![Sample our Politics & International Relations journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5947/TOC-Subject-Sample-2021-Politics-International-Relations.jpg"})
ABSTRACT
Across many domains, the European Union relies on a system of regulatory network-based enforcement. National agencies work with peers to carry out on-the-ground implementation of supranational law. Network-based enforcement, however, raises concerns including regulatory capture and shirking. We explore how a novel governance tool – arbitrage mitigation mechanisms – may address some of these issues. These mechanisms are formal institutional procedures, which attempt to generate equivalent application of EU law for cross border regulation, and include horizontal checks among regulatory peers as well as vertical checks that allow civil society to voice accountability concerns. To demonstrate the validity of our argument, we examine the General Data Protection Regulation (GDPR) and European privacy enforcement. Our study contributes to the understanding of enforcement and compliance in European regulatory networks and offers a more fine grained understanding of when and how European citizens’ civil liberties will be upheld.
Acknowledgements
We are grateful to the reviewers as well as Dorte Sindbjerg Martinsen, Ellen Mastenbroek, and Reini Schrama and the participants of the Copenhagen Workshop on European Administrative Networks. We also received exceptional research support from Naz Gocek.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Notes
1 Notable exceptions include Poncibò (Citation2011).
2 Here, we draw on Grant and Keohane (Citation2005), who identify a horizontal peer channel and a public reputational channel of accountability.
3 We follow Eckstein (Citation1992, p. 147)’s definition of a plausibility probe: a “stage of inquiry preliminary to testing” a hypothesis, in which an initial theory is examined for its “potential validity”.
4 Complete guide to GDPR compliance. Accessed February 2021. Link: https://gdpr.eu/
5 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Accessed February 2021. Link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31995L0046
6 Recital 135 of the GDPR that clarifies article 63. Accessed February 2021. Link: https://www.activemind.legal/legislation/gdpr/recital-135/
7 Article 60 of the GDPR. Accessed February 2021. Link: https://www.activemind.legal/legislation/gdpr/article-60/
8 Peter Hustinx, European Data Protection Supervisor. June 15, 2012. “The Reform of EU Data Protection: towards more effective and more consistent data protection across the EU1.” Accessed November 2021. Link: https://edps.europa.eu/sites/default/files/publication/13-01-15_speech-fribourg_en.pdf
9 About EDPB. Accessed February 2021. Link: https://edpb.europa.eu/about-edpb/about-edpb_en
10 Consistency findings, EDPB. Accessed February 2021. Link: https://edpb.europa.eu/our-work-tools/consistency-findings_en
11 According to the EDPB’s first overview on the implementation of the GDPR (EDPB, Citation2019, p. 6), “For some type of decisions, the national SAs have to require an opinion of the EDPB before being entitled to adopt its decision. This applies for instance to the approval of cross-border codes of conducts, the adoption of standardized contractual clauses, or the adoption of national lists describing the type of processing that must be subject to a Data Protection Impact Assessment.”
12 Consistency findings, EDPB.
13 EC press release. June 24, 2020. “Commission report: EU data protection rules empower citizens and are fit for the digital age.” Accessed February 2021. Link: https://ec.europa.eu/commission/presscorner/detail/en/ip_20_1163
14 The Register of Article 60 Final Decisions can be accessed here: https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
15 Author calculations based on the Register.
16 Germany has a federated data protection structure with state level data authorities acting as lead supervisory authorities in charge of cases. This includes the DE BB SA (2 cases), DE BE SA (26 cases), DE BW SA (2 cases), DE HE SA (3 cases), DE NW SA (1 case), and DE SL SA (1 case).
17 “‘We have a huge problem’: European regulator despairs over lack of enforcement.” POLITICO.
18 These supervisory authorities include AT SA, DE SA (represented by the DE-Hamburg SA), DK SA, ES SA, FR SA, HU SA, IT SA and NL SA.
19 The ES SA withdrew its objection in part. The DK SA withdrew its objection.
20 Jonathan Keane. March 29, 2021. “Big Tech’s data watchdog in Europe is facing accusations of bureaucracy and lethargy.” CNBC. Accessed April 2021. Link: https://www.cnbc.com/2021/03/29/apple-google-data-watchdog-in-europe-facing-accusations.html
21 Mark Scott, Vincent Manancourt and Elisa Braun. January 22, 2021. “WhatsApp facing up to €50M privacy fine.” Politico. Accessed February 2021. Link: https://www.politico.eu/article/whatsapp-privacy-fine-data-protection-europe-50-million/
22 European Data Protection Board. July 28. 2021. “Binding decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland under Article 65(1)(a) GDPR.” Accessed November 2021. Link: https://edpb.europa.eu/system/files/2021-09/edpb_bindingdecision_202101_ie_sa_whatsapp_redacted_en.pdf
23 Sam Schechner. June 10, 2021. “Amazon Faces Possible $425 Million EU Privacy Fine.” The Wall Street Journal. Accessed November 2021.
