Abstract

This article examines the emergence and evolution of European data protection norms through the lens of three major theories of European integration: neofunctionalism, liberal intergovernmentalism, and historical institutionalism. Through a critical analysis of key developments in EU data protection policy, including the 1995 Data Protection Directive, the constitutionalisation of data protection rights, and the General Data Protection Regulation (GDPR), the article assesses the explanatory power of each theoretical approach. While elements of all three theories provide insights, the analysis finds that neofunctionalism, particularly the concept of cultivated spillover, offers the most compelling explanation for the expansion of EU data protection norms. The article highlights how supranational institutions acted as policy entrepreneurs to drive integration in this domain, often against member state preferences. It also demonstrates how historical institutionalist concepts like path dependence and critical junctures complement the neofunctionalist account, especially in explaining the impact of external shocks like the Snowden revelations. The findings contribute to ongoing debates about the drivers of European integration and offer lessons for understanding EU policymaking in emerging regulatory fields.

Introduction

Theories of European integration are often utilised to analyse different areas of EU policy. Neofunctionalism, liberal intergovernmentalism, and historical institutionalism are three of the most prominently used theories of European integration. An academic consensus is often reached as to which theory best explains a certain policy area. As an example, liberal intergovernmentalism is most used to understand EU foreign policy because it is often considered that member states put effort at the European level to achieve their interests and this fundamentally drives the process and forms policy positions (Tilborg, 2016, p. 12). An academic consensus has not yet been clearly reached as to which theory best explains EU data protection as a policy area to explain why and how it was shaped since it is a much newer area of research. This dissertation provides an in-depth understanding of the emergence of EU data protection norms by analysing it through three theories of European integration.

Literature Review

Though an academic consensus has not yet been achieved regarding which theoretical approach is best to tackle data protection norms in the EU, academics have more often used a neofunctionalist approach which focuses on supranational institutions and their role in shaping these norms (Marcut, 2016, p. 16). Others have offered a more balanced approach like Schünemann and Windwehr’s article which I will utilise in parts of this essay as it addressed states’ role alongside other supranational actors. They concluded that supranational institutions were a more dominant driver in shaping the GDPR’s norms compared to national governments (Schünemann and Windwehr, 2021). In this dissertation, I question this conclusion by explicitly reintroducing liberal intergovernmentalism and historical institutionalism to understand the emergence of data protection norms beyond the GDPR most notably by analysing the data protection directive and other key events alongside it. This will give us a deeper understanding of the theoretical implications of what researchers have previously uncovered while introducing new theories and approaches. Schünemann and Windwehr state in their conclusion that they do not address the ‘why’ but rather the ‘how’ and do not answer ‘why’ supranational institutions have proposed and defended these data protection norms. This dissertation addresses this question directly since the ‘why’ has not yet been critically assessed in this policy area. I will answer this question by exploring the dynamics and play which shaped the emergence of EU data protection norms.

Some researchers adopted a historical institutionalist approach to explain the emergence of data protection norms in the EU using discourse analysis and process tracing. Laurer and Seidl having adopted this method suggest that the PRISM leak and issue-specific bodies reinforced advocates of strict data protection norms present within supranational institutions (Laurer and Seidl, 2021). An analysis of data protection norms which explicitly and directly uses liberal intergovernmentalist approaches has not yet been published although has been implicitly and indirectly utilised (Jančiūtė, 2018, p. 224). This means that this dissertation will need to fill this gap by exploring evidence which supports liberal intergovernmentalist assumptions.

Method

Theories of European Integration and their operationalisation

The purpose of this dissertation is to gain a deeper understanding of the main theories of European integration. This will be done by applying each of their perspectives to the evolution of data protection norms. Fundamentally, the objective of this dissertation is to highlight the strengths of certain theories of European Integration over others gaining an understanding of which is most useful when taking upon one such exercise. Additionally, beyond further understanding how these theories can be utilised, using the evolution of data protection norms as our case study will help us understand how and why these norms have emerged and expanded. Which actors and institutions played a key role in supporting them and why? And, were wider processes and dynamics at play beyond individual actors or events? Was this progression a linear and gradual process which moved forward in a single direction marked by automaticity, or were there reversals carried by key decision-makers? Some journal articles answer part of these questions which we will utilise, but this dissertation explains how these actors’ decisions and wider dynamics fit together to lead us to the current state of data norms in the EU. As I will demonstrate, explicitly utilising multiple theories of European integration is necessary to answer these questions. Answering these questions qualitatively in my case study will explain why one theory of integration may be more salient than another. This dissertation will be structured by exploring certain key historical events in a relatively descriptive manner, followed by a critical assessment which explicitly interprets the event through the theories of European Integration. It is necessary that these historical points be causally understood via process tracing, therefore making the links between these events central to my analysis. The historical account will mainly be based on secondary evidence which will include Newman’s work among other authors (Newman, 2008). I will end my dissertation with a comparative assessment of the overall salience of each theory of integration used based on their contributions and coherence in each of the historical cases.

This dissertation uses a specific definition of ‘European data protection norms’. Here, European data protection norms are standards codified within legislation and treaties which set out rules on the use of information typically associated with a person. I will present the legislation and treaties in question throughout this dissertation. I must emphasise that the definition I use is limited in scope as it is specific to ‘codified’ norms. The links between two codified norms that were introduced at different historical points, for example, article 8 of the Charter of Fundamental Rights of the European Union (CFR) and the General Data Protection Regulation (GDPR) are linked by a complex series of events some of which are informal in nature and uncodified. As I alluded to earlier, this dissertation will broadly take a chronological approach. I have chosen a number of seminal points in European data protection history: the introduction of the Data Protection Directive (DPD), article 16 of the Treaty on the Functioning of the European Union, the introduction of the GDPR, and the Snowden revelations. I will outline the links between these points alongside the events and key decisions which preceded each of them and analyse them through the theories of European integration in the manner outlined above which I will further develop. The theories of European integration used and their operationalisation are described as follows.

