The risk-based approach in practice

Author(s):  
Raphaël Gellert

The goal of this chapter is to analyse some of the main caveats associated with the risk-based approach in practice, that is, with the use of meta regulation. The risk-based approach is an attempt to address some of the issues that data protection as command and control regulation has faced. However, in trying to address these issues, and in particular (but not only) through the use of risk management as the main tool of regulation, the risk-based approach creates a number of new problems. More particularly, one can distinguish between three different sets of issues: methodological issues, concerning the techniques for assessing and managing risks; regulatory issues, in particular as far as the collaboration between regulators and regulatees is concerned; and implementational issues, that is, concerning the way in which risk management is actually implemented in practice, “on the ground”.

Author(s):  
Raphaël Gellert

Chapter 3 shows that a number of the issues that data protection has encountered, and which have served as the impetus for the GDPR reform process, can be understood from the regulatory viewpoint. More particularly, they amount to the traditional criticism addressed against command and control rulemaking. It is possible to argue that the command and control model of regulation is based upon two assumptions. First, enforcement is operated through sanctions or the threat thereof—what is referred to as deterrence—and it is assumed that such deterrence always works. Second, it is assumed that the regulatory goals (and the standards and safeguards they lead to) are somewhat unproblematic. This last set of issues is multi-dimensional insofar as it affects the determination of what counts as an adequate standard and safeguard, but it also affects the implementation in practice of these standards. Just as determining which behaviour will lead to the achievement of regulatory goals is less than obvious, so is the concrete implementation of, and compliance with, the various rules that are meant to lead to such behaviour. This is encapsulated, for instance, in data controllers’ uncertainty about how exactly to apply certain data protection provisions, or in the inefficiency of a number of mechanisms such as notification obligations. Finally, due notice should be paid to technological evolutions, which can aggravate these issues.


Author(s):  
Raphaël Gellert

Chapter 4 explains the rationale for changing regulatory models from the standpoint of regulation theory. A newer model of regulation known as meta regulation is sought as a solution to the main issues plaguing command and control regulation. Namely, the effectiveness of deterrence strategies has often been disappointing, and linear processes of standard setting and the safeguards associated thereto have not always managed to properly address the harms stemming from data processing practices. Therefore, evolutions in regulation models have sought to address these two issues by resorting to more collaborative models of regulation. Following collaboration between regulators and regulatees, enforcement will cease to be sought through punishment, but rather through collaboration and dialogue between the regulator and the regulatee, the object of such dialogue being a problematisation of how best to achieve regulatory goals. Simultaneously, in terms of standard setting and safeguards, new regulation models consist in endowing regulatees with regulatory responsibility (in terms of implementing or even devising standards and safeguards), and enabling regulators to assess their performance. Particular emphasis is put on the responsibilisation of the regulatees. The latter is the necessary condition for any collaborative model of regulation. Meta regulation is the collaborative model of regulation at stake. It bestows regulatory tasks (i.e. standard setting, monitoring, and behaviour control) upon regulatees, and it underpins the risk-based approach to data protection. Such responsibility, however, also entails a re-coding of the regulatees’ activities as a matter of risk management.


Author(s):  
Raphaël Gellert

Chapter 2 demonstrates that data protection can be understood as command and control regulation by applying the three constitutive elements of regulation (standard setting, monitoring, behaviour control) thereto. If one wants to understand the modus operandi of newer models of regulation as applied to data protection (namely the risk-based model of regulation), one must first understand the basis, that is, how data protection can be understood as regulation in the first place. This standpoint has another corollary. Since newer models of regulation are featured in contemporary statutes (with the GDPR as a prime example), an understanding of data protection as command and control regulation entails studying less contemporary statutes. The prime case study will therefore be the EU Data Protection Directive, which, even though it is no longer in force, is considered a suitable case for analysis as it embodies earlier models of regulation. Because this chapter is retrospective in scope (i.e. looking at previous data protection statutes in order to better understand the current ones), it often refers to historical sources of data protection (e.g. statutes and literature).


Author(s):  
Raphaël Gellert

The main goal of this book is to provide an understanding of what is commonly referred to as “the risk-based approach to data protection”, an expression that came to the fore during the overhaul process of the EU’s General Data Protection Regulation (GDPR)—even though it can also be found in other statutes under different acceptations. At its core it consists in endowing the regulated organisations that process personal data with increased responsibility for complying with data protection mandates. Such increased compliance duties are performed through risk management tools. The book addresses this topic from various perspectives. In framing the risk-based approach as the latest model in a series of regulation models, the book provides an analysis of data protection law from the perspective of regulation theory as well as risk and risk management literatures, and their mutual interlinkages. Further, it provides an overview of the policy developments that led to the adoption of such an approach, which it discusses in the light of regulation theory. It also includes various discussions pertaining to the risk-based approach’s scope and meaning, to the way it has been taken up in statutes, including key provisions such as accountability and data protection impact assessments, and to its potential and limitations. Finally, it analyses how the risk-based approach can be implemented in practice by providing technical analyses of various data protection risk management methodologies.


Author(s):  
Cary Coglianese ◽  
Evan Mendelson

The conventional view of regulation emphasises two opposing conditions: freedom and control. Government can either leave businesses with complete discretion to act according to their own interests, or it can impose regulations taking that discretion away by threatening sanctions aimed at bringing firms' interests into alignment with those of society as a whole. This article focuses specifically on two alternatives to traditional, so-called command-and-control regulation: namely, meta-regulation and self-regulation. It defines these alternatives and situates their use in an overall regulatory governance toolkit. Drawing on the existing body of social science research on regulatory alternatives, this article identifies some of the strengths and weaknesses of both meta-regulation and self-regulation, and considers how these strengths and weaknesses are affected by different policy conditions.