The Regulatory Changes in Data Protection and Foreign Direct Investment: A Comparative Analysis Across 8 European Countries
Leiden University
M.Sc. Public Administration (Economics and Governance) Wu Hao (s2156709)
Supervisor: Professor Dr. S.N. Giest Master Thesis, 9 August 2019
The Regulatory Changes in Data Protection and Foreign Direct Investment TABLE OF CONTENTS
Introduction and Research Question ... 4
Background of the study ... 4
Research question ... 6
Relevance of the study ... 7
Thesis structure ... 7
Literature Review and Theoretical Framework ... 8
An overview of regulatory changes in data technology ... 8
Analyzing regulatory change ... 9
Define foreign investments ... 13
Theoretical framework... 16
Research Methodology ... 17
Research design ... 17
Operationalization of the key variables ... 20
Dependent variable ... 20
Independent variables ... 21
Data collection ... 25
Data analysis ... 30
Reliability and validity of the research ... 31
Empirical Analysis ... 32
Inward FDI trend of the EU member states ... 35
Standards ... 42
Enforcement ... 47
Accountability ... 50
Accountability relationship ... 51
The types of accountability ... 53
Assessing accountability deficit ... 54
Summary of this chapter ... 57
Discussion and Conclusion ... 61
Answer to research question ... 61
Limitations of the research... 63
Conclusion and recommendations... 64
References... 66
Introduction and Research Question
Background of the study
The process of economic, social and political international integration, as known as Globalization, has brought dramatic changes in shaping public policies regarding employment, migration, income inequality and welfare states (Swank & Steinmo, 2002; Genschel, Kemmerling, & Seils, 2011; Walter, 2010; Hays, Ehrlich, & Peinhardt, 2005). Under the background of economic globalization, the increasing international capital mobility leads to cuts in the tax rate on capital, labour, and consumption (Swank & Steinmo, 2002). The dilemma is that downward pressure on tax revenues constraints the government's ability to raise more social security programs for those individuals who hit harder by globalization (Colantone & Stanig, 2018). As the development of globalization, Foreign Direct Investment (FDI) plays a significant role in contributing to economic growth. FDI enables host countries to ease the social pressures through providing more job opportunities, introducing advanced technologies and contributing to tax revenues (Saouli, 2017; Li, Li, & Shapiro, 2012; Renata Pindžo & Ana Vjetrov, 2013). Getting more funds to maintain the welfare state becomes critical. Since European single market have been generating, the members of the European Union show even more intensive competitions to attract foreign investments (Genschel et al., 2011). Yet, some other factors, such as Patent Rights Protection (PRP), environmental effects, technology development, and regulatory regime, to some extent jointly determine the choices of foreign investors (Bailey, 2017; Crenshaw & Robison, 2006;
Lodge & Stirton, 2010; Ushijima, 2013). However, most recent researches found empirical evidence that FDI has shown a contingent effect among developed and developing countries, where foreign capital inflows do not act on economic development (Alguacil, Cuadros, & Orts, 2011; Bekhet & Al-Smadi, 2015). Host countries aiming to stimulate domestic economic growth need to take consideration upon economic policy and institutional conditions so that maximizing the spillover effect of foreign capital inflows (Alguacil, Cuadros, & Orts, 2011).
With rapid technology development, increasing enterprises relying on data analysis services dominate the market, meantime posing a great threat to information security (Henke, Bughin, Chui, & Manyika, 2016). Citizens enjoying the convenience brought to life by Internet telecommunication technology, at the same time inadvertently expose their personal data in danger. From early incident that Snowden exposed PRISM surveillance program, to Facebook users' information disclosure. Today's society increasingly realizes the guiding role of public supervision in the development of scientific and technological innovation (Černáková, 2014; Pascucci & De Magistris, 2011; Saad, Datta, & Papadakis, 2011). On the 26th of May, 2018 GDPR (General Data Protection Regulation) came into effect, which forces businesses mandatorily take adequate actions to deal with the security of personal data. With the extraterritorial effect of GDPR, most international companies have to postpone the investment to the European countries due to lack of proper guidance and insufficient measures (Kuchler, 2018; Kottasová, 2018). However, evaluating whether regulation works on targets is crucial. Under economic integration circumstance and the rise of
the regulatory state, the rapid development of technology leads to doubts as to what extent data related technology needs to be regulated? What side effects may it have with the strict regulatory regime for data protection? And how do regulatory changes have an influence on foreign capital inflows?
Keep these puzzles in mind and combining the relevant interests above, this research attempts to describe some regulatory changes in data protection and its possible influences on foreign investment. Taking globalization into consideration, studying this topic not only helps a deeper learning of data protection regulation, but also enables researcher to further assess both compensation and efficiency hypotheses about international integration. Moreover, as the public policymaking on data regulation has become a focal topic in world economic forums, this research hopes to provide more insights and recommendations for future studies.
Research question
Based on the background and research puzzles presented above, the research from distinctive angle uncovers that to what extent the regulatory changes and its influences on attracting foreign investment, taking Europe as primary study sources, thus the research question is:
To what extent does regulatory change in data protection affect foreign investment inflows to Europe?
By conducting this research and answering the question raised above, the study also aims at identifying the data protection regulation factors that are likely associated with
inward FDI. Also, to understand the role of foreign investment in framing international regulations. Lastly, to draw insights for future studies regarding welfare state paradox in the process of international integration.
Relevance of the study
The research falls into both academic and empirical relevance.
From an academic perspective, the study provides knowledge about the changes in the regulation regarding data protection, as well as adds new factors that are data technology regulatory in studying political economies. Thus, conducting this research offers more thoughtful ideas and distinctive angles for analyzing globalization and public policy. Besides, enabling future studies in evaluating relevant topics consider more factors for model testing. Empirically, conducting this research also contributes to the current policy evaluation and information gathering for regulating data technology.
Thesis structure
This thesis is organized into five chapters. Chapter one introduces the background, goals, and contributions added to contemporary studies, as well as the structure of the research. In chapter two, the researcher intends to give a brief overview of the data technology development history, providing fresh readers with some background in mind. In this chapter, previous literature regarding the research topics is primarily discussed. On one hand, reviewing the regulatory regime for social problems and
conceptualizing variables. On the other hand, generating a theoretical framework based on reviewed literature. Chapter three explains the methodology of the research. The researcher explicitly elaborates the operationalization on key concepts, research design, and data collection sources and methods. Chapter four provides an empirical analysis. Lastly, in chapter five, the researcher summaries all work and makes conclusions.