Neofunctionalism

There are two major theories of European integration; Neofunctionalism is one of them. It is referred to as one of the two ‘Grand’ theories of European integration alongside Liberal intergovernmentalism. I will focus on one of its main key dynamics explained later but will also use as a basis its wider essential assumptions. Neofunctionalism will be used as a tool to help us understand interdependent dynamics as Haas described (Haas 1976). This, I will argue is central to understand the evolution of data protection norms, perhaps more so than the other theoretical approaches described in the next sections. I must note that neofunctionalism, in its earliest versions in particular, has been highly questioned by academics, this includes Ernst Haas himself, the political scientist who developed the theory. This led to multiple reformed variants of the theory, some of which incorporate elements of Historical institutionalism. Of the three theories of integration I will use to assess the emergence of data protection norms, it could be claimed that neofunctionalism is the most challenged approach (Niemann, 2017, p. 6). Moving to Neofunctionalism’s constitutive assumptions, it first claims that European integration is a process. Therefore, when looking at the development of data protection norms, it could be viewed as a tool and a minor part of a larger process at play. A second Neofunctionalist assumption is that supranational institutions are the main guiding force on key decisions. When these supranational institutions have notable influence and power, the integrative process becomes automatic, and arguably self-sustaining, as the spillover dynamics are set in motion.

There are three main types of spillover: functional, political, and, cultivated spillover (Tranholm-Mikkelsen, 1991, p. 4). Functional spillover states that policy goals on one issue tend to require action on interdependent neighbouring policy areas. Supranational reach, therefore, widens through this process and competencies spread. Therefore functional spillover looks at the interdependence between policy areas (Haas, 1958, p. 283 - 317). Moving on to political spillover, this dynamic describes national elites shifting their focus and allegiance to the EU level as they view supranational action to be more effective to tackle issues (Haas, 1958, p. 14). We will find some evidence of functional spillover and political spillover throughout this dissertation when assessing the emergence of the data protection norms, but I will focus on a more salient and yet less utilised form of spillover in academia, namely cultivated spillover. Of the three spillover dynamics neofunctionalism outlines, I will demonstrate that the cultivated spillover dynamic best explains the emergence of data protection norms.

The role of supranational institutions is the direct focus of cultivated spillover. When analysing integration through cultivated spillover, supranational institutions are interpreted as the direct motor of European integration. The grip member states have over supranational institutions is gradually diminished as they gain a life of their own. Supranational institutions actively encourage European integration because their interest and power are linked to this process, in theory, as integration deepens supranational institutions’ power grows. Supranational institutions actively promote the integration process and gain power in several ways, I will explore two ways most salient to the evolution of data protection norms and this dissertation. Firstly, by introducing legal instruments which accelerate uniformity throughout the EU and put their own authority forward. Secondly, through norm and policy entrepreneurship (Niemann, 2017, p. 6). In this dissertation, the European Commission, the European Parliament, and the Court of Justice are the supranational institutions I will focus on. Evidence of neofunctional spillover will be assessed by answering the following questions: has the main policy entrepreneurs for data protection norms been supranational institutions? Have supranational institutions introduced legislation to broaden their competencies? Have legal instruments which favour supranational institutions been used and encouraged by them?

Liberal Intergovernmentalism

It is necessary to make use of the liberal intergovernmentalist perspective to assess the evolution of data protection norms in a thorough manner. According to liberal intergovernmentalists, neofunctionalism lacks focus on the dynamics at play from the perspective of member states and their domestic actors (Niemann, 2017, p. 8).

Three key assumptions constitute the basis of liberal intergovernmentalism. Firstly, domestic actors influence international negotiations through the state. The state acts as their main political instrument according to Andrew Moravcsik who outlined the theory (Moravcsik, 1998, p. 22). Secondly, states, rather than supranational institutions, are the primary drivers of integration. Thirdly, states acting within an anarchical international system act rationally. Moravcsik also introduces us to a three-part framework of international cooperation which will help us understand the evolution of data protection norms.

The demands of domestic actors are what form states’ national preference in the first stage. For example, the development of data protection norms could be encouraged by a government to satisfy the needs and interests of domestic actors such as companies or interest groups. This first stage which forms the national interest is issue specific. Here, focusing on data protection directly rather than considering neighbouring policy areas is necessary. Furthermore, according to Moravcsik, geopolitical threats which could have economic implications play a significant role in this first national preference formation stage. The second stage touches upon the interstate bargaining process and the focus is on the distribution of benefits (Ivanova, 2021, p. 8). States, seeking cooperation for their common benefit, are, as stated early, considered rational actors. The outcome of the interstate bargaining process is often a lowest common denominator scenario. In the third stage, states decide which institution to put their efforts in to secure their desired outcome, in theory, choosing the most efficient option (Hooghe and Marks, 2019, p. 1121). To uncover evidence of liberal intergovernmentalist dynamics present in the emergence of data protection norms, we ask the following questions: Were encouragement of the adoption of the data protection norms due to domestic actors’ pressure on member states? For European data protection norms, have states been the main decisive actor? Is the introduction of data protection norms driven by perceived geopolitical threats or national geopolitical interests?

Historical institutionalism

I will also make use of Historical institutionalism to explain the evolution of data protection norms as the theory has been used to understand norms over time. Historical institutionalism answers the question of why it becomes less likely to deviate from certain paths which have been taken and seek to understand how changes occur (Versolmann, 2020, p. 23). Some academics believe that historical institutionalism goes beyond the impasse of the liberal intergovernmentalist versus neofunctionalist debate (Pollack, 1996, p. 430). The theory does not focus nor fundamentally assume that decisions are a result of rational choices by actors which significantly distinguishes it from the former two. Longer-term results are not necessarily driven by actor’s long-term calculated and rational choices while rational choices are present on a reactive event-per-event basis. I will use ‘path dependency’ which is a major concept that historical institutionalism introduces which will aid us to interpret the evolution of data protection norms.

Path dependency is defined as ‘the causal relevance of preceding stages in a temporal sequence’ by one of the major contributors to historical institutionalism, Paul Pierson (Pierson, 2000, p. 252). This will enable us to explore the steps that guided data protection norms in a large sense and to find direct causal links between them. Regarding the institutional dimension of the theory, ‘institutions’ are not only a set of codified formal rules but can also be viewed through an informal interpretation, as an example via cultural perceptions and standards (Christiansen and Verdun, 2020, p. 14). The new institutionalist approach tends to adopt this interpretation of institutions. Historical institutionalism is part of the new institutionalist approach but adopts both interpretations of institutions. I will therefore also consider how current data protection norms are affected by the cultural element of privacy in Europe while keeping in mind that this approach is more relevant to other new institutionalist theories rather than historical institutionalism specifically.

