The ‘Strasbourg Effect’ on data protection in light of the ‘Brussels Effect’: Logic, mechanics and prospects

This article considers various factors that will shape the potential effect of the Council of Europe’s modernised Convention on data protection (Convention 108+) on non-European states’ regulatory policy. It does so by elucidating the logic and mechanics of this effect in light of the ‘Brussels Effect’ that is commonly attributed, in part, to EU data protection law. The central arguments advanced in the article are that the impact of Convention 108+ beyond Europe will rest primarily on the Council of Europe’s ideational power tempered by processes of acculturation, and secondarily on the degree to which the EU is willing to use the ‘Brussels Effect’ as a vehicle for promoting non-European states’ accession to the Convention.


Introduction
When the Council of Europe (CoE) adopted its Convention on data protection in 1981 (Convention 108; hereinafter also 'C108'), 1 it did so predominantly in order to create harmonised standards for its own member states. Although the Conven-it went about drafting its modernised Convention on data protection (Convention 108+; hereinafter also 'C108+'). 4 Relative to its predecessor, C108+ was conceived with far greater thought to its potential global role and with far greater discussion by scholars and other policy entrepreneurs on the likelihood and desirability of the new instrument becoming a data protection treaty for the world.
This article considers various factors that will shape the potential effect of C108+ - and, by implication, other CoE instruments upon which C108+ is based - on non-European states' regulatory policy in the data protection field. The thrust of the article is directed not so much at making firm predictions about what that effect is likely to be but at elucidating the logic and mechanics of the Convention's potential extra-European impact. The overarching questions addressed herein are how and why C108+ might shape norm development in non-European regions. I describe this potential impact as part and parcel of the 'Strasbourg Effect' (SE) on data protection.
In terms of function, SE may take one or more forms. As Colin Bennett and Charles Raab point out, international agreements in the data protection field have had several overlapping functions: (i) 'instruments of harmonization'; (ii) 'templates' for states to fashion their own data protection regimes; (iii) 'exemplars, producing a progressive and inexorable desire to be within the community of nations that has adopted data protection legislation'; and (iv) 'penetrative force' (i.e. instruments of coercion). 5 For reasons provided further on in the article, the impact of C108+ (at least if considered on its own) could fill the first three-listed functions, but not the last one, as has also been the case with C108.
In terms of visibility, the primary manifestation of SE with respect to C108+ would obviously be accession to the modernised Convention by non-European states. Yet the effect could manifest itself in a variety of other ways also, again as has occurred with C108. For example, it could manifest itself by non-European states using C108+ norms as sources of inspiration when developing domestic legislation or 'soft law' codes (i.e. recommendations, guidelines, and the like). Alternatively, it could manifest itself by intergovernmental or regional organisations with non-European members applying these norms as benchmarks for their own hard or soft law instruments.
As intimated above, the Strasbourg Effect on data protection did not begin with the adoption of C108+. Ever since the 1970s, the CoE has been enormously influential in shaping regulatory discourse in the field, primarily within Europe but also beyond. This influence has been fundamentally treaty-based, and it has drawn upon ideational power flowing from the inherent regulatory appeal of the CoE's data protection vision. The logic and mechanics of this influence are analysed in greater detail in Section 3.
Over the last decade, though, much of the dominant narrative seeking to explain the spread of data protection norms across the globe has focused on the role played by the European Union (EU) rather than the CoE. This narrative has tended to be summed up in terms of the 'Brussels Effect' (BE). The 'Brussels Effect' (BE) is a term coined by Anu Bradford in 2012, 6 and further elaborated by her in 2015 7 and 2020. 8 It is a variation on the 'California Effect' theme first presented by David Vogel in 1995 as a counter-narrative to arguments that globalisation brings on an overall relaxation of regulatory standards or a 'race-to-the-bottom' (otherwise often termed the 'Delaware Effect'). 9 In summary, Vogel's thesis is that certain legislative standards for consumer and environmental protection developed for large, stringently regulated markets in rich nations are disseminated to other nations, often through corporate take-up of those standards. This leads to an overall ratcheting up of protection levels. Bradford's notion of the 'Brussels Effect' focuses on a subset of these processes, more specifically, the way(s) in which relatively strict EU rules have shaped policy development in areas outside Europe, leading to 'Europeanisation' of numerous norms across the globe. This effect is measured not just in terms of legislative change, but also in terms of what corporate boardrooms around the world view as the 'gold standard' to guide or otherwise shape their behaviour. The field of data protection is commonly seen as an example par excellence of this effect, with both the former Data Protection Directive 1995 (DPD) 10 and its successor, the General Data Protection Regulation 2016 (GDPR), 11 cast in the lead roles.
On its own, however, the BE narrative does not tell the full story behind the 'Europeanisation' of data protection norms across the world - for reasons made clear further on in the article. A major shortcoming is the narrative's failure to consider the workings of SE in any significant detail. An aim of this article is to describe these workings so as to arrive at a more complete explication for the transnational spread of data protection norms. One might query whether an article devoted to SE in the field of data protection need delve into the BE narrative. There are, though, several cogent reasons for doing so. First, Bradford's explication of BE serves as a useful framework and foil for considering the potential worldwide impact of C108+. By looking at the logic and mechanics of BE, we can more easily tease out those of SE. Secondly, consideration of the potential worldwide impact of C108+ must inevitably take account of the global role played by other data protection instruments, particularly those that are the most internationally influential. Thirdly, BE is not simply a useful foil for teasing out SE dynamics; rather, the two processes are intertwined in multiple ways such that properly understanding the one cannot be accomplished without understanding the other. Hence, the article's analysis of the global ramifications of C108+ is undertaken primarily in light of the BE narrative concerning the diffusion of data protection norms.

6 Anu Bradford, 'The Brussels Effect' (2012)
The article's use of the phrase 'Strasbourg Effect' must be accompanied by some words of caution. While the article employs the phrase primarily with respect to data protection as opposed to the entirety of regulatory policy issues that fall within the CoE's remit, the phrase is not unique to the data protection field and has accordingly been employed in other contexts to denote somewhat different processes. For example, Lauri Mälksoo and Wolfgang Benedek employ the phrase to describe the impact of jurisprudence of the European Court of Human Rights (ECtHR) on the state of human rights protection in Russia, particularly in the period after Russia's accession to the CoE in 1996 and its ratification of the European Convention on Human Rights and Fundamental Freedoms (ECHR) in 1998. 12 Moreover, they employ their notion of 'Strasbourg Effect' in a more open-ended way than Bradford does with respect to BE: for them, the 'Strasbourg Effect' does not necessarily denote a process in which CoE ideals triumphantly 'colonise' Russian legal-political culture; it may also denote a process in which those ideals engender a counter-reaction that can ultimately weaken their grip. 13 Although the following discussion takes account of the possibility of a backlash to C108+ ideals, it employs the notion of SE in a similar fashion to Bradford's use of BE. In other words, SE refers herein to the acceptance (tacit or explicit) rather than rejection of C108+ (and other CoE codes upon which the Convention builds) by countries that are not CoE member states.
As indicated above, in addition to examining the logic and mechanics of SE, the article studies the logic and mechanics of BE in order to gain proper understanding of the former. Section 2 of the article therefore elaborates on the workings of BE. It first presents Bradford's explication of BE in a broader historical context, then briefly critiques its accuracy with respect to data protection. Section 3 compares BE mechanics with the logic and workings of SE, while Section 4 considers SE prospects in light of the comparative findings in the preceding section. Section 5 concludes.

