with concerns about personal privacy and data protection online and offline. Complaints are filed, but too often little seems to be done, not just with high profile cases against very large companies but also with smaller scale accusations made against employers, the government, local authorities or small companies.
Many national data protection authorities, including our own Office of the Data Protection Commission (DPC) and the UK's Information Commission Office (ICO), note that investigations, especially against larger entities, take time. But an awful lot of them seem to take an awful lot of time. And going on some cases shared with me, many complaints don't get what the complainants and their legal advisers consider to be an adequate or timely response.
The Brave report suggest that such issues are not the regulators’ fault, but are due to underfunding and therefore, understaffing – specifically, of the people with the technology expertise needed to investigate complaints rooted in technology-based issues.
Only six national data protection authorities have more than 10 specialist tech investigation staff, according to the report, and seven EU states have just one or two. Half of all regulators receive less than €5 million in funding from their state governments, a pittance, especially when many complaints are filed against companies, including multinationals, protected by teams of in-house lawyers.
The report also notes: "The Irish Data Protection Commission is Google and Facebook's 'lead authority' GDPR regulator in Europe. But while the number of complaints it deals with is accelerating, increases to its budget and headcount are decelerating."
Such funding problems are not new concerns. The additional burden Ireland would carry, once the GDPR came into effect, was obvious years before it was enacted in 2018. I noted in February 2012 – over six years before we finally got GDPR – that "the proposed regulations will have more significant impact here. The State's policy of actively seeking multinational internet and telecommunications companies for inward investment means Ireland will be the data protection authority regulating them for all of Europe, and will carry new, resource-demanding responsibilities."
The under-resourcing of technical specialists is indeed a significant factor in slowing investigations, or causing them not to happen at all. Exposing this issue, as Brave’s detailed report has done, must provide serious consideration for all EU states, and for the Commission.
But lack of technical expertise is not the only issue. Regulators also require qualified and experienced lawyers, capable of taking on well-funded armies of in-house lawyers at some of the world’s most powerful technology companies.
And yet, our DPC hires lawyers at a modest civil service grade, trivial in comparison to private legal salaries. Last year, solicitor and director of Data Compliance Europe, Simon McGarr, noted in a series of tweets that the DPC was only offering €60,000-€70,000 for a lead lawyer who “will be regulating the richest companies in the world”.
Individual regulators also make choices about the complaints they take on, prioritise, and litigate, and how they fine. This is only in part influenced by their budgets.
And where they do impose fines, to date even the largest fines by European data protection authorities for egregious behaviour by key multinationals have been minuscule “punishments” in the context of those companies’ vast revenues. Why? In Ireland, several lawyers I have spoken to say they are waiting months, in some cases, more than a year, for responses on clients’ domestic complaints. Are they given lower priority? Why?
Handling complaints against multinationals may be the showy, high profile end of the complaint spectrum. But it is important that domestic complaints receive equal focus and attention. And many domestic concerns demand legal and civil rights expertise, not technical knowledge, such as those involving the increasing presence of poorly justified CCTV surveillance, the growth of a commercial industry around gathering DNA, and proposals for fresh, Covid-era mass societal surveillance, such as tracking apps and policing by drone.
Back in 2012, I wrote, “We must fund our data protection office appropriately to give it the ability to deal promptly and comprehensively when appeals involving these multinationals land here . . . but also to ensure we do not then neglect our own data protection and privacy cases to cater primarily to the multinationals.”
This is true now more than ever.