The importance of external developments and events as an institutional factor is within the conceptual scope of historical institutionalism. For example, one such event that may arguably have had a central effect on the evolution of data protection norms was the Snowden revelations. I will answer the following questions to assess whether path dependence and critical junctures are central to understanding current European data protection norms: Has the emergence of today’s data protection norms been a product of causally linked preceding stages? Has the emergence of today’s data protection norms been marked and guided by a central critical event? Are longer-term historical trajectories transcending rational choices the guiding force for current European data protection norms? Can clear causal links between the events which led up to today’s data protection norms be identified?

Early history and shortcomings of cultural explanations

In part due to totalitarian regimes in of the 20th century in Europe, privacy has been a salient issue on the continent well before the digital revolution and before the inception of the European project in its current form. Evident links between contemporary data protection concerns can be traced back to the fall of those regimes Newman argues (Newman, 2008). Germany, a country where privacy concerns are particularly strong today, is one of the earliest states to impose data privacy codes. Another key state which also upholds relatively high standards of privacy compared to other countries in the world is France, where privacy was viewed as a matter of dignity, this notion dating back to the 18th century according to Whitman (Whitman, 2003, p. 28). As discussed in my theory and operationalisation section, ‘institutions’ can be definitionally viewed through a cultural perspective which is sometimes the case for the new institutionalists, and the history of the cultural aspect of privacy described above arguably fits this definition. A long-term historical explanation of Germany and France’s deep-rooted culture of privacy provides, in a broad sense, the seed for the origin and emergence of the data privacy norms we have today. It must be said that this interpretation better fits the sociological institutionalist explanation above historical institutionalism as path dependency, nor a critical juncture is clearly identifiable here. Germany and France both bear weight in the EU today so it would be fair to argue that a correlation is likely. I will later analyse the direct influence of these two states on the introduction and formation of data privacy legislation in a later section. As the purpose of this dissertation is to identify the strengths and weaknesses of the theories of European integration through an analysis of the emergence of data protection norms in the EU, we can already identify the significant weaknesses of historical institutionalism. The cultural explanation, which this section outlines, partly gives credit to the usefulness of new institutionalist perspectives such as historical institutionalism to a minor degree, but, the direct link to current data privacy norms is unclear. This cements Sven Steinmo’s points (one of the founders of Historical institutionalism) regarding cultural explanations stating that causal vagueness is one of its key characteristics (Steinmo, 1994). A rigorous analysis leading to certain links is complex in the case of cultural explanations. Making this point is essential in order to understand some of the shortcomings of certain methods and makes it evident that moving our focus to specific political actors, key events and formal institutions will help us better understand the theories of integration and the emergence of data protection norms (Rossi, 2018, p. 2).

The Data Protection Directive (1995)

Reinforcing norms and making the free movement of data irreversible

In this section I will outline and interpret the key aspects of the 1995 Data Protection Directive as I will show is a seminal legislation in European data protection norms which is often overlooked. Events surrounding the directive’s introduction gives us valuable insight into different actors’ role in influencing EU policy. In concrete terms, the directive’s introduction was made in exchange for a guarantee for data to move freely throughout the European Union. In 1995, the predecessor to the GDPR, the Data Protection Directive, was introduced because Data Protection Agencies (DPAs) put significant pressure on European institutions to adopt the legislation. Abusive practices and lobbying from private firms which went against data protection principles made them be perceived as increasingly untrustworthy in the eyes of DPAs which believe corporations had too much power to freely collect and process data with little scrutiny or oversight according to Newman. In concrete terms, and where this more directly relates to European integration, because of this, DPAs, by leveraging their power, threatened to stop data flows in the EU which jeopardised an important new space for European integration which led to the adoption of the Data Protection Directive to appease the situation (Newman, 2008, p. 142-144). ‘Data privacy authorities effectively held the European integration process hostage to their demands for greater protection within Europe by threatening to block data flows between EU companies and governments. Far more than simply implementing and enforcing national privacy rules, these protectors of privacy became political players in the integration process capable of bolstering European rules’ (Newman, 2008, p. 143). DPAs, as stated earlier evidently went against economic and corporate interests, but also undermined national preferences which go against the expectations of the liberal intergovernmentalist perspective. DPAs, after the introduction of the Data Protection Directive, had less power as they relinquished their power to limit data flows in the EU as a result of the directive’s adoption (Schünemann and Windwehr, 2021, p. 7). A note we can take on this event in regard to the theories of European Integration is that data protection norms become more homogeneous. But, more interestingly, reversing data protection flows become increasingly hard since a key actor which could have reversed this advancement no longer has this ability as they relinquished their power after the adoption of the directive. This makes integration seemingly more irreversible since the free flow of data in the EU is now less likely to be limited. This is in line with expectations of the neofunctionalist’s assumption that the integration process, as it advances, become irreversible.

Institutionalisation of EDPS and WP29

The European Data Protection Supervisor (EDPS) was created as a direct result of the Data Protection Directive. Its creation can be interpreted as an embodiment of the process of spillover. As we saw earlier, DPAs lost their veto power but also gained the creation of this new institution. The EDPS de facto operates as a supranational organisation (Sabel and Zeitlin, 2010). The process of institutionalisation describes this event. Furthermore, it shows that when legislation is made at a supranational, through the encouragement of supranational institutions like the European Parliament and Commission, power is encouraged to move from the national level to the supranational level, the creation of the EDPS demonstrates this.

The Data Protection Directive is also responsible for the creation of the Article 29 Data Protection Working Party (WP29). Beyond making it mandatory for a data protection agency to be present in each member state, the directive prescribed the creation of a new body which would centralise the cooperation of all of these data protection agencies. The Data Protection Directive’s articles 29 and 30 states that the WP29 provides recommendations on future data protection rules and on future amendments of the directive. The birth of this new body is further evidence of cultivated spillover as it is an example of supranational institutions encouraging legislation which creates new institutions which concentrate power at a supranational level and encourage integration. Some academics expressed that the WP29 advocates for data protection to such an extent that it was arguably an influential de facto lobby group in the middle of EU institutions (Poullet and Gutwirth, 2008).

