Credibility in enhanced self‐regulation: The case of the European data protection regime
Abstract
This article builds upon the literature on regulatory intermediation to answer how and why European rule‐makers rely on data protection officers (DPOs) to shape the self‐regulation of private and public organizations regarding the processing of personal information. Based on the theory‐testing process‐tracing methodology, the article finds that while the old data protection regime (1995–2016) allowed national rule‐makers to pursue their preferred policy paths regarding the regulation of DPOs, this is not the case for the new data protection regime (from 2016). The article argues that a combination of two causal mechanisms—supranational and functional—has led European rule‐takers to institutionalize the designation of DPOs within broad categories of regulated organizations to motivate credibility toward data protection. The article concludes that while this policy decision enhances the self‐regulation capabilities of rule‐takers with the professional accountability and expertise of DPOs, European politics have made the reliance on DPOs more susceptible to the short‐term interests of rule‐takers.