Generally, where the US prioritises freedom of expression as enshrined in the First Amendment to the US Constitution, the EU favours the right to privacy. The freedom to impart and receive information is an important component of freedom of expression. The right to erasure (‘right to be forgotten’) as articulated by the Court of Justice of the EU in its 2014 Google Spain judgment, whereby search engines must delist certain results upon requests from EU data subjects, and its subsequent implementation, show transatlantic divides over the right to freedom of expression vis-à-vis data privacy rights. In an attempt to combine fundamental rights concerns, permissive principles of jurisdiction, and questions of connection and reason, the research suggests a way for the EU to exercise jurisdiction regarding the right to erasure that will lessen transatlantic conflicts. Specifically, delisting should not be limited to EU country-specific websites that can easily be circumvented by going to a non-EU version of the same site, but nor should it be implemented globally, thereby subjecting the whole world to EU law. This approach can be applied in future situations where US and EU values, interests and laws on data protection and the freedom of expression collide.

Under public international law, a State has a right to exercise jurisdiction. States are expected to show restraint when attempting to regulate a situation with foreign elements. The research outlines territory- and personality-based permissive principles of jurisdiction. EU data protection provisions that lend themselves to extraterritorial application fall into the subjective territoriality, objective territoriality, passive personality, effects doctrine and potentially protective principles of jurisdiction. The provisions do not come under any one of these principles, but rather an interpretation of several of them. The applicable law articles in the General Data Protection Regulation could most plausibly constitute the objective territoriality (where an act is terminated) and passive personality (the nationality of a victim) principles. Whilst there appears to be a shift from territory to personality, for example, by referring to data processing in the context of activities ‘in the Union’ or individuals ‘subject to the jurisdiction of’ rather than data processing in the context of the activities ‘on the territory of a Member State’ or ‘in the territory of’ each state party’, to justify the exercise of jurisdiction, territory is still necessary to trigger the application of jurisdiction in the online sphere.

The question is raised of whether the EU is acting with the goal to raise rights protection standards for the global community in its exercise of extraterritorial jurisdiction in the data protection sphere. The research conceives of the EU’s exercise of jurisdiction as falling somewhere into three categories along a spectrum: pure rule diffusion (third States enacting laws to trade with the EU), consequential norm diffusion (third States striving for strong data protection having internalised these laws), or full norm export (the EU actively spreading a high data protection standard globally). First, the EU has used its market leverage to influence third State law. Second, the EU’s actions could incidentally ratchet up global data protection standards and start to take on more of a normative character; it could be consequential norm diffusion. Third, although initially appearing parochial, the EU increasingly sells its data protection regulation worldwide as the gold standard. Consequential norm diffusion, as opposed to self-proclaimed norm export, is the most effective way of spreading values in practice, but the EU also has responsibilities not to exercise jurisdictional overreach in viewing its role solely as an exporter of a strict data protection norm.

Jurisdiction under public international law, that is, a State’s authority to make, apply or enforce law, has long been rooted in the Westphalian notion of a State having sovereign authority within its own physical territorial boundaries. The current socio-technological landscape has witnessed temporal and spatial shifts, which have changed how the States exercise jurisdiction.

Governments, companies and individuals are handling ever more digitised personal data, so it is increasingly important to ensure this data is protected. The EU, compared to most non-EU States, strongly advocates the importance of protecting personal data. EU data protection law is often considered the strictest and certainly the most influential in the world. There is an extraterritorial character to this law that throws into question traditional notions of public international law jurisdiction, wherein legislative authority is limited by territory.

Whereas EU data protection law reflects its being a fundamental right in the Union, the US’ information privacy laws are rooted in the marketplace. This research offers ways to approach transatlantic jurisdictional conflicts with the underlying goal of mitigating them. It explores how the EU’s characterisation of data protection as a fundamental right conditions how it may, does and should exercise extraterritorial jurisdiction.

Simply being applicable could still permit far too much in terms of the extraterritorial reach of the EU’s data protection laws. The law of jurisdiction cannot solve all the present issues. It helps to solve conflicts in terms of sovereignty, but not fundamental rights. As such, this warrants a second-tier, additional set of criteria including degree of connection and interest-balancing as a rule of reason. The degree of connection between a regulated situation and the regulator, and interest-balancing are useful in assessing the legitimacy of the EU’s exercise of extraterritorial jurisdiction in the internet age, which throws traditional concepts of territoriality into question. Flowing from this, a rule of reason transpires. A State may legitimately exercise jurisdiction where it has an obligation to do so to protect a fundamental right, based on a permissive principle exercised reasonably, that is, after regulators have balanced different interests to identify the State with the strongest interest in regulating the situation, unless this harms the global interest.

