This analysis aims to capture and cluster different post-GDPR enforcement styles by Data Protection Authorities (DPAs) across the EU to better understand why enforcement over data protection issues vary across borders.
Advancements in computation, along with a permissive political economy, have been creating significant financial benefits for data exploitation, raising the importance of data in both the economic and social realms. This has led to the framing of data as the “most important asset of the 21st century.” Current market structures and prevailing business models position data as a dominant source of revenue, especially data about people. Companies sell and buy data, utilizing data to improve their services or to predict and influence the behavior of others.
Our growing data-capitalist economy, which exploits personal data in greater orders of magnitude than ever before, is threatening privacy in new and acute ways that require our urgent attention. The pervasive collection of data about individuals, the far-reaching analysis techniques, and the classification and categorization of data subjects by private and public authorities often come at the expense of privacy. Data subjects are being watched, tracked, identified, analyzed, and discriminated against by public and private actors. Individuals have very little control and understanding of the opaque ways their data can be used to inform decisions about their lives. Personal data can be used to limit free choice, manipulate consumers by attacking individual autonomy, manage how individuals are judged by others, disrupt appropriate social boundaries, or undermine trust between individuals and institutions. Privacy has long been viewed as an important component of any flourishing community. It is an enabler of other rights such as anonymity, liberty, and freedom of speech. With data collection and data mining outpacing the technological barriers for data exploitation, society has been left with policy frameworks, governance structures, and courts as the last standing gatekeepers against attacks on privacy.
The European Union (EU) has been responding to the challenge. Positing privacy as a fundamental human right, Member States created their own domestic data protection laws over the course of the 1970s. In response to the need for “free movement of personal data within the internal market,” the data protection regime was ‘Europeanized’ for the first time in 1995 through the Data Protection Directive. This new European policy regime was created when Internet and global communications began re-shaping the significance of information flows in the economy, and its design reflected significant political compromises. The Directive, furthermore, was inconsistently implemented and loosely enforced across the Union, leading the EU Commission to offer an updated and inclusive privacy regulation – the General Data Protection Regulation (GDPR). The GDPR was considered a remarkable and promising achievement, creating novel institutional structures and injecting a combination of concepts and ideas to the European Data Protection Regime such as: fairness, transparency, purpose limitation, data minimization, accuracy, integrity, and accountability. Especially notable was the GDPR’s sanctions regime, which requires “effective, proportionate, and dissuasive penalties” and empowered Data Protection Authorities (DPAs) in Member States to an unprecedented degree.
But three years after the GDPR became effective, it is rather unclear whether it has lived up to its promise. Despite expectations for strict enforcement that are derived from the EU policy implementation literature, enforcement trends seem to vary. We witness how some DPAs are reluctant to coercively enforce the law for serious violations, while others choose to pose unprecedented fines on data controllers. These conflicting trends demonstrate how data protection enforcement is a strategic and selective process that requires a closer understanding. Even though the GDPR might be very promising ‘on the books,’ enforcement of the law ‘on the ground’ and the de-facto protection of privacy for EU citizens remains unclear. To fill this gap, this study asks: how and why do DPAs’ enforcement styles vary post-GDPR?
