EU General Data Protection Regulation Sanctions in Theory and in Practice

37 Santa Clara High Tech. L.J. 1 (2021)

97 Pages Posted: 24 Sep 2020 Last revised: 13 Jan 2021

Date Written: January 1, 2021


Prior to the application of the EU General Data Protection Regulation (GDPR), one of the results of the relatively-low-level of legislatively permitted data protection violation administrative fines was, arguably, a lack of compliance by U.S. Tech Giants, among others. At least on paper, this changed under the GDPR. This study approaches the issue of GDPR sanctions, not through the lens of a future catastrophe, but though a development first of the theoretical grounds for sanctions, prior to a view of the practical side of them. In doing so, it is somewhat unique and adds to the GDPR literature. Furthermore, it engages the legal strategy and compliance literature to bring its results home to inform companies as to the risks involved and to provide strategic recommendations both for companies and for regulators.

Among the several sub-goals of sanctions, this study determines that the most relevant for an analysis of GDPR sanctions—which are administrative, regulatory and financial sanctions, in large part—is the deterrence function, beyond the symbolic functions. This demands effective and substantial administrative fines. While these are not the only sanctions available under the GDPR—this study also sets out a range of possible sanctions, such as judicial compensation and orders to halt data processing—they are perhaps the most characteristic of data protection enforcement. However, through what is referred to as the one-stop-shop mechanism, the Irish DPA is the lead authority for most of the U.S. Tech Giants, and it has failed to act against them up to now, resulting in a potential lack of deterrence. This study argues that, on the one hand, companies should embrace compliance, and the other hand, truly dissuasive administrative fines must be issued in order for the sanctions to have their necessary deterrence effect.

Keywords: GDPR sanctions, sanctions, GDPR, General Data Protection Regulation, data protection, data privacy, privacy, deterrence, Tech Giants, GAFAM, administrative fines, supervisory authorities, regulators, data protection authorities, GDPR compliance, DPAs, one-stop-shop, legal strategy

JEL Classification: K2, K23, K42

Suggested Citation

Voss, W. Gregory and Bouthinon-Dumas, Hugues, EU General Data Protection Regulation Sanctions in Theory and in Practice (January 1, 2021). 37 Santa Clara High Tech. L.J. 1 (2021), Available at SSRN:

W. Gregory Voss (Contact Author)

Toulouse Business School ( email )

20, bd Lascrosses
Toulouse, 31068

Hugues Bouthinon-Dumas

ESSEC Business School ( email )

3 Avenue Bernard Hirsch
CS 50105 CERGY

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics