{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T04:08:15Z","timestamp":1778126895254,"version":"3.51.4"},"reference-count":92,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2024,9,10]],"date-time":"2024-09-10T00:00:00Z","timestamp":1725926400000},"content-version":"vor","delay-in-days":253,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100000266","name":"EPSRC","doi-asserted-by":"publisher","award":["EP\/S022503\/1"],"award-info":[{"award-number":["EP\/S022503\/1"]}],"id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100000266","name":"EPSRC","doi-asserted-by":"publisher","award":["EP\/W032368\/1"],"award-info":[{"award-number":["EP\/W032368\/1"]}],"id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2024,1,2]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>Data protection regulations like the General Data Protection Regulation (GDPR) are increasingly important in securing individuals\u2019 privacy as society goes digital. The success of any regulation, however good, ultimately depends on how well it is executed. Existing literature fails to answer what good execution means in this context. We research what practitioners think are the objectives of data protection regulators and how they evaluate their effectiveness. We explore novel ways to assess regulator performance more systematically. We surveyed 70 chief information security officers and conducted 23 structured interviews. The interviewees included informed business executives, lawyers, digital rights activists, and four national regulators. We supplement it with an analysis of diverse enforcement databases. Our findings indicate a mismatch between the broad presumed objectives attributed to regulators and the narrow criteria used to judge them in practice. Perception of the regulator\u2019s effectiveness is subjective, sanctions-focused, and influenced by one\u2019s role and responsibilities. Moreover, the independence of regulators, intentionally designed to insulate them from daily politics, raises serious questions of accountability. We examine the historical, cultural, and organizational motivations behind the current byzantine complexity of the GDPR regime. Lastly, we contribute a series of key performance indicators and make structural suggestions around centralized and standardized reporting of cases to deliver improved learning, legitimacy, transparency, and comparability. We believe our findings have important implications for the future development of regulator assessment and accountability in Europe and in the growing number of GDPR-like regimes outside Europe.<\/jats:p>","DOI":"10.1093\/cybsec\/tyae017","type":"journal-article","created":{"date-parts":[[2024,9,10]],"date-time":"2024-09-10T17:03:28Z","timestamp":1725987808000},"source":"Crossref","is-referenced-by-count":7,"title":["GDPR and the indefinable effectiveness of privacy regulators: Can performance assessment be improved?"],"prefix":"10.1093","volume":"10","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9261-0815","authenticated-orcid":false,"given":"Gerard","family":"Buckley","sequence":"first","affiliation":[{"name":"Department of Computer Science, UCL , Gower Street, WC1E 6BT, London ,","place":["United Kingdom"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7039-6472","authenticated-orcid":false,"given":"Tristan","family":"Caulfield","sequence":"additional","affiliation":[{"name":"Department of Computer Science, UCL , Gower Street, WC1E 6BT, London ,","place":["United Kingdom"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3963-4743","authenticated-orcid":false,"given":"Ingolf","family":"Becker","sequence":"additional","affiliation":[{"name":"Department of Security & Crime Science, UCL , Gower Street, WC1E 6BT, London ,","place":["United Kingdom"]}]}],"member":"286","published-online":{"date-parts":[[2024,9,10]]},"reference":[{"key":"2024121909134456200_bib1","doi-asserted-by":"publisher","DOI":"10.1787\/9789264116573-4-en","article-title":"Setting the scene: the importance of regulatory policy","author":"OECD","year":"2011"},{"key":"2024121909134456200_bib2","doi-asserted-by":"publisher","first-page":"1","DOI":"10.3316\/ielapa.200206927","article-title":"Critical reflections on regulation [Plus a reply by Dimity Kingsford Smith]","volume":"27","author":"Black","year":"2002","journal-title":"Aust J Legal Phil"},{"key":"2024121909134456200_bib3","article-title":"Good practice guidance: Principles of effective regulation","author":"National Audit Office","year":"2021"},{"key":"2024121909134456200_bib4","doi-asserted-by":"crossref","DOI":"10.4159\/9780674028760","volume-title":"Regulation and Its