Brexit and the Failure of Pre-emptive Reconciliation: A study of the General Data Protection Regulation

Prefer to download or print longer articles? Download a PDF

Daniel Neyland and Sveta Milyaeva


As Britain faces up to a post European Union future, commentators and politicians compete and sometimes struggle to explain the result of the referendum. Against a backdrop of warnings of the detrimental effect of an exit from the IMF[1] and World Bank[2], opinion polls too close to call and initial indicative results that suggested a victory for those campaigning to remain in the EU, UK voters chose to leave by a majority of 3.8%. Although a prominent issue throughout the build up to the referendum and in subsequent analyses of results was immigration, many voters and firms also expressed a desire to be free from what they perceived to be the overly bureaucratic machinery of the EU. Hence, the concerns of prominent Brexit supporters such as Graeme McDonald, CEO of JCB, included frequent refrains such as: “What is needed is a lot less red tape and bureaucracy. Some of it is costly for us and quite frankly ridiculous.”[3] Right wing tabloids also implored readers to “to remove ourselves from the undemocratic Brussels machine.”[4] And even the Business Task Force, many of whom were in favour of remaining in the EU, had previously expressed similar sentiments: “The removal of unnecessary regulatory burdens in areas which are critical for job creation and growth will free up businesses across the EU to lead the way towards economic recovery.”[5]

In this paper we will investigate one basis for these expressions of ill feeling toward European Union legislation: the process of changing legal forms of EU legislation from subsidiarity and the creation of Directives, toward Regulations. Subsidiarity is enshrined in Article 5 of the Treaty on European Union[6] and suggests decisions should be made as locally and as locally accountable as possible. One expression of this principle has been the development of Directives. These are formed of sets of principles that European member states negotiate and agree upon. Member states then interpret and implement Directives in line with national interests, culture, law, practices of enforcement and so on.[7] The flexibility of principles built into Directives should enable member states to enact a form of subsidiarity. Moves to implement Regulations, on the other hand, are designed to implement a single, binding, legislative Act on all member states simultaneously. Although Directives have been designed to solve one type of problem (creating the opportunity for decision making as local and locally accountable as possible while having member states in a Union), Regulations are designed to solve quite a different type of problem (ensuring a consistent legislative basis for citizens and businesses across (what were) 28 member states of the EU).

One recent and very prominent example of a change from Directive to Regulation can be seen in the development of the General Data Protection Regulation (GDPR). This legislation replaces the Data Protection Directive of 1995. In studying the move from Directive to Regulation, we will argue that many of the tensions in EU policy making can be brought to the surface. The precise composition of the legislative form requires study to understand how these tensions emerge but are never fully resolved. Our suggestion in this paper is that Regulations involve what we will term pre-emptive reconciliation: on-going, lengthy and costly negotiations which draw together distinct viewpoints, aims, interests and concerns generating tensions that are built into the legislative form but never fully reconciled or resolved.

In order to study this pre-emptive reconciliation and its failure, our paper first turns to Science and Technology Studies (STS) research on data, markets and legislative forms. This provides one basis for considering the complex composition of legislation like the GDPR that has to navigate the market interests of the data industry, individuals’ concerns about their data, and policy making priorities around emerging data markets. Second, we turn attention to the GDPR, what is frequently termed ‘the data-driven economy’ (EC 2014) and the difficulties faced by those responsible for developing the legislation: the task of engaging with new notions of what counts as data, new practices of data ownership, movement and use, what could count as privacy and data protection in what has been called a business-led data landscape. Third, the paper delves into the political intricacies, legal expertise, and institutional arrangements that are required for the production of a Regulation like the GDPR. Despite the apparent urgency of the Regulation (EC 2012, Reding 2013) it took six years and an unprecedented amount of amendments for the process of negotiation of the legislation to result in the final text[8]. As we will show, these years of making the Regulation involved bringing together a number of controversies over distinctive sets of business and civil concerns in an attempt at pre-emptive reconciliation. The paper concludes with an assessment of the ways these efforts to reconcile distinct concerns at times seemed to make such concerns more prominent.

STS, data, markets and legislation

Academic writing on the need for, and challenges of, producing legislation that addresses market, legal and public or social concerns tends to focus on the interplay of different spheres that are somehow at odds with but nevertheless affect each other. For instance, in studies of transnational (or global) legal infrastructures, their making, maintenance and functioning, the main concern of socio-legal scholars is ‘power disparities’ and how they ‘inform and are shaped by legal relationships in transnational commercial life’ (Likosky 2002: xxi-xxii). The task of legal scholars should then be to understand how power shapes legal narratives and legal relationships that, in turn, shape power. Alternatively, suggestions are made that a new theory of regulation is required that goes beyond established ways of seeing market regulation as an ‘economic theory of politics’, in order to show how in certain cases the making of market regulation is guided not only by economic interests, but also public interests (Balleisen and Moss 2010: 5). Despite this call for a broadening out of entities to be considered in making sense of legislative forms, STS scholars have tended to call for a more radical form of inclusion. STS scholars such as Latour have, for example, suggested that people, things, processes, relations, resources and notions of power need to be shifted from something that forms an explanation, to things that need to be explained through their ‘enrolling and allying’, or what we might term their composition (Latour 1987, 2005).

