Enforcing European Privacy Regulations from Below: Transnational Fire Alarms and the General Data Protection Regulation*

Abstract

AbstractThe European Union is a global leader in data protection. Nevertheless, its efforts to shape market practice have been criticized as bureaucratic and lacking citizen participation. The adoption of the General Data Protection Regulation (GDPR) has again stoked a heated implementation debate, focusing either on the law's complexity or its new enforcement sanctions. This article draws attention to a less explored provision, Article 80, which allows third parties including non‐governmental organizations to bring complaints for investigation. Empirically, the article demonstrates how NGOs are playing a bottom up role in transforming policy implementation. Theoretically, the article suggests that the legislation offers a novel governance tool – transnational fire alarms – in which third parties enhance accountability in the enforcement phase of the multilevel governance process. The article has implications for the evolution of privacy and data security within Europe as well as the interaction between transnational civil society and pan‐regional democracy.