Is GDPR At Risk Of Failing? Brave Accuses Governments Of Underfunding Regulators

According to a new report by Brave, Europe’s data protection regulators are under-funded and under-staffed. The tech company argues the lack of resources severely impacts the regulator’s abilities to perform their duties. This relates to their capability to investigate infringement on GDPR and enforce the regulation against major tech companies.  

Aside from publishing the report, Brave also filed a complaint at the end of April against 27 member states of the EU. The company is requesting the European Commission to launch an infringement procedure against the governments.

Key findings from the report

Small BudgetLack of specialist investigation staff
Half of all national DPAs receive €5 million or less in annual budget from their governmentsOnly 6 of Europe’s 28 national GDPR enforcers have more than 10 tech specialists
Budget is decelerating for the Irish Data Protection Commission. Despite being the lead authority for handling complaints against Facebook, Google and other large tech companiesThe UK’s Information Commissioner’s  Officer (reportedly the largest and most expensive regulator) has only 3% of its 680 staff focused on tech issues
Governments have slowed increases to budgets for Data Protection AuthoritiesDespite having the highest caseload in the EU, the Irish DPA only has 21 tech experts to deal with investigations


Brave’s chief policy officer Johnny Ryan said the following, 

If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities. Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech,’ and act without fear of vexatious appeals, but the national governments of European countries have not given them the resources to do so. The European Commission must intervene.

GDPR vs Big Tech

At the heart of Brave’s filed complaint is Article 52 (4) of GDPR which states the following: 

Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Board.

Looking at Brave’s research, it is evident that the lack of resources to support data protection authorities impacts their ability to enforce the regulation. As it stands, Big Tech companies with billions in revenue have financial resources that supersede that of GDPR regulators. Without sufficient financial backing, this impacts the regulator’s ability to hold Big Tech to account. It limits investigation capabilities and curtails the ability to invest in court cases when necessary. 

Is enforcement working? The biggest GDPR fines so far
  1. British Airways was issued a statement of intent for a fine of €204.6 million for failing to protect the personal data of over 500,000 customers.
  2. Marriott International was also issued with a statement of intent for a fine of €110.3 million over a data breach where the personal data of 339 million guests was stolen. 
  3. Google Inc was fined €50 million by the French data regulator for not providing enough information to users on how their personal data would be processed. 

The significant observation from major fines issued is that most have been due to incidents that happened before GDPR was introduced. The data breach from British Airways and Marriott International both happened in 2018. 

The first GDPR fine issued by the ICO is actually to Doorstep Dispensaree. The London-based pharmacy was fined £275,000 for careless storage of patient data.

Recommendations to save GDPR

To enhance the enforcement powers of regulators, Brave makes the following recommendations. This includes developing an EU unit to assist DPAs in tech investigations, expanding tech specialist teams, and funding DPAs to fight Big Tech in court whenever necessary to defend enforcement decisions.

Kazient Privacy Experts offer bespoke Data Protection, Privacy and GDPR compliance solutions in a language you understand to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website or calling us on 0330 022 9009.