If we treat legislation as a matter of fundamental composition – that is the very nature or ontology of entities is to be settled through the composition of legislation – then we are presented with a particular basis for understanding such matters as the GDPR. Rather than assume that business concerns, data, market prerogatives or privacy (to name just a few of the terms we will encounter in subsequent sections of this paper) straightforwardly pre-exist the legislation, this approach suggests treating these entities as a contingent effect of the legislative process (broadly conceived to include debates, discussions, forms of paper work and policy). To understand such matters as the composition of data, we can usefully draw on recent STS work which has questioned what might count as data, for whom and when, with what consequence (Gillespie 2013; MacKenzie 2012; MacKenzie and McNally 2013; Neyland 2014, 2016; Ruppert 2012; Ruppert et al. 2013).

However, considering such fundamental matters as composition in transnational policy matters suggests quite a task, with an escalation of the number of entities to be included. STS scholars have proposed a number of ways forward. Jasanoff (2005) suggests treating the process of transnational governance as a form of (trans)national building inculcating a contest of ‘civic epistemologies’. Alternatively Barry (2001) suggests considering transnational policy in terms of a quest for ‘a European technological zone’. Or Faulkner (2012) views the composition of policy as a textual entity.

Each of these approaches offers ways forward for considering the ways in which EU legislation takes specific form. Yet the focus of the GDPR, we will suggest, brings into being or composes the nature of matters of concern in very specific ways, at the same time delineating what ought to count as data, for example, and what ought to count as market relations through which that data flows. The recent STS work on markets can prove useful here for demarcating the particular kind of composition work at stake. In this emerging body of work, markets have been treated as heterogeneous assemblages that constitute the very nature of people, things, processes and relations, often through devices of calculation and valuation (Callon 1998, Callon and Muniesa 2005, Callon et al. 2007). Here, then we might think of the GDPR as a heterogeneous assemblage of compositions.

STS inspired empirical studies of legislative forms and markets are not extensive. Existing research tends to treat legal expertise, for example, as an enabler of various market transactions. For instance, Laurent (2012-13) demonstrates how a ‘responsible’ nanotechnology market is constructed by European regulation, or Milyaeva (2014) emphasises the importance of local legal culture in transnational financial markets, or Riles (2011) studies private legal governance. In order to make sense of the composition of a public form of legal governance such as the GDPR we need to expand on these studies. We need to investigate how the shape of the GDPR as a Regulation demands that different concerns are brought to the fore and reconciled pre-emptively through the writing of the legislation and how this becomes consequential for the entities thus composed. In order to do so, we need to perform our own pre-emptive reconciliation on STS studies of data, markets and legislation. We will do this in the following sections, analysing the production of the GDPR and its consequences.

The following analysis of the GDPR is based on 40 in-depth semi-structured interviews with heads of various national data protection authorities, European Commission, European Parliament and Council officials and technical experts, members of the personal data industry, personal data consultancies, as well as fieldnotes from various personal data industry events attended in the US and UK, and a hearing in the European Parliament in Brussels. First, we will introduce the European Digital Single Market, linked to unfettered flows of data as a European Commission priority on the one hand, and the necessity to change the existing legal framework that governed data protection on the other. We will then focus on the compositional practice of drafting a Regulation to replace an existing Directive (95/46/EC). In so doing we will follow the debates in the European Parliament and the Council of the European Union tracing the political and technical complexities involved in composing the Regulation and its entities. These two sections will provide the means to explore how STS work on composing markets and governance might prove its analytic utility. Finally, we will conclude by considering how pre-emptive reconciliation within these forms of legislative composition brings tensions to the fore that are not resolved. 

The Data Protection Directive and Its Discontents (1995-2012).

‘Today, we lay the groundwork for Europe’s digital future. I want to see pan-continental telecoms networks, digital services that cross borders and a wave of innovative European start-ups. I want to see every consumer getting the best deals and every business accessing the widest market – wherever they are in Europe.’ These were the words of Jean-Claude Juncker, the President of the European Commission, when he listed the Digital Single Market as one of the top priorities for the EU (EC 2015a). The project of building such a market was envisioned as part of ‘supporting and accelerating the transition towards a data-driven economy in Europe’ (EC 2014, 2014a). The concept of a transnational economy driven by innovation nested in big data (OECD 2015) and supported by free flows of data[9] seemed compelling. Achieving such a concept through data protection legislation already pointed toward the potential need for reconciliation and suggested compositional efforts might need to be directed toward data itself in the first instance.

To create a Single Digital Market, regulation needed to effortlessly incorporate a more or less singular nature for data – a form for data that could sit centrally in new legislation and un-problematically survive the exigencies of differing and new data practices and the legal structures, actions and modes of enforcement of multiple member states. Although the types of digital data at the centre of a future single market might include individuals’ online searches, their shopping, payments for services, and communications among many others, data had to occupy a position in the legislation that was more or less singular, universal and able to accommodate these distinctions. Yet the relatively low costs of storage and transmission and the burgeoning industries of data scraping, mining and profiling meant that what counted as data, what could be done with data, over how long, at what speed and for what purpose was continually open to question. A vast expansion of services that capitalize online personal data meant that a singular nature for data was unlikely. Pacifying the nature of data in order to regulate it would itself restrict the data industry, with ever more ways emerging to monetize data by advertisers and data brokers.[10]

Yet regulating the vast and unrestricted collection of personal data by the online data industry had become a significant concern among regulators in the European Union. As one of our interviewees, a head of one of the European data protection authorities put it:

‘If you want to use Facebook, if you want to use Google, the deal is clear – you don’t have to pay in money, but you do understand that the business model is of serving you based on the information you put up there, and the more information that the service provider has, the more targeted the ads can be, and the more money they can get from you. […] I think the data protection law has had difficulty dealing with these so-called free services, because [it] was developed on the basis that you’re giving information to a company to provide a specific service which you are paying for, and it gives you control over any further use of the data. But in the case of these so-called free services your data is the payment, so therefore it’s more complex’.[11]