Literature Review and Theoretical Framework
An overview of regulatory changes in data technology
The report "Realizing the Information Future: The Internet and Beyond" elaborates the prospect of open data network and its opportunities, but raises concerns upon regulating this technology regarding equitable access, the flow of information, privacy, intelligent property and border consideration of ethics (National Academy of Sciences - National Research Council, 1994). In 1995, the European Data Protection Directive (DPD, Directive 95/46/EC) was adopted. The Directive aims to protect privacy within the European Union and prevent any violation during processing personal data. Yet, the definition of processing and managing personal data is too conceptualized so that leads to ambiguous assessment to the conduct of the violation, additionally the accountability of Data Protection Authority DPA is inconsistent (Robinson, Graux, Botterman, & Valeri, 2009). Since PRISM, the whole world is questioning the scarcity of effective regulation on data protection. To against the personal data risk, General Data Protection Regulation (GDPR) was adopted in 2016, is regarded as the replacement for the prior Directive 95/46/EC. On the 24th of May
2018, GDPR enters into force and applies in all EU member states (EU GDPR org, n.d.). So far, GDPR is considered as the most strict and comprehensive rules of regulating data protection worldwide (Smith, 2016).
Nonetheless, data technology promotes transformation and upgrading of thousands of industries. Big data, Cloud computing, Internet of Things, Artificial Intelligence and more other technologies are undermining the traditional way of manufacturing, transportation, catering, clothing and many more others (Ranger, 2018; Yao, 2018). Under the intensive competition in the globalization, data technology seems to be the factor endowment that contributes to a country's economic growth. Facing fast changes in technology, the major reform of regulation in data technology gives more attentions on individual rights and the process of personal data (EU GDPR org, n.d.). Hence data protection change could have an effect on the foreign investment inflows, especially under its enforcement of GDPR (ECIPE, 2018; Iamteam, 2018; McHugh, 2017).
Analyzing regulatory change
The reasons that society needs regulation are based on two argumentations. One is that rules correct market failures including information asymmetries, externalities, natural monopolies, and public goods (Veljanovski, 2010). Data as an emerging resource is commercializing, but information asymmetry existing between data collectors and data subjects in the market imposes negative externalities to social efficiency (Hull, 2015; Kugler, 2016). The other one is to strengthen social solidarity,
as defined by Lodge (2012), building a community that people wish to live. However, the interests of people are various and sometimes even conflict, so a regulation state hardly satisfies everybody in the community. For example, GDPR protects the personal information by prescribing standards for public and private sectors of using personal data. But the extraterritorial effect of GDPR increases burdens on compliance costs, several data related technological companies pause partial services provided for EU users (Iamteam, 2018). At the national level, the inward FDI of Ireland could benefit from GDPR, since after Brexit, Ireland becomes the only country who use English as the official language that attracts more opportunities when multinationals dealing with negotiation to Data Protection Communication (McHugh, 2017). Therefore, it is insufficient to observe the effect of regulatory changes for only one country.
The regulatory regime is significant for analyzing regulatory change. An abstract definition according to Lodge et al (2012), the regulatory regime includes standard setting, information gathering, and behavior modification. Specifically, standard-setting refers to how regulations shape individual behaviors and channel the way for their obedience. And the process that regulators gather feedback in order to make proper modification is known as information gathering. Behavior modification is the way that regulations are enforced and compliance with (Lodge, 2012).
Standards defined by Braithwaite et al., (2010) as instruments that encourage targets to chase a value or achieve a goal without requiring specific actions (Braithwaite & Braithwaite, 1995). Since the rise of the regulatory state, the role of regulation tends to "steering" rather than controlling (Levi-Faur, 2005). Yet, the broad standards mean
the ambiguous definition, regulation could have failed of preventing undesired actions (Scott, 2010). Freeman et al., (2000) suggest the negotiation brings transparency during standard-setting consequently wins more legitimacy. Because such a process is superior in "generating information, facilitating learning, and building trust" (Freeman & Langbein, 2000). Lodge et al., (2012) believe that the type of regulatory standards is also fundamental during standard-setting. The technology-based standard focuses on prescriptions of technology but requires a good understanding of the industry to intervene properly; the performance-based standard emphasizes on outputs or outcomes but imposes different compliance costs on targets; the management-based standard provides more flexibility that only controls critical points in the managerial system, but the motivation of truthful and faithful compliance is difficult to perceive (Lodge, 2012).
Behavior-modification in regulatory analysis refers to how standards are complied with, in which enforcement plays a significant role in making this happen (Lodge, 2012). Hofmann et al., (2011) define enforcement as the necessity to ensure the realization of the existence of rights and obligations prescribed in regulatory standards (Hofmann, Rowe, & TÜrk, 2011). Noncompliance is likely caused by poor enforcement, such as rule-breakers lack of professional advice, or regulatory agencies set inadequate penalties for breaking rules (Seitz & Ragsdale, 2019). Lodge et al., (2012) elaborate two enforcement styles, namely deterrence approach and persuasion approach (Lodge, 2012). By calculating the costs of compliance and benefits if non-compliance, 'amoral calculators' selectively comply with regulatory standards (Scholz, 1984). Thus, for those regulated targets, the compliance relies on the level of punishment and the
probability of actual sanctions that will be imposed (Ritchey & Nicholson-Crotty, 2011; Shavell, 1993; Stigler, 1970). On the other side, the persuasion approach primarily applies mediation and negotiation with targets for achieving compliance, punishment is the last resort of enforcement (Hawkins, 1984; Lodge, 2012). Both approaches are interdependent. Once compliance calculators perceive a high fine or sanction is negligible for future development, the deterrence approach probably is not effective (Lodge, 2012). Besides, deterrence yields potential abuse of power, for example, firms may be punished to leave them out of the business competition (Bardach, 1982; Lodge, 2012). Likewise, persuasion is not a silver bullet. This approach is based on advice and warnings, and no actual punishment imposed (Lodge, 2012). In serious cases, the persuasion approach is challenged and difficult to inspire compliance (Bardach, 1982; Pires, 2011). Hence, better regulation should contain both deterrence and persuasion approaches (Lodge, 2012).
Information-gathering or 'detection' is an indispensable regulatory component. Lozner (2004) defines information gathering as the key to identifying problems and a necessary mean for formulating responses to the public (Lozner, 2004). The regulators need to collect feedback to improve regulatory standards and enforcement (Lodge, 2012). Due to the discrete locations of regulatory agencies and fragmented responsibilities, the enforcement unit does not have to be the same unit of gathering information (Baldwin, Cave, & Lodge, 2010). The form that enforcement implemented by a local level but information gathered by another professional agency may benefit to some extent, but bring complexity for accountability (Singer, 2009; Todd S. Aagaard,
2011).
