The Brussels Effect and the GDPR: EU Institutions as Catalysts for Global Data Protection Norms

Abstract

This article explores the pivotal role of European Union institutions in the global projection of EU regulatory power, focusing on the General Data Protection Regulation (GDPR) as a case study within the framework of the Brussels effect. The Brussels effect describes the process by which EU regulations become de facto global standards, driven by two key conditions: regulatory capacity and a preference for stringent rules. The article argues that EU institutions are essential in fulfilling these conditions. The theoretical discussion introduces the Brussels effect and highlights how EU institutions contribute to regulatory capacity and the formation of stringent regulations. By examining the GDPR, the article illustrates that EU institutions, such as the European Commission and European Parliament, have both the regulatory expertise and the enforcement power necessary to create and uphold comprehensive data protection standards. Additionally, the article presents an original argument that the stringent nature of EU regulations, necessary for the Brussels effect to unravel, can be attributed to the neofunctionalism theory's cultivated spillover effect, where supranational institutions push for stricter regulations to foster further integration. The case of the GDPR demonstrates how EU institutions not only establish and enforce these regulations within the EU but also drive their adoption internationally through both de facto and de jure mechanisms. The findings underscore that without the active involvement of EU institutions, the Brussels effect would not materialise, and EU standards, such as those embodied in the GDPR, would not achieve global influence.

Introduction

In this article, I will argue that EU institutions matter for how the EU projects power beyond its borders. They are necessary to fulfil two key conditions of the Brussels effect, a concept which explains how EU rules are exported internationally. These conditions are: “regulatory capacity”, and “preference for strict rules”. To privilege depth of analysis over breadth, I have decided to focus on the Brussels effect and the GDPR case. I will discuss the role of EU institutions in theory and will support my arguments by using the GDPR as a case study. My article will bring an additional layer of originality to the study of the Brussels effect in academia by arguing that the impetus of supranational EU institutions to form and adopt the Brussels effect’s “strict rules” condition can be found in neofunctionalism’s cultivated spillover effect. To gain a structured understanding of where EU institutions would fit in theory, the first part of the article will outline how the Brussels effect functions in theory. The second part will look at the GDPR to understand the Brussels effect in practice and will explain why the regulation could not have been exported without EU institutions, arguing that they play a necessary role in the unfolding of the Brussels effect.

Theory

Sources of EU Power

In this theory chapter, I will outline the concepts that help us understand how the EU projects power beyond its borders. I will briefly mention the main concepts and give a much more detailed account of the specific concepts relevant to this article. I will also explain why I have chosen a specific theory and how it will help us understand the ways EU institutions matter in this context.

There are broadly four concepts that help us understand the different ways the EU projects power beyond its borders. François Duchêne outlined a type of power through civilian means and ends (Civilian Power Europe) (Duchêne, 1972). Ian Manners introduced the concept of normative power Europe where opinions and norms take centre stage, and where norms are diffused through contagion and transference (Manners, 2002). Andrew Moravcsik highlights that Europe remains a strong player and superpower in the international system in numerous areas (militarily, economically, soft power…) which generally acts as a single force (Moravcsik, 2009) (Moravcsik, 2010).

Market Power Europe

There is some overlap between the concepts of Regulatory Power Europe, Market Power Europe, and Normative Power Europe. I will not give a detailed account of the distinctions as I will mainly make use of the Brussels effect concept which will provide better structure and clarity to the article. Chad Damro’s Market Power Europe (MPE) highlights the EU’s large single market. In MPE, the EU’s source of power comes from its ability to externalise its market-related regulations and policies. This can be done by EU institutions and other actors intentionally or unintentionally. This perspective of EU power exertion, Damro suggests, implies that the EU is successfully able to use coercion and persuasion to impact external actors in the international system (Damro, 2012). In this article, I will demonstrate the role of EU institutions and how they intentionally and unintentionally, through coercion and persuasion, export regulations beyond the EU’s borders. This definition of MPE is sufficient as I will outline the Brussels effect in the next section, a concept which partly builds upon MPE. Some of the broader elements of MPE will be used in this article, but I will directly use the conceptual basis of the Brussels effect.

