The Balkanization of Data Privacy Regulation
46 Pages Posted: 17 Apr 2021
Date Written: March 1, 2020
The General Data Protection Regulation (GDPR), a comprehensive EU Data Privacy Regulation in force since May 2018, has led U.S. companies interested in transatlantic business to a unique awareness and compliance with data protection regulation made in the heart of Europe. According to the predictive model known as the “Brussels effect,” such companies have been spontaneously complying with European rules which are significantly more stringent than those required by U.S. regulators. At the same time, U.S. State legislatures have taken important new measures to regulate consumer privacy, particularly via the California Consumer Privacy Act (CCPA), which provided a narrower consumer protection model than the GDPR. However, because the U.S. federal government is far from taking a comprehensive regulatory path like the GDPR, some States have committed to raising the data privacy protections by following the “California effect” spreading rapidly across U.S. jurisdictions. To better understand the emerging “Balkanization”3 of data privacy regulation, this article relies on three different lenses of analysis: the different cultural and administrative law attitudes of regulators; the diverse political economy regimes in which regulations are implemented; and finally, the path dependencies existing in technological innovation that are reflected by each regulatory regime. This threefold analysis highlights two interrelated phenomena. First, the Balkanization of data privacy regulation does not only lead to costly compliance, but it also leads to essential regulatory experimentation. Second, in the course of such experimentation, public enforcement is increasingly being replaced by privatized oversight, as businesses, rather than courts, are put in charge of monitoring privacy law compliance. In light of this evidence, we claim that the Balkanization of data privacy regulation and the ensuing possibility for experimentation need to be sustained by a heightened degree of public enforcement. Governments should prioritize the role of courts in enforcing privacy rules so as to secure a more egalitarian digital economy and a democratic digital public sphere.
Keywords: GDPR; Data protection; privacy
Suggested Citation: Suggested Citation