Article Evolution of Eu Data Law

29
THE EVOLUTION OF EUROPEAN

DATA LAW
Thomas Streinz*
Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

European data law is a legal domain that encompasses, but extends beyond, data protec-
tion law as the familiar area of law concerned with the protection of personal data and, by
extension, individual privacy.1 Conceptualizing data law more broadly sheds light on the
various ways in which different elements of EU law have come to conceptualize and regu-
late different categories of data over time. These other data-related areas of EU law are often
discussed within their own fields of scholarship and practice, ranging from intellectual pro-
perty law, to consumer and competition law, and to telecommunications law, which tends
to cloud their relationship to and entanglement with data protection law and misses the
growing significance of personal and non-personal data for many other domains of EU law.
European data law is an attempt at reconstructing disparate areas of law around a uni-
fying concept, akin to Internet law or IT law.2 The focus on data is conceptually and termi-
nologically problematic because the distinction between data and information tends to be
underspecified in law.3 For information theorists, data denotes abstractions from the world
that only acquire meaning as information through additional processes of distillation.4 EU
law ignores this distinction and tends to define data as information (if at all). Relatedly, it
has become a truism that ‘data protection’ is a misnomer in at least three ways. Firstly, data
protection is not concerned with the protection of data but with the protection of individ-
uals. This also explains, secondly, why data protection is not, as the name might suggest,
about protecting all data, but only concerned with personal data. Thirdly, data protection
is not regulating data as conceptualized in information theory, but regulates information
(data with meaning). The term data law, as employed in this chapter, avoids the first two
problems, but embraces the third for reasons both pragmatic and conceptual. Data is in-
creasingly being used synonymously with ‘digital information’ in law and policy and de-
fining data in this way for the purposes of this chapter is helpful to reveal the extent to which
European data law is grappling with digitalization at large.
* The author is deeply grateful to Angelina Fisher and Benedict Kingsbury with whom he has collaborated
in the Global Data Law project: <www.guariniglobal.org/global-data-law>. He also thanks Johann Justus Vasel,
Przemysław Pałka, and Elettra Bietti for their substantive and engaging comments on earlier drafts.
1 The relationship between ‘data protection’ and ‘privacy’ is complicated and contested. See Section A.2. In line
with the theme of the volume, the chapter focuses on EU law, without ignoring the Council of Europe’s significant
contributions.
2 CT Marsden, ‘The Regulated End of Internet Law, and the Return to Computer and Information Law?’
in K Werbach (ed), After the Digital Tornado (Cambridge University Press, 2020) ch 1; A Murray, Information
Technology Law (4th edn, Oxford University Press, 2019).
3 LA Bygrave, ‘Information Concepts in Law: Generic Dreams and Definitional Daylight’ (2015) 35 OJLS 91.
4 B Kitchin, The Data Revolution: Big Data, Open Data, Data Infrastructures & their Consequences (SAGE
Publications, 2014) 9.
Thomas Streinz, The Evolution of European Data Law In: The Evolution of EU Law Edited by: Paul Craig and Gráinne de Búrca, Oxford
University Press. © Paul Craig and Gráinne de Búrca 2021. DOI: 10.1093/oso/9780192846556.003.0029
THE EVOLUTION OF EUROPEAN DATA LAW 903
This chapter on the evolution of European data law provides a snapshot into a broader
project studying how EU law has conceptualized different categories of digitalized infor-
mation as data. The analytical objective is a (re)construction of European data law as a field
of scholarship and practice transcending the established boundaries under which EU data
protection law, intellectual property law, consumer protection law, competition law, tele-
communications law, and internal market law, respectively, conceive of data regulation by
law. The ultimate objective of this broader project is to understand how EU law has been
intertwined with the digital transformation of Europe so far and how it might need to shape

this transformation going forward.5
The EU is, famously, a project of integration through law.6 European data law can be un-
derstood as an attempt to carry this legacy forward in the digital domain. The EU’s General
Data Protection Regulation (GDPR),7 in particular, is often heralded as a success story
of European law-making, in which the European people, as represented by the European
Parliament, asserted their democratic will over powerful concentrated interests.8 Without
detracting from this legislative accomplishment, even the most advanced data protection
law in the world—the GDPR—is ultimately insufficient to regulate data. One important
aspect of this is the, maybe sobering, realization that data is not just regulated by law, but
also by a vast array of non-legal instruments: data relies on and is regulated by various infra-
structures, whose key components are often controlled by private actors and defined by a
wide range of formal and informal standard-setting organizations; data-related practices
are social practices governed by written and unwritten norms prevalent in companies, gov-
ernments, and society writ large. European data law is grappling increasingly with these
other modalities of data regulation and might, as the concluding section suggests, need to
shift focus to address data-driven power asymmetries in Europe and beyond.
The societal relevance of data regulation through law is hard to overstate. The resurgence
of artificial intelligence through machine-learning is to a significant extent driven by and
dependent on large quantities of data. Distributed ledger technologies such as blockchain
are ultimately data storage and transfer infrastructures (sometimes with broader data pro-
cessing and ‘smart contract’ capabilities). European citizens and businesses have come to
rely on cloud computing as infrastructure for software delivery and development as well as
data storage, processing, and transfer. By consequence, European data law also regulates,
albeit indirectly, AI, blockchain, the cloud, and any other data-dependent or related tech-
nology. At the same time, the cross-cutting nature of data poses significant challenges for
tailoring European data law towards its multiple, and sometimes conflicting, regulatory
objectives in a coherent fashion.
Drawing on this broader project and in line with the general theme of the volume, this
chapter focuses on certain aspects of the evolution of European data law that are instructive
5 Paradigmatic in this regard but not focused on EU law: JE Cohen, Between Truth and Power: The Legal
Constructions of Informational Capitalism (Oxford University Press, 2019); A Kapczynski, ‘The Law of
Informational Capitalism’ (2020) 129 YLJ 1267; see also M Hildebrandt, Smart Technologies and the End(s) of Law
(Edward Elgar, 2015).
6 See Craig, Chapter 2 this volume.
7 Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data
and on the free movement of such data (General Data Protection Regulation) [2016] OJ L119/1 (GDPR).
8 The movie Democracy: Im Rausch der Daten (2015) tells this story from the perspective of the European
Parliament’s rapporteur Jan Philipp Albrecht. The movie also suggests that political agreement was only made pos-
sible by Edward Snowden revealing US surveillance practices in June 2013.
904 THE EVOLUTION OF EUROPEAN DATA LAW
for the evolution of EU law more generally by highlighting the ways in which domestic and
international law shape EU law, the growing importance of EU fundamental rights, institu-
tional aspects of EU law implementation, the increasing and maybe irreducible complexity
of different strands of secondary EU law, and the EU’s capacity for law-making beyond its
borders.
To unfold these themes, the chapter is divided in four sections: The first (Section A) tells
the story of the Europeanization of data protection law. The second (Section B) positions
European data protection law in conversation with other strands of European data law

(non-personal data, data ownership, and access to data). The third (Section C) explains how
European data law became globalized and exposes limits to its further global diffusion. The
fourth and final section (Section D) ventures a critical glimpse into the future of European
data law.
A. THE EUROPEANIZATION OF DATA PROTECTION LAW
European data protection law is a relatively recent area of EU law. But before there was
European data protection law, there was data protection law in Europe. Several nation states
began to legislate on data protection issues from the 1960s onwards and thereby developed
core concepts that have subsequently become part of the European data protection law
acquis. International developments, most notably the OECD’s data protection guidelines
and the Council of Europe’s data protection Convention also laid important groundwork
that influenced the regime as it constituted itself under and as EU law. Tracing these sub-
and supra-supranational influences on European data protection law reveals important
path dependencies. As it is befitting of a legal regime that straddles a distinct realm be-
tween international and domestic law, EU law claims uniform legal authority in theory, but
exhibits tinges and occasional fissures in practice as it continues to be understood, taught,
and practised with significant variation across the EU. These variations materialize in par-
ticular when legal concepts that were initially developed in domestic law settings get in-
corporated in and scaled up through EU legal instruments, which are in turn dependent
on downstream domestic implementation. This dynamic can be observed through var-
ious legal domains but it is especially pronounced in EU data protection law, which has
existed for a quarter century (1995–2020) as a domain of EU law with antecedents in do-
mestic and international data protection law dating back roughly another quarter century
(1970–1995).
As this chapter cannot offer a comprehensive account of European data protection law,9
it will focus on dimensions that exhibit distinctive characteristics of EU law more gener-
ally. Accordingly, this section traces the evolution of European data protection law along
three intersecting dimensions: EU data protection law-making through legislative efforts
and its interplay with antecedent, parallel, and subsequent developments at national and
international levels; the evolution of data protection and privacy as related but distinct
9 See, for such accounts, L Edwards (ed), Law, Policy, and the Internet (Hart, 2018) chs 3–5; O Lynskey, The
Foundations of EU Data Protection Law (Oxford University Press, 2015); P Hustinx, ‘EU Data Protection Law: The
Review of Directive 95/46/EC and the General Data Protection Regulation’ in M Cremona (ed), New Technologies
and EU law (Oxford University Press, 2017).
THE EUROPEANIZATION OF DATA PROTECTION LAW 905
fundamental rights; and the institutionalization of EU data protection law through crea-
tion of novel institutional structures to administer and implement and thereby shape this
evolving domain of EU law.
1. FROM THE DATA PROTECTION DIRECTIVE TO THE

GENERAL DATA PROTECTION REGULATION

Data protection law emerged in the 1970s in response to advances in computation tech-
nology. The German state of Hesse is often credited with enacting the world’s first data
protection law in 1970.10 Then and future Member States followed suit by creating their
own, varying domestic data protection laws over the course of the 1970s, including Sweden,
Germany, Austria, Denmark, France, and Luxembourg.11 On the other side of the Atlantic,
the US also began to grapple with the impact of computerization on society. An influen-
tial 1973 report on Records, Computers, and the Rights of Citizens proposed fundamental
principles of fair information practice and has been prescient for the future development
of data protection law in Europe and elsewhere.12 In the US, however, the legislative re-
sult remained limited as the 1974 Privacy Act only applies to data processing by federal
agencies.13 The private sector remained largely unregulated, with the exception of certain
sectoral interventions.14 The resulting divergence in transatlantic data protection law has
repeatedly led to tensions between the EU and US regimes.15
The European Communities refrained from legislative efforts during this first phase of
data protection regulation, despite repeated urging by the European Parliament, which has
been a consistent advocate for European data protection legislation.16 The Commission,
which later recast itself as a champion of EU data protection law, refused to propose such
legislation for a variety of reasons.17 It claimed, initially, that it did not have nor planned to
have any ‘data banks’, reflecting an early, narrow (mis)conception of data protection.18 For a
long time, the Commission was focused almost entirely on the economic potential of digi-
talization, computerization, and telecommunication and ignored the commensurate need
for European data protection law.19 As a consequence, the EU initially failed to shape this
burgeoning field within Europe and beyond. As the need for international coordination
10 Hessisches Datenschutzgesetz [1970] GVBl I 625.

11 Austria (1978), Denmark (1978), France (1978), Germany (1977), Sweden (1973), Luxembourg (1979).
English translations at <https://www.cipil.law.cam.ac.uk/> (https://perma.cc/YGM7-Q7ED>).
12 1973 Report of the US Health Education and Welfare Secretary’s Advisory Committee on Automated
Personal Data Systems; see Przemysław Pałka, ‘Data Management Law for the 2020s: The Lost Origins and the
New Needs’ (2020) 68 Buffalo L Rev 559.
13 5 USC § 552a (1974).
14 AL Newman, Protectors of Privacy: Regulating Personal Data in the Global Economy (Cornell University Press,
2008) ch 2.
15 PM Schwartz, ‘Privacy and Participation: Personal Information and Public Sector Regulation in the United
States’ (1995) 80 Iowa L Rev 554. See also, PM Schwartz, ‘The Computer in German and American Constitutional
Law: Towards an American Right of Informational Self-Determination’ (1989) 37 AJCL 675. See further
Section C.2.
16 Resolutions to this effect date back to [1975] OJ C60/48 where a directive on individual freedom and data
processing was called an ‘urgent necessity’. See also the resolutions [1976] OJ C100/27; [1979] OJ C140/147; [1982]
OJ C87/39.
17 See the detailed account by AC Evans, ‘European Data Protection Law’ (1981) 29 AJCL 571.
18 Reply to Oral Question 122/73, EP Debates No 168 at 104 (13 November 1973).
19 Community policy on data processing, SEC(73) 4300 final.
grew, other international organizations began to fill the void. In 1980, the OECD built on
the fair information practice principles that the US had developed and issued guidelines
on the protection of privacy and transborder flows of personal data, which included im-
portant data protection concepts such as the collection and use limitation, data quality and
security, and purpose specification principles.20 In 1981, the Council of Europe adopted its
Convention No 108 for the Protection of Individuals with regard to Automatic Processing of
Personal Data, the world’s first data protection treaty.21 Building on antecedents in domestic
law, it laid out key data protection principles such as fairness, lawfulness, proportionality,

