In the judgment C-416/23, the Austrian Data Protection Authority (DSB) received a slap in the face from the CJEU. The authority has – arbitrarily – set the number of complaints that data subjects can file at a maximum of two per month, even if one is affected by GDPR violations almost daily. The CJEU has now made it clear: as long as you do not file abusive complaints, all users have the right to have any GDPR violation remedied by the DSB. Unfortunately, DPAs trying to get rid of complaints isn't just an Austrian problem. Our figures show an EU-wide problem with DPA inactivity.
Dismissing and discontinuing en masse. For years, the DSB has developed various ‘techniques’ to discontinue proceedings against companies as much as possible. For example, data subjects are often threatened with the discontinuation of proceedings after each statement made by a company, if they do not object within two weeks. The DSB also discontinues proceedings on a large scale if a company (after years of dispute) complies with the GDPR at the last minute. The latest ‘trick’ was to limit the number of complaints to two per month – even though users are sometimes affected by GDPR violations every hour. This ‘trick’ has now been cancelled by the CJEU after a citizen brought a case against the DSB that was escalated all the way to the CJEU – but the other ways of getting rid of complaints are still in use.
Max Schrems: “You always have fundamental rights – not just twice a month. If the DSB consistently punished violations, there would also be fewer complaints. Instead, the authority uses various techniques to get rid of complainants. Companies have learned that there are no consequences. With various procedural tricks, a large proportion of complaints are averted – and companies happily continue to break the law."
Only 1.36% of all proceedings result in a fine. The DSB currently states that in 2023 it conducted 4,030 proceedings (2,389 national complaints, 876 cross-border complaints and 765 ex officio proceedings). However, only 55 fines were imposed in the entire year. This means that statistically, only 1.36% of all proceedings end with a fine. By way of comparison: 8.34 million traffic fines were issued in Austria in 2021. At peak times in 2023, more than 7,000 fines for incorrectly parked e-scooters were issued per month in Vienna. Statistically, it would take the DSB 127 years to issue these 7,000 penalties. However, many GDPR violations are as trivial as parking offences. User requests are simply not processed, consent is not obtained, or data is not deleted.
Max Schrems: “At peak times, up to 7,000 monthly fines were issued in Vienna alone for illegally parked e-scooters. In contrast, the data protection authority only imposed 55 penalties in 2023. The average parking offender has more to fear than corporations that misuse personal data by the millions. In more than 98% of all cases before the DSB, there are no penalties. Companies that comply with the law are left looking stupid.”
Not only an Austrian problem. This problem isn't unique to Austria, but concerns data protection authorities across Europe. In 2022 (the last year with EU-wide numbers), all European DPAs had a combined number of 140,106 proceedings – but only issued 1819 fines against companies. This means that in only 1.3% of cases there was a serious consequence. This clearly shows that there is an EU-wide problem with DPA inactivity and authorities dragging out proceedings.
Max Schrems: “We see that data protection authorities do not really take action throughout the EU. The Court of Justice has now repeatedly told them that they have to get their act together, but the statistics do not reflect that."
Procedures take years – instead of months. According to § 73 AVG, the DSB must decide within 6 months. In reality, procedures almost always take significantly longer. For example, 3 years for a decision on an illegal cookie banner is no exception. The noyb statistics for Austria show many cases that wait well over 6 months for a decision. Further appeals to the Federal Administrative Court also take several years instead of the 6 months provided by law. As a result, law enforcement in Austria is in no way compliant with EU law.
Max Schrems: "I have never seen a DSB procedure that was decided within the legal deadline. Instead of the planned six months, we are often talking about three years or more, even in the case of completely trivial cases such as an illegal cookie banner. The DSB is structurally unable to enforce the law efficiently."
Budget problems? A Google fine would pay for the Brenner Base Tunnel. The Austrian Data Protection Authority (DSB) has been asking for a higher budget for years. Since 2020, the number of staff has been increased from 43 to 60. It would be well worth it for the state to provide the necessary resources: the DSB is not only directly responsible for companies in Austria, but also for many international corporations, including Google USA. A single penalty imposed on Google could amount to as much as €6 billion – that is more than Austria's share of the Brenner Base Tunnel or a good portion of the current budget deficit of €15 to 23 billion.
Max Schrems: “If the DSB finally woke up from its slumber and received a decent budget for doing so, it could quickly pay off. A GDPR penalty against Google, for example, is more than our share of the Brenner Base Tunnel – just to give you an idea of the scale. But the DSB also needs to become more efficient. You can't just ask for a bigger budget and then continue to fail to process cases structurally.”
