Sebastian J. Golla
Is Data Protection Law Growing Teeth?
The Current Lack of Sanctions in Data Protection Law and
Administrative Fines under the GDPR
by Sebastian J. Golla, Dr. iur, research assistant at Johannes Gutenberg-Universität Mainz*
© 2017 Sebastian J. Golla
Everybody may disseminate this article by electronic means and make it available for download under the terms and
conditions of the Digital Peer Publishing Licence (DPPL). A copy of the license text may be obtained at http://nbn-resolving.
Recommended citation: Sebastian J. Golla, Is Data Protection Law Growing Teeth? The Current Lack of Sanctions in Data
Protection Law and Administrative Fines under the GDPR, 8 (2017) JIPITEC 70 para 1.
Keywords: GDPR; European Data Protection Law; sanctions; administrative fines; enforcement; DPAs
Abstract: This article looks at the current lack
of enforcement and sanctions in European Data Protection
Law with a particular focus on administrative
fines. It identifies reasons for the existing deficits in
European Data Protection Law and analyses the potential
of the new rules of the General Data Protection
Regulation (GDPR) to compensate for those deficits.
The article argues that the practical application
of the new rules and the coordination of Data Protection
Authorities (DPAs) in all member states of the
EU are the key to more efficient sanctioning and enforcement
through administrative fines.
A. The Current Lack of
Enforcement and Sanctions
in Data Protection Law
It is common sense that the enforcement of Data
Protection Law in Europe needs improvement.
lack of effective sanctions has frequently been cited
as one of the main reasons for existing enforcement
In general, effective sanctions are regarded
as a prerequisite for achieving compliance with legal
rules3 and in theory, many different types of sanctions
can be applied for violations of Data Protection Law,
both under the existing national rules and the rules
of the GDPR. In practice, however, the application
of the sanctions is lagging behind the theoretical
possibilities. Accordingly, Data Protection Laws are
sometimes referred to as “toothless” or as “paper
From the perspective of legal philosophy,
it can even be argued that a law without effective
sanctions is not a law at all.
1 European Union Agency for Fundamental Rights, Access
to data protection remedies in EU member states (Publications
Office of the European Union, 2013), pp. 11 ff.; Thorben
Burghardt and others, ‘A Study on the Lack of Enforcement
of Data Protection Acts’ (Next Generation Society.
Technological and Legal Issues - Third International
Conference, e-Democracy 2009, Athens, Greece, September
2009); David Wright, ‘Enforcing Privacy’ in David Wright
and Paul De Hert (eds), Enforcing Privacy: Regulatory, Legal and
Technological Approaches (Springer 2016), pp. 13 ff.
2 Benedikt Buchner, Informationelle Selbstbestimmung im
Privatrecht (Mohr Siebeck 2006), p. 299; Thomas Hoeren,
‘Datenschutz als Wettbewerbsvorteil’ in Erich Greipl (ed.),
100 Jahre Wettbewerbszentrale (Deutscher Fachverlag 2012) p.
This article looks into the possible reasons for the
lack of sanctions for violations of data protection
rules, and focuses particularly on administrative
fines. Specifically, the article examines the new
rules of the GDPR concerning administrative fines
3 Thomas Raiser, Grundlagen der Rechtssoziologie (6th edn,
Mohr Siebeck 2013), p. 253.
4 Jan Philipp Albrecht, ‘Regaining Control and Sovereignty
in the Digital Age’ in David Wright and Paul De Hert
(eds), Enforcing Privacy: Regulatory, Legal and Technological
Approaches (Springer 2016), p. 473, 483; European Union
Agency for Fundamental Rights, supra note 1, p. 47.