One law to rule them all
On the extraterritorial applicability of the new EU General Data Protection Regulation
Setting the gold standard …
In May 2016, the EU adopted its long-awaited new General Data Protection Regulation (GDPR) and thereby opened a new chapter in the history of European and global data protection law. Meeting the challenges of the 21st century globally linked information-society, it took the EU-institutions more than four years and almost 4,000 amendments to finally agree on a compromise text. While elaborating the GDPR, the EU tried to solve one of the main problems of data protection law today: the internationalisation of data protection, caused by the global character and worldwide availability of the Internet by the general public. In the past twenty-five years the processing and storage of data irrespective of national boundaries has become an unprecedented mass phenomenon both in terms of the number of users and the amount of data. Thus, it has become more and more difficult for national authorities to protect their citizen’s data effectively.
In the absence of a sufficient territorial link, the current EU data protection law (DPD –Data Protection Directive 46/95) is increasingly failing to serve as an effective instrument for the implementation of the right to data protection (Article 16 TFEU/Article 8 CFREU). Insofar it is especially the activities of the big internet companies like Google or Facebook with their headquarters in the USA, which are causing serious problems. These companies are earning billions of Euros annually, by making use of so-called data mining (i.e. selling their European users’ data). Though very active on the Single Market, they continuously refuse to accept the current EU data protection law.
To counteract this, the EU is extending the territorial scope of the new GDPR, far beyond the borders of the Union and its member states.
This approach, though comprehensible, seems nevertheless problematic. Hence, in the following I will firstly analyse the relevant provision for the territorial scope of the GDPR – specifically Article 3, -under the aspect of extraterritorial applicability and then argue, that in certain cases its legitimacy appears to be doubtful.
Article 3 GDPR and its extraterritorial potential
The key provision for the territorial scope of the GDPR is Article 3. Though very similar to Article 4 DPD, Art. 3 GDPR includes some important changes. In this context, it is particularly Article 3 para. 2 GDPR which deserves to be analysed.
Article 3 para. 2 GDRP contains two new criteria for the extraterritorial applicability of the GDPR: The offering of goods or services (lit. a) to and the monitoring (lit. b) of data subjects in the Union by a controller or processor outside the EU. By this Article 3 para. 2 GDPR is introducing the so called lex loci solutionis to European data protection law, which means, that for the territorial applicability of the GDRP it is not necessary anymore that the concerned data processor has a physical establishment within the Union. Interestingly, this approach had already been used by the ECJ in his Google Spain decision (ECJ, C-131/12), which is why many are interpreting this ruling as a ‘bridge’ between Article 4 DPD and the new Article 3 GDPR. This is the most substantial change in comparison with Article 4 DPD.
Article 3 para. 2 lit. a GDPR
As already mentioned above, the GDPR applies to processing activities related to the offering of goods or services to data subjects in the Union, irrespective of whether a payment is required or not. According to recital 23 GDPR, this is the case if it is apparent that controller or processor envisages such an offer. To that extent factors like the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, may make it apparent that the controller envisages offering goods or services to data subjects in the Union, whereas, the mere accessibility of the controller’s or processor’s website in the Union, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention.
As a result, the GDPR will apply especially to the free services offered by Internet search engines and social networks, such as Google and Facebook. But apart from that, a broad interpretation of the provision would make it possible, that also third country companies, who are not specifically offering their services to EU customers, will fall within the scope of the GDPR.
For instance, if a data subject in the EU is booking a trip to California using the website of a U.S. travel agency which can be shown in English, French and Spanish as well with the possibility to pay in Euro, the European data protection law would be applicable to that case, though both the relevant service and the payment would take place in the USA (cf. for this example: De Hert/Michal Czerniawski, IDPL 2016, 230 (339)). In such an event, the necessary territorial link to the European market is in my eyes very weak. If the ECJ should interpret Article 3 para. 2 lit. a GDPR so broadly – which in light of the ECJ’s “Google Spain” decision seems very likely, this would result in an overly extensive extraterritorial application of the GDPR.
Article 3 para. 2 lit. b GDPR
In addition to the ‘offering of goods and services criterion’, the GDPR’s scope of applicability is also opened up if a processing activity is related to the monitoring of a data subject’s behaviour as far as it takes place within the Union (Article 3 para. 2 lit. b). In order to determine whether this is the case, recital 24 GDPR provides, that it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques, which consist of profiling a natural person.
It is apparent that Article 3 para. 2 lit b is tailored to third-country providers of social networks, search engines and E-mail services, which are using so called ‘tracking-tools’ (e.g. cookies) to systematically monitor their users’ behaviour. Especially companies like Google or Facebook are heavily reliant on such tools to finance their (in principle) free services.
But once again it is not just the big internet-companies, who are falling within the scope of the GDPR. In fact, nowadays nearly every provider of internet services or services offered on the internet is using tracking tools. This means that as soon as a data subject located in the Union, is visiting the website of a third-country company, which is using cookies, the GDPR is applicable to this process. In other words, theoretically every provider of internet services falls within the scope of the GDPR as soon as he gets in touch with data subjects in the EU.
Article 3 para. 2 lit. b GDPR has the potential to apply the GDPR on almost the whole internet. In my judgment this is a questionable development, which entails a substantial expansion of the European data protection law’s territorial scope.
The legitimacy of the extraterritorial applicability
Whether Art. 3 GDPR and its extraterritorial potential is consistent with the rules of public international law has already been discussed by several authors (e.g.: Colonna in IDPL 2014, 203-221), which is why I do not want to repeat the arguments here. Hence, I would rather focus my criticism on the aspect of legitimacy. Insofar, I see particularly two fundamental points of criticism, which I am going to discuss in the following: the lack of enforceability and the question concerning the appropriate level of protection.