and the purpose limitation, and established core rights to access and correct personal data
that influenced the further development of data protection law in Europe and beyond.22
In 1990, the European Commission, after the Member States’ data protection commis-
sioners had demanded Europe-wide action,23 finally proposed a European data protection
directive.24 It invoked the internal market competence,25 proclaiming that fragmented na-
tional data protection regimes posed a threat to the free movement of personal data within
the internal market. As all Member States had data protection laws on the books,26 a direc-
tive was chosen to engineer harmonization. The protracted legislative process revealed that
Member States mainly sought to preserve the data protection concepts they had pioneered
rather than inventing new ones. The result was an amalgam of national data protection law
concepts in a supranational instrument: the Data Protection Directive (DPD) of 1995.27
Member States, naturally, could not always succeed in retaining their preferred approach.
The DPD’s adoption of a uniform ‘data controller’ concept eliminated the principal distinc-
tion between public sector and private sector data processing on which German data pro-
tection law had relied.28 The consequential rules on transfers of personal data from the EEA
to third countries were the result of a tenuous compromise. Existing national data protec-
tion regimes often restricted such transfers, but did so with significant variation in terms of
underlying rationale, substantive standards, and institutional assessment.29 EU law-makers
eventually settled on an ‘adequacy’ standard which the Court of Justice later interpreted
20 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, <www.oecd.org>
(https://perma.cc/9CRF-4NPW).
21 CETS No 108 (Convention 108).
22 Since 2013, nine non-Council of Europe members have acceded to Convention 108. The current list of signa-
tories is available at <www.coe.int> (https://perma.cc/QYD6-PHRG>).
23 Berlin Resolution of the International Conference of Data Protection Commissioners of 30 August 1989,
Additional Declaration of the Data Protection Commissioners of Nations of the European Community.
24 Proposal for a Council Directive Concerning the Protection of Individuals in Relation to the Processing of
Personal Data [1990] OJ C277/3.
25 Then Art 100a TEC, now Art 114 TFEU.
26 The UK passed its Data Protection Act in 1984. Ireland and the Netherlands got data protection laws in 1988.
Portugal and Spain followed in 1991 and 1992 (after the EU Commission’s proposal but before the adoption of the
DPD). English translations available at <https://www.cipil.law.cam.ac.uk/> (<https://perma.cc/YGM7-Q7ED>).
27 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the
free movement of such data [1995] OJ L281/31. See S Simitis, ‘From the Market To the Polis: The EU Directive on
the Protection of Personal Data’ (1995) 80 Iowa L Rev 445, 449: ‘Experience has shown that the primary interest
of the Member States is not to achieve new, union-wide principles, but rather to preserve their own, familiar rules.
A harmonization of the regulatory regimes is, therefore, perfectly tolerable to a Member State as long as it amounts
to a reproduction of the State’s specific national approach.’
28 Convention 108 also operates without such a distinction.
29 P Schwartz, ‘European Data Protection Law and Restrictions on International Data Flows’ (1995) 80 Iowa L
Rev 471. The original Convention 108 permitted, but did not require, the blocking of exports of personal data to
treaty parties that lacked equivalent levels of protection.
as requiring ‘essential equivalency’—thereby restoring the standard that several Member
States had established before.30
The DPD, which eventually acquired global recognition as a paradigmatic model,31 was
the result of a complex political struggle in which Member States pursued their own inter-
ests. Greece staged a surprising invocation of constitutional limits, whose traces are still
discernible in EU data protection law.32 Germany used the DPD to resolve an internal po-
litical conflict over health data between the federal government and the Data Protection
Commissioners of the Länder.33

Certain general characteristics of EU law also materialized in the DPD. In line with
the principle of conferral, EU data protection law could only reach as far as EU law does.
Member States’ insistence on their domaines réservés led to broad (‘in any case’) carve outs
on matters of public and national security, defence, and criminal law.34 While reflecting the
EU’s unique constitutional structure, such exemptions fragmented EU data protection law
internally. Moreover, from an external perspective, such carve outs appeared hypocritical
when the Court of Justice refused to grant similar exceptions to national security interests
by third countries.35
The DPD was created during a time at which the Internet had begun to transform global
communications and commerce, without fully realizing let alone confronting what this
would entail for data protection and privacy. Fundamental questions about whether and
how the newly created European data protection law would apply online were unsettled.36
In 1997, the EU had enacted a Directive concerning the processing of personal data and the
protection of privacy in the telecommunications sector ‘to particularise and complement’
the DPD.37 Unfortunately, that Directive was already outdated at the time of adoption as
the Internet and electronic communications superseded traditional telecommunications.
The immediate need for an ‘update’ led to the creation of the E-Privacy Directive in 2002,38
which formed part of a broader effort at reforming EU telecommunications law. Maybe best
known for its rules on online trackers known as ‘cookies’, the E-Privacy Directive created a
persistent and complicated bifurcation within European data protection law.39 Its relatively
strong (compared to DPD and GDPR) and ultimately ineffective reliance on ‘consent’ has
nurtured misperceptions about European data protection law as a largely consent-based
regime.40
30 Case C-362/14 Schrems EU:C:2015:650; see Section C.2.

31 See Section C.4.
32 The (face saving) change in Art 8(2)(a) DPD which states that even explicit consent cannot overcome abso-
lute legal prohibitions lives on in Art 9(2)(a) GDPR.
33 Simitis (n 27) provides a detailed and colourful account of all these developments.
34 Art 3(2) DPD.
35 Case C-362/14 Schrems EU:C:2015:650; see further Sections A.2 and C.3.
36 Art 29 WP, Working document: Processing of Personal Data on the Internet (23 February 1999) took the view
that European data protection law applied to the processing of personal data irrespective of the technology used
and this view prevailed eventually.
37 [1998] OJ L24/1, Art 1(2).
38 Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the elec-
tronic communications sector [2002] OJ L 201/37.
39 European Data Protection Board, Opinion 5/2019 on the interplay between the ePrivacy Directive and the
GDPR, in particular regarding the competence, tasks and powers of data protection authorities (12 March 2019).
40 G Zanfir, ‘Forgetting About Consent. Why the Focus Should Be on “Suitable Safeguards” in Data Protection
Law’ in S Gutwirth, R Leenes, and P De Hert (eds), Reloading Data Protection (Springer, 2014) 237.
Another schism exists within European data protection law, caused by the decision to
harmonize Member States’ data protection laws via a Directive instead of creating a uni-
form regime for the whole EU. Consequently, until 1999, European data protection law did
not apply to the EU institutions. The Treaty of Amsterdam remedied this untenable situ-
ation and created a distinctive—not internal market dependent—competence for the fu-
ture development of EU data protection law.41 In 2001, the EU enacted a data protection
Regulation applicable to its institutions and bodies.42 Its 2018 reform aims for alignment
‘as far as possible’ with the GDPR, but continues to operate as a separate legal instrument.43

After the terrorist attacks of 11 September 2001 in the US, 11 March 2004 in Madrid, and
7 July 2005 in London, counter-terrorism and national security became more prominent
on the EU’s legislative agenda, necessitating reconciliation of surveillance interests with
data protection principles. The EU’s 2006 Data Retention Directive44 reflected the security-
oriented sentiment of the time and was later invalidated by the Court of Justice.45
As the DPD aged, the need for reform grew.46 Disparate implementation across Member
States and a persistent enforcement deficit led the Commission to propose a regulation in-
stead of a directive, reflecting a broader shift in the EU’s legislative strategy in pursuit of
increased uniformity in the application and implementation of EU law.47 Indeed, EU law-
making had changed in the meantime. The Treaty of Lisbon reformed the EU’s competence
for data protection law, explicitly recognizing the need for fundamental rights protection
in this domain, while also emphasizing—in a separate declaration—potential national se-
curity implications.48 The European Parliament had become a co-equal legislator. While
the DPD had been hashed out between Commission and Council, the Parliament played
a much more assertive role in the creation of the GDPR. Even though the Treaty of Lisbon
had abolished the pillar structure,49 criminal justice was carved out from the GDPR’s scope
of application and relegated to a separate directive.50
The GDPR was a remarkable legislative achievement of supranational law-making. It
carried forward the legacy of the DPD, which it replaced, by insisting on the same core
principles of European data protection law,51 and codified some of the case law that the
Court of Justice had rendered in the interim. But it also injected new concepts and ideas
41 Art 286 TEC.

42 Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data
by the Community institutions and bodies and on the free movement of such data [2001] OJ L8/1.
43 Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal
data by the Union institutions, bodies, offices and agencies and on the free movement of such data [2018] OJ L295/
39.
44 Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of
publicly available electronic communications services or of public communications networks [2006] OJ L105/54,
recital 5.
45 Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger EU:C:2014:238; see Section A.2.
46 V Reding ‘The European Data Protection Framework for the Twenty-First Century’ (2012) 2 IDPL 119
(2012).
47 This dynamic is the inverse of the one observed at the constitutional level; see G de Búrca and J Scott (eds),
Constitutional Change in the EU: from Uniformity to Flexibility (Hart, 2000).
48 Art 16 TFEU and Declaration No 20 annexed to the Treaty of Lisbon.
49 See Art 30(1)(b) and Art 34(2)(b) TEU (pre-Lisbon).
50 Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data
by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal
offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council
Framework Decision 2008/977/JHA [2016] OJ L119/89.
51 Art 5 GDPR lists lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy;
storage limitation; integrity and confidentiality; and accountability.
into European data protection law and reformed its institutional structure.52 Its general
scope of application raises intricate questions about its application to and implications for
different digital technologies such as distributed and encrypted ledgers (eg blockchain),53
the Internet of Things (IoT),54 and the development and use of personal data-dependent
and self-trained algorithms (artificial intelligence/machine learning).55
Even though the GDPR kept the core of European data protection law intact, the GDPR
was often perceived as revolutionary rather than evolutionary by the business community
and data protection advocates alike. The main reason for the increased attention garnered

by the GDPR can be attributed to its new sanctions regime, which seems inspired by EU
competition law. Whereas the DPD had largely left it to Member States how to sanction vio-
lations, the GDPR required ‘effective, proportionate and dissuasive penalties’ and stipulated
that administrative fines could amount to up to 4 per cent of an undertaking’s worldwide
annual turnover.56
The growing influence of competition law concepts in EU data protection law is also dis-
cernible in the GDPR’s introduction of a right to data portability, whereby data subjects can
choose to transfer ‘their’ data from one controller to the other.57 While one can develop a ra-
tionale according to which increased competition among data controllers in the face of data
portability may lead to a ratcheting up of data protection standards, there is also a tension
between one data subject’s data portability right and other data subject’s privacy and data
protection rights.58
The GDPR also made some steps towards addressing the growing importance of algo-
rithmic decision-making systems by expanding data subjects’ rights regarding mean-
ingful information about the logic, significance, and envisaged consequences of automated
decision-making.59 While it has been controversial whether this amounts to a ‘right of ex-
planation’,60 the GDPR seeks to leverage a rights-based approach against technological de-
terminism and (deliberate) inscrutability.
At the same time, building on antecedents in the DPD, the GDPR embraced the concept
of ‘data protection by design and by default’ according to which appropriate technical and
organizational measures are to be used to achieve the GDPR’s regulatory objectives.61 While
not without complications,62 this regulatory innovation shows how EU law can develop in
sync with technological developments by requiring the (adaptive) use of ‘state of the art’
52 See Section A.3.

53 M Finck, Blockchain Regulation and Governance in Europe (Cambridge University Press, 2018).
54 S Wachter, ‘The GDPR and the Internet of Things: A Three-Step Transparency Model’ (2018) 10 Law,
Innovation and Technology 266.
55 G Sartor, The Impact of the General Data Protection Regulation (GDPR) on Artificial Intelligence (Study for the
Panel for the Future of Science and Technology, 2020).
56 Contrast Art 24 DPD with Art 83 and 84 GDPR.
57 Art 20 GDPR.
58 As recognized by Art 20(4) GDPR and routinely stressed by platform companies; see, eg, E Egan, Data
Portability and Privacy: Charting a Way Forward (Facebook, 2019), available at <about.fb.com> (<https://perma.
cc/MN2V-WR5Z>).
59 See Arts 13–15 in conjunction with Art 22 GDPR.
60 Contrast S Wachter, B Mittelstadt, and L Floridi, ‘Why a Right to Explanation of Automated Decision-
Making Does Not Exist in the General Data Protection Regulation’ (2017) 7 IDPL 76 with AD Selbst and J Powles,
‘Meaningful Information and the Right to Explanation’ (2017) 7 IDPL 233.
61 Art 25 GDPR.
62 IS Rubinstein and N Good, ‘The Trouble with Article 25 (and how to Fix it): the Future of Data Protection by
Design and Default’ (2020) 10 IDPL 37.
technology and also reflects that technological implementation of EU law is necessary to
achieve the desired regulatory outcome.
While lauded by many, the GDPR has also attracted its fair share of criticism, not only
from businesses, which had lobbied ferociously against the law but changed tune once
it came into force.63 Three main lines of academic critique can be identified: one alleges
that the GDPR follows the wrong model by creating a comprehensive, complicated, and
user-control focused model that does not and cannot achieve what it aspires to.64 Another
critique claims that the GDPR fails to account for changes in the digital economy, particu-

larly the transformations brought about by ‘big data’ as the idea of repurposing and max-
imizing the economic and social value of personal data conflicts with the established data
protection concepts of purpose limitation and data minimization.65 A third line of critique
focuses on the GDPR’s economic effects and claims that the law failed to achieve the optimal
balance between market integration and individual rights protection.66 Indeed, European
data protection law stands out within EU law for its strong emphasis on fundamental rights.
This outcome was not preordained, but is the result of a broader evolution of EU law and the
Court of Justice’s embrace of data protection and privacy as fundamental rights.
2. DATA PROTECTION AND PRIVACY AS EUROPEAN