12 Lauri Mälksoo and Wolfgang Benedek (eds), Russia and the European Court of Human Rights (Cambridge University Press 2017). The term 'Strasbourg Effect' is therein used as a counterpoint to the 'Helsinki Effect', which was coined to describe the impact of the Helsinki Final Act 1975 on the Soviet Union: see generally Daniel C Thomas, The Helsinki Effect: International Norms, Human Rights, and the Demise of Communism (Princeton University Press 2001).
13 Lauri Mälksoo, 'Introduction: Russia, Strasbourg, and the paradox of a human rights backlash' in Mälksoo and Benedek (n 12) 24.
The article attempts to take due account of Realpolitik yet also draws upon the 'constructivist' lineage in International Relations (IR) scholarship. This lineage focuses on explaining the actions of states as social actors swayed and partly constituted by idea(l)s and not simply concern for economic or geopolitical power. 14 In particular, the article draws upon the work of Ryan Goodman and Derek Jinks on inter-state 'socialisation', more specifically their analysis of how states influence other states through processes of persuasion and acculturation. 15 Inspired partly by their work, the article argues that these processes will be of relatively large importance for generating a sizeable SE (see Sections 3 and 4).

The 'Brussels Effect' revisited
To understand properly Bradford's conception of BE as an explanation for the global spread of European data protection norms, it is useful first to summarise older explanations for this development. These are explanations upon which Bradford's analysis directly or implicitly builds.
Early scholarship on the spread of data protection standards around the world was reluctant to adopt any one explanatory theory for the diffusion, nor was it primarily preoccupied with 'Europeanisation' of these standards. Colin Bennett's seminal exploration of transnational regulatory trends in the field through the 1970s and 1980s found extensive transnational convergence with respect to data protection laws' core principles, but considerable divergence with respect to the monitoring and enforcement regimes that the laws established. 16 Bennett canvassed five hypotheses for the convergence: (1) similarity of perceived technological threats, which forced policy makers to adopt similar solutions; (2) the desire on the part of policy makers to draw lessons from, and emulate, policies adopted earlier in other countries; (3) agreement amongst a small, cross-national network of experts as to appropriate data protection policy; (4) harmonisation efforts of international organisations, particularly the CoE and the Organisation for Economic Co-operation and Development (OECD); and (5) 'penetration' (a process in which countries are forced to adopt certain policies because of the actions of other countries). 17 In a nuanced analysis, Bennett found that none of these hypotheses on its own adequately explained the policy convergence but that they had considerable explanatory utility in combination with each other. Similarly, Bennett found that no one theory or hypothesis sufficed to explain national divergence in how these principles were implemented. 18 Nonetheless, he predicted that the forces of convergence were likely to strengthen in the long run. 19 He further predicted that 'the dominant force for most countries is likely to be a penetrative one'. 20

Both predictions proved fairly accurate. Over the almost three decades since Bennett's study, we have witnessed a remarkable expansion in the number of countries adopting data protection laws, with the overwhelming bulk of these following, to a considerable degree, the European model as manifest in the DPD and C108. Graham Greenleaf, who has closely charted this development, notes that 'something reasonably described as "European standard" data protection laws are becoming the norm in most parts of the world with data privacy laws'. 21 In this process, the differences between countries' respective monitoring and enforcement regimes have also decreased, though not entirely disappeared. Moreover, the 'Europeanisation' of data protection norms across large tracts of the world has been largely penetrative (in Bennett's sense). The 'adequacy' requirements for non-European countries' data protection regimes under Articles 25-26 DPD and, more recently, Articles 44-49 GDPR, 22 combined with relatively expansive rules on the territorial application of EU data protection law under Article 4 DPD and, more recently, Article 3 GDPR, 23 have played important roles in this regard. 24 Over the last four to five years, the GDPR's strengthened sanctions regime, particularly under Article 83 GDPR, 25 has as well. However, penetration has not been the sole factor behind this 'Europeanisation' process, for reasons described further on in this article.
Scholars seeking a deeper explanation of the predominance of European policy preferences in setting data protection standards in non-European regions tended initially to identify two main causes: on the one hand, the large size and international attractiveness of the EU's internal market and, on the other hand, the EU's special preoccupation with maintaining high levels of data protection. We see this exemplified in the work of Jack Goldsmith and Tim Wu who claimed that the EU's international traction in this arena has been the result of an 'unusual combination of Europe's enormous market power and its unusual concern for its citizens' privacy'. 26

Later scholarship seized upon 'regulatory capacity' as another decisive factor. The work of Abraham Newman and David Bach is central here. 27 While agreeing with prevalent views in IR that state power is partly a function of market size, 28 Newman and Bach contended that the large and attractive scale of the EU's internal market is a necessary but insufficient condition for the EU's international regulatory clout; equally important is the EU's superior 'regulatory capacity'. By 'regulatory capacity' is meant 'the capacity to develop, coordinate, and implement market rules'. 29 This capacity has 'at a minimum' three dimensions: (i) expertise (i.e. 'policy-makers' ability to identify regulatory challenges, develop policy solutions, implement them, and provide competent monitoring'); (ii) coherence (i.e. clear articulation of regulatory requirements); and (iii) statutory authority to punish non-compliance with rules. 30 The basic thesis of Newman and Bach is that the EU's regulatory capacity is a byproduct of the rise of the 'regulatory state' constructed by the EU to foster and oversee realisation of its internal market. The institutions comprising that 'state' also furnish the EU with the requisite capacity to 'translate' market size into regulatory influence beyond Europe. In short, 'Europe's ability to promote its preferred policies internationally depends centrally on its internal regulatory institutions'. 31 These comprise not just the EU's main institutions, such as the European Commission, Parliament, and Council, but also the pan-European network of national data protection authorities (DPAs) which have been able collectively to punch well beyond their individual weight and whose strong advocacy of data protection interests has been crucial at particular junctures in strengthening EU law and policy in the field. 32

Bradford's work on the 'Brussels Effect' builds on the above thesis but attempts to provide a more elaborate theory as to how and why this 'Europeanisation' of norms plays out. 33 Bradford describes BE as a process of 'unilateral regulatory globalization'. By this she means a process whereby a state or group of states 'is able to externalize its laws and regulations outside its borders through market mechanisms, resulting in the globalization of standards'. 34

Interestingly, while she references the work of Newman and Bach, she does not reference that of Goldsmith and Wu.
34 Bradford (n 6) 3.
35 Ibid, 4.
Concomitantly, in her view, BE is not predominantly the result of a conscious push from EU regulators to dominate the world, but a by-effect of their concern to establish an internal market that adheres to high standards of consumer and human rights protection 36 - a view implicitly shared by Goldsmith, Wu, Newman and Bach. At the same time, Bradford notes that '[e]xternalization of the single market also serves the bureaucratic interests of the European Commission and allows for the maximization of interest group support embracing corporations and consumer advocates alike'. 37

Like Goldsmith, Wu, Newman, Bach and many others, 38 Bradford identifies the existence of a large domestic consumer market that is relatively immobile 39 as a crucial precondition for BE (and unilateral regulatory globalisation more generally). 40 And like Newman and Bach, she identifies a high degree of regulatory capacity as another such precondition. On top of these factors, she adds two further preconditions: a high degree of 'regulatory propensity' (i.e. 'prevailing domestic preferences for strict regulatory standards and the predisposition to regulate inelastic targets') 41; and a situation where the benefits of adopting a uniform global standard outweigh the benefits of retaining diverse regulatory standards. 42 Elaborating on the latter precondition, Bradford states: 'global standards emerge only when corporations voluntarily opt to comply with a single standard determined by the most stringent regulator, making other regulators obsolete in the process. The exporter [i.e. a corporation seeking entry to the EU market] has an incentive to adopt a global standard whenever its production or conduct is nondivisible across different markets or when the benefits of a uniform standard due to scale economies exceed the costs of forgoing lower production costs in less regulated markets'. 43 According to Bradford, the non-divisibility factor tends to be present in the data protection field since markets for data and data services are typically difficult - technologically or economically - to segment along geopolitical lines. 44