Constitutionalisation

The WP29, as a result of the power afforded to them through the Data Protection Directive, played an important role in the insertion of data protection norms in key EU treaties and documents (Poullet and Gutwirth, 2008, p. 13 – 15). This process is what I refer as the constitutionalisation of data protection norms. As we saw earlier, the WP29, among other responsibilities, provided regular recommendations in regard to data protection and acted as an informal de facto lobby. This resulted in the insertion of Article 8 in The EU’s Charter of Fundamental Rights introduced in 2000 which is dedicated to data protection (Article 29 Working Party, 1999). We can observe a very close resemblance between the final wording of WP29’s recommendations and Article 8 which states ‘Everyone has the right to the protection of personal data concerning him or her’ (Charter of fundamental rights of the European Union, 2000). Article 50 of the draft Treaty establishing a Constitution for Europe has the exact same wording as the one in Article 8 of the Charter of fundamental rights of the European Union (Draft Treaty establishing a Constitution for Europe, 2003). This transposition was also advocated for by Stefano Rodotà, the chairman of WP29. The draft constitution was of course not adopted but the Treaty on the Functioning of the European Union’s Article 16 adopts a very similar principle and wording.

It is clear that a path-dependant link is observable, in the case of my analysis starting with the Data Protection Directive which introduced new institutions which at first seem to have much power. But this leads to data protection norms being implemented in the Charter of Fundamental Rights which further down the road found themselves in the Lisbon treaty. I must emphasise that the convention responsible for drafting the Constitution for Europe clearly expressed the link between the Charter and Constitution in regard to the data protection clause (Laurer and Seidl, 2021, p. 8). A historical institutionalist interpretation is salient here as path-dependent causal events understood through a step-by-step reading have added value to our understanding of why and how data protection norms are present in key EU treaties. Alongside this, one should note that these key events in the history of data protection norms, their emergence, and growth, are strongly defined by supranational bodies but were first kickstarted by several national DPAs. Therefore, DPAs (national/domestic organisations), before the process of institutionalisation, played an important role. One could argue that this supports the Liberal intergovernmentalist interpretation, but they acted through the WP29 which pushed for these norms at a supranational EU level. This, to a certain extent, undermines the liberal intergovernmentalist perceptive which might have assumed that the WP29 would have lobbied national governments since they are the fundamental decision-makers in the liberal intergovernmentalist view. What I outlined in this section echoes spillover dynamics described in neofunctionalist theory, in this case, political and cultivated spillover dynamics. Political spillover dynamics are present as DPAs shifted their focus from the national level opting to lobby at the EU level seen as more effective for the dissemination of data protection norms. The DPAs’ strong engagement and collective agreement in this regard, and The creation of the WP29 further backs this and can be used as evidence. And for cultivated spillover dynamics, whether done consciously through individual or a systemic process, the creation of the WP29 resulted in more competencies at an EU level which supranational institutions benefit from and supported.

The General Data Protection Regulation (2016)

The designation of DG JUST

I will now assess key moments in the policymaking stages of the GDPR through the theories of European integration, first by exploring the role DG JUST played. In the initial stages of the GDPR, member states did not seem to be particularly engaged with the formulation of the legislation which does not benefit the liberal intergovernmentalist perspective. Academics have not found clear evidence that shows that they encouraged changes in data protection norms through the introduction of new legislation like the GDPR. Within the Data Protection Directive, it says that the European Commission must report whether changes need to be made or entirely new proposals introduced taking new technological changes into consideration. This was to be done every three years by the European Commission (Data Protection Directive, 1995). As a result, the Commission did express a need for significant data protection reforms to be made through this process, playing a significant role in initialising the early stages of the GDPR’s introduction (Karaboga, 2018, p. 45). Data protection norms needed to be updated, and according to the Commission, the introduction of the Lisbon Treaty provided an opportunity for this (European Commission, 2010, p. 4 – 5).

In practical terms, the body within the Commission responsible for leading the first stages of the GDPR was the Directorate General Justice and Consumers (DG JUST). Them being responsible for the formulation of the regulation matters significantly for reasons I will outline. DG JUST is known as a more consumer-orientated directorate compared to others. This resulted in corporate interests and corporate lobbies not having as much sway as they might if another directorate was in charge of the initial formulation of the GDPR. To back this claim, the WP29 had significant influence on the initial formulation of the GDPR afforded to them by DG JUST which is in line with my claim (Laurer and Seidl, 2021, p. 8). I must again emphasise that it was a supranational institution’s decision (the Commission) that caused this. This gives credence to the neofunctional view as it shows a level of observable cultivated spillover dynamics since supranational bodies expanded their competencies, but it also clearly shows that initial small decisions caused a string of events which expanded the influence of supranational bodies also echoing historical institutionalist assumptions.

Setting specific norms: positions, roles and outcomes in the legislative process

In this section, I will look at the legislative process of the GDPR in greater detail by analysing two specific data protection norms within it. This also gives us a more technical understanding of data protection norms while exploring how they came about. I will explore the position of specific supranational institutions, states, and domestic groups and the role they had at various parts of the policymaking process. I look at two major norms, the right to erasure, and data portability. I also outline the position of each actor and assess the final outcome. Looking at the outcome helps us understand who had more sway and why.

The right to be forgotten or right to erasure

Article 17 of the GDPR is about the right to erasure. It affords people the right to remove personal data which they previously disseminated (GDPR, 2016). The wording ‘right to be forgotten’ was the preferred term used by the European Commission which they wanted in the regulation rather than ‘right to erasure’ since the latter insinuates a lighter obligation in regard to a company’s need to remove the data requested by the individual (Sharma, 2019, p. 209). The ‘right to erasure’ term was the preferred wording by the European Parliament which contradicts certain expectations (Hilden, 2019, p 160). Unsurprisingly, the Council which embodies member states’ position fell radically more on the side of corporate interests. They advocated for a clause which would have made removal of data less possible as it would only be erased if the cost (cost effort and monetary cost) for the company was low and easily achievable. Exemption cases for companies and organisations to remove personal data from their system were outlined by the Commission. The Council presented a significantly longer list of exemptions giving organisations more ways to circumvent this proposed obligation while the European Parliament went the opposite direction (Schünemann and Windwehr, 2021, p. 11). The outcome went much more in the direction of the Council’s preference to have more exemptions for organisation’s new obligations. The specific wording of Article 17 ended up supporting the Parliament’s and Council’s preference ‘right to erasure’. The Commission preferred phrasing ‘right to be forgotten’ is also in the regulation but in parentheses.

