Chapter 3 shows that a number of the issues that data protection has encountered and which have served as the impetus for the GDPR reform process can be understood from the regulatory viewpoint. More in particular, they amount to the traditional criticism addressed against command and control rulemaking. It is possible to argue that the command and control model of regulation is based upon two assumptions. First, enforcement is operated through sanctions or the threat thereof—what is referred to as deterrencedeterrence|, and it is assumed that such deterrence always works. Second, it is assumed that the regulatory goalsregulatory goals| (and the standards and safeguards they lead to) are somewhat unproblematic. This last set of issues is multi-dimensional insofar as it affects the determination of what counts as an adequate standard and safeguard, but it also affects the implementation in practice of these standards. Just as determining what is the behaviour that will lead to the achievement of regulators is less than obvious, so is the concrete implementation and compliance with the various rules that are meant to lead to such behaviour. This is encapsulated for instance in the data controllers’ uncertainty on how exactly to apply certain data protection provisions, or in the inefficiency of a number of mechanisms such as notification obligations. Finally, due notice should be paid to technological evolutions, which can aggravate these issues.
A discussion on the resilience of command and control regulation within regulatory behavior theories
