University of Melbourne · S1 2026 · FACULTY OF ARTS & HUMANITIES

MECM90002 · Global Data Policy And Governance

50% final exam · hurdle · 14 Chapters · 4-page Bible
Chapter 3 of 8 · MECM90002

The European Union Approach

The EU anchors one end of the course’s regulatory spectrum: a rights-based, citizen-centred model in which protecting the individual is the starting point, not an afterthought to the market. Lecture 7 frames the EU as a “Regulatory Superpower” that “puts people first” and exports its rules to the world. The heart of the model is the data subject and a catalogue of enforceable rights — GDPR Chapter 3, Articles 12–23 (transparency, access, rectification, the ‘right to be forgotten’, portability, objection, limits on automated decisions) — matched by accountability obligations on the controller and processor. Beyond GDPR sits an expanding rulebook: the DSA (platforms and content), the DMA (gatekeepers), and the EU AI Act (four risk tiers). The model’s reach travels via the Brussels effect and is proven by real enforcement (Google Spain; large data-transfer fines). The EU is the reference point every other region is measured against — the cleanest contrast is the single fact that the US still has no federal data-protection law (Cervi, 2022).

In this chapter

What this chapter covers

  • 01 The EU as 'Regulatory Superpower' and the citizen-AND-consumer framing
  • 02 Three 'Europes' and how an EU law is made
  • 03 Rights of the data subject — GDPR Chapter 3, Arts 12–23
  • 04 Controller / processor / DPO and 'accountability'
  • 05 The Snowden hinge — why the EU went this way
  • 06 The expanding rulebook: DSA, DMA (gatekeepers), the EU AI Act
  • 07 The Brussels effect (Art 3) and the enforcement record
  • 08 Using the EU model in your essay or case study
Worked example

Worked example: assign the roles, then reach for a right + an article

Q [6 marks]. A user asks a search engine to delist an old, lawful news article about them. Using the EU model, frame the analysis: assign the roles, name the right and article, and test whether the regime actually reaches the actor.
  • +1 Name the philosophy first. Open with the framing — the EU as a rights-based ‘Regulatory Superpower’ treating the citizen-AND-consumer as the unit of protection. This signals you understand the logic, not just the laws.
  • +1 Assign the roles. The user is the data subject; the search engine is the data controller (this was the holding in Google Spain, 2014); ask whether a DPO is required.
  • +1 Reach for a right + an article. Tie the facts to Art 17 (erasure — the ‘right to be forgotten’) rather than gesturing at ‘privacy’ in the abstract.
  • +1 Balance it. The right is not absolute — Google Spain balanced erasure against public interest in access to information. State the balancing test.
  • +1 Test for the Brussels effect. Ask whether Art 3 reaches the actor (the ‘inextricably linked’ processing logic) — this is where you show the model travels beyond the EU’s borders.
  • +1 Bring enforcement evidence + a critical edge. Cite a real fine to prove the regime bites, then add Ranchordas’ exclusion point so the analysis is not one-sided.

Frame it as a rights-based analysis: the data subject invokes Art 17 erasure against the search engine as data controller (Google Spain), the right is balanced against public-interest access, Art 3 extends the reach extraterritorially (the Brussels effect), and real fines prove the regime bites — tempered by the citizen/consumer critique.
Glossary

Key terms

Data subject
The identified or identifiable individual whose personal data is processed — the unit of protection in the EU model. GDPR Chapter 3 (Arts 12–23) gives the data subject a catalogue of enforceable rights, the feature that most distinguishes the EU from the US (which has no equivalent federal list).
Right to be forgotten (Art 17)
The GDPR right to demand deletion of one’s personal data in defined circumstances. Established in practice by Google Spain (2014), where the court ruled the search engine a data controller and balanced erasure against the public interest in access to information. It is the famous member of the Arts 12–23 grid.
Controller / processor / DPO
The obligation side of GDPR. The controller determines the purposes of processing and bears accountability; the processor acts on its behalf; a Data Protection Officer (DPO) must be appointed in defined cases. ‘Accountability’ means firms must demonstrate compliance, not merely assert it — the burden of proof sits with the company.
The Brussels effect
The EU’s ability to export its rules worldwide: because GDPR Art 3 reaches any firm processing EU residents’ data, global companies often apply the EU standard everywhere. It is the mechanism behind the EU’s ‘Regulatory Superpower’ status — a national/regional rule that goes global.
DMA gatekeepers
Under the Digital Markets Act (2024), the largest platforms providing core services are designated ‘gatekeepers’ (turnover/market-cap and user thresholds) and made subject to asymmetric ex-ante duties — allow interoperability and data access, but no self-preferencing, no blocking uninstalls, no ad-tracking without consent. It codifies the old case-by-case competition fights into standing rules.
FAQ

The European Union Approach FAQ

Why is the EU treated as the course's reference point?

Because every other region is partly defined by how far it sits from Brussels. The EU is the clearest rights-based pole: it wrote enforceable individual rights into binding law and exported them. Cervi (2022) supplies the single sharpest contrast — the EU exported data-protection law to four continents while the US still has no federal data-protection law. Build comparisons around that asymmetry.

What is the difference between GDPR and the DSA / DMA / AI Act?

GDPR governs personal data and the rights of the data subject. The DSA governs online intermediaries and content (transparency, appeal rights, strict rules for ‘Very Large Online Platforms’). The DMA governs ‘gatekeepers’ and competition (asymmetric do’s and don’ts). The EU AI Act governs AI systems by four risk tiers. Together they are the EU’s expanding digital rulebook — know what each one targets.

Why did the EU adopt such a strict regime?

Partly principle, partly politics. The lecture flags the ‘Snowden hinge’: after the 2013 mass-surveillance disclosures, US business lobbyists lost influence in Brussels, clearing the path for a tougher European regime — ‘along comes Mr Snowden and everything goes into a tailspin.’ The political-economy point is that regulation is shaped by events and power, not just by values.

Is the rights-based model beyond criticism because it protects people?

No — and saying so earns marks. Glazunova and Ranchordas (2018) flag that the EU merges the citizen with the consumer, a neoliberal construct that can be ‘problematic’ and that ‘excludes citizens who are less tech-savvy.’ A strong answer states the model’s strengths and then adds this critical edge, so the analysis is not one-sided.

Study strategy

Exam move

Don’t summarise the EU model — operationalise it. Learn the move: name the philosophy (rights-based superpower), assign the roles (data subject / controller / processor / DPO), reach for a specific right and article (Art 17 erasure, Art 20 portability), test the Brussels effect via Art 3, and bring an enforcement case as evidence. Keep one comparative fact loaded at all times — the EU exported data law to four continents while the US has no federal law (Cervi) — because the cleanest essay structure contrasts EU rights-based regulation against US market-based self-regulation. Always finish with a critical edge (Ranchordas’ exclusion point) so the analysis argues rather than describes.
