According to conventional wisdom, data privacy regulators in the European Union are unreasonably demanding, while their American counterparts are laughably lax. Many observers further assume that any privacy enforcement without monetary fines or other punishment is an ineffective “slap on the wrist.” This Article demonstrates that both of these assumptions are wrong. It uses the simultaneous 2011 investigation of Facebook’s privacy practices by regulators in the United States and Ireland as a case study. These two agencies reached broadly similar conclusions, and neither imposed a traditional penalty. Instead, they utilized “responsive regulation,” where the government emphasizes less adversarial techniques and considers formal enforcement actions more of a last resort.
When regulators in different jurisdictions employ this same responsive regulatory strategy, they blur the supposedly sharp distinctions between them, whatever may be written in their respective constitutional proclamations or statute books. Moreover, “regulatory friending” techniques work effectively in the privacy context. Responsive regulation encourages companies to improve their practices continually, it retains flexibility to deal with changing technology, and it discharges oversight duties cost-efficiently, thus improving real-world data practices.

'Statutory Regulation of Professional Journalism Under European Data Protection: Down But Not Out?' (University of Cambridge Faculty of Law Research Paper No. 35/2016) by David Erdos comments:
European data protection aims to protect the privacy and related rights of individuals, purposes which come into tension with the free speech of professional journalism. Moreover, statutory Data Protection Authorities (DPAs) act as the ‘guardians’ of the data protection framework across the European Economic Area. In light of this, this article explores through both a DPA questionnaire and a DPA website review the enforcement efforts of these critical regulators in this sector. The results indicate that, notwithstanding stringent statutory provisions enforceable by DPAs in many Member States, activity has been patchy even in areas which raise limited free speech concern (e.g. action against significant inaccuracy). Nevertheless, many DPAs do engage in this area especially when sensitive or importantly confidential information is involved. The stringency of local law also positively correlates with the extent of enforcement, whilst the level of resourcing surprisingly does not. The article proposes action by both Member States and DPAs to ensure more regulatory coherence under the forthcoming General Data Protection Regulation.