ABSTRACT
This chapter characterizes and examines the enforcement of the EU’s General Data Protection Regulation (GDPR) through a polycentric governance framework, focusing on how the EU and national authorities at both EU and national levels manage cross-border cases. The GDPR enforcement can be viewed as a polycentric system, characterized by numerous authorities that maintain relative autonomy and engage in coordination and cooperation. It also reflects the EU’s principle of subsidiarity, emphasizing the importance of local decision-making and governance at the most immediate level. However, this interpretation faces scrutiny due to the role of the European Data Protection Board (EDPB), which introduces an additional governance layer with limited powers for coordination and dispute resolution. Although the EDPB’s mandate appears at odds with polycentric principles, its authority is tightly bound to necessity, and measures have been taken to limit its involvement. Through the lens of polycentricity, the chapter critically examines the GDPR’s enforcement structure to uncover and address its systemic challenges of two main kinds, that is, the limited scope of application that does not cover ‘establishment-less’ cases, and the insolvable conflicts between authorities, notably including the EDPB. By situating data protection enforcement within a polycentric context, the analysis reveals the complex interplay between the EU’s decentralized enforcement architecture and its overarching legal goal of consistent and effective protection of personal data. With two case studies – Clearview AI and Meta – we highlight persistent shortcomings in GDPR governance and enforcement that the latest recent EDPB initiatives, introduced by the EDPB to promote enforcement and coordination, have not fully addressed. We contend that polycentricity, despite being an implicit yet fundamental pillar of the data protection framework, merits more deliberate reflection and critical assessment as a foundation for structural reform.
