Professional Documents
Culture Documents
Article Evolution of Eu Data Law
Article Evolution of Eu Data Law
Article Evolution of Eu Data Law
* The author is deeply grateful to Angelina Fisher and Benedict Kingsbury with whom he has collaborated
in the Global Data Law project: <www.guariniglobal.org/global-data-law>. He also thanks Johann Justus Vasel,
Przemysław Pałka, and Elettra Bietti for their substantive and engaging comments on earlier drafts.
1 The relationship between ‘data protection’ and ‘privacy’ is complicated and contested. See Section A.2. In line
with the theme of the volume, the chapter focuses on EU law, without ignoring the Council of Europe’s significant
contributions.
2 CT Marsden, ‘The Regulated End of Internet Law, and the Return to Computer and Information Law?’
in K Werbach (ed), After the Digital Tornado (Cambridge University Press, 2020) ch 1; A Murray, Information
Technology Law (4th edn, Oxford University Press, 2019).
3 LA Bygrave, ‘Information Concepts in Law: Generic Dreams and Definitional Daylight’ (2015) 35 OJLS 91.
4 B Kitchin, The Data Revolution: Big Data, Open Data, Data Infrastructures & their Consequences (SAGE
Publications, 2014) 9.
Thomas Streinz, The Evolution of European Data Law In: The Evolution of EU Law Edited by: Paul Craig and Gráinne de Búrca, Oxford
University Press. © Paul Craig and Gráinne de Búrca 2021. DOI: 10.1093/oso/9780192846556.003.0029
THE EVOLUTION OF EUROPEAN DATA LAW 903
This chapter on the evolution of European data law provides a snapshot into a broader
project studying how EU law has conceptualized different categories of digitalized infor-
mation as data. The analytical objective is a (re)construction of European data law as a field
of scholarship and practice transcending the established boundaries under which EU data
protection law, intellectual property law, consumer protection law, competition law, tele-
communications law, and internal market law, respectively, conceive of data regulation by
law. The ultimate objective of this broader project is to understand how EU law has been
intertwined with the digital transformation of Europe so far and how it might need to shape
5 Paradigmatic in this regard but not focused on EU law: JE Cohen, Between Truth and Power: The Legal
Constructions of Informational Capitalism (Oxford University Press, 2019); A Kapczynski, ‘The Law of
Informational Capitalism’ (2020) 129 YLJ 1267; see also M Hildebrandt, Smart Technologies and the End(s) of Law
(Edward Elgar, 2015).
6 See Craig, Chapter 2 this volume.
7 Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data
and on the free movement of such data (General Data Protection Regulation) [2016] OJ L119/1 (GDPR).
8 The movie Democracy: Im Rausch der Daten (2015) tells this story from the perspective of the European
Parliament’s rapporteur Jan Philipp Albrecht. The movie also suggests that political agreement was only made pos-
sible by Edward Snowden revealing US surveillance practices in June 2013.
904 THE EVOLUTION OF EUROPEAN DATA LAW
for the evolution of EU law more generally by highlighting the ways in which domestic and
international law shape EU law, the growing importance of EU fundamental rights, institu-
tional aspects of EU law implementation, the increasing and maybe irreducible complexity
of different strands of secondary EU law, and the EU’s capacity for law-making beyond its
borders.
To unfold these themes, the chapter is divided in four sections: The first (Section A) tells
the story of the Europeanization of data protection law. The second (Section B) positions
European data protection law in conversation with other strands of European data law
European data protection law is a relatively recent area of EU law. But before there was
European data protection law, there was data protection law in Europe. Several nation states
began to legislate on data protection issues from the 1960s onwards and thereby developed
core concepts that have subsequently become part of the European data protection law
acquis. International developments, most notably the OECD’s data protection guidelines
and the Council of Europe’s data protection Convention also laid important groundwork
that influenced the regime as it constituted itself under and as EU law. Tracing these sub-
and supra-supranational influences on European data protection law reveals important
path dependencies. As it is befitting of a legal regime that straddles a distinct realm be-
tween international and domestic law, EU law claims uniform legal authority in theory, but
exhibits tinges and occasional fissures in practice as it continues to be understood, taught,
and practised with significant variation across the EU. These variations materialize in par-
ticular when legal concepts that were initially developed in domestic law settings get in-
corporated in and scaled up through EU legal instruments, which are in turn dependent
on downstream domestic implementation. This dynamic can be observed through var-
ious legal domains but it is especially pronounced in EU data protection law, which has
existed for a quarter century (1995–2020) as a domain of EU law with antecedents in do-
mestic and international data protection law dating back roughly another quarter century
(1970–1995).
As this chapter cannot offer a comprehensive account of European data protection law,9
it will focus on dimensions that exhibit distinctive characteristics of EU law more gener-
ally. Accordingly, this section traces the evolution of European data protection law along
three intersecting dimensions: EU data protection law-making through legislative efforts
and its interplay with antecedent, parallel, and subsequent developments at national and
international levels; the evolution of data protection and privacy as related but distinct
9 See, for such accounts, L Edwards (ed), Law, Policy, and the Internet (Hart, 2018) chs 3–5; O Lynskey, The
Foundations of EU Data Protection Law (Oxford University Press, 2015); P Hustinx, ‘EU Data Protection Law: The
Review of Directive 95/46/EC and the General Data Protection Regulation’ in M Cremona (ed), New Technologies
and EU law (Oxford University Press, 2017).
THE EUROPEANIZATION OF DATA PROTECTION LAW 905
fundamental rights; and the institutionalization of EU data protection law through crea-
tion of novel institutional structures to administer and implement and thereby shape this
evolving domain of EU law.
20 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, <www.oecd.org>
(https://perma.cc/9CRF-4NPW).
21 CETS No 108 (Convention 108).
22 Since 2013, nine non-Council of Europe members have acceded to Convention 108. The current list of signa-
tories is available at <www.coe.int> (https://perma.cc/QYD6-PHRG>).
23 Berlin Resolution of the International Conference of Data Protection Commissioners of 30 August 1989,
Additional Declaration of the Data Protection Commissioners of Nations of the European Community.
