EU General Data Protection Regulation Sanctions in Theory and in Practice

37 Santa Clara High Tech. L.J. 1 (2021)

97 Pages Posted: 24 Sep 2020 Last revised: 13 Jan 2021

See all articles by W. Gregory Voss

W. Gregory Voss

TBS Business School; Toulouse Business School; University of Toulouse - Toulouse Business School

Hugues Bouthinon-Dumas

ESSEC Business School

Date Written: January 1, 2021

Abstract

Prior to the application of the EU General Data Protection Regulation (GDPR), one of the results of the relatively-low-level of legislatively permitted data protection violation administrative fines was, arguably, a lack of compliance by U.S. Tech Giants, among others. At least on paper, this changed under the GDPR. This study approaches the issue of GDPR sanctions, not through the lens of a future catastrophe, but though a development first of the theoretical grounds for sanctions, prior to a view of the practical side of them. In doing so, it is somewhat unique and adds to the GDPR literature. Furthermore, it engages the legal strategy and compliance literature to bring its results home to inform companies as to the risks involved and to provide strategic recommendations both for companies and for regulators.

Among the several sub-goals of sanctions, this study determines that the most relevant for an analysis of GDPR sanctions—which are administrative, regulatory and financial sanctions, in large part—is the deterrence function, beyond the symbolic functions. This demands effective and substantial administrative fines. While these are not the only sanctions available under the GDPR—this study also sets out a range of possible sanctions, such as judicial compensation and orders to halt data processing—they are perhaps the most characteristic of data protection enforcement. However, through what is referred to as the one-stop-shop mechanism, the Irish DPA is the lead authority for most of the U.S. Tech Giants, and it has failed to act against them up to now, resulting in a potential lack of deterrence. This study argues that, on the one hand, companies should embrace compliance, and the other hand, truly dissuasive administrative fines must be issued in order for the sanctions to have their necessary deterrence effect.

Keywords: GDPR sanctions, sanctions, GDPR, General Data Protection Regulation, data protection, data privacy, privacy, deterrence, Tech Giants, GAFAM, administrative fines, supervisory authorities, regulators, data protection authorities, GDPR compliance, DPAs, one-stop-shop, legal strategy

JEL Classification: K2, K23, K42

Suggested Citation

Voss, W. Gregory and Bouthinon-Dumas, Hugues, EU General Data Protection Regulation Sanctions in Theory and in Practice (January 1, 2021). 37 Santa Clara High Tech. L.J. 1 (2021), Available at SSRN: https://ssrn.com/abstract=3695473

W. Gregory Voss (Contact Author)

TBS Business School ( email )

1 Place Alphonse Jourdain
CS 66810
Toulouse Cedex 7, Occitanie 31068
France

Toulouse Business School ( email )

20, bd Lascrosses
Toulouse, 31068
France

University of Toulouse - Toulouse Business School ( email )

20, bd Lascrosses
BP 7010
Toulouse, 31068
France

Hugues Bouthinon-Dumas

ESSEC Business School ( email )

3 Avenue Bernard Hirsch
CS 50105 CERGY
CERGY, CERGY PONTOISE CEDEX 95021
France

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
354
Abstract Views
2,389
Rank
129,052
PlumX Metrics