Global regulatory competition on digital rights and data protection: A novel and contractive form of Eurocentrism?

Abstract Global regulatory competition is a recent phenomenon that confronts us in various different fields, ranging from food and chemical safety to climate change, and animal welfare to environmental law. The digital economy is not immune to this trend, and it seems highly unlikely that this will soon come to an end when we consider the radical differences between the European Union and the United States with respect to the importance they assign to the right to privacy and the right to freedom of speech. Nevertheless, despite their differences in content, it can be contended that they both tend to disregard the interest of others even though they have enough resources at their disposal to take them seriously. This becomes visible when the recent case law of the CJEU and the recent regulations such as the GDPR and the US CLOUD Act are taken into account. Their similar attitude to regulating for the globe raises the question of whether we are confronted with a new type of Eurocentrism, which is more contracted and introverted than the previous expansionist version. The article argues that unilateralism should be a selfless one and that it should necessarily consider outsiders if it is to acquire legitimacy.


I. Introduction
Global regulatory competition is a recent phenomenon encountered in various fields such as food and chemical safety, climate change, and animal welfare. The digital economy is not immune to this trend, and it seems highly unlikely that regulatory competition between big powers will soon come to an end. Despite the early pessimistic views which suggested that global regulatory competition would lead to forum shopping, deregulation, and a 'race to the bottom', 1 recent studies have revealed that this represents only half the rules of comity. 12 On the other hand, as an exceptionalist, Daskal suggests that it is necessary to design new jurisdictional rules capable of representing the legitimate interests of states in extraterritorial regulation as well as the countervailing interests of foreign states. 13 Similarly, Scott contends that regulatory territorial extension can be justified only because we have a right to avoid being complicit with the global wrongdoings committed abroad. 14 Likewise, decoupling the notion of unilateralism from egoism and selfishness, Ryngaert asserts that unilateral actions can be justified insofar as it is motivated not by parochial interests, but by the common interests of the international community. This should be selfless intervention pursuing a cosmopolitan agenda and aiming to promote the general interest of the global community, as opposed to the parochial interests of the states. 15 Research dealing with global governance of the internet may take two different approaches: concentration on institutions or concentration on norms. If stress is put on institutions, then the focus would be on associations, organizations and meetings such as the Budapest Convention of the Council of Europe, the World Summit on the Information Society or the World Conference on International Telecommunications. 16 In this article, however, the focus is on norms, specifically the way norms governing digital rights and data flows began to crystallize and how norm generation plays out in the global regulatory sphere. It thus looks for the ways in which unilateral regulation can be considered legitimate under the conditions where the choice is between unilateralism and inaction, as reaching a multilateral consensus on global data regulation seems highly unlikely. Admitting that neither output (the best regulation) nor input (consent-based) legitimacy may provide us with a framework for legitimate ways of global unilateral regulation, it confines its attention to the following question: How is it possible to avoid Eurocentric legal domination when data forces any regulator into going global? Revisiting concepts such as comity, benevolent unilateralism and inter-legality, it asserts that to be accepted as legitimate, any attempt to global regulation should be inclusive and take on an other-regarding perspective as well as bear the responsibility of assuming the role of a global regulator. It may also may lead up to its commitments only if it remains genuinely committed to taking others' perspectives seriously instead of showing a late sympathy after an already decided one right answer was already imposed on them. As things stand, the only way to realize this is to brush aside the logic of harmonization in favour of mutual recognition.
The presence of competition between different actors does not always mean the approaches taken by the competitors are dissimilar. A competitive attitude may display a common mode of governance below the surface, despite there being divergent practices at first glance. For example, the European Union takes a rather cosmopolitan and global approach by imposing its conception of digital rights onto the world. The United States, however, abstains from regulation on the grounds that it will impair innovation. 17 Nevertheless, both tend to disregard the interests of the other, adopting similar versions of unilateralismnotwithstanding their robust regulatory capacities, which are able to include outsiders. The human rights impact assessment is a case in point. Even though whether the regulation is compatible with the human rights law has been analysed, the question of just how inclusive the impact assessments are has generally been overlooked. Taking the question of legitimacy to centre stage, this article examines the problem of extraterritoriality as a special case of global regulatory competition (section II). It then covers the EU and US approaches toward data regulation and digital rights (sections III and IV), with a focus on the debate surrounding the right to be forgotten (section II), data transfer from the EU to the other countries (section III) and the US CLOUD Act, enacted following the Microsoft case (section IV). It then turns to the points on which the European Union and the United States diverge and converge (section V) with respect to digital rights. After this, it examines ways to cope with the extraterritorial characteristics of data, suggesting that Ryngaert's selfless intervention and Woods' comity-based proposal (section VI) may be useful in legitimating unilateral regulation. By illustrating how these approaches appear in relation to one another, the article concludes by suggesting that they can be subsumed under the headings of inter-legality (section VI) and that it is possible to sustain plurality of legalities without falling victim to global monism, notably due to mutual accommodation and recognition (section VII).

II. Global regulatory competition as diffusion of law
Interaction between legal orders is not a novel phenomenon; on the contrary, legal isolationism is the exception rather than the rule when viewed from a historical and comparative perspective. 18 It is therefore not surprising that numerous terms exist that address the phenomenon of diffusion of norms; these include transplant, borrowing, reception, transfer, imposition, transposition, expansion and spread. 19 However, our current form of norm diffusionone that has captivated the attention of numerous scholars such as Anu Bradford, Joanne Scott, Marise Cremona and Ionna Hadjiyiannidiffers from its precursors. 20 First, it departs from the state-centric, modernist explanation of the interaction between different legal orders and the post-modernist approach epitomized by the legal pluralist movement. In the former, the diffusion of law is generally 17 The line is generally drawn -I think wronglybetween liberal Western states defending free data flows and multilateralism, and the conservative Global South militating for state control and intergovernmentalism. See Ibid. 18  associated with the migration of legal codes from one state to the other, whether as part of a modernization movement 21 or as a colonial imposition. By contrast, norms emanating from different legal orders, which are by nature un-hierarchical and pluralist, take up the role of legal pluralist in the latter. 22 Nevertheless, the states take the pride of place in today's global regulatory competition, or diffusion of norms, despite the very crucial role played by transnational actors, private regulators and digital platforms. 23 Regulatory competition between states is an indirect consequence of globalization, which has a 'destructive effect' 24 on the uniform and homogenous international legal order of the post-World War II period. It has played such a key role in questioning our traditional understanding of territorial legal systems, depicted as the black-box model composed 'of self-contained and self-sufficient normative and institutional boxes', 25 that today it is possible to spot new legal norms burgeoning in the interstices between national and international law. In short, the crisis generated by globalization has provided ample opportunities for an inductive jurisgenerative process. 26 This mismatch between territorially bounded states and new transnational regulatory actors, such as digital platforms, internet service providers, private organizations and NGOs, gives birth to 'a transnational struggle for law' in which 'each state is trying to impose its own standards on the others by using ISPs as soldiers for the defense of national values'. 27 Hence, the conditions under which this global regulatory competition holds closely resemble Hobbes' state of nature, where global players 'pursue their own goal and thus aim to establish norms that are favourable to their interests'. 28 This, in turn, leads to a situation that Frydman calls 'pannomie, where norms spring up from everywhere, enacted by improvised legislators, public or private'. 29 However, this is not something to drive us to despair, for in the dearth of the global legal system that may tell apart law from non-law, 30  As Rudolf von Jhering succinctly states, 'the life of the law is a strugglea struggle of nations, of the state power, of classes, of individuals'. 32 The struggle is the essence of law; it is not something to resort to in exceptional situations. It is a struggle between incompatible interpretive judgements, yet it is never tantamount to pure power and politics. It only points to the undergirding reality upon which law is founded: that law is a means to reach certain social and political ends. 33 It is a gateway through which politics is transformed to normativity. In summary, the regulatory competition between states is not an aberration. On the contrary, it exhibits the very nature of law: law flows from the clash of competing interests and normative standpoints. Nevertheless, despite this conflictual, competitive and political dimension of law, it is still a global law when seen from the perspective of Walker's reading. For global law is, he submits, 'a practical endorsement of or commitment to the universal or otherwise global-in-general warrant of some laws or some dimensions of law'. 34 Thus, it is global not because it springs from a global source, but rather because it aspires to regulate the globe for the sake of some 'globally defensible good reasons'. 35 In a nutshell, pluralism that arises from regulatory competition in the global sphere is not incompatible with global law, but instead is a perfect example of it.