The Brussels Effect

The concept of the Brussels effect was coined and developed by Anu Bradford in 2012. It theorises how and why external actors like foreign governments and firms adhere to regulations within and outside the EU’s jurisdiction. “It identifies the conditions for and the mechanism through which the externalization of one state’s standards unfolds.” (Bradford, 2012, p. 10). It was partly inspired by and builds on the concept of the California effect which describes a regulatory race to the top where actors adopt the rules of the highest common denominator in a federal system like the US. If certain conditions are met, the state which implements the strictest regulatory policies becomes the norm across the US, making it the standard in other states (Vogel, 1997). The Brussels effect as a concept transposes the California effect to the international system. I will outline what the necessary conditions are for the Brussels effect to unfold and explain where EU institutions may fit, arguing that they are vital actors in the process without whom regulations could not be externalised at such a large scale.

Brussels Effect Condition: Market Power
EU Institutions Create and Maintain a Strong, Large, and Attractive Single Market

For the Brussels effect to unfold, certain conditions must be met. First, there must be a large and strong market. This directly touches on Market Power Europe where there is an assumption that the size of the internal market is correlated to its ability to exert power globally. What matters most here is the attractiveness of the market which is not only dependent on market size but also on its GDP per capita, preferably higher with affluent consumers (Bradford, 2019, p. 26 - 30). Although I have chosen not to focus on and analyse this condition (market attractiveness), we can arguably, on a theoretical basis, start answering our question. EU institutions matter here as they played a fundamental role in creating and maintaining a large single market, in particular: the Commission in proposing the legislative framework that underpinned the single market, the Court of Justice of the European Union in ensuring that laws are interpreted uniformly, and the European Central Bank in integrating markets through the adoption and maintenance of the Euro, among other examples. The EU institutions’ role in creating and maintaining the single market’s four freedoms is largely incontrovertible in academia.

Brussels Effect Condition: Nondivisibility

Before tackling the two conditions most directly connected to EU institutions, I must first address the so-called “nondivisibility of standards” condition to understand how norms can be exported internationally. Bradford separates this condition into three subcategories: legal, technical, and economic nondivisibility (Bradford, 2012, p. 17 - 19). I will focus on the latter two since they are most relevant to our case study. In technical nondivisibility, the product cannot be easily divided and adapted for different jurisdictions because of the nature of the industry and product. In the case of the GDPR and data privacy, among several reasons, this is because the main product in question, data, needs to flow in and out of the EU to get processed due to how server infrastructures are organised. In the case of economic nondivisibility, companies are not necessarily technically or legally constrained but rather decide to comply with the strictest regulation because it makes the most economic sense. This is typically because producing an identical product at scale is cheaper than adapting the product for each market. In certain cases, as we will see, adhering to the strictest regulation at a large scale is simply cheaper than adapting one’s product for each jurisdiction even if other regulations are less strict. Beyond leveraging economies of scale, risk avoidance may also be a reason for economic nondivisibility. Risking non-compliance with the GDPR comes at a cost through fines; therefore, complying with the GDPR in all markets minimises accidental non-compliance (Gunst and De Ville, 2021, p. 19 - 20).

Brussels Effect Condition: Regulatory Capacity
EU Institutions Have the Necessary Power, Size, and Expertise to Form and Enforce Rules

The Brussels effect’s condition most salient to our question is “Regulatory Capacity” as it will directly address why EU institutions specifically matter in how EU power is exerted through the externalisation of norms. For the EU to export norms, it needs to have the regulatory capacity to harness its market power so that it can influence actors and rules beyond its jurisdiction (Bach and Newman, 2007). Bradford states that this is a key aspect of the Brussels effect as without it there is no clear norm to externalise, and firms do not have an incentive to comply. This touches on two simple points: firstly, policy formulation and adoption, and secondly, enforcement. When referring to regulatory capacity, Bradford is referring to the size, power and regulatory expertise of EU institutions. This condition is almost entirely and directly dependent on EU institutions; they matter most at this stage of the EU’s power exertion. Regulatory capacity is first achieved due to the EU institutions’ size. Taking the EU Commission as an example, it employed 32262 members of staff as of 2023 (EU Commission, 2023). Since the foundation of the Commission, Council and European Parliament, the number of staff members employed has grown by about 5% each year (Pegan, 2017). As noted earlier, the size of the institutions forms part of regulatory capacity but expertise also plays a key role. The competence and skill of the European Commission should not be understated. As Bradford notes, this can be measured and observed through the education level of the Commission’s staff where over 70% of officials have a postgraduate degree (Kassim et al, 2013, p. 39). The last relevant element of the regulatory capacity condition is the capacity of institutions to enforce the rules they set. As I will demonstrate in the case of the GDPR, EU institutions act as a sanctioning authority which is vital to how the EU projects power beyond its borders through different means such as via consequential fines.
To conclude this section, one must note that in the case of EU institutions, the “regulatory capacity” condition is only fulfilled in certain policy areas. Particularly, the condition is fulfilled where EU institutions have been granted strong regulatory competencies, and where it has the means in terms of size and expertise to tackle the policy area in question (Bradford, 2019, p. 36). I will further demonstrate that, through an analysis of the GDPR case and its Brussels effect, data privacy is a policy area where EU institutions possess strong regulatory capacity which is why it successfully exported its norms.

