In 2019, the Dutch Data Protection Authority (AP) received 27,871 complaints about organizations in the Netherlands that do not comply with the law. With a staff of just over 180 people – employees who also have many other tasks on their plates – that is hardly possible to keep up. Reports remain unanswered, complaints are not investigated, Argos discovered.
According to researcher and privacy lawyer Axel Arnbak, the AP does not receive enough funding. “The following applies to the Dutch Data Protection Authority: as the technology advances, their range of tasks increases enormously. But the growth of the organization is completely disproportionate. 180 employees is far too little and that is a big problem.”
The Netherlands is not the only country where the supervisor cannot handle the work. “The supervisors have absolutely insufficient resources,” said Sophie in “t Veld, a MEP who was involved in the realization of the new privacy law.
According to her, almost all European supervisors have “too little money, too little manpower and too little technical knowledge. If you add up the budgets of all those supervisors, you will end up with between 300 and 350 million a year. That is what Facebook has to digest in two weeks. So that’s a completely uneven battle. Enforcement is really problematic. “
In order to prevent the Privacy Act from becoming a paper tiger, drastic measures are therefore necessary, according to In ‘t Veld. “Strictly speaking, the national governments are in violation of the GDPR, because the GDPR prescribes that they must provide sufficient resources. We are now two years after the GDPR came into force and I would say: now just pruning all those Member States to court and impose a big fine! “
The AP acknowledges the lack of manpower. “We have serious backlogs,” said Chairman Aleid Wolfsen. Together with the Ministry of Justice and Security, he has commissioned independent research. This should show how much the supervisor needs to expand in order to properly perform his task. “I would be very surprised if it did not work out that we had to grow strongly,” says Wolfsen. According to him, it is then up to the ministry to come up with an appropriate budget.
Two years after its introduction, municipalities are still struggling with the implementation of the GDPR. A survey conducted this fall by Master’s students in Journalism shows that 84 of the 110 municipalities surveyed do not meet the requirements of the GDPR at that time.
In addition, at least 26 municipal supervisors combine their position with another job within the municipality. A construction that both the Dutch Data Protection Authority (AP) and the Dutch Municipalities Association (VNG) consider undesirable.
More than 40 percent of the supervisors interviewed say that their municipality does not take sufficient measures to protect the personal data of citizens. 20 percent even say they are actively opposed by their own organization and are concerned about the protection of personal data.
More journalistic detective work?
Argos is the investigative journalistic program of VPRO and HUMAN. You can hear Argos on Saturday from 2 pm to 3 pm on NPO Radio 1. You can listen back via your favorite podcast app or via the Argos website. Follow Argos also on Facebook and Twitter.