24 Proposal for a Council Directive Concerning the Protection of Individuals in Relation to the Processing of
Personal Data [1990] OJ C277/3.
25 Then Art 100a TEC, now Art 114 TFEU.
26 The UK passed its Data Protection Act in 1984. Ireland and the Netherlands got data protection laws in 1988.
Portugal and Spain followed in 1991 and 1992 (after the EU Commission’s proposal but before the adoption of the
DPD). English translations available at <https://www.cipil.law.cam.ac.uk/> (<https://perma.cc/YGM7-Q7ED>).
27 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the
free movement of such data [1995] OJ L281/31. See S Simitis, ‘From the Market To the Polis: The EU Directive on
the Protection of Personal Data’ (1995) 80 Iowa L Rev 445, 449: ‘Experience has shown that the primary interest
of the Member States is not to achieve new, union-wide principles, but rather to preserve their own, familiar rules.
A harmonization of the regulatory regimes is, therefore, perfectly tolerable to a Member State as long as it amounts
to a reproduction of the State’s specific national approach.’
28 Convention 108 also operates without such a distinction.
29 P Schwartz, ‘European Data Protection Law and Restrictions on International Data Flows’ (1995) 80 Iowa L
Rev 471. The original Convention 108 permitted, but did not require, the blocking of exports of personal data to
treaty parties that lacked equivalent levels of protection.
THE EUROPEANIZATION OF DATA PROTECTION LAW 907
as requiring ‘essential equivalency’—thereby restoring the standard that several Member
States had established before.30
The DPD, which eventually acquired global recognition as a paradigmatic model,31 was
the result of a complex political struggle in which Member States pursued their own inter-
ests. Greece staged a surprising invocation of constitutional limits, whose traces are still
discernible in EU data protection law.32 Germany used the DPD to resolve an internal po-
litical conflict over health data between the federal government and the Data Protection
Commissioners of the Länder.33
The DPD was meant to advance the twin goals of market integration, by avoiding disparate
data protection frameworks in Member States and by outlawing restrictions on the free flow
of personal data within the EU, and supranational data protection, by requiring Member
States to protect EU citizens’ fundamental rights and freedoms, in particular their right to
privacy with respect to the processing of personal data.67 This combination of a market inte-
gration rationale with a fundamental rights logic is remarkable against the backdrop of the
history of European economic integration, which is said to have favoured economic inte-
gration with fundamental rights as an afterthought.68 This is not only a question of critical
legal historiography. Critics continue to suggest that the EU remains systematically tilted
against fundamental rights when those rights conflict with market integration objectives.
The Court of Justice’s decisions in Viking and Laval where corporate freedom of establish-
ment trounced workers’ collective action rights epitomize this critique.69
The evolution of European data protection law tells a different story: even though the
internal market and fundamental rights rationales were equally present in the DPD, the
fundamental rights rationale turned out to be more powerful in the long run. The reasons
for this remarkable divergence from the conventional wisdom regarding the relationship
63 Facebook published a full page advertisement in the German newspaper Frankfurter Allgemeine Zeitung of 20
May 2018 to announce the GDPR’s imminent entry into force on 25 May 2018.
64 B-J Koops, ‘The Trouble with European Data Protection Law’ (2014) 4 IDPL 250: ‘it is dead’.
65 T Zarsky, ‘Incompatible: The GDPR in the Age of Big Data’ (2017) 47 Seton Hall L Rev 995.
66 M Gal and O Aviv, ‘The Competitive Effect of the GDPR’ (2020) Journal of Competition Law and
Economics 349.
67 Art 1 DPD.
68 See de Búrca, Chapter 15 this volume, for an alternative genealogy which emphasizes that European integra-
tion could have proceeded differently.
69 Case C-438/05 Viking [2007] ECR I-10799; Case C-341/05 Laval [2007] ECR I-11767.
THE EUROPEANIZATION OF DATA PROTECTION LAW 911
between market integration and fundamental rights in EU law are of course complex and
multifold. Yet, three distinct features can be identified that might explain the unusual influ-
ence of fundamental rights in the evolution of European data protection law.
The first, and likely most important, relates to the EU’s Charter of Fundamental Rights,
which recognized distinct yet related fundamental rights to data protection and privacy.70
Developed after the DPD was concluded, the Charter began to influence EU law even be-
fore it became formally part of EU primary law with the entry into force of the Treaty of
Lisbon in 2009. From then onwards, the Charter was prominent in major data protection
88 See, eg, U Kohl and D Rowland, ‘Censorship and Cyberborders through EU Data Protection Law’ in U Kohl
(ed), The Net and the Nation State: Multidisciplinary Perspectives on Internet Governance (Cambridge University
Press, 2017) ch 7.
89 Google’s ‘transparency reports’ disclose that 46.6 per cent of the delisting requests received between May 2014
and October 2020 were granted. Google only presents stylized example cases to explain its reasoning. See <trans-
parencyreport.google.com/eu-privacy> (<https://perma.cc/NGF5-CJVA>).
90 Art 28 DPD. Art 52 GDPR retains this language.
91 Case C-518/07 Commission v Germany [2010] ECR I-1885.
92 Case C-614/10 Commission v Austria EU:C:2012:631.
93 Case C-288/12 Commission v Hungary EU:C:2014:237.
94 Case C-257/19 Commission v Ireland EU:C:2020:541.
95 Regulation 45/2001 (n 42) Arts 1(2), 41, 44.
96 Anticipating this development, H Hijmans, ‘The European Data Protection Supervisor: The Institutions of
the EC Controlled by an Independent Authority’ (2006) 43 CMLRev 1313.
