Brave, a maker of a pro-privacy browser, has lodged complaints with the European Commission against 27 EU Member States for under resourcing their national data protection watchdogs.
It’s asking the European Union’s executive body to launch an infringement procedure against Member State governments, and even refer them to the bloc’s top court, the European Court of Justice, if necessary. “Article 52(4) of the GPDR [General Data Protection Regulation] requires that national governments give DPAs the human and financial resources necessary to perform their tasks,” it notes in a press release. Brave has compiled a report to back up the complaints — in which it chronicles a drastic shortage of tech expertise and budget resource among Europe’s privacy agencies to enforce the region’s data protection framework. Lack of proper resource to ensure the regulation’s teeth are able to clamp down on bad behavior — as the law drafters’ intended — has been a long standing concern. In the Irish data watchdog’s annual report in February — aka the agency that regulates most of big tech in Europe — the lack of any decisions in major cross-border cases against a roll-call of tech giants loomed large, despite plenty of worthy filler, with reams of stats included to illustrate the massive case load of complaints the agency is now dealing with. Ireland’s decelerating budget and headcount in the face of rising numbers of GDPR complaints is a key concern highlighted by Brave’s report. Per the report, half of EU data protection agencies have what it dubs a small budget (sub €5M), while only five of Europe’s 28 national GDPR enforcers have more than 10 “tech specialists”, as it describes them. “Almost a third of the EU’s tech specialists work for one of Germany’s Länder (regional) or federal DPAs,” it warns. “All other EU countries are far behind Germany.” “Europe’s GDPR enforcers do not have the capacity to investigate Big Tech,” is its top-line conclusion. “If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities,” said Dr Johnny Ryan, Brave’s chief policy & industry relations officer, in a statement. “Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.” It’s worth noting that Brave is not without its own commercial interest here. It absolutely has skin in the game, as a provider of privacy-sensitive adtech. Ryan has also been a key instigator of a number of strategic GDPR complaints — such as those filed against certain widespread adtech industry practices. Enforcement against programmatic advertisement’s use of real-time bidding would very likely be of commercial benefit to Brave, given its engineered to operate a different model. But such commercial interest in robust and active GDPR enforcement doesn’t undermine Brave’s core beef — aka: that regulatory inaction is linked to DPA under-resourcing. Indeed, the UK’s ICO has itself, er, blogged multiple times about the systemic problem of unlawful adtech — repeatedly calling for the industry to reform. But not actually doing anything when it doesn’t. It’s just this sort of ‘soft soap’ from regulators — words, instead of firm GDPR enforcement — that’s in Brave’s sights. Nor is it alone in complaining about the lack of GDPR ‘bite’; independent privacy campaigns and researchers have dubbed ongoing regulatory inaction as a “disastrous” failure that’s undermining the rule of law. We reached out to the Irish Data Protection Commission, the European Data Protection Board (EDPB), the European Data Protection Supervisor (EDPS) and the European Commission for comment on Brave’s report and to ask whether they believe GDPR is functioning as intended. A major milestone is looming with the regulation’s two year birthday falling next month — which will be concentrating minds within EU institutions. A spokesman for the EDPS pointed us to this joint document with the EDPB — which was adopted in mid February, ahead of this wider evaluation process for GDPR. In a section of the document on enforcement the assessment finds “increased attention and effort toward enforcement of data protection laws by most SAs” [supervisory authorities], with the EDPB noting that: “The new enforcement tools provided by the GDPR and the SAs made use of a wide range of corrective measures, i.e. not only administrative fines but also warnings and reprimands”.
On fines specifically, the evaluation notes that between May 25, 2018 and November 30, 2019, a total of 22 EU/EEA data protection agencies made use of this corrective power — with 785 fines issued overall (although around 110 of which relate to infringements that predate GDPR coming into force).
“Only 8 SAs have not imposed any administrative fine yet although most of them have ongoing proceedings that might lead to imposing an administrative fine in the near future,” they further note.
In terms of what fines have been issued for, the write that most related to principles relating to processing of personal data (Art. 5 GDPR); lawfulness of processing (Art. 6 GDPR); valid consent (Art. 7 GDPR); processing of special categories of personal data (Art. 9 GDPR); transparency and rights of the data subjects (Art. 12 to 22 GDPR); security of processing and data breaches (Art. 32 to 34 GDPR).
We’ll update this report with any other responses to Brave’s report. We’ve also asked the Commission if it will be instigating infringement proceedings against any Member States.