The right to data portability

Another key data protection norm which is present in the GDPR is the right to data portability worded in Article 20. This norm makes it easy for individuals to transport their personal data from one platform to another in a standard format which should discourage silo effects and be locked into one company’s platform/service (Voss, 2014, p. 14). In the case of this norm, the most consumer-facing actor was the European Parliament; this was not as clearly the case in the right-to-erasure example. The European Parliament called for strong protections to make personal data interoperable. In comparison, the European Commission wanted data portability to only apply to data being processed. The European Parliament went further requiring all data to be easily interoperable. As was the case in the right-to-erasure case, the Council was not as advantageous to individuals. Different groups of member states opposed the Parliament’s approach for different reasons. Making data portable and interoperable would be too complex for certain organisations adding too much cost for them according to the UK, Sweden, and Finland which would be detrimental to the competitiveness internationally. Continuity complexities were expressed by France and Germany which would put an undue burden on public services (Schünemann and Windwehr, 2021, p. 12). Digital Europe, a group which defends the interest of technology companies in the EU echoed the Council’s discomfort with the strict approaches (DigitalEurope, 2012). Member states, through the Council, requested significant exemptions as they did in the last case I assessed. The outcome went more in the direction of the European Parliament’s preference, but many of the Council’s proposed exemptions were also approved and implemented.

Theoretical assessment

Here, it would be most relevant to address liberal intergovernmentalist assumptions to analyse these cases. Two features of liberal intergovernmentalism should be given particular attention. The first assumption to address is that the drivers of integration are fundamentally based on states' interests. And the second is that states act in a rational manner. In both the data portability case and the right to erasure case, the Council (representing member states’ interests) strongly put forward the issue of administrative burdens and costs new rules would bring onto companies and organisations. They specifically called for and proposed the implementation of opt-out clauses which would make these new rules applicable in rarer cases. This could be viewed as a rational reaction from states since strict rules could have made companies less competitive internationally, indirectly hurting state’s economic position. So, states, through the Council called for these new data protection norms proposed by the Commission and European Parliament to be rolled back. The more important part of this to address for the sake of this dissertation is the outcome. Were the interests and demands of the Council and member states ultimately achieved? If so, this would support vital parts of liberal intergovernmentalist assumptions and partly stray further away from neofunctionalist theory. I showed that the outcome was mixed as the European Parliament, Commission, and Council all partly successfully influenced the regulation in their favour. The Council arguably achieved their preferred outcome by successfully implementing its proposed exemptions, but the Commission and Parliament also have their say as outlined earlier. Looking at these cases through the lens of neofunctional policy entrepreneurship, supranational institutions did exhibit leadership by proactively introducing and defending their position which would widen their competencies. In digital policy, cybersecurity policy in particular, researchers successfully demonstrated that the Commission and Parliament positioned themselves as normative agents (Siltanen, 2021). Their research, although not directly on the GDPR, echoes our findings. Implementing these new norms at the EU level which harmonises regimes and encourages the movement of data in the EU is how supranational actors encourage integration. It is also of interest to highlight that the nature of the legislation is a regulation (GDPR), replacing a directive (Data Protection Directive). Certain academics have interpreted this as a form of victory for the Commission (de Hert and Papakonstantinou, 2016, p. 182), but we can also note that it may be an indicator of integration moving forward with legislation being implemented and applicable from the supranational level more directly.

Cultivated Spillover mainly manifests itself through supranational institutions acting as policy entrepreneurs (Haas, 1964) (Niemann, 2017, p. 6), and the GDPR as I have shown is a clear example of this. This section can be concluded by stating that the later stages and outcome of the GDPR and the data protection norms it introduces can best be explained through the Liberal intergovernmentalist lens somewhat descriptively, and the earlier stages can best be explained through neofunctionalist interpretation with cultivated spillover. At this point, the overall assessment I offer suggests that the emergence of data protection norms shows that supranational actors have taken a life of their own, forming their own position and defending their interests which often go at odds with member states' interests (Bergmann, 2019, p. 1257).

PRISM

Institution’s reaction to Snowden’s revelations 

I will now critically assess the impact of the Snowden revelation which could be considered a critical juncture. Lobbying from large tech companies on the GDPR was rampant which the general public broadly ignored and was apathetic about until 2013. Large corporations were lobbying the GDPR effectively and according to a leading digital rights advocacy nongovernmental organisation ‘La Quadrature du Net’ the future of the legislation was therefore unclear (O’Brien, 2013). During this period, LIBE (the European Parliament Committee on Civil Liberties, Justice and Home Affairs), the body which was the committee designated to be responsible for the GDPR in the European Parliament, delayed important votes as it had received an unprecedented number of amendment proposals. Many argued, including the GDPR’s rapporteur Jan Philip Albrecht (The Greens MEP in Germany), that the regulation was being watered down (Nielsen, 2013). Those advocating for strong data privacy norms in the GDPR had less sway than corporations and states who in the majority of cases working to water the regulation down. But a critical juncture took place in June 2013 that shifted this balance in favour of data privacy advocates. It was revealed by Edward Snowden that a very substantial amount of data was being collected by the GCHQ and NSA from the servers of the largest tech companies Meta, Alphabet, and Apple (Greenwald and MacAskill, 2013). The NSA programme responsible for this was named PRISM (Greenwald, MacAskill, and Poitras, 2013). While the GDPR was going through early policy-making stages, more revelations were made by Edward Snowden regularly as the regulation was being shaped. Many academics have argued that this leak was a key moment in the emergence of European data protection norms as it affected the GDPR in many ways. Historical institutionalists may consider this a critical juncture, I will now present and critically assess these arguments.

