Transatlantic Jurisdictional Conflicts in Data Protection Law: Fundamental Rights, Privacy and Extraterritoriality 1108489567, 9781108489560

Citation preview

transatlantic jurisdictional conflicts in data protection law This book looks at transatlantic jurisdictional conflicts in data protection law and how the fundamental right to data protection conditions the EU’s exercise of extraterritorial jurisdiction. Governments, companies and individuals are handling ever more digitised personal data, so it is increasingly important to ensure this data is protected. Meanwhile, the Internet is changing how territory and jurisdiction are realised online. The EU promotes personal data protection as a fundamental right. Especially since the EU General Data Protection Regulation started applying in 2018, the EU’s data protection laws have had strong effects beyond its territory. In contrast, similar US information privacy laws are rooted in the marketplace and carry less normative heft. This has provoked clashes with the EU when their values, interests and laws conflict. This research uses three case studies to suggest ways to mitigate transatlantic jurisdictional tensions over data protection and security, the free flow of information and trade. Mistale Taylor is Counsel at the Public International Law and Policy Group. Her background lies in public international law and data privacy law. She has published and presented on many subjects, including international law, human rights, ethics, privacy and data protection as they relate to emerging technologies.

Published online by Cambridge University Press

Published online by Cambridge University Press

Transatlantic Jurisdictional Conflicts in Data Protection Law fundamental rights, privacy and extraterritoriality MISTALE TAYLOR

Published online by Cambridge University Press

Shaftesbury Road, Cambridge cb2 8ea, United Kingdom One Liberty Plaza, 20th Floor, New York, ny 10006, USA 477 Williamstown Road, Port Melbourne, vic 3207, Australia 314–321, 3rd Floor, Plot 3, Splendor Forum, Jasola District Centre, New Delhi – 110025, India 103 Penang Road, #05–06/07, Visioncrest Commercial, Singapore 238467 Cambridge University Press is part of Cambridge University Press & Assessment, a department of the University of Cambridge. We share the University’s mission to contribute to society through the pursuit of education, learning and research at the highest international levels of excellence. www.cambridge.org Information on this title: www.cambridge.org/9781108489560 doi: 10.1017/9781108784818 © Mistale Taylor 2023 This publication is in copyright. Subject to statutory exception and to the provisions of relevant collective licensing agreements, no reproduction of any part may take place without the written permission of Cambridge University Press & Assessment. First published 2023 A catalogue record for this publication is available from the British Library. A Cataloging-in-Publication data record for this book is available from the Library of Congress isbn 978-1-108-48956-0 Hardback Cambridge University Press & Assessment has no responsibility for the persistence or accuracy of URLs for external or third-party internet websites referred to in this publication and does not guarantee that any content on such websites is, or will remain, accurate or appropriate.

Published online by Cambridge University Press

Contents

page xiii

Acknowledgements Author’s Note

xv

Table of Cases

xvii

1

Introduction 1.1 Background 1.2 Extraterritoriality 1.3 Jurisdictional Tensions 1.4 Towards an Assessment Framework 1.5 Scope of the Study 1.6 Relevance of the Study 1.7 Defining Terms 1.8 Approach of the Study

2

Conceptual Approaches to Data Protection in the European Union and the United States 2.1 Introduction 2.2 The Difference between the Right to Privacy and the Right to Data Protection 2.3 The Evolution of the Right to Data Protection in the EU Legal Order 2.3.1 Data Protection in Early International Instruments 2.3.2 From National Laws to EU Law 2.4 Data Protection as a Value and Right in the EU 2.5 Information Privacy in the United States 2.6 A Global Approach to Data Protection

v

Published online by Cambridge University Press

1 4 5 8 9 10 11 13 14

18 18 18 20 20 22 24 27 31

vi

3

4

Contents

The European Union’s Obligations to Safeguard the Fundamental Right to Data Protection Extraterritorially 3.1 Introduction 3.2 The EU Charter’s Scope of Application 3.3 Data Protection as a Fundamental Right in the EU 3.4 The Nature of the Right to Data Protection and Associated Obligations 3.4.1 Under Public International Law 3.4.2 Under International Human Rights Law 3.5 The Extraterritorial Application of Human Rights Instruments 3.5.1 Jurisdiction under International Human Rights Law 3.5.2 Applying Different Models of International Human Rights Law Jurisdiction to European Data Protection Law 3.5.3 Control in International Human Rights Law Jurisdiction 3.6 Positive and Negative Obligations to Respect/Protect/Fulfil Human Rights 3.6.1 The Obligation to Respect 3.6.2 The Obligation to Protect 3.6.3 The Obligation to Fulfil 3.7 The Increased Weight of the Fundamental Right to Data Protection and Consequences for Extraterritoriality 3.7.1 The Free Flow of Information 3.7.2 The Right to Freedom of Expression 3.7.3 Security Interests 3.7.4 A Heavier Right 3.8 Interim Conclusion Limits That Public International Law Poses on the European Union Safeguarding the Fundamental Right to Data Protection Extraterritorially 4.1 Public International Law Approaches to Jurisdiction 4.2 Two Approaches to Lawfulness under Public International Law 4.2.1 A Substantial Connection 4.2.2 Permissive Principles 4.3 The Scope of EU Data Protection Law

Published online by Cambridge University Press

33 33 34 35 36 36 38 40 41

42 44 46 47 48 49 51 52 53 54 54 55

57 60 61 63 64 65

Contents

4.4

4.5

4.6 4.7 4.8 4.9 5

4.3.1 Applicable Law and Jurisdiction 4.3.2 Data Controllers and Data Processors Territoriality 4.4.1 In EU Data Protection Law 4.4.2 Subjective Territoriality 4.4.3 Objective Territoriality 4.4.3.1 In the Context of the Activities of an Establishment in the EU 4.4.3.2 From the Use of Equipment in the EU to Targeting Those in the EU 4.4.3.3 Public International Law 4.4.4 The Effects Doctrine Personality 4.5.1 Individuality and Personality 4.5.2 Active and Passive Personality 4.5.2.1 Reconciling Citizenship, Residence and Applicability 4.5.2.2 Reconciling Personality and Territoriality The Protective Principle Universal Jurisdiction Prohibitions in Exercising Jurisdiction Interim Conclusion

Ways to Mitigate Problematic Jurisdictional Overreach 5.1 Introduction 5.2 Mitigating Factors as Proxy for Territoriality 5.3 Connection 5.3.1 Connection in EU Data Protection Law 5.3.1.1 Context of the Activities of an Establishment of a Controller or Processor 5.3.1.2 Targeting 5.3.2 Interim Conclusion on Connection in EU Data Protection Law 5.4 Reasonableness 5.4.1 Comity 5.4.2 The Enduring Appeal of the Third Restatement of US Foreign Relations Law 5.4.3 Interest 5.4.4 Interest-Balancing 5.4.5 Balancing Rights

Published online by Cambridge University Press

vii

66 67 68 73 75 76 76 77 79 80 82 83 84 85 89 90 91 92 93 95 95 96 97 100 101 103 107 107 108 109 110 111 112

viii

Contents

5.4.6 Reasonableness and a Rule of Reason 5.5 Assessment Framework 6

7

The Reach of European Union Data Protection Law in Transatlantic Data Transfers for Counterterrorism Purposes 6.1 Introduction 6.2 Conceptual Approaches to Privacy in Counterterrorism Agreements 6.3 Transatlantic Tensions in Passenger Name Record Agreement Negotiations 6.3.1 The 2004 Agreement and Reactions 6.3.2 The 2006 Annulment 6.3.3 The 2007 Agreement 6.3.4 The 2011 Agreement 6.4 Incorporating Interpretations of EU Data Protection Law into Passenger Name Record Agreements 6.5 Jurisdictional Assessment 6.5.1 International Human Rights Law Obligations 6.5.2 Territoriality 6.5.3 Personality 6.5.4 Mitigating Factors 6.6 Spreading a Global Passenger Name Record Processing Norm 6.7 Interim Conclusion Data Protection and the Free Flow of Information 7.1 Introduction 7.2 Framing the Jurisdictional Questions 7.2.1 The Freedom of Expression 7.2.2 The Free Flow of Information 7.2.3 The Freedom of Expression, the Free Flow of Information and the Right to Erasure 7.3 The Right to Erasure in the EU 7.3.1 In the Data Protection Directive and the General Data Protection Regulation 7.3.2 In Case Law: Google Spain 7.3.3 Reactions to the Judgment 7.4 Implementing the Right to Erasure 7.4.1 Possible Implementation Methods 7.4.2 Applied Implementation Methods

Published online by Cambridge University Press

114 116

118 118 122 124 124 127 128 129 132 136 137 139 142 145 147 149 150 150 153 154 155 156 159 159 160 163 165 165 166

Contents

7.5

7.6

7.7 7.8 7.9 8

7.4.3 Google v CNIL and Proposed Implementation Methods 7.4.4 Assessing Reasonableness in Google v CNIL Exercising the Right to Erasure 7.5.1 Concealing Territorial and National Connections 7.5.2 The Content of the Request Analysing the Implementation Methods 7.6.1 The Fundamental Right to Data Protection 7.6.1.1 Respect 7.6.1.2 Protect 7.6.1.3 Fulfil 7.6.2 Territoriality Issues 7.6.3 The Effects Doctrine 7.6.4 Personality Issues 7.6.5 Degree of Connection 7.6.6 Reasonableness Suggested Solutions to Implementation Issues Spreading a Global Standard through an EU Court Decision Interim Conclusion

Enabling Transatlantic Trade and Protecting Privacy through Cross-Border Data Transfer Agreements 8.1 Introduction 8.2 Balancing International Trade and Privacy 8.3 The Need for Adequate Protection 8.4 Direct and Indirect Effects of the Adequacy Standard 8.5 Transatlantic Data Transfer Agreements 8.5.1 Safe Harbour 8.5.2 Proceedings in the Schrems Case 8.5.3 The Privacy Shield and Subsequent Developments 8.5.3.1 The Schrems II Case 8.5.3.2 Responses and Further Developments 8.6 The Extraterritoriality of Transatlantic Data Transfer Arrangements 8.6.1 Effects on Companies 8.6.2 Government Reactions 8.6.3 Privacy Shield Negotiations and Marginally Successful Legal Diffusion

Published online by Cambridge University Press

ix

168 169 172 173 174 175 175 176 176 176 177 178 178 179 182 184 187 188

189 189 191 193 194 195 196 197 199 202 203 204 205 208 210

x

Contents

8.6.4 The Failure of EU Law Diffusion in Data Transfer Frameworks 8.6.5 Interim Conclusion on Extraterritoriality 8.7 Jurisdictional Assessment 8.7.1 International Human Rights Law 8.7.1.1 Protecting Individual Interests 8.7.1.2 The Obligation to Respect 8.7.1.3 The Obligations to Protect and Fulfil 8.7.1.4 Interim Conclusion on International Human Rights Law 8.7.2 Public International Law 8.7.2.1 Data Localisation as Territoriality 8.7.2.2 Subjective Territoriality 8.7.2.3 Personality 8.7.2.4 Interim Conclusion on Public International Law 8.7.3 Mitigating Factors: Interest-Balancing and Reasonableness 8.8 Successful Legal Diffusion 8.9 Interim Conclusion 9

10

211 214 214 215 215 216 217 219 219 220 224 225 226 227 231 232

The Normative External Effects of the European Union’s Exercise of Extraterritorial Jurisdiction in Data Protection Law 9.1 Introduction 9.1.1 Global Values 9.1.2 Whom the Law Protects 9.2 Purely Legal Diffusion 9.3 Consequential Norm Diffusion 9.3.1 Data Transfer Arrangements 9.3.1.1 Adequacy Requirements 9.3.1.2 Safe Harbours as Adequacy Decisions 9.3.2 Interim Conclusion 9.4 The EU as Norm Entrepreneur 9.5 Interim Conclusion

234 234 234 236 238 242 244 244 246 249 250 253

Conclusion: Enduring Territoriality and Fundamental Rights 10.1 Introduction 10.2 Overview of Findings

254 254 254

Published online by Cambridge University Press

Contents

10.3 Potential Future Directions 10.3.1 Enduring Territorialism 10.3.2 Foregrounding Fundamental Rights 10.4 Concluding Remarks

xi

257 258 260 261

Select Bibliography

263

Index

277

Published online by Cambridge University Press

Published online by Cambridge University Press

Acknowledgements

Amongst his many prodigious observations, Blaise Pascal supposedly observed that ‘the last thing one discovers in composing a work is what to put first’. Indeed, I find myself writing the first page of this book now, more than seven years after the whole outing began. Over these years, so many people have offered inspiration, support, guidance and general camaraderie. To them, I am perpetually grateful. Below are just some of these people. First and foremost, endless thanks to my brilliant PhD supervisor Cedric Ryngaert from Utrecht University for having the faith in me to make this possible. I am most grateful, too, to my second supervisor John Vervaele. I would like to acknowledge and thank my reading committee for their reflections on a nascent version of this research: Michiel Luchtman, Linda Senden, Christopher Kuner, Paul De Hert and Joe Cannataci. Thank you to my editor at Cambridge University Press, Tom Randall, for his guidance and enduring patience. I would again like to express my gratitude to Christopher Kuner and Paul De Hert for their collegiality during my research visit to the Brussels Privacy Hub and subsequent stint in Brussels. From my time as a visiting scholar at the University of California, Berkeley, thank you to Chris Hoofnagle, Paul Schwartz and Jim Dempsey for offering their invaluable thoughts on all things American. Marise Cremona and Joanne Scott so kindly took the time to discuss my research during my stay at the European University Institute: thank you. Many thanks, too, to Dan Svantesson for his kindness and support. For their academic illumination and friendship, I am indebted to my colleagues past and present: Brianne, Julie, Sander, Natalie, Arron, Nelson, Friederycke, Lucas, Mark, Marieke K, Otto, Machiko, Tony, Christophe, Marieke d H, Ilina, Marco, Rocco, Amy, Bart, Filippo, Julia and Katrina. A special thank you to Alice and Irina, who have been wonderful as colleagues, friends and paranymphs. xiii

Published online by Cambridge University Press

xiv

Acknowledgements

My friends have been incredible throughout all these years, so I’d like to express my heartfelt gratitude to Adrien, Aisha, Alex, Aviv, Alexia, Bárbara, Coen, Daan, Dan, Darshan, Dubbs, Emma, Eoin, Fabian, Flipo, Freddie, George, Gussie, Hayley, Helen, Kroefie, Liselotte, Luca, Max, Merel, Mol, Nick, Patrick, Quirijn, Sarah, Severin, Susy, Teo, Tymon and Willem. For his support and affection, I am especially grateful to Peter. To my parents, and Safira and Caspian: thank you for everything, always. And with that, I believe I’ve discovered the first and last thing to put into this book.

Published online by Cambridge University Press

Author’s Note

It has become something of a cliché to say that technology is changing rapidly and the law struggles to keep up. Acknowledging the accuracy of this cliché in most instances, it follows that scholarship tends to lag behind legal developments. This complicated race is especially evident in the field of data privacy law. This book aims to make general statements about public international law and uses data privacy law as a lens through which to do this. I hope, therefore, that the pronouncements it makes stand the test of time and are useful and interesting to readers, acknowledging full well that much of the law and policy mentioned will continue to evolve swiftly.

xv

Published online by Cambridge University Press

Published online by Cambridge University Press

Table of Cases

Permanent Court of International Justice SS Lotus (France v Turkey) [1927] PCIJ Rep Series A No 10. International Court of Justice Barcelona Traction, Light and Power Co Ltd (Belgium v Spain) (Separate Opinion of Judge Sir Gerald Fitzmaurice) [1970] ICJ Rep 65. Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) (Merits) [1986] ICJ Rep 14. Arrest Warrant of 11 April 2000 (Democratic Republic of the Congo v Belgium) [2002] ICJ 1. Court of Justice of the European Union Case 167/73 Commission of the European Communities v French Republic [1974] ECLI:EU:C:1974:35. Joined Cases 3, 4 and 6/76 Cornelis Kramer and others [1976] ECLI:EU: C:1976:114. Case C-286/90 Poulsen and Diva Navigation [1992] ECLI:EU:C:1992:453. Case C-214/94 Ingrid Boukhalfa v Federal Republic of Germany [1996] ECLI:EU:C:1996:174. Case C-162/96 Racke v Hauptzollamt Mainz [1998] ECLI:EU:C:1998:293. Case C-369/98 The Queen v Minister of Agriculture, Fisheries and Food, ex parte Trevor Robert Fisher and Penny Fisher [2000] ECLI:EU: C:2000:443. Case C-101/01 Bodil Lindqvist [2003] ECLI:EU:C:2003:596. Joined Cases C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk and Others [2003] ECLI:EU:C:2003:294.

xvii

Published online by Cambridge University Press

xviii

Table of Cases

Joined Cases C-317/04 and C-318/04 European Parliament v Council of the European Union and European Parliament v Commission of the European Communities [2006] ECLI:EU:C:2006:429. Case C-73/07 Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy [2008] ECLI:EU:C:2008:727. Joined Cases C-402/05 and C-415/05P Kadi and Al Barakaat International Foundation v Council and Commission [2008] ECLI:EU:C:2008:461. Case C-28/08 European Commission v Bavarian Lager [2010] ECLI:EU: C:2010:378. Case C-279/09 DEB Deutsche Energiehandels- und Beratungsgesellschaft mbH v Bundesrepublik Deutschland [2010] ECLI:EU:C:2010:811. Joined Cases C-92/09 and C-93/09 Volker und Markus Schecke and Eifert [2010] ECLI:EU:C:2010:662. Joined Cases C-585/08 and C-144/09 Pammer v Reederei Karl Schlüter GmbH & KG11 and Hotel Alpenhof GesmbH v Oliver Heller [2010] ECLI:EU:C:2010:740. Case C-347/10 A. Salemink v Raad van bestuur van het Uitvoeringsinstituut [2011] ECLI:EU:C:2011:562, Opinion of AG Cruz Villalón. Case C-347/10 A. Salemink v Raad van bestuur van het Uitvoeringsinstituut [2011] ECLI:EU:C:2011:562. Case C-366/10 Air Transport Association of America and Others v Secretary of State for Energy and Climate Change [2011] ECLI:EU:C:2011:864. Case C‑131/12 Google Spain SL Google Inc. v Agencia Española de Protección de Datos [2013] ECLI:EU:C:2013:424, Opinion of AG Jääskinen. Case C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez [2014] ECLI:EU:C:2014:317. Joined Cases C-293/12 and C-594/12 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others [2014] ECLI:EU:C:2014:238. Opinion 2/13 of the Court [2014] ECLI:EU:C:2014:2454. Case C-230/14 Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság [2015] ECLI:EU:C:2015:639. Case C‑362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU:C:2015:627, Opinion of AG Bot. Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU:C:2015:650. Case C-104/16 P Council v Polisario Front [2016] ECLI:EU:C:2016:677, Opinion of AG Wathelet. Case C-104/16 P Council v Polisario Front [2016] ECLI:EU:C:2016:973.

Published online by Cambridge University Press

Table of Cases

xix

Case C‑210/16 Unabhängiges Landeszentrum für Datenschutz SchleswigHolstein v Wirtschaftsakademie Schleswig-Holstein GmbH [2016] ECLI: EU:C:2017:796, Opinion of AG Bot. Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post-och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others [2016] ECLI:EU:C:2016:970. Opinion 1/15 [2016] ECLI:EU:C:2016:656, Opinion of AG Mengozzi. Opinion 1/15 of the Court [2017] ECLI:EU:C:2017:592. Case C‑210/16 Unabhängiges Landeszentrum für Datenschutz SchleswigHolstein v Wirtschaftsakademie Schleswig-Holstein GmbH [2018] ECLI: EU:C:2018:388. Case C-507/17 Google v Commission nationale de l’informatique et des libertés (CNIL) [2019] EU:C:2019:772. Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems [2020] ECLI:EU:C:2020:559. Case C-623/17 Privacy International [2020] ECLI:EU:C:2020:790. Joined Cases C-511/18, La Quadrature du Net and Others, C-512/18, French Data Network and Others, and C-520/18, Ordre des barreaux francophones et germanophone and Others [2020] ECLI:EU:C:2020:791. European Court of Human Rights Soering v United Kingdom App no 14038/88 (7 July 1989). Bankovic´ and Others v Belgium and 16 Other Contracting States App no 52207/99 (12 December 2001). S and Marper v the United Kingdom App nos 30562/04 and 30566/04 (4 December 2008). Axel Springer AG v Germany App no 39954/08 (7 February 2012). Von Hannover v Germany (No 2) App nos 40660/08 and 60641/08 (7 February 2012).

national judgments Belgium Rechtbank van Eerste Aanleg Brussel, Voorzitter van de Belgische Commissie voor de bescherming van de persoonlijke levenssfeer v Facebook Ireland Limited, 26 February 2018, AR/2016/153-A.

Published online by Cambridge University Press

xx

Table of Cases

France Case No RG: 00/05308, Association ‘l’Union des Etudiants Juifs de France’, la ‘Ligue contre le Racisme et l’Antisemitisme’ c Yahoo! et Yahoo France [2000], 22 May 2000. Case No RG: 00/05308, Association ‘l’Union des Etudiants Juifs de France’, la ‘Ligue contre le Racisme et l’Antisemitisme’ c Yahoo! et Yahoo France [2000], 20 November 2000. Ireland Schrems v Data Protection Commissioner [2014] IEHC 310, 2 ILRM 441. Schrems v Data Protection Commissioner (No 2) [2014] IEHC 351, 2 ILRM 506. Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems [2016] IEHC 414. United Kingdom Rio Tinto Zinc Corp v Westinghouse Electric Corp [1978] AC 547 (HL). United States Strassheim v Daily, 221 US 280 (1911). United States v Aluminum Co of America, 148 F 2d 416 (2d Cir, 1945). Griswold v Connecticut, 381 US 479 (1965). Katz v United States, 389 US 347 (1967). Florida Star v BJF, 491 US 524 (1989). In the Matter of a Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corporation, No 14-2985, 2016 WL 3770056 (2d Cir, 2016). United States v Microsoft Corp, 584 US __ (2018). Carpenter v United States, 585 US __ (2018).

Published online by Cambridge University Press

1 Introduction

Jurisdiction under public international law, that is, a State’s authority to make, apply or enforce law, has long been rooted in the Westphalian notion of a State having sovereign authority within its own physical territorial boundaries.1 The current socio-technological landscape has witnessed temporal and spatial shifts, such as the lasting memory of the Internet and the advent of deterritorialised cloud computing services, which have changed how the European Union (EU) and third States exercise jurisdiction. Technology has become omnipresent, and affects our lives on both a local and global scale. Companies, governmental authorities and individuals are handling ever more digitised personal data, and it is increasingly important to ensure this vast amount of data is protected. The EU, in contrast to most non-EU States, strongly advocates the importance of protecting personal data. Personal data is any information relating to an identified or identifiable natural person, known as a data subject.2 Broadly speaking, data protection encompasses an individual’s right to have their personal information processed according to a set of legal safeguards, in a fair way that protects the individual’s rights and

1

2

United Nations, Charter of the United Nations, 24 October 1945, 1 UNTS XVI (UN Charter) art 2(7); Amos S Hershey, ‘History of International Law since the Peace of Westphalia’ (1912) 6 (1) The American Journal of International Law 30; Samantha Besson, ‘Sovereignty’, Max Planck Encyclopedia of Public International Law (Article last updated: April 2011) (Online version Oxford University Press); Jutta Brunnée, ‘Consent’, Max Planck Encyclopedia of Public International Law (Article last updated: January 2022) (Online version Oxford University Press). Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L 119 (GDPR) art 4(1); Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ 1995 L 281/31 (DPD) art 2(a).

1

https://doi.org/10.1017/9781108784818.001 Published online by Cambridge University Press

2

Introduction

freedoms.3 It is closely connected to the right to privacy. EU data protection law is often considered the strictest, and is certainly the most influential, in the world. As the EU wants to ensure its data subjects’ personal data is afforded the same notably high level of EU-standard protection when controlled, processed or transferred outside the Union, it is extending the territorial reach of its law in the field of data protection. There is an extraterritorial character to EU data protection law that could throw into question traditional notions of public international law jurisdiction rooted in State authority over physical territory. This extraterritoriality has inspired conflicts in jurisdiction between the EU and other States, most notably the United States (US), which has markedly different conceptions of data protection. Friction arises when underlying values and interests clash, and the inevitable nature of international data flows prevents these values or interests from being realised. Where the US is inclined to prioritise national security, the freedom of expression, access to documents, a free and open Internet, and international trade, the EU tends to foreground the privacy or protection of personal data that is processed in all those instances. It is crucial to consider this transatlantic dynamic through the lens of jurisdiction because it is a basic limiting factor that is key to international and transnational relations, but which is necessarily evolving to accommodate the novel capacities and limitations that the Internet offers. Whilst data protection emerged partly to facilitate cross-border trade by ensuring the harmonised treatment of personal data, it has increasingly become characterised as a human right. This reimagining raises questions of how to apply a fundamental right in the EU in a virtual or extraterritorial space. Technological advances and globalisation mean that personal data is controlled and processed in multiple jurisdictions with differing levels of legal protections afforded to that data. Moreover, data protection is not a fundamental right everywhere and is particularly interesting because it is not nearly a universal value. Since its onset as a concept, at least in Europe, data protection has been conflated with human dignity and the right to privacy. States conceive of

3

The EU’s GDPR protects ‘fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data’. GDPR art 1(2) cf the DPD that protects ‘the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data’. DPD art 1(1); Maria Tzanou, The Fundamental Right to Data Protection: Normative Value in the Context of Counter-Terrorism Surveillance (Hart Publishing 2017) 12–13; Christopher Kuner, European Data Protection Law: Corporate Compliance and Regulation (2nd ed, Oxford University Press 2007) 3.

https://doi.org/10.1017/9781108784818.001 Published online by Cambridge University Press

Introduction

3

privacy differently, as reflected in their privacy laws.4 In line with this sentiment, the weight that different States place on data protection varies greatly. This framing is not simply an example of an ‘us and them’ dichotomy between developed and developing countries, but shows how conceptions of privacy, information and personal data, and the value they are assigned, differ between Western liberal democracies. Concerns about privacy and personal data protection are also evident across the political spectrum.5 Despite the growing ubiquity of data processing and the general public’s increased concern for their data privacy, the marked difference in conceptions of data protection and the resulting laws, or the lack thereof, make it difficult to characterise data protection as a globally shared value. It is, however, acceptable to characterise it as a regional value in the EU. If it is difficult to agree on a definition of privacy, in part due to its fluid, relativist, subjective yet inherently valuable nature, data protection is even more problematic to conceive of beyond a local construct or ideal.6 As it is not a global value, this underlies jurisdictional conflicts over who may prescribe data protection law and where, and how far this law reaches beyond physical boundaries. Third States have underlying ideologies that inform their attitudes to data protection and, consequently, their relevant regulation. It is when these States’ values, and thus laws, clash with those that the EU applies and promotes extraterritorially that conflicts in jurisdiction over situations involving data protection arise. Whereas EU data protection law reflects its being a fundamental right in the Union, the US’ similar information privacy laws are

4

5

6

World Legal Information Institute, ‘The Global Data Protection, Privacy & Surveillance Law Library’ ; Graham Greenleaf, Philip Chung and Andrew Mowbray, ‘Supporting and Influencing Data Privacy Practice: The Free Access International Privacy Law Library’ (2014) 31(2) Computer Law & Security Review 221. The issue is so sufficiently broad that it can encompass a variety of different positions, from the civil libertarian who demands constraints on overzealous law enforcement to the conservative business group that wants tax data to be kept confidential. The issue tends to pose a dilemma for democratic socialist parties in particular; it exposes a tension between the welfare statism of the old Left, which relies on a sacrifice of individual privacy for the collective benefit, and the more antistatist individualism of the new Left. Thus below the broad liberal democratic concern for individualism and human dignity lies a complex and often contradictory set of positions. . . . The ideological foundations of the issue are inherently ambiguous because privacy and data protection do not stir partisan emotion until the debate centers on particular information in specific contexts. We then find a complexity of cross-cutting concerns. (Colin J Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and the United States (Cornell University Press 1992) 147.) James Q Whitman, ‘The Two Western Cultures of Privacy: Dignity versus Liberty’ (2004) 113 (6) Yale Law Journal 1151, 1219.

https://doi.org/10.1017/9781108784818.001 Published online by Cambridge University Press

4

Introduction

rooted in the marketplace and carry far less normative heft.7 This research aims to offer ways to approach transatlantic jurisdictional conflicts with the underlying goal of mitigating them. It explores how the EU’s characterisation of data protection as a fundamental right conditions how it may, does and should exercise extraterritorial jurisdiction.

1.1 background Extraterritoriality in the cybersphere is per se a highly relevant concept to analyse. With the shrinking role of territoriality, especially in the virtual, online realm, it is important to justify talking about extraterritoriality. Examining data protection law provides a useful platform from which to analyse the relevance of these concepts. Transborder data flows, as a form of data processing, have raised pertinent questions related to international jurisdiction.8 International jurisdiction and data protection is an understudied pair.9 There is little literature on jurisdiction specifically under public international law, rather than private international law or EU law, as it pertains to 7

8

9

The term ‘information privacy’ roughly equates to ‘data protection’ in the EU. The former is more commonly used in the US and is more specific than ‘data protection’; Paul M. Schwartz and Karl-Nikolaus Peifer, ‘Transatlantic Data Privacy Law’ (2017) 106 Georgetown Law Journal 115, 132. It is also worth noting three popular conceptions about EU-US approaches to data privacy, which are not wholly accurate, when researching this topic: ‘(1) Europe believes in fundamental rights to data privacy, but the U.S. legal tradition is different; (2) Europe is concerned about privacy invasions by big corporations, while the U.S. cares instead about privacy invasions by big government; and (3) Europe believes in comprehensive legislation while the U.S. supports self-regulation and multi-stakeholder processes.’ There are more similarities between the two legal cultures than is sometimes portrayed. Peter Swire, ‘Peter Hustinx and Three Clichés about E.U.-U.S. Data Privacy’ in Hielke Hijmans and Herke Kranenborg (eds), Data Protection Anno 2014: How to Restore Trust? Contributions in Honour of Peter Hustinx, European Data Protection Supervisor (2004–2014) (Intersentia 2014) 191. This is not new, but it is ongoing: see, e.g., Hague Conference on Private International Law, Cross-border Data Flows and Protection of Privacy (2010) para 14 . Furthermore, ‘[t]hus far, there has been little interaction between scholars, international organizations, regulators, and others working on international jurisdiction, and those working on data protection’. Christopher Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 1)’ (2010) 18(2) International Journal of Law and Information Technology 176. This interaction, however, has been increasing: see, e.g., the Internet & Jurisdiction Policy Network (www.internetjurisdiction.net/work/data-jurisdiction) founded in 2012, which deals with, inter alia, questions of data and jurisdiction. They released the first ‘Internet & Jurisdiction Global Status Report’ in 2019. The Report acknowledges the lack of cooperation and coordination between international stakeholders, which exacerbates jurisdictional challenges arising from, for instance, data privacy breaches – Dan Jerker B Svantesson, ‘Internet & Jurisdiction Global Status Report’ (2019) Internet & Jurisdiction Policy Network 14.

https://doi.org/10.1017/9781108784818.001 Published online by Cambridge University Press

1.2 Extraterritoriality

5

data protection.10 The fundamental rights dimension of this research also distinguishes it from much previous research on the extraterritoriality of data protection law. Such a rights-based approach is becoming more prevalent, but is still rare.11 Most questions of the extraterritorial application of human rights have centred on situations of armed conflict, military occupation and electronic surveillance, so this research attempts to offer a novel contribution to debates surrounding the extraterritorial applicability of human rights. With the research anchored in public international law, it makes sense to turn first to issues of extraterritoriality.

1.2 extraterritoriality EU data protection law with an extraterritorial dimension affects entities, people and activities in third States through its direct or indirect application abroad.12 This research focuses on the General Data Protection Regulation (GDPR), which started applying in EU Member States in May 2018, as well as the legislation it replaced, the 1995 Data Protection Directive (DPD), which Member States had incorporated into their national laws.13 It uses these 10

11

12

13

Dan Jerker B Svantesson, ‘Enforcing Privacy across Different Jurisdictions’, in David Wright and Paul De Hert (eds), Enforcing Privacy: Regulatory, Legal and Technological Approaches (Springer 2016) 196 mentions the ‘rare examples of literature engaging with the topics addressed here [mainly applicable law, jurisdiction and data privacy law]’. On data protection and private international law, see, inter alia, Dan Jerker B Svantesson, Private International Law and the Internet (Kluwer Law International 2007); Kuner, European Data Protection Law (n 3); Maja Brkan, ‘Data Protection and European Private International Law: Observing a Bull in a China Shop’ (2015) 5(4) International Data Privacy Law 257; Lee A Bygrave, ‘Determining Applicable Law Pursuant to European Data Protection Legislation’ (2000) 16 Computer Law & Security Report 252. See, e.g., Tzanou, The Fundamental Right to Data Protection (n 3); Gloria González Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU (Springer 2014); Maja Brkan, ‘The Unstoppable Expansion of EU Fundamental Right to Data Protection. Little Shop of Horrors?’ (2016) 23(5) Maastricht Journal of European and Comparative Law 812. Christopher Kuner, ‘The Internet and the Global Reach of EU Law’ in Marise Cremona and Joanne Scott (eds), EU Law Beyond EU Borders: The Extraterritorial Reach of EU Law (Oxford University Press 2019) 124. GDPR; DPD; for other EU instruments that regulate personal data, see, e.g., Directive 2016/ 680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution (Law Enforcement Directive); Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (ePrivacy Directive); Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals

https://doi.org/10.1017/9781108784818.001 Published online by Cambridge University Press

6

Introduction

because they provide the most relevant examples pertaining to extraterritorial prescriptive jurisdiction, that is, laying down legal norms.14 Even though the GDPR superseded the DPD, the Directive is relevant here because it was the original ‘gold standard’ and informed the GDPR and many third State data protection laws. Much of the case law around relevant data protection issues uses the DPD as its legal framework. Indeed, almost two years after the GDPR started applying, the CJEU was using the DPD, eventually in conjunction with the GDPR, to inform its analysis.15 Furthermore, the DPD and related jurisprudence, opinions and recommendations show the legislative history of data protection within the EU; these allow people to trace the evolution of data protection as a right. Similarly, the changes in the wording of the DPD compared to the GDPR help demonstrate how the EU’s approach to extraterritoriality has developed. Whilst there has been a lot of hype around the GDPR, its predecessor was ground-breaking legislation for its time, so readers should not forget or neglect this. The chapters split relevant sections into the DPD and GDPR, so readers with an interest in only the GDPR can easily focus on this. This research uses the term extraterritoriality to signify something with a nature/effect beyond a territory, rather than something completely a-territorial. It covers manifestations that directly or indirectly influence the behaviour of private actors and third State law. In the present research, that third State is the US. The relevant actors include States and their representatives, private entities, such as corporations or Non-Governmental Organisations, and individuals (usually data subjects). The EU’s approach to data protection extraterritoriality, in both the GDPR and DPD, is extremely complex, rendering it almost unproductive.16 This necessitates a delineation of the EU’s obligations and limitations concerning the extraterritoriality of its data protection law. Data protection laws in, inter alia, the US, Canada and Australia also have extraterritorial effect.17 This

14

15

16

17

with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. For example, the EU can influence third-State law by requiring it to enact regulation ‘essentially equivalent’ to its own (GDPR art 45). For example, Case C-507/17 Google v Commission nationale de l’informatique et des libertés (CNIL) [2019] EU:C:2019:772 from September 2019 was an early case to use the DPD and GDPR as its legal context. Dan Jerker B Svantesson, ‘The Extraterritoriality of EU Data Privacy Law – Its Theoretical Justification and Its Practical Effect on U.S. Businesses’ (2014) 50 Stanford Journal of International Law 53, 67. The relevant articles include art 3 GDPR (art 4 DPD) on the territorial scope of the legislation and art 45 GDPR (art 25 DPD) on international data transfers. Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 1)’ (n 9) 176.

https://doi.org/10.1017/9781108784818.001 Published online by Cambridge University Press

1.2 Extraterritoriality

7

research focuses specifically on the extraterritoriality of EU data protection law because none of the aforementioned States qualifies data protection as a fundamental right in a way comparable to the EU. Their data protection laws are not as stringent and are without such global impact. As the EU bestows fundamental rights status upon data protection, this gives rise to certain obligations that could justify the extraterritorial application of its laws. Concerning the extraterritoriality of data protection law, ‘it is not possible to distinguish, in a meaningful way, between what is extraterritorial and what is not’.18 Furthermore, differentiating between whether EU data protection law is extraterritorial in scope or extraterritorial in effect ‘no longer has any practical significance’.19 Nonetheless, several manifestations of EU data protection law have extraterritorial elements. This research considers the GDPR’s territorial scope provisions (‘national law applicable’ in the DPD), which explicitly provide for a form of extraterritoriality, as well as other provisions on, for example, data transfers, as having ramifications beyond the Union.20 Whilst the EU’s relevant actions in relation to its data protection laws do not often amount to extraterritorial jurisdiction in the strict sense, they constitute a soft form of legal diffusion or an extended territorial reach of EU law.21 The territorial nexus condition further justifies a discussion on EU territoriality and extraterritoriality based on physical borders. Whilst transferring data from the EU to a third State sounds eminently physical and territorial, these days ‘data flow is not a binary two-step process,

18

19

20 21

Dan Jerker B Svantesson, ‘The Concept of “Extraterritoriality”: Widely Used, but Misguided and Useless’ (OUPblog, 17 November 2015) (emphasis added). Christopher Kuner, ‘Extraterritoriality and Regulation of International Data Transfers in EU Data Protection Law’ (2015) 5(4) International Data Privacy Law 235, 236. Kuner questions whether territorial jurisdiction in the data transfer context could be divorced from extraterritorial jurisdiction: ‘[T]he Schrems case thus illustrates that any distinction between extraterritorial and territorial jurisdiction has become meaningless in the context of regulation of international data transfers.’ He suggests that ‘the direct application of EU law in a third country and the transfer of EU-based data to such country . . . is a distinction without a difference’ as this transfer is only permitted when that third-State affords ‘essentially equivalent’ protections to those afforded under EU law. Christopher Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ (2016) Cambridge University Legal Studies Working Paper No 14/2016 10; Christopher Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ (2017) 18 German Law Journal 881, 892–893 (citations omitted). GDPR arts 3 and 45; DPD arts 4 and 25. See Joanne Scott, ‘The New EU “Extraterritoriality”’ (2014) 51 Common Market Law Review, 1343; Joanne Scott, ‘Extraterritoriality and Territorial Extension in EU Law’ (2014) 62(1) American Journal of Comparative Law 87.

https://doi.org/10.1017/9781108784818.001 Published online by Cambridge University Press

8

Introduction

origin and terminus’.22 Accordingly, the terms ‘cross-border’ and even ‘transborder’ should be construed somewhat abstractly.23 For the purposes of this research, a data transfer refers to information linked to an identified or identifiable individual person, which was originally subject to EU law, then becoming subject to US law by virtue of, for instance, an EU company transferring personal data about that individual to its headquarters in California for processing. As this study will demonstrate, territory is still salient when understanding data transfers. Simply an imagined change of which legal system applies forgets the enduring importance of territory when discussing transatlantic data transfers. Indeed, envisaging physical collection, processing, storage and transfers helps discern what permits a State to exercise jurisdiction over that particular situation. Whilst it might be more accurate to imagine the ‘international processing of personal data’ instead of ‘international transfers of personal data’, this research uses all the aforementioned terms interchangeably to capture, put very broadly, the extraterritoriality of EU data protection law.24

1.3 jurisdictional tensions Extraterritoriality is especially important when limiting the jurisdictional scope of EU data protection law, especially as ‘jurisdiction’ in public international law is normally limited by territory. The jurisdictional scope of the GDPR is not immediately clear. The European Data Protection Board is an independent European body, composed of representatives of EEA data protection authorities (DPAs) and the European Data Protection Supervisor (the EU’s independent DPA).25 The EDPB ensures the consistent application of data protection rules across the EU/EEA and has thus issued guidance on the territorial scope of the GDPR.26 These build upon similar guidelines issued by the EDPB’s 22

23

24

25

26

McKay Cunningham, ‘Complying with International Data Protection Law’ (2016) 84(2) University of Cincinnati Law Review 421, 448 citing Fred H. Cate, ‘The Changing Face of Privacy Protection in the European Union and the United States’ (1999) 33(1) Indiana Law Review 173, 179. See Christopher Kuner, Transborder Data Flows and Data Privacy Law (Oxford University Press 2013) 11–13. Liane Colonna, ‘Article 4 of the EU Data Protection Directive and the irrelevance of the EU– US Safe Harbor Program?’ (2014) 4(3) International Data Privacy Law 203, 220–221 citing, inter alia, Paul M Schwartz, ‘Information Privacy in the Cloud’ (2013) 161(6) University of Pennsylvania Law Review 1623, 1629. Representatives of the European Commission and, on GDPR issues, the European Free Trade Association Surveillance Authority, may participate in EDPB activities, but do not have voting rights. The DPAs of EEA countries (Iceland, Liechtenstein and Norway) also do not have voting rights. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (art 3) (12 November 2019).

https://doi.org/10.1017/9781108784818.001 Published online by Cambridge University Press

1.4 Towards an Assessment Framework

9

predecessor under the DPD (the Article 29 Working Party) and pre-GDPR jurisprudence.27 The territoriality principle is certainly important in questions of the EU’s exercise of jurisdiction. In 2003, for instance, the Court of Justice of the European Union (CJEU) affirmed, in the landmark Lindqvist decision, that EU law does not apply to the whole Internet.28 EU data protection law has a very wide jurisdictional reach. For example, certain principles apply to ‘onward transfers’, whereby the original data collector transfers personal data to third parties in third States.29 EU data protection law also applies to data processing activities by entities not established in the Union, but which process personal data that relates to targeting people in the Union, that is, offering those people goods or services, or monitoring their behaviour.30 For instance, EU protections apply if non-EU websites process and collect EU data subjects’ personal data by, for example, setting cookies (small pieces of data that collect information about a user’s browsing habits). Similarly, the GDPR would apply to non-EU entities processing personal data about an individual in the Union who is being offered a free service. Many commentators assert that this ‘regulatory overreaching’ is too expansive, unenforceable in practice and therefore unacceptable.31 This is in line with the so-called aggressive jurisdictional scope of the DPD and, by extension, the GDPR.32 The identified and potential extraterritorial scope of the DPD and GDPR is unclear and changeable, giving rise to cross-border friction when the aim was originally to avoid such friction.

1.4 towards an assessment framework This research asks how to approach transatlantic conflicts in jurisdiction in the data protection legal sphere, ultimately to come up with ways to mitigate these 27

28 29 30 31

32

The Article 29 Working Party, active from 1996 to 2018, was an advisory body comprising representatives from EU Member State data protection authorities, the European Data Protection Supervisor and the European Commission. It published opinions and recommendations pertaining to questions of EU data protection law. The Working Party and subsequent case law attempted to clarify the DPD’s scope, as explored in Chapter 4. Case C-101/01 Bodil Lindqvist [2003] ECLI:EU:C:2003:596. GDPR art 44. Ibid., art 3(2). Lokke Moerel, ‘The Long Arm of EU Data Protection Law: Does the Data Protection Directive Apply to the Processing of Personal Data of EU Citizens by Websites Worldwide?’ (2011) 1(1) International Data Privacy Law 28, 28–29; Paul De Hert and Michał Czerniawski discuss this reaction in ‘Expanding the European Data Protection Scope beyond Territory: Article 3 of the General Data Protection Regulation in Its Wider Context’ (2016) 6(3) International Data Privacy Law 230, 231. Jack Goldsmith and Tim Wu, Who Controls the Internet? Illusions of a Borderless World (Oxford University Press 2006) 175.

https://doi.org/10.1017/9781108784818.001 Published online by Cambridge University Press

10

Introduction

conflicts. It understands ‘approach’ to mean ‘to take preliminary steps toward accomplishment or full knowledge or experience of’.33 The assessment framework outlined in Chapter 5 uses a legitimacy threshold concerning the EU’s exercise of jurisdiction. Rather than joining the extensive academic conversation on legitimacy, this research follows part of Thomas Franck’s notion of legitimacy, namely, legitimacy as ‘a property of a rule or rule-making institution which itself exerts a pull toward compliance on those addressed normatively’.34 To hone this framework, the research combines three ways of looking at extraterritorial jurisdiction. The underlying questions that Chapters 3, 4 and 5 pose are as follows:  Chapter 3: How far do the EU’s obligations to safeguard its data subjects’ fundamental right to data protection extend extraterritorially?  Chapter 4: How can the classic permissive principles of jurisdiction in public international law be interpreted to accommodate EU data protection legislation, ultimately to delimit the EU’s exercise of extraterritorial jurisdiction vis-à-vis the US?  Chapter 5: How can second-tier jurisdictional principles be used to mitigate the EU’s problematic jurisdictional overreach? These three chapters combined lead towards an assessment framework, which this study then applies.

1.5 scope of the study With this assessment framework having been honed, Chapters 6–8 look at three main subject areas and case examples that have sparked transatlantic jurisdictional clashes. These areas are largely based on a European approach to data protection competing with a particular value or interest that the US prioritises over data privacy. This research focuses on the two jurisdictions of the EU and the US because of their different approaches to data protection, sometimes clashing data protection laws, and their importance and influence as global economies that rely on technology and data-driven enterprises. The conflicts are worth examining as

33

34

‘Approach’ in Merriam-Webster.com Dictionary . Thomas Franck, The Power of Legitimacy among Nations (Oxford University Press 1990) 24. He understands legitimacy as ‘a property of a rule or rule-making institution which itself exerts a pull toward compliance on those addressed normatively because those addressed believe that the rule or institution has come into being and operates in accordance with generally accepted principles of right process’.

https://doi.org/10.1017/9781108784818.001 Published online by Cambridge University Press

1.6 Relevance of the Study

11

they are (i) the most noteworthy of the existing conflicts or tensions surrounding data protection and (ii) they exemplify tensions between EU and US values.  Chapter 6: How do incongruent approaches to data protection vis-à-vis security manifest as tensions between the EU and the US regarding the extraterritoriality of EU law? How can the abovementioned assessment framework delineate how far EU law may reach when negotiating the US–EU Passenger Name Record Agreement or similar agreements?  Chapter 7: How can the affected stakeholders solve transatlantic conflicts over the EU’s exercise of prescriptive jurisdiction regarding the right to erasure (as a data protection concern) and the free flow of information (as a freedom of expression concern)?  Chapter 8: To what extent should EU data protection law be applied extraterritorially when regulating EU to US transborder data flows to safeguard the right to data protection and enable transatlantic trade? Chapter 9 then grounds these case studies in an overall understanding of the EU’s role as a global actor. The Union’s actions fall along a spectrum of it simply protecting its own citizens to it trying to set a global data protection norm for the benefit of the international community.  Chapter 9: What is the character of the external effects of the EU’s exercise of extraterritorial jurisdiction in the data protection sphere? To close, the research identifies commonalities in its investigations and makes some statements about general trends in public international law and extraterritorial jurisdiction. The underlying question is how to approach and conceive of these transatlantic tensions; it is not specifically and exclusively to come up with immediate solutions and make recommendations. Nonetheless, based on the assessment framework, the research informs a way to conceptualise the conflicts and determine how far the EU’s actions may and should reach. This then informs recommendations on how to lessen jurisdictional conflicts.

1.6 relevance of the study It is particularly important to examine jurisdiction in the data protection legal sphere for several reasons, especially in light of existing and potential jurisdictional tensions arising out of differing conceptions of data protection as a human right. International data processing involves not only EU data subjects and EU entities, but also third State participants, including private actors and those under third State supervision. Firstly, as the EU has classified the right to

https://doi.org/10.1017/9781108784818.001 Published online by Cambridge University Press

12

Introduction

data protection as a fundamental right, it has a protective duty towards its citizens. It is necessary to determine how this protective duty, rooted in regional value conceptions, can be realised extraterritorially on a global Internet. Secondly, the virtual and borderless nature of cyberspace, in which most data is processed, challenges traditional concepts of sovereignty and territorial jurisdiction. As data flows often imply a transborder element, and data is often stored on servers in multiple jurisdictions, data processing tends not to be linked to just one territory. It is important to solve or mitigate jurisdictional conflicts in the field of data protection in part because of the many stakeholders involved, including States, companies, national supervisory authorities, and individuals whose data is being processed. Each actor has different private and public functions, and different interests, thereby broadening the societal relevance of the research. Although data protection has historically sought to enable free trade, numerous instruments, further interpreted in jurisprudence, all affirm the fundamental right to data protection’s increasingly lofty status in the EU.35 Technological advances inspire the evolution of data protection law, but the law often lags far behind the technology.36 Such rapid advances admit of the possibility that data subjects’ right to data protection is violated in previously inconceivable ways. Considering the broadened technological possibilities of today, data protection is increasingly relevant, and important, to ever more of the world’s population. Moreover, in 2018, the GDPR replaced the 1995 DPD, enacted at a time when the drafters could hardly conceive of the eventual ubiquity of the Internet. The GDPR is the most heavily lobbied piece of EU legislation, exemplifying the many stakeholders involved.37 It represents ‘the biggest overhaul of the world’s privacy rules in more than 20 years’ and, therefore, has global ramifications.38 Given this, data protection law and extraterritoriality is an up-to-the-minute, pertinent and exciting topic. 35

36

37

38

Charter of Fundamental Rights of the European Union [2010] OJ C 83/02 art 8; Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended, 4 November 1950, ETS 5; The Treaty on the Functioning of the European Union (TFEU) provides that ‘[e]veryone has the right to the protection of personal data concerning them’. Consolidated Version of the Treaty on the Functioning of the European Union [2012] OJ C 326/47 art 16(1); Council of Europe, Convention for the Protection of Individuals with Regard to the Automatic Processing of Individual Data, 28 January 1981, ETS 108 (Convention 108); the DPD, the GDPR; general principles of EU law. Christopher Kuner, Fred H Cate, Christopher Millard and Dan Jerker B Svantesson, ‘The (Data Privacy) Law Hasn’t Even Checked in When Technology Takes Off’ (2014) 4(3) International Data Privacy Law 175, 175. J Trevor Hughes, ‘General Data Protection Regulation: A Milestone of the Digital Age’ TechCrunch (11 January 2016). Mark Scott and Laurens Cerulus, ‘Europe’s New Data Protection Rules Export Privacy Standards Worldwide’ Politico (31 January 2018).

https://doi.org/10.1017/9781108784818.001 Published online by Cambridge University Press

1.7 Defining Terms

13

1.7 defining terms As the thrust of this research takes the broadly European and specifically European Union perspective, it uses the European version of the relevant terms. This section outlines legal definitions of the rights to privacy and data protection. Next, it defines some key data protection terms. Finally, it covers territory and extraterritoriality. As outlined here, all of the important international human rights instruments enshrine a right to privacy. As shown by how the instruments articulate the right so differently, it is challenging to come up with a comprehensive definition of the right to privacy. The Universal Declaration of Human Rights (UDHR) affirms that ‘[n]o one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation’.39 Similarly, the International Covenant on Civil and Political Rights (ICCPR) states that ‘[n]o one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation’.40 The European Convention on Human Rights (ECHR) holds that ‘everyone has the right to respect for his private and family life, his home and his correspondence’ and the American Convention on Human Rights (ACHR), which the US has not ratified, provides that ‘no one may be the object of arbitrary or abusive interference with his private life, his family, his home, or his correspondence’.41 The Charter of Fundamental Rights of the European Union (EU Charter) is the only one of these instruments that articulates both a right to privacy and a separate right to data protection.42 It provides that ‘[e]veryone has the right to respect for his or her private and family life, home and communications’.43 A separate article states that everyone has the right to the protection of the personal data pertaining to them.44 That personal data must be processed ‘fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law’.45 Everyone may access that data and have it rectified.46 An independent authority shall monitor compliance with those rules.47 According to the Treaty on the Functioning of the

39 40 41

42 43 44 45 46 47

Universal Declaration of Human Rights, 10 December 1948, 217 A (III) art 12. International Covenant on Civil and Political Rights, 23 March 1976, 999 UNTS 171 art 17(1). ECHR art 8(1); Organization of American States, American Convention on Human Rights, 22 November 1969 art 11(2). EU Charter art 7 and 8. Ibid., art 7. Ibid., art 8(1). Ibid., art 8(2). Ibid. Ibid., art 8(3).

https://doi.org/10.1017/9781108784818.001 Published online by Cambridge University Press

14

Introduction

European Union (TFEU), ‘[e]veryone has the right to the protection of personal data concerning them’.48 Overall, the right to privacy is an important one that underscores the right to personal data protection. As shown in the EU Charter, the right encompasses several key principles. Personal data is ‘any information relating to an identified or identifiable natural person (“data subject”)’.49 Data protection is ‘the law designed to protect your personal information, which is collected, processed and stored by “automated” means or intended to be part of a filing system’.50 Where Europeans would use ‘data protection’, those in the US would refer to ‘information privacy’, and ‘data privacy’ in the broader Anglo-Saxon tradition.51 These terms have different origins and refer to unique concepts, but this research mostly uses ‘data protection’, with ‘data privacy’ and ‘information privacy’ in specific examples.52 Data processing is ‘any operation or set of operations which is performed on personal data or on sets of personal data’.53 This research uses data processing as an umbrella term for transborder data flows, data in transit, data storage and data monitoring. Territory in the EU sense encapsulates the common territory of EU Member States and, as explained below, is necessarily physical. Extraterritoriality is used to cover territorial extension and pure extraterritoriality.54 The research describes extraterritorial situations by interchangeably referring to situations beyond territorial boundaries, with foreign elements or with external effects. Sometimes it uses these terms broadly, but, where important, it uses the specific term for the particular context.

1.8 approach of the study This research uses the assessment framework of human rights protection and the lawful exercise of jurisdiction under public international law. Transborder data flows invariably involve multiple States and multiple jurisdictions. As such, public international law offers the most useful framework to elicit limits to the exercise of jurisdiction. Chapter 4 outlines the ways in which the EU is 48 49 50 51 52

53

54

TFEU art 16(1). GDPR art 4(1). Privacy International, ‘101: Data Protection’ (2017). Lee A Bygrave, Data Privacy Law: An International Perspective (Oxford University Press 2014). See Lothar Determann, Determann’s Field Guide to Privacy Law (2nd edn, Edward Elgar Publishing 2015). GDPR art 4(2) (‘whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’). Scott, ‘The New EU “Extraterritoriality”’ (n 21) 1344.

https://doi.org/10.1017/9781108784818.001 Published online by Cambridge University Press

1.8 Approach of the Study

15

bound by public international law. Mostly because this research focuses on friction between States, private international law or ‘conflict of laws’ does not immediately solve the jurisdictional issues that it considers.55 The Article 29 Working Party and scholars have confirmed that public international law is the ideal lens through which to analyse jurisdiction in data protection situations with extraterritorial dimensions.56 Human rights law, as a subset of public international law, is similarly useful to determine the obligations States have to exercise jurisdiction, in this case extraterritorially, to safeguard fundamental rights. The term jurisdiction is used differently in public international law and in human rights treaties, so the research will bridge this gap. It is essentially about public international law offering ways to solve conflicts in jurisdiction. Where public international law constrains, international human rights law is expansive. Each branch deals with the protection of States and individuals, and is contingent upon consensus between States. Beyond the EU, the human rights this research explores are enshrined in important international human rights instruments, including the UDHR and ICCPR. In the EU, before the EU Charter and TFEU started to apply, there existed no specific treaty provisions on data protection. Nonetheless, the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), the ECHR’s provision on protecting the right to privacy and various institutions pursuant to general legal principles common to Member State jurisdictions had safeguarded data protection in the EU.57 Since the 2009 entry into force of the Lisbon Treaty, when the EU Charter on Fundamental Rights gained binding legal effect, the EU legal order has considered data protection a fundamental right.

55

56

57

Joel R Reidenberg, ‘Resolving Conflicting International Data Privacy Rules in Cyberspace’ (1999) 52(5) Stanford Law Review 1315, 1336–1337 citing Jack L Goldsmith, ‘Against Cyberanarchy’ (1999) 65(4) University of Chicago Law Review 1199, 1210. ‘While public international law only applies directly to relations between States, its role as the basic limiting standard of the international legal order provides the testing ground for jurisdictional rules affecting private parties in different States as well; indeed, the Article 29 Working Party has recognized that jurisdiction under data protection law should be evaluated under public international law.’ Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part I)’ (n 9) 184 fn 40 citing Article 29 Working Party, Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based websites (WP 56, 30 May 2002) 2, stating that ‘whether national [data protection] law applies to situations with links to several countries’ is ‘a general question of international law’. Convention 108; ECHR art 8; Case C-369/98 The Queen v Minister of Agriculture, Fisheries and Food, ex parte Trevor Robert Fisher and Penny Fisher [2000] ECLI:EU:C:2000:443.

https://doi.org/10.1017/9781108784818.001 Published online by Cambridge University Press

16

Introduction

Already in 1997, somewhat prophetically, a conference of data protection commissioners acknowledged that, in the data protection sphere, they should not underestimate potential problems by doubting the EU’s ‘political will . . . to protect the fundamental human rights of citizens’.58 Although the GDPR seeks to harmonise Member State data protection laws to facilitate the free flow of data across borders for largely economic reasons, as well as to protect fundamental rights, EU authorities have increasingly pushed the Regulation using fundamental rights rhetoric.59 Data protection is noticeably moving away from being considered an economic necessity to being promoted within the EU and abroad as a fundamental right. Linking data protection to human rights is thus not a new concept, but it is growing in popularity (see the distinction between the right to privacy and the right to data protection in Chapter 2). This research focuses on data protection as a fundamental right in the EU because of the obligations this bestows upon the Union, which could provide a legitimate justification for its broadly unilateral application of extraterritorial jurisdiction. If the EU’s actions were justified to the point of legitimacy, this could reduce jurisdictional clashes between the EU and third States. Every specific field of law should have its own jurisdictional rules, so this study is trying ultimately to come up with some for the data protection legal sphere.60 Territorial jurisdiction aims both to limit State authority and distribute competences, and is still relevant in the online sphere where most data protection violations occur.61 Data protection law lacks a global norm and is thus far away from harmonisation; a multilateral treaty; or even discernible common ground between the two regulatory authorities on which this

58

59

60

61

James M Assey, Jr and Demetrios A Eleftheriou, ‘The EU-US Privacy Safe Harbor: Smooth Sailing or Troubled Waters?’ (2001) 9 CommLaw Conspectus 145, 145 citing Ulf Bruhan, Data Protection in Europe: Looking Ahead, Address before the Nineteenth International Conference of Privacy Data Protection Commissioners (September 1997) as quoted in Peter P Swire and Robert E Litan, None of Your Business: World Data Flows Electronic Commerce, and the European Privacy Directive (Brookings Institution Press 1998) 46. Acknowledging that ‘economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows of personal data’ (GDPR, recital 5), the GDPR ‘is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons’ (GDPR recital 2). Cedric Ryngaert, ‘The Limits of Substantive International Economic Law: In Support of Reasonable Extraterritorial Jurisdiction’ in Bert Keirsbilck, Wouter Devroe and Erik Claes (eds), Facing the Limits of the Law (Springer 2009) 247. Harold G Maier, ‘Interest Balancing and Extraterritorial Jurisdiction’ (1983) 31(4) The American Journal of Comparative Law, 579, 584 (citations omitted).

https://doi.org/10.1017/9781108784818.001 Published online by Cambridge University Press

1.8 Approach of the Study

17

research focuses, namely the US and the EU. In view of this regulatory lacuna, the EU’s laws have had external effect, and the Union has spread its strict data protection laws around the world. The research is not yet looking for who should ‘win’ conflicts or how they should be resolved, but is instead honing a framework from which to approach the issues. The main actors in this assessment are States, data controllers and processors, and individuals. In data protection law, the individual is the data subject. Data controllers hold ultimate control over the purpose and means of personal data processing; data processors act on their behalf or instructions.62 Other relevant actors include, in this instance, search engine operators and data recipients (Internet users), whose interests might need to be protected. States have certain human rights obligations vis-à-vis individuals, and certain public international law obligations regarding other States. Authorities, legislators and courts in the US, EU and individual Member States exercise prescriptive jurisdiction. This jurisdiction can be exercised extraterritorially, whether directly or indirectly. The EU may exercise jurisdiction over pieces of data, linked to an identified or identifiable person, and certain situations or acts. Before delving into data privacy law, however, it is important to trace how the notion of safeguarding or preserving someone’s information came into being.