Accountability in contemporary study is defined as the responsibility of obligation parties accounting for their behavior (Lodge & Stirton, 2010). Bovens (2007) defines accountability as a relationship between an accountor who initiates accountability and an accountee who justifies his or her conducts (Bovens, 2007). Black (2013) further explains that judgment passed by an accountor should impose consequences on an accountee based on corresponding criteria (Black, 2013). However, in the case of involving multiple actors in accountability, a few challenges it may encounter during the process. Here listed three of them. Firstly, the discrete and hybrid type of regulatory agencies follow different criteria for judgment. Various norms or standards may internally dispute so that is hard to reach a consistent decision, in other words, one social problem is overseen by "too many eyes"; secondly, accountability yields an opportunity cost of the resources that could have been used for delivering other public services (Black, 2013; Bovens, 2007; Lodge & Stirton, 2010). Thirdly, the eligibility and capacity of an accountor of initiating accountability determine the legitimacy of consequence (Bovens, 2007).
Define foreign investments
To study the foreign investment, it is critically to explore how the concept is defined and suited in studying data regulatory changes. Over the years, many forms of foreign investment have been created alongside economic and technology development but resemble somehow. According to Collins Dictionary of Business 3rd edition (2004),
foreign investment means the "purchase of overseas physical and financial assets". From an international financial perspective, this term was defined as acquisitions of assets in a foreign country in either direct investment or portfolio investment (Moles & Terry, 1997). An amiable explanation of foreign investment is that the capital flows from one country to another and grants domestic companies the extensive ownership (Chen, 2018). In principle, the definition could involve various forms of investment, such as shares, properties, ownership and all kinds of using foreign funds. But the generic definition is too broad and not suitable to address nuances of foreign investment.
Moles and Terry (1997) describe foreign investment as foreign firms either establish or merge a local firm, and portfolio investment that foreign firms purchase common stocks or bonds in a host country (Moles & Terry, 1997). Sheng (2011) measures foreign investment in two ways, one is the amount that capital inflow minus outflow and the other is the stock of foreign investment in local currency (Sheng, 2011). The benefit of that measurement is that foreign investments are simply conceptualized as capital flows. Mridusmita (2018) summaries four concepts of foreign investments, namely Foreign Direct Investment (FDI), Foreign Institutional Investment (FII), Qualified Foreign Investment (QFI) and Foreign Portfolio Investment (FPI) (Mridusmita, 2018). FDI means behaviors of a foreign company or individual in establishing new business and acquiring business assets in another country. The term can be further elaborated into inward FDI that is when foreign companies or individuals invest in the host country, and outward FDI that when the host country make an investment in foreign countries. FII refers to the shares or bonds offered by the host
country that can be purchased by foreign investors. QFI prescribe the eligibility of investors, who must be qualified individuals or associations that meet certain standards. And FII and QFI collectively constitute FPI. But the distinction between FDI and FPI is that the ultimate goal of FDI attempts to obtain strategic control on the investment, while FPI essentially attempts to improve returns and lower risks for investors (Moles & Terry, 1997). In case of regulatory changes in data protection, capital investors are expected to reduce investment, while entity investors may react unpredictably. Hence, for which type of foreign investment chosen for this research would have different effects.
Drawing from the discussion above, it should be reasonable to say that the term foreign investment can be recognized as a concept consisting of two forms of investment, which are FDI and FPI. But to study the regulatory change in data protection, FDI is preferred than FPI. Because, data protection regulation aims at monitoring the behavior of processing personal data (EU GDPR org, n.d.). FPI investments may be affected with ulterior motives like high marginal return rather than purely interested in data-related technology. But FDI allows the researcher to study the investment intentions truly and directly on the data technology. Therefore, FDI closely related to the research objective, and authentically reflect the effect on capital movements through the regulatory changes in data protection. Moreover, the benefit brought by FDI can be easily perceived in the fields of job opportunities, taxes fluctuation, but most importantly the technology and knowledge to the local firms and workers (Farole, Winkler, & Oliver, 2013). Hence, the connection between FDI and
social welfare states can be established and contribute to the research goal.
Theoretical framework
Theoretical approaches for regulatory analysis are inspired by plenty of sources. Especially from the perspective of underlying problems, regulatory options, alternatives, possible side effects, trade-offs and unintended consequences (Hood, 1986; Lodge, 2012). For these reasons, this research applies the textbook Regulatory Analysis,
Politics and Policy Managing Regulation developed by Lodge and Wegrich. Martin
Lodge is a professor from the London School of Economics and Political Science, Kai Wegrich is a professor of Hertie School of Governance in Berlin. Both authors have a high reputation in the field of regulation and political science in the European Union. The theories in their book provide a fundamental overview for studying regulation and governance. They outline two significant components in the regulatory regime, which are regulatory standards and behavior modification. In most cases, behavior modification is equivalent to enforcement seen as the implementation of a regulation. Moreover, the rise of regulatory agencies highlights the complexity of accountability (Bovens, 2007; Singer, 2009; Lodge & Stirton, 2010). Therefore, to study the accountability relationship in data protection regulation also provides a complemental explanation for the research. A conceptual framework developed by Bovens (2007) suggests analyzing the role of the accountee and accountor. Specifically, the process of the accountee to explains his conduct, and accountor based on certain standards to make a judgment and impose a consequence on the accountee. In
conclusion, this research attempts to describe the relationship between regulatory changes in data protection and foreign investment from three aspects, namely regulatory regime, enforcement, and accountability.
Figure 1 Theoretical framework
Research Methodology
Based on the literature review in the previous chapter, this section elaborates on the methodology and specific measurements for conducting this research.
Research design
To study the factors that associate with foreign investment, most of the studies adopted quantitative approach (Genschel, Kemmerling, & Seils, 2011; Li, Li, & Shapiro, 2012; Walter, 2010). Yet with respect to regulatory analysis, case study approach is prevalent (Black, 2013; Buch-Hansen, 2012; Lozner, 2004; Seitz & Ragsdale, 2019; Singer, 2009; Wagner & Fain, 2018). Due to regulatory changes in data protection, particularly GDPR just came into effect in 2018, only a few series of data are available for conducting quantitative research. Thus, this study attempts to apply
small-N comparative research. This approach not only enables the researcher to observe statistical data but also allows within-case analysis (Toshkov, 2016). Another important argument of choosing small-N comparative approach is that the study intends to inductively generate hypotheses rather than deductively test a theory. In addition, rather than proving a causal mechanism, this research focuses on retrospectively accounting for the regulatory changes in data protection for the past three years, and its potential influences on foreign investment outcomes.
