WestminsterResearch http://www.westminster.ac.uk/westminsterresearch EU politics and the making of the General Data Protection Regulation: Consociationalism, policy networks and institutionalism in the process of balancing actor interests Jančiūtė, L. This is an electronic version of a PhD thesis awarded by the University of Westminster. © Ms Laima Jančiūtė, 2018. The WestminsterResearch online digital archive at the University of Westminster aims to make the research output of the University available to a wider audience. Copyright and Moral Rights remain with the authors and/or copyright owners. Whilst further distribution of specific materials from within this archive is forbidden, you may freely distribute the URL of WestminsterResearch: ((http://westminsterresearch.wmin.ac.uk/). In case of abuse or copyright appearing without permission e-mail [email protected] EU POLITICS AND THE MAKING OF THE GENERAL DATA PROTECTION REGULATION: CONSOCIATIONALISM, POLICY NETWORKS AND INSTITUTIONALISM IN THE PROCESS OF BALANCING ACTOR INTERESTS LAIMA JANČIŪTĖ A thesis submitted in partial fulfilment of the requirements of the University of Westminster for the degree of Doctor of Philosophy February 2018 © Laima Jančiūtė, 2018 ABSTRACT This thesis analyses the policy process of adoption of the General Data Protection Regulation (GDPR), replacing the EU Directive 95/46/EC, the global “golden standard” setter in the field of privacy and data protection. The GDPR was proposed in January 2012 and was adopted in April 2016 following a highly politically charged process lobbied against to an unprecedented extent by certain commercial and political interests. The policy process is looked at through the lens of consociationalism, which draws attention to the importance of national governments, policy networks, which stress non-linear policy- making dynamics, and institutionalism, which highlights the significance of institutions. On the whole, the GDPR as approved strengthened the ICT users’ rights, although not to the degree originally envisaged. The study proposes that institutional factors were decisive in determining policy outcomes, either acting in coalition with different policy networks or reacting to external developments, notably the Snowden revelations in 2013. The institutional factors, amongst others, included strategic actor self-interest of preserving or even expanding their spheres of influence, sociological dimensions such as ideological adherence and diverse national and institutional cultures, and important earlier institutional and policy developments. As the thesis shows, the impact of institutional factors on the policy outcomes was particularly evident in the European Parliament’s position during the process. The EP’s influence demonstrates the strong political will of this institution and its overall defence of citizens’ rights against lobbying by the industry. At the same time, the reform process brought around many gains to the national Data Protection Authorities at the cost of the initially foreseen Commission’s remit. This thesis argues that the powers retained by these national supervisory authorities, alongside the numerous derogations following difficulties to reconcile diverse national positions, make the GDPR a tangible case of state-centrism. The Member States’ sovereign decision-making concerns posed breaks to the level of Europeanisation that the GDPR could potentially bring about in this issue-area. This work makes a significant contribution to knowledge by, amongst others, offering a political science perspective in on-line privacy and data protection research dominated by other disciplines, by applying the consociationalism theory – a less explored paradigm in the EU studies as compared to other approaches – and by providing a policy process analysis of the newly adopted data protection instrument with global rules-shaping significance. 1 LIST OF CONTENTS Abstract …………………………………………………………………………………....1 List of contents……………………………………………………………………………..2 List of boxes, tables and figures…………………………………………………………..5 Acknowledgements………………………………………………………………………...8 Author’s declaration……………………………………………………………………....9 List of abbreviations……………………………………………………………………...10 Chapter I – Introduction 1.1 Introduction……………………………………………………………………............12 1.2 Aims and contribution to knowledge………………………………………………….17 1.3 Analytical framework and research methods………………………………………….20 1.4 The structure of this thesis. …………………………………………………………...29 Chapter II – The state of privacy in the data-driven environment 2.1 Introduction……………………………………………………………………............31 2.2 The concept of privacy versus the political economy of the Internet………................32 2.3 What endangers privacy