62

GDPR art 4.

https://doi.org/10.1017/9781108784818.001 Published online by Cambridge University Press

2 Conceptual Approaches to Data Protection in the European Union and the United States

2.1 introduction The state of transatlantic data privacy laws has implications beyond the individual, company and State level; it can challenge cornerstone principles of democracy and the rule of law.1 Going to the root of these issues, this section looks at how people conceive of data privacy in the EU and US. Firstly, it separates the right to data protection from the right to privacy in various legal instruments and jurisprudence. Secondly, it examines the evolution of the right to data protection in the EU to show how it has gained more normative strength, which the law reflects. The chapter then shows how data protection is both a value and a right in Europe. In contrast, the way US law protects personal data or information privacy reflects its status as something of a legal obligation rather than a fundamental right. Finally, this section considers any existing global conception of the right to data protection. Anchoring the right to data protection in region-specific legal orders can then inform subsequent analyses of its extraterritorial application.

2.2 the difference between the right to privacy and the right to data protection According to the European Convention on Human Rights (ECHR) and the European Court of Human Rights (ECtHR), the right to data protection is an expression of the right to private life.2 In the Charter of Fundamental Rights of 1

2

Dan Jerker B Svantesson and Dariusz Kloza, ‘Yet Another Book about Snowden and Safe Harbor?’ in Dan Jerker B Svantesson and Dariusz Kloza (eds), Trans-Atlantic Data Privacy Relations as a Challenge for Democracy (Intersentia 2017) xiii. Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended, 4 November 1950, ETS 5 art 8 on the right to respect for

18

https://doi.org/10.1017/9781108784818.002 Published online by Cambridge University Press

2.2 Difference between Right to Privacy and Right to Data Protection

19

the European Union (EU Charter), however, the two rights are explicitly separated.3 Data protection often overlaps with the right to privacy, but is not necessarily an exclusive subset thereof.4 Whereas the right to privacy is broad and covers many moral and ethical considerations, data protection – especially in the US – can be seen as simply a legal requirement that entails many procedural obligations.5 In that sense it is more ‘objective’.6 The right to privacy is notably context-dependent and thus difficult to define comprehensively.7 It includes any of the following notions: [P]rivate, family and home life, physical and moral integrity, honour and reputation, avoidance of being placed in a false light, non-revelation of irrelevant and embarrassing facts, unauthorised publication of private photographs, protection against misuse of private communications, protection from disclosure of information given or received by the individual confidentially.8

In most important privacy cases, the CJEU blurs the boundaries between the two rights; in other cases, it either distinguishes clearly between the two or includes data protection as a sub-category of the right to privacy.9 The right to data protection is more specific than the right to privacy. It has a narrower

3

4

5

6

7

8

9

private and family life. See, e.g., ‘[t]he protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life’. S and Marper v The United Kingdom, App Nos 30562/04 and 30566/04 (ECtHR, 4 December 2008) para 103. Cf Charter of Fundamental Rights of the European Union [2010] OJ C 83/02 art 7 on respect for private and family life and art 8 on the protection of personal data. Juliane Kokott and Christoph Sobotta, ‘The Distinction between Privacy and Data Protection in the Jurisprudence of the CJEU and ECtHR’ (2013) 3(4) International Data Privacy Law 222; Maria Tzanou ‘Data Protection as a Fundamental Right Next to Privacy? “Reconstructing” a Not So New Right’ (2013) 3(2) International Data Privacy Law 88. For example, most dictionaries define ‘data protection’ as something similar to ‘[l]egal control over access to and use of data stored in computers’. ‘data protection’ in Lexico (Oxford Living Dictionaries) . Maria Tzanou, The Fundamental Right to Data Protection: Normative Value in the Context of Counter-Terrorism Surveillance (Hart Publishing 2017) 24 citing Colin J Bennett and Charles D Raab, The Governance of Privacy: Policy Instruments in a Global Perspective (2nd edn, MIT Press 2006) 8. Megan Richardson, The Right to Privacy: Origins and Influence of a Nineteenth-Century Idea (Cambridge University Press 2017) 10 and generally. Christopher Kuner, ‘An International Legal Framework for Data Protection: Issues and Prospects’ (2005) 25 Computer Law & Security Review 307, 309 citing Parliamentary Assembly of the Council of Europe, Resolution 428 para C2 (1970). Maja Brkan, ‘The Court of Justice of the EU, Privacy and Data Protection: Judge-Made Law as a Leitmotif in Fundamental Rights Protection’ in Maja Brkan and Evangelia Psychogiopoulou (eds), Courts, Privacy and Data Protection in the Digital Environment (Edward Elgar Publishing 2017) 13 and 17.

https://doi.org/10.1017/9781108784818.002 Published online by Cambridge University Press

20

Conceptual Approaches to Data Protection

scope of application and more limitations than the right to privacy, which affects how it may apply extraterritorially.10 Accordingly, this research distinguishes between the two rights, focusing on data protection and acknowledging privacy as a connected right.

2.3 the evolution of the right to data protection in the eu legal order Data protection has been characterised relatively recently as a human right; indeed, data protection laws themselves are a comparatively new phenomenon. The German federal state Hesse enacted the first data protection laws in 1970, with various – almost exclusively European – States following suit throughout the 1970s and 1980s.11 Today, at least 145 States have data privacy laws.12 Data protection was initially constructed in market terms to allow free circulation and free delivery of services. It required harmonisation of data protection rules. Whilst originally conflated with the right to privacy, it is increasingly viewed as an autonomous right beyond a free trade necessity. The following section documents the evolution of data protection to determine its strength in the EU, which will be important for the later discussion on the Union’s human rights duties. 2.3.1 Data Protection in Early International Instruments As shown below, two of the first international instruments regulating data protection, the non-binding Federal ‘Code of Fair Information Practice’ (now known as the Fair Information Practice Principles or FIPPs) (1973) and the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), facilitated global data flows for largely economic, rather than human rights, purposes.13 The 1981 Council of Europe Convention for the 10

11

12

13

Kokott and Sobotta, ‘The Distinction between Privacy and Data Protection’ (n 4) 222–224, 226–227. Graham Greenleaf, ‘Sheherazade and the 101 Data Privacy Laws: Origins, Significance and Global Trajectories’ (2014) 23(1) Journal of Law, Information & Science, Special Edition: Privacy in the Social Networking World, 8, 17. Graham Greenleaf, ‘Global Data Privacy Laws 2021: Despite COVID Delays, 145 Laws Show GDPR Dominance’ (2021) 169 Privacy Laws & Business International Report 1, 1–2. See the original Federal ‘Code of Fair Information Practice’ in the US Department of Justice Library, US Department of Health, Education and Welfare: Secretary’s Advisory Committee on Automated Personal Data Systems, ‘Records, Computers, and the Rights of Citizens’ (1973) xx–xxi; Organisation for Economic Cooperation and Development (OECD), Guidelines

https://doi.org/10.1017/9781108784818.002 Published online by Cambridge University Press

2.3 The Evolution of the Right to Data Protection in the EU Legal Order

21

Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), however, focused more on protecting human rights, including the free flow of information, but also, and notably, the right to privacy.14 The US Department of Health, Education and Welfare published the original 1973 FIPPs, which codified widely accepted practices on maintaining informational privacy in an electronic marketplace.15 The FIPPS are simply recommendations and are not legally enforceable. Nonetheless, they have greatly influenced subsequent legal instruments on protecting personal data to enhance the free flow of information. The relevant organisations that drew up the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the 1981 Council of Europe Convention 108 consciously followed and expanded the major principles in the FIPPs.16 In view of this, it could be argued that the FIPPs, being the core of early data protection principles and quickly enshrined in legal instruments, are neither controversial nor contested around the world. In other words, the FIPPs could be evidence of a widely accepted data protection norm. This research argues, however, that the FIPPs were more a short set of principles linked to the free flow of information and trade that unsurprisingly influenced subsequent, similar instruments. Diverse national data protection laws and no existing global data protection instrument confirm that a globally accepted data protection norm does not exist. The OECD Guidelines enshrine eight basic data protection principles, outlined here.17 There should be limits on collecting personal data, and it should be collected lawfully and fairly (data collection). It should be relevant and accurate (data quality). Data controllers or processors should specify the purpose of collecting specific personal data (purpose specification). This data should not be used for purposes apart from the one specified except where the data subject has consented to this use or by the authority of law (use limitation). Reasonable safeguards should protect the security of the personal data

14

15 16

17

Governing the Protection of Privacy and Transborder Flow of Personal Data, 23 September 1980. The FIPPs do not mention human rights. The OECD Guidelines mention the protection of privacy, but not in human rights terms. Council of Europe, Convention for the Protection of Individuals with Regard to the Automatic Processing of Individual Data, 28 January 1981, ETS 108; Frits W Hondius, ‘A Decade of International Data Protection’ (1983) 30 Netherlands International Law Review 106. FIPPs (n 13). Robert Gellman, ‘Fair Information Practices: A Basic History – Version 2.22’ (2022) 12 ; OECD Guidelines; Council of Europe, Convention 108. OECD Guidelines paras 7–14.

https://doi.org/10.1017/9781108784818.002 Published online by Cambridge University Press

22

Conceptual Approaches to Data Protection

(security safeguards). There ought also to be openness relating to the personal data, and the data subject should have ready access to the data controller, information about the data and any developments (openness principle). Data subjects should have the right to request and receive data pertaining to them and to have such data rectified if they challenge it (individual participation). A data controller should be accountable for complying with the principles as the law encodes them (accountability). These principles appear in various forms in subsequent European data protection instruments, including the 1981 Convention 108, the 1995 Data Protection Directive (DPD) and the 2018 General Data Protection Regulation (GDPR).

2.3.2 From National Laws to EU Law Beyond early international instruments, it is important to acknowledge some European, country-specific data protection laws and how they eventually fed into EU law. In the 1970s, various European States had ad hoc acts or constitutional-level provisions on data processing.18 The developing European Economic Community, technological advancements and increased cross-border data trade inspired incipient data protection laws.19 Some States’ early laws moved beyond trade and were connected to the privacy of information, too. For example, public outcry over a 1969 public census and the authorities’ access to personal data in Sweden prompted that State’s 1973 data processing laws, which shows how some of the public were concerned about the privacy of their personal data.20 This concern was translated into their law. Other States’ data processing laws, however, were not necessarily inspired by privacy concerns, nor did they contain explicit references to a right to privacy.21 Whilst certain States included an implied reference to data protection at a constitutional level, in 1978, Austria became the first State to acknowledge a fundamental right to data protection, albeit as part of the right to privacy.22 18

19

20

21 22

These States include Austria, Denmark, France, Germany, Greenland, Luxembourg, Norway and Sweden. Greenleaf, ‘Sheherazade and the 101 Data Privacy Laws’ (n 11) 17; Gloria González Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU (Springer 2014) 70–71. Sian Rudgard, ‘Origins and Historical Context of Data Protection Law’ in Eduardo Ustaran (ed), European Privacy: Law and Practice for Data Protection Professionals (International Association of Privacy Professionals 2012) 3, 3. Eleni Kosta, Consent in European Data Protection Law (Martinus Nijhoff Publishers 2013) 40; González Fuster, The Emergence of Personal Data Protection (n 18) 58. González Fuster, The Emergence of Personal Data Protection (n 18) 64. Ibid., 67 and 71 citing Federal Act of 18 October 1978 on the protection of personal data, Bundesgesetzblatt No 565/1968.

https://doi.org/10.1017/9781108784818.002 Published online by Cambridge University Press

2.3 The Evolution of the Right to Data Protection in the EU Legal Order

23

The EU’s Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data or the DPD was adopted in 1995.23 Grounded in the Council of Europe Convention 108’s provisions, the DPD maintained the notion that data processing required a balance between protecting individuals and enabling the free flow of data, a fundamental freedom.24 Nonetheless, domestic European conceptions of the links between data protection, privacy and fundamental rights in general differed widely. Indeed, as fundamental rights became increasingly emphasised in the EU, there was no clear, widespread or consistent constitutional tradition in Member States on the right to data protection.25 Various EU institution reports and national constitutions throughout the 1990s reflected the evolution of the content of the right to data protection: it was still part of the right to privacy, it was not always subject to constitutional protections, and emphasis was often on the right to the free flow of information.26 Before the Charter gained binding legal effect, legal developments in primary and secondary EU law increasingly conflated the free flow of information provisions, intended to provide internal market freedoms, with data protection provisions.27 As such, EU law that was enacted to enable the free flow of personal data within the framework of internal market freedoms began to take on more of a human rights dimension.28 The CJEU also emphasised the connection to data protection on the basis of Article 8 ECHR on the right to respect for private and family life.29 The Court saw data protection as a tool to safeguard part of the right to privacy. The European Commission’s 1999 Report of the Expert Group on Fundamental Rights referenced the ‘quest for improvement of the protection of personal data’.30 More concretely, in 1999, the Article 29 Working Party (the EU data protection advisory body) recommended that the European

23

24 25 26 27 28 29

30

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ 1995 L 281/31 (DPD). González Fuster, The Emergence of Personal Data Protection (n 18) 156. Ibid., 185. For an overview of the documents, see Ibid., 187–189. Ibid., 156. Ibid. Ibid., 133 citing Joined Cases C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk and Others [2003] ECLI:EU:C:2003:294. González Fuster, The Emergence of Personal Data Protection (n 18) 191–192 citing European Commission, Expert Group on Fundamental Rights, ‘Affirming Fundamental Rights in the European Union – Time to Act: Report of the Expert Group on Fundamental Rights’ (Publications Office 1999).

https://doi.org/10.1017/9781108784818.002 Published online by Cambridge University Press

24

Conceptual Approaches to Data Protection

Commission, the European Parliament and the Council of the European Union include a unique right to data protection in the then recently proposed EU Charter.31 The Working Party asserted that including a separate right to data protection was important, inter alia, to signify the right’s increasing importance in the information society.32 Based on the recommendation, the Charter recognised the right to data protection as a newly enshrined fundamental right.33 This recognition was not surprising considering that it responded to social values, fast-developing technological capabilities, national laws and broad consensus in the EU.34 Protecting a fundamental right is an oft-cited, but not the only reason the EU is applying its data protection extraterritorially. It is perhaps the most effective way to justify EU extraterritorial action in terms of perceived legitimacy. No matter the real underlying reasons for the EU to apply its laws extraterritorially, the right to data protection is evolving to carry more weight and the EU is using it to prescribe or promote its legislation externally. Nonetheless, there must be some territorial limit to EU data protection law as it may not interfere with other States’ sovereignty by applying indiscriminately around the globe.

2.4 data protection as a value and right in the eu Moving on to values in the law, it is evident that human rights instruments are not value-neutral instruments. More than simply not being value-neutral, such instruments attempt to enshrine shared values as rights. Values are accorded normative and legal force. The fact that existing international human rights treaties do not recognise data protection as a specific right confirms data protection is more of a regional than global value. This is relevant to the section immediately below on data privacy in the US. It is also important in 31

32 33

34

Article 29 Working Party, Recommendation 4/99 on the Inclusion of the Fundamental Right to Data Protection in the European Catalogue of Fundamental Rights, (WP 26, 7 September 1999) 2. Ibid., 2. EU Network of Independent Experts on Fundamental Rights, ‘Commentary of the Charter of Fundamental Rights of the European Union’ (2006) 90. Tzanou argues that the EU Charter introduced a new fundamental right (to data protection): Tzanou, The Fundamental Right to Data Protection (n 6) 20. Cf with van der Sloot, who argues that data protection ought not to be treated as a fundamental right: ‘[I]it would be wise for courts and national legislators not to replicate the terminology of the European Union, but instead treat data protection as an ordinary consumer right.’ Bart van der Sloot, ‘Legal Fundamentalism: Is Data Protection Really a Fundamental Right?’ in Ronald Leenes, Serge Gutwirth, Paul De Hert and Rosamunde van Brakel (eds), Data Protection and Privacy: (In)visibilities and Infrastructures (Springer 2017) 28.

https://doi.org/10.1017/9781108784818.002 Published online by Cambridge University Press

2.4 Data Protection as a Value and Right in the EU

25

the discussion in Chapter 9 on the EU’s role as a global actor. The EU is a trailblazing example of a supranational organisation that recognises data protection as a specific fundamental right in a human rights instrument. The EU’s historical experiences with privacy inform how much importance the region accords to data protection. This research thus considers data protection a shared value amongst EU Member States as it is enshrined in the Charter as a fundamental right. When looking at the EU treaties and Charter, a right is more easily justiciable than a value. This research attempts to establish something of a connection between values in Article 2 Treaty on European Union (TEU) and the right to data protection in the Charter.35 Characterising data protection as a justiciable EU value could unlock its potential to underpin or legitimise an obligation for the EU to safeguard the right to data protection globally. The TEU limits the Charter’s application.36 Given that the Charter applies to EU institutions and bodies, and Member States only when they implement EU law, while the values in Article 2 TEU apply for Member States across the board, there is a distinction between the applicability of rights and values. This distinction could give strength to data protection as a value. Numerous provisions in EU treaties could justify promoting an EU value abroad. Article 2 TEU outlines that the EU’s aim to ‘promote its values’, one of which is the ‘respect for human dignity’, under which the right to privacy and the right to data protection fall.37 Article 3(5) TEU outlines that ‘[i]n its relations with the wider world, the Union shall uphold and promote its values [see Article 2 TEU] . . . . It shall contribute to . . . the protection of human rights . . . as well as to the strict observance and the development of international law’.38 Promoting values, however, is different from protecting human rights. For elaboration on these terms, see Chapter 3 on human rights obligations. Article 21 TEU further strengthens the EU’s capacity to act unilaterally: ‘[T]he Union shall define and pursue common policies and actions, and shall work for a high degree of cooperation in all fields of international relations, in order to:

35 36

37

38

Consolidated Version of the Treaty on European Union [2012] OJ C326/01 (TEU) art 2. ‘The provisions of the Charter shall not extend in any way the competences of the Union as defined in the Treaties’ – Ibid., art 6(1). ‘The Union is founded on the values of respect for human dignity . . . and respect for human rights . . . These values are common to the Member States’. Ibid., art 2. See too González Fuster, The Emergence of Personal Data Protection (n 18) 23. Lorand Bartels, ‘The EU’s Human Rights Obligations in Relation to Policies with Extraterritorial Effects’ (2015) 25(4) European Journal of International Law 1071, 1073.

https://doi.org/10.1017/9781108784818.002 Published online by Cambridge University Press

26

Conceptual Approaches to Data Protection

(a) safeguard its values [and to] consolidate and support . . . human rights and the principles of international law.’39 In terms of internal policy with external effects, EU institutions have various human rights obligations. Article 21(1) TEU outlines the Union’s action principles.40 Democracy, the rule of law, and the universality and indivisibility of human rights and fundamental freedoms are implicit in the notion that principles that guide the Union’s international action have inspired its creation, development and enlargement. The Charter plays a role in EU development and enlargement. Article 51 of the Charter confirms that it is binding on EU institutions.41 Although the Charter may not amount to a basis for competence, it is nevertheless the duty of institutions to pay attention to the rights and principles in the Charter. When the institutions act on the international stage, it is understood that they consider the Charter’s provisions by, for example, mainstreaming rights in decision-making processes. Similarly, the European Commission, in its relations with third countries, has acknowledged that ‘[g]iven the cross-border nature of issues such as data protection . . . justice cooperation beyond EU level takes on even greater importance’.42 As demonstrated above, there are important links between data protection as a value and right. It is difficult, however, to use a value such as data protection to justify exercising jurisdiction, even though that value might be enshrined in legally binding, primary EU law, such as the TEU. Focusing on data protection as both a value and a right in the EU could enhance a claim to jurisdiction in conflicts with third States over data protection law. It therefore helps to turn to the fundamental right to data protection in the Charter, which reflects the EU’s values, in an attempt to discern the EU’s obligations to safeguard this right. Article 8(1) of the EU Charter overtly endows everyone with data protection rights, giving it a universal quality.43 The EU’s regulation is highly influential and other States have enacted data protection laws to mirror this regulation, so it is extending an equivalent degree of data protection to citizens of third States. There is some sentiment that, as it is based on fundamental rights law in the EU, data protection law should protect universal values.44 This would represent a move away from the

39 40 41 42

43 44

TEU art 21(2)(a) and (b). Ibid., art 21(1). EU Charter art 51(1). European Commission, ‘Relations with Third Countries’ (2011) accessed 11 March 2018. EU Charter art 8(1). ‘[D]ata protection law should be oriented towards the protection of universal values, and not just those that are local or national. This should be seen not as a weakening of local values, but

https://doi.org/10.1017/9781108784818.002 Published online by Cambridge University Press

2.5 Information Privacy in the United States

27

local construction discussed above to a global conception of data protection. This approach raises questions of whether fundamental rights law in the EU should protect universal values and, if so, whether data protection is a universal value. The present research argues that data protection is demonstrably not a universal or global value. EU fundamental rights law in this example should therefore not dictate ‘global’ fundamental rights, although it does influence them.

2.5 information privacy in the united states Individuals in the EU and US enjoy different legal protections of their rights to general privacy and information privacy. Where the EU refers to ‘data protection’ and ‘data subjects’, the US uses instead ‘information privacy’ and ‘privacy consumers’.45 In a hugely influential article in the 1890 Harvard Law Review, US lawyers Samuel D Warren and Louis D Brandeis articulated a right to privacy in the US, manifested principally as an individual’s ‘right to be let alone’.46 As explained below, the US Constitution, state constitutions, common law privacy torts, and specific sectoral or state statutes protect the right to privacy in the US. The fundamental right to data privacy is notably absent in the US legal order. This section first looks broadly at the different approaches to data privacy in the US and EU, and the historical reasons for these disparities. It then looks at the qualities that US laws regulating informational privacy have in common with each other. Finally, it concludes that both value and legal systems are sufficiently different to have informed jurisdictional clashes. Unlike in the EU, where the ECHR, EU Charter and Member State constitutions articulate an explicit right to privacy, the US Supreme Court has found an implied right to privacy in, amongst others, the Fourth Amendment to the Constitution.47 Many state constitutions, however, enshrine this right

45 46

47

as a strengthening of fundamental rights at a global level.’ Christopher Kuner, Transborder Data Flows and Data Privacy Law (Oxford University Press 2013) 183. Ibid., 122. Samuel D Warren and Louis D Brandeis, ‘The Right to Privacy’ (1890) 4 Harvard Law Review 193. Some authors credit Warren and Brandeis with having invented the right to privacy as a legal concept, at least in the US, see: Dorothy J Glancy, ‘The Invention of the Right to Privacy’ (1979) 21 Arizona Law Review 1. For more on privacy in the US, see: Daniel J Solove, ‘A Taxonomy of Privacy’ (2006) 154(3) University of Pennsylvania Law Review, 477; Robert C Post, ‘Three Concepts of Privacy’ (2001) 89(6) Georgetown Law Journal 2087; Alan F Westin, Privacy and Freedom (Atheneum 1967). For example, Griswold v Connecticut, 381 US 479 (1965); Edward R Alo, ‘EU Privacy Protection: A Step towards Global Privacy’ (2014) 22 Michigan State International Law Review 1095, 1101 citing David Banisar and Simon Davies, ‘Global Trends in Privacy Protection: An

https://doi.org/10.1017/9781108784818.002 Published online by Cambridge University Press

28

Conceptual Approaches to Data Protection

specifically.48 The Fourth Amendment prevents the government from interfering in someone’s personal or private life when the individual has a ‘reasonable expectation of privacy’.49 Furthermore, in the Congressional Findings and Statement of Purpose of the Privacy Act of 1974, Congress affirmed that ‘the right to privacy is a personal and fundamental right protected by the Constitution of the United States’.50 Various privacy torts also protect privacy. These include the following: (i) the unreasonable intrusion upon the privacy of another; (ii) the public disclosure of private facts; (iii) publicly portraying someone in a false light; and (iv) appropriating someone’s name or likeness.51 Most pertinent to this research, however, are the sector-specific, fragmented information privacy laws in the US; indeed the very fact that it has them is relevant. All this considered, the US legal order does not reflect the coherent, rights-oriented data protection tradition of EU law. There are various social, economic, political and historical reasons for the distinct conceptions of data protection on each side of the Atlantic. A study of these goes far beyond the scope of this research. Very briefly, Europe’s experience with the Second World War fascism and subsequent authoritarian regimes informs its citizens’ wariness of mass and indiscriminate data collection for unidentified purposes. During the Second World War, the Nazi regime used extensive government records, including reference to race, ethnicity and religion, to facilitate the arrest and deportation of ethnic minorities. Likewise, the authoritarian regimes of the communist Eastern bloc maintained extensive records on their citizenry, and pressured neighbours, colleagues and friends to pass along any compromising information to the authorities. The misuse of personal information in parts of Europe led to it being a tool of oppression in the twentieth century, with adverse consequences. In contrast, the US has not witnessed such events, and its laissez-faire economic approach and emphasis on individual liberty inform its different approach to information privacy.

48

49 50 51

International Survey of Privacy, Data Protection, and Surveillance Law and Developments’ (1999) 18(1) John Marshall Journal of Computer and Information Law 1, 108. The unique characteristics of the US constitutional system and its impact on data privacy is important to consider when making comparisons with the equivalent EU system; see Georg Nolte, ‘European and US Constitutionalism: Comparing Essential Elements’ in Georg Nolte (ed), European and US Constitutionalism (Cambridge University Press 2005) 3–21. See, e.g., the Californian Constitution, which, based on a 1974 proposition, gives citizens an inalienable right to pursue and obtain privacy. Cal Const (1879), art 1, section 1. See, e.g., Katz v United States, 389 US 347 (1967). Privacy Act 5 USC § 552(a) sec 2 para 4. Restatement (Second) of Torts (Am Law Inst 1977); William L Prosser, ‘Privacy’ (1960) 48 California Law Review 383.

https://doi.org/10.1017/9781108784818.002 Published online by Cambridge University Press

2.5 Information Privacy in the United States

29

In a seminal article on the ‘two Western cultures of privacy’, James Whitman – in essence – placed the EU on a dignity side and the US on a liberty side of a privacy spectrum.52 These considerations are broad and blurred in reality; however, the overarching distinction is evident in each body’s laws.53 The EU model uses rights-focused legal discourse whilst the US is more focused on the market.54 US ‘privacy consumers’ are quicker to put trust in corporations that collect and process their personal information. Indeed, the cliché is that they are more likely to trust corporations with their data than the government. The Fourth Amendment preventing unreasonable government searches and seizures demonstrates this approach. Conversely, the EU’s regulatory framework provides many safeguards against the private sector’s interference in someone’s privacy.55 In the US, collecting and processing personal data is lawful unless a certain regulation specifically limits it.56 An individual has to actively opt out of having their personal data transferred or otherwise processed. In the EU, however, such data processing is unlawful unless a data controller has a legal basis for processing. Broadly, the data subject needs to show freely given, specific, informed and unambiguous consent for their personal data to be collected and processed.57 The US framework has very specific rules that warrant full legal compliance.58 It is less stringent with sensitive data and public records, which is a corollary to prominent free speech rights.59 As mentioned above, perhaps the key difference between the EU and US legal orders for data privacy is that the former has an omnibus regulation and the US has sectoral approaches.60 The US order also acknowledges self52

53

54

55

56

57

58 59 60

James Q Whitman, ‘The Two Western Cultures of Privacy: Dignity versus Liberty’ (2004) 113 (6) Yale Law Journal 1151. Chris Jay Hoofnagle, Federal Trade Commission Privacy Law and Policy (Cambridge University Press 2016) 317. Paul M Schwartz and Karl-Nikolaus Peifer, ‘Transatlantic Data Privacy’ (2017) 106 Georgetown Law Journal 115, 119. David Cole and Federico Fabbrini, ‘Bridging the Transatlantic Divide? The United States, the European Union, and the Protection of Privacy across Borders’ (2016) 14(1) International Journal of Constitutional Law 220, 221–222. Allen E Schoenberger, ‘Privacy Wars: EU versus US: Scattered Skirmishes, Storm Clouds Ahead’ (2007) 17 Indiana International & Comparative Law Review 355, 389 citing DPD and Gramm-Leach-Bliley Act 15 USC §§ 6801–6809, 15 USC §§ 6821–6827. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L 119 (GDPR) arts 6(a) and 7. Hoofnagle, Federal Trade Commission Privacy Law and Policy (n 53) 311. Ibid., 315–316. Ibid., 310.

https://doi.org/10.1017/9781108784818.002 Published online by Cambridge University Press

30

Conceptual Approaches to Data Protection

regulation and regulation by private actors. Of the data processing acts that it does regulate, US law has different approaches for different types of data, the public and private sectors, and different sectors and industries within those. There are hundreds of consumer protection and information privacy laws at both federal and state levels, which cover different threats, and balance different interests spanning freedom of speech, technological potential and private enterprise.61 The California Privacy Rights Act, most of which starts applying from 2023, has the clearest parallels with European rules and offers some clear, enforceable data privacy rights.62 Other US states have passed or are passing similar such data privacy, or consumer data protection, laws.63 Some examples of ad hoc US legislation that cover issues pertaining to the privacy of personal information include statutes on electronic communications, health data, children’s online privacy and financial data. For example, the Fair Credit Reporting Act of 1970 protects the information that credit reporting agencies collect about consumers and sell to creditors, employers and other businesses.64 The Electronic Communications Privacy Act of 1986 extends existing government restrictions on telephone tapping (wiretapping) to include electronic communications.65 In the late 1990s, around the same time EU Member States were transposing the DPD into their national laws, the US Congress started regulating some fields that processed a lot of oftensensitive personal data. The relevant laws include the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Children’s Online Privacy Protection Act of 1998 (COPPA) and the Gramm-Leach-Bliley Act of 1999.66 The HIPAA regulates data collected by healthcare institutions. The COPPA applies to entities that collect and process personal data pertaining to children under the age of thirteen years, and aims to protect their privacy and safety online. Interestingly, it was the first legislation of its kind and, as it also applies to websites run by non-US operators, has had extraterritorial effect. Finally, the Gramm–Leach–Bliley Act aims to enhance competition in the

61

62 63

64 65

66

Lothar Determann, ‘Adequacy of Data Protection in the USA: Myths and Facts’ (2016) 6(3) International Data Privacy Law 244, 246. California Privacy Rights Act Cal Civ Code § 1798.100–1798.199.100. This includes Virginia (Virginia Consumer Data Protection Act 2021), Colorado (Privacy Act 2021), Utah (Utah Consumer Privacy Act 2022), New York, Texas and Florida. Fair Credit Reporting Act 15 USC §§ 1681–1681x. Electronic Communications Privacy Act 18 USC §§ 2510–2523, 18 USC §§ 2701–2713, 18 USC §§ 3121–3127. Health Insurance Portability and Accountability Act 42 USC § 1320d–2; Children’s Online Privacy Protection Act 15 USC §§ 6501–6506; Gramm-Leach-Bliley Act 15 USC §§ 6801–6809, 15 USC §§ 6821–6827.

https://doi.org/10.1017/9781108784818.002 Published online by Cambridge University Press

2.6 A Global Approach to Data Protection

31

financial services industry, but includes provisions on how financial institutions should safeguard private personal information. Having examined US information privacy approaches and regulation, it is clear that there is no comparable fundamental right to data protection in the US as there is in the EU, particularly as the US Constitution does not extend horizontally between individuals.67 Even if there are certain shared underlying values, anything close to the European data protection principles enshrined in law is largely unknown in the US. Indeed, these principles are ‘essentially absent’ in US law.68 This lack of equivalence triggered the EU’s first unilateral action in requiring the US to ratchet up its legal data privacy protections.

2.6 a global approach to data protection The long reach of EU law opens up debate about how it interacts with other States and, in general, what kind of jurisdiction States may claim over the Internet. If the EU requires US companies to comply with EU fundamental rights, does it imply the EU would accept, for example, Russia requiring US companies to comply with their provisions on not dispersing ‘homosexualpromoting propaganda’ online? The human rights dimension of data protection differs widely around the world. In the Asia-Pacific region, for instance, the Asia-Pacific Economic Cooperation (APEC) Privacy Framework and the Association of Southeast Asian Nations (ASEAN) push harmonisation for economic reasons far more than for human rights protection reasons. They cite the business potential of the digital economy and how a privacy framework can enable regional data transfers.69 The African Union, on the other hand, connects human rights to data protection in a stronger way that is more similar to the EU.70 Scholars generally accept that constitutionalism and harmonisation would not work in the foreseeable future, largely due to the 67

68 69

70

Schwartz and Peifer, ‘Transatlantic Data Privacy’ (n 54) 115, 132 citing Geoffrey R Stone and others, Constitutional Law (7th edn, Wolters Kluwer 2013) 1543 and Frank I Michelman, ‘The State Action Doctrine’ in Vikram David Amar and Mark V Tushnet (eds), Global Perspectives on Constitutional Law (Oxford University Press 2009) 228. Schoenberger, ‘Privacy Wars: EU versus US’ (n 56) 393. ‘APEC member economies realize the enormous potential of the digital economy to continue to expand business opportunities, reduce costs, increase efficiency, improve the quality of life, and facilitate the greater participation of small business in global commerce. A framework to protect privacy within and beyond economies and to enable regional transfers of personal information benefits consumers, businesses, and governments’. Asia-Pacific Economic Cooperation, APEC Privacy Framework (2015) foreword. Lee A Bygrave, Data Privacy Law: An International Perspective (Oxford University Press 2014) 83.

https://doi.org/10.1017/9781108784818.002 Published online by Cambridge University Press

32

Conceptual Approaches to Data Protection

underlying ideological differences between the EU conception of data protection and those conceptions in third States.71 As such, it might be useful to turn to a multilateral solution. Data protection does feature in the abovementioned international instruments including the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the Council of Europe Convention 108.72 Some multilateral agreements in the field of data protection include the Montreux Declaration, the Madrid Resolution and the Schengen Information System within the EU.73 Whilst protecting the right to data protection is an internationally important issue, and drafting a UN framework convention or an additional protocol to the ICCPR have been suggested, there is currently not enough political will to develop formal global data protection standards.74 Aside from the complexities of there being no wholly relevant international organisation to draft and monitor a data protection treaty, it is difficult to complete the time-consuming task of drafting, implementing and enforcing a data protection treaty when underlying cultural and social norms do not lend themselves to States agreeing on such standards.75 Furthermore, such an instrument would be dependent on securing ratifications, which could very well be few. To what extent should the EU recognise the US’ (and other countries’) conceptions of data protection, rights and interests? Given these issues, it is evident that the EU’s unilateralism will set global data privacy standards for the foreseeable future.

71

72

73

74

75

Ibid., 205 citing Kuner, ‘An International Legal Framework for Data Protection’ (n 8) 307, 307 and Joel R Reidenberg, ‘Resolving Conflicting International Data Privacy Rules in Cyberspace’ (1999) 52(5) Stanford Law Review 1315, 1315. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980); Convention 108. 27th International Conference of Data Protection and Privacy Commissioners, ‘The Protection of Personal Data and Privacy in a Globalised World: A Universal Right Respecting Diversities (‘Montreux Declaration’)’ (2005); 31st International Conference of Data Protection and Privacy Commissioners, ‘Resolution on the Strengthening of the International Cooperation in the field of Data and Privacy Protection (‘Madrid Declaration’)’ (2009); European Commission, ‘Schengen Information System’ . Bygrave, Data Privacy Law: An International Perspective (n 70) 205 citing, e.g., a resolution of the 35th International Conference of Data Protection and Privacy Commissioners (2013); for signs of some desire to develop common standards, see Joseph A Cannataci, ‘Games People Play: Unvarnished Insights on Privacy at the Global Level’ in Gert Vermeulen and Eva Lievens (eds), Data Protection and Privacy under Pressure: Transatlantic Tensions, EU Surveillance, and Big Data (Maklu 2017) 13–48. Whitman, ‘The Two Western Cultures of Privacy’ (n 52) 1219.

https://doi.org/10.1017/9781108784818.002 Published online by Cambridge University Press

3 The European Union’s Obligations to Safeguard the Fundamental Right to Data Protection Extraterritorially

3.1 introduction This chapter looks at the EU’s obligations to protect the fundamental right to personal data protection extraterritorially under international human rights law. It conceives of the EU as a duty-bearer: the Union exercises jurisdiction, is obliged to become a party to the European Convention on Human Rights (ECHR) and is arguably becoming a human rights actor in its own right. The research explores how far the EU’s obligations should extend. Whilst data protection in the EU was initially conceived of in market terms, it is increasingly connected with fundamental rights. The growing weight of the fundamental right to data protection in the EU is arguably linked to the increased territorial reach of EU data protection law. This raises questions of how to apply what is considered a fundamental right in the EU in a virtual, borderless space and ultimately in third States. This research focuses mostly on international human rights law to determine the obligatory, as an extension of the permissive, application of law in public international law terms, that is, the exercise of prescriptive jurisdiction. Prescriptive jurisdiction is understood as a State’s authority to make law. The chapter begins by looking briefly at the extraterritorial dimension of EU data protection law; next, it justifies using a public international law and international human rights law approach to examine the right to data protection; it then delineates the EU’s obligations to protect this right extraterritorially under international human rights law; and ends by looking at the consequences of the right’s evolution within the EU.

33

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

34

Safeguarding Right to Data Protection Extraterritorially

3.2 the eu charter’s scope of application The Charter of Fundamental Rights of the European Union (EU Charter) applies to EU institutions and bodies, and to Member States ‘only when they are implementing Union law’.1 Unlike, for example, the ECHR, the Charter mentions neither jurisdiction nor territory.2 The Charter’s provisions follow the application and enforcement of EU law, rather than EU territory.3 Its scope of application seems to suggest EU ‘territory’ is not physical. For data protection law purposes, however, EU territory is understood to be physical or geographical. As data processing acts, such as cross-border data transfers, happen under the General Data Protection Regulation (GDPR) incorporated into Member State national law, the EU Charter may apply to such transfers.4 It may also apply where the GDPR explicitly lends itself to extraterritorial application.5 Furthermore, the Court of Justice of the European Union (CJEU) has confirmed that the EU data protection law must be interpreted ‘in the light of the fundamental rights guaranteed by the Charter’.6 The question that follows is whether data processing in third States could fall within the remit of EU law under the GDPR, thus prompting the EU Charter to apply. When applying laws adopted pursuant to the GDPR, Member States could conceivably apply EU law to extraterritorial situations. As this satisfies the scope requirement for triggering the application of the EU Charter, being that the Charter applies when a Member State is implementing EU law, the Charter’s provision on the fundamental right to data

1 2

3

4

5 6

Charter of Fundamental Rights of the European Union [2010] OJ C 83/02 art 51(1). Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended, 4 November 1950, ETS 5 art 1. Violeta Moreno-Lax and Cathryn Costello, ‘The Extraterritorial Application of the EU Charter of Fundamental Rights: From Territoriality to Facticity, the Effectiveness Model’ in Steve Peers, Tamara Hervey, Jeff Kenner and Angela Ward (eds), The EU Charter of Fundamental Rights: A Commentary (Hart Publishing 2014) 1662. The territorial scope of the Charter is not limited to a ‘geographical definition of the EU’, but is rather the ‘field of application of the treaties’. Elspeth Guild, Sergio Carrera, Leonhard den Hertog and Joanna Parkin, ‘Implementation of the EU Charter of Fundamental Rights and Its Impact on EU Home Affairs Agencies’, European Parliament (2011) 48. See also Cedric Ryngaert, ‘EU Trade Agreements and Human Rights: From Extraterritorial to Territorial Obligations’ (2018) 20(3–4) International Community Law Review 374, 378–383. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L 119 (GDPR) arts 44–45. Ibid., art 4. Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU: C:2015:650 para 38. This was referring to the DPD, but is still relevant vis-à-vis the GDPR.

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

3.3 Data Protection as a Fundamental Right in the EU

35

protection, and the associated obligations flowing therefrom, could apply in extraterritorial situations. Physical EU territory is important in applying the GDPR; Article 3 GDPR requires a territorial connection for EU law to apply to a non-EU data controller or processor.7 If the Charter, however, applies to situations in which EU law applies, the lack of extra criteria ‘of a territorial character or otherwise’ could potentially strengthen the EU’s attempts to apply its data protection laws outside its physical territory.8 In the CJEU’s Polisario Front case, which touched upon territoriality and the applicability of EU law, the Advocate General acknowledged that ‘fundamental rights may, in some circumstances, produce extraterritorial effects’ and that the EU Charter would apply to an activity ‘governed by EU law and carried out under the effective control of the EU and/or its Member States but outside their territory’.9 Whilst the Advocate General used the control standard typically used in military operations, which the Court did not follow, this research suggests that this standard may apply in online data privacy situations too, as Section 3.5 elucidates. Having established that EU Charter obligations could apply to extraterritorial data processing, the next step is to determine the reach of these obligations by looking at international human rights law.

3.3 data protection as a fundamental right in the eu The question can be raised of whether, based on international human rights law, the EU has an obligation to safeguard the right to data protection extraterritorially for EU data subjects, especially when their personal data is transferred, controlled or processed beyond the territorial borders of the EU. Fundamental rights are generally considered human rights rooted in a constitution.10 This research uses ‘human rights’ as an overarching or public international law term and ‘fundamental rights’ in specific EU instances. EU data protection law with extraterritorial effect focuses on protecting individuals rather than the EU itself or Member States. As such, the present discussion moves beyond just questions of territoriality and the EU’s interests as an 7 8

9

10

GDPR art 3 (titled ‘territorial scope’ and referring to ‘in the Union’). Moreno-Lax and Costello, ‘The Extraterritorial Application of the EU Charter of Fundamental Rights’ (n 3) 1680. Case C-104/16 P Council v Polisario Front [2016] ECLI:EU:C:2016:677, Opinion of AG Wathelet para 270 (citation to European Court of Human Rights jurisprudence omitted). See Ryngaert, ‘EU Trade Agreements and Human Rights’ (n 3) 380–382 for analysis of the General Court’s judgment in the Polisario Front case. ‘Fundamental right’ in Merriam-Webster.com Law Dictionary .

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

36

Safeguarding Right to Data Protection Extraterritorially

organisation to focus on individuals’ human rights. Enshrining data protection as a fundamental right in the EU bestows obligations upon the Union, which could provide a legitimate justification, or at least an explanation, for its unilaterally extending the reach of its data protection law. Most questions of the extraterritorial application of human rights have centred on military occupation in conflict situations, so the extraterritorial applicability of the right to data protection presents a unique problem.

3.4 the nature of the right to data protection and associated obligations According to Article 3(5) Treaty on European Union (TEU) and CJEU jurisprudence, the EU is obliged to respect international human rights duties in accordance with international treaties or customary international law.11 This section uses the lens of public international law to look at the nature of the right to data protection as it is enshrined in EU law. Data protection is subjective and not an absolute human right. It provides direct protection from the State and indirect protection for individuals from other individuals. This research uses international human rights law as a subset of public international law. This approach is justified in Sections 3.4.1 and 3.4.2. 3.4.1 Under Public International Law Despite the EU being a supranational organisation and not a State, it is accepted that public international law norms apply to it.12 Article 3(5) TEU confirms that ‘[i]n its relations with the wider world, the Union . . . shall contribute to . . . the protection of human rights . . . as well as to the strict observance and the development of international law’.13 Article 21 TEU adds that ‘[t]he Union’s action on the international scene shall be guided by the principles [of] the universality and indivisibility of human rights [and] respect 11

12

13

Lorand Bartels, ‘The EU’s Human Rights Obligations in Relation to Policies with Extraterritorial Effects’ (2015) 25 European Journal of International Law 1071, 1078; as elaborated on below, see also ‘[i]n its relations with the wider world, the Union shall uphold and promote its values . . .. It shall contribute to . . . the protection of human rights . . . as well as to the strict observance and the development of international law’. Consolidated Version of the Treaty on European Union [2012] OJ C326/01 art 3(5); Case C-366/10 Air Transport Association of America and Others v Secretary of State for Energy and Climate Change [2011] ECLI:EU:C:2011:864 paras 101–102. Moreno-Lax and Costello, ‘The Extraterritorial Application of the EU Charter of Fundamental Rights’ (n 3) 1663 citing Michael P Scharf, The Law of International Organisations (2nd edn, Carolina Academic Press 2007) and Christiane Ahlborn, ‘The Rules of International Organizations and the Law of International Responsibility’ (2011) 8 International Organizations Law Review 397. Bartels, ‘The EU’s Human Rights Obligations’ (n 11) 1073.

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

3.4 Nature of Right to Data Protection and Associated Obligations

37

for the principles of . . . international law’.14 The TEU mentions contributing to the strict observance and development of international law, and respecting its principles, which is not as strong as, for example, outright requiring the EU to adhere to public international law. The jurisprudence of the CJEU, however, further confirms the EU’s obligations vis-à-vis public international law. The Court in Air Transport Association of America repeated the TEU’s above provisions on international law and went further: ‘[The EU] is bound to observe international law in its entirety, including customary international law, which is binding upon the institutions of the European Union.’15 Certain internal market and fisheries cases exemplify how the EU sometimes adheres to a concept of jurisdiction under public international law.16 For instance, in the fisheries case Kramer, the CJEU applied an EU regulation, ‘in so far as the Member States have similar authority under public international law’, to fishing on the high seas.17 These cases show that EU courts and law ‘have drawn inspiration from public international law jurisdiction to establish the relevance and applicability of EU norms in extraterritorial situations’.18 It has even been asserted that CJEU judges have sometimes extended the scope of EU law beyond public international law conceptions of jurisdiction to effectively implement EU rights and obligations.19 Whilst it is noteworthy that scholars have observed the CJEU extending the scope of EU law to protect fundamental rights, this research limits itself to the premise that the TEU and case examples confer an obligation on the EU to observe public international law (Chapter 5 explores rules of State jurisdiction under public international law). Moreover, in a data protection context, the Article 29 Working Party and scholarship have confirmed that public international law is the ideal framework in which to analyse jurisdiction in data protection law.20 14 15

16

17 18

19 20

TEU art 21. Air Transport Association of America (n 11) paras 101 and 123. Also see judgments C‑286/90 Poulsen and Diva Navigation [1992] ECLI:EU:C:1992:453 para 9; C-162/96 Racke v Hauptzollamt Mainz [1998] ECLI:EU:C:1998:293 para 45; Joined Cases C-402/05 P and C-415/05P Kadi and Al Barakaat International Foundation v Council and Commission [2008] ECLI:EU:C: 2008:461 para 291. For an overview of examples, see: Moreno-Lax and Costello, ‘The Extraterritorial Application of the EU Charter of Fundamental Rights’ (n 3) 1664–1666 citing, e.g., Case C-214/94 Ingrid Boukhalfa v Federal Republic of Germany [1996] ECLI:EU:C:1996:174 para 22, Joined Cases 3, 4 and 6/76 Cornelis Kramer and others [1976] ECLI:EU:C:1976:114 paras 30–33 and Case 167/73 Commission of the European Communities v French Republic [1974] ECLI:EU:C:1974:35. Joined Cases 3, 4 and 6/76 Cornelis Kramer and others (n 16) paras 30–33. Moreno-Lax and Costello, ‘The Extraterritorial Application of the EU Charter of Fundamental Rights’ (n 3) 1667. Ibid. ‘While public international law only applies directly to relations between states, its role as the basic limiting standard of the international legal order provides the testing ground for

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

38

Safeguarding Right to Data Protection Extraterritorially

3.4.2 Under International Human Rights Law International human rights law as a subset of public international law is useful to delineate the nature of the EU’s obligations to protect the fundamental right to data protection when applying EU law extraterritorially. If they are binding under the EU treaties or customary international law, the EU must respect international human rights obligations.21 Broadly speaking, there is ‘[n]o formal hierarchy between human rights and “ordinary” international law’; however, this research adheres to the notion that treaties should be interpreted ‘in conformity with human rights’.22 Such an approach reaffirms the inextricable link between international human rights law and public international law. This section links those branches of law with EU data protection law. Granted, the EU Charter is not an EU treaty, but it is an important human rights instrument. It is part of primary EU law and has the same legal value as the EU treaties. In terms of subject matter, the Charter comes close to a human rights treaty: with an underlying foundation of preserving an individual’s human dignity, it aims to safeguard that individual’s rights.23 Furthermore, whilst the ECHR and European Court of Human Rights (ECtHR) jurisprudence are not directly binding on the EU, the rights in the Convention are closely connected to those in the EU Charter. The TEU establishes that the human rights that the ECHR guarantees amount to general principles of EU law.24 Although it applies to them indirectly, the CJEU often cites the ECHR and ECtHR jurisprudence in its judgments. By stating that the meaning and scope of rights in the Charter shall be equivalent

21 22

23

24

jurisdictional rules affecting private parties in different states as well; indeed, the Article 29 Working Party has recognized that jurisdiction under data protection law should be evaluated under public international law’ in Christopher Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 1)’ (2010) 18(2) International Journal of Law and Information Technology 176, 184 citing Article 29 Working Party, Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites (WP 56, 30 May 2002) 2, stating that ‘whether national (data protection) law applies to situations with links to several countries’ is ‘a general question of international law’. Bartels, ‘The EU’s Human Rights Obligations’ (n 11) 1078. Anne Peters, ‘Surveillance without Borders? The Unlawfulness of the NSA-Panopticon, Part II’ (EJIL: Talk!, 4 November 2013) . See also Erika De Wet and Jure Vidmar (eds), Hierarchy in International Law: The Place of Human Rights (Oxford University Press 2012). Marko Milanovic, Extraterritorial Application of Human Rights Treaties: Law, Principles, and Policy (Oxford University Press 2011) 3. TEU art 6(3).

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

3.4 Nature of Right to Data Protection and Associated Obligations

39

to the corresponding rights in the Convention, Article 52(3) of the EU Charter connects the rights it contains to those enshrined in the ECHR.25 The CJEU has referred to this article when considering relevant case law of the ECtHR.26 Moreover, the accession of the EU to the ECHR further links the EU Charter and CJEU with the ECHR and ECtHR.27 The Lisbon Treaty obligated the EU to become a party to the ECHR, thus creating an appropriate legal basis for the accession.28 Specifically, it amended the TEU and added Protocol 8 on the Accession of the Union to the ECHR to pave the way for establishing this legal basis.29 In addition, the Council of Europe amended the ECHR’s provisions on signing and ratifying the Convention, permitting the EU to accede to it.30 Nonetheless, the EU still has not succeeded in acceding to the ECHR.31 When it eventually does, this will only strengthen the connection between EU and Council of Europe human rights protection mechanisms. United Nations developments also help anchor the right to data protection in an international human rights law context. Since, and most likely expedited by, the 2013 Snowden revelations, the right to privacy has featured on the UN’s agenda. In 2013, 2014 and 2016, the UN General Assembly adopted Resolutions on the right to privacy in the digital age.32 In 2015, the UN Human Rights Council appointed a Special Rapporteur on the right to privacy.33 The 2013 and 2014 UN General Assembly Resolutions focus heavily on the right to privacy

25 26

27

28

29

30

31 32

33

EU Charter art 52(3). Allan Rosas, ‘The European Union and Fundamental Rights/Human Rights’ in Catarina Krause and Martin Scheinin (eds), International Protection of Human Rights: A Textbook (Åbo Akademi University 2012) 298. See also C-279/09 DEB Deutsche Energiehandels- und Beratungsgesellschaft mbH v Bundesrepublik Deutschland [2010] ECLI:EU:C:2010:811. Commission of the European Communities, ‘Memorandum on the Accession of the European Communities to the Convention for the Protection of Human Rights and Fundamental Freedoms’, COM (79) 210 final, 2 May 1979, Bulletin of the European Communities, Supplement 2/79. ‘The Union shall accede to the European Convention for the Protection of Human Rights and Fundamental Freedoms. Such accession shall not affect the Union’s competences as defined in the Treaties.’ TEU art 6(3). Protocol (No 8) Relating to Article 6(2) of the Treaty on European Union on the Accession of the Union to the European Convention on the Protection of Human Rights and Fundamental Freedoms [2012] OJ C 326/1. Protocol No 14 to the Convention for the Protection of Human Rights and Fundamental Freedoms, Amending the Control System of the Convention (2004) art 17; ECHR art 59(2). See Opinion 2/13 of the Court [2014] ECLI:EU:C:2014:2454. G.A. Res 68/167, The Right to Privacy in the Digital Age (21 January 2014); G.A. Res 69/166, The Right to Privacy in the Digital Age (18 December 2014); G.A. Res 71/199, The Right to Privacy in the Digital Age (19 December 2016). UN Human Rights Council Res A/HRC/28/16 (1 April 2015).

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

40

Safeguarding Right to Data Protection Extraterritorially

and, within that framework, mention only the collection of personal data and not, for instance, the right to data protection, cross-border data transfers, data processing or data retention. The 2016 Resolution, however, mentions, inter alia, the ‘collecting, processing and sharing of personal data’.34 Nonetheless, the 2013 Resolution – and indeed each Resolution thereafter – ‘firmly puts the issue of electronic surveillance within the framework of international human rights law’, which further strengthens the impetus to use an international human rights law approach to analyse the EU’s data protection obligations.35

3.5 the extraterritorial application of human rights instruments Numerous scholars have written extensively on the extraterritorial application of human rights treaties, but few have attempted to apply human rights treaties to potential interferences with the right to data protection as distinct from the right to privacy.36 Marko Milanovic’s research on the extraterritorial application of the right to privacy in a surveillance context makes a palpable connection between the right to privacy and applying human rights treaties extraterritorially.37 His research uses ‘foreign surveillance’ as an umbrella term that includes, inter alia, data processing (‘the collection, storage, processing, and transfer of personal data to third parties’) in the context of looking at the extraterritorial application of the right to privacy.38 The right to data protection, which is relevant to ‘data processing’, and the right to privacy, however, are sufficiently different to warrant a unique analysis of the right to data protection, which Milanovic does not do. In other words, as the legal system 34 35 36

37

38

UNGA Res 71/199 (19 December 2016) UN Doc A/RES/71/199, preamble. Milanovic, Extraterritorial Application of Human Rights Treaties (n 23) 85. Francesca Bignami and Giorgio Resta, ‘Human Rights Extraterritoriality: The Right to Privacy and National Security Surveillance’ in Eyal Benvenisti and Georg Nolte (eds), Community Interests across International Law (Oxford University Press 2018); Ilina Georgieva, ‘The Right to Privacy under Fire – Foreign Surveillance under the NSA and the GCHQ and Its Compatibility with Art. 17 ICCPR and Art. 8 ECHR’ (2015) 31(80) Utrecht Journal of International and European Law 104; Ian Brown, ‘The Feasibility of Transatlantic PrivacyProtective Standards for Surveillance’ (2015) 23(1) International Journal of Law and Information Technology 23; Ian Brown and Douwe Korff, ‘Foreign Surveillance: Law and Practice in a Global Digital Environment’ (2014) 3 European Human Rights Law Review 243. Marko Milanovic, ‘Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age’ (2015) 56(1) Harvard International Law Journal 81. Ibid., 86; Milanovic only mentions data protection once, within the context of the right to privacy: ‘In developing an extraterritorial right to privacy we can always draw upon domestic experiences, including those on data protection’, citing Christopher Kuner, Transborder Data Flows and Data Privacy Law (Oxford University Press 2013).

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

3.5 The Extraterritorial Application of Human Rights Instruments

41

applicable to data protection is different and more specific than how that involving the right to privacy would apply, it is important to distinguish the data processing category from the others. It is, moreover, necessary and important to differentiate between the two rights when looking at extraterritorial jurisdiction in data protection law. To further distinguish the research, the EU may claim extraterritorial jurisdiction regarding its substantive data protection laws differently from how States Parties to the International Covenant on Civil and Political Rights (ICCPR) may claim extraterritorial jurisdiction over situations involving the right to privacy. If one accepts that some parts of the ICCPR may apply extraterritorially, it is important to note that this ‘does not mean that the ICCPR necessarily supports extraterritoriality of the particular approach to data privacy adopted in the European Union’.39

3.5.1 Jurisdiction under International Human Rights Law In the context of a discussion on extraterritoriality and the fundamental right to data protection, it has been argued that ‘jurisdiction’ under international human rights law is different from ‘jurisdiction’ under public international law.40 The ECtHR’s pronouncements in Bankovi´c that jurisdiction in human rights treaties equates to jurisdiction in general public international law have largely been criticised.41 Both approaches, however, misconstrue the concept 39

40

41

Dan Jerker B Svantesson, ‘The Extraterritoriality of EU Data Privacy Law: Its Theoretical Justification and Its Practical Effect on U.S. Businesses’ (2014) 50 Stanford Journal of International Law 53, 79. ‘Marko has argued cogently that the term “jurisdiction” as used in human rights treaties should be understood differently from its use in public international law’. Christopher Kuner, ‘Extraterritoriality and the Fundamental Right to Data Protection’ (EJIL: Talk!, 16 December 2013) . Whilst Milanovic does say that two concepts of jurisdiction (a classic public international law one and one often found in human rights treaties) ‘may be related, but . . . cannot possibly be the same’, he does not say that there is a strict difference between the two, but rather that one has to choose between several concepts of jurisdiction under general international law (Milanovic, Extraterritorial Application of Human Rights Treaties (n 23) 33, citations omitted). He is ‘not arguing that the word “jurisdiction” should be given a special meaning autonomous to human rights law. Rather, the word has several different and equally ordinary meanings in general international law itself, and the question is hence which of these meanings – which of these concepts – the jurisdiction clauses of human rights treaties refer to’ (Ibid., 53, emphasis in original). Wilde also reaches the same conclusion, see Ibid., 33 citing Ralph Wilde, ‘Triggering State Obligations Extraterritorially: The Spatial Test in Certain Human Rights Treaties’ (2007) 40(2) Israel Law Review, 503, 508, 513–514. See Bankovi´c and Others v Belgium and 16 Other Contracting States, App no 52207/99 (Grand Chamber, 12 December 2001) and, e.g., Wilde, ‘Triggering State Obligations Extraterritorially’ (n 40) 513; Milanovic, Extraterritorial Application of Human Rights Treaties (n 23) 262.

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

42

Safeguarding Right to Data Protection Extraterritorially

for the present purposes. This research adheres to the notion that jurisdiction in international human rights law is a manifestation of one of several ordinary meanings of jurisdiction under public international law, although it might be emerging that data protection law needs a unique form of jurisdictional trigger. Jurisdiction in public international law takes on a different meaning depending on the context in which it is used; one can accept there are many, not one ordinary, meanings of jurisdiction.42 Before analysing the EU’s positive human rights obligations, it is important to determine how to construe the form of jurisdiction in the EU Charter’s scope article. Whilst it has been recommended, a public international law approach to this is not always favoured: discussion on the EU Charter’s extraterritorial applicability ‘should be liberated from the often politically laden debate on borders and territory and brought to the less-statist space of EU competences and legality’.43 This sentiment, however, forgets that territorial sovereignty and the authority to legislate cannot possibly be divorced from political concerns.44 Further, it sidelines the importance of physical EU territory in EU data protection law; the EU’s public international law obligations; and the basic premise of public international law being founded on territorial sovereignty, which this research has shown are needed to continue a discussion on the extraterritoriality of the Charter.

