Access Now raises the alarm over weak enforcement of the EU GDPR on the two-year anniversary

Brussels, BE — Today, Access Now releases a report which finds critical flaws in the enforcement of the EU flagship data protection law.

Two years after the General Data Protection Regulation (GDPR) went into effect, official data show that Data Protection Authorities (DPAs), crippled by a lack of resources, tight budgets, and administrative hurdles, have not yet been able to enforce the GDPR adequately. Worse, some public authorities have grossly misused the GDPR to undermine other fundamental rights such as the right to free expression and freedom of the press. 

Our report provides data, case studies, and analysis on how the GDPR has been enforced over the past two years. The GDPR’s first two years have been marked by crisis, whether internal, external, political, geopolitical, or administrative. Beyond enforcement challenges, our report explores how these crises have impacted the protection of personal data in the EU, taking a close look at both Brexit and the COVID-19 outbreak.

“Through this report, we raise the alarm to the EU institutions and Data Protection Authorities that it’s high time to act to enforce the GDPR and condemn its misuses,” said Estelle Massé, Senior Policy Analyst and Global Data Protection Lead at Access Now. “The European Union may have the best law in the world for the protection of personal data, but if it is not enforced, it risks being as useful as a chocolate teapot.” 

Access Now has advocated for the adoption of the GDPR since it was first proposed by the EU Commission in 2011. Since then, we have worked for its passage and continue to be involved in its application in our role as a permanent member of the European Commission Expert Group on the implementation of the GDPR.

For the law’s second birthday, we hoped for a more positive celebration. Still, the GDPR remains a strong framework, and if authorities take urgent action, it can go a long way in defending people’s fundamental rights. In our report, we present recommendations to EU institutions, DPAs, and Member States to address the challenges identified and fulfill the GDPR’s promise. 

Key findings:

  • From May 2018 to March 2020, authorities levied 231 fines and sanctions while as many as 144,376 complaints were filed between May 2018 and May 2019.  
  • Out of 30 DPAs from all 27 EU countries, the United Kingdom, Norway, and Iceland, only nine said they were happy with their level of resourcing. The inadequate budget provided to DPAs means that our rights may not be effectively protected. In fact, it may create a negative incentive for DPAs investigating large tech companies to agree on settlements that may be more favourable to the companies. This is reinforced by the huge disparity of resources between data protection authorities and the companies they oversee.

  • In Poland, Romania, Hungary, and Slovakia, courts and authorities have been abusing the GDPR to curtail investigative journalism or target civic tech NGOs by trying to force outlets to reveal their sources.  
  • The GDPR is a robust tool to guide officials and public health authorities in the response to the COVID-19 crisis. We condemn Hungary’s disproportionate decision to limit the application of GDPR rights during the COVID-19 crisis as it gravely endangers people’s right to data protection at a time when our personal information, including our health data, is being collected perhaps more than ever.
  • Enforcement challenges and the UK’s insistence on lowering current standards through the Brexit talks have implications for any future negotiations of a so-called adequacy decision between the EU and the UK that would authorise the transfer of data between the two jurisdictions.

Key Recommendations:

  1. Governments across the EU must increase the financial and human resources allocated to Data Protection Authorities, including technical staff, so that they can function properly and be able to address the large number of complaints.
  2. The European Commission should launch infringement procedures against EU states:
    • When they do not provide sufficient resources to Data Protection Authorities, or
    • When they do not guarantee the Data Protection Authority’s independence in status and in practice, or
    • Where Data Protection Authorities or courts misuse the GDPR to restrict freedom of the press or stifle civil society’s work.
  3. Data Protection Authorities must not misuse the GDPR, as they hold much of the responsibility for the GDPR’s success or failure. It is absolutely unacceptable that DPAs misuse the GDPR to undermine civil society, restrict freedom of the press, or otherwise violate human rights.