The GDPR as Global Data Protection Regulation?

The deterritorialization of the Internet and international communications technology has given rise to acute jurisdictional questions regarding who may regulate online activities. In the absence of a global regulator, states act unilaterally, applying their own laws to transborder activities. The EU's “extraterritorial” application of its data protection legislation—initially the Data Protection Directive (DPD) and, since 2018, the General Data Protection Regulation (GDPR)—is a case in point. The GDPR applies to “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services . . . to such data subjects in the Union; or (b) the monitoring of their behaviour . . . within the Union.” It also conditions data transfers outside the EU on third states having adequate (meaning essentially equivalent) data protection standards. This essay outlines forms of extraterritoriality evident in EU data protection law, which could be legitimized by certain fundamental rights obligations. It then looks at how the EU balances data protection with third states’ countervailing interests. This approach can involve burdens not only for third states or corporations, but also for the EU political branches themselves. EU law viewed through the lens of public international law shows how local regulation is going global, despite its goal of protecting only EU data subjects.

grounds, in part because Google had an establishment in an EU member state. 5 The case confirmed a data subject's right to erasure ("right to be forgotten"), which could have notable ramifications for internet users beyond EU territory. The GDPR reinforced this broad reach of EU data protection law.
The "extraterritorial" application of EU data protection law nevertheless has identifiable jurisdictional bases under public international law. First, the long arm of EU data protection law, with its attendant extraterritorial impact, is arguably based on territoriality, as it is triggered by a territorial link of an activity or person with the EU. Under the GDPR, territoriality may even be the key principle, where application of the Regulation to entities not based in the Union is triggered by their targeting or monitoring those "in the Union." In the literature, this process has usefully been termed "territorial extension." 6 Second, the broad geographic reach of EU data protection legislation appears to be related to individual rights premised on someone's demonstrable affiliation to the EU, which would ordinarily be citizenship or residence. Thus, the EU's assertions may be justifiable under the passive personality principle, which allows the EU to protect EU citizens or residents, e.g., in the context of transfers of EU subjects' data to substandard jurisdictions. Often, in fact, the EU's assertions are based on a combination of the territoriality and the passive personality principles, as illustrated by the fact that a data subject needs to show a "terri-national" affiliation to the EU when filing a request with a website to erase her data.

Fundamental Rights Considerations
The law of jurisdiction normally operates on the basis of permissions. For EU data protection, this means that the EU may be permitted to extend the geographic scope of EU law on the basis of territoriality or passive personality. However, on closer inspection, as data protection rises to the level of a fundamental right, the EU's exercise of jurisdiction may not just be permissive (discretionary), but also mandatory. The character of data protection as a fundamental right may create particular obligations for the EU to protect the right to data protection extraterritorially. It is of note in this respect that, unlike international human rights treaties such as the International Covenant on Civil and Political Rights or the European Convention on Human Rights (ECHR), the EU Charter on Fundamental Rights does not have a limiting jurisdictional clause. 7 Instead, the geographical scope of a fundamental right laid down in the Charter, such as data protection (Article 8), follows the scope of the EU's competences and the application of EU law. 8 The absence of a jurisdictional clause may pose fewer doctrinal limitations to the extraterritorial application of the Charter. Thus, it may inform the application of a "control" standard that is more relaxed as compared to the control standards used by, notably, the European Court of Human Rights to delineate the extraterritorial application of the ECHR.
Given the "virtual" nature of threats to data protection, the application of a functional "virtual" control standard may be apt. 9 Arguably, the EU incurs extraterritorial obligations when it exercises virtual control over an EU resident's data. This means that, insofar as the EU has the capacity to influence how data are treated abroad, it should harness this influence to have an EU data subject's data respected and protected. The EU should refrain from giving assistance to (extraterritorial) third parties' breaches (duty to respect) and should prevent such parties from committing breaches (duty to protect). This implies that the EU should construe EU data protection legislation in such a way that it safeguards the EU subjects' fundamental right to data protection against encroachment by third states and third state-based operators.

