How the EU's Data Protection Authorities handle GDPR application

Last month, the European Commission's Directorate General for Justice and Consumers released a second report on the implementation of the General Data Protection Regulation (GDPR), which has been in effect since 2018.

by Egle Markeviciute

These reports, to be issued every four years, highlight the challenges faced by EU citizens, businesses, national data protection authorities (DPAs), and EU institutions.

The EU's DPAs have launched over 20,000 own-initiative investigations and collect 100,000 complaints per year, 20,000 of which have been resolved through amicable settlements. Over 6,688 fines, amounting to €4.2 billion, have been imposed.

Challenges

The GDPR application process remains challenging due to several factors, including insufficient funding for national DPAs and a shortage of specialists. As a result, the process is often lengthy—most countries, except for Denmark, Spain, Greece, Ireland, and Estonia, take 3 to 12 months to handle complaints.

A report by the European Union's Agency for Fundamental Rights highlights concerns from some stakeholders who believe the current GDPR application can be overly restrictive. They argue that some DPAs and the EDPB stray away from the GDPR's risk-based approach, which limits both media freedom and the growth of the digital economy. Overly strict interpretations are especially problematic in topics such as the handling of anonymization, the basis for legitimate interest and consent, and exceptions to rules on automated decision-making.

Perfecting the application of GDPR is a work in progress. Both the EDPB and national DPAs are at a crossroads, having to both protect the legitimate interests of EU citizens and avoid placing an excessive burden on EU businesses.

Although comprehensive data on Member States' DPA approaches is not publicly available, some elements in the report showcase differences in approaches to potential GDPR infringements.

Country group 1: business and consumer-friendly, low (or no) fines, fast resolve

Denmark, Estonia, and Lithuania stand out for resolving complaints quickly, focusing on guidance and corrective measures, and refraining from heavily fining businesses.

Denmark resolves complaints the fastest, with an average processing of just one month. Denmark imposes no fines but is proactive in applying other corrective measures.

The Estonian DPA resolves GDPR complaints within an average of 3 months, has issued 332 corrective measures, and focuses on guidance, not penalties. Estonia's total penalty sum is among the lowest in Europe, at €201,000.

The Lithuanian DPA follows a similar approach, having issued 308 corrective measures, with a total penalty sum of €435,000. Like Denmark and Estonia, Lithuania prioritizes guidance and corrections over heavy fines.

Country group 2: focus on settlement, some fines

Austria, Hungary, and Luxembourg all emphasize amicable settlements but are prepared to issue fines when necessary. The Austrian DPA has imposed a total of €19 million in fines, while the Hungarian DPA has issued €15 million in penalties. Luxembourg stands out with a total of €746 million in fines.

Country group 3: high complaint turnover, a large number of corrective decisions, and fines

Spain, Italy, Germany, and France, the countries with the largest markets in the EU, can be grouped as countries with a high complaint resolution turnover and plenty of fines imposed.

Spain stands out for resolving complaints the fastest—in an average of 1.5 months. The Spanish DPA has issued 774 corrective decisions and imposed 1596 fines, amounting to €29 million.

The German DPA issued 3261 corrective measures and imposed 2106 fines, amounting to €49 million. In Italy, authorities handled over 30,880 complaints in 2022 and imposed fines totaling €197 million. The French DPA handled 12,193 complaints and imposed €131 million in fines.

Irish case

Ireland is a global tech hub in Europe, hosting multiple multinational tech corporations, and its results are affected accordingly. On average, the Irish DPA resolves GDPR complaints in 3 months and proactively issues corrective decisions. The total sum of imposed fines is a whopping €2.8 billion.
