The (Extra-)territorial Scope Rules of the New European Data Protection Law from a Private International Law Perspective—A Model for South Africa?

Abstract

Novel technical developments are a source for new business models and, at the same time, a challenge for legal systems and in particular data protection laws. A fundamental challenge in this respect is the delocalisation of data proceedings enabled by modern technologies. In addition, most cases related to such new data driven business models contain foreign elements. From a data protection perspective this raises numerous legal questions, related to the territorial scope of data protection instruments and their relation to the established rules and principles of private international law. The European General Data Protection Regulation (GDPR) addresses the delocalisation with extra-territorial scope rules, but the discussion on how those provisions are embedded in the legal framework of private international law has only started. This article will address those questions in context of the GDPR and the South African Protection of Personal Information Act (POPIA) from a comparative perspective. After a brief overview of the GDPR, the requirements of the territorial scope rules of Articles 3(1) and (2) GDPR will be examined. Thereafter, the doctrinal classification of these rules within the established categories of private international law and the question of whether a choice of the applicable data protection law is permitted within the legal framework of the EU will be investigated. In conclusion, the article examines the territorial scope of the POPIA and provides recommendations for an improvement of the existing rules de lege ferenda.