Guard of the Guardians or Paradoxical Facilitator? Assessing the EU’s Role in Regulating Online Surveillance and Data Sharing

The Snowden revelations exposed practices of massive online surveillance conducted by American and British intelligence agencies (and of the equivalent services in European partner countries, even though to a lesser extent). The Snowden files also revealed, how leading internet companies and platforms were involved in the endeavour to collect as much data as possible since they cooperated with state agencies. The so called Prism program has probably become the most prominent example for this kind of data sharing arrangements (downstream intelligence). Soon after the revelations broke, the EU, in particular through its supranational institutions voiced criticism and condemned sweeping internet surveillance. Reactions included resolutions issued by the European Parliament invoking fundamental rights in the digital age and calling for appropriate democratic control of intrusive measures. Furthermore, they resulted in a landmark decision by the European Court of Justice against the so-called safe harbour agreement which eventually was replaced by the EU-US privacy shield. Snowden revelations also clearly facilitated the passing of the General Data Protection Regulation. This was combined with new rules to regulate practices of data sharing between companies / platforms and law enforcement agencies of member states (Data Protection Law Enforcement Directive). Already in 2006 the EU also created a legal framework that obliged platforms to store and share data (Data Retention Directive) and that was ruled unlawful by the European Court of Justice in 2014. All in all, in its regulatory practice towards surveillance and data sharing, the EU has shown a mixed picture by enacting a number of regulations that on the one hand bind platforms to uphold data protection in online communication with an explicit extraterritorial scope and on the other hand enable intrusive measures in intelligence and criminal investigation. The paper develops a framework for comparatively assessing the role the EU played in different areas of regulation, ranging from the norm entrepreneur with a fundamental rights orientation and a facilitator of international cooperation including online platforms in intelligence and criminal investigation. It will address the overarching question whether the double-sided regulatory approach is suited to paradoxically promote intrusive surveillance. For empirical research, it will focus on the regulatory activities of GDPR and Police Directive as well as the Data Retention Directive. The research design combines process-tracing with discourse network analysis.