The European Union General Data Protection Regulation

Drawing inspiration from the European Union’s large-scale data privacy and digital rights regulation: the General Data Protection Regulation (GDPR)

By Reece Iriye

How can collective values and shared norms be leveraged in the cyber domain? One of the most influential data protection agreements in existence, with an impact beyond its regional jurisdiction, might hold some answers.

This chapter explores how the European Union’s General Data Protection Regulation or GDPR leveraged a bedrock of shared cultural ideas around data in order to achieve a ripple effect globally. It offers an understanding of how norms become standards of behavior, and that formal legislation can be most meaningful if it relies on existing social and institutional norms.

This case study is part of the recently released report, Advancing Accountability in Cyberspace: Models, Mechanisms, and Multistakeholder Approaches

Introduction

Consumer data collection has skyrocketed in the past decade, enabling companies to enhance their products through targeted advertising and personalized services. This increase in sensitive data processing has provided valuable insights for product innovation and user experience optimization, but it has also raised concerns about the invasion of privacy.1 Steve Mast, “Council Post: Data Collection: The Good, the Bad and the Ugly,” Forbes, December 10, 2021, https://www.forbes.com/sites/forbestechcouncil/2020/06/24/data-collection-the-good-the-bad-and-the-ugly/?sh=2964e46f45fa. European Union (EU) citizens and regulators have responded by establishing the strongest and most impactful legal framework enforcing data protection standards to date, the General Data Protection Regulation (GDPR).2 Ben Wolford, “What is GDPR, the EU’s new data protection law?”, https://gdpr.eu/what-is-gdpr/, GDPR.eu is cofunded by the Horizon 2020 Framework Programme of the European Union and operated by Proton AG, 2024.

Deconstructing the Mechanism

The GDPR outlines a series of guidelines for organizations that process data belonging to individuals located in the EU. Organizations based both inside and outside the EU are subject to GDPR guidelines if they collect or process personal data belonging to any individual located in the EU, regardless of that individual’s nationality or residence.3 Matthias Artzt, “Territorial Scope of the GDPR from a US Perspective,” https://iapp.org/news/a/territorial-scope-of-the-gdpr-from-a-us-perspective/, International Association of Privacy Professionals (IAPP), 26 June 2018. These standards are designed to give individuals in the EU greater control over their personal data by holding organizations accountable for the ways in which they process that data. Key provisions of the GDPR include requirements for organizations to obtain explicit consent from individuals located in the EU and to process their data only for the indicated purposes; to allow individuals to request that their personal data be deleted from the organization’s records; and to notify individuals and the relevant authorities within 72 hours of a data breach that puts consumers’ personal data at risk.

Each member state of the EU appoints its own Data Protection Authority (DPA) with the power to investigate GDPR infringements, interact with organizations to resolve noncompliance, and impose fines for violations.4 The GDPR. Articles 51-59. The provisions for DPA appointments grant each member state the autonomy to choose its DPA through a transparent process led by its parliament, government, head of state, or an independent body defined by national legislation.5 The GDPR. Articles 51-59.

Member states have the option to nominate a single person as the DPA for their state, or to designate a committee for data protection with a principal supervisor. For example, Ireland’s Data Protection Commission (DPC) and France’s Commission Nationale de l’Informatique et des Libertés (CNIL) both serve as committees, whereas Austria and Bulgaria employ individual DPAs for GDPR enforcement.6 “Our Members | European Data Protection Board.” European Data Protection Board, 8 Nov. 2023, edpb.europa.eu/about-edpb/about-edpb/members_en#:~:text=Austria%0A%0A%23%23%23%23%20%C3%96sterreichische%20Datenschutzbeh%C3%B6rde%0A%0ABarichgasse%2040,Acting%20Commissioner.

Ireland’s DPC is large and is the primary authority enforcing GDPR provisions against violations by several major U.S. technology companies.7 Irish Council for Civil Liberties, https://www.iccl.ie/wp-content/uploads/2023/05/5-years-GDPR-crisis.pdf, 2023 DPA Report. The GDPR entrusts DPAs with the authority to address complaints from data subjects or representative bodies and organizations, and to conduct investigations into GDPR compliance.8 The GDPR. Articles 57(f) and 57(h).

DPAs have the capacity to impose financial sanctions on companies they find in violation of GDPR guidelines. Organizations that violate the GDPR can receive penalties of up to 4% of their global annual revenue or €20 million, whichever value is greater.9 The GDPR. Articles 57(f) and 57(h). In addition, the GDPR provides a “one-stop-shop mechanism,” which centralizes decision-making for cross-border cases in a single lead DPA, located where the company is legally established.10 Joe Jones, “Practical considerations from EU enforcement: One-stop shop” https://iapp.org/resources/article/practical-considerations-eu-enforcement-pt2/#:~:text=The%20one,most%20of%20its%20processing%20activities, International Association of Privacy Professionals (IAPP), February 2023.

Over 2,100 GDPR fines had been issued as of December 2023, surpassing €4.4 billion in total.11 Cameron McKenna LLP (CMS), “GDPR Enforcement Tracker,” last modified December 1, 2023, www.enforcementtracker.com/. The five largest fines account for nearly two-thirds of that total, reflecting the substantial financial repercussions for the most significant breaches of the GDPR.12 Ibid.

Table 1: Summary of the top 10 GDPR fines in descending order (highest to lowest amount) as of December 23, 2023.13 www.enforcementtracker.com

The data in Table 1 demonstrates a significant trend: larger GDPR fines are predominantly levied against major technology companies. Large fines against these companies showcase how size and market influence do not exempt them from the reach of GDPR enforcement.