914 THE EVOLUTION OF EUROPEAN DATA LAW
The EDPS also provides the secretariat for the European Data Protection Board (EDPB),
an institutional innovation that the GDPR created to succeed the Article 29 Working Party
on which the DPD had relied.97 A domain in which multi-jurisdictional fact patterns are
the norm calls for coordination, if not centralization, of the EU’s traditionally distributed
enforcement infrastructure. Moreover, the EU had promoted the GDPR to business stake-
holders, who were naturally concerned about the newly created sanctions regime, with the
promise that only one data protection authority (DPA) would be responsible for them (‘one
stop shop’).98 The reality turned out to be much more messy and complex. Member States
European data law has been constructed around data protection law. However, there is also
EU law that can be understood as European data law without being data protection law. As
alluded to in the introduction, such a distinction hinges on data protection law’s traditional
97 Art 29 DPD.
98 P Balboni, E Pelion, and L Scudiero, ‘Rethinking the One-Stop-Shop Mechanism: Legal Certainty and
Legitimate Expectation’ (2014) 30 Computer Law & Security Review 392.
99 Art 65 GDPR; see L Jančiūtė, ‘European Data Protection Board: A Nascent EU Agency or an
“Intergovernmental Club”?’ (2020) 10 IDPL 57.
100 O Tambou, ‘Lessons from the First Post-GDPR Fines of the CNIL against Google LLC’ (2019) EDPL 80.
101 Conseil d’Etat Judgment of 19 June 2020, No 430810 (Société Google LLC).
102 Case C-645/19 Facebook Ireland and Others (against the Belgium DPA) is pending before the Court.
103 Art 37 GDPR.
104 KA Bamberger and DK Mulligan, Privacy on the Ground: Driving Corporate Behavior in the United States and
Europe (MIT Press, 2015). But see AE Waldman, ‘Designing Without Privacy’ (2018) 55 Houston L Rev 659.
105 S Yakovleva, W Geursen, and A Arnbak, ‘Kaleidoscopic Data-Related Enforcement in the Digital Age’ (2020)
57 CMLRev 1461.
EUROPEAN DATA LAW BEYOND DATA PROTECTION LAW 915
focus on ‘personal data’. EU legislators eventually turned to ‘non-personal’ data as a reg-
ulatory object promising economic and societal benefits without being inhibited by data
protection constraints. These efforts culminated in the Regulation on the Free Flow of Non-
Personal Data (NPDR), which constitutes the first element of ‘European non-personal data
law’ and raises intricate line-drawing questions about its relationship to data protection
law.106
Other domains of European data law intersect with data protection law. This is the case
when the relevant law pertains to the same regulatory object—data, whether personal or
106 Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the European Union
[2018] OJ 303/59.
107 A Digital Single Market Strategy for Europe, COM(2015)192 final. See D Adamski, ‘Lost on the Digital
Platform: Europe’s Legal Travails with the Digital Single Market’ (2018) 55 CMLRev 719.
108 This metaphor is inspired by JHH Weiler, ‘The Geology of International Law—Governance, Democracy and
Legitimacy’ (2004) 64 ZaöRV 547.
916 THE EVOLUTION OF EUROPEAN DATA LAW
Regulatory interventions that seek to increase access to data, whether based on trans-
parency or economic rationales, are often in tension with data protection and intellectual
property law, which creates incentives to focus on non-personal data without attendant
property claims to separate the different domains of data law. While this inclination may
be understandable for reasons of legal certainty and political expediency, it seems doubtful
whether the intended separation between personal and non-personal data laws will be sus-
tainable in the long run and whether such a binary separation is desirable in the first place.
The categorical distinction between personal and non- personal data is fundamental
109
for European data protection law. The GDPR is general, but not all-encompassing;
non-personal data is excluded from its scope of application. The GDPR clarified that
pseud-onymous data, where an alternative identifier is used, is within its scope of appli-
cation and hence subject to its requirements;110 only anonymous data escapes the GDPR’s
scope of application. The binary consequence of (non)application turns the threshold
question of what constitutes ‘personal data’ into a highly contentious issue as avoiding
‘personal data’ categorically might avoid the strictures of European data protection law. The
conditions under which data can be regarded as ‘anonymous’ are contested, with signifi-
cant variation in the views espoused by the various institutions engaged in the shaping of
European data protection law.111 The conundrum of defining ‘personal data’ is yet another
example of the intricate interplay between law and technology and the proper allocation of
risk in European data law. The potential of re-identification has grown due to technological
advances, making it ‘reasonably more likely’—in the words of the GDPR—that a natural
person may become (again) identifiable.112 The Court of Justice has so far only opined on
relatively straightforward cases that shed light on the question how much additional effort
was required to turn anonymous into personal data.113 The inverse situation of turning per-
sonal data into anonymous data has not yet been litigated before the Court.114
There is of course also data that has never been linked to a person (eg data about the
weather). Yet, some suggest that even this kind of non-personal data could potentially be
used to identify individuals due to rampant datafication, especially in highly technologized
urban environments (‘smart cities’). The prospect of synthetic data, that is data that has
been artificially generated, but is still meant to reflect reality (in some form), poses a com-
parable conundrum. If European data protection law applied to these categories of data, it
would become the data law of ‘everything’ and would likely overstretch its substantive and
procedural standards, let alone its enforcement capacity.115
109 Art 1, 2(1), 4(1) GDPR; Art 3(1) and 2(1)(a) DPD.
110 Art 4(5) GDPR.
111 M Finck and F Pallas, ‘They Who Must Not Be Identified—Distinguishing Personal from Non-Personal Data
under the GDPR’ (2020) 10 International Data Privacy Law 11. See Section A.3.
112 Recital 26 GDPR.
113 Contrast Case C-70/10 Scarlet Extended [2011] EU:C:2011:771, [51] (which held that a static IP address was
personal data) with Case C-582/14 Patrick Breyer [2016] EU:C:2016:779 (holding that a dynamic IP address was
personal data if the Internet service provider could identify the person).
114 But see Art 29 WP, Opinion 05/2014 on Anonymisation Techniques, 0829/14/EN WP 216.
115 N Purtova, ‘The Law of Everything. Broad Concept of Personal Data and Future of EU Data Protection Law’
(2018) 10 Law, Innovation and Technology 40.
