What drives the EU ‘judge-made’ data protection regime, and why it matters?

The Court of Justice of the European Union (CJEU) has often been accused of not taking human rights seriously, upholding them when it serves further integration purposes but more reluctant to offer them strong protection when doing so would undermine or interfere with those ultimate aims. When it comes to data protection though, the Court has proved unusually willing to protect citizens’ privacy as an autonomous right, irrespective of any integration side-effects, going as far as invalidating EU legislation, challenging national security policies or taking on global corporate actors. Many factors may explain why the Court seems to have heralded the right to personal data protection as the ‘poster child’ of European citizenship (Granger and Irion, 2018). Certainly, the Court’s case law speaks to issues such as corporate surveillance capitalism, captured regulators and failing enforcement in the face of the ubiquity and scale of online personal data transactions, which all could justify the Court’s ‘special regard’ (Irion 2016). In this paper, however, we want to investigate the extent to which the Court’s sympathetic and supportive stance towards data privacy is, at least in part, the result of active legal mobilization by civil society organizations. Whilst the CJEU case law is having a determinant influence on the evolution and enforcement of EU data protection law and related policies, we know relatively little about the interests, motivations and strategies of those who, by mobilizing courts, including the CJEU, contribute to shape the EU regime, and how it matters for policy developments. This is all the more surprising as the field is quite heavily litigated, with digital rights’ organisations and activists actively turning to courts to enforce a stricter regulatory regime (eg Austrian legal entrepreneur Max Schrems challenging Facebook and the Irish data protection authority up to the CJEU). Legal mobilization scholarship has identified a range of micro-, meso- and macro-level factors that influence who litigates what in the European Union (Conant et al. 2018). In this paper, we build on and contribute to these works, by investigating why and how legal entrepreneurs and CSOs invoke EU data protection law before courts, and thereby contribute to shaping the EU data protection regime, based on an analysis of relevant cases brought before the CJEU and interviews with NGOs and activists. We then reflect on the dynamics of legal mobilization in this particular field, and its consequences for policy-making and democratic politics in the EU.