European Commission complaint made about GDPR enforcement

A complaint was filed on 27 April 2020 to the European Commission on the basis that European Union Member States have failed to take sufficient steps to ensure that data protection supervisory authorities (DPAs) are capable of enforcing the General Data Protection Regulation (the GDPR).

The complaint was made by the company Brave, which has been active in filing complaints about data protection issues. For example, the company also filed a complaint in relation to how Google processes personal data, alleging that certain of Google’s activities do not comply with the purpose limitation principle that is set out in the GDPR.

The complaint - alleged breach of the GDPR by Members States

The specific allegation is that Member States are in breach of Article 52(4) of the GDPR. This sets out that:

“Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources for the effective performance of its tasks and exercise of its powers”.

A report prepared by Brave sets out some key findings in relation to the human, technical and financial resources that have been provided to DPAs, and it is on the basis of these that the complaint has been made. Specifically, the report identified a lack of tech specialists working in each DPA, suggesting that there are insufficient investigators working to uncover GDPR infringements. In addition, the report noted that the increase in funding for DPAs was slowing and so, even where DPAs do identify wrongdoing, they may hesitate to use their powers due to the potential costs of legally defending their decisions.

Key findings of the Report

While the complaint sets out the full details of the alleged lack of resources, the key findings were as follows:

• only six of the DPAs had more than ten special technology
  investigation staff and seven of them had fewer than two. Brave’s
  argument is that these individuals are critical to understanding the
  complex issues surrounding data protection online;

• while the UK’s Information Commissioner’s Office (ICO) is one of the
  biggest and most expensive DPAs (it has a budget of €61m per
  year), it only has 22 technology specialists which is just over 3% of
  the total workforce; and

• there is a focus on the Irish Data Protection Commission. The Irish
  DPA has a heavy enforcement workload, given that a number of
  technology groups like Facebook and Google are based in Ireland.
  However, the Irish DPA only has 21 specialist tech investigators and
  the increases to the DPA’s budget and staff count that had occurred
  with the introduction of the GDPR have now slowed.

Initial Response from Data Protection Authorities

It will be interesting to see whether the complaint leads to further investments being made in DPAs by Member States, specifically in relation to ensuring there is a sufficient level of technical expertise. Both the ICO and Irish Data Protection Commission have responded, highlighting their commitment to growing their staff and ensuring they have a sufficient number of technical specialists.