It bears emphasis that Bradford recognises that the EU does not 'export' - or attempt to export - its standards solely through the mechanics of BE; the EU also pursues norm diffusion by other means, such as traditional multilateral treaty processes or representation in international industry standards setting bodies. See further Bradford (n 8) 71ff. The type of means will depend on the nature and agenda of the norms. Bradford notes, for instance, that in cases where the EU is motivated by a 'moral quest to change behaviour globally', it will tend to engage in 'treaty-driven harmonization': ibid, 89; Bradford (n 6) 47.
36 Bradford (n 6) 6, 35, 42.
37 Ibid, 35. Cf Bradford (n 8) 21ff (observing in recent years greater awareness by EU institutions of the extra-European impact of their policies and a greater push to promote their norms as global standards, but that 'external motivations seem to supplement, rather than substitute, the internal agenda of EU institutions, which remains paramount': 23).
38 E.g. Vogel and Kagan (n 9).
39 Bradford (n 6) 16-17 ('Unlike a regulatory target such as capital, which is more mobile, consumers rarely move to another jurisdiction in response to strict regulatory standards. Thus, as long as a firm willing to trade within the EU wants access to its 500 million consumers, it needs to comply with the EU's consumer protection regulations').
40 It bears emphasis that Bradford's analysis of the preconditions for unilateral regulatory globalization is intended to be generic rather than peculiar to the EU. See too Bradford (n 8) 64.
41 Bradford (n 6) 10.
42 In her recent book, Bradford breaks up the preconditions for BE into five rather than four factors: large market size, regulatory capacity, stringent standards, inelastic targets, and non-divisibility: Bradford (n 8) ch 2. However, the exposition of these preconditions in her book does not otherwise differ fundamentally from her earlier exposition.

The voluntary (or semi-voluntary) take-up of EU norms by multinational corporations creates what Bradford terms a 'de facto Brussels Effect'. This may subsequently result, she contends, in corporations pressuring their domestic governments into adopting the same norms through legislation that will ostensibly 'level the playing field' with respect to their domestic competitors which are not so interested in exporting goods or services to the EU. The resultant legislation creates what she terms a 'de jure Brussels Effect'. 45

Overall, much of Bradford's analysis is well-argued. However, aspects of it do not fully accord with how EU data protection norms have spread across the globe. First, her characterisation of BE as a 'unilateral' process underplays the bilateral and bidirectional elements of the relationship between the EU and other states in the data protection arena. 46 The EU has not simply exercised unilateral power in this arena but allowed some flexibility and negotiation over regulatory outcomes, particularly when assessing the adequacy of third countries' data protection regimes. The former Safe Harbour and Privacy Shield agreements are central examples, 47 as are the EU's adequacy decisions regarding New Zealand 48 and, most recently, Japan. 49 Moreover, EU legislative developments have not been exclusively 'home grown'; they have sometimes been inspired by regulatory ideas and traditions elsewhere. Security breach notification rules (which originated in the USA) are an example in point; 50 requirements for data protection impact assessments (which have roots in the USA, Australia and New Zealand) are another example; 51 rules on data protection by design and by default (which partly originated in Canada) 52 and certification schemes (which first took widespread hold in the USA) 53 are yet others. Thus, EU data protection rules are the result of a cross-fertilisation of regulatory traditions. 54 As made clear in the next section, the same can be said of CoE norms. At the same time, Bradford's account also fails to do justice to the CoE's work in laying many of the foundations for EU data protection law. Apart from acknowledging that the right to data protection in EU law builds on Article 8 ECHR, she ignores the important role played by C108 and other CoE instruments in shaping EU data protection norms.
Secondly, the 'effect' dimension of Bradford's original take on BE is deficient in two respects. On the one hand, it overplays the actual traction of EU data protection rules in third country jurisdictions. Bradford states, for instance, that 'few Americans are aware that EU regulations determine the … privacy settings they adjust on their Facebook page'. 55 This is misleading: Facebook privacy settings for its US-based users are primarily determined by a mixture of its own contractually based norms together with US legislation, such as the Children's Online Privacy Protection Act 1998 - and these largely reflect a middle-to-upper class North American mindset. 56 Furthermore, recent research shows that many multinational corporations appear to pay - at best - 'lip service' to GDPR requirements while continuing with practices that breach these. 57 On the other hand, Bradford's original take on BE completely overlooks the fact that EU data protection law operates with provisions that give it a potentially large degree of extraterritorial reach, particularly in the online context 58 - a reach that has, on paper, increased under the GDPR and has helped (at the very least) put EU data protection rules on the agenda of corporate headquarters located outside Europe. Bradford's recent book, however, is considerably more sensitive to both of these factors. 59

Thirdly, Bradford's presentation of the chronological and aetiological relationship between 'de facto' and 'de jure' BE is not always applicable in the data protection field. In other words, it is not always the case that de facto BE precedes and brings on de jure BE. For example, relevant legal developments in the USA and Japan have not followed this pattern. 60

Fourthly, as Schwartz aptly observes, the EU has not simply exercised market power; it has also exercised ideational power. 61 Part of the latter power derives from the regulatory model chosen by the EU. Schwartz claims that this model with its reliance on omnibus laws based on general principles offering high standards of data protection is relatively simple, accessible, attractive and easy to transplant 62 - a claim endorsed by Bradford in her recent book. 63 I do not agree wholeheartedly with the claim, for reasons that become apparent in Section 4. Nonetheless, the EU's hold over many non-European actors is undoubtedly based partly on the replicability and cogency of its regulatory vision. The same can be said, albeit a fortiori, for the hold exercised, and to be exercised, by the CoE - as elaborated in the next sections.

58 As also recognised by Goldsmith and Wu (n 26) 175 (noting the 'aggressive geographic scope' of EU data protection law).
59 Bradford (n 8) 133-35, 145ff.
60 Schwartz (n 47) 804-05.

The logic and mechanics of the 'Strasbourg Effect'
In light of the basic logic and mechanics of BE, how may we characterise those of SE? There are clear differences between the former and latter. Whereas BE is fundamentally a market-powered process, SE is fundamentally a treaty-based process with relatively scant opportunity to leverage off market power. Applying Bradford's conceptual schema, SE is an example of 'political globalization of regulatory standards' whereby regulatory convergence is achieved by treaty accession - the hallmark of classical multilateralism. As made clear in the introduction, though, the notion of SE employed in this article also takes account of regulatory convergence occurring through other means than treaty accession (e.g. through legislators using CoE instruments as sources of inspiration when drafting domestic statutes).
A related difference concerns the extent to which each process engages private sector entities (primarily corporations) and states respectively. Whereas BE primarily engages corporations (particularly those engaged in transnational commerce), SE primarily engages state actors (particularly governments). And the motivations for each set of actors' engagement will often differ (although they may overlap too) - as explained further below.
The contrast between BE and SE in terms of the role played by market power also has a bearing on the regulatory capacity inherent in each process. The apparatus of the 'regulatory state' constructed by the EU to govern its internal market is much more elaborate and powerful than the bureaucratic apparatus of the CoE. The latter lacks, for instance, a body with the size and punch of the European Data Protection Board, and the sanctions scheme attached to C108+ is vastly weaker than that of the GDPR.

