It’s sad, but unsurprising, that digital privacy regulations introduced in Europe over two years ago are in danger of failing because regulators are under-resourced.
As we mark the second anniversary of the introduction of the GDPR, a report by Brave – makers of a pro-privacy browser –found that “European governments have failed to equip their national regulators to enforce GDPR”. The report found that only five of Europe’s 28 national enforcers of the GDPR have more than 10 tech specialists each, and that half of EU enforcers of the GDPR have a small annual budget of €5 million or less.
Why was GDPR introduced?
To understand the seriousness of these findings, let us cast our minds back to when the GDPR was introduced. On May 25th 2018, years of preparation resulted in the long-planned data protection reforms that came into force across Europe. The GDPR modernised the laws that protect the personal information of individuals and updated previous data protection rules that were two decades old – with some of them being first drafted in the 1980s, such as the UK’s Data Protection Act (DPA).
According to the EU, the GDPR was designed to harmonise data privacy laws across its member states, give greater rights to individuals, and allow for large fines to be handed out to organisations in breach of the rules.
What has happened since 2018?
Over two years on, it seems that many of the countries that signed up to the GDPR still have their heads in the sand when it comes to enforcement. For instance, the UK Government’s privacy watchdog is Europe’s largest and most expensive to run, yet only 3% of its 680 staff is focused on tech privacy problems. We can only assume that the root of this is under-resourcing.
The lack of funding and staff dedicated to tech privacy problems may help to explain why there have been few fines handed out to businesses that have experienced data breaches in recent years. The biggest penalties in the UK so far have only been issued as intentions to fine, which are for British Airways (£183m) and Marriott (£99m), and both are under appeal. British Airways is also facing a potential compensation pay-out which could amount to as much as £3 billion.
These substantial but incomplete fines have failed to act as a deterrent. This year alone, we’ve seen Travelex and Loqbox experience high-profile data breaches. More recently, Virgin Media left the personal details of 900,000 individuals accessible online for 10 months. This included full names, email addresses, dates of birth, contact numbers, and details that linked some customers to explicit websites. Like British Airways, Virgin Media could be facing a substantial compensation bill estimated to be up to £4.5bn.
And now, in the month of the second anniversary of the GDPR, airline EasyJet announces a monumental data breach affecting 9 million of its customers. It is clear that lessons are not being learned and there is a distinct lack of deterrent for organisations to act in accordance with the law. Perhaps when a significant regulatory fine is issued, or where a multi-billion pound compensation settles, we may finally see real changes. Until then, we anticipate more breaches taking place.
What are the consequences of the lack of funding for tech privacy?
It will be interesting to see how the fines progress for each of the above data breaches. The lack of funding and attention outlined in the Brave report could mean that it takes years for these fines to be handed out.
This, in turn, could diminish the GDPR’s authority over the approach of businesses to cybersecurity. A continued lack of funding for data protection watchdogs and a lack of swift execution of fines could mean that businesses fail to take the required steps to properly protect data – resulting in the personal information of more consumers being exposed.
Going forward, it is vital that more staff and funding is dedicated to the enforcement of the GDPR. It’s no good having rules and laws in place if regulators lack the resources to enforce them. We are currently at a crossroads where European governments have the opportunity to boost their cybersecurity capabilities and enforce the rules they signed up to two years ago. If we continue down the road we are currently on, it’s likely we will see more organisations fail to protect personal information and more consumer data could be exposed to hackers.