The challenge was how to enable the data industry to continue to expand while also regulating the data upon which its profits were based and how to come up with singular definitions and get agreement on principles for legislation within a very rapidly changing set of activities. The regulatory framework that guided online data collection originated in 1995 (the 95/46 Directive, or the Data Protection Directive; EU 1995),[12] and was expanded in 2002 by the Electronic Privacy Directive. The latter was aimed at regulating the processing of personal data in a new digital environment as well as specifying rules for the telecommunication sector; specifically, the e-Privacy Directive demanded that data processors declare the use of cookies and provide an opt-out option for individuals (EU 2002). In 2009, the e-Privacy Directive was again amended to accommodate further technological advances – the EU ‘Cookie’ Directive 2009 introduced stricter rules on use of cookies (EU 2009).   

This piecemeal approach to legislation that was made in response to rapid changes that had undermined the ability of legislation to maintain what kept becoming outdated singular definitions of data led to multiple calls for more significant legislative revision.  In particular this set of Directives were not fulfilling the task ‘of how best to protect citizens’ rights and at the same time facilitate legitimate data processing for business’ (Reading 2012: viii). Or, as a head of one of the national data protection authorities elaborated:

When I am making a judgment on something, I am not allowed to consider the competitiveness of the market. The FTC is[13]; I’m not. I have to make a decision based on ‘is the law broken, or isn’t it broken?’ […] In some cases, data protection law simply cuts across commercial interests, it clearly does.[14] 

At the centre of concerns articulated regarding data and its protection, business and the apparent needs of online users, was the legislative form itself: the Directive. The distinct implementation and enforcement practices of member state Data Protection Authorities was enabling subsidiarity, but undermining any singular, universal definition of data and its protection, with individual users and firms having to adapt their practices and understanding of data and its protection according to their locale. As a head of one of the European Data Protection Authorities suggested:

Well, the European Commission certainly claims one of the big motivations behind their reform of the Directive is to boost cross border trade within the single market. […] Different member states have transposed the Directive in different ways. They are very jealous of their own system. It is actually quite funny; I am going off to Brussels this afternoon, to the latest meeting of the Article 29 Working Party.[15] I know that I will have two days of dear colleagues from other data protection authorities within the European Union, who will be saying, “Of course, the way we do it is like this.” The implication is that “Our system is best”. I try to work very hard on this practical co-operation frankly, because it just seems to me to be a complete no-brainer. We are not dealing with member states entities just marketing to their own people, and thank heavens we’re not.’[16]

A review of EU Data Protection began in 2009 with the European Commission carrying out a set of public as well as ‘targeted stakeholder’ consultations, and an announcement that the European Commission intends to ‘modernise EU data privacy rules’ (EC 2010). On January 25, 2012, the Commission proposed a legislative draft – the General Data Protection Regulation – to replace the 1995 Data Protection Directive with law that would satisfy both the ambition for the European Digital Single Market and the need to achieve ‘data sovereignty’ (Albrecht 2015)[17]. 

What we can note here is that throughout this period compositional work is on-going. Distinct ways to make sense of what the nature of the problem is that requires legislation (to encourage business, to protect privacy) and distinct forms for the principal characters (data, users, business, regulators) to take, shift. Piecemeal Directives and their multiple interpretations rapidly move from solution to being part of the problem. In line with Riles’ argument of the centrality of legal technique in transnational market governance, these on-going changes are not outside legislation, but are part of continuing efforts of regulatory inclusion. Although Riles (2011: 232) suggests that the legal form has ‘been devalued in state regulatory practice,’ what we find in these EU activities is that legal technique and the form legislation can take is crucial to transnational market governance. We can already begin to see emerging in the early discontent described here in relation to the 1995 Data Protection Directive forms of pre-emptive reconciliation whereby distinct concerns are actively drawn together (here including concerns over data, data industry practices, the needs of the user, distinct implementations of the Directive). Composing the nature of these concerns in such a way that new Directives such as the 2009 e-Privacy Directive can then be seen as a solution, quickly gives way to further concerns that the new Directive itself is part of the problem. Drawing on Latour (2005: 223), legislation and its discussion is a tool – ‘something that allows something else to be transported from one side to another.’ But rather than harmonizing the nature of the problem and its solution, stabilizing controversies (Latour 1987, 2005), here pre-emptive reconciliation through new Directives (e-Privacy and the EU Cookie Directive) only signals need for a shift in the legislative form. New compositional efforts are required through Regulation.      

The General Data Protection Regulation as Pre-emptive Reconciliation (2012-2016).

The move from a Directive that delineates general rules passed into national legal frameworks at the discretion of national authorities, to a Regulation that must be applied in its entirety across all European Union member states without variations, had consequences. The change of the legal form manifested ‘the proposal’s basic aim of establishing a uniformed body of EU data protection law’ (Albrecht 2015: 125), but also meant that concerns had to be articulated clearly in advance and their associated form of reconciliation established before the legislation could be passed. Business and human rights and whatever interests these might represent would require composition and would need to be reconciled. However, prior to this, the role of the European Commission itself had to be established. As one of our interviewees suggested it was only by pushing the agenda of the EU ‘Digital Single Market’ that the European Commission ‘had authority to get involved in privacy in the first place, to make it a single market issue, by talking about barriers to data flows around the EU member states. If it wasn’t for that angle the E[uropean] C[omission] could never have proposed a Data Protection Regulation, because the member states would have said, “that is not a EC competency, protecting our citizens’ privacy and human rights is a national competence”’ (from an interview with a UK academic with research interests in data regulations; London, 4 February 2014). 

