European Digital Rights (EDRi), a digital user rights non-for-profit organisation, on 25 October 2018, launched an online platform, ‘GDPR Today’. In its first edition of the GDPR Today, the EDRi published statistics collected from eight EU Member States (France, Germany, Ireland, Italy, Poland, Romania, Sweden and the United Kingdom). The statistics show that since the GDPR’s entry into force on 25 May 2018, data protection authorities (DPAs) have received thousands of complaints from EU individuals on the implementation of the GDPR by businesses and other organisations. Of note, the United Kingdom’s DPA, the UK Information Commissioner’s Office (ICO), has topped the list of complaints received, with nearly 15,000 complaints. Germany and France follow in the rankings, with 6,555 complaints and 3,767 complaints received, respectively. However, the UK figure includes complaints filed with the ICO prior to the GDPR’s effective date.
The European Data Protection Board, the EU-wide independent data protection authority, has stated that more than 42,230 data protection complaints have been filed across Europe. However, the EDRi notes that as the GDPR grants EU citizens the authority to bring cases directly to the courts of Member States, this total figure may be even higher.
In relation to breach notifications, the UK’s ICO has received 5,992 data breach notifications from businesses and other entities since 25 September 2018, far exceeding the 1,831 complaints and 1,308 complaints received by the Polish and Irish DPAs, respectively. The UK figure also includes data breach notifications filed under the previous UK Data Protection Act 1998.
It will be important to closely monitor whether and how this high volume of complaints translates into enforcement actions and trends in the coming months, as well as whether the insights that may be derived from such a volume of complaints may result in additional clarifying guidance from the EDPB or other data protection authorities.