Further Reading: Enforcement, Compliance, and the Limits of Law

The sources below provide deeper engagement with the themes introduced in Chapter 25, covering enforcement mechanisms, regulatory capture, the compliance-ethics gap, and alternative governance approaches.


GDPR Enforcement

GDPR Enforcement Tracker (CMS). Available at https://www.enforcementtracker.com. The most comprehensive publicly accessible database of GDPR enforcement actions, searchable by country, company, violation type, and fine amount. Essential for any empirical analysis of GDPR enforcement patterns. Updated regularly.

Ryan, Johnny. "Enforcing the GDPR: Systematic Non-Enforcement of the GDPR by EU Data Protection Authorities." Irish Council for Civil Liberties, 2021. A provocative report arguing that GDPR enforcement has been systematically inadequate, with particular focus on the Irish DPC's handling of Big Tech cases. Ryan documents enforcement delays, resource shortfalls, and structural incentives that undermine effective enforcement. Essential reading for the "Ireland problem" discussed in this chapter.

European Data Protection Board. "Contribution of the EDPB to the Evaluation of the GDPR under Article 97." Brussels, 2020. The EDPB's own assessment of GDPR enforcement after two years, identifying challenges including DPA resource constraints, the one-stop-shop mechanism's bottlenecks, and the need for stronger cooperation mechanisms. A candid institutional self-assessment.

Custers, Bart, et al. "A Comparison of Data Protection Legislation and Policies Across the EU." Computer Law & Security Review 34, no. 2 (2018): 234–243. A comparative analysis of data protection enforcement across EU member states, examining variations in DPA resources, enforcement culture, and institutional design. Demonstrates that the GDPR's uniform text produces non-uniform enforcement — a finding with significant implications for the one-stop-shop mechanism.


FTC Enforcement and US Approaches

Hoofnagle, Chris Jay. Federal Trade Commission Privacy Law and Policy. Cambridge: Cambridge University Press, 2016. The definitive account of the FTC's evolution as a privacy enforcer. Hoofnagle traces the development of Section 5 enforcement from its consumer protection origins to its modern data privacy applications, examining the consent decree model's strengths and limitations. Essential for understanding the US enforcement approach.

Solove, Daniel J., and Woodrow Hartzog. "The FTC and the New Common Law of Privacy." Columbia Law Review 114, no. 3 (2014): 583–676. An influential article arguing that the FTC's consent decrees, taken collectively, have created a de facto common law of privacy — a set of norms and expectations that, while not formally binding precedent, effectively establish behavioral standards for the industry. The article provides a framework for understanding how enforcement creates norms even without legislation.

Chopra, Rohit, and Lina Khan. "The Case for 'Unfairness' in the FTC's Authority." University of Pennsylvania Law Review 170 (2022): 1–66. Written before both authors assumed leadership positions (Chopra as CFPB Director, Khan as FTC Chair), this article argues for a more aggressive interpretation of the FTC's "unfairness" authority under Section 5 — beyond deception to encompass practices that cause substantial harm, even when disclosed. Directly relevant to the chapter's discussion of the compliance-ethics gap.


Regulatory Capture and Institutional Design

Carpenter, Daniel, and David A. Moss (eds.). Preventing Regulatory Capture: Special Interest Influence and How to Limit It. Cambridge: Cambridge University Press, 2013. The most comprehensive academic treatment of regulatory capture, covering theoretical foundations, empirical evidence, and institutional design responses. The chapter on information capture is particularly relevant to data protection, where regulators depend on industry for technical expertise about the systems they regulate.

Stigler, George J. "The Theory of Economic Regulation." Bell Journal of Economics and Management Science 2, no. 1 (1971): 3–21. The foundational article on regulatory capture theory. Stigler argues that regulation is often "captured" by the very industry it is designed to regulate, because regulated firms have concentrated interests and resources to invest in influencing regulators, while the public's interest is diffuse. Though written about economic regulation, the framework applies directly to data protection.

