GDPR in practice – Experiences of data protection authorities (2024)

Inadequate resources risk undermining the implementation of data protection authorities’ mandate and their independence

With the GDPR’s entry into force, DPAs have been assigned more tasks and their powers have been strengthened. Article57 of the GDPR lists a number of tasks that DPAs must carry out, such as providing advice to different stakeholders, raising awareness, handling complaints and investigating data protection breaches on their own initiative and when requested.

This research confirms FRA’s findings on the role of DPAs published in 2010 and 2014, and findings published as part of the 2020 and 2021 Fundamental Rights Reports, which emphasised that DPAs face difficulties in fulfilling the entirety of their mandate due to a lack of resources.

This research acknowledges Member States’ efforts to increase DPAs’ overall budgets and staffing when the GDPR entered into force. Nonetheless, an overwhelming majority of interviewees stated that DPAs’ workloads also increased significantly with the introduction of the GDPR. They repeatedly highlighted the mounting workloads that DPAs need to manage with limited staff and inadequate funding.

Concerns expressed by interviewees relate mainly to the extremely large and growing number of individual complaints being submitted, including minor complaints, which DPAs are obliged to handle within a reasonable time under Article57(1)(f) of the GDPR. This report shows that, because DPAs find themselves underfunded and understaffed, many are obliged to prioritise complaints handling over other regulatory tasks that the GDPR has entrusted to them– such as promoting awareness among public administration bodies and the private sector of their obligations under the GDPR, raising people’s awareness on the right of data protection and providing high-quality advice to public institutions on legislative proposals. Some interviewees pointed out that, due to a lack of resources, their DPA was not able to undertake on its own initiative investigations of data processing operations that could pose risks for data subjects. This limitation would appear to hinder DPAs’ ability to provide independent oversight, including oversight of public institutions and other bodies. Moreover, insufficient resources have been reported to undermine DPAs’ ability to contribute effectively to the EDPB’s increasing volume of activities and to take part in external cooperation mechanisms established under ChapterVII of the GDPR.

In addition, several respondents emphasised that new EU legislation, adopted after the GDPR entered into force, has tasked DPAs with additional duties and responsibilities, extending their workload further, even though the level of resources remains the same. Some interviewees mentioned that EU law requires DPAs to supervise the implementation of new, large-scale EU information technology (IT) systems in the area of migration and border control. These include the Entry/Exit System, which will process the biometric data of hundreds of millions of people at borders coming to the EU for short-term visits as of the end of 2024. Some respondents indicated that new supervisory roles may also arise in the context of the development of AI-driven technologies, with the pending adoption of the Artificial Intelligence Act.

To effectively carry out their duties in evolving and complex technical areas, DPAs need qualified legal and IT professionals with data protection knowledge. However, several interviewees indicated that recruiting professionals with the appropriate legal and technical expertise is a challenge, especially given that DPAs have to compete with the private sector. Some respondents also emphasised that, in their Member State, the recruitment process is conducted through public service competitions, which tend to attract generalists. This has limited DPAs’ autonomy to select and recruit qualified staff, meaning that training on the job has been required, negatively affecting the quality and timeliness of DPAs’ work.

Hence, a large majority of interviewees emphasised that inadequate financial and human resources are a major obstacle to their DPA carrying out the full extent of the tasks required under the GDPR under Article52 and recital121 of the GDPR.

Article52 of the GDPR stipulates elements of DPAs’ independence that Member States should safeguard. These elements include freedom from external influence and enabling them to ensure that their human, financial and technical resources are adequate for performing their mandatory tasks. FRA research published in 2010 and 2014, as well as FRA’s Fundamental Rights Report– 2021 and FRA’s Bulletin2 on the fundamental rights implications of the COVID-19 pandemic, found that external political pressure was exerted on some DPAs, particularly during the COVID-19 pandemic. This was reported less often during the current fieldwork research. A few interviewees suggested that a DPA’s independence might be at risk if that DPA’s budgetary proposal has to be approved by a ministry that manages a large number of databases that process personal data in various fields. Under-resourcing may also negatively affect DPAs’ perceived independence, by limiting their ability to conduct investigations on their own initiative and to duly oversee governments and public authorities when acting as data controllers.