Having a right to compose the nature of the problem and solution of Data Protection, the nature of the entities involved, what concerns ought to be taken into account in what form and how those concerns ought to be reconciled, could only take place through this kind of manoeuvre. Human rights such as privacy were not enough alone to justify a Regulation. Human rights combined with rights to do business were. Hence the European Commission composed the problem and solution as a reform that ‘will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year.’ (EC 2012a). And the Council of the European Union (or the Council of Ministers - the upper chamber of the EU legislative body that represents governments of the EU member states) further specified:

The Regulation provides for a single set of rules, valid across the EU and applicable both to European and non-European companies offering on-line services in the EU. This avoids a situation where conflicting national data protection rules might disrupt the cross-border exchange of data. (CEU 2016)

Composing the nature of the problem and solution of privacy and data protection, the European Commission[18] focused on consent (the Regulation requires online users to opt-in to data collection, whereas the 95/46 Directive insisted on opting-out), a right to be forgotten (whereby a user can request to delete personal data together with links to it that are either irrelevant or outdated), and a demand for data controllers (i.e. businesses involved in processing personal data) to be clear and proactive in compliance with Data Protection regulation (EC 2012c). At the same time, composing the problem and solution for business interests involved legal provisions for encouraging cross-border flows of data, a ‘one-stop shop’ for data controllers handling personal data of the Europeans and relaxed registration requirements for data controllers. In short, the Digital Single Market would be a place where ‘there are fewer barriers, and more opportunities: it is a seamless area where people and business can trade, innovate and interact legally, safely, securely, and at an affordable cost’ (EC 2014b).   

Imposing the nature of the problem and solution in this way, rather than settling the matter of how things ought to be composed, instead opened up a space for heated debate and forceful lobbying. Although the term Brexit had only just come into being (2012), the UK was at the centre of arguments about EU policy impositions. The British Banker’s Association regarded the draft as promoting ‘a number of requirements that do not necessarily bring any significant benefit to the individual, and yet impose very onerous requirements on both data controllers and customers’ (BBA 2012). Other lobbying groups quickly joined in. The Industry Coalition for Data Protection (which consists of 15 associations of European businesses) pointed out that the Regulation ‘missed an opportunity to reconcile effective privacy safeguards with rules protecting the conduct of business – both fundamental rights under the EU charter’ (ICDP 2013).  

In her interview on the process of drafting the Regulation, a legal scholar who closely followed the development summarised:

The original Commission’s proposal tried to re-establish the balance between what the Directive [95/46] wanted to achieve – the protection of the individual on the one hand, the facilitation of the market on the other. And it did that probably in a way that markets did not like very much. […] The industry immediately saw its margin of discretion being taken away. Because as long as [the Directive] was only guidance, you could still argue away, and have a chat with the regulator, and that worked in some respect. But once it becomes law, and the Regulation is law as such that [is] directly applicable to all countries, so no more watering down its implementation, transposition, all that sort of stuff. This was a massive shock to the system, I think, to those data controllers. (London-Edinburgh, 30 April 2015) 

To enact the Regulation and bring the composition of problem and solution, the nature of concerns and their proposed reconciliation into being, both chambers of the European legislative body – the European Parliament and the Council of Ministers – had to agree on the draft. Reflecting on the discussions of the draft, Jan Phillip Albrecht (2015: 122), a Green- European Free Alliance MEP who was appointed the rapporteur[19] for the General Data Protection Regulation in March 2012, recalls that ‘internet giants from Silicon Valley and other data gatherers […] have also enlisted massive lobbying assistance from the US Department of Commerce’. What followed were a wealth of alternative concerns that sought to recompose the nature of the problem and solution and the entities involved. For example, the US Department of Commerce published a study that calculated that ‘the direct negative welfare effect (under the same assumptions) of the regulation could reach up to 1,353 USD (1041 euro) per year for a household of four people’, and ‘if the ‘right to be forgotten’ rule is added, the regulation could cause a GDP decrease for the EU of -1.5% to -3.9%, and welfare loss of or 4,566 USD (3,512 euro) per household.’ (US CC 2016, 2013). Economic forecasts, statistics, commensuration and forms of equivalence sought to shift the terms of debate, but also the future legislative policy terms into which data businesses would be incorporated.

Once the draft Regulation was passed on to the European Parliament and the Council, the Commission expected the dialogue negotiations between the two chambers of the EU legislative authority to continue throughout 2012 and reach an agreement on the EU's new Data Protection framework by the end of 2012 (EC 2012d). However, the expectations of the Commission proved to be too optimistic. The Committee on Civil Liberties, Justice and Home Affairs that was responsible for developing a position of the Parliament, received 3,999 proposed amendments to the draft, ‘the highest number of amendments ever tabled in Parliament to a single legislative file’, which, according to Albrecht, was a direct result of lobbying on the proposed Regulation (EU 2016; Albrecht 2015).[20] Rather than pacifying a matter of concern and settling the nature of entities to be involved in Data Protection, the legal form that such legislation ought to take and the relationship between problem and solution that ought to be specified, producing a draft opened up a space for fierce argumentation. Rather than providing a means to pre-empt possible concerns in order that they could be reconciled, the draft pre-empted so many concerns that the possibility of reconciliation itself became the problem. It took over two years for the Parliament to propose a reconciliation of all the suggested amendments, adopt its position on and vote in the Regulation. On October 22, 2013, the Committee voted in favour of the new draft that proposed a particular reconciliation of the record number of amendments (EC 2013). And in March 2014, just two months before it was dissolved for the election, the Parliament voted in favour of the Regulation, expecting the Council of Ministers to adopt a position for negotiations resulting in the full approval of the law (EC 2014c).