Reform","author":"Breyer","year":"1982"},{"key":"2024121909134456200_bib5","volume-title":"Regulation: Legal form and Economic Theory","author":"Ogus","year":"2004"},{"key":"2024121909134456200_bib6","volume-title":"The Political Economy of Regulation: Creating, Designing, and Removing Regulatory Forms","author":"Mitnick","year":"1980"},{"key":"2024121909134456200_bib7","volume-title":"The Public Interest Test","author":"Information Commissioners Office","year":"2023"},{"key":"2024121909134456200_bib8","volume-title":"Understanding Regulation: Theory, Strategy, and Practice","author":"Baldwin","year":"2012"},{"key":"2024121909134456200_bib9","doi-asserted-by":"crossref","first-page":"691","DOI":"10.1046\/j.0023-9216.2003.03703001.x","article-title":"Management-based regulation: prescribing private management to achieve public goals","volume":"37","author":"Coglianese","year":"2003","journal-title":"Law Soc Rev"},{"key":"2024121909134456200_bib10","doi-asserted-by":"crossref","first-page":"421","DOI":"10.1162\/002081800551280","article-title":"Hard and soft law in international governance","volume":"54","author":"Abbott","year":"2000","journal-title":"Int Organ"},{"key":"2024121909134456200_bib11","doi-asserted-by":"crossref","first-page":"152","DOI":"10.1111\/j.1540-6210.2004.00357.x","article-title":"The regulation dilemma: cooperation and conflict in environmental governance","volume":"64","author":"Potoski","year":"2004","journal-title":"Publ Adm Rev"},{"key":"2024121909134456200_bib12","doi-asserted-by":"crossref","first-page":"385","DOI":"10.1111\/j.1467-9930.1984.tb00334.x","article-title":"Voluntary compliance and regulatory enforcement","volume":"6","author":"Scholz","year":"1984","journal-title":"Law Pol"},{"key":"2024121909134456200_bib13","doi-asserted-by":"crossref","DOI":"10.1093\/oso\/9780195070705.001.0001","volume-title":"Responsive Regulation: Transcending the Deregulation Debate","author":"Ayres","year":"1992"},{"key":"2024121909134456200_bib14","doi-asserted-by":"crossref","first-page":"95","DOI":"10.1111\/j.1748-5991.2012.01167.x","article-title":"Taking responsive regulation transnational: strategies for international organizations","volume":"7","author":"Abbott","year":"2013","journal-title":"Regul Gov"},{"key":"2024121909134456200_bib15","doi-asserted-by":"crossref","first-page":"307","DOI":"10.1111\/j.1747-4469.2004.tb00338.x","article-title":"Social license and environmental protection: why businesses go beyond compliance","volume":"29","author":"Gunningham","year":"2004","journal-title":"Law Soc Inq"},{"key":"2024121909134456200_bib16","doi-asserted-by":"crossref","first-page":"167","DOI":"10.1111\/j.1540-5893.2012.00476.x","article-title":"Making way: legal mobilization, organizational response, and wheelchair access","volume":"46","author":"Barnes","year":"2012","journal-title":"Law Soc Rev"},{"key":"2024121909134456200_bib17","article-title":"What is the European Convention on human rights? | equality and human rights commission","author":"Equality and Human Right Commission","year":"2017"},{"key":"2024121909134456200_bib18","article-title":"Article 8: respect for your private and family life | equality and human rights commission","author":"Equality and Human Right Commission","year":"2021"},{"key":"2024121909134456200_bib19","volume-title":"Data Protection Law","author":"Bygrave","year":"2002"},{"key":"2024121909134456200_bib20","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-319-05023-2","volume-title":"The Emergence of Personal Data Protection As a Fundamental Right of the EU","author":"Fuster","year":"2014"},{"key":"2024121909134456200_bib21","first-page":"113","article-title":"Data protection law in the EU: roles, responsibilities and liability","volume":"3","author":"Van\u00a0Alsenoy","year":"2019","journal-title":"J Data Prot Priv"},{"key":"2024121909134456200_bib22","article-title":"Federal constitutional court\u2014decisions\u2014on the constitutionality of the 1983 Census Act","author":"Senat Bundesverfassungsgericht","year":"1983"},{"key":"2024121909134456200_bib23","doi-asserted-by":"crossref","first-page":"45","DOI":"10.1007\/978-1-4020-9498-9_2","article-title":"The right to informational self-determination and the value of self-development: reassessing the importance of privacy for democracy","volume-title":"Reinventing Data Protection?","author":"Rouvroy","year":"2009"},{"key":"2024121909134456200_bib24","article-title":"Informational self-determination","author":"Wikipedia","year":"2022"},{"key":"2024121909134456200_bib25","first-page":"31","article-title":"Data protection directive","volume":"281","author":"European