FUNDAMENTAL RIGHTS
The DPD was meant to advance the twin goals of market integration, by avoiding disparate
data protection frameworks in Member States and by outlawing restrictions on the free flow
of personal data within the EU, and supranational data protection, by requiring Member
States to protect EU citizens’ fundamental rights and freedoms, in particular their right to
privacy with respect to the processing of personal data.67 This combination of a market inte-
gration rationale with a fundamental rights logic is remarkable against the backdrop of the
history of European economic integration, which is said to have favoured economic inte-
gration with fundamental rights as an afterthought.68 This is not only a question of critical
legal historiography. Critics continue to suggest that the EU remains systematically tilted
against fundamental rights when those rights conflict with market integration objectives.
The Court of Justice’s decisions in Viking and Laval where corporate freedom of establish-
ment trounced workers’ collective action rights epitomize this critique.69
The evolution of European data protection law tells a different story: even though the
internal market and fundamental rights rationales were equally present in the DPD, the
fundamental rights rationale turned out to be more powerful in the long run. The reasons
for this remarkable divergence from the conventional wisdom regarding the relationship
63 Facebook published a full page advertisement in the German newspaper Frankfurter Allgemeine Zeitung of 20
May 2018 to announce the GDPR’s imminent entry into force on 25 May 2018.
64 B-J Koops, ‘The Trouble with European Data Protection Law’ (2014) 4 IDPL 250: ‘it is dead’.
65 T Zarsky, ‘Incompatible: The GDPR in the Age of Big Data’ (2017) 47 Seton Hall L Rev 995.
66 M Gal and O Aviv, ‘The Competitive Effect of the GDPR’ (2020) Journal of Competition Law and
Economics 349.
67 Art 1 DPD.
68 See de Búrca, Chapter 15 this volume, for an alternative genealogy which emphasizes that European integra-
tion could have proceeded differently.
69 Case C-438/05 Viking [2007] ECR I-10799; Case C-341/05 Laval [2007] ECR I-11767.
between market integration and fundamental rights in EU law are of course complex and
multifold. Yet, three distinct features can be identified that might explain the unusual influ-
ence of fundamental rights in the evolution of European data protection law.
The first, and likely most important, relates to the EU’s Charter of Fundamental Rights,
which recognized distinct yet related fundamental rights to data protection and privacy.70
Developed after the DPD was concluded, the Charter began to influence EU law even be-
fore it became formally part of EU primary law with the entry into force of the Treaty of
Lisbon in 2009. From then onwards, the Charter was prominent in major data protection

cases, thereby lending credence to the claim that codifying fundamental rights in a Charter
made a substantial and not merely symbolic difference over the prior baseline under which
the Court had recognized European fundamental rights as general principles of EU law.
Second, and relatedly, the Court of Justice embraced the Charter of Fundamental Rights
to influence the evolution of European data protection law. It did so while its sister Court
in Strasbourg was asked to adjudicate similar matters under recourse to the European
Convention on Human Rights’ (ECHR) right to privacy.71 The competition between the
two European Courts in a highly topical area of law may have propelled Luxembourg to em-
brace a fundamental rights-protective stance that it did not advance in a comparable fashion
in other areas of EU law, for example on immigration matters.72 The Court of Justice also
found itself in competition with national courts, including national constitutional courts.
The German Constitutional Court, mindful of its pedigree in shaping German data protec-
tion law through its Volkszählungsurteil,73 which invented the fundamental right to infor-
mational self-determination, was initially reluctant to yield authority to Luxembourg in this
important domain. It deliberately avoided preliminary references on the Data Retention
Directive.74 But eventually, at least one of Karlsruhe’s two senates embraced the Court of
Justice’s authority on the fundamental right to data protection.75
Third, compared to other domains of internal market law, the dynamic was different due
to the lack of an explicit fundamental freedom guaranteeing the free movement of data
within the EU. In other regulatory domains, business interests invoked the four freedoms of
the internal market against existing discriminatory and regulatory barriers to transnational
commerce.76 Fundamental rights only played a secondary role whenever Member States
sought to justify their measures under recourse to fundamental rights, subject to the Court
of Justice’s proportionality analysis. In theory, businesses could have invoked the free move-
ment of services to challenge national data protection laws interfering with data-enabled
services. But this would have required an additional argumentative step (drawing the con-
nection between data and services) and no such case materialized before the EU harmo-
nized data protection law with the explicit aim of safeguarding personal data protection and
privacy.
70 Arts 7 and 8 EU Charter of Fundamental Rights.

71 Art 7 ECHR; see J Kokott and C Sobotta, ‘The Distinction between Privacy and Data Protection in the
Jurisprudence of the CJEU and the ECtHR’ (2013) 3 IDPL 222.
72 Contrast Cases C-410/10 and 493/10 N. [2011] ECR I-13905 with MSS v Belgium and Greece, Application no
30696/09 (ECtHR, 21 January 2011).
73 BVerfG Judgment of the Second Senate of 6 June 1983–2 BvR 209/83.
74 BVerfG Judgment of the First Senate of 2 March 2010–1 BvR 256/08.
75 BVerfG Order of the First Senate of 6 Nov 2019–1 BvR 276/17 (Right to be forgotten II). See M Wendel,
‘The Two-Faced Guardian—Or how One Half of the German Federal Constitutional Court Became a European
Fundamental Rights Court’ (2020) 57 CMLRev 1383.
76 See the chapters by O’Leary and Iglesias, Enchelmaier, and Snell, Chapters 16–18 this volume.
When the Court of Justice was confronted for the first time with a data protection issue—
in Stauder—it recognized the fundamental rights implications, in principle, but dismissed
them in highly deferential and cursory fashion.77 Fifty years later, the Court of Justice can
look back on an elaborate and increasingly self-referential data protection law jurispru-
dence,78 often with Thomas von Danwitz serving as judge rapporteur.79 In cases prior to the
Charter, the Court relied heavily on Strasbourg’s case law.80 In later cases, after the Charter
entered into force, Luxembourg increasingly avoided such references, despite the right to
privacy being contained in both the Charter and the ECHR, maybe to account for the lack

of an explicit right to data protection in the latter.
In Schecke, with Koen Lenaerts, later President of the Court, serving as judge rapporteur,
the Court of Justice took the hitherto unusual step of invalidating secondary EU law—a
transparency scheme under the common agricultural policy—for violating the rights to
data protection and privacy guaranteed by the Charter.81 Through this case, the Court sig-
nalled early on that it would take the Charter seriously, not just vis-à-vis the Member States
but also vis-à-vis the EU’s institutions, even and especially if important countervailing
interests were at stake which call for proper balancing. In this regard, there is a direct line
from Schecke, where the Court took issue with a general obligation to disclose the names of
subsidy recipients to Digital Rights Ireland, where the Court invalidated the Data Retention
Directive for general and hence disproportionate metadata retention requirements.82 As
Member States are subject to the same level of scrutiny within the ambit of EU law, na-
tional metadata retention policies suffered the same fate.83 The Court gradually narrowed
European data protection law’s national security carve outs, thereby further expanding its
judicial authority.84 And it did not shy away from striking down international agreements
for the sharing of passenger naming records and the arrangements for the transfer of per-
sonal data between the EU and US, despite the security and business interests at stake.85
The fundamental rights to data protection and privacy are not only levers for invalidation
and rhetoric devices with global reach,86 but also shape, constructively, the Court’s interpre-
tation of data protection law. The right to be delisted (often referred to as the ‘right to be for-
gotten’) that the Court of Justice recognized in Google Spain is maybe the best example for
a fundamental-rights-driven reinterpretation of an established data protection right—the
right to erasure.87 The Court declared emphatically that economic interests do not over-
ride data subjects’ fundamental rights but failed to account for the complexity arising from
77 Case 29/69 Stauder [1969] ECR 419.

78 M Brkan, ‘The Essence of the Fundamental Rights to Privacy and Data Protection: Finding the Way through
the Maze of the CJEU’s Constitutional Reasoning’ (2019) 20 GLJ 864.
79 Judge rapporteur in nine Grand Chamber cases (and counting) on the fundamental right to data protection.
80 See, eg, Case C-465/00 Rechnungshof v Österreichischer Rundfunk and Others [2003] ECR I-4989.
81 Cases C-92/09 and C-93/09 Volker und Markus Schecke and Eifert v Land Hessen [2010] ECR I-11063.
82 Cases C-292/12 and C-594/12 Digital Rights Ireland and Seitlinger EU:C:2014:238.
83 Cases C-203/15 and C-698/15 Tele2 Sverige and Watson EU:2016:970.
84 Case C-623/17 Privacy International EU:C:2020:790; Cases C-511/18, C-518/18, and C-520/18 La Quadrature
du Net EU:C:2020:791.
85 Opinion 1/15 EU-Canada PNR Agreement EU:C:2016:656; Case C-498/16 Schrems EU:2018:37. In the earlier
case on the initial EU-US PNR agreement, the Court did not reach proportionality analysis as it invalidated the
Commission’s decision on other grounds; see Case C-317/04 Parliament v Council [2016] I-4721.
86 See B Petkova, ‘Privacy as Europe’s First Amendment’ (2019) 25 ELJ 140. On the EU’s outward projection of
European data protection law see also Section C.2.
87 Case C-131/12 Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario
Costeja González EU:C:2014:317.
multipolar constellations in which multiple fundamental rights are being implicated.88
Inadvertently, the decision turned Google into the de facto arbiter of the competing inter-
ests.89 This is indicative for the institutional complexity of European data protection law in
practice.
3. THE INSTITUTIONALIZATION OF EUROPEAN DATA

PROTECTION LAW

The institutionalization of European data protection law differs from the institutional de-
faults of other domains of EU law in terms of institutional independence, structures for co-
ordination, and embeddedness in practice.
The national data protection laws of some Member States established a legacy of unusu-
ally powerful and independent data protection authorities, designed to confront national
governments’ increasing data collection and processing capacities. This institutional set-up
influenced the drafters of the DPD which decreed that each Member State had to have at
least one ‘supervisory authority’ which was to act ‘with complete independence’.90
This requirement turned out to be problematic for Member States which subjected their
data protection authorities to governmental oversight. When the Commission eventually
resorted to infringement proceedings to bring recalcitrant Member States in line, the Court
of Justice brushed aside concerns over democratic legitimacy and accountability of data
protection authorities and insisted on their complete independence.91 Austria even had to
change its constitution.92 The complete independence of data protection authorities that EU
data protection law demands also guards against their premature removal93 and influences
the evolving EU law on the independence of EU-mandated institutions more broadly.94
When the EU finally enacted its own data protection law it also created its own ‘com-
pletely independent’ supervisory authority in form of the European Data Protection
Supervisor (EDPS).95 The European Data Protection Supervisors Peter Hustinx (2004–
2014), Giovanni Buttarelli (2014–2019), and Wojciech Wiewiorowski (2019–) have used
their independence not only to control EU institutions’ data protection practices but also to
influence the evolution of EU data protection law.96 Their opinions on any legislative pro-
posal that touches on data protection issues, on questions of interpretation of existing data
protection law, and on controversial decisions by the European Commission, especially
with regard to adequacy findings, have been highly influential.
88 See, eg, U Kohl and D Rowland, ‘Censorship and Cyberborders through EU Data Protection Law’ in U Kohl
(ed), The Net and the Nation State: Multidisciplinary Perspectives on Internet Governance (Cambridge University
Press, 2017) ch 7.
89 Google’s ‘transparency reports’ disclose that 46.6 per cent of the delisting requests received between May 2014
and October 2020 were granted. Google only presents stylized example cases to explain its reasoning. See <trans-
parencyreport.google.com/eu-privacy> (<https://perma.cc/NGF5-CJVA>).
90 Art 28 DPD. Art 52 GDPR retains this language.
91 Case C-518/07 Commission v Germany [2010] ECR I-1885.
92 Case C-614/10 Commission v Austria EU:C:2012:631.
93 Case C-288/12 Commission v Hungary EU:C:2014:237.
94 Case C-257/19 Commission v Ireland EU:C:2020:541.
95 Regulation 45/2001 (n 42) Arts 1(2), 41, 44.
96 Anticipating this development, H Hijmans, ‘The European Data Protection Supervisor: The Institutions of
the EC Controlled by an Independent Authority’ (2006) 43 CMLRev 1313.
The EDPS also provides the secretariat for the European Data Protection Board (EDPB),
an institutional innovation that the GDPR created to succeed the Article 29 Working Party
on which the DPD had relied.97 A domain in which multi-jurisdictional fact patterns are
the norm calls for coordination, if not centralization, of the EU’s traditionally distributed
enforcement infrastructure. Moreover, the EU had promoted the GDPR to business stake-
holders, who were naturally concerned about the newly created sanctions regime, with the
promise that only one data protection authority (DPA) would be responsible for them (‘one
stop shop’).98 The reality turned out to be much more messy and complex. Member States

prevented what they viewed as undue centralization by entrusting the EDPB with binding
powers only in limited situations.99 The disparate enforcement priorities and uneven capacity
of national data protection authorities are evident and have led to rising tensions between data
protection hawks and doves which threatens the coherence and uniformity of European data
protection law. In January 2020, the French Commission nationale de l’informatique et des
libertés imposed a fine of €50 million against Google which had claimed that the Irish data
protection authority was the only competent authority under the ‘one-stop-shop’ principle.100
The French Conseil d’Etat upheld the CNIL’s decision without referring the case to the Court
of Justice,101 which will eventually have to resolve this familiar conflict between supranational
uniformity and national sovereignty.102
Another consequential institutional innovation of the GDPR concerns the require-
ment to install Data Protection Officers (DPOs) in most public authorities and in private
sector data controllers whose activity requires regular and systematic monitoring of data
subjects on a large scale.103 Empirical work prior to GDPR had found that privacy profes-
sionals within firms shaped ‘privacy on the ground’.104 By mandating the creation of DPOs
throughout the EU, the GDPR has created demand for interpreters and implementers of EU
law within companies on an unprecedented scale. Whether this and the GDPR’s novel insti-
tutional structure will improve the questionable compliance record of EU data protection
law remains to be seen. Institutional challenges are likely to proliferate as European data
protection law becomes increasingly enmeshed with other areas of European data law.105
B. EUROPEAN DATA LAW BEYOND DATA PROTECTION LAW
European data law has been constructed around data protection law. However, there is also
EU law that can be understood as European data law without being data protection law. As
alluded to in the introduction, such a distinction hinges on data protection law’s traditional
97 Art 29 DPD.
98 P Balboni, E Pelion, and L Scudiero, ‘Rethinking the One-Stop-Shop Mechanism: Legal Certainty and
Legitimate Expectation’ (2014) 30 Computer Law & Security Review 392.
99 Art 65 GDPR; see L Jančiūtė, ‘European Data Protection Board: A Nascent EU Agency or an
“Intergovernmental Club”?’ (2020) 10 IDPL 57.
100 O Tambou, ‘Lessons from the First Post-GDPR Fines of the CNIL against Google LLC’ (2019) EDPL 80.
101 Conseil d’Etat Judgment of 19 June 2020, No 430810 (Société Google LLC).
102 Case C-645/19 Facebook Ireland and Others (against the Belgium DPA) is pending before the Court.
103 Art 37 GDPR.
104 KA Bamberger and DK Mulligan, Privacy on the Ground: Driving Corporate Behavior in the United States and
Europe (MIT Press, 2015). But see AE Waldman, ‘Designing Without Privacy’ (2018) 55 Houston L Rev 659.
105 S Yakovleva, W Geursen, and A Arnbak, ‘Kaleidoscopic Data-Related Enforcement in the Digital Age’ (2020)
57 CMLRev 1461.
EUROPEAN DATA LAW BEYOND DATA PROTECTION LAW 915
focus on ‘personal data’. EU legislators eventually turned to ‘non-personal’ data as a reg-
ulatory object promising economic and societal benefits without being inhibited by data
protection constraints. These efforts culminated in the Regulation on the Free Flow of Non-
Personal Data (NPDR), which constitutes the first element of ‘European non-personal data
law’ and raises intricate line-drawing questions about its relationship to data protection
law.106
Other domains of European data law intersect with data protection law. This is the case
when the relevant law pertains to the same regulatory object—data, whether personal or