3.5.2 Applying Different Models of International Human Rights Law Jurisdiction to European Data Protection Law It is useful to examine forms of international human rights law jurisdiction documented by scholars who have researched that topic in a privacy, data protection or cybersphere context. These forms of jurisdiction are apparent in various case law examples, however this section focuses on theoretical conceptions of jurisdiction.45 Broadly speaking, extraterritorial jurisdiction in the present context may be exercised where a State has control over either foreign territory or a foreign 42 43

44

45

Milanovic, Extraterritorial Application of Human Rights Treaties (n 23) 53. Moreno-Lax and Costello, ‘The Extraterritorial Application of the EU Charter of Fundamental Rights’ (n 3) 1682. ‘[J]urisdiction is not apolitical, it does not only manage technical legal rules. It is robustly implicated in politics and sovereignty, part of the original constitution of the polis as well as its ongoing reconstitution’. Asha Kaushal, ‘The Politics of Jurisdiction’ (2015) 78 Modern Law Review, 759, 786. For relevant case law on spatial jurisdiction, see, e.g., Milanovic, ‘Human Rights Treaties and Foreign Surveillance’ (n 37) 112–113 and for the personal model, see 114–118 of the same.

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

3.5 The Extraterritorial Application of Human Rights Instruments

43

person.46 These forms of jurisdiction under international human rights law mirror the territorial (spatial) and personality (personal) principles of public international law jurisdiction. This suggests that both concepts of jurisdiction are not dissimilar, which gives weight to the argument that international human rights law jurisdiction is a manifestation of one general form of public international law jurisdiction. Each model of international human rights law jurisdiction is discussed below. It is easier to apply some models to data protection than others, but none is completely ideal. This demonstrates the room, and perhaps the need, to come up with an original way of obliging the EU to exercise jurisdiction extraterritorially in data protection law. The spatial or territorial model, based on territory or effective control over territory, is difficult to apply in data protection examples because personal data is transferred and processed in multiple spaces or a virtual space. The GDPR uses, inter alia, the location of a data controller to establish a territorial nexus to Member State action. EU data protection law, however, can apply outside EU territory, over which the EU does not have effective control. Moreover, it would be difficult to determine precisely where and when an interference with someone’s right to data protection occurred. A data subject’s presence in the physical world is separate from an interference with their right to data protection in the virtual world.47 Indeed, both the interference with human rights and the protection thereof can occur far from an individual’s physical location. The personal model could therefore offer a more useful solution. It focuses on jurisdiction over an individual under the authority and control of a State or other actor.48 As the location of both the data subject and the interference are irrelevant in the personal model, it could apply more successfully in a data protection context. Both models, however, present issues related to control. To justify applying extraterritorial jurisdiction under the spatial model, someone has to exercise effective control over territory.49 Similarly, under the personal model, someone has to exercise authority or control over an individual. If one conceives of individuals as imbued with informational self-control over their personal data, this could move closer to a form of control over

46 47

48 49

See, e.g., Maarten den Heijer, Europe and Extraterritorial Asylum (Hart Publishing 2012) 29. Milanovic, ‘Human Rights Treaties and Foreign Surveillance’ (n 37) 81 citing Carly Nyst, ‘Interference-Based Jurisdiction over Violations of the Right to Privacy’ (EJIL: Talk!, 21 November 2013) . Milanovic, Extraterritorial Application of Human Rights Treaties (n 23) 173. Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) (Merits) [1986] ICJ Rep 14.

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

44

Safeguarding Right to Data Protection Extraterritorially

persons.50 It is difficult, however, to establish who has control and should therefore exercise jurisdiction over ‘personal data’ or a ‘data subject’. Milanovic outlines the positive and negative obligations of jurisdiction in the context of applying them to human rights treaties to safeguard the right to privacy extraterritorially.51 His research argues that, whilst it is not flawless, the positive and negative obligations model is the most effective jurisdictional model in offering simple and straightforward guidance on how human rights treaties apply to questions of electronic foreign surveillance.52 As data protection and foreign surveillance are linked, given their virtual, cross-border nature and connections with the right to privacy, Milanovic’s positive and negative obligations model is valuable in the context of this research. Under this model, a State would have a positive obligation to secure or ensure human rights, even by preventing third-party violations where it has effective control over an area.53 A State would also have a negative obligation to respect human rights by not interfering with the rights of individuals unless sufficiently justified.54 This obligation would not have to reach any jurisdictional threshold as it would not be limited to a specific territory or area of control.55 Milanovic proposes the following rule: ‘[T]he state obligation to respect human rights is not limited territorially; however, the obligation to secure or ensure human rights is limited to those areas that are under the state’s effective overall control.’56 In terms of data transfers, however, there are still difficulties with what constitutes effective control. What qualifies as authority, power or control? Manual, physical or coercive power is almost irrelevant in light of the technological capacity to process personal data today.57 Section 3.5.3 looks briefly at control in the cybersphere.

3.5.3 Control in International Human Rights Law Jurisdiction To better protect, for instance, the rights to privacy and data protection, it could be necessary to reinterpret control in the cyber age to determine what would 50

51 52

53 54 55 56 57

Orla Lynskey, ‘Deconstructing Data Protection: The “Added-Value” of a Right to Data Protection in the EU Legal Order’ (2014) 63 International & Comparative Law Quarterly 569, 595. Milanovic, Extraterritorial Application of Human Rights Treaties (n 23) 118–119. The model is not perfect, but it is ‘clear, predictable, precludes the vast majority or arbitrary outcomes and provides a relatively stable balance between considerations of universality and effectiveness’. Milanovic, ‘Human Rights Treaties and Foreign Surveillance’ (n 37) 119. Ibid., 119. Ibid. Ibid. Milanovic, The Extraterritorial Application of Human Rights Treaties (n 23) 263. Milanovic, ‘Human Rights Treaties and Foreign Surveillance’ (n 37) 120.

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

3.5 The Extraterritorial Application of Human Rights Instruments

45

trigger human rights obligations. It is worth considering a form of virtual control, a combination of the effective and virtual control thresholds, or a widening of the definition of control from the factual to the functional.58 If the effective control test is redundant when applied to cross-border data transfers, then Peter Margulies’ proposed ‘virtual control’ test can be used to determine State responsibility.59 His is a broad concept that asserts that virtual control qualifies as exercising control when allocating responsibility.60 For instance, if a State funded or supported an act by a private group that conducted a cyberattack, that State would be responsible for the attack.61 This test, however, is difficult to transpose onto interferences with the right to data protection. In such interferences, a State does not necessarily fund or support a specific act by a private actor. More common interferences would be, for example, a US company using EU data subjects’ personal data for a non-specified purpose or the US Department of Homeland Security retaining EU data subjects’ personal data for an excessive period of time. Attributing State responsibility does not readily inform who has the authority to exercise extraterritorial jurisdiction. Combining virtual control with other concepts could, however, prove more useful, as explored below. Valsamis Mitsilegas advocates conceiving of control over personal data as constituting both effective and virtual control, thereby prompting the extraterritorial application of the right to privacy, as explained below: To establish the applicability of human rights law in the field of surveillance, territorially or extraterritorially, we must shift our focus from control over the body of a person to control over personal data. Any type of processing of such data, from their initial collection to their further exchange, has a significant negative impact on the right to privacy of individuals. Therefore, the collection, exchange, transfer, processing, and sharing of personal data – together or individually – constitutes both effective control and virtual control, thus triggering the application of the right to privacy.62

58

59 60 61 62

Peters, ‘Surveillance without Borders?’ (n 22). On virtual control, see Peter Margulies, ‘Sovereignty and Cyber Attacks: Technology’s Challenge to the Law of State Responsibility’ (2013) 14 Melbourne Journal of International Law 496, 519. On virtual and effective control, see Valsamis Mitsilegas, ‘Surveillance and Digital Privacy in the Transatlantic “War on Terror.” The Case for a Global Privacy Regime’ (2016) 47(3) Columbia Human Rights Law Review 1. On functional extraterritoriality, see, e.g., Heijer, Europe and Extraterritorial Asylum (n 46) 48. Margulies, ‘Sovereignty and Cyber Attacks’ (n 58) 514–515. Ibid. abstract. Ibid. Mitsilegas, ‘Surveillance and Digital Privacy in the Transatlantic “War on Terror”’ (n 58) 73.

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

46

Safeguarding Right to Data Protection Extraterritorially

Moreover, Eliza Watt supports virtual control in lieu of the effective control test understood as ‘a remote control over an individual’s right to privacy’.63 Combining the abovementioned forms of control, this research conceives of EU actors who have jurisdiction as exercising effective control over someone’s personal data, as opposed to individuals or a territory. Granted, this is abstract and could lead to legal uncertainty and inconsistencies but is the most practicable way to approach effective control. This is because not only does it solve issues related to effective control as physical power, it also reinforces the notion of personal data being connected so closely to an individual that it could be afforded protections similar to those afforded to a natural person. No matter how one approaches ‘control’, parts of the positive and negative obligations jurisdictional model can apply to the GDPR read in the light of the EU Charter to determine more precisely the reach of the EU’s fundamental rights obligations.

3.6 positive and negative obligations to respect/ protect/fulfil human rights In international human rights law, there are discrete types of obligations or duties when safeguarding human rights: namely those to respect, protect and fulfil.64 In short, one could argue that the duty to respect a right bestows a negative obligation of conduct on the EU; the positive obligation to protect is one of conduct that extends to third-party violations; and the obligation to fulfil entails a positive obligation of result. These obligations could extend extraterritorially. The EU Charter articulates that when Member States are implementing EU law, such as the GDPR, ‘[t]hey shall therefore respect the rights, observe the principles and promote the application thereof in accordance with their respective powers’.65 Respect/protect/fulfil duties are a feature of international human rights law. It is inconsequential that the EU Charter contains a reference only to ‘respect’. Indeed, human rights treaties generally include no

63

64

65

Eliza Watt, ‘The Role of International Human Rights Law in the Protection of Online Privacy in the Age of Surveillance’ in Henry Rõigas, Lauri Lindström, Raik Jakschis and Tomaš Minarik (eds), 9th International Conference on Cyber Conflict: Defending the Core (NATO CCD COE Publications 2017) 106. Martin Scheinin, ‘Characteristics of Human Rights Norms’ in Catarina Krause and Martin Scheinin (eds), International Protection of Human Rights: A Textbook (2nd edn, Åbo Akademi University 2012) 27. EU Charter art 51(1).

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

3.6 Positive and Negative Obligations

47

explicit reference to States Parties’ respect/protect/fulfil duties.66 This section outlines what these duties entail and discusses how they relate to data protection in the EU and beyond.

3.6.1 The Obligation to Respect The obligation to respect connotes a negative obligation of conduct, whereby the EU would have to refrain from conduct that would infringe upon someone’s enjoyment of the right to data protection. Specifically, this constitutes a negative obligation to respect an individual’s right to data protection by not interfering with their privacy in the context of personal data. The Charter requires that EU bodies, institutions and Member States shall ‘respect’ human rights and, under international human rights law, the duty to respect would be inherent to that human rights instrument.67 According to Milanovic’s aforementioned positive and negative obligations jurisdiction model, and his assertion that the EU’s negative obligations could apply extraterritorially, the EU’s duty to respect the fundamental right to data protection could provide a basis for the EU to apply this negative obligation extraterritorially. One conceivable manifestation of this duty to respect, which draws some parallels with the obligation to protect, could be the territorially unlimited or extraterritorial application of the ‘negative obligation to refrain from conduct that would assist third parties in violating the right to privacy’ – or, in this instance, the right to data protection.68 This manifestation can be seen in the territorial extension of EU law through, for example, its adequacy requirement and bilateral negotiations when dealing with third States. Specifically, personal data may only be transferred to third States with an adequate level of protection.69 By not transferring personal data to third States that do not have adequate levels of data protection, the EU is fulfilling its obligations to avoid conduct that would enable third States to interfere with its 66

67 68

69

For example, the International Covenant on Civil and Political Rights uses such language as States Parties ‘undertake to respect and to ensure’ (art 2(1)) and the International Covenant on Economic, Social and Cultural Rights says each State Party ‘undertakes to take steps . . . [to achieve] the full realization of the rights’ (art 2(1)) International Covenant on Civil and Political Rights, 23 March 1976, 999 UNTS 171 and International Covenant on Economic, Social and Cultural Rights, 16 December 1966, 993 UNTS 3. EU Charter art 51(1). Milanovic, ‘Human Rights Treaties and Foreign Surveillance’ (n 37) 124. In footnote 176, see Milanovic’s analogy of the non-refoulement rule in, e.g., Soering v United Kingdom App no 14038/88 (ECtHR, 7 July 1989) or Judge v Canada, Communication No 829/1998, UN Doc CCPR/C/78/D/829/1998 (2003). GDPR art 45(1).

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

48

Safeguarding Right to Data Protection Extraterritorially

citizens’ right to data protection. If the European Commission determines that a third State does not satisfy the GDPR’s adequacy requirement, the relevant Member State shall take measures to prevent transfers to that third State and the Commission ‘shall enter into consultations with the third country . . . with a view to remedying the situation’.70 As is evident in negotiations between the US and EU over data transfers in many different contexts, this provision shows that, through negotiating, the EU must attempt to encourage or ensure a third state adopts at least some aspects of its high-level data protection law if that state wants to receive personal data from the EU at all. Accordingly, the GDPR’s adequacy requirement could be interpreted as necessitating an indirect application of EU law abroad. The Union’s obligation to respect could be understood to apply initially as a negative obligation of conduct to refrain from transferring data to certain third states. If it then had to enter into negotiations with third states, the EU’s obligation would become a positive obligation of conduct to protect, as outlined below.

3.6.2 The Obligation to Protect The obligation to protect is an obligation of conduct, wherein the EU would be obliged to ensure a third party does not violate someone’s right to data protection.71 It can be asked whether this obligation to protect would apply if the thirdparty violator were located outside of EU territory or if the victim’s personal data moved from the EU to a third State. The EU Charter requirement that Member States promote the application of Charter rights and principles draws parallels with the duty to protect. They both imply a third party or an external actor (i) to whom the Member State must promote the application of the right to data protection and/or (ii) whom the EU as a responsible party must prevent from interfering with its data subjects’ right to data protection. The question arises of whether this requirement could oblige the EU to actively prevent third-party violations of its citizens’ right to data protection in an extraterritorial context. If the EU’s positive obligations would apply only in a place under its effective control, one again runs into difficulties with the effective control threshold. Nonetheless, the general duty to protect citizens from third-party interferences that the Charter bestows upon the EU could legitimise the GDPR’s wide scope of application, regardless of effective control 70 71

Ibid., art 45(6). See, e.g., Jean-Franҫois Akandji-Kombe, Positive Obligations under the European Convention on Human Rights: A Guide to the Implementation of the ECHR (Council of Europe Publishing 2007).

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

3.6 Positive and Negative Obligations

49

requirements. Territory and control would be sidelined in this instance. This would not allow unlimited jurisdictional claims, however. Chapter 4 explores how such claims ought to be limited. The Google Spain case illustrates how the CJEU and, by extension, EU Member States are enabling this active protection.72 In that case, a Spanish individual requested that Google Inc. remove some search listings about his earlier debts from Google search results.73 The CJEU determined that he may do this, thus affirming a ‘right to be forgotten’.74 Specifically, through the establishment of a subsidiary in Spain, Google Inc., incorporated in a third State (the US), was held responsible for potentially interfering with EU data subjects’ data protection rights. The Court was attempting to regulate how personal data is processed by search engine operators in third States, those being the rights violators. There exists a trend towards rulings covering similar questions of the reach of EU jurisdiction abroad. 3.6.3 The Obligation to Fulfil The obligation to fulfil implies a positive obligation of result, that is, an obligation to fulfil an individual’s right to data protection by providing legal, regulatory and enforcement mechanisms, and resources.75 The suggestion that this obligation applies only in a place under a State’s effective control makes much more sense here. The EU ordinarily offers legal and enforcement data protection mechanisms within its own territory or in places under its effective control. It is hard to say that it is obliged to offer these abroad. That said, some EU data protection authorities have attempted to enforce EU data protection law in third States by, for example, conducting audits to confirm these states are complying with EU data protection law.76 As exercising 72 73 74 75

76

Case C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez [2014] ECLI:EU:C: 2014:317. Ibid. Ibid. Scheinin, ‘Characteristics of Human Rights Norms’ (n 64) 19–37. On the positive and negative obligations associated with art 8 ECHR, see Equality and Human Rights Commission, ‘Article 8: The Right to Respect for Private and Family Life, Home and Correspondence’ (2012) Human Rights Review 259. Christopher Kuner, ‘Extraterritoriality and Regulation of International Data Transfers in EU Data Protection Law’ (2015) 5(4) International Data Privacy Law 235, 240 citing Agencia Española de Protección de Datos, ‘Report on International Data Transfers: Ex officio Sectorial Inspection of Spain-Colombia at Call Centres’ (2007) and Loek Essers, ‘Google Agrees to Italian Privacy Authority Audits in the US’, PCWorld News (2015). The GDPR mandates that a DPA exercise its powers ‘on the territory of its own Member State’. GDPR art 55(1), which is more explicit than the DPD.

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

50

Safeguarding Right to Data Protection Extraterritorially

extraterritorial enforcement jurisdiction is prohibited under international law, these third States should in principle first consent to this, which often State authorities have done.77 Initiating such enforcement action could be understood as EU representatives carrying out their obligation-to-protect duties. The obligation to fulfil is one of result, so if these extraterritorial enforcement mechanisms resulted in effectively safeguarding the right to data protection for EU data subjects, that obligation could be considered satisfied. Again, however, the EU cannot be said to have effective control over, for instance, Colombia, where the Spanish data protection authority has conducted audits to ascertain compliance with EU data protection law.78 Another consideration is the obligation in the GDPR to appoint a Data Protection Officer (DPO) in the EU in certain circumstances, even if the data controller or processor is located outside the EU.79 The Article 29 Working Party Guidelines on DPOs, endorsed by the EDPB, acknowledge that in such a situation, ‘a DPO may be able to carry out his or her activities more effectively if located outside the EU’.80 Similarly, non-EU controllers or processors that target people in the Union, within the scope of Article 3(2) GDPR, must designate a representative in the EU.81 In evaluating the application of the GDPR, the European Commission has recognised the GDPR’s extended territorial scope, which also covers the processing activities of foreign operators that are active in the EU market.82 To guarantee effective compliance with the GDPR and a level playing field, ‘it is essential that this extension is appropriately reflected in the enforcement action by the data protection authorities’ by involving the entity’s representative in the EU.83 Moreover, this action should be pursued vigorously ‘to send a clear message that the lack of an establishment in the EU does not relieve foreign operators of their responsibilities under the GDPR’.84 Such obfuscation about the limits of enforcement further strengthens

77 78 79 80

81 82

83 84

Ibid. Agencia Española de Protección de Datos, ‘Report on International Data Transfers’ (n 76) 7–9. GDPR art 37. Article 29 Working Party, Guidelines on Data Protection Officers (‘DPOs’) (WP 243, 5 April 2017) 11, 22. The physical location of the DPO ‘seems to be irrelevant nowadays’, as long as it is accessible. Cecilia Alvarez Rigaudias and Alessandro Spina, ‘Article 37. Designation of the data protection officer’ in Christopher Kuner and others (eds), The EU General Data Protection Regulation (GDPR): A Commentary (Oxford University Press 2020) 697. GDPR art 27. Commission, ‘Data Protection as a Pillar of Citizens’ Empowerment and the EU’s Approach to the Digital Transition – Two Wears of Application of the General Data Protection Regulation’ (Communication) COM (2020) 264 final 12. Ibid. Ibid.

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

3.7 Right to Data Protection and Consequences for Extraterritoriality

51

the need to redefine effective control vis-à-vis personal data. In sum, there appear to be more concrete examples to justify the Charter’s extraterritorial application when looking at the obligations to respect and protect, as opposed to the obligation to fulfil.

3.7 the increased weight of the fundamental right to data protection and consequences for extraterritoriality As the right to data protection ‘must be considered in relation to its function in society’, recent jurisprudence, explored below, suggests data protection’s function in society is evolving to gain increased importance.85 There exist legal limitations on infringing the fundamental right to data protection, yet it must be balanced against other, often fundamental, rights. As it is a subjective right, the increased emphasis the CJEU and EU legislators have recently placed on data protection could enhance the Union’s obligations to safeguard that right beyond its borders. Article 52 of the EU Charter outlines the scope of application of the fundamental rights contained therein: Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.86

This article recalls certain provisions in other human rights instruments, notably the ICCPR and the ECHR, which allow restrictions on the exercise of certain rights if they are in accordance with the law, serve a legitimate purpose and are necessary.87 In light of the possibilities to limit the exercise of fundamental rights, it is necessary to examine the rights and freedoms against which the right to data protection is often weighed. These include, inter alia, the free flow of information, the right of access to documents, the right to freedom of expression and security interests. The fact that EU fundamental rights law accords data protection a special status aimed at strongly protecting individuals has spurred some scholars to

85

86 87

Joined Cases C-92/09 and C-93/09 Volker und Markus Schecke and Eifert [2010] ECLI:EU: C:2010:662 para 48. EU Charter art 52(1). See, e.g., ICCPR art 22(2); ECHR art 8(2).

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

52

Safeguarding Right to Data Protection Extraterritorially

assert that the EU must go further than conducting a balancing test between that right and others; they claim it may not be considered as subordinate or subject to other rights.88 Important CJEU jurisprudence appears to support this assertion. Some case examples that demonstrate the traction the right to data protection has been gaining in the EU are the Google Spain, Digital Rights Ireland and Schrems cases from 2014 and 2015, explained below.89

3.7.1 The Free Flow of Information Firstly, the right to data protection should be balanced with facilitating the free flow of information or the right to freedom of information, and the right to freedom of opinion and expression.90 Council of Europe Convention 108 and the GDPR, inter alia, affirm the need to balance the fundamental freedom of the free flow of data with the right to data protection to establish an internal market.91 The particular form of the right to erasure that the CJEU established in the Google Spain case arguably threatens the public’s right to information and the free flow of information. The judgment affirmed the right to erasure, deeming search engines responsible for removing certain links to third-party websites that publish information related to a data subject.92 On the basis of the Data Protection Directive (DPD) and Articles 7 (right to privacy) and 8 (right to data protection) of the Charter, the Court explicitly formulated

88

89

90

91

92

See, e.g., Stefano Rodotà, ‘Data Protection as a Fundamental Right’ in Serge Gutwirth, Yves Poullet, Paul De Hert, Cécile de Terwangne and Sjaak Nouwt (eds), Reinventing Data Protection? (Springer 2009) 77. Case C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez (n 72); Joined Cases C-293/ 12 and C-594/12 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others [2014] ECLI:EU:C:2014:238; Case C-362/14 Maximillian Schrems v Data Protection Commissioner (n 6). See, e.g., Universal Declaration of Human Rights, 10 December 1948, 217 A (III) art 19; ICCPR art 19(2); Constitution of the United Nations Educational, Scientific and Cultural Organisation (UNESCO), 16 November 1945 art 1(2); Florence Agreement on the Importation of Educational, Scientific and Cultural Materials, Florence (UNESCO), 17 June 1950 preamble. Council of Europe, Convention for the Protection of Individuals with Regard to the Automatic Processing of Individual Data, 28 January 1981, ETS 108 preamble: ‘[r]ecognising that it is necessary to reconcile the fundamental values of the respect for privacy and the free flow of information between peoples’; GDPR art 1 on the Regulation’s objectives: ‘This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data [and the] free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.’ Case C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez (n 72) para 88.

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

3.7 Right to Data Protection and Consequences for Extraterritoriality

53

the right to erasure.93 As such, an EU data subject may request that inaccurate, inadequate, irrelevant, excessive or outdated search results related to them be delisted.94 Notably, the Court pronounced that the Charter’s rights to privacy and data protection ‘override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name’.95 This pronouncement marginalises both the market freedoms that the right to the free flow of information initially sought to enable and the public’s access to information in favour of protecting personal data. The Court stipulated that the only justified interference in these rights would be if the general public had a greater interest in accessing the information, such as if the data subject were a public figure.96 This case also follows earlier CJEU decisions that emphasise the right to data protection over the freedom of information.97

3.7.2 The Right to Freedom of Expression The CJEU has noticeably been sidelining the right to freedom of expression in favour of data protection. In Google Spain, the Court did not mention the right and in Digital Rights Ireland, it did not fully address it. In the latter case, the applicants successfully sought the annulment of the 2006 Data Retention Directive, which obliged telecommunications to retain communication data for between six months and two years for counterterrorism purposes.98 The legal grounds put forward for annulling the Data Retention Directive were three articles in the EU Charter, namely the protection of private and family life (Article 7); the right to data protection (Article 8); and the right to freedom of expression (Article 11).99 Article 11 was included as a ground for annulment based on the sentiment that individuals might not feel completely free to express themselves in an environment where they felt under constant surveillance. As such, the rights to data protection and freedom of expression in this example do not clash. Instead, the former enables the latter. Nonetheless, the Court found it

93 94 95 96 97

98 99

Ibid., para 99. Ibid., para 94. Ibid., para 99. Ibid. See, e.g., Lynskey, ‘Deconstructing Data Protection’ (n 50) 579, which discusses how one fundamental right (to data protection) consistently trumps the fundamental right of access to documents (EU Charter art 42) citing C-28/08 European Commission v Bavarian Lager [2010] ECLI:EU:C:2010:378. Joined Cases C-293/12 and C-594/12 Digital Rights Ireland (n 89). Ibid., para 35.

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

54

Safeguarding Right to Data Protection Extraterritorially

unnecessary to discuss the right to freedom of expression because it had already determined that the Data Retention Directive was invalid on the basis of the right to private and family life, and the right to data protection.100 As such, it sidelined the right to freedom of expression, and foregrounded issues related to privacy and data protection. 3.7.3 Security Interests The right to data protection is often necessarily weighed against security interests and criminal law enforcement requirements.101 Passenger Name Record agreements between the EU and the US, Canada and Australia establish a set of guidelines on processing EU data subjects’ airline passenger data – such as name, booking information and method of payment – and transferring it to the US Department of Homeland Security or comparable organisations in Canada and Australia.102 The Agreements aim to counteract terrorism and serious transnational crime. The ongoing negotiations between the EU and the US over their Passenger Name Record Agreement, where a pro-privacy (EU) and pro-security (US) conflict is evident, exemplify an attempt at balancing the two interests. Furthermore, the EU is increasingly finding data protection issues in counterterrorism measures that require (third) States to retain the personal data of EU data subjects.103 For instance, the CJEU determined that the draft Canada–EU Passenger Name Record Agreement, which threatens privacy less than does the US–EU PNR Agreement, is incompatible with EU fundamental rights law and may not be concluded in that form.104 This decision further suggests that data protection is gaining more force when compared to security interests. 3.7.4 A Heavier Right The aforementioned examples could be a reflection of increased public concern for personal data protection, particularly perceptible since the Snowden 100

Ibid., para 70. Gloria González Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU (Springer 2014) 233. 102 Council Decision 2012/472/EU pf 26 April 2012 on the Conclusion of the Agreement between the United States of America and the European Union on the Use and Transfer of Passenger Name Records to the United States Department of Homeland Security, OJEU L 215, 11 August 2012. 103 Also see, in an intra-EU context, Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Postoch telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others [2016] ECLI:EU:C:2016:970. 104 Opinion 1/15 of the Court [2017] ECLI:EU:C:2017:592. 101

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

3.8 Interim Conclusion

55

revelations. If one recalls that the legal restrictions on limiting the fundamental right to data protection include the principles of proportionality and necessity, the EU’s measures to protect its data subjects’ right to data protection beyond its borders could be understood as being increasingly necessary, thus justifying a different balancing test in terms of proportionality. The CJEU has been playing a central role in developing and interpreting the fundamental right to data protection, thereby greatly influencing the fundamental rights doctrine.105 Nonetheless, it is yet to be seen to what extent the Court’s decisions actually safeguard fundamental rights.106 Data protection could be conceived of as what has been called a ‘super-right’ and a ‘super-fundamental right’, but what this research will conceive of as a ‘heavier’ right in terms of balancing tests or prominence in decisions.107 It is a right that has recently surpassed other rights or freedoms against which it ought to be balanced. At least in the EU, data protection has evolved from being conceptualised as an economic necessity, to a human right in general, to a fundamental right, to a right with such elevated status that it could potentially threaten the protection of other fundamental rights. It is important, however, not to forget its enduring importance as an economic necessity.

3.8 interim conclusion In sum, the EU is broadening the application of its data protection laws. Under international human rights law, the EU’s protective duty could apply in 105

106

107

Maja Brkan, ‘The Court of Justice of the EU, Privacy and Data Protection: Judge-Made Law as a Leitmotif in Fundamental Rights Protection’ in Maja Brkan and Evangelia Psychogiopoulou (eds), Courts, Privacy and Data Protection in the Digital Environment (Edward Elgar Publishing 2017) 10. Placing so much emphasis on data protection as a human right might not actually protect or promote human rights. Note that certain States, such as China and Russia, have strong privacy laws or internet firewalls, which completely stymie the rights to freedom of expression and the free flow of information. There have also been issues with implementing, e.g., the Digital Rights Ireland decision in Member States. ‘[T]he Court seems increasingly to consider data protection a “super-right” and should not forget the need to balance with freedom of expression.’ Christopher Kuner, ‘A Super-Right to Data Protection? The Irish Facebook Case and the Future of EU Data Transfer Regulation’ (LSE Media Policy Project Blog, 24 June 2014) . In what he calls a ‘very personal opinion’, Daniel Sarmiento responds to several CJEU judgments about fundamental rights, including Schrems, by noting that ‘privacy is a super-fundamental right that reigns supreme above all other rights after the Court’s decision in Schrems’. Daniel Sarmiento, ‘What Schrems, Delvigne and Celaj Tell Us about the State of Fundamental Rights in the EU’ (Verfassungsblog, 16 October 2015) .

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

56

Safeguarding Right to Data Protection Extraterritorially

extraterritorial situations. For data protection purposes, EU territory is understood to be physical. The EU Charter applies when Member States are implementing EU law. As cross-border data transfers happen under the GDPR, the EU Charter may apply to such transfers. It may also apply where the GDPR explicitly lends itself to extraterritorial application. Data protection’s evolution from economic necessity to an autonomous, fundamental right, which has corresponded to the EU’s territorial expansion of its law to safeguard this right, could imply causality between the two developments. The former evolution of the right could at least explain or justify the latter extension of EU law. The changing nature of the right to data protection in the EU is especially relevant if one considers the EU’s Charter obligations under international human rights law. The obligation to respect the right to data protection in its actions with external effects implies a negative duty of conduct. Similarly, the EU’s duties to protect and fulfil this right impose positive obligations on the Union. This could amount to a requirement that the EU protects and fulfils its citizens’ fundamental right to data protection beyond its territorial borders, perhaps justifying the aggressive jurisdictional scope of the GDPR. As the fundamental right to data protection morphs to carry more weight in the EU, this could amplify the EU’s obligations under human rights law to protect its data subjects’ personal data when such data is processed outside EU territory. To extrapolate this further, the EU could be moving beyond being simply an economic and political union to something closer to a global fundamental rights actor or norm setter. That said, there must be some territorial limit to EU data protection law to be legitimate under public international law. The next section looks at limits that public international law poses on safeguarding the fundamental right to data protection extraterritorially.

https://doi.org/10.1017/9781108784818.003 Published online by Cambridge University Press

4 Limits That Public International Law Poses on the European Union Safeguarding the Fundamental Right to Data Protection Extraterritorially

Oftentimes, and particularly in the data privacy law interface between the EU and US, there exist situations in which more than one State could have the competence to exercise jurisdiction; multiple States might have legitimate claims to regulate the same situation. Indeed, overlapping jurisdictional claims could be seen as a reality of international law, amplified in the digitised data-sharing sphere due to globalisation and interconnectivity brought on by technology.1 This reality, however, can lead to conflicting regulation and jurisdictional tensions between States, which often causes complications.2 Even though such clashes exist between the EU and other third States, the present research focuses on the transatlantic divide because the value-based legal approaches to data privacy are markedly different in the Union and the US. Both are Western liberal democracies and strong economic powers that rely heavily on a healthy transatlantic relationship. There have thus been noteworthy clashes that lend themselves to being explored with a public international law perspective. Jurisdiction in public international law regulates a State’s application of power through that State’s laying down the law, hearing and investigating cases, and administering the law. These three categories are commonly respectively labelled prescriptive or legislative, adjudicative or judicial, and

1

2

Alex Mills, ‘Rethinking Jurisdiction in International Law’ (2014) 84(1) British Yearbook of International Law 187, 197. Ibid., 199–200; ‘Regulation of data transfers under EU data protection law has become an extraterritorial jurisdictional regime, which is leading to increasing conflicts of law and greater difficulty in enforcing the law in a global context’. Christopher Kuner, ‘Extraterritoriality and Regulation of International Data Transfers in EU Data Protection Law’ (2015) 5(4) International Data Privacy Law 235, 236.

57

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

58

Limits That Public International Law Poses

enforcement jurisdiction.3 Jurisdiction is closely connected to cornerstone principles of public international law: state sovereignty and non-intervention.4 As such, the main principle permitting a State to exercise jurisdiction over a particular situation is territoriality; a State may regulate conduct within its territorial boundaries. Whilst there exists in public international law a presumption against exercising jurisdiction beyond State borders, that is, extraterritorially, there are several permissive principles that could allow the exercise of such jurisdiction depending on the circumstances.5 These principles extend to where an act is initiated or consummated (subjective and objective territoriality); a perpetrator or victim’s nationality (active or passive personality); the ramifications of an act felt within a State (effects doctrine); the protection of a State’s vital interests (protective); and crimes against all that could entail jus cogens norms and spark obligations erga omnes (universal). It is perhaps only the last category of universal jurisdiction that could in theory admit of the exercise of wholly extraterritorial jurisdiction, that is to say, without any territorial connection between a situation and its regulation. There are numerous examples of the expansive application of EU data protection law where the territorial nexus between the law-making body and the regulated situation is weak. For instance, EU law could apply when personal data is transferred from an EU Member State to a US incorporated company, or when a US-based company collects browsing data of an EU data subject on EU territory. The US has often contested this apparent expansive application of EU law, which has led to clashes. Such clashes have in turn resulted in, inter alia, legal uncertainty, forum shopping and misused resources, all of which could ultimately threaten the protection of EU citizens’ fundamental rights. Nonetheless, these tensions and the negotiations, renegotiations and attempts to find compromises between parties, however arduous, are not entirely negative. They have, for example, obliged parties to accommodate aspects of each other’s value-based legal traditions in data privacy law, which is a positive development in a pluralistic world. It is beneficial for EU residents and the States and other residents involved, however, to have these jurisdictional conflicts mitigated. Indeed, a key purpose of ‘jurisdiction’, it being ultimately the regulation of a State applying sovereign power, is to 3

4

5

Restatement (Third) of the Foreign Relations Law of the United States (American Law Institute 1987) 401; Council of Europe Resolution 68(17): Model Plan for the classification of documents concerning state practice in the field of public international law (1968). Philip Kunig, ‘Prohibition of Intervention’, Max Planck Encyclopedia of Public International Law (Article last updated: April 2008) (Online version Oxford University Press). See, e.g., James Crawford, Brownlie’s Principles of Public International Law (Oxford University Press 2012) 486.

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

4.1 Public International Law Approaches to Jurisdiction

59

demarcate and thus restrict a State’s authority to act, which could reduce interState conflicts.6 This chapter starts from the premise that the EU has fundamental rights obligations in relation to its data protection laws with extraterritorial effect (see Chapter 3).7 The Union is understood to have a duty or obligation to exercise extraterritorial jurisdiction under international human rights law, as a subset of public international law. Public international law is used as an overarching system to demarcate the EU’s exercise of jurisdiction. Whilst international human rights law casts a wide jurisdictional net, public international law jurisdiction aims to limit far-reaching jurisdictional claims.8 This chapter reinterprets the existing principles of jurisdiction for the data protection legal sphere to illustrate how provisions in EU data protection instruments can fall within multiple permutations of multiple forms of public international law jurisdiction. First, the chapter outlines classic approaches to jurisdiction under public international law. It then looks at applicable law provisions and important definitions in EU data protection legal instruments, which EU Member States incorporate into their national legal systems. It focuses on the 2016 General Data Protection Regulation (GDPR), but also pays attention to the 1995 Data Protection Directive (DPD).9 Even though the GDPR superseded the DPD, the Directive is nonetheless relevant here to understand the evolution of EU law extraterritoriality. Most of the relevant case law and Article 29 Working Party opinions relate to the DPD, which together have influenced both the content and interpretation of the GDPR. The general subject matter of the GDPR reflects that of the DPD, but it is nonetheless useful to note the key differences between the two instruments regarding their territorial application. The bulk of the research lays out ways to exercise territory- or personalitybased jurisdiction over situations with an extraterritorial dimension. It attempts to see if and how EU data protection law could fit into these principles. The 6

7

8 9

Cedric Ryngaert, Jurisdiction in International Law (2nd edn, Oxford University Press 2015) 29: jurisdiction has a regulating purpose in ‘delimiting States’ spheres of action and thus reducing conflicts between States. Mistale Taylor, ‘The EU’s Human Rights Obligations in Relation to Its Data Protection Laws with Extraterritorial Effect’ (2015) 5(4) International Data Privacy Law 246, 255–256. Ryngaert, Jurisdiction in International Law (n 6) 23. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L 119 (GDPR); Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ 1995 L 281/31 (DPD).

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

60

Limits That Public International Law Poses

research’s underlying question is how the classic permissive principles of territorial and personality jurisdiction in public international law can be interpreted to accommodate EU data protection legislation, ultimately to delimit the EU’s exercise of extraterritorial prescriptive jurisdiction. It purports to show how territory-based jurisdiction as in the DPD could be moving closer to a form of personality-based jurisdiction in the GDPR, but that territory is not nearly obsolete in European data protection law and online data processing in general.

4.1 public international law approaches to jurisdiction Below is an outline of how the present research understands jurisdiction under public international law. It focuses on prescriptive jurisdiction in the data protection sphere as opposed to adjudicative or enforcement jurisdiction. Whilst there are examples of the EU exercising the latter two extraterritorially, the EU has arguably had most influence in prescribing data protection law abroad, either directly or indirectly, so one can draw stronger conclusions from these actions.10 Although its actions may be addressed towards an actor including another State; a non-State actor such as a corporation or international organisation; or, increasingly, an individual, the State is the exclusive agent in exercising jurisdiction under public international law. The present research equates EU action with State action. This is not only because Member States have handed many competences over to the EU, but also because the GDPR’s provisions are directly applicable in Member States. As such, Member State law reflects EU law and vice versa. Furthermore, the EU is bound by the customary international law of jurisdiction.11 The eminent Permanent Court of Arbitration Island of Palmas judgment (1928) established that when settling most questions of inter-State relations, one begins with the notion that a State has exclusive regulatory competence within its 10

11

Examples of the EU exercising indirect prescriptive jurisdiction extraterritorially include the influence of the DPD’s adequacy requirement (art 25) on third-State law (now GDPR art 45). EU Courts can also exercise prescriptive jurisdiction by, for example, interpreting EU legislation according to international law principles; see Ryngaert, Jurisdiction in International Law (n 6) 10. Case C-366/10 Air Transport Association of America and Others v Secretary of State for Energy and Climate Change [2011] ECLI:EU:C: 2011:864: ‘[the EU] is bound to observe international law in its entirety, including customary international law, which is binding upon the institutions of the European Union’ (para 101) and ‘[the EU] must respect international law in the exercise of its powers, and therefore Directive 2008/101 must be interpreted, and its scope delimited, in the light of the relevant rules of . . . international law’ (para 123).

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

4.2 Two Approaches to Lawfulness under Public International Law

61

territory.12 Exercising jurisdiction becomes an issue and consequently a question of international law when a State attempts to regulate matters that go beyond its own territory and exclusively domestic concerns.13 In the similarly renowned Barcelona Traction case (1970) of the International Court of Justice (ICJ), Judge Sir Gerald Fitzmaurice in his Separate Opinion acknowledged that international law obliges States to show restraint when exercising jurisdiction in cases with foreign elements.14 With a view to preserving State sovereignty, there has traditionally existed a presumption against exercising extraterritorial jurisdiction. That said, even in the 1927 Permanent Court of International Justice Lotus judgment (discussed in Section 4.2), the judges anticipated the diminishing relevance of physical borders.15 In addition, in their joint individual opinion in the ICJ’s Arrest Warrant case (2000), three judges noted a move ‘towards bases of jurisdiction other than territoriality’.16 Such a presumption against extraterritoriality is becoming increasingly obsolete, or less controvertible, due in part to legal questions raised in the online sphere.17

4.2 two approaches to lawfulness under public international law There are two main approaches when exercising jurisdiction, with the first enshrined in a prominent case and the second being most commonly applied 12

13

14

15

16

17

Island of Palmas Case (or Miangas), United States v Netherlands, Award, (1928) II RIAA 829, ICGJ 392 (PCA 1928) 838. See too ‘Draft Convention on Jurisdiction with Respect to Crime’ (1935) 29 The American Journal of International Law 439, art 3. Ryngaert, Jurisdiction in International Law (n 6) 5–6 citing Frederick Alexander Mann, The Doctrine of Jurisdiction in International Law (AW Sijthoff 1964) 9. Barcelona Traction, Light and Power Co Ltd (Belgium v Spain) (Separate Opinion of Judge Sir Gerald Fitzmaurice) [1970] ICJ Rep 65 para 70. SS Lotus (France v Turkey) [1927] PCIJ Rep Series A No 10 para 50, which states that ‘[t]he territoriality of criminal law, therefore, is not an absolute principle of international law and by no means coincides with territorial sovereignty’. As Judges Higgins, Kooijmans and Buergenthal pointed out in their joint individual opinion in Arrest Warrant of 11 April 2000 (Democratic Republic of the Congo v Belgium) [2002] ICJ 1 para 47. Acting extraterritorially is unsurprisingly linked to preserving national interests and it has been asserted that public international rules hardly restrain State action in practice. See, e.g., ‘States increasingly perceive the need to protect both their own interests and the interests of the international community in respect of conduct occurring beyond their borders.’ Menno T Kamminga, ‘Transnational Human Rights Litigation against Multinational Corporations PostKiobel’ in Cedric Ryngaert, Erik J Molenaar and Sarah MH Nouwen (eds), What’s Wrong with International Law? Liber Amicorum A.H.A. Soons (Brill Nijhoff 2015) 157; ‘courts often only pay lip-service to the territoriality presumption’. Ryngaert, Jurisdiction in International Law (n 6) 77 (citations omitted).

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

62

Limits That Public International Law Poses

in practice.18 First, a State could be allowed to exercise jurisdiction as desired, unless such abandon were limited by a prohibitive rule to the contrary. This approach was established in a landmark jurisdiction case, the Lotus case (1927).19 That case involved a collision between a Turkish steamer (SS BozKourt) and a French steamer (SS Lotus) on the high seas – that is, outside the national jurisdiction of any State – which resulted in the death of eight Turkish citizens.20 Upon the arrival of SS Lotus in Turkey, Turkish officials initiated criminal proceedings against the French officer of the watch who had been on board the steamer during the collision.21 France eventually brought a case before the Permanent Court of International Justice to determine whether Turkey’s exercise of criminal jurisdiction over a foreign national for an incident that happened outside Turkey’s territorial jurisdiction was a violation of international law.22 The Court decided that Turkey’s exercise of jurisdiction, lacking a prohibitive rule to the contrary, was lawful.23 The Lotus decision, however, has since been criticised, in part because it confers a burden upon States to prove that a rule prohibiting the exercise of jurisdiction exists, which does not match current State practice.24 The second main approach prohibits a State from exercising jurisdiction unless there is a positive rule permitting it to do so. Customary international law, most States and most of the doctrine support this approach.25 As such, States are expected to act with restraint when exercising jurisdiction. They have a right to exercise jurisdiction at their own discretion, but do not necessarily have to regulate to the full extent that international law permits.26 The State has an option, not necessarily an obligation, to exercise power. This discretion, however, could be evolving into a duty, especially in international

18 19 20 21 22 23 24 25

26

Ryngaert, Jurisdiction in International Law (n 6) 23. PCIJ, SS Lotus (France v Turkey) (n 15) paras 45–48. Ibid., para 2. Ibid. Ibid. Ibid., paras 45–48. See, e.g., Malcolm Shaw, International Law (7th edn, Cambridge University Press 2014) 477. See, e.g., Arrest Warrant of 11 April 2000 (Democratic Republic of the Congo v Belgium) (n 16) (Joint separate opinion of Judges Higgins, Kooijmans and Buergenthal) paras 49–50 and Dissenting opinion of Judge ad hoc Van den Wyngaert para 51; Crawford, Brownlie’s Principles of Public International Law (n 5) 477. Mills, ‘Rethinking Jurisdiction in International Law’ (n 1) 199 citing Mann, The Doctrine of Jurisdiction in International Law (n 13) 3: ‘Jurisdiction involves a State’s right to exercise certain of its powers’ (emphasis in original); this sentiment is echoed in Arrest Warrant of 11 April 2000 (Democratic Republic of the Congo v Belgium) (n 16): ‘[A] State is not required to legislate up to the full scope of the jurisdiction allowed by international law’ (Joint separate opinion of Judges Higgins, Kooijmans and Buergenthal) para 45.

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

4.2 Two Approaches to Lawfulness under Public International Law

63

human rights law.27 In specific situations with a foreign element, States may exercise jurisdiction, as explored below.

4.2.1 A Substantial Connection A regulating State should have a genuine connection with the situation over which it claims prescriptive jurisdiction.28 Public international law allows for a State with a strong, ordinarily territorial connection to a situation to regulate that situation.29 Another understanding of ‘connection’ under public international law posits that a State may exercise extraterritorial jurisdiction if it does not interfere with another, more closely connected State’s right to do so.30 Similarly, under conflict of laws or private international law, the State exercising jurisdiction must have the strongest connection to a situation over which multiple States could claim jurisdiction.31 A manifestation of the ‘greater connection’ threshold appears in both public and private international law.32 It is nonetheless difficult to establish precisely what constitutes a substantial and direct connection to a situation to permit a State’s exercise of jurisdiction, and whether this connection need only be strong or rather the strongest. The general public international law principles discussed below cover some of the links or connections needed to establish a State’s basis for exercising jurisdiction.33 That endeavour appears more straightforward and simplistic than its application in practice, however. The permissive principles are not 27

28

29

30 31 32

33

See, e.g., Mills, ‘Rethinking Jurisdiction in International Law’ (n 1) 187; Ryngaert, Jurisdiction in International Law (n 6) 22. See, e.g., Christopher Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 2)’ (2010) 18(3) International Journal of Law and Information Technology 227, 237 citing, inter alia, ILC, ‘Report on the Work of Its Fifty-Eighth Session’ (1 May–9 June and 3 July–11 August 2006) UN Doc A/61/10, Annex E para 42. Ryngaert, Jurisdiction in International Law (n 6) 19. Svantesson goes so far as to suggest that a substantial connection has replaced territory as a permissive principle to exercise jurisdiction in both public and private international law – Dan Jerker B Svantesson, Solving the Internet Jurisdiction Puzzle (Oxford University Press 2017) 61 (as first unveiled in Dan Jerker B Svantesson, ‘A New Jurisprudential Framework for Jurisdiction’ (2015) 109 AJIL Unbound 69, 74). John H Currie, Public International Law (Irwin Law 2001) 299. Ryngaert, Jurisdiction in International Law (n 6) 19. Mills, who has written extensively on the differences and similarities between public and private international law, posits that ‘the exercise of international jurisdiction by each state aspires to avoid a conflict through openness to the application of foreign rules which have a greater “connection” to the dispute at hand, as determined and shaped by public and private international law rules and principles’. Mills, ‘Rethinking Jurisdiction in International Law’ (n 1) 209. This sentiment is confirmed by, for instance, the International Law Commission’s statement that ‘[t]he types of connections that may constitute a sufficient basis for the exercise of

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

64

Limits That Public International Law Poses

clear-cut; especially in the data protection examples they often overlap; they are not without contestation; and in general ‘must be employed with great caution’.34

4.2.2 Permissive Principles Permissive principles of jurisdiction in public international law concern links between a situation and a State’s related authority to prescribe, adjudicate or enforce the law governing that situation. These principles consist of, inter alia, territoriality (including the effects doctrine) and personality, upon which this chapter focuses. Other principles not discussed here include the protective and universal jurisdictional principles. The State-to-situation link is not always hinged upon territory. A State that claims jurisdiction according to one of these principles often elicits controversy and protest by other States. This remonstration does not necessarily render such claims unlawful or illegitimate. By the same token, if a State’s claim to jurisdiction falls within one of the below principles, that does not per se imply lawfulness or legitimacy.35 According to the Third Restatement of US Foreign Relations Law, an authority on extraterritorial jurisdiction, a State exercising extraterritorial prescriptive jurisdiction must foremost adhere to one of the principles to be permitted to do so.36 Thereafter, threshold requirements apply and include the State’s degree of link/connection to the situation, its interests and how reasonable its exercise of jurisdiction is.37 This research accordingly proceeds from the understanding that: (i) the EU’s data protection law has extraterritorial effects; (ii) States may not exercise jurisdiction unless expressly permitted to do so; (iii) there should exist a

34 35 36 37

extraterritorial jurisdiction are reflected in the general principles of international law which govern the exercise of such jurisdiction by a State’ – Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 2)’ (n 28) 237 citing inter alia ILC, ‘Report on the Work of Its Fifty-Eighth Session’ (n 28), Annex E para 42. See too, ‘[w]hat is a “sufficient connection” may be established initially with reference to certain general principles of jurisdiction’. Menno T Kamminga, ‘Extraterritoriality’, Max Planck Encyclopedia of Public International Law (Article last updated: September 2020) (Online version Oxford University Press). Kamminga, ‘Extraterritoriality’ (n 33). Dan Jerker B Svantesson, Extraterritoriality in Data Privacy Law (Ex Tuto Publishing 2013) 84. Restatement (Third) of the Foreign Relations Law of the United States (n 3) 402–403. Ibid.; it has been suggested that the classic principles are substitutes for the second-tier requirements (Cedric Ryngaert, ‘An Urgent Suggestion to Pour Old Wine into New Bottles – Comment on “A New Jurisprudential Framework for Jurisdiction”’ (2015) 109 AJIL Unbound 81, 82). If the second-order criteria are so analogous to the first, then it makes sense to analyse them.

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

4.3 The Scope of EU Data Protection Law

65

substantial link between the regulating State and a situation; and (iv) classic public international law jurisdictional principles can demarcate how and when the EU may exercise (extraterritorial) jurisdiction. Multiple States may lay claim to applying the abovementioned forms of jurisdiction to the same situation. Regulation in EU data protection law overlaps when a third State data controller or processor – prima facie subject to that third State’s law – is required to comply with EU data protection law (Article 3 GDPR) or when the GDPR requires a State to enact laws in line with those in the EU to receive data transfers from the EU (Article 45 GDPR). International tensions arise when US and EU laws could apply to a situation and US laws run counter to EU data protection principles. The following section introduces the relevant parts of EU data protection law, which are then woven into an analysis of the major permissive principles of extraterritorial jurisdiction to discern under which principles the GDPR (and DPD) could fall.

4.3 the scope of eu data protection law This section outlines the provisions in the DPD and GDPR that inform the subsequent analysis. The DPD was the only data protection instrument of its kind to clarify its jurisdictional scope and the GDPR similarly clarifies its scope, thus making them the ideal texts to analyse when attempting to find some jurisdictional limits to EU data protection law.38 Earlier proposals for the DPD and its preamble show that the drafters aimed to delineate applicable law to avoid data processors relocating to escape the reach of the Directive.39 38

39

Christopher Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 1)’ (2010) 18(2) International Journal of Law and Information Technology 176, 186; Svantesson, Extraterritoriality in Data Privacy Law (n 35) 89 citing Lee A Bygrave, ‘Determining Applicable Law Pursuant to European Data Protection Legislation’ (2000) 16 Computer Law and Security Report 252, 252. Svantesson, Extraterritoriality in Data Privacy Law (n 35) see 96, footnote 203 citing Commission of the European Communities (COM 92) 422 final – SYN 287, 15 October 1992, 13. To avoid the possibilities that ‘the data subject might find himself outside any system of protection, and particularly that the law might be circumvented in order to achieve this [and/ or] that the same processing operation might be governed by the laws of more than one country’. Ibid., 95 citing Christopher Kuner, European Data Protection Law: Corporate Compliance and Regulation (2nd edn, Oxford University Press 2007) 111: ‘[T]he intent of the drafters was [inter alia] to prevent the possibility of evading EU rules through the relocation of data processing to third countries.’ See also recital 20 in the DPD preamble: ‘[w]hereas the fact that the processing of data is carried out by a person established in a third country must not stand in the way of the protection of individuals provided for in this Directive’ cf recital 23 in the GDPR preamble: ‘to ensure that natural persons are not deprived of the protection to

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

66

Limits That Public International Law Poses

This had the ultimate aim of protecting EU data subjects. If data processors could avoid having EU data protection law cover their activities simply by moving out of EU territory, this would mean the Directive’s scope was entirely territorial. The fact that the drafters aimed to prevent this possibility to forum shop means they might have, purposefully or inadvertently, broadened the DPD’s scope of application so much as to have extraterritorial effect. In revising the DPD, the European Commission had the comparable aim to ‘revise and clarify the existing provisions on applicable law [ultimately to] provide for the same degree of protection of EU data subjects, regardless of the geographic location of the data controller’.40 To that end, they expanded the territorial scope of the GDPR. This expansion would also level the playing field for businesses in the EU and abroad that wanted to access the EU market, and anchor the GDPR in the international order.41

4.3.1 Applicable Law and Jurisdiction Based on the wording in the DPD and GDPR, this research equates prescriptive jurisdiction with which law applies – to a certain extent. That is, if the GDPR applies to a certain situation, the EU can be understood as ultimately exercising prescriptive jurisdiction by having laid down the law that should apply to that situation. In scholarly analyses of the differences and similarities between applicable law and jurisdictional scope, a generally accepted conclusion is that prescriptive, but not necessarily adjudicative or enforcement, jurisdiction in the data protection context are comparable.42 Moreover, the two often overlap in extraterritorial situations.43 That said, the Weltimmo judgment and other cases separate jurisdiction from applicable law.44

40

41

42

43 44

which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation [subject to certain conditions]’. European Commission, ‘A Comprehensive Approach on Personal Data Protection in the European Union’, COM (2010) 609 final of 4.11.2010, 11. Dan Jerker B Svantesson, ‘Article 3. Territorial Scope’ in Christopher Kuner and others (eds), The EU General Data Protection Regulation (GDPR): A Commentary (Oxford University Press 2020) 76. Liane Colonna, ‘Article 4 of the EU Data Protection Directive and the Irrelevance of the EU–US Safe Harbor Program?’ (2014) 4(3) International Data Privacy Law 203, 208: ‘[e]ven though applicable law and jurisdiction are two legally distinct concepts, in practice, applicable law provisions may also govern questions of jurisdiction, at least in the context of data protection’ citing inter alia Christopher Kuner, Transborder Data Flows and Data Privacy Law (Oxford University Press 2013). Kuner, ‘Extraterritoriality and Regulation of International Data Transfers’ (n 2) 236. Case C-230/14 Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság [2015] ECLI:EU:C: 2015:639 para 57 and, e.g., Case C‑210/16 Unabhängiges Landeszentrum für

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

4.3 The Scope of EU Data Protection Law

67

Weltimmo, a company registered in Slovakia, ran a property website concerning Hungarian properties. In that context, it unlawfully processed the personal data of the (Hungarian) advertisers, so the Hungarian data protection authority (DPA) investigated and fined the (Slovakian) data controller. The CJEU ruled that DPAs may, in certain circumstances, investigate complaints (thus exercising a form of adjudicatory jurisdiction), but not impose penalties (a form of enforcement jurisdiction), regardless of the national law applicable.45 This is in an intra-EU context, however, and is not necessarily applicable to prescriptive jurisdiction with external effects, which is examined here. This research thus equates applicable law in the DPD to prescriptive jurisdiction. Indeed, it is highly likely that a State would seek to apply its own law and not foreign law to a situation. Private international law can readily solve some jurisdictional clashes; however, it draws more parallels with adjudicative rather than prescriptive jurisdiction.46 The present research focuses on prescriptive jurisdiction, equivalent to the applicable national law, under public international law.

4.3.2 Data Controllers and Data Processors Distinguishing between data controllers and data processors is important when looking at the extraterritoriality of EU data protection law in part because the applicability of many of the GDPR’s provisions hinges upon the characterisation of an entity as a controller, joint controller or processor, and that entity’s location. For further elaboration, see Chapter 5 on establishing connection based on the location and activities of a data processor or controller. Whether an entity is a controller or processor can be ambiguous and difficult to determine, and multiple entities can be considered controllers. In essence, however, a controller decides the ‘why’ and ‘how’ of the processing and the processor processes personal data on behalf of the controller.47

45

46

47

Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH [2016] ECLI: EU:C:2017:796, Opinion of AG Bot, confirmed in Case C‑210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH [2018] ECLI:EU:C:2018:388; Rechtbank van Eerste Aanleg Brussel, Voorzitter van de Belgische Commissie voor de bescherming van de persoonlijke levenssfeer v Facebook Ireland Limited, 26 February 2018, AR/2016/153-A. Case C-230/14 Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (n 44) para 57. Cedric Ryngaert, ‘The Concept of Jurisdiction in International Law’ in Alexander Orakhelashvili (ed), Research Handbook on Jurisdiction and Immunities in International Law (Edward Elgar Publishing 2015) 59. EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR (7 July 2021) 3.

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

68

Limits That Public International Law Poses

The GDPR defines a data controller as follows: [T]he natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.48

The data controller is thus responsible for complying with data protection rules according to the accountability principle. Examples of controllers include corporate bodies and Non-Governmental Organisations. An individual, such as a doctor keeping personal information about patients or a selfemployed consultant keeping personal information about clients, could also be a data controller. If more than one controller determines the purposes and means for the processing – as long as this purpose is the same for both – they qualify as joint controllers. A data processor is outlined in the GDPR as the following: [A] natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.49

Accountants, market research companies and Internet service providers would normally be considered data processors. The controller and processor are ordinarily separate entities. For instance, a food delivery company that outsources its ordering service to a call centre would be considered the data controller (responsible for its customers’ personal data, such as names, addresses and phone numbers) and the call centre would be the data processor (processing this personal data on the company’s behalf ). The GDPR defines controllers and processors in almost exactly the same way as the DPD.50 Notably, however, the GDPR confers some accountability obligations on the processor as well as the controller. Following the above outline of the relevant EU data protection terms, the next section looks at other provisions in the DPD and GDPR, and fits them into the main basis for exercising jurisdiction: territoriality.

4.4 territoriality As it has different meanings depending on the field of law, this section looks at territorial jurisdiction in terms of data protection law on the Internet in an EU 48 49 50

GDPR art 4(7); DPD art 2(d) reads almost entirely the same. GDPR art 4(6); DPD art 2(e) reads almost entirely the same. GDPR arts 4(7) and 4(8). The DPD refers to ‘national or Community law’ whereas the GDPR uses ‘Union or Member State law’, which is a negligible difference for the present purposes.