Union","year":"1995","journal-title":"Official Journal L"},{"key":"2024121909134456200_bib26","article-title":"Charter of fundamental rights of the European Union (2000\/C 364\/01)","author":"European Union","year":"2000"},{"key":"2024121909134456200_bib27","article-title":"General data protection regulation (GDPR)\u2014official legal text","author":"EU","year":"2018"},{"key":"2024121909134456200_bib28","volume-title":"The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power","author":"Zuboff","year":"2019"},{"key":"2024121909134456200_bib29","doi-asserted-by":"crossref","first-page":"609","DOI":"10.1162\/002081802760199908","article-title":"Paths to compliance: enforcement, management, and the European Union","volume":"56","author":"Tallberg","year":"2002","journal-title":"Int Organ"},{"key":"2024121909134456200_bib30","doi-asserted-by":"crossref","first-page":"873","DOI":"10.1080\/1350176022000046409","article-title":"Policy credibility and delegation to independent regulatory agencies: a comparative empirical analysis","volume":"9","author":"Gilardi","year":"2002","journal-title":"J Eur Public Policy"},{"key":"2024121909134456200_bib31","doi-asserted-by":"crossref","first-page":"311","DOI":"10.2307\/2585666","article-title":"A political explanation of variations in central bank independence","volume":"92","author":"Bernhard","year":"1998","journal-title":"Am Polit Sci Rev"},{"key":"2024121909134456200_bib32","doi-asserted-by":"crossref","first-page":"751","DOI":"10.1162\/002081802760403766","article-title":"Checks and balances, private information, and the credibility of monetary commitments","volume":"56","author":"Keefer","year":"2002","journal-title":"Int Organ"},{"key":"2024121909134456200_bib33","doi-asserted-by":"crossref","first-page":"101","DOI":"10.1093\/oxfordjournals.jleo.a023375","article-title":"Choosing strategies to control the bureaucracy: statutory constraints, oversight, and the committee system","volume":"13","author":"Bawn","year":"1997","journal-title":"J Law Econ Organ"},{"key":"2024121909134456200_bib34","doi-asserted-by":"crossref","first-page":"588","DOI":"10.2307\/2111064","article-title":"A theory of political control and agency discretion","volume":"33","author":"Calvert","year":"1989","journal-title":"Am J Polit Sci"},{"key":"2024121909134456200_bib35","doi-asserted-by":"crossref","first-page":"595","DOI":"10.2307\/3234884","article-title":"Regulatory issue networks in a federal system","volume":"18","author":"Gormley","year":"1986","journal-title":"Polity"},{"key":"2024121909134456200_bib36","first-page":"407","article-title":"Administrative Law and agency policy-making: rethinking the positive theory of political control","volume":"14","author":"Spence","year":"1997","journal-title":"Yale J Regul"},{"key":"2024121909134456200_bib37","doi-asserted-by":"crossref","first-page":"62","DOI":"10.2307\/2083075","article-title":"Political control versus expertise: congressional choices about administrative procedures","volume":"89","author":"Bawn","year":"1995","journal-title":"Am Polit Sci Rev"},{"key":"2024121909134456200_bib38","doi-asserted-by":"crossref","first-page":"26","DOI":"10.1111\/j.1540-6210.2011.02506.x","article-title":"Reputation and public administration","volume":"72","author":"Carpenter","year":"2012","journal-title":"Publ Adm Rev"},{"key":"2024121909134456200_bib39","doi-asserted-by":"crossref","first-page":"113","DOI":"10.1017\/S0898588X01010069","article-title":"The political foundations of bureaucratic autonomy: a response to kernell","volume":"15","author":"Carpenter","year":"2001","journal-title":"Stud Am Polit Dev"},{"key":"2024121909134456200_bib40","article-title":"Art. 68 GDPR\u2013European Data Protection Board","author":"EU","year":"2018"},{"key":"2024121909134456200_bib41","article-title":"EDPB Work Programme 2023\/2024","author":"European Data Protection Board","year":"2023"},{"key":"2024121909134456200_bib42","article-title":"Art. 51 GDPR\u2013Supervisory authority","author":"EU","year":"2018"},{"key":"2024121909134456200_bib43","article-title":"Art. 52 GDPR\u2013Independence","author":"EU","year":"2018"},{"key":"2024121909134456200_bib44","article-title":"Art. 59 GDPR\u2013Activity reports","author":"EU","year":"2018"},{"key":"2024121909134456200_bib45","article-title":"Art. 58 GDPR\u2013Powers","author":"EU","year":"2018"},{"key":"2024121909134456200_bib46","volume-title":"Comparing Regulatory Systems: Institutions, Processes and Legal Forms in Industrialised Countries","author":"Ogus","year":"2004"},{"key":"2024121909134456200_bib47","first-page":"1449","article-title":"Chapter 25 the effects of economic regulation","volume-title":"Handbook