Brussels Effect Condition: Stringent Regulation
Supranational EU Institutions Produce Stringent Regulations as a Result of the Cultivated Spillover Effect

To answer our question, specifically regarding the role of EU institutions, I will analyse the policy formation process of the GDPR in the last sections of this article as this will help us understand the regulatory capacity condition of the Brussels effect in practical terms. Alongside this, it will also illustrate the “stringent regulation” condition of the Brussels effect. The stringent regulation condition, as outlined by Bradford, is an evident necessary condition for the de facto Brussels effect to take place. Since international firms sometimes choose to adhere to the most stringent regulation as outlined above (highest common denominator), it must be a necessary condition that the EU enact the strictest regulation in the international system for it to be externalised. Bradford argues that the EU has a tendency to enact stringent regulation due to ideological, and practical reasons (Bradford, 2012, p. 14 - 16). I will argue that in the case of the GDPR, EU institutions adopted strict regulation as a result of the neofunctional cultivated spillover effect where supranational institutions acted as policy entrepreneurs (Haas, 1964). In other words, supranational institutions pushed for a strict regulation because they would benefit from it. Explicitly supplementing the EU’s stringent regulation impetus in the context of Bradford’s Brussels Effect with Ernst Haas’s neofunctional cultivated spillover effect is an original theoretical addition to the academic corpus of this subject area. This may be somewhat technical but is arguably the most central element to understand the role of EU institutions in the Brussels effect.

De Facto Followed by De Jure Brussels Effect

To understand the Brussels effect, it is key to note the difference between the de jure and de facto effects. We have touched upon these concepts without explicitly citing them. In the de facto Brussels effect, firms decide to adhere to one rule for their product (as outlined in the previous nondivisibility section) and will choose to follow the EU’s rule internationally if certain conditions are met. After the de facto effect, the de jure Brussels effect can take place. This is when firms, after choosing to adopt the EU regulation for their product internationally, lobby their governments (outside the EU) to adopt the same regulations as the EU to create a level playing field. When the government in question decides to adopt a similar version of the EU regulation for its own jurisdiction as a response to the de facto effect, it becomes a de jure rule (Pätsch, 2018, p. 12).

EU Institutions’ Role in the Externalisation of the GDPR

From the General Data Protection Regulation to the California Consumer Privacy Act

It is first important to address that the GDPR’s norms are exported as a cost-saving measure. Firms lobby their local governments to adopt similar standards. For reasons explained in the previous “nondivisibility of standards” (economic) section, firms first adopt the GDPR’s standards for their product internationally because it is cheaper to produce uniformly. As noted this is an instance of the de facto Brussels effect. Where the Brussels effect becomes crystallised is when a country subsequently adopts the same norm (de jure effect), in the case of the GDPR as a result of lobbying from tech companies. A specific example of this is the adoption of the California Consumer Privacy Act (CCPA) which mimics certain aspects of the GDPR. Apple and Google explicitly stated that the CCPA should largely mimic the GDPR because they invested much capital in being GDPR compliant. They successfully argued that adopting key aspects of the GDPR in the CCPA would save costs for them rather than having to re-invest in new systems to comply with the CCPA (CA DOJ, 2019). The result of this is the CCPA resembling the GDPR in certain aspects, and where there is room for harmonisation, companies continue to lobby for the CCPA to be reformed to be even more similar to the GDPR to save costs (Gunst and De Ville, 2021, p. 59-60).