Qualitative Comparative Approach (QCA) in fact is the most popular and only one approach for small and medium cases comparative research (Toshkov, 2016). QCA is a research method between case-oriented (qualitative method) and variable-oriented (quantitative method), which is a comprehensive research strategy that can combine the advantages of both methods (Ragin, 1989). The basic idea is that using a set of theories and Boolean algebra as the foundation, and exploring how the combination of several conditions cause observable changes or discontinuities in the results (Fiss, Cambré, Marx, & Lounsbury, 2013; Ragin, 1989; Toshkov, 2016). The basic rule of Boolean algebra is working with a binary variable, which "1" represents the occurrence of that variable otherwise "0" if it does not appear. What QCA aiming to find is that the explanation for the occurrence of outcome variables. Based on Boolean minimization, the configuration of various complex conditions is continuously simplified so that redundant variables and contradictions can be gradually eliminated in the process (Toshkov, 2016). Then establishing a set of Truth Table to investigate how many combinations of conditional variable exist (Mao, 2016; Toshkov, 2016). There is a QCA
example in the research of Mao (2016), the relevant condition variables that cause the occurrence of phenomenon D, are A, B, and C. The total number of combination in case of occurrence and non-occurrence with all variable equals to 2 cubic, which is 8 possible sets (Table 1). The truth table expresses the proportion of the total number of cases covered by the 8 sets based on the configuration in Table 1. For example, suppose 10 cases observed, in which A=0, B=1, and C=1 appear simultaneously in 7 cases and this combination appears the most frequently. The result can be concluded that when condition A does not occur and both conditions B and C occur, the probability of occurrence of D=1 is the highest. Several symbols are used to represent the relationship, in which " +" stands for "or", "*" means "and", "à" and "=" represents the inferred result. For instance, A*B=Y implies that when variable A and B occur simultaneously, the result Y can be derived.
Table 1 Matrix table for a combination of A, B and C conditional variables
A B C
Yes (1) Yes (1) Yes (1)
No (0) Yes (1) Yes (1) Yes (1) No (0) Yes (1) No (0) No (0) Yes (1) Yes (1) Yes (1) No (0) No (0) Yes (1) No (0) Yes (1) No (0) No (0) No (0) No (0) No (0)
Cases selected for QCA need to have the characteristics of the complexity of causes (Mao, 2016). As Ragin (1989) pointed out the reason why social phenomena are complicated and difficult to explain is not because of too many variables that affect the occurrence of social phenomena, but because different causally relevant conditions are combined together to produce a specific result (Ragin, 1989). In other words, the focal point of QCA emphasizes on the configuration of several variables that affect the outcome, rather than individual variable leading to a consequence. In the end, counterfactual can be achieved, through maximizing the variation of the explanatory variable of interest, meantime ignores the impact of confounding factors on the outcome variable (Toshkov, 2016).
Operationalization of the key variables
Dependent variable
The dependent variable of this research is the foreign investments inflow to the EU member states. According to the OECD benchmark 4th edition, foreign direct investment means investor residing in one economy is interested in investing enterprises or other types of cross-border investment in another economy. And as foreign investment, the investment direction determined by the parent of an enterprise (OECD, 2008). Outward FDI refers to investing strategies applied by a host economy, such as purchase goods in a foreign economy; in the opposite, inward FDI concerns an investment that comes from an external or foreign entity to a local economy (The World
Bank, n.d.). Since this research tries to study how GDPR affect the capital inflows to Europe, inward FDI measures more precisely. There are two forms of inward FDI, one is the total investment as the number of inflows in the unit of US dollars; the other is the total amount of FDI inflows as a percent of GDP. In this research, the latter form the amount of foreign direct investment in total percent of GDP to each EU member countries is preferred, since large or small size countries certainly have a different level of foreign investments (Genschel, Kemmerling, & Seils, 2011). To avoid biased conclusion, the ratio of FDI as a percent of GDP is fairer for comparative analysis.
Independent variables
In this research, the independent variables are regulatory regime, enforcement, and accountability. Based on the theories of Lodge et al., (2012) good standards should be stable guidance of conduct, reasonable to encourage compliance, and valid to impose sanctions when breaking a law, other than those, standards shall neither conflict with each other (Hood, 1986; Lodge, 2012). Better Regulation Task Force, an independent authority of any government department in the UK, provides five principles of evaluating regulatory standards generally in any domain. They are proportionate, accountable, consistent, transparent and targeted. The table below presents a specific definition for each principle.
Table 2 Five principles of regulatory standards
Proportionality
Regulators should only intervene when necessary. Remedies should be appropriate to the risk posed and costs identified and minimized.
Accountability
Regulators should be able to justify decisions and be subject to public scrutiny.
Consistency
Government rules and standards must be joined up and implemented fairly.
Transparency
Regulators should be open and keep regulations simple and user-friendly.
Targeting
Regulation should be focused on a problem and minimize side effects.
Source: Better Regulation Task Force 2005: 26-7
In this research, proportionality identifies whether the regulatory changes in data protection are suitable to solve a perceived problem or risk with a more effective and cheaper way to apply. Accountability is compatible with Bovens' conceptual framework. Consistency can be simply understood as government rules or standards that do not contradict each other (Lodge, 2012). Transparency affects the effectiveness of standards. In this case, transparency refers to whether the regulatory changes are easy to understand, and if have enough time and preparation for those regulatee being guided. Lastly, targeting is used to identify whether the side effects can be controlled and kept to a minimum. The research intends to describe whether the principles of the regulatory standard are followed by a regulator.
Enforcement can be classified as either deterrence or persuasion strategies. To be specific, the deterrence approach prefers punishment on wrongdoing (Lodge, 2012). With respect to data protection regulations deterrence approach to be seen as penalties on the conduct of violators. Directive 95/46/EC has no general condition for imposing administrative fines, but GDPR states provisions of administrative fines in case of infringement of regulation. A sanction is another penalty in reply to whoever broke rules. In this research, the deterrence type of enforcement is measured as fines and sanctions. The other approach, persuasion type of enforcement, intents to motivate regulated targets to comply with regulations and improve their awareness for regulatory performance, of which warnings or advice are commonly the indicators (Lodge, 2012). Due to both approaches have some criticisms, this research intends to measure enforcement effectiveness by analyzing whether a mixed strategy that combines both approaches is applied by the regulator.
Accountability, as another criterion of assessing regulatory change, is primarily informed about responsibility taken by regulators and enforcers. Bovens (2007) suggest three aspects of studying accountability. The first is whether an accountability relationship is established; the second is what types of accountability are identified; the third is for what reason accountability deficits may be produced (Bovens, 2007). According to his theory, a relationship that qualifies as a case of accountability when "there is a relationship between an actor and a form in which the actor is obliged to explain and justify his conduct, and the forum can pose questions and pass judgment to have consequences on the actor" (Bovens, 2007). The types of accountability
relationship can be identified from political, administrative, legal, professional and social aspects. Regarding political accountability, an authority is accountable to a cabinet of a minister, who must account to the representatives in parliament, and eventually all account to voters (Bovens, 2007). Hence, to determine the political type of accountability, the fundamental is to know the chain of responsibility. Courts as a formal forum are the most trustworthy type of accountability, which is scrutinized by elaborated legal standards (Bovens, 2007). Auditors, inspectors render administrative accountability to public organization for external administrative and financial supervision and control. In addition, to decide whether data processor or controller violates GDPR, professional expertise must to provides diagnosis, this type of accountability is rendered by professional bodies. Finally, social accountability refers to interest groups or stakeholders, particularly, non-government agencies that are responsible to the public in governing private sectors. Therefore, this type of accountability could take place for every stakeholder involved in personal data protection. To evaluate whether an accountability arrangement is adequate to public agencies, Bovens (2007) suggest three perspectives of assessing accountability deficit. The first is democratic control that implies citizens as a significant role in judging the conduct of public organizations. Besides, to evaluate whether corruption is prevented and no abuse of power during the accountability process. Lastly is organizational learning, in specific, improving the learning capacity and effectiveness of public organizations.
