Externalization of the GDPR: promoting global regulatory standards in data protection and privacy


Academic year: 2021


Externalization of the GDPR: promoting global regulatory standards in data protection and privacy.

Student name: Orin Pieterson

Student number: S2067064

Course code: 8921M900

Program: Master Crisis & Security Management

Course title: Master Thesis

1st reader: Drs. Georgieva / Dr. Van den Berg

2nd reader: Dr. Els de Busser

Date: 10-6-2018


Abstract

Over the last seven decades, the EU has grown into a formidable economic actor in its own right. By bundling economic capabilities and leveraging them vis-à-vis other international actors, the EU has obtained a strong position as a regulatory power. With the GDPR, the EU once again reiterates its commitment to safeguard its core principles. This thesis explores the mechanisms in the GDPR that trigger the extraterritorial application of the regulation, possibly leading to a global standard on data protection and privacy. Building on the notion of soft power – the ability to exert influence by utilizing attractive elements in an actor’s culture, society, or values – this thesis argues that the EU managed to devise a legislative framework that incorporates its ideological conviction when it comes to privacy and data protection, while facilitating international data transfers, and does so on its own terms. The theoretical notion of soft power is made tangible by placing it within the concept of ‘Normative Power Europe’, which describes the processes through which the EU diffuses its normative preferences throughout the world. This is supplemented with the Brussels Effect, which describes how EU regulatory standards gain global traction and are adhered to by organizations outside the jurisdictional scope of the EU.

The GDPR involves six instruments that drive the extraterritorial application of the Regulation, mainly focusing on multinational corporations and other organizations that regularly transfer data across jurisdictional lines. These instruments aim to create uniform frameworks that safeguard data protection and privacy within these organizations, and when they transfer personal data to other organizations. Moreover, the EU devised a system to assess the adequacy of data protection in third states, in which it also takes into account whether the third state adheres to the same normative preferences as the EU.

The GDPR is an example of how the EU actively pursues a normative agenda in relation to other states, and in relation to private actors. This research adds to the NPE research paradigm by analyzing a landmark piece of legislation that will have effects for years to come.


Contents

Abstract

1 Introduction

2 Theoretical Framework and Body of Knowledge

2.1 Societal and Academic Relevance

2.1.1 The Political Dimension

2.1.2 Academic relevance

2.2 Literature review: GDPR

2.3 Soft Power: The power of Attraction.

2.4 Normative Power Europe

2.5 The Brussels Effect

2.5.1 The Brussels Effect

2.5.2 Conditions for the Brussels Effect

2.6 Externalization in the soft and normative power framework

3 Methodology

3.1 Formulating the Research Questions

3.2 Using a holistic approach

4 Analysis

4.1 The GDPR: the European rights-based approach

4.2 Why history and context matters

4.3 The ‘Transatlantic Data War’

4.4 Externalizing the GDPR: triggers and mechanisms

4.5 Diffusing the GDPR: a NPE perspective

4.6 The GDPR and the Brussels Effect

4.6.1 De Facto or De Jure?

4.7 GDPR as an attempt to externalize EU Policies on a global scale

5 Conclusion: Externalization of the GDPR: an exercise in soft and normative power?

5.1 Analytical Results

5.2 Limitations of the research

1 Introduction

The Regulation 2016/679 of the European Parliament and the Council, or the General Data Protection Regulation (hereafter: GDPR), the EU’s new legislative framework for privacy and data protection, was drafted in 2016 and will be enforced by national Data Protection Authorities (DPAs) from the 25th of May 2018. Over the last 23 years since Directive 95/46/EC (hereafter: DIR95) came into existence, a tremendous advance in information and communication technology has transformed the European and the global economy. DIR95 was drafted in 1995, before the commercialization of the internet, and thus urgently required a review and adaptation to current practices. (European Data Protection Supervisor, 2018) The GDPR provides a comprehensive framework that prepares the Union for the increased digitalization of its economy, and lays the groundwork for years to come. The aim is to harmonize the European framework for data protection and privacy by creating one uniform legislation for all Union Member States, to facilitate the free flow of data between member states, and to ‘contribute to the accomplishment of an area of freedom, security and justice, and of an economic union, to economic and social progress, to the strengthening and convergence of the economies within the internal market, and to the well-being of natural beings.’ (GDPR: Recital 2) Moreover, the European Data Protection Supervisor, Giovanni Buttarelli, promoted the GDPR as ‘a clarion call for a new global digital gold standard’ (Buttarelli, 2016), which facilitates ‘streamlining international data transfers and setting global data protection standards.’ (European Commission, 2018b)

This outspoken ambition of the EU to shape global standards with regard to data protection comes as no surprise, just as it comes as no surprise that it is the EU that has realized the most far-reaching privacy framework in the world. The right to the protection of personal data is enshrined in article 16(1) of the Treaty on the European Union and in article 8(1) of the Charter of Fundamental Rights of the European Union and thus firmly codified within legal documents in the Union. The inclusion of the right to protection of personal data, and to a certain degree of privacy, stems from a long commitment to the individual’s right to informational self-determination, which is understood as the individual’s ability to determine what information is publicly disclosed. (Bloch-Wehba, 2015) Europe’s history has engrained its societies with an appreciation of respect for the private sphere and private life, which is clearly valued by its citizens and its legislators. (Schwartz, 2013) Especially as the societal impact of unlimited and unrestricted data gathering becomes more controversial following recent discussions about the use of personal data in political campaigns and by intelligence services, this new legislative framework provides more control over personal data for individual data subjects. Moreover, recent incidents with Cambridge Analytica and Facebook, and the surge in data breaches occurring around the world, have elevated the issue of protecting personal data on the political agenda. (Boyd & Crawford, 2012; Cadwalladr, 2017, 2018; Eriksson & Giacomello, 2006; Identity Theft Resource Center, 2017; van Den Broek & van Veenstra, 2018)

Besides a much-needed update - especially in the light of these revelations about the potential abuse of personal data by both private and public actors - the GDPR also provides the EU with an instrument to extend and cement its influence abroad. This thesis argues that the GDPR contains a number of mechanisms or ‘triggers’ that legitimate the application of the GDPR beyond the jurisdictional and territorial borders of the EU, and that these triggers result in externalization of the GDPR, potentially leading to global regulatory convergence. Joanne Scott (2014: 1344) defined these triggers as ‘a mechanism that launches the application of EU law and delimits its personal and territorial scope of application.’ In the GDPR, these triggers are identified as: the definition of the scope of the regulation (article 3 GDPR), the adequacy decisions on adequate data protection standards (article 45 GDPR), Binding Corporate Rules (BCRs) (article 47 GDPR), Standard Contractual Clauses (SCCs) (article 28(6) GDPR), Codes of Conduct (article 40 GDPR), the certification procedure (article 42 GDPR), and the Privacy-by-Design and Privacy-by-Default principles (article 25). These legal triggers launch the application of the GDPR beyond the territorial borders of the EU, but there are also other factors that enable this process, rooted in a market-based approach. These are identified using the theory of the ‘Brussels Effect’, as coined by Anu Bradford (2012: 5). These factors include the large single market, the propensity to enforce strict rules over inelastic targets, a significant regulatory capacity, the nondivisibility of standards, and the emergence of the privacy-by-design and the privacy-by-default standards. The motivation for including these mechanisms that trigger extraterritorial application of the GDPR is explained using two theories: the theory of soft power, as conceived by Joseph Nye, and the theory of the normative power approach, as formulated by Ian Manners.

