EU General Data Protection Regulation Sanctions in Theory and in Practice
37 Santa Clara High Tech. L.J. 1 (2021)
97 Pages. Posted: 24 Sep 2020. Last revised: 13 Jan 2021.
Date Written: January 1, 2021
Prior to the application of the EU General Data Protection Regulation (GDPR), one of the results of the relatively low level of legislatively permitted administrative fines for data protection violations was, arguably, a lack of compliance by U.S. Tech Giants, among others. At least on paper, this changed under the GDPR. This study approaches the issue of GDPR sanctions, not through the lens of a future catastrophe, but through a development first of the theoretical grounds for sanctions, prior to a view of the practical side of them. In doing so, it is somewhat unique and adds to the GDPR literature. Furthermore, it engages the legal strategy and compliance literature to bring its results home to inform companies as to the risks involved and to provide strategic recommendations both for companies and for regulators.
Among the several sub-goals of sanctions, this study determines that the most relevant for an analysis of GDPR sanctions—which are administrative, regulatory and financial sanctions, in large part—is the deterrence function, beyond the symbolic functions. This demands effective and substantial administrative fines. While these are not the only sanctions available under the GDPR—this study also sets out a range of possible sanctions, such as judicial compensation and orders to halt data processing—they are perhaps the most characteristic of data protection enforcement. However, through what is referred to as the one-stop-shop mechanism, the Irish DPA is the lead authority for most of the U.S. Tech Giants, and it has failed to act against them up to now, resulting in a potential lack of deterrence. This study argues that, on the one hand, companies should embrace compliance, and on the other hand, truly dissuasive administrative fines must be issued in order for the sanctions to have their necessary deterrence effect.
Keywords: GDPR sanctions, sanctions, GDPR, General Data Protection Regulation, data protection, data privacy, privacy, deterrence, Tech Giants, GAFAM, administrative fines, supervisory authorities, regulators, data protection authorities, GDPR compliance, DPAs, one-stop-shop, legal strategy
JEL Classification: K2, K23, K42