On 24 June 2024, the EU Agency for Fundamental Rights (FRA) published a report looking at the experiences - in practice - of data protection authorities (DPAs) with the General Data Protection Regulation (GPDR). It comes in response to a request from the European Commission seeking data on implementation experiences, challenges, and practices.

For this purpose, FRA conducted 70 qualitative interviews with DPA representatives from all 27 EU Member States between June 2022 and June 2023. Interviewees were asked about their experiences in areas such as DPA independence, the institutional capacity of DPAs, modern technological challenges, raising public awareness, DPA investigatory powers, sanctions for GDPR violations, cooperation between EU DPAs and the GDPR consistency mechanism, cooperation with other national regulators, and the protection of personal data and competing fundamental rights.

Some of the key findings of the report include the following points:

• Inadequate resources can undermine the implementation of DPAs' mandates and their independence: While DPAs are given more tasks and powers under the GDPR and other related EU legislation, their funding and human resources are not increasing at the same rate, which may hamper their ability to provide independent oversight. It also undermines their ability to conduct investigations on their own initiative, to properly supervise governments and public authorities acting as data controllers, and to contribute effectively to the European Data Protection Board (EDPB). In addition, the recruitment of professionals with appropriate legal and technical expertise is reported to be a challenge, especially in view of competition with the private sector for skilled personnel.
• Obstacles hamper the DPA’s supervision: While supervision is considered to be a core function of DPAs, there is a need for additional tools to strengthen their supervisory capacity.
• The large number of complaints: This is a major challenge and should be addressed as a matter of priority.
• A large number of trivial or unfounded complaints: The awareness of the general public of the existence of data protection laws does not necessarily mean that they are truly understood. DPAs also receive very few requests for consultation from data controllers in advance, suggesting that even data controllers may not be aware of data protection risks, much less fully understand what those risks entail or what they can do to identify and prevent them.
• Due to mistrust and misunderstanding about the competences of DPAs, advising and supervising public authorities acting as data controllers remains a challenge.
• While the majority of DPAs believe that the requirements and tools provided in the GDPR are adequate in theory, most respondents highlighted that the GDPR remains ill-equipped to regulate new technologies in practice.
• While the work of the EDPB is generally viewed positively, it creates additional work for the DPAs, which could be reduced by restructuring the way in which the EDPB works and its internal procedures.

To address these issues, the report describes some promising practices and outlines a number of views on how the EU legislator, the European Commission, the EU institutions, the EU Member States, and the EDPB could assist DPAs.

The Commission is currently preparing its second evaluation report on the GDPR.