The relationship between regulators and the regulated is founded on cooperation, not fines
I may have mentioned it once or twice before, but I used to work in a data protection regulator, so - as you can imagine - I have some fairly strong views about the importance and role of regulation in protecting and vindicating the data protection and privacy rights of individuals. The commentary around privacy regulation can often be very black and white, with a fixation on fines or antagonistic relationships between regulators and businesses.
The focus on fines is understandable, but as you can imagine, the reality is a bit more complicated, and regulation in this area is most effective when it also involves cooperation and proactive steps by industry. When done right, privacy should ultimately benefit all parties involved, regulators and industry as well as individuals.
The Regulator and the Regulated
Fines are, for the most part, a fairly new phenomenon. Most European privacy regulators had less in the way of tangible, robust enforcement powers before the advent of the General Data Protection Regulation (GDPR). My old workplace, the Irish Data Protection Commission, as with a number of other data protection authorities (DPAs), did not actually have the power to impose fines for breaches of the old Data Protection Directive, but were granted new powers under the GDPR.
Whilst losing money can be a powerful motivator for change, in my experience, administrative fines are often focused on a bit too much in public discourse, and we sometimes miss that (a) they’re not always the most effective or appropriate way to enhance comp ..