GDPR at risk of failing due to underfunding of regulators, study finds

Complaint filed over failure of EU member states to properly resource regulators

Digital privacy regulations introduced in Europe nearly two years ago are in danger of failing because regulators have not been properly resourced, a new report claims.

As the second anniversary of the introduction of General Data Protection Regulation (GDPR) nears, the study claims regulators are not being given the tools they need to enforce it.

The result, according to the study carried out by web browser Brave, is that even when wrongdoing is obvious, data protection authorities are wary of using their powers because they fear the legal costs associated with defending infringements by "big tech" companies such as Facebook and Google.

Brave, which has developed an open source, privacy-based web browser, on Monday filed a complaint to the European Commission against all 27 Member States for failing to adequately implement the GDPR by under-resourcing their regulators.



Article 52(4) of the GDPR requires that national governments give regulators the necessary resources to perform their tasks, something which Brave said is not happening.

"If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities", said Dr Johnny Ryan, chief policy officer at Brave.

“Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene,” he added.

According to the company, half of Europe’s data protection authorities have an annual budget under €5 million.

In addition, just five national regulators currently employ more than 10 investigators, while seven data protection authorities only have two tech specialists or fewer.

Data protection authorities in Europe issued fines worth over €400 million to organisations last year for violations but none originated in the Republic of Ireland, despite it being home to many of the world’s biggest technology companies.


The Irish data protection commission is the lead EU regulator for companies including Google, Facebook, Microsoft and Twitter under the "one-stop-shop" mechanism, which was introduced with GDPR.

It has a budget of €16.9 million – the sixth highest among EU states – and more than 20 investigations ongoing into big tech companies but is yet to issue any fines. Delays have been blamed on complications that arise from pursuing companies which operate cross-border.

Last year, the commission received less than one-third of the €5.9 million in additional funding it sought in Budget 2020 to cope with the increased workload it now has due to GDPR. Its last annual report shows a 71 per cent rise in reported data security breaches in 2019 versus the preceding year.

Under GDPR, data regulators have the power to fine companies up to 4 per cent of their global turnover of the previous year or €20 million, whichever is greater, for violating the law.

Charlie Taylor

Charlie Taylor

Charlie Taylor is a former Irish Times business journalist