A consequence of this jurisdictional muscle-flexing by the Union is that it potentially clashes with other conceptualizations of privacy and data protection. One example is found in relation to the United States, where these concepts are regarded in a different light. Unlike the EU, where data protection is seen as a right and finds its legal base in the Treaty of the EU, privacy and data protection in the US are found in a fragmented collection of state law, case law, and commercial law, or ‘a patchwork of sectoral law’. (Schwartz & Peifer, 2017: 147) Accordingly, the European approach to data protection and privacy, and its inclusion in constitution-like documents, is not self-evident. It is a product of the historical context that facilitated this process. The European approach of data protection as a right is further explained in the theoretical framework, where it is juxtaposed with the American approach to data protection in order to argue that historical processes shape preferences and understandings that can differ around the world. In this thesis multiple theories are combined to explain a phenomenon: the occurrence of the extraterritorial application and externalization of EU privacy and data protection legislation. This approach leads to a deeper understanding of the political and societal implications of the GDPR, and sheds light on the way in which the EU manages to exert influence beyond its borders by using legal mechanisms that trigger extraterritorial effect, and how the EU relies on market forces to externalize EU policies by leveraging its economic capabilities.


The following research questions are formulated to guide this thesis:

‘To what extent does the EU exercise normative power through externalization of its privacy and data protection regulation?’

This question is answered by dissecting it into four distinct sub-questions:

1. Does the concept of externalization fit within the broader frame of soft and normative power?

2. What is the background and context in which the GDPR was drafted?

3. How, and to what extent, can the GDPR be considered an attempt to externalize EU policies on a global scale?

4. How, and why, is the externalization of the GDPR an example of Normative Power Europe?

The first section of this thesis is comprised of a theoretical framework that is built up in three parts: first, a literature review on available scholarly work on the GDPR is provided to give an overview of what work has been undertaken by the academic community, and to give an impression of the topics that are related to the GDPR. Subsequently, the concepts of soft power, Normative Power Europe, and the Brussels Effect provide the framework that is later applied to the case of the GDPR. After this theoretical framework, the employed methodology is discussed, which is followed by the analysis, which applies the theoretical framework to the case of the GDPR in order to argue that the GDPR is a landmark piece of legislation that contains mechanisms to trigger extraterritorial application of the GDPR, and thereby externalizes the European normative agenda on data protection and privacy.

2 Theoretical Framework and Body of Knowledge

This thesis seeks to combine a number of different elements: recent developments that have led to closer scrutiny on data collection practices, concerns about privacy in the digital age, how the GDPR can be seen as a response to these concerns, and how the GDPR is externalized by the EU as part of its normative agenda. Hence, it also draws upon different schools of thought and theoretical frameworks, which are combined in this chapter. The first section outlines the societal and academic relevance of this thesis, after which the second section offers a literature review on scholarly work on the GDPR. This overview illustrates the urgency for more multi-disciplinary work on the GDPR and its potential geopolitical implications. A broader perspective, besides merely legal perspectives or comparative studies into the effects of the GDPR, can help create more understanding for the exercise of power or influence through legal acts such as regulations. After substantiating that claim by using the concept of ‘soft power,’ this will be linked to the theory of Normative Power Europe, to explain the motivation behind the externalization of the GDPR, and finally the Brussels Effect to outline how this is achieved in practice. Hence, the combination of these three theories offers an explanation of why the EU actively pursues its normative agenda, and how it externalizes this normative agenda through its regulations to achieve global impact.

2.1 Societal Relevance

The development of computers and information and communication technology has had an enormous impact on daily life. This is true for the individual, who is now connected to the world through a smartphone or computer, but also for organizations in both the public and private sector. As interconnectivity has grown, the world has become a smaller place and globalization is enhanced. This compression of time and space through technology has a lot of advantages, but it also carries with it the challenge of managing that technology in a proper manner. People have grown accustomed to sharing information – and personal data – online through social media platforms, or accessing commercial or government services through online environments or applications. According to IBM, the world has created more data in the last two years than in the entire history of the human race before that. (Lewis, 2018) This will presumably increase in the coming years as large technological innovations are taking place, including the development of artificial intelligence, the Internet of Things, and virtual reality applications, to name a few. The fact that we now produce more data than ever, combined with the rapid development of new, potentially invasive technology, reiterates the momentous challenge of managing personal data nowadays.

Besides the likely increase of personal data in the future, the development of the digital economy and recent events have illustrated the necessity of legislative frameworks for data protection and online privacy which simultaneously allow international data flows to continue unabated. The collection of personal data has developed into a full-fledged business model for many of the largest companies in the world. According to a report by PwC, the technology industry is the largest sector in terms of market capitalization, closely followed by the financial sector and consumer goods. (PwC, 2017: 4) These sectors rely heavily on data, either to sustain their business model (such as in the case of Facebook and Google), to build models or automate trading (in the financial sector), or to drive business efficiency and analyze consumer behavior, for example (in the consumer goods sector). (Muzellec, Ronteau, & Lambkin, 2015) Data occupies a central position in contemporary society, but this has come at a high price, as the number of incidents related to data protection and privacy illustrates. Over the last few years, there have been numerous data leaks. An impressive, but non-exhaustive list of large data breaches includes MyFitnessPal (2018), Equifax (2017), Uber (2017), eBay (2014), Morgan Stanley (2015), T-Mobile/Experian (2015), JP Morgan Chase (2014), Home Depot (2014), Yahoo! (2013), Target Stores (2013), Adobe (2013), and Sony PlayStation (2011). (Identity Theft Resource Center, 2017) This includes multinational, corporate companies across all sectors, with significant cybersecurity budgets which apparently do not mitigate the risk of personal data being accessed, leaked, or stolen. Consumers should be wary of whom they give their personal data to, and cannot automatically trust large corporations to manage their personal data in a secure way. Data by the Identity Theft Resource Center (ITRC) indicates that the number of data breaches has doubled between 2014 and 2017, with an all-time-high of some 178 million records compromised in 2017, (Identity Theft Resource Center, 2017) while the well-known website haveibeenpwned.com, which keeps a record of all data breaches and offers the possibility to check whether your information has been compromised, recently announced it had surpassed 5 billion hacked or compromised accounts.1 Accordingly, it can be concluded that data has taken on a central role in today’s digital economy and that the management of that data poses significant challenges for companies, and forms a source of concern for individuals who are increasingly confronted with data leaks and mismanagement of their personal data.

