GDPR – Europe’s General Data Protection Regulation has been billed as the biggest shake-up of data privacy laws since the birth of the web.

There’s one problem: many of the regulators who will police it say they aren’t ready yet.

The pan-EU law comes into effect this month and will cover companies that collect large amounts of customer data including Facebook and Google. It won’t be overseen by a single authority but instead by a patchwork of national and regional watchdogs across the 28-nation bloc.

Seventeen of 24 authorities who responded to a Reuters survey said they did not yet have the necessary funding, or would initially lack the powers, to fulfill their GDPR duties.

“We’ve realized that our resources were insufficient to cope with the new missions given by the GDPR,” Isabelle Falque-Pierrotin, president of France’s CNIL data privacy watchdog, said in an interview.

She, like some other regulators, was pressing her government for a substantial increase in resources and staff.

Many watchdogs lack powers because their governments have yet to update their laws to include the Europe-wide rules, a process that could take several months after GDPR takes effect on May 25.

Most respondents said they would react to complaints and investigate them on merit. A minority said they would proactively investigate whether companies were complying and sanction the most glaring violations.

Their responses suggest the GDPR enforcement regime will be weaker than the bloc’s anti-trust authority run directly by the European Commission, the EU executive, which hit Google here with a 2.4-billion-euro ($2.9 billion) fine last year.

The launch of GDPR comes as data privacy is making headlines, with Facebook facing intense scrutiny over the leak of 87 million users’ personal data to Cambridge Analytica, a political consultancy that advised U.S. President Donald Trump’s election campaign.

HEAVYWEIGHTS IN IRELAND

The law aims to give EU citizens more rights to control over their online information. It has a slew of technically demanding requirements, and threatens fines of up to 4 percent of a company’s annual revenue for serious infringements.

Companies, for example, must be able to provide European customers with a copy of their personal data, and under some circumstances delete it at their behest. They should also report serious data breaches within 72 hours.

The industries most affected will be those that collect large amounts of customer data, including technology companies, retailers, healthcare providers, insurers and banks.

Reuters sent all the regulators a four-question survey about how they would handle their responsibilities. Eighteen national authorities replied, plus data protection officers in six of the 16 German federal states who are responsible for enforcement.

Only five in total said the necessary data protection laws and funding in their jurisdiction were in place. Of the 17 who said they did not have the necessary funding and legislation, 11 expected both to be provided in future.

The new law calls for national watchdogs to assume the lead role in overseeing companies headquartered within their borders.

It does however create a central body, the European Data Protection Board (EDPB), in an attempt to ensure the law is applied consistently across the bloc. The panel would serve both as a forum for regulators and issue binding rulings in disputes.

In the recent Facebook breach case, most regulators have not taken an active role because the firm’s EU headquarters is in Ireland, falling under the country’s Data Protection Commissioner (DPC). Cambridge Analytica is being investigated by the UK Information Commissioner’s Office (ICO).

The DPC of Ireland, which is also home to Google, Apple and Twitter, was among those who declined to take part in the survey, citing the complexity of the issues, as did the UK ICO.

The Irish authority did, however, say its budget and staffing had been ramped up in preparation for GDPR. Yet its funding this year, at 11.7 million euros, works out at less than one-thousandth of Facebook’s annual net income of $15.9 billion.

Johannes Caspar, the data protection commissioner in the German city-state of Hamburg, told Reuters he had had many differences of opinion with the Irish regulator in the past over its handling of Facebook, without giving details.

He also did not see the data protection board as an adequate forum to address issues, calling it “a cumbersome – and for outsiders certainly opaque – exercise”.

‘CONVENIENCE ESTABLISHMENTS’

Italy’s data protection chief Antonello Soro welcomed the pan-European rules as a “guarantee against companies opening ‘convenience’ establishments in countries”. But its 2018 budget of just under 25 million euros and 122 active staff were inadequate to fulfill its responsibilities, and it would require double the funding and 300 staff.