European Court of Justice Supporting the Regulatory Capacity Condition and De Facto Brussels Effect

One reason that the GDPR’s norms have been exported beyond the EU is the Binding Corporate Rules (BCR) clause of the regulation. For a corporation to legally be allowed to transfer data and process data from the EU outside the EU, it must adhere to the BCR (Schwartz, 2019, p. 122 - 123). BCR is a mechanism in the GDPR that permits the transfer of data outside the EU if the entity processing and controlling the data can guarantee that they will adhere to the GDPR’s norms even when the data has travelled outside the EU (GDPR, 2016, article 47). The role of EU institutions in this context is to uphold the BCR mechanism and prevent loopholes. Attempts have been made for the BCR mechanism to be circumvented by looser mechanisms which do not guarantee that a company adheres to the GDPR beyond the EU’s borders. One such attempt was the EU–US Privacy Shield which made it easier for companies to transfer EU data to the US without adhering to the GDPR as strictly and diminished the EU institutions’ oversight (Kuner, 2017, p. 902 - 903). The European Court of Justice declared the EU–US Privacy Shield invalid in 2020 (Tracol, 2020), upholding the GDPR’s authority and Brussels effect by preventing what could essentially be described as loopholes which would not export EU norms as strongly. This further supports my argument that in essence, in a number of ways outlined thus far and later, EU institutions, in this case the ECJ, act in supporting the Brussels effect’s regulatory capacity condition. The ECJ’s action demonstrates the role of EU institutions in their capacity to enforce and uphold legislation which supports the de facto Brussels effect.

Legal Sophistication and De Jure Brussels Effect

Before directly looking at EU institutions’ role in forming policy which supports the fulfilment of the regulatory capacity condition of the Brussels effect, I will demonstrate that the GDPR is exported due to its legal sophistication. Many companies have praised the GDPR for its legal sophistication as a result of the legislator’s expertise. In particular, the regulation’s useful separation of data processors versus data controllers has been frequently commended by companies (Gunst and De Ville, 2021, p. 62). Companies have also lobbied their own local legislators to copy the GDPR’s mechanisms because it diligently considers intricate distinctions within a complex nascent industry serving most of the relevant actors (both companies and citizens). Google has explicitly stated that the CCPA has been inspired by the GDPR due to its legal sophistication and has put pressure on the US to go further in mimicking the GDPR’s mechanisms in future: “the CCPA echoes and even borrows some language from the GDPR's distinction between controllers and processors, but suffers from remaining ambiguities” (CA DOJ, 2019). This is an additional example which demonstrates how and why the GDPR’s norms get exported: thanks to their expertise, EU institutions produced a regulation that actors, both corporate and political, wish to emulate in their jurisdiction and adopt as local laws.

Importance of EU Institutions in the Policy-Making Process, and Impetus of Commission and EU Parliament to Adopt Stringent Regulation

As outlined in the theory section of the article, Bradford argues that EU institutions’ role in the policy formation stage is an integral element of how the EU projects power beyond its borders, forming the “regulatory capacity” condition. This section will focus on the policy formation stage of the GDPR which is heavily, if not almost entirely dependent on EU institutions, without which the Brussels effect would not be able to take place. This section will also discuss a perspective novel in the context of the Brussels effect, borrowing from Ernst B. Haas’ research, on the impetus for supranational EU institutions to adopt “stringent regulations”. The adoption of stringent regulations is a second necessary condition for the Brussels effect to take place as international firms will, as discussed previously, often adopt the most stringent rule in the international system universally.

Supranational EU institutions strongly advocated for the most stringent norms within the GDPR. There are many clearly identifiable examples where supranational EU institutions lobbied for strong norms whereas member states and economic actors fought against them and advocated for looser rules. The representative example I will present is the right to erasure clause which permits users to delete data they previously published with few conditions (GDPR, 2016, article 17).

Both the European Commission and European Parliament proposed more stringent versions of Article 17 whereas member states favoured looser rules and a long list of exemptions. The European Commission first proposed the more stringent “right to be forgotten” wording for Article 17 versus member states who favoured making data deletion only an obligation under the condition that it would be logistically simple and not too costly; otherwise, companies would not necessarily need to comply (under the member states’ proposal) (Sharma, 2019, p. 209). The European Parliament ardently defended the minimisation of additional exceptions. Of the key actors in the policy-making process, member states proposed the most exceptions (Schünemann and Windwehr, 2021, p. 11). The result was a compromise where certain exemptions proposed by states were approved, but without the Commission and EU Parliament, the GDPR would not be stringent enough to fulfil the necessary condition for the Brussels effect to play out. Certain academics have indirectly argued that the impetus for supranational EU institutions to propose more stringent approaches is due to the neofunctional cultivated spillover (norm entrepreneurship) where they advocate for stringent rules which encourage integration which they may benefit from (Niemann, 2017) (Haas, 1964) (Siltanen, 2021) (Tamim, 2023, p. 15 - 16). As this example demonstrates, the way EU institutions (in this case particularly: supranational EU institutions) matter for how the EU projects power beyond its borders is through the fulfilment of the “regulatory capacity” and “stringent regulations” conditions.

