
Page 1 of 70

Externalization of the GDPR: promoting global regulatory standards in data protection and privacy.

Student name: Orin Pieterson
Student number: S2067064
Course code: 8921M900
Program: Master Crisis & Security Management
Course title: Master Thesis
1st reader: Drs. Georgieva / Dr. Van den Berg
2nd reader: Dr. Els de Busser
Date: 10-6-2018
Word count: 22.257


Abstract

Over the last seven decades, the EU has grown into a formidable economic actor in its own right. By bundling economic capabilities and leveraging them vis-à-vis other international actors, the EU has obtained a strong position as a regulatory power. With the GDPR, the EU once again reiterates its commitment to safeguard its core principles.

This thesis explores the mechanisms in the GDPR that trigger the extraterritorial application of the regulation, possibly leading to a global standard on data protection and privacy. Building on the notion of soft power – the ability to exert influence by utilizing attractive elements in an actor’s culture, society, or values – this thesis argues that the EU managed to devise a legislative framework that incorporates its ideological conviction when it comes to privacy and data protection, while facilitating international data transfers, and does so on its own terms. The theoretical notion of soft power is made tangible by placing it within the concept of ‘Normative Power Europe’, which describes the processes through which the EU diffuses its normative preferences throughout the world. This is supplemented with the Brussels Effect, which describes how EU regulatory standards gain global traction and are adhered to by organizations outside the jurisdictional scope of the EU.

The GDPR involves six instruments that drive the extraterritorial application of the Regulation, mainly focusing on multinational corporations and other organizations that regularly transfer data across jurisdictional lines. These instruments aim to create uniform frameworks that safeguard data protection and privacy within these organizations, and when they transfer personal data to other organizations. Moreover, the EU devised a system to assess the adequacy of data protection in third states, in which it also takes into account whether that third state adheres to the same normative preferences as the EU.

The GDPR is an example of how the EU actively pursues a normative agenda in relation to other states and in relation to private actors. This research adds to the NPE research paradigm by analyzing landmark legislation that will have effects for years to come.


Contents

Abstract 3

1 Introduction 6

2 Theoretical Framework and Body of Knowledge 10

2.1 Societal and Academic Relevance 10

2.1.1 The Political Dimension 12

2.1.2 Academic relevance 13

2.2 Literature review: GDPR 14

2.3 Soft Power: The power of Attraction. 17

2.4 Normative Power Europe 20

2.5 The Brussels Effect 22

2.5.1 The Brussels Effect 22

2.5.2 Conditions for the Brussels Effect 24

2.6 Externalization in the soft and normative power framework 25

3 Methodology 28

3.1 Formulating the Research Questions 28

3.2 Using a holistic approach 30

4 Analysis 33

4.1 The GDPR: the European rights-based approach 33

4.2 Why history and context matters 35

4.3 The ‘Transatlantic Data War’ 38

4.4 Externalizing the GDPR: triggers and mechanisms 41

4.5 Diffusing the GDPR: a NPE perspective 48

4.6 The GDPR and the Brussels Effect 50

4.6.1 De Facto or De Jure? 55

4.7 GDPR as an attempt to externalize EU Policies on a global scale 56

4.8 The GDPR: pushing EU norms 57


5 Conclusion: Externalization of the GDPR: an exercise in soft and normative power? 59

5.1 Analytical Results 62

5.2 Limitations of the research 63

6 Bibliography 65


1 Introduction

Regulation 2016/679 of the European Parliament and the Council, or the General Data Protection Regulation (hereafter: GDPR), the EU’s new legislative framework for privacy and data protection, was drafted in 2016 and will be enforced by national Data Protection Authorities (DPAs) from the 25th of May 2018. Over the 23 years since Directive 95/46/EC (hereafter: DIR95) came into existence, tremendous advances in information and communication technology have transformed the European and the global economy. DIR95 was drafted in 1995, before the commercialization of the internet, and thus urgently required a review and adaptation to current practices. (European Data Protection Supervisor, 2018) The GDPR provides a comprehensive framework that prepares the Union for the increased digitalization of its economy, and lays the groundwork for years to come. The aim is to harmonize the European framework for data protection and privacy by creating one uniform legislation for all Union Member States, to facilitate the free flow of data between member states, and to ‘contribute to the accomplishment of an area of freedom, security and justice, and of an economic union, to economic and social progress, to the strengthening and convergence of the economies within the internal market, and to the well-being of natural persons.’ (GDPR: Recital 2) Moreover, the European Data Protection Supervisor, Giovanni Buttarelli, promoted the GDPR as ‘a clarion call for a new global digital gold standard’ (Buttarelli, 2016), which facilitates ‘streamlining international data transfers and setting global data protection standards.’ (European Commission, 2018b)

This outspoken ambition of the EU to shape global standards with regard to data protection comes as no surprise, just as it comes as no surprise that it is the EU that has realized the most far-reaching privacy framework in the world. The right to the protection of personal data is enshrined in article 16(1) of the Treaty on the Functioning of the European Union and in article 8(1) of the Charter of Fundamental Rights of the European Union, and is thus firmly codified within legal documents of the Union. The inclusion of the right to protection of personal data, and to a certain degree of privacy, stems from a long commitment to the individual’s right to informational self-determination, which is understood as the individual’s ability to determine what information is publicly disclosed. (Bloch-Wehba, 2015) Europe’s history has ingrained its societies with an appreciation of respect for the private sphere and private life, which is clearly valued by its citizens and its legislators. (Schwartz, 2013) Especially as the societal impact of unlimited and unrestricted data gathering becomes more controversial following recent discussions about the use of personal data in political campaigns and by intelligence services, this new legislative framework provides more control over personal data for individual data subjects. Moreover, recent incidents with Cambridge Analytica and Facebook, and the surge in data breaches occurring around the world, have elevated the issue of protecting personal data on the political agenda. (Boyd & Crawford, 2012; Cadwalladr, 2017, 2018; Eriksson & Giacomello, 2006; Identity Theft Resource Center, 2017; van Den Broek & van Veenstra, 2018)

Besides a much-needed update - especially in the light of these revelations about the potential abuse of personal data by both private and public actors - the GDPR also provides the EU with an instrument to extend and cement its influence abroad. This thesis argues that the GDPR contains a number of mechanisms or ‘triggers’ that legitimize the application of the GDPR beyond the jurisdictional and territorial borders of the EU, and that these triggers result in externalization of the GDPR, potentially leading to global regulatory convergence. Joanne Scott (2014: 1344) defined these triggers as ‘a mechanism that launches the application of EU law and delimits its personal and territorial scope of application.’ In the GDPR, these triggers are identified as: the definition of the scope of the regulation (article 3 GDPR), the adequacy decisions on adequate data protection standards (article 45 GDPR), Binding Corporate Rules (BCRs) (article 47 GDPR), Standard Contractual Clauses (SCCs) (article 28(6) GDPR), Codes of Conduct (article 40 GDPR), the certification procedure (article 42 GDPR), and the Privacy-by-Design and Privacy-by-Default principles (article 25). These legal triggers launch the application of the GDPR beyond the territorial borders of the EU, but there are also other factors that enable this process, rooted in a market-based approach. These are identified using the theory of the ‘Brussels Effect’, as coined by Anu Bradford (2012: 5). These factors include the large single market, the propensity to enforce strict rules over inelastic targets, a significant regulatory capacity, the non-divisibility of standards, and the emergence of the privacy-by-design and privacy-by-default standards. The motivation for including these mechanisms that trigger extraterritorial application of the GDPR is explained using two theories: the theory of soft power, as conceived by Joseph Nye, and the normative power approach, as formulated by Ian Manners.

A consequence of this jurisdictional muscle-flexing by the Union is that it potentially clashes with other conceptualizations of privacy and data protection. One example is found in relation to the United States, where these concepts are regarded in a different light. Unlike the EU, where data protection is seen as a right and finds its legal base in the Treaty of the EU, privacy and data protection in the US are found in a fragmented collection of state law, case law, and commercial law, or ‘a patchwork of sectoral law’. (Schwartz & Peifer, 2017: 147) Accordingly, the European approach to data protection and privacy, and its inclusion in constitution-like documents, is not self-evident. It is a product of the historical context that facilitated this process. The European approach of data protection as a right is further explained in the theoretical framework, where it is juxtaposed with the American approach to data protection in order to argue that historical processes shape preferences and understandings that can differ around the world.

In this thesis multiple theories are combined to explain one phenomenon: the extraterritorial application and externalization of EU privacy and data protection legislation. This approach leads to a deeper understanding of the political and societal implications of the GDPR, and sheds light on the way in which the EU manages to exert influence beyond its borders by using legal mechanisms that trigger extraterritorial effect, and on how the EU relies on market forces to externalize EU policies by leveraging its economic capabilities.


The following research questions are formulated to guide this thesis:

‘To what extent does the EU exercise normative power through externalization of its privacy and data protection regulation?’

This question is answered by dissecting it into four distinct sub-questions:

1. Does the concept of externalization fit within the broader frame of soft and normative power?
2. What is the background and context in which the GDPR was drafted?
3. How, and to what extent, can the GDPR be considered an attempt to externalize EU policies on a global scale?
4. How, and why, is the externalization of the GDPR an example of Normative Power Europe?

The first section of this thesis comprises a theoretical framework that is built up in three parts: first, a literature review of available scholarly work on the GDPR is provided to give an overview of what work has been undertaken by the academic community, and to give an impression of the topics that are related to the GDPR. Subsequently, the concepts of soft power, Normative Power Europe, and the Brussels Effect provide the framework that is later applied to the case of the GDPR. After this theoretical framework, the employed methodology is discussed, which is followed by the analysis, which applies the theoretical framework to the case of the GDPR in order to argue that the GDPR is landmark legislation that contains mechanisms to trigger extraterritorial application of the GDPR, and thereby externalizes the European normative agenda on data protection and privacy.


2 Theoretical Framework and Body of Knowledge

This thesis seeks to combine a number of different elements: recent developments that have led to closer scrutiny of data collection practices, concerns about privacy in the digital age, how the GDPR can be seen as a response to these concerns, and how the GDPR is externalized by the EU as part of its normative agenda. Hence, it also draws upon different schools of thought and theoretical frameworks, which are combined in this chapter. The first section outlines the societal and academic relevance of this thesis, after which the second section offers a literature review of scholarly work on the GDPR. This overview illustrates the urgency for more multi-disciplinary work on the GDPR and its potential geopolitical implications. A broader perspective, beyond merely legal perspectives or comparative studies into the effects of the GDPR, can help create more understanding of the exercise of power or influence through legal acts such as regulations. After substantiating that claim by using the concept of ‘soft power,’ this will be linked to the theory of Normative Power Europe, to explain the motivation behind the externalization of the GDPR, and finally to the Brussels Effect, to outline how this is achieved in practice. Hence, the combination of these three theories offers an explanation of why the EU actively pursues its normative agenda, and how it externalizes this normative agenda through its regulations to achieve global impact.

2.1 Societal Relevance

The development of computers and information and communication technology has had an enormous impact on daily life. This is true for the individual, who is now connected to the world through a smartphone or computer, but also for organizations in both the public and private sector. As interconnectivity has grown, the world has become a smaller and more connected place. This compression of time and space through technology has many advantages, but it also carries with it the challenge of managing that technology in a proper manner. People have grown accustomed to sharing information – and personal data - online through social media platforms, or accessing commercial or government services through online environments or applications. According to IBM, the world has created more data in the last two years than in the entire history of the human race before that. (Lewis, 2018) This will presumably increase in the coming years as large technological innovations take place, including the development of artificial intelligence, the Internet of Things, and virtual reality applications, to name a few. The fact that we now produce more data than ever, combined with the rapid development of new, potentially invasive technology, reiterates the momentous challenge of managing personal data nowadays.

Besides the likely increase of personal data in the future, the development of the digital economy and recent events have illustrated the necessity of legislative frameworks for data protection and online privacy which simultaneously allow international data flows to continue unabated. The collection of personal data has developed into a full-fledged business model for many of the largest companies in the world. According to a report by PwC, the technology industry is the largest sector in terms of market capitalization, closely followed by the financial sector and consumer goods. (PwC, 2017: 4) These sectors rely heavily on data, either to sustain their business model (such as in the case of Facebook and Google), to build models or automate trading (in the financial sector), or to drive business efficiency and analyze consumer behavior, for example (in the consumer goods sector). (Muzellec, Ronteau, & Lambkin, 2015) Data occupies a central position in contemporary society, but this has come at a high price, as the number of incidents related to data protection and privacy illustrates. Over the last few years, there have been numerous data leaks. An impressive, but non-exhaustive, list of large data breaches includes MyFitnessPal (2018), Equifax (2017), Uber (2017), eBay (2014), Morgan Stanley (2015), T-Mobile/Experian (2015), JP Morgan Chase (2014), Home Depot (2014), Yahoo! (2013), Target Stores (2013), Adobe (2013), and Sony PlayStation (2011). (Identity Theft Resource Center, 2017) This includes multinational corporations across all sectors, with significant cybersecurity budgets which apparently do not mitigate the risk of personal data being accessed, leaked, or stolen. Consumers should be wary of whom they give their personal data to, and cannot automatically trust large corporations to manage their personal data in a secure way. Data by the Identity Theft Resource Center (ITRC) indicates that the number of data breaches doubled between 2014 and 2017, with an all-time high of some 178 million records compromised in 2017 (Identity Theft Resource Center, 2017), while the well-known website haveibeenpwnd.com, which keeps a record of all data breaches and offers the possibility to check whether your information has been compromised, recently announced it had surpassed 5 billion hacked or compromised accounts.1 Accordingly, it can be concluded that data has taken on a central role in today’s digital economy, that the management of that data poses significant challenges for companies, and that it forms a source of concern for individuals who are increasingly confronted with data leaks and mismanagement of their personal data.

2.1.1 The Political Dimension

Another source of concern across the globe came from the 2013 revelations by Edward Snowden, an NSA whistleblower, who uncovered how governments have established extensive surveillance programs using publicly available data to monitor activity on the internet. This included the activities of ordinary citizens, but also those of foreign leaders and other targets abroad. (Verble, 2014) These revelations had significant consequences for transatlantic relations, and drove a wedge between the EU and the US, resulting in the invalidation of the so-called ‘Safe Harbor’ agreement, which facilitated transatlantic data transfers. (Schwartz & Peifer, 2017: 118) The tremendous power and capability of data analysis and enrichment became clear once more after The Guardian revealed that in 2016 a British firm, Cambridge Analytica, had used personal data from millions of Facebook users to compose psychological profiles in order to influence their voting behavior. (Cadwalladr, 2017) These revelations, both the ‘Snowden files’ and the Cambridge Analytica case, reaffirmed that data protection and privacy are more relevant than ever, in multiple ways. They showed that personal data of European citizens was being analyzed and abused by foreign governments and private parties. New controversies emerge almost daily as a broad societal debate unfolds about how we should manage our personal data, who is responsible for that, and what the potential consequences are if we continue down this path. The GDPR addresses at least some of these challenges by declaring the EU’s commitment to privacy and data protection as fundamental rights and giving the data subject more instruments to take control over the data that is out there about them. Moreover, it establishes common procedures for international data transfers, based on European values, which potentially establishes the new norm for data transfers.

1 See haveibeenpwnd.com for more information on the platforms, websites, and services that have been compromised.

2.1.2 Academic relevance

In academic circles, the GDPR has been the source of much debate and the inspiration for many publications. However, thus far only two scholars have produced scholarly work relating the Brussels Effect to European data protection regulations. Paul M. Schwartz (2013) reviewed how globalization of regulation on data protection has developed over the last decades, and included an analysis of the possible contribution by the Brussels Effect. Schwartz holds that while European privacy laws have influenced large parts of the rest of the world, this is not attributable to the Brussels Effect. In fact, two factors limit the occurrence according to him: ‘the existence of EU policies that sometimes conflict with and limits on the EU’s power in the global information economy’. Schwartz adds that ‘the United States never enacted EU-style privacy legislation nor created EU-style institutions,’ which is enough for Schwartz to conclude that the Brussels Effect has not occurred when it comes to data privacy. (Schwartz, 2013: 1985) This argument fails to recognize the more subtle qualities of the Brussels Effect, which acknowledge that there is a world besides the US where Europe can influence privacy laws. Moreover, Schwartz’s analysis is based on DIR95, legislation not nearly as comprehensive as the GDPR.

The second author who engaged with the Brussels Effect in the context of data protection policy is Franz-Stefan Gady (2014). Contrary to Schwartz, Gady does acknowledge that European standards on data protection and privacy have spread globally, and contends that two other developments have increased the saliency of this topic and the capability of the EU to set global standards: the revelations by Edward Snowden on American surveillance practices, and the diminished role of the UK, as a supporter of laxer privacy regulation, in the EU. (Gady, 2014: 18)

Both authors published before the GDPR was drafted, and can therefore not be criticized for not taking into account elements of the GDPR that facilitate the Brussels Effect. However, this does merit a new study into the elements within the GDPR that facilitate externalization, especially as these authors offer competing perspectives on this issue. This thesis contributes to creating more insight into the applicability of the Brussels Effect in global data privacy by offering a comprehensive and systematic account of the underlying reasons why the EU seeks to externalize the GDPR and how this occurs. The next section introduces a concise summary of available scholarly literature on the GDPR in order to give an impression of the state of research on the GDPR.

2.2 Literature review: GDPR

A number of scholars have written about the general changes that the GDPR entails. Tikkinen-Piri et al (2018) give an overview of the implications of the GDPR for companies that collect personal data from EU citizens. The emphasis in this work is on 12 aspects that should be proactively implemented to comply with the GDPR and avoid sanctions. (Tikkinen-Piri, Rohunen, & Markkula, 2018) It provides a clear guide and pointers for a deeper understanding of the underlying motivations of the GDPR. A similar summary of the key changes under the GDPR is provided by Tankard (2016), with a number of practical suggestions to integrate GDPR compliance with other data protection standards such as ISO 27001 and ISO 27002. (Tankard, 2016) These overviews offer practical help in understanding the rationale behind the GDPR, and offer general guidelines to implement the regulation. In similar fashion, Lambert, Voigt, and Von dem Bussche (2017) offer step-by-step advice on what to keep in mind while designing compliance mechanisms, what processes should be revised or adapted, and how potential fines can be prevented by obtaining a ‘defensible position’ when being audited by national data protection authorities. (Lambert, 2017; Voigt & von dem Bussche, 2017) The strategy to obtain a ‘defensible’ position is supported by professional services organizations, who note that many organizations, instead of pursuing full compliance, opt for obtaining a position that demonstrates that the organization has put in effort to comply with the regulation while not being fully compliant. (Deloitte, 2017: 3)

Eric Lachaud (2016, 2018) focused on articles 42 and 43 of the GDPR, which enable certification as a regulatory instrument under the GDPR. In essence, these stipulate that independent third parties can perform audits in order to provide organizations with data protection certificates if the organization demonstrates the existence of appropriate safeguards, through a voluntary and transparent process. Much remains unclear about who is authorized to perform the certifications, and what the exact requirements are for such certifications. Moreover, such procedures can be costly, and possibly unattainable for smaller organizations due to the financial costs of hiring the consultancy organizations that are likely to perform such certifications. Hence, articles 42 and 43 provide for some leeway in the interpretation of the GDPR, and ‘can be seen as an attempt by the European authorities to address the complex challenge of enforcing fundamental rights in a technological context.’ (Lachaud, 2016: 826)

There is a body of work dealing with comparative studies regarding the differences and similarities in the implementation and enforcement of the GDPR and its transposition into national law. Custers et al (2018) offer a comparative case study between eight European countries. Although the GDPR aims to harmonize data protection standards throughout the EU, there is still ample room for national legislatures to tweak national legislation according to their preferences through implementation laws. Moreover, a number of factors are identified that influence how member states transpose the GDPR into national practices. These include the interplay between government, civil rights organizations and data protection authorities, the intensity and scope of political debates, information campaigns, media attention, and the public debate. (Custers et al, 2018) This work focuses on an inter-European comparison of national legislations, whereas there is also a broad body of comparative research on the differences between EU conceptualizations of privacy and data protection and other interpretations, such as in the US, providing interesting cross-cultural comparative work. (Bignami, 2007; Boehm et al., 2015; Farrell & Newman, 2016; Gady, 2014; Schwartz & Peifer, 2017; Whitman, 2004)

A third category focuses on the impact of the legislation on specific industries or practices, such as the medical industry (Di Iorio, Carinci, & Oderkirk, 2014; Mccall, 2018), the application of artificial intelligence (Butterworth, 2018), and how the GDPR might have severe consequences for companies that are infected with ransomware (Green, 2017). An interesting article is written by Miño-Vasquez and Suhren (2018), who described the administrative sanctions in the GDPR, which allow authorities to issue fines up to 20 million euros, or 4% of a company’s global annual revenue, in cases of non-compliance. (Miño-Vásquez & Suhren, 2018) Moreover, the GDPR can also have consequences for scientific and academic research, especially with regard to data collection practices, although Article 85 holds that data processing for academic, journalistic, literary, and artistic purposes should be reconciled by the Member States themselves. (Cornock, 2018; Di Iorio et al, 2014; Koščík & Myška, 2018; Mourby et al, 2018) Hence, the changes vis-à-vis previous legislation have been explored by several authors, who offer a valuable contribution by contrasting the regulation with previous EU legislation and national legislative frameworks.

This overview illustrates that there has been some academic attention for the GDPR and its implications, but that it still remains largely an unexplored area of work in many regards. Mapping the consequences of the GDPR, and supporting this with sound empirical data can only occur after enforcement of the regulation will start, on the 25th of May 2018. The actual enforcement will most likely lead to fines and litigation, and subsequently to more academic efforts.

What is lacking in this body of knowledge are analyses that place the GDPR in a broader geopolitical perspective, and as an exercise of power. This thesis addresses that gap in knowledge by analyzing how the GDPR is an expression of the normative values of the EU, within the Normative Power Europe agenda, and how it is externalized to achieve impact beyond the territorial and jurisdictional borders of the EU. The next section introduces the concept of ‘soft power’, and draws a clear link to the objective of the GDPR.

2.3 Soft Power: The Power of Attraction

This section offers a concise introduction to the concept of ‘soft power’, as coined by Joseph Nye in 1990 in his seminal book Bound to Lead: The Changing Nature of American Power. Nye, departing from the dominant paradigm that framed international relations as shaped by realist assumptions, argued that actors can exert influence with means other than purely military power or civilian power. Nye described this as ‘soft power’. (J. Nye, 1990)

Soft power describes the power of states to convince other states to achieve a common objective. This can be done in three ways, Nye argues: 1) ‘threats of coercion (“sticks”); 2) inducements or payments (“carrots”); and 3) attraction, that makes others want what you want. A country may obtain the outcomes it wants in world politics because other countries want to follow it, admiring its values, emulating its example, aspiring to its level of prosperity and openness. In this sense, it is also important to set the agenda and attract others in world politics, and not only to force them to change through the threat or use of military or economic weapons. This soft power — getting others to want the outcomes that you want — co-opts people rather than coerces them.’ (Nye, 2014: 3) The EU has that ability, as ‘the main output of the Brussels machine are rules that govern trade and that set standards for consumer protection, for the environment, for competition, etc. […] If the power to make rules is power, then Brussels, in a modest way, is also a power.’ (Cooper, 2012: 9)

Nye makes a clear distinction between threats of coercion (or sticks), inducements or payments (which he calls carrots), and the ability to co-opt others because of intrinsic qualities that a state possesses which are deemed admirable or desirable. This division represents three dimensions of power a state can possess: military power, civilian power – also known as economic power - and soft power. (Manners, 2002: 240) As Colin S. Gray puts it, ‘In recent decades, scholars and commentators have chosen to distinguish between two kinds of power, “hard” and “soft.” The former, hard power, is achieved through military threat or use, and by means of economic menace or reward. The latter, soft power, is the ability to have influence by co-opting others to share some of one’s values and, as a consequence, to share some key elements on one’s agenda for international order and security.’ (Gray, 2011: v)

Nye outlined these sources of power and corresponding ‘currencies’ and government policies that are used:

[Table: the three sources of power (military, economic, soft), their currencies, and the corresponding government policies. Table by: J. S. Nye, 2009: 31]

The exercise of military power is thus correlated to coercion, deterrence and protection, by relying on threats of force. This translates into practices of coercive diplomacy, war, or alliances. Economic power is used through inducements or through coercion by means of payments (inducements) or sanctions (coercion). Governments employ economic power through aid, bribes, or sanctions. Lastly, soft power is expressed through agenda-setting behavior and the power of attraction, and is derived from values, culture, policies and institutions, which are exercised through public, bilateral, and multilateral diplomacy.

Ultimately, the concept of soft power holds that in international relations, just as in relations between individuals, a certain ‘likability factor’ comes into play. The perception of a state, whether positive or negative, can contribute to – or limit – its ability to achieve foreign policy objectives, as it influences the willingness of other states to cooperate, or may incite them to pursue contrary objectives. The ability to form coalitions in international relations is crucial for any effective foreign policy. Spending fewer resources on military posturing or on paying off other states, and instead investing in the intrinsic qualities of the homeland, certainly seems a legitimate policy that produces positive effects both internally and externally.

The main driver of the increased recognition of the role of soft power in international relations is the assumption that military power is more costly than in earlier times. (J. Nye, 1990: 159) Both in economic terms and in terms of political capital, wars are expensive and unpopular with the public. This disincentivizes states from resorting to military means to exert influence and incentivizes the use of other means, such as the power of attraction and the art of persuasion. The increased costs of imposing a state’s will on others through military means, along with the establishment of international law and a form of international community, have also stimulated competition between states on issues such as trade.

Soft power is not only a less expensive, but also a more successful and enduring strategy than relying solely on sticks or carrots. Many states would not even be able to coerce other actors, due to insufficient resources, but soft power is in theory attainable for every state, as it does not rely primarily on the economic resources at a state’s disposal but is instead derived from other power sources, such as moral authority, ideas, culture, policies, or popular culture. The leader of a group or international community can establish norms consistent with its society. Increased interdependencies caused by cultural, social, and political diffusion are inevitable in such an environment. Hence, whoever makes the rules can shape them to their own preference, and is less likely to have to adapt to a standard set by others. (J. Nye, 1990: 167)

2.4 Normative Power Europe

Building on the notion of soft power, Ian Manners outlines in his highly influential article ‘Normative Power Europe: A Contradiction in Terms?’ how the EU has come to occupy a particular position in the international community, based on normative power rather than traditional sources of power such as military capabilities. He dubs this ‘Normative Power Europe’, or the normative power approach (NPA). (Manners, 2013)

With this article, Manners attempts to ‘refocus analysis away from the empirical emphasis on the EU’s institutions or policies, and towards including cognitive processes, with both substantive and symbolic components.’ (Manners, 2002: 239) In its relations with other international actors, the EU promotes a number of norms or values derived from its historical context, hybrid polity, and political-legal constitution. Manners identifies these ‘core principles’ as: (1) the centrality of peace; (2) the idea of liberty; (3) democracy; (4) the rule of law; and (5) respect for human rights and fundamental freedoms. These are supplemented with four ‘minor norms’: social solidarity, a commitment to anti-discrimination policy, sustainable development, and good governance. As Manners puts it, ‘[t]he reinforcement and expansion of the norms identified here allows the EU to present and legitimate itself as being more than the sum of its parts.’ (Manners, 2002: 244) The ideas that form the foundation of these norms are deeply rooted in the shared history of the continent and the post-WWII desire to prevent any armed conflict. Economic cooperation and integration, supplemented with a sense of shared norms, provided a rational answer to the challenges on the European continent, bonding former enemies through close reciprocal collaboration. These shared norms thus produce effects both in the ‘domestic’ European sphere, where they bond the Member States and create a shared sense of purpose or identity, and in the external sphere, vis-à-vis other actors.

They are diffused and spread through six factors that Manners identifies: contagion, the unintentional diffusion of EU norms to other actors; informational diffusion, resulting from strategic communication and new policy initiatives by the EU; and procedural diffusion, which occurs once relationships with third countries are institutionalized by means of cooperation agreements or through enlargement. The fourth factor enabling the diffusion of EU norms is transference, which occurs through the exchange of goods, trade, aid or technical assistance. Overt diffusion occurs when the EU has a physical presence in a third state, for example through diplomatic relations or monitoring missions. Finally, Manners argues that a cultural filter influences the diffusion of EU norms. This cultural filter is ‘based on the interplay between the construction of knowledge and the creation of social and political identity by the subjects of norm diffusion.’ (Manners, 2002: 245) It determines whether or not a third state is susceptible to the norms the EU intends to diffuse, depending on the local conditions in the third state (the ‘subjects of norm diffusion’, as Manners calls them). As Natalia Chaban (2015) notes, these factors depend on a two-way interaction between the EU as sender and the third state or society as receiver. The diffusion of these norms can ‘happen either intentionally, via strategic communication (“informational diffusion”) or unintentionally (“contagion”). In the latter case, the mutual exchange of ideas occurs - through either the institutionalization of a relationship (“procedural diffusion”); or through substantive or financial means such as trade, aid, or technical assistance (“transference”); or as a result of physical presence (“overt diffusion”).’ (N. Chaban, in Pardo, 2015: 40)

Hence, the potential of the normative power approach lies in its ability to identify the underlying reasons for the EU to diffuse its core principles, such as the idea of liberty, democracy, the rule of law and respect for human rights, through various mechanisms of interaction. It is premised on the notion that this interaction, as a result of globalization and increased interconnectivity, will inevitably produce some cultural and societal convergence. In that sense, the normative power approach shares a fundamental assumption with the notion of soft power, as both hold that power in the form of influence can be exerted by more than merely coercing or bribing others. If globalization and growing interdependence are taken to be a fact, promoting one’s own system of normative values can indeed be a valuable source of power.

2.5 The Brussels Effect

The previous sections introduced the notion of soft power as a way to exert influence, and the concept of the normative power approach. Both are premised on the ability to convince or co-opt other states because of intrinsic qualities or characteristics of a country that others find admirable or desirable. This section introduces a different mechanism of norm diffusion, known as ‘the Brussels Effect’, which describes a process of global regulatory convergence. All three concepts are combined in the analysis to explain how the GDPR is externalized by the EU and achieves global impact. This section introduces the theoretical foundations of the Brussels Effect, which are later applied to analyze the case of the GDPR.

2.5.1 The Brussels Effect

The notion of the EU as a power in international relations has been approached from a variety of angles. It is often described as sui generis, a one-of-a-kind creature, or an ‘unidentified political object’ in the words of Jacques Delors. (Phelan, 2012: 367) The EU is a political structure that combines the economic powers of its 28 member states to create a single European market, which has eliminated internal barriers to trade and increased its external bargaining power, making it one of the world’s main economic actors. (Young, 2015) The resulting economic power is visible not only when the Union conducts trade negotiations with third states, but also in its ability to take a leadership role in other issue areas not directly related to economic cooperation. These include issues concerned with normative values, such as promoting democracy and the rule of law, as outlined in the previous section, but extend to a wider range of issues such as the regulation of chemicals (REACH), antitrust law, environmental protection, food safety, and arguably also privacy protection. (Newman & Posner, 2015) While the exact modus operandi for achieving this leadership role varies from issue to issue, there are similarities to be found, as Bradford (2012) demonstrated in explaining how the EU succeeds in exploiting its economic strengths to reshape the global regulatory regime in its own image, thereby exerting global power through the Union’s legal and regulatory institutions. This process, also known as ‘unilateral regulatory globalization’, entails ‘a development where a law of one jurisdiction migrates into another in the absence of the former actively imposing it or the latter willingly adopting it.’ (Bradford, 2012: 4) It is not driven by political or military coercion, nor by economic force or bribery. Rather, it relies on private-sector market processes to explain why EU regulation can, in some cases, lead to a globalized regulatory framework that is drafted in Europe but adhered to in other jurisdictions.

This notion of gaining influence through regulatory standards builds on the idea of the ‘California Effect’, a concept used to describe the ability of the state of California to set nation-wide regulatory standards in the US regarding environmental protection. (Bradford, 2012: 5) This occurs because of a number of conditions that enable the externalization of regulations. Bradford formulates these conditions concisely by stating that ‘the jurisdiction must have a large domestic market, significant regulatory capacity, and the propensity to enforce strict rules over inelastic targets (e.g. consumer markets) as opposed to elastic targets (e.g. capital). In addition, unilateral regulatory globalization presumes that the benefits of adopting a uniform global standard exceed the benefits of adhering to multiple, including laxer, standards. This is the case in particular when the firms’ conduct or production is nondivisible, meaning that it is not legally or technically feasible, or economically feasible, for the firm to maintain different standards in different markets.’ (Bradford, 2012: 5) This takes place through the ‘de facto’ Brussels Effect – which occurs when multinational corporations ‘have an incentive to standardize their production globally and adhere to a single rule’ – and the ‘de jure’ Brussels Effect, which goes a step beyond that and is said to take place when export-oriented firms ‘have the incentive to lobby their domestic governments to adopt these same standards in an effort to level the playing field against their domestic, non-export oriented competitors.’ (Bradford, 2012: 6) Thus, the Brussels Effect entails a globalization of regulatory standards which occurs because, in a global market, multinational and export-oriented companies have an incentive to standardize production and adhere to one standard, and subsequently lobby other governments to adopt similar rules in order to level the playing field. This race-to-the-top, in which companies adapt their products to the highest regulatory standard, is also known as ‘upward regulatory convergence.’ (Bradford, 2012: 7) Products, services, or conduct adhere to the highest regulatory standard, as this subsequently enables admittance to jurisdictions in which the regulations are less strict.

2.5.2 Conditions for the Brussels Effect

The Brussels Effect is driven by five factors: a large internal market, significant regulatory capacity and willingness to regulate, a preference for strong rules, a propensity to regulate inelastic targets, and nondivisibility of the firm’s conduct or product. The EU possesses four of the aforementioned qualities: it has the largest economy in the world, with a GDP of $17.1 trillion², which is leveraged as a political instrument. Furthermore, the consumers in the European market are relatively affluent, and thus attractive for companies to sell their products to, while foregoing the market imposes high opportunity costs. (Orbie, 2011) Secondly, for this strategy to be effective, besides setting high standards, there must be enough regulatory capacity to enforce these regulations, and the political willingness to enforce them strictly. The EU has a strong institutional and bureaucratic foundation that enables it to enforce these stringent regulations, and it has experience in challenging non-compliant member states as a result of its internal market project. (Damro, 2015) Thirdly, the EU has displayed a preference for strict rules, and a predisposition to be the most stringent regulator globally. The political dynamic in the EU generates this tendency for stringent rules and ‘reflects their aversion to risk and commitment to a social market economy.’ (Bradford, 2012: 15) Fourth, the EU has a penchant for regulating inelastic targets, which ‘cannot [be] circumvented by moving the regulatory targets to another jurisdiction.’ (Bradford, 2012: 16) The EU often regulates consumer markets, as consumers rarely relocate because of high regulatory standards. In order to access the consumers in Europe, organizations thus must comply with the EU’s high standards. This has augmented its role as a global standard-setter whose regulations are difficult to circumvent or undermine.

² See International Monetary Fund, last visited 7-5-2018, http://www.imf.org/external/pubs/ft/weo/2017/02/weodata/weorept.aspx?pr.x=89&pr.y=6&sy=2017&ey=2017&scsm=1&ssd=1&sort=country&ds=.&br=1&c=998&s=NGDPD%2CPPPGDP%2CPPPPC&grp=1&a=1

The last factor contributing to the effectiveness of the Brussels Effect is the economies-of-scale rule: production becomes cheaper as the size of production increases, and as the company serves several markets with the same product. This only holds when the production standard is the same, which encourages a uniform, global production standard. In that regard, Bradford notes that ‘global standards emerge only when corporations voluntarily opt to comply with a single standard determined by the most stringent regulator, making other regulators obsolete in the process.’ (Bradford, 2012: 17) This nondivisibility occurs in three types: legal nondivisibility, technical nondivisibility, and economic nondivisibility. With regard to the GDPR, technical nondivisibility is the most relevant: companies are often unable to isolate their European data collection practices, and are thus forced to comply with the EU standards globally. This will be explored more extensively in the analysis.

2.6 Externalization in the soft and normative power framework

The previous sections combined three distinct theoretical perspectives to answer the question of how the concept of externalization fits in the broader frame of soft and normative power. Soft power describes the ability to co-opt others to adopt similar policy objectives. This is achieved through a factor of attractiveness, comprising intrinsic qualities or elements within the culture or society of a country that contribute to a positive association in third states. Nye contends that ‘political leaders and philosophers have long understood the power of attractive ideas or the ability to set the political agenda and determine the framework of debate in a way that shapes others’ preferences. The ability to affect what other countries want tends to be associated with intangible power resources such as culture, ideology, and institutions.’ (J. S. Nye, 1990: 166-167) Manners expanded on that notion by arguing that the EU finds its basis and legitimation in five normative values: the centrality of peace, the idea of liberty, democracy, the rule of law, and respect for human rights and fundamental freedoms. (Manners, 2002: 242) These norms are diffused in world politics through the EU’s international relations, as ‘it seeks to redefine international norms in its own image.’ (Manners, 2002: 252) One way in which this restructuring of international norms is pursued is through regulatory globalization, as Bradford’s Brussels Effect proclaims. The EU uses its internal market, which is too big for many companies to forego, to incentivize multinationally operating organizations to adopt EU regulations, and it does so by regulating inelastic targets. Moreover, the EU has the capacity to enforce its regulations and the propensity to set the highest standard. Bradford supports this theory by naming examples of industries in which the EU managed to set the global standard, such as antitrust regulation, privacy regulation, the regulation of chemicals, environmental protection, and food safety standards. In these areas, the EU has stimulated upward regulatory convergence towards the European standard. (Bradford, 2012)

The concept of soft power and the normative power approach are similar, but have distinguishing features. Soft power is premised on the idea that certain elements can attract other countries, and accordingly enable influence over them. The normative power approach offers an analytical framework which explains which elements the EU leverages in its international relations to achieve that degree of soft power. The attractiveness of the EU is predicated on its commitment to normative values, to the rule of law and to the liberal world order. The EU externalizes such policies in relations with other countries through five elements of diffusion: contagion, informational diffusion, procedural diffusion, transference, and overt diffusion. The diffusion of these norms is shaped by a cultural filter, ‘which affects the impact of international norms and political learning in third states and organizations leading to learning, adaptation, or rejection of norms.’ (Manners, 2002: 245)

This thesis argues that the externalization of the GDPR through various mechanisms and instruments in the Regulation can be considered an instance of soft power, as the EU promotes its own normative preferences beyond its own jurisdiction. This argument will be further elaborated on in the analysis section.

3 Methodology

3.1 Formulating the Research Questions

This research focuses, from a holistic perspective, on the question whether the EU can set international norms by means of its own legislation. By setting the agenda, and possibly the rules, for a certain issue, influence can be acquired and exercised. Data is becoming more important, and concerns about the possible implications of ever-larger databases are increasing. In such an environment, with mounting domestic (European) political pressure, the ability to set the rules is a valuable form of influence that can only be analyzed by taking into account factors that are not easily quantifiable or measurable.

The main research question of this study is: ‘To what extent does the EU exercise normative power through externalization of its privacy and data protection regulation?’

To guide this research question, four sub-questions have been formulated:

• Does the concept of externalization fit within the broader frame of soft and normative power?

The theoretical framework introduced three separate concepts: soft power, the normative power approach, and the Brussels Effect. The first section of the analysis offers an explanation of how these concepts can be tied together in order to analyze the GDPR.

• What is the background, history, and context in which the GDPR was drafted?

This question serves to outline the history of privacy in Europe and to juxtapose it with the US. This places the privacy debate in a cultural, historical and societal context, which is crucial to understanding why this legislation emerged in Europe and under what circumstances. Moreover, it sketches the broader societal debate regarding privacy and data protection by incorporating recent incidents and current events.

• How, and to what extent, can the GDPR be considered an attempt to externalize EU privacy regulations on a global scale?

This question serves to establish the connection between the extraterritorial application of the GDPR and how this is driven by elements of diffusion and the ‘Brussels Effect’, which potentially leads to upward regulatory convergence. It also outlines the conditions under which this unilateral regulatory globalization can occur with regard to privacy and data protection policy, and forms the basis for the analysis in which these theoretical conditions are compared with findings from practice.

• How, and why, is the externalization of the GDPR an example of Normative Power Europe?

This question serves to establish the connection between the externalization of the GDPR and the normative agenda of the EU, and how this can be seen as an example of the Normative Power Europe paradigm.

These four questions provide answers to specific elements of the main research question. The first sub-question justifies the use of soft power, the NPA, and the Brussels Effect to analyze the GDPR. However, before the elements of the GDPR that facilitate externalization can be identified, an understanding of the GDPR and the context in which this legislation was proposed must be formed; hence the second question. The third question merges theory with practice by asking which elements in the GDPR ensure its extraterritorial application, and how it is externalized, which in turn leads to the final sub-question. The research questions reflect the exploratory and explanatory nature of this thesis. On the one hand, the objective is to explore the GDPR and become acquainted with the legislation, while simultaneously aiming to explain which specific triggers it operationalizes to externalize the legislation.

3.2 Using a holistic approach

Thus far, the theoretical framework has illustrated that soft power can be derived from values, culture, or ideas. These qualities are not quantifiable but rather a matter of degree. Therefore, a qualitative research design fits the objective of this research better than quantitative methods. As Blatter argues, ‘Case studies are superior to large-N studies in helping the researcher to understand the perceptions and motivations of important actors and to trace the processes by which these cognitive factors form and change.’ (Blatter, 2012: 6) This qualitative research was conducted as a single case study to test the applicability of certain theories to a case, in which it is possible ‘to retain the holistic characteristics of real-life events while investigating empirical events.’ (Schnell, 1992: 2) This research design allows the exploration of complex theories, and makes it possible to focus on cognitive factors such as norms, ideas, and discourses. (Schnell, 1992) These phenomena are not necessarily measurable or quantifiable but certainly exist, as they influence and inform policy decisions which produce real effects. Using a case study allows the researcher to sketch a contextualized image of certain developments, trace motivations, or explain processes that are driven by these cognitive factors. It also allows a broader set of theoretical approaches to be taken into account. (Blatter, 2012: 7)

The three theories selected for application to this case all have specific characteristics which will be tested against the case of the GDPR. For the theory of soft power, Nye outlined these as ‘behaviors’ – identified as attraction and agenda-setting – and ‘primary currencies’, which he identified as values, culture, policies, and institutions. (J. S. Nye, 2009: 31) These behaviors can be seen as outputs, the result of the primary currencies which are expended in order to achieve that output: namely the ability to set the agenda and to increase the degree of attraction vis-à-vis other actors. The normative power approach describes how core European values are spread through processes of diffusion. These include contagion, informational diffusion, procedural diffusion, transference, and overt diffusion, which are affected by a cultural filter. (Manners, 2002: 244-245) The third theory used, the Brussels Effect, describes the prerequisites that enable the externalization of European regulations. These factors are a large domestic market, significant regulatory capacity, strict rules over inelastic targets, and nondivisibility of the product or conduct. (Bradford, 2012: 5) These factors are systematically analyzed in relation to the GDPR to identify how externalization of the GDPR takes place.

These factors are taken as concepts that explain a certain phenomenon or process, or offer a narrative on the motivations and opportunities for externalizing EU policy. Soft power is used to explain the underlying motivation, while the factors of diffusion outlined in the normative power approach explain how this is achieved from an institutional perspective, through the work of the EU itself. This is supplemented with the concepts of the Brussels Effect, which reveals how this process of externalization is also driven by market forces and private actors.

Theory                      Factors
Soft Power                  Attraction, agenda-setting, values, culture, policies, institutions
Normative Power Approach    Contagion, informational diffusion, procedural diffusion, transference, and overt diffusion
The Brussels Effect         Large domestic market, significant regulatory capacity, strict rules over inelastic targets, and nondivisibility of the product or conduct

Each of these theories is accordingly applied to the GDPR in separate chapters which are combined in the conclusion to form a coherent explanation of the underlying motivation for the GDPR, and how this translates to practice. As becomes obvious from the stated purpose, the aim of this study is to generate useful, practical insights for social actors, not to generate law-like theories or generalizable hypotheses.

The research design therefore relies on a holistic, single-case design, with a single unit of analysis. A holistic case study allows for nuance, sequentiality and context, while also retaining an open attitude to competing perspectives and recognizing the arbitrariness of research. (Stake, 1995: xii) Yin (2009) outlines five rationales for using a single-case design. Such designs can be used (1) when the case represents the critical case in a well-formulated theory; (2) when it represents an extreme or unique case; (3) when it is the representative or typical case; (4) when it is a revelatory case; or (5) for doing a longitudinal study. (Yin, 2009: 46-49) In this thesis, the motivation for using a single-case design is a combination of two rationales: the GDPR can be considered a representative or typical case, and it might be a revelatory case, which can be used for further academic inquiry. The EU’s privacy regulations, and their influence abroad, have been studied from a range of different perspectives, either comparing them to other legislative frameworks or analyzing their intrinsic qualities. (Bignami, 2007; Bloch-Wehba, 2015; Cunningham, 2013; Greenleaf, 2012; Hughes, 2015; Kuner, 2015; Poenaru, 2014; Ryngaert, 2015; Schwartz, 2013; Schwartz & Peifer, 2017; Svantesson, 2014; Whitman, 2004) They have been used as an example of the externalization of EU policy, as Gady (2014) and Schwartz & Peifer (2017) did. In that sense, EU privacy regulation can be considered a typical case for studying the EU’s influence in an international context. Moreover, Bradford (2012) argued that the diffusion of European privacy policy is one of the issues that can be explained by the Brussels Effect. Hence, European data privacy policy is a representative case of how the EU drafts legislation with extra-territorial effects. It is a revelatory case as it concerns new legislation to which these types of analyses have not yet been applied, namely the GDPR.

In sum, the answers to the research questions can be found by analyzing the GDPR itself and scholarly work on privacy culture, regulatory policy and legal analyses of how European regulations trigger extra-territorial effects. The data used in this thesis thus consist of academic work and the text of the GDPR, which are analyzed through desk research.

4 Analysis

Whereas the theoretical framework offered a descriptive analysis of soft power, the normative power approach and the Brussels Effect, this chapter applies these concepts to the specific case of the GDPR. This analysis provides answers to the sub-research questions as stated in the introduction and methodology. The first sub-question has been answered in the closing section of the theoretical framework. This chapter provides answers to the second, third, and fourth sub-questions, after which the main research question is answered in the conclusion. In order to do so, the core elements of the GDPR are first delineated and linked to the ‘rights talk’ discourse in the Union. (Schwartz & Peifer, 2017) This is supplemented with a broader analysis of the history, background and context in which the GDPR came into being, in order to frame it within the normative debate. This also includes a discussion of the divergence between the European approach to data protection and privacy and the approach taken in the US, to illustrate that these concepts are context-dependent. This provides an answer to the second sub-question. Subsequently, the third part of this analysis isolates specific elements from the GDPR and reviews how these can be considered mechanisms for externalization, answering the third and fourth sub-questions. This is done in three parts: first, a systematic analysis of trigger-mechanisms in the GDPR is executed, after which this is supplemented with an analysis using the Brussels Effect. Finally, a perspective on the GDPR in terms of the normative power approach complements this part, offering a comprehensive dissection of the mechanisms inherent in the GDPR that enable its application beyond the borders of the EU.

4.1 The GDPR: the European rights-based approach

With the GDPR, the EU introduces a comprehensive framework legislation, aimed at harmonizing the internal European market with regard to data protection and privacy and facilitating international data transfers, while respecting the rights of data subjects (EU citizens and EU residents). This section introduces the principles on which the GDPR is premised. Thereafter, a delineation of what this means in practice for data subjects follows, to illustrate the functional, practical consequences of the introduction of this legislation. The section concludes by linking these principles to the framework of rights that the Union invokes as the justification for the GDPR.

As the name indicates, the GDPR is a regulation, contrary to the previous legislation, which came in the form of a directive that had to be transposed into national law by each member state. (European Union, 2018) As a consequence, the GDPR has a far more harmonizing effect, as national legislatures have less discretion to adapt the law to their national preferences than they had with DIR95. As Tankard (2016) concludes, DIR95 resulted in a fragmented data protection legislation landscape, as countries added to the basic principles of the directive and enforced their own sanctions regimes. The GDPR applies throughout Europe in the same way. Moreover, as the Commission set out in a communication, the GDPR aims at leveling the playing field for both European and non-European organizations operating on the European market. (European Commission, 2018c) This specific aim is backed up by the possibility to levy hefty fines for non-compliance, which are included in the GDPR itself, whereas the previous directive left sanctions to national law, resulting in differences in sanctioning and enforcement. (Schwartz, 2013: 1997)

The GDPR is based on six core principles, outlined in Article 5(1) GDPR. According to this article, personal data should be processed in a lawful, fair and transparent manner; it should be collected for specific purposes (purpose limitation); only the data necessary in relation to the purpose should be collected (data minimization); it should be accurate and up-to-date; it should be retained no longer than necessary for the purpose (limitation of retention); and it should be processed in a way that ensures confidentiality and security. (Information Commissioner’s Office, 2018b) Moreover, article 5(2) states that processors or controllers of data are responsible for, and should be able to demonstrate, compliance with these principles. This is also sometimes referred to as the accountability and liability clause. (Information Commissioner’s Office, 2018a)

These principles reflect the position of the EU with regard to privacy and data protection and translate abstract rights into tangible rights for individuals. These rights include the right to be informed (article 12), the right to access the data that is held (article 15), the right to rectification in case the information held about the individual is incorrect (article 16), the right to erasure or the right to be forgotten (article 17), the right to restrict processing (article 18), the right to data portability (article 20), the right to object to the processing of personal data in certain circumstances (article 21), and a number of rights to opt out of automated decision-making (article 22).

Thus, the GDPR is first and foremost centered on granting rights to individuals based on its core principles. This fits the context in which data protection and privacy emerged as rights on the European continent and explains why they can be considered part of the normative agenda that Europe pursues. This fits both the soft power theory – in the sense that the EU has taken an agenda-setting role in the international context – and the normative power approach – in the sense that Europe’s privacy and data protection framework has been diffused over the last decades and has influenced subsequent data protection legislation across the globe. The next section introduces this context to clarify why history and context are essential for appreciating how and why the GDPR can be seen as an extension of the European rights-focused narrative that has given the Union legitimacy as a champion of the fundamental rights enshrined in its various treaties and conventions.

4.2 Why history and context matter

The GDPR is based on the European conceptualization of privacy and data protection as a fundamental right, which is different from other views on privacy, most notably that in the United States. (Bignami, 2007; Bloch-Wehba, 2015; Cunningham, 2013; Poenaru, 2014; Schwartz & Peifer, 2017; Whitman, 2004) The perception of a right to data protection is mentioned in the very first recital of the GDPR, reiterating the legal basis of privacy and data protection in the Charter of Fundamental Rights of the European Union (the ‘Charter’) and the Treaty on the Functioning of the European Union (TFEU).

This conceptualization explains why the EU has been a staunch supporter of stringent privacy legislation that respects the individual’s right to a private life, as established in articles 7 and 8 of the Charter, which explicitly recognize the right to a private life and the right to protection of personal data. The Charter already establishes that the individual (or the data subject, in GDPR terminology) has the right to access the data that is held about him or her, as well as the right to rectification. Moreover, this European ‘Bill of Rights’ also stipulates that the processing of data can only be legitimate if prior consent is given by the data subject, and that the enforcement of compliance should be subject to an independent authority. The Charter, signed in 2000, thus already established key elements of what would later become the GDPR. The position of privacy and data protection in the Charter of Fundamental Rights is remarkable, to say the least, especially for those brought up with a different cultural and social understanding of the concept of ‘privacy’, such as in the US or China. The following section first outlines why privacy and data protection have taken such a prominent role on the European continent, providing the foundation for a further analysis of cultural and legal differences in the role and position of privacy in contemporary societies, law, and interactions.

The conceptualization of privacy and data protection as human rights is embedded in European continental history, although varying explanations are offered by a number of scholars. James Q. Whitman (2004) argues that current privacy laws are the product of European history dating back to the revolutionary eighteenth and nineteenth centuries in continental Europe, as the ordinary citizen demanded equality. This revolved around the demand for ‘dignity’, which was previously only accorded to high-status individuals, and ‘what we see in continental law today is the result of a centuries-long slow-maturing revolt against that style of status privilege.’ (Whitman, 2004: 1166) The argument that Whitman makes is that European continental law is grounded in a concept of human dignity, with the right to one’s image, name, and reputation as core values. They are, at their core, a form of protection of a right to respect and personal dignity. They allow the individual to control one’s public image, to guarantee that people see you as you want to be seen, and to be spared embarrassment and humiliation. (Whitman, 2004: 1161) Whitman’s understanding and explanation of privacy as a concept of dignity is derived from European history in the times of the Enlightenment. There are also views that argue that it is rather a consequence of the violent history of Europe, and especially of the atrocities committed by the Nazi regime during the Second World War. This is proposed by Francesca Bignami (2007), who offers a comparative analysis of European and American data protection laws, and of how indiscriminate surveillance by the state is curtailed by European data protection laws. (Bignami, 2007) McKay Cunningham contributes the explanation that the origins of this European ‘commitment to privacy derive in part from Nazi exploitation of European census records preceding and during World War II.’ (Cunningham, 2013) According to Hannah Bloch-Wehba (2015), the Nazi regime aggressively pursued family policies that would lead to a ‘renewal of German society by eliminating racially problematic elements.’ (Bloch-Wehba, 2015: 753) Consequently, the divide between the public and private sphere soon deteriorated as the German government regulated the most intimate elements of human life, including marital relations, and initiated programs to remove hereditary diseases from society. To sum up, the European understanding and valuation of privacy is rooted in a historical context, and at its core relates to respect for individual dignity, which consequently constituted privacy and data protection as a fundamental right.

Safeguarding privacy and data protection in the EU thus finds its normative justification in the Charter and the TFEU, but the EU also – most notably now with the GDPR – projects that understanding beyond its own territorial borders. This, however, clashes with other understandings of the role that privacy and data protection fulfil in other legislative, social, and cultural traditions. Most notable in that regard is the divergence between the understanding of privacy and data protection in Europe vis-à-vis the United States. Whereas it is considered a fundamental human right in Europe, it is considered a product of market relations in the US, leading to a ‘commodification’ of privacy and data protection. (Schwartz & Peifer, 2017: 132)

The next section briefly introduces the American perspective on privacy as an exercise of personal liberty, and contrasts the legal, social, and economic consequences thereof with the European perspective. This reiterates the argument that these concepts are context-dependent, and shaped through interaction with actors and agents. As the US is the largest trading partner of the EU, it is imperative to reach at least a minimum agreed-upon understanding of what data protection and privacy entail, and of how this should be embedded in legal agreements to facilitate transatlantic data transfers.

4.3 The ‘Transatlantic Data War’

The previous section outlined the historical roots of privacy and data protection as fundamental rights in the EU. This section contrasts that understanding with the understanding of these concepts in the US and summarizes the tensions that have arisen between the US and the EU, sometimes dubbed the ‘Transatlantic data war’. (Bignami, 2007; Farrell & Newman, 2016; Poenaru, 2014; Schwartz & Peifer, 2017) The fundamental difference between the US and the EU regarding these concepts and their legal status has implications for economic and geopolitical transatlantic relations.

The US represents the largest trading partner of the EU, both in terms of imports and exports, with the trade in digital services amounting to $260 billion annually. (Eurostat, 2018; Pritzker, 2016) Hence, differences in the understanding of important concepts such as privacy and data protection can potentially lead to disruptions of this exchange and to economic damage. This was witnessed when the Safe Harbor Agreement, a framework for facilitating transatlantic data flows which was in force from 1998 until 2016, was challenged by an Austrian privacy activist, Maximilian Schrems. In its ruling of October 6, 2015, the European Court of Justice found that the US did not provide adequate protection for the data of EU citizens stored in the US, and overturned this framework. (Court of Justice of the European Union, 2015) This gave the impetus for new negotiations between the EU and the US, resulting in the Privacy Shield Agreement, a revised framework to facilitate transatlantic data flows. (European Commission, 2016)

While privacy and data protection are included in the European Convention on Human Rights and the Lisbon Convention, and are thus codified in official legal documents, the American legal basis for these issues is anchored primarily in information privacy law in the marketplace. As Schwartz and Peifer note, ‘U.S. law does not equip the privacy consumer with fundamental constitutional rights; rather, she participates in a series of free exchanges involving her personal information. […] Personal information is another commodity in the market, and human flourishing is furthered to the extent that the individual can maximize her preferences regarding data trades. The focus of information privacy law in the United States is policing fairness in exchanges of personal data.’ (Schwartz & Peifer, 2017: 132) This commodification of privacy, as something that can be exchanged for (free) services, has been the business model of many industry leaders in the technology sector, such as Google and Facebook, which offer free services in exchange for personal data. That data is subsequently analyzed and used for business performance optimization and targeted advertising. These practices, legitimized by the commodification of privacy in the US, are a source of concern in the EU, as witnessed by the lawsuits that have been filed against many of these companies. Exacerbating the tensions are the legal disputes related to the taxation of these companies, with several companies such as Facebook, Apple, Microsoft, Adobe, Airbnb, Yahoo! and IBM using structures to minimize their effective tax rates. (Gumbel, 2012) A new EU plan to tax the turnover of companies with significant digital revenues in Europe further strains the relationship between the EU and influential tech companies. (Blenkinsop, 2018)

Besides the cultural differences between the US and the EU, the previous section illustrated that there are more issues driving a wedge between the US and the EU when it comes to the regulation of tech companies and the management of privacy and data protection. The permissive climate in the US for companies to utilize personal data has presumably allowed these technology companies to thrive, as their business models are built on the commodification of personal data. The exchange of personal data for services has widened their customer base by eliminating thresholds to the accessibility of their services, allowing them to build up large databases of personal data which are used to optimize their business performance and sustain their advertisement-based revenues. This strategy was actively supported by the US government, for example through the WTO, as the worldwide dispersion of American information and communication technology was enabled by the Information Technology Agreement (ITA), adopted in 1996. This agreement liberalized world trade in information technology and safeguarded market access opportunities for tech companies. It also removed tariffs for a range of IT products, including manufacturing equipment, telecommunication apparatus, data storage media, and software. (Burri, 2017: 177) Accordingly, it can be concluded that the US has also done its fair share to promote its companies abroad and stimulate their global dominance through trade agreements or by pushing for regulatory convergence through the WTO. The GDPR, in that perspective, can be seen as a European pushback and another example of an instrument used to protect economic and political interests.

4.4 Externalizing the GDPR: triggers and mechanisms

The previous sections set out the historical context of the GDPR and how the European conceptualization of privacy and data protection differs from that in the US. This section describes why this matters in terms of the externalization of the GDPR, and through which mechanisms and instruments the EU ensures the extraterritorial effects of the GDPR.

The EU has crafted quite an ingenious system of spreading its privacy and data protection principles around the world. This is accomplished through a range of instruments that ensure the application of EU regulations globally and that result from the legal phrasing in the GDPR, a track record of promoting privacy and data protection regulations abroad, and instruments that incentivize the adoption of EU standards. Joanne Scott (2014) described how the EU increasingly deploys ‘a broad range of legislative techniques to regulate conduct that takes place outside the EU’s borders.’ (Scott, 2014: 1343) These legislative techniques are described as ‘triggers’ which regulate conduct beyond its own borders. According to Scott (2014: 1344), the EU relies on three grounds to legitimize these triggers: either the conduct takes place in the EU, there is a legal or physical presence in the EU, or EU law applies because it concerns individuals holding the nationality of an EU member state. This opens up possibilities for extraterritorial regulation by the EU of entities or organizations beyond its own territorial jurisdiction.

In the GDPR, there are at least six mechanisms or triggers that launch the extraterritorial application of the GDPR. These are identified as: 1) the scope of the GDPR (article 3); 2) the instrument of adequacy decisions (article 45); 3) Binding Corporate Rules (article 47); 4) Standard Contractual Clauses (article 28(6)); 5) Codes of Conduct (article 40); 6) certification procedures (article 42). These instruments are of three kinds. First, there is a mechanism aimed directly at compelling other countries to adopt similar standards, by means of adequacy decisions issued by the European Commission. Second, there are instruments aimed at multinational corporations, such as Binding Corporate Rules, the Standard Contractual Clauses, the Codes of Conduct, and the certification mechanism as outlined in article 42 GDPR. Third, there are elements in the GDPR that drive regulatory convergence because they make sense business-wise. These elements aim at increasing the nondivisibility of data protection and ensure that the GDPR regulates inelastic targets, to increase the difficulty of circumventing the regulation. By increasing the nondivisibility of data protection and the difficulty of circumventing the regulation, the GDPR incentivizes global implementation of the regulation, as this entails standardization of production and stimulates benefits achieved through economies of scale. These instruments and mechanisms are analyzed for their potential to disseminate GDPR compliance measures around the world, and thus for their ability to extend the influence of the EU beyond its own territorial borders. This section systematically analyzes how these triggers contribute to the extraterritorial application of the GDPR. Some of these triggers or mechanisms may have been present in previous legislation, such as DIR95, and are not new, but they merit inclusion in any systematic analysis of factors that enable externalization of the GDPR.

1. The scope of the GDPR (article 3)

Article 3(1) of the GDPR holds that ‘[t]his regulation applies to the processing of personal data in the context of activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not.’ This indicates that ‘in order to fall within the EU jurisdiction it is not necessary for a data controller to process the data within the EU.’ (de Hert & Czerniawski, 2016: 237) This ‘extra-territorial’ application has been a source of much contention, with proponents of the principle arguing that it relates to an individual’s fundamental rights, which merits extraterritorial application (Ryngaert, 2015: 233), and which might even justify widening the jurisdictional scope of EU data protection legislation. (Taylor, 2015: 256) On the other hand, Kuner (2015: 243) argues that the extraterritorial application of EU law must have some limits, ‘unless EU data protection law is conceived of as a kind of universal law that applies to the entire world.’ While this need not necessarily be the case, the scope of the GDPR is rather wide, as can also be seen in article 3(2), which extends the scope of the regulation to include any processing of personal data by controllers or processors not in the Union, if they offer goods or services to data subjects in the Union, or monitor the behavior of EU data subjects. The net is cast fairly wide, as article 3 triggers the application of the GDPR if the controller or processor is located in the Union, when a controller or processor offers goods or services to EU data subjects, or when a processor or controller monitors the behavior of EU data subjects. These activities can take place outside the Union but still fall within the scope of the Regulation.

2. The instrument of adequacy decisions (article 45)

The second trigger analyzed here is the so-called ‘adequacy decisions’, issued by the European Commission. Thus far, the EU has issued adequacy decisions for Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (Privacy Shield framework). Furthermore, adequacy talks are ongoing with Japan and South Korea.3 These adequacy decisions enable the transfer of personal data of EU citizens to third countries if the third country is found to offer adequate protection through its laws and legislation. This is outlined in article 45, which also specifies some of the elements that the Commission takes into account when making such a decision. These include the rule of law, respect for human rights and fundamental freedoms, and relevant legislation, but also membership of international organizations and other commitments, as well as the existence of independent supervisory authorities. In doing so, the EU clearly issues a normative judgment about political elements in a third state, which indicates that such adequacy decisions are not merely concerned with assessing whether or not a country has a firm legislative framework regarding data protection and privacy, but also with whether it adheres to normative, European preferences such as the rule of law and ‘respect for human rights and fundamental freedoms’. This recalls the words of Manners, who held that the EU ‘seeks to redefine international norms in its own image.’ (2002: 252) The EU thus only allows unrestricted transfers of personal data to third countries that adhere to the same political principles. If there is no adequacy decision – as is the case for the majority of the rest of the world – organizations can resort to BCRs, Codes of Conduct, or SCCs, but this only grants the possibility of transferring data between two organizations or within an organization. The adequacy instrument is an inherently normative assessment by the EU of the level of data protection in third countries, which is only granted when a third state possesses similar political structures or adheres to the same normative values. This process, as Scott (2014: 1377) argues, facilitates extensive dialogues between the EU and third states, which can build trust and reduce conflict. This can be seen as procedural diffusion and transference in the normative power framework. However, in many cases such an adequacy decision is made in an asymmetrical power relation, with the EU wielding significantly more economic power than, say, Guernsey, the Faroe Islands, or the Isle of Man. De facto, this asymmetrical bargaining game allows the EU to impose its legislative framework onto third states which are to a large degree dependent on trade with the EU.

3 See: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

3. Binding Corporate Rules (article 47)

When an organization needs to transfer data from an entity in the EU, or regarding EU citizens, to an entity in a third country with which the EU has no agreement in the form of an adequacy decision, it can opt to implement so-called Binding Corporate Rules to facilitate these transfers. BCRs enable data transfers within one organization but between different countries. Article 47 sets out that these BCRs have to be ‘legally binding and enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity’. Lokke Moerel (2012) offers a number of explanations why companies choose to use these BCRs. She holds that globalization resulted in the diffusion of the activities of multinationals throughout the world, as they offshore certain services or processes for cost reasons, which involves data transfers to service other business units. This, along with the increased complexity of international data transfers, which are often routed through multiple networks or computers, exacerbated the need for a legal framework that enables international data transfers within multinational corporations. As these companies operate in a global environment, they have to comply with several national legislations. According to Moerel, ‘the existing regulatory minefield in the data protection area has led many multinationals to implement worldwide corporate privacy policies.’ (Moerel, 2012: 22) Moreover, ‘[t]he complications with the EU data transfer rules in particular have led multinationals to put pressure on the DPAs to recognize their corporate privacy policies as providing an adequate level of protection for the processing of personal data throughout their groups of companies.’ (Moerel, 2012: 23) BCRs ultimately rely on a system of transnational self-regulation combined with public arrangements. Multinational companies compose their own privacy regulations, which contain a legally binding element that obliges them to follow self-prescribed rules in line with the GDPR. However, these rules must be validated by a DPA before they apply and can legitimize international data transfers. (Moerel, 2012: 23)

A consequence of this system of BCRs is that multinational corporations increasingly use privacy regulations that comply with the GDPR to facilitate international data transfers. As such, they adopt EU-style self-imposed regulations in third countries although the data protection legislation of that third country might be far less restrictive, rendering the local regulator obsolete. Multinational corporations diffuse these EU norms across the world if they want to be able to continue necessary data transfers between different business units, thereby extending the scope of EU legislation, as it also applies to employees, suppliers and business partners in these third states. The instrument of BCRs thus contributes to the diffusion of European data protection standards as it bestows EU data protection norms on non-EU residents in non-EU countries and thereby expands the scope and applicability of the regulation.

4. Standard Contractual Clauses (article 28(6))

The SCC principle is outlined in article 28(6) of the GDPR and provides the possibility of using standard contractual clauses, laid down by the Commission, as a legitimate ground for international data transfers between a controller (presumably inside the EU) and a processor of data (presumably outside the EU). These SCCs contain a number of guarantees that these transfers, as well as the internal procedures of the processor, are aligned with Union law (the GDPR). This concerns data transfers between separate entities rather than within one organization, but it functions in a similar fashion to the BCRs, for it extends the scope of EU legislation to include entities outside the jurisdictional scope of the EU. These processors, in order to continue processing data from EU controllers, voluntarily comply with EU regulation although they might reside in a completely different jurisdiction.

5. Codes of Conduct (article 40)

The fifth trigger of extraterritorial application of the GDPR can be found in article 40, dealing with Codes of Conduct, which are voluntarily drawn up by organizations. Article 40(3) specifies that ‘In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organizations under the terms referred to in point (e) of Article 46(2).’ (GDPR: article 40(3)) De facto, this allows controllers and processors not in the EU to demonstrate that they have implemented GDPR compliance measures in their operations, which can subsequently be used to demonstrate that the organization provides adequate safeguards, after which it may, without requiring specific authorization from a supervisory authority, transfer personal data to a third country or international organization.

Hence, the extraterritorial application of the GDPR is facilitated through approved codes of conduct that provide guarantees that processors outside the EU adopt similar standards and provide the necessary technical, organizational, and procedural measures to comply with European regulations wherever they may be located.

6. Certification procedures (article 42)

Lastly, the Regulation provides for a new certification scheme, as outlined in articles 42 and 43. Lachaud (2016: 815) notes that this is the first time that a ‘certification ecosystem is included into the European law’. Such a certification process is ‘a voluntary assessment process realized by an external and accredited auditor, based on requirements issued by a recognized authority. The assessment, if successful, leads to the issuance of a formal attestation of conformity.’ (Lachaud, 2018: 245) These certifications are specifically aimed at demonstrating ‘the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3’. (GDPR: article 42(2))

Fundamentally, such certifications are a sign of approval that an organization has complied with the rules as laid down by the GDPR, issued by an external auditor (who must have the capacity and expertise to perform these audits), even though the organization is not legally bound by the GDPR because it falls outside the jurisdictional scope as laid down in article 3. This certification process thus includes – like the process of BCRs, SCCs and the Codes of Conduct – a voluntary component, and the supervision of European data protection authorities. With the certification mechanism, the EU opens up the possibility of voluntary affiliation of non-EU entities with EU law. Although there are some major concerns yet to be addressed – for example the capacity of the DPAs to perform sufficient audits to guarantee the quality of the certification process and of the independent certification bodies – the certification mechanism offers ample opportunity to expand the EU legislative framework to include organizations all over the world.

The various triggers in the GDPR that allow for extra-territorial application of the Regulation are thus specifically aimed at drawing organizations into the data privacy framework of the Union. By requiring adherence to EU practices, the EU de facto renders other regulators obsolete in their function as rule-setters. Fully aware that the GDPR is arguably the most comprehensive data privacy framework in the world, the EU relies on the capabilities of the market to diffuse these European values and norms.

4.5 Diffusing the GDPR: a NPE perspective

The previous section analyzed the different mechanisms in the GDPR that enable extraterritorial application of the Regulation from a legal perspective. Earlier, in the theoretical framework, Manners’ factors of diffusion were discussed. Now, these factors are used to explain how the GDPR is diffused across the globe.

First, Manners argued that contagion leads to the diffusion of EU norms. This is the result of unintentional diffusion, for example by leading ‘by virtuous example’. In the past, the EU has had tremendous influence on how global privacy legislative frameworks have been shaped. Graham Greenleaf (2012) conducted comparative research assessing the influence of European data privacy standards outside Europe and found that the new privacy frameworks drafted in 33 countries share most of the factors that are distinctive of European data privacy law, and thus can be said to be derived from, or inspired by, European privacy and data protection legislation. (Greenleaf, 2012: 94) So, even before the GDPR, Europe already managed to influence the substance of privacy laws in third countries.

The second kind of diffusion, informational diffusion, also takes place in relation to the GDPR. Manners defines this as ‘the result of strategic communications, such as new policy initiatives by the EU, and declaratory communications, such as initiatives from the presidency of the EU or the president of the Commission.’ (Manners, 2002: 244) The GDPR is a policy on which there have been plenty of communications, hence it is safe to conclude that this form of diffusion has also taken place. This has occurred through press statements, briefings, and official policy positions, but the EU has also embraced other means to inform the public of the GDPR, such as an interactive game.4

Thirdly, procedural diffusion ‘involves the institutionalization of a relationship between the EU and a third party, such as an inter-regional cooperation agreement, membership of an international organization or enlargement of the EU itself’ (Manners, 2002: 244). The EU has institutionalized relations and rules regarding data protection and privacy through its adequacy decisions and the EU-US Privacy Shield (and its predecessor, the Safe Harbor agreement). The process of adequacy decisions necessitates intensive dialogue between the EU and third states, facilitating such procedural diffusion.

4 The EU has developed an interactive game in collaboration with JRC: https://ec.europa.eu/jrc/en/news/understanding-gdpr-new-game-jrc.

The fourth form of diffusion is transference, consisting of the exchange of goods or services with third parties. The GDPR explicitly addresses the facilitation of international data transfers, so this factor of diffusion has also played its role in exporting the European norms on data protection and privacy. According to the European Commission, the value of the personal data of European citizens will amount to 1 trillion euro in 2020, a market that is likely to grow even further after 2020 as the digitalization of several industries continues and the development of new techniques and practices, such as the Internet of Things, advances (European Commission, 2018b). The value of the trade in digital services between the US and the EU amounts to $260 billion annually (Eurostat, 2018; Pritzker, 2016). The EU has included data privacy as a talking point in negotiations of new trade deals, for example with Japan, indicating that it actively pursues diffusion through transference (European Commission, 2018a).

Furthermore, overt diffusion occurs when the EU has a physical presence in a third state or in international organizations. This is arguably also relevant to the diffusion of data privacy norms, as the EU (and its Member States) apply these standards in their work across the world, in embassies and in international organizations. However, this factor of diffusion is the least tangible and the hardest to identify, as it is difficult to qualify or quantify. Lastly, Manners argues that cultural filters ‘affect the impact of international norms and political learning in third states and organizations leading to learning, adaptation, or rejection of norms’ (Manners, 2002: 245). In that regard, the influence that the EU exerted over the global formation of privacy policies in earlier stages (prior to the GDPR) makes the adaptation of the GDPR easier, as it is largely congruent with the privacy norms already in use in third states. Third states are therefore already familiar with the European norms on data protection and privacy, which facilitates a learning and adaptation process rather than outright rejection of these norms.

This analysis shows that the diffusion of European privacy norms already occurred before the GDPR, and that this particular legislative framework can be diffused in the same way. Moreover, the inclusion of several instruments that make it easier for private companies to comply with the GDPR, through BCRs, Codes of Conduct, or Standard Contractual Clauses, will likely result in worldwide implementation of the GDPR by companies that do business with European companies or that process personal data of European citizens. The next section analyzes how these instruments can be applied in the context of the Brussels Effect, to explain the externalization of EU policy by private actors.

4.6 The GDPR and the Brussels Effect

The Brussels Effect is premised on the notion that the EU can leverage its economic clout to influence the global regulatory standard on certain issues. Bradford (2012) supported this argument with examples from antitrust cases, privacy regulations, the regulation of chemicals, environmental protection, and food safety. This upward regulatory convergence is the result of five determinants: market size, regulatory capacity, a preference for strict standards, inelastic targets, and non-divisibility of production (Bradford, in European Council on Foreign Relations, 2016: 134). These factors determine whether an EU regulation is capable of gaining global traction, and thus whether it will be externalized as part of upward regulatory convergence. The Brussels Effect can occur either de facto or de jure. The former describes the process in which private actors decide to adhere to one (the highest) regulatory standard in order to achieve benefits of scale, whereas the latter goes a step beyond that, as it holds that these private actors also become active lobbyists promoting these standards to other regulators. An important element to emphasize in that regard is the assumption that this process renders other regulators and their legislation obsolete, as a higher standard is adhered to by the private sector. ‘Without resorting to international institutions or seeking other nations’ cooperation, the EU is able to promulgate regulations that become entrenched in the legal frameworks of developed and developing markets alike, leading to the "Europeanization" of important aspects of global commerce.’ (Bradford, 2012: 64)

In the theoretical framework, it was already mentioned that the EU possesses the qualities and characteristics to achieve that result, but whether the Brussels Effect applies to a certain regulation remains to be assessed on a case-by-case basis. This section argues that the GDPR exhibits the qualities necessary for such externalization and that the GDPR will, in the years to come, drive global convergence to a higher standard of privacy and data protection. The argument is structured along the criteria that Bradford set out.

First, the Brussels Effect holds that the European market is too large to forego, forcing companies to comply with its strict regulations because the opportunity costs are too high. When taking into account the significant revenues generated in the EU by large technology companies, this notion seems well substantiated. To give an indication, Alphabet Group (Google) generated a stunning $10.4 billion in revenue from Europe, the Middle East, and Africa in the first quarter of 2018.5 In 2017, it reported a total revenue from these areas of $36.0 billion, accounting for 33% of the company’s revenue.6 Facebook reported $3.0 billion in revenues in the first quarter of 2018 originating from Europe7, and a total European revenue of $9.7 billion in fiscal year 2017.8 Meanwhile, Apple generated $54.9 billion in revenue in 2017 in Europe.9 These three companies alone would together lose over $100 billion in revenue if they chose to forego the European market, and this is presumably only the tip of the iceberg, as the European Commission has estimated that the personal data of EU citizens could be valued at as much as 1 trillion euro by 2020 (European Commission, 2018b). Foregoing the European market is therefore not a viable option for many data controllers and data processors.

5 See: https://abc.xyz/investor/pdf/20180423_alphabet_10Q.pdf, page 9

6 See: https://abc.xyz/investor/pdf/20171231_alphabet_10K.pdf, pages 32-33

7 See: https://s21.q4cdn.com/399680738/files/doc_financials/2018/Q1/Q1-2018-Earnings-Presentation-(1).pdf, page 6

8 See: https://s21.q4cdn.com/399680738/files/doc_financials/annual_reports/FB_AR_2017_FINAL.pdf, page 37

9 See: http://files.shareholder.com/downloads/AAPL/6291485244x0x962680/D18FAEFF-460A-4168-993D-A60CBA8ED209/_10-K_2017_As-Filed_.pdf, page 23

The second criterion is that of significant regulatory capacity, and the propensity to enforce strict regulations. This is the greatest challenge when it comes to the GDPR, as the enforcement capacity of the national DPAs is presumably not sufficient. Over the last few weeks, news reports have surfaced indicating that the national DPAs are under-resourced financially, legally, and in terms of staff. It has been reported that 8 EU Member States have failed to implement the domestic legal acts necessary to ensure that the DPAs have the resources to impose sanctions (EUObserver, 2018). An inquiry into the readiness of the DPAs by Reuters indicated that 17 of the 24 DPAs that responded felt they did not have the necessary funding to fulfil their GDPR duties (Reuters, 2018). However, the EU has shown in other sectors and industries that it is willing and able to enforce its regulations and issue large fines, most notably regarding its antitrust legislation (CBNC, 2017). What is more, the EU has in the past shown itself willing to take on large technology companies such as Facebook, Google, and Apple. The EU has levied fines, applied antitrust laws to threaten breaking up these companies, and has proposed a new revenue-based tax for technology companies (Blenkinsop, 2018). Hence, the EU has shown the willingness to enforce regulations vis-à-vis large technology companies, but for the GDPR to be effectuated globally, the EU needs to do more than that: it needs to demonstrate that its national DPAs are willing and capable of enforcing compliance. That remains to be seen over the coming years and will provide an interesting research field for scholars of data privacy, regulatory policy, and international relations.

Thirdly, Bradford argues that ‘strict domestic regulations can operate as global standards only if such strict regulations cannot be circumvented by moving the regulatory targets to another jurisdiction’ (Bradford, 2012: 16). The GDPR fulfils this criterion, as it targets any processing of the personal data of EU citizens, or any processing taking place within the EU. One way to circumvent the Regulation is to stop servicing European clients, which, considering the hundreds of billions earned in Europe, is not likely. Another option, reported to have been used by Facebook and LinkedIn for example, is to have separate entities service European clients and clients in the rest of the world, in order to prevent the GDPR from applying to all global customers (Hern, 2018). This could potentially limit the application of the GDPR, but does not render it obsolete. In the same week, Facebook put out a statement that the new privacy controls it implemented to comply with the GDPR would be available to everyone, no matter where they live (Facebook, 2018). This is however controversial, as the statement mentions extending Facebook’s own privacy controls to everyone, not the rights that are laid down in the GDPR.

Lastly, and most controversial, is the criterion of nondivisibility. This is also where the applicability of the Brussels Effect might be challenged and criticized. It is argued that ‘multinational corporations often have an incentive to standardize their production globally and adhere to a single rule’ (Bradford, 2012: 6). This is of course true for industries that produce goods, as the obvious benefits of economies of scale come into play: the more standardized the product, the more standardized the production, and thus the lower the costs of maintaining different production lines, conducting several quality inspections, and so on. The GDPR stimulates instruments that increase the nondivisibility of privacy standards for multinational corporations. The instruments offered to facilitate transnational data transfers, namely BCRs, codes of conduct, SCCs, and the certifications under article 42, all require implementation of a single data privacy policy that stipulates how a company engages with its data subjects, what practices it uses when it comes to their data, and how an adequate level of protection is guaranteed. This leads to the conclusion that these instruments are specifically designed to increase the nondivisibility of data privacy policies.


A second factor that contributes to the increasing nondivisibility of data privacy standards is the emergence of the privacy-by-design and privacy-by-default standards. Both principles are introduced in article 25 GDPR. The GDPR here stipulates that data processors and data controllers should ‘implement appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects,’ and that ‘by default, only personal data which are necessary for each specific purpose of the processing are processed.’ (GDPR: Article 25(1) and 25(2)) Concretely, these articles require data processors and controllers to review their data collection practices, and to (1) implement technical and organizational measures to safeguard the privacy of data subjects, and (2) minimize their collection wherever possible. In the years to come, the implementation of these principles will be included in the certification mechanism, as outlined in article 25(3): ‘An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.’ As Romanou (2018: 100) argues, it entails ‘the implementation of several privacy principles directly into the design specifications of the technological systems, in a way that privacy rules will be embedded in the operation and management of the processing of the data.’ This illustrates that the intent of these articles is to bring about a substantive change in data collection practices, which will be included in the certification and enforcement process of the GDPR.
Integrating such technological standards, embedded in the operation of data processing, increases the likelihood that organizations will adhere to the GDPR, as it addresses the fundamental core of many data controllers and data processors: it questions their fundamental data processing infrastructure. Transforming that infrastructure is costly and requires meticulous attention, a task that is almost impossible to undertake and implement for only parts of their operations. This is also reflected in the advice of the European Commission when it comes to privacy-by-design and privacy-by-default: ‘Companies/organisations are encouraged to implement technical and organisational measures, at the earliest stages of the design of the processing operations, in such a way that safeguards privacy and data protection principles right from the start (‘data protection by design’). By default, companies/organisations should ensure that personal data is processed with the highest privacy protection (for example only the data necessary should be processed, short storage period, limited accessibility) so that by default personal data isn’t made accessible to an indefinite number of persons (‘data protection by default’).’ (European Commission, 2018d) Hence, such principles should be embedded from the earliest moment possible, essentially requiring a comprehensive review of data collection and data processing practices.
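As an added illustration (not part of the thesis, and not code from any organisation it discusses) of how the two article 25 measures named above, pseudonymisation and data minimisation by default, become mechanical controls in a collection pipeline: each processing purpose is registered with the fields it needs, anything not registered is dropped before the data leaves the collection layer, and the identifier is replaced by a keyed pseudonym. The purposes, field names, key and sample record are all constructed for the example.

```python
"""Article 25 'by design and by default' as two enforceable controls.

Constructed example: the purposes, field sets, key and record below are
invented for illustration and are not taken from any real system.
"""
import hashlib
import hmac
from typing import Any, Dict, Set

# Purpose-bound allowlists. A field that is not listed for a purpose is
# never handed on for that purpose, so 'only personal data which are
# necessary for each specific purpose' is the default, not an opt-in.
PURPOSE_FIELDS: Dict[str, Set[str]] = {
    "order_fulfilment": {"user_id", "shipping_address", "items"},
    "usage_analytics": {"user_id", "items"},
}

# Constructed key. The key lives apart from the pseudonymised data set;
# a party holding only the data set cannot map pseudonyms back to users.
PSEUDONYM_KEY = b"constructed-example-key-not-for-production"


class PurposeNotRegistered(ValueError):
    """A processing purpose with no registered field set is refused."""


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256): stable per identifier so records can still
    be linked for the purpose, but not reversible without the key. A plain
    unkeyed hash of a low-entropy id (e-mail, customer number) would not
    meet this bar, since it can be brute-forced from a dictionary."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: Dict[str, Any], purpose: str) -> Dict[str, Any]:
    """Return only the fields registered for `purpose`, with user_id
    pseudonymised. Unknown purposes raise instead of falling back to
    'pass everything through'."""
    if purpose not in PURPOSE_FIELDS:
        raise PurposeNotRegistered(purpose)
    allowed = PURPOSE_FIELDS[purpose]
    out = {k: v for k, v in record.items() if k in allowed}
    if "user_id" in out:
        out["user_id"] = pseudonymise(str(out["user_id"]))
    return out


def dropped_fields(record: Dict[str, Any], purpose: str) -> Set[str]:
    """Fields of the record that `purpose` never receives."""
    return set(record) - PURPOSE_FIELDS[purpose]


def fields_without_purpose(record: Dict[str, Any]) -> Set[str]:
    """Fields collected but needed by no registered purpose: the candidates
    the article 25(2) review should stop collecting altogether."""
    needed: Set[str] = set().union(*PURPOSE_FIELDS.values())
    return set(record) - needed


# Constructed sample record as it might arrive at the collection layer.
SAMPLE_RECORD: Dict[str, Any] = {
    "user_id": "u-1001",
    "email": "alice@example.invalid",
    "date_of_birth": "1990-01-01",
    "shipping_address": "1 Example Street, Leiden",
    "items": ["book-42"],
}

if __name__ == "__main__":
    for purpose in PURPOSE_FIELDS:
        print(purpose, "->", minimise(SAMPLE_RECORD, purpose))
        print("  dropped for this purpose:", sorted(dropped_fields(SAMPLE_RECORD, purpose)))
    print("collected but needed by no purpose:", sorted(fields_without_purpose(SAMPLE_RECORD)))
```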

4.6.1 De Facto or De Jure?

As mentioned earlier, the Brussels Effect can occur either de facto or de jure. The former indicates a convergence towards a unitary standard, or global regulatory convergence. The latter holds that export-oriented companies, which have to produce according to the highest standard, will lobby their domestic regulators and legislators to adopt similar standards. While there are overwhelming arguments to be made that the de facto Brussels Effect is occurring due to the GDPR, this is harder to prove for the de jure Brussels Effect. First, because these lobbying efforts are not made public, nor is there empirical data available on such matters. Secondly, the fact that the GDPR has only been in force for a short time renders this an impossible exercise. Most organizations first aim to comply with the GDPR by implementing technical measures in their organizational structures, and will afterwards assess the efficacy of these measures before they lobby their domestic legislators. Hence, it is too early to assess whether the de jure Brussels Effect has occurred or will occur.


4.7 GDPR as an attempt to externalize EU policies on a global scale

The previous sections first outlined the substantive changes that the GDPR brings to privacy and data protection in Europe, and beyond. The Regulation is based on six core principles which reflect the narrative that the EU has long propagated in its relations with third countries. Mechanisms such as the adequacy decisions, the binding corporate rules, or the standard contractual clauses existed before the GDPR and served to rein other countries, and companies outside the jurisdiction of the EU, into the EU legislative framework. In that sense, the EU – as Greenleaf (2012) supported with empirical evidence – has been at the forefront of shaping the global privacy culture. After this, an explanation was offered of why the EU has elevated this issue to its current stature. Varying accounts were offered, ranging from the history of dueling and chivalry in the 17th and 18th centuries to the atrocities committed during World War II. The analysis of the GDPR itself put forward six mechanisms in the GDPR that trigger extraterritorial effects, ranging from bilateral instruments such as adequacy decisions to the rise of self-regulating measures such as BCRs and SCCs. This was supplemented with an account of how these norms are diffused, using the normative power approach, which displayed the cunning ways in which the EU, through extensive contacts, manages to compel other states to adopt similar data protection regimes. Finally, the Brussels Effect demonstrated that these pressures not only come from the EU as a legislative body, but also emanate from the market itself, as multinational corporations prefer to deal with only one legislative framework. Moreover, by complying with the GDPR, organizations push the global regulatory standard, rendering other regulators obsolete in the process.
The EU effectively managed to promote EU regulatory standards in a global context, but whether this will result in upward regulatory convergence has yet to be seen, as the effects of such legislation can only be observed in the medium and long term. Hence, a longitudinal study including empirical data can reveal whether the EU also accomplished this aim. This can be done by focusing on one instrument, for example the adoption of BCRs, or how the certification mechanism will work out in the future, but also by combining the sum of these triggers and reevaluating their effectiveness over a longer period of time.

4.8 The GDPR: pushing EU norms

The fourth sub-research question addressed how and why the externalization of the GDPR is an expression of Normative Power Europe. First and foremost, the GDPR might have given the EU a new source of legitimacy with its constituents, as it demonstrated that the EU is able to effectively protect consumer rights in a globalized context. This domestic political objective adds to the legitimacy of the Union, and demonstrates the value of having a shared, common market, and common values that are to be protected. Moreover, it has done so while staying true to its history, and while facing formidable rivals who prefer other sets of standards due to different interpretations, most notably the US, but also China, for example.

The GDPR can be seen as a materialization of some of the core norms that Manners distinguished: (1) the centrality of peace; (2) the idea of liberty; (3) democracy; (4) the rule of law; and (5) respect for human rights and fundamental freedoms (Manners, 2002: 242). In the context of the GDPR, the idea of liberty can be related to the right to privacy, for liberty cannot be achieved in a panopticon or in a surveillance state, whether this is run by the government or by private organizations. Secondly, the GDPR is a reflection of the rule of law, for it requires a lawful basis for the collection and processing of personal data and takes a stance against unlimited and unrestricted data collection practices without a clear legal justification. Thirdly, the GDPR translates abstract fundamental rights and freedoms into tangible rights, thereby safeguarding the objective of increasing respect for human rights and fundamental freedoms.

Manners holds that the notion of normative power Europe ‘is an attempt to suggest that not only is the EU constructed on a normative basis, but importantly that this predisposes it to act in a normative way in world politics. It is built on the crucial, and casually overlooked observation that the most important factor shaping the international role of the EU is not what it does or says, but what it is. […] The EU can be conceptualized as a changer of norms in the international system’ and ‘the EU acts to change norms in the international system’, and ‘the EU should act to extend its norms in the international system.’ (Manners, 2002: 252) This clearly reveals a normative bias on the part of Manners, as he supports the notion of the EU reshaping international norms in its own image. It also reveals the value of using the normative power approach in analyzing European policy, not only for the direct effects it has on certain issues, but also for analyzing the underlying reasons for that policy and how this relates to the core principles on which the Union was founded. The GDPR is clearly founded on these principles and utilizes the mechanisms of diffusion as Manners set them out. Therefore this theory can be used as a basis for explaining the underlying rationale of several mechanisms that drive the externalization of the GDPR.


5 Conclusion: Externalization of the GDPR: an exercise in soft and normative power?

This thesis applied a theoretical framework to a particular policy of the EU, asking whether soft power, and by extension the normative power approach, can be used to explain the GDPR, and whether this can be made more concrete by offering a contemporary perspective. This contemporary perspective is offered by the Brussels Effect, a theory which is very relevant when it comes to the GDPR, data protection and privacy, and technology in general. The Brussels Effect is a politico-economic theory that ultimately seeks to explain the trend towards a more globalized regulatory framework.

The EU has been working tirelessly to devise a global system of rules to benefit what it needs most: an integrated, globalized system of trade that creates interdependencies which mitigate the threat of war. Europe, deeply scarred by its violent past, has embarked on a course geared towards avoiding war and maintaining its mercantile position in the international system. It has done so through its trade policies, which leverage the fundamental reason for the EU to exist, namely bundling economic resources to create economies of scale. The backbone of the EU is its harmonized market and the ability to sign larger trade deals to the benefit of its members.

The GDPR regulates the largest market of the future: personal data, the new gold. Personal data is the lifeblood of at least half of the ten biggest companies in the world. The ability to create the world’s regulation on how companies should handle that data is a powerful tool and an opportunity to obtain a better bargaining position internationally. Hence, from a realpolitiker’s view, this would be a cynical explanation of the motivation to draft such far-reaching and burdensome legislation. A more optimistic view is offered by a more liberal or constructivist approach. Instead of seeing international politics as merely self-interested and occupied with survival, it offers the view that with cooperation more can be achieved at a lesser cost, and that it is possible to maintain a certain standard of norms or values to regulate interaction. Nye introduced the concept of soft power in an era when realism and neo-realism were at the center of international relations theory. The incorporation of other sources of power, beyond merely military force, began to gain traction among scholars, although politicians and figures in leadership positions had long been aware of this.

The concept of soft power is based on the idea that states, like people, have a certain power to influence others to like them. A ‘likability’ factor, one might say. Through instruments such as culture, values and ideas, other states may become more receptive to the needs and urges of a state. This cultural diffusion can be stimulated by more international trade: as cultures become more familiar with and interdependent on each other, and the mutual investment grows, the chance that conflicts disturb the peace diminishes. The EU embraced this idea shortly after World War II and has, alongside the leadership of the US, devised an impressive system of international institutions and mechanisms that stabilize the system. The GDPR is another such system, by means of a regulation.

Technology is the future, and data plays a large part in it. The GDPR is designed with a number of core principles of the European ideology in mind. This begins with the acknowledgement of the status of data protection and privacy as rights, as inscribed in its legal treaties. Moreover, it grants tangible rights to people, such as the right to be forgotten, or the right to access the data that is held by an organization. These rights can be bestowed upon European citizens, but not upon the citizens of other states unless such concrete rights are agreed upon by a United Nations resolution or another international governing body. However, universal rights or principles are not only granted by formal decree, but also by diffusion. By setting industry standards, for example, one can influence the direction of the infrastructure of cyberspace. The infrastructure of the internet is largely based on American principles, as it was founded there. But now, with the increasing importance of personal data, the rules can be made anew, and the direction of the infrastructure can be determined.

The EU clearly attempts to regulate the future of data protection and privacy policy globally according to its own preferences. By setting the agenda, and by dictating the pace and direction, the EU tries to gain a strategic global position while simultaneously defending its own principles. Privacy has deep roots in the EU, and by setting the rules for data privacy it can be safeguarded. The potential for mass surveillance has been illustrated by the scandals involving the NSA, and numerous data breaches have shown that unlimited collection of personal data by a plethora of organizations leads to great risks.

Hence, regulating the collection, processing, and use of personal data is another opportunity to obtain an agenda-setting position, and to shape the international rules according to the preferences of the EU. The GDPR clearly is legislation aimed at translating abstract fundamental rights into tangible rights in the digital space, while at the same time obtaining a better bargaining position internationally. The GDPR contains a number of ‘triggers’ that facilitate its externalization: the territorial scope as defined in article 3, the adequacy decisions, and the instruments for private organizations such as the binding corporate rules, codes of conduct, and the standard contractual clauses. Moreover, the EU has initiated the first certification mechanism that allows organizations globally to demonstrate compliance with EU regulation.

Although there was resistance against the GDPR, especially among small and medium enterprises, it also provides clarity and brings a degree of transparency that will ultimately benefit organizations that legitimately collect personal data from EU citizens. The basic principle of the GDPR centers on the notion that for the collection of such personal data, consent needs to be given by the data subject along with a legal basis for the collection. This might restore some degree of trust in technology companies collecting such personal data, especially as the European consumer has more means to control which organizations may store and use their data.

The externalization of the GDPR through the aforementioned mechanisms also bestows that right onto non-EU citizens. Organizations that voluntarily comply with the GDPR in all their global operations signal that they are willing to follow a certain set of rules, which can only be applauded. Regulating cyberspace has always been a complex issue, but the GDPR might be a way to devise a more global framework of rules and principles that balances the need of organizations to collect personal data with the need of data subjects to control what is collected about them.

The main research question that guided this research was ‘To what extent does the EU exercise normative power through externalization of its privacy and data protection regulation?’ The phrasing of the question already reveals that this is a matter of degree, and not a binary question that can be answered with a simple ‘yes’ or ‘no’. As set out before, the GDPR is inherently legislation based on a normative framework that is the result of the European experience. This context should not be overlooked, which is why it was prominently featured in the theoretical framework, and why the theories of soft power and the normative power approach were used to analyze this legislation.

5.1 Analytical Results

In the methodology, a number of factors were outlined for each theory that explain the occurrence of externalization of European policy. It was argued that soft power is valuable in international politics, for it gives the possibility of setting the agenda, and subsequently setting the rules or norms on a certain topic. Consequently, the diffusion of such norms takes place through several processes: contagion, informational diffusion, procedural diffusion, transference, and overt diffusion, all of which are affected by the cultural filter of a third state, which determines the efficacy of these processes of diffusion. With regard to the GDPR, all these elements of diffusion are relevant, as shown in the chapter on the GDPR as an exercise of the normative power approach. Most notably, transference is the driving factor behind the externalization of the GDPR, as it describes the diffusion of norms through the exchange of goods, services, or other forms of trade. The GDPR achieves this by regulating international data transfers and allowing them to occur only when premised on the norms of the EU. Moreover, the argument was made that considering the diffusion of EU norms from a normative power approach alone was not enough; it was therefore supplemented with the Brussels Effect, which added the rationale for internationally operating organizations to adhere to one standard. This drives externalization of the GDPR by private actors, as they have an incentive to adhere to only one data privacy standard, both technically and procedurally.

The externalization of the GDPR is thus a phenomenon that is facilitated by the instruments and mechanisms included in the legislation, alongside a broad jurisdictional scope that triggers the application of the GDPR whenever the data concerned is either processed in Europe or sourced from Europe. While the implementation of compliance measures is an ongoing process for many organizations, which requires diligence and effort, many companies have opted to draft either Binding Corporate Rules, anchoring them in the EU’s legal framework, or Codes of Conduct, a less binding but nonetheless meaningful way to signal that the leading global regulatory framework for data privacy they adhere to comes from Europe. Hence, it can be said that the GDPR is a continuation of a long tradition of European leadership in safeguarding data protection and privacy in the digital sphere. Through its instruments and mechanisms, the GDPR effectively manages to set a new standard, even beyond the territorial or jurisdictional boundaries of the EU.

The limitation for the EU lies in whether it will be able, and willing, to enforce the regulation in order to stimulate compliance and adherence to the GDPR. The concerns of national DPAs that they are understaffed and underfunded pose serious challenges to the efficacy of the regulation, as they undermine the signal that the EU intends to send. If the EU fails to devise an effective regulatory enforcement procedure, the GDPR could become legislation that offers a lot in theory, but less so in practice.

5.2 Limitations of the research

Any analysis of the GDPR is subject to the researcher’s biases and presumptions, which is evidently also the case here. While the chosen theoretical lens explains the GDPR from a rather optimistic perspective, one could also use other theories such as realism, neoliberalism, or even colonialism to explain the legislation. Critics of the approach taken in this thesis might argue that it paints a one-sided, rather positive picture of the GDPR. Scholars in other parts of the world might see the GDPR as a neo-imperialistic attempt by Europe to maintain global control over data flows and conduct in cyberspace. This limitation is, however, inherent in any academic work and results from the chosen theoretical framework and methodology.

A second limitation is that this is a theoretical approach, which leaves the practical implications of the GDPR unexplored. Further research could benefit from incorporating more diverse research techniques and methods, such as surveys and interviews, to discover how the externalization of the GDPR is handled in practice. This could reveal how organizations have adapted their business practices. This, however, can only be done after the GDPR has been in force for some time.

A third limitation is that this thesis offers an exploratory, theoretical account of how the GDPR could be externalized, without testing that premise. It is clearly argued that the structure of the GDPR provides triggers for externalization, which is presumably only reinforced by the difficulty of separating the personal data of EU citizens from that of non-EU citizens. Such an argument can only be empirically verified over a longer period of time, as the full effects of the GDPR become more visible. This thesis was written in the run-up to the actual date of enforcement and could in the future be used as a theoretical basis to formulate a set of hypotheses to be tested once the GDPR has been in effect for a considerable time. Future research on the GDPR with similar objectives – exploring the extra-territorial effects of this legislation – could benefit from incorporating a quantitative methodology to analyze how many organizations have opted to implement GDPR compliance measures in their global operations. A challenge in that regard is obtaining such data and verifying it in reality: the information is largely confidential, unlikely to be released by large corporations, and verifying it requires advanced IT auditing skills. This was also a limitation faced when conducting this research: although some data was available in relation to clients of EY, that data had to be treated as confidential, as the implementation of compliance measures was still ongoing, and non-compliance in some areas might draw unwanted attention from the data protection authorities, or even expose these companies to blackmail.