61 Ibid, 816 ('Ideas matter. Even though the adequacy requirement provides an impressive fulcrum for international influence, the global success of EU data protection is also attributable to the sheer appeal of high standards for data protection. This appeal cannot alone be explained by the force of EU market power or even specific EU negotiating strategies').
62 Ibid, 812.
63 Bradford (n 8) 79ff. See too Christopher Kuner, 'The Internet and the Global Reach of EU Law' in Marise Cremona and Joanne Scott (eds), EU Law Beyond EU Borders: The Extraterritorial Reach of EU Law (Oxford University Press 2019) 112, 127 ('The fact that EU data protection law is based on a set of clearly-structured instruments also makes it attractive to third countries, which often find it easier to use an existing text as a model rather than to draft new legislation from scratch').
Still, the CoE has an impressive track record with respect to the 'expertise' and 'coherence' components of regulatory capacity as conceptualised by Bach and Newman. 64 The CoE's ability to identify regulatory challenges and develop timely, clearly articulated policy solutions in the data protection field is second to none amongst intergovernmental organisations. We must also not forget that the regulatory capacity and regulatory propensity inherent in BE is partly a reflection of CoE policy work. A well-established tradition of close cooperation between the CoE and EU exists across a wide range of regulatory fields. 65 A considerable degree of regulatory alignment between them is also reinforced by the EU's constitutional framework. 66 This carries over into the area of data protection. Although the need for political 'grandstanding' can create tensions between the two bodies, 67 they are not in intrinsic competition with each other; rather they tend to be mutually supporting. The CoE and its various data protection codes, together with jurisprudence from the ECtHR pursuant to Article 8 ECHR, have had an enormous impact on EU policy development in the area. The basic principles of Convention 108 were the central point of departure for EU legislative efforts in the field, particularly the DPD, 68 and they inform much of the backbone of the GDPR. They have also been an important benchmark for EU data protection rules in the area of policing and judicial cooperation. 69 Conversely, the DPD catalysed and shaped work on the Additional Protocol to C108 adopted in 2001. 70 Further, the recent process of modernising C108 in parallel with the drafting of the GDPR was a situation where Brussels and Luxembourg shaped the deliberations of Strasbourg. Yet influence also went the other way. For example, the provisions in C108+ on processing of biometric data shaped the trilogue discussions on how such data should be treated under the GDPR. 71 Thus, SE is baked into BE to a significant extent, and vice-versa.