Scott distinguishes extraterritorial legislation and territorial extension to reveal how global regulatory power can legitimately be brought to bear. She classifies the former as an illegitimate form of global regulation owing to its failure to establish the necessary territorial connection, serving as a legitimating factor for the latter. 36 Her distinction has considerable explanatory power in many diverse areas, including regulations about aviation in the emission trading scheme, financial services and maritime transport; 37 nevertheless, data escapes any type of territorial connection. The fact that any superpower, arrogating to itself the legitimate role of global legislator, can establish a legitimate connection with data 38 seriously undermines the explanatory power of Scott's distinction in telling us when a global regulation is legitimate. 39 Admitting that Scott's categorization falls short of covering global data regulation, an experimental classification is needed, which pays less attention to how the alleged global regulator presents itself than to its hidden attitudes and motivations. Here, the underlying logic of Scott's distinction may prove useful. She rests her classification on the view that, if it is to be legitimate, global regulation should 'ensure a sufficient international orientation'. 40 In a nutshell, it should bear the responsibilities that come with the role of the global regulator by leaving aside, at least to a certain extent, its autonomous objectives, and giving the other's perspective and 32 R Von Jhering, The Struggle for Law (Callaghan, London, 1915) 1. 33 39 I would like to thank an anonymous reviewer for pushing me to propose a different conceptualization in analysing what makes any attempt to global regulation legitimate; this led me to explore the underlying logic of Scott's distinction. 40 Ibid 124.
interests a modicum degree of consideration. This can only be done when the logic of harmonization is put aside in favour of mutual recognition. They differ significantly in how they promote convergence of norms. For mutual recognition, as an alternative to harmonization, does not confine itself with one all-encompassing regulation (one right answer), but rather aims at reaching this objective by preserving the diversity and autonomy of the others. 41 Bearing this in mind, the article dwells on, not being content with any sort of dubious territorial connection, the attitudes of alleged global regulators with a view to shedding light on how responsible global regulation differs from its selfinterested counterparts.
III. Global reach of the as 'adequate' and signing two successive agreements with Japan that connect international trade to data protection. 52 In the European Commission's recent communication, A European Strategy for Data, it is clearly noted that 'the EU has a strong interest in … shaping global standards and creating an environment in which economic and technological development can thrive, in full compliance with EU law'. 53 The European Union is able to leverage its market power by indirectly setting global standards or it may restrict access to its market based upon countries providing substantively equivalent protection. 54 In both cases, the European Union connects its market power to its regulatory capacity, as it has been doing for decades regarding its internal policies, which can be summarized as 'integration through law'. That is not to say that the European Union sees law merely as a means to its political ends. To the contrary, it uses law as an end to itself, treating it as a tool. Just as law has been the driving force of the EU internal integration process, it is now helping with 'engaging in shaping, importing and promoting international legal norms' 55 outside. The European Union is destined to oscillate between its own interests and its own values. 56 On the one hand, it must respect 'the principles of the United Nations Charter and international law'; however, on the other, the EU is subject to the guidance of 'the principles which have inspired its own creation, development and enlargement, and which it seeks to advance in the wider world'. 57 It is therefore, by nature, torn between its values and interests, from which it can only liberate itself if the European Union sets the standards for the globe. 58 However, the question of whether it bears full responsibility for being a global regulator still hangs in the air, as the European Union is still under the spell of 'harmonization'. 59 The European Union's digital rights On 13 May 2014, the CJEU held in a landmark ruling that Google was obliged to remove the search results pertaining to a 'Mr. Gonzalez', on the grounds that he was entitled to the 52 59 For the importance attributed to notions such as 'global convergence in the area of data protection', 'fostering a global culture of respect for privacy' and 'promoting convergence of data protection standards at international level', see Communication from the Commission to the European Parliament and the Council, Data protection as pillar of citizen's empowerment and EU's approach to the digital transitiontwo years of application of the General Data Protection Regulation Com/2020/224 Final. right to be forgotten. 60 In the ruling, the Court draws attention to the balance between an individual's right to be forgotten and the public's right to access information, pointing out that this balance may change depending on the degree of importance assigned to the data subject and the content of the information at stake. 61 This ruling did not disambiguate on whether Google's responsibility was limited to the geographical boundaries of the country where the complainant filed its application, or extended to the globe. In other words, the territorial scope of the right to be forgotten is still a matter of controversy. Google Spain, rather than claiming a universal jurisdiction, opined that even though it does not directly have jurisdiction over Google, this does not mean that it lacks jurisdiction over Google Spain, and so indirectly Google. 62 Against this backdrop, the CNIL (French Data Protection Agency) imposed a penalty on Google in 2015 on the basis that it failed to apply de-referencing requests globally and limited its scope of application to country-specific borders through its geo-blocking technology. In September 2019, the case came before the CJEU, which ruled that the EU law neither requires nor prohibits ordering a global de-referencing request 63 because it falls within the competence of each member state to determine the exact scope of dereferencing, depending on the balance struck between competing rights. 64 The Court, however, made it clear that the principle of uniform application of the EU law entails that 'the de-referencing in question is, in principle, supposed to be carried out in respect of all the Member States'. 65 One month later, in October 2019, the CJEU ruled, in a fashion bearing out its ambivalent and indeterminate approach towards the scope of the right to be forgotten, that the member states are not precluded from 'ordering a host provider to remove information … worldwide'. 66 In those two judgments, the EU applied what Scott calls territorial extension by establishing a territorial connectionyet data, as already shown above, eludes territory. And this brings into question whether it is still legitimate to establish an artificial territorial connection.
