Author: Karen Yeung, Lee A. Bygrave

Year: 04 May 2021

Publisher: Wiley

Abstract
This article critically examines fundamental aspects of the recently reformed European regime for protection of personal data, focusing on the General Data Protection Regulation (GDPR) adopted by the European Union (EU) in 2016. Although the GDPR is now a central concern for many organizations across multiple sectors, many complain that it is arcane, confusing, and complex. By combining knowledge from two disciplinary perspectives – from regulatory governance scholarship, on the one hand, with legal scholarship from the fields of data protection law, constitutional law, and fundamental rights, on the other hand – this article seeks to “demystify” the key elements of the regime's architecture and approach in light of the significant uncertainties concerning the nature of its requirements. In particular, this article examines the tension between the regime's pronounced “risk-based” approach to compliance and its basic objective of safeguarding fundamental rights, and the challenges facing data protection authorities in providing timely clarifications of the regime's norms.