64 Bach and Newman (n 27) 831-32; Newman (n 27) 154.
65 Jörg Polakiewicz, Treaty Making in the Council of Europe (Council of Europe 1999) ch 6.
66 See e.g. Article 52(3) of the Charter of Fundamental Rights of the European Union [2010] OJ C83/389 ('In so far as this Charter contains rights which correspond to rights guaranteed by the Convention for the Protection of Human Rights and Fundamental Freedoms, the meaning and scope of those rights shall be the same as those laid down by the said Convention. This provision shall not prevent Union law providing more extensive protection').
67 During the negotiation of the GDPR, for instance, Kuner 'observed the EU using its influence in the Council of Europe to prevent amendments to Convention 108 from being approved, based on the perception that this would "steal the thunder" of the EU if reformed data protection rules were adopted at the international level before the EU adopted its GDPR': Kuner (n 63) 132.
68
Turning to the agendas of SE and BE respectively, that of SE is less infused with market considerations than that of BE. For the EU, data protection has always been intimately linked to the goal of promoting realisation of the internal market and its 'four freedoms', in addition to the goal of safeguarding data subjects' fundamental human rights. 72 Although the latter goal receives increasing prominence in EU data protection legislation and in the jurisprudence of the Court of Justice of the EU (CJEU), the former remains an important part of the EU's data protection agenda. 73 In contrast, the agenda of SE is predominantly concerned with promotion of human rights - the core of the CoE's raison d'être. To be sure, the CoE is far from indifferent to economic interests. Both C108 and C108+ evidence awareness of the need to take account of economic factors in the application of data protection rules. 74 This awareness, though, is not tied to the well-being of a specific market. Moreover, as indicated by the preambles to both instruments, their rules seeking to ensure flow of personal data across national borders are linked ultimately to the right to freedom of expression, which includes the right 'to receive and impart information and ideas without interference by public authority and regardless of frontiers' (Article 10(1) ECHR). 75
Nevertheless, the EU and CoE share a broadly similar normative vision as projected onto the global stage. Zaki Laïdi famously summed up this vision for the EU as one that 'seeks the integration of a world order based on the legitimacy of rules, the predictability, and especially the enforceability of accepted principles', these principles being 'democracy, rule of law, social justice, and human rights'. 76 Much the same can be said for the CoE. This vision not only helps form a metanarrative to embellish Europe's virtues as a global civil actor, 77 it is also central to Europe's ideational power over other states - a capacity often subsumed under the concept 'Normative Power Europe' (NPE). 78 As noted in Section 2 above, this power plays out in the data protection field with respect to BE. It also plays out with respect to SE. Yet the importance of ideational power for the traction of SE is greater than for BE. In winning the hearts and minds of other actors, the CoE does not have any significant market power upon which to draw; it must largely draw instead upon the power of its ideas. This power is not coercive but predominantly persuasive; it is a capacity to convince other actors that the ideas hatched or espoused by Strasbourg are sufficiently superior to competing ideas as to warrant adoption. Building on the typology of ideational power developed by Martin Carstensen and Vivienne Schmidt, 79 this capacity is an instance of 'power through ideas'. 80 The relative superiority of the ideas at hand is a function of both cognitive and normative elements: the ideas are seemingly more coherent (in cognitive terms) or seemingly more proper (in normative terms) than competing ideas. 81 Acculturation undoubtedly plays a role here as well - detailed further on in this section - although it is not prominent in Carstensen and Schmidt's analysis.
71 Lee A Bygrave and Luca Tosoni, 'Article 4(14): Biometric Data' in Kuner and others (n 22) 207, 214.
72 See further Lynskey (n 24) ch 3.
73 Ibid.
74 For example, 'the monetary interests of the State' are one of the sets of interests upon which derogation from core data protection principles may be grounded under Article 9(2)(c) C108. See too Article 11(1)(a) C108+ (referring to 'important economic and financial interests of the State' as the equivalent basis for derogation).
75 See also Explanatory Report to Convention 108, para 62; Kwasny (n 2) 533 ('Convention 108 was conceived, and delivered, with the idea that data protection should respect the principle of international free flow of information'). For discussion, see Fuster (n 68) 89.
At the same time, the CoE's ideational power in the data protection field arguably goes beyond 'power through ideas' and extends to what Carstensen and Schmidt term 'power in ideas'. The latter phrase refers to the 'background ideational processes - constituted by systems of knowledge, discursive practices and institutional setups - that in important ways affect which ideas enjoy authority at the expense of others'. 82 Through its pioneering work in data protection law and policy during the 1970s, the CoE was able to structure and help set central premises for future discourse in the field. It has thus filled the role of 'model-maker' rather than 'model-taker'.
The CoE has not been alone in filling this role; the OECD has played a similar role as well, particularly through its data protection guidelines adopted in 1980. 83 Indeed, both organisations collaborated and shaped each other's policy development in the field. 84 There is accordingly a 'Paris Effect' baked into SE (and thereby BE), and vice-versa. This is another of the many instances in which international codes on data protection have interlocked and leveraged off each other, creating policy interdependence. 85 It also means that, like with BE, to characterise SE as rooted in 'unilateral' setting of data protection standards would be misleading. Nevertheless, even if the CoE's capacity as 'model-maker' has never amounted to intellectual hegemony, it has played a key role in establishing parameters of normality for the field, primarily in respect of Europe (and, concomitantly, the EU), and secondarily in respect of non-European actors. In doing so, it has emulated and reinforced what Manners views as the essence of NPE mechanics: the 'ability to shape conceptions of "normal" in international relations'. 86
For critiques, see e.g. Richard G Whitman (ed), Normative Power Europe: Empirical and Theoretical Perspectives (Palgrave Macmillan 2011).
79 Martin B Carstensen and Vivienne A Schmidt, 'Power through, over and in ideas: conceptualizing ideational power in discursive institutionalism' (2016) 23(3) European Journal of Public Policy 318-37 (https://doi.org/10.1080/13501763.2015.1115534).
80 Ibid, 323ff.
81 As Carstensen and Schmidt note, persuasion in this context 'is not necessarily - or rather, it rarely is - a completely "rational" process in the sense that the most powerful [ideas] necessarily are the ones with the 'best' argument. Instead, the persuasiveness of an idea depends on both the cognitive and normative arguments that can be mustered in its support'. Ibid, 323-24.
82 Ibid, 329.
83 Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, adopted by the OECD Council on 23 September 1980 (OECD Doc C(80)58/FINAL). See further Fuster (n 68) ch 4 (section 4.1).
84 Explanatory Report to C108, para 15; Explanatory Memorandum to original OECD Guidelines, para 20; Fritz W Hondius 'A Decade of International Data Protection' (1983) 30(2) Netherlands International Law Review 103-28 (https://doi.org/10.1017/S0165070X00012298) 112. Indeed, given that the CoE helped to shape the OECD guidelines, one could even argue that it has also helped to shape the Asia-Pacific Economic Cooperation (APEC) Privacy Framework of 2005 despite the latter referring only to the OECD guidelines as its chief source of inspiration. Nonetheless, any possible 'Strasbourg Effect' on APEC policy development has been severely diluted.
Despite its 'model-maker' function, SE is not overtly driven by a strong proselytising mission. There are no obvious vestiges here of the infamous mission civilisatrice of yesteryear's European empire building. The CoE nonetheless evinces pride in the fact that C108 is the only multilateral treaty of its kind, that it is likely to remain such, and that it accordingly has a unique role in assuring transnational legal stability. For instance, in conjunction with Uruguay's accession to C108 in 2013, the CoE declared: 'Being open to signature by any country, it [C108] is the only binding standard which has the potential to be applied worldwide, providing legal certainty and predictability in international relations'. 87 The same will no doubt be said of C108+ once it enters into force. A similar, albeit more explicit pride creeps into aspects of BE - exemplified in the following rhetorical question posed by the CJEU President, Koen Lenaerts: 'Why would Europe not be proud to contribute its requiring standards of respect for fundamental rights to the world in general?'. 88
As Christopher Kuner observes, '[w]hen a legal system strives for its standards to be accepted as universal values, it is inevitably engaged in a hegemonic struggle in which it seeks to have its own interests identified with the general interest'. 89 Kuner aptly notes that the EU is engaged in such a struggle in the field of data protection, where the European Commission 'cloaks efforts to promote the spread of EU law in the language of encouraging third countries and international organisations to adopt strong data protection standards'. 90 Drawing on the work of Martti Koskenniemi, 91 Kuner goes on to warn that there is a risk of such efforts not leading to 'genuine, disinterested universalism, but to "false universalism, the universalism of Empire"'. 92 SE inescapably runs this risk as well in spite of the CoE's best intentions to avoid it. However, the risk is far greater with respect to the EU's data protection agenda than with the CoE's agenda, for reasons laid out in Section 4.
85 Bennett and Raab (n 5) 114.
86 Manners (n 78) 239.
87 CoE, 'Personal data protection: Uruguay becomes first non-European state to accede to "Convention 108"', Press Release 12 April 2013 (https://www.coe.int/en/web/portal/news-2013/-/asset_publisher/TEHtOeUO1Ozc/content/personal-data-protection-uruguay-becomes-first-non-europeanstate-to-accede-to-convention-108-).
88 Quoted in Valentina Pop, 'ECJ President on EU Integration, Public Opinion, Safe Harbor, Antitrust', The Wall Street Journal (14 October 2015) (https://blogs.wsj.com/brussels/2015/10/14/ecj-president-on-eu-integration-public-opinion-safe-harborantitrust/).
89 Kuner (n 63) 137.
90 Ibid.
Returning to the mechanics of the CoE's ideational power in the form of 'power through ideas', I note above that persuasion is central to the exercise of such power but that acculturation may play a role as well. Goodman and Jinks identify acculturation as one of three main mechanisms of interstate 'socialisation' with respect to the spread of international human rights law. 93 Whereas persuasion involves a state taking on board the norms in question because it is genuinely convinced of their value and propriety, acculturation occurs when a state adopts the norms without significantly reflecting over their merits and does so because of various 'social' pressures, such as 'maintaining membership in an "in-group" with a shared identity' or attaining 'social legitimacy'. 94 Accordingly, in acculturation processes, the relationship of the state to other states is more in the foreground than is the content of a norm. 95 Perceptions by states about 'social fitness' are an important part of acculturation: 'state actors seek to attain legitimacy and, more generally, social fitness by doing what their peers (other states) do'. 96 Goodman and Jinks add that acculturation 'can lead to internalization of taken-for-granted norms in some circumstances, but it may also lead to more superficial levels of conformity'. 97
In the SE context, an example of acculturation would occur when a non-European state accedes to C108+ not so much because of a genuine political-philosophical recognition of the propriety of C108+ norms but more because the state wants to emulate the actions of other states that have acceded to the Convention and thus receive kudos from them for following suit. This is entirely plausible given that the CoE and its organs, particularly the ECtHR, command solid international respect in the field of human rights generally and given its 'model-maker' role in the field of data protection more specifically. In at least one of the benefits Greenleaf identifies as accruing to non-European states that accede to C108, 98 acculturation is implicit. This is the 'international best practice' benefit, more specifically the possibility that accession 'provides recognition that a country's data protection standards have achieved "international best practice", in the opinion of an increasingly global group of the country's peers'. 99 In a similar vein, Christian Pauletto notes that accession to, and compliance with C108 is a 'quality label' and, as such, a valuable 'political asset' for 'any jurisdiction in the world'. 100 Acculturation is also implicit in the 'exemplar' function that Bennett and Raab identify as one of the four functions of international agreements in the field and that is referenced in the introduction. 101
91 Martti Koskenniemi, 'International Law in Europe: Between Tradition and Renewal' (2005) 16(1) European Journal of International Law 113-24 (https://doi.org/10.1093/ejil/chi105) 116.
92 Kuner (n 63) 137.
93 Goodman and Jinks (n 15). The other two mechanisms are material inducement and persuasion. Material inducement involves shaping state behaviour by imposing material costs or conferring material benefits on the recipient state, but without necessarily altering the latter's underlying preferences. It equates roughly with Bennett's notion of 'penetration', referenced in section 2 above, and has little to do with ideational power.
94 Ibid, 26.
95 Ibid, 26.
96 Goodman and Jinks (n 15) 45. See also e.g. Joyce Gelb, 'Feminism, NGO's and The Impact of the New Transnationalisms' in Vogel and Kagan, Dynamics of Regulatory Change (n 9) ch 9 (showing that Japanese take-up of the 1979 UN Convention on the Elimination of Discrimination against Women was, to a significant degree, motivated by a wish for international stature through adopting 'the trappings, if not reality, of new standards and regulation related to gender issues' (ibid, 321-22)).
97 Ibid.
However, the criteria for permitting accession to C108+ may limit the degree to which acculturation in the shape of mere pro forma mimicry is able to inform SE. Article 4 C108+ evinces an intention that states parties - and, concomitantly, states that desire to accede - do more than engage in data protection 'theatre'; their efforts must deliver effective levels of data protection and this effectiveness must be sufficiently documented to satisfy the evaluative eye of the Convention Committee. 102 These requirements appear to be more exacting than those of the original Convention. 103 It is doubtful, though, that they will eliminate acculturation generally as a significant element in SE mechanics. Hence, a state will likely be able to accede to C108+ even if it is primarily motivated by a desire to attain 'social' standing, as long as it demonstrates a capacity to protect personal data 'on the ground' according to the core rules and premises of C108+.
At this point in time, describing or gauging more precisely how these requirements will otherwise play out is very difficult. This is due mainly to ongoing uncertainty over the precise threshold for C108+ accession and over the vetting process involved. Greenleaf noted quite a few years ago a lack of clarity from the CoE as to accession standards and vetting criteria regarding C108. 104 This lack of clarity regrettably persists in relation to C108+. While there is probably 'wriggle room' with respect to meeting the latter's accession standards - just as there has been with those of C108 - we do not yet have sufficient guidance as to which standards are non-negotiable and which are more malleable. 105
98 Graham Greenleaf, 'Balancing Globalisation's Benefits and Commitments: Accession to Data Protection Convention 108 by Countries Outside Europe', University of New South Wales Law Research Paper No 16-52 (23 June 2016) (https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2801054).
99 Ibid, 4.
100 See his contribution ('Options towards a Global Standard for the Protection of Individuals with Regard to the Processing of Personal Data') to this Special Issue.
101 Bennett and Raab (n 5) 113.
102 See also Greenleaf's contribution ('How far can Convention 108+ "Globalise"? Prospects for Asian Accessions') to this Special Issue.
103 Ibid.
104 Greenleaf (n 3) 112ff.
105 See further Greenleaf (n 102).

