CIPP/E, GDPR DPP, GDPR DPT, Strategic Privacy by Design
Anastasiya has been a consultant in our team since 2020. With a specialization in ensuring compliance with personal data protection legislation across diverse jurisdictions, she brings extensive experience in conducting audits, drafting documentation, and managing cross-border data transfers. Her project portfolio spans various sectors, including mobile applications, particularly those designed for children, startup ventures, streaming platforms, and more.


Navigating the Jurisdictional Chaos: An International Law Perspective on the Extraterritorial Application of Data Protection Laws

In the era of rapid globalization and seamless digital connectivity, the processing of personal data transcends national borders. As processing operations become increasingly interconnected worldwide, the choice of applicable law emerges as a critical domain. It has become common among States to extend the force of privacy laws extraterritorially, which raises the question of the compatibility of this practice with international law. This essay delves into the concept of extraterritoriality in the context of data protection, examining the challenges it presents from an international law perspective.

Notion of Extraterritoriality

Traditionally, the territory of the State is the most universally accepted limit to jurisdiction. However, the advent of the internet has disrupted this traditional paradigm. Effortless transnational data flows present a significant challenge to established jurisdictional boundaries. Therefore, there is a need for a re-evaluation of legal frameworks to safeguard individuals’ privacy rights, as data controllers’ activities have effects in, and affect citizens of, multiple States.

In the absence of international standards and universal treaties on data protection, States include a clause on extraterritorial application in their privacy laws, obliging companies to comply with foreign legislation under specific conditions. At the heart of this paradigm shift lie the States’ aspirations to protect the personal data of their citizens as it traverses borders, especially against harmful conduct by multinational enterprises incorporated in other States. Despite private international law developing various tests to determine applicable legal frameworks, these concepts often misalign with the factors influencing the application of data protection laws. Common criteria for establishing applicability, such as targeting a State’s residents or monitoring their behaviour, processing the data of a certain number of residents, or having an organizational presence, create challenges when data controllers meet the requirements of multiple laws simultaneously. This complexity underscores the need to view data protection law as a self-contained system, where its application depends solely on its unique set of jurisdictional rules. Nevertheless, this raises a question – under what circumstances can a State invoke such power towards foreign actors, and is it compatible with international law?

While there is no universally agreed-upon definition of extraterritorial jurisdiction, this notion may be summarised as a State’s attempt to impose, apply and enforce national legislation beyond its territory, on condition that the conduct in question affects the interests of the State and in the absence of regulation under international law. The exercise of this competence can take various forms, including prescription and enforcement. In the context of data protection law, it becomes imperative to assess these components separately.

Prescriptive Extraterritoriality

The initial facet of extraterritorial jurisdiction, known as prescriptive jurisdiction, comes into play when a State asserts authority to establish legal norms. Notably, a foreign State’s attempt to do so outside its own territory can lead to direct conflicts with the territorial State’s efforts to enact similar laws. A prominent illustration of this issue arises when the laws of the country where a data controller is established and the laws based on the residence of its data subjects are simultaneously applicable, a situation often deemed “overreaching” by many scholars. Practical challenges compound due to significant variations among data protection laws. For instance, conflicts may arise in legal grounds for data processing, rules concerning the involvement of data processors, cross-border transfers, and procedural requirements, creating a complex landscape for compliance with all the rules.

Not only does extraterritoriality bring practical challenges, but it also raises the question of its balance with respect for State sovereignty. Traditionally, extraterritorial jurisdiction is viewed as permissible only in exceptional circumstances, as States cannot unilaterally determine the limits of their competence beyond their territories. However, when it comes to prescriptive jurisdiction, although not without contestation, human rights bodies have expressed the view that jurisdiction may be extended extraterritorially to the human rights impact of the activities of entities, such as companies, which are subject to a State’s effective control. Even though there is no appropriate definition of control in terms of data protection, we may conclude that it is exercised by virtue of prescriptive jurisdiction. In this scenario, States regulate the conduct of data controllers, including those located outside the country. This assertion aligns with the obligation to safeguard the rights of citizens. According to the ‘functional’ approach to extraterritorial jurisdiction, it can be exercised when a State has control over the enjoyment of the rights in question, regardless of any physical control over territory, the perpetrators or the individual. This leads us to the conclusion that States can control the exercise of the rights by prescribing boundaries of permissible conduct for entities. Therefore, there is an agreement that a State may impose rules on processing the data of its citizens and penalize unlawful actions regardless of territorial boundaries. This broad prescriptive jurisdiction, however, is not accompanied by extraterritorial enforcement jurisdiction.

