Data protection as command and control regulation
Chapter 2 demonstrates that data protection can be understood as command and control regulation by applying the three constitutive elements of regulation (standard setting, monitoring, behaviour control) thereto. If one wants to understand the modus operandi of newer models of regulation as applied to data protection (namely risk-based model of regulation), one must first understand the basis. That is, how data protection can be understood as regulation in the first place. This standpoint has another corollary. Since newer models of regulation are featured in contemporary statutes (with the GDPR as a prime example), an understanding of data protection as command and control regulation entails to study less contemporary statutes. The prime case study will therefore be the EU Data Protection Directive, which, even though not in force anymore is considered a suitable case for analysis as it embodies earlier models of regulation. Because this chapter is retrospective in scope (i.e. looking at previous data protection statutes in order to better understand the current ones), it often refers to historical sources of data protection (e.g. statutes and literature).