(United States) Brave, an internet browser company, has launched official complaints with the European Commission over what it says is woeful enforcement of the GDPR by national governments in the EU. TechCrunch reports as follows:
Brave, a maker of a pro-privacy browser, has lodged complaints with the European Commission against 27 EU Member States for under resourcing their national data protection watchdogs.
It’s asking the European Union’s executive body to launch an infringement procedure against Member State governments, and even refer them to the bloc’s top court, the European Court of Justice, if necessary.
“Article 52(4) of the GPDR [General Data Protection Regulation] requires that national governments give DPAs the human and financial resources necessary to perform their tasks,” it notes in a press release.
Brave has compiled a report to back up the complaints — in which it chronicles a drastic shortage of tech expertise and budget resource among Europe’s privacy agencies to enforce the region’s data protection framework.
Lack of proper resource to ensure the regulation’s teeth are able to clamp down on bad behavior — as the law drafters’ intended — has been a long standing concern.
In the Irish data watchdog’s annual report in February — AKA the agency that regulates most of big tech in Europe — the lack of any decisions in major cross-border cases against a roll-call of tech giants loomed large, despite plenty of worthy filler, with reams of stats included to illustrate the massive case load of complaints the agency is now dealing with.
Ireland’s decelerating budget and headcount in the face of rising numbers of GDPR complaints is a key concern highlighted by Brave’s report.
Per the report, half of EU data protection agencies have what it dubs a small budget (sub €5M), while only five of Europe’s 28 national GDPR enforcers have more than 10 “tech specialists”, as it describes them.
“Almost a third of the EU’s tech specialists work for one of Germany’s Länder (regional) or federal DPAs,” it warns. “All other EU countries are far behind Germany.”
“Europe’s GDPR enforcers do not have the capacity to investigate Big Tech,” is its top-line conclusion.
“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities,” said Dr Johnny Ryan, Brave’s chief policy & industry relations officer, in a statement. “Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”
(Privacy press clipping sourced via TechCrunch)
Jurisdiction: United States
This isn’t a new theme. Critics have previously said that, in practice, the GDPR is “toothless” going by the fines and penalties handed out in the first two years. Particular attention has been given to big tech companies and Ireland, where many such companies have their home for regulatory purposes.
Johnny Ryan, with the internet browser Brave, is quick to point out that data protection authorities are significantly underfunded. Brave’s report, for example, states that more than half of Europe’s data protection authorities have an annual budget of less than 5 million euros. Few staff at regulators are focused on tech companies, according to Ryan, meaning their ability to investigate complex cases in the sector is weakened. This sits behind Brave’s complaint to the European Commission, filed on April 27, 2020, and which names 26 Member States as having failed in their duties to fund their regulators properly.
Ireland always comes up in these types of discussions. It has yet to issue a single GDPR fine and is sitting on some big tech investigations. Helen Dixon, who leads Ireland’s Data Protection Commission, has long said that resourcing is an issue to be overcome. She also points out that fines are just one output of regulatory activity and can be a overly superficial focus for commentators. Brave and Ryan, however, see things in more stark terms and describe a data protection framework in the GDPR that is at risk of collapsing due to non-implementation, i.e. the failure to enforce the law as it is written to technology companies.