Meta and its subsidiaries, for example, received six of the 10 largest GDPR fines as of December 2023 according to Table 1. In Meta’s case, as with many major technology companies, the revenue model relies heavily on ad targeting and content recommendation algorithms driven by users’ personal data. Because of their multi-billion-dollar valuations, the fines levied against the major technology companies featured in Table 1 generally function as operational expenses rather than as influential steps toward changing how they process personal data.

GDPR fines can be burdensome for newer, smaller businesses that lack the resources of their larger counterparts and are not the focus of media attention for data misuse. Former EU Commissioner for Justice Viviane Reding, who first proposed the GDPR in 2012 and was a chief architect of its development, identified the disproportionate effect that fines have on smaller companies in an interview in May 2021:

For a regulator, it’s easier to control the local football club than a worldwide company. We should leave the local football club alone and focus on the real troublemakers… The enforcement against systematic stealing of data for commercial or political purposes is somehow not so strong.14 Vincent Manancourt, “EU privacy law’s chief architect calls for its overhaul”, https://www.politico.eu/article/eu-privacy-laws-chief-architect-calls-for-its-overhaul/#:~:text=May%2025%2C%202021%206%3A30%20am,after%20it%20came%20into%20force, Politico, May 25 2021.

Despite the GDPR’s intention to centralize enforcement in the one-stop-shop mechanism, in practice it leaves Ireland and Luxembourg DPAs responsible for holding most Silicon Valley tech giants accountable.15 Vincent Manancourt, “EU privacy law’s chief architect calls for its overhaul”, https://www.politico.eu/article/eu-privacy-laws-chief-architect-calls-for-its-overhaul/#:~:text=May%2025%2C%202021%206%3A30%20am,after%20it%20came%20into%20force, Politico, May 25 2021.

Ireland in particular has been criticized for its leniency in handling GDPR violations. In Ireland, 87% of cross-border GDPR complaints involve major technology companies.16 Irish Council for Civil Liberties, https://www.iccl.ie/wp-content/uploads/2023/05/5-years-GDPR-crisis.pdf, 2023 DPA Report. The Irish DPC resolved 46 of its 55 cross-border complaints from 2018 to 2022 through “amicable resolutions.”17 Ibid. This approach involves holding conversations with the organizations in question and proposing mutually agreeable solutions at the discretion of the Irish DPC.18 “Core role of Irish regulator in EU data protection cases highlighted,” https://www.pinsentmasons.com/out-law/news/core-role-of-irish-regulator-in-eu-data-protection-cases-highlighted, Pinsent Masons, March 17 2022. Most of Ireland’s cross-border complaints involve repeat offenders, highlighting how the Irish DPC consistently fails to comply with EDPB guidelines.19 “Guidelines 06/2022 on the practical implementation of amicable settlements,” https://edpb.europa.eu/system/files/2022-06/edpb_guidelines_202206_on_the_practical_implementation_of_amicable_settlements_en.pdf, European Data Protection Board (EDPB), Version 2.0 Adopted on 12 May 2022. Ireland’s continued reliance on amicable resolutions to close GDPR complaints thus indicates a systemic reluctance to enforce the GDPR with fines, as Reding and other EU policymakers envisioned.

Excluding cases resolved through amicable resolutions, the EDPB overrules 67% of the rulings made by the Irish DPC.20 Irish Council for Civil Liberties, https://www.iccl.ie/wp-content/uploads/2023/05/5-years-GDPR-crisis.pdf, 2023 DPA Report. This high degree of intervention by the EDPB in one-stop-shop cases highlights its commitment to firmer GDPR enforcement. However, the penalties administered remain modest. Of the 160 one-stop-shop cases evaluated by the EDPB, only 29 have resulted in fines, and 63% of cases were concluded with nothing more than a reprimand from the enforcing body.21 Ibid. This minimal enforcement in practice suggests that even the EDPB’s oversight does not always translate into punitive action. Stronger cross-border enforcement mechanisms have been proposed, and some are being implemented to better coordinate enforcement actions.22 Some updates to the GDPR have occurred or are forthcoming; see: “Data protection: Commission adopts new rules to ensure stronger enforcement of the GDPR in cross-border cases,” 4 July 2023, European Commission, https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3609 and “Coordinated Enforcement Framework,” European Data Protection Board (EDPB), https://www.edpb.europa.eu/coordinated-enforcement-framework-programme_en, 2024.

Nevertheless, the GDPR has had a noticeable impact on how organizations process personal data across the world. A significant portion of its international influence can be attributed to the “Brussels Effect,” named after the capital of Belgium where the EU’s main institutions are located. The Brussels Effect refers to the EU’s de facto regulation of companies that operate across multiple global markets: by establishing policies that bind anyone doing business in the EU, it reaches actors that are based elsewhere.23 Bradford, Anu, The Brussels Effect: How the European Union Rules the World (New York, 2020; online edn, Oxford Academic, 19 Dec. 2019), https://doi.org/10.1093/oso/9780190088583.001.0001. With 27 member states, the EU carries considerable weight in the global economy.