However, the composition of the nature of the problem and solution, the entities involved and the legal form that should follow did not run so smoothly. Contrary to the hopes of those pushing the law forward, the Council did not reach a common position on the Regulation voted for by the Parliament (EU 2014). Despite admitting that, as a single comprehensive piece of legislation, it established a uniform approach to data protection in all EU member states and thus enabled unfettered data flows within the EU, promoting the EU Digital Single Market, the Council’s difficulties with settling on a unanimous position on the draft caused a significant delay in adoption of the Regulation.

Among other matters, EU Justice Ministers (members of the Council) could not agree on the future of data business envisioned by the Regulation. The list of concerns to be reconciled continued to grow (as one head of a European data protection authority suggested: ‘the Regulation […] is a very, very long shopping list’[21]). And the change of legal form from Directive to Regulation continued to be a concern:

It’s a complex legislation and what we are effectively doing is we are changing the instrument – from the Directive to the Regulation. That is why the members of the Council are twice as careful, because they are losing their margins, given that the [new] legislation is comprehensive’ (Brussels, 31 March 2015).   

Pre-emptive reconciliation was made more difficult by the change in legal form – as this interviewee suggests they were ‘losing their margins’ and this meant a reduction in future discretion among member states, business, users and Data Protection Authorities. The UK continued to hold one of the strongest counter positions on the draft. The position of the UK Ministry of Justice was set out by a UK negotiator:

The UK was very much pro-business. I mean the whole negotiating mandate was based on the idea that the original Commission draft had a lot of prescription in it – had lots of tick boxes, a lot of compulsory obligations on data controllers and processors. […] And I think from the UK point of view there was a sense that in the EU the UK is one of the leading digital economies, with a lot of creativity and innovation. (London, 28 April 2016).     

This position was made clear by a statement issued by the UK Ministry of Justice that:

…the Commission both overestimates the benefits achieved through harmonized EU data protection law and fails to address the full costs and unintended consequences of its own proposals, by only considering administrative costs. Our analysis addresses some of these failings by considering in full the impact of the proposed regime, including small and medium enterprises, the additional costs to supervisory authorities, conducting data protection impact assessment and complying with other new obligations (UK 2012).

Such disagreements led to delay in the Council’s adoption of a united position on the Regulation draft. Political objections expressed in raising these issues needed to be reconciled by finding legal ways of aligning the European Commission’s aim (already complex in its reconciliation of the seemingly opposed needs of users and data businesses) with political ambitions of the European member states. As our interviewee who participated in the Council’s negotiations explained, ‘[at the working group level are] technical negotiations, and the further up you go it becomes political [as] obviously the Ministers are not going to know [the] ins and outs of whether or not an IP address constitutes post-personal data, or what is the actual definition of pseudonymous data, or things like that’ (London, 28 April 2016). The reconciliation of different political objectives of the member states was performed through the laborious and lengthy technical discussions of the working group aiming to remove current and prevent future possible legal obstructions to the legislative objectives.   

Failure to produce a reconciliation that was accepted by different member states and data firms as adequately accounting for the number of concerns that had been articulated, led to delays. Among various points of disagreement, two concerns in particular could be discerned, namely the one-stop shop and the problem of measurability. Both concerns revolved around the so-called ‘consistency mechanism’ that would, according to the draft, harmonize rules for data processing across Europe, encourage business confidence, unleash unfettered flows of data and, ultimately, generate economic growth. According to a technical expert from the European Parliament, attempts to reconcile the concept of one-stop shop took a great deal of time because: ‘this is where member states have more intrinsic motivations to get it right, because it affects their national authorities, the way they cooperate and so on’ (Brussels-London, 20 April 2016). Reconciliation, however, created its own problems. What should count as the one stop shop kept changing and expanding to try and reconcile the number of concerns that had been expressed about it. The UK negotiator at the Council told us:

One-stop shop started changing quite a lot from the original Commission vision of it, which was quite simple, but ended up getting more and more complicated […]. Member states started to say, ‘well, hang on a second, what happens if someone makes a complaint [against a data controller] in my country but [its] main establishment is elsewhere?’ The example might be when someone in France uses his Facebook, but then Facebook HQ is in Ireland, therefore the person in France has the case dealt with in Ireland. […] So it went through endless rounds of re-writing (London 28 April 2016). 

Another point of discontent was measurability. For the UK negotiators the central point of a Regulation as a legal form was that it could harmonize a standard across the EU. The absence of a measurable entity in Data Protection, for the UK negotiator, meant that the choice of legal form itself was questionable:

We felt that a regulation is appropriate for things which are measurable. So you have a regulation for […] how much emissions done, or how fast a lorry can go on a motorway, or how long someone can drive for, those kinds of very technical things. And this was a first time that the European Union attempted a piece of legislation based around a fundamental right [that is] not measurable, because you’re balancing rights, generally. You might be balancing a right to data protection to a right to freedom of information, for example, and expression (from an interview with the UK negotiator at the Council, London, 28 April 2016).    

