{"id":3855,"date":"2018-02-05T00:00:00","date_gmt":"2018-02-05T08:42:44","guid":{"rendered":"https:\/\/staging.voelkerrechtsblog.org\/articles\/one-law-to-rule-them-all\/"},"modified":"2021-04-24T16:39:03","modified_gmt":"2021-04-24T14:39:03","slug":"one-law-to-rule-them-all","status":"publish","type":"post","link":"https:\/\/voelkerrechtsblog.org\/de\/one-law-to-rule-them-all\/","title":{"rendered":"One law to rule them all"},"content":{"rendered":"<p>In May 2016, the EU adopted its long-awaited new\u00a0<a href=\"http:\/\/ec.europa.eu\/justice\/data-protection\/reform\/files\/regulation_oj_en.pdf\">General Data Protection Regulation (GDPR)<\/a>\u00a0and thereby opened a new chapter in the history of European and global data protection law. Meeting the challenges of the 21<sup>st<\/sup>\u00a0century globally linked information-society, it took the EU-institutions more than four years and almost 4,000 amendments to finally agree on a compromise text.\u00a0While elaborating the GDPR, the EU tried to solve one of the main problems of data protection law today: the internationalisation of data protection, caused by the global character of the Internet and its worldwide availability to the general public.\u00a0In the past twenty-five years the processing and storage of data irrespective of national boundaries has become an unprecedented mass phenomenon both in terms of the number of users and the amount of data.\u00a0Thus, it has become more and more difficult for national authorities to protect their citizens\u2019 data effectively.<\/p>\n<p>In the absence of a sufficient territorial link, the current EU data protection law (DPD &#8211; <a href=\"http:\/\/eur-lex.europa.eu\/legal-content\/DE\/TXT\/?uri=celex:31995L0046\">Data Protection Directive 46\/95<\/a>) is increasingly failing to serve as an effective instrument for the implementation of the right to data protection (Article 16 TFEU\/Article 8 CFREU).\u00a0Insofar it is especially the activities of the big internet 
companies like Google or Facebook with their headquarters in the USA, which are causing serious problems. These companies are earning billions of Euros annually, by making use of so-called data mining (i.e. selling their European users\u2019 data). Though very active on the Single Market, they continuously refuse to accept the current EU data protection law.<\/p>\n<p>To counteract this, the EU is extending the territorial scope of the new GDPR, far beyond the borders of the Union and its member states.<\/p>\n<p>This approach, though comprehensible, seems nevertheless problematic. Hence, in the following I will firstly analyse the relevant provision for the territorial scope of the GDPR &#8211; specifically Article 3 &#8211; under the aspect of extraterritorial applicability and then argue that in certain cases its legitimacy appears to be doubtful.<\/p>\n<p><strong>Article 3 GDPR and its extraterritorial potential<\/strong><\/p>\n<p>The key provision for the territorial scope of the GDPR is Article 3. Though very similar to Article 4 DPD, Art. 3 GDPR includes some important changes. In this context, it is particularly Article 3 para. 2 GDPR which deserves to be analysed.<\/p>\n<p>Article 3 para. 2 GDPR contains two new criteria for the extraterritorial applicability of the GDPR: The\u00a0offering of goods or services\u00a0(lit. a) to and the\u00a0monitoring\u00a0(lit. b) of data subjects in the Union by a controller or processor outside the EU. By this, Article 3 para. 2 GDPR is introducing the so-called\u00a0<em>lex loci solutionis<\/em>\u00a0to European data protection law, which means that for the territorial applicability of the GDPR it is not necessary anymore that the concerned data processor has a physical establishment within the Union. 
