Things are so bad, Brave's research claims, that the European Commission now needs to investigate member countries for not equipping data watchdogs with people, tools and financing to properly implement GDPR.
Johnny Ryan is famed for raising GDPR alarm bells about how digital advertising works -- particularly RTB -- which have led to a full investigation of the industry. As a result, the ICO has revealed that many of the concerns that have been raised are being addressed, and it is keeping an eye on the sector.
The main issues were content categories being widely recorded -- even though they related to data that should only be collected with specific permission from the viewer -- such as sites dealing with sexuality, health and political views -- and that privacy by design needed to be built into RTB systems to prevent too much personally identifiable information from being collected and seen by those without permission to view it.
Last June, the ICO gave the industry six months to deal with these issues. At the beginning of 2020, it offered the above summary that work was progressing on meeting the privacy challenges raised.
Today, however, just three months later, Brave is setting the cat among the proverbial pigeons again. It claims that GDPR is at risk of failing not so much because the privacy watchdogs are asleep on the job but rather because Governments -- excluding Germany -- have not equipped them with the necessary budget, head count and technical skills and tools to implement the law.
The new report is summarised here (where it can also be downloaded), and the main assertion is clear. Budget was increased for privacy watchdogs until GDPR became law, but it has decreased since its introduction two years ago.
Whether or not the increase before the law became enforceable and was enough to allow EU privacy organisations to rise to the challenge is a matter for debate. What Brave is asserting is that right now, too few have been given the finance needed to invest in the the technology tools and skills to enforce the Regulation.
For example, it claims that the EU's largest data privacy watchdog -- the ICO in the UK -- saw its budget double in the couple of years running up to GDPR. However, the researchers claim that of its 680 staff, just 3% are focussed on technical investigations.
In fact, the research goes on to claim that of the EU's 28 enforcement organisations, only five have more than 10 technology specialists. Nearly one in three who are equipped to carry out technology investigations into GDPR breaches work in just one country, Germany.
Thus, Brave is making the bold assertion that the European Commission should investigate EU members for failing to comply with the GDPR, which mandates all Governments must equip their data privacy watchdogs with the necessary human and financial resources to enforce GDPR.
It's an interesting plea that will probably raise more headlines than enforcement action. However, the report does tally with what I have been increasingly hearing over the past few months.
It is hard to quantify, but there appears to a general feeling that outside of massive fines for multinationals self-reporting cyber breaches, there generally does not seem to be the flurry of enforcement action that was expected.