Bringing together the literature on enforcement styles, regulatory agencies, and data protection, three hypotheses for variations in enforcement can be derived. The first and probably one of the most common explanations about the lack of effective GDPR enforcement relates to the organizational capacities of DPAs. Variations in financial resources and technical expertise are likely to lead to different enforcement approaches across the Union. As sanctioning and investigation processes take time and require technical experts, these organizational capacities seem crucial for proper GDPR enforcement (H1). A second hypothesis looks into the different levels of saliency of data protection issues across Member States, arguing that they are likely to create variations in GDPR enforcement styles. A salient issue is one that is high on the political agenda and is likely to influence enforcement and compliance practices. As we observe different levels of ‘importance’ assigned by the media to different DPAs based on the companies they regulate in their jurisdictions, as well as high levels of issue saliency following privacy scandals in certain Member States, the expectation is that the saliency of data protection issues will vary among nations, creating different kinds of pressure on DPAs to act, and ultimately leading to different levels of strictness in DPAs’ enforcement styles (H2). A third hypothesis for variations in DPA enforcement styles investigates the level of independence of any given enforcement agency. According to the enforcement literature, independent, “stand-alone” agencies with weak ties to central government are more aggressive toward the regulated. Many skeptics question whether independence of DPAs is really possible against the backdrop of pressures to maintain a business-friendly environment and foreign investment. Still, the impact of agency-independence on enforcement style remains to be seen. According to Schütz (2012), the levels of formal independence of DPAs might vary and should be carefully assessed to ensure that no political pressure is channeled via DPA Commissioners to impact DPA enforcement style. DPAs that are less independent and prone to political and private influence might adopt a laxer approach to enforcement due to external pressures. Since the level of independence of DPAs post-GDPR is likely to vary, there is a range in how stringent DPAs are likely to be when enforcing the law (H3).
When comparing the actions taken by DPAs since GDPR became effective, we can see how DPAs substantially differ in the frequency with which they investigate and fine data controllers (see Figure 1, below). For each DPA, the average amount of a fine (in Euros) determines the size of that DPA’s point in the graph.
Figure 1: Classification of fifteen DPAs based on their enforcement actions.
Enforcement actions, however, tell a rather blurry story about DPA enforcement styles. Looking solely at enforcement actions limits our ability to compare DPAs or fully understand their enforcement approaches for two main reasons: (1) DPAs under a heavy burden might not be able to express their style through the enforcement outputs they produce. For instance, do the low tendencies of the Dutch DPA to investigate cases and fine data controllers demonstrate a weak enforcer? Or does the workload of the Dutch authority prevent it from expressing its intended enforcement style? (2) We might be exposed to selection bias in the type of complaints DPAs deal with. Not all violations are equally distributed among DPAs, as some face more serious and significant cases of GDPR violations than others. However, such selection bias is challenging to measure given the lack of data on the distribution of serious cases between DPAs.
Therefore, to understand DPAs’ enforcement choices and realize their style of enforcement, a scale of data protection enforcement strategy is suggested. Following interviews with current and former DPA employees across the Union, several phases within the enforcement process have emerged, illustrating how DPAs adopt different levels of (1) breadth in their monitoring & supervision approach and (2) coercion in their sanctioning approach. The enforcement process is likely to begin with a complaint, leaving room for each DPA to adopt its own complaint-handling process: (i) DPAs can choose a ‘selective-to-be-effective’ approach and refrain from handling all complaints. (ii) DPAs can alternately decide to accept complaints only from those data subjects affected by the ostensible violation rather than any interested party. This can shape the circumstances under which DPAs potentially launch an enforcement process. Next, DPAs also design their own regularities in the investigation/inspection process: (iii) They can choose to be pro-active and start investigations based on their own initiatives and concerns, or work only on complaints submitted to them; (iv) They can also choose to expand an investigation as they see fit beyond the boundaries of the complaint in question. These four items capture the level of breadth in monitoring and supervision efforts that DPAs choose to adopt in the enforcement process, ranging from narrow to wide.
In their sanctioning approach, DPAs have ample room for maneuvering as well. (i) They can give a second or third chance to companies before issuing a fine; (ii) decide to officially issue a warning before imposing a fine to ensure they exercise their powers in accordance with the principle of proportionality; (iii) apply a soft approach in a pre-defined, initial, GDPR implementation phase; and (iv) engage in naming and shaming by publishing the names of data controllers under investigation during or after an enforcement decision has been finalized. These four items capture the level of coercion that DPAs choose to adopt in the enforcement process, ranging from low to high and constituting the second dimension of DPA enforcement style. Figure 2 below presents how DPAs are clustered based on these two dimensions. Out of 31 DPAs, eighteen responded to the questionnaire sent. Survey data were coupled with reports on GDPR implementation from the European Data Protection Law Review’s “GDPR Implementation Series,” the 2-year GDPR evaluation questionnaire conducted by EDPB, and the questionnaire conducted by the International Federation for European Law (FIDE) on data protection in the EU in 2020.
