Open source web browser Brave has directed weighty criticism towards European Governments for failing to equip data protection agencies and enforce GDPR rules.
With the release of a white paper and the filing of a complaint to the European Commission, Brave has directed weighty criticism to all Governments and agencies involved in upholding the privacy and data protection rights afforded through the implementation of GDPR. In short, the Governments are not directing enough money towards the data protection authorities to enforce GDPR.
“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities,” said Johnny Ryan, Chief Policy & Industry Relations Officer at Brave.
“Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”
Brave does of course benefit from disruption to the status quo of the internet economy, though there are some valid points being made. Aside from a few examples, the rhetoric from posturing politicians and boresome bureaucrats on the importance of data protection does not seem to have translated into action.
For all the good work which has been done in creating a regulatory framework to elevate data protection and privacy in today’s society, if the relevant authorities are not enforcing the rules it means nothing.
As Brave points out in the complaint, Article 52(4) of the GDPR (Regulation 2016/679/EU) and Article 41(1) of the Law Enforcement Directive (Directive 2016/680/EU) require that national governments give data protection authorities the human and financial resources necessary to perform their tasks.
Looking at the research presented by Brave, it would appear Governments are failing to adhere to these rules.
How well funded are the data protection agencies?
|Nation|Budget (2019/20)|Nation|Budget (2019/20)|
|---|---|---|---|
|UK|€61 million|Spain|€16.5 million|
|Italy|€30.1 million|Estonia|€0.8 million|
|Germany|€26.8 million|Sweden|€10.3 million|
|Ireland|€16.9 million|Greece|€3.1 million|
|Poland|€9.4 million|Austria|€2.3 million|
|Netherlands|€18.6 million|Romania|€1.3 million|
This is just a snapshot of the budgets across the continent. Some countries might look suitably funded, but this is perhaps just a comparison to the other end of the scale. However, it does appear some of these agencies are somewhat of a profit centre for Governments.
In the UK, for example, the data watchdog the Information Commissioner’s Office (ICO) is funded by data protection fees, a fee which is applicable to every organisation or sole trader who processes personal information in the UK. For 2019/20, the ICO budget from these fees totalled £46,560,000. The authority is also the recipient of £4,626,000 of Government funding.
What is worth noting, however, is that any fine which is given by the ICO for data protection or privacy violations is directly paid to Her Majesty’s Treasury. None of these funds are used to further enhance the powers of the ICO or employ additional experts. The ICO currently employs 22 technology specialists of a total staff of more than 600.
So far, the ICO has issued some substantial fines:
|Organisation|Fine|Reason|
|---|---|---|
|Cathay Pacific|£500,000|Data breach|
|DSG Retail|£500,000|Lack of security during cyber-attack|
|Life at Parliament View|£80,000|Inadequate cybersecurity|
|Bounty|£400,000|Sharing personal information illegally|
These are the relevant fines from the last 12 months, though it should also be noted that they were all cases where the incident occurred before the introduction of GDPR, and the maximum fine was £500,000. In the Cathay Pacific incident, if the breach had occurred after the introduction, the company could have been fined up to 4% of annual revenues, some £460 million.
Currently, the ICO has 56 cases under investigation, making it one of the busier data protection authorities, but by no means the busiest. That crown is offered to Ireland, where the annual budget of the data protection authority, the DPC, is €16.9 million.
The DPC in Ireland currently has 21 staff who are specialist tech investigators to evaluate the 127 cases which are running. The DPC is the lead data protection authority for complaints against the likes of Facebook, Google, Apple, Intel, IBM and numerous other tech giants owing to their corporate HQ being in Dublin.
€16.9 million should not be seen as an adequate budget to oversee that many GDPR cases or hold the internet giants accountable. These companies could lodge numerous appeals or filings to prolong the legal proceedings, bleeding the DPC dry and severely inhibiting its ability to maintain GDPR principles in Ireland, as well as ensuring the internet giants are held accountable.
In this example, it is very difficult to levy all of the criticism towards Ireland. As the DPC is being asked to be the champion for all of Europe, fighting against some of the companies who are presumably the worst data protection and privacy offenders, contributions should be enforced from other member states to build this authority. €16.9 million is quite frankly pathetic when the DPC is effectively being asked to take on Silicon Valley.
Across Europe, the Brave research suggests there are only 305 technology specialists working for the data protection authorities. Only six have more than 10 specialist tech investigation staff, seven have two specialists or less and half of all authorities have annual budgets less than €5 million.
EU GDPR was a regulatory evolution which was very much needed in 2018. It created rules which were fit-for-purpose in the current digital society, but this means nothing if Governments are not doing what they should to create the agencies to enforce the rules.
Brave might be looking to throw a cat amongst the bureaucratic pigeons for its own gain, but it is not wrong. Governments are failing.