Supervision is key, but would be more effective if supported by additional tools

Interviewees highlighted that supervision is their core task. Supervision includes all mandatory tasks aimed at investigating potential GDPR breaches (Article58 of the GDPR), either on the DPA’s own initiative or following a complaint. A thorough investigation is a precondition for effective supervision. For some DPAs, these investigatory and supervisory tasks should take precedence over any other function (notably in relation to advising), as investigating GDPR breaches is an obligation established in the GDPR. However, several interviewees highlighted various challenges that prevent DPAs from conducting their supervisory and investigatory tasks effectively. Several respondents explained that investigatory measures listed in the GDPR are appropriate but could be complemented with other tools to reinforce their supervisory capacity, such as concrete techniques to identify data controllers of digital services, or investigatory measures allowing for undercover investigations. These should be complemented by more in-depth and technical tools. Interviewees discussed difficulties in launching ex officio investigations, the importance of being able to expand the scope of an investigation based on preliminary findings and the difficulty in assessing electronic evidence collected during investigations. Another recurring challenge mentioned by interviewees relates to the difficulties some may face regarding data controllers’ cooperation with the DPA during the investigation, as such cooperation is not mandatory in many Member States.

In addition, as highlighted above, human resource shortages may force DPAs to concentrate resources on complaints, not leaving enough time for ex officio investigations. Moreover, in most interviews, DPA staff highlighted that they are still adapting to the broadened mandate DPAs were entrusted with by the GDPR, identifying the most efficient way to deal with the high number of complaints.

Large numbers of complaints are a major challenge and should be addressed by data protection authorities as a priority

Most interviewees highlighted that the GDPR requires them to respond to every complaint that has been lodged but that they lack the time and human resources to do so. Complaints concern issues of unequal gravity and some can be petty and repetitive. DPAs have developed a wealth of practices to address complaints more effectively, through prioritisation, grouping, templates, automation or standard replies. However, FRA findings show that there is still no harmonisation and no sufficient exchange of such practices among DPAs to effectively tackle such challenges.

Furthermore, some respondents emphasised that, 5years after the entry into force of the GDPR, DPAs’ decisions in GDPR investigations and lack of timely response to complaints are increasingly challenged in courts at the EU and national levels. Defending themselves against these challenges is costly and resource intensive for DPAs.

Awareness among the general public of the existence of data protection laws does not necessarily mean that they actually understand these laws

While the majority (69%) of people in the EU-27 have heard about the GDPR, as FRA’s Fundamental Rights Survey on data protection and privacy showed in 2020, the large number of trivial or unfounded complaints received by DPAs indicates that a proper understanding of what the right to personal data entails is lacking. However, for most DPAs, despite their wish to provide advice and raise awareness among data subjects and the general public, doing so is challenging given their lack of resources.

As reported to FRA, DPAs receive very few requests for prior consultation from data controllers based on Article36 of the GDPR, which requires data controllers to consult their DPA when the result of a data protection impact assessment (DPIA) shows that the risk to the protection of personal data is high. The limited number of prior consultation requests and of DPIAs gives rise to concerns about the actual understanding of the data protection implications of processing operations among data controllers. The low number of prior consultation requests and the low number of DPIAs suggests, according to interviewees, that, even if data controllers are aware of data protection risks, they do not fully understand what these risks entail or what they should do to identify and prevent them. Interviewees considered the lack of knowledge of data controllers on the application of data protection provisions especially striking when it comes to the development of AI systems.

Providing scientific researchers with advice is a challenge for some data protection authorities

Most of the respondents interviewed by FRA did not recall any practical experience of providing advice to researchers in the field of scientific research, apart from during the COVID-19 pandemic. Those interviewees who did recall giving advice identified three main challenges that DPAs face when advising researchers. First, some DPAs reported that researchers found Article89 of the GDPR– which provides for safeguards and derogations when data are processed for research purposes (including statistical, scientific or historical purposes)– to be a complex provision. This is reinforced by the fact that researchers also reported to DPAs that the number of applicable EU and national laws confuses them when attempting to identify the correct legal basis for processing data for scientific and statistical purposes, and DPAs would welcome further field-specific guidance to enable them to properly advise researchers.

