FRA’s report ‘GDPR in practice – Experiences of data protection authorities’ highlights key issues, showcases best practices and suggests solutions:

• Lack of resources—Underfunding and a lack of staff hamper the authorities from fully carrying out their mandates. New EU laws, such as the AI Act or EU border management systems, will create additional tasks for them. These will be difficult to implement without appropriate resources. EU countries should secure the necessary financial and human technical resources to allow data protection authorities to fulfil their role.
• Supervisory powers—Data protection authorities already have investigative powers, but they need more tools to strengthen their supervisory capacity. These include the ability to conduct undercover investigations or the possibility of fineing organisations that refuse to cooperate. The European Commission and the European Data Protection Board (EDPB) should assess which tools are needed and reinforce the legal framework if necessary.
• Exchange of best practices—Lacking resources, data protection authorities often need to prioritise complaint handling over other tasks. To better support authorities processing a large number of complaints, the EDPB should provide more guidance and facilitate the exchange of best practices. This may also require granting the EDPB more resources.
• Consultation and providing advice—Data protection authorities are often not consulted on new legislation or given tight deadlines. Some public authorities do not consult with data protection authorities before launching a data processing operation. To ensure that data protection principles are considered in legislative proposals, EU countries should consult with data protection authorities and seek their advice in advance. They should also encourage public institutions to consult with data protection authorities more systematically.
• Raising awareness—People do not fully understand their right to personal data. Organisations that process personal data struggle to identify and prevent data protection risks, especially regarding AI systems. That is why there are very few data protection impact assessments. EU institutions and EU countries should promote awareness of data protection rules and obligations. The EDPB should develop specific guidance on data processing involving new technologies.
• Access to data for research—Researchers still struggle to access data, although EU data protection rules allow data processing for scientific purposes. The EDPB should develop specific guidance and clarify what is possible under EU law.
• New technologies—The GDPR provides useful tools to deal with new technological challenges, but many data protection authorities struggle to regulate them properly. Together with data protection authorities, the EDPB should identify specific technology-related areas where more clarity is needed. Data protection authorities should work more closely together when advising on new technologies.

Ahead of the second GDPR evaluation, the European Commission requested that FRA collect data on data protection authorities' experiences, challenges, and practices.

This report is based on 70 interviews conducted by FRA with representatives of data protection authorities from all 27 EU Member States between June 2022 and June 2023.

Since 2014, the Centre for Peace Studies has been part of the multidisciplinary research network FRANET of the EU Agency for Fundamental Rights, together with the organisations BaBe—Be Active. Be Emancipated. and Human Rights House Zagreb.