Demystifying the modernized European data protection regime: cross-disciplinary insights from legal and regulatory governance scholarship

Research output: Contribution to journalArticlepeer-review


Colleges, School and Institutes


This paper critically examines fundamental aspects of the recently revamped European regime for protection of personal data, focusing on the General Data Protection Regulation (GDPR) adopted by the European Union (EU) in 2016. Although the GDPR is now a central concern for many organisations across multiple sectors, many complain that it is confusing, unclear and complex. By combining knowledge from two disciplinary perspectives – regulatory governance scholarship on the one hand and legal scholarship from the fields of data protection law, constitutional law and fundamental rights on the other – this paper seeks to ‘demystify’ key aspects of the regime’s architecture and approach in light of the significant uncertainties concerning the nature and scope of its requirements. In particular, the paper examines potential tension between the regime’s pronounced ‘risk-based’ approach to compliance and its basic objective of safeguarding fundamental rights, and the challenges facing data protection authorities in providing timely clarifications of the regime’s norms. We argue that, despite its complex and arcane character and continuing uncertainty about the precise scope of its requirements, the regime is an innovative hybrid with a significant degree of in-built ‘future-proofing’ that should help render it more resistant to being rapidly overtaken or outpaced by organisational-technological developments. A secondary aim of the paper is to demonstrate how academic insights from two distinct but related disciplinary perspectives – legal scholarship and regulatory governance studies – offer a potentially fruitful approach to enrich understandings of the European data protection regime in particular, and of the mechanics, efficacy and legitimacy of regulatory governance regimes more generally


Original languageEnglish
JournalRegulation & Governance
Early online date4 May 2021
Publication statusE-pub ahead of print - 4 May 2021


  • data protection, data protection authorities, fundamental rights, regulatory governance, risk management