Businesses worldwide that leverage consumer data must follow GDPR guidelines if they want to operate in the EU without reprimands. As a result, even countries outside the EU (e.g., Japan, Brazil, India, and the U.K.) have introduced and/or updated their data protection legislation to mirror the GDPR.24 Dan Simmons, “17 Countries with GDPR-like Data Privacy Laws.” Comforte blog. insights.comforte.com/countries-with-gdpr-like-data-privacy-laws#:~:text=Brazil%20%E2%80%93%20Brazil’s%20Lei%20Geral%20de,financial%20penalties%20for%20non%2Dcompliance. The U.K., for example, applied its version of the GDPR to fine TikTok Technology Unlimited in September 2023 for unlawfully processing the data of 1.4 million children under the age of 13.25 “TikTok Receives Significant GDPR Fine for Mishandling Children’s Data,” https://www.bdo.co.uk/en-gb/insights/advisory/risk-and-advisory-services/tiktok-receives-significant-gdpr-fine-for-mishandling-childrens-data#:~:text=The%20decision%20comes%20after%20TikTok,which%20you%20can%20read%20here, October 24 2023, Binder Dijker Otte (BDO) United Kingdom. While the United States had yet to adopt national data protection legislation like the GDPR as of December 2023, several U.S. states (California, Colorado, Connecticut, Utah, Virginia) have implemented laws that mirror aspects of the GDPR.26 Fredric Bellamy, “U.S. Data Privacy Laws to Enter New Era in 2023,” Reuters, January 12, 2023, www.reuters.com/legal/legalindustry/us-data-privacy-laws-enter-new-era-2023-2023-01-12/. Given the size of the EU market and the establishment of similar laws worldwide, countries and companies beyond the EU’s jurisdiction have found it necessary to adapt to GDPR standards, showcasing the legislation’s role as a de facto global standard for data protection.

Context

The GDPR was enacted in 2016 in place of its outdated predecessor, the 1995 Data Protection Directive (DPD).27 “Data Protection Law: An Overview.” 2019 Congressional Research Reports (Congressional Research Service, March 25), https://crsreports.congress.gov/product/pdf/R/R45631. The DPD’s jurisdiction to regulate data processing depended on two criteria:28 European Parliament and Council of the European Union. 1995. “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.” Official Journal of the European Communities, L 281: 31-50. (1) the organization has an “establishment” in a European Union member state, and (2) the organization processed EU citizens’ personal data within the context of its regular activities.29 de Hert, Paul, and Michal Czerniawski. 2016. “Expanding the European data protection scope beyond territory: Art. 3 of the General Data Protection Regulation in its wider context.” International Data Privacy Law, Vol. 6, no. 3: 230-243, https://doi.org/10.1093/idpl/ipw008. Pivotal court decisions such as C-230/14 Weltimmo, concerning the application of national data protection laws and applicable fines, drew criticism of the DPD’s vague definition of an “establishment” and highlighted the complexities and gaps within the directive.30 Paul de Hert, Michal Czerniawski, Expanding the European data protection scope beyond territory: Art. 3 of the General Data Protection Regulation in its wider context, International Data Privacy Law, Vol. 6, Issue 3, August 2016, 230–243, https://doi.org/10.1093/idpl/ipw008.

The DPD’s enforcement capacity fell short because of its nature as a directive.31 “Data Protection Law: An Overview,” 2019, Congressional Research Reports, Congressional Research Service, March 25, https://crsreports.congress.gov/product/pdf/R/R45631. Unlike EU regulations, which apply directly and uniformly across all member states, directives set goals that each member state must meet while leaving it free to decide how those goals will be met.32 USDA. “Difference between a Regulation, Directive and Decision.” USDA-EU. March 12, 2023. usda-eu.org/faq/difference-between-a-regulation-directive-and-decision/#:~:text=Regulations%20have%20binding%20legal%20force,in%20all%20the%20Member%20States.&text=Directives%20lay%20down%20certain%20results,transpose%20directives%20into%20national%20laws. Working from the goals set by the DPD, each member state implemented laws with different applications and enforcement procedures, causing disparities in data processing standards across the EU. In 2012, the European Commission (the EU’s leading executive body) recognized the fragmented implementation of data protection laws across EU member states as problematic, which led to a revision cycle on the DPD and eventually the formation of the GDPR.33 European Commission. “Commission Proposes a Comprehensive Reform of Data Protection Rules to Increase Users’ Control of Their Data and to Cut Costs for Businesses,” European Commission, January 25, 2012, ec.europa.eu/commission/presscorner/detail/en/IP_12_46.

Both the European Parliament and the Council of the European Union—which are responsible for adopting or rejecting proposed laws—evaluated the European Commission’s proposal during this process, leading to over 4,000 proposed changes.34 Wilhelm, Ernst-Oliver. “A Brief History of the General Data Protection Regulation (1981-2016),” The International Association of Privacy Professionals (IAPP), February 2016, iapp.org/resources/article/a-brief-history-of-the-general-data-protection-regulation/#:~:text=On%2012%20March%202014%3A%20The,10%20against%20and%2022%20abstentions.; https://european-union.europa.eu/institutions-law-budget/institutions-and-bodies/types-institutions-and-bodies_en#:~:text=In%20principle%2C%20the%20Commission%20proposes,the%20laws%20are%20properly%20applied; Pantlin, Nick, et al. “One Small Step for Europe; One Giant Leap for Data Protection?” Lexology, Herbert Smith Freehills LLP. July 31, 2015. www.lexology.com/library/detail.aspx?g=981b312b-3c22-4631-b7d9-a390952efac1. Firms in finance and retail, which handle large amounts of sensitive data and face high compliance costs, largely lobbied against the GDPR. In contrast, many firms, including those from the technology sector, showed overwhelming support for the GDPR, seeking to influence its final shape in their favor.35 Ece Özlem Atikcan and Adam William Chalmers, “Choosing Lobbying Sides: The General Data Protection Regulation of the European Union,” Journal of Public Policy (2019) 39, 543-564, September 26, 2018, doi:10.1017/S0143814X18000223. 