Prospects for the 'Strasbourg Effect'
On the basis of the foregoing elucidation of the mechanics and logic of SE relative to BE, what may we make of SE's prospects? Any answer must be tempered by a great deal of caution. This is not only because crystal ball gazing is an intrinsically risky endeavour in a rapidly changing world (especially when done as part of an academic analysis), but also because of continuing uncertainty about the exact parameters of factors that are inherent to SE, such as the criteria for C108+ accession highlighted at the end of Section 3. The following discussion accordingly steps back from making firm predictions about the future of SE and instead attempts to elucidate some of the factors that are likely to shape its prospects, particularly in light of BE. The presentation of factors here is far from exhaustive and ought to be read as a supplement to the more comprehensive analyses by, respectively, Pauletto and Greenleaf in this volume. 106
Inasmuch as it is a multilateral treaty-based process, SE is less efficient than BE. Being a market-based mechanism with a relatively unilateral thrust, BE has lower contracting and enforcement costs than classical multilateralism. Bradford elaborates: 'The EU's unilateral regulatory agenda is more easily implemented as it requires the cooperation of foreign corporations willing to trade in its market rather than cooperation by foreign sovereigns […] Political harmonization is particularly difficult if states do not agree on the benefits of global standards. But multilateral standard-setting is difficult even if most states agree on the desirability of uniform standards. States often have different views on the optimal standard to which they should converge. […] Unilateral regulatory globalization solves such coordination problems: the most stringent rule becomes the focal point of convergence. […] Perhaps most importantly, market-driven harmonization provides the most efficient form of regulatory globalization because the EU can rely on its existing domestic institutions to enforce its regulations. Treaties are distinctly difficult and expensive to enforce'. 107
The problems with treaty-based harmonisation processes are especially acute at present. We live in an age characterised by a relatively high degree of multilateral 'gridlock', and the profound challenges in reaching meaningful international consensus on a large range of key policy matters (trade, climate change, cybersecurity etc.) are calling into serious question the utility of multilateralism and public international law. 108 We must remember, though, that these difficulties do not necessarily mean radical reductions in cross-border cooperation nor markedly declining transnational production of norms. It is rather the case that international cooperation and norm production are moving into other arenas and taking on 'softer', more informal manifestations than those of classical multilateralism. 109 So it may well be that forms of SE other than accession to C108+ are and will be found in those arenas and manifestations outside the treaty context. In other words, judging SE prospects simply by counting the potential number of non-European states that accede to C108+ is unlikely to do full justice to the Convention's future global impact. Were the same sort of method applied to gauge the global impact of C108, key dimensions of the CoE's extra-European influence would be missed, not least its contribution to OECD data protection policy.
106 Pauletto (n 100); Greenleaf (n 102).
It has been stated that the CoE's ability to foster global consensus will be handicapped by its regional status and bias. 110 While this passes over the potential for an organisation to come a long way in unshackling itself from its regional origins (as the OECD exemplifies), 111 aspects of C108+ and other CoE norms upon which it builds are impossible to jettison without undermining the Council's fundamental raison d'être - such as its commitment to upholding democracy and rule of law. Thus, accession to C108+ will not be a realistic option for non-European states that fail to share that commitment. 112 Yet other aspects of C108+ may prove a stumbling block for non-European states that embrace that commitment but do not share fully the spirit or mindset that the Convention embodies, particularly its dignitarian elements that are especially pronounced in European culture. 113 Other elements that are rooted in some of the 'paranoia' of European political culture, such as the insistence on data protection authorities' complete independence (Article 15(5) C108+), will also be hard to swallow. 114
A further stumbling block is that C108+ lacks a 'killer' feature that will either induce fear of the data protection 'god' in non-European minds or make it extremely rewarding to taste that god's fruits. In terms of fear, C108+ - like C108 - does not, in itself, establish a beefed up sanctions regime like that established by the GDPR; nor does it, in itself, operate with liberal criteria for 'extraterritorial' application in the way that Article 3(2) GDPR does. These weaknesses are rooted in its very nature as a treaty instrument that is not intended to be self-executing.
In terms of reward, Pauletto and Greenleaf rightly point to a multiplicity of benefits that may potentially accrue from acceding to C108+ or C108, including greater stability in managing transborder data flows, 'best practice' recognition, assistance from relatively experienced DPAs in European states, and requirement of only moderate standards of protection. 115 Nevertheless, accession does not guarantee that which many states would regard as the most attractive reward: a positive adequacy determination by the European Commission pursuant to Article 45(1) GDPR. More specifically, a non-European state's accession to C108 or C108+ will not automatically lead the Commission to decide that the state offers adequate data protection for the purposes of the requirements in Chapter V GDPR. As both recital 105 and Article 45(2)(c) GDPR indicate, the Commission should take accession 'into account' in determining adequacy, but accession on its own is not sufficient; it is one of multiple adequacy indicators. I revisit this matter further below.
The operation of the 'adequacy' criterion in Article 45 GDPR illustrates how take-up of C108+ will in large part depend on its interaction with other international instruments and, in particular, on the degree to which the latter provide an impetus for C108+ accession. Although the GDPR is centrally important in this respect, other instruments - including those of the CoE - may play a role too. A pertinent example is the CoE's Cybercrime Convention. 116 This was drafted with the intention (at least on the part of the CoE's Parliamentary Assembly) that both CoE member states and other states wishing to accede to it would be encouraged to accede also to C108 if they had not already done so. 117 Unfortunately, this intention has been far from fully honoured in practice. 118
The degree of C108+ take-up beyond Europe will additionally depend on which non-European states first accede to the Convention and the acculturation processes their accession sets in train. If one or two states with significant geo-political clout or ideological standing accede, this may create what Goodman and Jinks term a 'circuit of influence', 119 which may in turn pull other states into the same trajectory. We have seen this occur with the Cybercrime Convention which was drafted with input from the USA and which the latter ratified fairly quickly after its adoption, helping to prompt other states in the Western 'club' (e.g. Japan, Canada and Australia) to ratify it as well. A somewhat parallel process played out with the influence of the ECHR on African countries' drafting of their independence constitutions. 120 As of 1 August 2020, only eight non-European states have ratified C108. 121 None of them are globally influential nations. Just two of them (Mexico and Argentina) can be plausibly characterised as wielding sizeable regulatory influence in their respective regions, and only three of them (Argentina, Tunisia and Uruguay) have signed (but not yet ratified) C108+. The intentions of the remaining five states with respect to their possible accession to the latter instrument remain unclear. In the present political landscape, the USA, Russia and China - the 'axis of ego' - are extremely unlikely to create the requisite circuit of influence here. In any case, China would most probably be barred from acceding to C108 or C108+ because it does not fulfil the basic requirements of a 'democratic society' laid down by the CoE. 122 India could be important for creating accessional impetus, being the world's largest democracy and showing interest in adopting more comprehensive data protection rules aligned roughly with European standards. However, the work of the CoE scarcely figures in the recent deliberations in India for new data protection legislation there (whereas the GDPR occupies a prominent place). 123
At the end of the day, hard-nosed economic factors, such as being able to promote consumer spending or access a lucrative market, will play a significant role in getting many governments and businesses outside Europe to pay heed to C108+. These are precisely the factors that have central traction in BE dynamics. Could they also be harnessed in the service of SE? In my opinion, they can. There is real potential for the EU to utilise the GDPR's adequacy mechanism in a way that would help advance the global impact of C108+. This can be done by the European Commission placing significant weight, when determining a third country's adequacy, on whether or not the country has acceded to C108+. 124 The Commission would not need to - indeed, legally may not - place decisive weight on accession; it would be sufficient to place significant or considerable weight. If the EU is serious about advancing the reach of a multilateral treaty in the data protection field that fully respects EU norms, the suggested strategy ought to be adopted. If adopted, it would not be the first time that the EU applies the unilateral power of BE to help multilateralism. 125
The Commission has signalled indirectly support for the suggested strategy, stating that 'accession to Convention 108 is an important factor to be taken into account by the European Commission in its adequacy assessment' pursuant to Article 45 GDPR. 126 It has also signalled, in effect, support for SE more broadly: it officially 'encourages accession by third countries to Council of Europe Convention 108 and its additional Protocol' and 'will actively promote the swift adoption' of C108+ 'with a view to the EU becoming a Party'. 127 Additionally, the Commission acknowledges the 'crucial role' that C108 has already played 'in spreading the "European data protection model" globally', 128 and predicts that the practical impact of C108+ 'can be expected to be much greater' than that of C108. 129 It also sees SE as an important vehicle for BE: '[t]he adoption of a robust Convention, based on the same approach and principles as the (new) Union acquis, […] will contribute to the promotion of Union data protection standards around the world'. 130
122 See too Greenleaf (n 102).
123 See e.g. White Paper of the Committee of Experts on a Data Protection Framework for India (December 2017) (https://innovate.mygov.in/wp-content/uploads/2017/11/Final_Draft_White_Paper_on_Data_Protection_in_India.pdf).
124 Cf Pauletto (n 100) (suggesting that the Commission make accession to C108+ a 'precondition' for an adequacy finding).
125 See further e.g. Bradford (n 8) 90 (noting how the threat of the EU's unilateralism helped to engender international agreement on regulating the aviation industry's emissions of greenhouse gas).
Yet the EU's overall message is somewhat mixed in light of the increasingly self-referential thrust of its regulatory policy. For instance, Eurojust (the EU Agency for Criminal Justice Cooperation) used C108 up until recently as an express data protection benchmark in its bilateral cooperation agreements with non-member states of the EU (although only in respect of those states that are CoE members and parties to C108). 131 However, with the entry into force of the new Eurojust Regulation, 132 the possibility for Eurojust to negotiate its own cooperation agreements has been removed. More importantly for the present context, the new Regulation omits any reference to C108 as a benchmark for data protection. 133 And the most recent bilateral cooperation agreement concluded by Eurojust also omits such reference. 134 While this development is logical given that the EU has finally produced its own relatively well-developed data protection framework for the field of criminal justice, it is not legally necessary to omit any reference to C108 (at least as a background benchmark). The omissions thus send an unfortunate signal that the Convention is largely if not entirely redundant. Although this signal may be limited to those parts of the international criminal justice arena regulated by the EU, it could also serve to undermine the salience and traction of C108 and C108+ more generally.
Finally, there is another way in which SE might benefit from BE, and one that is very different to the first way suggested above. It is not so much about BE as about BT. The latter refers to what I term the 'Byzantine Turn' in EU data protection law. With 'Byzantine Turn' I mean three trends. First, the EU data protection system has become an empire in itself and an empire unto itself. Its mammoth number of rules, immense officialdom, constitutional standing and strengthened sanctions regime, combined with high-profile judicial support for its cause - all of these factors combined give the system a somewhat imperious swagger with respect to the rest of the world. As Orla Lynskey astutely observes, the EU data protection regime has developed from a 'supremacy by default' modus under the DPD to a 'supremacy by design' modus under the GDPR. 135
127 Communication from the Commission to the European Parliament and the Council, 'Exchanging and Protecting Personal Data in a Globalised World', COM(2017) 7 final, 10 January 2017, 11-12.
128 Commission Proposal (n 126) 3.
129 Ibid, 2.
The second dimension to the Byzantine Turn is the evermore self-referential thrust of the EU data protection system. It is a system increasingly turned in on itself. Large parts of it are essentially engaged in a conversation with other parts of it. The GDPR exemplifies this well: many of its provisions are not really addressed to the world-at-large, but to 'insiders'. For instance, over one quarter of the words making up the GDPR's operative provisions are devoted to the workings of supervisory authorities.
The third aspect of the Byzantine Turn relates to the procedural intricacy of the EU data protection regime. Data protection law in general has always had a predominantly procedural thrust. Under the GDPR, though, procedural intricacy has become extreme - and extremely problematic. It has created a Kafkaesque castle full of semantic mazes, winding procedural alleys, subterranean cross-passages, conceptual echo chambers and an immense bureaucratic apparatus.
Set against such a system, C108+ is like a breath of fresh air. It is relatively slim, neatly packaged and uncomplicated code. This is not to suggest that it is necessarily an easy read, but it is far easier to read and digest than the GDPR. Compare, for instance, the modernised Convention's concise provisions on fully automated decision making in Article 9(1)(a) with the tortuously formulated provisions of Article 22 GDPR. 136 The modernised Convention embodies a regulatory vision that is more aligned with the original instruments of data protection law from the 1970s and early 1980s in which the core principles of 'fair information practice' are placed in the foreground with relatively little procedural or bureaucratic clutter. In this sense, it offers a 'cleaner' and more understandable data protection template than the GDPR. This is all the more impressive given the greater scope of C108+ due to its coverage of processing of personal data in the areas of policing and criminal justice. As such, C108+ goes a considerable way to conforming with the maxim in medio virtus ('virtue lies in the middle path'). It also goes a considerable way to conforming with the oft-cited exhortation of Bert-Jaap Koops that 'data protection law should go back to its roots, the basic data protection principles … in which the spirit of data protection is clearly visible, in contrast to the EU's tree-obscuring forest of rules'. 137
Despite these differences from the GDPR, there is always a risk that C108+ will be lumped together with the former and regarded as essentially a GDPR clone or GDPR-type initiative, particularly if viewed from afar by nations with little expertise in data protection. This perception will not play out in favour of SE if the viewer regards the GDPR with antipathy. But viewed closer up and with knowledge of the CoE's basic remit, C108+ reveals itself as far less imperious and aggressive in tone than aspects of the GDPR. 138 This also helps to make it an easier 'pill' to swallow, especially for jurisdictions for which any such pill will be somewhat bitter.
135 Lynskey (n 24) 43-44.
136 See further Lee A Bygrave, 'Article 22: Automated Individual Decision-making, including Profiling' in Kuner and others (n 22) 522ff.
137 Bert-Jaap Koops, 'The trouble with European data protection law' (2014) 4(4) International Data Privacy Law 250-61 (https://doi.org/10.1093/idpl/ipu023) 259.