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

4.4 Territoriality

69

context.51 The Internet has become the leading example of a ‘space’ or ‘place’ that is difficult to link directly with a physical territory. It thus raises challenges for traditional claims of jurisdiction premised on territorial sovereignty. The Internet is popularly referred to as representing ‘deterritorialization, transnationalism, state decline, and the replacement of national pyramids of normativity by global networks of spread-out normativity’.52 This characterisation calls into question using territoriality as an analytical lens. It remains accurate that ‘the scope of the extraterritorial effect of territorial action is transformed by cyberspace’.53 As exciting as the prospect sounds, however, the Internet is not so borderless and universal.54 One could rephrase that in terms of jurisdiction: Exercising jurisdiction in the virtual data protection sphere is not usually divorced from territory. Indeed, a territorial nexus to a situation is required to trigger the application of the GDPR. As with the DPD, often this nexus is somewhat far-fetched and could admit of the Regulation’s broad application, which is partly what has inspired the conflicts between the perhaps aggressive reach of EU law and the US’ own exercise of jurisdiction. As such, strict territoriality as a jurisdictional trigger in EU data protection law with extraterritorial ramifications is divorced from reality and unhelpful. The abovementioned human rights obligations and other ways to rein in excessive jurisdictional claims, explored below, can serve to hone a more ideal jurisdictional framework. This immediate section briefly looks at the meaning of territory and jurisdiction within the EU and Council of Europe. The subsequent sections then focus on forms of territorial jurisdiction in EU data protection law. Whereas the DPD refers repeatedly to ‘territory’ in the article entitled ‘national law applicable’,55 the GDPR instead uses ‘in the Union’, which could suggest an area not necessarily physical.56 The GDPR article, however, is called ‘territorial

51

52

53

54 55

56

Ryngaert, Jurisdiction in International Law (n 6) 218, footnote 138 citing, e.g., Harvard Law Association, ‘Predictability and Comity: Toward Common Principles of Extraterritorial Jurisdiction’ (1985) 98(6) Harvard Law Review 1310. Thomas Schultz, ‘Carving up the Internet: Jurisdiction, Legal Orders, and the Private/Public International Law Interface’ (2008) 19(4) European Journal of International Law 799, 801 citing Jack Goldsmith and Tim Wu, Who Controls the Internet? Illusions of a Borderless World (Oxford University Press 2006) 179, 181–183. Mireille Hildebrandt, ‘Extraterritorial Jurisdiction to Enforce in Cyberspace? Bodin, Schmitt, Grotius in Cyberspace’ (2013) 63(2) Toronto Law Journal 196, 220. Schultz, ‘Carving up the Internet’ (n 52) 801. DPD art 4: ‘established on the Member State’s territory . . . established on Community territory . . . situated on the territory’ cf GPDR art 3: ‘an establishment of a controller or a processor in the Union . . . data subjects who are in the Union’. GDPR art 3.

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

70

Limits That Public International Law Poses

scope’, potentially bringing physical territory back into the picture.57 Indeed, territory is still a jurisdictional trigger under the GDPR, but its importance is decreasing.58 In his opinion in the Salemink case, the Advocate General asserted that ‘for EU purposes, the “territory” of the Member States is the area (not necessarily territorial, in the spatial or geographical sense) of exercise of the competences of the Union’, calling the connection between exercising sovereignty and a physical territory closer to a contingent, rather than a necessary, truth.59 To be able to continue a discussion on territorial and extraterritorial jurisdiction, however, this research employs the term ‘territory’ here to mean the physical or geographical space of a State or the EU. This justifies discussing extraterritoriality in the traditional public international law sense; if one used ‘territory’ to cover all areas in which Member States and EU institutions implemented EU law, there would arguably be no extraterritorial application of the law. Nonetheless, redefining territory in the cybersphere could help clarify how EU data protection law applies, as physical boundaries are indeed becoming less relevant and EU territory as non-physical space is a compelling idea. Territoriality is certainly important in questions of the EU’s exercise of jurisdiction in the cybersphere. In 2003, for instance, the CJEU affirmed in the landmark Lindqvist case that EU law does not apply indiscriminately to the whole Internet.60 In that case, Mrs Lindqvist had uploaded personal data about her fellow parish volunteers, such as names and phone numbers, onto her own web page.61 She was charged with violating Swedish data protection law because she had processed personal data by automatic means without first notifying the Swedish data protection supervisory authority; she had processed sensitive data without authorisation; and she had transferred personal data to third States

57 58

59

60

61

Ibid. Paul de Hert and Michał Czerniawski, ‘Expanding the European Data Protection Scope beyond Territory: Article 3 of the General Data Protection Regulation in Its Wider Context’ (2016) 6(3) International Data Privacy Law 230, 236. Case C-347/10 A. Salemink v Raad van bestuur van het Uitvoeringsinstituut [2011] ECLI:EU: C:2011:562, Opinion of AG Cruz Villalón paras 54–57. See also Lorand Bartels, ‘The EU’s Human Rights Obligations in Relation to Policies with Extraterritorial Effects’ (2015) 25(4) European Journal of International Law 1071, 1088, which also cites the Salemink AG Opinion. Case C-101/01 Bodil Lindqvist [2003] ECLI:EU:C:2003:596 paras 69–71: there is no data transfer that falls within the scope of art 25 DPD on data transfers to third States first requiring adequacy decisions, ‘where an individual in a Member State loads personal data onto an internet page which is stored with his hosting provider which is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country’. Ibid., 2.

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

4.4 Territoriality

71

without authorisation.62 The CJEU made several landmark pronouncements on EU data protection law in Lindqvist, but the most relevant one for the present purposes relates to the third issue of data transfers to third States.63 The Court held that simply being in the EU and uploading personal data to a web page, which anyone in the world with Internet access could access, did not constitute the transfer of personal data to a third State.64 This ruling was important because the DPD only allows personal data to be transferred to a third State if that State offers adequate data protection. As such, the Court limited the scope of application of EU law: Not every State with Internet users who accessed EU pages needed an official acknowledgement of adequate data protection standards. In revising data protection instruments, there appears to be a move from ‘territory’ to ‘jurisdiction’, somewhat de-emphasising the link between territory and a State’s authority to regulate. The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) provides the most pertinent example, which can animate the discussion on territory in the GDPR.65 Between 2011 and 2018, various privacy experts worked on updating the 1981 Convention. During the discussion and consultation phase, there were three notable developments regarding jurisdiction. First, the 2012 modernisation proposal changed the text of the Convention’s object and purpose article from reading that its purpose was to secure respect for rights and freedoms ‘in the territory of each Party for every individual, whatever his nationality or residence’ to securing them ‘for every individual subject to the jurisdiction of the Parties, whatever their nationality or residence’.66 Aside from this change bringing Convention 108 into line with the European Convention on Human Right’s jurisdictional scope (‘everyone within their jurisdiction’)67 and allowing for international organisations to ratify the Convention more easily, this change was recommended because ‘referring to the concept of jurisdiction, rather

62 63 64 65

66

67

Ibid., 15. Ibid., 23. Ibid., 71. Council of Europe, Convention for the Protection of Individuals with Regard to the Automatic Processing of Individual Data, 28 January 1981, ETS 108 (Convention 108); for another analysis of how Council of Europe Convention 108 shows a move from territory to jurisdiction, see de Hert and Czerniawski, ‘Expanding the European Data Protection Scope beyond Territory’ (n 58) 231–233. Convention 108 (1981) art 1 (emphasis added); Council of Europe, ‘The Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data [ETS No 108]: Propositions of Modernisation’, 18 December 2012 (Convention 108 Propositions of Modernisation (2012)) art 1 (emphasis added). Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended, 4 November 1950, ETS 5 art 1.

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

72

Limits That Public International Law Poses

than territory, [would seem most likely] to stand the test of time and continual technological developments [and] would seem more amenable to legal interpretation and more adaptable’.68 Interestingly, the final version of the modernised text (2018) did away with territory and jurisdiction altogether in the object and purpose article, so it now reads that the Convention’s purpose is ‘to protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data’.69 This appears to sideline jurisdictional principles based on both territory and nationality or residence, although the aforementioned versions also make the effort to avoid discrimination based on nationality or residence without explicitly saying as much. The evolution of the modernised Convention 108 text appears to confirm that having a jurisdictional space that is not necessarily physical – rather like ‘in the Union’ in the GDPR – would be more suitable in the data protection field. Second, the scope article of the same Convention shows a move towards jurisdiction and a focus on the data subject, which is notable for the below discussion on the growth of personality-based jurisdiction in data protection. The 1981 Convention applied ‘to automated personal data files and automatic processing of personal data’.70 According to the modernised scope article, each Party applies the Convention ‘to data processing subject to its jurisdiction in the public and private sectors, thereby securing every individual’s right to protection of his or her personal data’.71 Here, the proposal drafters added jurisdiction to the scope article, attaching it to both a data-processing act and an individual. Third, the suggested changes to the article covering transborder flows of personal data reflect a move from territory to jurisdiction. The 1981 version covered ‘transborder flows of personal data going to the territory of another Party’,72 whereas the modernised text refers to data transfers to a recipient who is ‘subject to the jurisdiction of another Party’.73 This is in line with the 2001 Additional Protocol to Convention 108 on supervisory authorities and transborder data flows, which covers data transfers to a recipient that is ‘subject to the jurisdiction of a State or organisation that is not Party to the Convention’.74 Whilst the 68

69

70 71 72 73 74

Jean-Philippe Moiny, ‘Memorandum on Introducing the Concept of Jurisdiction into Article 1 of Convention 108 (5 September 2012, Update)’ (2012) 6. Council of Europe, Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data, 18 May 2018, ETS 108 (Modernised Convention 108) art 1. Convention 108 (1981) art 3(1). Modernised Convention 108 art 3(1). (This also appeared in earlier draft texts.) Convention 108 (1981) art 12(2). Modernised Convention 108 art 12(1). (This also appeared in earlier draft texts.) Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows, 8 November 2001, CETS No 181 art 2(1); this also raises the complex question of how to exercise jurisdiction in respect of organisations as non-State actors.

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

4.4 Territoriality

73

aforementioned articles do not nearly make territory irrelevant when determining how and when the Convention applies to a certain situation, they could represent a change – necessitated by technological developments and a need for malleability – in the approach to territory vis-à-vis jurisdiction. It is interesting to track the practical effect these developments have in the EU, all Member States of which have ratified Convention 108, and indeed the twenty-plus non-EU States that are also party to the Convention. In sum, whilst some commentators might suggest otherwise, territory is relevant and important when looking at jurisdiction and EU data protection law. Trends towards ‘territory’ not being physical or ‘jurisdiction’ replacing ‘territory’ could have several ramifications. For instance, the terms could be interpreted flexibly to accommodate advancing technologies that do away with physical territory, such as cloud computing or the metaverse. On the contrary, understanding ‘territory’ as something non-physical could pave the way for the EU to expand its jurisdictional reach through creative interpretation or by relying upon other, more controversial ways to trigger jurisdiction. Section 4.4.1 looks at the applicable law provisions in the DPD and GDPR in terms of territory.

4.4.1 In EU Data Protection Law This section similarly traces the evolution of the jurisdictional provisions in the DPD and the GDPR. The Directive enshrines jurisdiction as below: National law applicable 1.

75

Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where: (a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State …; (b) the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law; (c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.75

DPD art 4 (emphasis added). Whilst online data is stored or processed on a computer in a specific physical location, it is increasingly difficult to determine this location: [a]ny personal data processed on the Internet will still have to be stored on a computer in a physical location. However, in light of increased data processing on the Internet, it is usually

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

Limits That Public International Law Poses

74

Where a controller was established and where ‘equipment’ was located were important as ways to trigger the application of the DPD. As it may have applied to controllers established in third States, the Directive could have effects beyond EU territory. The Article 29 Working Party suggested that ‘neither the nationality or place of habitual residence of data subjects, nor the physical location of the personal data, are decisive’ when determining the applicable law.76 If personal data were processed in whole or in part outside the EU and there existed a relevant (territorial) link with the EU through the establishment of a controller and the nature of its activities, or through the location of equipment, the DPD may have applied. The GDPR’s jurisdiction article is as follows: Territorial Scope This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. 3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.77 1.

Despite being called ‘territorial scope’, the GDPR’s application article moves away from being anchored explicitly in physical territory. The DPD had a wide scope of application and the GDPR has an even wider one. Instead of simply the place of establishment of a controller criterion, it adds the place of establishment quite difficult to determine the place of storage or processing. Indeed, under scenarios such as cloud computing, the processing may take place in a number of States simultaneously. Thus, the question is whether, in the era of cloud computing, it makes sense to speak of the data being “located” in a specific place. (Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 2)’ (n 28) 238 (citations omitted).) 76

77

Article 29 Working Party, Opinion 8/2010 on applicable law (WP 179, 16 December 2010) 8. See too EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (12 November 2019) 15: ‘the nationality or legal status of a data subject who is in the Union cannot limit or restrict the territorial scope of the Regulation’. GDPR art 3.

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

4.4 Territoriality

75

of a processor as a possible jurisdictional hook. It also explicitly states that the data processing does not necessarily have to take place in the EU for the GDPR to apply. Moreover, it replaces the complicated ‘location of equipment’ criterion in the DPD with the following broader criteria: processing activities related to the offering of goods or services, or monitoring of the behaviour of EU data subjects in the Union as long as their behaviour takes place in the Union. Furthermore, as some important US data controllers have establishments on EU territory, Article 3 GDPR prompts them to comply with EU law. As the relevant legislation could apply to ‘an enormous amount of entities and activities [it therefore has] very little chance at being widely enforced’.78 Indeed, it would only serve to exacerbate tensions and not solve conflicts if authorities began applying the GDPR in all or almost all situations involving US data controllers or processors and some sort of minor EU connection. The GDPR confirms that territory is the main base upon which the EU may exercise jurisdiction. It also reaffirms the abovementioned tendency to move away from the term ‘territory’ to terms that could be construed more vaguely (‘in the Union’). Section 4.4.2 looks at some of the main permissive principles of jurisdiction not hinged solely upon a territorial connection to a single State, and endeavours to fit EU data protection law into each category.

4.4.2 Subjective Territoriality Subjective territoriality covers situations in which an act begins in one territory, but is completed in a different territory. Under this principle, the State in which the act was initiated could claim jurisdiction over the act. The EU law country of origin principle provides that where there is a conflict of laws when an act is performed in one State, but received in another, the law of the original State applies.79 This draws parallels with the subjective territoriality principle, albeit in an intra-EU context. The scope article and recitals of the GDPR lend themselves much more easily to the objective territoriality principle, especially in terms of prescriptive jurisdiction. The relevant acts terminate in the EU, which contrasts with the adequacy requirement discussed below, where the acts originate in the EU. The GDPR’s adequacy requirement could be understood as a manifestation of the subjective territoriality principle.80 The adequacy requirement provides that 78 79

80

Colonna, ‘Article 4 of the EU Data Protection Directive?’ (n 42) 221 (citations omitted). Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market [2000] OJ L 178 recital 22. GDPR art 45.

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

76

Limits That Public International Law Poses

any transfer of personal data outside the EU is, with some exceptions, per se unlawful unless the European Commission has deemed that the third State adequately protects that personal data.81 More than 145 States have data protection laws, many of which afford an EU level of data protection to personal data transferred to those States despite not having followed the procedure to obtain an adequacy decision.82 Indeed, many States have almost directly copied the DPD or GDPR text and incorporated it into their own legal system, showing some sort of legal diffusion, or, at a stretch, an inadvertent exercise of prescriptive jurisdiction by the EU.83 In lieu of an adequacy decision by the European Commission, data may be transferred based upon the consent of the data subject, bilateral agreements, standard contractual clauses and binding corporate rules.84 In these examples, EU law essentially applies not only where an act, namely a data transfer, begins in the EU, but where the transfer terminates in a third State.85 As such, it exemplifies something close to the subjective territoriality principle in that a potential interference would occur in the third State, yet EU law would preemptively apply. This application could be understood as an example of legal diffusion, perhaps approaching a soft form of extraterritorial prescriptive jurisdiction.

4.4.3 Objective Territoriality Objective territoriality imbues the State where an act is consummated with jurisdictional authority. Provisions in the GDPR can be seen as examples of this principle. This section examines Article 3 GDPR with some acknowledgement of its legislative precedent in Article 4 DPD.

4.4.3.1 In the Context of the Activities of an Establishment in the EU According to Article 3(1) GDPR, if an entity has its main establishment not in the EU (e.g. a company headquartered in the US), but it processes data in the context of the activities of an establishment of a data controller or processor in the Union, EU data protection law could apply to this processing. Accordingly, EU jurisdiction could be established by a data-processing act having an ultimately territorial connection to the Union. An establishment must carry out the ‘effective and real 81 82

83 84 85

DPD art 25(4). Graham Greenleaf, ‘Global Data Privacy Laws 2021: Despite COVID Delays, 145 Laws Show GDPR Dominance’ (2021) 169 Privacy Laws & Business International Report 1, 1–2. Ibid.; interview with Christopher Kuner, March 2016. See, e.g., DPD art 26. Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 2)’ (n 28) 240.

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

4.4 Territoriality

77

exercise of activity through stable arrangements’ in the relevant data-processing context to qualify as such.86 Sometimes, the presence of merely one employee or agent of a non-EU entity in the EU could constitute an establishment.87 That said, the presence of an establishment ‘should not be interpreted too broadly’ to mean that ‘the existence of any presence in the EU with even the remotest links to the data processing activities of a non-EU entity will be sufficient to bring this processing within the scope of EU data protection law’.88 It follows that a server or computer almost certainly would not qualify as an establishment.89 The main factor to consider when analysing whether a data-processing act occurs in the ‘context of the activities’ is the extent to which an establishment is involved in the activities in the data-processing context.90 The nature of the activities is of secondary importance.91 The nature of the link, however, is important. In terms of territory and Article 3 (1) GDPR, ‘geographical location is not important . . . with regard to the place in which processing is carried out, or with regard to the location of the data subjects in question’.92 What is important, however, is where the data controller or processor is established and the business presence of the non-EU controller or processor.93

4.4.3.2 From the Use of Equipment in the EU to Targeting Those in the EU A somewhat ambiguous provision in the DPD states that it applies if a data controller is not established on EU territory, but makes use of equipment on Member State territory to process personal data.94 ‘Making use’ is premised on (i) the activity of the controller and (ii) its clear intention to process personal data.95 The Article 29 Working Party understood ‘equipment’ as ‘means’ because this was a more accurate translation of the same word in nonEnglish versions, it was used in other parts of the Directive and it appeared

86 87 88 89 90 91 92 93 94 95

GDPR recital 22. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) 6. Ibid., 7. Article 29 Working Party, Opinion 8/2010 12. Ibid., 14. Ibid. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) 10. Ibid. DPD art 4(1)(c). See Article 29 Working Party, Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based websites (WP 56, 30 May 2002).

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

78

Limits That Public International Law Poses

in earlier proposals for the Directive.96 The Working Party’s interpretation was perhaps too broad as the fact that other articles in the Directive and earlier proposals used ‘means’, whilst Article 4(1)(c) specifically and consciously uses ‘equipment’, suggests they are not interchangeable terms. The Article 29 Working Party nevertheless acknowledged that its broad interpretation of ‘equipment’ could mean the Directive applied ‘where the processing in question has no real connection with the EU/EEA’.97 A controversial example was when external controllers used cookies or JavaScript banners to collect personal data about EU Internet users. For instance, if a data controller located on third State territory, such as a cloud computing service provider in the US, made use of means on EU territory by installing cookies to collect data about users’ browsing habits, Article 4(1)(c) would trigger the application of the relevant parts of the DPD. The service provider could therefore be obliged to adhere to certain EU data protection principles. To fit Article 4(1)(c) DPD into either the subjective or objective territoriality model, it is useful to ask whether EU data protection law would apply only to data processing that happens in the EU or to the third-State controller for all processing stages, including, for example, the eventual storage of browsing data by the controller in a third State. If it only applied to data processing in the EU, the article would be seen as more akin to the objective territoriality model of jurisdiction: Jurisdiction could only be exercised vis-à-vis the processing acts in the EU. As asserted above, data processing on behalf of an external controller can be understood as the termination of an act. The Article 29 Working Party, however, believed that, because the protection of personal data is a fundamental right, the Directive should apply to the whole processing procedure, including that which happened in a third State.98 The Working Party, however, did limit this to situations where the connection to the EU was ‘effective and not tenuous (such as by almost inadvertent, rather than intentional, use of equipment in a Member State)’.99 As explored below, the GDPR could offer clarification of how ‘intentional use of equipment’ has evolved. The GDPR replaces the use of equipment criterion with a clause that could admit of a wider application of jurisdiction than the DPD.100 The GDPR

96 97 98 99 100

Article 29 Working Party, Opinion 8/2010 20. Ibid., 29. Ibid., 24. Ibid. As EU data protection jurisdiction needs to be grounded in clear criteria that allow data controllers and processors to identify the link between their obligations and the applicable law, some contend that the GDPR drafters did well to remove the ‘use of equipment’ threshold. Michał Czerniawski, ‘Extraterritoriality in the Age of the Equipment-Based Society: Do We

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

4.4 Territoriality

79

applies to data processing by external controllers of the personal data of data subjects in the Union when the processing is related to: (i) the offering of goods or services to the data subjects, regardless of whether they require a payment; or (ii) the monitoring of the data subjects’ behaviour in the EU.101 The enhanced potential for the GDPR to apply extraterritorially foreseen in Article 3(2) GDPR represents a ‘dramatic shift from a country of origin to a country of destination approach’.102 This country of destination approach draws parallels with the objective territoriality principle. It has been suggested that this article enables the application of the GDPR to all processing of EU data subjects’ personal data, ‘regardless of a lack of a geographical nexus to the controller or its equipment’.103

4.4.3.3 Public International Law The third point on national law applicable in Article 3(3) GDPR appears to provide plainly for public international law to give guidance on how EU data protection rules should apply when controllers are located in third States. In practice, however, it simply means that the relevant provisions could apply aboard ships, on aircraft and similar, according to general public international law and specific treaties. This provision is largely comparable in the DPD and GDPR. One oversight in recital 25 GDPR is the suggestion that the GDPR applies ‘in a Member State’s diplomatic mission or consular post’.104 This is inaccurate, however, as according to the Vienna Convention on Diplomatic Relations, the Vienna Convention on Consular Relations and customary

Need the “Use of Equipment” as a Factor for the Territorial Applicability of the EU Data Protection Regime?’ in Dan Jerker B Svantesson and Dariusz Kloza (eds), Trans-Atlantic Data Privacy Relations as a Challenge for Democracy (Intersentia 2017) 239. 101 GDPR art 3(2). 102 Omar Tene and Christopher Wolf, White Paper – Overextended: Jurisdiction and Applicable Law under the EU General Data Protection Regulation, the Future of Privacy Forum (2013) 2 (emphasis in original). Whilst questioning the territoriality principle as a limit to jurisdiction per se, Hörnle acknowledges that Article 3(2) GDPR falls within the objective territoriality principle. Julia Hörnle, ‘Juggling More Than Three Balls at Once: Multilevel Jurisdictional Challenges in EU Data Protection Regulation’ (2019) 27 International Journal of Law and Information Technology 142, 165. 103 Ibid., 3 citing Draft Report on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM (2012)0011 – C7 0025/2012 – 2012/0011(COD)), Committee on Civil Liberties, Justice and Home Affairs, Rapporteur: Jan Philipp Albrecht. 104 GDPR recital 25.

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

80

Limits That Public International Law Poses

international law, the law of the receiving State applies on the premises of diplomatic or consular missions and diplomatic staff are obliged to respect the laws of the receiving State.105 Diplomatic staff, however, enjoy immunity from criminal, civil and administrative jurisdiction in most circumstances.106 It is ill-advised to extend the reach of the GDPR into an EU Member State’s diplomatic or consular mission outside the EU.107

4.4.4 The Effects Doctrine The effects doctrine is a particularly controversial basis for enacting extraterritorial jurisdiction.108 It is an extension of the objective territoriality principle. Some States purport to apply this doctrine when the effects of conduct by citizens abroad, even non-nationals of the affected State, are felt within a State.109 Thus far, it has mostly been applied by the US and then usually in antitrust cases.110 The effects doctrine is commonly said to have been introduced in the 1945 antitrust case United States v Aluminum Co of America, where the court found that ‘it is settled law . . . that any state may impose liabilities, even upon persons not within its allegiance, for conduct outside its borders that has consequences within its borders which the state reprehends’.111 It also appears in an early form in the US Supreme Court case Strassheim v Daily, which in the context of a federation asserts that ‘[a]cts done outside a jurisdiction, but intended to produce and producing detrimental effects within it, justify a state in punishing the cause of the harm as if he had been present at the effect if the state should succeed in getting him within its power’.112 The latter poses requirements of intention and effect. According 105

Vienna Convention on Diplomatic Relations (adopted 14 April 1961, entered into force 24 April 1964) 500 UNTS 96 (VCDR) art 41(1); Vienna Convention on Consular Relations (adopted 2 April 1963, entered into force 19 March 1967) 596 UNTS 261 (VCCR) art 55. 106 VCDR art 31(1); VCCR art 43. 107 Svantesson, ‘Article 3. Territorial Scope’ (n 41) 92–93. 108 See, e.g., the international reaction to Rio Tinto Zinc Corp v Westinghouse Electric Corp [1978] AC 547 (HL), where US law was applied to non-US companies in the absence of intra-territorial conduct. See also Vaughan Lowe and Christopher Staker, ‘Jurisdiction’ in Malcolm Evans (ed), International Law (3rd edn, Oxford University Press 2010) 323 and Amicus Curiae Brief by the European Commission on Behalf of the European Commission on Behalf of the European Union in Support of Neither Part in Kiobel v Royal Dutch Petroleum Co., 133 SC 1659 (2013). 109 Najeeb Samie, ‘The Doctrine of “Effects” and the Extraterritorial Application of Antitrust Laws’ (1982) 14(1) Lawyer of the Americas 23, 23 (citations omitted). 110 The effects doctrine has arguably been developing in EU antitrust law: Joanne Scott ‘The New EU “Extraterritoriality”’ (2014) 51(5) Common Market Law Review 1343, 1356–1358. 111 United States v Aluminum Co of America, 148 F 2d 416, 443 (2d Cir, 1945). 112 Strassheim v Daily, 221 US 280 (1911).

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

4.4 Territoriality

81

to the US Third Restatement of Foreign Relations Law, which outlines the US approach to international law, the effects doctrine may only apply where extraterritorial conduct has substantial effects on US territory, and where its exercise of jurisdiction is reasonable.113 Parts of Article 3 GDPR on territorial scope could be construed as manifestations of the effects doctrine; many scholars in the field support this opinion.114 Dan Svantesson suggests the DPD’s use of equipment provision and the GDPR’s clause on monitoring the behaviour of people in the EU both fall within the effects doctrine, in that external conduct has an effect in the specific jurisdiction of the EU.115 Christopher Kuner asserts that, whilst prima facie appearing to fall exclusively within the objective territoriality principle, the use of equipment clause in the DPD can also be understood as falling within the effects doctrine.116 This is because the clause aims to prevent data controllers from escaping the reach of EU law by establishing themselves outside EU territory.117 This approach is reflected in the GDPR. The issue with the effects doctrine is that whereas it is quite straightforward to differentiate between an act being decided by a controller and carried out on the controller’s behalf by a processor, thus triggering a form of territoriality jurisdiction, it is more difficult to decipher where an effect of data processing is felt. In the transatlantic context, is an effect felt on EU territory and did all the relevant conduct take place in the US? Did the US data controller have the intention for such effects to occur? It is also difficult to quantify how substantial or detrimental this effect is, and who gets to make that decision. These questions are better applied to concrete examples of conflicts in jurisdiction (see Chapters 6–8), rather than to provisions of the GDPR, which would be merely speculative. Furthermore, in data protection law, it is challenging to establish a genuine link between an act abroad and an effect. Schultz asserts that in the cybersphere, the link between a State and an act or omission needs to reach a higher threshold than in the physical world.118 This is due to the fact that

113

114

115 116 117 118

Restatement (Third) of the Foreign Relations Law of the United States (n 3) 402–403. See also: Kamminga, ‘Extraterritoriality’ (n 33) and Shaw, International Law (n 24) 500. See discussions in Svantesson, Extraterritoriality in Data Privacy Law (n 35) and Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 2)’ (n 28). See too Colonna, ‘Article 4 of the EU Data Protection Directive’ (n 42) 211 and Hörnle, ‘Juggling More Than Three Balls at Once’ (n 102) 164. Svantesson, Extraterritoriality in Data Privacy Law (n 35) 141–142. Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 1)’ (n 38) 190. Ibid. Schultz, ‘Carving up the Internet’ (n 52) 815, citations omitted.

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

82

Limits That Public International Law Poses

everyone with Internet access could in theory access every website, indiscriminately establishing this act–effect link. As such, the effects doctrine in respect of data protection law has been criticised as being too open-ended.119 Such a potentially broad reach of EU data protection law is echoed in the CJEU’s pronouncements in the Lindqvist judgment.120 Going further, Schultz suggests that the effects doctrine ‘should a fortiori be rejected entirely on the Internet’.121 Moreover, if the effects doctrine is an expansion of the objective territoriality principle, and the effects doctrine is so heavily criticised, it is more readily acceptable to consider Article 3 GDPR, and undoubtedly Article 4 DPD, as reflecting the objective territorial principle.122 In sum, this research considers it overly simplistic to claim that the GDPR falls wholly under the effects doctrine. With reference to the targeting approach discussed supra, Svantesson calls for a departure from territoriality as the main criterion from which to assess claims to exercise jurisdiction.123 An approach less connected to territory resonates better with the effects doctrine than with the objective territorial principle. Extrapolating this, if territory in itself is no longer sufficient to demarcate the EU’s exercise of jurisdiction over situations with a foreign element, personality-based jurisdictional principles could offer an alternative option, as explored below.

4.5 personality There is a perceptible shift from territory to personality as a basis for jurisdiction in EU data protection law. This is especially true in view of the changing nature of State obligations and the increased emphasis on individuals, namely data subjects, in the GDPR compared to the DPD. Classic personality-based jurisdiction law is not based on legal obligations of the State towards individuals, but rather on bonds of allegiance between the individual and the State. Increasingly, however, a State can be understood to owe jurisdictional obligations to individuals, rather than simply to States in respect of individuals.124 Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 1)’ (n 38) 190 citing Ralf Michaela, ‘Territorial jurisdiction after territoriality’ in Piet-Jan Slot and Mielle Bulterman (eds), Globalisation and Jurisdiction (Kluwer Law International 2004) 123, who says that ‘in a globalized economy, everything has an effect on everything’. 120 Case C-101/01 Bodil Lindqvist (n 60) 71. 121 Schultz, ‘Carving up the Internet’ (n 52) 815, citations omitted. 122 Ibid. 123 Svantesson, Extraterritoriality in Data Privacy Law (n 35) 233–234. 124 Mills, ‘Rethinking Jurisdiction in International Law’ (n 1) abstract, 213–214 and 229. 119

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

4.5 Personality

83

A State could owe duties to individuals as both subjects and objects of regulation. As subjects, they are active agents, positive actors and rights bearers; as objects, they are passive addressees.125 These concepts operate on a spectrum, not a clear-cut dichotomy.126 Individuals can be conceived of as ‘international legal persons’.127 With individuals becoming a focus of international rules of jurisdiction, it is important to consider individuals in EU data protection law. The EU wants to protect its data subjects; it focuses on protecting individuals. This raises the question of how personal data can be connected to EU data subjects as individuals, and how these individuals could fall within classic principles of jurisdiction. This section outlines various forms of personality-based jurisdiction.

4.5.1 Individuality and Personality The protection of personal data has always been connected closely with an individual. Personal data is any information pertaining to an identified or identifiable natural person, who per se is a data subject.128 The full titles of the DPD and GDPR mention not data protection or data privacy, but ‘the protection of individuals with regard to the processing of personal data’.129 In a broader sense, privacy can be attached to the concepts of individuality and autonomy.130 Autonomy, in turn, can be understood as being intimately linked to freedom and self-determination.131 Self-determination and privacy flow ultimately from human dignity. Human dignity is a value upon which the EU is founded and is common to EU Member States.132 There are strong ties between individuality and developing one’s personality. The right to

125

Ibid., 219. Ibid., 213. 127 Ibid., 220, footnote 136 citing ‘States have had to concede to ordinary human beings the status of subjects of international law, to concede that individuals are no longer mere objects, mere pawns in the hands of states’. Louis B Sohn, ‘The New International Law: Protection of the Rights of Individuals Rather Than States’ (1982) 32(1) American University Law Review 1, 1. 128 GDPR art 4(1). 129 DPD; GDPR. 130 Edward J Bloustein, ‘Privacy as an Aspect of Human Dignity: An Answer to Dean Prosser’ in Ferdinand David Schoeman (ed), Philosophical Dimensions of Privacy: An Anthology (Cambridge University Press 1984) 170, 191. 131 Alan F Westin, Privacy and Freedom (Atheneum 1967) 7. 132 ‘The Union is founded on the values of respect for human dignity . . . and respect for human rights . . . . These values are common to the Member States’. Consolidated Version of the Treaty on European Union [2012] OJ C326/01 art 2. 126

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

84

Limits That Public International Law Poses

protection of personal data, as a subset and counterpart to the right to privacy, is a personality right.133 Individuals have a right to informational selfdetermination, to know and determine what is done with their personal data. An individual’s personal data is closely connoted with an individual as a legal person. Personality-based jurisdiction is also tied to a person’s individuality, nationality and personality. This is relevant for extraterritorial jurisdiction because someone’s personal data is often controlled, processed and stored in multiple jurisdictions, much more than an actual physical person might be involved in different jurisdictions. As such, someone’s personal data could potentially trigger a form of personality jurisdiction.

4.5.2 Active and Passive Personality The personality principle can be classified as active or passive. According to the active personality principle, a State has the right to extend the application of its laws to its nationals outside its territory.134 This principle is commonly a basis for criminal jurisdiction. It may also extend to companies, ships and aircraft.135 A common example is when a State prosecutes a citizen who commits a crime abroad. There are no examples in EU data protection law that readily lend themselves to the active personality principle. The passive personality principle covers situations where a State exercises jurisdiction over injured nationals abroad.136 It is usually applied in criminal law cases to enable jurisdiction over victims. The passive personality principle is arguably the most hard-line basis for exercising extraterritorial jurisdiction and has thus been much challenged.137 Whilst under customary international law the passive personality principle is not usually considered a valid basis to permit the exercise of extraterritorial prescriptive jurisdiction,138 more recent State practice suggests States might be more accepting of the principle.139 Indeed, 133

134 135 136 137

138 139

Gloria González Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU (Springer 2014) 23 citing Bernard Edelman, La personne en danger (Presses Universitaires de France 1999) 509. Lowe and Staker, ‘Jurisdiction’ (n 108) 322. Kamminga, ‘Extraterritoriality’ (n 33). Ibid.,; Arrest Warrant of 11 April 2000 (Democratic Republic of the Congo v Belgium) (n 16). See Mann, The Doctrine of Jurisdiction in International Law (n 13) 30, referring to the passive personality principle as ‘strongly contested’; Ryngaert, Jurisdiction in International Law (n 6) 92–93, calling the passive personality principle ‘quite likely, the most aggressive basis for extraterritorial jurisdiction’. Currie, Public International Law (n 30) 36. Svantesson, Extraterritoriality in Data Privacy Law (n 35) 141 citing Danielle Ireland-Piper, ‘Extraterritorial Criminal Jurisdiction: Does the Long Arm of the Law Undermine the Rule of

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

4.5 Personality

85

in reinterpreting existing permissive principles to see how data protection law fits within them, passive personality is an increasingly useful concept to delineate the EU’s regulatory authority. The passive personality principle could apply in EU situations with foreign elements because EU individuals are rights holders and potential victims of having their right to personal data protection violated when their personal data is transferred, controlled or processed outside of EU territory. Moreover, they are addressees of the EU’s data protection norm. Especially in the cybersphere, it is important to note that an EU resident’s right to data protection could conceivably be violated ‘even in absence of any detriment to the affected individual’.140 Indeed, an individual could be legally, but not physically, present.141 This notion, under the GDPR, is expanded upon below. 4.5.2.1 Reconciling Citizenship, Residence and Applicability To ensure a stronger connection between the GDPR and its application to a situation, an additional jurisdictional criterion would plausibly be personality, that is, nationality or even residency. EU residents are highly likely to be citizens of an EU country, so the personality principle hinged purely upon someone’s nationality could apply, as long as the data processing is related to actions in the EU. By extension, the GDPR would not apply to an EU resident outside the EU with no further connection between the data processing and the EU. The EDPB confirms this approach in its Guidelines on the territorial scope of the GDPR: [I]t should be noted that the processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR, as long as the processing is not related to a specific offer directed at individuals in the EU or to a monitoring of their behaviour in the Union.142

Moving beyond pure citizenship or residency, EU data protection law refers to data subjects ‘in the Union’. If other criteria are satisfied, the GDPR applies ‘whatever [someone’s] nationality or place of residence’.143 The Article Law?’ (2012) 13(1) Melbourne Journal of International Law 1, 13–14, which discusses Australian law and Gillian D Triggs’ scholarship on the matter. 140 Marko Milanovic, ‘Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age’ (2015) 56(1) Harvard International Law Journal 81, 134 citing Huvig v France App no 11105/ 84 (ECtHR, 24 April 1990) para 35. 141 Richard T Ford, ‘Law’s Territory: (A History of Jurisdiction)’ (1999) 97(4) Michigan Law Review 843, 904. 142 EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) 16. 143 GDPR recital 14.

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

86

Limits That Public International Law Poses

29 Working Party also posited that it would be unacceptable to protect only those residing in the EU as the fundamental right to data protection is enjoyed without discriminating based on someone’s nationality or residence.144 Similarly, in determining the jurisdiction and applicability of one EU Member State’s data protection law vis-à-vis another Member State, the CJEU in its Weltimmo judgment stipulated that ‘the issue of the nationality of the persons concerned by such data processing is irrelevant’.145 This approach also avoids the exclusion of non-EU nationals who live in or are visiting the EU, to whose personal data EU data protection law generally ought to apply according to the principle of non-discrimination. Furthermore, by virtue of its status as a fundamental right, the application of the right to data protection does not depend on citizenship.146 In practice, however, EU fundamental rights law cannot simply apply to everyone everywhere; there ought to be some practical limitations. An approach focused de facto on personality would permit EU data protection principles to apply to an EU individual’s personal data regardless of its location.147 Residence is similar to the private international law concept of domicile, which gives the individual, as opposed to the State, some freedom to choose jurisdiction.148 Indeed, private international law rules on adjudicative jurisdiction recall personality jurisdiction.149 This research focuses on residency or acts ‘in the Union’ as opposed to citizenship because it would be excessive to expect EU data protection law to apply, for example, to the personal data of an Italian citizen who resides in Australia if their banking data were exchanged between Australian and Chinese financial institutions. Indeed, whilst the Charter of Fundamental Rights of the European Union (EU Charter) affirms the right to data protection for ‘everyone’, EU DPAs ordinarily attend to EU data protection legal claims where the link between

144 145

146

147

148 149

Article 29 Working Party, Opinion 8/2010 24. Case C-230/14 Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (n 44) para 41. The DPD and GDPR acknowledge that rules on data processing should respect a person’s fundamental rights and freedoms, whatever that person’s nationality or residence (DPD recital 2; GDPR recital 2). Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 2)’ (n 28), 238–239 and see 239, footnote 161 citing Bygrave, ‘Determining Applicable Law Pursuant’ (n 38) 256 making this argument. Bygrave draws parallels between this approach and existing EU consumer protection applicable law rules. Mills, ‘Rethinking Jurisdiction in International Law’ (n 1) 21. ‘In the rules of adjudicatory jurisdiction in civil and commercial matters under private international law, the domicile principle may serve as a variation on the active personality principle’. Ryngaert, Jurisdiction in International Law (n 6) 108.

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

4.5 Personality

87

the data subject and the EU is clear.150 As the Article 29 Working Party confirmed in its Guidelines on implementing the Google Spain judgment, a data subject’s residency in an EU Member State qualifies as a clear link.151 The main issue with this approach, however, is that it could be technologically difficult to determine someone’s residence status in the moment. As shown in Chapter 7 on the free flow of information, however, exercising certain data subject rights can be tied to residency. The residence or domicile view has been gaining greater traction with the popular focus on protecting individuals.152 In national and international legal practice, to link residence with nationality or personality to permit the exercise of personality-based jurisdiction is not a new approach.153 The GDPR, however, has evolved. Whereas the territorial scope article used to refer to ‘data subjects residing in the Union’ in the 2012 proposal for a Regulation, it now Article 29 Working Party, ‘Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12’ (WP 225, 26 November 2014) 8. 151 Ibid. 152 ‘One could also argue that the place of the domicile [or residence of the data subject] should be the place of jurisdiction, in order to give maximum protection to the individual’. Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 2)’ (n 28) 238–239 citing Bygrave, ‘Determining Applicable Law Pursuant’ (n 38) 256: The problem of more than one State’s laws governing the same situation ‘could be remedied if applicable law were to be made the law of the State in which a data subject has his/her domicile. Such a rule would parallel existing European rules on jurisdiction and choice of law in the case of consumer contracts.’ Similarly, [p]erhaps the artificiality of attempting to localize internet conduct territorially means that jurisdiction should be determined by reference to the defendant’s nationality or the claimant’s domicile?’ Oren Bigos, ‘Jurisdiction over Cross-Border Wrongs on the Internet’ (2005) 54(3) International and Comparative Law Quarterly 585, 602 (citations omitted). For EU legislation on jurisdiction and consumer protection that takes a similar approach, see 1968 Brussels Convention on Jurisdiction and the Enforcement of Judgements in Civil and Commercial Matters [1972] OJ L 299, arts 13–15; 1988 Lugano Convention on Jurisdiction and the Enforcement of Judgements in Civil and Commercial Matters [1988] OJ L 319, arts 13–15; Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations (Rome I) [2008] OJ L 177 art 5 and recital 25. That said, somewhat confusingly, the EDPB has stated that if a territorial connection is established through the location of a data controller in the EU (France), ‘even though processing relates to personal data of data subjects who are not in the Union [for a service directed exclusively towards customers in Morocco, Algeria and Tunisia], the provisions of the GDPR will apply to the processing carried out by the French company, as per Article 3 (1)’, so third State nationals would enjoy GDPR-level protection in that scenario. See EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (n 76) 9. It could be argued that the EU lacks the legitimate interest required to apply its laws in this situation to which it has a weak connection. 153 Referencing Dutch and Belgian law, see Cedric Ryngaert, ‘Amendment of the Provisions of the Dutch Penal Code Pertaining to the Exercise of Extraterritorial Jurisdiction’ (2014) 61(2) Netherlands International Law Review 243, 245 (citations omitted). 150

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

88

Limits That Public International Law Poses

reads ‘data subjects who are in the Union’, which prima facie seems to broaden its reach even more by removing an explicit residency requirement.154 That said, other sections of the GDPR related to its territorial scope mention a data subject’s residence on EU territory.155 In practice, residence could be a useful jurisdictional hook and location is certainly important. A specific example of how an EU DPA, in this case the Greek one, has extended the applicability of its data protection law shows how a form of the passive personality principle has been applied in an EU–third State dimension.156 The Greek DPA in the early 2000s required that data controllers outside Greece that processed the personal data of Greek residents appoint a representative in Greece, who would be accountable for this data processing.157 This appears to be a combination of territory and residency as a jurisdictional trigger, but as Greek residents are highly likely to be Greek nationals, it could be considered a manifestation of the passive personality principle.158 Furthermore, it is practically difficult to have to distinguish between residents and citizens when the goal is to provide broad protection of the fundamental right to data protection – at least for data subjects in the EU. The European Commission took issue with the abovementioned requirement in Greek law, so Greece changed it in 2006.159 This example draws parallels, however, with certain substantive rules in the GDPR that could apply very broadly. The GDPR mandates that non-EU entities that target people in the Union (per Article 3(2) GDPR) must designate a representative in the EU who is established in one of the Member States.160 Svantesson has called the potential situation where a non-EU organisation that has little contact with EU individuals is obliged to implement certain measures, such as appointing a representative in accordance with the GDPR, ‘absurd’.161 Indeed, this notion runs counter to the Greek example, and could, as Svantesson suggests, discredit the GDPR.162

Cf COM (2012) 11 final 2012/0011 (COD), Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 25.1.2012 art 3(2) with GDPR art 3(2). 155 See, inter alia, GDPR recitals 122 and 124. 156 Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 2)’ (n 28) 188–189. 157 Ibid., 189 citing European Commission, Analysis and impact study on the implementation of Directive EC 95/46 in Member States (2003) 8. 158 Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 2)’ (n 28) 188–189. 159 Ibid., 189 (citations omitted). 160 GDPR art 27. 161 Ibid., arts 37–39; Svantesson, Extraterritoriality in Data Privacy Law (n 35) 31. 162 Svantesson, Extraterritoriality in Data Privacy Law (n 35) 31. 154

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

4.5 Personality

89

4.5.2.2 Reconciling Personality and Territoriality The DPD’s scope of application refers only to the ‘processing of personal data’, without mentioning data subjects or EU residents.163 In contrast, the GDPR focuses more on individuals. It applies to the processing of ‘personal data of data subjects who are in the Union . . . the offering of goods or services . . . to such data subjects in the Union [or] the monitoring of their behaviour [as far as it takes place] within the Union’.164 The DPD appears to anchor jurisdiction more palpably on territory and the GDPR seems to take more of a personality-based approach. That is not to say that physical territory is inconsequential in the GDPR. A subject’s location if being offered goods or services, or being monitored, is still important. Companies can often, but not always, use geolocation technology to determine a data subject’s location. This raises questions of how the GDPR would apply if a subject’s location could not be determined. Whilst not currently a pertinent issue, this situation could conceivably be solved with a focus on personality. Svantesson is also of the view that the GDPR’s applicability provisions appear to fall within the passive personality principle, or at least a version thereof.165 The GDPR’s scope article has been interpreted as lending itself to the potential overextended application of EU data protection law through emphasising the personality/residence requirement. The GDPR could conceivably apply to all data collection and processing pertaining to data subjects in the Union, with no requirement for the location of a controller or equipment to establish a territorial nexus. This expansive interpretation could ‘bring about precisely the “general application” that the ECJ tried to prevent [in the Lindqvist case]’.166 However, this interpretation might not be so expansive as residence or location implies a territorial connection: The GDPR lends itself readily to jurisdiction based on the residence or location of the data subject, which is linked to territory and an individual. Whilst not an EU privacy instrument, the Asia-Pacific Economic Cooperation Framework (APEC) provides for something close to the passive personality principle and draws certain parallels with, for instance, the

163 164 165 166

DPD art 4(1). GDPR art 3(2). Svantesson, Extraterritoriality in Data Privacy Law (n 35) 141–142. Tene and Wolf, White Paper – Overextended (n 102) 3; unfortunately, the EDPB Guidelines 3/2018 on the GDPR’s territorial application have not clarified the applicability of Article 3(2) GDPR to people simply passing through the EU. See Svantesson, ‘Article 3. Territorial scope’ (n 41) 88–89.

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

90

Limits That Public International Law Poses

adequacy requirement in EU data protection law.167 In that Framework, the national data protection laws of the APEC Member State where the original data controller collected the relevant personal data attach to and follow that data, even when transferred abroad.168 As the transfer from one State to another implies a territorial connection to a controller or a processor, and to a place of data export or import, the passive personality principle does not per se apply to the EU data protection framework.169 There is a necessary territorial connection implied in cross-border data transfers. Further, if territoriality were completely sidelined, the abovementioned targeting requirement in the GDPR could easily lead to problematic regulatory overreach. Whilst personality is becoming a pragmatic basis for the EU’s exercise of extraterritorial jurisdiction, it needs to be combined with territorial forms of jurisdiction to be effective in practice. The location of a data subject’s personal data at the moment of transaction would also be relevant, particularly in terms of data transfers. As the GDPR applies ‘regardless of whether the processing takes place in the Union or not’, the residence criterion could be an ideal combination of territory and personality that would most effectively prompt the EU’s exercise of prescriptive jurisdiction over situations with an extraterritorial dimension.

4.6 the protective principle The protective principle is a ground for exercising extraterritorial jurisdiction that is rooted in protecting a State’s vital interests, its security or its ability to govern. Under this principle, States may extend their jurisdiction extraterritorially to individuals, including non-nationals, who threaten these State interests, such as national security.170 In 2013, former-US National Security Agency 167 168

169

170

Asia-Pacific Economic Cooperation, APEC Privacy Framework, APEC#205-SO-01.2 (2005). Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 1)’ (n 38) 189 citing Asia-Pacific Economic Cooperation (n 167). See Cedric Ryngaert, ‘Whither Territoriality? The European Union’s Use of Territoriality to Set Norms with Universal Effects’ in Cedric Ryngaert, Erik J Molenaar and Sarah MH Nouwen (eds), What’s Wrong with International Law? Liber Amicorum A.H.A. Soons (Brill Nijhoff 2015) 441, footnote 17: Admittedly, one could also make the argument that, insofar as EU law follows the transfer of data of EU persons abroad, the protection offered by EU law is based on the passive personality principle, which allows states to protect the interests of their own citizens abroad. It is noted, however, that a transfer from the EU to another state presupposes an initial EU territorial presence of data. See Lowe and Staker, ‘Jurisdiction’ (n 108) 326; Bernard H Oxman, ‘Jurisdiction of States’, Max Planck Encyclopedia of Public International Law (Article last updated: November 2007) (Online version Oxford University Press).

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

4.7 Universal Jurisdiction

91

employee, Edward Snowden, exposed the US’ mass surveillance of EU individuals’ electronic communications data. It later became apparent that the US had essentially been spying on, inter alia, German Chancellor Angela Merkel.171 Whilst espionage is not per se unlawful and the US might have had a legal or legitimate basis for doing so, namely national security and combating transnational organised crime and terrorism, the indiscriminate data collection and retention runs contrary to EU data protection principles, thus violating requirements for such processing to be proportionate and necessary. In such a situation, however, it is conceivable that Article 3(2) GDPR, where a controller established in a third State but whose processing activities relate to the monitoring of data subjects’ behaviour in the Union, could prompt the application of EU data protection principles. Monitoring the behaviour of government officials, agencies and heads of State could trigger some form of the protective principle if it threatened, in this example, Germany’s fundamental interests. Here, however, the protective principle would more likely be used to trigger adjudicative or perhaps enforcement jurisdiction. It lends itself less to prescriptive jurisdiction, especially as the GDPR already sets out provisions pertaining to third-State entities monitoring behaviour or conducting surveillance activities.

4.7 universal jurisdiction Universal jurisdiction allows for a State to try a non-national who has acted unlawfully against another non-national outside its territory, in specific circumstances.172 The State need not have any territorial or nationality-based connection to the situation. Universal jurisdiction was traditionally associated with piracy, which by definition occurs on the high seas. It is a crime jure gentium that occurs outside the jurisdiction of any State, so any State could exercise jurisdiction over the offenders. Universal jurisdiction then evolved to incorporate crimes that challenge peremptory norms, such as genocide, crimes against humanity, torture and slavery. In theory, given the scale of a crime, a third State with no involvement in the situation could try those believed responsible for these crimes. Under the DPD and the GDPR, the EU would almost certainly not invoke universal jurisdiction to apply its laws elsewhere. This is because violations of EU data protection principles do not constitute crimes against all

171

172

Reuters in Berlin, ‘NSA tapped German Chancellery for Decades, WikiLeaks Claims’ The Guardian (London, 8 July 2015). See, e.g., Restatement (Third) of the Foreign Relations Law of the United States (n 3) 404.

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

92

Limits That Public International Law Poses

and do not nearly reach the level of seriousness and scale needed to form a legitimate basis for exercising universal jurisdiction.

4.8 prohibitions in exercising jurisdiction Whilst the principles outlined supra are largely permissive, defining when a State may exercise prescriptive jurisdiction is per se limiting. This section asks whether there exist more concrete prohibitions on a State’s exercise of extraterritorial jurisdiction under public international law. Public international law ‘cast[s] aside only the most outrageous assertions [of jurisdiction]’, requiring a strong, or perhaps the strongest, connection between a State and a situation.173 The Third Restatement of US Foreign Relations Law provides that, even if an abovementioned permissive principle exists, a State may not exercise prescriptive jurisdiction over extraterritorial situations where this exercise is unreasonable.174 The Restatement then lists myriad factors used to assess whether asserting jurisdiction would be unreasonable or not.175 Accordingly, there is a high threshold for pronouncing a jurisdictional claim ‘exorbitant’, ‘excessive’, ‘improper’ or ‘unreasonable’ under public international law. Scholars who have written on data protection and jurisdiction suggest it could be unproductive to ascertain whether an extraterritorial jurisdictional claim is lawful under public international law, and that such assessments ought to be treated with a degree of scepticism.176 This research adheres to those sentiments by not attempting a lawfulness assessment, but more a balance of obligations and restraints. The question then arises of whether the EU’s assertions of prescriptive jurisdiction, particularly vis-à-vis the US’ data privacy laws, are exorbitant. The exorbitance threshold is high, so the subsequent sections do not aim to pronounce a claim to exercise jurisdiction as strictly lawful or not under 173 174

175

176

Ryngaert, Jurisdiction in International Law (n 6) 19 (citations omitted). Restatement (Third) of the Foreign Relations Law of the United States (n 3) 403(1); the Third Restatement summarises the US approach to international law and is an authority on extraterritoriality. It has since been superseded by the Fourth Restatement (see Chapter 5), but is still authoritative. Ibid., 403(2); in situations of jurisdictional conflict, a State ought to defer to that State with the clearly greater interest in exercising jurisdiction (Ibid., 403(3)). Kuner says that the high threshold for finding a jurisdictional claim exorbitant means ‘claims that particular types of jurisdiction “violate international law” should thus be taken with a grain of salt’. Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 2)’ (n 28) 241; Dan Jerker B Svantesson, ‘The concept of “extraterritoriality”: widely used, but misguided and useless’ (OUPblog, 17 November 2015) .

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

4.9 Interim Conclusion

93

international law. If such an assessment were conducted, it is likely the EU’s actions could be construed as lawful, albeit through a tenuous territorial link, and strongly helped by the current vogue for human rights concerns, especially the right to data protection, superseding other concerns. Indeed, Svantesson suggests it is unproductive to determine whether extraterritorial claims should or should not be allowed.177 He suggests it is hard to distinguish concretely between the two concepts. Further, even though labelling a claim ‘extraterritorial’ has sometimes been understood to mean that it is exorbitant, in practice, this oversimplifies the issue. As such, the legitimacy threshold mentioned in Chapter 1, whereby a rule implies legitimacy if it compels the addressees of a norm to compliance, underpins the subsequent analysis. Moreover, the now generally accepted approach to exercising extraterritorial jurisdiction is that a claim is unlawful unless justified by a specific permissive rule. This approach is in contrast with the Lotus ruling, discussed at the beginning of this chapter, that an assertion of jurisdiction would be lawful unless restricted by a specific prohibitive rule. It is more useful therefore to focus on permissive rules as opposed to clear-cut prohibitive rules, as outlined supra. The EU’s discretionary powers can then be determined in specific situations of overlapping or conflicting jurisdiction.

4.9 interim conclusion Under public international law, a State has a right to exercise jurisdiction. States are expected to show restraint when attempting to regulate an extraterritorial situation. Similar to the DPD, the GDPR is far-reaching and has tangible effects beyond its territory. It could apply to third-State controllers or processors if the data processing were carried out in the context of the activities of an establishment of the controller on EU territory. It could also apply to a third-State controller or processor processing data related to the offering of goods or services, or the monitoring of the behaviour of data subjects in the Union. The GDPR could indirectly prescribe third-State data protection law through its adequacy requirements for data transfers. The foregoing data protection provisions could conceivably fall into the following categories of jurisdiction: subjective territoriality, objective territoriality, passive personality or the effects doctrine. This research concludes that the provisions do not come under any one of these principles, but rather a combination of interpretations of several of them. The GDPR’s scope article 177

Svantesson, ‘The Concept of “Extraterritoriality”’ (n 176).

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

94

Limits That Public International Law Poses

could most plausibly constitute the objective territoriality and passive personality principles. Whilst there appears to be a shift from territory to personality in European data protection law, territory is still necessary to trigger jurisdiction. The demarcations provided by public international law form part of an approach to transatlantic conflicts in jurisdiction, which – taken together with other considerations explored below – could inform ways to lessen them. Simply establishing a territorial or residential/nationality form of connection would be too simple and allow for EU data protection law to apply in far too many situations. Accordingly, there must be other considerations assessing, for instance, the degree of an existing connection or the reasonableness of a jurisdictional claim to further hone this approach to the extraterritoriality of EU data protection law. Chapter 5 explores this additional layer of considerations.

https://doi.org/10.1017/9781108784818.004 Published online by Cambridge University Press

5 Ways to Mitigate Problematic Jurisdictional Overreach

5.1 introduction The foregoing sections have sketched out an assessment framework from which to approach jurisdiction that is rooted in public international law (Chapter 4) with an emphasis on international human rights law (Chapter 3). The first part of the assessment framework affirms that data protection as a fundamental right bestows an obligation upon the EU to guarantee its data subjects’ right to have their personal data kept private and safe. This obligation could entail safeguarding against extraterritorial or thirdState violations of EU data subjects’ right to data protection. The second part of the framework uses general public international law to fit EU data protection laws with extraterritorial effect into traditional permissive principles of jurisdiction. The subjective territoriality, objective territoriality, passive personality, effects doctrine and protective principles of jurisdiction could all be applicable in this context. Simply being applicable, however, could admit too much in terms of the extraterritorial reach of the EU’s data protection laws. The law of jurisdiction cannot solve all the present issues. It helps to solve conflicts – implicit or not – in terms of sovereignty, but not fundamental rights. As such, a second-tier, additional set of criteria needs to be considered in such situations to restrain jurisdictional overreach. This section provides a set of tools with which to approach transatlantic conflicts and tensions, in combination with the two previously outlined. Jurisdictional overreach can cause tensions by encroaching upon a foreign State’s sovereignty. Sometimes, however, this overreach – whether it causes tensions or not – is necessary for rights protection. Conflict-causing overreach should be mitigated because, inter alia, it is unproductive in achieving the goal of legitimately protecting EU data subjects’ fundamental right to data protection.

95

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

96

Ways to Mitigate Problematic Jurisdictional Overreach

The following section is a non-exhaustive list of methods to conceive of and eventually mitigate problematic jurisdictional overstretch. The list is based on primary sources (including the Third Restatement of US Foreign Relations Law,1 the Harvard Draft Convention on Jurisdiction,2 regional privacy law and human rights instruments, and case law) and existing scholarship on jurisdiction. First, it outlines the need for a sufficient connection between a situation and prescribed law. It then looks at how EU data protection law can be interpreted to assess the extent to which this connection is substantial and direct. Second, it looks at the notions of interest-balancing and reasonableness. It couches interests in human rights terms and looks at whose, and which, interests need to be balanced. The research then suggests how a State could be understood to exercise jurisdiction reasonably. The section concludes with a sketch of an assessment framework from which to consider the subsequent examples of transatlantic conflicts in jurisdiction. This section begins by examining the notion of a ‘connection’.

5.2 mitigating factors as proxy for territoriality Jurisdiction in the Internet age has particular resonance with public international law and data protection. In this area, Svantesson has proposed a threepronged test combining connecting, interest and reasonableness considerations.3 He does away with the first-tier permissive principles that revolve around territoriality and personality, and instead moves straight to the second-tier principles usually used to assess the lawfulness of the assertion of jurisdiction after a permissive principle is established. He bases these mostly on the 1935 Harvard Research Draft Convention on Jurisdiction with Respect to Crime, and reinterprets them in view of how the Internet challenges existing notions of territory-based jurisdiction.4 In the absence of an obligation under international law to exercise jurisdiction, a state may only exercise jurisdiction where: (1) there is a substantial connection between the matter and the state seeking to exercise jurisdiction; 1 2

3

4

Restatement (Third) of the Foreign Relations Law of the United States (Am Law Inst 1987). ‘Draft Convention on Jurisdiction with Respect to Crime’ (1935) 29 The American Journal of International Law, Supplement: Research in International Law 439. Dan Jerker B Svantesson, Solving the Internet Jurisdiction Puzzle (Oxford University Press 2017) 57–90. Svantesson earlier discussed these ideas in Dan Jerker B Svantesson, ‘A New Jurisprudential Framework for Jurisdiction: Beyond the Harvard Draft’ (2015) 109 AJIL Unbound 69, 74. ‘Draft Convention on Jurisdiction with Respect to Crime’ (n 2) 439.

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

5.3 Connection

97

(2) the state seeking to exercise jurisdiction has a legitimate interest in the matter; and (3) the exercise of jurisdiction is reasonable given the balance between the state’s legitimate interests and other interests.5

Both he and respondents to his suggestion confirm this is not novel; rather he is bringing the three ideas together and suggesting they could apply effectively in the complex data protection world with malleable borders and differing interests.6 As explained in Chapter 3, the EU could have an obligation to protect its residents’ fundamental rights in the extraterritorial situations examined. If so, there would be no ‘absence of an obligation’ needed to apply Svantesson’s criteria. The EU’s obligation, however, is not absolute or always applicable. If this obligation were not clearly palpable or needed some limit, a version of the above criteria could be applied. The subsequent sections assume that the EU’s obligations to exercise jurisdiction are not absolute and thus warrant a traditional basis of jurisdiction and restraining devices to be considered legitimate.