The European Union's Data Transfer Standard: Between mutual recognition and harmonization On 6 October 2015, in Schrems, the CJEU was called upon to rule on the compatibility of the Commission Decision 2000/520/EC (Safe Harbour Principles), which ensures that the United States provides an adequate level of protection and allows data transfer from the European Union to the United States. The Court, highlighting the crucial importance of the right to effective judicial remedy 67  principle, 68 and specifying the necessity of reading the Commission Decision in light of the Charter of Fundamental Rights, found the level of protection to be inadequate. By doing so, it drew attention to Article 7 (right to privacy), Article 8 (right to data protection) and Article 47 (right to an effective remedy and fair trial). However, the Court's emphasis on 'the essence of the fundamental rights' goes one step further than proportionality review because even a proportionate measure may be deemed to compromise the essence of that right. Thus, it leaves undetermined the question of which measures will entrench upon the essence of the right as well as what is expected from foreign authorities in finding a proportionate balance between data protection and competing interests, and when this will occur. As such, it gives almost a free hand to the ECJ in assessing the level of protection provided by the other legal orders.
Schrems I is also challenging with regards to balancing because the CJEU tilts the balance away from criminal surveillance and undermines the importance of data flow for surveillance and cooperation in criminal matters. 69 Epstein contends that the Court in Schrems I adopted a highly dogmatic methodology that was reminiscent of the judicial reasoning of the conceptual jurisprudence of the nineteenth century. In not assessing the impact of data privacy on surveillance, it gives one right answer to the delicate balance between access to information and data protection: 'the privacy right in data … [is] a fundamental interest deserving the highest protection'. 70 However, despite all these criticisms and the ambivalent nature of balancing focusing on the essence of right, the ruling can still be palatable when the legal conditions prevalent in the United States are considered. For instance, the safe harbour principles are 'applicable solely to self-certified United States organizations receiving personal data from the European Union, and United States public authorities are not required to comply with them'. 71 Further, in case of conflicting obligations originating from national security concerns, self-certifying organizations may be obliged to comply with them. This may seriously undermine the rights-holder's right to effective judicial remedy, as the US legal system does not vest data subjects with required 'administrative or judicial means of redress'. 72 So the absence of such a mechanism to assess the necessity of measures taken by the US authorities, particularly when they oblige self-certified organizations to deviate from the safe harbour principles, provided a legitimate base for the Court's ruling.
This decision effectively ended the large-scale data transfer from the European Union to the United Stateswhich was not surprising given that, in 2013, Edward Snowden had revealed the surveillance activities of the US intelligence services. Within a very short period, in August 2016, the European Union and the United States reached a new agreement in order to reopen the flow of data from Europe to the United States. The Privacy Shield, in contrast to its predecessor, gave US authorities such as the FTC and DOJ the power to oversee whether companies voluntarily pledging to follow the EU standards were indeed observing the rules. Further, it established an independent supervisory institution, the US Ombudsman, to provide a forum through which individuals could 68 'Legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter': Schrems I, para 94. 69  raise their grievances if they suspected that their digital rights were being violated. 73 However, the Privacy Shield could not succeed in saving itself from the same fate suffered by the Safe Harbour. In July 2020, building upon its arguments in Schrems I, the Court stated that 'the limitations on the protection of personal data arising from the domestic law of the United States … are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law, by the second sentence of Article 52(1) of the Charter'. 74 This ruling is highly controversial when seen in the light of principle, expressed by the ECJ on numerous occasions as meaning that the term 'adequate protection' does not necessitate an identical level of protection; rather, it entails 'a level … that is essentially equivalent to that guaranteed within the European Union'. 75 That is so because the equivalent protection principle is an alternative to harmonization that demands one right answer (the European Union's answer) to the balance between data protection and, say, criminal surveillance, and thus it requires granting a certain margin of appreciation to the other legal orders. Nevertheless, this appears to be highly unlikely if the CJEU lays down the application of proportionality analysis as it is applied by itself as a condition for regarding foreign law as adequate without leaving enough discretion to the foreign authorities.
On its face, Schrems II may seem more palatable than Schrems I because the Court, adjusting its proportionality analysis and giving up its 'essence of right' discourse in favour of a more flexible balancing exercise, assesses the minimum safeguards provided by the foreign law in light of the Charter of Fundamental Rights. 76 However, when it is read in depth and contextually, a different picture begins to emerge. First, unlike AG Saugmandsgaard's detailed analysis in which he weighs how the measures taken by the US authorities for national security concerns impact the EU's digital rights, 77 the CJEU's balancing exercise seems to be afflicted with the right to effective judicial remedy. However, those are different issues to be separated from each other. Finding a balance between digital rights and national security is independent of whether the essence of right to effective judicial remedy is compromised. In Schrems II, the CJEU seems to confuse these different rights as, even in the balance between digital rights and national security, it appears to be obsessed with the right to effective judicial remedy. 78 Its recourse to the notion of 'effective of enforceable rights' 79 can be interpreted as an attempt to create a connection between digital rights and the EU's understanding of right to effective judicial protection, which may only be met when data subjects are endowed with actionable rights 'before the courts against the US authorities'. 80 73  In its analysis of the right to effective judicial protection (Art. 47), the Court therefore affirms that none of the regulations in the US legal system 'grants data subjects rights actionable in the courts against the US authorities, from which it follows that data subjects have no right to an effective remedy'. 81 Seen in this light, any legal system that falls short of providing an effective judicial protection owing to its different legal tradition is deemed inadequate from the perspective of the CJEU, which seems more aligned with the logic of harmonization than mutual recognition. This argument can also be observed in the references made to the ECtHR's case law in Schrems II, contrary to the AG's elaborate legal reasoning engaging also with the ECtHR's case law. 82 As such, it is misleading to expect from the CJEU that it takes notice of the differences between legal orders when it shies away from even referring to the ECtHR. Schrems II, when evaluated contextually, turns out to be rather problematic because it comes right after the legal adjustments made by the US legal system to align its legal order with the expectations of the CJEU. Against this backdrop, a question springs to mind: Is there any adequate measure that is not identical to the EU legal system but meets the demands of the CJEU? As stated clearly by Christakis, Schrems II 'is without a doubt a constitutional judgment' attempting to create a 'holistic and coherent regime of protection', and thereby raises the suspicion of European legal imperialism. 83 Opinion 2/15 and the GDPR: Still going global? There are two additional incidents that demonstrate how the European Union has recently expanded its global regulatory reach. With the first, in 2015, the CJEU found an international draft agreement on the transfer of passenger-related data from the EU to Canada incompatible with the EU's digital rights. The Court upheld its equivalent standard developed in Schrems, then also expanded its scope of application by assessing whether an international agreement was congruent with the Schrems standard. 84 Shrems involved the evaluation of the adequacy of foreign law through the mediation of the EU Commission's decision. However, in Opinion 1/15, the Court made a straightforward evaluation of the compatibility of an international agreement with the Charter of Fundamental Rights (CFR) by using the charter as a standard in the assessment of international treaties. 