Data collection
The goal of the research is to study the major changes in data protection regulation and the effects on economic attractiveness. Therefore, the changes in data protection regulation, specifically the study with respect to GDPR's predecessor contributes to the study of regulatory evolvement. The content of GDPR and relative regulatory information are available and collected from the EUGDPR portal. For a comparative analysis, the other regulation used to compare with GDPR is the Data Protection Directive (DPD), which officially called Directive 95/46/EC. The information about DPD is obtained from the European Commission Websites, particularly referenced from online EU law library Document 31995L0046. Standards of both regulations on data protection are obtained respectively from the sources above.
Moreover, the European Commission requires all EU member states to set up independent public authorities to guild compliance for each member state. The Data Protection Authority (DPA) can use its administrative enforcement power to ensure compliance of the regulation. Therefore, the information regarding how data protection regulation has been enforced can be captured via each national DPA website. The DPA websites of all EU member states are listed in table 3.
To evaluate the accountability relationship established for the accountee and accountor, the researcher attempts to assess the three aspects of accountability suggest by Bovens (2007), through real cases attached on DPA websites.
Finally, the statistics of FDI inflows of each EU member states is collected from the World Bank Group database labeled as Foreign Direct Investment net inflows in the
period between 2015 and 2018. The unit of inward FDI is indicated as a share of GDP of each country in the unit of US dollars.
Table 3 List of DPA in the European Union
NO. Country The name of DPA Websites
1 Austria Österreichische Datenschutzbehörde www.dsb.gv.at/dokumente
2 Belgium Commission de la protection de la vie privée www.privacycommission.be/
3 Bulgaria Autorité de la protection des données (APD-GBA) www.autoriteprotectiondonnees.be/
4 Croatia Croatian Personal Data Protection Agency www.azop.hr/
5 Cyprus Commissioner for Personal Data Protection www.dataprotection.gov.cy/
6 Czech Republic Office for Personal Data Protection www.uoou.cz/
7 Denmark Datatilsynet www.datatilsynet.dk/
8 Estonia Andmekaitse Inspektsioon www.aki.ee/en
9 Finland Office of the Data Protection Ombudsman www.tietosuoja.fi/en/
10 France Commission Nationale de l’Informatique et des Libertés – CNIL www.data.gouv.fr/ 11 Germany Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit www.bfdi.bund.de/
12 Greece Hellenic Data Protection Authority www.dpa.gr/ 13 Hungary National Authority for Data Protection and Freedom of Information www.naih.hu/
14 Ireland Data Protection Commissioner www.dataprotection.ie/
15 Italy Garante per la protezione dei dati personali www.garanteprivacy.it/
16 Latvia Data State Inspectorate www.dvi.gov.lv/
17 Lithuania State Data Protection www.ada.lt/
18 Luxembourg Commission Nationale pour la Protection des Données www.cnpd.public.lu/ 19 Malta Office of the Information and Data Protection Commissioner www.idpc.org.mt/
20 Netherlands Autoriteit Persoonsgegevens www.autoriteitpersoonsgegevens.nl/en
21 Poland Urząd Ochrony Danych Osobowych (Personal Data Protection Office) www.giodo.gov.pl/
22 Portugal Comissão Nacional de Protecção de Dados – CNPD www.cnpd.pt/
23 Romania The National Supervisory Authority for Personal Data Processing www.dataprotection.ro/ 24 Slovakia Office for Personal Data Protection of the Slovak Republic www.dataprotection.gov.sk/
25 Slovenia Information Commissioner www.ip-rs.si/
26 Spain Agencia de Protección de Datos www.aepd.es/
27 Sweden Datainspektionen www.datainspektionen.se/
Data analysis
To study the relationship between dependent and independent variables, necessary and sufficient conditions must be discussed. Necessary condition understood as, in the absence of the condition, the outcome never occurs; sufficient condition indicates the outcome definitely occur when the condition presented (Toshkov, 2016). For a qualitative comparative analysis like this one, the determinism of necessary and sufficient condition is allowed to be relaxed (Toshkov, 2016). As QCA focuses on the combination of variables leading to an outcome, thus the combination can be the approximate necessary and sufficient conditions when multiple causal factors produce an outcome (Mao, 2016; Toshkov, 2016).
In this research, the researcher firstly categorizes the EU member states based on each welfare state level. As different countries have own needs in building welfare states (Arts & Gelissen, 2002). Thus, the needs of different EU countries for foreign investments inflows should not be mixed and analyze. Next, under the theoretical framework, the regulatory changes for data protection with respect to regulatory standards, enforcement, and accountability will be examined. Thirdly, based on all factors identified in the previous step, a summary matrix can be generated. In which "1" stands for "yes" referring to the potential influence of the condition, and "0" seen as "no" means no influence of the condition on the outcome. Since all independent variables are not quantitative, numerical data such as the inward FDI as a percent of total GDP is covert into a trend and shown in the line chart. Two consequences “stable”
and “unstable” are tagged to express the status of inward FDI. After that, a truth table is summarized and the frequency for each case can be counted. Finally, throughout the process, the researcher is able to find out the most relevant variable combination of data protection regulatory changes and to answer the research question.
Reliability and validity of the research
Reliability and validity are major concerns for small-N comparative analysis (Toshkov, 2016). Reliability refers to different researchers applying the same measurement instrument and set of data that should draw a very similar conclusion (Neuman, 2013; Toshkov, 2016). However, in political science, reliability is quite challenged, because "measures are constructed passively recording what goes on in the world" (Toshkov, 2016). A lot of variable measurements regarding political science from previously written sources are probably constrained by limited data or subject to the cognition to certain circumstances. For that reason, perfect reliability in political science research rarely achieves (Toshkov, 2016). The validity, on the other hands, implies precision of the research including internal and external validity (Toshkov, 2016). Internal validity pursues minimized error or bias; external validity tries to forge a theory to be as more generalized as possible. Yet, in political science, the measurements are often limited by incomplete data and complex relationships. For example, the heterogeneous effect that the observed effect in one case might work differently in another context. Thus, external validity is extremely hard to achieve in the small-N analysis (Neuman, 2013; Toshkov, 2016).
