Abstract

Traditionally, Europe stands out as the region where data protection regulation is strongest throughout the world. With its General Data Protection Regulation (GDPR), the European Union in 2016 updated its claim for leadership in this policy realm by adopting measures which better meet the challenges of digitalisation. The main interest of this paper is whether three intensely debated emerging norms in the regulation have been driven by the supranational institutions or by single or groups of member states who acted as norm entrepreneurs. Therefore, we trace the decision-making process leading to the GDPR. We conclude that the new regulation provides more support for supranational norm promotion, while we see little evidence for norm entrepreneurship by member states.