85 This ruling prompted significant criticism for ruling that the level of protection provided by a country like Canada as inadequate. Given that Canada's level of protection does not meet CJEU's standards, one can assume that it would be all but impossible to find a significant number of other countries that could satisfy the expectations of the European Union. This may, in turn, lead to data balkanization. Critics of the ruling centred on the EU's blind unilateralism and voiced 81 Para 192. 82 This point is important because the level of protection accorded to digital rights in the ECHR regime is lower than the EU legal order, which may be observed in the detailed analysis of Advocate General: see particularly AG Schrems II, para 282. 83 T Christakis, 'After Schrems II: Uncertainties on the Legal Basis for Data Transfers and Constitutional Implications for Europe', European Law Blog, 21 July 2020, available at: <https://europeanlawblo g.eu/2020/07/21/after-schrems-ii-uncertainties-on-the-legal-basis-for-data-transfers-and-constitutionalimplications-for-europe>. 84  concerns that the CJEU was using data protection as 'a vehicle' 86 in its aspirations to be a global regulator. The second incident occurred in May 2018 when the EU rolled out its new-generation data-protection regulation (GDPR) as a successor to the 1995 Data Protection Directive. 87 It attracted significant attentionso much so that the rollout date of 25 Mayhas been nominated by some as World GDPR Day. 88 The GDPR contains a critical provision regarding extraterritoriality, which serves an important role in the analysis presented in this article. Article 3 of the GDPR stipulates that the regulation 'applies to the processing of personal data of data subjects who are in the Union' even if the controller is 'not established in the Union', either when the processing activities can be tied to data subjects 89 or when they occur in a place 'in a place where Member State law applies by virtue of public international law'. 90 By placing the emphasis on data subjects, the directive extends its scope of application, and therefore goes one step further than Google Spain's location-based approach. As such, it provides a fertile ground for the European Union to further extend its regulatory reach by imposing obligations on foreign companies that are not even physically located in the European Union. The GDPR extends its 'territorial regulation with far-reaching extraterritorial effect' 91 to such a degree that even international organizations such as the United Nations have been affected, particularly in areas such as refugees, health research and migration. 92 This step could be construed as a move that is simply concerned with its own residents rather than foreigners, even though it has some secondary consequences going far beyond this. 93 According to this argument, the directive does not amount to a unilateral imposition of its own values, for it is more concerned with the level of data protection provided for EU citizens than non-EU citizens. 94 But this still does not provide a sufficient justification for the legitimate use of global regulatory power, as it does not concern itself with how the others are affected by the regulation.
Actual intentions aside, this directive makes it apparent that the European Union engages in extraterritorial regulation, be it in the form of market-driven or treaty-driven harmonization. However, the EU is not the only actor with global aspirations and an interest in extending its regulatory arm. China is developing its own understanding of digital rights and data governance with its Great Firewall, banning a large number of apps and websites from China's digital territory. These include YouTube, Google, Twitter and 86 Ibid. 87 It is also classified by many scholars as a global regulation under the guise of an EU regulation: see, for example, C Ryngaert and M Taylor, 'The GDPR as Global Data Protection Regulation? (2020) 114 AJIL Unbound 5. 88  Microsoft based its argument on the fact that the relevant data was stored in Ireland and giving access would be an extraterritorial application of the SCA, which is also at odds with the original intention of the Act. 99 Although several district courts sided with the government by placing the emphasis on the location of the company, the Second Circuit reversed these judgments, stressing the importance of the location of the data. The Circuit Court further stated that to enforce such a warrant, 'insofar as it directs Microsoft to seize the contents of its customer's communications stored in Ireland, constitutes an unlawful extraterritorial application of the Act'. 100 Unfortunately, it was not possible to obtain a US Supreme Court decision because the CLOUD Act provided a political resolution to the dispute. The CLOUD Act, amending the pertinent article of the SCA, stated that any 'provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to … disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber … regardless of whether such communication, record, or other information is located within or outside of the United States'. 101 The Act also stipulates that the Court, in cases where its obligation conflicts with that of an instruction made by a foreign government, should take into consideration 95  numerous other factors such as the interest of the foreign government, the provider's ties to the United States, the importance of the investigation and the possibility of less restrictive means. 102 In short, although the CLOUD Act obliges all US-based companies to disclose information regardless of where the data is located, it also enumerates the grounds on which foreign states' conflicting interests may be taken into consideration.
One of the problems the CLOUD Act claims to address is highly relevant to the concept of extraterritoriality: the fact that the SCA did not allow the United States to disclose data to foreign countries. 103 As such, foreign governments, when in need of the US-held data, had to resort to the mutual legal assistance treaty (MLAT), which was burdensome and inefficient, the process often lasting up to one year. 104 In order to address this issue, the CLOUD Act created a mechanism for foreign governments by which they would enter into a bilateral agreement rather than the MLAT, provided that the data subject is not someone who is an American citizen or inhabitant. 105 It is, therefore, still not possible for foreign countries to access data gathered and stored by a US company, outside of the MLAT mechanism. This reflects the underlying rationality of the fourth amendment, which differentiates persons located in the United States from foreigners and excludes the latter from the purview of the Bill of Rights. 106 This therefore creates a double standard by endowing US citizens with a higher degree of protection while leaving non-US citizens at the mercy of the US government's political preferences.
The beginning of this section outlined the arguments proposed by the two sides of the dispute in the Microsoft Ireland case. Namely, the government's argument is founded on the location of the company (access point), and Microsoft's argument is that the location of the data is relevant to determine the competent authority and jurisdiction. However, neither of these arguments is entirely sound. Assuming, arguendo, that the jurisdiction of the court depends on the location of the data, this will lead us to accept that the jurisdiction of the court will depend on the choices of the internet service provider regarding where to locate their data. 107 From this, it follows that every government, with the intention of regaining its jurisdictional competence, will resort to data-localization and compel the ISPs to store their data within their own borders. 108 Conversely, if, arguendo, the jurisdiction of the court is based upon the location of the company, then the vast majority of data-related cases will fall under the jurisdiction of the United States, as most the of the ISPs are based there. Hence, I conclude that it is necessary to find a middle ground between data-localization and universal jurisdiction. Under this scenario, data will become accessible even if it is located abroad, and the states will show mutual respect and deference to the autonomy and interests of each other. 109 102 Ibid. 103 J Daskal, 'Microsoft Ireland, the CLOUD Act, and International Lawmaking 2.0' (2018) 71 Stanford Law Review 9, 13. 104 Ibid 13. 105 Ibid 14. 106 See, for example, Daskal, 'The Un-Territoriality of Data' (n 9) 334-65. For a detailed comparative analysis scrutinizing how different legal regimes such as the United States, the European Union and the ECHR strike a balance between the right to privacy and the state's surveillance activities, see F Bignami and G Resta, 'Human Rights Extraterritoriality: The Right to Privacy and National Security Surveillance', in E Benvenisti and G Nolte (eds), Community Interests Across International Law (Oxford University Press, Oxford, 2018), 357-80. 107 Ibid 390. 108 Ibid. 109 Ibid 393.