EU officials eventually decided to halt the ongoing conversations about the GDPR’s implementation. In January 2014, former European Commissioner for Justice Viviane Reding declared that the document was past the revision stage, and the EU would not be stalled in setting the norms for personal data usage.36 European Commission. “Speech: A Data Protection Compact for Europe,” European Commission, January 28, 2014, ec.europa.eu/commission/presscorner/detail/de/SPEECH_14_62.

She cited overwhelming concerns about high-profile data breaches and the lack of public trust in data processing by private and public actors as justifications for why the regulation must be implemented:

There has been a lot of hypocrisy in this debate. For instance, those who called for a high level of data protection in Europe, while simultaneously arguing that the Regulation should be replaced by a Directive. We have listened to these arguments for two years. Round and round in circles while, every day, the headlines have reminded us of why the reform is important. Discussions are mature. The text is ready. It is just a matter of political will.37 European Commission. “Speech: A Data Protection Compact for Europe.” European Commission. January 28, 2014. ec.europa.eu/commission/presscorner/detail/de/SPEECH_14_62.

In March 2014, following Reding’s speech, the progress on reforming EU data protection was affirmed and rendered irreversible by a European Parliament vote of 621 in favor, 10 against, and 22 abstentions, demonstrating overwhelming support for the regulation. The GDPR was then signed into law in 2016, giving organizations a two-year period to become GDPR-compliant before the regulation became enforceable in 2018. This timeline highlights the EU’s commitment to setting enforceable standards for people-first data protection laws.

Applicability to Cyber

As the GDPR represents one of the most far-reaching agreements on a data protection issue, understanding its history and impact is important for considering how norms can become standards of behavior. Although the regulation governs actors that obtain data lawfully, it defines new norms of acceptable behavior for data protection, and its enactment and enforcement provide a norm for the broader world, including states, businesses, and individuals.

The successful establishment of the GDPR stems from a foundation built on shared values regarding data privacy and the institutional authority of the European Parliament. These values are deeply rooted in historical contexts, such as the use of data in the 1930s by Nazi Germany to target Jewish people,38 Olivia B. Waxman, “The GDPR Is Just the Latest Example of Europe’s Caution on Privacy Rights. That Outlook Has a Disturbing History,” https://time.com/5290043/nazi-history-eu-data-privacy-gdpr/, Time, May 24 2018. and they are enshrined in the EU Charter of Fundamental Rights. The GDPR demonstrates how shared cultural and ethical values and norms can guide the creation of impactful legislation in other areas, such as cybersecurity and cybercrime. In addition, the GDPR showcases how dedication to enacting a policy within a specific region can cause a ripple effect across the world, setting global standards for a cyber issue. This global effect of regional policies continues in other legislative areas that the EU pursues as part of its broader EU Cybersecurity Strategy.39 “The Cybersecurity Strategy,” https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-strategy, June 7 2022. Note, for example, “The Digital Services Act,” https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/digital-services-act_en, European Commission, February 17 2024, and its effect on platform accountability; Anupam Chander, “When the Digital Services Act Goes Global” (2023), Georgetown Law Faculty Publications and Other Works, 2548, https://scholarship.law.georgetown.edu/facpub/2548.

Key Takeaways and Recommendations

1. Leaders are key drivers of agreements and can leverage common values.


2. Focusing regulation on activities and roles instead of items and technology, while also building in opportunities for review, enables continuous adaptation.

Modifying legal instruments can be a lengthy and tedious process. The GDPR underscores the importance of clear, precise, yet adaptable terminology in regulation. The regulation builds a foundation by clarifying terms that are fundamental to the framework, such as “collecting,” “processing,” and “data controllers,” and outlines clear guidelines for actors’ roles and responsibilities. This precise identification of actors and actions establishes clarity about who is responsible for what, including who can be investigated for GDPR infringements.

Since 2018, when the GDPR took effect, the need for more significant adaptation and iterative review cycles has become apparent. The realities of the market, including its evolution, must be acknowledged. The EU is thus adapting with some new initiatives, including on enforcement, as noted below.42 This is also true of other EU initiatives, e.g., Kelvin Chan and The Associated Press, “Tech’s 6 ‘gatekeepers’—including Amazon, Apple, Meta and Microsoft—are about to face heavy new scrutiny as Europe aims for ‘fairer’ digital markets,” https://fortune.com/europe/2024/03/06/tech-6-gatekeepers-amazon-apple-meta-google-tiktok-microsoft-dma-europe-fairer-digital-markets/, Fortune, March 6 2024; Jay Peters, “How the EU’s DMA is changing Big Tech: all of the news and updates,” https://www.theverge.com/24040543/eu-dma-digital-markets-act-big-tech-antitrust, The Verge, May 14 2024.

3. Centralized, uniform, and meaningful enforcement measures are crucial for managing major violations.

The transition from directive to regulation—with the DPD evolving into the GDPR—highlights the need for some uniformity in application. The transition also demonstrates how transformative regulatory policy can be, especially in the cyber domain where borders are not well defined. Policies can have far greater impact when multiple institutions operate under a single law and when penalties are structured for impact, such as fines based on company revenues. A uniform approach simplifies the regulatory landscape for companies operating in multiple countries and enhances the credibility and authority of the enforcement process.