Revelations adding resistance to defending corporate interest

Many media organisations reported on the Snowden revelations as it was leaked and many articles were published regarding digital privacy in European; this had a significant influence on the public perception of this issue (Kalyanpur and Newman, 2019, p. 8) (Rossi, 2018, p. 11). What was most shocking to many was the collaboration between intelligence agencies like the NSA and tech companies (MacAskill, 2013). These companies were seen with increasing suspicion from the general public after the Snowden revelations as they were perceived as complicit in large-scale state surveillance programmes. This made it much harder for companies to lobby the GDPR with little to no scrutiny. Strict data protection norms gained momentum as a result of this and gave bodies who were more supportive of them, like DG Just in the Commission and LIBE in the European Parliament support to implement these norms in the regulation (Coyne, 2019). On the surface, to appease the public’s growing concern on data privacy, bodies institutions like the Council which were more favourable to looser rules, had to appear more approving of strict clauses. This event pushed all EU institutions to appear like they were all on the same page regarding tightening data protection rules even though they had fundamentally different ambitions. The Commission stated, after meeting Justice Ministers of the Council of the EU: ‘All EU institutions agree that we have to join forces in order to have a strong European data protection law for our continent.’ ‘It is good to see that the French and German ministers have reaffirmed, in a joint declaration, that we need a high level of data protection for European citizens.’ ‘It is also good to see that they have both committed to quickly adopting the reform of Europe's data protection rules that the Commission put on the table in January 2012. PRISM has been a wake-up call. The data protection reform is Europe's answer.’ (European Commission, 2013). This quote is a demonstrative symbol of the Commission explicitly expressing its desire to act as a policy entrepreneur as a result of a critical juncture. The Commission, in the statement, imply that the Council’s previous ambition and attitude to keep loose rules was no longer an option while stating that the Snowden leaks is a chance to update data privacy norms through the regulation. Researchers have shown through discourse analysis which analysed how strongly the PRISM leaks affected the GDPR that my analysis is aligned with clear evidence. Countries’ governments like Germany’s and France’s, when negotiating on the GDPR, no longer having the ability to campaign for loose data protection norms, did indeed swing the balance of power towards advocates of strict data protection norms (Laurer and Seidl, 2021).

Theoretical interpretation

Here, all three theories of European integration help us understand why and how the PRISM revelations had an effect on the emergence of the GDPR and data protection norms and help us contextualise the event within European integration. Liberal intergovernmentalist theory aligns with the fact that member states were the ultimate decision maker. Arguably, without Germany and France’s backing which came about after the Snowden revelations, the GDPR would not have been adopted in its current form. States did relax their position to support loose data protection norms which is why certain aspects of the GDPR could have relatively tight clauses. In this regard, states, by letting these norms get adopted remain a powerful force in the policymaking process of this regulation. A second more speculative aspect which supports liberal intergovernmentalist assumptions is that member states may have been driven by security issues and a geopolitical threat. Little evidence supports this argument and it therefore remains speculative. On the neofunctionalist front, as I have shown, significant evidence suggests that cultivated spillover dynamics through policy entrepreneurship drove much of the process as a result of the Snowden revelations. There are now more competencies on data protection at the EU level as a result of the LIBE committee encouraging all EU institutions to welcome the regulation and its relatively strict new norms as a result of the Snowden revelations. Additionally, I should also highlight that LIBE has directly stated the importance of the link between data protection and the operation of security services as a result of the PRISM leak (Coyne, 2019, p. 70). We cannot strongly argue that this is a direct case of a functional spillover dynamic since we only observe that the link between these two policy areas has only been explicitly expressed by an institution. For this, we would need clear evidence that those two policy areas are linked because in order for a goal to be met in one area, policy action needs to take place in an adjacent one. Regarding Historical intuitionalism, the timing of the Snowden revelations played a major role in shaping the GDPR in favour of strict data protection norms. This section also demonstrates how historical institutionalism can be particularly complimentary to neofunctionalism, in this case showing that a critical juncture and the right timing can lead to supranational institutions having to opportunity to act as policy entrepreneurs. As I have shown, convincing evidence demonstrates that the Snowden revelations have had a significant effect on the emergence of data protection norms as the event coincided with the formation of the GDPR which was driven by a series of path-dependant events leading to an almost irreversible result (Laurer and Seidl, 2021) (Rossi, 2018).

Conclusion

As I have demonstrated the emergence of data protection norms can be analysed through the lens of different theories of European integration. Using a variety of perspectives to analyse different stages of the history of data protection highlights the weakness and strengths of each theory. What this dissertation found is that supranational institutions rather than member states have been the fundamental driver of the emergence and formation of data protection norms which confirms some assumptions of the authors I present in the literature review. But, only looking at which actor took more action or had more influence is not sufficient to answer which theory of European integration best explains the emergence of data protection norms. To answer this and to add originality to the academic literature, what this dissertation has done is compare different theories of European integration by centring the analysis on the dynamics at play: How do the different actors interact with one another, what are their interests, and how do they defend them?

One would first be drawn towards the neofunctionalist perspective if we were to focus on which institution is most decisive in the emergence of these norms. This is because supranational institutions seem to be the most vocal promoters of strict new norms proactively taking action. To be more precise and rigorous, what I have demonstrated is that the cultivated spillover is found throughout the history of EU data protection norms, from the Data Protection Directive’s emergence, to the GDPR’s emergence, and beyond. Evidence of this has first been found when analysing the process of institutionalisation. The DPA’s action was elevated to the EU level as a direct result of the creation of new institutions like the Working Party 29 and the EDPS, the creation of which has been strongly encouraged by the European Commission and European Parliament. This ongoing process becomes increasingly more difficult to reverse as it moves forward which is what neofunctionalist theory would have assumed. As an example, the emergence of newer supranational bodies like the EDPB shows this. The second demonstration of the salient presence of the cultivated spillover dynamic relates to the constitutionalisation of data protection norms. Data protection became a right from an EU level through the WP29 lobbying to include it in the Charter of Fundamental Rights of the EU. This directly led to the right to the protection of personal data being added to the EU treaties. I have also demonstrated that historical institutionalism is particularly useful to understand this process as it is defined by a series of causal path-dependent events which started with a seemingly insignificant action: the WP29 is created leading to the Charter’s implantation of data protection norms which is then transferred to the unratified EU constitution, which ended up in the EU treaties. Another section which supports the historical institutionalist approach is the seemingly minor decision to delegate the responsibility of the GDPR to consumer-facing bodies: LIBE in the European Parliament, and DG JUST in the Commission. This made the Snowden revelations which this dissertation interprets as a critical juncture have a larger impact than expected since these bodies used it as an opportunity to adopt the strict data protection norms I outlined. As such, both cultivated spillover dynamics alongside a path-dependent series of events causal decisions and a critical juncture made it harder for actors that were against these new strict norms to lobby against their adoption.

