Cordi researcher Jockum Hildén defended his doctoral dissertation titled “The Politics of Datafication – The influence of lobbyists on the EU’s data protection reform and its consequences for the legitimacy of the General Data Protection Regulation” on 8 November 2019.

Hildén’s Lectio praecursoria highlights the core findings of his research – the lack of transparency of regulatory decision-making processes, and their propensity to align themselves with corporate lobbyists and advance surveillance programmes – and calls for more transparency and true inclusion of more voices, also those of the citizens:

It has been virtually impossible to ignore the ramifications of widespread data collection in our everyday lives. In this very room, we have multiple devices regularly notifying hundreds of servers of our respective locations, possibly leading to new suggestions of Facebook friends or inferring academic interests based on our presence at the Faculty.

This is datafication in practice – turning social relations into something quantifiable and actionable. To some, this is technological magic and the pinnacle of innovation, to others, it is a sign of Orwell’s 1984 becoming reality.

The focus of my research has not been to outline data collection practices, but to discuss a very specific aspect of the information society: how personal data processing and transfers of data are regulated, and why. To do this, I have focused on the legislative process of the General Data Protection Regulation, or the GDPR, which entered into force on the 25^th of May last year.

Contrary to most EU legislation, people were actually made aware of the new law by virtue of the panic that it infused in online marketers and ecommerce business owners. Millions of emails were sent – our privacy policy has changed, please consent – and we did, just to stop the emails from coming.

New laws seldom cause this type of reaction, but the GDPR came with significant weight: infractions could be met with severe sanctions, up to 4 per cent of the global annual turnover of a company. For Google, that is five and a half billion dollars.

In light of the potential sanctions, spending a few millions on lobbying comes across as a wise investment. The GDPR has been widely regarded as one of the most lobbied pieces of legislation in the history of the European Union.

It was this aspect of the GDPR that piqued my interest. I wanted to know more about the ways lobbying shaped the rules that govern how our data are handled.

The GDPR is a fascinating case study not only because of the significant economic interests involved, but also because it marks a shift in the evolution of lobbying in the EU.

Political scientists have struggled with the question of the EU’s democratic deficit for decades. However, the question became even more pertinent when the Lisbon Agreement entered into force. The gradual expansion of the EU’s competences into new areas have made the democratic deficit of the Union more pronounced.

While the Parliament was granted more powers with the Lisbon Agreement, the dismal voter turnout in the European elections has not really reduced the democratic deficit. Instead, the European institutions have tried to address other aspects of the legislative process to make things slightly better.

First, access to documents has been made easier. Second, stakeholder’s access to the legislative process has been promoted. Both of these initiatives – transparency and participation —  have very specific goals in mind: to make it appear that decisions are not made behind closed doors in Brussels, far away from the people, but that the EU operates in an open way and takes the opinions of the people into account.

But whose opinions are really expressed, and more importantly, listened to?

The problem is of course, that “the people” rarely follow legislative processes too closely, but big business does.

Earlier research on interest group participation in legislative processes has demonstrated that corporate interests tend to be much better represented, and have much better access to decision-makers. What is slightly less researched is the impact this has on the regulatory output of lawmakers.

In order to dig deeper into these aspects of the GDPR, I proposed two research questions:

First, what policy alternatives were put forth by the EU institutions in the course of the GDPR’s legislative process, and how did they correspond to the ideas, issues and frames promoted by interest representatives?

Second, what does the influence of organized interests and stakeholders in GDPR decision-making reveal about the democratic legitimacy of the process?

Before I attempt to answer these questions, I want to raise how the wider societal context has an impact on policy choice and democratic legitimacy. Technology has always played an important role in the development of bureaucratic societies. Datafication relies on technologies that enable large-scale tracking of populations. Punched cards were, for example, first put into wide-scale use in the 1890s U.S. census, and would later become pervasive in private industry and public administration.

With digitization the efficiency of record-keeping increased and the will to do so did as well. But it is important to note that it was mainly public use of data that triggered concerns and encouraged lawmakers to act in Europe in the first place.

In the beginning of the 1970s, when the first data protection laws were signed into law in countries such as Germany, France, and Sweden, legislators were mostly preoccupied with public uses of data. As interest grew in using personal data for business purposes, the focus of legislators started to shift. The GDPR’s predecessor, the Data Protection Directive, must be seen in this light. The Data Protection Directive was drafted not because the EU Commission had an interest in the matter, but because national data protection authorities had blocked and threatened to block transfers of data to European Community Member States that lacked data protection legislation.

The Directive’s legislative process, comprehensively documented by Abraham Newman, was special in that national regulators used their powers to force data protection on the EU’s agenda. They would subsequently also assist the EU Commission in drafting the new Directive. Corporate stakeholders were unhappy with the legislative process and felt that they had been left on the sidelines. However, importantly, they managed to sway the Council’s position in a favourable direction. Moreover, they managed to insert a second goal of the Directive in addition to protecting the privacy of EU residents: the free movement of data within the Union.