However, the effectiveness of state enforcement under the one-stop-shop mechanism depends on collaboration and uniformity among nations in handling cases involving cross-border processing of personal data. Both the European Parliament and civil society organizations have frequently complained about the inconsistencies and inefficiencies that arise when individual countries follow their own national procedural regulations, including the potential for forum shopping.43 Martin Davies, “Two Ways to improve GDPR enforcement,” https://www.information-age.com/two-ways-to-improve-gdpr-enforcement-123510046/, Information Age, March 22 2024.44 “Data protection: Commission adopts new rules to ensure stronger enforcement of the GDPR in cross-border cases,” 4 July 2023, European Commission, https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3609; Nathan Eddy, “Europe Sees More Hacktivism, GDPR Echoes, and New Security Laws Ahead for 2024,” https://www.darkreading.com/cyber-risk/europe-hacktivism-gdpr-new-security-laws-ahead-2024, Dark Reading, December 26 2023. Note that additional discussions are expected after the June 2024 European parliamentary elections; Julia Tar, “EU Parliament votes to strengthen GDPR enforcement,” https://www.euractiv.com/section/data-privacy/news/eu-parliament-votes-to-strengthen-gdpr-enforcement/, Euractiv, April 11 2024. The EU’s upcoming procedural regulation, slated for consideration by Parliament in April 2024, aims to standardize and harmonize states’ disparate approaches.45 Luyten Katrien, “New procedural rules to strengthen GDPR enforcement in cross-border cases,” https://www.europarl.europa.eu/thinktank/en/document/EPRS_ATA(2024)760391, April 8 2024; Brito Bastos F, Pałka P., “Is Centralised General Data Protection Regulation Enforcement a Constitutional Necessity?”, European Constitutional Law Review, 2023;19(3):487-517. doi:10.1017/S1574019623000202. Likewise, international cybersecurity norms and laws would benefit from a more systematized mechanism that facilitates cross-border cooperation among states, organizations, and experts to address cyber threats more effectively.

4. Supranational organizations like the EU (and like-minded states) are key change-makers and can leverage their global influence.

Regional frameworks and like-minded states working together may offer more value than global approaches when agreement on shared values and institutions exists. As demonstrated by the Brussels Effect, the EU’s influence in the global economy positions supranational organizations as pivotal changemakers in the realm of cyber regulation. The EU’s considerable size and market power grant it the capability to set global standards as many companies outside Europe find it necessary to comply with GDPR guidelines to maintain access to the EU market. The EU’s influence in the cyber domain highlights the significant role that supranational organizations and like-minded states can play in shaping global digital policies, particularly in areas where private actors frequently operate and cross-border interactions regularly occur.

The EU’s significant strides in defining its digital future may well inspire others to consider similar approaches.46 “A Europe fit for the digital age,” https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age_en, European Commission, February 21 2024. As the EU builds out the operational aspects of its forthcoming Cyber Solidarity Act,47 “Commission welcomes political agreement on Cyber Solidarity Act,” https://ec.europa.eu/commission/presscorner/detail/en/ip_24_1332, European Commission, March 6 2024. which includes a Cybersecurity Incident Review Mechanism,48 See “The EU Cyber Solidarity Act,” https://digital-strategy.ec.europa.eu/en/policies/cyber-solidarity, European Commission, March 6 2024, and the proposed regulation at “Proposed Regulation on the Cyber Solidarity Act,” https://digital-strategy.ec.europa.eu/en/library/proposed-regulation-cyber-solidarity-act, European Commission, April 20 2023. the EU should consider how its information-sharing mechanism, including standardized documentation and review procedures for incidents, might be adapted for use by other entities. Consistent international reporting frameworks would help with international data collection, risk assessment and management, and support for norms, international law, and accountability. Integration into the broader EU Cyber Diplomacy Toolbox and into other efforts would help better define efforts that could involve other stakeholders in technical and political attribution and accountability.49 The European Union Agency for Cybersecurity (ENISA) promotes best practices for linking the tactical, operational, and strategic levels and for appropriate information sharing (https://www.enisa.europa.eu/publications/best-practices-for-cyber-crisis-management), and in the EU’s Diplomatic Toolbox (see Section 4 on sharing with stakeholders and Section 5 on attribution) and the Foreign Information Manipulation and Interference Toolbox (https://www.eeas.europa.eu/eeas/tackling-disinformation-foreign-information-manipulation-interference_en#45330), the European Union External Action Service has already outlined some types of incident information that could be shared and ways of sharing it that could be better systematized. See also: Erica Moret and Patryk Pawlak, “The EU Cyber Diplomacy Toolbox: towards a cyber sanctions regime?”, https://ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/resources/docs/EUISS-Brief_24_Cyber_sanctions.pdf, EU Institute for Security Studies (EUISS), July 2017.

