Data protection: with the elites, for the people?

The above discussion has outlined three important trends in EU policy-making. First, the EU institutions are becoming more accessible and transparent, but the so-called elites still have privileged access to the EU institutions. Second, this elite pluralism can largely be attributed to the EU institutions’ origins and their close relationships with the industry. After all, a functioning single market is only partly dependent on harmonised legislation, and the cooperation of dominant market actors is equally important. Third, EU legislators navigate an intrinsically complex regulatory environment with countless actors and interests, and listening to stakeholders is a prerequisite for being able to draft efficient policies and legislation. When legislators lack expert knowledge in policy areas, this relationship might evolve into one of dependency instead of mutual benefit. These trends contribute to creating an understanding of why lobbying is such an integral part of the EU. However, such a determinist approach overemphasises structure over ideology and disregards the ideological choices of political actors, windows of opportunity, and path dependencies of policy domains.

Data protection regulation in Europe has activist origins, and the Data Protection Directive was initiated in a manner which is slightly alien to the EU’s decision-making process. The role of DPAs cannot be understated, and

73

their participation in the GDPR’s legislative process is unquestionable.

However, owing to their special relationship to the national ministries of justice as well as their institutionalised role in EU data protection governance, their input cannot be compared with that of individual lobbyists. It is, nevertheless, precisely this institutional advantage and prioritised access to law-makers that encouraged the Commission to be more inclusive in the GDPR’s legislative process. After all, the private sector hardly participated in the early drafting of the Data Protection Directive. While that may to some commentators seem as an inherently positive feature of the legislative process, it is unquestionable that the companies that were directly affected by a new law had very little to say about its contents. In that respect, the Data Protection Directive’s legislative process was very far from the ideals of deliberative democracy – closer, in fact, to enlightened absolutism: ‘everything for the people, nothing by the people’.²⁷ The heart of the legitimacy problem is perhaps not solved by including interest groups, but excluding the private sector from the legislative process is equally problematic.

The legitimacy dilemma can be summarised as follows: because there is no hope of creating a truly European public sphere, we are left with the solution to institutionalise the involvement of interest groups, but as policy elites dominate these processes, they cannot serve as a proxy for deliberated societal consensus. Within the data protection policy domain, there is an added level of complexity. Data transfers are not limited by geographical borders, and information society services can be efficiently provided from one jurisdiction and consumed in another. If one chooses to ignore this aspect of the economies of personal data, the rights of EU citizens are heavily weakened. On the contrary, if one engages in extra-territorial law-making, ²⁸ one creates responsibilities for actors that never had a say in the legislative process by way of political representation. To what extent is the legislature obliged to include non-nationals of member states in the legislative process? Furthermore, many of the world’s largest IT companies are based in the U.S. but have European subsidiaries. What level of influence can be considered appropriate in those particular cases, knowing that these companies will mainly seek to transfer data outside of the EU’s jurisdiction?

A legitimate policy process would have to take all of the following factors into account: the global nature of data protection, the unequal division of power, the EU law-makers’ lack of policy expertise, the growing importance of

27 Allegedly, this was the motto of Austrian emperor Joseph II who lived in the 18^th century.

28 Legal scholar Anu Bradford (2012) has coined this type of unilateral regulatory globalisation as the

‘Brussels Effect’.

74

national DPAs, the ever-increasing lobbying activity in Brussels, and peoples’

expectations of privacy. Owing to the data protection domain’s cross-sectoral nature, even identifying all relevant sectors and interests is a challenge, much less including them in the decision-making process. The Data Protection Directive’s legislative process revealed that at least the advertising industries, credit and financial actors, DPAs, and arms of the national governments are worth examining more closely. While the private sector might argue that they are fighting an uphill battle owing to the path dependence of data protection regulation in Europe and the undeniable influence of national regulators, the amount of resources spent on lobbying tells a different tale. If lobbying was a complete waste of time and money, specialised data protection lobbyists would not exist. Given the multitude of factors to consider when analysing the GDPR’s legislative process, correctly identifying influence is of principal importance. The approach taken in this study is presented in the following chapter.

75

5 EVALUATING LEGITIMACY AND