When we look at two specific data protection norms like the right to erasure and data portability rather than more general clauses, I have demonstrated that significant evidence shows that supranational institutions acted as norm and policy entrepreneurs whereas intergovernmental institutions like the Council and member states did not. I showed that cultivated spillover dynamics are present here too. But the Liberal intergovernmentalist analysis should not be ignored as it brings valuable and accurate insight. The Council was indeed generally against approving strict new norms, but these norms would not have been adopted if the Council did not comply with their implementation. Furthermore, we must note that even though these norms have been adopted and seem strict at first glance, I have shown that many applicability adopt-outs were also adopted at the request of the member states. I later showed that the PRISM leaks made the adoption of these strict norms more acceptable since the Council could no longer easily lobby against their adoption. There is some evidence that partly goes against liberal intergovernmentalist assumptions, for example, there is little evidence that shows that domestic actors passed through their states’ apparatus to protect their interests. Indeed, some domestic actors such as La Quadrature du Net and DPAs lobbied at an EU level directly not going through states’ institutions. Regarding the PRISM leaks, the ability for corporate interests to effectively lobby against strict data protection norms diminished due to the media’s interest in their collaboration with intelligence agencies. The large-scale dissemination of the Snowden revelations worked against corporate interests as they were particularly strongly scrutinised. Although little evidence has proven it, an argument could be made that member states responded to a perceived geopolitical threat after the Snowden revelations which is why they did not lobby against new data protection norms as forceful as could have been expected. This would line up with liberal intergovernmentalist assumptions. By critically assessing three theories of European integration through an interpretation of European data protection norms, this dissertation shows that all three can be utilised the understand their emergence and expansion. But I can conclude that the most salient theory in the context of this policy area is clearly neofunctionalism, more precisely the cultivated spillover dynamic. I have shown that historical institutionalism can be used to complement neofunctionalism which suggests that attempts to reform the latter by implementing the former theory within it as has been done by political scientists like Alec Stone Sweet (Stone Sweet and Sandholtz, 2010) may be necessary to push the field forward.

Bibliography

• Article 29 Data Protection Working Party (2000) Recommendation 4/99 on the inclusion of the fundamental right to data protection in the European catalogue of fundamental rights.

• Bergmann, J. (2019) ‘Neofunctionalism and EU external policy integration: the case of capacity building in support of security and development (CBSD)’, Journal of European Public Policy, 26(9), pp. 1253–1272. Available at: https://doi.org/10.1080/13501763.2018.1526204.

• Charter of fundamental rights of the European Union (2000). Available at: https://eur- lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32000X1218%2801%29&qid=1651150040123.

• Christiansen, T. and Verdun, A. (2020) Historical Institutionalism in the Study of European Integration, Oxford Research Encyclopedia of Politics. Available at: https://doi.org/10.1093/acrefore/9780190228637.013.178.

• Coyne, H. (2019) ‘The Untold Story of Edward Snowden’s Impact on the GDPR’, The Cyber Defense Review, 4(2), pp. 65–80.

• Data Protection Directive, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1995) Available at: http://data.europa.eu/eli/dir/1995/46/oj/eng.

• de Hert, P. and Papakonstantinou, V. (2016) ‘The new General Data Protection Regulation: Still a sound system for the protection of individuals?’, Computer Law & Security Review, 32(2), pp. 179–194. Available at: https://doi.org/10.1016/j.clsr.2016.02.006.

• DigitalEurope (2012) Comments on Proposed European Commission’s Regulation on Data Protection. Available at: https://wiki.laquadrature.net/images/1/1f/DIGITALEUROPE- priorities-of-Data-Protection-Regulation_March-2012.pdf.

• Draft Treaty establishing a Constitution for Europe (2003) Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52003XX0718(01).

• European Commission (2013) Informal Justice Council in Vilnius. Available at: https://ec.europa.eu/commission/presscorner/detail/en/MEMO_13_710.

• GDPR, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (2016) Available at: https://eur-lex.europa.eu/eli/reg/2016/679/oj.

• Greenwald, G. and MacAskill, E. (2013) ‘NSA Prism program taps in to user data of Apple, Google and others’, The Guardian, 7 June. Available at: https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data.

• Greenwald, G., MacAskill, E. and Poitras, L. (2013) ‘Edward Snowden: the whistleblower behind the NSA surveillance revelations’, The Guardian, 11 June. Available at: https://www.theguardian.com/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance.

• Haas, E.B. (1958) The uniting of Europe: political, social, and economic forces, 1950-1957. Stanford, Calif.: Stanford University Press.

• Haas, E.B. (1964) Technocracy, pluralism and the New Europe. Berkeley, California: Institute of international studies, University of California.

• Haas, E.B. (1976) ‘Turbulent fields and the theory of regional integration’, International Organization, 30(2), pp. 173–212. Available at: https://doi.org/10.1017/S0020818300018245.

• Hilden, J. (2019) The Politics of Datafication: The influence of lobbyists on the EU’s data protection reform and its consequences for the legitimacy of the General Data Protection Regulation. Doctoral Thesis. University of Helsinki.

• Hooghe, L. and Marks, G. (2019) ‘Grand theories of European integration in the twenty-first century’, Journal of European Public Policy, 26(8), pp. 1113–1133. Available at: https://doi.org/10.1080/13501763.2019.1569711.

• Ivanova, M. (2021) Explaining European Integration in Cybersecurity. Available at: https://doi.org/10.5282/ubm/epub.77240.

• Jančiūtė, L. (2018) EU politics and the making of the General Data Protection Regulation: Consociationalism, policy networks and institutionalism in the process of balancing actor interests. doctoral. University of Westminster. Available at: https://westminsterresearch.westminster.ac.uk/item/q509y/eu-politics-and-the-making-of-the-general-data-protection-regulation-consociationalism-policy-networks-and-institutionalism-in-the-process-of-balancing-actor-interests.

