The European legislator has frequently stressed the competitive advantage that is provided in the General Data Protection Regulation (GDPR). However, there is little scientific evidence as to whether this promise will come true or not. Focusing on data protection certification mechanisms, this paper illustrates why the regulatory approach inherent in the GDPR has indeed the potential to provide its regulation addressees, that are, data controllers and processors, competitive advantage and even enhance data-driven innovation. Therefore, this paper will first outline an approach that will help to conduct research on the effects of regulatory instruments on innovation. This perspective differentiates between two perspectives. In a first step, the approach assesses which regulatory instruments are best suited to protect the individuals against the risks caused by innovation. In a second step, the approach focuses on the question on how these risk protection instruments should be designed to not unnecessarily hamper innovation, or even enhance innovation. This two-levelled approach does not only help the legislator to draft laws that both effectively protect against risks and support innovators in their innovation processes, but the approach also helps interpret existing laws regarding both regulatory functions. In this regard, this paper will firstly demonstrate that a co-regulation strategy is particularly suitable for reaching this aim, and secondly that the GDPR can be interpreted in such a way that it does not only protect against data protection risks but, indeed, also provides for competitive advantages. This becomes clear, in general, when examining the effects of data protection certification mechanisms on a micro-, meso-, and macroeconomic level, if these mechanisms are used to specify and standardise, for example, the data protection- and security-by-design requirements (Art. 25 and 32 GDPR). Following the proposed levels at which the competitive advantage can be achieved, conclusions can be drawn, in particular, on the following aspects. Firstly, the different economic effects of data protection certification mechanisms compared to codes of conduct (and to a limited extent also to binding corporate rules — in the following also referred to as “BCR”). Secondly, the different incentives to specify and standardise the GDPR provisions that depend on the type of data controllers and processors. Third, the appropriate level of protection signaled by data protection certification mechanisms and its interplay with the “state of the art”-requirement. Fourthly, the suitable object of data protection certification mechanisms with respect to the ability of data subjects to assess the level of protection. Lastly, three selected key questions on how to cope with the complexity of such “data protection markets”, taking into account the perspective of certification bodies, data controllers as well as processors, and data subjects. On this basis, the paper concludes by highlighting the need for empirical research to answer several remaining questions on the effectiveness of the discussed regulatory instruments from the point of view of regulating innovation.