These claims, however, might be improved for this research, as the researcher combines cross-cases analysis as well as within-case study. On one hand, the former strategy facilitates the evidence collection for each individual case, and the later one helps to insight the relationship between dependent and independent variables. On the other hand, the within-case study further scrutinized alternative explanations that not possible to filter out in the cross-case analysis (Toshkov, 2016). Besides, the researcher selects cases via conditioning strategy that isolating the possible confounders, wherefore control alternative variables and only let explanatory ones vary. Finally, this research is conducted based on the theoretical framework of regulatory analysis by Lodge (2012) and Bovens (2007), the subjective and personal biases of the researcher are diminished. Because of the above reasons, the study should be reliable and valid.
Empirical Analysis
This section follows the regulatory analysis framework developed by Lodge, Wegrich, and Bovens to analyze the regulatory changes in data protection and its impact on foreign investment inflows to Europe. The analysis firstly categorizes welfare states for the EU-15 countries based on Sapir's report " An agenda for a growing Europe" (Sapir, 2004), so as to ensure the EU countries to some extent are comparable and control the possible heterogeneous causal relationship. After that, the statistics of foreign investment inflows for all EU member states are introduced, and those countries with the remarkable fluctuation of FDI inflow trends are picked for within-case analysis. The next step, the research analyzes the three aspects, regulatory standards,
enforcement and accountability for each EU member state based on the framework. By applying the combinatorial causation of QCA, irrelevant factors regarding the research variables can be filtered out. Finally, the researcher summarizes whether the regulatory changes associated with the inflows of foreign investments to Europe.
Classification and inward FDI results
According to Sapir's report and the welfare state typologies proposed by Art and Gelissen (2002), this research classifies four models of the EU member states, Nordic countries, Anglo-Saxon countries, Continental countries, and South-European countries. The classification takes multiple dimensions into account, such as the level of social security schemes, labor market policies, wage structure, social rights and so forth. Although Art and Gelissen define the fifth type Radical model for Antipodean countries like Australia and New Zeeland, this type is irrelevant for studying European countries in this research. Therefore, Radical type is excluded. Apart from prior joined EU members, East European developing countries are included in none of those typologies. First, the two studies merely made the classification for those countries that join the European Union before 2004, while the new EU enlargement barely started yet at that time. Hence the new members that joined the European Union after 2004 are not included in the classification. Second, the fiscal conditions of the new member states and social policies are different from the 15 countries that joined the EU before 2004 (Sapir, 2004). Despite no explicit classification for the East European developing countries, this research categorizes all of the countries entered the EU after 2004 as a
unique part and studies those countries individually. Based on the above discussion, the EU-15 countries can be classified as following forms.
Table 4 Classification of EU countries
Models Classify Standards Countries
Nordic l Highest level of social expenditure and Universal social protection;
l Many active labor markets policies;
l Tax-based funding combines with other contributions;
l Strong labor unions, and compressed wages.
Denmark, Finland, Sweden; Netherlands.
Anglo-Saxon l Many social assistance type schemes;
l Low benefit level that not related to previous earnings, and the benefits sometimes in kind; l Mainly tax-based funding and not including
social contributions;
l Dispersed wages and low-wage jobs.
Ireland, United Kingdom.
Continental l Social security schemes are focused on employees;
l Civil society runs the social security system, but government have made social insurances mandatory;
l Level of benefit related to individual
Austria, Belgium, France, Germany, Luxembourg.
contribution and duration of employment history;
l Redistribution mainly within social classes. South-European l Low social expenditures and public social
expenditure mainly on public pensions;
l Employment protection legislation is significant; l Compressed wage and earlier retirement;
l A high degree of segmentation regarding social rights.
Greece, Italy, Portugal, Spain.
Inward FDI trend of the EU member states
The inward FDI results are shown in different groups based on Sapir's model. For the rest of EU member states without a specific category is discussed separately. In the period of 2016 to 2018, the FDI inflows statistics demonstrate a fluctuating trend in all EU countries. The net FDI inflows of Netherlands, Ireland, Luxembourg have outstanding performance in each corresponding model. And all countries belonging to the South-European model have no particular wave path, which means every country in the model seems to have an unpredictable trend of attracting foreign investment. For the rest of the EU member states that not been included in Sapir's model are summarized in figure 6. In which Malta, Cyprus, and Hungary have remarkable waves. Since GDPR was announced in April 2016, so the observable period is after 2016, specifically two years data between 2016 and 2018.
The model of Nordic countries includes the Netherlands, Sweden, Finland, and Denmark. The share of FDI inflows in a total of GDP in the Netherlands, however, experienced a slight decline after 2015, but the share climbs 18% since 2016. After 2017, the FDI inflows dropped dramatically with a negative growth that down to negative 17% in the total share of GDP. While Denmark, Sweden, and Finland appear a relatively stable trend. In the period of 2016 to 2018, the fluctuation range of FDI inflows in the share of GDP for the three countries is between 0 to 10 percent.
Figure 2 FDI, net inflow (% of GDP) for Nordic countries
The second model is Anglo-Saxon countries including Ireland and the United Kingdom. The inward FDI of Ireland shows a sharp decline after 2015, and continue to drop a bit after 2016. In 2017, the share of FDI inflows in a percent of GDP is returned to 6 percent. The inward FDI of United Kingdom perform rather steady during the period of 2016 to 2018, and the share is no more than 10 percent in the total GDP.
Figure 3 FDI, net inflow (% of GDP) for Anglo-Saxon countries
The third model is Continental countries that Germany, France, Austria, Belgium and Luxembourg belonging to. In which the inward FDI of Luxembourg experienced positive climb from 2015 to 2016, but suddenly dropped in the year of 2016. Although the statistics of 2018 is unavailable, it is enough to determine an unstable trend of Luxembourg FDI inflows in the share of GDP growth. Germany and France did not show clear changes in FDI inflows. The statistics of Austria and Belgium show an opposite trend, which the inward FDI share in Austria decreased steadily since 2015, but gradually climbed after 2016. On the contrast, the inward FDI share of Belgium increased after 2015, but after 2016 the number continuously decreased. Basically, the fluctuation range is between negative 10 percent to positive 10 percent in the share of GDP.
Figure 4 FDI, net inflow (% of GDP) for Continental countries
The last model is the South-European countries, which contains Spain, Portugal, Greece, and Italy. The trend of inward FDI in the percent of GDP for the four countries are disorganized compared with the previous countries in each model. Spain shows dramatic changes in all three periods, in the period of 2015 to 2016, the share of FDI inflows in a percent of GDP increased, but experienced a clear decrease in one year, after 2017 the FDI inflows rebounded and in 2018 back to the level as it used to be. The statistic of Portugal has increased since 2015, kept the trend for one year but went down after 2017. The FDI inflows of Greece shows a stable increase in the past three years. Italy shows the lowest level of inward FDI in the share of GDP compared to the other three countries. However, the key point is the statistics of FDI inflows for the South-European model is higher than 0.47%, but never go beyond 5%. Unlike certain countries in other models, which the changes FDI inflows in a percent of GDP have an obvious jump or fall, the fluctuation of FDI inflows in South-European countries is
rather insignificant. Therefore, it is essential to divide countries into different models and decide their stability.