5.3 connection Where two or more States may claim jurisdiction over a certain situation, a traditional public international law approach holds that the law of the sovereign State with the strongest, ordinarily territorial, nexus applies.7 The permissive principles of jurisdiction outlined earlier are ways to establish this nexus. That framework is not so straightforward, however. Not only does it not necessarily evade conflicts, but it also neglects the fact that many situations involve multiple territorial connections, giving way to indeterminate results.8 Such issues are especially evident when exercising jurisdiction online, as almost any activity could be linked to one or several territories. One threshold level, particularly applicable in situations of concurrent jurisdiction, is that of

5 6

7

8

Svantesson, Solving the Internet Jurisdiction Puzzle (n 3) 61. See Horatia Muir Watt, ‘A Private (International) Law Perspective – Comment on “A New Jurisprudential Framework for Jurisdiction”’ (2015) 109 AJIL Unbound 75; Cedric Ryngaert, ‘An Urgent Suggestion to Pour Old Wine into New Bottles – Comment on “A New Jurisprudential Framework for Jurisdiction”’ (2015) 109 AJIL Unbound 81. Cedric Ryngaert, ‘The Limits of Substantive International Economic Law: In Support of Reasonable Extraterritorial Jurisdiction’ in Bert Keirsbilck, Wouter Devroe and Erik Claes (eds), Facing the Limits of the Law (Springer 2009) 240. Ibid. 238; Uta Kohl, Jurisdiction and the Internet: Regulatory Competence over Online Activity (Cambridge University Press 2007) 4.

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

98

Ways to Mitigate Problematic Jurisdictional Overreach

a ‘close’ connection.9 In his Hague Lectures, Frederick A Mann maintained that the important legal degree of connection would be ‘the State which has a close, rather than the closest, connection with the facts, a genuine link, a sufficiently strong interest’.10 Going further than simply a close connection threshold, another approach to overlapping jurisdiction is that a State may exercise extraterritorial jurisdiction if it does not interfere with another State’s right to do so if that State has a closer connection to the person or events concerned.11 This approach falls within the principle of non-interference whilst providing for some sort of weighing up which State’s connection is closest. The initial threshold, however, is non-interference. According to both public and private international law rules, when exercising extraterritorial jurisdiction, a State endeavours to avoid conflict by being open to applying foreign rules ‘which have a greater “connection” to the dispute at hand’.12 This applies to adjudicative jurisdiction and which court to assign a case, but it is also a consolidation of the closest connection threshold in prescriptive jurisdiction. To avoid the exercise of jurisdiction based on weak links and to determine which State has the closest connection to a situation, the degree of this connection needs to be assessed. The following section outlines various approaches to the degree of connection needed to render a basis for asserting extraterritorial jurisdiction legitimate when two sovereigns simultaneously attempt to prescribe the law, and run into disagreements with each other. The International Law Commission outlined that a State must have ‘some connection’ to a situation to have a legitimate claim to jurisdiction.13 General principles of jurisdiction – including territoriality, nationality and State security – may establish a connection. It is important to note, however, that

9

10 11

12

13

‘Jurisdiction need not be exclusive and may be concurrent, so the link need not indicate the State with the closest connection, as long as it is a close one’. Christopher Kuner, ‘Jurisdiction on the Internet (Part 2)’ (2010) 18(3) International Journal of Law and Information Technology 227, 237 citing Frederick Alexander Mann, ‘The Doctrine of Jurisdiction in International Law’ (1964) 111 Recueil des Cours de l’Académie de Droit International 1, 46. Mann, ‘The Doctrine of Jurisdiction in International Law’ (n 9) 46. Thomas Schultz, ‘Carving up the Internet: Jurisdiction, Legal Orders, and the Private/Public International Law Interface’ (2008) 19(4) European Journal of International Law 799, 808 citing John H Currie Public International Law (Irwin Law 2001) 299. Alex Mills, ‘Rethinking Jurisdiction in International Law’ (2014) 84(1) British Yearbook of International Law 187, 223. Kuner, ‘Jurisdiction on the Internet (Part 2)’ (n 9) 237 citing ILC Report (International Law Commission (ILC)), ‘Report on the Work of Its Fifty-Eighth Session’ (1 May–9 June and 3 July–11 August 2006) UN Doc A/61/10, Annex E para 42.

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

5.3 Connection

99

simply the existence of a connection in conformity with one of those principles does not immediately and per se render a jurisdictional claim legitimate.14 For instance, in the data protection sphere, a territorial connection between a situation and the legislator might be so weak as to render a claim of jurisdiction unreasonable and thus illegitimate. Accordingly, the intensity of this connection must be evaluated. Besides there needing to be simply ‘some connection’, it is accepted that this connection must reach a certain threshold to render a jurisdictional claim legitimate. To assess the validity of such a claim, a classic approach is to determine the existence of what has been variously termed a ‘substantial’,15 ‘direct’,16 ‘meaningful’,17 ‘genuine’,18 or ‘bona fide’19 connection, culminating in a ‘sufficient’ link,20 between the State exercising extraterritorial prescriptive jurisdiction and the relevant situation. The present research uses the terms substantial, direct, meaningful and genuine connection interchangeably according to which is most appropriate for the context. It has been asserted that a substantial connection, once established, would immediately indicate lawfulness, although one should be more cautious with these assessments.21 The threshold, rather than dichotomy, approach (to what degree is there a substantial and direct connection rather than is there a substantial and direct connection) would better inform a legitimacy assessment. This is for multiple reasons, including that it is too subjective and indeterminate to ascertain what a substantial and direct connection is, and

14

15

16

17 18

19

20 21

Menno T Kamminga, ‘Extraterritoriality’, Max Planck Encyclopedia of Public International Law (Article last updated: September 2020) (Online version Oxford University Press). See, e.g., Mann, ‘The Doctrine of Jurisdiction in International Law’ (n 9) 49; Frederick Alexander Mann, ‘The Doctrine of International Jurisdiction Revisited after Twenty Years’, Collected Courses of the Hague Academy of International Law (Brill Nijhoff 1984) 28–29. Dan Jerker B Svantesson, Private International Law and the Internet (Kluwer Law International 2007) 246. Kuner, ‘Jurisdiction on the Internet: (Part 2)’ (n 9) 237 (citations omitted). Cedric Ryngaert, Jurisdiction in International Law (2nd edn, Oxford University Press 2015) 43 (emphasis removed). Ryngaert says this principle was espoused in the International Court of Justice case Nottebohm (Liechtenstein v Guatemala) [1955] ICJ Rep 4. Ian Brownlie, Principles of Public International Law (Oxford University Press 2008) 311 (‘that there should be a substantial and bona fide connection between the subject-matter and the source of the jurisdiction’); the present research equates ‘bona fide’ with ‘genuine’ as in the genuine connection principle espoused in the abovementioned Nottebohm case (see Ryngaert, Jurisdiction in International Law (n 18)). Kamminga, ‘Extraterritoriality’ (n 14). ‘[I]f there is a substantial and direct connection between the state claiming jurisdiction and the person, group of people or object to whom/which the jurisdictional claim relates, such a claim is, as a consequence of the sovereignty and equality of states, permitted under international law’. Svantesson, Private International Law and the Internet (n 16) 246.

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

100

Ways to Mitigate Problematic Jurisdictional Overreach

thus whether it exists. Furthermore, the traditional first-tier principles of jurisdiction cover the existence of a connection approach, which a secondtier analysis can refine by determining the strength of this connection. Examining the type and then the degree of connection according to these approaches constitutes part of the legitimacy assessment for the EU’s exercise of extraterritorial jurisdiction. The following section explores in more depth ‘connection’ in EU data protection law with the aim of finding ways to reduce undesirable jurisdictional overreach.

5.3.1 Connection in EU Data Protection Law In terms of territory-based jurisdiction, one major challenge that data protection on the Internet presents is that cyber activities can affect multiple jurisdictions without having tangible and substantial connections to the relevant States.22 The following section sets out the scope articles in the Data Protection Directive (DPD) and the General Data Protection Regulation (GDPR). It then looks at how courts and commentators have interpreted specific clauses in these articles. It moves beyond connections based on territory or nationality/residence, which could be present but weak, to more specific and practical ways of establishing a genuine connection. Article 4 DPD states that the Directive’s provisions apply when data processing occurs ‘in the context of the activities of an establishment of the controller on the territory of the Member State’.23 The GDPR retains this provision, adding ‘regardless of whether the processing takes place in the Union or not’.24 Accordingly, it is still useful to discuss how this provision has been interpreted under the DPD. The Directive applied when a controller was not on Community territory, but made ‘use of equipment . . . situated on the territory of the said Member State’, except when the equipment was used for data in transit through Community territory.25 The GDPR changes this to focus not on equipment and territory, but data processing related to offering goods or services to, or monitoring the behaviour of, those in the

22 23

24

25

Svantesson, ‘A New Jurisprudential Framework for Jurisdiction’ (n 3) 69. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ 1995 L 281/31 (DPD) art 4(1)(a). Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L 119 (GDPR) art 3(1). DPD art 4(1)(c).

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

5.3 Connection

101

Union.26 The DPD also applied where the data controller was not established on a Member State’s territory, but ‘in a place where its national law applies by virtue of international public law’.27 The GDPR retains this provision almost verbatim.28 The Article 29 Working Party and EDPB have highlighted the need for a ‘sufficient’, ‘relevant’ or ‘clear’ connection between EU territory and a data controller, data processor or data processing activity.29 Particularly in the DPD as interpreted in Court of Justice of the European Union (CJEU) decisions, territorial links may permit the EU’s exercise of jurisdiction over certain situations with extraterritorial elements and very weak territorial hooks.30 These decisions have clarified how to interpret the DPD’s scope of application to establish a sufficient connection between a situation and prescribing the law. The following section looks at specific ways to establish a substantial and genuine connection between EU data protection law and extraterritorial situations based on clauses in Article 3 GDPR and its legislative precedent Article 4 DPD.

5.3.1.1 Context of the Activities of an Establishment of a Controller or Processor EU data protection law applies in the context of the activities of an establishment of a controller or processor in the Union, no matter where the data processing takes place. Questions arise when the main data controller is established in a third State and EU law could apply to some or all of its data-processing activities. To make a substantial link between the law and an extraterritorial situation, it is necessary to determine (i) what constitutes an establishment of the controller or processor and (ii) how this establishment’s data processing could be considered to fall within the context of the activities of the controller. In view of the EU’s fundamental rights obligations, these two

26 27 28

29

30

GDPR art 3(2). DPD art 4(1)(b). The GDPR uses slightly different wording: ‘where Member State law applies by virtue of public international law’. GDPR art 3(3). Article 29 Working Party, Opinion 8/2010 on applicable law (WP 179, 16 December 2010); EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (12 November 2019) 18, 20–21. See, e.g., Case C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez [2014] ECLI:EU: C: 2014:317; Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI: EU:C: 2015:650.

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

102

Ways to Mitigate Problematic Jurisdictional Overreach

concepts have to be interpreted broadly and may not be interpreted restrictively.31 First, the DPD provides that an establishment on Member State territory implies the ‘effective and real exercise of activity through stable arrangements’.32 The Article 29 Working Party and EDPB have reaffirmed this standard.33 The legal form of the establishment is not a decisive factor in determining whether something is an establishment; it need not have legal personality.34 An establishment could include, for instance, a branch of the controller, a subsidiary with legal personality, an office or an agent.35 Simply a computer or server is unlikely to qualify as an establishment.36 The CJEU has clarified that the concept of an establishment ‘extends to any real and effective activity – even a minimal one – exercised through stable arrangements’, which suggests that the activity need not be particularly significant to qualify an entity as an establishment.37 Moreover, the provision ‘cannot be interpreted restrictively’.38 In its jurisprudence, the CJEU has been maintaining a trend of ‘lowering the bar’ in terms of what could constitute an establishment.39 Regarding territory, some connection is needed between territory and an establishment thereon, but this could be very loose; it is inaccurate to understand ‘establishment’ as a proxy for territoriality.40 The concept of

31

32 33

34 35 36 37

38

39

40

Case C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez (n 30) para 53; Case C-230/14 Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság [2015] ECLI:EU:C: 2015:639 para 25; Article 29 Working Party, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain (WP 179 update, 16 December 2015). DPD recital 19. Article 29 Working Party, Opinion 8/2010 11; EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (12 November 2019) 6–7. DPD recital 19. Article 29 Working Party, Opinion 8/2010 12. Ibid. Case C-230/14 Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (n 31) para 31. The CJEU promulgates ‘a flexible definition of the concept of “establishment”, which departs from a formalistic approach whereby undertakings are established solely in the place where they are registered’. Ibid., para 29. Case C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez (n 30) para 53; Case C-230/14 Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (n 31) para 25. Dan Jerker B Svantesson, ‘The CJEU’s Weltimmo Data Privacy Ruling: Lost in the Data Privacy Turmoil, Yet So Very Important Case C-230/14 Weltimmo, EU:C:2015:639’ (2016) 2 Maastricht Journal of European and Comparative Law 332, 340. The mere presence of an employee in the EU would not be sufficient to trigger the application of the GDPR. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) 6. Paul de Hert and Michał Czerniawski, ‘Expanding the European Data Protection Scope beyond Territory: Article 3 of the General Data Protection Regulation in Its Wider Context’ (2016) 6(3) International Data Privacy Law 230, 234.

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

5.3 Connection

103

‘establishment’ is continually expanding, ultimately to afford EU data subjects adequate protection.41 The relevant data processing need not be carried out by the establishment in question. Rather, it need only be carried out in the context of the activities thereof. The establishment and the activities must be ‘inextricably linked’ for EU law to apply.42 For instance, a US-incorporated parent company (a search engine operator) processes the relevant data (online search indexing). If an EU subsidiary of this company only sells advertising space, this would constitute data processing in the context of the activities (selling advertising space) of an establishment (the subsidiary) of the controller (the parent company) on the territory of a Member State, so EU data protection law could lawfully apply to the US company’s data processing, namely its search indexing.43 This is because selling advertising space and indexing searches are inextricably linked as the former renders the search engine profitable. As such, for the connection to be substantial and genuine, the establishment of the controller must cover the real and effective exercise of activities through stable arrangements. These activities could be minimal. Further, EU law does not have to apply to the establishment itself, but instead to data processing in the context of the activities of the establishment, provided that the controller’s or processor’s and establishment’s activities are inextricably linked. Both these requirements purposefully provide for a broad scope of application of EU law as the link between a third-State entity and a data controller or processor related somehow to EU territory need not be overwhelmingly perceptible or significant. Simply a server sitting on EU territory, however, would not constitute an establishment. In terms of the assessment framework, it is clear that using ‘establishment’ to find links between a situation and the EU’s exercise of jurisdiction is easy in view of the Union’s fundamental rights obligations. In terms of mitigating jurisdictional overreach, it appears that this prong of the assessment framework is not too restrictive. 5.3.1.2 Targeting The GDPR’s move away from territory is useful in this second tier of assessment criteria, which aims to move away from such black-and-white public

41

42 43

Dan Jerker B Svantesson, ‘Article 4(1)(a) “Establishment of the Controller” in EU Data Privacy Law – Time to Rein in This Expanding Concept?’ (2016) 6(3) International Data Privacy Law 210, 218. Case C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez (n 30) para 56. Ibid.

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

104

Ways to Mitigate Problematic Jurisdictional Overreach

international law principles. The GDPR applies to data processing by external controllers or processors of the personal data of data subjects in the Union when the processing is related to: ‘(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union’.44 To determine the degree to which a controller or processor intends to offer goods or services to data subjects in the EU, the GDPR recitals provide some guidance.45 They state that simply being able to access a website or contact details, or the site’s use of a language generally spoken in the controller’s State of establishment do not sufficiently show this intention, which is understandable.46 Factors that might show this intention include that the website uses a Member State language or currency, and allows users to order goods or services in this language; or that it mentions users in the Union.47 Whilst certain scholars have welcomed this clarification, it still allows for the overextended application of jurisdiction.48 Many reactions echo the sentiment that the GDPR could permit further extension for effective rights protection, which is an explicit aim of the GDPR.49 The Article 29 Working Party opinion on applicable law, published before the first proposal of the GDPR was released, discussed the notion of targeting as an additional criterion for when a data controller was located outside EU territory.50 A form of this targeting requirement is now found in Article 3(2)a GDPR. The Working Party affirmed there must be an ‘effective link between the individual and a specific EU country’ when a data-processing act was aimed at targeting specific individuals.51 To determine the effectiveness of this link, the Working Party suggested, as endorsed by the EDPB, following the example of consumer protection law, which is comparable in this situation.52 44 45 46 47 48

49 50 51 52

GDPR art 3(2). Ibid., recital 23. Ibid. Ibid. De Hert and Czerniawski, ‘Expanding the European Data Protection Scope beyond Territory’ (n 40) 239. Ibid., 231. Article 29 Working Party, Opinion 8/2010 24. Ibid., 31. Ibid. Although it differs from the GDPR’s clarifications on what constitutes an intention to offer goods or services, following this consumer protection law suggestion could limit any overly broad reach of the GDPR. Similarly, the EU Rome I Regulation on the law applicable to contractual obligations could offer some guidance here (Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations (Rome I), recital 25). See too Joined Cases C-585/08 and C-144/09

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

5.3 Connection

105

One could consider whether a website displays information in an EU language; advertises products and services available in the EU; delivers products or services in the EU; or premises access to a service on the use of an EU credit card.53 In drafting the GDPR, the Council of the European Union echoed these criteria and asserted that Article 3 GDPR would apply where it was apparent that ‘the controller is envisaging doing business with data subjects’ residing in the Union.54 In an EU data protection context, Uta Kohl links targeting with a ‘moderate version of the destination approach’, whereby ‘not every State where a site can be accessed has to regulate it but only those States that are specifically targeted by it’.55 Although in an intra-EU context, the CJEU’s Weltimmo judgment also supports a targeting approach.56 The Weltimmo judgment pronounced that the data protection law of one Member State vis-à-vis another Member State in which the relevant controller was located would apply, inter alia, if the activities in question were ‘mainly or entirely directed at that Member State’ and that the controller in question has a representative in the Member

53 54

55

56

Pammer v Reederei Karl Schlüter GmbH & KG11 and Hotel Alpenhof GesmbH v Oliver Heller [2010] ECLI:EU:C:2010:740. Although it involves ‘directed activity’ and the present research refers to processing activities related to the offering of goods or services, or the monitoring of behaviour, which might not explicitly involve directed activity, the Regulation is still relevant. Activities related to offering goods or services likely include more activities than directed activity does. In Rome I, a website’s accessibility, language and currency do not show directed activity (Rome I, recital 24). Rather, the website should explicitly attract and solicit visits and sales by, for instance, carrying out local activities in Member States, such as advertising in that State or showing search results on local search engines (Lokke Moerel, ‘The Long Arm of EU Data Protection Law: Does the Data Protection Directive Apply to the Processing of Personal Data of EU Citizens by Websites Worldwide?’ (2011) 1(1) International Data Privacy Law 28, 45, footnote 87 citing Rome I). Article 29 Working Party, Opinion 8/2010 31. Council of the European Union, ‘Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) – Partial General Approach on Data Transfers (Chapter V)’, 7 para 20. Uta Kohl, ‘Jurisidiction in Cyberspace’ in Nicholas Tsagourias and Russell Buchan (eds), Research Handbook on International Law and Cyberspace (Edward Elgar Publishing 2015) 45; Brendan Van Alsenoy also observes a targeting approach in the GDPR and sees it as a manifestation of objective territoriality or effects doctrine: Brendan Van Alsenoy ‘Reconciling the (Extra)Territorial Reach of the GDPR with Public International Law’ in Gert Vermeulen and Eva Lievens (eds), Data Protection and Privacy Under Pressure: Transatlantic Tensions, EU Surveillance, and Big Data (Maklu 2017) 94–97. Case C-230/14 Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (n 31) NB: ‘the issue of the nationality of the persons concerned by such data processing is irrelevant’. para 41.

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

106

Ways to Mitigate Problematic Jurisdictional Overreach

State to which activities were directed.57 By contrast, ‘the issue of the nationality of the persons concerned by such data processing is irrelevant’.58 Svantesson, however, submits that this focus on ‘targeting’ has disadvantages and imagined benefits.59 He suggests it would be ineffective when applied de facto as the parties in question could be seen to ‘target’ and thus apply to all or no States.60 Specifically, if there were a low threshold for what constitutes targeting, websites could be understood to target almost anyone in the Union with access to them. With a high threshold of what constitutes targeting – far beyond a website’s language, currency and similar – the GDPR could apply to very few data controllers or processors. The targeting approach as it stands needs clarification and refinement, although it is practicable.61 The approach appears in other branches of law and can readily be applied, especially absent a different, more effective approach. For example, a Japanese clothing website, in Japanese, with prices listed in Japanese Yen, from which a New Zealand citizen in the EU could buy clothing (paid for with a New Zealand credit card and delivered to a Japanese address), would likely be too weak of a link for all the GDPR’s relevant provisions to apply to that individual’s personal data. The only tangible territorial connection there is that the person is on EU soil at the moment of visiting the website and making the purchase. Furthermore, the additional targeting/intention criteria are not fulfilled, so while the initial jurisdictional considerations are fulfilled – albeit in a weak way (the EU must exercise jurisdiction to protect the person’s rights, the EU may exercise jurisdiction under the territorial principle), the second tier are not (the connection is too weak). As such, it would be unproductive to expect the EU to exercise prescriptive jurisdiction in such a situation. It could be argued, however, that the GDPR ought to apply to all of the processing activities in

57 58 59

60 61

Ibid. Ibid. Dan Jerker B Svantesson, ‘Extraterritoriality and Targeting in EU Data Privacy Law: The Weak Spot Undermining the Regulation’ (2015) 5(4) International Data Privacy Law 226, abstract. Ibid., 232. Svantesson acknowledges that the targeting approach worked well in the Weltimmo situation, but that this was because the facts in that case lent themselves directly to the targeting approach (the Hungarian data protection authority could investigate a company registered in Slovakia, but that was running a website advertising property in Hungary, in Hungarian). That it worked well in this instance says little about the general merits and suitability of the targeting approach. See Svantesson, ‘The CJEU’s Weltimmo Data Privacy Ruling’ (n 39) 337; Svantesson, ‘Extraterritoriality and Targeting in EU Data Privacy Law’ (n 59) abstract.

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

5.4 Reasonableness

107

this situation if the individual’s behaviour is ‘monitored’ in the EU.62 That approach, however, could permit counterproductive jurisdictional overreach. If a combination of the GDPR’s recital clarifications, the Working Party 29 and EDPB criteria, the Council of the European Union’s suggestions and examples from other fields of law could develop into a form of guidance as to when EU data protection principles would apply to a data controller, no matter its location, this could provide for a strong, or at least a less tenuous, connection to trigger jurisdiction. 5.3.2 Interim Conclusion on Connection in EU Data Protection Law Assessing the degree to which there is a substantial, genuine and direct connection between a situation with foreign elements and the EU’s exercise of extraterritorial jurisdiction in the data protection legal sphere involves interpreting the territorial scope of EU data protection law according to the DPD, GDPR, CJEU jurisprudence and scholarship. It is important to focus on when EU data protection law may apply to a processing activity (thus, by extension, the EU may legitimately exercise jurisdiction over that situation) according to these authorities. This is because the criteria discussed above aim to avoid a situation where EU data protection laws apply when there is a negligible link with the EU. Whilst an initial obligation in terms of safeguarding fundamental rights and permitted – or not prohibited – by a territorial connection might trigger the EU’s exercise of jurisdiction, moving beyond these concepts helps rein in the long arm of EU law. By the same token, the criteria help establish when a link might be small, but still legitimise the exercise of jurisdiction for rights protection purposes. Simply establishing a connection and degree of connection, however, does not always suffice to demarcate the EU’s exercise of jurisdiction. The concept of reasonableness is useful to address this gap, as explored below.

5.4 reasonableness The EU’s exercise of jurisdiction ought to be reasonable. To assess reasonableness, as a subset of comity, various interests need to be balanced, as discussed below. Thereafter, it becomes easier to establish where a State sits on the ‘closest connection’ spectrum. The following section explains comity before 62

Dan Jerker B Svantesson, ‘Article 3. Territorial Scope’ in Christopher Kuner and others (eds), The EU General Data Protection Regulation (GDPR): A Commentary (Oxford University Press 2020) 89.

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

108

Ways to Mitigate Problematic Jurisdictional Overreach

focusing on interest and, more specifically, interest-balancing. Interest-balancing in the data protection sphere is linked closely to individuals and their rights. The section concludes by outlining a rule of reason, which itself is intertwined with the aforementioned concepts. 5.4.1 Comity The International Law Commission has stated that in asserting extraterritorial jurisdiction, States should consider issues of comity.63 Comity is a non-legally binding principle whereby States conduct relations, including exercising jurisdiction by, inter alia, taking into account other States’ interests, citizens’ rights, duties and practicality in a spirit of courteousness, respect and deference.64 The concept is multifaceted and broad, and spans multiple disciplines including private and public international law.65 It is closely linked to reasonableness. Some scholars suggest that reasonableness and comity are interchangeable; others suggest that the rule of reason falls within the notion of comity.66 Comity is understood as an underlying principle in law, international relations and other disciplines, and reasonableness is a rule enshrined in specific legal sources, which makes more specific demands to act reasonably than does the general doctrine of comity. Comity is not without criticism. In antitrust law in particular, US courts have not understood comity as authoritatively commanding their consideration of external interests.67 Accordingly, comity in that example foregrounds domestic concerns over international ones.68 It suffers from being insular. 63 64 65

66

67

68

ILC, ‘Report on the Work of Its Fifty-Eighth Session’ (n 13) para 45. See, e.g., Black’s Law Dictionary (9th edn, West Publishing Co 2010) 303. Scholars and courts have characterized international comity inconsistently as a choiceof-law principle, a synonym for private international law, a rule of public international law, a moral obligation, expediency, courtesy, reciprocity, utility or diplomacy. Authorities disagree as to whether comity is a rule of natural law, custom, treaty, or domestic law. Indeed, there is not even agreement that comity is a rule of law at all. (Joel R Paul, ‘The Transformation of International Comity’ (2008) 71(3) Law and Contemporary Problems 19, 19–20 (citations omitted).) Joel R Paul, ‘Comity in International Law’ (1991) 32(1) Harvard International Law Journal 1, 4, footnote 20 (citations omitted). Hannah L Buxbaum, ‘Territory, Territoriality and the Resolution of Jurisdictional Conflicts’ (2009) 57(2) American Journal of Comparative Law 631, 649 (citations omitted). Interestingly, the US urged the Irish High Court to afford weight to the principles of international comity in their amicus brief: ‘Questions of Equivalence Should Be Guided by Due Consideration of the European Commission’s Adequacy Finding and of International Comity’. Written Legal Submission on Behalf of the United States of America as Amicus Curiae in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems [2016] IEHC 414 para 39. Ibid.

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

5.4 Reasonableness

109

Scholars have therefore criticised comity as manifested in the Third Restatement of US Foreign Relations Law, outlined below, as not accurately reflecting how US courts apply the law.69 Rather, they suggest it is a rule to aspire to. As comity is such a nebulous concept, it has been condemned as providing little legal certainty and predictability.70 This research nevertheless considers comity as a principle underlying reasonableness. This background helps inform the reasonableness assessments of examples of transatlantic conflicts. The next section briefly looks at the Third Restatement before exploring two concepts that are closely related to comity, namely interest and interest-balancing.

5.4.2 The Enduring Appeal of the Third Restatement of US Foreign Relations Law The 1987 Third Restatement of US Foreign Relations Law controversially introduced a section on jurisdictional ‘reasonableness’, which asserted that customary international law required US courts to decide, on a case-by-case basis, whether applying domestic law in cases with a foreign element was reasonable.71 It outlined an interest-balancing test.72 The 2018 Fourth Restatement that replaces it, however, has eliminated this section. Whilst it still reflects principles of reasonableness and doctrines of international comity, these principles and doctrines allow less case-by-case discretion by courts. William Dodge, a drafter of the Fourth Restatement, claims that reasonableness is decidedly not absent and is instead manifested in the Fourth Restatement’s provisions on the presumption against extraterritoriality and reasonableness in statutory interpretation.73 Indeed, the Fourth Restatement ‘has not abandoned reasonableness’.74 This study takes inspiration from reasonableness and interest-balancing as anchored in the Third Restatement, as explained below. It uses the terminology of both Restatements, but does not use them per se as a legal basis for its assessment. Whilst the Fourth Restatement reframes reasonableness from a US perspective, the principle itself is present in public international law, but does not yet amount to customary international law. This research thus 69 70 71 72 73

74

Ibid. Ryngaert, Jurisdiction in International Law (n 18) 172. Restatement (Third) of the Foreign Relations Law (n 1) 403. Ibid. William S Dodge, ‘Reasonableness in the Restatement (Fourth) of Foreign Relations Law’ (2019) 54 Willamette Law Review 521, 522 citing Fourth Restatement 404 and 405. Ibid., 537.

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

110

Ways to Mitigate Problematic Jurisdictional Overreach

integrates the Third and Fourth Restatements of US Foreign Relations Law and focuses largely on the Third Restatement’s discourse on reasonableness and interest-balancing.

5.4.3 Interest In demarcating a State’s exercise of prescriptive jurisdiction over a situation with links to another State, the EU ought to consider sovereign, individual and global interests. First, in a discussion on clashing claims of jurisdiction, sovereign interests are important. The public international law dimension of this research lends itself to such an examination. Second, EU data protection law with extraterritorial effect focuses on protecting individuals as data subjects. The human rights dimension of this research revolves around protecting individual interests. International and regional instruments recognise the rights to privacy and data protection, which could connote extraterritorial obligations, so individual interests should be taken into consideration. Third, global interests are important because of the worldwide reach of the Internet: Digital data processing can affect people in many jurisdictions. Furthermore, EU data protection laws have had a broad impact on the laws of other jurisdictions, exemplifying a form of legal and norm diffusion where there has been none. This influence could have benefits for the international community as a whole, as discussed in Chapter 9. The Third Restatement of US Foreign Relations Law prescribes that a State may evaluate, inter alia, ‘the extent to which another state may have an interest in regulating the activity’.75 Svantesson refers to the current jurisdictional paradigm’s focus on competing State interests, but suggests considering, for instance, the interests of both those parties subject to a jurisdictional assertion – as is common in private international law jurisdictional disputes – as well as the whole international community.76 Indeed, individual and community interests are relevant to this assessment framework, in view of its human rights focus. In the present transatlantic data protection law example, the main stakeholders are EU Member States and the US, and EU data subjects. Indeed, many other stakeholders exist, including corporations and powerful non-State actors, but this public international law and international human rights law analysis limits itself mainly to States and individuals. The next section moves on to how to balance competing interests. 75 76

Restatement (Third) of the Foreign Relations Law (n 1) 403(2)(g). Svantesson, ‘A New Jurisprudential Framework for Jurisdiction’ (n 3) 71 and 73; Svantesson, Solving the Internet Jurisdiction Puzzle (n 3) 68 (citations omitted).

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

5.4 Reasonableness

111

5.4.4 Interest-Balancing The concept of interest-balancing as a mitigating factor when considering extraterritorial jurisdiction, along with substantial connection and legitimate interest, emerged in US antitrust law in the 1970s.77 In situations where two States’ jurisdictional assertions conflict, each one is obliged ‘to evaluate its own as well as the other state’s interest in exercising jurisdiction [whereafter] a state should defer to the other state if that state’s interest is clearly greater’.78 Significant scholarship also supports the concept of weighing up interests and attempting to balance these interests to mitigate jurisdictional conflicts.79 Questions have been raised, however, as to whether interest-balancing can or should be realised. It has been suggested that its 1970s and 1980s glory days were limited.80 Courts, States and scholars have exhibited scepticism at the concept, often rejecting it as being unworkable in practice. European States have been ‘generally uneasy’ at using interest-balancing to solve jurisdictional conflicts.81 In line with the view of some courts, the mere act of considering foreign interests could be understood not as a public international law mandate, but more an exercise in international relations.82 Mann in 1984 suggested that beyond the US, there was no support for the theory of interest-balancing in traditional public international law sources and that it ought to be firmly rejected.83 Indeed, what constitutes ‘interests’ is politicised and broad, and does not lend itself to a true, predictable legal measure that could effectively lessen conflicts in jurisdiction or solve those that have arisen. That said,

77

78 79

80

81 82 83

Buxbaum, ‘Territory, Territoriality and the Resolution’ (n 67) 646 citing Timberlane Lumber Co v Bank of America, NT 549 F2d 597, 609 (1976). Restatement (Third) of the Foreign Relations Law (n 1) 403(3). See, e.g., Karl Meessen who, based on the non-intervention principle, claims that international law affirmatively necessitates a form of interest-balancing: ‘the governmental interests of the regulating state will suffice to justify the exercise of jurisdiction, unless the governmental interests of the foreign state significantly outweigh them’. Buxbaum, ‘Territory, Territoriality and the Resolution’ (n 67) 657 citing Karl Matthias Meessen, Völkerrechtliche Grundsätze des internationalen Kartellrechts (Nomos Verlagsgesellschaft 1975) 182. Buxbaum, ‘Territory, Territoriality and the Resolution’ (n 67) 650; on Svantesson’s proposed three-pronged test (see below), Muir Watt questions the potentially retrograde interestbalancing prong: ‘[A] return to familiar forms of state interest analysis is not necessarily the best way to go about [overhauling the concept of extraterritorial sovereignty]’. Horatia, ‘A Private (International) Law Perspective’ (n 6) 75–80, 79. Ryngaert, Jurisdiction in International Law (n 18) 171. Buxbaum, ‘Territory, Territoriality and the Resolution’ (n 67) 656 (citations omitted). Ryngaert, Jurisdiction in International Law (n 18) 153 citing Mann, ‘The Doctrine of International Jurisdiction Revisited’ (n 9) 20.

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

112

Ways to Mitigate Problematic Jurisdictional Overreach

interest-balancing is hardly irrelevant when looking at jurisdictional conflicts in the data protection sphere. Interest-balancing is useful, but also challenging, precisely because there are so many stakeholders and interests to be balanced in the online privacy sphere. Such a subjective matter as privacy and data protection entails many different, fascinating interests to weigh up. For example, are the US’ security fears more important than an EU citizen’s fundamental rights? Do the First Amendment’s free speech provisions pale in comparison to someone’s wish to stop unnecessary information about themself spreading around the Internet? To what degree should US companies adhere to EU data protection principles? In terms of which, rather than whose, interests to balance in the data protection sphere, this research looks at value-inspired clashes in jurisdiction between the US and the EU, namely data protection contrasted with the following: (i) security; (ii) the free flow of information as part of freedom of expression; and (iii) economic interests and international trade. Data protection as a fundamental right in the EU implies it has associated extraterritorial obligations, which further strengthens the impetus to focus on interests in terms of individual rights. This does not mean, however, that the interests of the US or others should be excluded; rather, the interest-balancing test takes on a distinctive character in this context, as explained below. 5.4.5 Balancing Rights The present research employs a human rights-focused approach when using interest-balancing to assess the legitimacy of an extraterritorial jurisdictional claim. Duties associated with these rights can show which party has a stronger impetus to exercise jurisdiction. It is important to balance the right to data protection with other imperatives, such as objectives of the general (global) interest, and the rights of others. As illustrated by the interest-balancing approaches outlined in Section 5.4.4, courts have attempted to balance conflicting legal and policy considerations to resolve tensions in jurisdiction.84 As 84

During the past decades, courts have devoted much energy to balancing out contradictory policy considerations in order to solve jurisdictional collisions. Whether framed as a problem of conflict of laws, of judicial jurisdiction (general, special, etc.), or of the international reach of public law, precise criteria are difficult to come by. Linked to the fact that contemporary conflicts are framed increasingly in terms of colliding fundamental rights (whether of constitutional or international source), the arrival of proportionality on the scene brings such balancing processes to the surface. (Muir Watt, ‘A Private (International) Law Perspective’ (n 6) 77.)

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

5.4 Reasonableness

113

almost every legal issue today can be framed as a question of human rights, and is increasingly framed as such, an international human rights law approach is relevant and important. The right to privacy and personal data protection, both being fundamental freedoms, are non-absolute and may be limited. In general international human rights law, limitations must be prescribed by law, fulfil a certain objective, and be necessary and proportionate. More specifically, the Charter of Fundamental Rights of the European Union (EU Charter) provides that limitations on exercising any rights it recognises must fulfil the following criteria: [Any limitation] must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.85

Even more specifically, the European Convention on Human Rights (ECHR), to which all EU Member States are party, provides in its right to privacy article, which includes a right to data protection, that a public authority may interfere in this right only if that interference is ‘in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others’.86 Whilst a full assessment of the extent to which certain competing rights may be limited or derogated from is beyond the scope of this research, it is useful to recall that States may limit certain rights whilst respecting their ‘essence’. The concept of ‘essence’ as referred to by the CJEU is a close cousin of the constitutional concept of proportionality.87 The Article 29 Working Party provided similar suggestions on which interests might override others. In making recommendations on how EU data

85 86

87

Also interesting is the concept of an individual exercising jurisdiction as a right and associated limitations: ‘[T]he right to be subject to jurisdiction only in accordance with traditional international law limitations is a right which may be waived, not only by states, but by individuals themselves.’ Mills, ‘Rethinking Jurisdiction in International Law’ (n 12) 233. Charter of Fundamental Rights of the European Union [2010] OJ C 83/02 art 52(1). Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended, 4 November 1950, ETS 5 art (2). For an analysis of the relationship between ‘essence’ and ‘proportionality’, including the absolute and relative theories within national constitutional doctrine, see Maja Brkan, ‘The Essence of the Fundamental Rights to Privacy and Data Protection: Finding the Way through the Maze of the CJEU’s Constitutional Reasoning’ (2019) 20(6) German Law Journal 864.

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

114

Ways to Mitigate Problematic Jurisdictional Overreach

protection law should be revised, before the GDPR was finalised, the Working Party proposed including the aforementioned equipment criterion in a residual form. Using fundamental rights terms, the Working Party suggested the criterion be used only in instances with very tenuous links to the EU, such as where the relevant data was about non-EU data subjects or where the data controller had no link with the EU, but where there was still relevant infrastructure in the EU processing personal data.88 In such borderline instances, the Working Party proposed applying only certain cornerstone EU data protection principles, such as security or legitimacy, to the relevant acts.89 As with the permitted derogations from the EU Charter and ECHR, this suggestion shows that in situations with a weak link between the legislator and the regulated, certain interests could outweigh others. In this particular example, certain minor data protection principles or procedures could be sidelined in the interests of maintaining a legitimate judicial link, in order to preserve the more resonant data protection principles. To further hone this assessment, this section turns finally to a rule of reason.

5.4.6 Reasonableness and a Rule of Reason The concept of ‘interest-balancing’ can be linked directly to reasonableness.90 Reasonableness is a key mitigating factor when considering the extraterritoriality of the EU’s jurisdictional assertions. The Third Restatement of US Foreign Relations Law provides that where a State seeks to exercise prescriptive jurisdiction over a situation with foreign elements, the traditional bases for exercising jurisdiction (including territoriality and nationality) in themselves are not enough to justify exercising jurisdiction.91 A State must refrain from exercising jurisdiction based on one of those principles when this exercise is unreasonable.92 The conceptual basis of this reasonableness provision is that the State ‘with the weaker interest ought to defer to the State with the stronger interest’.93 As a factor to consider when assessing unreasonableness, the Third Restatement includes, amongst several others, another State’s interest in regulating the matter 88 89 90

91 92 93

Article 29 Working Party, Opinion 8/2010 32. Ibid. Harold G Maier, ‘Interest Balancing and Extraterritorial Jurisdiction’ (1983) 31(4) The American Journal of Comparative Law 579, 589 citing James R Atwood and Kingman Brewster, Antitrust and American Business Abroad (2nd edn, McGraw Hill 1981) 163–166 and 173–178. Restatement (Third) of the Foreign Relations Law (n 1) 403(1). Ibid. Ryngaert, Jurisdiction in International Law (n 18) 172.

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

5.4 Reasonableness

115

at hand.94 If unreasonableness were established, this would mean a State could not exercise jurisdiction even if, for instance, it had established a territorial link to a situation. However, if two States exercised jurisdiction with reason, but what they prescribed was conflicting, each State would be obliged to balance interests, acceding to that with the greater interest.95 This appears to foreground interest-balancing when resolving a conflict of jurisdiction in a public international law setting. At the same time, the Third Restatement includes interest considerations along with several other factors, such as the character of the regulated activity and the likelihood of conflict, when determining the reasonableness and thus eventual legitimacy of an assertion of jurisdiction. The drafters of the Third Restatement have shown they conceived of the reasonableness principle as a rule of (public) international law, albeit with roots in private international law methodology.96 Some have affirmed this position in understanding reasonableness to be a customary international law rule.97 That said, reasonableness has suffered similar criticism to comity, outlined above. Masquerading as an international rule of jurisdiction, reasonableness could override a court’s scope for analysis.98 Similarly, reasonableness has been condemned as a vehicle to promote domestic US interests abroad.99 By using reasonableness in its assessment, this research runs the risk of transplanting most of these criticisms – and those applied to comity – onto the EU’s expansionist attitude to data protection law jurisdiction. The foregoing sections, however, show how the degree of connection and interest-balancing are relevant and useful in assessing the legitimacy of the EU’s exercise of extraterritorial jurisdiction in the Internet age, which throws traditional concepts of territoriality into question. Flowing from this, one can elucidate a rule of reason. A State may legitimately exercise jurisdiction where it has an obligation to do so to protect a fundamental right, based on a permissive principle exercised reasonably, that is, after regulators have balanced different interests to identify the State with the strongest interest in regulating the situation, unless this harms the global interest.

94 95

96 97 98

99

Restatement (Third) of the Foreign Relations Law (n 1) 403(2)(g). Ibid., 403 (3). Cf too the ‘view that a court should not exercise comity if doing so would be contrary to its own nation’s interests or policies’. Steven A Kadish, ‘Comity and the International Application of the Sherman Act: Encouraging the Courts to Enter the Political Arena’ (1982) 4(1) Northwestern Journal of International Law & Business 130, 133. Buxbaum, ‘Territory, Territoriality and the Resolution’ (n 67) 648 (citations omitted). Ibid., 649 citing Mann, ‘The Doctrine of International Jurisdiction Revisited’ (n 9) 87. This was asserted in reference to US courts: Maier, ‘Interest Balancing and Extraterritorial Jurisdiction’ (n 90) 590 (citations omitted). Ibid., 590 (citations omitted).

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

116

Ways to Mitigate Problematic Jurisdictional Overreach

5.5 assessment framework Using connection and reasonableness principles can reduce the importance of or even the need for territorial links to establish jurisdiction, which is significant in the online sphere where most data processing occurs.100 In view of the first- and second-tier jurisdictional principles explored in Section 5.2, this assessment framework recalls the initial fundamental rights obligations it established in Chapter 3. The assessment framework elevates the EU’s fundamental rights obligations, adhering to the following statement: While one can agree that there is much to be said in favour of a more flexible jurisdictional system that takes into account a balancing of core principles or the interests of the actors involved, the emphasis placed by the CJEU on the autonomy of EU fundamental rights law even in the face of conflicting obligations under public international law creates high barriers for the adoption of such changes.101

The following assessment framework can be used to analyse transatlantic conflicts in jurisdiction as concerns data protection law, aiming ultimately to safeguard legitimately EU data subjects’ fundamental right to data protection in extraterritorial situations. The hope is also to reduce such conflicts. Pertaining to the EU, the assessment includes the following:  Its data subjects’ fundamental right to data protection must be safeguarded. This is bearing in mind the other rights and considerations – particularly stemming from the US – with which the right to data protection ought to be balanced and instances where the right may be limited.  Specifically, this encompasses the EU’s international human rights law obligations to respect/protect/fulfil a right through positive and negative obligations of conduct and result.  The territorial sovereignty and duty of non-interference in third States (the US) is not violated, meaning there must be a permissive principle of jurisdiction allowing the EU to exercise extraterritorial prescriptive jurisdiction. 100 101

Buxbaum, ‘Territory, Territoriality and the Resolution’ (n 67) 650 (citation omitted). Christopher Kuner, ‘Extraterritoriality and Regulation of International Data Transfers in EU Data Protection Law’ (2015) 5(4) International Data Privacy Law 235, 242 citing Opinion 2/13 of the Court [2014] ECLI:EU:C:2014:2454 and Joined Cases C-402 and 415/05P Kadi and Al Barakaat International Foundation v Council & Commission [2008] ECLI:EU:C:2008:461. See Christopher Kuner, ‘The European Union and the Search for an International Data Protection Framework’ (2014) 2(2) Groningen Journal of International Law 55.

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

5.5 Assessment Framework

117

 Such permissive principles include the objective territorial, passive personality and protective principles, and conceivably the effects doctrine.  And, so this net is not cast too wide as not to be legitimate, the approach must be restrained somehow.  It should entail a sufficient (spanning substantial, genuine and direct) connection beyond the principles mentioned above. This connection can be shown by satisfying one or more of the following conditions: ▪ The establishment of the controller or processor comprises the real and effective exercise of activities through stable arrangements. ▪ EU law applies in the context of the activities of the establishment, provided that the controller’s and establishment’s activities are inextricably linked. ▪ A data controller intends to target individuals in the Union, as demonstrated by context-specific factors.  Having balanced competing State, individual and global interests, the EU exercises jurisdiction reasonably. ▪ The EU’s characterisation of data protection as a fundamental right and associated extraterritorial obligations amount to it having a legitimate interest in regulating a situation. ▪ The competing interests are rooted in State sovereignty and individual rights. ▪ The competing interests are based on differing values and laws, with fundamental rights being prioritised. In sum, a combination of the EU’s duties and discretions, in view of relevant delimitations, informs the subsequent analysis of value-inspired clashes in jurisdiction between the US and the EU. These clashes cover data protection in relation to security (Chapter 6), freedom of expression (Chapter 7) and trade (Chapter 8). The following section (Chapters 6, 7 and 8) applies the assessment framework (Chapters 3, 4 and 5) to the three aforementioned law and policy fields. It explores relevant tensions, how parties have responded to these situations and how they ought to respond.

https://doi.org/10.1017/9781108784818.005 Published online by Cambridge University Press

6 The Reach of European Union Data Protection Law in Transatlantic Data Transfers for Counterterrorism Purposes

6.1 introduction At least since the 11 September 2001 terrorist attacks in the US, certain US counterterrorism endeavours that involve transatlantic flows of personal data have given rise to EU–US jurisdictional tensions. These have revolved around the US legal framework placing too little emphasis on privacy in favour of collecting, processing and storing more personal data for security purposes, with the EU pressuring the US to include stronger privacy protections in counterterrorism measures dependent on collecting personal data related to EU individuals. Both parties have attempted to allay tension by concluding bilateral agreements, such as the US–EU Passenger Name Record (PNR) Agreement and the US–EU Terrorist Finance Tracking Programme (TFTP).1 This chapter looks at such tensions based on the sometimes-conflicting values of data protection and security. It focuses specifically on the US–EU PNR Agreement, which has developed into ‘one of the most controversial issues in the transatlantic security relationship’.2 The chapter focuses on negotiations and resultant PNR agreements, rather than an outright assertion of extraterritorial jurisdiction by the EU. In attempting to regulate a situation with

1

2

European Commission, ‘Passenger Name Record (PNR)’ ; European Commission, ‘Terrorist Finance Tracking Programme’ . Javier Argomaniz, ‘When the EU is the “Norm-Taker”: The Passenger Name Records Agreement and the EU’s Internalization of US Border Security Norms’ (2009) 31(1) Journal of European Integration 119, 120. See generally Maria Tzanou, ‘The EU–US Data Privacy and Counterterrorism Agreements: What Lessons for Transatlantic Institutionalisation?’ in Elaine Fahey (ed), Institutionalisation beyond the Nation State: Transatlantic Relations: Data Privacy and Trade Law. Studies in European Economic Law and Regulation (Springer 2018).

118

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

6.1 Introduction

119

external elements, the EU is exercising a soft form of prescriptive jurisdiction. The assessment framework outlined in Chapters 3, 4 and 5 is applicable to the EU’s actions: How far may its regulation reach? This section looks at the EU’s positions and actions vis-à-vis the US in light of the law of jurisdiction. The EU’s claim to exercise prescriptive jurisdiction is not wholly extraterritorial, but is triggered by a (potentially minor) territorial connection.3 The US–EU PNR Agreement establishes a set of guidelines on processing and transferring EU airline passenger data to the US Department of Homeland Security (DHS), largely for counterterrorism purposes.4 The DHS began collecting passenger information in response to the 2001 terrorist attacks in the US.5 Any passenger flying between the EU and US must have their personal data recorded and stored for security reasons.6 Examples of PNR data types include passenger names and contact details, booking and travel dates, and all available payment information.7 PNR data also includes information on meal preferences, special assistance requests and medical conditions.8 Combined, this data could form quite a detailed picture of a passenger, including their socio-economic status, religious affiliation, health situation and interpersonal relationships.

3

4

5

6

7

8

Joanne Scott, ‘Extraterritoriality and Territorial Extension in EU Law’ (2014) 62(1) American Journal of Comparative Law 87. Council Decision 2012/472/EU pf 26 April 2012 on the conclusion of the Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security, OJEU L 215, 11 August 2012. The 2004 PNR Agreement refers to the Department of Homeland Security Bureau of Customs and Border Protection (CBP), but the present uses DHS to cover the CBP, too. The George W Bush administration created the DHS in 2002 by combining twenty-two federal departments into one cabinet agency. This included the CBP (formerly part of the US Customs Service), which was and is responsible for PNR data; see Official Website of the Department of Homeland Security . Commission, ‘Joint Review of the Implementation of the Agreement between the European Union and the United States of America on the processing and transfer of passenger name records in the United States Department of Homeland Security’ COM (2013) 844 final. Agreement on the Use and Transfer of Passenger Name Records (PNR) to the US Department of Homeland Security (DHS) of 2011 (OJ 2012 No L215/1) (PNR Agreement (2011)). PNR data that the DHS collects includes the following: date of reservation/issue of ticket; date (s) of intended travel; name(s); available frequent flier and benefit information (i.e. free tickets, upgrades, etc.); all available contact information and payment/billing information; travel itinerary; travel agency; travel status of passenger (including confirmations and check-in status); ticketing information; all baggage information; general remarks including OSI (Other Service Information), SSI (Sensitive Security Information) and SSR (Special Service Requests, such as meal preference or special assistance required) information. PNR Agreement (2011) Annex. Ibid.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

120

The Reach of European Union Data Protection Law

There have been four US–EU PNR Agreements: from 2004, 2006, 2007 and, in place currently, 2011.9 EU and US representatives reviewed the current 2011 PNR Agreement in 2013 and 2015.10 More than two decades of negotiations and revised PNR Agreements highlight the difficulties both parties have experienced in concluding an accord that sufficiently satisfies the EU’s data protection legal requirements and the US’ security interests, whilst allowing each to maintain its sovereignty. The PNR Agreement’s provisions apply to ‘carriers operating passenger flights between the European Union and the United States’ and ‘to carriers incorporated or storing data in the European Union and operating passenger flights to or from the United States’.11 As such, there exists a territorial nexus between the EU and the regulated situation, albeit a potentially minimal one. As this section demonstrates, the EU and US have tried to make citizenship- and residency-based links between someone’s PNR data, the law applicable to that data and, by extension, the authority of the EU to regulate that data processing act. The two parties, however, have also opened up several of the PNR Agreement’s provisions to ‘any individual’, regardless of affiliation to a particular State. As such, the EU is in a position to become a global standard setter for processing PNR data. Conceptual approaches to security, counterterrorism, privacy and data protection on both sides of the Atlantic are divergent, but fluid. The PNR Agreement negotiations have been a constant struggle between US–EU values and laws. A noticeable difference that has important ramifications for any EU to US data transfer is that data protection is a constitutionally protected fundamental right in the EU and not in the US.12 The CJEU is interpreting EU data protection law in such a stringent way that the 2011 US–EU PNR Agreement could be considered incompatible with the fundamental right to data protection.13 It appears, too, that the political will to address this

9

10

11 12 13

Agreements on the Use and Transfer of Passenger Name Records (PNR) to the US Department of Homeland Security (DHS) of 2004 (OJ 2004 No L183/84), 2006 (OJ 2006 No L298/29), 2007 (OJ 2007 No L204/18) and PNR Agreement (2011); European Commission, ‘Transfer of Air Passenger Name Record (PNR) Data and Terrorist Finance Tracking Programme (TFTP)’ . Commission, ‘Report from the Commission to the European Parliament and the Council on the Joint Review of the Implementation of the Agreement between the European Union and the United States of America on the Processing and Transfer of Passenger Name Records to the United States Department of Homeland Security’ COM (2017) 29 final. PNR Agreement (2011) arts 2(2) and 2(3). Charter of Fundamental Rights of the European Union [2010] OJ C 83/02 art 8. See the CJEU’s opinion on the incompatibility of the draft Canada–EU PNR Agreement with EU Fundamental Rights, Opinion 1/15 of the Court [2017] ECLI:EU:C:2017:592 para 232.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

6.1 Introduction

121

shortcoming is growing in the EU.14 For instance, in 2021, the European Commission and European Parliament reported that the US–EU PNR Agreement does not conform to standards set in CJEU jurisprudence.15 It is inaccurate to say that the EU is a proponent of purely privacy and data protection, where the US is surveillance and security oriented. The situation is also malleable in the US. For instance, recent Supreme Court cases on the use of digital surveillance for counterterrorism show how the issue is being recast.16 Furthermore, the EU has adopted its own inter-Member State PNR Agreement in the form of the 2016 PNR Directive, which looks very similar to its Agreements with third States.17 Some have argued that this shows the EU internalising US security norms.18 Collecting and storing PNR data for counterterrorism purposes is a reality in the EU. It is beyond the scope of this research to assess the EU PNR framework, especially as it is purely internal, but it is worth noting that Member States have been obliged to collect, process and retain PNR data in a harmonised manner since 2018. It seems the EU is not against such security measures per se. If the EU could ensure its data protection principles were affirmed in any subsequent external PNR datasharing arrangement, this would appear to be an extraterritorial diffusion of its law. This diffusion, however, is necessary to protect EU citizens’ fundamental right to data protection, especially when their personal data is processed by US governmental entities or on US soil, where the weaker US privacy laws could fail to protect this right sufficiently. The next section outlines briefly the background of the various US–EU PNR Agreements. In a form of diachronic analysis, it traces jurisdictional

14

15

16 17

18

Commission, ‘Exchanging and Protecting Personal Data in a Globalised World’ (Communication) COM (2017) 7 final 2. Kenneth Propp, ‘Avoiding the Next Transatlantic Security Crisis: The Looming Clash over Passenger Name Record Data’ Atlantic Council (1 July 2021). For example, Carpenter v United States, 585 US __ (2018). Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. The CJEU is issuing a preliminary ruling on the compatibility of the EU PNR Directive with the EU Charter and the European Commission reviewed the PNR Directive in 2020 and determined it needed no amendments, see Commission, ‘Report from the Commission to the European Parliament and the Council on the review of Directive 2016/681 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime’ COM (2020) 305 final. Maria Tzanou, ‘The War against Terror and Transatlantic Information Sharing: Spillovers of Privacy or Spillovers of Security?’ (2015) 31(80) Utrecht Journal of International and European Law 87.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

122

The Reach of European Union Data Protection Law

tensions between the US and EU as evident in their reviews and negotiations of the PNR Agreements. It then analyses these tensions and the extraterritoriality of EU law through an international human rights law and public international law framework, and suggests ways to address key issues.

6.2 conceptual approaches to privacy in counterterrorism agreements Whilst the EU–US PNR Agreement negotiations do not overtly show the EU prioritising privacy concerns over security ones, they do exemplify difficulties in reconciling each party’s conceptual approaches to the two concerns: ‘[T]he transatlantic cooperation in the PNR context is closely linked to the old dichotomy between security and privacy.’19 In its external strategy for various PNR Agreements that the EU was negotiating with third States (Australia, Canada and the US), the European Parliament confirmed its commitment to both (i) fighting terrorism and transnational organised crime, and (ii) protecting civil liberties and fundamental rights, including the right to data protection.20 The Parliament assessed these two values in light of the day’s sociotechnological climate.21 In the information age, data protection has become one of several values that play an ever-expanding role and therefore it warrants special attention.22 Notably, the Parliament emphasised the importance of the necessity and proportionality principles relating to data protection as key in guaranteeing effective counterterrorism measures, themselves linked with fast and effective cross-border data transfers.23 The EU thus has a discernible goal to marry data protection with security and not necessarily sideline one for the other.

19

20

21

22

23

Valentin M Pfisterer, ‘PNR in 2011: Recalling Ten Years of Transatlantic Cooperation in PNR Information Management’ (2012) 2 National Security and Armed Conflict Law Review 111, 131. European Parliament resolution of 11 November 2010 on the global approach to transfers of passenger name record (PNR) data to third countries, and on the recommendations from the Commission to the Council to authorise the opening of negotiations between the European Union and Australia, Canada and the United States, EP Resolution P7_TA (2010)0397 preamble and art 1. On the ‘dense socio-technical environment’ pertaining to the EU PNR negotiations, but relevant in the US–EU situation too, see Rocco Bellanova and Denis Duez, ‘A Different View on the “Making” of European Security: The EU Passenger Name Record System as a SocioTechnical Assemblage’ (2012) 17(2/1) European Foreign Affairs Review 109, 110. EP Resolution on the global approach to transfers of passenger name record (PNR) data to third countries (n 20) para I. Ibid., arts 1 and 6.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

6.2 Conceptual Approaches to Privacy in Counterterrorism Agreements

123

The 2011 PNR Agreement refers to apparently shared conceptions of security and privacy in the US and EU.24 For instance, the Agreement affirms both parties’ desire ‘to prevent and combat terrorism and serious transnational crime effectively [as a means of protecting their] common values . . . while respecting fundamental rights and freedoms and recognising the importance of privacy and the protection of personal data and information’.25 This suggests the parties share approaches to issues that, in practice, they do not. The myriad negotiations, joint reviews, and US and EU political and civil society reactions show a long-lived tussle between the parties to protect their own competing interests and implied jurisdictional claims. It is difficult to say whether the current PNR Agreement reflects an extension of the ‘long arm’ of EU data protection law or simply a reflection of US demands and security standards. The present discussion and, indeed, much of the PNR Agreement negotiations are privacy-focused: ‘[T]he EU’s reaction [in negotiating a PNR Agreement] can be perceived more as an attempt to minimize the damage of the American requests on passengers’ privacy rights than as a conscious decision to develop stronger EU–US intelligence exchange in this area.’26 There was no comparably strong resistance to creating a PNR system as a counterterrorism measure in the US to that in the EU.27 Indeed, by including specific safeguards related to data protection in various EU–US counterterrorism data exchange agreements, ‘transatlantic negotiations have resulted in attempts to ensure coherence between EU external security action and European values, most notably relating to the protection of the rights to private life and the protection of personal data’.28 In sum, it appears both parties are keen to enact counterterrorism measures, but the EU shows more concern about protecting privacy in the context of those measures, as the following section explores.

