The European Data Protection Board (EDPB) has surveyed the European supervisory authorities on their financial and human resources and on the number of data protection cases they handle. The main objective is to show the status of the supervisory authorities and whether they are able to fulfil their tasks three years after the entry into force of the General Data Protection Regulation (GDPR). However, the survey also suggests other findings, such as how useful it can be to take action against fines imposed by the authorities.
Financial and human resources
First of all, the financial and human resources available to the supervisory authorities play an important role. Without these resources, it would simply not be possible to process their tasks under the GDPR. What is interesting to note is that the resource-rich countries in particular are dissatisfied with the available funds.
- In terms of both staff and finances, Germany is at the top of the list of available resources, but the supervisory authorities are not satisfied with regard to financial funds; there are, however, sufficient staff.
- The French supervisory authority Commission Nationale de l’Informatique et des Libertés (CNIL) is also one of the most resourced authorities, although a lack of funding has also been reported.
- Where there are fewer funds and staff available, such as in Hungary or the Czech Republic, the survey shows that there are no financial problems, but a shortage of staff.
However, these figures should not be considered in isolation but always in relation to inquiries from data subjects and the processing of notified data breaches. The more inquiries and data breach notifications are filed, and the more ex officio investigations increase, the more resources are needed to follow up on these tasks in a professional, timely and accurate manner.
Data subject complaints pursuant to Art. 77 GDPR
Art. 77 GDPR provides data subjects with the right to turn to the supervisory authorities if they believe that the processing of their personal data is contrary to the requirements of the GDPR. The survey found that, once again, Germany leads with the most requests, with 40,309 complaint cases in 2020 alone. In comparison, the French supervisory authority, which has the second most complaints, had only 13,585 such cases to deal with in 2020. The Irish supervisory authority, for example, reported 5,014 complaints in 2020.
These figures are already considerable in themselves, but by adding the processing status, they provide further insights concerning the duration of such procedures, for example.
- The Irish authority has currently concluded 14,500 such proceedings (incorporating complaint notifications since 2018 to 31 May 2021), with a decision pending in 2,672 cases.
- In France, CNIL reports the closure of 32,009 complaint procedures since the introduction of the GDPR, with 10,103 cases still open.
- The German supervisory authorities are again in the lead in terms of the number of cases still pending: 19,752 complaints still need to be brought to a decision, and 25,849 cases have already been closed.
Putting these figures in percentages, the picture becomes even clearer.
- 56% of Irish complainants are still awaiting a decision.
- In France, the outstanding proceedings amount to 23.99%.
- On the other hand, almost half, i.e. 43.31% of the complaint cases in Germany, have not yet been decided.
The respective procedural law of the Member States and the resources described above certainly also play a role in how long processing takes and how many cases are handled. In any case, this list clearly shows where the parties to such complaints have to be prepared for a longer procedure.
Ex officio investigation
A completely different picture emerges in the case of ex officio investigations, i.e. when supervisory authorities initiate data protection investigations in companies without a prior notification of data breaches or filed complaints by data subjects. In some Member States, this right under Art. 58 GDPR is exercised much more often than elsewhere. In 2020, 398 ex officio investigations were initiated and also concluded in Romania. Companies in Austria and France should also be prepared for ex officio investigations: respectively, 337 and 247 ex officio investigations were carried out, although some proceedings have not yet been decided. By comparison, the Spanish supervisory authority initiated only 26 proceedings last year. Figures from the German supervisory authorities are not available on this subject.
Data protection breaches
Another focus of the survey was the notification of data breaches. Both German (27,652 in 2020) and Dutch (24,055 in 2020) controllers face proceedings following such a notification. In contrast, the supervisory authorities in France (12 for 2020) and Spain (81 for 2020) record significantly fewer notifications. However, there is no evidence that these figures indicate more frequent data breaches in Germany or the Netherlands. It is more likely that the design of the notification channels and the ex officio investigations have an impact.
Judicial decisions on fines
For data controllers, the list of the status of court appeals against fines is likely to be of particular interest. Since the enforcement of the GDPR in Germany, companies have challenged 65 fines in court proceedings, none of which has yet been upheld in court. 42 of these proceedings are still pending, whilst the others have been dismissed or adjusted.
The Italian courts have so far adjusted or dismissed 39 of the 233 cases, but 144 decisions are still pending. In Spain, too, fines do not always stand up in court. Here, 266 proceedings were initiated, and in about one third (90 proceedings) the fine did not remain in its original form. The Belgian courts have had to deal with the most data protection fines to date, with a total of 328 proceedings, of which only two are still pending. Here, too, the fine was reduced or rejected altogether in about one third of the cases.
The conclusion to be drawn from these figures across all countries is that legal proceedings can certainly be worthwhile for controllers facing a fine. A reduction or even complete rejection of a fine has so far been achieved in every Member State, at least in a good proportion of the cases brought before the courts. These statistical values should therefore always be taken into account when deciding whether to accept a fine or to proceed against it.
Conclusion: Importance of GDPR compliance increases
The EDPB’s survey of supervisory authorities has not only provided clear figures but also many related insights for businesses and stakeholders. For all the topics surveyed, there has been an increase year after year across all Member States. Data subjects are increasingly exercising their right under Art. 77 GDPR, and ex officio investigations are also becoming more common. At the same time, the resources of the authorities are increasing in order to be able to continue to drive such procedures forward.
Companies should therefore always comply with their obligations under data protection law, such as maintaining an up-to-date record of their processing activities in accordance with Art. 30 GDPR. However, it should also be noted that legal proceedings against fines could be worthwhile in all Member States.