non-personal—while pursuing different regulatory objectives than data protection law.
The following section—after discussing the nascent European non-personal data law—
discusses two dimensions of European data law of such cross-cutting quality. European
data ownership and access to data laws, respectively, conceive of data as a regulatory object
that can be ‘owned’ and ‘accessed’, which leads to overlap and potentially conflict with data
protection law.
A more comprehensive reconstruction of European data law than possible within this
chapter would have to include at least two more composite domains of European data law.
One is European data security law, which combines elements of data protection law, tele-
communications law, and cybersecurity law. The other is the EU law of (digital) services
under which data can be a service in itself, or as a medium through which services are being
delivered, mostly via the Internet, within the EU’s still often analogue, but increasingly dig-
ital, single market.107
The relevant EU law governing these different dimensions of European data law is spread
across the established domains of data protection law, competition law, intellectual property
law, telecommunications law, internal market law, among others, each with their own con-
stituencies, trajectories, and path dependencies. Pulling these disparate strands together
reveals not only that European data law is more than data protection law. It also illustrates
how difficult it is to understand, (re)construct, and further develop the evolving European
data law as a coherent regime. This difficulty is likely to grow as Europe’s digitalization pro-
gresses and the EU continues to assert itself as a supranational data regulator.
Still, a certain geology of European data law is discernible whereby different layers of
variable age, thickness, and stability are being layered on top of one another.108 Data pro-
tection law forms the core of European data law and the European law-making institutions
are at pains to construct European data law around it without infringing upon this core,
which is supported, as we have seen, by powerful fundamental rights rationales. Intellectual
property law has played a similar role in providing well-established frames for property-
like protections of different kinds of data. Not much attention has been paid to the interac-
tion between these two dominant data law frames, perhaps with the exception of the debate
around ‘data ownership’ which can be construed on the basis of data protection and intel-
lectual property rationales.
106 Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the European Union
[2018] OJ 303/59.
107 A Digital Single Market Strategy for Europe, COM(2015)192 final. See D Adamski, ‘Lost on the Digital
Platform: Europe’s Legal Travails with the Digital Single Market’ (2018) 55 CMLRev 719.
108 This metaphor is inspired by JHH Weiler, ‘The Geology of International Law—Governance, Democracy and
Legitimacy’ (2004) 64 ZaöRV 547.
Regulatory interventions that seek to increase access to data, whether based on trans-
parency or economic rationales, are often in tension with data protection and intellectual
property law, which creates incentives to focus on non-personal data without attendant
property claims to separate the different domains of data law. While this inclination may
be understandable for reasons of legal certainty and political expediency, it seems doubtful
whether the intended separation between personal and non-personal data laws will be sus-
tainable in the long run and whether such a binary separation is desirable in the first place.

1. EUROPEAN NON-PERSONAL DATA LAW
The categorical distinction between personal and non- personal data is fundamental
109
for European data protection law. The GDPR is general, but not all-encompassing;
non-personal data is excluded from its scope of application. The GDPR clarified that
pseud-onymous data, where an alternative identifier is used, is within its scope of appli-
cation and hence subject to its requirements;110 only anonymous data escapes the GDPR’s
scope of application. The binary consequence of (non)application turns the threshold
question of what constitutes ‘personal data’ into a highly contentious issue as avoiding
‘personal data’ categorically might avoid the strictures of European data protection law. The
conditions under which data can be regarded as ‘anonymous’ are contested, with signifi-
cant variation in the views espoused by the various institutions engaged in the shaping of
European data protection law.111 The conundrum of defining ‘personal data’ is yet another
example of the intricate interplay between law and technology and the proper allocation of
risk in European data law. The potential of re-identification has grown due to technological
advances, making it ‘reasonably more likely’—in the words of the GDPR—that a natural
person may become (again) identifiable.112 The Court of Justice has so far only opined on
relatively straightforward cases that shed light on the question how much additional effort
was required to turn anonymous into personal data.113 The inverse situation of turning per-
sonal data into anonymous data has not yet been litigated before the Court.114
There is of course also data that has never been linked to a person (eg data about the
weather). Yet, some suggest that even this kind of non-personal data could potentially be
used to identify individuals due to rampant datafication, especially in highly technologized
urban environments (‘smart cities’). The prospect of synthetic data, that is data that has
been artificially generated, but is still meant to reflect reality (in some form), poses a com-
parable conundrum. If European data protection law applied to these categories of data, it
would become the data law of ‘everything’ and would likely overstretch its substantive and
procedural standards, let alone its enforcement capacity.115
109 Art 1, 2(1), 4(1) GDPR; Art 3(1) and 2(1)(a) DPD.
110 Art 4(5) GDPR.
111 M Finck and F Pallas, ‘They Who Must Not Be Identified—Distinguishing Personal from Non-Personal Data
under the GDPR’ (2020) 10 International Data Privacy Law 11. See Section A.3.
112 Recital 26 GDPR.
113 Contrast Case C-70/10 Scarlet Extended [2011] EU:C:2011:771, [51] (which held that a static IP address was
personal data) with Case C-582/14 Patrick Breyer [2016] EU:C:2016:779 (holding that a dynamic IP address was
personal data if the Internet service provider could identify the person).
114 But see Art 29 WP, Opinion 05/2014 on Anonymisation Techniques, 0829/14/EN WP 216.
115 N Purtova, ‘The Law of Everything. Broad Concept of Personal Data and Future of EU Data Protection Law’
(2018) 10 Law, Innovation and Technology 40.
The difficulty of distinguishing between personal and non-personal data in theory and
in practice, where mixed data sets containing both personal and non-personal data are
common, have led some to argue that European data law should abandon the binary dis-
tinction between personal and non-personal data in favour of a more holistic and more dif-
ferentiated regimes.116 European data law, however, went in a different direction.
In 2018, as part of its Digital Single Market strategy, the EU adopted a regulation on the
free flow of non-personal data (NPDR).117 The NPDR claims strict separation from data
protection law and, where such separation is not possible, data protection law prevails.118

In contrast to the GDPR, the NDPR does not have a fundamental rights rationale. Instead,
the NDPR is completely focused on the EU-wide mobility of non-personal data by limiting
the extent to which Member States may require data localization. It therefore fills a gap left
by the e-Commerce Directive whose country of origin principle does not help against do-
mestic data localization requirements.119 The NPDR’s lasting contribution to European data
law may lie in establishing non-personal data as a distinct category in law, ostensibly regu-
lated without regard to data protection concerns.
2. EUROPEAN DATA OWNERSHIP LAW
Jurisdictions around the world are trying to find answers to analytical and normative ques-
tions of data ownership. The EU is no exception. While this situation is sometimes lamented
as unsustainable legal uncertainty, it reflects the complexity and breadth of digitalization,
which legal systems ought to reflect. It is relatively trivial that property rights exist for the
land on which data centres reside, for the computers, large and small, that process data, for
the cables through which data is transmitted, and for the physical media on which data is
stored. These data-related property questions are governed by Member States’ domestic law
as the EU is barred by the Treaties to interfere with Member States’ property regimes.120 The
critical question, however, is not whether property rights exist with regard to the physical
infrastructure necessary for data generation, storage, transfer, and use, but whether pro-
perty rights do or should also attach to data as such. In economic theory, data is often cat-
egorized as a public good, since consumption is non-rival and non-excludable.121 But law
can make data excludable by virtue of intellectual property rights and in practice data is
often controlled as if it was property.
Since data is intangible, intellectual property law has been the main legal framework
through which insular data ownership claims have been developed under EU law. Some
have suggested that certain data protection rights should be understood as akin to data
116 I Graef, R Gellert, and M Husovec, ‘Towards a Holistic Regulatory Approach for the European Data
Economy: Why the Illusive Notion of Non-Personal Data is Counterproductive to Data Innovation’ (2020) 44
ELRev 605.
117 Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the EU [2018] OJ L303/
59 (NPDR).
118 Recital 8, Art 2(2), 3(1) NPDR.
119 Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic com-
merce, in the Internal Market [2000] OJ L178/1.
120 Art 345 TFEU. But see on its limited impact in practice D Caruso, ‘Private Law and Public Takes in European
Integration: the Case of Property’ (2004) 10 ELJ 751.
121 N Duch-Brown, B Martens, and F Mueller-Langer, ‘The Economics of Ownership, Access and Trade in
Digital Data’ JRC Digital Economy Working Paper (2017).
ownership rights.122 But data protection law and intellectual property law follow ultimately
different logics,123 despite certain functional similarities. Data protection law’s right to era-
sure and the right to data portability may seem analogous to the right to destroy or transfer
one’s property, but they are ultimately grounded in informational self-determination, not
property theory.
Certain categories of data are subject to intellectual property (IP) protection under the es-
tablished IP rights of copyright and trade secrecy, but such protection is not comprehensive.
The EU has been gradually harmonizing copyright law to confront the ‘challenge of tech-

nology’ since the early 1990s.124 Copyright, however, only protects the original expression
of an idea in the form of creative works. To the extent to which data is the result of such
human ingenuity, copyright protection covers, quite naturally, texts, images, or audio-visual
recordings in their digital forms and collections of such works. However, much commer-
cially valuable data lacks the properties that copyright law conventionally requires. What is
being valued and for what protection is being sought is not the expression of information,
but the information itself. Some databases are being assembled in creative ways that may
qualify for copyright protection. But many databases are not covered under this standard.
To address this (perceived) problem, the EU enacted its 1996 Database Directive.125 The
Directive established a ‘sui generis’ right to reward European creators of databases for the
‘substantial investment’ they made by protecting them against unauthorized extraction
and/or re-utilization.126 The Database Directive created a peculiar separation between the
database, which is the regulatory object being protected, and the data contained therein,
which is not being protected. Accordingly, the investment required to obtain protection
must relate to the creation of the database, not the creation of the data.127 While certainly
advantageous for certain database creators, the Database Directive does not seem to have
contributed significantly to the development of a European database industry, let alone the
European digital economy more broadly.128 In practice, regardless of sui generis database
protection, commercial entities assign their rights and obligations largely through con-
tract,129 about which EU law is mostly silent, unless the contract is with a consumer.130
To harmonize disparate domestic laws and to advance its Digital Single Market agenda,
the EU enacted a Directive on the protection of undisclosed know-how and business infor-
mation (trade secrets) in 2016.131 Trade secrecy protection potentially covers vast amounts
of data as any information that is commercially valuable and kept secret is protected.132
122 See, eg, JM Victor, ‘The EU General Data Protection Regulation: Toward a Property Regime for Protecting
Data Privacy’ (2013) 123 Yale LJ 513.
123 D Liebenau, ‘What Intellectual Property Can Learn from Informational Privacy, and Vice Versa’, (2016)
HLJT 285.
124 These efforts date back to the 1988 Green Paper on Copyright and the Challenge of Technology, COM(1988)
172 final.
125 Directive 96/9/EC on the legal protection of databases [1996] OJ L77/20 (Database Directive).
126 Art 7 Database Directive.
127 Case C-46/02 Fixtures Marketing [2004] ECR I-10365.
128 The Commission’s 2018 evaluation of the Database Directive concluded: ‘As in 2005, the sui generis
right continues to have no proven impact on the production of databases’ (acknowledging limited evidence),
SWD(2018)146 final, [19].
129 Case C-30/14 Ryanair EU:C:2015:10.
130 Directive (EU) 2019/770 on certain aspects concerning contracts for the supply of digital content and digital
services [2019] OJ L136/1.
131 Directive (EU) 2016/943 on the protection of undisclosed know-how and business information (trade
secrets) against their unlawful acquisition, use and disclosure [2016] OJ L157/1.
132 J C Fromer, ‘Machines as the New Oompa-Loompas: Trade Secrecy, the Cloud, Machine Learning, and
Automation’ (2019) 94 NYU L Rev 706.
Trade secrecy protection, however, falls short of full property protection. The most signif-
icant shortcoming, from the perspective of business interests, is that the protection is lost
if the data is no longer secret. However, trade secrecy protection can be useful to counter
access to data claims.
3. EUROPEAN ACCESS TO DATA LAWS

