Austria's DPA Overwhelmed by Data Breaches, Calls for More Resources
The Austrian Data Protection Authority (DPA) faces a significant workload increase, with 1,216 national security breaches reported in 2024 alone. Justice Minister Anna Sporrer has confirmed that no new positions can be created at the DPA due to budget constraints. Meanwhile, lawyer Axel Anderl suggests the DPA should have the power to reject or dismiss obviously abusive mass requests.
The DPA's workload has surged eightfold since 2017, making it difficult for the authority to respond to every reported data breach. In response to this overload, the DPA has announced that it will only initiate administrative proceedings if there is a sufficiently concrete suspicion of a serious violation of the GDPR or the DPA from an external complaint.
Max Schrems, founder of noyb (None of Your Business), has announced that his organization, along with epicenter.works, will file a complaint against the Republic of Austria with the EU Commission. This move comes as the DPA struggles to keep up with the increasing number of data breaches and lacks immediate feedback on whether it agrees with the measures taken by companies in response to these breaches.
The DPA's current situation highlights the need for additional resources and clearer guidelines on handling data breaches. While the DPA's new approach to administrative proceedings aims to prioritize serious violations, lawyer Axel Anderl's suggestion to dismiss obviously abusive mass requests could further help the authority manage its workload. The issue will be discussed in relevant committees in the near future, with the hope of finding a solution to the DPA's overwhelming workload.