The lack of enforceability
Public international law in general allows states to adopt laws that even apply to cases taking place outside their territory. However, this does not mean that these laws can also be enforced outside the state’s territory. In this respect, the principle of non-intervention is setting a clear limit to state action. Hence, as soon as a third-country company based outside the EU is involved, the practical enforcement of the GDPR is – to put it mildly – difficult. Such an exercise of jurisdiction, which could be called ‘bark jurisdiction’, is yet very problematic. Unlike ‘bite jurisdiction’, i.e. a form of jurisdiction, which is literally able to ‘bite’, the GDPR is on the one hand extending the scope of European data protection law far beyond the EU’s frontiers but is on the other hand not able to fulfil its global claim of validity by enforcing it effectively.
Especially for transnational companies, in the event of a conflict of laws, this could be a serious problem, which may lead to substantial legal uncertainty.
If for example, a U.S. company e.g. the travel agency mentioned above is obliged under U.S. law to transfer personal data to U.S. authorities e.g. for anti-terror measures, while at the same time such a procedure (since it falls within its scope) is forbidden under the GDPR, the company would have to decide whether it should follow the U.S. or the EU data protection law. Since the involved company will not have to fear serious consequences from a breach of the GDPR, it is very likely that it will follow the U.S. data protection rules.
And it is exactly this gap between promise and delivery that could undermine the legitimacy of the GDPR’s extraterritorial applicability. Applicability and enforceability are two sides of the same coin. Therefore, it appears to be inconsistent to adopt a law, which may be applied extraterritorially but cannot be effectively enforced in the same way. Of course, this is true only for the enforcement by data protection authorities. The possibility of an ‘individual’ enforcement is a different matter. The idea behind this is, that since the European Single market is the biggest market in the world, it seems very likely, that transnational companies will ‘voluntarily’ follow the new European data protection rules, as they want to retain access to the Single market. Insofar the EU is exploiting its market power to ‘de facto’ enforce the GDPR even towards third-country companies, by giving them the choice to ‘take it or leave it’. Whether such a de facto enforcement is reasonable or not is closely linked to the question concerning the appropriate level of protection.
The appropriate level of protection
According to high-ranking EU representatives, the new GDPR is setting the gold standard for the digital world of tomorrow and will make the EU the ‘de facto worldwide regulator in data protection law’ (cf. this: Viviane Reding, SPEECH/14/62, 28.01.2014). Focussing on the often-used catch phrase ‘gold standard’, this is in fact nothing more than one of the main arguments for the legitimacy of the extensive extraterritorial applicability of the GDPR. It basically means, that since the EU has a very high standard of data protection, EU citizens shall be protected effectively by the GDPR, irrespective of where the processing activity takes place, because some states are due to their lower standards not able to do so. But before even discussing what could be considered as an ‘appropriate’ level of protection it is necessary to make clear that such an argumentation is based on a relational criterion: This means firstly, it needs an object of comparison (e.g. the USA and their lower standards of protection) and secondly, a uniform idea about the comparison’s point of reference – in our case data protection in general.
This second requirement is highly problematic because the legal classification of data protection is a controversial issue:
In the EU, data protection is a matter of fundamental rights, enshrined in Art. 16 TFEU, Art. 8 CFREU. Thus, the legal requirements to be met by the GDPR are correspondingly high. On the other hand in the common law countries, the right of data protection is –historically – derived from the right of property and is consequently not a matter of fundamental rights but rather a matter of civil law. It is obvious that in these countries, data protection is not such a sensitive matter as it is in the EU. So, what – from a European point of view – might appear as a low standard of protection, may be fully adequate from an American perspective.
Thus – despite its good intention – in my opinion, the EU’s attempt to impose its own ‘gold standard’ on third-countries, by applying the GDPR extensively extraterritorially, is going too far. Because the intended extraterritorial applicability of the GDPR involves the risk, that to third-countries and companies located there, the European protection level might appear to be excessive and disproportionally high. This is especially true in cases, where the GDPR is according to Article 3 para. 2 GDPR applicable, though the link between a company’s processing activities and the EU Single market is quite weak.
In combination with the enforcement problem this could lead to the impression of illegitimacy of the EU GDPR’s extraterritorial applicability.
These considerations lead to the following conclusions regarding extraterritorial applicability of the new European Data protection law. Firstly, it is evident, that due to the global dimension of data protection, national measures are not able to provide effective solutions anymore. It is equally clear, that there is a need to enforce the existing data protection law more effectively – especially towards the big internet-players, who are specifically targeting the European single market and its data subjects, to make significant profit.
However, the EU’s approach to apply its own data protection law extraterritorially is in certain cases questionable.
The problem concerning the lack of enforceability could in my view only be solved by the conclusion of bilateral agreements on legal assistance, which would allow the EU to enforce the GDPR in third countries. However, since the conclusion of such agreements is not likely to happen soon, the lack of enforceability remains insofar a core problem of the GDPR’s extraterritorial applicability that raises substantial doubts in its legitimacy. Now it is up to the ECJ to set certain limits to the extraterritorial application of the GDPR and to interpret Article 3 para. 2 GDPR in a more restrictive manner. Having Google Spain in mind, this might not be very likely, but desirable.
Otherwise, the EU might have to face the allegation that the new GDPR is nothing more than ‘European data protection imperialism’.
Alexander Kloth is an undergraduate assistant at the chair of Prof. Dr. Christian Calliess LL.M. Eur for Public and European Law at Freie Universtität Berlin
Cite as: Alexander Kloth, “One law to rule them all – On the extraterritorial applicability of the new EU General Data Protection Regulation” Völkerrechtsblog, 05 February 2018 , doi: 10.17176/20180205-094704