EUROPEAN DATA LAW BEYOND DATA PROTECTION LAW 917
The difficulty of distinguishing between personal and non-personal data in theory and
in practice, where mixed data sets containing both personal and non-personal data are
common, have led some to argue that European data law should abandon the binary dis-
tinction between personal and non-personal data in favour of a more holistic and more dif-
ferentiated regimes.116 European data law, however, went in a different direction.
In 2018, as part of its Digital Single Market strategy, the EU adopted a regulation on the
free flow of non-personal data (NPDR).117 The NPDR claims strict separation from data
protection law and, where such separation is not possible, data protection law prevails.118
Jurisdictions around the world are trying to find answers to analytical and normative ques-
tions of data ownership. The EU is no exception. While this situation is sometimes lamented
as unsustainable legal uncertainty, it reflects the complexity and breadth of digitalization,
which legal systems ought to reflect. It is relatively trivial that property rights exist for the
land on which data centres reside, for the computers, large and small, that process data, for
the cables through which data is transmitted, and for the physical media on which data is
stored. These data-related property questions are governed by Member States’ domestic law
as the EU is barred by the Treaties to interfere with Member States’ property regimes.120 The
critical question, however, is not whether property rights exist with regard to the physical
infrastructure necessary for data generation, storage, transfer, and use, but whether pro-
perty rights do or should also attach to data as such. In economic theory, data is often cat-
egorized as a public good, since consumption is non-rival and non-excludable.121 But law
can make data excludable by virtue of intellectual property rights and in practice data is
often controlled as if it was property.
Since data is intangible, intellectual property law has been the main legal framework
through which insular data ownership claims have been developed under EU law. Some
have suggested that certain data protection rights should be understood as akin to data
116 I Graef, R Gellert, and M Husovec, ‘Towards a Holistic Regulatory Approach for the European Data
Economy: Why the Illusive Notion of Non-Personal Data is Counterproductive to Data Innovation’ (2020) 44
ELRev 605.
117 Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the EU [2018] OJ L303/
59 (NPDR).
118 Recital 8, Art 2(2), 3(1) NPDR.
119 Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic com-
merce, in the Internal Market [2000] OJ L178/1.
120 Art 345 TFEU. But see on its limited impact in practice D Caruso, ‘Private Law and Public Takes in European
Integration: the Case of Property’ (2004) 10 ELJ 751.
121 N Duch-Brown, B Martens, and F Mueller-Langer, ‘The Economics of Ownership, Access and Trade in
Digital Data’ JRC Digital Economy Working Paper (2017).
918 THE EVOLUTION OF EUROPEAN DATA LAW
ownership rights.122 But data protection law and intellectual property law follow ultimately
different logics,123 despite certain functional similarities. Data protection law’s right to era-
sure and the right to data portability may seem analogous to the right to destroy or transfer
one’s property, but they are ultimately grounded in informational self-determination, not
property theory.
Certain categories of data are subject to intellectual property (IP) protection under the es-
tablished IP rights of copyright and trade secrecy, but such protection is not comprehensive.
The EU has been gradually harmonizing copyright law to confront the ‘challenge of tech-
122 See, eg, JM Victor, ‘The EU General Data Protection Regulation: Toward a Property Regime for Protecting
Data Privacy’ (2013) 123 Yale LJ 513.
123 D Liebenau, ‘What Intellectual Property Can Learn from Informational Privacy, and Vice Versa’, (2016)
HLJT 285.
124 These efforts date back to the 1988 Green Paper on Copyright and the Challenge of Technology, COM(1988)
172 final.
125 Directive 96/9/EC on the legal protection of databases [1996] OJ L77/20 (Database Directive).
126 Art 7 Database Directive.
127 Case C-46/02 Fixtures Marketing [2004] ECR I-10365.
128 The Commission’s 2018 evaluation of the Database Directive concluded: ‘As in 2005, the sui generis
right continues to have no proven impact on the production of databases’ (acknowledging limited evidence),
SWD(2018)146 final, [19].
129 Case C-30/14 Ryanair EU:C:2015:10.
130 Directive (EU) 2019/770 on certain aspects concerning contracts for the supply of digital content and digital
services [2019] OJ L136/1.
131 Directive (EU) 2016/943 on the protection of undisclosed know-how and business information (trade
secrets) against their unlawful acquisition, use and disclosure [2016] OJ L157/1.
132 J C Fromer, ‘Machines as the New Oompa-Loompas: Trade Secrecy, the Cloud, Machine Learning, and
Automation’ (2019) 94 NYU L Rev 706.
EUROPEAN DATA LAW BEYOND DATA PROTECTION LAW 919
Trade secrecy protection, however, falls short of full property protection. The most signif-
icant shortcoming, from the perspective of business interests, is that the protection is lost
if the data is no longer secret. However, trade secrecy protection can be useful to counter
access to data claims.
133 Regulation (EC) No 1049/2001 regarding public access to European Parliament, Council and Commission
documents [2001] OJ L145/43, based on then Art 255 TEC, now Art 15 TFEU. See S Peers, ‘The New Regulation on
Access to Documents: A Critical Analysis’ (2001) 21 YEL 385.
134 See the EDPS opinion on a (failed) proposal for a new regulation regarding public access to Parliament,
Council, and Commission documents [2009] C2/7, [11–18].
135 Arts 4(1)(b), 4(2) Regulation (EC) No 1049/2001.
136 Art 41 EU Charter of Fundamental Rights.
137 Case C-28/08 P Commission v Bavarian Lager [2010] ECR I-6055.
138 Council Directive 90/313/EEC on the freedom of access to information on the environment [1990] OJ L158/
56; now Directive 2003/4/EC on public access to environmental information [2004] OJ L41/26. See S Bugdahn, ‘Of
Europeanization and Domestication: The Implementation of the Environmental Information Directive in Ireland,
Great Britain and Germany’ (2005) 12 JEPP 177.
