In June, The Privacy Advisor asked global data protection authorities to reveal how many GDPR complaints had been filed thus far. The numbers they provided varied widely, from 756 in Poland and 1,124 in the U.K., to just two in Sweden, and only three in Belgium.
So what is at the heart of such a discrepancy? Are citizens in some countries uninformed? Are some DPAs under-reporting? Are statistics lagging behind?
The best answer seems to be that different DPAs define complaints differently.
Take the Belgian DPA, which cited the second-lowest number of complaints.
“A little more clarification is needed on our internal registration process of all incoming requests,” said Simon Van Haele at the Belgian DPA. “In short, a distinction has to be made between a complaint, a request for mediation and a request for information."
In order for a request to be registered as a complaint, Van Haele explained, it has to meet relatively strict criteria. If those criteria are not met, the request will be registered as a "request for mediation." But the majority of incoming requests are, in fact, a request for information.
“Of course, it is possible for a request for information to evolve into a request for mediation or even a complaint, as well as a request for mediation being requalified to a complaint," said Van Haele. "This process, however, can take up to several weeks or months."
When it comes to requests for mediation, contact with a third party (often an adversary company) is usually required to solve the problem. This takes time and correspondence, “therefore it usually takes some time before a request for information is requalified to a request for mediation,” he continued.
Lastly, complaints. These are cases strictly defined by Belgian law, which will be dealt with by the DPA’s Litigation Chamber. A perfect example of this category is the complaint filed by NOYB against Instagram.
“Due to our classification system, it is safe to assume that the number of actual complaints will never reach the same level other DPAs report. This might however also mean that these numbers do not properly indicate the impact of the GDPR on our organization,” added Van Haele.
The cases in Belgium do show a spike in May and June 2018 — more than 700 each month compared to about 350 per month in May and June 2016.
The Estonian Data Protection Inspectorate also makes distinctions between complaints, requests for information and data breach notifications. “Requests involve an application to get information about some question. But when there is an infraction of law and intervention is necessary, then this will be handled as a complaint. The distinction comes from the content of the appeal and from the domestic legislation,” explained the inspectorate.
To date, the Estonian Inspectorate has received approximately 30 data breach notifications since May 25. Unfortunately, statistics about complaints or requests of information are not yet available.
Like the Belgian and Estonian authorities, the Danish DPA makes a clear distinction between complaints and requests for information. Between May 25 and August 22, it received 615 complaints and 1,140 requests for information.
The U.K. Information Commissioner’s Office said that it doesn’t sort its work streams by regulation, so it is difficult to give exact figures for GDPR-specific cases. An ICO spokesperson said: “It’s early days and we will collate, analyze and publish official statistics in due course. But generally, as anticipated, we have seen a rise in personal data breach reports from organizations. Complaints relating to data protection issues are also up and, as more people become aware of their individual rights, we are expecting the number of complaints to the ICO to increase too.”
The ICO received 2,165 complaints in April, 2,310 in May, 3,098 in June and 4,214 in July.
Elsewhere, the French DPA, CNIL, also saw an increase in complaints received: 1,804 between May 25 and July 31 compared to 1,132 for the same period last year. However, the CNIL wasn’t prepared to speculate on the reasons its figures differ from other DPAs: “The CNIL is not able to explain the difference between DPAs regarding the number of complaints registered,” said press officer Yohann Brunet.
The Spanish DPA, AEPD, also said it couldn’t comment on trends in different member states as “this matter has not been jointly discussed by the supervisory authorities and we lack the necessary information to come to a conclusion.
“The fact that some of the member states that received a significant number of complaints before the application of the GDPR have maintained similar levels (this is the case of Spain, for instance, but also France, The Netherlands and the U.K.) might indicate that there has not been yet enough time for the GDPR to have an impact on the data protection culture of countries where citizens were not used to seek[ing] redress before data protection authorities. But this is just a possible explanation,” said the DPA press office.
The GDPR sets a number of procedural guarantees for handling formal complaints. But it does not exclude other possible means of communication between citizens and supervisory authorities, particularly if those means are foreseen in national laws.
The Slovene Information Commissioner’s office, likewise, said it was “difficult to comment on the work of other DPAs” because “the Slovene Information Commissioner's competences in the area of data protection in relation to the individuals’ rights are various” and not all requests are based on the GDPR.
However, in general, the Slovene Information Commissioner reports seeing a significant uptick in contact from its public.
“Since May 25, we have noted a significant increase in both, particularly in the number of questions and queries which we are receiving daily (both by mail, email and phone). Detailed statistics are not available, but the numbers have more than doubled compared to last year,” said a spokesperson.
It is important to note that even prior to May 25, the Slovene Information Commissioner already had very strong procedural and investigative powers, including the competence to issue fines. “Therefore, for individuals in Slovenia the perception of changes in this respect has not been so drastic. The most significant formal and procedural change in this context is the establishment of the European Data Protection Board and its competences,” said the press officer.
For now, even the European Data Protection Board itself is not really able to answer the question conclusively.
“The GDPR does not contain a clear definition on the nature of complaints for reasons of inclusiveness," said Sarah Hanselaer, junior information and communication officer at the European Data Protection Board. "At this moment, no further guidance is foreseen. As the DPAs are fully independent, we cannot say which factors influenced the number of complaints per DPA."
The EDPB is only consulted on cross-border cases and confirmed to The Privacy Advisor that currently around 100 such complaints are under investigation. But given that Florence Raynal of the CNIL recently predicted that around one-third of the cases in France will concern cross-border issues, that number is likely to increase.
Given the discrepancies in how they're classified, it's too difficult for now to compare national GDPR complaints, but one thing is for sure: There should be a slow steady rise in figures across the board, any way they're tabulated.
photo credit: loonyhiker 12/28/15 Complaint Dept via photopin (license)