24 25

26 27

28

PNR Agreement (2011) preamble. Ibid. More specifically, one of the main EU complaints about the PNR is its violation of the proportionality and necessity principles; however, the Agreement’s preamble states: ‘[T]he United States and the European Union [recognise] the related principles of proportionality as well as relevance and necessity that guide this Agreement and its implementation by the European Union and the United States.’ Argomaniz, ‘When the EU is the “Norm-Taker”’ (n 2) 125. Alenka Kuhelj, ‘The Twilight Zone of Privacy for Passengers on International Flights between the EU & USA’ (2009) 16(2) UC Davis Journal of International Law and Policy 383, 408 (citation omitted). Valsamis Mitsilegas, ‘Transatlantic Counter-terrorism Cooperation and European Values. The Elusive Quest for Coherence’ in Deidre Curtin and Elaine Fahey (eds), A Transatlantic Community of Law (Cambridge University Press 2014) 297.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

124

The Reach of European Union Data Protection Law

6.3 transatlantic tensions in passenger name record agreement negotiations This section looks at how different conceptual approaches to security and privacy have manifested during US–EU PNR Agreement negotiations. These approaches are mirrored in other, similar bilateral negotiations over transatlantic personal data flows, such as the EU–U.S. Data Privacy Framework for commercial data transfers and the TFTP for counterterrorism purposes.29 The present section focuses on (i) the initial extraterritoriality of US law; (ii) the resulting pushback from the EU; and (iii) the EU pro-privacy values filtering into the PNR Agreement and, ultimately, into how US authorities must conduct themselves when processing PNR data. 6.3.1 The 2004 Agreement and Reactions In reaction to the September 11 attacks in the US, in November 2001 the US government enacted and instituted the Aviation and Transportation Security Act of 2001 (ATSA), obliging air carriers to give US customs electronic access to PNR data on those passengers entering or leaving the US.30 In June 2002, the European Commission informed the US that the Act’s requirements could conflict with EU and Member State legislation.31 According to the Data Protection Directive (DPD), which was in force at the time, when transferring personal data to third States where the data will be processed, the third State must ensure an adequate level of data protection.32 The EU did not consider the US to satisfy the adequacy requirements of the Directive, rendering those initial PNR data transfers to the US per se unlawful under the

29

30 31 32

European Commission, ‘EU–US Data Transfers’ ; European Commission, ‘Transfer of Air Passenger Name Record Data and Terrorist Finance Tracking Programme’ . 49 USC 44909(c)(3). Commission, ‘Joint Review’ 2013 844 final 2. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ 1995 L 281/31 (DPD) arts 25 and 26. The GDPR retains the adequacy framework (see Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L 119 (GDPR) arts 45 and 46).

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

6.3 Tensions in Passenger Name Record Agreement Negotiations

125

Directive, which necessitated ad hoc solutions to allow data transfers.33 To address the anomaly whereby air carriers would always be breaking one law by abiding by another, the parties entered into negotiations to draw up an international agreement. Whilst the European Commission’s agenda in concluding the PNR Agreement initially focused on maintaining the transatlantic air transport market, other stakeholders, such as the Article 29 Working Party, quickly highlighted potential privacy issues with the Agreement.34 The Article 29 Working Party, which consisted of EU Member State data protection supervisory authorities, the European Data Protection Supervisor and European Commission representatives, offered recommendations and opinions on the implementation of EU data protection law.35 The Working Party also had a notable role in determining whether or not a third State received an adequacy decision.36 The two parties accordingly began negotiations. Whilst US officials postponed the entry into force of the ATSA’s new provisions, they refused to waive their right to penalise airlines that did not comply with the obligation to provide US customs officials with electronic access to their PNR data.37 This resulted in many EU air carriers allowing US customs to have access to this data.38 As the US agreed to negotiate with the EU on the data protection provisions of its PNR Act, it also enforced penalties on non-compliant EU air carriers.39 US authorities would still collect and store PNR data from EU carriers, thereby protecting their national security interests, but disregarding EU data protection standards. Acknowledging the importance of countering terrorism, it was important for all stakeholders involved to solve this issue to protect EU data subjects’ personal data and to address the legal uncertainty

33 34

35

36

37

38 39

DPD arts 25 and 26. See Article 29 Working Party, Opinion 6/2002 on Transmission of Passenger Manifest Information and Other Data from Airlines to the United States (WP 66, 24 October 2002). DPD art 29, since replaced by the European Data Protection Board (EDPB) under the GDPR (art 68). The procedure for obtaining an adequacy decision goes as follows: the Commission submits a proposed adequacy decision, the EDPB issues an opinion on this, EU Member State representatives approve the decision and the European Commission adopts the decision – see European Commission, ‘Adequacy Decisions’ . Joined Cases C-317/04 and C-318/04 European Parliament v Council of the European Union and European Parliament v Commission of the European Communities [2006] ECLI:EU:C: 2006:429 para 33. Ibid. Ibid., 33.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

126

The Reach of European Union Data Protection Law

many air carriers faced.40 In 2004, the two parties concluded the first PNR Agreement.41 The 2004 PNR Agreement states that data transfers within its auspices are lawful as the US provides adequate protection per the European Commission issuing such a decision.42 This adequacy finding provides a legitimate basis for air carriers to process personal data under the DPD.43 The 2004 PNR Agreement introduced the ‘pull’ method of obtaining PNR data, whereby the US DHS would retrieve the relevant information from airlines.44 Specifically, the ‘pull’ method entails the DHS accessing, or being able to access, the PNR data on air carriers’ reservation systems located on EU territory, as opposed to the ‘push’ method, where air carriers transmit their PNR data to the DHS. The EU took issue with the extraterritoriality of this system.45 The US appeared to be encroaching upon the territorial sovereignty of the EU Member States. The ‘pull’ method of accessing PNR databases on EU territory amounted to the ‘exercise of US sovereign power in Community territory [and] is only possible under international law if there is consent’.46 The PNR Agreement could be a way of establishing that consent. The ‘pull’ method also ‘clearly constituted an extraterritorial exercise of regulatory jurisdiction by the United States’, although the relevant air carriers’ aircraft, and associated PNR data, would eventually arrive on US territory and fall under its jurisdiction.47 Indeed, early worries about the legality of the 2004 PNR 40

41

42 43

44 45

46

47

Ibid., 44. The GDPR acknowledges such clashes and the issues they raise regarding international law and human rights protection: ‘[T]he extraterritorial application of [third State legislation] may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union.’ GDPR, recital 115. 2004/535/EC:Commission Decision of 14 May 2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States’ Bureau of Customs and Border Protection (notified under document number C(2004) 1914) [2004] OJ L 235; 2004/496/EC:Council Decision of 17 May 2004 on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection [2004] OJ L 183. PNR Agreement (2004) preamble. Commission Staff Working Paper, ‘An EC-U.S. Agreement on Passenger Name Record (PNR)’ SEC (2004). PNR Agreement (2004) art 1. Vagelis Papakonstantinou and Paul de Hert, ‘The PNR Agreement and Transatlantic Anti-terrorism Cooperation: No Firm Human Rights Framework on Either Side of the Atlantic’ (2009) 46(3) Common Market Law Review 885, 902: ‘An international agreement was thought necessary, in order to deal with the problems of extraterritoriality (“pull” system) and [other issues].’ Commission Staff Working Paper, ‘An EC-U.S. Agreement on Passenger Name Record (PNR)’ SEC (2004) 3. Francesca Bignami, ‘European versus American Liberty: A Comparative Privacy Analysis of Antiterrorism Data Mining’ (2007) 48 Boston College Law Review 609, 669 (citations omitted).

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

6.3 Tensions in Passenger Name Record Agreement Negotiations

127

Agreement pertained to the ‘pull’ extraction method and the legality of the US’ exercise of its sovereign power on EU Member State territory.48 It showed the US authorities’ reluctance to engage with the EU and their preference for unrestrained extraterritorial action.49 The EU, however, soon challenged this and pushed back, adding to the Agreement extra obligations for the US authorities to better protect the privacy of the PNR data they collected, thus beginning the territorial extension of EU, rather than US, law.50 6.3.2 The 2006 Annulment In May 2006, the CJEU annulled the Council Decision (a form of adequacy decision), which had deemed that the DHS provided an adequate level of protection to EU individuals’ personal data transferred under the PNR Agreement, and ruled that it was concluded ultra vires.51 First, the Court ruled that the Council Decision infringed Article 3(2) DPD, which states that its provisions do not apply to data-processing activities that fall outside the scope of Community law.52 Further, the Court determined that the Decision underlying the PNR Agreement could not have been validly adopted on the basis of Article 95 of the Treaty of Rome.53 EU officials highlighted that the CJEU had not ruled on whether the Agreement violated the rights to privacy or data protection.54 Accordingly, although the EU–US data protectionsecurity value inconsistencies already existed, the Court’s ruling did not help solve them. In the meantime, an interim Agreement was put in place.55 48

49 50

51 52

53

54 55

Elaine Fahey, The Global Reach of EU Law (Routledge 2017) 111 citing Marise Cremona, ‘Justice and Home Affairs in a Globalised World: Ambitions and Reality in the Tale of the EU– US SWIFT Agreement’ (2011) Austrian Academy of Sciences, Institute for European Integration Research Working Paper. Argomaniz, ‘When the EU is the “Norm-Taker”’ (n 2) 119–136, 126. See the exact provisions in the Annex to the 2004 Commission adequacy decision (n 41). These were supposed to clarify the processing requirements and safeguards that the DHS was to adopt and implement when processing EU PNR data. Ibid., 69–70. Joined Cases C-317/04 and C-318/04 European Parliament v Council of the European Union and European Parliament (n 37) 60–61; Council of the European Union, ‘Council Decision of 17 May 2004 on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection (2004/496/EC)’, see preamble. Joined Cases C-317/04 and C-318/04 European Parliament v Council of the European Union and European Parliament (n 37) 67–70. Court of Justice press release no 46/06 (30 May 2006). Papakonstantinou and de Hert, ‘The PNR Agreement and Transatlantic Anti-terrorism Cooperation’ (n 45) 903–907.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

128

The Reach of European Union Data Protection Law

6.3.3 The 2007 Agreement In 2007, the US and EU concluded a new PNR Agreement, which applied only provisionally due to the European Parliament’s continued concerns with its lack of privacy and data protection safeguards.56 As the US government believed it was improbable that the European Parliament would approve the 2007 version of the PNR Agreement, it agreed to reopen negotiations.57 The 2007 Agreement reflects demands and compromises from both parties.58 It is more comprehensive than the 2004 Agreement, and notably stipulates that the DHS ought to change from the ‘pull’ method to the ‘push’ method, as well as specifying types of data collected, setting out limited data retention times, clearer purpose limitation and sensitive data parameters.59 Nonetheless, privacy and civil liberty advocates in both the US and the EU strongly criticised the 2007 Agreement.60 Several provisions in the 2007 Agreement reflect key US demands. The US granted some EU requests aimed at enhancing data protection, but noticeably fewer, and with less substantive effect, than the EU granted US requirements. For example, according to the 2004 Agreement, the US DHS could share PNR data with other US counterterrorism or law enforcement agencies.61 The 2007 Agreement expanded this to include public security authorities, thereby widening the scope of potential onward data transfers to third parties.62 Pursuant to an EU request, the US agreed to narrow the number of data types (e.g., name, travel agency and so on) from thirty-four to nineteen in the 2007 Agreement.63 Upon closer inspection, however, this change was merely superficial. For instance, in the 2007 Agreement, ‘[t]icketing information, including ticket number, one-way tickets and automated ticket fare quote’ constituted one data type, whereas in the 2004 agreement, this was four separate data types.64 Accordingly, despite initially not appearing so, the EU was unsuccessful in ensuring this change. 56 57

58

59 60 61 62 63 64

PNR Agreement (2007). Kristin Archick, Congressional Research Service, ‘U.S.–EU Cooperation against Terrorism’ CRS Report RS22030 (2014) 18. ‘Washington won . . . but agreed to E.U. demands’. Paul Lewis and Spencer S Hsu, ‘Travelers Face Greater Use of Personal Data’ The Washington Post (27 July 2007). PNR Agreement (2007). Lewis and Hsu, ‘Travelers Face Greater Use of Personal Data’ (n 58). PNR Agreement (2004) art 1. Archick, ‘U.S.–EU Cooperation against Terrorism’ (n 57) 16–17. Ibid. Gerrit Hornung and Franziska Boehm, ‘Comparative Study on the 2011 Draft Agreement between the Unites States of America and the European Union on the Use and Transfer of

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

6.3 Tensions in Passenger Name Record Agreement Negotiations

129

EU commentators mostly criticised the Agreement’s lack of basic EU data protection principles, including purpose limitation, proportionality, necessity and redress.65 The Article 29 Working Party expressed similar problems with the Agreement’s data retention and redress provisions.66 A comparative study further explained the precise issues that dissenting Ministers of the European Parliament (MEPs) had with the PNR Agreement, which included the following: expanded personal data use, less purpose limitation, an extended data retention period, unclear third-party access provisions, and insufficient rights to information and redress for data subjects.67 The EU tended to yield to the US during consultations and was largely unsuccessful at making its data protection law filter into the 2007 Agreement.68 The EU’s continuing disappointment with the Agreement’s lack of data protection safeguards eventually led to it negotiating other Agreements in 2010 and 2011, as discussed below.

6.3.4 The 2011 Agreement Since the 2009 entry into force of the Lisbon Treaty, and upon a recommendation from the European Commission, EU and US representatives in 2010 launched negotiations to revise the PNR Agreement.69 A November 2010 European Parliament resolution on a global approach to PNR agreements, including those with Australia and Canada, summarised the general collective EU stance regarding the US PNR Agreement, particularly in light of the importance of protecting personal data. The Parliament emphasised that the legal basis of any PNR agreement must include Article 16 of the Treaty on the Functioning of the European Union (TFEU) on the right to

65

66

67 68

69

Passenger Name Records (PNR) to the United States Department of Homeland Security’ (2012) 3 (NB: solicited by the German Greens Party). Valsamis Mitsilegas, ‘Surveillance and Digital Privacy in the Transatlantic “War on Terror”: The Case for a Global Privacy Regime’ (2016) 47(3) Columbia Human Rights Law Review 1, 73. European Parliament, ‘Letter from Article 29 Working Party to LIBE Committee’ (19 March 2015) . Hornung and Boehm, ‘Comparative Study’ (n 64) 14. If anything, the 2007 Agreement’s conclusion largely reflects the ‘popular narrative of an imperial security oriented US government bullying a human rights focused European government into submission’. Jacqueline Klosek, The War on Privacy (Praeger Publishers 2007) 485. Commission, ‘On the global approach to transfers of Passenger Name Record (PNR) data to third countries’ (Communication) COM (2010) 492 final 10.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

130

The Reach of European Union Data Protection Law

personal data protection.70 The legal bases for all three EU-third State PNR Agreements have failed to include Article 16 TFEU. A May 2011 US Senate Resolution, which eventually became law, made some recommendations that could imply a pushback to the EU’s attempts to extend its prescriptive jurisdiction by trying to enact its data protection standards in the US.71 First, the Resolution urged the DHS to refuse EU attempts to amend the PNR Agreement, if such attempts would threaten the effectiveness of the PNR data in identifying terrorists and serious criminals.72 Second, the Resolution acknowledged that the EU and US have different data protection and privacy governing mechanisms that result in distinctive oversight methods, and urged the DHS not to enter into any accord ‘that would impose European oversight structures on the United States’.73 Finally, the Resolution opposed any attempt by the EU ‘to interfere with counterterrorism cooperation and information sharing’ between the DHS and non-EU States.74 The US’ use of language such as ‘impose’ and ‘interfere’ reinforces the idea that it was trying explicitly to avoid any perceived regulatory overreach by the EU. The EU arguably ‘has no basis to impose its data-protection laws on the U.S.’, although, as the jurisdictional assessment section below asserts, not only does the EU have multiple legitimate bases upon which to ‘impose’ its data protection laws in the US, it also has a duty to do so.75 Under the 2011 PNR Agreement, any data subject whose data has been processed in a way that is inconsistent with the Agreement is entitled to effective administrative and judicial redress under US law.76 During negotiations, EU officials took issue with the insufficient redress opportunities for EU citizens whose data was processed in the US.77 EU pro-privacy commentators argued that it would be practically difficult for EU citizens to have remedies enforced in the US.78 Nonetheless, and not unexpectedly, US 70

71 72 73 74 75

76 77

78

EP Resolution on the global approach to transfers of passenger name record (PNR) data to third countries (n 20) art 5. See also, Consolidated Version of the Treaty on the Functioning of the European Union [2012] OJ C 326/47 art 16. S Res 174, 112th Congress (2011) . Ibid. Ibid. Ibid. Sally McNamara, ‘European Parliament Should Back EU–U.S. Passenger Name Record Agreement’ The Heritage Foundation (6 September 2011) . PNR Agreement (2011) 13. For a selection of EU and US exchanges, see ‘Observatory on the Exchange of Data on Passengers (PNR) with USA’ Statewatch . Franziska Boehm and Mark Cole, ‘Data Retention after the Judgement of the Court of Justice of the European Union’ (2014) 65 (NB: solicited by the German Greens Party).

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

6.3 Tensions in Passenger Name Record Agreement Negotiations

131

officials asserted that the May 2011 draft Agreement provided enhanced legal certainty for passengers seeking redress.79 In April 2012, the European Parliament adopted the PNR Agreement and it entered into force in June of that year.80 Significant EU ‘successes’ amounted to ensuring its data subjects were entitled to judicial, and not just administrative, redress; independent supervision; a more limited purpose for collecting the personal data; and a reduced retention time for specific types of personal data.81 Regarding redress, in 2015, the US Congress passed the Judicial Redress Act, so EU and other third-State citizens may enjoy the redress opportunities offered by the US Privacy Act 1974.82 The EU Home Affairs Commissioner was positive that the Agreement both better protected the right to privacy for EU citizens and enhanced legal certainty for airlines.83 She also said it was effective in terms of EU and US security.84 The US Secretary of the DHS acknowledged the importance of strong international cooperation in light of transnational security threats.85 The US and EU jointly reviewed the Agreement in 2013 and 2015, concluding that the US was adhering to its provisions, but that there was room for improvement.86 Most responses to the 2011 US–EU PNR Agreement maintained that the US security standards were outweighing EU privacy standards.87 The EU 79 80

81

82 83

84

85 86

87

Archick, ‘U.S.–EU Cooperation against Terrorism’ (n 57) 18. Council Decision of 13 December 2011 2012/381, OJ 2012 L 186; ‘MEPs Back Deal to Give Air Passenger Data to US’ BBC News (19 April 2012). Archick, ‘U.S.–EU Cooperation against Terrorism’ (n 57) 19 citing ‘US–EU PNR Agreement’ Agence Europe (11 November 2011) and Valentina Pop, ‘Unhappy MEPs to Approve Passenger Data Deal’ EUobserver.com (11 November 2011) ; Mitsilegas, ‘Surveillance and Digital Privacy in the Transatlantic “War on Terror”’ (n 65) 67. 5 USC § 552(a) note. ‘European Parliament Approves the Controversial EU/US PNR Agreement’ Infosecurity Magazine (20 April 2012). European Commission press release, ‘New EU–US agreement on PNR improves data protection and fights crime and terrorism’ (17 November 2011). ‘European Parliament Approves the Controversial EU/US PNR Agreement’ (n 83). Commission, ‘Joint Review’ 2013 and 2015; Commission, ‘Report from the Commission to the European Parliament and the Council on the joint review of the implementation of the Agreement between the European Union and the United States of America on the processing and transfer of passenger name records to the United States Department of Homeland Security’ COM (2017) 029 final. Douglas Louks, ‘(Fly) Anywhere but Here: Approaching EU–US Dialogue concerning PNR in the Era of Lisbon’ (2013) 23(3) Indiana International & Comparative Law Review 479, 520; Juan Santos Vara, ‘Transatlantic Counterterrorism Cooperation Agreements on the Transfer of Personal Data’ in Elaine Fahey and Deirdre Curtin (eds), A Transatlantic Community of Law: Legal Perspectives on the Relationship between the EU and US Legal Orders (Cambridge University Press 2014) 288.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

132

The Reach of European Union Data Protection Law

might even be seen to have internalised US counterterrorism rhetoric and security standards, to the detriment of its individuals’ privacy. The PNR Agreement shows a degree of ‘European internalization of US-advocated security norms’.88 Indeed, the extraterritoriality does not extend unilaterally from the EU to the US; it goes both ways. Some MEPs criticised the submissive attitude exhibited by the European Commission and Member State governments in accepting that ‘US law takes precedence over EU law . . . on EU territory’.89 That said, it is evident that there is a slow, but perceptible, diffusion of EU data protection principles into the US–EU PNR Agreement and, by extension, the US when the DHS processes PNR data. Whilst the EU tends to yield to the US in PNR negotiations, ‘[t]his is not the same as accepting US standards’.90 Indeed, the opposite situation is gradually materialising, as explored in Section 6.4.

6.4 incorporating interpretations of eu data protection law into passenger name record agreements This section explains how the US–EU PNR Agreement should better incorporate EU data protection principles as interpreted by the CJEU in key jurisprudence. The EU principles related to personal data processing, as articulated in the General Data Protection Regulation (GDPR), include lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.91 Considering various CJEU decisions since 2014, with both internal and external effect, the 2011 US– EU PNR Agreement would not be compatible with EU data protection law. As the CJEU has more significantly focused on the importance of the fundamental right to data protection in the Charter of Fundamental Rights of the European Union (EU Charter), the US–EU PNR Agreement should be renegotiated to reflect this. This section traces the relevant CJEU jurisprudence that could inform a revised Agreement.

88

89

90 91

Argomaniz, ‘When the EU is the “Norm-Taker”’ (n 2) 120; Tzanou, ‘The War against Terror and Transatlantic Information Sharing’ (n 18) 95. Sophie in ’t Veld, ‘Transatlantic Relations and Security’ in Elaine Fahey and Deirdre Curtin (eds), A Transatlantic Community of Law: Legal Perspectives on the Relationship between the EU and US Legal Orders (Cambridge University Press 2014) 243. Cremona, ‘Justice and Home Affairs in a Globalised World’ (n 48) 27. GDPR art 5.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

6.4 EU Data Protection Law in Passenger Name Record Agreements

133

In 2017, the CJEU issued its ruling in Opinion 1-15 on the compatibility of the draft Canada–EU PNR Agreement with EU law.92 The Canada–EU PNR Agreement is similar to the US-EU one, but offers more privacy protections than the US–EU Agreement.93 The Court pronounced that parts of the draft Agreement did not comply with EU fundamental rights law, particularly the rights to respect for private life and protection of personal data, and it could therefore not be concluded in that form.94 Furthermore, the legal basis for the Agreement must be Article 87 TFEU (police cooperation) and Article 16 TFEU (protection of personal data).95 It was the CJEU’s first ruling on the compatibility of a draft international agreement with the EU Charter, so it has important ramifications for other EU-third State agreements. Whilst the bulk transfer, retention and use of all PNR data is per se lawful, certain provisions in the USEU Agreement on, for instance, sensitive data and data retention periods, go beyond justified interferences with data protection rights. Notably, in Opinion 115, the CJEU stated that transferring sensitive data to Canada needs a ‘particularly solid justification, based on grounds other than the protection of public security against terrorism and serious transnational crime’.96 From a case directly relevant to the US–EU PNR Agreement, it is clear that the Agreement would not withstand the Court’s scrutiny. The US government has noted the CJEU’s ruling on the Canada–EU PNR Agreement and showed an even stronger pro-security response.97 After the ruling, it was said that the Trump administration ‘has taken note of [Opinion 115] and appears to be threatening to impose restrictions on EU citizens travelling to the US if limitations are placed on the transfer of personal data to US authorities’.98 A US DHS fact sheet on detecting entry into the US by terrorist suspects, which restricted entry for nationals of five States, held that countries must ‘[e]nsure that the airlines and vessel operators are not impeded from providing the USG [United States Government] with information about people traveling to the United States’.99 These statements suggest the US

92 93

94 95 96 97

98 99

Opinion 1/15 (n 13). Commission, ‘Proposal for an Agreement between Canada and the European Union on the Transfer and Processing of Passenger Name Record’ COM (2013) 0529 final. Opinion 1/15 (n 13) para 232(2). Ibid., para 118. Ibid., para 165. ‘PNR: US Takes Aim at Court of Justice Opinion on Air Traveller Data’ Statewatch (25 September 2017). Ibid. US Department of State, ‘Fact Sheet: Proclamation on Enhancing Vetting Capabilities and Processes for Detecting Attempted Entry into the United States by Terrorists or Other Public-

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

134

The Reach of European Union Data Protection Law

would not be accommodating of the EU’s efforts to enact stronger privacy protections for personal data processed under the PNR Agreement. This section looks briefly at other CJEU cases that could also affect the US–EU PNR Agreement. They show the Court has been consistent in its pronouncements on the data protection principles in the DPD and GDPR read in the light of the EU Charter. The CJEU’s 2015/2020 rulings in the Schrems and Schrems II cases, which concerned the transfer of EU data subjects’ personal data to companies in the US under various transfer mechanisms and associated concerns of mass surveillance by US authorities, will undoubtedly influence future PNR Agreement dialogues.100 In Schrems, the Court found that the Safe Harbour framework did not prevent US authorities from threatening EU data subjects’ fundamental right to data protection, especially as US security and law enforcement requirements overruled protections in the Safe Harbour (see Chapter 8).101 In 2014, the CJEU annulled the 2006 Data Retention Directive (DRD) in the landmark Digital Rights Ireland case.102 The Court ruled that the DRD, which obliged Member States to retain EU individuals’ telecommunications data for between six months and two years to help in the fight against serious crime and terrorism, violated the principles of proportionality and necessity.103 Moreover, the Court stated that the DRD caused a ‘wide-ranging’ and ‘particularly serious’ interference with fundamental rights.104 The CJEU’s Tele2 Watson case was the 2016 follow-up to 2014’s Digital Rights Ireland case and further served to highlight the importance of safeguarding data protection rights in surveillance situations.105 It involved questions on the compatibility of retaining electronic traffic and location data with EU law.106 The CJEU ruled that EU law (particularly the ePrivacy Directive on privacy and electronic communications, read in the light of Safety Threats’ (2017) . 100 Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU:C: 2015:650; C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems [2020] ECLI:EU:C:2020:559. 101 Case C-362/14 Maximillian Schrems v Data Protection Commissioner (n 100) paras 86 and 98. 102 Joined Cases C-293/12 and C-594/12 Digital Rights Ireland Ltd (C-293/12) v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung (C594/12) and Others [2014] ECLI:EU:C:2014:238 para 73. 103 Ibid., paras 65 and 69; Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC [2006] OJ L 105. 104 Joined Cases C-293/12 and C-594/12 Digital Rights Ireland Ltd (n 102) para 37. 105 Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post-och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others [2016] ECLI:EU:C:2016:970. 106 Ibid., paras 51 and 59.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

6.4 EU Data Protection Law in Passenger Name Record Agreements

135

Articles 7, 8, 11 and 52(1) of the EU Charter) precludes national laws from prescribing general, indiscriminate data retention.107 Such laws entail a ‘very far-reaching and . . . particularly serious’ interference in the fundamental rights to privacy and data protection.108 In view of the seriousness of this interference, only the objective of fighting serious crime may justify the targeted retention of traffic and location data, in specific circumstances.109 Two landmark judgements from 2020, Privacy International and La Quadrature du Net, confirm that the ePrivacy Directive and EU Charter generally prevent national law from enabling the bulk retention of traffic and location data.110 Taken together with Opinion 1-15, these decisions show how the Court has a consistently strong pro-privacy stance when considering questions of data protection and security. This has implications for future US-EU relations that deal with such interests. In view of the above decisions, provisions in the US–EU PNR Agreement would not be compatible with the EU Charter. The EU should incorporate the Court’s conclusions into the next PNR data-sharing agreement. In its 2017 communication on data exchange in a globalised world, the European Commission affirmed that it would work on ways to exchange PNR data with third States and consider a model PNR agreement with requirements that those third States must meet to receive PNR data from the EU.111 This is important because it shows the EU setting a global standard for PNR data exchange. Especially given the Court’s pronouncements on the Canada-EU PNR Agreement, EU representatives should push more vigilantly for the US Agreement to incorporate better rights protections – not at the expense of legitimate security concerns, but properly balanced with them. If the EU could ensure its data protection principles were affirmed in any subsequent PNR data-sharing arrangement, this would appear to be an extraterritorial diffusion of its law.

107

Ibid., para 134; Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications); EU Charter arts 7, 8, 11 and 52(1). 108 Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB (C 203/15) and Watson (C 698/15) (n 105) para 100. 109 Ibid., para 102. 110 Case C-623/17 Privacy International [2020] ECLI:EU:C:2020:790; Joined Cases C-511/18 La Quadrature du Net and Others, C-512/18 French Data Network and Others, and C-520/18 Ordre des barreaux francophones et germanophone and Others [2020] ECLI:EU:C:2020:791. 111 Commission, ‘Exchanging and Protecting Personal Data in a Globalised World’ (Communication) COM (2017) 7 final 15.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

136

The Reach of European Union Data Protection Law

6.5 jurisdictional assessment The present section looks at bilateral negotiations under a jurisdictional assessment framework. It begins by delineating the EU’s duties under international human rights law to regulate the situation. Next, it looks at permissive principles under public international law to determine how far EU law may extend according to traditional principles of territoriality and nationality. To finish, the section weighs up the EU’s and US’ degree of connection to the situation and their interests in regulating PNR data transfers, and then applies a rule of reason to the reach of EU law. An interesting point to briefly explore as a side note is whether the relevant processing activities could fall within the EU’s jurisdiction under the DPD, applicable when the Agreement was concluded, or the GDPR, applicable now. National security is the responsibility of individual Member States, but if the data processing related to the national security of a third State and the DPD’s applicable law provisions were satisfied, the Directive would not be precluded from applying.112 In theory, the US’ earlier processing of EU PNR data could fall within the scope of the DPD because: (i) the processing was carried out in the context of the activities of a data controller (air carriers) on Member State territory and/or (i) the controller (a global distribution system that deals with computer reservations/the DHS) was located outside the EU, but made use of equipment (data-processing centres) on EU territory.113 Moreover, the GDPR broadens the likelihood of its applying to PNR data collection as it applies when a data controller or processor in a third State monitors the behaviour of data subjects in the Union.114 That said, a Member State may claim that threats to the US’ national security also form part of that State’s own national security, rendering EU law inapplicable.115 The present research focuses on the PNR Agreement as a stand-alone accord, however, and does not attempt to assess whether the EU may claim jurisdiction under the DPD or GDPR. This examination begins with the EU’s human rights duties, as outlined below.

112

113 114 115

TEU art 4(2); Article 29 Working Party, Working Document on surveillance of electronic communications for intelligence and national security purposes (WP 228, 5 December 2014) 31. DPD art 4. GDPR art 3. TEU art 4(2); Article 29 Working Party, WP 228 26.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

6.5 Jurisdictional Assessment

137

6.5.1 International Human Rights Law Obligations This section justifies approaching the US–EU PNR Agreement from a fundamental rights perspective and then examines the effect of this approach on how EU representatives should negotiate PNR agreements. Not only must the EU safeguard its people’s fundamentals rights within and – in certain situations – beyond its territory, but the provisions of any US–EU PNR Agreement must be in conformity with the EU Charter, which could entail extraterritorial obligations.116 In tracing the development of US–EU PNR Agreements, it is apparent that the transfers are increasingly framed in human rights terms, which should be reflected in future agreements. The PNR Agreement’s legal basis should move towards a more rightsfocused one. The legal basis of the 2004 PNR Agreement was Article 95 EC (part of the First Pillar on establishing an internal market), which is the same basis as the DPD. The 2007 PNR Agreement’s legal basis was ex Articles 24 and 38 Treaty on European Union (TEU) (Third Pillar on security). As outlined in the Council Decisions to sign and conclude the 2011 US–EU PNR Agreement, its legal bases are Articles 82(1)(d) and Article 87(2)(a), in conjunction with Article 218(6)(a), of the TFEU.117 These articles cover, respectively, facilitating judicial cooperation on criminal matters; collecting, storing, processing, analysing and exchanging relevant information to establish police cooperation to prevent, detect and investigate crime; and the Council adopting a decision to conclude the Agreement.118 In line with European Data Protection Supervisor commentary on the EU–Australia PNR Agreement, the US–EU Agreement should be based on Article 16 TFEU on the right to data protection.119 In response to the European Parliament’s question on whether Articles 82(1)(d) and 87(2)(a) TFEU constituted the

116 117

118 119

Mitsilegas, ‘Surveillance and Digital Privacy in the Transatlantic “War on Terror”’ (n 65) 69. Council Decision of 13 December 2011 on the signing, on behalf of the Union, of the Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records to the United States Department of Homeland Security (2012/471/EU), preamble; Council Decision of 26 April 2012 on the conclusion of the Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security (2012/472/EU), preamble. TFEU arts 82(1)(d), 87(2)(a) and 218(6)(a). Ibid., art 16. See, e.g., European Data Protection Supervisor, ‘Opinion of the European Data Protection Supervisor on the Proposal for a Council Decision on the conclusion of an Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service’ OJ C 322 (5 November 2011) 19–20 and 41, esp.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

138

The Reach of European Union Data Protection Law

appropriate legal basis for the EU-Canada PNR Agreement, or if it must be based on Article 16 TFEU, the Court ruled that the Agreement should be based on both Article 16(2) (on the right to personal data protection) and Article 87(2)(a) TFEU (on police cooperation), thus giving it a specific human rights framing.120 Whilst the drive for the PNR Agreements was initially preserving the internal market, and then security, judicial, and police cooperation, the rationale behind them is now, explicitly, data protection and police cooperation; the US–EU PNR Agreement’s legal basis should reflect this move. Moving on from justifying a focus on fundamental rights, the EU could have certain positive and negative obligations of conduct and result to respect, protect and fulfil its data subjects’ rights, as outlined in Chapter 3 delineating an international human rights law assessment framework. These obligations could apply extraterritorially. The obligation to protect is a positive obligation of conduct, wherein the EU would be obliged to ensure a third party, namely the US DHS, does not violate someone’s right to data protection.121 The EU has the obligation to protect, which could legitimise the extension of its jurisdiction extraterritorially. Indeed, if the EU ‘is not willing to stand their ground and instead buckles to US pressure, the landscape of global privacy and data policy will most certainly tilt almost wholly to the US perspective’.122 Accordingly, whilst it does not directly owe anything to the global community, the EU would be enhancing privacy protections for more than its own citizens by vigilantly protecting its individuals’ data protection rights. The obligation to fulfil is also a positive one, but of result rather than conduct and would only extend to a place under the EU’s effective or virtual control. The EU itself was not interfering with an individual’s right to data protection and was thus respecting this right. This respect duty became one of [T]he EDPS considers that the purpose of the agreement, rather than improving police cooperation, is to mandate and authorise a transfer of personal data by private operators in view of the request of a third country. While such a transfer to a third country would in principle not be possible according to EU rules, the PNR agreement aims at enabling the transfer of personal data according to EU data protection requirements via the adoption of specific safeguards. (Ibid., European Data Protection Supervisor, 19) Whilst this refers to the EU–Australia PNR Agreement, its legal basis is identical to the US– EU PNR agreement, and its stated purposes are sufficiently similar for the EDPS’ comments to be relevant to the US–EU PNR Agreement, too. 120 Opinion 1/15 (n 13). 121 See, e.g., Jean-Franҫois Akandji-Kombe, Positive Obligations under the European Convention on Human Rights: A Guide to the Implementation of the ECHR (Council of Europe Publishing 2007) . 122 Louks, ‘(Fly) Anywhere but Here’ (n 87) 520.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

6.5 Jurisdictional Assessment

139

protect when the Union disallowed air carriers to transfer PNR data to the DHS. As this did not materialise because of the legal limbo for air carriers caught between US and EU law, meaning the right was therefore still being threatened, the EU further continued with its duty to protect by entering into negotiations with the US. Negotiating a high level of EU-style protection could constitute an extraterritorial element of the EU’s actions, which is justified under international human rights law. This extraterritoriality extended to the DHS’ data processing activities. Regarding control thresholds, the EU could be understood to have a degree of virtual control over its data subjects’ personal data. Importantly, part of the EU’s obligation to protect, namely ensuring the US offers redress mechanisms for EU individuals, extends extraterritorially. This extraterritorial reach also de jure extends to individuals who are beyond the EU’s effective or virtual control. Any individual, regardless of nationality, whose PNR data has been processed in a way incompatible with the Agreement, may seek administrative and judicial review in accordance with US law.123 In the present example, the EU carries out its obligation of conduct to protect by ensuring the US offers judicial redress for EU citizens during negotiations and reviews. By enacting relevant regulation within its territory, the EU usually carries out its obligation to facilitate rights within its own territorial boundaries. Such a wide jurisdictional net, however, could lead to politically difficult or unproductive outcome, so public international law could serve to shrink that net, as discussed below. 6.5.2 Territoriality EU authorities have attempted to ensure that the DHS safeguards EU individuals’ data protection rights when their PNR data is controlled, processed or stored in the US. A State has sovereignty over its territory and, even in the PNR context, the Article 29 Working Party had long recognised that ‘sovereign States do have discretion over the information that they can require from persons wishing to gain entry to their country’.124 This section equates applicable law with jurisdiction to discern the principles under which the EU may exercise extraterritorial prescriptive jurisdiction.125 123 124 125

PNR Agreement (2011) art 13(1). Article 29 Working Party, Opinion 6/2002 8. ‘In data protection law, the terms “applicable law” (i.e., which law applies to a particular act of data processing) and “jurisdiction” (i.e., which State or entity has regulatory power over it) are often conflated.’ Christopher Kuner, Transborder Data Flows and Data Privacy Law (Oxford University Press 2013) 121.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

140

The Reach of European Union Data Protection Law

Although the EU’s lack of leverage in negotiating the PNR Agreements meant it did not effectively ensure its individuals’ data protection rights when US entities processed their personal data, the US arguably has a stronger territorial claim to jurisdiction, so its privacy approach would prevail.126 In order to do business with the US, EU airlines must land their aircraft on US territory and are thus obliged to adhere to US law and transfer PNR data to the US authorities.127 This is ostensibly justified under public international law. Accordingly, ‘Europe has few carrots or sticks to use in negotiating privacy guarantees for such information’.128 Nonetheless, the 2007 Agreement, which did include stronger data protection provisions than the pre-2007 period, showed tangible EU influence and the initial signs of the global influence of the US–EU PNR Agreement. Indeed, acknowledging stronger EU data protection laws, US officials said the Agreement would most likely serve as a template for comparable arrangements covering travellers from Asia, South America and other areas.129 It would also serve as a model for the 2016 intraEU PNR Agreement. This Agreement, however, has been heavily criticised for not offering sufficient data protection guarantees due to its indiscriminate collection of personal data, which threatens the necessity and proportionality principles.130 The application of the 2011 PNR Agreement is potentially wide-ranging, but always ensures a territorial nexus to the EU. The scope article of the PNR Agreement reads as follows: This Agreement shall apply to carriers operating passenger flights between the European Union and the United States. . . . This Agreement shall also apply to carriers incorporated or storing data in the European Union and operating passenger flights to or from the United States.131

This broad scope is most likely to avoid EU data subjects finding themselves outside of protection. The PNR Agreement’s provisions apply to, for instance, an air carrier that stores personal data in the EU, but operates flights between the US and a third, non-EU State. As such, the PNR Agreement applies when there is a minor territorial connection to the EU, and possibly no citizenship

Bignami, ‘European versus American Liberty’ (n 47) 674 citing Restatement (Third) of the Foreign Relations Law of the United States (Am Law Inst 1987) 204. 127 Ibid. 128 Ibid. 129 Lewis and Hsu, ‘Travelers Face Greater Use of Personal Data’ (n 58). 130 EDPB ‘EDPB letter to the European Commission on the Commission report on the review of Directive 2016/681 on the use of PNR data’ OUT2021–0004 (22 January 2021). 131 PNR Agreement (2011) arts 2(2) and 2(3). 126

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

6.5 Jurisdictional Assessment

141

or residency-based connection. An EU level of data protection, to the extent the PNR Agreement actually reflects this level, could apply to personal data of non-EU citizens and third-State data subjects. The effect has been that, likely for pure convenience, the following broad reach of protection occurs: [The] DHS applies the same level of data protection required by the Agreement for all PNR (including the processing of PNR data not collected under the Agreement) it acquires and processes. This ensures that all PNR collected from flights between the EU and US is protected. . . . This is a positive effect of the Agreement and has raised the standard of data protection for all PNR collected by the US.132

To provide some guidance, the January 2014 draft report on the US National Security Agency surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs (the Moraes Report), drafted by the European Parliament Committee on Civil Liberties, Justice and Home Affairs, called upon the European Commission ‘to react to concerns that three of the major computerised reservation systems used by airlines worldwide are based in the US and that PNR data are saved in cloud systems operating on US soil under US law, which lacks data protection adequacy’.133 As such, the US has a strong territorial connection to a vast amount of PNR data that is currently subject to US law. Through the PNR Agreement, the EU can strengthen these data protection safeguards for a considerable amount of EU and non-EU personal data. In the PNR example, the principles in the Agreement could apply to personal data without the data subject being an EU citizen or resident, and without the effects of any interferences with data protection rights being felt in the EU or in a place under its effective control. An EU data subject would presumably have been physically present in the US at some stage of the trip for which their PNR data was collected. That said, air carriers transfer PNR data

132

133

Commission Staff Working Paper, ‘Joint review of the implementation of the Agreement between the European Union and the United States of America on the processing and transfer of passenger name records (PNR) to the United States Department of Homeland Security’ SWD(2017) 14 final (19 January 2017) 10. European Parliament, LIBE Committee, ‘Draft Report on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs’ (2013/2188 (INI)) (8 January 2014) para 46.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

142

The Reach of European Union Data Protection Law

to the DHS before an individual boards a plane. A natural person might not enter the US, yet the air carrier would already have transferred their personal data and US data processors would already be processing it. For the length of time it was stored on US servers, this personal data would be legally present in the US. It is worth recalling that an EU data subject’s rights could be violated even without any evident harm to the affected individual.134 As such, every EU data subject with PNR data in the US is a potential victim. It is the territorial connection to the EU, namely the departing or landing of a flight on EU territory, or an airline’s incorporation or storing of personal data in the EU, that triggers the Agreement’s application – without other limiting criteria. This appears to enable regulatory overreaching in that EU-style law diffuses into how the US DHS acts, but this spillover effect is not undesirable because more individuals enjoy higher privacy protections. In practice, the US is not protesting any perceived exercise of extraterritorial jurisdiction by the EU, but it has contested the broad application of privacy and data protection rights. The PNR Agreement falls most credibly within the subjective form of territoriality under public international law, where the State in which an act begins may exercise jurisdiction over that whole act. The act here is the transfer of personal data to the DHS in the US by EU airline carriers. As the act begins in the EU, it may exercise jurisdiction according to the subjective territorial principle. Although the act terminates in the US, EU protections would apply to PNR data collected by EU air carriers – even when it is processed and stored in the US, by US authorities, on US soil. According to the territoriality principle, the EU has a strong enough nexus to the regulated situation in order to exercise jurisdiction. Per the Agreement, this could be quite tenuous (an external carrier simply storing data in the EU), but it means all relevant data subjects are protected thanks to this broad-reaching territorial connection. 6.5.3 Personality Several provisions in the PNR Agreement explicitly apply regardless of the data subject’s nationality or residency.135 As suggested above, the PNR 134

135

Marko Milanovic, ‘Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age’ (2015) 56(1) Harvard International Law Journal 81, 134 citing Huvig v France App no 11105/ 84 (ECtHR, 24 April 1990) para 35. PNR Agreement (2011) art 11 (access), art 12 (correction or rectification), art 13 (redress) and art 14 (oversight) offer protections for ‘any individual, regardless of nationality, country of origin, or place of residence’.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

6.5 Jurisdictional Assessment

143

Agreement seems to apply based solely on a territorial connection between the air carrier and the EU. In negotiating the various agreements, however, it appears that the EU is keen to ensure specific provisions apply explicitly to EU individuals.136 The DHS, too, is attempting to apply these provisions to EU citizens and residents or, in its own lingo, ‘EU-related’ situations, as explored below. Regarding safeguards applicable to the use of PNR data and onward data transfers, the 2011 Agreement explicitly mentions EU citizens and residents almost as a second-tier requirement for the application of jurisdiction.137 Having established enough of a territorial hook for the Agreement’s provisions – and by extension, a version of EU data protection law – to apply to the PNR data, the Agreement then focuses on prescribing what would apply to EU residents and citizens. In a way, the EU is also exercising jurisdiction based on the nationality of the potential victims, being EU citizens or residents. The section below expands upon this further, distinguishing between the EU’s exercise of prescriptive jurisdiction in concluding the Agreement and applicable law in how the Agreement’s provisions apply and to whom. Applicable law draws parallels with prescriptive (as opposed to adjudicatory or enforcement) jurisdiction, so most of this research conflates the two concepts. Unlike the 2004 and 2007 Agreements, the 2011 Agreement includes mention of EU citizens and residents, rather than only EU territory. On data security, the Agreement prescribes that the DHS shall inform relevant EU authorities about significant privacy incidents resulting from specific situations and ‘involving PNR of EU citizens or residents’.138 The DHS did not report significant privacy incidents pertaining to EU citizens or residents in the 2013 and 2015 reviews, so it is unclear how the DHS in this instance distinguishes between personal data according to the citizenship or place of residence of the data subject.139 Similarly, regarding onward transfer of personal data, ‘[w]here DHS is aware that PNR of a

136

137 138 139

Cf the PNR Agreement (2011) with the 2004 and 2007 PNR Agreements: the 2004 Agreement mentions only territory as a jurisdictional trigger and the 2007 Agreement begins to mention how its provisions could apply to individuals: ‘air carriers with reservation/departure control systems located within the territory of the Member States of the European Community . . . concerning flights to or from the U.S.’. 2004 Agreement, preamble. Regarding access and redress rights in the 2007 Agreement, the DHS ‘made a policy decision to extend administrative Privacy Act protections to PNR data stored in the ATS regardless of the nationality or country of residence of the data subject, including data that relates to European citizens’. US letter to the EU within the framework of the 2007 Agreement, IV. PNR Agreement (2011) art 5(4) and art 17(4). Ibid., art 5(4). European Commission, ‘Joint Review’ 2013 30.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

144

The Reach of European Union Data Protection Law

citizen or a resident of an EU Member State is transferred, the competent authorities of the concerned Member State shall be informed’.140 Concerning ‘EU-related’ Freedom of Information Act (FOIA) PNR requests as part of access and judicial review processes, the DHS considers an access request (under the FOIA) as ‘EU-related’ if the requester ‘claims citizenship, a mailing address, or place of birth in the EU’.141 Between the June 2013 and May 2015 review period, 24 per cent of such requests were ‘EUrelated’, which shows the DHS can make some sort of distinction.142 Nonetheless, the parties sought to further clarify this distinction, although largely for reporting purposes. The DHS acknowledged that it ‘had to make assumptions about EU-related PNR access and redress requests during the course of its review’ and thus recommended that it ‘should create a means to determine if/how requests for access to or redress involving PNR were received from EU citizens or residents’, so it could better report on the categories of people using the DHS Traveller Redress Inquiry Program (TRIP).143 As the DHS TRIP does not ask for the citizenship of individuals seeking redress, the DHS Privacy Office had to make assumptions according to a stated EU place of birth or address.144 In its 2015 review, the European Commission said it welcomed and saw as a positive step the DHS’ recommendation to create a way to determine whether EU citizens or residents were filing access and redress requests.145 As such, although there is no infallible way to connect an EU data subject with their personal data and, subsequently, how it is treated in terms of access and redress, the two parties are attempting to make this easier and more practical. The citizenship/residence connection appears to be a strong limiting factor. Some processes that the US–EU Agreement prescribes, pertaining to access to data and redress opportunities, are explicitly available to ‘any individual, regardless of nationality, country of origin, or place of residence’.146 This clearly broadens the PNR Agreement’s scope to non-EU citizens or residents. 140

PNR Agreement (2011) art 17(4). DHS, ‘A Report on the Use and Transfer of Passenger Name Records between the European Union and the United States Privacy Office’ U.S Department of Homeland Security (26 June 2015) 24. 142 Ibid., 24. 143 Ibid., 6. 144 Ibid., 25. 145 Commission Staff Working Paper, ‘Joint Review of the Implementation of the Agreement between the European Union and the United States of America on the Processing and Transfer of Passenger Name Records (PNR) to the United States Department of Homeland Security’ SWD(2017) 14 final (19 January 2017) 19. 146 PNR Agreement (2011) arts 11(1), 12(1), 13 and 14(1). 141

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

6.5 Jurisdictional Assessment

145

Indeed, a data subject with no direct or indirect link to the EU could exercise certain access and redress rights pursuant to the US–EU PNR Agreement. Its broad reach, based on only a territorial and no additional personality basis for exercising jurisdiction, shows the diffusion of EU law or, at least, certain watered-down manifestations of its core data protection principles present in the PNR Agreement. Namely, any individual may request access to their PNR data and may seek its correction or rectification, including erasure or blocking.147 Regarding redress, any individual may seek effective administrative and judicial redress under US law; seek to challenge DHS decisions related to PNR data use and processing; and petition for judicial review in accordance with applicable law and relevant provisions of specific US laws.148 Anyone who believes they have been ‘delayed or prohibited from boarding a commercial aircraft because they were wrongly identified as a threat’ may use administrative means provided by the DHS TRIP to obtain redress.149 Furthermore, any individual may bring complaints regarding non-compliance with the PNR Agreement.150

6.5.4 Mitigating Factors This section makes recommendations on how much EU data protection law ought to filter into the PNR Agreement. It outlines how strong each party’s connection to the data processing act is. It then attempts to balance their interests and suggests how the EU should reasonably negotiate the Agreement. Granted the approach is not perfect and there could be instances where certain interests are not being sufficiently protected, but it is a suggestion based on the assessment frameworks outlined in Chapters 3, 4 and 5 that aims to be legitimate, effective and reasonable. The de jure territorial link in the PNR Agreement ought not to be tenuous, so it should apply only to air carriers operating flights between the US and EU, and only to PNR data collected in relation to these flights. Despite what happens in practice, with the US–EU PNR Agreement provisions applying to most PNR data that the US collects worldwide, the Agreement should not apply to carriers incorporated or storing personal data in the Union, with no

147 148 149 150

Ibid., arts 11(1) and 12(1). Ibid., art 13 (1)–(3). Ibid., art 13(4). Ibid., art 14(1).

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

146

The Reach of European Union Data Protection Law

further territorial link. In practice, it is not clear whether this latter provision covers any personal data that the first part would not otherwise include. To establish a genuine connection between the EU and the regulated situation, the PNR Agreement should apply only to personal data pertaining to EU citizens or residents, established in the PNR data per se. Indeed, as the DHS can already discern what constitutes ‘EU-related’ situations, it should use these capabilities to further hone the nationality/residence-based connection needed to limit the reach of EU data protection principles. The PNR Agreement’s provision that ‘any individual, regardless of nationality, country of origin, or place of residence’ is entitled to redress in the US per EU data protection law reaches too far. Requiring this extra degree of connection to the EU strengthens its claim to influence the data-processing provisions. The EU should act reasonably. Specifically, the US does have important security interests it is protecting with the PNR Agreement. Indeed, in view of the early extraterritoriality of the ATSA and how its pro-security principles in the Agreement have largely withstood negotiations, the US’ security interests are being well preserved. Security concerns are legitimate and it is important to balance them with other interests.151 It is reasonable for the EU to seek to have its core data protection principles apply in the context of the PNR data. It would be unwieldy to expect the DHS to adhere to, for instance, minor procedural requirements. Pragmatically, this approach would also avoid further political recriminations from the US government. In line with the EU’s fundamental rights obligations, stronger manifestations of core EU data protection law principles should be incorporated into the PNR Agreement and perhaps ultimately diffuse into the US’ own practices. Specifically in this context, these include necessity and proportionality as part of the data minimisation principle, that is, collecting personal data that is adequate, relevant and limited to what is necessary to achieve the purposes for its collection. Justified and legitimised by international human rights law, the EU should extend its law as interpreted in CJEU judgments to international agreement negotiations. CJEU Opinion 1-15, which pertains to the Canada–EU PNR Agreement, should influence the content of the US–EU PNR Agreement in future negotiations. In that ruling, the CJEU held that ‘the high level of protection of fundamental rights and freedoms conferred by EU law continues where personal data is transferred from the European Union to

151

The CJEU should ensure that PNR Agreements ‘reflect a fair balance between the legitimate desire to maintain public security and the equally fundamental right for everyone to be able to enjoy a high level of protection of his private life and his own data’. Opinion 1/15 [2016] ECLI: EU:C:2016:656, Opinion of AG Mengozzi para 8.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

6.6 Spreading a Global Passenger Name Record Processing Norm

147

a non-member country’.152 This protection must be effective in practice and essentially equivalent to the standard guaranteed in the Union.153 In other words, the DHS and other US governmental authorities will feel the ramifications of an EU law court decision that will ultimately affect how they may or may not process specific personal data. The EU and US have a shared interest in ensuring international security, which could be a driving force for convergence in their data privacy laws.154 Europe inevitably has interests in enhancing security and preventing serious crime, and the US can help Europe further these interests through sharing its intelligence data.155 Similarly, the US may have a legitimate basis to exercise ‘jurisdiction to prescribe law with respect to . . . certain conduct outside its territory by persons not its nationals that is directed against the security of the state or against a limited class of other state interests’.156 This raises questions of how far each party’s extraterritoriality could extend. The territorial connection between the US and the EU should be clear; there ought to be additional connecting factors, namely a data subject’s nationality/residence-based affiliation with the EU; and EU negotiators should advocate for certain core EU data protection principles to be more visible in the PNR Agreement and applied in practice. This territorial expansion of EU law, which has a stronger territorial connection to the regulated situation, is permitted, reasonable and needed to safeguard its data subjects.

6.6 spreading a global passenger name record processing norm The EU’s actions with extraterritorial effect regarding the US–EU PNR Agreement (and, indeed, the other PNR Agreements the EU has with third States) have led to greater harmonisation amongst worldwide PNR data transfers and processing as these third States modify their standards to achieve adequate protection.157 They have created harmonisation networks between

152 153 154

155

156 157

Opinion 1/15 (n 13) para 134. Ibid. Paul M Schwartz and Karl-Nikolaus Peifer, ‘Transatlantic Data Privacy’ (2017) 106 Georgetown Law Journal 115, 168. ‘Time to Get Serious about Europe’s Sabotage of US Terror Intelligence Programs’ The Washington Post (5 January 2016). Restatement (Third) of the Foreign Relations Law of the United States (n 126) 402(3). Council Decision of 18 July 2005 on the conclusion of an Agreement between the European Community and the Government of Canada on the processing of API/PNR data [2006] (OJ L 82); Agreement between the European Union and Australia on the processing and transfer of

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

148

The Reach of European Union Data Protection Law

public and private actors.158 As outlined above, the DHS applies the same level of data protection as in the US–EU PNR Agreement to all PNR data it processes, which has ‘raised the standard of data protection for all PNR collected by the US’.159 The EU could be the forerunner for establishing a global approach to data protection that reflects its own.160 Indeed, what was initially the EU extending the applicability of its own regulation to data processing in the US has become the EU setting global standards for data flows.161 Already in 2010, the European Commission suggested that the EU should ‘examine the possibility of setting out standards at the international level for transmitting and using [PNR] data, and consequently of replacing its bilateral PNR agreements with a multilateral one’.162 The Commission also outlined specific, key EU data protection principles those third States should apply.163 The EU is ‘emerging as a global actor aiming to shape global, multilateral standards on PNR transfers’ and to ‘set best global practice’.164 Going further, calling this approach a strategy conveys ‘the intentional ambitions of the EU as a global actor’.165 In extending the reach of its own fundamental rights laws and values, the EU has been setting a high standard – initially unwittingly, but with

Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service [2012] OJ:186/4. 158 Anne-Marie Slaughter, A New World Order (Princeton University Press 2005) 59–61. 159 Commission Staff Working Paper, ‘Joint Review of the Implementation of the Agreement between the European Union and the United States of America on the Processing and Transfer of Passenger Name Records (PNR) to the United States Department of Homeland Security’ SWD(2017) 14 final (19 January 2017) 10. 160 See the intra-EU PNR Directive: Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime [2016] OJ L 119. 161 Kuner’s statement from 2013 now appears to have evolved: States and regional organizations have concentrated on extending the applicability of their own regulation to the processing of data in other countries, rather than on developing global standards for transborder data flows. This reflects the fact that transborder data flow regulation is still often viewed as a way to protect the rights and interests of a State’s own citizens, rather than as a matter of international importance. (Kuner, Transborder Data Flows and Data Privacy Law (n 125) 142.) 162

163 164

165

Commission, ‘The Global Approach to Transfers of Passenger Name Record (PNR) Data to Third Countries’ (Communication) COM (2010) 492 final. Ibid. Mitsilegas, ‘Surveillance and Digital Privacy in the Transatlantic “War on Terror”’ (n 65) 63; Fahey and Curtin, The Global Reach of EU Law (n 48) 111. Fahey and Curtin, The Global Reach of EU Law (n 48) 110.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

6.7 Interim Conclusion

149

apparently growing normative aims – for PNR data processing worldwide. The CJEU’s Opinion 1-15 can serve to influence these global standards to make them even more privacy-preserving.

6.7 interim conclusion To better safeguard the data protection rights of EU data subjects, in negotiations with the US, EU authorities should push for the PNR Agreement to incorporate more EU data protection standards. If incorporated into the Agreement, this could be seen as a necessary form of legal diffusion beyond its borders. The Agreement could and should better protect EU citizens/ residents’ fundamental right to data protection. This scope for improvement lends itself to a soft form of the extraterritorial application of EU law. In conclusion, US–EU PNR Agreement negotiations and the resulting versions of the Agreements exemplify how the EU’s and US’ clashing values of data protection and security manifest as tensions in jurisdiction. Each party understandably tries to protect its own interests during negotiations, but it is the EU that attempts to ensure its protection standards apply to EU individuals’ personal data transferred to the US. Whilst the PNR Agreements reflect many original US demands, the EU’s continual renegotiation efforts show it remains dissatisfied with the Agreements’ lack of personal data protection. Rather than the EU’s outright claiming the authority to regulate the whole data-processing act, the PNR negotiations and various Agreements show a collaborative effort in law and policymaking.166 Nonetheless, a territorial link between the EU and its exercise of jurisdiction, as well as a nationality-based link, suggest the EU has the authority to prescribe the law pertaining to its data subjects’ PNR data transferred to the DHS. Through the PNR Agreement, the EU has managed to raise protection levels for PNR data everywhere, as well as concretise rules applicable to ‘any individual’, so it is spreading a high-level PNR-processing standard and promoting important fundamental rights.

166

Paul M Schwartz, ‘The EU–US Privacy Collision: A Turn to Institutions and Procedures’ (2013) 126 Harvard Law Review 1966, 1967.

https://doi.org/10.1017/9781108784818.006 Published online by Cambridge University Press

7 Data Protection and the Free Flow of Information

7.1 introduction In response to the European Commission’s 2012 proposed General Data Protection Regulation (GDPR) text, in 2013, a US diplomat warned that if the EU’s ‘right to be forgotten’ proposals were followed through, a ‘trade war’ would ensue.1 Soon thereafter, this specific manifestation of the ‘right to be forgotten’ was formally enshrined in EU law.2 No trade war has occurred, but the affirmation of this right and the potential far-reaching consequences have prompted strong reactions on both sides of the Atlantic. This research uses the ‘right to erasure’ to encapsulate what has been popularly termed, somewhat misleadingly, the ‘right to be forgotten’.3 The right to erasure is an individual’s right to ask a data controller to rectify, delete or block certain data pertaining to themself, where it is unlawfully processed or there is no longer a compelling reason for its continued processing.4 In its landmark Google Spain case,

1

2

3

4

‘US Diplomat Warns of “Trade War” If “Right to Be Forgotten” Proposals Are Followed Through’, Out-Law (2013) . For a comprehensive outline of the right’s history, from a 1973 Council of Europe Resolution to the General Data Protection Regulation (GDPR) and related jurisprudence, see Jef Ausloos, The Right to Erasure in EU Data Protection Law: From Individual Rights to Personal Protection (Oxford University Press 2020) 91–104. Christiana Markou, ‘The “Right to Be Forgotten”: Ten Reasons Why It Should Be Forgotten’ in Serge Gutwirth, Ronald Leenes and Paul De Hert (eds), Reforming European Data Protection Law (Springer 2015) 229; Bert-Jaap Koops, ‘The Trouble with European Data Protection Law’ (2014) 4(4) International Data Privacy Law 250, 258. In the GDPR, the relevant article is called ‘Right to erasure (“right to be forgotten”)’ Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L 119 (GDPR) art 17. See, e.g., GDPR art 17.

150

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

7.1 Introduction

151

outlined below, the CJEU ruled that data subjects may ask search engine operators to delist certain search results pertaining to them and, in specific circumstances, the search engine operators would have to delist them.5 Transatlantic tensions over the reach of prescriptive jurisdiction concerning the right to data protection in contrast with the right to freedom of expression were particularly evident after the right to erasure gained legal traction. This is because the application of the right could have ramifications for the US, US companies and its citizens, but also because the US and EU have incongruent value-based approaches to the rights to data protection and freedom of expression. Online search engines, which are important because they can be data controllers and therefore have certain responsibilities under EU data protection law, no matter where they are based, can simultaneously facilitate and threaten both rights. It is, therefore, most interesting to examine these jurisdictional tensions in view of online privacy and freedom of expression. In the Google Spain case, a Spanish national sought to be able to request that Google Spain or Google Inc. remove apparently irrelevant search results about his past financial situation.6 The Court considered questions of (i) the scope of application ratione materiae of the Data Protection Directive (DPD); (ii) the territorial scope of the DPD; (iii) the responsibility of a search engine operator for the results it produces; and (iv) whether a data subject has the right to ask for these search results to be delisted.7 The Court established that the DPD applied to the situation by asserting that a search engine was a data controller that processed personal data, even though such personal data had been published elsewhere by a third party.8 Further, the Court creatively established jurisdiction over the situation. Google Inc., the US-incorporated parent company, processes the relevant personal data during searches and its subsidiary Google Spain only sells advertising space.9 The Court considered selling advertising space to constitute data processing ‘in the context of the activities of an establishment of the controller on the territory of a member state’, thus satisfying the DPD’s applicable law provision.10 As the search engine operator’s activities enable those relating to advertising space, which

5

6 7

8 9 10

Case C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez [2014] ECLI:EU:C: 2014:317. Ibid., para 15. Ibid., para 20; Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ 1995 L 281/31 (DPD). Ibid., paras 33–34. Ibid., para 56. Ibid., para 60.

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

152

Data Protection and the Free Flow of Information

renders Google profitable, the activities of the controller and the establishment thereof were considered ‘inextricably linked’, which was necessary for the Court to establish that the DPD (or Spanish data protection law) could apply to the situation.11 By extension, it could regulate some of Google Inc.’s activities. In this instance, a US company (Google) was contending the reach of EU data protection law in relation to the Google Spain decision.12 Moreover, US officials resisted the reach of the right to erasure as enshrined in the GDPR.13 Pro-privacy EU regulators advocate an approach whereby the particular form of the right to be forgotten established in Google Spain and refined in the GDPR would have implications in third-State jurisdictions.14 Google and US stakeholders contend this jurisdictional (over)reach, in part because it interferes with approaches to the relevant rights and freedoms in the US.15 Furthermore, various actors affected by the decision have exhibited confused, often misinformed, reactions to how the judgment has de facto been implemented. For instance, in a 2019 CJEU case, Google v CNIL, the Court ruled on the global reach of the implementation of the right to erasure.16 Scholars from both Europe and, increasingly, the US have grappled with these issues.17

11 12

13 14

15 16

17

Ibid., para 56. Peter Fleischer, ‘Reflecting on the Right to Be Forgotten’ (Google Blog – The Keyword, 9 December 2016) . For example, ‘US Diplomat Warns of “Trade War”’, (n 1). Article 29 Working Party, ‘Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12’ (WP 225, 26 November 2014) 3. Fleischer, ‘Reflecting on the Right to Be Forgotten’ (n 12). Case C-505/17 Google Inc. v Commission nationale de l’informatique et des libertés (CNIL) [2019] ECLI:EU:C:2019:772; ‘How far do privacy rights extend temporally (do they ever expire and, if so, under what circumstances) [and] spatially [?]’ – Robert Kirk Walker, ‘The Right to Be Forgotten’ (2012) 64(111) Hastings Law Journal 257, 261. See, inter alia, Oskar Josef Gstrein and Andrej Janko Zwitter, ‘Extraterritorial Application of the GDPR: Promoting European Values or Power?’ (2021) 10(3) Internet Policy Review 2; Ausloos, The Right to Erasure in EU Data Protection Law (n 2); Selen Uncular, ‘The Right to Removal in the Time of Post-Google Spain: Myth or Reality under General Data Protection Regulation?’ (2019) 33(3) International Review of Law, Computers & Technology 309; Robert Post, ‘Data Privacy and Dignitary Privacy: Google Spain, the Right to Be Forgotten, and the Construction of the Public Sphere’ (2017) Yale Law School, Public Law Research Paper No 598; Stefan Kulk and Frederik Zuiderveen Borgesius, ‘Privacy, Freedom of Expression, and the Right to Be Forgotten in Europe’ in Jules Polonetsky, Omer Tene and Evan Selinger (eds), Cambridge Handbook of Consumer Privacy (Cambridge University Press 2017) 301–320; Michael J Kelly and David Satola, ‘The Right to Be Forgotten’ (2017) 1 University of Illinois Law Review 1; Edward Lee, ‘Recognizing Rights in Real Time – The Role of Google in the EU Right to Be Forgotten’ (2016) 49 UC Davis Law Review 1017; Krystyna Kowalik-Banczyk ´ and Oreste Pollicino, ‘Migration of European Judicial Ideas Concerning Jurisdiction Over Google

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

7.2 Framing the Jurisdictional Questions

153

Such transatlantic tension and confusion over which actors are affected by EU law warrants a reconsideration of how aspects of the right to erasure ought to apply. Unlike the previous chapter, the nature of this problem invites a very specific set of recommendations. This section explores constitutionally protected values held dear to both US and EU individuals.

7.2 framing the jurisdictional questions The Google Spain right to erasure case before the CJEU concerns Google and its EU activities vis-à-vis an EU individual, not the US and the EU directly. That said, Google is closely aligned with US ideas of the freedom of expression and freedom of speech. The States were not principally involved; rather, individual users raised the issues and they were played out on a company level.18 What does implicate the EU and the US, however, is the right to erasure as enshrined in the GDPR. As Chapters 3 and 4 showed, the GDPR has a wide scope of application. It includes an explicit right to erasure/ ‘right to be forgotten’, unlike any right in the US. What could prompt manifest transatlantic conflicts in jurisdiction would be situations in which EU lawmakers attempt to prescribe that right for those in the US or US data subjects. This research understands the EU’s exercise of prescriptive jurisdiction in the Google Spain case and subsequent developments as analogous to how Google has implemented the judgment (whether properly or not), as it is in essence adhering to EU law as interpreted by the CJEU. Google’s actions outside the EU show the reach of EU law. With that approach, the research can assess the application of the right to erasure in the EU according to the laws of jurisdiction. This chapter describes Google’s implementation of the judgment both de jure and de facto, with a real-life attempt at exercising the right to erasure. It also outlines the Google v CNIL case and shows how the Court was eminently reasonable in arriving at its decision. Data protection has two important facets, namely to protect a person’s right to privacy and enable the free flow of information. First, this section outlines the right to freedom of expression generally. It then describes US and EU conceptual approaches to the freedom of expression. Second, it examines more closely the right to the protection of personal data in tension with the freedom to receive and impart information, termed here as the free flow of information. It uses the right to erasure as the main example of such conflicts.

18

on Withdrawal of Information’ (2016) 17(3) German Law Journal 315; Jeffrey Toobin, ‘The Solace of Oblivion’ The New Yorker (29 September 2014). Cf Costeja González and Google in Google Spain and Schrems and Facebook in Schrems.

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

154

Data Protection and the Free Flow of Information

Third, the section assesses the tensions using a three-pronged assessment framework. It applies international human rights law to determine the EU’s extraterritorial obligations; it then uses concepts of territoriality, nationality and certain other principles of extraterritorial jurisdiction under public international law to analyse how these obligations may be exercised; and finally applies some methods to lessen troublesome jurisdictional overreach.19 To conclude, the section offers some ways to reduce unwanted US-EU discord over how the EU exercises jurisdiction regarding the right to erasure by recommending how Google and similar entities should implement the Google Spain decision.

7.2.1 The Freedom of Expression The right to freedom of expression encompasses someone’s right ‘to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers’.20 It is a fundamental freedom stemming from personal autonomy and democratic values.21 The right to freedom of expression is multifaceted, being closely linked to freedom of thought, freedom of speech, developing and holding opinions, and selffulfilment. Being a so-called first-generation right, it has a political focus. The right is geared towards individuals yet has societal ramifications.22 The right to freedom of expression is enshrined in many international, regional and national instruments.23 The International Covenant on Civil and Political Rights (ICCPR) outlines it as follows (the italicised parts are particularly relevant to the subsequent analysis): 19

20 21

22 23

See the article by Brendan Van Alsenoy and Marieke Koekkoek that also takes a public international law approach to delineating the reach of the Google Spain judgment: Brendan Van Alsenoy and Marieke Koekkoek, ‘Internet and Jurisdiction after Google Spain: The Extraterritorial Reach of the “Right to Be Delisted”’ (2015) 5(2) International Data Privacy Law 105. That article was published before Google changed its approach to implementing the decision, but is nevertheless applicable and relevant today. Universal Declaration of Human Rights, 10 December 1948, 217 A (III) art 19. Nicola Wenzel, ‘Opinion and Expression, Freedom of, International Protection’, Max Planck Encyclopedia of Public International Law (Article last updated: April 2014) (Online version Oxford University Press). ; Rikke Frank Jørgensen, ‘The Right to Express Oneself and to Seek Information’ in Rikke Frank Jørgensen (ed), Human Rights in the Global Information Society (MIT Press 2006) 53. Jørgensen, ‘The Right to Express Oneself and to Seek Information’ (n 21) 54. See, inter alia, UDHR art 19; Organization of American States, American Convention on Human Rights, 22 November 1969, art 13; Organization of African Unity, African Charter on Human and Peoples’ Rights, 27 June 1981, art 9.

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

7.2 Framing the Jurisdictional Questions

155

1. Everyone shall have the right to hold opinions without interference. 2. Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice. 3. The exercise of the rights provided for in paragraph 2 of this article carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary: (a) For respect of the rights or reputations of others; (b) For the protection of national security or of public order (ordre public), or of public health or morals.24

The Internet has had a monumental effect on the right to freedom of expression. Its borderless nature raises questions of how to protect competing rights and freedoms online in multiple jurisdictions. Such questions are explored below. 7.2.2 The Free Flow of Information The freedom to impart and receive information is a key component of the freedom of expression.25 It is not absolute and may be subject to limitations. One can make connections between the rights to freedom of expression and the free flow of information; the rights to privacy and data protection; technological innovations with mass audiences; and resulting new challenges.26 Indeed, the very structure of the Internet favours the free flow of information. States that seek to restrict this right appear to challenge an important, inherent characteristic of the online sphere. Accordingly, both issues of balancing the free flow of information with data protection rights online and how to allocate prescriptive jurisdiction have important implications beyond simply formulaic legal requirements.27 Interesting to these considerations is how States approach the right to erasure, which entails a data subject’s right to have a data controller erase personal data concerning themself in certain circumstances.28 This right has been the subject of court rulings, political discussion and academic 24

25

26 27

28

International Covenant on Civil and Political Rights, 23 March 1976, 999 UNTS 171 art 19 (emphasis added). See, too, Council of the EU, ‘EU Human Rights Guidelines on Freedom of Expression Online and Offline’ (12 May 2014) 14. Ibid., 6. Horatia Muir Watt, ‘Yahoo! Cyber-Collision of Cultures: Who Regulates?’ (2003) 24 Michigan Journal of International Law 673, 680. As codified for the EU in the GDPR art 17.

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

156

Data Protection and the Free Flow of Information

comment, as will be expanded upon below. An important manifestation of this right involves having the right to request that search engine operators delist search results. Search engines can enhance the public’s right to have access to information, thus facilitating a corollary to freedom of expression.29 They enable and sustain the free flow of information, thought and opinions, thus promoting self-expression and serving free speech interests.30 Having briefly outlined the freedom of expression, Section 7.2.3 looks at transatlantic conceptual approaches thereto, especially in relation to the right to data protection and the right to erasure. 7.2.3 The Freedom of Expression, the Free Flow of Information and the Right to Erasure The legal traditions on both sides of the Atlantic generally differ regarding the freedom of expression and privacy. The right to freedom of expression is enshrined in the First Amendment to the US Constitution, as below: Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.31

The broader European tradition more readily connects privacy with personal dignity, implying the right to sculpt one’s public image.32 These origins are evident in the right to erasure. Similar to the ICCPR, the European Convention on Human Rights (ECHR) outlines the following: Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. . . . The exercise of these freedoms [may be restricted] for the protection of the reputation or rights of others . . ..33 29

30

31 32 33

Eleni Frantziou, ‘Further Developments in the Right to Be Forgotten: The European Court of Justice’s Judgment in Case C-131/12, Google Spain, SL, Google Inc v Agencia Espanola de Proteccion de Datos’ (2014) 14(4) Human Rights Law Review 761, 769 (citations omitted). David Erdos, ‘Confused? Analysing the Scope of Freedom of Speech Protection vis-à-vis European Data Protection’ (2012) University of Oxford Legal Research Paper Series, Paper No 48/2012, 19 citing C-73/07 Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy [2008] ECLI:EU:C:2008:727 para 62; Ibid., 35. US Const (1787), amendment 1. Walker, ‘The Right to Be Forgotten’ (n 16) 270 (citations omitted). Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended, 4 November 1950, ETS 5 art 10 (1) and (2) (emphasis added; relevant in subsequent sections).

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

7.2 Framing the Jurisdictional Questions

157

Applying to a smaller number of States and only when they implement EU law, the Charter of Fundamental Rights of the European Union (EU Charter) is more concise, but broadly similar: Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.34

It is well established that the US ‘has traditionally emphasized freedom of expression over privacy, as a fundamental value’.35 Whilst the difference should not be overstated, US authorities, namely the US Supreme Court, tend to ascribe the First Amendment of the US Constitution’s provisions on freedom of expression more weight when balancing it with the right to privacy.36 That the Internet entails largely free information exchange, unimportant geographical location and relative anonymity shows how it lends itself well to the US’ emphasis on freedom of expression.37 It was noted in 2003 and in response to the landmark French case LICRA v Yahoo!38 that the Internet

34

35

36

37 38

Charter of Fundamental Rights of the European Union [2010] OJ C 83/02 art 11 (emphasis added; relevant in subsequent sections). Steven C Bennett, ‘The “Right to Be Forgotten”: Reconciling EU and US Perspectives’ (2012) 30(1) Berkeley Journal of International Law, 169 citing Ian Ballon, E-Commerce and Internet Law (Glasser Legalworks 2011) §26.01. The two sides tend to strike a different balance between privacy and freedom of expression. While there are important exceptions to this general rule, the US Supreme Court has at times tended to favor the First Amendment’s protection for freedom of expression when it stands in tension with privacy, while in similar situations the CJEU has tended to favor data protection and privacy rights over freedom of expression. (Privacy Bridges, ‘EU and US Privacy Experts in Search of Transatlantic Privacy Solutions’ (2015) 19 .) Muir Watt, ‘Yahoo! Cyber-Collision of Cultures’ (n 27) 678. This landmark case involved the sale of Nazi memorabilia on the French version of search engine Yahoo! Inc. It raised questions of whether the US-incorporated Yahoo! Inc., with servers on US territory, could be prosecuted by French courts adhering to French law and how US courts should enforce the French court’s judgment. It is a classic example of US values of freedom of expression colliding with French, and broadly European, values that make it a hate crime to offer Nazi memorabilia. The case also raised issues of the reach of the effects doctrine and targeting as applied to online content. In the end, Yahoo! Inc. was ordered to use geolocation technology to bar the sale of Nazi memorabilia to those located in France. These issues have since surfaced again, but Google Spain is more relevant to the present discussion because it concerns the free flow of information more so than Yahoo!, which focuses on freedom of speech. Association ‘l’Union des Etudiant Juifs de France’, la ‘Ligue Contre le Racisme et l’Antisemitisme’c. Yahoo! et Yahoo France [2000], 22 May 2000; Association ‘l’Union des Etudiant Juifs de France’, la ‘Ligue contre le Racisme et l’Antisemitisme’ v. Yahoo! et Yahoo France [2000], 20 November 2000. See, inter alia, Marc H Greenberg,

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

158

Data Protection and the Free Flow of Information

provided for an increasing number of international conflicts that involved differing fundamental public values – most notably the freedom of expression.39 US privacy law is codified in various privacy torts.40 The First Amendment protects the hallowed freedom of speech and expression.41 No subsequent Amendments have established a comparable right to privacy so explicitly.42 There exist several US case examples of free speech trumping privacy rights.43 The landmark case Florida Star concerned a newspaper’s accidental printing of a rape victim’s name, the publication of which was illegal in Florida.44 The trial court and eventually the Florida First District Court of Appeal maintained that the publication was unlawful and awarded the victim damages.45 Upon appeal to the US Supreme Court, however, the Court ruled that the earlier decisions violated the First Amendment as the publication contained true information obtained lawfully. As such, the Supreme Court affirmed that freedom of speech, and particularly of the press, overrode privacy concerns.46 The breadth of First Amendment protections post-Florida Star is such that the free speech and expression rights of creators of websites and third-party websites surpass the privacy rights of data subjects.47 Particularly regarding the right to erasure, US law ‘operates with assumptions and values that do not correspond’ to those of EU citizens.48 In a US–EU setting, the notion that ‘the First Amendment would make a “right to be forgotten” virtually impossible to create or enforce in the American legal system’ confirms assertions made about how the right could not easily transfer across the Atlantic.49 In particular, First Amendment protections offered to publications would make it difficult for US courts to admit requests for

39 40 41 42

43 44 45 46 47 48 49

‘A Return to Lilliput: The LICRA v. Yahoo – Case and the Regulation of Online Content in the World Market’ (2003) 18(4) The Berkeley Technology Law Journal 1191. Muir Watt, ‘Yahoo! Cyber-Collision of Cultures’ (n 27) 674. Walker, ‘The Right to Be Forgotten’ (n 16) 263–264. US Const (1787), amendment 1. Franz Werro, ‘The Right to Inform v. the Right to Be Forgotten: A Transatlantic Clash’ in Aurelia Colombi Ciacchi, Christine Godt, Peter Rott and Leslie Jane Smith (eds), Haftungsrecht im dritten Millennium – Liability in the Third Millennium (Nomos 2009) 291–292. Walker, ‘The Right to Be Forgotten’ (n 16) 257–286, 266. Florida Star v BJF, 491 US 524 (1989). Ibid. Ibid. Walker, ‘The Right to Be Forgotten’ (n 16) 275–278. Werro, ‘The Right to Inform v. the Right to Be Forgotten’ (n 42) 286. Matt Ford, ‘Will Europe Censor This Article? The Troubling Implications of the EU’s New “Right to Be Forgotten”’ The Atlantic (13 May 2014).

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

7.3 The Right to Erasure in the EU

159

delisting information that had been made public.50 Furthermore, even if approaches to privacy in the US changed to become closer to the European approach, ‘the right to be forgotten clashes fundamentally with First Amendment values, and its application poses an explicit threat to free speech’.51 Section 7.3 examines the right to erasure in the EU and the potential effects of its extraterritoriality on US law.

7.3 the right to erasure in the eu This section expands on the right to erasure in the EU in legal texts and jurisprudence. It outlines the Google Spain case and transatlantic reactions to its outcome. Next, the section examines the extraterritorial implications of the right to erasure, and how these would change depending on how it is implemented.

7.3.1 In the Data Protection Directive and the General Data Protection Regulation The right to erasure is not a novel right that the Google Spain case introduced.52 Indeed, the 1995 DPD enshrined the right in a particular form. As appropriate, every data subject had the right to obtain from the data controller ‘the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive’.53 The GDPR has affirmed and 50

51

52

53

Gabriela Zanfir, ‘Tracing the Right to Be Forgotten in the Short History of Data Protection Law: The “New Clothes” of an Old Right’ in Serge Gutwirth, Ronald Leenes and Paul de Hert (eds), Reforming European Data Protection Law (Springer 2015) 233 citing Jasmine E McNealy, ‘The Emerging Conflict between Newsworthiness and the Right to Be Forgotten’ (2012) 39(2) Northern Kentucky Law Review 119, 126: The law of public disclosure of private facts precludes recovery where the published private information is not of ‘legitimate public concern.’ However, the Restatement offers that the publication is subject to First Amendment protection if the defendant can show that the information is of public concern. Although “of public concern” would obviously anticipate news, it also includes entertainment, film, books, and most anything that stops short of a morbid fascination. Muge Fazlioglu, ‘Forget Me Not: The Clash of the Right to Be Forgotten and Freedom of Expression on the Internet’ (2013) 3(3) International Data Privacy Law 149, 156. Zanfir, ‘Tracing the Right to Be Forgotten’ (n 50) 229; Ausloos, The Right to Erasure in EU Data Protection Law (n 2). DPD art 12(b); this stems from a data subject’s right of access to personal data, (‘any person must be able to exercise the right of access to data relating to him which are being processed, in order to verify in particular, the accuracy of the data and the lawfulness of the processing’ DPD recital 41) and is related to the data subject’s right to object (DPD art 14).

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

160

Data Protection and the Free Flow of Information

expanded upon this right.54 It explicitly articulates a data subject’s right to have the data controller erase personal data about them on several specific grounds.55 This shall not apply, however, ‘to the extent that processing is necessary [to serve certain purposes, which include] exercising the right of freedom of expression and information’.56 7.3.2 In Case Law: Google Spain CJEU jurisprudence is useful when examining issues of the territorial reach of EU data protection rights. The form of the right to erasure that the CJEU established in the Google Spain case arguably threatens the public’s right to information and the free flow of information, which underscores subsequent jurisdictional clashes. Whilst the present research focuses on prescriptive jurisdiction, it is worth briefly touching upon the CJEU’s exercise of adjudicative jurisdiction in the Google Spain case because it demonstrates how a small territorial hook combined with a focus on where the effects of Google’s activities would be felt allowed it to assert jurisdiction in the case. In line with objective territoriality or the effects doctrine, the Court exercised jurisdiction over data processing that occurred in the US, but affected EU data subjects accessing Google in the EU.57 In light of the Google Spain outcome, the Article 29 Working Party correctly expected the GDPR to broaden the DPD’s 54

55 56 57

See GDPR art 17: 1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based . . . and where there is no other legal ground for the processing; (c) the data subject objects to the processing . . . and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing . . . ; (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f ) the personal data have been collected in relation to the offer of information society services. See GDPR art 17. See Ibid., art 17(3)(a). Cedric Ryngaert, Unilateral Jurisdiction and Global Values (Eleven International Publishing 2015) 78; a less cautious interpretation is that ‘[i]t is undoubtedly an application of the (territorial) effects doctrine, linked to the “implementation” of activities contrary to EU law on EU territory, and /or to the need to protect EU citizens’ privacy’. Geert van Calster, ‘Regulating the Internet. Prescriptive and Jurisdictional Boundaries to the EU’s “Right to Be Forgotten”’ (2015) 24 (citations omitted).

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

7.3 The Right to Erasure in the EU

161

territorial reach as the GDPR ‘relies on the “effects principle” to complement the “territoriality principle”’ when regulating the activities of data controllers not established in the EU.58 In his opinion in Google Spain, the Advocate General confirmed that linking the territorial application of EU data protection law to the targeted was consistent with the CJEU’s case law.59 This approach is in line with the targeting standard in Article 3 GDPR on territorial scope. Moving away from pure territoriality, the form of jurisdiction could also show a ‘substantive community bond’ or ‘proximity’ between the foreign party and an EU individual.60 The justification for the broad application of Article 4 DPD was ‘all commendable’ and third-State courts have since cited and applied the Google Spain reasoning.61 That said, foreign courts are also becoming wary of how this reasoning could allow law to overextend.62 Perhaps most significantly, the judgment affirmed the existence of a right to erasure and deemed search engine operators responsible for removing certain links to third-party websites that publish information related to a specific data subject.63 On the basis of the DPD read in the light of Articles 7 (right to privacy) and 8 (right to data protection) of the EU Charter, the Court formally articulated the right to erasure.64 As such, an EU data subject may request that inaccurate, inadequate, irrelevant, excessive or outdated search results related to themself be delisted.65 Importantly, the Court stated that the Charter’s rights to privacy and data protection ‘override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name’.66 Only if the public had a paramount interest in accessing

58

59 60

61

62 63 64 65 66

Article 29 Working Party, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain (WP 179 update, 16 December 2015) 5–6 citing Case C‑131/12 Google Spain SL Google Inc. v Agencia Española de Protección de Datos [2013] ECLI:EU: C:2013:424, Opinion of AG Jääskinen (emphasis in original). Google Spain, Opinion of AG Jääskinen (n 58) para 56. Ryngaert discusses using a ‘substantive community bond’ or ‘proximity’ between foreign party and forum member as a jurisdictional basis in Google Spain instead of territoriality (or messy ‘reasonableness’). Ryngaert, Unilateral Jurisdiction and Global Values (n 57) 79–80. Dan Jerker B Svantesson, ‘The Google Spain Case: Part of a Harmful Trend of Jurisdictional Overreach’ (2015) European University Institute Robert Schuman Centre for Advanced Studies Research Paper No RSCAS 2015/45 7 citing Equustek Solutions Inc v Jack (2014) BCSC 1063 para 63. Svantesson, ‘The Google Spain Case’ (n 61)6 (citations omitted). Case C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez (n 5) para 88. Ibid., para 99. Ibid., para 90. Ibid., para 99.

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

162

Data Protection and the Free Flow of Information

certain information, for example, if the data subject were a public figure, would an interference in the rights to privacy and data protection be justified.67 This pronouncement minimises both the market freedoms that the right to the free flow of information initially sought to enable and the public’s access to information, in favour of protecting personal data. Flowing from this, the question of whether the Court balanced the two rights correctly, or indeed at all, arises. Only in outlining the legal context of the decision did the Court make explicit reference to the freedom of expression, and then only to the DPD article outlining exemptions from certain provisions of the Directive for journalistic, artistic or literary expression purposes.68 It also mentioned the objective of the DPD, which includes removing obstacles to the free flow of personal data.69 Unlike the European Court of Human Rights (ECtHR), which has a clear test for balancing the right to privacy with the right to freedom of expression, the CJEU’s balancing was more covert.70 The Court did not explain how balancing should occur in later cases or when intermediaries decide upon delisting requests. There is no immediate reason to believe that European courts will fail to balance the right to erasure and the freedom of expression properly.71 Nonetheless, the Google Spain decision supplements earlier CJEU decisions that emphasise the right to data protection over the freedom of information and related rights.72 The CJEU’s decision generated an outpouring of comment and scholarly attention.73 Immediate reactions in newspapers and blogs frequently had 67 68 69 70

71 72

73

Ibid., para 88. Ibid., para 9 citing DPD art 9. Ibid., para 3 citing DPD art 1. The ECtHR’s test was honed in two landmark cases, Axel Springer AG v Germany, App no 39954/08 (ECtHR, 7 February 2012) and Von Hannover v Germany (No 2), Apps nos 40660/08 and 60641/08 (ECtHR, 7 February 2012). The test includes the following considerations: (i) contribution to a debate of general interest; (ii) how well-known the person is and the subject matter of the report; (ii) prior conduct of the person concerned; (iv) content, form and consequences of the publication; and (v) several other case-dependent considerations. In Axel Springer AG v Germany, the Court said Articles 8 ECHR (privacy) and 10 ECHR (freedom of expression) deserved equal respect. Zanfir, ‘Tracing the Right to Be Forgotten’ (n 50) 246. See, e.g., Stefan Kulk and Frederik Zuiderveen Borgesius, ‘Google Spain v. González: Did the Court Forget about Freedom of Expression?: Case C-131/12 Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos and Mario Costeja González’ (2014) 5(3) European Journal of Risk Regulation 389. For a brief overview of the varied immediate reactions, see Christopher Kuner, ‘The Court of Justice of the EU Judgment on Data Protection and Internet Search Engines’ (2015) LSE Law, Society and Economy Working Papers 3/2015 2 (citations omitted). For a non-exhaustive list of academic commentary soon after the decision, see ‘Academic Commentary: Google Spain’

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

7.3 The Right to Erasure in the EU

163

alarmist undertones and jumped to often misinformed conclusions.74 Since then, commentators have thought more carefully about the judgment and how it has been applied, but views are still divided and divisive.75 The case raised many other issues of, for example, intermediary liability and the importance of maintaining a public archive, but the present research limits itself to the territorial reach of EU law, especially in light of US–EU jurisdictional issues in the context of how the decision has been implemented.76

7.3.3 Reactions to the Judgment The Google Spain ruling has had extraterritorial effect, but not to an excessive degree. The CJEU was silent on the territorial scope of the right to erasure and did not cover how the right might apply beyond the EU.77 Nonetheless, the Court’s ruling has had a palpable influence on third States: ‘[T]he decision has found an active life outside the European context’.78 Google has contested this extraterritoriality, saying EU data protection law is explicitly territorial.79 The overall responsibility for looking into these rights rests mostly with US companies: ‘[t]he enormously expensive effects of the decision fall squarely on the shoulders of search engines based mostly in the United States’, meaning

74 75 76

77 78

79

(2014/2015) . See too EDPB, Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1) (7 July 2020). Kuner, ‘The Court of Justice of the EU Judgment’ (n 73). See Case C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez (n 5). Intermediary liability is certainly a fascinating topic. Intermediaries are not well-placed to decide upon delisting requests, which involves balancing competing interests and rights, and many other complicated legal considerations. It also surfaces when considering freedom of expression and privacy rights: ‘[H]olding intermediaries liable for the content disseminated or created by their users severely undermines the enjoyment of the right to freedom of opinion and expression, because it leads to self-protective and over-broad private censorship, often without transparency and the due process of the law.’ Human Rights Council, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, A/HRC/17/27 (16 May 2011) para 40. Kuner, ‘The Court of Justice of the EU Judgment’ (n 73) 11. Human Rights Council, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, A/HRC/32/38 (11 May 2016) para 42 (citation omitted). David Price, Legal Director at Google, has said ‘one nation does not make laws for another. . . . Data protection law, in France and around Europe, is explicitly territorial, that is limited to the territory of the country whose law is being applied’. Julia Fioretti and Mathieu Rosemain, ‘Google Appeals French Order for Global “Right to Be Forgotten”’ Reuters (19 May 2016).

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

164

Data Protection and the Free Flow of Information

the Court’s decision seems to have a great impact on conduct outside EU borders.80 US commentators have a wide array of opinions on the right to erasure. These opinions vary from being receptive to the right, especially concerning children; to maintaining that the right to information ought sometimes to outweigh the right to privacy; to acknowledging the US’ strong tradition of free expression and strongly cautioning against interpreting the right to erasure in a way that would infringe upon that right, and all shades in between.81 The current interpretation of US tort law concerning privacy is not in favour of granting privacy to those embarrassed by public information, which runs counter to how the EU has applied the right to erasure.82 Highlighting general disagreement, American privacy and civil liberties advocates were divided on the struggle around privacy and free speech rights that requesting deletion raises.83 In terms of transatlantic tensions, the Google Spain ruling ‘is consistent with the interests pursued by European data protection law . . . but puts the EU on a collision course with the US when it comes to online freedom of expression’.84 In response to the European Commission’s original 2012 proposal for the GDPR, a US legal commentator called its version of the right to erasure ‘the biggest threat to free speech on the Internet in the coming decade’.85 The above reactions inform several observations about the reach of EU law. It can be asked to what extent the right to erasure may apply in the US or for US citizens, which the following section explores. It is noteworthy that an intra-EU decision is even a popularly discussed issue in the US. Perhaps the bilateral US–EU arrangements that enable transborder data flows, such as the PNR Agreement and the EU–U.S. Data Privacy Framework discussed in this research, will have to include an updated form of the right to erasure. To obtain adequacy decisions, whereby personal data may only be transferred outside the EU if the third State in question has been deemed to have an essentially equivalent level of protection, it is probable that third States will

80

81

82 83

84

85

Craig A Newman, ‘“A Right to Be Forgotten” Will Cost Europe’ The Washington Post (26 May 2014). Bennett, ‘The “Right to Be Forgotten”’ (n 35) 165–167, see 165 fn 15 for specific commentators’ opinions. Ibid., 171. Lisa Fleisher, ‘Google Ruling: Freedom of Speech vs. the Right to Be Forgotten’ The Wall Street Journal (13 May 2014). Orla Lynskey, ‘Rising Like a Phoenix: The “Right to Be Forgotten” before ECJ’ (European Law Blog, 13 May 2014) . Jeffrey Rosen, ‘The Right to Be Forgotten’ (2012) 64 Stanford Law Review Online 88, 88.

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

7.4 Implementing the Right to Erasure

165

have to incorporate the more advanced version of the right to erasure into their data protection laws. The next section uses the research’s public international law assessment framework to examine the de facto implementation of the right to erasure and then offers some insights on these observations and related questions.

7.4 implementing the right to erasure This section looks at three aspects of how Google has implemented the right to erasure. It focuses on prescriptive jurisdiction, which includes how the right has been applied, and accordingly the territorial reach of EU law. First, it outlines three potential ways Google could implement the right. Second, it looks at which methods the search engine has used. Third, it outlines suggestions for how it ought to enact the right.

7.4.1 Possible Implementation Methods In determining the territorial reach of EU law, the right to erasure could be implemented in one of three ways. These ways cover domain-based, locationbased and global methods, which the present section links directly to the right to erasure. First, the domain-based method involves using a country code Top Level Domain (ccTLD) with which the user accesses Google.86 For instance, google.fr leads to the French version of Google, google.co.uk to the UK version and so on. Second, there is the geographic filtering method, which uses geolocation technologies to determine where a user is located.87 This location is usually determined according to the user’s Internet Protocol (IP) address. Third, there is global implementation, whereby Google would remove search results from all versions of the search engine. The results would be redacted no matter the ccTLD or geographic origin of the search.88 Something of a combination of the first two methods, and what occurs in practice with Google searches, is that users are automatically directed to their country-specific version of Google based on where their search originates. 86

87

88

Van Alsenoy and Koekkoek, ‘Internet and Jurisdiction after Google Spain’ (n 19) 112; Dan Jerker B Svantesson, ‘Delineating the Reach of Internet Intermediaries’ Content Blocking – “ccTLD Blocking”, “Strict Geolocation Blocking” or a “Country Lens Approach”?’ (2014) 11(2) SCRIPTed 153, 161–162. Van Alsenoy and Koekkoek, ‘Internet and Jurisdiction after Google Spain’ (n 19) 113–114; Svantesson, ‘Delineating the Reach of Internet Intermediaries’ Content Blocking’ (n 86) 162–164. Van Alsenoy and Koekkoek, ‘Internet and Jurisdiction after Google Spain’ (n 19) 115.

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

166

Data Protection and the Free Flow of Information

Svantesson identifies this as a unique method, which he terms the ‘country lens approach’.89 The present research subsumes this approach into geographic filtering. For instance, in Australia, typing Google into the search bar would automatically take the user to google.com.au. In the Netherlands, doing the same would take the user to google.nl; if that same user typed google.com.au into the search bar, they would be taken to Australia’s countryspecific version of Google and so on for other country domains. Notably, however, if they typed google.com into the search bar, they would be taken to google.nl. Immediately after the Google Spain ruling, there was a discreet button at the bottom of the page where one could switch to google.com. Increasingly, Google search results appear to show the localised version of Google no matter the domain name. They base the location on the user’s device location, their labelled places, the home address set across their smart Google devices, their previous activity across Google products and their IP address. Van Alsenoy and Koekkoek advocate exercising the right to erasure in a way rooted in territory and reasonableness. Svantesson, on the other hand, supports a different implementation method: ‘I prefer to stay clear of a focus on territory in this context – a highly problematic focal point, not least in the Internet context’.90 He has drawn up a ‘Model Code Determining the Geographical Scope of Delisting Under the Right To Be Forgotten’, which explicitly moves away from territory, and instead focuses on connections and interests as jurisdictional triggers.91

7.4.2 Applied Implementation Methods Google initially limited the search results to EU domain names, which could easily be circumvented by clicking a button at the bottom of the Google search home page to switch to google.com. Google cited the potential ‘serious chilling effects’ on the free flow of information were it to implement the judgement more widely.92 The domain-based/geographic filtering approach 89

90

91 92

Svantesson, ‘Delineating the Reach of Internet Intermediaries’ Content Blocking’ (n 86) 165–168. See too Van Alsenoy and Koekkoek, ‘Internet and Jurisdiction after Google Spain’ (n 19) 111. Dan Jerker B Svantesson, ‘Limitless Borderless Forgetfulness? Limiting the Geographical Reach of the “Right to Be Forgotten”’ (2015) 2(2) Oslo Law Review 116, 134. Ibid., 134. Peter Fleischer, ‘Implementing a European, Not Global, Right to Be Forgotten’ (Google Europe Blog, 30 July 2015) .

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

7.4 Implementing the Right to Erasure

167

would mean EU-based users were automatically directed to the relevant EU version of Google, despite typing, for instance, google.com. As such, relatively few users knew about or bothered switching to non-redacted search results. Nonetheless, the territorial effect of such a method of implementation did not provide for the ‘effective and complete protection’ of data subjects’ rights, particularly their right to privacy, as the Google Spain judgment necessitated. In its Guidelines on implementing the decision, the Article 29 Working Party posited that delisting results from only EU domains did not reach the sufficient threshold to satisfactorily guarantee data subjects’ rights.93 In response to pressure from data protection authorities (DPAs) and privacy regulatory authorities, in February 2016, Google widened the territorial scope of its implementation, offering more effective and complete protection to EU users.94 A user would see redacted results on any version of Google accessed from an EU country, provided that the country in question was the same as that from which the data subject who had requested delisting made that request.95 For instance, someone in Portugal requests a URL be delisted from Google search results. People in Portugal using any version of Google (google. pt, google.de, google.com.au) would see the redacted results. However, someone outside of Portugal, but still in the EU, would not see redacted results if using a non-EU domain. In addition, users could use technology, such as Virtual Private Networks (VPNs), to hide their IP addresses and thereby bypass Google’s filtering system. It is overwhelmingly likely that those making delisting requests would be residents of wherever they make the request from, and that those Googling them with a desire to access certain information about the relevant data subject would also be using Google in that country. Google’s phrasing of how they would apply this new approach, however, did not make it clear what sort of connection would be needed between the data subject requesting delisting and the EU country. Would they need to be a resident of the relevant State or simply on its territory when filing the request? Currently, Google uses a domain-based/geographic filtering approach to discern from where someone 93 94

95

Article 29 Working Party, WP 225 9. Peter Fleischer, ‘Adapting Our Approach to the European Right to Be Forgotten’, The Keyword (2016). According to Google, this means the following: [L]et’s say we delist a URL as a result of a request from John Smith in the United Kingdom. Users in the UK would not see the URL in search results for queries containing [john smith] when searching on any Google Search domain, including google.com. Users outside of the UK could see the URL in search results when they search for [john smith] on any non-European Google Search domain. (Ibid.)

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

168

Data Protection and the Free Flow of Information

is filing a request. Could, by extension, a US citizen file a request for delisting when on holiday in Belgium and have their privacy rights protected when anyone in Belgium Googled them on any version of Google, or when anyone in the rest of the EU Googled them on an EU version of Google? Again, the territorial reach of EU data protection law is unclear and potentially farreaching. The subsequent sections attempt to address some of these questions.

7.4.3 Google v CNIL and Proposed Implementation Methods The current method of implementation does not satisfactorily protect certain EU data subjects’ data protection rights. The Article 29 Working Party recommended delisting on ‘all relevant domains, including .com’.96 It is unclear whether this would be satisfied by Google’s method of implementation as . com domains are only redacted when accessed by someone in the country from where the request originated.97 In 2015, the French data protection authority (Commission nationale de l’informatique et des libertés or CNIL) ordered Google to apply the right to all versions of Google accessed from everywhere. As explained above, Google then implemented the right so that most users in the EU would, broadly, see redacted results no matter which version of Google they used (google.fr, google.com.au and so on).98 CNIL then fined Google 100,000 EUR for not delisting results from all versions of Google.99 Eventually, the matter came before the Grand Chamber of the CJEU, which decided on the implementation of EU law. The Court had to determine the required territorial scope of the delisting in such a situation.100 It assessed whether EU law obliged a search engine operator to remove results within only one relevant Member State, within the whole EU or globally. 96 97

98

99 100

Article 29 Working Party, WP 225 9. We respect the territorial scope of the relevant laws in your location. For example, in the European Union we delist URLs from versions of Google’s search results for countries applying European data protection law. We’ll also use geolocation signals (like IP addresses) to restrict access to the delisted URL on all Google Search services for users we think are in the requester’s country. Consistent with a 2019 decision of the European Court of Justice, we don’t apply these delistings to services for countries outside the EU. (Google Legal Help, ‘Right to Be Forgotten Overview’ ) Users in the country of the ‘de-referenced’ data subject would see redacted results on all versions of Google; EU-based users not in that country would see redacted results on EU Google domains. Julia Fioretti, ‘France Fines Google over “Right to Be Forgotten”’ Reuters (24 March 2016). Case C-507/17 Google Inc. v (CNIL) (n 16) para 53.

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

7.4 Implementing the Right to Erasure

169

The CJEU concluded that a search engine operator (Google) ‘is not required to carry out that de-referencing on all versions of its search engine, but on the versions of that search engine corresponding to all the Member States’.101 There is therefore no obligation in EU law for a search engine operator to delist results globally, so that any version of Google accessed anywhere in the world would show a redacted list of results.102 This global delisting, however, is not prohibited.103 It may not occur in only the single Member State where the requesting individual resides, but is ‘in principle, supposed to be carried out in respect of all the Member States’.104 A search engine operator must, where necessary ‘effectively prevent or, at the very least, seriously discourage’ a user from accessing the links that the data subject initially asked the search engine operator to delist.105 The following section analyses the Court’s reasoning and decision in the Google v CNIL case in view of the reasonableness aspect of the rule of reason outlined in Chapter 5.

7.4.4 Assessing Reasonableness in Google v CNIL Whereas the provision on extraterritorial jurisdiction in the Third Restatement of US Foreign Relations Law had not been embraced by the US Supreme Court or CJEU, the Google v CNIL judgment nevertheless shows the CJEU conducting an interest- and rights-balancing exercise.106 The Court drew connections between regulations and the regulated, which were centred on territory, but it also considered various interests when determining the reach of the EU manifestation of the right to erasure.107 In such a case, it is important to consider connections beyond pure territory, such as nationality or economic activity, between the regulating State or authority (the EU) and those the relevant regulation is designed to protect.108 In Google v CNIL, the necessary connection between the EU and EU data subjects was fulfilled. Beyond that, however, the Court did not attempt to require the application of this law to those outside Union territory: ‘[I]t is in no

101

Ibid., para 74. Ibid. 103 Ibid., para 72. 104 Ibid., para 66. 105 Ibid., para 74. 106 Restatement (Third) of the Foreign Relations Law of the United States (Am Law Inst 1987) 403. 107 Google Inc. v CNIL (n 16) para 52. 108 See, e.g., Restatement (Third) of the Foreign Relations Law (n 106) 403(2)(b). 102

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

170

Data Protection and the Free Flow of Information

way apparent from the wording of [provisions on the right to erasure] that the EU legislature would, for the purposes of [guaranteeing a high level of protection of personal data throughout the EU], have chosen to confer a scope on the rights enshrined in those provisions which would go beyond the territory of the Member States’.109 The Court thus recognises that EU lawmakers did not explicitly intend for the universal application of the right to erasure. Furthermore, if an Internet user anywhere in the world accessed a link regarding ‘a person whose centre of interests is situated in the Union’, this would likely ‘have immediate and substantial effects on that person within the Union itself ’.110 The Court used this notion of territorial effects to imply that global delisting would not be unlawful and could be necessary to prevent harmful effects within the EU.111 As such, the Court successfully moved beyond pure territoriality to consider where effects were felt (not where the whole conduct took place) and terri-national connections (EU data subject and search engine user in the EU). Beyond the individual, the Court ought to consider another State’s interest in regulating the activity.112 In the present example, this would be a non-EU State. Evidently, that State would have an interest in regulating the version of Google its users see. Even if that State’s residents may not enjoy EU data protection rights, if they are subject to the effects of EU data protection legislation, non-EU States would have such an interest in regulating the activity. In this assessment, the Court should consider the nature of the regulated activity (being an EU-centric right to erasure) and how much other States regulate this activity.113 According to the rule of reason outlined in Chapter 5, interest-balancing is intertwined with rights-balancing. To that effect, the CJEU noted that both the DPD and the GDPR were adopted on the basis of Article 16 of the Treaty on the Functioning of the European Union, which prescribes that everyone has the right to the protection of their personal data.114 Therefore, the laws’ objectives are ‘to guarantee a high level of protection of personal data

109

Google Inc. v CNIL (n 16) para 62. Ibid., para 52 (emphasis added). 111 Ibid., para 58. 112 See, e.g., Restatement (Third) of the Foreign Relations Law (n 106) 403(2)(g). 113 Ibid., 403(2)(c); a summary of other States’ conceptions of the right to erasure enshrined in law is available here: David Erdos and Krzysztof Garstka, ‘The “Right to Be Forgotten” Online within G20 Statutory Data Protection Frameworks’ (2019) University of Cambridge Faculty of Law Research Paper No 31/2019. 114 Google Inc. v CNIL (n 16) para 54 citing TFEU art 16. 110

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

7.4 Implementing the Right to Erasure

171

throughout the European Union’.115 The Court acknowledged that global delisting would ‘meet that objective in full’.116 It then considered the interests of other States in emphasising that numerous third States do not recognise a right to erasure or have a different approach thereto.117 The Court also acknowledged that the right to data protection is not absolute and should be balanced with other fundamental rights.118 These rights, which are likely to ‘vary significantly’ around the world, include the rights to privacy and data protection balanced with the freedom of information for Internet users.119 In this manner, without going so far as conducting a full rights-balancing exercise itself, the Court reasonably ascertained that EU rights conceptions ought not to extend unilaterally into third-State jurisdictions. Interestingly, the CJEU referred to this difference even within the EU itself. It mentioned the public’s interest in accessing information and that ‘weighing up that interest, on the one hand, and a data subject’s rights to privacy and the protection of personal data, on the other’ could differ between Member States.120 It urged cooperation between national DPAs to achieve coherence. The Court considered that the EU legislature has struck such a balance within the EU, but has not found this balance with search engine operators delisting beyond the EU.121 This latter observation suggests that the Union has not acted reasonably vis-à-vis the extraterritorial dimensions of its right to erasure. It is not apparent that the legislature would have sought to extend delisting extraterritorially.122 The Court decision, in not immediately mandating global delisting, covertly suggests its non-extraterritorial application would be the most reasonable default approach. The Court closed its judgment by affirming that national DPAs (such as CNIL) or national judicial authorities have the competence to order delisting from all versions of a search engine.123 They may weigh up the protection of different fundamental rights, and may order a search engine operator to carry out global delisting, thus conducting an interest- and rights-balancing test themselves.124 DPAs are neither elected nor part of the court structure, which

115

Ibid. Ibid., para 55. 117 Ibid., para 59. 118 Ibid., para 60. 119 Ibid. 120 Ibid., para 67. 121 Ibid., para 61. 122 Ibid., para 62. 123 Ibid., para 72. 124 Ibid. 116

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

172

Data Protection and the Free Flow of Information

could avoid necessary checks, balances and harmonisation. That said, foreign entities with an EU connection (such as Google Inc. with an establishment in France) that are affected by a decision of a national regulatory authority may challenge it before a court. Individual Internet users without an EU connection, however, may not challenge such a decision, which could cause additional problems. DPAs have the opportunity to make non-EU users see an ‘EU’ version of Google. It is unclear how this could materialise, but given their pro-data protection stance and trend towards allowing or calling for extraterritoriality, it would not be surprising if DPAs obliged global delisting from within their own jurisdictions. It flows from this that the authorities should follow the CJEU’s example in the Google v CNIL case and exercise reasonableness in making such decisions. This reasonableness involves requiring strong connections between data subjects in the EU and search engine users outside the EU, and balancing the various interests and rights, which would ordinarily lead to maintaining EU-wide delisting as the default position.

7.5 exercising the right to erasure Inspired by polemicist Stewart Baker’s self-proclaimed ‘hacking’ of Google’s delisting procedure, I attempted to file a request for delisting to determine the extent to which Google considered my territorial- or nationality-based connection to the situation and balanced the free flow of information with data protection rights. Part of Baker’s conclusion was that, as Google did not mention his US nationality as a reason for denying his requests, its approach was ‘consistent with Europe’s preening view that its legal “mission civilisatrice” is to confer privacy rights on all mankind’.125 Baker filed the requests in 2014, when Google used a domain-based approach, so it only removed search results from country-specific versions of Google. Since then, it has been expanded to all versions of Google accessed from the EU country from which the request originated. As this seems somewhat vague, I wanted to test how Google would react to my request if I made my link to the EU – in light of territory and personality – minimal or non-existent. In practice, I have EU and non-EU citizenship and reside in the EU. I could access the ‘Personal Information Removal Request Form’ from both inside and outside the EU. The exercise would also provide clues as to how Google decides upon requests; does the free flow of information come into the picture at all? It could shed light on a 125

Stewart Baker, ‘Inside Europe’s Censorship Machinery’ The Washington Post (8 September 2014) .

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

7.5 Exercising the Right to Erasure

173

disconnect between the prescribed law, its territorial boundaries and how it is applied.126

7.5.1 Concealing Territorial and National Connections The search removal request form entails three ways to show a connection to the EU, without expressly saying as much: (i) the applicant’s location when filing the request as shown by the computer’s IP address; (ii) the country whose law applies to the request, as selected by the applicant; and – before the Google v CNIL ruling – (iii) affiliations to a territory and/or nationality associated with the applicant’s identity document. The latter document is no longer required upon first filing the request. First, to hide my IP address and thus conceal my location, I used a Tor browser. Tor is a free, easy-to-download software programme that uses encryption and a network of hidden servers to conceal a user’s online identity, including IP address, location and browsing activity.127 As such, Google could not trace the origin of the application to anywhere. In practice, I was also able to access the form and file a request from outside EU territory. Second, when asked to select the country whose law applied to my request, I chose France from the dropdown list of all EU/EEA Member States. This choice was because I have no immediate ties with France and because their DPA has been particularly active, which might influence how Google responded to my request, considering their decisions may be appealed to national DPAs. Third, when asked to produce a document that verified my identity, I uploaded a scan of the biographical page of my Australian passport. The Google form stated that the document need not be a passport or other government-issued identification document, so I could have included a different verification document that also did not show any EU ties. In making a similar delisting request after Google v CNIL, I used a VPN to access the form from an Australian IP address and randomly chose Belgium as what was now called ‘country of origin’ rather than the law to apply to the request. There was no requirement to upload any identification.

126

127

For a general overview of how Google has dealt with specific requests, see Jef Ausloos and Aleksandra Kuczerawy, ‘From Notice-and-Takedown to Notice-and-Delist: Implementing the Google Spain Ruling’ (2016) 14(2) Colorado Technology Law Journal 219, 247. ‘There’s a Special Browser (Tor) That Leads to a Secret Web’ .

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

174

Data Protection and the Free Flow of Information

7.5.2 The Content of the Request I asked that Google delist a search result that linked to a friend’s social media profile. On that page was my name, profile picture and then location (Australia), and links to my own social media profile. I purported that the page should not be included as a search result because it was outdated and irrelevant. My friend’s page and my own had not been accessed or updated since 2008 and were not accurately representative of me or my current situation. Granted, this URL might not raise questions of the free flow of information in the way that, for instance, a link to a newspaper article might, but I had no such examples. Furthermore, Google’s response would be informative in terms of whether and how they weighed anything up against data protection and privacy rights. Google responded with the following: [W]e need to understand your connection to a country in Europe whose data protection law applies to removals of this kind, including countries in the European Union. If you reside in such a country, you may attach a copy of an identification document (passports or government documents are not required) in response to this email. Otherwise, please explain the connection you have to one or more such countries.

Their response was vague to the point of confusion. Worth noting is that they appeared to be seeking a stronger connection between me and the EU (or ‘Europe’) than with Baker. I replied by asking what sort of connection I needed to a European country; whether this connection could be to any country in Europe or only the EU; and how precisely I could demonstrate this connection. Google responded without answering the questions explicitly. Instead, they asked for relevant documentation to further clarify my association with the country identified, namely France. I then asked what sort of connection or association with France I needed, and how I could demonstrate that. Again with vagueness, they asked for a ‘document that verifies your connection to the country’ and said that without this they would be unable to take further action. Online, Google suggests citizenship or residency show the desired connection to a European country.128 In informal conversation with Google employees, it was suggested that the required connection is based on one’s country of residence, and that this is established by which country’s law the applicant chose to apply to their request (now ‘country of origin’), 128

‘European Privacy Requests Search Removals FAQs’ .

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

7.6 Analysing the Implementation Methods

175

which makes sense, but is hard to verify. Whilst not showing explicitly how Google decides on connection in delisting requests, this little investigation is used to inform part of the below assessment.

7.6 analysing the implementation methods This section uses the public international law assessment framework outlined in previous chapters to analyse Google’s implementation of the right to erasure. It also touches upon the same considerations were Google to implement the right globally, as CNIL had requested. Google’s actions are relevant because they illustrate the territorial extension of EU law. Moreover, they show how non-EU entities (corporations or governments) could apply the right to erasure under the GDPR. The research considers issues of territoriality, personality, connection and reasonableness. 7.6.1 The Fundamental Right to Data Protection EU Member States are under an obligation to safeguard data subjects’ fundamental right to data protection as enshrined in the EU Charter.129 In extraterritorial situations, this takes into account the other rights and considerations – particularly stemming from the US – with which the right to data protection ought to be balanced, and instances where the right may be limited. The main actors in the present scenario are the data controller (such as a search engine operator); the data subject who might want to keep particular personal data private; and Internet users who access information online and have legitimate interests being able to do so.130 The data controller has the balancing obligations and can facilitate or threaten certain rights. Setting aside the myriad issues with intermediary liability, the data controller is tasked with striking a fair balance between an Internet user’s interests and the data subject’s fundamental rights to privacy and data protection.131 Notably, and controversially, the CJEU has stipulated that the data subject’s rights ‘override, as a rule, . . . the interest of the general public in having access to that information upon a search’.132 The following three sections look at the EU’s obligations to respect, protect and 129 130 131 132

EU Charter art 8. Case C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez (n 5) para 99. Ibid. Ibid. See Magdalena Jozwiak, ‘Balancing the Rights to Data Protection and Freedom of Expression and Information by the Court of Justice of the European Union: The Vulnerability of Rights in an Online Context’ (2016) 23(3) Maastricht Journal of European & Comparative Law 404, 417.

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

176

Data Protection and the Free Flow of Information

ensure the fundamental right to data protection, entailing positive and negative obligations of conduct and result, in extraterritorial situations. 7.6.1.1 Respect The obligation to respect entails a negative obligation of conduct, whereby the EU would have to refrain from conduct that would interfere with someone’s enjoyment of their data protection rights. It makes sense that this applies extraterritorially. The duty to respect is not particularly relevant in terms of the right to erasure and third-State data controllers, so this research focuses instead on the duty to protect. 7.6.1.2 Protect To protect a right connotes a positive obligation of conduct that could apply in places under a State’s effective control, which is difficult to discern in the online sphere. This requirement could likely oblige the EU to actively prevent thirdparty violations of its data subjects’ personal data protection rights in an extraterritorial context. The Google Spain case illustrates how the CJEU and, ultimately, EU Member States are enabling this active protection. Specifically, through the establishment of a subsidiary in Spain, Google Inc., incorporated in a third state (the US), was held responsible for potentially interfering with EU individuals’ right to data protection. The data controller was in a third State, but had to prevent third-party violations in an extraterritorial context. Through a subsidiary on EU territory, it was compelled to comply with EU law. If the judgment were implemented on a global scale, this would be an extreme example of the EU protecting its data subjects’ rights. According to, for instance, CNIL, this is the only way to achieve effective and complete protection of the right for its citizens, leaving no room for them to circumvent EU law. As such, the EU would effectively be safeguarding the right to data protection for its data subjects whose information has been delisted from certain results. As will be shown below, however, this aggressive exercise of prescriptive jurisdiction would violate third States’ sovereignty and restrict Internet users with no affiliation to the EU from seeing a complete list of search results; it would most likely serve only to exacerbate jurisdictional conflicts. 7.6.1.3 Fulfil The obligation to fulfil implies a positive obligation of result, that is, an obligation to fulfil an individual’s right to personal data protection by

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

7.6 Analysing the Implementation Methods

177

providing appropriate law and policy mechanisms, and resources. In terms of safeguarding EU data subjects’ rights by exercising extraterritorial jurisdiction, the obligation to fulfil does not extend extraterritorially. Even with global implementation, legal mechanisms to achieve delisting would be available to EU data subjects who would most likely be filing requests on EU territory or showing a link to the EU that excludes extraterritorial duties to fulfil.

7.6.2 Territoriality Issues The right to erasure can entail territorial links to multiple States and, as it is usually exercised in an online setting, the actors involved can bypass these links. The issues of territoriality originated with the CJEU’s vagueness on how its decision was to be implemented. Google protested the extraterritorial scope of the global implementation of the right to erasure.133 The question that then follows is whether the GDPR has given the right to erasure some territorial limitation. Moving from the Google Spain decision to its application, the domainbased approach is partially based on the Internet user accessing search results from an EU State. It is restrictive, however, because this approach only covers EU domain names accessed from an EU State, with – at the time – an easy option to switch to google.com. The geographic filtering method exemplifies the objective territorial principle, whereby an act is consummated on EU territory, namely US-incorporated search engines display search results to Internet users on EU territory. These results might be detrimental to a data subject’s privacy. Accordingly, the EU would be allowed to exercise jurisdiction over the situation. Before the Google Spain framework was put in place, US data controllers were not under such a clear obligation to adhere to EU data subjects’ rights to access and deletion. Since the EU regulated the situation through the CJEU and in the GDPR, those accessing Google from EU territory would, with certain caveats, see redacted results. These caveats, however, show how parts of the objective territorial principle are being bypassed. Not everyone in the EU would see redacted results. Such examples could include an Italian citizen accessing google.za from Italy and thus seeing redacted results about someone who filed a request for deletion from Estonia. This would not sufficiently protect the rights of the person who filed the deletion request, despite adhering somewhat to a permissive principle of jurisdiction. Now, however, it could be more difficult to switch to different 133

Fioretti and Rosemain, ‘Google Appeals French Order for Global’ (n 79).

