This study explores how one of the most talked-about regulations in the internet policy domain was drafted. The General Data Protection Regulation (GDPR) has been widely regarded as one of the most lobbied pieces of legislation in the history of the European Union (EU). This raises two questions: What policy alternatives were put forth by the EU institutions in the course of the GDPR’s legislative process, and how did they correspond to the ideas, issues and frames promoted by interest representatives? What does the influence of organized interests and stakeholders in GDPR decision-making reveal about the democratic legitimacy of the process? Drawing on new institutionalism, this research traces the evolution of the GDPR, comparing the different EU institutions’ iterations of the new law with the positions of interest representatives, and simultaneously situating the GDPR in the history of data protection policy. The results reveal that business groups dominated the public consultations prior to the Commission’s draft proposal, but the Commission’s approach was more closely aligned with the positions of civil society. Members of the European Parliament were, on the contrary, highly susceptible to the influence of business interests, until public salience of information privacy increased owing to Edward Snowden’s revelations of governmental mass surveillance by the National Security Agency. These revelations made it possible for policy entrepreneurs to push for stronger rules on data protection. However, public salience would not have a significant impact on the Council, which was mostly aligned with the interests of businesses and concerned with maintaining public interest exceptions. The final GDPR was more reminiscent of the Council’s position than the Parliament’s first reading, demonstrating that in many instances, business interests prevailed.
This result should not be understood as mere resistance to policy change, but rather as showing that a big data paradigm, which encourages the collection, processing and exchange of personal data in the name of progress, security and innovation, structured and constrained the available policy options. Therefore, the answer to the second question is that the institutionalized inclusion of stakeholders in the early stages of the process did not negatively impact its legitimacy, but the opaqueness and overall tendency to support business interests in the Council critically challenge the democratic legitimacy of the GDPR’s legislative process.
|Award date|10 Dec 2019|
|Place of Publication|Helsinki|
|Publication status|Published - 8 Nov 2019|
|MoE publication type|G4 Doctoral dissertation (monograph)|
Fields of Science
- 518 Media and communications