[This blog is part of a series on the pandemic. The introduction to the series can be found here.]
Two types of data enjoy freedom of movement within cyberspace networks: public data and personal data. On the one hand, at the international level, public data have been subjected to a policy of openness and spontaneous dissemination, mainly since the adoption of the G8 Open Data Charter in 2013 and the International Open Data Charter in 2015. On the other hand, personal data are generally governed by fundamental rights, namely the protection of privacy and personal data (Articles 7 and 8 of the EU Charter of Fundamental Rights, EU-Charter). Public data are not unrelated to the guarantee of fundamental rights, especially if they are private (Lanna, 2018). Accordingly, the collection, processing and re-use of data by public or private actors is regulated by law.
European data protection authorities (EU DPAs) play crucial roles in protecting personal data rights. However, many EU DPAs do not have adequate access to resources in order to be effective data privacy protectors. Although the data privacy law literature recognizes that many EU DPAs operate within such constraints, to date, there has been a dearth of empirical studies on how limited resources can impact on enforcement. A new article* makes a modest attempt to address this empirical gap by analysing selected empirical findings of a recent project which examined the investigations of multinational cloud providers by EU DPAs (Cloud Investigations).
This article draws on the fields of socio-legal studies and regulation to interpret these empirical findings and advances three arguments. First, due to their fiscal constraints, some EU DPAs often have to make tactical enforcement decisions about initiating Cloud Investigations as well as the foci and methods of Cloud Investigations. The decision-making process can be very complex for some EU DPAs, as they have to not only consider but also at times balance a broad range of factors, including external pressures, law and enforcement styles. Second, hybrid forms of data governance can often emerge during Cloud Investigations as EU DPAs delegate their regulatory tasks to private and governmental (other than EU DPAs) actors because of limited resources. Finally, this article suggests that hybrid data governance needs to be carefully designed in order to ensure effective and robust data governance. Suggestions are made on how the ‘regulatory space’ can be designed in order to promote accountability, trust, robust data protection and effective multi-actor collaboration.