Extraterritorial Enforcement

The foundational principle of enforcement jurisdiction, as established in the Lotus case, dictates that a State “may not exercise its power in any form in the territory of another State.” While it is acknowledged that a State possesses the power to prescribe law extraterritorially, the legal regime is more stringent for enforcement jurisdiction, which ensures compliance with its laws. Without the host State’s consent, such conduct is deemed unlawful as it violates the State’s right to respect for its territorial integrity and political independence.


To avoid this violation, under international law, a State can only extend its powers outside its territory through a permissive rule derived from international custom or a convention.

In data protection law, compliance is ensured by means of, inter alia, imposing fines, deciding legal claims, handling complaints, conducting investigations, and issuing injunctions to stop data processing. However, the only way to make such practice lawful is to obtain the State’s permission for the exercise of the enforcement actions, which may be granted through bilateral agreements or multilateral instruments. Even though there are regional instruments, they do not address the issue of extraterritoriality or the laws’ priority when they overlap. Moreover, existing instruments mostly have a declarative character and are implemented differently from State to State. Accordingly, they are not sufficient to be regarded as the State’s permission for an extraterritoriality clause.

The effectiveness of extraterritorial enforcement measures is also a subject of debate, which is confirmed by existing case law on the extraterritorial application of data protection laws. For instance, the European Court of Justice held that the right to be forgotten had no extraterritorial application and that the decision concerned only the territory of the European Union. Nevertheless, this approach undermines the primary objective of extraterritorial application, which is to ensure data subjects’ rights. In this scenario, it appears that, in order to delete a search result, a data subject would need to resort to multiple foreign courts—a task that is evidently impractical. This raises the question of the rationale behind extending the application of laws when, in practice, the core aspect, the exercise of data subject rights, becomes practically unattainable.

Regarding the punitive aspect of enforcement, scholars agree that such measures violate international law. Even though in practice there have been proceedings initiated by supervisory authorities against foreign data controllers, the issue of how these penalties will be enforced remains unclear. Nevertheless, recent cases indicate that foreign companies cooperate with Data Protection Authorities and adhere to their orders despite the absence of enforcement jurisdiction. States, notably, have not voiced any significant protest against the assertions of jurisdiction. This lack of objection can be attributed to the fact that such assertions often target private entities responsible for controlling and processing data.

The argument in favor of extraterritoriality is its “deterrent” effect. Scholars emphasize that the risk of enforceable sanctions has the most significant impact on influencing the behavior of data controllers, with reputation risk being a top concern associated with non-compliance, rather than effectiveness of enforcement measures. However, I do not entirely endorse this perspective. Extraterritorial jurisdictional claims are unreasonable because it is not possible for those active on the Internet to adjust their conduct to all the laws of all the countries in the world with which they come into contact. It would be far more reasonable to limit this extraterritoriality. This underscores the need for jurisdictional restraint and a greater acceptance of international values in establishing the boundaries for international data transfer regulation.


For instance, procedural clauses on deadlines, requirements on accountability documents and record keeping should not be applied as they may differ and do not affect the essence of data subjects’ rights. For example, it may be reasonable to ask a foreign company to abide by a country’s abuse-prevention rules, such as rules on the fair processing of data or penalizing unauthorized use of personal data. This request could be justified based on a certain degree of contact between the company and the country. However, this same level of contact may not warrant the country imposing obligations on the company, such as designating a Data Protection Officer or preparing separate documentation. The consideration of such factors helps establish a more nuanced and practical approach to the extraterritorial application of data protection laws.


Conclusion

In conclusion, the intricate landscape of extraterritorial application of data protection laws raises multifaceted challenges that extend beyond the traditional boundaries of State jurisdiction. The extension of prescriptive jurisdiction to entities subject to a State’s effective control aligns with a functional approach but demands careful consideration. The lack of a universally agreed-upon definition of control in data protection further complicates matters, emphasizing the need for a balanced and globally accepted framework.

Enforcement jurisdiction, on the other hand, introduces a more stringent set of rules, highlighting the delicate balance between a State’s interest in protecting its citizens’ rights and the respect for another State’s territorial integrity. The need for the State’s consent to enforcement underscores the importance of diplomatic cooperation and bilateral or multilateral agreements to legitimize the practice. Otherwise, the effectiveness of enforcement measures, as demonstrated in case law, remains debatable, which is especially important in cases of severe violations.

In light of these complexities, there arises a compelling call for jurisdictional restraint and a greater acceptance of international values to delineate the limits of the territorial scope of data protection laws. Striking a balance between safeguarding data subjects’ rights and avoiding unreasonable burdens on entities operating in the global digital space becomes paramount. This can be achieved by excluding procedural clauses from the extraterritorial obligations and developing rules on applicable law that do not clash with one another. To this end, the global community must engage in constructive dialogues to develop a coherent and universally accepted framework for the extraterritorial application of data protection laws. Only through collaborative efforts and a shared commitment to international standards can we navigate the intricate web of extraterritoriality in the evolving landscape of data protection.
