When we speak about General Data Protection Regulation (GDPR) deadlines, we typically look at them from the compliance perspective of organizations. But what about the readiness of the national data protection authorities (DPAs) in EU member states? As it appears, many will not be ready at all. This is GDPR DPA readiness in practice.
When the European Commission detailed its ‘concerted efforts’ for the next steps of its GDPR initiatives at the end of January 2018, whereby all stakeholders would need to work together nicely (“the concerted effort”) to make the GDPR a success, it essentially listed all the steps that the various stakeholders still had ahead of them: data protection authorities and member states, on top of data controllers, processors and data subjects, the European Data Protection Board and the Commission itself.
The ‘concerted effort’ message from the Commission came with a clear call for member states to step up the pace, and with a statement that hit media headlines: only two EU member states had adopted the relevant national legislation, four months ahead of the ‘GDPR deadline’.
As we repeated in that article and previously mentioned in a post on GDPR and consent, quote: “many national supervisory authorities were already underfunded (and by the looks of it in some countries with the GDPR that isn’t about to rapidly change which of course comes with consequences regarding the enforcement of the GDPR)”.
Now, if you want to protect personal data and understand to what degree that will effectively happen, and thus also how it will impact organizations, two parameters are of course crucial: 1) to what extent EU citizens will exercise their rights (and more) and 2) how efficiently (and independently, and more) data protection authorities will be able to work. With regard to the latter, it’s clear that member states and DPAs need to be ready for GDPR and properly equipped to do what is expected of them.
With only two member states ready for GDPR, what about GDPR DPA readiness?
It’s an open secret that several national data protection authorities are not just underfunded (and, as said, have been in the past) but also that, in practice and in general, DPAs are not and will not be ready for GDPR by May 25, 2018.
After the announcement, and the de facto criticism, of the European Commission that only two member states were ‘ready’, some member states reacted. Note: Germany and Austria are the two that were ready, with Germany and German companies leading by far on all possible fronts and aspects of GDPR and related topics: Germany leads in cloud data protection, and German organizations lead by far in GDPR compliance, as recent forensic data analytics research with a focus on regulatory compliance risks shows.
One of the countries that reacted to the criticism of the European Commission was Belgium, where staff of the State Secretary for the Fight against Social Fraud, Privacy and North Sea stated that Belgium would be ready, had reformed the existing Commission for the Protection of Privacy (including a name change) into the (Belgian) Data Protection Authority, and had announced an additional budget of 1.6 million euros, whereby everything would be in place by May 25.
On January 10th the law setting up the data protection authority, whereby this new Data Protection Authority replaces the Commission for the Protection of Privacy on the day the GDPR applies, was indeed published in the Belgian official journal (PDF in Dutch and French).
The law, which is just one of the legal duties in the scope of GDPR, gives the DPA a new structure and tackles its powers. The Belgian DPA has been relatively active in the past and still is (by way of an example: on February 16, 2018, a Belgian Court of First Instance followed the view of the Commission for the Protection of Privacy that Facebook is in breach of privacy regulation and ordered Facebook to stop tracking Belgian users AND delete all unlawfully gathered data until the law is respected; Facebook has appealed).
Now, setting up a new DPA by law is one thing; making it work is of course another. In practice a lot will depend on the means it has to ‘exercise’ its broader powers, whereby the new structure and budget make the difference between merely having a newly named and restructured DPA and a DPA that is able to seriously follow up on the GDPR.
And here comes the crux of the matter, whether DPAs will be ready for GDPR or not.
The President of a DPA speaks up on GDPR DPA readiness
In an interview published on February 16 (the same day as the Facebook court decision indeed), again a bit closer to the ‘GDPR deadline’, the President of the Commission for the Protection of Privacy, Willem Debeuckelaere, stated that neither the current Commission for the Protection of Privacy nor its successor, the Belgian DPA, is or will be ready for GDPR at all.
In the Dutch interview, which you can read (using Google Translate, for example) here, Debeuckelaere doesn’t spare his criticism. Although, he says, the Commission for the Protection of Privacy is among the best prepared, it has been stating that it is nonsense to prepare for the major change in personal data protection law that the GDPR represents.
Debeuckelaere states that, while the original goal was that national data protection authorities would first reorganize themselves, fully ‘digest’ the GDPR (which is more than just a massive text) and work in a gradual way, the European Commission dismissed the idea, to say the least. He is also highly critical of how the Regulation has been drafted, pushing the actual application onto the national data protection authorities. Another main point of criticism is that the European Commission was supposed to help DPAs with topics such as certification. However, the Commission only starts doing so in May; indeed, that very month.
Another example: the European Commission, as mentioned in a previous article, aims to fund specific initiatives for specific industries in the scope of GDPR. DPAs prepared their suggestions, but by the time decisions are made as to which projects get funded, we’ll be way past May 2018.
In the interview he repeatedly stresses the pressure his organization is under. While there are ever more demands regarding GDPR, and extended powers come with additional responsibilities, resources are scarce. Moreover, the additional budgets that are needed are really lacking, as politicians state that there will be more financial means thanks to the restructuring, which the President of the Commission for the Protection of Privacy essentially calls nonsense and wishful, theoretical thinking.
How prepared are EU member states and their DPAs for GDPR? Hard to tell, but it’s far from over
There is far more in the interview with Debeuckelaere, so do read it.
As to when he thinks the DPA will really be fully ready for GDPR (which doesn’t mean that, where needed, action on specific measures won’t be taken in the meantime), he estimates it will take 1 to 2 more years.
What does all this mean for organizations? Strictly speaking, not that much. GDPR is not going away, nor are data subject rights, the duties of data controllers and data processors, the essential personal data processing principles, the legal grounds for lawfully processing personal data, the GDPR fines, new data subject rights such as data portability and so much more.
What the interview, common sense, political discussions and all the mentioned signs make clear, however, is that ‘the concerted effort’ which the European Commission wants to see sounds great in theory but in the field is not that concerted, on multiple levels.
And how else could it be with this ambitious, game-changing personal data protection mastodon, for which ample guidelines are still being published and planned to clarify it and to advise, among others, the DPAs, as the WP29 did and keeps doing, as we pointed out previously as well? This doesn’t mean they don’t work hard, but it shows how hard it is and, let’s be frank, how late it is when looking at the dates.
We should also remember that many organizations won’t be ready either, yet it does seem that the EU and its member states have some issues to solve themselves.
Whether Belgium is among the countries where DPAs are best prepared or more in the middle doesn’t even matter that much.
The question is what about those other EU member states where the DPA heads are perhaps less vocal. Sure, larger countries such as Germany, France, the UK, Ireland and the Netherlands might be ahead and de facto might have to deal with most requests. These are not just data subject requests, of course: think about the fact that DPAs have work in guiding large international organizations on the path of binding corporate rules, requests for data protection impact assessments, tasks regarding codes of conduct, a role in personal data breaches and personal data breach notifications, a duty to collaborate with other DPAs, to report, to meet with the EDPB of which they are part, and far more. But as consistency is key and the EU has ample more member states, we wonder how GDPR-ready other DPAs, and the member states themselves, are.
And we have only looked at one part of the EU data protection law reform package, with the ePrivacy Regulation coming next, after the GDPR applies (and many companies and DPAs won’t be ready for that one either), not to mention the other activities organized by data protection authorities.