V. The reasons for divergence and underlying similarities Two types of culture: Cultures of authority and justification
The United States has always been an exceptional country, and law is by no means an exception to the rule of exception. By means of illustration, the United States has the most antiquated constitution in the worldover 200 years oldwith a unique federal system. 110 It is impervious to what is referred to as the global model of constitutional rights, a model that includes social and economic rights, grants horizontal effect to rights, incurs positive obligations to the state and uses proportionality analysis as a legal method in balancing competing rights. 111 In the same vein, the United States maintains its exceptionalism in data regulation by according an extensive protection to the freedom of speech. 112 As such, it is apparent that there is a 'conceptual gulf' 113 between the United Sates and the European Union in terms of data protection. In fact, this gap emanates from dissimilar conceptions of rights, regulation, legal systems and legal culture prevalent in the European Union and the United States. According to Porat and Cohen-Eliya, the United States represents an example of the culture of authority in which 'rights are viewed as demarcating the boundaries of the governmental sphere of action and as imposing restrictions on governmental action and authority'; 114 the European Union, by contrast, provides an example of the culture of justification in which 'every exercise of power is expected to be justified'. 115 Accordingly, the legal culture in the United States is founded on the idea that autonomous individuals should be protected from the infringement of the state, so rights are considered as exclusionary reasons, trumps or side-constraints against state intervention. 116 By contrast, the European Union presumes that rights can only be materialized if the state undertakes positive steps, 117 so rights lose the moral power they possess in the United States. They are devaluated to the level of mere interests, values or principles in the continental tradition, which can be balanced against competing community interests. Basic rights, therefore, are thought to be '"equally constitutive" for both individuals and society', as they 'encompass their own limitations'. 118 As such, the right to privacy and the right to data protection have recently ascended to the level of rights not because rights are more valued in the European Union, but because they are less valued in the European Union than they are in the United States.
This demonstrates why there are two different paradigms on the two sides of the Atlantic with respect to the relationship between individual, market and state. Whereas Europeans are disposed to be suspicious of the market and to be more comfortable with state intervention, 119 the market in the United States is perceived as more of an opportunity where an individual may reap the rewards of their own decisions rather than as a threat to be guarded against. 120 It follows from this distinction that Europeans are more risk averse and pro-regulation than Americans, who prefer risk-taking and ex-ante solutions. Therefore, where Europeans opt for an approach based upon ex-ante regulation in order to alleviate unexpected risks and outcomes, Americans defer the distribution of resources first to the market, then to the courts with a tort system. 121 To conclude, Europe represents a tradition in which the individual is embedded in society and therefore the state may intervene in both the market and the private sphere in order to rectify the market/individual failures. Conversely, the presumption of individual autonomy and the proper functioning of the market are almost irrebuttable in US legal culture.
I think this diverging stance towards regulation is due to the role attributed to law in different legal traditions. As made clear by Bomhoff in his recent historical analysis focusing on the question of how balancing is understood differently in the United States and Germany, balancing is seen as a tool for reaching 'a perfect constitutional order' in Germany (and now in the European Union), while it was treated as 'a dangerous doctrine' in the US legal scholarship. 122 Digital rights also bear the imprint of the foregoing distinctions. The underlying regulatory logic in the United States is that intervention with digital rights is legitimate unless proscribed by the law, as opposed to the European Union, which presumes that any infringement with a fundamental right is a violation unless it is justified. 123 The EU has a model of rights protection in which individual autonomy prevails over consent, and thus this is a regime where 'rights talk', 124 rather than a system where individual consent is deemed to hold the ultimate value. In summary, by placing special emphasis on individual autonomy, the European Union protects an individual for their own sake, contrary to the United States, where an individual is viewed as a customer and protected for the sake of the market. 125 This has further implications for the general framework set out. Unlike the compartmentalized and vertical structure of the United States, the European Union has developed 118  a comprehensive horizontal model centred on proportionality analysis and applicable to any type of rights collision. 126 Thus, contrary to the European Union where digital rights have already gained the status of constitutional rights, the United States, giving priority to data privacy over data protection, has taken a piecemeal, sector-specific approach, like 'a mosaic of normative instruments covering a variety of issues'. 127 The positive approach of the United States to the free flow of information in the marketplace of ideas 128 is another point of divergence that follows from the differences between the European Union and the United States described above. Whereas the European Union pushes forward for stricter and more comprehensive protection of digital rightsthe rights to privacy and data protectionthe United States is a staunch defender of the freedom of speech, innovation and the free flow of data. Internet regulation is another case supporting the sofar developed argument. Whereas the United States embraces a system of internet regulation, grounded in the idea of self-regulation, the European Union adopts a system of co-regulation that depends on the collaboration among government, individuals and ISPs. 129 To illustrate, section 230 of the US Communication Decency Act shields ISPs from any sort of civil and criminal liability as long as they only store and broadcast content created by others. 130 Further, it does not hold them accountable if they voluntarily act 'in good faith to restrict access to or availability of material' 131 deemed to be illegal, obscene and harmful. In a nutshell, it creates an environment conducive to the selfregulation and empowerment of ISPs. 132 Conversely, the European Union's Electronic Commerce Directive of 2002 is more sympathetic to the ISPs' liability than the US equivalent and leaves ample room for state intervention. 133 In sum, law carries out different functions and assumes different roles in the European Union and the United States, which has important implications for the form that global data regulation is supposed to take.
The points of convergence: Are they that different? It is also worth emphasizing that while these approaches are normative preferences that reflect historical and cultural values, they also reflect the stances taken with respect to global politics and regulatory competition. That is, the notion of digital sovereignty, the discourse of fundamental rights and the global reach of EU digital rights mirror the European Union's recent efforts 'to fill the economic gap distancing them from American and Asiatic technology giants'. 134 Thus, although they diverge significantly from each other with respect to the content of the regulation, they converge on one point: aspiration towards regulating the globe. Moreover, the European Union and United States adapt very similar policies and pay almost no regard to the interest of other states. Even the European Union, which seems highly flexible in terms of giving consideration to the interests of others as exemplified in the Inuit exemption, 135 can be seen in a different light when the GDPR is read in conjunction with the CJEU's recent rulings. As mentioned in section 3, the CJEUparticularly in Schrems II and Opinion 1/15comes very close to equating an adequate standard with its own standard. Even before these judgments, the CJEU was criticized for prioritizing 'a European perspective on privacy interests, but not necessarily a global one'. 136 This one right answer approach adopted by the CJEU, particularly in Schrems II and Opinion 1/15, bears the risk that its 'commitment to promoting rules-based multilateral solutions to common problems will turn into an attempt to promote its own legal solutions by equating the latter with universal values'. 137 Thus, the EU should grant a wider margin of appreciation to other countries than it leaves to its own member states. It is a logical consequence that the more global the regulation, the wider the margin of discretion should be.