Conclusion
The foregoing analysis of the logic, mechanics and prospects of SE brings into relief factors that help explain the global dissemination of European data protection norms but that are downplayed in Bradford's explication of BE. The article shows that this dissemination is not simply the result of unilateral market-based power; ideational power plays a crucial role as well. A significant part of the latter power is wielded by the CoE, which has been especially influential due to its early role as a 'model-maker' for data protection law and policy. Indeed, Strasbourg has been important for BE by helping to shape and ramp up the EU's regulatory capacity and regulatory propensity in the data protection field.
The CoE's ideational power rests on the mechanics of persuasion tempered by processes of acculturation. This will continue to provide the basic 'fuel' for SE. As such, SE is an exemplary manifestation of what may be termed 'regulatory appeal' (in contradistinction to the notions of 'regulatory capacity' and 'regulatory propensity' employed by Bradford in her presentation of BE). By this is meant the degree to which a regulatory system or model developed in one jurisdiction (or set of jurisdictions) has an attractive aura for other jurisdictions. This appeal is a function not so much of coercive force based on economic or geo-political power (i.e. 'penetration' in Bennett's terms) but of the inherent cogency, integrity and reputation of the regulatory system/model concerned. It points to the capacity for legal norms to spread from one state to another due (at least partly) to the recipient state perceiving those norms as intrinsically sensible or as sufficiently 'fashionable' that adherence to them augments the recipient state's reputation or status vis-à-vis other states or actors with which it wants to identify. Such appeal is vital to SE, yet it receives relatively little attention in Bradford's generic explication of BE. Although 'regulatory appeal' is arguably not a basic precondition for BE generally, it is at the very least one of the reasons for BE's extensive success in the data protection arena. Accordingly, increased focus on 'regulatory appeal' would enhance the explanatory power of future BE-focused scholarship.
As for the prospects of SE, the overall message of this article is cautiously optimistic: C108+ has considerable potential to strengthen and expand SE. At the same time, the power of such an effect will depend on BE. While BE could undermine SE, history shows that the two processes are not necessarily at loggerheads but tend to be mutually reinforcing, both intentionally and incidentally. Hopefully, this mutuality will persist. Just as SE has helped BE in the past, BE could act as a vehicle for SE in the future, particularly by utilising the 'adequacy' mechanism provided by Articles 44-45 GDPR to encourage accession to C108+. Operationalised carefully, the strategy may help break part of the gridlock in which multilateralism at the global level is caught.