The larger Council of Europe, with 46 member states, successfully ratified the Budapest Convention on Cybercrime in 2004.50 The principles of the Convention drew many like-minded states to be parties. In contrast, the UN’s recently proposed international treaty on cybercrime has stalled primarily over differing values placed on concerns for human rights protections.51 How broader international agreements can develop via the work of regional organizations and like-minded states is also evidenced by the Council of Europe’s successful recent work in developing a framework convention on artificial intelligence and then sharing its work, including its risks and impact assessments, through the Organization for Security and Cooperation in Europe and with the African Union.52

The UN Secretary-General has suggested the need for a new mechanism for attribution to hold states to account, while the Organisation for Economic Co-operation and Development (OECD) in its research also noted the need for a new attribution mechanism to address cybercrime.53 Frameworks for technical, legal, and political attribution have been suggested as states are asking for more guidance.54

Notes

  • 1
    Steve Mast, “Council Post: Data Collection: The Good, the Bad and the Ugly,” Forbes, December 10, 2021, https://www.forbes.com/sites/forbestechcouncil/2020/06/24/data-collection-the-good-the-bad-and-the-ugly/?sh=2964e46f45fa.
  • 2
    Ben Wolford, “What is GDPR, the EU’s new data protection law?”, https://gdpr.eu/what-is-gdpr/, GDPR.eu is cofunded by the Horizon 2020 Framework Programme of the European Union and operated by Proton AG, 2024.
  • 3
    Matthias Artzt, “Territorial Scope of the GDPR from a US Perspective,” https://iapp.org/news/a/territorial-scope-of-the-gdpr-from-a-us-perspective/, International Association of Privacy Professionals (IAPP), 26 June 2018.
  • 4
    The GDPR. Articles 51-59.
  • 5
    The GDPR. Articles 51-59.
  • 6
    “Our Members | European Data Protection Board.” European Data Protection Board, 8 Nov. 2023, edpb.europa.eu/about-edpb/about-edpb/members_en#:~:text=Austria%0A%0A%23%23%23%23%20%C3%96sterreichische%20Datenschutzbeh%C3%B6rde%0A%0ABarichgasse%2040,Acting%20Commissioner.
  • 7
    Irish Council for Civil Liberties, https://www.iccl.ie/wp-content/uploads/2023/05/5-years-GDPR-crisis.pdf, 2023 DPA Report.
  • 8
    The GDPR. Articles 57(f) and 57(h).
  • 9
    The GDPR. Articles 57(f) and 57(h).
  • 10
    Joe Jones, “Practical considerations from EU enforcement: One-stop shop” https://iapp.org/resources/article/practical-considerations-eu-enforcement-pt2/#:~:text=The%20one,most%20of%20its%20processing%20activities, International Association of Privacy Professionals (IAPP), February 2023.
  • 11
    Cameron McKenna LLP (CMS), “GDPR Enforcement Tracker,” last modified December 1, 2023, www.enforcementtracker.com/.
  • 12
    Ibid.
  • 13
    www.enforcementtracker.com
  • 14
    Vincent Manancourt, “EU privacy law’s chief architect calls for its overhaul”, https://www.politico.eu/article/eu-privacy-laws-chief-architect-calls-for-its-overhaul/#:~:text=May%2025%2C%202021%206%3A30%20am,after%20it%20came%20into%20force, Politico, May 25 2021.
  • 15
    Vincent Manancourt, “EU privacy law’s chief architect calls for its overhaul”, https://www.politico.eu/article/eu-privacy-laws-chief-architect-calls-for-its-overhaul/#:~:text=May%2025%2C%202021%206%3A30%20am,after%20it%20came%20into%20force, Politico, May 25 2021.
  • 16
    Irish Council for Civil Liberties, https://www.iccl.ie/wp-content/uploads/2023/05/5-years-GDPR-crisis.pdf, 2023 DPA Report.
  • 17
    Ibid.
  • 18
    “Core role of Irish regulator in EU data protection cases highlighted,” https://www.pinsentmasons.com/out-law/news/core-role-of-irish-regulator-in-eu-data-protection-cases-highlighted, Pinsent Masons, March 17 2022.
  • 19
    “Guidelines 06/2022 on the practical implementation of amicable settlements,” https://edpb.europa.eu/system/files/2022-06/edpb_guidelines_202206_on_the_practical_implementation_of_amicable_settlements_en.pdf, European Data Protection Board (EDPB), Version 2.0 Adopted on 12 May 2022.
  • 20
    Irish Council for Civil Liberties, https://www.iccl.ie/wp-content/uploads/2023/05/5-years-GDPR-crisis.pdf, 2023 DPA Report.
  • 21
    Ibid.
  • 22
    Some updates to the GDPR have occurred/are forthcoming, see: “Data protection: Commission adopts new rules to ensure stronger enforcement of the GDPR in cross-border cases,” 4 July 2023, European Commission, https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3609 and “Coordinated Enforcement Framework,” European Data Protection Board (EDPB), https://www.edpb.europa.eu/coordinated-enforcement-framework-programme_en, 2024.
  • 23
    Bradford, Anu, The Brussels Effect: How the European Union Rules the World (New York, 2020; online edn, Oxford Academic, 19 Dec. 2019), https://doi.org/10.1093/oso/9780190088583.001.0001.
  • 24
    Dan Simmons, “17 Countries with GDPR-like Data Privacy Laws,” Comforte blog, insights.comforte.com/countries-with-gdpr-like-data-privacy-laws#:~:text=Brazil%20%E2%80%93%20Brazil’s%20Lei%20Geral%20de,financial%20penalties%20for%20non%2Dcompliance.
  • 25
    “TikTok Receives Significant GDPR Fine for Mishandling Children’s Data,” https://www.bdo.co.uk/en-gb/insights/advisory/risk-and-advisory-services/tiktok-receives-significant-gdpr-fine-for-mishandling-childrens-data#:~:text=The%20decision%20comes%20after%20TikTok,which%20you%20can%20read%20here, October 24 2023, Binder Dijker Otte (BDO) United Kingdom.
