In July, the European Commission urged European countries to allocate sufficient human, financial and technical resources to national data protection authorities.

That's because the introduction of the EU General Data Protection Regulation has placed an increased burden on already-stretched authorities. In its first published stock-taking exercise since the implementation of the GDPR, the commission said that “while most data protection authorities have benefited in the past year from increased resources, there still remain great differences between member states.”

The commission believes it is essential for authorities to be sufficiently provided for in order to ensure their “effective independence.”

One way the commission sees of dealing with any shortfall is to use the resources of the European Data Protection Board. “The possibilities for data protection authorities to pool their efforts on issues affecting more than one member state, for instance to carry out joint investigations and enforcement measures, can mitigate resources’ constraints,” says the report.

However, the EDPB points out that daily efforts to facilitate cooperation involves numerous exchanges — written and oral — and “these cooperation duties lead to extra workloads, additional time dealing with cases and have an impact on the budget of the regulators.

“Under the new legal framework, supervisory authorities wear two hats. They not only deal with their enhanced enforcement powers, but are required to become more engaged, which implies the need for more budget and staff,” continued the EDPB.

Earlier this year the organization compiled its own report based on information provided by supervisory authorities from 26 European Economic Area countries and the European Data Protection Supervisor.

It should come as no surprise that Ireland has added the highest number of employees in the last year — an increase of 31% — but both Denmark and Finland increased the percentage of their employees by 35% and 44% respectively. Iceland increased its employees by 54% but still remains the second smallest DPA after Malta.

Eight countries did not increase their staff numbers, and the Czech Republic, in fact, reduced the number of people working for the DPA by 5%. Meanwhile, according to estimates, both Romania and Slovakia need to more than double their employees to meet demand.

In terms of budget, only Austria, Belgium and Latvia did not increase their budget in the last year, while both Poland and the Czech Republic cut budgets by 15% and 6% respectively.

In the first three cases, the lack of change is down to biannual plans for this period of time.

Germany has the largest budget overall — which it also boosted between 2018 and 2019 — by 28%, followed by Italy, France, Spain and Ireland. Despite having one of the largest budgets, Italy estimates that it will still need another 37% to meet demand. Sixteen other countries also reported that they continue to need an increase in their budget, with Latvia reporting the largest shortfall.

Despite this need for budgetary increases to meet the larger workload, almost none of them received the requested amount, according to the EDPB. Despite the increase in the number of cases in recent months, most authorities reported that the workload is manageable for the moment.

However, an EDPB spokesperson sounded a warning note about comparing supervisory authorities' resources: “Some countries have more than one supervisory authority; in addition the scope of the supervisory authorities mandate can differ. Finally, please note that the figures in the report do not reflect the fact that there was potentially an increase just before the entry into application of the GDPR.” Indeed, in Germany, data protection supervision of private sector companies (apart from telecommunications and postal services) falls under the responsibility of the 16 federal states’ DPAs.

EDPB Chair Andrea Jelinek pointed out: “The European Commission is in charge of monitoring whether supervisory authorities are being allocated enough resources." She said Commissioner for Justice, Consumers and Gender Equality Věra Jourová "has always been very attentive and proactive in this regard and we trust that the commission will continue to stay vigilant.”

As well as putting pressure on member states to appropriately fund their DPAs, the commission also provides direct financial grants to data protection authorities. In 2018, 2 million euros were allocated to nine data protection authorities in Belgium, Bulgaria, Denmark, Hungary, Lithuania, Latvia, the Netherlands, Slovenia and Iceland.

“The Irish DPC is undoubtedly one of the global data protection authorities that has undergone the most significant growth and transformation in the last few years,” Data Protection Commissioner for Ireland Helen Dixon told The Privacy Advisor. “From a modest base of about 27 staff at the end of 2014 and a budget of 1.89 million euros, to an office of 140 staff today (and still recruiting) and a 2019 budget of in excess of 15.2 million euros, the DPC has evolved to meet the demands of the new legal framework under which we operate.”

The DPC budget has increased annually since 2014 in preparation for May 2018 and the GDPR, Dixon added. “The budget increases were granted by government on foot of budgetary submissions made annually by the DPC setting out the imperative for increased resources. What was ultimately granted in terms of budget increase each year reflected a reality in terms of how rapidly a regulatory organization can expand (particularly in terms of specialist skills) and its absorptive capacity,” she continued.

“The role of the Irish DPC as lead supervisory authority for many global multinationals with [Europe, the Middle East and Africa] headquarters here has been understood by government as requiring the DPC to take on particular responsibilities at EU level that necessitate a level of resources commensurate with that task,” she added, referring to the unenviable task of a smaller member state policing companies such as Google and Facebook, whose own revenue easily outstrips several nation states.

The 2018 Data Protection Act in Ireland now makes provision for the Irish DPC to become its own “accounting officer” within the context of the Irish public sector system. “This means we will have our own separate ring-fenced and dedicated budget line voted to us by Parliament, and for which I will be directly accountable to Parliament,” Dixon explained. “While the DPC did always in reality have a ring-fenced budget, it was voted to the DPC by Parliament via the Department of Justice and Equality and administered overall as part of the budget of that department. From the start of 2020, it will be entirely separate.”

Photo by Chiara Daneluzzi on Unsplash