With regard to the US CLOUD Act, as Woods points out, it fails to factor in the other states' interests and thereby leaves US companies with no choice but to unilaterally enforce US laws across the globe. 138 As such, it also pushes foreign countries toward data localization, 139 for they cannot access data gathered by US companies because of the CLOUD A, closer. In other words, this approach 'encourages the balkanization of the internet into multiple closed-off systems protected from the extraterritorial reach of foreign-based ISPs'. 140 However, as Woods points out, this would have been avoided by adding a minor clause to the CLOUD Act stating that the Act does not 'apply to law enforcement requests made outside the United States and that U.S. companies are therefore free as a matter of U.S. law to comply with those requests'. 141 In this light, it seems abundantly clear that the regulatory competition does not stem from a differing notion of rights. Instead, it emanates from the very similar unilateral attitudes towards global regulation that are clearly visible in the procedural clauses of the GDPR and CLOUD Act. The CLOUD Act makes access to data stored in the US territory 142 conditional upon a bilateral agreement in the same way that the GDPR obliges the foreign countries to a data transfer agreement. Given that the alternatives are highly cumbersome and ineffective, they serve as a default sanction, and in some sense countries are forced to align their policies with the GDPR or the CLOUD Act. Furthermore, this bilateral agreement, using the same logic as the GDPR, will not only be subject to periodic review by the US government, but also obligates the foreign government to grant the same access to the US government. 143 Daskal points to the similarities between the CLOUD Act and the GDPR by asserting that, just like GDPRwhich is applicable to any company doing business with the EUthe CLOUD Act 'represents an effort by the United States to set international standards, but via domestic regulation rather than a global meeting of governments'. 144 For Daskal, this is a new mode of international law-making because it uses technology giants as leverage to reach the globe by merely regulating domestic incidents. 145 The only difference between the European Union and the United States seems to be the source from which they derive their powers: whereas the US derives its power from the data collected by US companies, the power of the European Union is grounded in its market and data-generating human capital.

VI. How to regulate?
Ryngaert's selfless intervention and benevolent unilateralism Good intentions do not always make good consequences, so we may end up in a situation that is diametrically opposed to our normative preferences. This is the case that we face with the GDPR and the CLOUD Act. 146 The GDPR has been one of the main causes of data localization because it 'has led cloud computing providers to offer services storing personal data on servers exclusively located in the EU' in order to avoid the strict and demanding provisions of the GDPR for transferring data abroad. 147 Similarly, the CLOUD Act left foreign countries with no viable alternative other than data-localization. 148 Therefore, any investigation into ways in which unilateralism can be used more constructively must also address the shortcomings of these regulations and their monolithic approaches.
Given that international institutions and international law have suffered losses against global issues such as climate change, migration, human rights and so on, its restrictive and bounded forms, unilateralism seems to offer a promising alternative to multilateralism. 142 Not all the data is located in the United States, nor is it always possible to determine the location of data. Here, the phenomenon to which the term 'US-based' refers is that the data gathered, processed and stored by US companies originates from the territorial borders of the United States. 143 Daskal, 'Microsoft Ireland' (n 103) 9, 13-14. 144 Ibid 15. 145 Ibid. At a time when 'the choice is not between unilateralism and multilateralism, but between unilateralism and inaction', 149 unilateralism, bounded by subject matter and time, may be more defensible than simply standing back and observing as the multilateralism mess worsens. Intervention for the sake of global commons and responsive to unilateralism's anti-democratic nature could be a very promising solution to the tragedy of multilateralism. Ryngaert refers to this as benevolent unilateralism 150 because it takes seriously others' interests, right to self-determination and right to be free from domination. 151 Benevolent unilateralism does not depend on output legitimacy; it has a normative dimension that gives a prominent place to the idea of consent. As such, mechanisms through which affected states and parties could raise their voices, such as the right to access to justice and information as well as principles such as transparency and accountability, might prove useful. 152 Additionally, instruments such as consultations, making impact assessments and expanding the right to access to justice 153 could help to improve input legitimacy. Another way to increase input legitimacy is through equivalent standard clauses, by which a regulating country treats the regulations enacted in another country as adequate as long as they provide a level of protection above a certain threshold. 154 It is of utmost importance to incorporate the perspective of outsiders into the decision-making process, no matter how limited it is, for it carves out a space in which a dialogic relationship unfolds between insiders and outsiders. In this case, decisions draw their legitimacy neither from the output nor from the input, but rather from the process itself, and this comes very close to the type of legitimacy recently referred to as throughput legitimacy. 155 It also resembles the integration method fostered by the European Union, by developing iterative and continuous dialogue between different legal orders with judicial techniques such as the Solange jurisprudence and principles like subsidiarity and proportionality. As may be recalled, in Solange I the BVerfG denied the principle of supremacy of EU law, affirming that it would continue to carry out fundamental rights review so long as the EU legal order fills its gap of fundamental rights protection. 153 For a study considering the right to access to justice as a foundational right owing to the role it plays in jurisgenerative process, see G Palombella, 'Access to Justice: Dynamic, Foundational, and Generative' 34(2) Ratio Juris 121. 154 Ryngaert (n 15) 125-30. 155 'Output legitimacy requires policies that work effectively while resonating with citizens' democratic ideals, values and identity. Input legitimacy depends on citizens expressing demands institutionally and deliberatively through representative politics while providing constructive support via their sense of identity and community. And throughput legitimacy needs processes that work efficiently and inclusively while promoting constructive interaction.' See VA Schmidt, 'Democracy and Legitimacy in the European Union Revisited: Input, Output and "Throughput"' (2013) 61(1) Political Studies 2, 10 (emphasis added). 156 'As long as [Solange] the integration process [in the European Communities] has not progressed so far that Community law also receives a catalogue of fundamental rights decided on by a parliament and of settled validity, which is adequate in comparison with the catalogue of fundamental rights contained in the [German] Constitution, a reference by a court in the Federal Republic of Germany to the Nevertheless, 12 years later in 1986, the Court ceased to carry out its fundamental rights review, finding the level of protection ensured by the EU legal order substantially equivalent to that of Germany. It further admitted that it will abstain from such a control activity, 'as long as the European Communities ensure effective protection of fundamental rights'. 157 As may be inferred from the foregoing, it is incongruent with the logic of harmonization and seeks ways in which the logic of mutual recognition may set in motion a process of gradual norm-accumulation.