• Kalyanpur, N. and Newman, A.L. (2019) ‘The MNC-Coalition Paradox: Issue Salience, Foreign Firms and the General Data Protection Regulation’, JCMS: Journal of Common Market Studies, 57(3), pp. 448–467. Available at: https://doi.org/10.1111/jcms.12810.

• Karaboga, M. (2018) ‘The Emergence and Analysis of European Data Protection Regulation’, in J. Schwanholz, T. Graham, and P.-T. Stoll (eds) Managing Democracy in the Digital Age: Internet Regulation, Social Media Use, and Online Civic Engagement. Cham: Springer International Publishing, pp. 29–52. Available at: https://doi.org/10.1007/978-3-319-61708-4_3.

• Laurer, M. and Seidl, T. (2021) ‘Regulating the European Data-Driven Economy: A Case Study on the General Data Protection Regulation’, Policy & Internet, 13(2), pp. 257–277. Available at: https://doi.org/10.1002/poi3.246.

• MacAskill, E. (2013) ‘NSA paid millions to cover Prism compliance costs for tech companies’, The Guardian, 23 August. Available at: https://www.theguardian.com/world/2013/aug/23/nsa-prism-costs-tech-companies-paid.

• Mărcuț, M. (2016) The Socioeconomic Evolution of the European Union: Exploring the Electronic Frontier. 1st ed. 2016. Cham: Springer International Publishing : Imprint: Springer (SpringerBriefs in Economics). Available at: https://doi.org/10.1007/978-3-319-40304-5.

• Moravcsik, A. (1998) The choice for Europe: social purpose and state power from Messina to Maastricht. Ithaca, N.Y.: Cornell University Press.

• Newman, A. (2008) Protectors of Privacy: Regulating Personal Data in the Global Economy. Cornell University Press.

• Nielsen, N. (2013) ‘[Interview] New EU data law could end up weaker than old one’, EUobserver. Available at: https://euobserver.com/rule-of-law/120301.

• Niemann, A. (2017) ‘Neofunctionalism’, in Niemann, A., Oxford Research Encyclopedia of Politics. Oxford University Press. Available at: https://doi.org/10.1093/acrefore/9780190228637.013.149.

• Niemann, A. (2017) ‘Neofunctionalism’, in Niemann, A., Oxford Research Encyclopedia of Politics. Oxford University Press. Available at: https://doi.org/10.1093/acrefore/9780190228637.013.149.

• O’Brien, K.J. (2013) ‘Silicon Valley Companies Lobbying Against Europe’s Privacy Proposals’, The New York Times, 25 January. Available at: https://www.nytimes.com/2013/01/26/technology/eu-privacy-proposal-lays-bare-differences-with-us.html.

• Pierson, P. (2000) ‘Increasing Returns, Path Dependence, and the Study of Politics’, The American Political Science Review, 94(2), pp. 251–267. Available at: https://doi.org/10.2307/2586011.

• Pollack, M.A. (1996) ‘The New Institutionalism and EC Governance: The Promise and Limits of Institutional Analysis’, Governance, 9(4), pp. 429–458. Available at: https://doi.org/10.1111/j.1468-0491.1996.tb00251.x.

• Poullet, Y. and Gutwirth, S. (2008) ‘The contribution of the Article 29 Working Party to the construction of a harmonised European data protection system: an illustration of ‘reflexive governance’’, Perez Asinari, MV, Palazzi, P.(eds.) Défis du droit à la Protection de la vie Privée–Challenges of Privacy and Data Protection Law, pp. 570–610.

• Rossi, A. (2018) ‘How the Snowden Revelations Saved the EU General Data Protection Regulation’, The International Spectator, 53(4), pp. 95–111. Available at: https://doi.org/10.1080/03932729.2018.1532705.

• Sabel, C.F. and Zeitlin, J. (2010) Experimentalist Governance in the European Union: Towards a New Architecture. OUP Oxford.

• Schünemann, W.J. and Windwehr, J. (2021) ‘Towards a ‘gold standard for the world’? The European General Data Protection Regulation between supranational and national norm entrepreneurship’, Journal of European Integration, 43(7), pp. 859–874. Available at: https://doi.org/10.1080/07036337.2020.1846032.

• Sharma, S. (2020) Data privacy and GDPR handbook. Hoboken, New Jersey: John Wiley & Sons, Inc.

• Siltanen, E. (2021) Whose Responsibility is Cybersecurity? : A Comparative Qualitative Content Analysis of Discourses in the EU’s Cybersecurity Strategies 2013-2020. Available at: http://urn.kb.se/resolve?urn=urn:nbn:se:mau:diva-45956.

• Steinmo, S.H. (1994) ‘American Exceptionalism Reconsidered: Culture or Institutions?’, in The Dynamics of American Politics. Routledge.

• Stone Sweet, A. and Sandholtz, W. (2010) ‘Neofunctionalism and Supranational Governance’. Rochester, NY. Available at: https://doi.org/10.2139/ssrn.1585123.

• Tilborg, R. W. van. (2016) Explaining The Arctic Policy Of The European Union: Supranationalism And Liberal-Intergovernmentalism. Erasmus University Rotterdam

• Tranholm-Mikkelsen, J. (1991) ‘Neo-functionalism: Obstinate or Obsolete? A Reappraisal in the Light of the New Dynamism of the EC’, Millennium: Journal of International Studies, 20(1), pp. 1–22. Available at: https://doi.org/10.1177/03058298910200010201.

• Versolmann, I. (2020) ‘To be or not to be a European Energy Union: drivers of European energy policy from a historical institutionalist perspective’. Available at: https://doi.org/10.7488/era/339.

• Voss, W.G. (2014) Looking at European Union Data Protection Law Reform Through a Different Prism: The Proposed EU General Data Protection Regulation Two Years Later. SSRN Scholarly Paper 2567624. Rochester, NY: Social Science Research Network. Available at: https://papers.ssrn.com/abstract=2567624.

• Whitman, J.Q. (2003) The Two Western Cultures of Privacy: Dignity Versus Liberty. SSRN Scholarly Paper 476041. Rochester, NY: Social Science Research Network. Available at: https://doi.org/10.2139/ssrn.476041.