Narrowing Data Protection's Enforcement Gap

60 Pages Posted: 22 Mar 2021 Last revised: 26 May 2024

See all articles by Filippo Lancieri

Filippo Lancieri

ETH Zurich Center For Law and Economics; Stigler Center

Date Written: March 10, 2022


The rise of data protection laws is one of the most profound legal changes of this century. Yet, despite their nominal force and widespread adoption, available data indicates that these laws recurrently suffer from an enforcement gap—that is, a wide disparity between the stated protections on the books and the reality of how companies respond to them on the ground. Indeed, Annex I to this Article introduces a novel literature review of twenty-five studies that analyzed the impact on the ground of the GDPR and the CCPA: none found a meaningful improvement in citizen's data privacy. This raises the question: what accounts for this gap and what can be done to improve the performance of these laws?

This Article begins by describing three core building blocks of data protection regimes in the United States and Europe—namely, market forces, tort liability and regulatory enforcement—that these jurisdictions combine in different ways to ensure that companies act in accordance consumers’ privacy preferences. It then identifies two key reasons—particularly deep information asymmetries between companies and consumers/regulators, and high levels of market power in many data markets—that enable companies to behave strategically to protect private interests and undermine legal compliance.

The conclusion looks at the institutional design of antitrust and anti-fraud laws, two regulatory regimes that face similar challenges in their implementation, to argue that an effective online privacy regulatory system should be built around three key principles. First, the system must multiply monitoring and enforcement resources, and antitrust demonstrates how litigation can fund sophisticated civil-society intermediaries that safeguard consumers. Second, the system must bring violations to light, and anti-fraud policies demonstrate the importance of establishing effective whistleblower programs for data protection. Third, the system must increase governmental accountability, and antitrust provides examples on how to promote public transparency without sacrificing enforcement capacity.

Keywords: Data Protection, Privacy, Enforcement, GDPR, CCPA, Institutional design

JEL Classification: K20, K23, K42

Suggested Citation

Lancieri, Filippo, Narrowing Data Protection's Enforcement Gap (March 10, 2022). 74 Maine Law Review, Issue 1 (2022), Available at SSRN: or

Filippo Lancieri (Contact Author)

ETH Zurich Center For Law and Economics ( email )

ETH-Zentrum SEW E 26
CH-8092 Zurich, Zurich 8006

Stigler Center ( email )

Walker Hall
Chicago, IL 60637
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics