Europe’s data protection regulators are woefully short of technology experts and financial resources, meaning they can’t adequately enforce the GDPR against Big Tech’s legal firepower, according to new data from Brave.
The web browser company claimed in a new report this week that Europe’s governments have failed to arm their data protection authorities (DPAs) with the tools they need to enforce the GDPR — which is an obligation under Article 52(4) of the regulation.
As a result, it has filed a complaint with the European Commission against 27 member states, requesting it launch an infringement procedure against them.
“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities,” said Brave chief policy officer, Johnny Ryan.
“Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech,’ and act without fear of vexatious appeals, but the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”
The report argued that only five of Europe’s 28 national GDPR enforcers have more than 10 tech specialists, while half have budgets of under €5m. The UK’s ICO, which is said to be the largest and most expensive watchdog to run, has only 3% of its 680 staff focused on tech issues.
Almost a third of the EU’s tech specialists work for one of Germany’s regional DPAs, while in Ireland, whose DPA handles Facebook and Google complaints, budget and headcount are “decelerating,” it claimed.
In fact, the Irish Data Protection Commission (DPC) has the highest caseload of any DPA in the EU, but just 21 tech experts to deal with investigations and a budget around a quarter of the UK’s.
Brave argued that this lack of resources means infringements by tech giants are either not investigated or limited because the DPAs don’t have the capacity to defend their decisions in court.