European access to data laws regulate who gets access to what data under what terms. While
data protection law eschews a categorical separation between publicly and privately held
data, that principal distinction is quite consequential for access to data rights under EU
law. Such rights can be problematic both from data protection and data ownership perspec-
tives. It is hence unsurprising that the Court of Justice was repeatedly asked to resolve these
tensions.
Access to data is a deliberately broad term that encompasses both general disclosure and
transparency obligations and individual access to data rights. The key idea is that a data
holder is required to make data available to someone else. In contrast to data ownership
claims, which are a legal mechanism to ‘close’ data, access to data rights and obligations can
be said to ‘open’ data.
In the early 2000s, the EU began to enact legislation designed to make data held by public
institutions available to the public. These efforts were often justified as instruments to ad-
vance transparency and ultimately accountability, but also furthered commercial interests
benefitting from more widespread access to data. In 2001, the EU used a new competence
granted by the 1997 Treaty of Amsterdam to enact a new regulation on access to documents
held by the European Parliament, Council, and Commission.133 The explicit regulatory
object are documents, but the information that these documents contain, can, of course,
be subject to data protection or intellectual property protections.134 EU institutions must
refuse access to documents in these instances.135 This generates considerable tension be-
tween constitutive elements of European data law, since the right of access to public docu-
ments in whatever form is also recognized in the EU Charter of Fundamental Rights.136 The
Court of Justice has emphasized the need to take data protection concerns seriously when
granting access to documents (or, indeed, not).137 Access to documents held by Member
States governments is principally governed by national law, but a curious exception exists
for access to environmental information.138 In any case, Member States ought to respect
European data law limits stemming from EU data protection and intellectual property law,
when making data available to individuals or the public. Broad disclosure requirements,
133 Regulation (EC) No 1049/2001 regarding public access to European Parliament, Council and Commission
documents [2001] OJ L145/43, based on then Art 255 TEC, now Art 15 TFEU. See S Peers, ‘The New Regulation on
Access to Documents: A Critical Analysis’ (2001) 21 YEL 385.
134 See the EDPS opinion on a (failed) proposal for a new regulation regarding public access to Parliament,
Council, and Commission documents [2009] C2/7, [11–18].
135 Arts 4(1)(b), 4(2) Regulation (EC) No 1049/2001.
136 Art 41 EU Charter of Fundamental Rights.
137 Case C-28/08 P Commission v Bavarian Lager [2010] ECR I-6055.
138 Council Directive 90/313/EEC on the freedom of access to information on the environment [1990] OJ L158/
56; now Directive 2003/4/EC on public access to environmental information [2004] OJ L41/26. See S Bugdahn, ‘Of
Europeanization and Domestication: The Implementation of the Environmental Information Directive in Ireland,
Great Britain and Germany’ (2005) 12 JEPP 177.
even in the context of providing accountability and oversight, run easily afoul of the funda-
mental right to data protection.139
Traditional access to documents is not the only route through which publicly held data
has been increasingly made available under EU law. Since the 1980s, the Commission had
sought to leverage ‘synergies’ between the public and private sector, reflecting the senti-
ment that the former should support the latter, while bracketing the question whether such
support should be remunerated in some form.140 The effort stalled until the early 2000s,141
when the EU passed a Directive on the ‘re-use’ of public sector information.142 This strand

of European data law emphasizes the commercial value of public sector documents, lever-
aging data’s non-rival nature which necessitates confronting data enclosures that public
sector entities might have agreed to contractually with private sector third parties. Phasing
out such arrangements turned out to be a major challenge. In 2019, the EU adopted the
Open Data Directive, succeeding the PSI Directive, which envisages that exclusive arrange-
ments will persist way into the 2040s, even in cases in which they are not justified by public
interest concerns.143 The other challenge to increased re-use that the Open Data Directive
seeks to address is lack of standardization and resulting barriers to interoperability. Hence,
the Directive decrees that documents are, in principle, to be made available by electronic
means in formats that are open, machine-readable, accessible, findable, re-usable, and in-
clude metadata, in accordance with formal open standards.144 This reflects a growing recog-
nition that European data law needs to find ways to reduce the risk that the law’s regulatory
objectives are being circumvented or thwarted by technological means.145
This challenge appears to be particularly prominent regarding privately held data, as evi-
denced by the limited uptake of the right to data portability that the GDPR introduced.146
The right to data portability is an evolution of the traditional right of access to one’s personal
data.147 Even though data subjects have the right to transmit ‘their’ personal data directly
from one controller to another ‘where technically feasible’, the law does not compel data
controllers to make it technically feasible. Web-based Application Programming Interfaces
(APIs) are crucial gateways to facilitate data sharing, but EU law has largely assumed their
existence instead of demanding it and regulating the technological terms of access.148 The
result is that the infrastructure necessary for effective data portability is being developed
and controlled by the entities that are the main target of the data portability requirement.149
139 Cases C-29/09 and C-93/09 Volker and Markus Schecke and Eifert Case [2010] I-11063; Case C-465/00
Österreichischer Rundfunk and Others [2003] ECR 2003 I-4989. See also Section A.2.
140 Guidelines for improving the synergy between the public and private sectors in the information market
(Office for Official Publications of the European Communities, 1989).
141 See K Janssen and J Dumortier, ‘Towards a European Framework for the Re-Use of Public Sector
Information: A Long and Winding Road’ (2013) 11 IJLIT 184.
142 Directive 2003/98/EC on the re-use of public sector information [2003] OJ L345/90 (PSI Directive).
143 Directive (EU) 2019/1024 on open data and the re-use of public sector information [2019] OJ L172/56 (Open
Data Directive), Art 12(5).
144 Art 5 Open Data Directive.
145 I Brown, ‘Interoperability as a Tool for Competition Regulation’ (30 July 2020), preprint available at <https://
osf.io/preprints/lawarxiv/fbvxd> 34–37.
146 Art 20 GDPR.
147 Art 12 DPD; Art 15 GDPR.
148 O Borgogno and G Colangelo, ‘Data Sharing and Interoperability: Fostering Innovation and Competition
through APIs’ (2019) 35 Computer Law & Security Review 105314.
149 See the Data Transfer Project operated by Apple, Facebook, Google, Microsoft, and Twitter: <https://data-
transferproject.dev>.
Data protection law is not the only strand of European data law that requires data sharing
as various regimes of EU law compel businesses to make data available to regulators, com-
petitors, or consumers.150 These disparate rules follow different logics, but all confirm the
centrality of access to data for regulatory oversight, competition, and consumer protection.
Access to data for regulatory purposes has been a central tenet of the EU’s complex reg-
ulatory regimes for chemicals and pharmaceuticals. The EU’s system for the Registration,
Evaluation, Authorization, and Restriction of Chemicals (REACH) includes extensive data
sharing commitments with regulators and among competitors to reduce the need for envi-

ronmentally and financially costly recreation of testing data.151 Chemical producers share
the requisite data with the European Chemicals Agency (ECHA) and with their competi-
tors via Substance Information Exchange Fora (SIEFs). The European Medicals Agency
(EMA) operates a similarly data-driven regulatory regime for medicinal products.152 Once
data is being submitted to these regulators, they become subject to the public access to doc-
ument requirements, which necessitates careful balancing between public access and busi-
ness interests in commercial secrecy.153
In some sectors, the EU has mandated data sharing directly between businesses (B2B)
or with consumers (B2C). This data law at the intersection of competition and consumer
protection law is still nascent, but may grow in importance in future.154 Challenging private
control over data by mandating data sharing raises concerns from the perspective of data
protection law (as far as personal data is at issue), which relies on the relationship between
data subject and data controller. As strict separation is impossible, EU law in these domains
tends to integrate data protection law principles, often at the urging of the European Data
Protection Supervisor, thereby spreading and entrenching core data protection law con-
cepts in different areas of EU law. In the banking sector, the 2nd Payment Service Directive
requires banks to grant third party access to account information.155 In the automotive
sector, car manufacturers must make vehicle repair and maintenance information available
to independent car dealers and repair shops.156 In the transport sector, the Commission has
created a wide array of data sharing requirements with public regulators, private entities,
and the public, often facilitated by and funnelled through national data access points.157 In
some of these instances, the separation between public and private sector data is breaking
down, as much public sector data is ultimately being provided by the private sector. In the
150 I Graef, M Husovec, and J van den Boom, ‘Spill-Overs in Data Governance: Uncovering the Uneasy
Relationship between the GDPR’s Right to Data Portability and EU Sector-Specific Data Access Regimes’ (2020) 9
EuCML 3.
151 Regulation (EC) No 1907/2006 concerning the Registration, Evaluation, Authorisation and Restriction of
Chemicals (REACH), establishing a European Chemicals Agency [2006] OJ L396/1.
152 Regulation (EC) No 726/2004 laying down Community procedures for the authorisation and supervision of
medicinal products for human and veterinary use and establishing a European Medicines Agency [2004] OJ L136/
1.
153 Case C-390/13 P(R) EMA v InterMune UK EU:C:2013:795.
154 See Section D.1.
155 Directive (EU) 2015/2366 on payment services in the internal market [2015] OJ L337/35.
156 Regulation (EC) No 715/2007 on type approval of motor vehicles with respect to emissions from light pas-
senger and commercial vehicles (Euro 5 and Euro 6) and on access to vehicle repair and maintenance information
[2007] OJ L171/1.
157 The Commission is making use of delegated acts based on Directive 2010/40/EU on the framework for the
deployment of Intelligent Transport Systems in the field of road transport and for interfaces with other modes of
transport [2010] OJ L207/1. See, eg, Commission Delegated Regulation (EU) 2017/1926 supplementing Directive
2010/40/EU with regard to the provision of EU-wide multimodal travel information services [2017] OJ L272/1.
energy sector, EU law mandates data sharing by gas and electricity providers not just with
regulators, but also with consumers and competitors.158
These new data laws are indicative of an expansion of the salience of data not just for
regulatory oversight, but also for competition and consumer protection. This creates chal-
lenges not just for the interaction with data protection and intellectual property law, but
also for the recalibration of competition and consumer protection law itself.
Competition law has its own instrument to force data sharing—the essential facilities
doctrine.159 Data concentration concerns have also appeared in merger proceedings, where

data sharing commitments may be made as a concession to get clearance.160 The Facebook/
WhatsApp merger is exemplary of the limitations of conventional competition law analysis
and the (often intentional)161 inscrutability of the tech sector.162 The Commission cleared
the merger, but later imposed fines against Facebook for making misleading statements
about its ability to match Facebook and WhatsApp user accounts.163 The German com-
petition authority found that Facebook abused its dominant market position and ordered
Facebook to refrain from aggregating personal data across its services.164 This decision is
remarkable for its integration of data protection law analysis into competition law analysis,
which the Commission had rejected in its merger decision.165
Mandatory data sharing is not the only remedy against data concentration. Preventing
such concentration in the first place is also a viable strategy for European data law. The
major platforms, operating two-sided markets with attendant network effects and vast data
collection capabilities, have been identified as the main target for such interventions, but
the EU’s 2019 platform Regulation opts for a relatively timid approach.166 Platforms are re-
quired to disclose to their business users which data they collect about them or their users.
Sharing such data is left to contractual negotiations, in which competition law rationales
might be leveraged to compel expanded access to data while data protection law cautions
against such data sharing as far as personal data is at issue.
EU consumer protection law has a long history of requiring disclosure to improve con-
sumer information and to avoid stricter regulatory measures that might impede the free
movement of goods and services within the EU’s internal market.167 The prerequisite and
highly standardized consumer information used to be attached to a product (labelling) or
158 Directive (EU) 2019/944 on common rules for the internal market for electricity [2019] OJ L158/125;
Directive 2009/73/EC concerning common rules for the internal market in natural gas [2009] OJ L211/94.
159 I Graef, EU Competition Law, Data Protection and Online Platforms: Data as Essential Facility (Wolters
Kluwer, 2016).
160 Relevant cases include Case COMP/M.4854 TomTom/TeleAtlas [2008] OJ C237/53; Case COMP/M.6314
Telefonica/Vodafone/EE [2012] OJ C66/122; Case COMP/M.7023 Publicis/Omnicon [2014] OJ C84/112.
161 F Pasquale, The Black Box Society: The Secret Algorithms That Control Money and Information (Harvard
University Press, 2015).
162 Case COMP/M.7217 Facebook/WhatsApp C(2014)7239 final. The Commission only analysed data concen-
tration that would potentially strengthen Facebook’s position in online advertising—ignoring spill-over effects
and broader concerns arising from data concentration.
163 Case COMP/M.8228 Facebook/WhatsApp C(2017)3192 final.
164 Decision of 6 February 2019, B6-22/16 (<https://perma.cc/TZR5-KFB9>); upheld in preliminary proceed-
ings by the German Federal Court of Justice, decision of 23 June 2020, KVR 69/19.
165 Facebook/WhatsApp (n 162) [164]: ‘Any privacy-related concerns flowing from the increased concentration
of data within the control of Facebook as a result of the Transaction do not fall within the scope of the EU competi-
tion law rules but within the scope of the EU data protection rules.’
166 Art 9 Regulation (EU) 2019/1150 on promoting fairness and transparency for business users of online inter-
mediation services [2019] OJ L186/57Cas.
167 Directive 2011/83/EU on consumer rights [2011] OJ L304/64; Regulation (EU) No 1169/2011 on the provi-
sion of food information to consumers [2011] OJ L304/18. See Weatherill, Chapter 28 this volume.
THE GLOBALIZATION OF EUROPEAN DATA LAW 923
got buried in contracts that hardly any consumer ever reads. Datafication raises the pros-
pect of more data-driven and more accessible consumer information, including in more
granular or even ‘personalized’ ways.168 As with data portability, data protection law and,
to a lesser extent, intellectual property law will be invoked to counter such initiatives.
Reconciling tensions between data protection law, competition law, and consumer protec-
tion law will remain a major challenge for European data law going forward.

