Demystifying the modernized European data protection regime: cross-disciplinary insights from legal and regulatory governance scholarship

Research output: Contribution to journal › Article › peer-review

Bibtex

@article{38a39acdc5bc4903bafcbf1087c54dd9,
title = "Demystifying the modernized European data protection regime: cross-disciplinary insights from legal and regulatory governance scholarship",
abstract = "This article critically examines fundamental aspects of the recently reformed European regime for protection of personal data, focusing on the General Data Protection Regulation (GDPR) adopted by the European Union (EU) in 2016. Although the GDPR is now a central concern for many organizations across multiple sectors, many complain that it is arcane, confusing, and complex. By combining knowledge from two disciplinary perspectives – from regulatory governance scholarship, on the one hand, with legal scholarship from the fields of data protection law, constitutional law, and fundamental rights, on the other hand – this article seeks to “demystify” the key elements of the regime's architecture and approach in light of the significant uncertainties concerning the nature of its requirements. In particular, this article examines the tension between the regime's pronounced “risk-based” approach to compliance and its basic objective of safeguarding fundamental rights, and the challenges facing data protection authorities in providing timely clarifications of the regime's norms. We argue that, despite its complex and arcane character and continuing uncertainty about the precise scope of its requirements, the regime is an innovative hybrid with a significant degree of in-built “future-proofing” that should help render it more resistant to being rapidly overtaken or outpaced by organizational–technological developments. The secondary aim of this article is to demonstrate how academic insights from two distinct but related disciplinary perspectives – legal scholarship and regulatory governance studies – offer a potentially fruitful approach to enrich understandings of the European data protection regime in particular, and of the mechanics, efficacy, and legitimacy of regulatory governance regimes more generally.",
keywords = "data protection, data protection authorities, fundamental rights, regulatory governance, risk management",
author = "Karen Yeung and Bygrave, {Lee A}",
note = "Publisher Copyright: {\textcopyright} 2021 The Authors. Regulation \& Governance published by John Wiley \& Sons Australia, Ltd.",
year = "2021",
month = may,
day = "4",
doi = "10.1111/rego.12401",
language = "English",
journal = "Regulation \& Governance",
issn = "1748-5983",
publisher = "Blackwell-Wiley",

}

RIS

TY - JOUR

T1 - Demystifying the modernized European data protection regime

T2 - cross-disciplinary insights from legal and regulatory governance scholarship

AU - Yeung, Karen

AU - Bygrave, Lee A

N1 - Publisher Copyright: © 2021 The Authors. Regulation & Governance published by John Wiley & Sons Australia, Ltd.

PY - 2021/5/4

Y1 - 2021/5/4

AB - This article critically examines fundamental aspects of the recently reformed European regime for protection of personal data, focusing on the General Data Protection Regulation (GDPR) adopted by the European Union (EU) in 2016. Although the GDPR is now a central concern for many organizations across multiple sectors, many complain that it is arcane, confusing, and complex. By combining knowledge from two disciplinary perspectives – from regulatory governance scholarship, on the one hand, with legal scholarship from the fields of data protection law, constitutional law, and fundamental rights, on the other hand – this article seeks to “demystify” the key elements of the regime's architecture and approach in light of the significant uncertainties concerning the nature of its requirements. In particular, this article examines the tension between the regime's pronounced “risk-based” approach to compliance and its basic objective of safeguarding fundamental rights, and the challenges facing data protection authorities in providing timely clarifications of the regime's norms. We argue that, despite its complex and arcane character and continuing uncertainty about the precise scope of its requirements, the regime is an innovative hybrid with a significant degree of in-built “future-proofing” that should help render it more resistant to being rapidly overtaken or outpaced by organizational–technological developments. The secondary aim of this article is to demonstrate how academic insights from two distinct but related disciplinary perspectives – legal scholarship and regulatory governance studies – offer a potentially fruitful approach to enrich understandings of the European data protection regime in particular, and of the mechanics, efficacy, and legitimacy of regulatory governance regimes more generally.

KW - data protection

KW - data protection authorities

KW - fundamental rights

KW - regulatory governance

KW - risk management

UR - http://www.scopus.com/inward/record.url?scp=85104993702&partnerID=8YFLogxK

U2 - 10.1111/rego.12401

DO - 10.1111/rego.12401

M3 - Article

JO - Regulation & Governance

JF - Regulation & Governance

SN - 1748-5983

ER -