ABSTRACT
Privacy is a central challenge in the on-going “datafication” of cultural, socio-economic, and political interactions in, at, and across national borders. Literature on privacy governance tends to focus on legal theory, regulatory analysis, or attitudes and behaviours of information technology users. A polycentric approach, however, calls for a more institutionally oriented take on the dynamics of privacy governance. In this chapter, we focus on regulatory intermediaries, who are pivotal for interpreting, monitoring, and implementing data policy in organizations, and as such constitute centres of power. We draw on two distinct cases of regulatory mediators in the context of data governance: institutionalization of the role of data protection officer (DPO) in the EU, and implementation of technology for remote teaching in the early stages of the COVID-19 pandemic. The two cases are substantially different. The DPO is a formally structured role that should be applicable across contexts of institutional activity. Educators and technology implementers in schools and institutions of higher education are informal intermediaries acting in a very particular domain. Yet, both cases share an emergent structure of privacy governance through regulatory intermediaries, which further emphasizes their polycentric nature. We leverage ideas from the literature on internet governance, science and technologies studies, and regulatory governance to draw conclusions on polycentrism in data governance.
