Now that @WolfieChristl was so kind to share my research I thought that I would try to sum up my dissertation in a few (read many) tweets. You can find the dissertation here: https://helda.helsinki.fi/handle/10138/305981 (1/x)

First of all, I would like to say that my work owes a great deal to @opendatacity and @maxschrems. Their meticulous categorization of MEP amendments and publication of leaked position papers is a fantastic resource for anyone interested in how interest groups operate. (2/x)

You can find their amazing work on http://Lobbyplag.eu . I don’t think anyone has ever done as much to make a legislative process visible to the public as they did. (3/x)

My own research had two goals: one, to figure out to what extent the EU institutions’ versions of the GDPR corresponded to lobbyist output, and two, what this means for the democratic legitimacy of the process (4/x)

To do this, I went back to the Commission’s online consultations on data protection from 2009 & 2011. They are offline now, but before you could download all papers submitted in two consultations: 477 to be exact (excluding citizens). If anyone wants them, I have them (5/x)

Among other things, I found this little gem by the UK’s Ministry of Justice: “The UK’s experience is that both enhanced security and privacy can be achieved at the same time ... (6/x)

... and that the responsible use of data by law enforcement authorities and better data protection are not opposing objectives” (7/x)

(I think that it is deeply troubling that governments participate like this in public consultations. The goal with public consultations is to increase diversity & representation (ideally) from groups that do not have prioritized access to legislative processes.) (8/x)

If EU politicians are at all worried about the democratic deficit of the EU (as they should be), I think they should stop doing this (9/x).

A couple of words about the consultations. Consistent with earlier research, business interests dominated. No surprises there. But while there were no representatives from some member states, a wide variety of US business networks and firms submitted their views. (10x)

But do you know how the Commission reports nationality? They look at were these associations are registered. So naturally AmCham EU is Belgian. AmCham Spain is Spanish (see http://ec.europa.eu/information_society/newsroom/image/document/2016-32/countryoforigineprivacyconsultation_16718.jpg) (11/x)

I decided to do things a bit differently and look to where the HQ was based. The result? 20 US position papers in the first, 30 in the second. In an EU public consultation. How many from Slovakia, Slovenia, Romania, Lithuania? 0. (12/x)

Nevertheless, looking at public consultations only says so much. Participation might be uneven, but what does it say about the actual impact different lobbyists have on the output? (13/x)

To address the question of influence, I looked at the proposals put forth by the lobbyists and compared them to the policy output of the Commission, the Parliament, the Council and the final GDPR. I’ll try to summarize. (14/x)

The Commission, I found, was not too accommodating of business concerns. Instead, they listened to DPAs and civil society. Right to be forgotten and data portability? BEUC, in 2009. Privacy by default? BEUC and WP29. (15/x)

Some business frames did creep in though. The problem of “notification fatigue”, mentioned in the Commission’s 2012 proposal? Raised by the BBC, Nokia, CBI and Microsoft in 2011. (16/x)

Now the Parliament. As pointed out by others, MEPs were highly susceptible to lobbyist influence before June 2013. MEPs from different committees and different parties submitted the exact same amendments, which corresponded to lobbyist proposals. (17/x)

Interestingly, if we look at Lobbyplag’s analysis, MEPs on the left (here I include Greens, but that’s another debate) copy amendments from civil rights groups and MEPs on the right copy from amendments suggested by multinational corporations (especially EPP and ECR) (18/x)

But then @Snowden came forth. Privacy activists used this window of opportunity strategically, and the ship was turned. The Parliament’s first reading was actually more aligned with privacy activists’ positions. @JanAlbrecht role cannot be overstated (19/x)

However, the revelations would have less of an impact on the Council. In many cases, the Council sided with multinational corporations and undermined citizen rights. Moreover, a range of national exceptions were inserted, effectively punctuating the harmonized approach (20/x).

Most importantly, the Council’s position prevailed in most cases. The Council was far more successful than the Parliament in advancing its suggestions to the final GDPR (21/x)

Why don’t we have explicit consent in art 6? The Council. Why do we have the risk-based approach to data breaches? The Council. Weaker data minimization principle? The Council. (22/x)

In sum, the institutionalized inclusion of lobbyists in the early stages of the GDPR’s process did not overly upset the balance of interests and disproportionally favour corporate interests. Rather, legitimacy issues emerged later on. (23/x)

I think we are seeing the same tendencies in the ePrivacy Regulation’s legislative process. Someone should write a PhD dissertation about that process. Any takers? (24/END).