How many GDPR complaints so far?

Excerpts from the International Association of Privacy Professionals (IAPP) | by Christine Baird, Clarus Tech Partners | 27 June 2018

As a member of IAPP, the go-to source for everything GDPR, I was curious about the initial fall-out after the EU General Data Protection Regulation (GDPR) penalties went into effect just a month ago on May 25th.

During the past month, GDPR already has a global impact, from multiple U.S. based news sites, including the LA Times and the Chicago Tribune, that restricted access to European users, and privacy advocacy groups filing complaints against the practices of big tech companies, including Google, Facebook, WhatsApp and Instagram.

On the one-month anniversary, the IAPP contacted Data Protection Authorities (DPAs) of each of the 28 member states to check in and discuss how many complaints they had received since May 25th.

Here are the results from IAPP’s John Choudhari, for The Privacy Advisor:

GDPR complaints received by EU member states since May 25

Includes Staff Data from 2016, Annual Budget Data from 2017, cited from the IDCPPC 2017 Census

Austria Complaints Received: 81 Span of Days: 20 Staff (2016): 24 Annual Budget (2017): N/A The Austrian Data Protection Authority has been receiving just over four complaints per day since the GDPR went into effect, with 81 total complaints coming in during the first 20 days of the new regulation.

Belgium Complaints Received: 3 Span of Days: 26 Staff (2016): 56 Annual Budget (2017): $9,639,000 The Belgian Data Protection Authority received just three complaints during the first 26 days of the GDPR. The Belgian DPA has 56 staff members, which averages out to nearly 20 staff members per complaint received. Their annual budget breaks down to $686,000 in the 26-day span.

Bulgaria Complaints Received: 91 Span of Days: 28 Staff (2016): 87 Annual Budget (2017): $1,402,394 The Commission for Personal Data Protection of Bulgaria received 91 complaints in the first 28 days of the GDPR, averaging out to just over three complaints per day. The Bulgarian DPA has 87 total staff members, which averages out to nearly 27 staff per daily complaint. Their annual budget breaks down to just over $50,000 for the 28-day span, which averages out to $550 per complaint received.

Czech Republic Complaints Received: Approximately 400 Span of Days: 26 Staff (2016): 104 Annual Budget (2017): $6,975,834 The Office for Personal Data Protection of the Czech Republic received approximately 400 complaints in the first 26 days of the GDPR, with an average of over 15 complaints per day being received during this span. The Czech Republic’s annual DPA budget breaks down to slightly over $19,100 per day, which would allot about $1,275 per complaint received. With a staff of 104, the Czech Republic’s DPA has an average of seven staff members to handle each of the 15 daily complaints.

Denmark Complaints Received: 13 Span of Days: 15 Staff (2016): 36 Annual Budget (2017): $3,440,000 The Danish Data Protection Agency received 13 complaints in the first 15 days of the GDPR, averaging under one complaint received per day. The Danish DPA daily budget breaks down to approximately $9,400, with a staff of 36 to handle the single complaint per day that they have been receiving.

Estonia Complaints Received: 7 Span of Days: 14 Staff (2016): 18 Annual Budget (2017): $833, 877 The Estonian Data Protection Inspectorate received seven complaints in the first 14 days of the GDPR, with an average of one complaint being received every two days. The Estonian DPA daily budget is $2,284, which breaks down to $4,569 per complaint received in this 14-day span.

France Complaints Received: 426 Span of Days: 24 Staff (2016): 195 Annual Budget (2017): $22,253,000 The National Commission on Informatics and Civil Liberties (aka, the CNIL) of France received 426 complaints in the first 24 days of the GDPR, with an average of approximately 18 complaints being received per day in this span. With a staff of 195, the CNIL has an average of nearly 11 staff members per complaint received. With a daily budget of $60,967, this averages just over $3,400 per complaint received.