  • 26
    Fredric Bellamy, “Data Privacy Laws to Enter New Era in 2023,” Reuters, January 12, 2023, www.reuters.com/legal/legalindustry/us-data-privacy-laws-enter-new-era-2023-2023-01-12/.
  • 27
    “Data Protection Law: An Overview.” 2019 Congressional Research Reports (Congressional Research Service, March 25), https://crsreports.congress.gov/product/pdf/R/R45631.
  • 28
    European Parliament and Council of the European Union. 1995. “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.” Official Journal of the European Communities, L 281: 31-50.
  • 29
    de Hert, Paul, and Michal Czerniawski. 2016. “Expanding the European data protection scope beyond territory: Art. 3 of the General Data Protection Regulation in its wider context.” International Data Privacy Law, Vol. 6, no. 3: 230-243, https://doi.org/10.1093/idpl/ipw008.
  • 30
    Paul de Hert, Michal Czerniawski, Expanding the European data protection scope beyond territory: Art. 3 of the General Data Protection Regulation in its wider context, International Data Privacy Law, Vol. 6, Issue 3, August 2016, 230–243, https://doi.org/10.1093/idpl/ipw008.
  • 31
    “Data Protection Law: An Overview,” 2019, Congressional Research Reports, Congressional Research Service, March 25, https://crsreports.congress.gov/product/pdf/R/R45631.
  • 32
    USDA. “Difference between a Regulation, Directive and Decision.” USDA-EU. March 12, 2023. usda-eu.org/faq/difference-between-a-regulation-directive-and-decision/#:~:text=Regulations%20have%20binding%20legal%20force,in%20all%20the%20Member%20States.&text=Directives%20lay%20down%20certain%20results,transpose%20directives%20into%20national%20laws.
  • 33
    European Commission. “Commission Proposes a Comprehensive Reform of Data Protection Rules to Increase Users’ Control of Their Data and to Cut Costs for Businesses,” European Commission, January 25, 2012, ec.europa.eu/commission/presscorner/detail/en/IP_12_46.
  • 34
    Wilhelm, Ernst-Oliver. “A Brief History of the General Data Protection Regulation (1981-2016),” The International Association of Privacy Professionals (IAPP), February 2016, iapp.org/resources/article/a-brief-history-of-the-general-data-protection-regulation/#:~:text=On%2012%20March%202014%3A%20The,10%20against%20and%2022%20abstentions.; https://european-union.europa.eu/institutions-law-budget/institutions-and-bodies/types-institutions-and-bodies_en#:~:text=In%20principle%2C%20the%20Commission%20proposes,the%20laws%20are%20properly%20applied; Pantlin, Nick, et al. “One Small Step for Europe; One Giant Leap for Data Protection?” Lexology, Herbert Smith Freehills LLP. July 31, 2015. www.lexology.com/library/detail.aspx?g=981b312b-3c22-4631-b7d9-a390952efac1.
  • 35
    Ece Özlem Atikcan and Adam William Chalmers, “Choosing Lobbying Sides: The General Data Protection Regulation of the European Union,” Journal of Public Policy (2019) 39, 543-564, September 26, 2018, doi:10.1017/S0143814X18000223. 
  • 36
    European Commission. “Speech: A Data Protection Compact for Europe,” European Commission, January 28, 2014, ec.europa.eu/commission/presscorner/detail/de/SPEECH_14_62.
  • 37
    “Speech: A Data Protection Compact for Europe.” European Commission. January 28, 2014. ec.europa.eu/commission/presscorner/detail/de/SPEECH_14_62.
  • 38
    Olivia B. Waxman, “The GDPR Is Just the Latest Example of Europe’s Caution on Privacy Rights. That Outlook Has a Disturbing History,” https://time.com/5290043/nazi-history-eu-data-privacy-gdpr/, Time, May 24 2018.
  • 39
    “The Cybersecurity Strategy,” https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-strategy, June 7 2022. Note, for example, “The Digital Services Act,” https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/digital-services-act_en, European Commission, February 17 2024, and its effect on platform accountability. Anupam Chander, “When the Digital Services Act Goes Global” (2023), Georgetown Law Faculty Publications and Other Works, 2548, https://scholarship.law.georgetown.edu/facpub/2548.
  • 40
    Olivia B. Waxman, “The GDPR Is Just the Latest Example of Europe’s Caution on Privacy Rights. That Outlook Has a Disturbing History,” https://time.com/5290043/nazi-history-eu-data-privacy-gdpr/, Time, May 24 2018.
  • 41
    “The Cybersecurity Strategy,” https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-strategy, June 7 2022. Note, for example, “The Digital Services Act,” https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/digital-services-act_en, European Commission, February 17 2024, and its effect on platform accountability. Anupam Chander, “When the Digital Services Act Goes Global” (2023), Georgetown Law Faculty Publications and Other Works, 2548, https://scholarship.law.georgetown.edu/facpub/2548.
  • 42
    This is also true in other EU initiatives, e.g., Kelvin Chan and The Associated Press, “Tech’s 6 ‘gatekeepers’—including Amazon, Apple, Meta and Microsoft—are about to face heavy new scrutiny as Europe aims for ‘fairer’ digital markets,” https://fortune.com/europe/2024/03/06/tech-6-gatekeepers-amazon-apple-meta-google-tiktok-microsoft-dma-europe-fairer-digital-markets/, Fortune, March 6 2024; Jay Peters, “How the EU’s DMA is changing Big Tech: all of the news and updates,” https://www.theverge.com/24040543/eu-dma-digital-markets-act-big-tech-antitrust, The Verge, May 14 2024.