C. THE GLOBALIZATION OF EUROPEAN DATA LAW
The expansion of the Internet since the 1990s has enabled unprecedented global intercon-
nectedness. Data is being transmitted through interconnected networks that do not align
with territorial borders, are often managed by multinational entities, and establish con-
nections between nodes in different jurisdictions. When jurisdictions seek to assert their
data laws, they need to navigate the mismatch between mono-jurisdictional regulation of
data and complex infrastructures that enable multi-jurisdictional data flows. As we have
seen, European data law has responded to this challenge by creating supranational frame-
works for data flows within the EU, thereby suppressing potentially conflicting attempts by
Member States to regulate data. At the same time, EU data law had to confront the reality
that data might leave the EU’s territory, raising the question of how to establish effective
jurisdictional control over a regulatory object as mobile as data. EU law has resorted to
three interrelated mechanisms to establish jurisdictional control over data beyond the EU’s
borders.
First, the expansive interpretation of the DPD’s territorial scope of application by the
Court of Justice and its codification in the GDPR seeks to ensure that the EU’s data protec-
tion law applies even if personal data of European data subjects is being processed outside
the EU. Second, the GDPR’s dedicated rules for transfers of personal data from the EEA to
third countries seek to ensure an adequate level of data protection after transfer; function-
ally similar reciprocal arrangements were also foreseen in the Database Directive. Third,
the EU has been negotiating international agreements in certain specialized areas of data
protection law to ensure data protection standards akin to those guaranteed within the EU.
The EU resisted attempts by the US to expand the Silicon Valley Consensus of regulatory
uninhibited (‘free’) data flows in instruments of international economic law. After intense
internal debates, the Commission eventually adopted a new template for rules in trade
agreements that seeks to reconcile the EU’s economic interest in cross-border data flows
with its interest in protecting its data protection regime from external scrutiny.
These legal mechanisms alone cannot explain, however, why the EU has assumed the
role of a de facto global data regulator. Its rule-making efforts in the digital domain are often
followed by multinational corporations everywhere, even when such global compliance is
not legally required—a dynamic that Anu Bradford has theorized as the (de facto) ‘Brussels
Effect’.169 Moreover, jurisdictions around the world have been adopting data protection
168 C Busch and A de Franceschi, ‘Granular Legal Norms: Big Data and the Personalization of Private Law’ in V
Mak et al (eds), Research Handbook in Data Science and Law (Edward Elgar, 2020).
169 Anu Bradford, The Brussels Effect: How the European Union Rules the World (Oxford University Press, 2020).
laws with comparable structure, concepts, and content to the GDPR and the EU has the am-
bition to play a similar role with its future data laws.170
However, the globalization of European data law is not without limits. The Court of
Justice recognized that requiring implementation of European data laws globally was not
generally warranted. The Commission’s handling of the adequacy assessment process has
been criticized as uneven. Its high-profile adequacy arrangements with the US did not sur-
vive the Court of Justice’s scrutiny twice; the initial passenger name records (PNR) accords
with Canada and the US suffered a similar fate. Uptake of the Database Directive’s reci-

procity provision has been muted. Moreover, while the Brussels Effect is theoretically well
established, EU data protection law’s questionable compliance record casts doubts on com-
panies’ assertions of compliance with EU law, especially when such compliance is voluntary.
Moreover, once European data laws becomes too cumbersome for global implementation,
corporations might decide to forego the European market or split their products (as they
already do to operate within mainland China). This dynamic would also spill over into the
diffusion of European data law. While it is true that many jurisdictions have come to adopt
EU-style data protection laws, to what extent these laws actually resemble the EU’s regime
in practice is not beyond doubt. Finally, while the EU has been able to resist the Silicon
Valley Consensus, other countries continue to incorporate rules into new instruments of
international economic law that are fundamentally in tension with the EU’s model of an in-
ternationally differentiated data governance. This section will analyse these dynamics and
their interplay over time.
1. NON-TERRITORIAL APPLICATION AND THE LIMITS OF

EUROPEAN DATA LAW
European data law has gradually moved away from territoriality to establish jurisdictional
authority.171 The DPD required Member States to apply the harmonized data protection law
when the data controller was either established on their territory or used equipment there
situated (unless solely used for transit).172 What if an entity established in the EU was not
engaged in the processing of personal data while its parent company processed personal
data on equipment located outside the EU? The Court of Justice was confronted with this
question in Google Spain, a case more famous for establishing a right to be delisted from
search results.173 Its answer turned on the question whether the data processing carried out
by Google Inc was in ‘the context of ’ its subsidiary Google Spain promoting and selling ad-
vertising space in the EU. As so often in data protection cases, the Court opted for a broad
approach, invoking the need for protecting individuals’ fundamental rights and preventing
circumvention.174 The Court realized that Google operates as an economic whole. Its ad-
vertising business is targeted to the European market and inextricably linked to its global
170 See Section D.

171 This is in line with a general shift in EU law; see J Scott, ‘Extraterritoriality and Territorial Extension in EU
Law’ (2013) 62 AJCL 87.
172 Art 4 DPD.
173 See Section A.2.
174 Case C-131/12 Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario
Costeja González EU:C:2014:317, [45]–[60].
search engine, irrespective of their technical separation by corporate form or location of
data processing.
The GDPR effectively codified this approach in a way that is often described and some-
times criticized as ‘extraterritorial application’. Such critique takes issue with the application
of EU law outside the EU’s territory, but often fails to establish (rather than simply assume)
why territoriality, a contested juridical concept anyway, ought to be or remain a relevant
criterion for data regulation by law.175 Moreover, the various prongs of the GDPR’s scope
of application all require some connection to the EU: when firms are established in the EU,

they have to comply with the GDPR anywhere.176 If companies are not established in the
EU, they are still bound by the GDPR if they offer goods and services to people within the
EU or monitor their behaviour.177 The latter approach is convincing for any law designed
to protect the rights of humans within Europe—why should it matter where the processing
of their data takes place? Thus, the GDPR’s approach is likely to be replicated in future
European data laws with comparable objectives. Contrast, however, the 1993 Database
Directive, a European data law from a different era, which sought to confer an economic
advantage to European creators and made global expansion conditional on the conclusion
of international agreements that ultimately failed to materialize.178
The GDPR’s broad scope of application, regardless of territory, does not mean, however,
that its implementation must be universal. This question was at issue in Google v CNIL, a
successor case to Google Spain.179 The French Commission nationale de l’informatique et
des libertés asserted that Google had to de-list links universally. Google refused and sought
to limit the GDPR’s scope of implementation to European country-code domain extensions
(including .fr) and to searches conducted by users within France. The case is instructive of
the difficulty to align jurisdictional boundaries—territorial and otherwise—with Internet
infrastructures, resulting in a trilemma between national sovereignty, the Internet’s global-
ity, and individual rights protection. It remains an unresolvable conundrum: either EU law
limits its scope of implementation by domain, location, or some other criteria, in which case
the rights and protections conferred by the GDPR remain equally limited in practice. In the
case of the right to be delisted, the information remains accessible via other domains and for
users’ searching from outside EU territory. The possibility to use virtual private networks
(VPNs) to pretend accessing the Internet from a different location compounds the problem
further. However, the universalist solution—to require implementation globally—while
ensuring maximalist rights protecting from a European perspective, forces the EU’s deter-
mination of how the competing interests are to be reconciled onto the rest of the world. The
Court of Justice ruled salomonically that the GDPR did not require globally uniform imple-
mentation, but also held that it did not prohibit such orders if deemed necessary by national
data protection authorities or courts.180
The related case of Eva Glawischnig-Piesczek v Facebook raised a similar issue: did the
e-Commerce Directive prevent courts of Member States from ordering the removal of
175 See on the ‘tyranny of territoriality’ DJB Svantesson, Solving the Internet Jurisdiction Puzzle (Oxford
University Press, 2017) ch 2.
176 Art 3(1) GDPR.
177 Art 3(2) GDPR.
178 Art 11 Database Directive. See M Powell, ‘The European Union’s Database Directive: An International
Antidote to the Side Effects of Feist?’ (1996) 20 Fordham Int’l LJ 1215.
180 Case C-507/17 Google v CNIL EU:C:2019:772.
information (including identical and equivalent information)181 from social media plat-
forms? The Court found that EU law did not preclude injunctions with worldwide effects
but gestured, somewhat obliquely, to ‘rules applicable at the international level’ which
Member States’ courts had to take into account when imposing such global injunctions.182
While both cases were ostensibly about the worldwide effects of EU data law, their reso-
lution also affects implementation within the EU. The Court pointed to the GDPR’s mech-
anisms to ensure coherence within the EU to prevent divergent decisions by national data
protection authorities and courts. A comparable mechanism is lacking in other areas of EU

data law, raising the possibility that individual determinations by national courts will not
just implicate the availability of information outside the EU but also within the EU. There is
no perfect solution to this trilemma as the Internet infrastructure enables global intercon-
nectivity while the relevant norms, laws, and values continue to differ around the world and
even within the EU.
2. THE REGULATION OF OUTWARD TRANSFERS OF DATA
The DPD built on antecedents in national data protections laws in creating a dedicated re-
gime for transfers of personal data from the EU to third countries, which the GDPR re-
fined and extended to transfers of personal data to International Organizations.183 These
additional rules for international transfers of personal data are the external corollary to the
ban on restrictions on transfers of personal data within the EU. Their logic and rationale
have been questioned since their inception.184 Other international instruments—such as
the OECD guidelines or the Council of Europe’s Convention No 108—did not include a
restriction specifically for transfers of personal data to other countries. The most plausible
explanation is anti-circumvention: if personal data could be transferred from the EU to
other countries without additional safeguards, how could European data protection law be
effectuated abroad?
The solution that EU law has pioneered is to require an ‘adequate’ level of protection by
the jurisdiction to which personal data is being transferred.185 The Commission has been
tasked with making this determination and its decisions can be reviewed by the Court of
Justice. From 2000 onwards, the Commission gradually recognized a number of juris-
dictions as providing an adequate level of data protection, including Switzerland (2000),
Canada (2001, albeit limited to commercial organizations), Argentina (2003), Israel (2011),
Uruguay (2012), and New Zealand (2013).186
The US posed a challenge as its sectoral approach to data privacy differs conceptually
from the EU’s general approach to data protection. Despite lamentations by US observers to
the contrary, it seemed evident—from a European perspective—that the US did not provide
181 D Keller, ‘Facebook Filters, Fundamental Rights, and the CJEU’s Glawischnig-Piesczek Ruling’ (2020) 69
GRUR Int’l 616.
182 Case C-18/18 Eva Glawischnig-Piesczek v Facebook EU:C:2019:821.
183 Chapter IV DPD; Chapter V GDPR; see Section A.1.
184 C Kuner, Transborder Data Flows and Data Privacy Law (Oxford University Press, 2013); W Kuan Hon, Data
Localization Laws and Policy (Edward Elgar, 2017).
185 Art 25 DPD; Art 45 GDPR.
186 Adequacy decisions available at <https://ec.europa.eu/info/law/law-topic/data-protection/international-
dimension-data-protection/adequacy-decisions_en> (<https://perma.cc/Z6Z4-9BN9>).
an adequate level of data protection. Mindful of the commercial and strategic interests
implicated by transatlantic transfers of personal data from the EU to the US, the European
Commission negotiated the Safe Harbor Privacy Principles with the US Department of
Commerce. Under this self-certification framework, US organizations pledged to afford a
certain set of data protection rights to European data subjects, including notice and choice
(opt-out for personal information, opt-in for sensitive information), rights to access infor-
mation and correct, amend, or delete it where inaccurate as well as guarantees of data secu-
rity and data integrity. Satisfied with these additional safeguards, the Commission awarded

adequacy status to the US in July 2000.187 While lauded by business interests dependent on
unimpeded transfers of personal data, data protection and privacy advocates raised con-
cerns about a lack of compliance by US corporations and a lack of transparency and enforce-
ment by the US authorities. The European Commission dutifully recorded those concerns
in a series of reports reviewing the Safe Harbor framework, culminating in two 2013 com-
munications that laid out the weaknesses of the regime.188 Earlier that year, the revelations
of Edward Snowden about US surveillance practices had shattered trust in the US’s role as
benevolent Internet hegemon and implicated US Internet corporations on whose cooper-
ation the US national security apparatus relied. Despite these developments, the European
Commission refrained from revoking its adequacy decision. Meanwhile, the Austrian law
student and data protection activist Max Schrems had started proceedings against Facebook
by asking the Irish Data Protection Commissioner to prohibit Facebook Ireland from trans-
ferring his personal data to the US. On reference by the Irish High Court, the Court of
Justice annulled the Commission’s adequacy decision, in light of the fundamental rights to
data protection, privacy, and effective remedies that the EU Charter of Fundamental Rights
provides.189 The Court clarified that ‘adequate’ meant ‘essentially equivalent’, thereby ratch-
eting up the standard of protection required and commensurably reducing the discretion
available to the European Commission.190
Frantic negotiations ensued to replace the Safe Habor Principles and to provide a new
legal basis for continued transfers of personal data from the EU to the US. The Commission
negotiated in the shadow of the Court of Justice’s judgment and under a deadline the Article
29 Working Party had invented to allow for a grace period during which no enforcement
action would be taken. Despite these favourable circumstances, the Commission’s push
for fundamental change was met with stiff resistance by their US counterparts, especially
regarding questions of national security.191 The eventual compromise—euphemistically
termed ‘Privacy Shield’—addressed only the most glaring deficiencies of the Safe Harbor
arrangement. To compensate for foreigners’ lack of standing in US courts when chal-
lenging surveillance measures, an ombudsperson was installed within the US Department
of State. Despite misgivings by other European data protection institutions,192 the Council
187 Commission Decision 2000/520/EC on the adequacy of the protection provided by the safe harbour privacy
principles and related frequently asked questions issued by the US Department of Commerce [2000] OJ L215/7.
188 Rebuilding Trust in EU-US Data Flows, COM(2013)846 final; Communication on the Functioning of the
Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU, COM(2013) 847 final.
189 Case C-362/14 Schrems ECLI:EU:C:2015:650.
190 ibid [73].
191 H Farrell and AL Newman, Of Privacy and Power: The Transatlantic Struggle over Freedom and Security
(Princeton University Press, 2019).
192 See, eg, Article 29 Working Party, Statement on the decision of the European Commission on the EU-US
Privacy Shield.
eventually approved the Privacy Shield and the European Commission found the US to
provide an ‘adequate’ level of data protection, once again.193
Adequacy determinations are not the only legal basis under which personal data can be
transferred from the EU to third countries and international organizations.194 The prac-
tically most relevant instruments are binding corporate rules, which allow for data trans-
fers within a corporate group, and standardized data protection clauses, approved by the
European Commission and included in the contractual relationship between data subject
and data controller. After Max Schrems had brought down the Safe Harbor arrangement, he