Some might say this was a meaningless symbolic victory, but I argue that this very addition opened the floor for interest representatives to stress the importance of data sharing. It made arguing for such policy applications much easier.

It is against this historical backdrop that the GDPR should be viewed:  the strong role of national regulators, the question of emerging markets reliant on data transfers, and the role of corporate lobbying.

The Data Protection Directive was signed in 1995. The rise of the commercial internet would quickly challenge many of the provisions that had been agreed upon just a few years prior.  It would nevertheless take over two decades for the Commission to replace the Directive.

The first steps were taken in 2009 when the Commission instigated a public consultation with interested parties. After the first consultation and a EU wide survey on attitudes to privacy, the Commission issued a Communication outlining the approach it was going to take. It then asked for comments on this approach in the second consultation in 2011.

Who did these participants to the public consultation represent? What was their agenda? And most importantly, were they successful in shaping the Commission’s policy output?

Consistent with earlier research, business interests dominated the public consultations on data protection. The results are not surprising, but the public consultations on data protection are set apart from other EU consultations by virtue of the significant interest foreign lobbyists had in the process. While some member states were completely absent from the consultations, a wide variety of US-based business networks and corporations submitted their views.

It must be stressed that this is the most accessible form of participatory policymaking: no invitations are needed, just an internet connection and an interest in the policy being drafted. If you are not here, it is doubtful that you will be on the ground in Brussels lobbying for your position.

Nevertheless, looking at public consultations only says so much. The participation might be uneven, but what does it say about the actual impact different lobbyists have on the policy output?

To address the question of influence, I looked at the proposals put forth by lobbyists and compared them to the policy output of the EU institutions.

One of the main conclusions from this study is that it is impossible to draw any meaningful inferences by looking at just one institutional actor or a subset of politicians. While the early stages of the GDPR’s legislative process were clearly marked by the profound presence of corporate lobbyists, the Commission’s proposal from 2012 was not too accommodating of the businesses concerns. Rather, they opted for listening to data protection authorities and civil society. It shows that any studies on EU lobbying must take public authorities into account as well – quasi-insiders to the process, they have privileged access to the Commission.

The Parliament, on the other hand, was a completely different story. During the early stages of the Parliament’s assessment of the Commission’s proposal, flags were raised that IT lobbyists had succeeded in convincing MEPs to water down the proposal. MEPs copied extensively from the lobbyists’ position papers, sometimes even complete paragraphs. Many MEPs from different parties and different committees would submit the exact same amendments that clearly echoed the lobbyists’ proposals.

But as luck would have it, Edward Snowden came forth in 2013 and revealed the National Security Agency’s extensive surveillance programme. Civil society and the privacy-oriented rapporteur Jan Philipp Albrecht used the revelations strategically. They called out MEPs that had followed the IT lobbyists’ suggestions, accusing them of putting European’s data at risk.

The document that passed the Parliament’s first reading was therefore less marked by lobbyist influence than the individual amendments put forth by the MEPs. There were still some traces of lobbyist influence, but the Parliament’s proposal was more aligned with privacy activists’ positions.

However, the Snowden revelations would have less of an impact on the Council. In many cases, the Council decided to side with businesses and undermine the rights of citizens. Moreover, the Council inserted a range of national exceptions to the regulation, effectively punctuating the harmonized approach first put forth by the Commission.

Ultimately, the Council’s position prevailed in most cases. The Council was far more successful than the Parliament in advancing its suggestions to the final GDPR.

It appears that the institutional inclusion of powerful actors in the early stages of the policy formulation process did not overly upset the balance of interests and disproportionally favour corporate interests. Rather, legitimacy issues emerged at later stages of the process: the lack of insight into how the Council reached its position, and the demonstrable effect corporate interests had on the output.

By returning to the broader societal context it is possible to explain why the Council would favour such an approach.

The rationale for processing personal data is connected to a discourse most commonly associated with resource efficiency.  This perspective is integral for understanding the role of personal data in bureaucratic power and control. After all, surveillance and datafication are seen as inherent necessities for achieving the functional goals of relevancy, rationality, and efficiency. The parties that engage in these practices argue that the individual as such is of no functional interest.

This is also why data protection regulation, although instrumental in providing people with some rights to the data concerning them, will ultimately be insufficient because other, strong societal interests are at play.

The problems that I have pointed out in my dissertation – the lack of transparency of the Council’s decision-making process, and their propensity to align themselves with corporate lobbyists and advance surveillance programmes – are symptomatic for information society policy in the EU. The onslaught of lobbying is also becoming the new normal in Europe. This raises concerns for the legitimacy of EU policymaking.

If my research is to have an impact it should be this: if we want to address the democratic deficit of the EU, we need new rules on how the interactions of lobbyists with Council representatives are documented. And if we want to address the problems associated with surveillance and datafication, we need to look beyond data protection regulation and address whether these practices are compatible with the principles of the Rechsstaat.

The entire dissertation is available in electronic form through the E-thesis service.

More information:
Jockum Hildén
Phone: +358 50 341 0462
Email: jockum.hilden [at] helsinki.fi