920 THE EVOLUTION OF EUROPEAN DATA LAW
even in the context of providing accountability and oversight, run easily afoul of the funda-
mental right to data protection.139
Traditional access to documents is not the only route through which publicly held data
has been increasingly made available under EU law. Since the 1980s, the Commission had
sought to leverage ‘synergies’ between the public and private sector, reflecting the senti-
ment that the former should support the latter, while bracketing the question whether such
support should be remunerated in some form.140 The effort stalled until the early 2000s,141
when the EU passed a Directive on the ‘re-use’ of public sector information.142 This strand
139 Cases C-29/09 and C-93/09 Volker and Markus Schecke and Eifert Case [2010] I-11063; Case C-465/00
Österreichischer Rundfunk and Others [2003] ECR 2003 I-4989. See also Section A.2.
140 Guidelines for improving the synergy between the public and private sectors in the information market
(Office for Official Publications of the European Communities, 1989).
141 See K Janssen and J Dumortier, ‘Towards a European Framework for the Re-Use of Public Sector
Information: A Long and Winding Road’ (2013) 11 IJLIT 184.
142 Directive 2003/98/EC on the re-use of public sector information [2003] OJ L345/90 (PSI Directive).
143 Directive (EU) 2019/1024 on open data and the re-use of public sector information [2019] OJ L172/56 (Open
Data Directive), Art 12(5).
144 Art 5 Open Data Directive.
145 I Brown, ‘Interoperability as a Tool for Competition Regulation’ (30 July 2020), preprint available at <https://
osf.io/preprints/lawarxiv/fbvxd> 34–37.
146 Art 20 GDPR.
147 Art 12 DPD; Art 15 GDPR.
148 O Borgogno and G Colangelo, ‘Data Sharing and Interoperability: Fostering Innovation and Competition
through APIs’ (2019) 35 Computer Law & Security Review 105314.
149 See the Data Transfer Project operated by Apple, Facebook, Google, Microsoft, and Twitter: <https://data-
transferproject.dev>.
EUROPEAN DATA LAW BEYOND DATA PROTECTION LAW 921
Data protection law is not the only strand of European data law that requires data sharing
as various regimes of EU law compel businesses to make data available to regulators, com-
petitors, or consumers.150 These disparate rules follow different logics, but all confirm the
centrality of access to data for regulatory oversight, competition, and consumer protection.
Access to data for regulatory purposes has been a central tenet of the EU’s complex reg-
ulatory regimes for chemicals and pharmaceuticals. The EU’s system for the Registration,
Evaluation, Authorization, and Restriction of Chemicals (REACH) includes extensive data
sharing commitments with regulators and among competitors to reduce the need for envi-
150 I Graef, M Husovec, and J van den Boom, ‘Spill-Overs in Data Governance: Uncovering the Uneasy
Relationship between the GDPR’s Right to Data Portability and EU Sector-Specific Data Access Regimes’ (2020) 9
EuCML 3.
151 Regulation (EC) No 1907/2006 concerning the Registration, Evaluation, Authorisation and Restriction of
Chemicals (REACH), establishing a European Chemicals Agency [2006] OJ L396/1.
152 Regulation (EC) No 726/2004 laying down Community procedures for the authorisation and supervision of
medicinal products for human and veterinary use and establishing a European Medicines Agency [2004] OJ L136/
1.
153 Case C-390/13 P(R) EMA v InterMune UK EU:C:2013:795.
154 See Section D.1.
155 Directive (EU) 2015/2366 on payment services in the internal market [2015] OJ L337/35.
156 Regulation (EC) No 715/2007 on type approval of motor vehicles with respect to emissions from light pas-
senger and commercial vehicles (Euro 5 and Euro 6) and on access to vehicle repair and maintenance information
[2007] OJ L171/1.
157 The Commission is making use of delegated acts based on Directive 2010/40/EU on the framework for the
deployment of Intelligent Transport Systems in the field of road transport and for interfaces with other modes of
transport [2010] OJ L207/1. See, eg, Commission Delegated Regulation (EU) 2017/1926 supplementing Directive
2010/40/EU with regard to the provision of EU-wide multimodal travel information services [2017] OJ L272/1.
922 THE EVOLUTION OF EUROPEAN DATA LAW
energy sector, EU law mandates data sharing by gas and electricity providers not just with
regulators, but also with consumers and competitors.158
These new data laws are indicative of an expansion of the salience of data not just for
regulatory oversight, but also for competition and consumer protection. This creates chal-
lenges not just for the interaction with data protection and intellectual property law, but
also for the recalibration of competition and consumer protection law itself.
Competition law has its own instrument to force data sharing—the essential facilities
doctrine.159 Data concentration concerns have also appeared in merger proceedings, where
158 Directive (EU) 2019/944 on common rules for the internal market for electricity [2019] OJ L158/125;
Directive 2009/73/EC concerning common rules for the internal market in natural gas [2009] OJ L211/94.
159 I Graef, EU Competition Law, Data Protection and Online Platforms: Data as Essential Facility (Wolters
Kluwer, 2016).
160 Relevant cases include Case COMP/M.4854 TomTom/TeleAtlas [2008] OJ C237/53; Case COMP/M.6314
Telefonica/Vodafone/EE [2012] OJ C66/122; Case COMP/M.7023 Publicis/Omnicon [2014] OJ C84/112.
161 F Pasquale, The Black Box Society: The Secret Algorithms That Control Money and Information (Harvard
University Press, 2015).
162 Case COMP/M.7217 Facebook/WhatsApp C(2014)7239 final. The Commission only analysed data concen-
tration that would potentially strengthen Facebook’s position in online advertising—ignoring spill-over effects
and broader concerns arising from data concentration.
163 Case COMP/M.8228 Facebook/WhatsApp C(2017)3192 final.
164 Decision of 6 February 2019, B6-22/16 (<https://perma.cc/TZR5-KFB9>); upheld in preliminary proceed-
ings by the German Federal Court of Justice, decision of 23 June 2020, KVR 69/19.
165 Facebook/WhatsApp (n 162) [164]: ‘Any privacy-related concerns flowing from the increased concentration
of data within the control of Facebook as a result of the Transaction do not fall within the scope of the EU competi-
tion law rules but within the scope of the EU data protection rules.’