Finally, after numerous meetings throughout 2014-15, in June 2015 the Council approved its general approach on the Regulation and trialogue negotiations were launched between the Parliament, the Council and the Commission. The result of the negotiations was announced in December 2015 – agreement was reached on the text that would become the first comprehensive Regulation on Data Protection in Europe. On April 14, 2016, the European Parliament gave its ultimate approval to the General Data Protection Regulation (EU 2016a). On June 23rd, 2016, the UK voted to leave the EU. As a result the lengthy attempt to pre-empt concerns and then reconcile them through a single piece of legislation, composing a harmonized, singular and universal nature for data, data businesses, individual users, their problems, privacy and data protection, and what would count as an adequate solution, may come to nothing in the UK.     


What we have suggested in this paper is that legal form is an important feature of the development of EU legislation. To reconcile market demands with fundamental human rights, the European Commission employed a legal form – Regulation – that embodied a ‘consistency mechanism’ to enable business confidence. As Latour suggests, legal form is ‘one of the most important types of translation’ (Latour 2005: 223), enabling legislation to embody the concerns of different entities. It might also be said that legislation like the GDPR seeks to enact ‘a European technological zone’, a ‘spatialising project … to establish links which cut across and disrupts national boundaries’ (Barry 2001: 67). But the Regulation also effectively eliminated any discretion in compliance. In the case of the GDPR this seemed to inspire unprecedented lobbying in the European Parliament as well as incessant negotiations in the Council.

We can say, then, that the difference between a Directive and a Regulation seem important in our analysis and sit at the centre of difficulties involved in such pan European endeavours as harmonization. Producing Regulations involves moving away from the subsidiary basis of Directives. In the GDPR it also seemed to open up for the UK a basis for complaining about EU legislation, its lack of flexibility, its costs of legislative production but also its costs for business, and the length of time it takes to produce and implement. Brexit does not appear to provide a solution to these complaints regarding the apparent burden of EU Regulations. The post EU future of the UK may involve many of the same forms of Regulation: the UK may have to strike a trade deal with the EU which will require taking on board forms of EU legislation; it seems unlikely that firms (such as the data firms featured in this paper) will want to adopt one approach to business for 27 member states of the EU and a different practice for the UK, so the UK may end up with EU policy by default; at least initially the UK will not have its own alternative regulatory frameworks written and so there will be an EU legislative legacy for some time.

What we have suggested in this paper is that the development of and controversies surrounding EU legislation that featured prominently in Brexit debates and the aftermath of the UK referendum can be approached through the concept of pre-emptive reconciliation. We suggested that EU legislation involves a great deal of compositional work, particularly in Regulations that involve efforts to establish the nature of things, unquestionably and universally (or at least across all 27 or 28 member states of the EU). But efforts to compose the nature of entities also involve work to compose the nature of a problem and its solution. This kind of composition work seems to require that all concerns are articulated up front. In the GDPR this meant that in place of a singular nature for entities, problems and solutions, multiplicities abounded. Subsequent efforts to pacify those multiplicities into singularities were only as successful as the extent to which entities (whether national governments, users and their data, firms and their lobbies) accepted their new compromised natures or were only able to (or happy to) dispute these natures quietly. Given the vast lobbying machinery of the data industry that featured in our paper, acceptance and quiet was unlikely. Given the opportunity – through such matters as referenda – users’ voices were equally noisy in their discontent. Pre-empting issues thus seemed to involve bringing together and even amplifying sets of concerns. The impossibility of reconciling up to 3999 distinct concerns seemed to prompt on-going disquiet with the legal form.





[5] This group also critiqued the failure of previous attempts to cut EU bureaucracy:

[6] See:

[7] For more on the distinction between a Directive and a Regulation, see:

[8] By the time of writing this, an informal agreement was reached in December 2015 between the European Parliament, the Council of Ministers and the European Commission on the text of the General Protection Regulation (PCEU 2015) with the followed approval by the European Parliament in April 2016 (EU 2016a).

[9] Such advocacy is partly rooted in neoclassical economics – in Posner’s (1978, 1981) claim with regard to market efficiency undermined if information (data) does not flow freely.

[10] Data brokers are businesses that collect and then sell individuals’ information; for more in the data broker industry see FTC 2014; for more on the online data industry see Milyaeva and Neyland 2015, 2016.

[11] The interview took place on 8 July 2014. To maintain anonymity of the source, we do not identify the interview’s location.

[12] Although the first data protection laws were enacted in 1970s in Europe and the US (Bennett 1992). On the difference in ‘regulatory philosophies’ and ‘privacy paradigms’ forming data protection in Europe and the US see Zwick and Dholakia 2001, and also Bennett and Raab 2003. 

[13] The FTC (Federal Trade Commission) is a US regulatory body that is responsible for consumer protection and maintaining market competition. For more, see

[14] The interview took place on 8 July 2014. To maintain anonymity of the source, we do not identify the interview’s location.

[15] The Article 29 Working Party is an independent European data protection advisory body that consists of representatives of member states’ data protection authorities, the European Commission and the European Data Protection Supervisor. For more see

[16] The interview took place on 8 April 2014. To maintain anonymity of the source, we do not identify the interview’s location.

[17] The Commission produced a legislative package, which included the General Data Protection Regulation and also the Directive that aims to protect ‘personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities’ (EC 2012b). For the purpose of our discussion on what constitutes a market intervention we focus on the Regulation only.   

[18] Here we analyse the initial draft the Commission presented to the European Parliament and the Council of Ministers in January 2012. 

[19] A rapporteur is an MEP appointed as responsible for a particular piece of legislation.

[20] The breakdown of the amendments is as following: ‘The Civil Liberties Committee tabled a record number of 3,133 amendments to the Commission's proposal for a regulation. These, plus the amendments tabled in the opinions of the Industry Committee (417), the Internal Market Committee (226), the Employment Committee (27) and the Legal Affairs Committee (196), make a total of 3,999 amendments.’ (EU 2016).

