Competitive Deregulation vs. Uploading of High Standards: The Europeanisation of Data Protection Regulation and the Role of the European Parliament

Traditionally, Europe stands out as the region where privacy and data protection regulation is strongest throughout the world. With its general data protection regulation, the European Union in 2016 updated its claim for leadership in this policy realm by adopting measures which much better meet the challenges digitization brings than regulatory forerunners. Moreover, as in earlier examples of measures in the regulation of internet and/or telecommunication (ACTA, roaming), regulatory efforts have been predominantly driven by European Parliament – apparently acting on behalf of large parts of the European population(s) who wish for better data protection on both a national and European scale. Yet, European data protection regulation is far from harmonised today with remarkable differences prevailing among member states: While in some countries, data protection enjoys high salience and is thus strongly regulated, others have only minor regulations in place. With an ever increasing data economy, low data protection standards even serve some countries as a comparative advantage in attracting foreign direct investments, e.g. through mostly US-based internet firms seeking a foothold in the European market. This paper reconstructs and analyses the preparation of the European General Data Protection Regulation as well as first reactions to the regulatory package in an international comparison. Our argument is based on a Europeanization perspective, including processes of both download and upload. How did countries with different data protections standards influence the decision-making process on the EU level? Which role did public opinion within member states play? How do the member states react to the agreed rules? Which extent of change in national policies is to be expected in countries with either a rather low or a high level of misfit with the new regulation? We choose a most different systems design by comparing data-protection-sensitive Germany with Ireland, which has markedly low standards in data protection regulation and is one of the core hubs for the European activities of US-based internet firms. For our empirical research, we analyse documents from the European Parliament (the respective committee sessions) and the Council as well as debates in the national parliaments. Our central argument is that the uploading of high standards was favoured by the EP’s ambition to strengthen its position and visibility by addressing popular concerns in the field of data protection.