MECM90002 · Global Data Policy And Governance
The European Union Approach
The EU anchors one end of the course’s regulatory spectrum: a rights-based, citizen-centred model in which protecting the individual is the starting point, not an afterthought to the market. Lecture 7 frames the EU as a “Regulatory Superpower” that “puts people first” and exports its rules to the world. The heart of the model is the data subject and a catalogue of enforceable rights — GDPR Chapter 3, Articles 12–23 (transparency, access, rectification, the ‘right to be forgotten’, portability, objection, limits on automated decisions) — matched by accountability obligations on the controller and processor. Beyond GDPR sits an expanding rulebook: the DSA (platforms and content), the DMA (gatekeepers), and the EU AI Act (four risk tiers). The model’s reach travels via the Brussels effect and is proven by real enforcement (Google Spain; large data-transfer fines). The EU is the reference point every other region is measured against — the cleanest contrast is the single fact that the US still has no federal data-protection law (Cervi, 2022).
What this chapter covers
- 01 The EU as 'Regulatory Superpower' and the citizen-AND-consumer framing
- 02 Three 'Europes' and how an EU law is made
- 03 Rights of the data subject — GDPR Chapter 3, Arts 12–23
- 04 Controller / processor / DPO and 'accountability'
- 05 The Snowden hinge — why the EU went this way
- 06 The expanding rulebook: DSA, DMA (gatekeepers), the EU AI Act
- 07 The Brussels effect (Art 3) and the enforcement record
- 08 Using the EU model in your essay or case study
Worked example: assign the roles, then reach for a right + an article
- +1 Name the philosophy first. Open with the framing — the EU as a rights-based ‘Regulatory Superpower’ treating the citizen-AND-consumer as the unit of protection. This signals you understand the logic, not just the laws.
- +1 Assign the roles. The user is the data subject; the search engine is the data controller (this was the holding in Google Spain, 2014); ask whether a DPO is required.
- +1 Reach for a right + an article. Tie the facts to Art 17 (erasure — the ‘right to be forgotten’) rather than gesturing at ‘privacy’ in the abstract.
- +1 Balance it. The right is not absolute — Google Spain balanced erasure against public interest in access to information. State the balancing test.
- +1 Test for the Brussels effect. Ask whether Art 3 reaches the actor (the ‘inextricably linked’ processing logic) — this is where you show the model travels beyond the EU’s borders.
- +1 Bring enforcement evidence + a critical edge. Cite a real fine to prove the regime bites, then add Ranchordas’ exclusion point so the analysis is not one-sided.
Key terms
- Data subject: The identified or identifiable individual whose personal data is processed — the unit of protection in the EU model. GDPR Chapter 3 (Arts 12–23) gives the data subject a catalogue of enforceable rights, the feature that most distinguishes the EU from the US (which has no equivalent federal list).
- Right to be forgotten (Art 17): The GDPR right to demand deletion of one’s personal data in defined circumstances. Established in practice by Google Spain (2014), where the court ruled the search engine a data controller and balanced erasure against the public interest in access to information. It is the famous member of the Arts 12–23 grid.
- Controller / processor / DPO: The obligation side of GDPR. The controller determines the purposes of processing and bears accountability; the processor acts on its behalf; a Data Protection Officer (DPO) must be appointed in defined cases. ‘Accountability’ means firms must demonstrate compliance, not merely assert it — the burden of proof sits with the company.
- The Brussels effect: The EU’s ability to export its rules worldwide: because GDPR Art 3 reaches any firm processing EU residents’ data, global companies often apply the EU standard everywhere. It is the mechanism behind the EU’s ‘Regulatory Superpower’ status — a national/regional rule that goes global.
- DMA gatekeepers: Under the Digital Markets Act (2024), the largest platforms providing core services are designated ‘gatekeepers’ (turnover/market-cap and user thresholds) and made subject to asymmetric ex-ante duties — allow interoperability and data access, but no self-preferencing, no blocking uninstalls, no ad-tracking without consent. It codifies the old case-by-case competition fights into standing rules.
The European Union Approach FAQ
Why is the EU treated as the course's reference point?
Because every other region is partly defined by how far it sits from Brussels. The EU is the clearest rights-based pole: it wrote enforceable individual rights into binding law and exported them. Cervi (2022) supplies the single sharpest contrast — the EU exported data-protection law to four continents while the US still has no federal data-protection law. Build comparisons around that asymmetry.
What is the difference between GDPR and the DSA / DMA / AI Act?
GDPR governs personal data and the rights of the data subject. The DSA governs online intermediaries and content (transparency, appeal rights, strict rules for ‘Very Large Online Platforms’). The DMA governs ‘gatekeepers’ and competition (asymmetric do’s and don’ts). The EU AI Act governs AI systems by four risk tiers. Together they are the EU’s expanding digital rulebook — know what each one targets.
Why did the EU adopt such a strict regime?
Partly principle, partly politics. The lecture flags the ‘Snowden hinge’: after the 2013 mass-surveillance disclosures, US business lobbyists lost influence in Brussels, clearing the path for a tougher European regime — ‘along comes Mr Snowden and everything goes into a tailspin.’ The political-economy point is that regulation is shaped by events and power, not just by values.
Is the rights-based model beyond criticism because it protects people?
No — and saying so earns marks. Glazunova and Ranchordas (2018) flag that the EU merges the citizen with the consumer, a neoliberal construct that can be ‘problematic’ and that ‘excludes citizens who are less tech-savvy.’ A strong answer states the model’s strengths and then adds this critical edge, so the analysis is not one-sided.
Exam move
Don’t summarise the EU model — operationalise it. Learn the move: name the philosophy (rights-based superpower), assign the roles (data subject / controller / processor / DPO), reach for a specific right and article (Art 17 erasure, Art 20 portability), test the Brussels effect via Art 3, and bring an enforcement case as evidence. Keep one comparative fact loaded at all times — the EU exported data law to four continents while the US has no federal law (Cervi) — because the cleanest essay structure contrasts EU rights-based regulation against US market-based self-regulation. Always finish with a critical edge (Ranchordas’ exclusion point) so the analysis argues rather than describes.