Wednesday, November 18, 2020
Voss and Bouthinon-Dumas on the EU General Data Protection Regulation Sanctions in Theory and In Practice @wgvoss @BouthinonH
W. Gregory Voss, Toulouse Business School, and Hugues Bouthinon-Dumas, ESSEC Business School, are publishing EU General Data Protection Regulation Sanctions in Theory and in Practice in volume 37 of the Santa Clara High Tech. L.J. (2020). Here is the abstract.
Prior to the application of the EU General Data Protection Regulation (GDPR), one of the results of the relatively-low-level of legislatively permitted data protection violation administrative fines was, arguably, a lack of compliance by U.S. Tech Giants, among others. At least on paper, this changed under the GDPR. This study approaches the issue of GDPR sanctions, not through the lens of a future catastrophe, but though a development first of the theoretical grounds for sanctions, prior to a view of the practical side of them. In doing so, it is somewhat unique and adds to the GDPR literature. Furthermore, it engages the legal strategy and compliance literature to bring its results home to inform companies as to the risks involved and to provide strategic recommendations both for companies and for regulators. Among the several sub-goals of sanctions, this study determines that the most relevant for an analysis of GDPR sanctions—which are administrative, regulatory and financial sanctions, in large part—is the deterrence function, beyond the symbolic functions. This demands effective and substantial administrative fines. While these are not the only sanctions available under the GDPR—this study also sets out a range of possible sanctions, such as judicial compensation and orders to halt data processing—they are perhaps the most characteristic of data protection enforcement. However, through what is referred to as the one-stop-shop mechanism, the Irish DPA is the lead authority for most of the U.S. Tech Giants, and it has failed to act against them up to now, resulting in a potential lack of deterrence. This study argues that, on the one hand, companies should embrace compliance, and the other hand, truly dissuasive administrative fines must be issued in order for the sanctions to have their necessary deterrence effect.
Download the article from SSRN at the link.