2.1.1 The Political Dimension

Another source of concern across the globe came from the 2013 revelations by Edward Snowden, an NSA whistleblower, who uncovered how governments have established extensive surveillance programs using publicly available data to monitor activity on the internet. This included the activities of ordinary citizens, but also that of foreign leaders and other targets abroad. (Verble, 2014) These revelations had significant consequences for transatlantic relations, and drove a wedge between the EU and the US, resulting in the invalidation of the so-called ‘Safe Harbor’ agreement, which facilitated transatlantic data transfers. (Schwartz & Peifer, 2017: 118) The tremendous power and capability of data analysis and enrichment once more became clear after The Guardian revealed that in 2016 a British firm, Cambridge Analytica, had used personal data from millions of Facebook users to compose psychological profiles in order to influence their voting behavior. (Cadwalladr, 2017) These revelations, both the ‘Snowden files’ and the Cambridge Analytica case, reaffirmed that data protection and privacy are more relevant than ever, in multiple ways. They showed that personal data of European citizens was being analyzed and abused by foreign governments and private parties. New controversies emerge almost daily as a broad societal debate unfolds about how we should manage our personal data, who is responsible for that, and what the potential consequences are if we continue down this path. The GDPR addresses at least some of these challenges by declaring the EU’s commitment to privacy and data protection as fundamental rights and giving the data subject more instruments to take control over the data that is out there about them. Moreover, it establishes common procedures for international data transfers, based on European values, which potentially establishes the new norm for data transfers.

2.1.2 Academic relevance

In academic circles, the GDPR has been the source of much debate and the inspiration for many publications. However, thus far only two scholars have produced scholarly work relating the Brussels Effect to European data protection regulations. Paul M. Schwartz (2013) reviewed how globalization of regulation on data protection has developed over the last decades, and included an analysis of the possible contribution by the Brussels Effect. Schwartz holds that while European privacy laws have influenced large parts of the rest of the world, this is not attributable to the Brussels Effect. In fact, two factors limit the occurrence according to him: ‘the existence of EU policies that sometimes conflict with information privacy and limits on the EU’s power in the global information economy’. Schwartz adds that ‘the United States never enacted EU-style privacy legislation nor created EU-style institutions,’ which is enough for Schwartz to conclude that the Brussels Effect has not occurred when it comes to data privacy. (Schwartz, 2013: 1985) This argument fails to recognize the more subtle qualities of the Brussels Effect, which acknowledge that there is a world besides the US where Europe can influence privacy laws. Moreover, Schwartz’s analysis is based on an analysis of DIR95, a piece of legislation not nearly as comprehensive as the GDPR.

The second author who engaged with the Brussels Effect in the context of data protection policy is Franz-Stefan Gady (2014). Contrary to Schwartz, Gady does acknowledge that European standards on data protection and privacy have spread globally, and contends that two other developments have increased the saliency of this topic and the capability of the EU to set global standards: the revelations by Edward Snowden on American surveillance practices, and the diminished role of the UK in the EU, as a supporter of laxer privacy regulation. (Gady, 2014: 18)

Both authors published before the GDPR was drafted, and can therefore not be criticized for not taking into account elements of the GDPR that facilitate the Brussels Effect. However, this does merit a new study into the elements within the GDPR that facilitate externalization, especially as these authors offer competing perspectives on this issue. This thesis contributes to creating more insight into the applicability of the Brussels Effect in global data privacy by offering a comprehensive and systematic account of the underlying reasons why the EU seeks to externalize the GDPR and how this occurs. The next section will introduce a concise summary of available scholarly literature on the GDPR in order to give an impression of the available literature on the GDPR.

2.2 Literature review: GDPR

A number of scholars have written about the general changes that the GDPR entails. Tikkinen-Piri et al (2018) give an overview of the implications of the GDPR for companies that collect personal data from EU citizens. The emphasis in this work is on 12 aspects that should be proactively implemented to comply with the GDPR to avoid sanctions. (Tikkinen-Piri, Rohunen, & Markkula, 2018) It provides a clear guide and pointers for a deeper understanding of the underlying motivations of the GDPR. A similar summary of the key changes under the GDPR is provided by Tankard (2016), with a number of practical suggestions to integrate GDPR compliance with other data protection standards such as ISO 27001 and ISO 27002. (Tankard, 2016) These overviews offer practical help in understanding the rationale behind the GDPR, and offer general guidelines to implement the regulation. In similar fashion, Lambert, Voigt, and Von dem Bussche (2017) offer step-by-step advice on what to keep in mind while designing compliance mechanisms, what processes should be revised or adapted, and how potential fines can be prevented by obtaining a ‘defensible position’ when being audited by national data protection authorities. (Lambert, 2017; Voigt & von dem Bussche, 2017) The strategy to obtain a ‘defensible’ position is supported by professional services organizations, who note that many organizations, instead of pursuing full compliance, opt for obtaining a position that exhibits that the organization has put in effort to comply with the regulation while not being fully compliant. (Deloitte, 2017: 3)

Eric Lachaud (2016, 2018) focused on articles 42 and 43 in the GDPR, which enable certification as a regulatory instrument under the GDPR. In essence, this stipulates that independent third parties can perform audits in order to provide organizations with data protection certificates if the organization demonstrates the existence of appropriate safeguards, through a voluntary and transparent process. Much remains unclear about who is authorized to perform the certifications, and what the exact requirements are for such certifications. Moreover, such procedures can be costly, and possibly unattainable for smaller organizations due to the financial costs of hiring the consultancy organizations that are likely to perform such certifications. Hence, articles 42 and 43 provide for some leeway in the interpretation of the GDPR, and ‘can be seen as an attempt by the European authorities to address the complex challenge of enforcing fundamental rights in a technological context.’ (Lachaud, 2016: 826)