  • 43
    Martin Davies, “Two Ways to improve GDPR enforcement,” https://www.information-age.com/two-ways-to-improve-gdpr-enforcement-123510046/, Information Age, March 22 2024.
  • 44
    “Data protection: Commission adopts new rules to ensure stronger enforcement of the GDPR in cross-border cases,” 4 July 2023, European Commission, https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3609; Nathan Eddy, “Europe Sees More Hacktivism, GDPR Echoes, and New Security Laws Ahead for 2024,” https://www.darkreading.com/cyber-risk/europe-hacktivism-gdpr-new-security-laws-ahead-2024, Dark Reading, December 26 2023. Note that additional discussions are expected after June 2024 European parliamentary elections, Julia Tar, “EU Parliament votes to strengthen GDPR enforcement,” https://www.euractiv.com/section/data-privacy/news/eu-parliament-votes-to-strengthen-gdpr-enforcement/, Euractiv, April 11 2024.
  • 45
    Luyten Katrien, “New procedural rules to strengthen GDPR enforcement in cross-border cases,” https://www.europarl.europa.eu/thinktank/en/document/EPRS_ATA(2024)760391, April 8 2024; Brito Bastos F, Pałka P., “Is Centralised General Data Protection Regulation Enforcement a Constitutional Necessity?”, European Constitutional Law Review, 2023;19(3):487-517. doi:10.1017/S1574019623000202.
  • 46
    “A Europe fit for the digital age,” https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age_en, European Commission, February 21 2024.
  • 47
    “Commission welcomes political agreement on Cyber Solidarity Act,” https://ec.europa.eu/commission/presscorner/detail/en/ip_24_1332, European Commission, March 6 2024.
  • 48
    See “The EU Cyber Solidarity Act,” https://digital-strategy.ec.europa.eu/en/policies/cyber-solidarity, European Commission, March 6 2024, and the proposed regulation at “Proposed Regulation on the Cyber Solidarity Act,” https://digital-strategy.ec.europa.eu/en/library/proposed-regulation-cyber-solidarity-act, European Commission, April 20 2023.
  • 49
    As the European Union Agency for Cybersecurity (ENISA) promotes best practices in terms of linking the tactical, operational, and strategic levels and appropriate information sharing (https://www.enisa.europa.eu/publications/best-practices-for-cyber-crisis-management), the EU’s Diplomatic Toolbox (See Section 4. 21 on sharing with stakeholders and Section 5 on attribution) and Foreign Information Manipulation and Interference Toolbox (https://www.eeas.europa.eu/eeas/tackling-disinformation-foreign-information-manipulation-interference_en#45330), European Union External Action has already outlined some types of and ways that incident information could be shared and could be better systematized. See also: Erica Moret and Patryk Pawlak, “The EU Cyber Diplomacy Toolbox: towards a cyber sanctions regime?”, https://ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/resources/docs/EUISS-Brief_24_Cyber_sanctions.pdf, EU Institute for Security Studies (EUISS), July 2017.
  • 50
    “The Budapest Convention (ETS No. 185) and its Protocols,” https://www.coe.int/en/web/cybercrime/the-budapest-convention, Council of Europe. See U.S. ratification document here: “Convention Between the UNITED STATES OF AMERICA and OTHER GOVERNMENTS,” https://www.state.gov/wp-content/uploads/2019/02/13174-Mulitlateral-Law-Enforcement-Cybersecurity-11.23.2001.pdf, November 23 2001, and EU backgrounder on it here: https://eur-lex.europa.eu/EN/legal-content/summary/convention-on-cybercrime.html, EUR-Lex, November 28 2023.
  • 51
    Maya Jimenez, “Civil Society Warns of ‘Critical Gaps’ in UN’s Draft Cybercrime Treaty,” https://www.voanews.com/a/civil-society-warns-of-critical-gaps-in-un-s-draft-cybercrime-treaty-/7485917.html, Voices of America (VOA) English News, February 13 2024.
  • 52
    “Presentation of the Council of Europe’s activities on Artificial Intelligence (AI) during the OECD – African Union AI Dialogue,” https://www.coe.int/en/web/artificial-intelligence/-/presentation-of-the-council-of-europe-s-activities-on-artificial-intelligence-ai-during-the-oecd-african-union-ai-dialogue, Council of Europe, March 5-6 2024.
  • 53
    UN Secretary-General, “Our Common Agenda: A New Agenda for Peace,” United Nations, Policy Brief 9, July 2023, https://www.un.org/sites/un2.un.org/files/our-common-agenda-policy-brief-new-agenda-for-peace-en.pdf; see page 275 for a summary in: https://read.oecd-ilibrary.org/economics/emerging-risks-in-the-21st-century/conclusions-and-recommendations_9789264101227-8-en#page20.
  • 54
    “Side Event: A Taxonomy of Malicious ICT Incidents,” https://unidir.org/events/side-event-taxonomy-malicious-ict-incidents; United Nations Institute for Disarmament Research (UNIDIR), July 6 2022; Dennis Broeders, Els De Busser, and Patryk Pawlak, “Three tales of attribution in cyberspace. Criminal law, international law and policy debates,” https://www.universiteitleiden.nl/en/research/research-output/governance-and-global-affairs/three-tales-of-attribution-in-cyberspace.-criminal-law-international-law-and-policy-debates, Universiteit Leiden, April 7 2020; See Christina Rupp & Dr. Alexandra Paulus, “Official Public Political Attribution of Cyber Operations,” https://www.stiftung-nv.de/sites/default/files/official-public-political-attribution-of-cyber-operations.pdf, October 2023, for a framework with states noting the need for more discussion/guidance on attribution, 64.