by Fatma Ceren Morbel
The European Union’s General Data Protection Regulation (“GDPR”) has applied since 2018 to all organizations that handle personal information related to citizens and residents of the European Union.
The regulation enhanced the rights of data subjects, redefined the scope and application of the right to privacy as a fundamental right to data protection, and harmonized national legal frameworks across the EU. It has also strengthened the duties, responsibilities, and powers of data protection authorities (“DPAs”).[1]
According to Article 97 of the GDPR, the European Commission is required to produce regular evaluation reports on the law itself. The first evaluation report was published in June 2020, and the Commission released its second report on 25 July 2024.[2]
In this blog post, we examine the second report of the Commission in tandem with the European Union Agency for Fundamental Rights’ (“FRA”) report, which includes interviews with national data protection authorities.
The FRA conducted a total of 70 interviews with representatives of the DPAs in all 27 EU Member States. The interview results indicated that the DPA representatives encountered challenges in maintaining independence, exercising supervisory and advisory functions, and cooperating with other domestic regulators.
As a result of the GDPR’s implementation in the EU, DPAs have been assigned more responsibilities and powers than they had before the GDPR was brought into effect, such as providing advice to different stakeholders, promoting awareness, handling complaints, and investigating data protection breaches. Based on the interviews, the most prominent concern was the substantial increase in workload associated with handling a large volume of complaints and notifications. Because the workload has increased significantly, DPAs are unable to accomplish their full mandate due to a lack of resources. They find themselves underfunded and understaffed, despite DPA budgets being increased following GDPR implementation. Because of resource constraints, some DPAs were unable to fulfill their entire mandate and had to prioritize certain tasks over others. The report showed that for DPAs to carry out their duties effectively in increasingly complex technical areas, they need legal and IT professionals with expertise in data protection.[3]
The FRA report asserts that EU Member States must ensure adequate financial, human, and technical resources for DPAs, and that effective supervision requires thorough investigation. While several interviewees find the GDPR’s investigatory measures appropriate, they suggest additional tools could further enhance supervisory capacity.
Interviewees highlighted that DPAs are obligated under the GDPR to respond to every complaint, yet they often lack the time and human resources needed to meet this requirement. The FRA observed that this challenge is exacerbated by insufficient harmonization and collaboration among DPAs, which undermines their ability to address these issues effectively. The FRA also emphasized the importance of cooperation with different authorities and promoting awareness and understanding of data subjects’ rights and data controllers’ obligations among the public.
The second report published by the European Commission highlighted significant enforcement activity by DPAs over the past few years, including landmark fines for the infringement of the lawfulness and security of processing, the infringement of processing of special categories of personal data, and the failure to comply with individuals’ rights.[4]
Similar to the FRA’s report, the Commission’s report also demonstrated that, although budgets and staff resources have been increased for data protection authorities, the authorities have struggled to handle consumer complaints and have adopted divergent interpretations of the GDPR.[5]
According to the Commission’s report, it is necessary to focus on the following areas in order to guarantee both strong protection for individuals and free movement of personal data within the EU and safe data flows outside the EU: strong enforcement of the GDPR, support from DPAs for stakeholders’ compliance efforts, a consistent interpretation and application of the GDPR throughout the EU, a coordinated effort between national and EU regulators to ensure consistent and coherent implementation of the growing body of digital rules within the EU, and advancing the Commission’s international data protection strategy.[6]
As in the FRA’s report, the Commission’s report also highlighted the importance of effective cooperation with other sectoral regulators on data protection since data protection issues intersect with competition law, consumer law, and digital market rules. Especially after the enactment of the Digital Markets Act, the Data Governance Act, and the Digital Services Act, effective cooperation has become imperative.
As part of the cooperation procedure, national DPAs will have the opportunity to communicate their views to the lead supervisory authority, and cooperation tools provided by the GDPR will be used to facilitate early consensus in investigations.[7]
While some efforts have been made to foster cooperation, such as joint workshops, it remains necessary to take a more structured approach involving Member States in order to improve dialogue between data protection authorities and other regulators.[8]
[1] https://fra.europa.eu/en/publication/2024/gdpr-experiences-data-protection-authorities
[2] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2024%3A357%3AFIN&qid=1721897017650
[3] https://fra.europa.eu/en/publication/2024/gdpr-experiences-data-protection-authorities
[4] https://www.dataguidance.com/news/eu-commission-publishes-second-report-application-gdpr
[5] Ibid.
[6] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2024%3A357%3AFIN&qid=1721897017650
[7] https://www.consilium.europa.eu/en/press/press-releases/2024/06/13/data-protection-council-agrees-position-on-gdpr-enforcement-rules/
[8] Ibid.