European Commission Fulfilling the Enforcement Aspect of Regulatory Capacity Through Fines

Concluding the body of this article, a last central aspect of the “regulatory capacity” condition is enforcement as explained in the theory section. EU institutions can act as a sanctioning authority which acts as a deterrent and fosters compliance with regulations (Bach and Newman, 2007). The EU Commission can first deny an actor access to its market; this is part of Market Power Europe addressed earlier. In concrete terms, as per the GDPR, the Commission can impose large fines if an actor does not comply with the GDPR. Fines of up to 4% of a company’s turnover can be imposed, although this is mostly an action that is made by national Data Protection Authorities (DPAs) rather than EU-level institutions directly (GDPR, 2016, article 83). However, the Commission can impose fines of up to 10% of a company’s turnover for competition violations. This is not a theoretical threat as the Commission has often imposed large fines on companies like Google of over a billion Euros on the basis of antitrust rules (European Commission, 2018) (Bradford, 2019, p. 34).

Conclusion

As I have shown, the Brussels effect consists of several conditions that must be fulfilled in order for the effect to unfold: Market Power, Nondivisibility of Standards, Regulatory Capacity, and Preference for Strict Rules. I have demonstrated that both in theory and in practice, EU institutions play a role in most of these conditions but are absolutely necessary to fulfil the Regulatory Capacity, and Preference for Strict Rules conditions. This is why this article has focused on exploring these two conditions in the context of the GDPR to understand in what ways EU institutions matter for how the EU projects power beyond its borders.

On the regulatory capacity condition, as we have seen EU institutions (in particular the Commission and Parliament) played a central role in the formulation of the GDPR which sets clear uniform rules throughout the Union. The other component where EU institutions are necessary in fulfilling the regulatory capacity condition is regarding enforcement of GDPR. The European Commission and its agencies enforce the GDPR and neighbouring policies through large fines and the threat to limit access to its market. Another EU institution, The European Court of Justice, by invalidating the EU–US Privacy Shield prevents the creation of loopholes, making companies adhere to the GDPR. EU institutions are also necessary to fulfil the Brussels effect’s “preference for strict rules” condition. As I have argued, the European Commission and European Parliament propose ambitious and strict laws like the GDPR due to the neofunctional cultivated spillover effect leading to the adoption of regulations which, in the case of data privacy, are the strictest in the international system. The process of European integration can indirectly give them the impetus to adopt strict regulations.

Without these EU institutions, a strict regulation like the GDPR would not have emerged and the Brussels effect would not have been able to take place. In the case of the GDPR, chronologically, for the remainder of the Brussels effect to take place, EU institutions are broadly only necessary to continue enforcing the regulation. Large companies then must comply with the GDPR’s strict rules in the EU. For economic reasons, these companies follow these rules internationally which is by definition the de facto Brussels effect. These actors then lobby their local government to level the playing field, creating a de jure Brussels effect. In conclusion, EU institutions matter for how the EU projects power beyond its borders as they are necessary to fulfil the regulatory capacity and preference for strict rules conditions of the Brussels effect. Without EU institutions, the Brussels effect would not take place, and strict European rules would not be exported internationally.

Bibliography

  • ‘European Commission HR Key figures 2023’ (2023). European Commission.

  • Bach, D. and Newman, A.L. (2007) ‘The European regulatory state and global public policy: micro-institutions, macro-influence’, Journal of European Public Policy, 14(6), pp. 827–846. Available at: https://doi.org/10.1080/13501760701497659.

  • Bradford, A. (2012) ‘The Brussels Effect’, Northwestern University Law Review, 107, pp. 1-67.

  • Bradford, A. (2019) The Brussels Effect: How the European Union Rules the World. Oxford University Press. Available at: https://doi.org/10.1093/oso/9780190088583.001.0001.

