On 24 May 2016, the Data Protection Regulation entered into force. From 25 May 2018 it will be directly applicable in all European Member States. It is therefore not only companies and authorities that now have two years to adapt their data processing activities to the future requirements. The national legislature must also examine the applicable data protection regulations in its Member State for compliance with the future regulations.
Against this background, the conference of the independent German data protection authorities (“conference”), in a resolution of 25 May 2016 (German), calls on the German legislator to provide the data protection authorities with more staff and financial resources so they can effectively meet their assigned duties.
The German authorities refer to the obligations of each Member State under the Data Protection Regulation, which requires Member States to ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the future European Data Protection Board (Art. 52 para 4).
In the view of the conference, it is necessary to provide enhanced human and financial resources for the data protection authorities in Germany. This already applies to the preparatory phase that is now under way.
Looking at the current situation alone, this demand by the German supervisory authorities is certainly justified. It will be interesting to see whether, once the Data Protection Regulation applies, the European Commission might sue a Member State by means of infringement proceedings under Art. 258 TFEU if the German regulatory authorities are not equipped with the necessary resources and personnel. For example, such an infringement action was already brought before the Court of Justice of the European Union under the current data protection directive in Case C‑614/10.
Another interesting aspect of the resolution is that the Bavarian authorities abstained from voting on its adoption. Both the Bavarian State Commissioner for Data Protection and the Data Protection Authority of Bavaria for the Private Sector thus seem, at the very least, not to share all the positions of the other supervisory authorities.