Data protection: 80% of national authorities underfunded, EU bodies “unable to fulfil legal duties”

Topic
Country/Region
EU

It won’t come as a surprise to anyone familiar with the work of data protection authorities (DPAs): they are chronically underfunded and lack the staff and resources to do their jobs properly. Figures released earlier this month show the scale of the problem for national authorities, and EU authorities have taken the unprecedented step of calling on the European Parliament not to approve the budget proposed for them for 2023 by the European Commission.

Over 80% of national data protection authorities say the budget allocated to them is insufficient to carry out their statutory activities, and 86% say staffing levels are below what is necessary to carry out their tasks, according to a study (pdf) released by the European Data Protection Board (EDPB, which brings together national authorities to aid in enforcement of the General Data Protection Regulation, GDPR).

The limited budget of national DPAs is negatively affecting staffing levels – in Italy, for example, 61 posts have still to be filled. The report states that one of the main obstacles in staff recruitment is low salaries in comparison with the private sector.

An open letter (pdf) to Roberta Metsola MEP (president of the Eureopan Parliament) and Edita Hrdá (head of the Czech permanent representation to the EU) published earlier this month said that that EDPB's secretariat is:

“…currently understaffed and at risk of no longer being able to fulfil its legal duties at the service of the EDPB and of the GDPR. Should this happen, the enforcement of individuals’ data protection rights would be weakened and the credibility of the GDPR undermined.”

The press release, which was published jointly with the European Data Protection Supervisor (EDPS, responsible for data protection supervision and advice for EU bodies) marks the first time that the two bodies have called on the Council of the EU and the European Parliament to approve their own budget proposal, rather than that put forward by the Commission.

Earlier this year the EDPS made two budget proposals, covering also the activities of the EPDB, both of which were rejected by the Commission.

In their open letter the EDPS and the EPDB remark that they “continue to receive new tasks from the legislator,” with their supervision and coordination role for the EU’s large-scale information systems and EU agencies continuously expending.

The two bodies also state that they are receiving a growing number of requests to give their opinions in legal proposals:

In 2021, the total volume of legislative consultations requests received by the EDPS essentially tripled in comparison to 2020, a trend which is expected to remain and grow in the future.

These concerns echo those expressed by DPAs across the EU. The EPDB’s early September report notes that national supervisory authorities are facing financial and staff shortages at the same time as experiencing an increase in individual complaints and new tasks due to regulatory developments.

Despite this, the report shows that some national authorities had their budgets substantially reduced from 2020 to 2021: Greece (a cut of nearly €300,000); Hungary (a cut of over €1 million); Luxembourg (over €467,000); and Slovakia (a reduction of almost €220,000).

With regard to the budgets of the EDPS and EDPB, the ball is now in the European Parliament’s and Council’s respective courts. They will decide on the budget proposal in the upcoming months.

It appears that EU and national institutions want to live in the ‘information society’, but aren’t willing to stump up the money needed to ensure that it is regulated according to the law they themselves like to trumpet as being a world-class example of data protection legislation.

Documentation

Further reading


Image: Tom Dennis Radetzki, CC BY-NC 2.0

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error