  • CA DOJ, ‘California Department of Justice, Attorney General’s Office, Public Comments Received as Part of the Preliminary Rulemaking Process.’ (2019). California. Available at: https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-public-comments.pdf.

  • Damro, C. (2012) ‘Market power Europe’, Journal of European Public Policy, 19(5), pp. 682–699. Available at: https://doi.org/10.1080/13501763.2011.646779.

  • Duchêne, F. (1972) ‘Europe’s role in world peace’, Europe tomorrow: Sixteen Europeans look ahead, 43, pp. 32–47.

  • European Commission (2018) Antitrust: Commission fines Google €4.34 billion for abuse of dominance regarding Android devices. Available at: https://ec.europa.eu/commission/presscorner/detail/en/IP_18_4581.

  • GDPR, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (2016) Available at: https://eur-lex.europa.eu/eli/reg/2016/679/oj.

  • General Data Protection Regulation (2016) Available at: https://eur-lex.europa.eu/eli/reg/2016/679/oj.

  • Gunst, S. and De Ville, F. (2021) ‘The Brussels effect: how the GDPR conquered Silicon Valley’, European Foreign Affairs Review, 26(3), pp. 437–458.

  • Haas, E.B. (1964) Technocracy, pluralism and the New Europe. Berkeley, California: Institute of international studies, University of California.

  • Kassim, H. et al. (2013) The European Commission of the Twenty-First Century. Oxford University Press. Available at: https://doi.org/10.1093/acprof:oso/9780199599523.001.0001.

  • Kuner, C. (2017) ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’, German Law Journal, 18(4), pp. 881–918. Available at: https://doi.org/10.1017/S2071832200022197.

  • Manners, I. (2002) ‘Normative Power Europe: A Contradiction in Terms?’, JCMS: Journal of Common Market Studies, 40(2), pp. 235–258. Available at: https://doi.org/10.1111/1468-5965.00353.

  • Moravcsik, A. (2009) ‘Europe: The quiet superpower’, French Politics, 7(3), pp. 403–422. Available at: https://doi.org/10.1057/fp.2009.29.

  • Moravcsik, A. (2010) ‘Europe, the Second Superpower’, Current History, 109(725), pp. 91–98.

  • Niemann, A. (2017) ‘Neofunctionalism’, in Niemann, A., Oxford Research Encyclopedia of Politics. Oxford University Press. doi:10.1093/acrefore/9780190228637.013.149.

  • Pätsch, S. (2018) ‘How Brussels is emerging as a global regulatory superpower, establishing its data protection standard worldwide’, Lunds University. Available at: https://www.lunduniversity.lu.se/lup/publication/8940309.

  • Pegan, A. (2017) ‘The Bureaucratic Growth of the European Union’, Journal of Contemporary European Research, 13(2). Available at: https://doi.org/10.30950/jcer.v13i2.776.

  • Schünemann, W.J. and Windwehr, J. (2021) ‘Towards a “gold standard for the world”? The European General Data Protection Regulation between supranational and national norm entrepreneurship’, Journal of European Integration, 43(7), pp. 859–874. doi:10.1080/07036337.2020.1846032.

  • Schwartz, P.M. (2019) ‘Global Data Privacy: The EU Way’. Rochester, NY. Available at: https://papers.ssrn.com/abstract=3468554 (Accessed: 27 December 2023).

  • Sharma, S. (2019) Data privacy and GDPR handbook. Hoboken, New Jersey: John Wiley & Sons, Inc.

  • Siltanen, E. (2021) Whose Responsibility is Cybersecurity? : A Comparative Qualitative Content Analysis of Discourses in the EU’s Cybersecurity Strategies 2013-2020. Available at: http://urn.kb.se/resolve?urn=urn:nbn:se:mau:diva-45956.

  • Tamim, J. (2023) Explaining the emergence of European data protection norms through competing theories of European integration.

  • Tracol, X. (2020) ‘“Schrems II”: The return of the Privacy Shield’, Computer Law & Security Review, 39, p. 105484. Available at: https://doi.org/10.1016/j.clsr.2020.105484.

  • Vogel, D. (1997) ‘Trading up and governing across: transnational governance and environmental protection’, Journal of European Public Policy, 4(4), pp. 556–571. Available at: https://doi.org/10.1080/135017697344064.