Almost a year into GDPR implementation, people across the EU are continuing to exercise their data protection rights and raise issues with national enforcement authorities.
Countries covered in this edition
For this edition, we were able to obtain comprehensive data on DPA activity from ten EU Member States. This was fewer than in the last edition. Some countries indicated that they were unable to supply data in the requested time-frame due to preparation of annual reports. We are disappointed not to have a wider dataset for this edition but expect to be able to obtain data on more countries in future issues.
The charts below present statistical data provided by the DPAs from Austria, Cyprus, Germany, Greece, Ireland, Italy, Poland, Romania*, Sweden and the United Kingdom. We did not have data for Austria, the United Kingdom, Ireland or Hungary in the previous issue.
The reference dates covered for each of the countries differ slightly (see details below for individual countries), but overall this data covers 25 May 2018 to 1 March 2019.
We are presenting statistics about:
- the total number of complaints received, and
- the total number of data breach notifications received.
Getting the data – what are the challenges?
Collecting comparable data across the EU for this publication is a resource-intensive process, which we currently struggle to accomplish due to insufficient resources. It is made additionally complex by the lack of consistency in how national DPAs record, store and supply GDPR data. Some countries such as Ireland simply refer us to officially published reporting. In other cases, it is possible to request data directly from national DPAs. Even then, DPA responses vary, which makes comparative analysis difficult.
Germany presents a particular challenge for data collection, since it has a separate data protection authority for each of its 16 federal states. This means we would need to obtain data from each federal DPA to accurately report on GDPR compliance across the country as a whole. However, some federal states, including the highly populated state of Bavaria, have yet to provide any data about the number of complaints or data breach notifications they have received since the GDPR came into effect in 2018. This means any reporting on Germany is likely to be undercounting, potentially significantly, the true number of complaints and data breach notifications across the general population.
We again ask the European Data Protection Board (EDPB) to develop protocols which require and explain how national DPAs should publicly report specifically comparable figures at frequent and regular intervals. Ad hoc and annual reporting is not precise enough to properly analyse the impact of GDPR.
The numbers show that a significant number of complaints have been filed across the EU. Every country where we have previous data has had new complaints in this reporting cycle.
Putting the number in context
The data shows that the United Kingdom’s DPA is receiving vastly more complaints than other countries in terms of raw numbers. However, looking at this against the number of individuals in the country (per capita), the UK has had roughly 51 complaints per 100,000 people. Looking at this against other per capita data presents a different picture of the UK DPA’s activity.
Ireland has had relatively few complaints overall, but has had roughly 57 complaints per 100,000 people. This is higher than the UK. The reporting period for Ireland was around two months shorter than the other countries in this report, however, so there is some undercounting here. Hungary has had an average of approximately 10 complaints per day in this reporting period and around 29 complaints per 100,000 people. This is higher than Poland, for example, which had more complaints overall but on a per capita basis had around 15 complaints per 100,000 people.
As with complaints, the UK DPA received the most breach notifications – an average of around 42 per day over the course of the reported period. Ireland had many fewer notifications in terms of raw numbers, but had around 70 notifications per 100,000 people over their reporting period. This is possibly due to the large number of businesses which have their headquarters in Ireland. Sweden is also receiving a relatively large number of breach notifications – 33 per 100,000 people.
The absence of the Netherlands in this dataset skews the UK’s position as against other countries, since in the last reporting cycle, the Netherlands had 12,763 breach notifications, over 1000 more than the UK.
The conclusions above are based on a very small data sample. However, they are supported by other published reporting. The EDPB gave a figure of over 95,000 complaints in its first overview report on the implementation of the GDPR. Law firm DLA Piper also reported a total of over 59,000 data breaches in this February 2019 survey. Taken together, these figures indicate that even in this “transition year” (a term used by French regulator Mathias Moulin at a recent conference) the notification element in the GDPR is working well.
Public data is important. Transparency helps to increase consistency, and other countries, particularly the United States, are watching to see how GDPR performs and where its strengths and weaknesses lie. As GDPR reaches its first birthday in May, DPAs across the EU will be preparing annual reports, which should give us a wider picture of compliance. We’re particularly interested in seeing how Slovakia, Bulgaria, Croatia, Estonia and Lithuania are performing, as data on these countries is currently scarce.
GDPR Today will be collecting statistical information from DPAs in bi-monthly rounds – Stay up to date!
DETAILS CONCERNING DATA COLLECTION IN INDIVIDUAL COUNTRIES
Austria – 25 May 2018 to 1 March 2019; figures gathered by NOYB
Cyprus – 25 May 2018 to 1 March 2019; figures gathered by Homo Digitalis
Germany – The period covered varies by federal state. For most states, the time frame is 25 May 2018 to around 1 March 2019; figures gathered by Panoptykon Foundation
Greece – 25 May 2018 to 1 March 2019; figures gathered by Homo Digitalis
Hungary – 25 May 2018 to 1 March 2019; figures gathered by Access Now
Italy – 25 May 2018 to 1 March 2019; figures gathered by NOYB
Ireland – 25 May – 31 December 2018; figures gathered from Ireland’s Data Protection Commission Annual Report for 2018
Poland – 25 May 2018 – 28 February 2019; figures gathered by Panoptykon Foundation
Romania – 25 May 2019 – 1 March 2019; figures gathered by APTI*
Sweden – 25 May 2018 to 18 March 2019; figures gathered by Data Skydd
United Kingdom – 25 May 2018 to 31 January 2019; figures gathered by Open Rights Group
* added post-publication