166 Art 9 Regulation (EU) 2019/1150 on promoting fairness and transparency for business users of online inter-
mediation services [2019] OJ L186/57Cas.
167 Directive 2011/83/EU on consumer rights [2011] OJ L304/64; Regulation (EU) No 1169/2011 on the provi-
sion of food information to consumers [2011] OJ L304/18. See Weatherill, Chapter 28 this volume.
THE GLOBALIZATION OF EUROPEAN DATA LAW 923
got buried in contracts that hardly any consumer ever reads. Datafication raises the pros-
pect of more data-driven and more accessible consumer information, including in more
granular or even ‘personalized’ ways.168 As with data portability, data protection law and,
to a lesser extent, intellectual property law will be invoked to counter such initiatives.
Reconciling tensions between data protection law, competition law, and consumer protec-
tion law will remain a major challenge for European data law going forward.
The expansion of the Internet since the 1990s has enabled unprecedented global intercon-
nectedness. Data is being transmitted through interconnected networks that do not align
with territorial borders, are often managed by multinational entities, and establish con-
nections between nodes in different jurisdictions. When jurisdictions seek to assert their
data laws, they need to navigate the mismatch between mono-jurisdictional regulation of
data and complex infrastructures that enable multi-jurisdictional data flows. As we have
seen, European data law has responded to this challenge by creating supranational frame-
works for data flows within the EU, thereby suppressing potentially conflicting attempts by
Member States to regulate data. At the same time, EU data law had to confront the reality
that data might leave the EU’s territory, raising the question of how to establish effective
jurisdictional control over a regulatory object as mobile as data. EU law has resorted to
three interrelated mechanisms to establish jurisdictional control over data beyond the EU’s
borders.
First, the expansive interpretation of the DPD’s territorial scope of application by the
Court of Justice and its codification in the GDPR seeks to ensure that the EU’s data protec-
tion law applies even if personal data of European data subjects is being processed outside
the EU. Second, the GDPR’s dedicated rules for transfers of personal data from the EEA to
third countries seek to ensure an adequate level of data protection after transfer; function-
ally similar reciprocal arrangements were also foreseen in the Database Directive. Third,
the EU has been negotiating international agreements in certain specialized areas of data
protection law to ensure data protection standards akin to those guaranteed within the EU.
The EU resisted attempts by the US to expand the Silicon Valley Consensus of regulatory
uninhibited (‘free’) data flows in instruments of international economic law. After intense
internal debates, the Commission eventually adopted a new template for rules in trade
agreements that seeks to reconcile the EU’s economic interest in cross-border data flows
with its interest in protecting its data protection regime from external scrutiny.
These legal mechanisms alone cannot explain, however, why the EU has assumed the
role of a de facto global data regulator. Its rule-making efforts in the digital domain are often
followed by multinational corporations everywhere, even when such global compliance is
not legally required—a dynamic that Anu Bradford has theorized as the (de facto) ‘Brussels
Effect’.169 Moreover, jurisdictions around the world have been adopting data protection
168 C Busch and A de Franceschi, ‘Granular Legal Norms: Big Data and the Personalization of Private Law’ in V
Mak et al (eds), Research Handbook in Data Science and Law (Edward Elgar, 2020).
169 Anu Bradford, The Brussels Effect: How the European Union Rules the World (Oxford University Press, 2020).
924 THE EVOLUTION OF EUROPEAN DATA LAW
laws with comparable structure, concepts, and content to the GDPR and the EU has the am-
bition to play a similar role with its future data laws.170
However, the globalization of European data law is not without limits. The Court of
Justice recognized that requiring implementation of European data laws globally was not
generally warranted. The Commission’s handling of the adequacy assessment process has
been criticized as uneven. Its high-profile adequacy arrangements with the US did not sur-
vive the Court of Justice’s scrutiny twice; the initial passenger name records (PNR) accords
with Canada and the US suffered a similar fate. Uptake of the Database Directive’s reci-
European data law has gradually moved away from territoriality to establish jurisdictional
authority.171 The DPD required Member States to apply the harmonized data protection law
when the data controller was either established on their territory or used equipment there
situated (unless solely used for transit).172 What if an entity established in the EU was not
engaged in the processing of personal data while its parent company processed personal
data on equipment located outside the EU? The Court of Justice was confronted with this
question in Google Spain, a case more famous for establishing a right to be delisted from
search results.173 Its answer turned on the question whether the data processing carried out
by Google Inc was in ‘the context of ’ its subsidiary Google Spain promoting and selling ad-
vertising space in the EU. As so often in data protection cases, the Court opted for a broad
approach, invoking the need for protecting individuals’ fundamental rights and preventing
circumvention.174 The Court realized that Google operates as an economic whole. Its ad-
vertising business is targeted to the European market and inextricably linked to its global
175 See on the ‘tyranny of territoriality’ DJB Svantesson, Solving the Internet Jurisdiction Puzzle (Oxford
University Press, 2017) ch 2.
176 Art 3(1) GDPR.
177 Art 3(2) GDPR.
178 Art 11 Database Directive. See M Powell, ‘The European Union’s Database Directive: An International
Antidote to the Side Effects of Feist?’ (1996) 20 Fordham Int’l LJ 1215.
179 See Section A.2.
180 Case C-507/17 Google v CNIL EU:C:2019:772.
926 THE EVOLUTION OF EUROPEAN DATA LAW
information (including identical and equivalent information)181 from social media plat-
forms? The Court found that EU law did not preclude injunctions with worldwide effects
but gestured, somewhat obliquely, to ‘rules applicable at the international level’ which
Member States’ courts had to take into account when imposing such global injunctions.182
While both cases were ostensibly about the worldwide effects of EU data law, their reso-
lution also affects implementation within the EU. The Court pointed to the GDPR’s mech-
anisms to ensure coherence within the EU to prevent divergent decisions by national data
protection authorities and courts. A comparable mechanism is lacking in other areas of EU
The DPD built on antecedents in national data protections laws in creating a dedicated re-
gime for transfers of personal data from the EU to third countries, which the GDPR re-
fined and extended to transfers of personal data to International Organizations.183 These
additional rules for international transfers of personal data are the external corollary to the
ban on restrictions on transfers of personal data within the EU. Their logic and rationale
have been questioned since their inception.184 Other international instruments—such as
the OECD guidelines or the Council of Europe’s Convention No 108—did not include a
restriction specifically for transfers of personal data to other countries. The most plausible
explanation is anti-circumvention: if personal data could be transferred from the EU to
other countries without additional safeguards, how could European data protection law be
effectuated abroad?
