To send this article to your Kindle, first ensure firstname.lastname@example.org is added to your Approved Personal Document E-mail List under your Personal Document Settings on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part of your Kindle email address below. Find out more about sending to your Kindle.
Find out more about sending to your Kindle.
Note you can select to send to either the @free.kindle.com or @kindle.com variations. ‘@free.kindle.com’ emails are free but can only be sent to your device when it is connected to wi-fi. ‘@kindle.com’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.
To send this article to your Dropbox account, please select one or more formats and confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your <service> account.
Find out more about sending content to Dropbox.
To send this article to your Google Drive account, please select one or more formats and confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your <service> account.
Find out more about sending content to Google Drive.
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution, and reproduction in any medium, provided the original work is properly cited.
1The Net and the Nation State (Uta Kohl ed., 2017); Dan Jerker B. Svantesson,Solving the Internet Jurisdiction Puzzle(2017).
2Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L. 281) 31; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 199) 1 [hereinafter GDPR].
3GDPR, supra note 2, art. 3(2) (emphasis added).
4Id., art. 45(1) (“A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.”).
5 Case C-131/12, Google Spain SL v. Agencia Española de Protección de Datos (AEPD), ECLI:EU:C:2014:317, paras. 55–56 (Eur. Ct. Justice, May 13, 2014).
6See Joanne Scott, Extraterritoriality and Territorial Extension in EU Law, 62 Am. J. Comp. L. 87 (2014).
7Charter of Fundamental Rights of the European Union, 2000 O.J. (C 364) 1 (Dec. 18, 2000).
8 Violeta Moreno-Lax & Cathryn Costello, The Extraterritorial Application of the EU Charter of Fundamental Rights: From Territoriality to Facticity, the Effectiveness Model, inThe EU Charter of Fundamental Rights: A Commentary 1662 (Steve Peers et al. eds., 2014).
9 Peter Margulies, The NSA in the Global Perspective: Surveillance, Human Rights and International Counterterrorism, 82 Fordham L. Rev. 2137 (2014).
10 Case C-362/14, Schrems v. Data Protection Commissioner, ECLI:EU:C:2015:650 (Eur. Ct. Justice, Oct. 6, 2015).
11Opinion 1–15 on Draft EU-Canada PNR Agreement, ECLI:EU:C:2017:592 (Eur. Ct. Justice, July 26, 2017).
12Google Spain, supra note 5.
13 Brussels Court of Appeal, Facebook Ireland Ltd., Facebook Inc. and Facebook Belgium B.V.B.A. v. Belgian Data Protection Authority (DPA) 2018/AR/410, May 8, 2019 (considering the jurisdictional question of whether the Belgian DPA had the competence to initiate enforcement action against Facebook for violating EU data protection law, a case now before the CJEU). Initially, Facebook Belgium and, by extension, the Belgian authorities were found to have the required “inextricable link” to Facebook, but now it is contested that the Irish supervisory authority should initiate such a case because Facebook has its principal EU establishment there).
14 Case C-507/17, Google Inc. v. Commission nationale de l'informatique et des libertés (CNIL), ECLI:EU:C:2019:772 (Eur. Ct. Justice, Sept. 24, 2019), in which the French DPA had fined Google for not de-referencing globally links to websites about EU subjects who had successfully requested this de-referencing.
15Id. at para. 73.
16Id. at para. 72.
17 Concerns over casting the net of human rights beneficiaries too wide, and thereby overburdening the state encumbered with extraterritorial obligations, have been central to the debate on the geographical scope of human rights treaties. See Samantha Besson, The Extraterritoriality of the European Convention on Human Rights: Why Human Rights Depend on Jurisdiction and What Jurisdiction Amounts to, 25 Leiden J. Int'l L. 857 (2012).
18See Paul M. Schwartz, The EU-U.S. Privacy Collision: A Turn to Institutions and Procedures, 126 Harv. L. Rev. 1966 (2013).
19 EU companies are barred from complying with U.S. secondary sanctions on the basis of Council Regulation (EC) No 2271/96 of 22 November 1996 Protecting Against the Effects of the Extra-Territorial Application of Legislation Adopted by a Third Country, and Actions Based Thereon or Resulting Therefrom, 1996 O.J. (L 309) 1. However, the Regulation does not provide for EU support in case an EU company faces enforcement action in the United States for non-compliance with U.S. secondary sanctions. See generally Tom Ruys & Cedric Ryngaert, Secondary Sanctions: A Weapon out of Control? International Legality of, and European Responses to, US Secondary Sanctions (Study for the European Central Bank, forthcoming 2019).
20See, e.g., U.S. Mission to the European Union, Statement from U.S. Secretary of Commerce Penny Pritzker on EU-U.S. Privacy Shield (Feb. 2, 2016) (arguing that giving EU data protection law a broad scope would significantly impede upon individual rights and the free flow of information). SeeCommission Implementing Decision (EU) 2016/1250 of 12 July 2016 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of the Protection Provided by the EU-U.S. Privacy Shield, 2016 O.J. (L 207) 1, 48–67.
21 In Schrems II, an Irish judge authorized the U.S. government to file an amicus curiae brief in support of Facebook. The High Court Commercial Ireland, [2016 no. 4809] Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems  para. 19 (“The United States has a significant and bona fide interest in the outcome of these proceedings. At issue in the proceedings is the assessment, as a matter of EU law, of the applicant's law governing the treatment of EU citizens’ data transfer to the US. The imposition of restrictions on the transfer of such data would have potentially considerable adverse effects on EU-US commerce and could affect US companies significantly.”). In Schrems II, Schrems requested that the Irish Data Protection Commissioner halt data transfers between Facebook Ireland and Facebook Inc. on the basis of Standard Contractual Clauses, on the ground that the relevant data may be subject to U.S. mass surveillance in violation of EU data protection law. The CJEU heard arguments July 9, 2019. It is unclear what the U.S. government position is.
22 The Brussels effect is defined as the “unprecedented and deeply underestimated global power that the EU is exercising through its legal institutions and standards,” which “it successfully exports . . . to the rest of the world.” Anu Bradford, The Brussels Effect, 107 Nw. U. L. Rev. 1 (2012).
23See, e.g., Facebook CEO Zuckerberg stating that the GDPR protections would in spirit (although not necessarily in detail) extend worldwide. Alex Hern, Facebook Refuses to Promise GDPR-Style Privacy Protection for US Users, Guardian (Apr. 4, 2018).
24See, e.g., Agreement on the Use and Transfer of Passenger Name Records (PNR) to the US Department of Homeland Security (DHS) of 2011 2012 O.J. (L 215) 1, 13, which provides for judicial redress for EU data subjects “in the US.”
25 Relatively weak EU bargaining power may result in agreements between the EU and third countries that insufficiently protect EU subjects’ data transferred abroad. See, e.g., Opinion 1–15 on Draft EU-Canada PNR Agreement, ECLI:EU:C:2017:592, para. 232 (Eur. Ct. Justice, July 26, 2017) (ruling that parts of the agreement did not comply with the EU fundamental rights to respect for private life and protection of personal data). It is likely that also the EU-U.S. PNR Agreement violates EU fundamental rights. Such agreements would have to be renegotiated to make them compatible with EU fundamental rights law.
Recommend this journal
Email your librarian or administrator to recommend adding this journal to your organisation's collection.