Data collection and processing have been subject to considerable controversy in recent years, sparking many debates and governance projects. One such governance project is the General Data Protection Regulation (GDPR). Since becoming effective, the GDPR has come to represent a “global standard” for privacy and data protection. Yet, the idea that the GDPR represents a global standard overlooks broader questions about the interaction between law, technology, and society. Using co-production as a conceptual lens, this paper argues that the GDPR reflects at least three social shifts, each of which is entangled with the others. Along with these social shifts, the GDPR is also co-producing ideas of what privacy is and ought to be, and who gets the authority to interpret and construct it. [---]