The Balkanization of Data Privacy Regulation

46 Pages Posted: 17 Apr 2021

See all articles by Fernanda Nicola

Fernanda Nicola

American University - Washington College of Law

Oreste Pollicino

Bocconi University - Department of Law

Date Written: March 1, 2020


The General Data Protection Regulation (GDPR), a comprehensive EU Data Privacy Regulation in force since May 2018, has led U.S. companies interested in transatlantic business to a unique awareness and compliance with data protection regulation made in the heart of Europe. According to the predictive model known as the “Brussels effect,” such companies have been spontaneously complying with European rules which are significantly more stringent than those required by U.S. regulators. At the same time, U.S. State legislatures have taken important new measures to regulate consumer privacy, particularly via the California Consumer Privacy Act (CCPA), which provided a narrower consumer protection model than the GDPR. However, because the U.S. federal government is far from taking a comprehensive regulatory path like the GDPR, some States have committed to raising the data privacy protections by following the “California effect” spreading rapidly across U.S. jurisdictions. To better understand the emerging “Balkanization”3 of data privacy regulation, this article relies on three different lenses of analysis: the different cultural and administrative law attitudes of regulators; the diverse political economy regimes in which regulations are implemented; and finally, the path dependencies existing in technological innovation that are reflected by each regulatory regime. This threefold analysis highlights two interrelated phenomena. First, the Balkanization of data privacy regulation does not only lead to costly compliance, but it also leads to essential regulatory experimentation. Second, in the course of such experimentation, public enforcement is increasingly being replaced by privatized oversight, as businesses, rather than courts, are put in charge of monitoring privacy law compliance. In light of this evidence, we claim that the Balkanization of data privacy regulation and the ensuing possibility for experimentation need to be sustained by a heightened degree of public enforcement. Governments should prioritize the role of courts in enforcing privacy rules so as to secure a more egalitarian digital economy and a democratic digital public sphere.

Keywords: GDPR; Data protection; privacy

Suggested Citation

Nicola, Fernanda Giorgia and Pollicino, Oreste, The Balkanization of Data Privacy Regulation (March 1, 2020). West Virginia Law Review, Vol. 123, No. 61, 2020, Available at SSRN:

Fernanda Giorgia Nicola

American University - Washington College of Law ( email )

4300 Nebraska Avenue, NW
Washington, DC 20016
United States

Oreste Pollicino (Contact Author)

Bocconi University - Department of Law ( email )

Via Roentgen, 1
Milan, Milan 20136

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics