Abstract

The deterritorialization of the Internet and international communications technology has given rise to acute jurisdictional questions regarding who may regulate online activities. In the absence of a global regulator, states act unilaterally, applying their own laws to transborder activities. The EU's “extraterritorial” application of its data protection legislation—initially the Data Protection Directive (DPD) and, since 2018, the General Data Protection Regulation (GDPR)—is a case in point. The GDPR applies to “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services . . . to such data subjects in the Union; or (b) the monitoring of their behaviour . . . within the Union.” It also conditions data transfers outside the EU on third states having adequate (meaning essentially equivalent) data protection standards. This essay outlines forms of extraterritoriality evident in EU data protection law, which could be legitimized by certain fundamental rights obligations. It then looks at how the EU balances data protection with third states’ countervailing interests. This approach can involve burdens not only for third states or corporations, but also for the EU political branches themselves. EU law viewed through the lens of public international law shows how local regulation is going global, despite its goal of protecting only EU data subjects.

Highlights

  • The deterritorialization of the Internet and international communications technology has given rise to acute jurisdictional questions regarding who may regulate online activities.[1]

  • EU law viewed through the lens of public international law shows how local regulation is going global, despite its goal of protecting only EU data subjects

  • This process has usefully been termed “territorial extension.”[6]. Second, the broad geographic reach of EU data protection legislation appears to be related to individual rights premised on someone’s demonstrable affiliation to the EU, which would ordinarily be citizenship or residence

Read more

Summary

THE GDPR AS GLOBAL DATA PROTECTION REGULATION?

The deterritorialization of the Internet and international communications technology has given rise to acute jurisdictional questions regarding who may regulate online activities.[1]. Within the Union.”[3] It conditions data transfers outside the EU on third states having adequate (meaning essentially equivalent) data protection standards.[4] This essay outlines forms of extraterritoriality evident in EU data protection law, which could be legitimized by certain fundamental rights obligations. It looks at how the EU balances data protection with third states’ countervailing interests. EU law viewed through the lens of public international law shows how local regulation is going global, despite its goal of protecting only EU data subjects

Bases for Extraterritoriality
AJIL UNBOUND
Fundamental Rights Considerations
Foregrounding Data Protection
Burdens and Pushback
Regional Regulation as Global Inspiration

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.