There is a body of work dealing with comparative studies regarding the differences and similarities in the implementation and enforcement of the GDPR and its transposition into national law. Custers et al (2018) offer a comparative case study between eight European countries. Although the GDPR aims to harmonize data protection standards throughout the EU, there is still ample room for national legislatures to tweak national legislation according to their preferences through implementation laws. Moreover, a number of factors are identified that influence how member states transpose the GDPR into national practices. This includes the interplay between government, civil rights organizations and data protection authorities, the intensity and scope of political debates, information campaigns, media attention, and the public debate. (Custers et al, 2018) This work focuses on an inter-European comparison of national legislations, whereas there is also a broad body of comparative research on the differences between EU conceptualizations of privacy and data protection and other interpretations, such as in the US, providing interesting cross-cultural comparative work. (Bignami, 2007; Boehm et al., 2015; Farrell & Newman, 2016; Gady, 2014; Schwartz & Peifer, 2017; Whitman, 2004)

A third category focuses on the impact of the legislation on specific industries or practices, such as the medical industry (Di Iorio, Carinci, & Oderkirk, 2014; Mccall, 2018), the application of artificial intelligence (Butterworth, 2018), and how the GDPR might have severe consequences for companies that are infected with ransomware (Green, 2017). An interesting article is written by Miño-Vásquez and Suhren (2018), who described the administrative sanctions in the GDPR, which allow authorities to issue fines up to 20 million euros, or 4% of a company’s global annual revenue, in cases of non-compliance. (Miño-Vásquez & Suhren, 2018) Moreover, the GDPR can also have consequences for scientific and academic research, especially with regard to data collection practices, although Article 85 holds that data processing for academic, journalistic, literary, and artistic purposes should be reconciled by the Member States themselves. (Cornock, 2018; Di Iorio et al, 2014; Koščík & Myška, 2018; Mourby et al, 2018) Hence, the changes vis-à-vis previous legislation have been explored by several authors, who offer a valuable contribution by contrasting the regulation with previous EU legislation and national legislative frameworks.

This overview illustrates that there has been some academic attention for the GDPR and its implications, but that it still remains a largely unexplored area of work in many regards. Mapping the consequences of the GDPR, and supporting this with sound empirical data, can only occur after enforcement of the regulation starts, on the 25th of May 2018. The actual enforcement will most likely lead to fines and litigation, and subsequently to more academic efforts.

What this body of knowledge lacks are analyses that place the GDPR in a broader geopolitical perspective, and as an exercise of power. This thesis addresses that gap in knowledge by analyzing how the GDPR is an expression of the normative values of the EU, within the Normative Power Europe agenda, and how it is externalized to achieve impact beyond the territorial and jurisdictional borders of the EU. The next section will introduce the concept of ‘soft power’, and draws a clear link to the objective of the GDPR.

2.3 Soft Power: The power of Attraction.

This section offers a concise introduction of the concept ‘soft power’, as coined by Joseph Nye in 1990 in his seminal book Bound to Lead: The Changing Nature of American Power. Nye, departing from the dominant paradigm that framed international relations as shaped by realist assumptions, argued that actors can exert influence with means other than purely military power, or civilian power. Nye described this as ‘soft power’. (J. Nye, 1990)

Soft power describes the power of states to convince other states to achieve a common objective. This can be done in three ways, Nye argues: 1) ‘threats of coercion (“sticks”); 2) inducements or payments (“carrots”); and 3) attraction, that makes others want what you want. A country may obtain the outcomes it wants in world politics because other countries want to follow it, admiring its values, emulating its example, aspiring to its level of prosperity and openness. In this sense, it is also important to set the agenda and attract others in world politics, and not only to force them to change through the threat or use of military or economic weapons. This soft power — getting others to want the outcomes that you want — co-opts people rather than coerces them.’ (Nye, 2014: 3) The EU has that ability, as ‘the main output of the Brussels machine are rules that govern trade and that set standards for consumer protection, for the environment, for competition, etc. […] If the power to make rules is power, then Brussels, in a modest way, is also a power.’ (Cooper, 2012: 9)

Nye makes a clear distinction between threats of coercion (or sticks), inducements or payments (which he calls carrots), and the ability to co-opt others because of intrinsic qualities that a state possesses which are deemed admirable or desirable. This division represents three dimensions of power a state can possess: military power, civilian power – also known as economic power – and soft power. (Manners, 2002: 240) As Colin S. Gray puts it, ‘In recent decades, scholars and commentators have chosen to distinguish between two kinds of power, “hard” and “soft.” The former, hard power, is achieved through military threat or use, and by means of economic menace or reward. The latter, soft power, is the ability to have influence by co-opting others to share some of one’s values and, as a consequence, to share some key elements on one’s agenda for international order and security.’ (Gray, 2011: v)

Nye outlined these sources of power and corresponding ‘currencies’ and government policies that are used:

(Table by: J. S. Nye, 2009: 31)

The exercise of military power is thus correlated to coercion, deterrence and protection, by relying on threats of force. This translates into practices of coercive diplomacy, war, or in alliances. Economic power is used through inducements or through coercion by means of payments (inducements) or sanctions (coercion). Governments employ economic power through aid, bribes, or sanctions. Lastly, soft power is expressed through agenda-setting behavior and the power of attraction, and is derived from values, culture, policies and institutions which are exercised through public, bilateral, and multilateral diplomacy.

Ultimately, the concept of soft power holds that in international relations, just as in relations between individuals, a certain ‘likability factor’ comes into play. The perception of a state, whether positive or negative, can contribute to – or limit – the ability to achieve foreign policy objectives, as it influences the willingness of other states to cooperate, or can incite them to pursue contrary objectives. The ability to form coalitions in international relations is crucial for any effective foreign policy. Spending fewer resources on military posturing or paying off other states, and instead investing in the intrinsic qualities of the homeland, certainly seems like a legitimate policy that produces positive effects both internally and externally.

The main driver of the increased recognition for the role of soft power in international relations is the assumption that military power is more costly than in earlier times. (J. Nye, 1990: 159) Both in economic terms and in terms of political capital, wars are expensive and unpopular with the public. This disincentivizes states from resorting to military means to exert influence and incentivizes the use of other means, such as the power of attraction and the art of persuasion. The increased costs of imposing a state’s will on others through military means, along with the establishment of international law and a form of international community, have also empowered competition between states on issues such as trade.