Regulators largely did not specify what duties might be affected by a lack of resources. Experts expect oversight to be inconsistent at first, with regulators facing tough choices on whether to prioritize outreach work to encourage compliance, or enforcement actions against violators. Working smoothly as a group in the EDPB could also be a challenge.

“I think it will work but it will take time for companies and data protection authorities,” said Joerg Hladjk, counsel for cybersecurity, privacy and data protection at law firm Jones Day. “They need to try this out in practice.”

Estonia, known as a pioneer of e-governance, had backed a stronger regime enforced by the Commission.

Viljar Peep, head of the Estonian Data Protection Inspectorate, said the quality of enforcement under the chosen local system risked being inconsistent and would depend on the “administrative culture” of officials, which varied widely.

Some countries, like Estonia, took a broad view of data privacy, engaging with business and society to ensure the new rules are understood and respected, whereas others took a far narrower view, he added.

Dutch Tax Authority not fully GDPR-compliant as deadline approaches

This is not the first time the tax authority has raised concerns about its GDPR compliance, having done so in its previous bi-annual report in November 2017.

The report, which outlined the overall state of the tax authority, mentioned the GDPR in just a few paragraphs, saying it aims to take a short and a long approach to the new law. “The short approach means we accelerate the phasing out of outdated processes,” a spokesperson said. “By 25 May, we will also have a comprehensive overview of all processes and authorisations, and a roadmap of when those will be compliant.”

The long approach, the report said, is to “transition the tax authority to a durable compliance with the law”. It added: “That means that by the end of May, the tax authority will not be fully compliant with the GDPR.”

Computer Weekly recently spoke to Aleid Wolfsen, chairman of the AP, the Netherlands’ privacy watchdog, who stressed that no organisation would get special treatment. “After 25 May, wrong is wrong,” he said.

That means there will be no exception made for the tax authority, said a spokesperson for the AP. “The tax authority collects an exceptionally large amount of information on citizens,” the spokesperson said. “Institutes like these are not above the law and will be treated equally after 25 May.”

The tax authority has been reprimanded by the Dutch courts several times before when it was found to have violated citizens’ privacy. In one case, the organisation had wrongly supplied private data to a housing organisation.

The tax authority said it is in talks with the privacy watchdog, as is mandatory under current Dutch law and under the GDPR. However, the talks so far amount to little more than a notification to the watchdog.

It is still unclear what will happen in the Netherlands after 25 May. Theoretically, the AP can conduct investigations and hand out fines, but the watchdog has previously been criticised for not taking action. Wolfsen has complained about the organisation being under-staffed, so it remains to be seen whether fines will be imposed.

Critics are not surprised by the news. “This shows exactly how the Dutch government views privacy,” said Reinout Barth of PrivacyBarometer, a site that follows privacy developments in the Netherlands. “It is an obstacle, not something that is inherent in its systems. You can’t change that in a few months.”

READ ALSO: GDPR – Austria accused of undermining new EU data law

GDPR Watchdog: We are not surprised despite that DPA’s have had at least a year to prepare for May 25th. This is exactly the reason we have sent questions to all of them in order to rate DPA’s in the interest of the new consumer privacy regulations. Anyway the delay by some countries do NOT change the EU data subjects rights under the General Data Protection Regulation. No matter the readiness of the DPA’s, their citizens, under the EU regulation have the right to know how personal data is used or if deleted by local companies (see “KNOW YOUR RIGHTS” in the menu bar). GDPR Watchdog recommend data subjects who are not able to get this information should contact us for assistance.

This article is sponsored by:

GDPR certified

Show your customers that you care about their privacy! European Center for GDPR Certification is the “Consumer Trust Body” of the General Data Protection Regulation. Visit  GDPRcertified.org to read about how to add “GDPR TRUST SEAL”™ to your website in order to gain more business and distance you from the not so serious businesses – It Pays Off!