of Industrial Organization","author":"Joskow","year":"1989"},{"key":"2024121909134456200_bib48","doi-asserted-by":"crossref","first-page":"192","DOI":"10.1093\/reep\/rem012","article-title":"How Well Does the Government Do Cost-Benefit Analysis?","volume":"1","author":"Hahn","year":"2004","journal-title":"Review of environmental economics and policy"},{"key":"2024121909134456200_bib49","article-title":"Measuring regulatory performance: evaluating the impact of regulation and regulatory policy","author":"Coglianese","year":"2012"},{"key":"2024121909134456200_bib50","article-title":"Performance measurement by regulators","author":"National Audit Office","year":"2016"},{"key":"2024121909134456200_bib51","article-title":"General data protection regulation one year on","author":"European Commission"},{"key":"2024121909134456200_bib52","article-title":"Report 2021 overview on resources and enforcement","author":"EDPB","year":"2021"},{"key":"2024121909134456200_bib53","article-title":"Report 2022 overview on resources and enforcement","author":"EDPB","year":"2022"},{"key":"2024121909134456200_bib54","article-title":"Data Protection Commission Annual report 2021","author":"The Irish Data Protection Commission","year":"2022"},{"key":"2024121909134456200_bib55","article-title":"Data Protection Commission Annual Report 2022","author":"The Irish Data Protection Commission","year":"2023"},{"key":"2024121909134456200_bib56","article-title":"ICCL launches European Ombudsman complaint against European Commission\u2019s failure to take Ireland to court over the GDPR","author":"Ryan","year":"2021"},{"key":"2024121909134456200_bib57","article-title":"Decision on whether the European Commission collects sufficient information to monitor Ireland\u2019s implementation of the EU\u2019s General Data Protection Regulation (GDPR) (Case 97\/2022\/PB)","author":"European Ombudsman","year":"2022"},{"key":"2024121909134456200_bib58","article-title":"Big changes coming for GDPR enforcement on Big Tech in Europe?","author":"Lomas","year":"2023","journal-title":"TechCrunch"},{"key":"2024121909134456200_bib59","volume-title":"Using Visual Data in Qualitative Research","author":"Marcus Bank","year":"2018"},{"key":"2024121909134456200_bib60","doi-asserted-by":"crossref","first-page":"320","DOI":"10.1057\/palgrave.ejis.3000589","article-title":"Doing interpretive research","volume":"15","author":"Walsham","year":"2006","journal-title":"Eur J Inf Syst"},{"key":"2024121909134456200_bib61","volume-title":"Applied Thematic Analysis","author":"Guest","year":"2011"},{"key":"2024121909134456200_bib62","doi-asserted-by":"crossref","first-page":"77","DOI":"10.1191\/1478088706qp063oa","article-title":"Using thematic analysis in psychology","volume":"3","author":"Braun","year":"2006","journal-title":"Qual Res Psychol"},{"key":"2024121909134456200_bib63","doi-asserted-by":"crossref","first-page":"85","DOI":"10.1177\/1525822X02239569","article-title":"Techniques to identify themes","volume":"15","author":"Ryan","year":"2003","journal-title":"Field Methods"},{"key":"2024121909134456200_bib64","first-page":"45","article-title":"The art of coding and thematic exploration in qualitative research","volume":"15","author":"Williams","year":"2019","journal-title":"Int Manage Rev"},{"key":"2024121909134456200_bib65","doi-asserted-by":"crossref","first-page":"328","DOI":"10.1080\/14780887.2020.1769238","article-title":"One size fits all? What counts as quality practice in (reflexive) thematic analysis?","volume":"18","author":"Braun","year":"2021","journal-title":"Qual Res Psychol"},{"key":"2024121909134456200_bib66","article-title":"GDPR: Is it worth it? Perceptions of workers who have experienced its implementation","author":"Buckley","year":"2024"},{"key":"2024121909134456200_bib67","article-title":"GDPRhub","author":"NOYB","year":"2023"},{"key":"2024121909134456200_bib68","article-title":"GDPR enforcement tracker\u2014list of GDPR fines","author":"CMS Germany","year":"2023"},{"key":"2024121909134456200_bib69","doi-asserted-by":"crossref","first-page":"799","DOI":"10.1017\/S0020589322000355","article-title":"Deficient by design? the transnational enforcement of the GDPR","volume":"71","author":"Gentile","year":"2022","journal-title":"Int Comp Law Quart"},{"key":"2024121909134456200_bib70","article-title":"ICO Annual Report 2021\u20132022","author":"The Information Commissioners Office","year":"2022"},{"key":"2024121909134456200_bib71","article-title":"Art. 1 GDPR\u2013Subject-matter and objectives","author":"EU","year":"2018"},{"key":"2024121909134456200_bib72","article-title":"Art. 57 