Interestingly, this approach had already been used by the ECJ in its Google Spain decision (<em>ECJ, C-131\/12<\/em>), which is why many are interpreting this ruling as a &#8216;bridge&#8217; between Article 4 DPD and the new Article 3 GDPR.\u00a0This is the most substantial change in comparison with Article 4 DPD.<\/p>\n<p><strong>Article 3 para. 2 lit. a GDPR<\/strong><\/p>\n<p>As already mentioned above, the GDPR applies to processing activities related to the offering of goods or services to data subjects in the Union, irrespective of whether a payment is required or not. According to recital 23 GDPR, this is the case if it is apparent that the controller or processor\u00a0envisages\u00a0such an offer.\u00a0To that extent, factors like the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language may make it apparent that the controller envisages offering goods or services to data subjects in the Union, whereas the mere accessibility of the controller&#8217;s or processor&#8217;s website in the Union, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention.<\/p>\n<p>As a result, the GDPR will apply especially to the free services offered by Internet search engines and social networks, such as Google and Facebook.\u00a0But apart from that, a broad interpretation of the provision would make it possible that third-country companies which are not specifically offering their services to EU customers will also fall within the scope of the GDPR.<\/p>\n<p>For instance, if a data subject in the EU is booking a trip to California using the website of a U.S. 
travel agency which can be shown in English, French and Spanish and offers the possibility to pay in Euro, the European data protection law would be applicable to that case, though both the relevant service and the payment would take place in the USA (<em>cf. for this example:\u00a0<\/em><a href=\"https:\/\/academic.oup.com\/idpl\/article\/6\/3\/230\/2447252\">De Hert\/Michal Czerniawski, IDPL 2016, 230 (339)<\/a>).\u00a0In such an event, the necessary territorial link to the European market is in my eyes very weak. If the ECJ should interpret Article 3 para. 2 lit. a GDPR so broadly \u2013 which in light of the\u00a0<a href=\"http:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=152065&amp;pageIndex=0&amp;doclang=en&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=194488\">ECJ\u2019s \u201cGoogle Spain\u201d<\/a>\u00a0decision seems very likely \u2013 this would result in an overly extensive extraterritorial application of the GDPR.<\/p>\n<p><strong>Article 3 para. 2 lit. b GDPR<\/strong><\/p>\n<p>In addition to the &#8216;offering of goods and services criterion&#8217;, the GDPR\u2019s scope of applicability is also opened up if a processing activity is related to the monitoring of a data subject\u2019s behaviour as far as it takes place within the Union (Article 3 para. 2 lit. b).\u00a0In order to determine whether this is the case, recital 24 GDPR provides that it should be ascertained whether natural persons are tracked on the internet, including potential subsequent use of personal data processing techniques which consist of profiling a natural person.<\/p>\n<p>It is apparent that Article 3 para. 2 lit. b is tailored to third-country providers of social networks, search engines and e-mail services, which are using so-called &#8216;tracking-tools&#8217; (e.g.\u00a0<em>cookies<\/em>) to systematically monitor their users\u2019 behaviour. 
Especially companies like Google or Facebook are heavily reliant on such tools to finance their (in principle) free services.<\/p>\n<p>But once again it is not just the big internet-companies, who are falling within the scope of the GDPR. In fact, nowadays nearly every provider of internet services or services offered on the internet is using tracking tools. This means that as soon as a data subject located in the Union, is visiting the website of a third-country company, which is using cookies, the GDPR is applicable to this process. In other words, theoretically every provider of internet services falls within the scope of the GDPR as soon as he gets in touch with data subjects in the EU.<\/p>\n<p>Article 3 para. 2 lit. b GDPR has the potential to apply the GDPR on almost the whole internet. In my judgment this is a questionable development, which entails a substantial expansion of the European data protection law\u2019s territorial scope.<\/p>\n<p><strong>The legitimacy of the extraterritorial applicability<\/strong><\/p>\n<p>Whether Art. 3 GDPR and its extraterritorial potential is consistent with the rules of public international law has already been discussed by several authors (e.g.:\u00a0<a href=\"https:\/\/academic.oup.com\/idpl\/article\/4\/3\/203\/2549067\">Colonna in IDPL 2014, 203-221<\/a>), which is why I do not want to repeat the arguments here. Hence, I would rather focus my criticism on the aspect of legitimacy.\u00a0Insofar, I see particularly two fundamental points of criticism, which I am going to discuss in the following: the lack of enforceability and the question concerning the appropriate level of protection.<\/p>\n<p><strong>The lack of enforceability<\/strong><\/p>\n<p>Public international law in general allows states to adopt laws that even apply to cases taking place outside their territory. However, this does not mean that these laws can also be enforced outside the state\u2019s territory. 
In this respect, the principle of non-intervention is setting a clear limit to state action.\u00a0Hence, as soon as a third-country company based outside the EU is involved, the practical enforcement of the GDPR is \u2013 to put it mildly \u2013 difficult.\u00a0Such an exercise of jurisdiction, which could be called &#8216;bark jurisdiction&#8217;,\u00a0is yet very problematic.\u00a0Unlike &#8216;bite jurisdiction&#8217;, i.e. a form of jurisdiction, which is literally able to \u2018bite\u2019, the GDPR is on the one hand extending the scope of European data protection law far beyond the EU\u2019s frontiers but is on the other hand not able to fulfil its global claim of validity by enforcing it effectively.<\/p>\n<p>Especially for transnational companies, in the event of a conflict of laws, this could be a serious problem, which may lead to substantial legal uncertainty.<\/p>\n<p>If for example, a U.S. company e.g. the travel agency mentioned above is obliged under U.S. law to transfer personal data to U.S. authorities e.g. for anti-terror measures, while at the same time such a procedure (since it falls within its scope) is forbidden under the GDPR, the company would have to decide whether it should follow the U.S. or the EU data protection law. Since the involved company will not have to fear serious consequences from a breach of the GDPR, it is very likely that it will follow the U.S. data protection rules.<\/p>\n<p>And it is exactly this gap between promise and delivery that could undermine the legitimacy of the GDPR\u2019s extraterritorial applicability. Applicability and enforceability are two sides of the same coin. Therefore, it appears to be inconsistent to adopt a law, which may be applied extraterritorially but cannot be effectively enforced in the same way.\u00a0Of course, this is true only for the enforcement by data protection authorities. The possibility of an &#8216;individual&#8217; enforcement is a different matter. 
The idea behind this is, that since the European Single market is the biggest market in the world, it seems very likely, that transnational companies will &#8216;voluntarily&#8217; follow the new European data protection rules, as they want to retain access to the Single market.\u00a0Insofar the EU is exploiting its market power to &#8216;de facto&#8217; enforce the GDPR even towards third-country companies, by giving them the choice to &#8216;take it or leave it&#8217;.\u00a0Whether such a de facto enforcement is reasonable or not is closely linked to the question concerning the appropriate level of protection.<\/p>\n<p><strong>The appropriate level of protection<\/strong><\/p>\n<p>According to high-ranking EU representatives, the new GDPR is setting the\u00a0gold standard\u00a0for the digital world of tomorrow and will make the EU the &#8216;de facto worldwide regulator in data protection law&#8217; (cf. this:\u00a0<a href=\"http:\/\/europa.eu\/rapid\/press-release_SPEECH-14-62_de.htm\">Viviane Reding, SPEECH\/14\/62, 28.01.2014<\/a>).\u00a0Focussing on the often-used catch phrase &#8216;gold standard&#8217;, this is in fact nothing more than one of the main arguments for the legitimacy of the extensive extraterritorial applicability of the GDPR. It basically means, that since the EU has a very high standard of data protection, EU citizens shall be protected effectively by the GDPR, irrespective of where the processing activity takes place, because some states are due to their lower standards not able to do so.\u00a0But before even discussing what could be considered as an \u2018appropriate\u2019 level of protection it is necessary to make clear that such an argumentation is based on a\u00a0relational criterion:\u00a0This means firstly, it needs an object of comparison (e.g. 
the USA and their lower standards of protection) and secondly, a uniform idea about the comparison\u2019s point of reference &#8211; in our case data protection in general.<\/p>\n<p>This second requirement is highly problematic because the legal classification of data protection is a controversial issue:<\/p>\n<p>In the EU, data protection is a matter of fundamental rights, enshrined in Art. 16 TFEU, Art. 8 CFREU. Thus, the legal requirements to be met by the GDPR are correspondingly high. On the other hand, in the common law countries, the right of data protection is \u2013 historically \u2013 derived from the right of property and is consequently not a matter of fundamental rights but rather a matter of civil law. It is obvious that in these countries, data protection is not such a sensitive matter as it is in the EU.\u00a0So, what &#8211; from a European point of view &#8211; might appear as a low standard of protection, may be fully adequate from an American perspective.<\/p>\n<p>Thus \u2013 despite its good intention \u2013 in my opinion, the EU\u2019s attempt to impose its own &#8216;gold standard&#8217; on third-countries, by applying the GDPR extensively extraterritorially, is going too far. Because the intended extraterritorial applicability of the GDPR involves the risk, that to third-countries and companies located there, the European protection level might appear to be excessive and disproportionally high. This is especially true in cases, where the GDPR is according to Article 3 para. 