Declaration of Competing Interest
The author declares that he has no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Gloria González Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU (Springer 2014) 120ff. See too recital 11 DPD (noting that the principles set out in the Directive 'give substance to and amplify those contained in' Convention 108).
69 See e.g. Articles 14(2) and 27(4) and Recital 9 of Council Decision 2002/187/JHA setting up Eurojust with a view to reinforcing the fight against serious crime [2002] OJ L63/1 (repealed); Article 25 of Council Decision 2008/615/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime [2008] OJ L210/1.
70 Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows; opened for signature 8 November 2001; in force 1 July 2004 (ETS No 181).
107(1) Northwestern University Law Review 1-67.
7 Anu Bradford, 'Exporting Standards: The Externalization of the EU's Regulatory Power via Markets' (2015) 42 International Review of Law and Economics 158-173 ( https://doi.org/10.1016/j.irle.2014.09.004 ).
8 Anu Bradford, The Brussels Effect: How the European Union Rules the World (Oxford University Press 2020).
9 David Vogel, Trading Up: Consumer and Environmental Regulation in a Global Economy (Harvard University Press 1995), especially ch 8. See too David Vogel and Robert A Kagan, 'Introduction: National Regulations in a Global Economy' in David Vogel and Robert A Kagan (eds), Dynamics of Regulatory Change: How Globalization affects National Regulatory Policies (University of California Press 2002) 1, 9.
10 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31 (repealed).
11 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1.
Proposal for a Council Decision authorising Member States to sign, in the interest of the European Union, the Protocol amending the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) COM/2018/449 final - 2018/0237 (NLE), 5 June 2018, 4 (emphasis added).
133 Nonetheless, Article 80(5) of the Regulation stipulates that all earlier agreements concluded by Eurojust pursuant to Decision 2002/187/JHA before 12 December 2019 shall remain valid. Thus C108 lives on as an operational benchmark for those agreements.
134 Agreement on Cooperation between Eurojust and the Kingdom of Denmark, signed 7 October 2019.
138 See too Greenleaf (n 97) 4 ('Convention 108 accession is a voluntary acceptance of reciprocal obligations. Treaties are mutual, not unilateral. The perception, held by some countries, of EU adequacy as an imposed standard is not applicable to Convention 108'). Cf. Paul de Hert and Vagelis Papakonstantinou, 'The Council of Europe Data Protection Convention reform: Analysis of the new text and critical comment on its global ambition' (2014) 30(6) Computer Law and Security Review 633-642 ( https://doi.org/10.1016/j.clsr.2014.09.002 ) 641 (criticising the draft C108+ for having moved too close to the GDPR model and thus risking alienation of states that are sceptical of that model). Interestingly, the recent judgment of the CJEU in Schrems II (Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, judgment of 16 July 2020 (ECLI:EU:C:2020:559)) striking down the EU-US Privacy Shield Agreement has led some observers to argue that the EU is hereby running a serious risk of undermining the attractiveness of its norms as the primary global standards for data protection: see e.g. Chris Kuner, 'Schrems II Re-examined', Verfassungsblog (25 August 2020); <https://verfassungsblog.de/schrems-ii-re-examined/>. It has also led the CoE to pitch itself as offering an 'ideal forum to engage in internationally reaching works on the delicate issue of national security services': Press release 7 September 2020; <https://www.coe.int/en/web/data-protection/-/to-better-protect-us-when-ourpersonal-data-falls-into-the-intelligence-trap->