GDPR\u2013Tasks","author":"EU","year":"2018"},{"key":"2024121909134456200_bib73","article-title":"5-years: GDPR\u2019s crisis point","volume-title":"Technical report","author":"Irish Council for Civil Liberties","year":"2023"},{"key":"2024121909134456200_bib74","article-title":"Data protection day: 41 years of \u201cCompliance on Paper\u201d?!","author":"nyob","year":"2022"},{"key":"2024121909134456200_bib75","article-title":"EDRI LETER TO EDPB","author":"European Digital Rights","year":"2022"},{"key":"2024121909134456200_bib76","doi-asserted-by":"crossref","first-page":"38","DOI":"10.1145\/501158.501163","article-title":"E-privacy in 2nd generation E-commerce: privacy preferences versus actual behavior","volume-title":"Proceedings of the 3rd ACM Conference on Electronic Commerce","author":"Spiekermann","year":"2001"},{"key":"2024121909134456200_bib77","doi-asserted-by":"crossref","first-page":"21","DOI":"10.1145\/988772.988777","article-title":"Privacy in electronic commerce and the economics of immediate gratification","volume-title":"Proceedings of the 5th ACM Conference on Electronic commerce","author":"Acquisti","year":"2004"},{"key":"2024121909134456200_bib78","doi-asserted-by":"crossref","first-page":"737","DOI":"10.1016\/B978-044451608-4\/50028-6","article-title":"History of privacy","volume-title":"The History of Information Security","author":"Holvast","year":"2007"},{"key":"2024121909134456200_bib79","doi-asserted-by":"crossref","first-page":"477","DOI":"10.2307\/40041279","article-title":"A taxonomy of privacy","volume":"154","author":"Solove","year":"2006","journal-title":"Univ Penn Law Rev"},{"key":"2024121909134456200_bib80","doi-asserted-by":"crossref","DOI":"10.1515\/9780804772891","volume-title":"Privacy in context: technology, policy, and the integrity of social life","author":"Nissenbaum","year":"2009"},{"key":"2024121909134456200_bib81","article-title":"Further specifying procedural rules relating to the enforcement of the General Data Protection Regulation\u2014Have your say","author":"European Commission","year":"2023"},{"key":"2024121909134456200_bib82","article-title":"Courts and Civil law (Miscellaneous Provisions) Bill 2022","author":"\u00c9ireann","year":"2023"},{"key":"2024121909134456200_bib83","article-title":"Courts and civil law (Miscellaneous Provisions) Bill 2022: From the Seanad\u2013D\u00e1il \u00c9ireann (33rd D\u00e1il)\u2014Wednesday, 28 Jun 2023\u2013Houses of the Oireachtas","author":"Oireachtas","year":"2023"},{"key":"2024121909134456200_bib84","article-title":"Irish government criticized over proposed law-change that would \u2018muzzle\u2019 Big Tech critics","author":"Sawers","year":"2023"},{"key":"2024121909134456200_bib85","article-title":"Ireland: Corrupt GDPR procedures now \u201dconfidential\u201d","author":"noyb","year":"2023"},{"key":"2024121909134456200_bib86","article-title":"Ireland: Draconian law to make data protection procedures confidential","author":"Amnesty International","year":"2023"},{"key":"2024121909134456200_bib87","article-title":"Legitimacy and accountability of independent regulatory agencies: a critical review","author":"Maggetti","year":"2010"},{"key":"2024121909134456200_bib88","article-title":"The right to lodge a data protection complaint: ok, but then what?: an empirical study of current practices under the GDPR","author":"Fuster","year":"2022"},{"key":"2024121909134456200_bib89","article-title":"Four years under the EU GDPR: how to fix its enforcement","author":"Masse","year":"2022"},{"key":"2024121909134456200_bib90","article-title":"European Commission plans to improve cooperation between supervisory authorities in cross-border GDPR cases","author":"Cooper","year":"2023"},{"key":"2024121909134456200_bib91","volume-title":"The Effective Executive: The Definitive Guide to Getting the Right Things Done","author":"Drucker","year":"1967"},{"key":"2024121909134456200_bib92","article-title":"Ryan to Reynders re UK adequacy","author":"Ryan","year":"2023"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/10\/1\/tyae017\/61182301\/tyae017.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/10\/1\/tyae017\/61182301\/tyae017.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,12,19]],"date-time":"2024-12-19T09:14:13Z","timestamp":1734599653000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyae017\/7754590"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024]]},"references-count":92,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2024,1,2]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyae017","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2024]]},"published":{"date-parts":[[2024]]},"article-number":"tyae017"}}