The solution that EU law has pioneered is to require an ‘adequate’ level of protection by
the jurisdiction to which personal data is being transferred.185 The Commission has been
tasked with making this determination and its decisions can be reviewed by the Court of
Justice. From 2000 onwards, the Commission gradually recognized a number of juris-
dictions as providing an adequate level of data protection, including Switzerland (2000),
Canada (2001, albeit limited to commercial organizations), Argentina (2003), Israel (2011),
Uruguay (2012), and New Zealand (2013).186
The US posed a challenge as its sectoral approach to data privacy differs conceptually
from the EU’s general approach to data protection. Despite lamentations by US observers to
the contrary, it seemed evident—from a European perspective—that the US did not provide
181 D Keller, ‘Facebook Filters, Fundamental Rights, and the CJEU’s Glawischnig-Piesczek Ruling’ (2020) 69
GRUR Int’l 616.
182 Case C-18/18 Eva Glawischnig-Piesczek v Facebook EU:C:2019:821.
183 Chapter IV DPD; Chapter V GDPR; see Section A.1.
184 C Kuner, Transborder Data Flows and Data Privacy Law (Oxford University Press, 2013); W Kuan Hon, Data
Localization Laws and Policy (Edward Elgar, 2017).
185 Art 25 DPD; Art 45 GDPR.
186 Adequacy decisions available at <https://ec.europa.eu/info/law/law-topic/data-protection/international-
dimension-data-protection/adequacy-decisions_en> (<https://perma.cc/Z6Z4-9BN9>).
THE GLOBALIZATION OF EUROPEAN DATA LAW 927
an adequate level of data protection. Mindful of the commercial and strategic interests
implicated by transatlantic transfers of personal data from the EU to the US, the European
Commission negotiated the Safe Harbor Privacy Principles with the US Department of
Commerce. Under this self-certification framework, US organizations pledged to afford a
certain set of data protection rights to European data subjects, including notice and choice
(opt-out for personal information, opt-in for sensitive information), rights to access infor-
mation and correct, amend, or delete it where inaccurate as well as guarantees of data secu-
rity and data integrity. Satisfied with these additional safeguards, the Commission awarded
187 Commission Decision 2000/520/EC on the adequacy of the protection provided by the safe harbour privacy
principles and related frequently asked questions issued by the US Department of Commerce [2000] OJ L215/7.
188 Rebuilding Trust in EU-US Data Flows, COM(2013)846 final; Communication on the Functioning of the
Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU, COM(2013) 847 final.
189 Case C-362/14 Schrems ECLI:EU:C:2015:650.
190 ibid [73].
191 H Farrell and AL Newman, Of Privacy and Power: The Transatlantic Struggle over Freedom and Security
(Princeton University Press, 2019).
192 See, eg, Article 29 Working Party, Statement on the decision of the European Commission on the EU-US
Privacy Shield.
928 THE EVOLUTION OF EUROPEAN DATA LAW
eventually approved the Privacy Shield and the European Commission found the US to
provide an ‘adequate’ level of data protection, once again.193
Adequacy determinations are not the only legal basis under which personal data can be
transferred from the EU to third countries and international organizations.194 The prac-
tically most relevant instruments are binding corporate rules, which allow for data trans-
fers within a corporate group, and standardized data protection clauses, approved by the
European Commission and included in the contractual relationship between data subject
and data controller. After Max Schrems had brought down the Safe Harbor arrangement, he
193 Commission Implementing Decision (EU) 2016/1250 on the adequacy of the protection provided by the
EU-US Privacy Shield [2016] OJ L207/1.
194 Art 46 GDPR.
195 Case C-311/18 Schrems II ECLI:EU:C:2020:559.
196 Art 44, clause 2 GDPR.
197 A Chander, ‘Is Data Localization a Solution for Schrems II?’ (2020) 23 JIEL 1.
198 Case C-101/01 Criminal proceedings against Bodil Lindqvist [2003] ECR I-12971.
199 See, eg, Peter Swire’s testimony in the proceedings before the Irish High Court, at 16, there n 72.
THE GLOBALIZATION OF EUROPEAN DATA LAW 929
This is not to discount that the EU’s regulation of outward transfers of personal data im-
poses significant costs on businesses. While the Schrems litigation has focused on trans-
atlantic transfers of personal data, the Court’s pronouncements are valid for transfers of
personal data from the EU to any other third country or international organization. In light
of China’s rise in the global digital economy, it remains to be seen whether EU law will assert
itself as forcefully vis-à-vis Chinese entities that offer goods and services in Europe as it did
vis-à-vis the US.200
Despite questions about economic advisability and practical efficacy, the EU’s regulation
The genesis of European data protection law benefitted from antecedents in international
law as it built on and incorporated elements from the relevant OECD guidelines and the
Council of Europe’s Convention 108.202 As European data protection law matured through
evolving practice, institutionalized interpretation, and case law, it became itself a focal point
for international efforts to harmonize data protection laws.203 The 2013 revision of the
OECD Privacy Guidelines referenced EU data protection law at length, even though it took
a more business-friendly stance overall and refrained from recommending restrictions
on cross-border transfers of personal data. The 2001 additional protocol to the Council of
Europe’s Convention 108 incorporated two major elements of European data protection
law—institutionally independent supervisory authorities and adequacy requirements for
cross-border transfers of personal data to third countries.204 The latter remains a point of
contention between countries that limit the transfer of personal data from their jurisdiction
and those who do not. This dispute is increasingly playing out in negotiations for new rules
on questions of global data governance in instruments of international economic law.