Hence, Solange jurisprudence is a method that uses time as a tool by giving each party enough time and space for mutual accommodation, and places significant importance on the process. It is an iterative, dialogic process between the CJEU and the high courts of member states, oscillating relentlessly between two opposing poles: more conflictual Solange I type rulings such as Maastricht, Lisbon and PSPP, and more coordinated Solange II type rulings such as the BverfG's Banana judgment. 158 Unsurprisingly, other higher courts in a more horizontal context, where interaction transpires between heterarchical legal orderssuch as the ECHR, the European Union and the United Nationshave recently taken advantage of the Solange method. To illustrate, whereas the ECtHR's Bosphorus case exemplifies the Solange II type, 159 the CJEU's Kadi case is a good example of the Solange I type. In short, it is a method that serves as an interface between different legal orders, which may also be considered a special case of judicial comity. 160 It is grounded in the idea that when states 'seek to set global standards, it is quite obvious that they should keep in mind the impact of their policies on others, and that they should balance the others' interests against their own'. 161

Comity as part and parcel of inter-legality
The problem of extraterritoriality is indeed a problem of allocation of authority, for states pass judgments on issues that have a bearing on other jurisdictions. As such, this brings to the fore the question of sovereignty, authority and autonomy. This may seem like an ageold doctrinal dilemma that calls for finding a compromise between different authoritative institutions; 162 however, the persistent questionssuch as how to apply comity and when to defer to a foreign authorityare still challenging because they, first and foremost, compel us to strike a balance between two competing interests: (1) the state's interest to solve the case pursuant to its own law; and (2)  deciding the case according to its own law. 163 Hence, in this view, comity entails that the deferring authority should strike a balance between competing interests rather than show absolute deference to foreign authority. 164 Contrary to this balancing-based approach to comity, it is also plausible to think of comity as a presumptive rule requiring an authoritative institution to show deference to the judgment of another one. In this narrower reading, comity is not a matter of absolute discretion that is granted to a deferring authority, but instead is about an obligation to show respect towards the foreign authority even though it is not bound by the decision of the latter. 165 For instance, Endicott posits that comity does not stem from 'the rights of the first (foreign) authority, nor even from the first authority's success in carrying out its duties but from the second (deferring) authority's duties to those whom the second authority serves, and to those whom the first authority serves'. 166 Further, he makes clear the link between comity and subsidiarity by claiming that the former is a special (horizontal) version of the latter. 167 He argues, embedding this relationship between authoritative institutions in Raz's service conception of authority, 168 that 'general reasons for comity are found in the service that the second authority (the one acting with comity) ought to provide to persons subject to its own authority, and in the value of the first authority's capacity to provide a service to persons subject to it'. 169 Thus, there is an indirect relationship of duty between two authoritative institutions deferring to each other mediating through the individuals that they are supposed to serve. In sum, comity derives its legitimacy directly from the people residing in the territory of the other states 170 and from the service deferring authority provided to this people, not from the due respect accorded to sovereign authority.
It can be asserted that comity necessarily requires taking other legalities into account, and thus it can be said that it is closely associated with inter-legality, which concerns itself primarily with the interaction of legalities. 171 For inter-legality, it is a mistake to confine the scope of legality to the territorial borders of a legal system or sectoral boundaries of a legal regime. It is necessary to take an intersectional approach to the legalities at stake in a world that is inevitably interconnected. It is, in the end, about 'changing the epistemic standpoint' 172 by decoupling legality from the idea of systemic validity, 173 because when legality is saved from the shackles of systemic validity, it is possible to observe legality even at the intersection of different legal orders. Thus, it problematizes one-dimensional and monolithic approaches, rendering the outsider's perspective immaterial 174 just as Ryngaert's benevolent unilateralism and selfless intervention are committed to doing. It is, therefore, inherently connected to the underlying principles of comitythat is, taking the other legalities or legal authorities into account. Even though it is generally preoccupied with the problem of monolithic judicial reasoning in the case law, 175 it is a mistake to confine inter-legality to the realm of judges and to questions of what a judge can do when confronted with seemingly incompatible ought-judgments arising from different legal orders. 176 In today's closely connected and interdependent world, inter-legality appears to be a vital tool for addressing the question of how legalities should respond to each other and how they can solve the problem of plural normativity that emanates from the interaction itself.
When viewed from this angle, inter-legality also appears to address the issue of how our policies bear on others. To address the question of how legalities respond to the intervention and extension of other legalities, it is useful to treat each legality as a legal order 'having its own administrative machinery'. 177 As argued by Chiti, at the heart of inter-legality lies the process of recognition, which is triggered when legalities interact, and determines the responses towards the other legalities. 178 Solange jurisprudence, a special case of the principle of comity, and other 'pluralist procedural mechanisms, institutional designs or discursive practices that maintain space for consideration of multiple norms from multiple communities', 179 can all be considered examples of interlegality. In these cases, inter-legality unfolds during a sequence of events in which legalities interact with each other. 180 From Solange jurisprudence to comity or to the procedural proportionality review, 181 these tools serve as an interface to the process. Here, inter-legality, rather than focusing on one case, one judge and one thought process, expands its scope by focusing on the process in which interaction plays out. One can observe how legalities recognize the existence of other legalities and how they allocate authority by using these so-called interface norms. Lastly, by forcing us to change 'the epistemic standpoint', 182 inter-legality provides us with an opportunity to see the legalities beyond the legal systems and to counter the threat of legal domination of a one-right legal system, which is a permanent risk on which it is necessary to keep a wary eye. 183 It warns us against the threats coming with the logic of harmonization, which today seems to be the dominant view among the global competitors.
Data governance from the perspective of inter-legality The claim that data protection has begun to emerge as a novel global value seems almost uncontroversial today. 184 Nevertheless, any attempt at unilateral regulation, in the absence of a global regulator that may enact global data regulation, poses significant problems from the perspective of the principle of sovereign equality. However, since unilateral regulation appears to be the only possible way forward, it is imperative to find ways to mitigate the externalities generated by unilateralism and transform it into something more inclusive and participatory. Here, principles such as showing mutual respect and accommodation, and considering the other's perspective, 185 seem to be viable alternatives. It is also important to consider a selection of undesirable cases that are to be avoided, and some representative examples that can be found in data governance: (1) blocking statutes; (2) global injunctions; and (3) lack of comprehensive impact assessments. These approaches harm the principle of comity and inter-legality by fostering selfish unilateralism.
Blocking statutes 'prevent compliance with another country's laws' 186the US CLOUD Act is a good example of this. Even though global injunctions are not necessarily detrimental to inter-legality, they risk neglecting the legitimate interests of the other side, and thereby are one of the primary concerns for the inter-legal approach. As an example, the Canadian Supreme Court's Equustek judgment, despite it being an example of a global injunction, presents a good example of the inter-legal approach. The Court stated, giving a prominent weight to the arguments from comity adduced by Google, that, 'If Google has evidence that complying with such an injunction would require it to violate the laws of another jurisdiction … it is always free to apply to the British Columbia courts to vary the interlocutory order accordingly. To date, Google has made no such application.' 187 Inversely, the EU has taken a rather controversial stance towards data transfer from the European Union to the United States. First, it should be clarified once again that the European Union's position was much more defensible before Schrems II 188 because of the Snowden Revelations and apparent lack of effective judicial remedy in the US legal order. Today, it can be asserted that the European Union has jurisdiction over digital platforms because 'data processors are using computer equipment located within the EU; for example, by collecting data from EU-located computers by means of 'cookies', JavaScript, ad banners and spyware'. 189 As such, it seems highly indefensible that the GDPR's global reach is somehow a reflection of the European Union's many distinctive characteristics versus simply the unilateral imposition of European rules. The still-functioning colonial ties of the European Union, its highly accessible and easily transferable regulatory model and its culture of integration based upon the idea of mutual accommodation and compromise 190 are the properties that are supposed to be the driving force behind its global regulatory reach. However, this functional explanation has lost much of its explanatory power, particularly in the wake of Schrems II, and it has become highly vulnerable to the criticism of Eurocentrism. It is possible to raise similar concerns regarding the US CLOUD Act, brought into existence in the aftermath of the Microsoft case, because it also makes access to data contingent upon the acceptance of terms unilaterally imposed by US companies.