Figure 5 FDI, net inflow (% of GDP) for South-European countries
Finally, most East Europe developing countries have rather stable FDI inflows in the share of GDP, except Cyprus and Hungary. Although Malta has a stable FDI inflow in recent years, the ratio is higher than in most European countries. Around 30% GDP of Malta is comprised by FDI inflows. Genschel et al (2011) have provided a possible explanation that relatively small size countries benefit less from domestic revenues thus rely largely on the inflow of foreign capital (Genschel, Kemmerling, & Seils, 2011). Malta, in this case, can be explained as smaller than most European countries and requires more foreign investment. Likewise, Cyprus is also smaller than most EU countries, the needs for foreign investments is high. But after 2017, the FDI inflows of Cyprus has dropped remarkably, up to till 2018, the level of FDI inflows stays the same as most of East Europe developing countries. Another special country, Hungary also
shows a quite visible fluctuation of FDI inflows. After 2016, the share of inward FDI in total GDP in Hungary has declined and the situation lasts for two years with huge negative growth.
Figure 6 FDI, net inflow (% of GDP) for East Europe developing countries To sum up, since 2016, the year that GDPR has been brought forward to the public, several European countries have shown changes in the FDI inflows (the statistics attached in Appendix 1). In the Nordic model, the inward FDI of Netherlands stands out, as the same as Ireland in the Anglo-Saxon model and Luxembourg in Continental model respectively. The South-European countries all present clear changes regarding their FDI inflows, although the change if compare with countries from other models, is quite small. And among the East Europe developing countries, Hungary has impressive figures about its inward FDI fluctuation in the share of GDP. Yet, there is no clear clue whether the effect of GDPR causes up- or downward trends of FDI inflows. Besides, there are a few countries encountering the changes in data protection regulations react
no obvious fluctuation. Thus, deep learning of regulatory changes is required to analyze. For now, the status that presents an unstable trend of FDI inflows in the share of GDP among the EU countries can be summarized in Table 5. Analysis of regulatory regime and accountability focuses on those countries marked as the unstable of FDI inflows trend.
Table 5 Summary of Inward FDI status
Countries Inward FDI status
Austria Stable
Belgium Stable
Bulgaria Stable
Cyprus Unstable
Czech Republic Stable
Germany Stable Denmark Stable Spain Unstable Estonia Stable Finland Stable France Stable
United Kingdom Stable
Greece Stable
Croatia Stable
Ireland Unstable Italy Unstable Lithuania Stable Luxembourg Unstable Latvia Stable Malta Stable Netherlands Unstable Poland Stable Portugal Unstable Romania Stable
Slovak Republic Stable
Slovenia Stable
Sweden Stable
Standards
Among numerous comparisons on regulatory changes in data protection, several remarkable changes in GDPR that should not be ignored. Firstly, in DPD article 3 regarding the data protection scope states "the directive shall not apply to the processing of personal data in the country of an activity that falls outside the scope of Community law". Yet, the territorial scope extends in GDPR, and this significant change is known by law as extraterritorial applicability of regulation. Regardless of location, the GDPR
applies to all who process data of individuals that reside in the European Union (EU GDPR org, n.d.).
Secondly, the provision in GDPR has added administrative fines for companies in case of non-compliance. The penalties imposed on those violated companies can be fined up to 4 percent of total annual global turnover or 20 million euros (EU GDPR org, n.d.). EU GDPR information portal provides some examples further illustrating the conduct of violation. If no impact assessments are conducted nor notify the supervising authority and data subject about potential data breaches, the company is to be seen as breaking GDPR. This example raises a concern for some advanced data technology that may be constrained by these rules. Since both controllers and processors for personal data are also applicable. However, geographic location data provided through cloud computing technology can be stored in multiple servers, where the data has been stored is not always clear, and it is impossible to assess the impact of processing personal data in every second (Nikova, 2018; Tolsma, 2019).
Moreover, the data subject's consent right has strengthened. DPD article 2 (h) states that "any freely given specific and informed indication of his wishes by which the data subject signifies his agreements to personal data relating to him being processed". Article 7 and 8 additionally elaborate that explicit consent must be given by data subjects when processing personal data. But to what extent the explicit consent it refers, GDPR provides more elaborations, in which Article 7 of GDPR lays down specific provisions that are not included in DPD, which the explicit consent means clear and plain language that can be distinguished from other matters, and accessible form
must be easy and intelligible (EU GDPR org, n.d.). The controller must indicate consent has been given, and the consent can be withdrawn by the data subject at any time.
Furthermore, the added Article in GDPR states that data breaches notification work is mandatory to be done within 72 hours. Although judicial remedy to a data breach is stated in DPD, there are no explicit remedial measures about it. In GDPR article 33 and 34, not only supervisory authorities but also data subject shall be notified by the data controller or processor in case of data breaches. And this action should be taken within a certain time.
The last standard change addressed in this research is that every organization in the EU territory must appoint a Data Protection Officer (DPO) due to the rule of GDPR. DPD has no elaboration on this role or anyone who should provide professional data protection guidance. But GDPR appoints DPO to be involved in the whole process and to act independently for data protection.