[21] The interview took place on 8 April 2014. To maintain anonymity of the source, we do not identify the interview’s location.


Albrecht, JP. 2015. Hands Off Our Data! Available at <>, accessed 22 February 2016.

Albrecht, JP., Bendrath R., Jotzo, F. and Z. Siebert. 2015. The EU’s Data Protection Reform. European Parliament & Green European Foundation.

Balleisen E. and D. Moss (eds.). 2010. Government and Markets: Toward a New Theory of Regulation. Cambridge: Cambridge University Press.

Barry, A. 2001. Political Machines: Governing a Technological Society.

(BBA) British Bankers’ Association. 2012. ‘Views on the Proposed European Union General Data Protection Regulation”. Available at>, accessed 29 July 2015.

Bennett, C. 1992. Regulating Privacy: Data Protection and Public Policy in Europe and the United States. Cornell University Press.

Bennett, C. and C. Raab. 2003. The Governance of Privacy: Policy Instruments in Global Perspective. Ashgate.

Beunza, D. and D. Stark. 2004. ‘Tools of the Trade: The Socio-Technology of Arbitrage in a Wall Street Trading Room’, Industrial and Corporate Change, 13: 369-400.

Callon, M. 1998. “Introduction: the Embeddedness of Economic Markets in Economics”, pp.1-57 in M. Callon (ed.) The Laws of Markets. Oxford: Blackwell.

Callon M. and F. Muniesa. 2005. ‘Economic Markets as calculative Collective Devices’, Organization Studies, 26(8): 1229-1250.

Callon, M. Millo, Y. and Muniesa F. (eds.) 2007. Market Devices. Wiley-Blackwell.

(CEU) Council of the European Union. 2016. ‘Data Protection Reform: Council Adopts Position at First Reading’. Available at <>.

Cloatre, E. and M. Pickersgill (eds.). 2015.  Knowledge, Technology and Law. Routledge.

(EC) European Commission. 2010. ‘European Commission sets out strategy to strengthen EU data protection rules’. Available at <>.

-. 2012. Why do we need an EU data protection reform? A factsheet. Available at

-. 2012a. ‘Commission Proposes a Comprehensive Reform of the Data Protection Rules’. Available at < >

-. 2012b. ‘Commission proposes a comprehensive reform of data protection rules to increase users' control of their data and to cut costs for businesses’. Press release issued on 25 January. Available at < >

-. 2012c. Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation). Available at < >

-. 2012d. ‘Commission Proposals on the Data Protection Reform: Legislative Texts –Communication’. Available at <>

-. 2013. ‘LIBE Committee Vote Backs New EU Data Protection Rules’. 22 October. Available at <>

-. 2014. ‘Making the most of the data-driven economy’. Press release issued on 2 July. Available at <>

-. 2014a. ‘Towards a Thriving Data-Driven Economy’. Available at <>

-. 2014b. ‘Digital Single Market: Brining Down Barriers to Unlock Online Opportunities’. Available at <>

-. 2014c. ‘Progress on EU Data Protection Reform Now Irreversible Following European Parliament Vote’, 12 March. Available at <>.

-. 2015. ‘Data Protection Final Agreement: Questions and Answers’. Available at <> accessed 11 January 2016.

-2015a. ‘A Digital Single Market for Europe: Commission Sets out 16 Initiatives to Make It Happen’. Press release issued on 6 May. Available at < >.

-. 2016. ‘The European Single Market’. Available at <>.

(EDRi). European Digital Rights. 2015. The Activist Guide to the Brussels Maze 2.0. Available at <>.

(EU) European Union. 1995. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Available at <>.

-. 2002. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). Available at <>.

-. 2009. Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services. Available at <>.

(EU) European Union 2014. Debate in Council. 4 December. Available at <>.

-. 2016.Q&A: new EU rules on data protection put the citizen back in the driving seat: Facts and Figures.Available at <>.

-2016a. ‘Data Protection Reform – Parliament Approves New Rules Fit for the Digital Era’. Available at <>.

-2016b. ‘Regulation (EU) 2016/… of the European Parliament and of the Council of on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)’. Available at <>.

Faulkner, A., Lange, B. and C. Lawless. 2012. ‘Introduction: Material Worlds: Intersection of Law, Science, Technology, and Society’, Journal of Law and Society, 39(1): 1-19.

(FTC) Federal Trade Commission. 2014. Data Brokers: A Call for Transparency and Accountability. Washington, DC. Available at, accessed 3 June 2014.

Gillespie, T. 2014. ‘The Relevance of Algorithms’, pp. 167-194 in Gillespie et al (eds.) Media Technologies: Essays on Communication, Materiality, and Society. Cambridge, MA: MIT Press.

Hustinx, P. 2012. ‘Foreword’, pp.xi-xiii in Kuschewsky, M. (ed.) Data Protection & Privacy: Jurisdictional Comparisons. The European Lawyer. 

(ISPD) Industry Coalition for Data Protection. 2013. “Industry Concerned Over Negative Impact of Albrecht Draft Report’. Available at <>, accessed 29 July 2015.

Jasanoff, S. 1995. Science at the Bar. Harvard University Press.

-. 2005. Design on Nature: Science and Democracy in Europe and the United States. Princeton University Press.

-. 2012. Science and Public Reason. New York: Routledge.

Knorr Cetina, K. 2005. ‘How Are Global Markets Global? The Architecture of a Flow World’, pp. 38-61 in K. Knorr Cetina and A. Preda (eds.) The Sociology of Financial Markets. Oxford: Oxford University Press.

