Europe’s General Data Protection Regulation (GDPR) has been billed as the biggest shake-up of data-privacy laws since the birth of the web.
There’s one problem: Many of the regulators who will police it say they aren’t ready yet.
The pan-European Union law comes into effect this month and will cover companies that collect large amounts of customer data including Facebook and Google. It won’t be overseen by a single authority but instead by a patchwork of national and regional watchdogs across the 28-member bloc.
Seventeen of 24 authorities who responded to a Reuters survey said they did not yet have the necessary funding, or would initially lack the powers, to fulfill their GDPR duties.
“We’ve realized that our resources were insufficient to cope with the new missions given by the GDPR,” Isabelle Falque-Pierrotin, president of France’s CNIL data privacy watchdog, said in an interview.
She, like some other regulators, was pressing her government for a substantial increase in resources and staff.
Many watchdogs lack powers because their governments have yet to update their laws to include the Europe-wide rules, a process that could take several months after GDPR takes effect on May 25.
Most respondents said they would react to complaints and investigate them on merit. A minority said they would proactively investigate whether companies were complying and sanction the most glaring violations.
Their responses suggest the GDPR enforcement regime will be weaker than the bloc’s antitrust authority run directly by the European Commission, the EU executive, which hit Google with a €2.4-billion ($2.9 billion) fine last year.