took aim at these standard contract clauses on which Facebook, and countless other com-
panies, have come to rely to transfer personal data from the EU. After lengthy proceedings
in Ireland, during which the US government participated to defend its record, the case was
referred, again, to the Court of Justice. In July 2020, Luxembourg validated concerns about
the sustainability of the Privacy Shield by striking down yet another adequacy decision of
the European Commission.195 In light of the fundamental rights implications, the Court
emphasized that the GDPR’s regime for the transfer of personal data from the EU to other
countries was meant to ensure that the level of protection of natural persons was not being
undermined.196 Accordingly, additional safeguards had to eventually ensure a level of pro-
tection abroad that is comparable to the level of protection within the EU. Only on this
basis, did the Court let the Commission’s decision on standard contract clauses stand as
it did not preclude additional measures. This is of little solace to US businesses reliant on
transatlantic transfers of personal data: while they can encrypt data in transit to prevent
unauthorized access by intelligence agencies, they remain under obligations under US law
to furnish data in their possession that the Luxembourg Court deemed disproportionate.
It is not easy to see how this problem can be resolved as long as either side insists on its
approach. For some companies, for which transatlantic transfers of personal data are a
convenience rather than a necessity, data localization within the EU might be an option to
avoid the GDPR’s data transfer regime altogether.197 There remains some uncertainty about
what constitutes a ‘transfer’ as this issue was not raised during the Schrems litigation. The
Lindqvist case from 2001 suggested that mere uploading to a website hosted within the EU
was not a ‘transfer’ even if the website was accessible from outside the EU.198 The case, now
widely viewed as outdated, is illustrative of the general challenge to calibrate the relation-
ship between global technology and EU law. The regulation of outward transfers of per-
sonal data seems out of sync with the realities of global data flows. The fact that certain US
surveillance practices may reach data in Europe while being legally pre-empted in the US
is often recited by US observers to drive this point home.199 This critique misses, however,
that European data protection law, since the DPD and reaffirmed in the GDPR, assumes
that transfers of personal data outside the EU necessitate additional safeguards compared
to intra-EU data flows. Only legislative change can remove this assumption, not the Court
of Justice.
193 Commission Implementing Decision (EU) 2016/1250 on the adequacy of the protection provided by the
EU-US Privacy Shield [2016] OJ L207/1.
194 Art 46 GDPR.
195 Case C-311/18 Schrems II ECLI:EU:C:2020:559.
196 Art 44, clause 2 GDPR.
197 A Chander, ‘Is Data Localization a Solution for Schrems II?’ (2020) 23 JIEL 1.
198 Case C-101/01 Criminal proceedings against Bodil Lindqvist [2003] ECR I-12971.
199 See, eg, Peter Swire’s testimony in the proceedings before the Irish High Court, at 16, there n 72.
This is not to discount that the EU’s regulation of outward transfers of personal data im-
poses significant costs on businesses. While the Schrems litigation has focused on trans-
atlantic transfers of personal data, the Court’s pronouncements are valid for transfers of
personal data from the EU to any other third country or international organization. In light
of China’s rise in the global digital economy, it remains to be seen whether EU law will assert
itself as forcefully vis-à-vis Chinese entities that offer goods and services in Europe as it did
vis-à-vis the US.200
Despite questions about economic advisability and practical efficacy, the EU’s regulation

of outward transfers of personal data has become a staple of data protection laws that follow
the EU’s example. The more common this approach becomes, the more likely it is that the
EU will eventually find itself on the receiving end of ‘adequacy’ or ‘reciprocity’ demands
stipulated in other countries’ data laws. So far, only the adequacy determination of Japan
was stylized as ‘bilateral’ to camouflage the unilateral fashion in which the EU had pushed
Japan to adjust its data protection law.201 Even though often stylized as an international data
transfer regime, the EU’s data law is confined to the outward transfer of personal data. It
neither places restrictions on the inward transfer of personal data, nor does it apply to non-
personal data, for which the NPDR remains silent on international data transfers.
3. INTERNATIONALIZING EUROPEAN DATA LAW AND

RESISTING THE SILICON VALLEY CONSENSUS
The genesis of European data protection law benefitted from antecedents in international
law as it built on and incorporated elements from the relevant OECD guidelines and the
Council of Europe’s Convention 108.202 As European data protection law matured through
evolving practice, institutionalized interpretation, and case law, it became itself a focal point
for international efforts to harmonize data protection laws.203 The 2013 revision of the
OECD Privacy Guidelines referenced EU data protection law at length, even though it took
a more business-friendly stance overall and refrained from recommending restrictions
on cross-border transfers of personal data. The 2001 additional protocol to the Council of
Europe’s Convention 108 incorporated two major elements of European data protection
law—institutionally independent supervisory authorities and adequacy requirements for
cross-border transfers of personal data to third countries.204 The latter remains a point of
contention between countries that limit the transfer of personal data from their jurisdiction
and those who do not. This dispute is increasingly playing out in negotiations for new rules
on questions of global data governance in instruments of international economic law.
The World Trade Organization came into being in 1995 when the Internet’s global ex-
pansion and commercialization had just begun.205 Its work programme on electronic
200 M Rotenberg, ‘Schrems II, from Snowden to China: Toward a New Alignment on Transatlantic Data
Protection’ (2020) ELJ 1.
201 PM Schwartz, ‘Data Privacy: The EU Way’ (2019) 94 NYU L Rev 771.
203 G Greenleaf, ‘The Influence of European Data Privacy Standards outside Europe: Implications for
Globalization of Convention 108’ (2012) 2 IDPL 68.
204 Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing
of Personal Data, regarding supervisory authorities and transborder data flows, CETS No 181.
205 M Burri and T Cottier, ‘Introduction: Digital Technologies and International Trade Regulations’ in Trade
Governance in the Digital Age (Cambridge University Press, 2012) ch 1.
commerce, instituted in 1997, has not been able to agree on more than a moratorium on
tariffs for electronic transmissions.206 Eventually, the US turned to free trade agreements to
advance the interests of its dominant global Internet companies. The EU struggled to find
its footing as it was confronted with US demands ostensibly in tension with its data protec-
tion regime. During the negotiations for the Trans-Pacific Partnership (TPP) agreement,
the US created a new model of rules for the digital economy, including dedicated provisions
on cross-border transfers of data (including personal data) and requirements to use local
computing facilities.207 While ostensibly part of a ‘digital trade’ and ‘e-commerce’ agenda,

these commitments are better understood as a form of ‘megaregulation’ as they bind coun-
tries regardless of a conventional trade nexus (no import or export of services required) and
lend themselves to a dynamic of de facto multilateralization as multinational corporations
can invoke them even when their host state is not—or no longer, as in the case of the US’
withdrawal from TPP—a party to the agreement.208
The EU was confronted with similar proposals in the negotiations for a Transatlantic
Trade and Investment Partnership (TTIP). Had the controversy around investor-state dis-
pute settlement and the election of Donald J Trump as President not sunk the agreement,
disagreement over the international regulation of cross-border data flows might have. At
the time, the European Commission took the position that data protection—as a funda-
mental right—could not be subjected to trade disciplines. While other fundamental rights
(such as the right to health) are regularly implicated by trade disciplines, the European
Commission stood firm and also rejected attempts to make adequacy determinations, for
which its DG JUSTICE is responsible, part of trade negotiations for which DG TRADE is in
the lead. After Japan had signed and revived the TPP as the Comprehensive and Progressive
Agreement for Trans-Pacific Partnership (CPTPP), it proposed its data governance pro-
visions in its negotiations with the EU. Eventually, the Japan-EU Economic Partnership
Agreement (JEEPA) decided to revisit the question within three years upon entry into force.
Only after JEEPA was formally concluded in January 2018, did the warring data protection
and commercial data flow constituencies within the European Commission reach a com-
promise for a new template in future EU agreements in spring 2018: this new set of provi-
sions seeks to preserve the EU’s data protection regime and its restrictions for personal data
transfers in particular by prohibiting only forms of data localization the EU is not using, by
reaffirming data protection and privacy as fundamental rights, and by stating unequivocally
that ‘[n]‌othing in this agreement shall affect the protection of personal data and privacy af-
forded by the Parties’ respective safeguards’.209 In reality, the EU is not always able to retain
its template unchanged. In the post-Brexit EU-UK Trade and Cooperation Agreement, data
protection and privacy were downgraded to mere “rights” and the UK secured a guarantee,
not included in the EU’s template, that data transfer arrangements under “conditions of ge-
neral application” are available.210
206 WTO 1998 WT/MIN(98)/DEC/2.

207 T Streinz, ‘Digital Megaregulation Uncontested? TPP’s Model for the Global Digital Economy’ in B
Kingsbury et al (eds), Megaregulation Contested: Global Economic Ordering After TPP (Oxford University Press,
2019) ch 13.
208 T Streinz, ‘Data Governance in International Economic Law: Non-Territoriality of Data and Multi-
Nationality of Corporations’ (1 April 2021), draft available at https://ssrn.com/abstract=3831743.
209 Horizontal provisions for cross-border data flows and for personal data protection in EU trade and invest-
ment agreements (May 2018) <https://perma.cc/SLC5-WG4H>.
210 Art. 202 TCA.
Still, a marked contrast persists to the US model, under which restrictions on cross-
border transfers of personal data need not only be justified by a legitimate public policy
objective, but must not be applied in an arbitrary, unjustifiably discriminatory, or secretly
trade restrictive manner or impose restrictions that are greater than necessary.211 It is this
last prong in particular and the uncertainty about how a trade or investment dispute panel
would assess the necessity of the EU’s regime why the EU will not agree to the US model as
instantiated by the TPP.212 At the same time, the fact that Canada and Japan are both bound
to the US model and enjoy adequacy status by the EU indicates that the two models are

not necessarily incommensurable. As the US has turned towards data localization measures
vis-à-vis Chinese technology companies, it may depart from the erstwhile Silicon Valley
Consensus of uninhibited data flows. Japan’s G20 proposal for ‘data free flow with trust’ may
be better able to accommodate the EU’s preference for data protection and privacy and has
been welcomed by the European Commission.213
4. THE BRUSSELS EFFECT AND THE GLOBAL DIFFUSION OF

EUROPEAN DATA LAW
The expanded scope of application of EU data protection law, its extending through unilat-
eral adequacy assessments and other safeguards, and the promoting and defending of the
EU’s conception of data protection and privacy in international instruments have all con-
tributed significantly to the globalization of European data protection law. Anu Bradford has
identified and theorized a related dynamic that leads to compliance with EU data protection
laws by businesses outside the EU even when they are not legally required to do so.214 The
relevant criteria for this ‘Brussels Effect’ to occur are market size, regulatory capacity, strin-
gency of rules, inelastic regulatory targets, and indivisibility of products.215 European data
protection law is widely seen as a key example of the Brussels Effect, but a closer look reveals
that this dynamic cannot be taken for granted. The Brussels Effect theorizes multinational
businesses’ rational behaviour in the face of disparate regulatory demands across jurisdic-
tions. In this regard, it is not just the stringency but the inescapability of EU data law due to
its expanded jurisdictional reach that animates the Brussels Effect. But even the GDPR has
jurisdictional limits that multinational corporations can exploit: before it entered into force,
Facebook reportedly moved 1.5 billion users in Africa, Asia, Australia, and Latin America,
who had been affiliated with Facebook Ireland, to Facebook Inc, thereby removing these
users from the GDPR’s reach.216 As it turns out, data can be a highly elastic target, prone to
flight, comparable to financial capital.
211 Art 14.11 TPP.

212 See also, S Yakovleva and K Irion, ‘Pitching Trade against Privacy: Reconciling EU Governance of Personal
Data Flows with External Trade’ (2020) 10 IDPL 201.
213 Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition—two
years of application of the General Data Protection Regulation, COM(2020) 264 final, [14].
214 A Bradford, The Brussels Effect: How the EU Rules the World (Oxford University Press, 2020).
215 ibid ch 2.
216 A Hern, ‘Facebook moves 1.5bn users out of reach of new European of new European privacy law’ The
Guardian (19 April 2018) (<https://perma.cc/5MKD-LA6C>). Facebook later pledged to offer certain (but not all)
options available to European users to everyone.
The Brussels Effect only materializes to the extent to which companies prefer the uni-
versalization of European data law over compartmentalization where European law only
applies to European data while other laws apply elsewhere. Such compartmentaliza-
tion can be forced, if rules are incommensurable: if it is impossible to comply simultane-
ously with European data law and the data laws of other jurisdictions, the Brussels Effect
cannot occur as companies are forced to differentiate their products by jurisdiction. A di-
vergence between the 2018 US CLOUD Act and the GDPR might eventually lead to this
outcome: US electronic communication service providers must preserve, backup, and dis-

close data within their possession, custody, or control, regardless of location.217 At the same
time, the GDPR makes clear that administrative or judicial decisions by third countries are
in themselves—in the absence of international agreements such as mutual legal assistance
treaties—insufficient for a transfer of personal data from the EU to a third country.218 The
CLOUD Act foresees that ‘qualifying foreign governments’ may enter into agreements with
the US, in which case electronic communication providers can file a motion to quash orders
that put them into a bind of violating one law or the other.219 An agreement between the US
and the UK materialized in October 2019, which raised concerns about its compatibility
with EU law that may seem moot after Brexit, but could resurface in the negotiations about
the UK’s future adequacy status under the GDPR. In the absence of an EU-US agreement,
companies may not be able to comply with both the CLOUD Act and the GDPR at the
same time.
The increased cost of non-compliance caused by the GDPR’s novel sanctions made non-
compliance with EU law less appealing. This might aid the Brussels Effect as companies
who cannot or do not want to forego the EU market will have to comply with EU protection
data law there and might opt for compliance with it anywhere. But the preference for global
uniformity cannot be taken for granted. If EU law renders certain business models unwork-
able, as is plausible for data transfer dependent businesses and certain targeted advertising
practices, companies will either forego the European market (if necessary by preventing
access to their apps and websites) or offer a different, localized product in Europe. While
global digital corporations tend to prefer globally uniform products, their plasticity can also
enable greater divisibility than common for non-digital products.
Other jurisdictions may be drawn to European data law as a ‘model’ not only because
of corporate pressure to ensure a level playing field, but also because of a growing global
convergence towards the European approach towards data protection.220 The EU is actively
supporting this narrative and has used the unilateral adequacy assessment process to nudge
other countries towards GDPR-like laws. However, as is well known from the broader dis-
course around policy diffusion and ‘legal transplants’, the adoption of EU-style data laws
elsewhere ought not to be equated with a direct extension of EU law, which has unique
supranational characteristics. Other legal systems may not have a Court of Justice com-
manding authoritative interpretation, which has consistently interpreted European data
protection law in light of the fundamental rights to data protection and privacy.221 The na-
tional security carve out, which reflects the division of competences between the EU and
217 US CLOUD Act, s 2713.