Second, some data controllers tend to be unwilling to provide access to data for research-related purposes. Lastly, several interviewees emphasised how the shift to an accountability system (from the pre-GDPR authorisation scheme) has affected their ability to advise researchers. These respondents indicated that they did not appreciate that DPAs are no longer responsible for authorising the processing of sensitive data. While general guidance has been developed by the EDPB and the European Data Protection Supervisor (EDPS), most interviewees emphasised that what they are lacking is field- and technology-specific guidance to enable them to appropriately advise researchers.

Advising and supervising public bodies acting as data controllers remains a challenge due to mistrust and misunderstanding of data protection authorities’ competencies

According to Article57(1)(c) of the GDPR, DPAs shall provide advice to national institutions and bodies on legislative measures that relate to the protection of personal data. Some interviewees reported specific difficulties concerning advising public bodies acting as data controllers. Interviewees indicated cases where, due to either fear or distrust of the DPA, public bodies did not consult with the authority before launching a data processing operation.

Similarly, several interviewees noted both mistrust and misunderstandings from the executive when it comes to consulting with the DPA, although lawmakers agreed on the importance of providing adequate comments on draft laws to ensure effective implementation of data protection principles, which is prescribed by Article57(1)(c) of the GDPR. In some instances, DPAs’ opinions were not considered in final draft legislation, while in other instances DPAs were not consulted or were given tight deadlines. Some interviewees also highlighted how staff shortages can negatively impact DPAs’ ability to advise public institutions, as DPAs lack the expert knowledge in-house needed to provide administrative bodies with exhaustive and detailed analysis on questions that are sometimes very technical or sector specific. Several interviewees reported to FRA that mistrust of data protection principles (often perceived as globally hampering the effectiveness of proposed legislation), combined with a misunderstanding of DPAs’ competencies, were the main reasons for not consulting DPAs on draft legislation.

Several interviewees reported difficulties when investigating public administrations because some institutions competent in human rights or national security issues are sometimes granted a general derogation from certain obligations contained in the GDPR under national law, under Article23 of the GDPR.

The general data protection regulation is perceived as insufficient when it comes to concretely addressing the challenges posed by new technologies

FRA research shows that, while the majority of interviewees believe that the requirements and tools provided in the GDPR are, in theory, adequate, most interviewees also highlighted that in practice the GDPR remains insufficient to regulate new technologies. Several interviewees said that DPAs are mostly unprepared when it comes to understanding and supervising new technologies (e.g. the implementation of AI-based systems). Some respondents emphasised the importance of dedicating more time and resources to the development of regulatory approaches for testing technologies, such as sandboxes (schemes used to test innovations in a controlled environment). Several interviewees expressed concern over the lack of clarity on the role their authority may have to play in the enforcement of data-related EU acts that have been proposed or adopted since the entry into force of the GDPR, in particular the proposed Artificial Intelligence Act.

Strengthening cooperation between data protection authorities may require strengthening the European Data Protection Board

FRA interviews confirmed that strong cooperation between DPAs will ensure swift enforcement and a harmonised interpretation of the GDPR. According to recital123 of the GDPR, reinforced and harmonised cooperation between DPAs is a key objective of the GDPR, and the EDPB was provided with a broader mandate than its predecessor to fulfil this objective. The EDPB’s broad mandate described in Article70 of the GDPR can greatly support DPAs and reduce their workload by ensuring cooperation and consistency and by developing guidance. Interviewees were mostly positive about the EDPB, recognising the quantity of work performed by an institution that many recognise to be understaffed. However, interviewees did identify room for improvement. Some interviewees argued that, although the work of the EDPB is welcome, it has led to significant additional work for DPAs, notably in their participation in working groups and numerous meetings. In this context, several DPAs identified a need to restructure the way in which the EDPB operates and its internal procedures.