This study explores the divergence in data protection enforcement strategies among national agencies. Whereas the literature on cross-national enforcement practices is scarce, this study develops a scale for data protection enforcement strategies and measures and compares enforcement choices across agencies. Based on survey responses from 18 DPAs, interviews with DPA employees, and secondary sources on GDPR implementation, the paper clusters DPAs based on enforcement strategies, analyzes cross-national variations, and investigates misalignments between strategy and actions. Using Fuzzy-Set Qualitative Comparative Analysis, the paper tests how bureaucratic and political contexts (organizational capacities, budget sources, and issue saliency) impact enforcement choices. Almost half of studied DPAs reflect high deterrence by their strategy, but for many of them, lack of resources and expertise inhibits the translation of strategy into practice. This study provides a starting point for understanding the national impacts of Europeanization post-GDPR, adding empirical support for theorizing about enforcement across the EU.
Recent data protection laws in the EU institutionalize NGO engagement with regulators and enable new mechanisms for bottom-up policy implementation. We study thirteen European NGOs and map their contribution to policy implementation based on a novel typology for understanding their scope (national vs. transnational) and goals (direct vs. strategic) of actions. We ask: how do NGOs vary in their contribution to data privacy implementation in Europe? What are the implications of those variations for differentiated policy implementation and EU problem-solving capacity? Through analyses of NGOs’ news articles and GDPR complaints, we find that NGOs converge toward privileging a transnational strategic civic enforcement model, using pan-European privacy cases to alter policy implementation, over individual citizen advocacy and empowerment at the national level. Civic engagement has served to mitigate cross-border policy implementation disparities, while preserving considerable regulatory discretion nationally. Integrating NGOs into the analysis of differential policy implementation of data protection helps shed light on the evolving nature of civil liberties in Europe.
How does the U.S. balance privacy with national security? This article analyzes how the three regulatory regimes of information collection for criminal investigations, foreign intelligence gathering, and cybersecurity have balanced privacy with national security over a 50‐year period. A longitudinal, arena‐based analysis is conducted of policies (N = 63) introduced between 1968 and 2018 to determine how policy processes harm, compromise, or complement privacy and national security. The study considers the roles of context, process, actor variance, and commercial interests in these policy constructions. Analysis over time reveals that policy actors’ instrumental use of technological contexts and invocations of security crises and privacy scandals have influenced policy changes. Analysis across policy arenas shows that actor variance and levels of transparency in the process shape policy outcomes and highlights the conflicting roles of commercial interests in favor of and in opposition to privacy safeguards. While the existing literature does address these relationships, it mostly focuses on one of the three regulatory regimes over a limited period. Considering these regimes together, the article uses a comparative process‐tracing analysis to show how and explain why policy processes dynamically construct different kinds of relationships across time and space.
Despite promises by European Union (EU) policymakers to “fundamentally change” cybersecurity certification, they have recently created a regime that is strikingly similar to already existing certification arrangements. How can we explain this puzzle? Through a process-tracing analysis based on 41 documents and 18 interviews, this article traces the development of the EU cybersecurity certification regime over the past two decades. It deconstructs certification into standardisation, accreditation, certification, and evaluation; analyses how each regime component changed over time; and discusses to what extent causal mechanisms that are derived from classic theories of EU integration explain the limited nature of policy change. The observed dynamics uncover a “Europeanization on Demand” model that allows national authorities to completely control the extent of integration. This study challenges the dichotomous understanding portrayed by EU integration literature, of mutually exclusive dynamics of market or core state powers integration, highlighting intriguing political dynamics in EU cybersecurity policymaking.
In January 2019, Google was slapped with a $50 million fine by the French Data Protection Authority, the Commission Nationale de l'Informatique et des Libertés (CNIL). The CNIL found that the company had failed to provide adequate transparency around how data was authorized and collected from users of its Android operating system. In addition to being one of the first major penalties levied under Europe's signature data privacy law, the General Data Protection Regulation (GDPR), the case is notable because it was initiated collectively by two NGOs, the French La Quadrature du Net (LQDN) and the Austrian None of Your Business (noyb). Since the Google case, NGOs have been behind some of the largest GDPR fines in
Regulation in cyberspace is an emerging challenge. It is a complex and dynamic domain that is largely driven by the business-civilian sector and has the potential to cause significant damage to national security. This essay surveys the unique characteristics of cyberspace and the various strategies adopted in other countries in order to manage cyber risk. It proposes a multilayered regulatory model together with concrete recommendations for the regulation of the business-civilian sector in cyberspace. The resilience of the private sector in cyberspace is directly related to national security. The private sector usually constitutes the weak point where a cyber-attack develops. Nonetheless, the survey of regulation in cyberspace in Western countries, including Israel, points to the lack of an appropriate response to this weakness. This essay attempts to fill that gap and, in order to do so, it makes use of the regulatory principles used by other countries— the United States, Britain, France, Germany, and the European Union—and also learns from other regulated domains, namely environmental protection and nuclear energy. National approaches, the variety of regulatory tools, and the systems of incentives used in the attempts to regulate cyberspace worldwide, together with models for collaboration between the public and private sectors and state compensation mechanisms that were observed in environmental protection and nuclear energy domains, have contributed to the development of an innovative regulatory model for cyberspace in the business-civilian sector in Israel.