Kwoka, Margaret B. "The Revolving Door and Agency Capture." In Preventing Regulatory Capture, edited by Daniel Carpenter and David A. Moss, 289–319. Cambridge: Cambridge University Press, 2013. A detailed analysis of the revolving door mechanism and its effects on regulatory independence. Kwoka examines empirical evidence on whether regulators who later join industry make different decisions during their tenure, and evaluates proposed solutions (cooling-off periods, restrictions on post-government employment).


Compliance, Ethics, and the Limits of Law

Parker, Christine, and Vibeke Lehmann Nielsen. "Deterrence and the Impact of Calculative Thinking on Business Compliance with Competition and Consumer Regulation." Antitrust Bulletin 56 (2011): 377–426. An empirical study of how businesses respond to regulatory enforcement — challenging the simplistic assumption that higher penalties produce more compliance. The authors find that enforcement effectiveness depends on how businesses perceive the risk of detection, the certainty of sanctions, and the legitimacy of the regulatory framework.

Brownsword, Roger. Law, Technology and Society: Re-Imagining the Regulatory Environment. London: Routledge, 2019. Brownsword examines the fundamental limits of law in governing technology, proposing a framework for understanding when law should regulate (setting standards), when technology should regulate (embedding compliance in design), and when neither is sufficient (requiring new governance approaches). Directly relevant to the chapter's discussion of law's structural limits.

Floridi, Luciano, et al. "An Ethical Framework for a Good AI Society: Opportunities, Risks, Principles, and Recommendations." Minds and Machines 28 (2018): 689–707. A multi-author framework for AI ethics that explicitly addresses the relationship between legal compliance and ethical responsibility. The authors argue that ethics should be understood as a "soft" governance mechanism that complements "hard" legal regulation — a framework applicable beyond AI to data governance generally.


Alternative Governance Mechanisms

Delacroix, Sylvie, and Neil D. Lawrence. "Bottom-Up Data Trusts: Disturbing the 'One Size Fits All' Approach to Data Governance." International Data Privacy Law 9, no. 4 (2019): 236–252. An influential proposal for "data trusts" — fiduciary structures that manage data on behalf of individuals, with trustees legally obligated to act in the interests of data subjects. Data trusts represent an alternative governance model that could address some of law's limitations by creating institutional advocates for data subjects.

Mayer-Schönberger, Viktor, and Thomas Ramge. Reinventing Capitalism in the Age of Big Data. New York: Basic Books, 2018. An exploration of how data governance could move beyond individual consent toward structural mechanisms that better reflect the collective nature of data's value and risks. The authors propose market-based governance mechanisms — data markets with appropriate rules — as a complement to regulatory approaches.

Metcalf, Jacob, and Kate Crawford. "Where Are Human Subjects in Big Data Research? The Emerging Ethics Divide." Big Data & Society 3, no. 1 (2016). An analysis of the gap between the ethical review framework for research (IRBs, ethics committees) and the absence of comparable review for commercial data practices. The authors argue for extending ethical review mechanisms beyond academia to the commercial data economy — a proposal directly relevant to the chapter's discussion of governance beyond law.

IEEE. "Ethically Aligned Design: A Vision for Prioritizing Human Well-Being with Autonomous and Intelligent Systems." 1st ed. IEEE, 2019. The IEEE's comprehensive framework for ethical technology design, including data governance principles. Relevant as an example of professional standards and technical design principles that can complement legal regulation — addressing the space between compliance and ethics that the chapter identifies as critical.


These readings extend the chapter's analysis from enforcement mechanisms to the deeper questions they raise: Why does enforcement so often fall short? What governance mechanisms can fill the gaps that law leaves? And how do we build institutions capable of governing data practices that evolve faster than the rules designed to control them? As Part 5 turns to corporate responsibility, these questions shift from the theoretical to the practical.