As may be inferred from the examples above, the practices of global injunctions and blocking statutes do violate the basic tenets of inter-legality by harming its pluralist component through leaving a very limited scope for the outsider's perspective. They represent serious interventions to the plural coexistence of legalities, which may foster the sectoral fragmentation of international law, for sectoral fragmentation comes with global regulation and sectoral closure. In short, these practices suffocate the plurality inherent in inter-legality. One further fact worth mentioning is that the European Union does scarcely factor in the negative externalities engendered by extraterritorial intervention, 191 as pointed out by Scott in his study of the global reach of EU law. Scott gives an example from an impact assessment conducted by the EU Regulators regarding measures taken against countries allowing non-sustainable fishing. She notes that 'no assessment of the negative impact of the EU measures on small-scale fisheries and associated downstream industries within the Faroe Islands' 192 was carried out by the European Union. Similarly, Kuner contends, with respect to data regulation, that even though EU legal documents contain comprehensive human rights impact assessments, it is fair to claim that they are inclined to consider only their impact on the European Union, rather than on third countries. 193 VII. In lieu of conclusion: A novel type of Eurocentrism? Achille Mbembe speaks of a utopian borderless world, where every individual is endowed with the right to free movement and, more importantly, inalienable rights. 194 Mbembe's cosmopolitan ideal, nourished by post-colonial and post-modern critiques, reminds us of the artificiality of borders, which are erected to exclude some to the advantage of the others. However, exclusion does not come only in the form of physical borders, boundaries and frontiers; it may also come in the form of epistemological borders that dismiss one's knowledge, perspectives and ideas as irrelevant by rendering them invisible. Seen from this perspective, any form of unilateralism, be it in the form of internal regulation with extraterritorial effects or stealth unilateralism in the form of the Brussels effect, should be met with the following questions: 'Whose law is it?' and 'Is it inclusive?' These are laws that flow from Western powersnamely, the European Union and the United Stateseven though they appear to stand in conflict with one another. They are problematic due to their apparent disregard for how their policies impact third parties and condemned. But this cannot be right: the key question is not whether somebody is included or excluded but what 'inclusion' and 'exclusion' mean. 203 Eurocentrism is an approach that puts Europe at the centre of all knowledge by marginalizing other perspectives due to their immaturity and/or inferiority. This view assigns 'truth only to the Western way of knowledge production', 204 thus negating the knowledge produced outside the borders of the West. This gives rise to 'self-referentiality, or solipsism where the Europe engages in a monologic relationship with others'. 205 Accordingly, ideas, developments or cultural differences from outsiders do not carry much importance because Europe has no need to interact with other states. Nonetheless, any type of methodological nationalism or Eurocentrism as such brings about Western political and moral superiority or priority, the prevention of which requires at least a modicum of other-regarding-ness. We should decentre Europe by demarginalizing the already marginalized outsiders. In short, if the West is to eschew methodological Eurocentrism, by imposing its own views to the world unilaterally, it should question the potential impacts of its regulations upon the others. As Cover reminded us, every legal order has its own narrative, its own interpretation and its own nomos, and when they interact with each other, the judges as 'people of violence' 206 kill one interpretation in favour of the other. However, the fact that every interpretation is a jurispathetic activity does not mean that it should be tantamount to epistemicidethat is, the murder of knowledge. 207 As indicated above, there is a close connection between non-domination and the consent-like mechanism; nevertheless, there is also one other dimension that comes with the idea of non-domination that needs to be stressed: the sense of responsibility. Even if it is not possible to have recourse to the consent of the others, it is still possible to feel morally and political responsible towards them. The Aristotelian conception of responsibility includes two minimal conditions for the attribution of responsibility to someone: (1) the agent should have a minimum degree of control over the action (control condition); and (2) they should know what they are doing (epistemic condition). 208 Nevertheless, any conception of responsibility is doomed to fail unless it takes seriously the perspective of the agent who is affected from the action (patient). That is, it should not confine itself to the perspective of the responsible agent. The question of to whom the agent is responsible bears at least as much importance as the minimum conditions of individual responsibility. In short, it should shift its focus from an agent-centric approach to a relational one that is more interested in the quality of relationship than the attitudes of agent. 209 When viewed from a relational perspective, the role played by epistemic condition in the responsibility attribution changes significantly. For once, responsibility requires agents to provide explanation and clarification about why they decided to take particular action as well as to be aware of how their actions affect the lives of the patients. 210 This is to say that, when responsibility is seen from a relational perspective, the epistemic condition takes a turn to justification, obliging the agents not only to be aware of their actions but also to 'be able to explain decisions to someone, to be able to answer someone who rightfully and reasonably asks "Why?" when given a decision or when acted upon'. 211 Thus, the scope of responsibility is all but impossible to grasp without paying due regard to the social context in which it is embedded because it is a social, dialogical and necessarily relational concept. 212 It insists on answerability and justification.
Responsibility is, therefore, different from accountability. For instance, accountability is related to holding someone to legal account, and thus confined to a legal perspective. Responsibility, however, is a term that goes beyond legal obligations. In that regard, the courts are 'responsible courts' 213 only if they succeed in hearing the voices coming from the other side of the border, despite always being accountable to their own legal order. As such, being a responsible court requires hearing the grievances raised from other legal orders even if they are legally immaterial from an accountability perspective. The distinction between responsibility and accountability may be explained with a distinction made by Amartya Sen. He argues that being sympathetic towards others is individuated from being committed to doing something. According to Sen, whereas 'sympathy is combinable with self-interested behaviour' and 'does not signify a departure from self-love as the only accepted reason for action', committed attitude 'is a clear departure from self-interested behaviour'. 214 The latter forces us to leave our point of view and adopt an other-regarding attitude. 215 It demands us to leave our comfort zone and commit ourselves to take the perspective of the patient seriously. For instance, the blocking statutes, global injunctions or insufficient impact assessments all fall short of meeting the demands of a committed attitude, even if they all become compatible with the demands of sympathy. As pointed out earlier, data regulation has a natural bias to going global, so it calls for responsibility, which may only be realized if one takes a committed stance rather than a sympathetic one, bearing in mind the relational dimension of responsibility. It requires us to become more inclusive, either in the process of regulation or at the time of implementation of the unilaterally designed regulation. 210 Ibid 2058-60. 211 Ibid 2061. 212 Ibid 2062. 213 Palombella (n 183) 390. 214