on-line……….........................................................................39 2.3.1 The main changes in the technology and privacy landscape since mid- 1990s………………………………………………………………………………39 2.3.2 Commercial surveillance and how it is aided by technology………………..42 2.3.3 How commercial surveillance affects the Internet users…………………….47 2.4 How privacy and data protection on-line is affected by Internet governance issues….49 2.4.1 Internet governance and the implications for the data protection on-line…...49 2.4.2 How privacy protection on-line can be enacted……………………………..54 2.5 The EU and the US privacy protection regimes: the origin of Silicon Valley lobbying against the GDPR………………………………………………………………………….57 2.6 State surveillance, the Snowden revelations and the EU responses…………………..65 2.6.1 Security, surveillance and fundamental rights……………………………....65 2.6.2 The EU response to the spying scandal……………………………………..74 2.7 Conclusions…………………………………………………………………………....78 Chapter III – The EU policy-making process through the lens of consociationalism, policy networks and new institutionalism approaches 3.1 Introduction…………………………………………………………………………....80 3.2 A brief introduction into the EU politics……………………………………................80 3.3 Consociationalism – the EU as a state-centric polity………………………………….89 3.4 Policy networks: non-linear power dynamics and lobbying and reverse lobbying…....97 2 3.5 New institutionalism: formal and informal factors in the policy-making process….105 3.6 What is the balance of interests likely to be in the EU decision-making? The rationale for the empirical analysis……………………………………………………………….114 3.7 Conclusions…………………………………………………………………………121 Chapter IV – The GDPR policy process: infusing a more risk-based approach and decentralising the proposed governance model 4.1 Introduction…………………………………………………………………………123 4.2 The GDPR draft proposal and the features of the reform…………………………..124 4.3 The process of the co-legislators deliberations……………………………………..128 4.4 The process of balancing user and business interests………………………………133 4.5 The process of balancing national, supranational and institutional interests……….139 4.5.1 Directive or Regulation? …………………………………………………139 4.5.2 Delegated and implementing acts………………………………………...140 4.5.3 Public sector controversy…………………………………………………142 4.5.4 One-stop-shop: sovereign decision-making concerns trump governance innovation and Europeanisation………………………………………………...145 4.6 Conclusions ………………………………………………………………………...150 Chapter V – Explaining the contexts, motivations and policy networking of the GDPR stakeholder constellation 5.1 Introduction………………………………………………………………………….152 5.2 The Commission: an attempt to extend powers and the strategies in overcoming formal constraints……………………………………………………………………………….153 5.3 The EP as a countervailing institutional power with a long history in privacy affairs……………………………………………………………………………………159 5.4 Negotiating country positions: the impact of formal arrangements and informal factors in the Council GDPR talks……………………………………………………………...165 5.5 DPAs – between the collective power and the preservation of domestic reign…….172 5.6 The EDPS: more supranational-level policy dynamism in advocating privacy protection………………………………………………………………………………..178 5.7 FRA – competing rights and competing realities: between supranational policy ideas and national practice on the ground. The collective redress issue……………………...182 5.8 Privacy advocacy by civil society – a fragmented but consolidating force………...184 5.9 Business actors – resourced influencers, but not quite the winners in the struggle over the GDPR……………………………………………………………………………….187 5.10 Foreign governments in the EU policy networks – the USA input into the GDPR policy process…………………………………………………………………………..191 5.11 Conclusions……………………………………………………………………….193 Chapter VI – The factors that have shaped the adoption of the GDPR: more insights into the context of the policy process 6.1 Introduction……………………………………………………………………….196 6.2 The GDPR in the context of broader EU politics: the choice of the instrument and putting breaks to the integration………………………………………………………197 6.3 Snowden revelations: the patterns of international politics feeding into the GDPR deliberations and its limits………………………………………………………….....201 3 6.4 CJEU – politics never goes away. Tracing strategic interests of the constitutional court………………………………………………………………………………….......206 6.5 Lobbying the GDPR: different venue receptiveness to competing policy advocacy..210 6.6 Domestic politics as the source of difficulties in the GDPR talks…………………...219 6.6.1 UK: negotiating the GDPR in the context of “referendum games”………..219 6.6.2 Germany – preference formation is much more than the country’s data protection and federalist profile………………………………………………….223 6.7 Time,