GDPR is two years old but still lacking resources

Regulators have been hamstrung due to a lack of resources and administrative hurdles

GDPR was meant to change everything in terms of data privacy. But as the second anniversary of the much-hyped data protection rules is marked, a key question is whether it has been a success or not.

Yes and no, would seem to be the answer. Undoubtedly the introduction of the European Union’s General Data Protection Regulation has forced companies to take the issue of how they handle customer data more seriously. This has been the case, not just in Europe, where the rules apply, but also farther afield where GDPR is viewed as the basis for the introduction of similar legislation.

If nothing else, GDPR has served to show that authorities across the globe are at the very least trying to get to grips with the issue of data protection. But the reality is that few have succeeded in doing so.

A new study, published yesterday to coincide with the second anniversary of GDPR, reveals that data protection authorities have to date been unable to enforce the regulation adequately.


The report, from the non-profit group Access Now, suggests that regulators have been hamstrung due to a lack of resources and administrative hurdles. Worse, in some situations, authorities have been found to have “grossly misused the GDPR to undermine other fundamental rights such as the right to free expression and freedom of the press”.


According to the report, just 231 fines and sanctions were levied between May 2018 and March 2020. Ireland and Luxembourg, which are the main authorities dealing with cases involving Amazon, Facebook, WhatsApp, Twitter, PayPal, Instagram, Microsoft, Google, and others, have issued zero fines against these tech giants to date.

As the study reveals, only a handful of regulators feel they are properly resourced to take on such behemoths. The Data Protection Commissioner, Helen Dixon, went so far as to publicly disclose her disappointment over her office not getting the funding it had asked for last year.

Her office, which has been under continual scrutiny, came under fire again this week, with Austrian privacy campaigner Max Schrems accusing it of, among other things, operating a go-slow on his complaint against Facebook.

The regulator has said a number of its investigations are close to completion. But without it and other national authorities being properly resourced, it is unlikely that big companies have much to fear. For now, at least.