In recent years, the EU has enacted a flurry of new legislation in the digital domain, including the Data Governance Act (DGA), Digital Services Act (DSA), Digital Markets Act (DMA), Data Act (DA), and perhaps most prominently the Artificial Intelligence Act (AIA). These laws have different regulatory objectives and employ different regulatory approaches, yet they can all be conceptualised to some extent as data laws . They regulate to varying degrees what, when, where, how, and why data is to be generated, accessed, shared, used, and moved.
All these new data laws need to position themselves vis-à-vis the EU’s established data protection law, especially the General Data Protection Regulation (GDPR). Indeed, the contested legislative processes and the final legislative outcomes reveal that new European data law tends to gravitate around GDPR. Each new legislative act states that it is "without prejudice" to GDPR.
This paper makes two subsequent claims. Analytically, the paper suggests that the EU’s regulatory strategy in the digital domain proceeds with pride for and without prejudice to GDPR: Scholarly criticism for the GDPR’s design and track record does apparently not penetrate the proverbial 'Brussels bubble'. Its political economy has coalesced around the EU’s landmark data protection law, which reformed the 1995 Data Protection Directive and has antecedents in national data protection laws dating back to the 1970s. Normatively, this paper questions the viability of constructing European data law in this way. European data law is not actually "without prejudice" to GDPR. Overlaps and tensions between the various legislative acts will eventually have to get resolved. If the EU wants to achieve its regulatory objectives, it will have to (re-)calibrate the relationship between data protection law and other domains of data law.