Figure 2: Eighteen DPAs classified based on their enforcement styles. The line in each axis is the mid-range value on that axis.
As Figure 2 demonstrates and in sharp contrast to the corresponding Figure 1, almost half of the DPAs apply a wide monitoring & supervision strategy coupled with a high level of coercion in their sanctioning approach. There is no clear correlation between DPAs’ sanctioning approach and their tendency to fine. Nor is there a correlation between DPAs’ wide monitoring and supervision efforts and their tendency to investigate. We can see that DPAs are spread out based on the two dimensions, but there is an emerging tendency wide monitoring & high coercion strategy (among 45% of DPAs understudy) that, in most cases, does not meet enforcement actions.
To explore the influence of organizational capacity (H1), issue saliency (H2), and DPA independence (H3) on features of enforcement style, this study utilized the configurational approach of Fuzzy Set Qualitative Comparative Analysis (fsQCA). Applying conservative benchmarks for the analysis, several findings are worth highlighting.
H1, referring to DPAs’ organizational capacity, played a significant role in explaining the mismatch between DPAs’ intended enforcement approach and actions. Resources and expertise were sufficient for explaining wide monitoring strategy by a certain set of DPAs (UK, France, and Poland), and highlighted the inability of others (Belgium, The Czech Republic, The Netherlands, Romania, and Slovakia) to match enforcement approach with actions. H2, representing the link between issue saliency and enforcement style, was not associated with any specific style or the match between style and actions. The question of to what extent the politicization of data protection issues affects enforcement choices is left unanswered. H3, reflecting the connection between DPA budget autonomy and enforcement actions, was ultimately tested based on a single connection between DPA budget and fines collected, hypothesizing that this link undermines DPA independence and impacts enforcement behavior. The Bulgarian DPA with questionable independence and an external motive to fine, demonstrated a discrepancy between the enforcement strategy and actions. Narrow monitoring & supervision alongside low levels of coercion surprisingly correlate with a high tendency to investigate and fine. This is a puzzling finding – the Bulgarian DPA, which lacks resources and generally exhibits medium-low levels of inclusiveness and hierarchy, is able to investigate and fine data controllers at very high levels. This external motivation for this DPA to impose fines is probably contributing to its practice of going above and beyond its approach.
Overall, this study provides a starting point for understanding the impacts of Europeanization on national enforcement strategies post-GDPR. It remains to be seen whether the divergence in DPAs’ enforcement strategies will erode over time. Previous accounts on convergence in DPAs’ regulatory style can now be updated: when it comes to their enforcement strategy, national divergence arises, questioning how truly pan-European the post-GDPR data protection regime really is, but a trend toward increasing deterrence among almost half of DPAs under study was revealed. Still, when the rubber hits the road, the EU data protection regime post-GDPR is still far from being Europeanized. While it is not surprising that organizational capacity is related to DPAs’ breadth of monitoring & supervision for some and to the disagreement between strategy and actions for others, this study shows the context in which resources and expertise matter, disentangling their various effects on DPAs’ operations. While forum shopping by data controllers was and still is a concern, the continuous trend of understaffed and under-financed DPAs might make it even worse, allowing data controllers to escape the EU’s data protection regime altogether. This questions the EU’s readiness to manage the age of artificial intelligence, for which data protection is a key factor arena for balancing risks and benefits for EU citizens. Ultimately, enforcement is a power struggle, and this study empirically shows how, by and large, DPAs are ill-equipped for this battle.
The opinions expressed in this text are solely that of the author/s and do not necessarily reflect the views of the Heinrich Böll Stiftung Tel Aviv and/or its partners.