By Filippo Lancieri (University of Chicago)
The rise of data protection laws is one of the most profound legal changes of this century. Yet, despite their nominal force and widespread adoption, available data indicates that these laws recurrently suffer from an enforcement gap—that is, a wide disparity between the stated protections on the books and the reality of how companies respond to them on the ground. This raises the question: what accounts for this gap and what can be done to improve the performance of these laws?
This Article begins by describing three core building blocks of data protection regimes in the United States and Europe—namely, market forces, tort liability and regulatory enforcement—that these jurisdictions combine in different ways to ensure that companies act in accordance consumers’ privacy preferences. It then identifies two key reasons—particularly deep information asymmetries between companies and consumers/regulators, and high levels of market power in many data markets—that enable companies to behave strategically to protect private interests and undermine legal compliance.
