There’s one problem: many of the regulators who will police it say they aren’t ready yet.
The pan-EU law comes into effect this month and will cover companies that collect large amounts of customer data including Facebook (FB.O) and Google (GOOGL.O). It won’t be overseen by a single authority but instead by a patchwork of national and regional watchdogs across the 28-nation bloc.
Seventeen of 24 authorities who responded to a Reuters survey said they did not yet have the necessary funding, or would initially lack the powers, to fulfill their GDPR duties.
“We’ve realized that our resources were insufficient to cope with the new missions given by the GDPR,” Isabelle Falque-Pierrotin, president of France’s CNIL data privacy watchdog, said in an interview.
She, like some other regulators, was pressing her government for a substantial increase in resources and staff.
Many watchdogs lack powers because their governments have yet to update their laws to include the Europe-wide rules, a process that could take several months after GDPR takes effect on May 25.
Most respondents said they would react to complaints and investigate them on merit. A minority said they would proactively investigate whether companies were complying and sanction the most glaring violations.
Their responses suggest the GDPR enforcement regime will be weaker than the bloc's anti-trust authority run directly by the European Commission, the EU executive, which hit Google here with a 2.4-billion-euro ($2.9 billion) fine last year.
The launch of GDPR comes as data privacy is making headlines, with Facebook facing intense scrutiny over the leak of 87 million users’ personal data to Cambridge Analytica, a political consultancy that advised U.S. President Donald Trump’s election campaign.
The law aims to give EU citizens more rights to control over their online information. It has a slew of technically demanding requirements, and threatens fines of up to 4 percent of a company’s annual revenue for serious infringements.
Companies, for example, must be able to provide European customers with a copy of their personal data, and under some circumstances delete it at their behest. They should also report serious data breaches within 72 hours.
The industries most affected will be those that collect large amounts of customer data, including technology companies, retailers, healthcare providers, insurers and banks.
Reuters sent all the regulators a four-question survey about how they would handle their responsibilities. Eighteen national authorities replied, plus data protection officers in six of the 16 German federal states who are responsible for enforcement.
Only five in total said the necessary data protection laws and funding in their jurisdiction were in place. Of the 17 who said they did not have the necessary funding and legislation, 11 expected both to be provided in future.
The new law calls for national watchdogs to assume the lead role in overseeing companies headquartered within their borders.
It does however create a central body, the European Data Protection Board (EDPB), in an attempt to ensure the law is applied consistently across the bloc. The panel would serve both as a forum for regulators and issue binding rulings in disputes.
In the recent Facebook breach case, most regulators have not taken an active role because the firm’s EU headquarters is in Ireland, falling under the country’s Data Protection Commissioner (DPC). Cambridge Analytica is being investigated by the UK Information Commissioner’s Office (ICO).
The DPC of Ireland, which is also home to Google, Apple and Twitter, was among those who declined to take part in the survey, citing the complexity of the issues, as did the UK ICO.
The Irish authority did, however, say its budget and staffing had been ramped up in preparation for GDPR. Yet its funding this year, at 11.7 million euros, works out at less than one-thousandth of Facebook’s annual net income of $15.9 billion.
Johannes Caspar, the data protection commissioner in the German city-state of Hamburg, told Reuters he had had many differences of opinion with the Irish regulator in the past over its handling of Facebook, without giving details.
He also did not see the data protection board as an adequate forum to address issues, calling it “a cumbersome – and for outsiders certainly opaque – exercise”.
Italy’s data protection chief Antonello Soro welcomed the pan-European rules as a “guarantee against companies opening ‘convenience’ establishments in countries”. But its 2018 budget of just under 25 million euros and 122 active staff were inadequate to fulfill its responsibilities, and it would require double the funding and 300 staff.
Regulators largely did not specify what duties might be affected by a lack of resources. Experts expect oversight to be inconsistent at first, with regulators facing tough choices on whether to prioritize outreach work to encourage compliance, or enforcement actions against violators. Working smoothly as a group in the EDPB could also be a challenge.
“I think it will work but it will take time for companies and data protection authorities,” said Joerg Hladjk, counsel for cybersecurity, privacy and data protection at law firm Jones Day. “They need to try this out in practice.”
Estonia, known as a pioneer of e-governance, had backed a stronger regime enforced by the Commission.
Viljar Peep, head of the Estonian Data Protection Inspectorate, said the quality of enforcement under the chosen local system risked being inconsistent and would depend on the “administrative culture” of officials, which varied widely.
Some countries, like Estonia, took a broad view of data privacy, engaging with business and society to ensure the new rules are understood and respected, whereas others took a far narrower view, he added.
“Are we supposed to be proactive?” he asked.
Additional reporting by Hans-Edzard Busemann; Writing by Douglas Busvine; Editing by Jonathan Weber and Pravin Char