Regulating the European Data-Driven Economy: A Case Study on the General Data Protection Regulation

In recent years, data have become part and parcel of contemporary capitalism. This has created tensions between the growing demand for personal data and the fundamental right to data protection. Against this background, the EU's adoption of the General Data Protection Regulation (GDPR) in 2016 is puzzling. Why did the EU adopt a regulation that strengthens data protection despite intensive lobbying by powerful business groups and the EU's supposed neoliberal bias? We make two arguments to explain this outcome. First, we use process tracing to show how issue-specific institutions played a crucial role during the agenda-setting stage (1990s-2009) and policy formulation stage (2009-2012). They triggered and structured the drafting process by strengthening the position of data protection advocates within the European Commission. Second, we use discourse network analysis to show that the Snowden revelations of 2013 fundamentally changed the discursive and coalitional dynamics during the decision-making stage (2012-2016). The salience shock it produced "saved" the GDPR from being watered down, by incentivizing policymakers to distance themselves from business interests and by exposing the geo-economic dimension of data protection. This article thus offers a comprehensive explanation of the GDPR, while contributing to the literature on the political economy of data protection.