Soft power is not only a less expensive, but also a more successful and enduring strategy than relying only on sticks or carrots. Many states would not even be able to coerce other actors due to insufficient resources, but soft power is in theory attainable for every state, as it does not rely primarily on the economic resources that are at the disposal of a state, but is rather derived from other power sources, such as moral authority, ideas, culture, policies, or popular culture. The leader of a group or international community can establish norms consistent with its society. Increased interdependencies caused by cultural, social, and political diffusion are inevitable in such an environment. Hence, the one who makes the rules can shape them to their own preference, and is less likely to have to change to adapt to the standard. (J. Nye, 1990: 167)

2.4 Normative Power Europe

Building on the notion of soft power, in his largely influential article ‘Normative Power Europe: Contradiction in Terms’, Ian Manners outlines how the EU has occupied a particular position in the international community, based on normative power rather than traditional sources of power such as military capabilities. He dubs this ‘Normative Power Europe’, or the normative power approach (NPA). (Manners, 2013)

With this article, Manners attempts to ‘refocus analysis away from the empirical emphasis on the EU’s institutions or policies, and towards including cognitive processes, with both substantive and symbolic components.’ (Manners, 2002: 239) In its relations with other international actors, the EU promotes a number of norms or values, derived from its historical context, hybrid polity, and political-legal constitution. Manners identifies these ‘core principles’ as: (1) the centrality of peace; (2) the idea of liberty; (3) democracy; (4) the rule of law; and (5) respect for human rights and fundamental freedoms. These are supplemented with four ‘minor norms’, identified as social solidarity, a commitment to anti-discrimination policy, sustainable development, and good governance. As Manners puts it, ‘[t]he reinforcement and expansion of the norms identified here allows the EU to present and legitimate itself as being more than the sum of its parts.’ (Manners, 2002: 244) The ideas that form the foundation of these norms are deeply rooted in the shared history of the continent, and the post-WWII desire to prevent any armed conflict. Economic cooperation and integration, supplemented with a sense of shared norms, provided a rational answer to the challenges on the European continent, bonding former enemies through close reciprocal collaboration. These shared norms thus produce effects in both the ‘domestic’ European sphere, to bond the Member States and create a shared sense of purpose or identity, and in the external sphere, vis-à-vis other actors. They are diffused and spread, for which Manners identifies six factors:

contagion, the process of unintentional diffusion of EU norms to other actors; informational diffusion, as a result of strategic communication and new policy initiatives by the EU; procedural diffusion, which occurs after relationships with third countries are institutionalized by means of cooperation agreements or through enlargement. The fourth factor that enables diffusion of EU norms is transference, which occurs through exchange of goods, trade, aid or technical assistance. Overt diffusion occurs when the EU has a physical presence in a third state, including by means of diplomatic relations, or monitoring missions for example. Finally, Manners argues the cultural filter influences the diffusion of EU norms. According to Manners, this cultural filter is ‘based on the interplay between the construction of knowledge and the creation of social and political identity by the subjects of norm diffusion.’ (Manners, 2002: 245) This cultural filter determines whether or not a third state is susceptible to the norms that the EU intends to diffuse, based on the local conditions in the third state (or the ‘subjects of norm diffusion’ as Manners calls it). As Natalia Chaban (2015) notes, these factors contributing to the diffusion of norms depend on two-way interaction between the EU as the sender, and the third state or society as a receiver. The diffusion of these norms can ‘happen either intentionally, via strategic communication (“informational diffusion”) or unintentionally (“contagion”). In the latter case, the mutual exchange of ideas occurs - through either the institutionalization of a relationship (“procedural diffusion”); or through substantive or financial means such as trade, aid, or technical assistance (“transference”); or as a result of physical presence (“overt diffusion”).’ (N. Chaban, in Pardo, 2015: 40)

Hence, the potential of the normative power approach lies in the ability to identify the underlying reasons for the EU to diffuse its core principles, such as the idea of liberty, democracy, the rule of law and respect for human rights, through various mechanisms of interaction. It is premised on the notion that this interaction, as a result of globalization and increased interconnectivity, will inevitably produce some cultural and societal convergence. In that sense, the normative power approach shares a fundamental assumption with the notion of soft power, as both approaches hold that power in the form of influence can be exerted by more than merely coercing others or bribing others. If globalization and growing interdependence are taken to be a fact, promoting one’s own system of normative values can be a valuable source of power indeed.

2.5 The Brussels Effect

The previous chapters introduced the notion of soft power to exert influence, and the concept of the normative power approach. These concepts are premised on the ability to convince or co-opt other states because of intrinsic qualities or characteristics of a country that seem admirable or desirable to others. This chapter introduces another way to diffuse norms by a different mechanism, also known as ‘the Brussels Effect’. These three concepts are combined in the analysis section to explain how the GDPR is externalized by the EU and achieves global impact. The Brussels Effect describes the process of global regulatory convergence. This chapter introduces the theoretical foundations of the Brussels Effect which is later applied to analyze the case of the GDPR.

2.5.1 The Brussels Effect

The notion of the EU as a power in international relations has been approached from a variety of angles. It is often described as sui generis, a one-of-a-kind creature, or an ‘unidentified political object’ in the words of Jacques Delors. (Phelan, 2012: 367) The EU is a political structure that combines the economic powers of its 28 member states to create a single European market, which has eliminated internal barriers to trade and increased its external bargaining power to become one of the world’s main economic actors. (Young, 2015) The resulting economic power is not only visible when the Union conducts trade negotiations with third states, but also in its ability to take a leadership role in certain other issue areas not directly related to economic cooperation. These include issues concerned with normative values such as promoting democracy and the rule of law, as was outlined in the previous section, but extend to a wider range of issues such as regulation on chemicals (REACH), antitrust laws, environmental protection, food safety, and arguably also privacy protection. (Newman & Posner, 2015) While the exact modus operandi for achieving this leadership role varies from issue to issue, there are similarities to be found, as Bradford (2012) demonstrated when she explained how the EU succeeds in exploiting its economic strengths to reshape the global regulatory regime in its own image, and thereby exerts global power through the Union’s legal and regulatory institutions. This process, also known as ‘unilateral regulatory globalization’, entails ‘a development where a law of one jurisdiction migrates into another in the absence of the former actively imposing it or the latter willingly adopting it.’ (Bradford, 2012: 4) This process is not driven by political or military coercion, or by using economic force or bribery. Rather, it is premised on private sector market processes to explain why EU regulation, in some cases, can lead to a globalized regulatory framework that is drafted in Europe, but which is adhered to in other jurisdictions.