One manifestation of tensions around the reach of EU jurisdiction is the US–EU Passenger Name Record (PNR) Agreement. The PNR Agreement provides guidance on processing and transferring EU individuals’ airline passenger data to the US Department of Homeland Security (DHS) for counterterrorism and security purposes. As the DHS does not apply the equivalent data protection standards to EU individuals’ personal data in the US as in the EU, however, the EU has continually renegotiated the Agreements, thereby increasing the territorial reach of its data protection law to enhance protection. Nonetheless, a territorial link between the EU and its exercise of jurisdiction, as well as a nationality-based link, suggest the EU has the authority to prescribe the law pertaining to its individuals’ PNR data transferred to the DHS. Through the PNR Agreement, the EU has managed to raise protection levels for all PNR data everywhere. EU authorities should push for the US–EU PNR Agreement to better protect its individuals’ data protection rights. If incorporated into the Agreement, this could be seen as a necessary form of legal diffusion of EU data protection standards beyond its borders.

Since the EU Charter of Fundamental Rights, which enshrines an autonomous right to data protection, gained binding legal effect in 2009, the right has gained broader territorial reach, become more prominent in jurisprudence and accorded more weight in balancing tests. Under international human rights law, the EU’s protective duty could apply in the a-territorial cybersphere in which data is processed. The Union has positive and negative obligations to respect, protect and fulfil its individual’ fundamental right to data protection. These are obligations of conduct and result, and apply within different spaces. The obligation to respect connotes a negative obligation of conduct, whereby the EU would have to refrain from conduct that would infringe upon someone’s enjoyment of the right to data protection. Similarly, the obligation to protect is a positive one of conduct, so the EU would be obliged to ensure a third party does not violate someone’s right to data protection. These obligations could legitimately apply outside EU territory or in places under its effective control. International human rights law casts a very wide jurisdictional net, however. This net per se would not serve to lessen transatlantic conflicts in jurisdiction, so public international law can offer some necessary limitations.

The extraterritorial dimension of EU data protection law has inspired conflicts in jurisdiction between the EU and other States, particularly the US, which has markedly different conceptions of data privacy. In terms of processing personal data, the EU prioritises the privacy and security of that data, while the US foregrounds national security, freedom of expression, access to documents, a free and open Internet, and international trade. The EU and US attitudes to privacy can broadly be placed on a spectrum of, at one end, the EU’s focus on human dignity and, at the other end, the US’ emphasis on liberty. These distinctions are malleable and based on generalisations; they are far more nuanced than just a dignity vs liberty dichotomy. Data protection is particularly interesting because it is not nearly a universal value. The EU has an omnibus data privacy regulation and the US has fragmented, sectoral approaches. In the US, the relevant laws concern fair information practices or informational privacy, as opposed to data protection. The US legal system assigns these less normative heft, which is a beginning point for many of the jurisdictional tensions surrounding the reach of EU law.

The EU’s actions show how the exercise of extraterritorial jurisdiction by one actor (the EU) based on local approaches to human rights standards and specific values (privacy and the protection of personal data) could lead to the convergence of values and laws on the global stage. Likely directions are decreasing territorialism or broad interpretations of ‘territory’, increasing elevation of fundamental rights to the disadvantage of certain competing interests, and the EU acting to set a high global data protection norm, enabled by the fundamental right to data protection conditioning its exercise of extraterritorial jurisdiction. Convergence could be resisted. If, however, the EU’s reach were strong enough to avoid or counter resistance, this would ultimately lead to fewer conflicts in jurisdiction as global standards would converge and, even in the EU–US data privacy law interface, commonalities and shared approaches to rights protection would emerge.

The discussion on transatlantic jurisdictional tensions could be constructed as one on enabling, or frustrating, free trade. The General Data Protection Regulation holds that personal data may be transferred only to States with an essentially equivalent level of data protection to that in the EU. This so-called adequacy standard pushes third States to enact EU-style regulation and has thus had extraterritorial effect. As the US has not received an overall adequacy decision, EU to US data transfers are based upon sector-specific agreements or other transfer mechanisms. In 2015, the Court of Justice of the EU invalidated the US–EU Safe Harbour agreement, which had enabled many EU–US data transfers for companies, ruling that it infringed privacy and data protection rights. Since then, both parties have renegotiated multiple data transfer agreements, each time to incorporate stronger EU data protection standards. US companies have realised the need to have privacy and data protection approaches closer to those in Europe to be attractive to the EU market. Ultimately, there is perceptible legal diffusion based on EU values. If the EU has managed this diffusion by requiring certain data transfer arrangements, the wider implications are that global data privacy protections are gradually becoming stronger.