Book review: Elaine Fahey, The EU as a Global Digital Actor: Institutionalising Global Data Protection, Trade, and Cybersecurity. Oxford: Hart Publishing, 2022. xxiii + 230 pages. ISBN: 9781509957040

The rapid and complex evolution of digital technologies makes regulatory efforts quickly outdated. While some regulators strive to keep up, others take a more cautious approach, refraining from regulating. The European Union (EU) has been a proactive digital regulator, assuming a leading role over the years in setting global standards for data regulation. It has become not only a powerful rule-setter but also a global norm exporter. Through multilateral, bilateral, and unilateral means, the EU exerts a significant influence on legal orders of third countries, especially those with a weaker regulatory framework, actually triggering a reshaping of third countries’ domestic legal frameworks to fit the EU’s standards. The ‘Brussels effect’ is particularly maximised through the EU’s model agreements with increasingly extensive EU law-centered clauses and carve-outs in data protection and privacy.
Elaine Fahey, in her book The EU as a Global Digital Actor: Institutionalising Global Data Protection, Trade, and Cybersecurity’, provides a comprehensive examination of the EU’s growing role in shaping global digital governance. It delves into the EU’s strategies for institutionalising high standards in data protection, digital trade, and cybersecurity, and positioning itself as a pivotal actor on the international stage. In doing so, Fahey offers a nuanced discussion of the challenges the EU faces in this endeavor, particularly as it seeks to balance its ambitious regulatory agenda with the diverse legal and geopolitical contexts of its international partners. This research builds upon Fahey’s earlier works that have advanced the understanding of the EU’s global actorness. Notably, her previously published edited volume ‘Framing Convergence with the Global Legal Order’ examined global convergence through multilateralism, regionalism, bilateralism, and unilateralism across a wide range of fields. The recent monograph focuses more narrowly on the EU’s global influence in the digital domain.
A central concept of the book is ‘institutionalisation’, defined as ‘the process by which an organisation become increasingly subject to rules, procedures and stable practices’. According to Fahey, institutionalisation, as part of the EU’s ethos, has been extensively studied across various fields of the EU’s action. However, it appears that the EU’s growing institutionalisation within the digital domain has not yet received sufficient scholarly attention. In examining the EU’s expansive ambitions in the digital realm through regulatory actions, this book opens up and broadens this field of research. Also, through the lens of institutionalisation, Fahey deeply engages with current academic critiques of EU protectionism and the shift towards digital sovereignty.
The first three chapters of the book analyse different facets of the EU’s actorness in the digital realm. In particular, Chapter 1 ‘EU as a Global Digital Actor’ explores the EU’s proactive stance in promoting high standards for data flows on the global stage. The author discusses how the EU employs its regulatory framework to encourage convergence among international partners, effectively setting benchmarks for data protection. According to Fahey, this approach not only safeguards privacy but also solidifies the EU’s position as a leader in global data governance.
Chapter 2 ‘EU as a Digital Trade Actor’ focuses on the EU’s role in digital trade, highlighting its efforts to integrate stringent data protection measures within the emerging framework of digital trade governance. The EU operates within a highly fragmented global environment characterised by diverse national and regional regimes regulating data flows in digital trade. The chapter critically examines the current ‘outsider’ role of the World Trade Organization (WTO) in establishing a coherent international framework for digital trade. The WTO’s limited influence has prompted major global actors, such as the United States (US), the EU, and China, to internationalise their own digital trade rules. Whereas some global actors tend to prioritise human rights standards in digital trade, others focus rather on economic interests. This may pose a potential threat to the integrity of the broader international human rights framework. Fahey’s fair critique of the WTO echoes the widely held academic consensus on the urgent need to reform the organisation to better address contemporary global challenges.
In Chapter 3 ‘EU as a Cyber Actor: The Evlolving Architecture of EU Cyber Law: Beyong Weak Institutionalisation’, Elaine Fahey delves into the EU’s initiatives in cybersecurity, exploring the development and implementation of comprehensive cyber laws. She discusses the institutional frameworks designed to address cyber threats and enhance resilience across member states. Notably, the introduction of cyber sanctions demonstrates an advancement of the cybersecurity regulatory framework and realisation of EU technological sovereignty. While cybersecurity in digital trade is still an emerging framework, it is already permeating various trade agreements concluded by the EU.
The concluding three chapters adopt a case study approach to analyse the EU’s interactions with major global partners—the US, Japan, and China. These chapters critically examine methodologies and comparative approaches to institutionalising data in areas such as data protection, trade, and cybersecurity. They provide theoretical insights and analyse the EU’s influence in the digital realm mainly through bilateral cooperation.
In particular, Chapter 4 ‘On the Transatlantic Divide: Beyond Weak Institutionalisation’ focuses on the longstanding collaboration between the EU and the US, particularly in terms of data flows in civil and criminal fields. It explores the complexities of the transatlantic data regulations as well as the challenges they pose in achieving strong institutional frameworks. The author highlights the ongoing efforts to bridge regulatory differences and enhance cooperation between these two powerful global actors. This chapter accurately captures the current dynamics in EU-US relations, which could potentially lead to wider institutionalisation.
In Chapter 5 ‘East Asia Convergence: EU-Japan Relations and Data’, author examines the EU’s partnership with Japan which is regarded as ‘one of the world’s largest safe flow of data regimes’, and particularly known for aligning data protection standards. Elaine Fahey discusses the mutual recognition of data protection frameworks and the establishment of mechanisms facilitating data flows (digital trade) between the two economies. Whereas convergence of legal norms and standards is significant, this process does not necessarily occur through the institutionalisation. Consequently, the level of institutionalisation in EU-Japan relations on data can be characterised as limited.
The final Chapter 6 ‘East Asian Reverse Convergence? EU-China Relations’ addresses the EU’s intricate relationship with China in terms of digital policies. Elaine Fahey explores the challenges in reconciling differing approaches to data protection and cybersecurity. China’s current engagement with EU on trade and security can be characterised as distinctly ‘law-light’ and ‘institution-light’. However, recent domestic legal developments, such as the introduction of a civil code, could potentially alter this dynamic, according to Fahey. Nonetheless, the impact of these tendencies on the national regulatory data framework and overall engagement with EU data law remains to be seen.
This monograph is notable for its interdisciplinary approach, which integrates perspectives from different fields such as law, international relations, sociology, political economy, and global governance. Fahey’s expertise in EU law and transatlantic relations enriches the analysis, offering readers a deep understanding of the complexities involved in the EU’s external digital policies. Her critical examination of the EU’s global actorness in data protection, trade, and cybersecurity is both timely and relevant, given the increasing importance of digital governance in international relations. Fahey’s conceptual framework of institutionalisation is particularly relevant when examining the EU’s emerging regulatory approaches to artificial intelligence (AI). The EU has been proactive in developing a regulatory framework for AI. Notably, the EU’s Artificial Intelligence Act, introduced in 2024, is the first-ever legal framework on AI in the world. While this regulatory initiative sets unified AI governance standards within the EU, scholars anticipate its implications globally, thereby reinforcing the ‘Brussels effect’. Therefore, this book offers a robust conceptual framework to further advance this research field.
To conclude, this book ‘The EU as a Global Digital Actor: Institutionalising Global Data Protection, Trade, and Cybersecurity’ is a significant contribution to both the literature on EU external relations and to scholarly work on digital governance. Fahey’s thorough analysis and insightful perspectives make this book an essential read for scholars, policymakers, and practitioners interested in understanding the EU’s influence in shaping global digital norms and standards.