This notion of gaining influence through regulatory standards is built on the idea of the ‘California Effect’, a concept used to describe the ability and influence of the state of California in the US in setting nation-wide regulatory standards regarding environmental protections. (Bradford, 2012: 5) This occurs because of a number of conditions that enable externalization of regulations. Bradford formulates these conditions concisely by stating that ‘the jurisdiction must have a large domestic market, significant regulatory capacity, and the propensity to enforce strict rules over inelastic targets (e.g. consumer markets) as opposed to elastic targets (e.g. capital). In addition, unilateral regulatory globalization presumes that the benefits of adopting a uniform global standard exceed the benefits of adhering to multiple, including laxer, standards. This is the case in particular when the firms’ conduct or production is nondivisible, meaning that it is not legally or technically feasible, or economically feasible, for the firm to maintain different standards in different markets.’ (Bradford, 2012: 5) This takes place through the ‘de facto’ Brussels Effect – which occurs when multinational corporations ‘have an incentive to standardize their production globally and adhere to a single rule’ – and the ‘de jure’ Brussels Effect, which goes a step beyond that, and is said to take place when export-oriented firms ‘have the incentive to lobby their domestic governments to adopt these same standards in an effort to level the playing field against their domestic, non-export oriented competitors.’ (Bradford, 2012: 6) Thus, the Brussels Effect entails a globalization of regulatory standards which occurs because in a global market multinational companies and export-oriented companies have an incentive to standardize production and adhere to one standard, and subsequently lobby other governments to adopt similar rules in order to level the playing field. This race-to-the-top, in which companies adapt their products to the highest regulatory standard, is also known as ‘upward regulatory convergence.’ (Bradford, 2012: 7) Products, services, or conduct adhere to the highest regulatory standard, as this subsequently enables admittance in jurisdictions in which the regulations are less strict.

2.5.2 Conditions for the Brussels Effect

The Brussels Effect is driven by five factors: a large internal market, significant regulatory capacity and willingness to regulate, a preference for strong rules, a propensity to regulate inelastic targets, and nondivisibility of the firm’s conduct or product. The EU possesses four of the aforementioned qualities: it has the largest economy in the world, with a GDP of $17.1 trillion,² which is leveraged as a political instrument. Furthermore, the consumers in the European market are relatively affluent, and thus interesting for companies to sell their products to, while simultaneously imposing high opportunity costs if the market is foregone. (Orbie, 2011) Furthermore, for this strategy to be effective, besides setting high standards, there must be enough regulatory capacity to enforce these regulations, and the political willingness for strict enforcement. The EU has a strong institutional and bureaucratic foundation that enables it to enforce these stringent regulations, and it has experience in challenging non-compliant member states due to its internal market project. (Damro, 2015) Thirdly, the EU has displayed a preference for strict rules, and a predisposition to be the most stringent regulator globally. The political dynamic in the EU generates this tendency for stringent rules and ‘reflects their aversion to risk and commitment to a social market economy.’ (Bradford, 2012: 15) Fourth, the EU has the penchant to regulate inelastic targets, which ‘cannot be circumvented by moving the regulatory targets to another jurisdiction.’ (Bradford, 2012: 16) The EU often regulates consumer markets, as consumers rarely relocate due to high regulatory standards. In order to access the consumers in Europe, organizations thus must comply with the EU’s high standards. This has augmented its role as a global standard-setter, whose regulations are difficult to circumvent or undermine.

² See International Monetary Fund, last visited 7-5-2018, http://www.imf.org/external/pubs/ft/weo/2017/02/weodata/weorept.aspx?pr.x=89&pr.y=6&sy=2017&ey=2017&scsm=1&ssd=1&sort=country&ds=.&br=1&c=998&s=NGDPD%2CPPPGDP%2CPPPPC&grp=1&a=1

The last factor contributing to the effectiveness of the Brussels Effect is the economies-of-scale rule: production becomes cheaper as the size of production increases, and if the company services several markets with the same product. This only holds up when the production standard is the same, which encourages a uniform, global production standard. In that regard, Bradford notes that ‘global standards emerge only when corporations voluntarily opt to comply with a single standard determined by the most stringent regulator, making other regulators obsolete in the process.’ (Bradford, 2012: 17) This nondivisibility occurs in three types: legal nondivisibility, technical nondivisibility, and economic nondivisibility. With regard to the GDPR, the technical nondivisibility principle is the most relevant: companies are often unable to isolate their European data collection practices, and are thus forced to comply with the EU standards globally. This will be explored more extensively in the analysis.

2.6 Externalization in the soft and normative power framework

The previous section combined three distinct theoretical perspectives to provide an answer to the question how the concept of externalization fits in the broader frame of soft and normative power. Soft power describes the ability to co-opt others to adopt similar policy objectives. This is achieved because of a factor of attractiveness, comprised of intrinsic qualities or elements within the culture or society of a country that contribute to a positive association in third states. Nye contends that ‘political leaders and philosophers have long understood the power of attractive ideas or the ability to set the political agenda and determine the framework of debate in a way that shapes others’ preferences. The ability to affect what other countries want tends to be associated with intangible power resources such as culture, ideology, and institutions.’ (J. S. Nye, 1990: 166-167) Manners expanded on that notion, by arguing that the EU finds its basis and legitimation in five normative values: the centrality of peace, the idea of liberty, democracy, the rule of law, and respect for human rights and fundamental freedoms. (Manners, 2002: 242) These norms are diffused in world politics through the EU’s international relations, as ‘it seeks to redefine international norms in its own image.’ (Manners, 2002: 252) One way in which this restructuring of international norms is pursued is through regulatory globalization, as Bradford’s Brussels Effect proclaims. The EU makes use of its internal market to incentivize multinationally operating organizations to adopt EU regulations. It does so by relying on its internal market, which is too big to forego for many companies, and by regulating inelastic targets. Moreover, the EU has the capacity to enforce its regulations and the propensity to set the highest standard. Bradford supports this theory by naming examples of industries in which the EU managed to set the global standard, such as antitrust regulation, privacy regulation, the regulation of chemicals, environmental protection, and food safety standards. In these areas, the EU has stimulated upward regulatory convergence towards the European standard. (Bradford, 2012)

The concept of soft power and the normative power approach are similar, but have distinguishing factors. Soft power is premised on the idea that certain elements can attract other countries, and accordingly enable influencing third countries. The normative power approach offers an analytical framework which explains which elements the EU leverages in its international relations to achieve that degree of soft power. The attractiveness of the EU is predicated on its commitment to normative values and its commitment to the rule of law and the liberal world order. The EU externalizes such policies in relations with other countries through five elements of diffusion: contagion, informational diffusion, procedural diffusion, transference, and overt diffusion. The diffusion of these norms is shaped by a cultural filter, ‘which affects the impact of international norms and political learning in third states and organizations leading to learning, adaptation, or rejection of norms.’ (Manners, 2002: 245)

This thesis argues that the externalization of the GDPR through various mechanisms and instruments in the Regulation can be considered an instance of soft power, as the EU promotes its own normative preferences beyond its own jurisdiction. This argument will be further elaborated on in the analysis section.

