Regulation of European Data Protection Officers as Regulatory Intermediaries: Between Public and Transnational Private Regulation

By: Rotem Medzini

The increased use of information as a capital asset and an item for consumption – a phenomenon known as “information capitalism” – has drawn both praise and criticism from politicians, academia, civil society, and IT companies. Specific concerns are linked, for instance, to one manifestation of information capitalism, “platform capitalism” – an economy based on IT companies that provide others (consumers and producers) with the hardware and software foundations on which they operate. On the one hand, platforms are praised as enablers of the commons (Wikipedia and YouTube), as a means of turning underused private property into a source of income (Airbnb and Uber), and as a place for marginalized groups to organize around social justice causes (#MeToo and #BlackLivesMatter). On the other hand, platforms are criticized for entrenching existing inequalities, reducing the bargaining power of workers, and using their market share and power to block competition. Both sides respond with calls for regulation: state regulation on the one hand and self-regulation on the other. My research on internet regulatory intermediaries enters into this political debate over regulation.

In my research I investigate the use of regulatory intermediaries by both public and private actors, seeking to understand how and why actors from both sectors rely on them for regulation. Specifically, in my current research project, I am interested in the role of data protection officers (DPOs) under European data protection policy. Data protection policy is vital to the regulation of information capitalism, as privacy is considered an enabling right, a safeguard against tyranny, and a means of controlling the unintended consequences of intrusions into our personal realms. In practice, data protection policy places several implementation requirements on rule-takers. For example, rule-takers must ensure safe international data transfers (model contractual clauses and binding corporate rules), build privacy into processing operations (Privacy-by-Design), lower risks (data protection certifications and impact assessments), and notify rule-makers and rule-beneficiaries (data breach notification and communication). To ensure correct implementation, European policymakers placed DPOs across the European data protection regime and gave them regulatory roles.

DPOs can be found in most European public authorities, including law enforcement agencies, as well as in private companies whose core activities consist either of regularly and systematically monitoring data subjects or of processing special categories of data on a large scale. As a result, DPOs play a critical role in the regulation of government surveillance and of private companies’ use of big data. DPOs are charged with monitoring compliance on four implementation levels – European provisions, national provisions, corporate data protection policies, and audits. DPOs also need to raise awareness, train staff, act as contact points, and provide advice on data protection impact assessments. So that they can perform their work without interference, the regime grants DPOs several privileges, including independence and protection from conflicts of interest.

Interestingly, however, DPOs are not a new regulatory mechanism in European internet regulatory policy. In fact, DPOs were first developed as a self-regulation mechanism in Germany as part of the national data protection laws. These laws predated the European data protection directive of 1995 and the old regime that surrounded that directive. In my research, I trace the diffusion of data protection officers from German law to the old European data protection regime; the politics surrounding their adoption and regulation; and the reasons for their expanded role in the new data protection regime. This new regime centers on the General Data Protection Regulation (GDPR) and its “sister” data protection regulations and directives. I found that the decision of supranational policymakers to rely on DPOs results from three factors: the introduction of the accountability principle, the decision to support that principle with predefined process-based regulation, and the observed success of DPOs in Germany.

This decision to rely on DPOs represents a shift in internet policy from public and national regulation to transnational private regulation, which is implemented by rule-takers, monitored by data protection officers, and enforced by data protection supervisory authorities (DPAs). This new conceptualization can help both the policymakers and the companies that implement data protection policies to understand more clearly who actually regulates data protection.