So far, the noticeable changes of GDPR have been discussed in this research. This section, to evaluate whether the standards of GDPR are better in encouraging compliance, within-case study for the countries based on five principles is conducted. Since the research question is how regulatory changes affect FDI, the focusing is primarily on the countries having a remarkable fluctuation of inward FDI after 2016. With respect to the principle of proportionality, a good regulatory standard should assist the regulator effectively identify the problem and minimize the costs (Great Britain & Better Regulation Task Force, 2005). On every national DPA websites, the significant provisions in GDPR are highlighted and present the links for reporting the personal data
breach. Individuals or organizations are able to flexibly report a data breach incident online. To ensure national DPA only intervene when necessary, Data Protection Impact Assessment (DPIA) guilds participants to conduct a self-evaluation. Based on the assessment, DPA will provide a prior consultation in case of a high risk of processing data. Among the eight countries with an unstable inward FDI trend, three DPA websites found no explicit DPIA instruction, namely the DPA of Hungary, Portugal, and Luxembourg, in which the latter two even do not have introduction nor links of DPIA guidance on their websites. Hence, the principle of proportionality, in case of evaluating risks of innovative technology in the countries of Hungary, Portugal, and Luxembourg are not followed by the regulators. The principle of accountability derived from UK Task Force 2005, only emphasizes that the regulator should justify their decision and be subject to external scrutiny. Bovens (2007) proposed a conceptual framework for both regulator and regulatee's sides, this part is particularly discussing in the accountability section. From the principle of consistency aspect, the researcher finds facts that GDPR contradicts other regulations. For instance, the EU ePrivacy Directive aims at protecting data privacy in the digital age that to some extent is in line with GDPR ('Directive 2002/58/EC', n.d.; Gabel & Hickman, 2019). However, the legislation interpretation for territorial scope of ePrivacy Directive refers to "in the community" while GDPR extends the effect outside the EU (EU GDPR org, n.d.; Gabel & Hickman, 2019). Besides, data breaches notification required by GDPR is within 72 hours, but in ePrivacy Directive, the notifying time shrinks to 24 hours for a telecoms provider ('Directive 2002/58/EC', n.d.; EU GDPR org, n.d.). Apart from those, GDPR
is also subject to national or international regulations. Because of such ambiguous definition regarding a similar situation, and some provisions even conflict with each other, making an indisputable choice of regulations is difficult (Bu-Pasha, 2017; Madge, 2018). In this case, the principle of consistency is not fully satisfied with all EU member states. The principle of transparency assesses whether a regulator is open to public supervisory. All DPA websites have news coverage about recent actions taken against non-compliance of GDPR. Also, the annual reports regarding organizational information are open to the public. But partial countries present incomplete annual reports. It can be said that DPA in those countries are not fully transparent, of which are Luxembourg (reports no update after 2016), and Italy (so-called annual reports are only about DPA chairman speeches). The rest national DPA have uploaded all annual reports up to the budget year of 2018. Finally, the principle of targeting refers to whether the focal problem can be solved by applying the regulation, meantime minimizes the side effect. Due to a large difference between countries, the side effect is various. The research cannot rely on subjective judgment to make a conclusion. Due to the objective of GDPR and the quite clarified European Commission's requirements for each DPA, the principle of targeting is assumed to be satisfied with all member states.
To sum up, with the evolvement of data protection regulation, all EU member states shall follow the standards to protect data privacy. However, through practical cases analysis, the good standards are not followed by some national data protection authorities. The summaries of standards loophole for the eight countries are presented in binary values in the table below. "1" stands for "yes" that implies good standards
followed and implemented by the regulator for data protection, otherwise "0" or "no". Table 6 Summary of standards
CASE COUNTRIES STANDARDS
I Cyprus Yes (1)
II Hungary Yes (1)
III Spain Yes (1)
IV Portugal Yes (1)
V Italy No (0)
VI Ireland Yes (1)
VII Luxembourg No (0)
VIII Netherlands Yes (1)
Enforcement
One of the significant changes in data protection regulation is the increase of the administrative fine, which the provision is not included in the DPD. The enforcement type, therefore, evolves from general persuasion to a mixed strategy that combing more forms of deterrence approach. And according to Lodge et al., (2012), both deterrence and persuasion approach together constitutes effective enforcement (Lodge, 2012). By researching DPA websites, the researcher sorted out all enforcement actions in the eight countries, and presents the results in table 7.
Although the DPA of Cyprus has provided enough instruction upon GDPR compliance, there is no detailed report regarding the decisions on disposing of data
breaches or any activities violating GDPR. And there is only one annual report listed on the Cyprus DPA website. From that report, Cyprus issued 64 penalties to different organizations and 13 commissioner warnings in 2017.
The Hungarian national DPA elaborated seven recommendations on data protection for different industries or businesses from 2016 to 2018. The recommendation involves health records, special legislation, marketable holding companies, and sound recording related businesses. In 2018, the Hungarian DPA provides professional advice on GDPR compliance to Party websites, Internet Banking, and surveillance cameras. However, in 2017, there were no recommendations provided for any type of business. During the three years, the DPA of Hungarian imposed no sanction nor penalty to any organizations. Until the beginning of 2019, the first fine of 3135 euro was imposed on one surveillance cameras company for data breaches (Petrányi, Domokos, Horváth, & Necz, 2019).
The websites of Spanish DPA states six areas for enforcement action, Internet networks, Telecommunications, unwanted advertising, education, surveillance cameras, and other innovative technology. Almost every possible way of personal data disclosure is taken into account. In 2018, Spanish DPA imposed two fines to Vodafone Espana, one is about reporting personal data to a solvency registry, the other is the withdraw right empowered by GDPR is not implemented. These two violations cost Vodafone 5000 and 27000 euros penalty respectively.
The main topic advised by CNPD, the Portuguese DPA, is road surveillance. Although the procedure of imposing sanctions for non-compliance of road surveillance
has been emphasized several times since 2016, during the period of 2016 to 2017, Portuguese DPA only issued one penalty. A fine of 400000 euros to a hospital is laid by CNPD due to the hospital's staff accessing patient data through false profiles.
The distinction of Italian DPA from other national DPA is that a platform of communication is organized where professional advice from experts and feedback from the participants can be shared. And opinions regarding compliance issue are posted on the web pages so that readers can easily reach the answers they attempt to learn about. In the past three years, Garante (the name of Italian DPA) did no lay a fine on any subjects, until April 2019, a 50000 euros penalty imposed to the data processor of Rousseau platform for breaching users' data.
Irish DPA in addition to provide massive advice on compliance with GDPR for companies, for an individual right, especially the awareness to children data protection is brought forward. In the past few years, there is no actual sanction imposed on individuals or organizations. Although the Irish DPA attempts to issues a high fine on Facebook and Google recently, the probe between infringement companies and Irish DPA is still undergoing (Brandom, 2019).
Due to limited information on the DPA website of Luxembourg, the researcher finds no penalty or warnings issued in the recent three years in the country. However, plenty of suggestion focuses on the financial market.
Dutch DPA has 207 records of actions about maintaining GDPR compliance between 2016 to 2018. 40 records can be recognized as applying persuasion strategy, and 29 records considered as deterrence type of enforcement. Among them, 6 are
warnings letters, 34 are advice on organizations or regions of potential non-compliance. 11 sanctions sent out to data protection responsible entities, 17 penalties are issued, and 1 600,000 euro fine imposed on Uber B.V. for the violation of Dutch data breach regulation.
Table 7 Summary of enforcement
CASE COUNTRIES ENFORCEMENT
I Cyprus Yes (1)
II Hungary No (0)
III Spain Yes (1)
IV Portugal Yes (1)
V Italy No (0)
VI Ireland No (0)
VII Luxembourg No (0)
VIII Netherlands Yes (1)
Accountability
In spite of not being a part of the regulatory regime, accountability is one significant principle for good standards. Key challenges have been reviewed in the literature, which traditional, direct command and control type of accountability embedded in democratic and constitutional perspective leaves little room to reconcile independent with accountability (Lodge & Stirton, 2010). Also, the trend of decentralization in the new public administration allows multiple locations as well as
