Some Believe That the GDPR Is Failing, and These Are the Reasons Why

• The enforcement of the GDPR has been somewhat hesitant, and the situation is getting worse.
• DPA offices are seeing their budgets cut, and their employees fired, so they are deprived of the power to enforce the GDPR.
• Another key element is the failure to employ enough tech experts who know how to investigate big tech firms.

Brave is among those who believe that the enforcement of the GDPR (General Data Protection Regulation) is already failing hard, and its report is putting down the reasons for the flop. The main causes are: the national data protection agencies employ a small number of tech specialists, they are generally under-budgeted, and do not fully comprehend matters of privacy or even the very articles of GDPR. Moreover, they have no powerful means of enforcement on a national level. Two years after the introduction of GDPR, we’re on the verge of seeing the law pass into the sphere of inapplicability, which is the worst-case scenario.

These are the key reasons for failure, as Brave identifies them in its report:

• Only five out of a total of 28 of Europe’s Data Protection Authorities (DPAs) count more than ten tech experts. Seven DPAs have two tech specialists or less. This makes the practical aspect of investigating big tech companies hard or even impossible.

• Half of all DPAs receive €5 million (around $5,420,000) or less per year, so they are underfunded. One of the most prolific investigators, the Irish DPA, is called to handle an increasing amount of cases involving Big Tech firms, but its budget and employees are both thinning.

• The UK’s Information Commissioner’s Office, which is also a high-profile office, employs very few tech specialists. The actual percentage is 3%, making it hard for them to evaluate the cases, identify the violations, and enforce the applicable laws.

DPA budgets peaked with the introduction of GDPR, and are now gradually getting axed. This happened before DPA offices could establish a strong presence and pose a compelling regulatory force in their respective countries, so their role is undermined and downgraded by their own governments.

The only nation that is doing relatively well in the enforcement of the GDPR is Germany, which employs 29% of all of Europe’s DPA tech specialists. Germany is leading the way, but all of the rest seem to be unable to follow. In terms of investing in the DPAs, Germany is also very high in the list, with €58.9 million annually, while the UK ICO tops with €61 million. Cyprus, Malta, and Estonia, on the other side, are spending less than one million EUR for the same purpose.

So, what can be done for the GDPR to be saved? Governments need to get more serious about its enforcement, investing more in them while also ensuring that more DPA officers have a deep and vast knowledge around matters of tech. As we enter an age of extreme recession, it will get tough for European countries to justify these expenditures, so the responsibility will pass over to the private entities and, eventually, the citizens.