Foregrounding Data Protection
In practice, the EU may need to make sure that decisions and agreements on the transfer of data from the EU to third countries contain adequate data protection guarantees, or that foreign-based data controllers and processors targeting EU residents sufficiently protect the latter's data. All this may also explain why the CJEU has, in a string of well-known rulings with a transatlantic dimension, such as Schrems, 10 Canada-EU PNR, 11 and Google Spain, 12 so strongly emphasized the right to data protection over countervailing interests, such as security and the free flow of information. The CJEU thereby forced the EU to renegotiate agreements with third countries or forced foreignbased data controllers targeting the EU market to enhance the protection of EU residents' data. This trend looks set to continue. Pending and recent rulings cover questions on the reach of EU data protection jurisdiction abroad. One such request asks jurisdictional questions about which EU data protection supervisory authority may institute proceedings against, for instance, Facebook. 13 Another recent case pertained to the question of whether dereferenced Google links should be de-referenced across the EU or the global internet; should only those in the EU see redacted search results or should everyone-no matter from where they access Google-see redacted results? 14 The CJEU ruled that the scope of the DPD and GDPR did not require search engine operators to carry out de-referencing on all versions of the search engine. 15 Such broad de-referencing is not, however, prohibited. 16 The Court thus largely restrained its exercise of jurisdiction over foreign companies rather than foregrounding data protection at the expense of other important considerations.

Burdens and Pushback
While fundamental rights-inspired interpretations of data protection legislation may be welcome from an EU citizen's or resident's perspective, they may create additional and possibly unwelcome burdens for the EU political branches. These interpretations exert pressure on EU institutions not to neglect the protection of EU residents' data when entering into data transfer agreements with third countries or when allowing foreign operators to carry out commercial activities on the EU market. 17 In addition, and more importantly from a classic jurisdictional had the competence to initiate enforcement action against Facebook for violating EU data protection law, a case now before the CJEU). Initially, Facebook Belgium and, by extension, the Belgian authorities were found to have the required "inextricable link" to Facebook, but now it is contested that the Irish supervisory authority should initiate such a case because Facebook has its principal EU establishment there perspective, the "extraterritoriality" of EU data protection legislation, or rather its territorial extension, risks conflicts with third countries. Such countries may claim that they have an equally strong or even stronger link to a situation than the EU does. For instance, the United States may claim that it is entitled, on territorial security grounds, to request information about passengers boarding aircraft bound for the United States. It is not self-evident that the EU, in wishing to adequately protect these passengers' data, necessarily has the stronger jurisdictional link. Ultimately, the EU-U.S. stand-off over these records was "solved" on the basis of a passenger names records (PNR) agreement (which may, strictly speaking, however fall foul of EU data protection law given the concessions made by the EU).
Even if it considers a data transfer agreement with a third country unlikely, 18 it is in any event advisable for the EU to take into account the legitimate interests of third countries. This mitigation exercise may be walking a fine line because the EU is required to guarantee the protection of EU residents' data, even in an extraterritorial context. As it happens, data protection is a field in which unilateral assertions of jurisdiction have not often met with foreign sovereign protest. This state of affairs may raise the impression that such assertions are considered lawful and reasonable. An explanation for the absence of foreign sovereign protest is that such assertions are often brought to bear on private operators controlling and processing data. Typically, these operators have strong economic clout and may be viewed by foreign governments as being able to fend for themselves. That is, they are able to protest unlawful or unreasonable jurisdictional assertions on their own, without foreign sovereign intervention. Similar dynamics have been at play in the field of sanctions law, where European governments have sometimes left "their" corporations to their own devices when confronted with U.S. secondary boycotts. 19 Doctrinally speaking, however, private actors' protest about a state's or the EU's jurisdictional assertion does not "count" for the determination of the lawfulness of such assertions under customary international law. After all, for customary law to crystallize, state practice is required. Nevertheless, there are some instances of states-notably the United States-voicing concerns over the extraterritoriality of EU data protection legislation, although it is not always clear whether its concern amounts to protest on legal grounds. For instance, while the United States undeniably resisted the EU's attempts to apply EU data protection law to the PNR transfer from the EU to the United States, it is doubtful whether this resistance was based on a U.S. perception that the application of EU law to PNR amounted to an unlawful exercise of prescriptive jurisdiction. Similarly, with respect to data transfers, while the United States may have opposed the inclusion of strong EU-style data protection norms in the U.S.-EU Safe Harbor and its post-Schrems Privacy Shield, 20 it may not necessarily have viewed the extension of EU law to U.S.-bound data transfers as unlawful. 21