Harmonised EU-wide data-protection framework replacing the 1995 Data Protection Directive. Core instruments: GDPR (Regulation 2016/679, applicable 25 May 2018), ePrivacy Directive revisions, Data Governance Act 2022, Data Act 2023. Stated goals: fundamental-rights grounding for personal-data control, one-stop-shop enforcement via national DPAs coordinated by the EDPB, extraterritorial application to any processor targeting EU residents. Penalty ceiling of 4% of global turnover. Framework codes this as a mixed-direction movement: data-subject protections strengthen one dimension of consumer welfare, while compliance architecture imposes fixed costs that disproportionately burden small and mid-sized firms and that empirically raised measured concentration in ad-tech and hosting markets post-2018.
Policy-content fingerprint — how the framework codes this movement on its axes
Stated pro-user intent; observed outcome includes a compliance moat benefiting incumbents in ad-tech and hosting (Johnson/Shriver/Du 2023; Peukert et al. 2022).
Johnson, Shriver, Du (2023) 'Consumer Privacy Choice in Online Advertising', Marketing Science
Peukert, Bechtold, Batikas, Kretschmer (2022) 'Regulatory Spillovers and Data Governance'
CJEU C-311/18 (Schrems II)
Notes
Honest coding: the framework accepts both the stated fundamental-rights rationale and the empirical concentration evidence. Both are policy content. Rationale text records the mechanism rather than a normative judgement.