218 Art 48 GDPR.
219 US CLOUD Act, s 2523.
220 Schwartz (n 201).

THE FUTURE OF EUROPEAN DATA LAW 933
its Member States, whose national constitutional courts can confront surveillance excesses
on the basis of national constitutional law, can lead to lopsided data protection regimes
elsewhere, which constrain only the private sector, but leave governmental power relatively
unchecked.
The extent to which independent data protection authorities can operate as an effective
counterweight to public and private sector interests varies significantly across jurisdictions.
The global diffusion of European data protection law, in the sense of other countries adopt-
ing regimes employing similar concepts and language, may also entail a diffusion of data

protection law in the sense that their meaning and implementation varies depending on
context, place, and time. Much as European data protection law incorporated and thereby
transformed national data protection law concepts, global data protection law will differ
from European data protection law even if the legal language used is similar or even iden-
tical. This is true for developed countries (who are working towards more uniform data pro-
tection principles in the OECD), developing countries, and International Organizations,
who seem particularly drawn towards the GDPR, perhaps because of a mistaken under-
standing of the EU as akin to an International Organization.
As the boundaries and delineations within European data law are being redrawn and
countries around the world are grappling with the transition towards increasingly digi-
talized and intra-(if not inter-)connected societies and economies, it remains to be seen
whether future European data law will command the same attraction as European data pro-
tection law has enjoyed so far.
D. THE FUTURE OF EUROPEAN DATA LAW
The European Commission has emphasized its desire to lead the EU into a digital future
for decades. While the GDPR remains a singular achievement in asserting the EU’s regula-
tory power in the digital domain and the Court of Justice has developed a remarkable dig-
ital rights jurisprudence, other legislative efforts to transition Europe towards digitalization
and supranational interconnectedness have either stalled, or fallen short of their lofty aspir-
ations. The digital single market moniker continues to symbolize an unfulfilled aspiration.
When a new European Commission took office in autumn 2019, digitalization was high
on the agenda once again, featured prominently in President Ursula von der Leyen’s accept-
ance speech, and was given additional visibility by making Margrethe Vestager Executive
Vice-President for a ‘Europe fit for the Digital Age’. The first tangible outcome was the pub-
lication of a new European data strategy in February 2020. It announced a vision for a single
European data space, understood as a genuine single market for data, open to data from
across the world.222 Meanwhile, national governments continued to pursue their own na-
tional data strategies, often with a view towards influencing the European agenda.223
While it remains to be seen in what form the European data strategy will materialize,
it gives some pointers into the future of European data law, at least as envisaged by the
European Commission. This concluding section hones in on and critiques three dimensions
222 A European strategy for data, COM(2020) 66 final.

223 Examples include the French loi pour une République numérique of 2016 and the opinion of the German
Data Ethics Commission from January 2020, <www.bmjv.de> (<https://perma.cc/2CDG-BTTV>).
of the future of European data law: its (re)conceptualization of data as a resource; its height-
ened focus on infrastructural dimensions; and its recognition that EU law is but one mode
of data governance.
1. DATA AS A RESOURCE
The European data strategy embraces digitalization’s potential for improvements in eco-

nomic and social welfare. Data is presented as something that is valuable and whose value
ought to be exploited for European citizens’ benefit. This data-as-a-resource framing is in
tension with the fundamental rights approach to personal data that the EU has championed
at home and abroad.224 In a way, the European data strategy can be read as an attempt to
resurrect the second plank of EU data protection law, which was aimed towards facilitating
personal data flows within the EU single market by harmonizing divergent approaches in
Member States.225 Though often invoked to suggest that data protection and market in-
tegration are commensurable or even mutually re-enforcing, this claim is hardly gener-
alizable beyond the preference for uniform rather than disparate rules. The economistic
framing of data as a resource sees data abundance as desirable while data protection law
insists on purpose limitation and data minimization. While the Commission often avoids
acknowledging or even embracing these tradeoffs, it seeks to recast its regulatory approach
as distinctively European. The goal is to develop a European digital economy that distin-
guishes itself from the prevailing regulatory approaches of the two digital superpowers by
guarding against the excesses of the varieties of ‘surveillance capitalism’ on display in the US
and China.226
At the same time, the European data strategy embraces digitalization as indispensable
for Europe’s economic development. The strategy is connected to the Commission’s efforts
to both regulate and promote artificial intelligence, for which data is an important input
factor.227 Given that legislative changes to the GDPR are unlikely, a focus remains on non-
personal data, which escapes the strictures of data protection law and can more readily be
exploited as a resource. This goal raises intricate questions not only about the tenuous dis-
tinction between personal and non-personal data, but about the proper legal conceptual-
ization of data in the first place. The data-as-a-resource framing suggests that data exists
and its value ought to be extracted and shared, but this framing conceals dimensions of
economic, social, and political power that are implicated when the decision is being made
where, when, how, by whom, and for what purpose data is being generated.228 The example
of artificial, synthetic data, where no traditional personal data interests are implicated as
the data is designed without regard to an identifiable individual, while still aspiring to re-
flect and affect reality, illustrates that European data law might need to grapple with these
224 See Sections A.2. and C.3.

226 S Zuboff, The Age of Surveillance Capitalism (Public Affairs, 2018); B Aho and R Duffield, ‘Beyond Surveillance
Capitalism: Privacy, Regulation and Big Data in Europe and China’ (2020) 49 Economy and Society 187.
227 On Artificial Intelligence—A European approach to excellence and trust, COM(2020) 65 final. See also
the European Commission’s proposal for a regulation laying down harmonized rules on artificial intelligence
(Artificial Intelligence Act), COM(2021) 206 final.
228 A Fisher and T Streinz, Confronting Data Inequality, World Development Report 2021 background paper (1
April 2021), available at https://ssrn.com/abstract=3825724.
THE FUTURE OF EUROPEAN DATA LAW 935
questions under a different conceptualization of data that is more attuned to power and
governance dimensions.
2. DATA INFRASTRUCTURES
The generation, modification, transfer, and use of data is dependent on infrastructures, many
of which are controlled by multinational private entities. The EU is responding to this reality

through new legislative initiatives. The Digital Services Act (DSA) seeks to reform the e-
Commerce Directive by creating new rules for intermediaries, in particular “very large online
platforms”.229 In similar fashion, the Digital Markets Act (DMA) targets “gatekeepers” of core
platform services.230 Both initiatives can be understood as forms of incipient data infrastruc-
ture regulation.
The European Data Strategy’s aim to create new European data spaces also highlights infra-
structural dimensions of data sharing. The proposal for a Data Governance Act (DGA) aims to
create an enabling environment for data sharing by increasing trust in data intermediaries.231
Calibrating the relationship between these new proposals and existing EU data law, in partic-
ular data protection law, will be a major challenge.232
As the implementation (or lack thereof) of the right to data portability exemplifies, legal inter-
ventions are insufficient if their regulatory ambition can be thwarted by infrastructural means.
Recognizing the importance of data infrastructures, a consortium of German and French in-
dustry is engaged in a project to develop a federated data infrastructure christened GAIA-X.233
While doubts about its technological sophistication and commercial viability persist, the EU’s
endorsement of the project is indicative of renewed and heightened attention towards the phys-
ical and digital components of data infrastructures and their regulatory effects. So far, European
data law has often assumed compliance and sometimes treated law as separate from, or at least
reactive to, technology. In future, European data law might need to embrace the co-generative
development of data law and data infrastructures to ensure the regulability of data.234
For some, this is also a question of sovereignty. In spring 2020, the COVID-19 pandemic
revealed European governments’ reliance on Apple’s and Google’s infrastructural con-
trol over the operating systems on hundreds of millions of smartphones within Europe.
Two global digital corporations decided how their technology could be used (or not) for
contact-tracing efforts by governments angling for technical solutions to a global public
health crisis. This episode illustrates the limitations of the conventional data protection and
privacy framing as Apple’s and Google’s solution was more privacy-preserving than some
229 Proposal for a regulation on a single market for digital services (Digital Services Act) and amending Directive
2000/31/EC, COM(2020) 825 final.
230 Proposal for a regulation on contestable and fair markets in the digital sector (Digital Markets Act),
COM(2020) 842 final.
231 Proposal for a regulation on European data governance (Data Governance Act), COM(2020) 767 final.
232 See EDPB-EDPS Joint Opinion 03/2021 on the Data Governance Act.
233 Project GAIA-X: A Federated Data Infrastructure as the Cradle of a Vibrant European Ecosystem, <www.
data-infrastructure.eu> (<https://perma.cc/L55S-M2KC>).
234 See for this idea, L Austin and D Lie, ‘Safe Sharing Sites’ (2019) 94 NYU L Rev 581. See also CT Marsden,
Internet Co- Regulation: European Law, Regulatory Governance and Legitimacy in Cyberspace (Cambridge
University Press, 2011).
European governments had preferred.235 Infrastructural control over data and resulting ec-
onomic, social, and political power exercised by global digital corporations persists and
remains largely unchecked by European data law,236 despite efforts to rein in certain anti-
competitive practices through data sharing requirements.237
3. VARIETIES OF DATA GOVERNANCE

European data law seeks to regulate data through law, but other modalities of data
regulation—for example, regulation by standards, software, and infrastructure—and struc-
tural forces, in particular the concentration of data and infrastructural power in global dig-
ital corporations, determine much data regulation in practice.238 The somewhat ambiguous
and increasingly ubiquitous term ‘data governance’ seeks to reflect a broader understanding
of who and what governs data. While it is important for European data lawyers to recognize
other modalities of data regulation, it is at least equally important to be aware of the differ-
ences between data regulation by law and by other means. One such difference is the claim
to supranational democratic legitimacy that animates European data law and distinguishes
it from authoritarian data regulation,239 even in instances in which the outcome, mecha-
nisms, or rhetoric used are identical or at least functionally equivalent. Another is the dis-
tinctiveness of human law from computer law.240 Yet, whether such a strict separation will
be sustainable or whether EU law writ large, and European data law in particular, will need
to embrace certain affordances of digital technologies to improve its regulatory outcomes
remains to be seen.
Data is not just a regulatory object or an economic resource, but also a medium of gov-
ernance. Regulatory decision-making under recourse to data and algorithms are likely to
become an integral part of EU law theory and practice. The prospect of increasingly ‘gran-
ular’ or even ‘personalized’ law and its ‘automated’ enforcement raise intricate questions
that require careful analysis and evaluation. As all these forms of governance are data-
dependent, European data law is bound to become a form of meta-regulation of legal gov-
ernance by and with data.
235 M Veale, ‘Sovereignty, Privacy, and Contact Tracing Protocols’ in L Taylor et al (eds), Data Justice and
COVID-19: Global Perspectives (Meatspace Press, 2020) 34.
236 For ideas how to confront these forms of digital inequality see Fisher and Streinz (n 227).
237 See Section B.3.
238 JE Cohen (n 5).
239 P Nemitz, ‘Constitutional Democracy and Technology in the Age of Artificial Intelligence’ (2018) Phil Trans
R Soc A.
240 M Hildebrandt (n 5).

Article Evolution of Eu Data Law

Uploaded by

Copyright:

Available Formats

You might also like

Article Evolution of Eu Data Law

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Article Evolution of Eu Data Law

Uploaded by

Copyright:

Available Formats

29

THE EVOLUTION OF EUROPEAN

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

A. THE EUROPEANIZATION OF DATA PROTECTION LAW

1. FROM THE DATA PROTECTION DIRECTIVE TO THE

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

10 Hessisches Datenschutzgesetz [1970] GVBl I 625.

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

30 Case C-​362/​14 Schrems EU:C:2015:650; see Section C.2.

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

41 Art 286 TEC.

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

52 See Section A.3.

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

2. DATA PROTECTION AND PRIVACY AS EUROPEAN

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

70 Arts 7 and 8 EU Charter of Fundamental Rights.

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

77 Case 29/​69 Stauder [1969] ECR 419.

3. THE INSTITUTIONALIZATION OF EUROPEAN DATA

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

B. EUROPEAN DATA LAW BEYOND DATA PROTECTION LAW

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

2. EUROPEAN DATA OWNERSHIP LAW

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

3. EUROPEAN ACCESS TO DATA LAWS

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

1. NON-​TERRITORIAL APPLICATION AND THE LIMITS OF

170 See Section D.

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

2. THE REGULATION OF OUTWARD TRANSFERS OF DATA

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

3. INTERNATIONALIZING EUROPEAN DATA LAW AND

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

206 WTO 1998 WT/​MIN(98)/​DEC/​2.

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

4. THE BRUSSELS EFFECT AND THE GLOBAL DIFFUSION OF

211 Art 14.11 TPP.

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

217 US CLOUD Act, s 2713.

220 Schwartz (n 201).

221 See Section A.2.

Downloaded from https://academic.oup.com/book/39246/chapter/338797238 by Universiteit Maastricht user on 16 April 2023

30 Case C-362/14 Schrems EU:C:2015:650; see Section C.2.

77 Case 29/69 Stauder [1969] ECR 419.

1. NON-TERRITORIAL APPLICATION AND THE LIMITS OF

206 WTO 1998 WT/MIN(98)/DEC/2.