3 Methodology

3.1 Formulating the Research Questions

This research focuses on the question whether the EU can set international norms by means of its own legislation from a holistic perspective. By setting the agenda, and possibly the rules for a certain issue, influence can be acquired and exercised. Data becomes more important and concerns about the possible implications of excessive databases increase. In such an environment, with mounting domestic (European) political pressure, the ability to set the rules is a valuable form of influence that can only be analyzed by taking into account factors that are not easily quantifiable or measurable.

The main research question of this study was set to be: ‘To what extent does the EU exercise normative power through externalization of its privacy and data protection regulation?’

To guide this research question, four sub-questions have been formulated:

• Does the concept of externalization fit within the broader frame of soft and normative power?

The theoretical framework introduced three separate concepts: soft power, the normative power approach, and the Brussels Effect. The first section of the analysis offers an explanation how these concepts can be tied together in order to analyze the GDPR.

• What is the background, history, and context in which the GDPR was drafted?

This question serves to outline the history of privacy in Europe, and juxtapose this vis-à-vis the US. This places the privacy debate in a cultural, historical and societal context, crucial to understanding why this legislation emerged in Europe and in what circumstances. Moreover, it sketches the broader societal debate regarding privacy and data protection by incorporating recent incidents and current events.

• How, and to what extent, can the GDPR be considered an attempt to externalize EU privacy regulations on a global scale?

This question serves to establish the connection between the extraterritorial application of the GDPR, and how this is driven by elements of diffusion and the ‘Brussels Effect’ which potentially leads to upward regulatory convergence. This also outlines the conditions under which this unilateral regulatory globalization can occur with regard to privacy and data protection policy, and forms the basis for the analysis in which these theoretical conditions are compared with findings from practice.

• How, and why, is the externalization of the GDPR an example of Normative Power Europe?

This question serves to establish the connection between the externalization of the GDPR and how this fits the normative agenda of the EU, and how this can be seen as an example of the Normative Power Europe paradigm.

These four questions provide answers to specific elements of the main research question. The first sub-question justifies the use of normative power, NPA, and the Brussels Effect to analyze the GDPR. However, before the question of which elements of the GDPR facilitate externalization can be answered, an understanding of the GDPR and the context in which this legislation was proposed must be formed, hence the second question. The third question merges theory with practice by questioning which elements in the GDPR ensure its extraterritorial application, and how it is externalized, which accordingly leads to the final sub-question. The research questions reflect the exploratory and explanatory nature of this thesis. On the one hand, the objective is to explore the GDPR and get acquainted with the legislation, while simultaneously aiming to explain which specific triggers it operationalizes to externalize the legislation.

3.2 Using a holistic approach

Thus far, the theoretical framework illustrated that soft power can be derived from values, culture, or ideas. These qualities are not quantifiable but rather a matter of degree. Therefore, the choice to conduct a qualitative research design fits the objective of this research better than using quantitative methods. As Blatter argues, ‘Case studies are superior to large-N studies in helping the researcher to understand the perceptions and motivations of important actors and to trace the processes by which these cognitive factors form and change.’ (Blatter, 2012: 6) This qualitative research was done by using a single case study to test the applicability of certain theories to a case, in which it is possible ‘to retain the holistic characteristics of real-life events while investigating empirical events.’ (Schnell, 1992: 2). This research design allows exploration of complex theories, and gives the possibility to focus on cognitive factors such as norms, ideas, and discourses. (Schnell, 1992) These phenomena are not necessarily measurable or quantifiable but certainly exist, as they influence and inform policy decisions which produce real effects. Using a case study allows the researcher to sketch a contextualized image of certain developments, trace motivations, or explain processes that are driven by these cognitive factors. It also allows for a broader set of theoretical approaches to be taken into account. (Blatter, 2012: 7)

The three theories that have been selected to apply to this case all have specific characteristics which will be tested against the case of the GDPR. For the theory of soft power, Nye outlined these as ‘behaviors’ – identified as attraction and agenda-setting – and ‘primary currencies’, which he identified as values, culture, policies, and institutions. (J. S. Nye, 2009: 31) These behaviors can be seen as outputs, the result of the primary currencies which are expended in order to achieve that output: namely the ability to set the agenda and increasing the degree of attraction vis-à-vis other actors. The normative power approach describes how core European values are spread through processes of diffusion. These include contagion, informational diffusion, procedural diffusion, transference, and overt diffusion, which are affected by a cultural filter. (Manners, 2002: 244-245) The third theory used, the Brussels Effect, describes the prerequisites that enable the externalization of European regulations. These factors are a large domestic market, significant regulatory capacity, strict rules over inelastic targets, and nondivisibility of the product or conduct. (Bradford, 2012: 5) These factors are systematically analyzed in relation to the GDPR to identify how externalization of the GDPR takes place.

These factors are taken as concepts that explain a certain phenomenon, process, or offer a narrative on the motivations or chances to externalize EU policy. Soft power is used to explain the underlying motivation, while the factors of diffusion, outlined in the normative power approach offer an explanation how this is achieved from an institutional perspective, by the work of the EU itself. This is supplemented with the concepts of the Brussels theory, which reveals how this process of externalization is also driven by market forces and private actors.

| Theory | Factors |
|---|---|
| Soft Power | Attraction, agenda-setting, values, culture, policies, institutions |
| Normative Power Approach | Contagion, informational diffusion, procedural diffusion, transference, and overt diffusion |
| The Brussels Effect | Large domestic market, significant regulatory capacity, strict rules over inelastic targets, and nondivisibility of the product or conduct |

Each of these theories is accordingly applied to the GDPR in separate chapters which are combined in the conclusion to form a coherent explanation of the underlying motivation for the GDPR, and how this translates to practice. As becomes obvious from the stated purpose, the aim of this study is to generate useful, practical insights for social actors, not to generate law-like theories or generalizable hypotheses.

