https://orcid.org/0000-0003-2194-5006
![Sample our Politics & International Relations journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5947/TOC-Subject-Sample-2021-Politics-International-Relations.jpg"})
ABSTRACT
The study explores the divergence in data protection enforcement strategies among national agencies. Whereas the literature on cross-national enforcement practices is scarce, this study develops a scale for data protection enforcement strategies and measures and compares enforcement choices across agencies. Based on survey responses from 18 DPAs, interviews with DPA employees, and secondary sources on GPDR enforcement, the paper clusters DPAs based on enforcement strategies, analyzes cross-national variations, and investigates misalignments between strategy and actions. Using Fuzzy-Set Qualitative Comparative Analysis, the paper tests how bureaucratic and political contexts – organizational capacities, budget sources, and issue saliency – impact enforcement choices. Almost half of the studied DPAs reflect high deterrence by their strategy, but for many of them, lack of resources and expertise inhibits the translation of strategy into practice. This study provides a starting point for understanding the national impacts of Europeanization post-GDPR, adding empirical support for theorizing about enforcement across the EU.
Acknowledgements
I am grateful for the community at the 2021 Privacy Law Scholars Conferences (PLSC) who workshopped the paper and provided wonderful comments. I am thankful for the panelists at the 2021 workshop on ‘Governing European Values Inside Data Flow’ at the University of Amsterdam. I want to express my gratitude to all the experts who devoted their time to discuss data protection enforcement with me and provided meaningful comments and suggestions on how to improve the paper. A partial list includes Rik Joosen, Abraham Newman, Francesca Bignami, Wolfie Christl, Zach Edwards, Yoram Hacohen, Markus Kaulartz, Natasha Lomas, Romain Robert, Johnny Ryan, Philip Schütz, Mark Scott, Limor Shmerling, Omer Tene, Joris van Hoboken, and Gabriella Zanfir-Fortuna. I would like to thank the editors of the special issue on AI Governance for the Journal of European Public Policy: Tim Büthe, Christian Djeffal, Christoph Lütge, Sabine Maasen, and Nora von Ingersleben-Seip for their constructive feedback along the way and the felxibility to publish this study through a regular JEPP issue. I am also grateful for the valuable contribution of three Cornell Tech MA students: Wenyi Chi, Rain Liang, and Jiyu Xu who helped with data visualization and web scraping in earlier versions of this work. I would also like to thank the CMS law firm for making their data on GDPR fines open and accessible and the all the DPAs' representatives that devoted their time and energy to answer my on-going questions and survey.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Notes
1 This assumption is based on conversations with DPAs’ representatives that highlighted how outsourcing expertise is for specific efforts and can be equivalent to no more than four experts working continuously for three months over the course of a year.
2 Accessed was granted through Cornell University. For Cyprus, Latvia, and Slovenia, only three media sources were available. For Iceland, only two.
3 One of GDPR's purposes was to shield DPAs from politicians undermining their independence, including aspects of Commissioners’ appointments that should take place transparently by elected officials (Article 52). In addition, there should be no overlap in personnel between governments and DPAs, as it could lead to direct influence on the latter, nor should there be any influence on DPAs by ‘expert groups’ at the national level.
4 For the Belgian and Dutch DPAs, data were based on actions from the year of 2019. For the French DPA, the tendency to investigate was only based on data from the year 2019.
5 Since number of investigations reported does not distinguish between proactive investigations and commissioned ones.
6 also provides information on variations in the average size of fine posed by each agency. On average, France poses much higher fines than all the rest, with Sweden and the DPAs in Hamburg, Germany, and the Netherlands following behind. This might be an attractive source for national comparison, but since the size of fines is specifically determined under GDPR (Articles 83 & 84), the choice for DPAs in this space is somewhat limited. The size of a fine is determined by the seriousness of the violation and is not subject to strategic decisions on how to conduct enforcement. At the same time, the tendency of DPAs to choose fines in the first place over other enforcement outputs is much more related to their strategic sanctioning approach, providing a better assessment for their actions.
7 Analysis was done on R based on the ‘QCA’ package (2021), v3.11, by Adrian Dusa. Code and results are available here:https://rpubs.com/idonibrasco/821246
8 Interestingly, based on the third hypothesis, I found that for a few DPAs, budget is linked to fines collected. For others, it is a state/public budget, not attached to a government ministry. Data in show how in Bulgaria, Hamburg, and Slovakia, budget autonomy is based on the fines they pose. The UK also enjoys significant budgetary autonomy by collecting data protection fees from data controllers, but its budget is unrelated to the fines levied.
9 The thresholds for calibration of issue saliency also ensures that Iceland, with very few overall articles related to data protection from only two available sources, is less likely to produce more than 10 articles per year with the hypothetical examination of two additional sources. Likewise, Cyprus, Latvia, and Slovenia, with three instead of four available sources to examine, are less likely, according to their numbers, to cross the mark of 52 articles on average, even if additional source would have been examined for those countries (see ).
10 The Irish DPA posed a 225 million Euros fine on WhatsApp (Facebook) and the DPA of Luxembourg posed a 746 million Euros fine on Amazon. These fines are not finalized yet.