Knorr Cetina, K. and B. Grimpe. 2008. “Global Financial Technologies: Scoping Systems That Rise the World”, pp. 161-190 in T. Pinch and R. Swedberg (eds.) Living in a Material World: Economic Sociology Meets Science and Technology Studies. Cambridge, MA: MIT Press.   

Latour, B. 2002. ‘Morality and Technology: The End of the Means’, Theory, Culture & Society, 19(5/6): 247-260.

-. 2005. Reassembling the Social. Oxford: Oxford University Press.

-. 2010. The Making of Law: An Ethnography of the Conseil d’Etat. Cambridge, MA: polity.

Lessig, L. 2006. Code: Version 2.0. NY: Basic Books.

Levy-Abegnoli, J. 2015. ‘No EU Data Protection Deal “Before End of Year”: Rapporteur on the EU data protection regulation says parliament and council are “heading in two different directions”’. The Parliament Magazine. 8 January. Avaiable at <>.

Likosky, M. (ed.) 2002. Transnational Legal Processes: Globalisation and Power Disparities. London: Butterworths, LexisNexis.

MacKenzie, A. 2012. ‘More Parts than Elements: How Databases Multiply’, Environment and Planning D: Society and Space, 30: 335-350

MacKenzie, A. and R. McNally. 2013. ‘Living Multiples: How Large-Scale Scientific Data-mining Pursues Identity and Differences’, Theory, Culture & Society, 30(4): 72-91

MacKenzie, D. 2009. Material Markets: How Economic Agents Are Constructed. Oxford University Press.

MacKenzie D. and JP. Pardo-Guerra. 2014. ‘Insurgent Capitalism: Island, Bricolage and the Re-Making of Finance’, Economy and Society, 43(2):153-182.

Milyaeva, S. 2014. ‘Tipping the Balance: Russian Legal Culture and Cash-Settled Derivatives’, Journal of Cultural Economy, 7(2): 209-225.

Milyaeva, S. and D. Neyland. 2015. ‘Is Privacy the Future of Online Marketing?’ Available at

Milyaeva S. and D. Neyland. 2016. ‘Market Innovation as Framing, Productive Friction and Bricolage: An Exploration of the Personal Data Market’, Journal of Cultural Economy, DOI: 10.1080/17530350.2015.1135473

Muniesa, F. 2008. ‘Trading-Room Telephones and the Indication of Counterparts’, pp. 291-313 in T. Pinch and R. Swedberg (eds.) Living in a Material World: Economic Sociology Meets Science and Technology Studies. Cambridge, MA: MIT Press.   

Neyland, D. 2014. ‘On Organizing Algorithms’, Theory, Culture & Society, ??

-. 2016. ‘Bearing Account-Able Witness to the Ethical Algorithmic System’, Science, Technology & Human Values, 41(1): 50-76

(OECD) Organisation for Economic Co-operation and Development. 2015. Data-Driven Innovation: Big Data for Growth and Well-Being. OECD Publishing. Paris. Available at

(PCEU) The Presidency of the Council of the European Union/ Luxembourg (2015). ‘ “Data Protection” Package: A Historic Agreement’. Available at, accessed 11 January 2016.

Posner, R. 1978. ‘The Right of Privacy’, Georgia Law Review, 12(3): 393-422

-.1981. ‘The Economics of Privacy’, American Economic Review, 71(2): 405-409

Preda, A. 2006. ‘Socio-Technical Agency in Financial Markets: The Case of the Stock Ticker’, Social Studies of Science, 36(5): 753-782.

-. 2008. ‘Technology, Agency, and Financial Price Data’, pp. 217-252 in T. Pinch and R. Swedberg (eds.) Living in a Material World: Economic Sociology Meets Science and Technology Studies. Cambridge, MA: MIT Press.   

Reding, V. 2012. ‘Foreword’, pp. vii-viii in Kuschewsky, M. (ed.) Data Protection & Privacy: Jurisdictional Comparisons. The European Lawyer. 

-. 2013. Press Conference with Vivian Reding, Vice President & Commissioner, Justice, Fundamental Rights and Citizenship, European Commission. World Economic Forum. Available at < >

Riles, A. 2011. Collateral Knowledge: Legal reasoning in the Global Financial Markets. Chicago University Press.

Rotella, P. 2012. ‘Is Data the New Oil?’, Forbes, 2 April, available at, accessed 12 April 2014.

Ruppert, E. 2012. ‘The Governmental Topologies of Database Devices’, Theory, Culture & Society, 29(4/5): 116-136.

Ruppert, E., Law, J. and Savage, M. 2013. ‘Reassembling Social Science Methods: The Challenge of Digital Devices’, Theory, Culture & Society, 30(4): 22-46.

Stupp, C. 2016. ‘Parliament Approves Privacy Rules After Record Number of Amendments’. 14 April. Available at <>

(UK) UK Parliament. 2012. The Parliamentary Under-Secretary of State for Justice (Mrs Helen Grant). Data Protection. Justice. Written Ministerial Statements. Parliamentary Business. House of Commons. 22 November. Available at <>, accessed 29 July 2015.

(US CC) US Chamber of Commerce. 2013. The Economic Importance of Getting Data Protection Right. Available at <>

-. 2016. ‘Mission Statement’. Available at <>

Zwick, D. and Dholakia, N. 2001. ‘Contrasting European and American Approaches to Privacy in Electronic Markets: Property Right versus Civil Right’, Electronic Markets, Vol. 11(2): 116-120