GDR analysis: European regulators buckling under Schrems pressure

Understaffed and under-resourced European data protection authorities are likely to struggle with the new responsibilities handed to them by the Schrems II decision, GDR has found. 

In response to questions sent by GDR to all EU data protection authorities – including German regional authorities – 20 regulators said they expect the European Court of Justice’s decision will create more work for them, while 14 said they do not have the resources to carry out that work.

Only one regulator said the Schrems II decision will not increase their workload, and just two said they already have the resources required to carry out the work necessitated by the decision. Not all regulators responded, while some said it is still too early to say what the effect of the ruling will be.

The findings reflect one of the most commonly cited problems with the GDPR since it came into force two years ago: that the regulators responsible for enforcing the law do not have the resources to do so. 

Past research carried out by GDR found that European data protection authorities sometimes have very small budgets for each case they deal with, often paling in comparison to the resources of the companies they regulate. The problem is particularly stark for Ireland’s Data Protection Commission, which regulates many of the largest technology companies. Its chief Helen Dixon has publicly denounced previous small funding increases handed out by the Irish government.

The July decision in the European Court of Justice said that while it is the primary responsibility of data exporters to ensure transfers are safe, authorities must be prepared to also assess transfers and the data protection regime of their destination country. GDR’s research suggests that regulators expect this to be a significant burden. 

In an interview earlier this year, head of the Bavarian regulator Michael Will told GDR that he was “worried” about how his authority would deal with any new obligations created by the Schrems II decision. Following the decision, other enforcers now appear to share those fears, with a spokesperson for the Belgian authority, for example, telling GDR that more work “seems inevitable”, and noting that the regulator has asked the country’s parliament for more staff.

A spokesperson for the Berlin regional authority told GDR that the decision is likely to cause “an enormous amount of work”, but stressed that the primary responsibility lies with data controllers. The Brandenburg regulator, meanwhile, said that the extra work will slow processing times, describing this as “unpleasant not only for citizens, but also unsatisfactory for us as an authority”. 

Johannes Caspar, the outspoken head of the Hamburg data authority, told GDR that the ruling will push the resources of the authority “to the limit”. Caspar highlighted the “contradiction” between the regulator’s assigned task of protecting data rights while budgets stagnate. Another German watchdog said it is already “barely possible” to perform all of its tasks in a satisfactory way and warned that the situation will only get worse.

Many of the regulators highlighted the need for a joint response from the European Data Protection Board (EDPB) as a way of pooling resources and consistently applying the principles laid out in the decision. The EDPB has so far published several resources online and held meetings about the decision, but until any enforcement action takes place, it is unclear what role the EDPB will play.

The ruling seems to have had little effect on data transfers in practice, with the largest cloud providers maintaining that they will continue to use standard contractual clauses to transfer data to the US, despite the ruling throwing doubt on the use of those mechanisms.