2 GDPR applicable, though the link between a company\u2019s processing activities and the EU Single market is quite weak.<\/p>\n<p>In combination with the enforcement problem this could lead to the impression of illegitimacy of the EU GDPR\u2019s extraterritorial applicability.<\/p>\n<p><strong>Conclusion<\/strong><\/p>\n<p>These considerations lead to the following conclusions regarding extraterritorial applicability of the new European Data protection law.\u00a0Firstly, it is evident, that due to the global dimension of data protection, national measures are not able to provide effective solutions anymore.\u00a0It is equally clear, that there is a need to enforce the existing data protection law more effectively \u2013 especially towards the big internet-players, who are specifically targeting the European single market and its data subjects, to make significant profit.<\/p>\n<p>However, the EU\u2019s approach to apply its own data protection law extraterritorially is in certain cases questionable.<\/p>\n<p>The problem concerning the lack of enforceability could in my view only be solved by the conclusion of bilateral agreements on legal assistance, which would allow the EU to enforce the GDPR in third countries. However, since the conclusion of such agreements is not likely to happen soon, the\u00a0lack of enforceability\u00a0remains insofar a\u00a0core problem\u00a0of the GDPR\u2019s extraterritorial applicability that raises substantial doubts in its legitimacy.\u00a0Now it is up to the ECJ to set certain limits to the extraterritorial application of the GDPR and to interpret Article 3 para. 2 GDPR in a more restrictive manner. 
Having\u00a0<em>Google Spain<\/em>\u00a0in mind, this might not be very likely, but desirable.<\/p>\n<p>Otherwise, the EU might have to face the allegation that the new GDPR is nothing more than &#8216;European data protection imperialism&#8217;.<\/p>\n<p>&nbsp;<\/p>\n<p><em>Alexander Kloth is an undergraduate assistant at the chair of Prof. Dr. Christian Calliess LL.M. Eur for Public and European Law at Freie Universit\u00e4t Berlin<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>Cite as: Alexander Kloth, &#8220;One law to rule them all &#8211;\u00a0On the extraterritorial applicability of the new EU General Data Protection Regulation&#8221;\u00a0<em>V\u00f6lkerrechtsblog<\/em>, 05 February 2018, doi:\u00a0<a href=\"http:\/\/dx.doi.org\/10.17176\/20180205-094704\">10.17176\/20180205-094704<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In May 2016, the EU adopted its long-awaited new\u00a0General Data Protection Regulation (GDPR)\u00a0and thereby opened a new chapter in the history of European and global data protection law. 
Meeting the challenges of the 21st\u00a0century globally linked information-society, it took the EU-institutions more than four years and almost 4,000 amendments to finally agree on a compromise [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[6639],"tags":[],"authors":[4869],"article-categories":[6000],"doi":[],"class_list":["post-3855","post","type-post","status-publish","format-standard","hentry","category-uncategorized","authors-alexander-kloth","article-categories-article"],"acf":{"subline":"On the extraterritorial applicability of the new EU General Data Protection Regulation"},"meta_box":{"doi":""},"_links":{"self":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts\/3855","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/comments?post=3855"}],"version-history":[{"count":3,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts\/3855\/revisions"}],"predecessor-version":[{"id":13508,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts\/3855\/revisions\/13508"}],"wp:attachment":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/media?parent=3855"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/categories?post=3855"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/tags?post=3855"},{"taxonomy":"authors","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-j
son\/wp\/v2\/authors?post=3855"},{"taxonomy":"article-categories","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/article-categories?post=3855"},{"taxonomy":"doi","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/doi?post=3855"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}