Ireland Complaints Received: 547 Data Breach Notifications, 386 Complaints Span of Days: 32 Staff (2016): 64 Annual Budget (2017): $5,640,600 The Irish Data Protection Commission received 547 Data Breach Notifications and 386 complaints in the first month of the GDPR. 403 of the data breach notifications and 89 of the complaints are considered under the GDPR. The 2016 staff of 64 would average out to over 29 daily complaints and notifications per staff member, with the 2017 annual budget breaking down to $530 per complaint. As reflected in the Editor’s Note, the IAPP has updated the Irish DPC’s GDPR complaints data since the original publication of this piece. The IAPP also received updated 2018 staff and budget numbers for Ireland. In 2018, the Irish DPC currently boasts a staff of 100, with a plan to increase that number to 140 by the end of the year. The 2018 annual budget for the Irish DPC has increased to $13,648,382.

Malta Complaints Received: 8 Span of Days: 24 Staff (2016): 10 Annual Budget (2017): $404,600 The Office of the Information and Data Protection Commissioners of Malta has received 8 total complaints in the first 24 days of the GDPR. Their 24-day budget breaks down to $26,600, with an average of $3,325 per complaint received in this span.

Netherlands Complaints Received: 170 Span of Days: 14 Staff (2016): 75 Annual Budget (2017): $9,743,720 The Data Protection Authority of The Netherlands received 170 complaints over the first 14 days of the GDPR. With an average of 12 complaints daily and a staff of 75, this averages out to just over six staff members per daily complaint. The Dutch DPA’s budget breaks down to approximately $374,000 during this 14-day span, which averages out to $2,198 per complaint received.

Romania Complaints Received: 145 Span of Days: 14 Staff (2016): 36 Annual Budget (2017): $1,261,260 The National Supervisory of Authority for Personal Data Processing of Romania received 145 complaints in the first 14 days of the GDPR, averaging just over 10 daily complaints. With a staff of 36, this averages out to nearly four staff members per daily complaint, and the Romanian DPA’s budget breaks down to just over $333 per complaint received during this 14-day span.

Slovakia Complaints Received: 4 Span of Days: 24 Staff (2016): 38 Annual Budget (2017): $1,176,821 The Office for Personal Data Protection of the Slovak Republic received four complaints in the first 24 days of the GDPR. With a staff of 38, this averages out to nearly 10 staff members per complaint received in this span. The Slovak DPA’s budget breaks down to $77,380 for the 24-day span, with an average of $19,345 per complaint received.

Slovenia

Complaints Received: 102 Span of Days: 25 Staff (2016): 32 Annual Budget (2017): $1,589,194 The Office of the Information Commissioner of Slovenia received 102 complaints in the first 25 days of the GDPR, with an average of just over four daily complaints. With a staff of 32, the Slovenian DPA averaged eight staff members per daily complaint received in this 25-day span. Their annual budget breaks down to $108,848 in this span, averaging approximately $1,067 per complaint received.

Sweden Complaints Received: 2 Span of Days: 18 Staff (2016): 50 Annual Budget (2017): $6,329,570 The Data Inspection Board of Sweden received just two complaints in the first 18 days of the GDPR, averaging one complaint every nine days. With a staff of 50, the Swedish DPA has 25 staff members per complaint received. Their annual budget breaks down to $312,143 over this 18-day span, averaging over $156,000 per complaint received.

Out of all 28 EU member states that the IAPP requested information from related to complaints received, the following 14 member states did not respond to our inquiry or did not have official data to provide by the time of our publication: Croatia, Cyprus, Finland, Germany, Greece, Hungary, Italy, Latvia, Lithuania, Luxembourg, Poland, Portugal, Spain and the United Kingdom. Editor’s Note: As we were publishing this piece, we heard back from the U.K.’s Information Commissioner’s Office: “Up to and including the 18 June, the ICO had received 1,106 data protection complaints or concerns since 25 May 2018.

Christine Baird, CEO of Clarus Tech Partners, has a team of IT, legal, cybersecurity, and compliance experts who advise and implement GDPR Compliance assessments and readiness solutions.