Link: https://www.wsj.com/articles/amazon-faces-possible-425-million-eu-privacy-fine-11623332987
24 Vincent Manacourt and Mark Scott. September 2, 2021. “With WhatsApp fine, Europe’s privacy regime splutters into life.” Politico. Accessed November 2021.
25 Jennifer Baker. April 20, 2021. “Irish DPC in hot water with civil liberties MEPs.” NOYB Newsletter. Accessed April 2021. Link: https://newsletter.noyb.eu/x/105742/text/r2s7Nm2gM8/63838454
26 Derek Scally. February 3, 2020. “German regulator says Irish data protection commission is being 'overwhelmed'.” The Irish Times. Accessed February 2021. Link: https://www.irishtimes.com/business/financial-services/german-regulator-says-irish-data-protection-commission-is-being-overwhelmed-1.4159494 and Mark Scott. May 25, 2020. “Hamburg privacy boss calls for overhaul of EU privacy rules.” POLITICO. Accessed February 2021. Link: https://www.politico.eu/article/johnannes-caspar-gdpr-data-protection-privacy/
27 Dietmar Neuerer. January 28, 2020. “Datenschützer Kelber bringt neue EU-Behörde gegen Facebook & Co. ins Spiel” (Data protection activist Kelber brings new EU authority against Facebook & Co. into play). Accessed February 2021. Link: https://www.handelsblatt.com/politik/deutschland/datenschutz-verstoesse-datenschuetzer-kelber-bringt-neue-eu-behoerde-gegen-facebook-und-co-ins-spiel/25479302.html?ticket=ST-4924241-uWSSSd6fgMe1cTlBOEoK-ap1
28 “German regulator says Irish data protection commission is being 'overwhelmed'.” The Irish Times. “Hamburg privacy boss calls for overhaul of EU privacy rules.” POLITICO.
29 NOYB is styled from “none of your business”.
30 See the open letter at https://noyb.eu/en/open-letter.
31 Nicholas Vinocur. December 27, 2019. “‘We have a huge problem’: European regulator despairs over lack of enforcement.” POLITICO. Accessed February 2021. Link: https://www.politico.eu/article/we-have-a-huge-problem-european-regulator-despairs-over-lack-of-enforcement/
32 Max Schrems. September 2, 2021. “Irish DPC issued €225 million fine against WhatsApp/Facebook.” Accessed November 2021. Link: https://noyb.eu/en/statement-dpc-issues-eu-225-million-fine-whatsapp
33 Vincent Manancourt. December 5, 2021. “'Contrary to everything we believe in': Irish data watchdog lobbied for business-friendly GDPR.” POLITICO PRO. Accessed December 2021. Link: https://pro.politico.eu/news/143625
34 Derek Scally. April 9, 2021. “Irish approach to data protection ‘Kafkaesque’, says Schrems.” The Irish Times. Accessed April 2021. Link: https://www.irishtimes.com/business/technology/irish-approach-to-data-protection-kafkaesque-says-schrems-1.4533257
35 Samuel Stolton. March 26, 2021. “Digital Brief, powered by Facebook: Europol’s decryption platform, Bundeskartellamt Vs Facebook, Section 230.” Euractiv. Accessed April 2021. Link: https://www.euractiv.com/section/digital/news/digital-brief-powered-by-facebook-europols-decryption-platform-bundeskartellamt-vs-facebook-section-230/
36 See more at La Quadrature du Net’s webpage: https://www.laquadrature.net/about/.
37 “‘We have a huge problem’: European regulator despairs over lack of enforcement.” POLITICO.
38 Natasha Lomas. September 2, 2021. “WhatsApp faces $267M fine for breaching Europe’s GDPR.” TechCrunch. Accessed November 2021. Link: https://techcrunch.com/2021/09/02/whatsapp-faces-267m-fine-for-breaching-europes-gdpr/
39 See for example the ECN+ Directive established in 2018. See more information on the CPC network here: https://ec.europa.eu/info/live-work-travel-eu/consumer-rights-and-complaints/enforcement-consumer-protection/consumer-protection-cooperation-network_en
40 Figure partially based on the EDPB’s One-Stop-Shop Leaflet, which can be accessed at: https://edpb.europa.eu/our-work-tools/our-documents/one-stop-shop-leaflet_en
Additional information
Notes on contributors
Siyao Li
Siyao Li is a Ph.D. Candidate in Political Science at the University of Pennsylvania.
Abraham L. Newman
Abraham L. Newman is a professor in the Edmund A. Walsh School of Foreign Service and Government Department at Georgetown University.