Smart Regulation and the General Data Protection Regulation

Research output: Contribution to journalArticle (Academic Journal)peer-review

169 Downloads (Pure)


Data protection and privacy practitioners are waiting anxiously for the official adoption of the GDPR. The latest indication from the European Commission is that the GDPR will officially be adopted in June/July 2016 and in force as from June/July 2018.

Since political agreement was reached on the GDPR in December 2015, we have a fairly good idea of some of the main aspects of the official legislation, such as the statutory recognition of an 'accountability' principle, a risk-based approach to data protection (eg data protection/privacy impact assessments, privacy by design, breach notification), and enhanced individual rights (eg new right of data portability and right to be forgotten).

Once the GDPR is in force, the litmus test for success will be the consistent implementation, interpretation and enforcement of the Regulation. Many commentators have already warned that the GDPR's promise of harmonization may be more fiction than fact due to the vague and ambiguous provisions of the GDPR (eg legitimate interests provision) as well as the so-called 'open clauses'. 'Open clauses' refer to GDPR provisions where implementation is left to the member-states.

But looking beyond the immediate parapet of the rules, the GDPR is also heralding a move to smart regulation. One aspect of smart regulation is that it involves interactions between diverse stakeholders, such as law-makers, EU DPAs, European Data Protection Board, European Commission, data controllers, data processors, and quasi-regulators (eg third-party certification bodies). Some of these stakeholders, such as EU DPAs and the companies they regulate, used to interact with one another in the pre-GDPR era. However, a move towards smart regulation can often impact on these existing relationships.

In this article, I explore what smart regulation may mean for the relationships between EU DPAs and the companies they regulate. I draw on some of the findings of my recent empirical research project, where I have analysed how some EU DPAs are starting to embrace smart regulation during their investigations of multinational cloud providers, to suggest four potential key aspects of a smart regulatory relationship between EU DPAs and their regulatees. These four points are mere starting points when reflecting on what smart regulation may look like for the relationships between EU DPAs and the companies they oversee. As noted below, much more work needs to be done to flesh out how such relationships will be developed in practice.
Original languageEnglish
Pages (from-to)9-11
Number of pages3
JournalComputers & Law
Publication statusPublished - 30 Mar 2016


Dive into the research topics of 'Smart Regulation and the General Data Protection Regulation'. Together they form a unique fingerprint.

Cite this