The World Trade Organization came into being in 1995 when the Internet’s global ex-
pansion and commercialization had just begun.205 Its work programme on electronic
200 M Rotenberg, ‘Schrems II, from Snowden to China: Toward a New Alignment on Transatlantic Data
Protection’ (2020) ELJ 1.
201 PM Schwartz, ‘Data Privacy: The EU Way’ (2019) 94 NYU L Rev 771.
202 See Section A.1.
203 G Greenleaf, ‘The Influence of European Data Privacy Standards outside Europe: Implications for
Globalization of Convention 108’ (2012) 2 IDPL 68.
204 Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing
of Personal Data, regarding supervisory authorities and transborder data flows, CETS No 181.
205 M Burri and T Cottier, ‘Introduction: Digital Technologies and International Trade Regulations’ in Trade
Governance in the Digital Age (Cambridge University Press, 2012) ch 1.
930 THE EVOLUTION OF EUROPEAN DATA LAW
commerce, instituted in 1997, has not been able to agree on more than a moratorium on
tariffs for electronic transmissions.206 Eventually, the US turned to free trade agreements to
advance the interests of its dominant global Internet companies. The EU struggled to find
its footing as it was confronted with US demands ostensibly in tension with its data protec-
tion regime. During the negotiations for the Trans-Pacific Partnership (TPP) agreement,
the US created a new model of rules for the digital economy, including dedicated provisions
on cross-border transfers of data (including personal data) and requirements to use local
computing facilities.207 While ostensibly part of a ‘digital trade’ and ‘e-commerce’ agenda,
The expanded scope of application of EU data protection law, its extending through unilat-
eral adequacy assessments and other safeguards, and the promoting and defending of the
EU’s conception of data protection and privacy in international instruments have all con-
tributed significantly to the globalization of European data protection law. Anu Bradford has
identified and theorized a related dynamic that leads to compliance with EU data protection
laws by businesses outside the EU even when they are not legally required to do so.214 The
relevant criteria for this ‘Brussels Effect’ to occur are market size, regulatory capacity, strin-
gency of rules, inelastic regulatory targets, and indivisibility of products.215 European data
protection law is widely seen as a key example of the Brussels Effect, but a closer look reveals
that this dynamic cannot be taken for granted. The Brussels Effect theorizes multinational
businesses’ rational behaviour in the face of disparate regulatory demands across jurisdic-
tions. In this regard, it is not just the stringency but the inescapability of EU data law due to
its expanded jurisdictional reach that animates the Brussels Effect. But even the GDPR has
jurisdictional limits that multinational corporations can exploit: before it entered into force,
Facebook reportedly moved 1.5 billion users in Africa, Asia, Australia, and Latin America,
who had been affiliated with Facebook Ireland, to Facebook Inc, thereby removing these
users from the GDPR’s reach.216 As it turns out, data can be a highly elastic target, prone to
flight, comparable to financial capital.
The European Commission has emphasized its desire to lead the EU into a digital future
for decades. While the GDPR remains a singular achievement in asserting the EU’s regula-
tory power in the digital domain and the Court of Justice has developed a remarkable dig-
ital rights jurisprudence, other legislative efforts to transition Europe towards digitalization
and supranational interconnectedness have either stalled, or fallen short of their lofty aspir-
ations. The digital single market moniker continues to symbolize an unfulfilled aspiration.
When a new European Commission took office in autumn 2019, digitalization was high
on the agenda once again, featured prominently in President Ursula von der Leyen’s accept-
ance speech, and was given additional visibility by making Margrethe Vestager Executive
Vice-President for a ‘Europe fit for the Digital Age’. The first tangible outcome was the pub-
lication of a new European data strategy in February 2020. It announced a vision for a single
European data space, understood as a genuine single market for data, open to data from
across the world.222 Meanwhile, national governments continued to pursue their own na-
tional data strategies, often with a view towards influencing the European agenda.223
While it remains to be seen in what form the European data strategy will materialize,
it gives some pointers into the future of European data law, at least as envisaged by the
European Commission. This concluding section hones in on and critiques three dimensions
The European data strategy embraces digitalization’s potential for improvements in eco-
The generation, modification, transfer, and use of data is dependent on infrastructures, many
of which are controlled by multinational private entities. The EU is responding to this reality
229 Proposal for a regulation on a single market for digital services (Digital Services Act) and amending Directive
2000/31/EC, COM(2020) 825 final.
230 Proposal for a regulation on contestable and fair markets in the digital sector (Digital Markets Act),
COM(2020) 842 final.
231 Proposal for a regulation on European data governance (Data Governance Act), COM(2020) 767 final.
232 See EDPB-EDPS Joint Opinion 03/2021 on the Data Governance Act.
233 Project GAIA-X: A Federated Data Infrastructure as the Cradle of a Vibrant European Ecosystem, <www.
data-infrastructure.eu> (<https://perma.cc/L55S-M2KC>).
234 See for this idea, L Austin and D Lie, ‘Safe Sharing Sites’ (2019) 94 NYU L Rev 581. See also CT Marsden,
Internet Co- Regulation: European Law, Regulatory Governance and Legitimacy in Cyberspace (Cambridge
University Press, 2011).
936 THE EVOLUTION OF EUROPEAN DATA LAW
European governments had preferred.235 Infrastructural control over data and resulting ec-
onomic, social, and political power exercised by global digital corporations persists and
remains largely unchecked by European data law,236 despite efforts to rein in certain anti-
competitive practices through data sharing requirements.237
235 M Veale, ‘Sovereignty, Privacy, and Contact Tracing Protocols’ in L Taylor et al (eds), Data Justice and
COVID-19: Global Perspectives (Meatspace Press, 2020) 34.
236 For ideas how to confront these forms of digital inequality see Fisher and Streinz (n 227).
237 See Section B.3.
238 JE Cohen (n 5).
239 P Nemitz, ‘Constitutional Democracy and Technology in the Age of Artificial Intelligence’ (2018) Phil Trans
R Soc A.
240 M Hildebrandt (n 5).