The Scope of Application of EU Data Protection Law and Its Extraterritorial Reach

Abstract

One of the most radical changes to European data protection to be introduced by the new EU Data Protection Regulation proposed by the European Commission is the criteria to determine the applicability of EU data protection law. Under the current data protection directive, the rules are twofold. If the controller is based in an EU Member State, that controller will be subject to the law of that Member State and to the scrutiny of the regulator of that country. However, if the controller is based outside the EU but uses equipment in the EU to collect information, that controller will be subject to the laws of every single Member State and to the scrutiny of each and every regulator. In the case of non-EU controllers, linking the applicability of the law to the location of equipment produces bizarre situations as in a densely networked world, the use of data processing equipment is literally ubiquitous. Therefore, the European Commission is trying to introduce a completely different approach. Under the proposed Data Protection Regulation, if the controller is based in an EU Member State and it has one main establishment, then it will still be subject to the Regulation but it will only be subject to the scrutiny of one regulator. But a controller that is based outside the EU will be subject to the Regulation and to the scrutiny of each and every regulator where it offers products or services to EU residents or monitors the behaviour of EU residents. This chapter analyses the existing EU rules and proposed changes, and considers its practical implications for the future of data protection.