The research design therefore relies on a holistic, single-case design, with a single unit of analysis. A holistic case study allows for nuance, sequentiality and context, while also retaining an open attitude to competing perspectives and recognizing the arbitrariness of research. (Stake, 1995: xii) Yin (2009) outlines five rationales for using a single-case design. Such designs can be used (1) when it represents the critical case in a well-formulated theory; (2) when it represents an extreme case or a unique case; (3) when a case is the representative or typical case; (4) when it is a revelatory case; or (5) for doing a longitudinal study. (Yin, 2009: 46-49) In this thesis, the motivation for using a single-case design is a combination of two rationales: it can be considered a representative case or typical case, and it might be a revelatory case, which can be used for further academic inquiry. The EU’s privacy regulations, and their influence abroad, have been studied from a range of different perspectives, either comparing them to other legislative frameworks or analyzing their intrinsic qualities. (Bignami, 2007; Bloch-Wehba, 2015; Cunningham, 2013; Greenleaf, 2012; Hughes, 2015; Kuner, 2015; Poenaru, 2014; Ryngaert, 2015; Schwartz, 2013; Schwartz & Peifer, 2017; Svantesson, 2014; Whitman, 2004) They have been used as an example of externalization of EU policy, as Gady (2014) and Schwartz & Peifer (2017) did. In that sense, EU privacy regulation can be considered a typical case for studying the EU’s influence in an international context. Moreover, Bradford (2012) argued that the diffusion of European privacy policy was one of the issues that can be explained by the Brussels Effect. Hence, European data privacy policy is a representative case for how the EU drafts legislation with extra-territorial effects. It is a revelatory case as it concerns new legislation to which these types of analyses have not yet been applied, namely the GDPR.

In sum, the answers to the research questions can be found by analyzing the GDPR and scholarly work on privacy culture, regulatory policy and legal analyses of how European regulations trigger extra-territorial effects. Thus, the data used in this thesis comprises academic scholarly work and the GDPR itself, which are analyzed by doing desk research.

4 Analysis

Whereas the theoretical framework offered a descriptive analysis of soft power, the normative power approach and the Brussels Effect, these concepts will be applied to the specific case of the GDPR in this chapter. This analysis provides answers to the sub-research questions as stated in the introduction and methodology. The first sub-question has been answered in the closing section of the theoretical framework. This chapter provides answers to the second, third, and fourth sub-questions, after which the main research question is answered in the conclusion. In order to do so, first the core elements of the GDPR are delineated and linked to the ‘rights talk’ discourse in the Union. (Schwartz & Peifer, 2017) This will be supplemented with a broader analysis of the history, background and context in which the GDPR came into being, which is explained in order to frame this within the normative debate. This also includes a discussion on the divergence between the European approach to data protection and privacy, and the approach taken in the US to illustrate that these concepts are context-dependent. This provides an answer to the second sub-question. Subsequently, the third part of this analysis will isolate specific elements from the GDPR and review how these can be considered mechanisms for externalization, answering the third and fourth sub-questions. This will be done in three parts: first, a systematic analysis of trigger-mechanisms in the GDPR is executed, after which this is supplemented with an analysis using the Brussels Effect. Finally, a perspective on the GDPR in terms of the normative power approach complements this part, offering a comprehensive dissection of the mechanisms inherent in the GDPR that enable its application beyond the borders of the EU.

4.1 The GDPR: the European rights-based approach

With the GDPR, the EU introduces a comprehensive framework legislation, aimed at harmonizing the internal European market with regard to data protection and privacy and facilitating international data transfers, while respecting the rights of data subjects (EU citizens and EU residents). This section introduces the principles on which the GDPR is premised. Hereafter, a delineation of what this means in practice for data subjects follows to illustrate the functional, practical consequences of the introduction of this legislation. This section is concluded by linking these principles to the framework of rights that the Union invokes as the justification for the GDPR.

As the name indicates, the GDPR is a regulation, in contrast to the previous legislation, which came in the form of a directive that had to be transposed into national law by each member state. (European Union, 2018) As a consequence, the GDPR has a far more harmonizing effect, as there is less discretion for national legislatures to adapt the law according to their national preferences than previously with DIR95. As Tankard (2016) concludes, DIR95 resulted in a fragmented data protection legislation landscape, as countries added to the basic principles of the directive and enforced their own sanctions regime. The GDPR applies throughout Europe in the same way. Moreover, as the Commission set out in a communication, the GDPR aims at leveling the playing field for both European and non-European organizations operating on the European market. (European Commission, 2018c) The specific aim to level the playing field is backed up by the possibility to levy hefty fines for non-compliance, which are included in the GDPR, as opposed to the previous directive, which left sanctions to be decided under national law, resulting in differences when it came to sanctioning and enforcement. (Schwartz, 2013: 1997)

The GDPR is based on six core principles, outlined in Article 5(1) GDPR. According to this article, personal data should be processed in a lawful, fair and transparent manner; it should be collected for specific purposes (purpose limitation); only what is necessary in relation to the purpose should be collected (data minimization); it should be accurate and up-to-date; it should be retained no longer than necessary for the purpose (limitation of retention); and it should be processed in a way that ensures confidentiality and security. (Information Commissioner’s Office, 2018b) Moreover, article 5(2) states that processors or controllers of data are responsible for, and should be able to demonstrate, compliance with these principles. This is also sometimes referred to as the accountability and liability clause. (Information Commissioner’s Office, 2018a)

These principles reflect the position of the EU with regard to privacy and data protection and translate abstract rights into tangible rights for individuals. These rights include the right to be informed (article 12), the right to access the data that is held (article 15), the right to rectification in case the information held about the individual is incorrect (article 16), the right to erasure or the right to be forgotten (article 17), the right to restrict processing (article 18), the right to data portability (article 20), the right to object to the processing of personal data in certain circumstances (article 21), and a number of rights to opt out of automated decision-making (article 22).

Thus, the GDPR is first and foremost centered on granting rights to individuals based on its core principles. This fits the context in which data protection and privacy emerged as rights on the European continent and explains why they can be considered part of the normative agenda that Europe pursues. This fits both the soft power theory – in the sense that the EU has taken an agenda-setting role in the international context – and the normative power approach – in the sense that Europe’s privacy and data protection framework has been diffused over the last decades, and has influenced subsequent data protection legislation across the globe. The next section introduces this context to clarify why history and context are essential for appreciating how and why the GDPR can be seen as an extension of the European rights-focused narrative that has given the Union legitimacy as a champion of fundamental rights enshrined in its various treaties and conventions.

4.2 Why history and context matter

The GDPR is based on the European conceptualization of privacy and data protection as a fundamental right, which is different from other views on privacy, most notably that in the United States. (Bignami, 2007; Bloch-Wehba, 2015; Cunningham, 2013; Poenaru, 2014; Schwartz & Peifer, 2017; Whitman, 2004) The perception of a right to data protection is mentioned in the very first recital of the GDPR, reiterating the legal basis of privacy and data protection in the Charter of Fundamental Rights of the European Union (the ‘Charter’), and the Treaty on the Functioning of the European Union (TFEU).