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

178

Data Protection and the Free Flow of Information

domain names of Google, as they all appear to lead to the localised version of Google search. It would involve a complex process of changing computer or phone settings to add different Google locations. From objective territoriality and rights to territorial sovereignty, with the current form of implementation, State sovereignty is being protected, as EU data protection law is not directly applied in the US. Global implementation, however, would involve a territorial jurisdictional hook, but would spread too far extraterritorially. This is enhanced by the notion that States should exercise restraint when claiming extraterritorial jurisdiction. Territory is still relevant in the foregoing examples, but is losing heft as a jurisdictional trigger. The next section looks at the effects doctrine as an extension of the objective territoriality principle. 7.6.3 The Effects Doctrine The effects of how Google, Inc. in the US conducts its search engine operations can be felt in the EU. The CJEU’s decision suggests that not only territorial jurisdictional concepts, but also the effects doctrine, were applicable.134 The targeting requirements in the GDPR only emphasise this notion. The effects doctrine is controversial, but could be an ideal way to exercise jurisdiction in the cybersphere. It is difficult, however, to discern exactly where an effect is felt. The question could be raised of whether a data subject in the EU’s right to data protection is sufficiently protected if anyone in the US could see search results about her, which might include irrelevant or outdated information about, for instance, past behaviour. With the post-CNIL implementation approach, freedom of expression rights for those in the US are well protected as they can still access the information in question through search results. Although the adverse effects pertaining to privacy rights might then be felt by the data subject who is highly likely to be in the EU, global implementation would be the only way to avoid such a scenario. As the effects doctrine would justify applying the right to erasure everywhere, it likely threatens third-State sovereignty and, in this example, the access to information rights and interests of those in the US. Section 7.6.4 therefore turns to personality-based forms of jurisdiction. 7.6.4 Personality Issues Personality is important when applying EU law inasmuch as it purports to extend to EU citizens or residents. Again, taking Baker’s and my own attempts at exercising the right to erasure, nationality does not prima facie seem to be a 134

Van Alsenoy and Koekkoek, ‘Internet and Jurisdiction after Google Spain’ (n 19) 109.

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

7.6 Analysing the Implementation Methods

179

factor to consider when determining whether EU data protection safeguards will apply to someone. It appears non-EU residents could request deletion from within or outside the EU, provided they supply documentation to show a connection or, in Google’s words, an ‘association’ with the country affiliated with their request. In practice, however, this seems difficult and impracticable; it is where my attempts at delisting lost strength. In line with this sentiment, the Article 29 Working Party’s Guidelines on implementing the ruling state the following: ‘[u]nder EU law, everyone has a right to data protection. In practice, DPAs will focus on claims where there is a clear link between the data subject and the EU, for instance where the data subject is a citizen or resident of an EU Member State’.135 Implementing the Google Spain decision globally would have worrying ramifications under personality-based jurisdiction. Indeed, someone’s nationality would be irrelevant as nearly everyone in the world could be considered to have their right to data protection threatened. Directly extending EU data protection rights to everyone in the world is undoubtedly regulatory overreach that would only meet with pushback and further conflict, especially from States with different privacy conceptions and protections. Furthermore, this approach sidelines territory as a jurisdictional trigger. The European Commission’s factsheet on the Google Spain judgment states that the right to erasure ‘is a right which is given to all citizens in the EU, no matter what their nationality’.136 The EU Charter guarantees a right to data protection for ‘everyone’, but it is worth recalling that the Charter applies to EU institutions and bodies and to Member States ‘only when they are implementing Union law’.137 As such, it would not necessarily apply so broadly as to encapsulate every situation in which someone’s personal data is processed. Nonetheless, the GDPR in the light of the Charter could conceivably apply to non-EU individuals. Returning to applying the right to erasure in practice, the suggested method of implementation favours a combination of territorial and personality-based principles of jurisdiction. These need further refinement, however, with additional jurisdictional considerations outlined below. 7.6.5 Degree of Connection Simply establishing an obligation to exercise jurisdiction extraterritorially under international human rights law with a permissive principle under 135 136

137

Article 29 Working Party, WP 225 3. European Commission, ‘Factsheet on the “Right to Be Forgotten” Ruling C-131/12’ (no longer available on the European Commission website). EU Charter art 51 (1).

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

180

Data Protection and the Free Flow of Information

public international law does not immediately render the EU’s actions legitimate. It is necessary, therefore, to assess the strength of an existing connection between the EU and the regulated situation. This section applies a secondtier, additional set of criteria to curb jurisdictional overreach in the right to erasure example. These criteria include establishing a sufficient (spanning substantial, genuine and direct) connection and applying a rule of reason. Primary EU law, CJEU jurisprudence and scholarship can inform an assessment of the strength and nature of the connection between a situation with foreign elements and the EU’s exercise of jurisdiction. In interpreting the DPD in Google Spain, the CJEU confirmed that the concept of an establishment ‘extends to any real and effective activity – even a minimal one – exercised through stable arrangements’.138 Accordingly, Google Spain (the subsidiary) qualified as an establishment of the controller, Google Inc. Furthermore, EU law applies in the context of the activities of the establishment, provided that the controller’s and establishment’s activities are inextricably linked. Again, the CJEU confirmed that selling advertising space and Google’s search engine functions were inextricably linked as the former, through an establishment on EU territory, renders the latter, on US territory, profitable. Selling advertising space sustains search engines. Relevant under the DPD, making use of equipment on EU territory includes intending to use that equipment, having an effective link between the processing activities and that equipment, and using that equipment to target individuals in the EU. The means in question in Google Spain consisted of search engine trawlers or robots used to index information, or domain names associated with a Member State, which trigger searches and results in the language of that Member State.139 The GDPR can help clarify the territorial scope of the ruling as it does away with the outmoded use of equipment criterion and updates it for today’s world of wholly virtual activities. Article 3 GDPR provides that the Regulation applies to data processing by external controllers or processors of the personal data of data subjects in the Union when the processing is related to: ‘(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union’.140 As Google Spain (and ultimately Google Inc.) offers goods or services to data subjects in the EU, it would fall squarely within the reach of the CJEU’s judgment. In sum, there

138

139 140

Case C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez (n 5) para 53; Case C‑230/14 Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság [2015] ECLI:EU: C:2015:639 para 25. Case C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez (n 5) para 20. GDPR art 2.

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

7.6 Analysing the Implementation Methods

181

exists a sufficient connection between the situation being regulated (implementing the right to erasure) and the actors involved (local versions of Google and data subjects residing in the EU), per the Google Spain judgment, the GDPR and Google’s post-CNIL method of implementation. Again, global implementation of such a right might create situations in which the EU has exercised jurisdiction by prescribing the law for a third-State actor despite no connection – physical or otherwise – between the regulated data controller, a data processor, the person in a third State using Google and the data subject who has exercised their right to be forgotten. Such a connection would be too tenuous to justify this global method of implementation. Consider, for example, the following aspect of the Article 29 Working Party’s interpretation of the CJEU Google Spain judgment: [D]e-listing decisions must be implemented in a way that guarantees the effective and complete protection of these rights and that EU law cannot be easily circumvented . . . . In practice, this means that in any case de-listing should also be effective on all relevant domains, including .com.141

As explained above, global delisting goes too far. In the same document, the Working Party acknowledges that DPAs enforcing the right would concentrate on instances with a strong link between the data subject and the EU, by virtue of the subject’s citizenship or residency of an EU Member State.142 Interestingly, the Spanish National Court (Audiencia Nacional) ruled on a case in which a Paraguayan citizen, without EU citizenship or residency, requested that links to information published in Paraguay be delisted.143 The Spanish DPA had previously dismissed the case as the individual had no relevant connection to the EU; upon appeal, the National Court did the same.144 The claimant asserted that as data protection is a fundamental right in the EU Charter, the right to erasure as in the DPD applies everywhere regardless of someone’s lack of connection to the EU.145 The National Court’s judgment, whilst unclear, has some pronouncements that potentially show its opposition to global delisting.146 In practice, a genuine connection between the EU and the situation needs, and ought, to be demonstrated.

141

Article 29 Working Party, WP 225 2. Ibid., 3. 143 Miquel Peguera, ‘Right to Be Forgotten and Global Delisting: Some News from Spain’ (Stanford Center for Internet and Society Blog, 17 December 2017) . 144 Agencia Española de Protección de Datos, 2 December 2015 (TD/00930/2015). 145 Peguera, ‘Right to Be Forgotten and Global Delisting’ (n 143). 146 Ibid. 142

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

182

Data Protection and the Free Flow of Information

7.6.6 Reasonableness Important to the reasonableness assessment is how the right to erasure is applied in practice. In this light, the right is very limited. It only applies to Google searches for someone’s name. As Google automatically directs a user to their country-specific version of Google, even if the user types in ‘google. com’, it nudges individuals into seeing the relevant redacted results. Moreover, in line with targeting methods, country-specific versions of Google are in that country’s language; they make everything far easier for the general user who speaks that language to use that specific version of Google. Indeed, in this instance, ‘[t]he power of default is enormous’.147 In most instances, a particular search engine user sees the appropriate list of results. Nonetheless, for the savvy Internet user, it is possible to see the full list of search results by, for instance, making use of VPN technology or a Tor browser. People in EU Member States outside of where the delisting request originated can still see non-redacted results. Furthermore, many Internet search engine users in the EU either do not know they may exercise the right to erasure or do not know their search results are redacted, despite the disclaimer at the bottom of the search results saying the results might have been modified under EU data protection law. Indeed, it is arguable that ‘the average data subject might find it difficult to take full advantage of the rights provided for under the EU data protection regime’.148 As such, in practice, most search results have not been redacted. The onus is upon the individual to request delisting. It is no party’s responsibility to ensure every Google search result is not inaccurate, inadequate, irrelevant, excessive or outdated.149 The current version of implementation, and perhaps if such a default would happen with global implementation, appears reasonable. For most data subjects who have exercised their right to erasure, most searchers see redacted results. As such, their rights are largely protected and no State sovereignty is threatened. Global implementation, however, which

147

148 149

Luciano Floridi, ‘Should You Have the Right to Be Forgotten on Google? Nationally, Yes. Globally, No.’ (2015) 32(2) New Perspectives Quarterly 24, 26. Jozwiak, ‘Balancing the Rights to Data Protection’ (n 132) 420. Naturally, there are other issues, not least that ‘[t]he judgment therefore potentially applies EU data protection law to the entire Internet, a situation that was not foreseen when the Directive was enacted. This could lead to forum shopping and “right to suppression tourism” by individuals with no connection to the EU other than the fact that they use Internet services that are also accessible there’. Kuner, ‘The Court of Justice of the EU Judgment’ (n 73) 11–12.

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

7.6 Analysing the Implementation Methods

183

necessitates third-State jurisdictions enacting a specific aspect of EU law, is inherently unreasonable.150 Returning to balancing the rights discussed in this section, the following reactions to the decision show how such tensions are evident, also from the EU observers. In his opinion, which the CJEU did not follow, the Advocate General held that a right to erasure could ‘entail sacrificing pivotal rights such as freedom of expression and information [and he] would also discourage the Court from concluding that these conflicting interests could satisfactorily be balanced in individual cases’.151 Similarly, the 2016 Report of the Special Rapporteur on the right to freedom of opinion and expression focused on the interaction between freedom of expression, States and the private sector in the digital age.152 The Report noted how the Google Spain decision raises questions of ‘the appropriate balance between the rights to privacy and protection of personal data, on one hand, and the right to seek, receive and impart information containing such data on the other’.153 The CJEU arguably concentrated on the right to privacy to the detriment of other rights.154 The effects of delisting on an individual’s right to freedom of expression, access to information and the free flow of data are in actuality very limited.155 Nonetheless, it would have been useful, particularly for intermediaries now tasked with balancing rights, for the CJEU to have provided some guidance on when and how certain rights may be limited. Google’s method of implementation does not appear unreasonable: There exist connections between Google’s activities, EU territory and EU residents. The approach, however, does not protect a data subject’s right to data protection and privacy to the extent required in EU data protection law read in the

150

The reality is that the trend of courts demanding global blocking based on local laws will inevitably lead to the destruction of a common resource – the Internet as we know it. And no matter what the European Commission is trying to tell us, this is not a myth. After all, what would be left online if anything that may be unlawful somewhere in the world was removed globally?. (Svantesson, ‘The Google Spain Case’ (n 61) 8) 151 Google Spain, Opinion of AG Jääskinen (n 58) para 133. 152 Human Rights Council, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, A/HRC/32/38 (11 May 2016). 153 Ibid., para 42. 154 Steve Peers, ‘The CJEU’s Google Spain Judgment: Failing to Balance Privacy and Freedom of Expression’ (EU Law Analysis Blog, 13 May 2014) . 155 Article 29 Working Party, WP 225 2; Jef Ausloos, ‘European Court Rules against Google, in Favour of Right to Be Forgotten’ (LSE Media Policy Project Blog, 13 May 2014) .

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

184

Data Protection and the Free Flow of Information

light of the EU Charter as it could easily be circumvented and does not provide EU-wide protection for a data subject. The following section suggests a way of exercising jurisdiction, through a specific form of implementation that would satisfy the EU’s human rights obligations, particularly vis-à-vis the US, without encroaching on the US’ sovereignty. In that sense, it is even more reasonable because it better satisfies each party’s competing interests.

7.7 suggested solutions to implementation issues Bearing in mind the assessment framework requirements that a State may legitimately exercise jurisdiction where it has an obligation to do so to protect a fundamental right, based on a permissive principle, a genuine connection and sufficiently balanced interests, this section makes recommendations for a method of implementing the judgment that fulfils these criteria to the fullest extent possible. It asks how local laws (EU law as the CJEU has clarified it and per the GDPR) may apply to extraterritorial conduct with mostly, but not exclusively, local effects. Unlike other suggestions, the present one focuses on questions of extraterritoriality, rather than on, for instance, the role of the person requesting redaction or the content of the search result in question.156 The recommendations follow the chronological process of a data subject filing a request to someone seeing redacted results. In line with the passive personality principle of jurisdiction, conflated here with the residence principle, only EU nationals or habitual residents may file delisting requests. They would have to provide a document showing as much when filing such a request. Further, Google should use geographic filtering to determine from where the data subject is filing the request. In line with an extended objective territoriality principle, it makes sense for the data subject to file the request from the EU because that is where any adverse privacy intrusions would happen. Granted, this approach is not perfect. A user could hide their location by using a VPN or similar, but as this would happen in such a small proportion of instances, any immediate negative effect of this would be minimal. This approach also excludes an EU subject from filing a request whilst abroad. However, it considers territory at the moment of initially requesting deletion in large part to avoid someone who happens to have EU citizenship, but no other connection whatsoever to the EU, from filing a request. Moreover, as Google considers each request individually, these issues

156

For a further consideration of these issues, see Svantesson, ‘Limitless Borderless Forgetfulness?’ (n 90) 134–135.

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

7.7 Suggested Solutions to Implementation Issues

185

could be resolved on an ad hoc basis.157 Indeed, the present section outlines a broad-brush approach to implementing the right to erasure that avoids undesired extraterritoriality. The precise details are beyond the scope of the research. In public international law terms, this personality and geographic filtering combination is viable because it allows foreign conduct to be regulated by EU lawmakers, whilst limiting the impact to national territory and residents.158 Any person on EU territory who accesses any version of Google should be shown redacted results.159 Google’s approach is for only those accessing Google from the same country as the data subject requested deletion see the redacted results. This study’s proposed method is in line with the objective territoriality principle, whereby the act (providing a list of search results) culminates in the EU. All actors involved, that is, the data subject and Internet users with accessto-information interests have tangible links to the EU. It follows that EU law may legitimately apply to their actions. This approach would not violate the US’ sovereignty as EU law would not apply on US territory, that is, to search results viewed in the US. Subjecting all US search engine users to EU law would be an example of an unacceptable exercise of extraterritorial jurisdiction under public international law, even when balancing rights. CNIL has fundamental rights concerns at the heart of its preferred method of implementation. Furthermore, if Google implemented the judgment to have worldwide effect, this would raise additional questions, including the following: [W]hat about the fact that such an approach sets a dangerous precedent internationally? If violations of local EU law must result in worldwide blocking what about content that violates local laws in North Korea or Russia? . . . [G]iven that the Google Spain judgment makes clear that the original content may remain online, the right expressed in the judgment is not aimed at guaranteeing complete protection in an absolute sense, so why insist on complete protection in a geographical sense?160 157

158

159

160

Ibid., 131 citing Julia Powles, ‘Results May Vary: Border Disputes on the Frontlines of the “Right to Be Forgotten”’, Slate Magazine (2015). Van Alsenoy and Koekkoek, ‘Internet and Jurisdiction after Google Spain’ (n 19) 114 (citation omitted). Territory is still important, but the mitigating factors need to be included in the assessment; ‘I advocate a departure from our traditional focus on the territoriality principle in favour of, what I see as a more contemporary approach, focused on “substantial connections” and “legitimate interests”’. Svantesson, ‘The Google Spain Case’ (n 61) 17. Christopher Kuner, Dan Jerker B Svantesson, Fred H. Cate, Orla Lynskey and Christopher Millard, ‘The Language of Data Privacy Law (and How It Differs from Reality)’ (2016) 6(4) International Data Privacy Law 259, 260.

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

186

Data Protection and the Free Flow of Information

Moving away from CNIL’s vigilant approach, however, it helps to use common sense in analysing the effects of the proposed solution. In practice, a very small proportion of Internet users would access search results where a data subject’s delisted links would still be listed. Such a situation would occur if the Internet user were outside the EU or were technologically savvy enough to hide their location. This could then be extrapolated to the data subject with delisted results not having their rights safeguarded, which in this example would mean irrelevant, outdated or unnecessary results about them would appear for a comparatively minor audience. Even considering these issues, the model proposed above would be a satisfactory manifestation of the legitimate exercise of jurisdiction to protect rights effectively. In the proposed model, the connection between EU law and the situation is sufficient, satisfying GDPR requirements related to the processing of personal data in the context of the activities of an establishment of a controller. Furthermore, the activities of the controller/establishment are clearly targeted at the country’s audience, not least because Google automatically directs users to country-specific versions of Google based on their geographic filtering methods. Balancing EU and US interests in exercising jurisdiction whilst maintaining sovereignty, and not interfering with the rights to data privacy on the one side and, for example, freedom of expression rights on the other side, renders the EU’s exercise of jurisdiction reasonable. Exercising jurisdiction in this way should appease the interests of most parties concerned and mitigate unproductive transatlantic jurisdictional conflicts. At the very least, it would be more effective than the current and proposed methods of implementation. How the EU has characterised the right to erasure could give rise to extraterritorial obligations on the part of the EU, but the proposed way to assert jurisdiction is not extraterritorial in a problematic sense. Indeed, it regulates the conduct of US-based entities, but it is rooted in the potential victim’s/data subject’s place of residency, and the information receiver’s location, which is territorial. This solution escapes the overly broad, genuinely extraterritorial reach CNIL advocated with global implementation. In that situation, someone using Google with no connections to the EU whatsoever would be affected by EU law, which is problematic. Furthermore, the present proposed approach would maintain the right to freedom of expression and access to information in the US. It effectively balances competing interests based on differing values. Lastly, and most importantly, it would safeguard the fundamental rights to privacy and data protection in the EU, which the CJEU has said override the interest of the general public in having access to certain information upon a search relating to a data subject’s name. Moreover, it has

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

7.8 Spreading a Global Standard through an EU Court Decision

187

been correctly asserted that the effects of delisting on an individual’s right to freedom of expression, access to information and the free flow of data are minor.161 A potential pitfall of this approach is the lack of protection for EU individuals everywhere. This is at the heart of the issue of the global Internet and is unlikely to be solved readily without a novel form of jurisdiction or creative interpretation of an existing form. Territoriality is still relevant in Internet jurisdiction today. Indeed, this approach uses geolocation to subdivide the Internet in a sense, with a figurative wall around the EU, but it can be most realistically and effectively applied. The EU would exercise jurisdiction with a sufficient connection to the relevant situation and in a reasonable manner.

7.8 spreading a global standard through an eu court decision Since Google Spain, certain third States have emulated the EU-style right to erasure, thereby spreading a high-level global standard in privacy protection.162 The case shows the ‘migration of some ideas that might be perceived as universal’.163 Furthermore, to gain adequacy decisions and thus receive personal data from the EU, third States will likely incorporate the right to erasure as outlined in the GDPR into their local laws. It is plausible that the right to erasure in the US will evolve to resemble more closely that in the EU.164 Eminent US scholar Alan Westin’s 1967 treatise on Privacy and Freedom embraces the following conception of privacy, into which the right to erasure falls nicely: ‘[t]he claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others’.165 In 2017, a group of New York politicians introduced a ‘right to be forgotten’ bill in the New York State 161

Article 29 Working Party, WP 225 2. Gabriela Zanfir, ‘How CJEU’s “Privacy Spring” Construed the Human Rights Shield in the Digital Age’ in Elzbieta Kuzelewska, Dariusz Kloza, Izabela Krasnicka and Franciszek Strzyczkowski (eds), European Judicial Systems as a Challenge for Democracy (Intersentia 2015) 123. 163 Kowalik-Banczyk ´ and Pollicino, ‘Migration of European Judicial Ideas Concerning Jurisdiction’ (n 17) 315 (abstract): ‘Some courts outside of Europe – such as Canada – are gaining “inspiration” from the CJEU’s Google Spain judgment in order to reinforce their own decisions’. 164 See, e.g., Rich Matta, ‘Americans Deserve a “Right to Be Forgotten”’ The Hill (27 May 2019); Brooke Auxier, ‘Most Americans Support Right to Have Some Personal Info Removed from Online Searches’ Pew Research Center (27 January 2020). 165 Alan F Westin, Privacy and Freedom (Atheneum 1967) 7. 162

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

188

Data Protection and the Free Flow of Information

Assembly and Senate, which includes the ‘inaccurate’, ‘irrelevant’, ‘inadequate’ or ‘excessive’ thresholds for removal similar to EU law.166 This was eventually withdrawn. It is not inconceivable, however, that a European-style version of the right to erasure will make its way into US law, although not until a shared change in conceptions of First Amendment rights vis-à-vis informational privacy rights develops.

7.9 interim conclusion The US and EU have historically conceived of the freedom of expression and the right to privacy differently, as reflected in their laws. Broadly speaking, whereas the US prioritises the freedom of expression, the EU favours the right to privacy. Particularly interesting since the advent of the Internet is how these rights have manifested themselves as the rights to data protection and, on the other side of the same coin, the right to the free flow of information. Since the EU honed a right to erasure within its data protection laws and has attempted to apply the right beyond its territorial boundaries, the US has retaliated, inspiring conflicts in jurisdiction. In an attempt to marry fundamental rights concerns, permissive principles of jurisdiction, and questions of connection and reason, the foregoing has suggested a way for the EU to exercise jurisdiction in the context of the right to erasure that will lessen transatlantic conflicts. Specifically, it proposes that only EU nationals or residents on EU territory should be able to file removal requests, and any Google user on EU territory should see a redacted list of search results. It argues that this approach is legitimate under public international law and is practically effective. This method can be applied in future situations where US and EU values, interests, laws and jurisdictions regarding data protection, online data processing and the freedom of expression collide. It could be a salient example of how transatlantic human rights and sovereignty concerns can be protected in an online setting.

166

New York State Senate, Assembly Bills A10466 and S04561 (2017).

https://doi.org/10.1017/9781108784818.007 Published online by Cambridge University Press

8 Enabling Transatlantic Trade and Protecting Privacy through Cross-Border Data Transfer Agreements

8.1 introduction As far back as 2001, when most European Member States had quite recently implemented the Data Protection Directive (DPD), then US Congressman Billy Tauzin said that the Directive ‘could be the imposition of one of the largest free trade barriers ever seen’.1 Indeed, moving on from framing transatlantic disagreements over data protection, security and the free flow of information, the discussion on jurisdictional tensions could be constructed as one on enabling, or frustrating, free trade. This is especially relevant when one considers transborder data flows, which allow many companies to do business online. A key issue in the subsequent case examples is the EU’s condemnation of mass surveillance practices in the US. However, whilst ‘[t]he US can largely ignore the political critique on US mass surveillance . . . it cannot ignore the economic relevance of EU–US data flows’.2 Transborder data flows are ‘now the lifeblood of modern trade’.3 Rather than the present example being indicative of a clear EU–US values-based jurisdictional clash, it is more exemplary of the EU’s unilateral exercise of jurisdiction based on its values and the resulting legal diffusion into the US. That ‘the entire structure of EU data transfer regulation is based on protecting data through the continued

1

2

3

Christopher Kuner, ‘Extraterritoriality and Regulation of International Data Transfers in EU Data Protection Law’ (2015) 5(4) International Data Privacy Law 235, 238 citing Patrick Ross, ‘Congress Fears European Privacy Standards’ CNET News (2 January 2002) . Europe v Facebook site, ‘US Government Joins Facebook EU–US Data Transfer Case as “Amicus”’ (19 July 2016) . Anupam Chander and Paul M Schwartz, ‘Privacy and/or Trade’ (2023) 90(1) University Chicago Law Review 1, 3.

189

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

190

Enabling Transatlantic Trade and Protecting Privacy

application of EU law once the data have left the EU’ is the main focus of this jurisdictional analysis.4 Where the EU has been successful at extending its jurisdiction to US-based companies, it has been largely unsuccessful at extending its prescriptive jurisdiction to US governmental surveillance practices, which it has tried to do through negotiating data transfer agreements. The negotiations have not solved any significant issues pertaining to US mass surveillance, but have had the positive side effect that US companies better protect data subjects’ personal data within their own privacy frameworks. The present research does not endeavour to focus on the wider political debate about the fear of mass surveillance and the security–Snowden discussion, on which much political commentary surrounding the EU–US transfer mechanisms focuses. Rather, it looks at extraterritoriality related to methods of data transfer and recent European jurisprudence on these transfers. This chapter asks to what extent the EU’s territorial extension of its data protection law is legitimate and effective when regulating EU to US data flows. It begins by briefly looking at EU law on personal data transfers to the US, covering different transfer mechanisms and Court of Justice of the European Union (CJEU) decisions. It outlines the General Data Protection Regulation (GDPR) provisions on transferring personal data to third States and, specifically, the ‘adequacy requirement’, whereby EU Member States may only transfer personal data to a third State that ensures an adequate level of protection for that data.5 As the US is not considered to provide an adequate level of protection, EU data controllers and processors transfer personal data to the US within certain frameworks, such as the now invalid Safe Harbour or Privacy Shield. In its landmark 2015 case Maximillian Schrems v Data Protection Commissioner, the CJEU ruled that, inter alia, US legislation failed to protect personal data transferred within the Safe Harbour framework to the extent that EU law requires, hence declaring it an invalid basis for data transfers.6 The European Commission and US representatives swiftly negotiated a (since invalidated) new transfer mechanism, the Privacy Shield, with many more EU-style protections.7 The chapter then looks at the

4 5

6

7

Kuner, ‘Extraterritoriality and Regulation of International Data Transfers’ (n 1) 241. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L 119 (GDPR) art 45. Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU: C:2015:650. See all documents here: (Privacy Shield Package); Commission Implementing Decision of 12 July

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.2 Balancing International Trade and Privacy

191

extraterritoriality of these transfer frameworks. It concludes by assessing the situation to delineate the extent to which the EU may territorially extend its jurisdiction considering its international human rights law duties, sovereignty over territory, connection and jurisdictional reasonableness.

8.2 balancing international trade and privacy The US and EU are each other’s most important commercial partners in relation to transborder data exchange. In 2020, the US exported over 247 billion USD in digitally enabled services to Europe and imported 142 billion USD from Europe.8 The economic value of this relationship emphasises the ‘strategic importance of maintaining open markets for [transatlantic] digital trade, and keeping the Internet as a free, open and interoperable platform’.9 On both the American and European sides, the importance of such data flows is also acknowledged. A representative of the US Department of State challenged some misconceptions about this shared relationship: [I]t is both simplistic and incorrect to argue that Europeans care more about their privacy than do Americans and . . . that Europeans care less about the health of the transatlantic digital economy than do Americans. That framing, which is all too common in the popular press, is both wrong and harmful to the prospects for joint problem solving.10

As the EU Commissioner for Justice rightfully stated in response to the CJEU’s decision in Schrems to invalidate the adequacy decision that allowed certain transatlantic data transfers to be made: ‘[I]t is important that transatlantic data flows can continue, as they are the backbone of our economy.’11

8

9

10

11

2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU–US Privacy Shield, Brussels COM (2016) 4176 final. Daniel S Hamilton and Joseph P Quinlan, ‘The Transatlantic Economy 2022: Annual Survey of Jobs, Trade and Investment between the United States and Europe’, Foreign Policy Institute, Johns Hopkins University SAIS/Transatlantic Leadership Network (2022) 49. European Commission, Speech by Vice-President Ansip at the Steering Committee of the Transatlantic Legislators Dialogue, European Parliament (2016) accessed 5 March 2018. Daniel A Sepulveda, ‘Remarks on the U.S. Privacy Framework and Signals Intelligence Reforms’, Digital Europe, Brussels, Belgium (2015) . European Commission statement, ‘First Vice-President Timmermans and Commissioner Jourová’s press conference on Safe Harbour following the Court ruling in Case C-362/14 (Schrems)’ (6 October 2015).

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

192

Enabling Transatlantic Trade and Protecting Privacy

Companies, regulators and commentators in the US often approach the reach of EU privacy law in terms of digital commerce.12 Actors based outside the US, including judges, lawmakers and policymakers, who limit flows of electronic information ‘to protect their citizens from U.S. surveillance’, are considered to ‘strike at the heart of . . . [technology] companies’ business models’.13 However, surveillance fears could instil distrust in the digital economy amongst consumers, so a balance must be struck between enabling data flows for economic purposes and mitigating those that could enable unwanted surveillance, which interferes with the fundamental rights to privacy and data protection.14 As the US, and particularly its technology companies, value transatlantic data flows so highly, this informs its willingness to accept some of the EU’s stringent data protection terms required to receive personal data from the EU. This seems plausible if one reads causality into the following sentiment: ‘[T]he USA support free global trade and have so far not retaliated against the protectionist data transfer restrictions in “Fortress Europe”.’15 In terms of the role of companies and governments, the US conceives of the data privacy practices of companies differently, and separately, from US governmental surveillance practices.16 These approaches to trade, data protection, and the regulation of company and governmental practices all play out in the below exploration of how jurisdiction is exercised in the online sphere.

12

13

14

15

16

See, e.g., US Mission to the EU, ‘Safe Harbor Protects Privacy and Provides Trust in Data Flows that Underpin Transatlantic Trade’ (2015) accessed 6 December 2016; an official US governmental reaction to the Advocate General’s statements in the Schrems case was that the Safe Harbour framework protected privacy was crucial for commerce and ensured trust in ‘data flows that underpin transatlantic trade’ (Ibid.) Henry Farrell and Abraham Newman, ‘The Transatlantic Data War’ Foreign Affairs (2016) . ‘If citizens are concerned about the large-scale processing of their personal data by private companies or by the surveillance of their data by intelligence agencies when using Internet services, this may affect their trust in the digital economy, with potential negative consequences on growth.’ Commission, ‘Rebuilding Trust in EU–US Data Flows’ (Communication) COM (2013) 846 final 3. Lothar Determann, ‘Adequacy of Data Protection in the USA: Myths and Facts’ (2016) 6(3) International Data Privacy Law 244, 247–248; this is the author’s own statement and not necessarily representative of the US government’s position. US FTC Commissioner Julie Brill, ‘Keynote Address at the Amsterdam Privacy Conference’ (2015) 9 8.

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.3 The Need for Adequate Protection

193

8.3 the need for adequate protection Article 45 GDPR and, more broadly, Chapter V GDPR on international data transfers articulate an ‘adequacy requirement’; third States to which the EU transfers personal data must ensure this data is afforded an adequate level of protection.17 EU Member States may only transfer personal data to those States or international organisations that the European Commission has decided guarantee an adequate level of protection, which is ‘essentially equivalent’ to the protections in the EU.18 The Commission considers, amongst others, the following elements when assessing the degree of adequacy in a third State: The rule of law; respect for human rights and fundamental freedoms; relevant legislation pertaining to data protection; the existence and effectiveness of independent supervisory authorities; and international commitments the State has entered into.19 Article 46 GDPR covers transfers to third States without an adequacy decision, but where the transfer is permitted because the data controller or processor has provided for ‘appropriate safeguards’.20 Such safeguards include binding corporate rules, standard contractual clauses (‘standard data protection clauses’ in the GDPR text) and codes of conduct.21 The European Commission has issued standard contractual clauses for transfers from data controllers or processors in the EU to controllers or processors outside the EU.22 Binding corporate rules apply within multinational companies that export data from the EU to entities of the same company in States without adequate levels of protection.23 It is generally accepted that the protections

17

18 19 20 21 22

23

See GDPR arts 44–45 and recitals 6, 101–107; Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ 1995 L 281/31 (DPD) art 25. For an analysis of the interplay between the GDPR’s territorial scope provisions and data transfer rules, see Christopher Kuner, ‘Territorial Scope and Data Transfer Rules in the GDPR: Realising the EU’s Ambition of Borderless Data Protection’ (2021) University of Cambridge Faculty of Law Research Paper No 20/2021. GDPR recital 104. Ibid., art 45(2). Ibid., art 46; DPD art 26 (‘adequate safeguards’). GDPR art 46(2); for more on Binding Corporate Rules, see GDPR art 47. European Commission, ‘Standard Contractual Clauses (SCC)’ . European Commission, ‘Binding Corporate Rules (BCR)’ .

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

194

Enabling Transatlantic Trade and Protecting Privacy

offered by standard contractual clauses and binding corporate rules are lower than those based on a data transfer agreement. Absent an adequacy decision or appropriate safeguards, a transfer to a third state may happen if, inter alia, the data subject has explicitly consented to the transfer; the transfer is needed to fulfil a contract between the data subject and data controller; it is necessary on important public interest grounds; or to protect the subject’s vital interests.24 Legislators intended for these derogations to be interpreted narrowly and applied sparingly.25

8.4 direct and indirect effects of the adequacy standard The GDPR’s adequacy requirement and its territorial scope directly or indirectly provide for the broad reach of EU data protection law, whereby EU data subjects and potentially third-State subjects enjoy EU-level protections. When the DPD was introduced, the concept of reciprocity in the standard was promoted.26 Some non-EU officials, however, deemed the approach protectionist and suggested it had an undesirable extraterritorial effect.27 Since then, however, the EU’s approach to data protection has proven largely successful and effective in using legal diffusion to set a high-level data protection norm around the world.28 A 2014 geopolitical study of the then 101 States with data protection laws demonstrated that European data protection standards ‘have had far more influence outside Europe than has been realised’ and asserted that this influence was only increasing.29 Only fourteen States have achieved full or partial 24 25

26

27 28

29

GDPR art 49. Christopher Kuner, ‘Article 49. Derogations for Specific Situations’ in Christopher Kuner and others (eds), The EU General Data Protection Regulation (GDPR): A Commentary (Oxford University Press 2020) 846. Lokke Moerel, Binding Corporate Rules: Corporate Self-Regulation of Global Data Transfers (Oxford University Press 2012) 19. Ibid. Ibid.; Moerel also cites Corien Prins, ‘Should ICT Regulation Be Undertaken at an International Level?’ in Bert-Jaap Koops and others (eds), Starting Points for ICT Regulation: Deconstructing Prevalent Policy One-liners (TMC Asser Press 2006) 172. See too Cedric Ryngaert and Mistale Taylor, ‘The GDPR as Global Data Protection Regulation?’ (2020) AJIL Unbound 5 and Shannon Togawa Mercer, ‘The Limitations of European Data Protection as a Model for Global Privacy Regulation’ (2020) AJIL Unbound 20. Graham Greenleaf, ‘Sheherazade and the 101 Data Privacy Laws: Origins, Significance and Global Trajectories’ (2014) 23(1) Journal of Law, Information & Science, Special Edition: Privacy in the Social Networking World 4; Graham Greenleaf, ‘The Influence of European Data Privacy Standards outside Europe: Implications for Globalisation of Convention 108?’ (2012) University of Edinburgh School of Law Research Paper Series No 2012/12, abstract.

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.5 Transatlantic Data Transfer Agreements

195

adequacy decisions; however, at least two-thirds of the more than 145 States with data protection laws have EU-style laws.30 These States are either EU/ EEA Member States; they have emulated the DPD or GDPR in their local privacy laws; they have ratified Council of Europe Convention 108 and its Additional Protocol, which is close to the GDPR standard; and/or they are close to obtaining an adequacy decision. The EU’s clear influence on other States’ data protection laws and its open goal to be prominent is a key example of the EU extending the reach of its law by influencing the content of third-State law.31 As its regulation is highly influential and third States have enacted data protection laws to mirror those in the EU, through a form of ‘GDPR hegemony’, the EU is successfully extending a high level of data protection to citizens of third States.32 This is largely due to trade reasons, as third States would then easily meet the EU’s adequacy standard needed for cross-border data flows, but is tangibly taking on a more fundamental rights-based character. This change could enhance the EU’s obligations to secure robust fundamental rights protections in its data transfer regulation. Some third States have consequently internalised this rights-focused approach. The US, being a key EU trading partner, has not met this standard, which has triggered many negotiations, multiple agreements and court cases, as outlined below.

8.5 transatlantic data transfer agreements This research explores the reach of the Union’s influence on the US. The US and EU have devised ad hoc policy solutions to enable data transfers. These processes ‘provide key elements for an intense process of nonlegislative lawmaking’ by governmental and non-governmental actors.33 This section looks at the Safe Harbour data transfer framework and the subsequent CJEU Schrems case that invalidated the adequacy decision enabling the Safe 30

31

32 33

Graham Greenleaf, ‘Global Data Privacy Laws 2021: Despite COVID Delays, 145 Laws Show GDPR Dominance’ (2021) 169 Privacy Laws & Business International Report 1, 1–2; European Commission, ‘Adequacy Decisions’, ; for why few States have formal adequacy decisions, see Robert Carolina, ‘Why the EU Has Issued Relatively Few Data Protection Adequacy Determinations? A Reply’ (Lawfare, 13 January 2017) . Joanne Scott, ‘Extraterritoriality and Territorial Extension in EU Law’ (2014) 62(1) American Journal of Comparative Law 87. Greenleaf, ‘Global Data Privacy Laws 2021’ (n 30) 5. Paul M Schwartz, ‘The EU–US Privacy Collision: A Turn to Institutions and Procedures’ (2013) 126 Harvard Law Review 1967.

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

196

Enabling Transatlantic Trade and Protecting Privacy

Harbour agreement. It finishes by examining the replacement Privacy Shield transfer arrangement and developments since the CJEU struck it down in 2020.34

8.5.1 Safe Harbour As the US failed to be deemed adequate, the EU and US negotiated and enacted an agreement, known as the US-EU Safe Harbour framework, which was valid from 2000 to 2015.35 It was an instrument of EU secondary legislation issued by the European Commission.36 The Safe Harbour Privacy Principles were a list of ostensibly European-style data protection principles designed for US organisations receiving and processing personal data from the EU.37 The Principles were developed to facilitate trade and commerce between the US and EU.38 US companies could join the Safe Harbour agreement voluntarily; they then self-certified their compliance with its provisions. It has always been controversial. Initially, this controversy was due to its narrow scope and slow membership growth; eventually, most of the criticism highlighted its failure in adequately protecting privacy.39 In response to Edward Snowden’s 2013 National Security Agency (NSA) surveillance disclosures and growing mistrust in cross-border transfers of personal data, in 2013, the European Commission launched negotiations with the US to make the Safe Harbour

34

35

36

37

38 39

C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems [23 July 2020] ECLI:EU:C:2020:559. Whilst it is technically a unilateral act of the European Commission, one can refer to the Safe Harbour as an agreement because it is the result of bilateral negotiations and compromise. It is variably referred to as an agreement or ‘the Safe Harbour’, but also an arrangement, decision, framework, set of principles and so on – all of which are not incorrect. 2000/520/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) [2000] OJ L 215/7. See US Department of Commerce, ‘Safe Harbor Privacy Principles’, U.S.–EU Safe Harbor Framework Guide to Self-Certification, 10–14 accessed 6 March 2018; for the EU’s information on the Safe Harbour, see accessed 6 March 2018. See US Department of Commerce, ‘Safe Harbor Privacy Principles’ (n 37) 10. Damon Greer, ‘Safe Harbor May Be Controversial in the European Union, but It Is Still the Law’, The Privacy Advisor (2013) .

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.5 Transatlantic Data Transfer Agreements

197

better protective of privacy.40 In March 2014, the European Parliament called for the Safe Harbour framework to be suspended.41 Noticing flaws in the Safe Harbour framework and fearing US surveillance agencies were using his personal data obtained through Facebook, Austrian Facebook user Maximillian Schrems initiated legal action against Facebook, as outlined below.

8.5.2 Proceedings in the Schrems Case The applicant, Schrems, lodged a complaint in 2013 against Facebook Ireland Ltd (Facebook Inc.’s European headquarters) with the Irish national data protection supervisory authority (DPA), the Data Protection Commissioner.42 Schrems took issue with Facebook transferring EU citizens’ personal data to the US, where, he asserted, it was insufficiently protected. Facebook Ireland was transferring personal data to Facebook Inc. in the US, where it was being processed, and Schrems claimed US privacy laws offered no protection from US security agencies using this data for indiscriminate mass surveillance.43 He also sought to highlight the general failings of the 2000 US-EU Safe Harbour agreement at ensuring that EU individuals’ data was adequately protected when processed in the US. The Irish Data Protection Commissioner declined to investigate the complaint and the case went before the High Court of Ireland.44 The High Court then filed a request for a preliminary ruling before the CJEU.45 The request pertained to the validity of the European Commission’s adequacy decision approving the Safe Harbour framework (Decision 2000/520) and thus enabling EU–US data flows between companies.46 It concerned Article 25(6) DPD, which provides that the Commission may deem a third State adequate upon concluding negotiations to remedy a finding that it does not offer adequate protection, and 40

41

42

43

44

45 46

European Commission press release, ‘European Commission calls on the U.S. to restore trust in EU–U.S. data flows’ (27 November 2013). European Parliament press release, ‘US NSA: stop mass surveillance now or face consequences, MEPs say’ (12 March 2014). Complaint against Facebook Ireland Ltd – 23 ‘PRISM’ (2013) . Ibid., 28: ‘[Schrems] contended in his complaint that the law and practice in force in [the US] did not ensure adequate protection of the personal data held in its territory against the surveillance activities that were engaged in there by the public authorities.’ Schrems v Data Protection Commissioner [2014] IEHC 310, 2 ILRM 441; Schrems v Data Protection Commissioner (No 2) [2014] IEHC 351, 2 ILRM 506. Case C‑362/14 Maximillian Schrems v Data Protection Commissioner (n 6). Ibid., para 1.

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

198

Enabling Transatlantic Trade and Protecting Privacy

Article 28 DPD on the powers of DPAs.47 Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (EU Charter) (on privacy, data protection and an effective remedy, respectively) were to inform this interpretation. On 6 October 2015, the Court issued its ruling in the Schrems case.48 This ruling had ramifications for many stakeholders outside the EU, showing the far reach of an EU court’s judgment. It considered two main questions on (i) the powers of DPAs – those who monitor how Member States implement EU data protection law – and (ii) the validity of the Safe Harbour agreement. The request for a preliminary ruling was based on interpreting provisions in the DPD on the transfer of personal data to third States, in the light of the EU Charter. The Court ruled that DPAs may consider whether data transfers to a third State comply with the relevant DPD and EU Charter provisions, even if the European Commission has found that State to provide an adequate level of data protection.49 Only the CJEU, however, may declare an adequacy decision invalid.50 This means the territorial extension process became highly legalised, with the Court being able to stop transborder data flows. The CJEU iterated that the Safe Harbour principles were ‘applicable solely to self-certified United States organisations receiving personal data from the European Union, and United States public authorities are not required to comply with them’.51 The principles may also be overridden by ‘national security, public interest, or law enforcement requirements’.52 This limitation admitted of interference with an EU data subject’s fundamental right to private life.53 On the Safe Harbour agreement, the Court stated that the US needs to protect EU individuals’ fundamental rights to an ‘essentially equivalent’ degree as in the EU.54 This protection was required by the DPD read together with the EU Charter.55 The Court found that the Safe Harbour agreement did not prevent US authorities from processing EU individuals’ personal data in a way incompatible with EU standards, especially as US security and law enforcement requirements could overrule protections in the Safe Harbour agreement. The Advocate General had found the Safe

47 48 49 50 51 52 53 54 55

Ibid. Ibid. Ibid., para 66. Ibid., para 61. Ibid., para 82. Ibid., paras 84 and 86 citing Annex I to Decision 2000/520/EC para 4. Ibid., para 87. Ibid., paras 73, 74 and 96. Ibid., para 73.

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.5 Transatlantic Data Transfer Agreements

199

Harbour agreement and its application to constitute ‘a wide-ranging and particularly serious interference with those fundamental rights [to privacy and data protection]’.56 The Court declared the Commission’s 2000 adequacy decision invalid.57 The US and EU then had to negotiate a new transfer agreement, outlined below.

8.5.3 The Privacy Shield and Subsequent Developments As the CJEU had ultimately invalidated the Safe Harbour framework, companies could no longer lawfully transfer data to the US using that as a legal basis. The Article 29 Working Party gave US and EU negotiating parties until the end of January 2016 to conclude a suitable transfer agreement.58 US and EU representatives were compelled to finish negotiations begun two years previously to produce a new transfer arrangement as quickly as possible. This section focuses on EU individuals and US businesses as addressees of the Privacy Shield, and how it prima facie protected their interests. Even though the CJEU eventually invalidated the Privacy Shield in 2020, as explained below, it is pertinent to trace the developments of EU–US negotiations on data transfer agreements to illustrate how the EU pushes its data protection laws globally with varying degrees of success. After consultations between the European Commission and the US government that resulted in political agreement in February 2016, the European Commission issued the adequacy decision and adopted the EU–US Privacy Shield Package in July 2016.59 It came into effect in August 2016.60 Despite appearing to be a bilateral agreement, the Privacy Shield was in fact a unilateral act of the European Commission, based on bilateral negotiations.61

56

57 58

59

60 61

Case C‑362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU: C:2015:627, Opinion of AG Bot. Ibid., para 106. Article 29 Working Party, Statement on the implementation of the judgement of the Court of Justice of the European Union of 6 October 2015 in the Case C-362/14 Maximillian Schrems v Data Protection Commissioner (n 6) (16 October 2015). European Commission press release, ‘European Commission launches EU–U.S. Privacy Shield: stronger protection for transatlantic data flows’ (12 July 2016). Ibid. ‘Besides the public view of an agreement, the instruments – Safe Harbour and now Privacy Shield – are in effect unilateral acts of an EU organ, the European Commission, based on a negotiation process.’ Erich Schweighofer, ‘Principles for US–EU Data Flow Arrangements’ in Dan Jerker B Svantesson and Dariusz Kloza (eds), Trans-Atlantic Data Privacy Relations as a Challenge for Democracy (Intersentia 2017) 28.

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

200

Enabling Transatlantic Trade and Protecting Privacy

The Privacy Shield Package comprised an adequacy decision with Privacy Shield principles and numerous annexed documents, which together made over 100 pages of strengthened privacy protections for EU–US data transfers.62 Irish and French privacy Non-Governmental Organisations (NGOs) uniquely initiated action before the EU’s General Court, claiming that the Privacy Shield did not provide adequate protections and seeking its annulment.63 US government officials, European Commission representatives and EU DPAs conducted the first annual review of the Privacy Shield in September 2017.64 They concluded that the Shield ensured an adequate level of protection, but the Commission nonetheless had several recommendations for improvement on the US side.65 The Privacy Shield applied to transfers of all personal data, specifically data about an ‘identified or identifiable individual that are within the scope of the [Data Protection] Directive, received by an organization in the United States from the European Union, and recorded in any form’.66 Prima facie, this appeared to fall within the wide scope of application of the DPD and, eventually, the even wider scope of application of the GDPR. This broad or overextension was unlikely to materialise, however, for reasons discussed below. As with the Safe Harbour framework, organisations that received personal data from the EU could voluntarily sign up to the Privacy Shield and continue to self-certify their adherence to it annually.67 The Privacy Shield included some key changes, which better protected privacy. It maintained and expanded upon seven key privacy principles, which mirrored those in European data protection law. The renewed principles included notice; choice; accountability for onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement and liability; with some detailed supplemental principles.68 Privacy Shield companies had to inform individuals about, inter alia, the purposes for which they collected and used the data subject’s personal data, and that individual’s right to access that personal data.69 They were obliged to

62 63

64

65 66 67 68 69

Privacy Shield Package (n 7). Case T‑670/16 Digital Rights Ireland Ltd v European Commission [2017] ECLI:EU:T:2017:838; Case T-738/16 La Quadrature du Net and Others v Commission [2017] ECLI:EU:T:2017:775. European Commission, ‘First Annual Review of the EU–U.S. Privacy Shield’ (2017) . Ibid. Privacy Shield Principles (n 7) I.8.a. Ibid., III.6. Ibid. Ibid., II.1 (notice).

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.5 Transatlantic Data Transfer Agreements

201

give individuals an opt-out choice as to whether their personal data may be disclosed to a third party or used for a purpose other than that for which it was originally collected.70 Companies that transferred personal data to a third party were required to enter into a contract with that third party ‘that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles’.71 Companies had to keep the data secure and limit the amount of personal data to that relevant for the purposes of processing.72 Unless it would be excessively burdensome, individuals had to be able to access the personal data companies held about them, and correct, amend or delete it if need be.73 All these provisions echoed and built upon those in the Safe Harbour. They were more detailed, bestowed more obligations upon companies and better empowered the data subject. The US Department of Commerce periodically carried out compliance reviews, and the US Federal Trade Commission (an independent governmental agency tasked with protecting consumers and maintaining competition) (FTC) or Department of Transportation enforced companies’ commitments to the Privacy Shield.74 The Department of Commerce established a contact point to liaise and cooperate with European DPAs.75 A key obstacle to concluding the Privacy Shield was the US stance on an ombudsperson with specific powers, to which US Secretary of State John Kerry finally agreed a week before the Shield was concluded.76 He agreed to establish a Privacy Shield Ombudsperson at the US Department of State, independent from national security services, to address and investigate complaints from EU individuals. These individuals had four opportunities for redress.77 First, they may have complained to the company in question, which had to reply within 70 71 72 73 74 75 76

77

Ibid., II.2 (choice). Ibid., II.3 (accountability for onward transfer). Ibid., II.4 (security) and 5 (data integrity and purpose limitation). Ibid., II.6 (access). Letter from Under Secretary for International Trade Stefan Selig. Ibid. See Sheftalovich calling this ‘the phone call that saved safe harbour’, based on discussions with ten anonymous US and EU negotiators and officials: ‘[T]he idea for an ombudsman had been floated earlier in the month, and the reception on the EU side was lukewarm. Europeans wanted the position to be independent and have real power. And they wanted it in writing. Kerry agreed.’ Zoya Sheftalovich, ‘The Phone Call That Saved Safe Harbor’ Politico (5 February 2016). European Commission Fact Sheet, ‘EU–U.S. Privacy Shield: Frequently Asked Questions’ (2016) . See too Kristina Daugirdas and Julian Davis Mortenson, ‘Contemporary Practice of the United States Relating to International Law’ (2016) 110(2) The American Journal of International Law 346, 367–368.

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

202

Enabling Transatlantic Trade and Protecting Privacy

forty-five days. Second, they were entitled to free alternative dispute resolution. Third, they may have obtained redress through their national DPA, who could work with the US Department of Commerce and FTC to ensure unresolved complaints were dealt with. Finally, individuals could have final recourse to an arbitration mechanism, the Privacy Shield Panel, which could issue an enforceable decision.

8.5.3.1 The Schrems II Case After the case returned to the Irish High Court, Schrems resubmitted an amended version of his original complaint (known as the Schrems II case), this time focusing on standard contractual clauses as the data transfer mechanism.78 This case is separate from the aforementioned ones where NGOs challenged the validity of the Privacy Shield adequacy decision. Schrems was specifically requesting that the Irish Data Protection Commissioner stop data flows between Facebook Ireland and Facebook Inc., per Article 4 of the standard contractual clauses, because US surveillance laws conflicted with EU data protection laws.79 The Irish Data Protection Commissioner, however, questioned the validity of the adequacy decision underlying standard contractual clauses per se.80 In October 2017, the Irish High Court referred the matter to the CJEU.81 Notably, an Irish High Court judge in the Schrems II case approved the US government filing an amicus curiae brief, so it was then joined to the case and eventually participated as an intervening party at the CJEU. The judge justified this approval with the following statement, which shows the US had more than a passing political interest in the outcome of the case: The United States has a significant and bona fide interest in the outcome of these proceedings. At issue in the proceedings is the assessment, as a matter of EU law, of the applicant’s law governing the treatment of EU citizens’ data transfer to the US. The imposition of restrictions on the transfer of such data

78 79

80

81

Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (n 34). See ‘Irish High Court rules on Facebook Surveillance Case: Irish DPC Has “Well Founded Concerns” over US Surveillance of Facebook EU-US Data Transfer Complaint Referred to European Court of Justice – For a Second Time’ (2017) . Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (n 34) paras 34–42. Ibid., para 335.

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.5 Transatlantic Data Transfer Agreements

203

would have potentially considerable adverse effects on EU-US commerce and could affect US companies significantly.82

For the first time, the US government was weighing in on the issue in a manifestly legal, rather than purely political, manner. In terms of evaluating US law, the Irish High Court in Schrems II explicitly permitted written and oral submissions by experts on US law and practice.83 This approach did not happen with proceedings in the Schrems case before the Irish High Court and the CJEU. On 16 July 2020, the CJEU concluded that the adequacy decision underlying the Privacy Shield was invalid, thereby striking it down.84 This ruling was largely based on the potential for mass surveillance within the US national security framework and a lack of data subject rights.85 The Court maintained that the adequacy decision on standard contractual clauses for transfers to third-State data processors was valid, but they outlined stricter requirements for standard contractual clauses as bases for personal data transfers.86 The clauses must ensure that the level of protection offered to the data subject is essentially equivalent to that in the GDPR read in the light of the EU Charter, which could necessitate implementing additional measures.87

8.5.3.2 Responses and Further Developments As more than 5,000 companies had been relying on the Privacy Shield to make data transfers, the decision had immediate ramifications for US companies. Even the Court’s pronouncements on making standard contractual clauses stronger based on case-by-case analyses placed extra burdens on companies using them. The ruling could ‘destroy Transatlantic commerce’ with enormous costs associated with disrupted cross-border data transfers.88 The US Secretary of Commerce Wilbur Ross quickly issued a statement saying the Department of Commerce was ‘deeply disappointed’ with the 82

83

84

85 86 87 88

Ibid., 19. See the amicus brief here: Written Legal Submission on Behalf of the United States of America as Amicus Curiae in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Ibid.). Christopher Kuner, ‘Third Country Law in the CJEU’s Data Protection Judgments’ (European Law Blog, 12 July 2017) . Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (n 34) para 201. Ibid., paras 184–185, 191–197. Ibid., paras 134–136. Ibid. Kristian Stout, ‘EU Data Transfer Laws Might Destroy Transatlantic Commerce’ The Hill (26 October 2020).

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

204

Enabling Transatlantic Trade and Protecting Privacy

decision and that they were ‘in close contact with the European Commission and European Data Protection Board (EDPB) on this matter and hope to be able to limit the negative consequences to the USD7.1 trillion (trans-Atlantic) economic relationship that is so vital to our respective citizens, companies, and governments’.89 Ross affirmed, however, that the Department of Commerce would still process Privacy Shield applications. In practice, many companies turned to standard contractual clauses, as revised by the European Commission in 2021, to legitimise their personal data transfers. In March 2022, the European Commission President, Ursula von der Leyen, announced at a joint press conference that she and US President Joe Biden had ‘found an agreement in principle on a new framework for transatlantic data flows’, which would ‘[safeguard] privacy and civil liberties’ and ‘balance security and the right to privacy and data protection’.90 Companies welcomed the legal certainty of the eventual agreement, but privacy activists were wary that the US had not sufficiently changed its invasive surveillance laws.91 As such, the legality of a revised Privacy Shield could still be doubtful.

8.6 the extraterritoriality of transatlantic data transfer arrangements Despite the fundamental rights rhetoric and subtext of surveillance worries, the Privacy Shield, Safe Harbour agreement, standard contractual clauses, adequacy requirement and, indeed, data protection law in its nascent form, aim to enable personal data transfers, so US companies can easily do business with European companies and customers. The framework is intended to foster international digital trade and commerce between the US and EU.92 As the DPD could apply to many data transfers worldwide, already in 2000 it was acknowledged as having ‘extra-jurisdictional effects’.93 The same is true of the 89

90

91

92

93

US Department of Commerce press release, ‘U.S. Secretary of Commerce Wilbur Ross Statement on Schrems II Ruling and the Importance of EU–U.S. Data Flows’ (16 July 2020). European Commission – Statement, ‘Statement by President von der Leyen with US President Biden’ (25 March 2022). Francesco Guarascio and Foo Yun Chee, ‘EU–U.S. Data Transfer Deal Cheers Business, but Worries Privacy Activists’ Reuters (25 March 2022). EU–U.S. Privacy Shield Framework Principles Issued by the U.S. Department of Commerce, I.1. citing 15 USC § 1512, which provides that ‘[i]t shall be the province and duty of [the Department of Commerce] to foster, promote, and develop the foreign and domestic commerce’. Gregory Shaffer, ‘Globalization and Social Protection: The Impact of EU and International Rules in the Ratcheting Up of US Privacy Standards’ (2000) 25(1) Yale Journal of International Law 55, referring to the DPD, but also relevant in the context of the GDPR.

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.6 The Extraterritoriality of Transatlantic Data Transfer Arrangements 205

GDPR. US businesses feel the most significant impact of these effects, amongst other reasons because they engage in so many transactions with European data controllers and processors, and have the technology to use personal data in sophisticated ways.94 Participation in the Safe Harbour and Privacy Shield by companies was voluntary, but in practice was needed to gain consumer trust and access to the EU market.95 Although a new data transfer framework is being concluded, this section refers to the Privacy Shield as representative of the US-EU approaches to such frameworks. 8.6.1 Effects on Companies US companies have increasingly adopted European-style privacy protection models, exemplifying some diffusion of EU norms. As an example of the ‘Brussels Effect’, which is the EU’s unilateral power to regulate global markets,96 Anu Bradford has acknowledged that ‘many U.S. corporations have already adopted, however reluctantly, privacy policies that satisfy the EU requirements’ in order to gain access to the EU market.97 Indeed, the decision in Schrems and subsequent developments could be understood as an indirect example of the Brussels Effect because they seem to be ‘based on the rationale that withholding recognition of data transfers to the US may result in the US adopting standards closer to the European model’.98 An assessment of privacy ‘on the ground’, in which two academics interviewed anonymous privacy officials at companies in the US, France, the UK, Germany and Spain, showed considerable convergence between the various privacy regimes.99 There were three noteworthy conclusions on the corporate privacy culture on both sides of the Atlantic. First, beyond compliance and legal formalism, privacy encompassed satisfying consumer expectations.100 94 95

96

97

98

99

100

Ibid. As of July 2022, more than 5,300 companies had self-certified compliance with the Privacy Shield; see . More companies in one year had joined the Privacy Shield than the Safe Harbour agreement in its first ten years. Anu Bradford, The Brussels Effect: How the European Union Rules the World (Oxford University Press 2020) xiv. Anu Bradford, ‘The Brussels Effect’ (2012) 107(1) Northwestern University Law Review 1, 24. See too Manuel Klar, ‘Binding Effects of the European General Data Protection Regulation (GDPR) on U.S. Companies’ (2020) 11(2) Hastings Science and Technology Law Journal, 101. Christopher Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ (2017) 18 German Law Journal 881, 893. Kenneth A Bamberger and Deirdre K Mulligan, Privacy on the Ground: Driving Corporate Behavior in the United States and Europe (MIT Press 2015) 65. Chris Jay Hoofnagle, Federal Trade Commission Privacy Law and Policy (Cambridge University Press 2016) 314 citing Bamberger and Mulligan, Privacy on the Ground (n 99).

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

206

Enabling Transatlantic Trade and Protecting Privacy

Second, to avoid suffering reputational harm, companies were compelled to protect privacy in light of the potential for enforcement action by the FTC or local DPAs.101 DPAs may impose extraordinarily high fines for certain infringements under the GDPR.102 Third, making the role of Chief Privacy Officer or Chief Data Protection Officer professional and setting consumer norms has enhanced privacy protections across companies.103 Even governmental authorities acknowledge this: ‘[T]he American private sector, acting in their own self-interest as well as in an effort to comply with law, are developing a culture of privacy protection.’104 It appears European data protection norms are spreading to countries globally through private actors. In terms of companies and privacy protections, the Schrems case was not about Facebook having done something wrong.105 In allowing US authorities to access personal data imported from the EU, they were simply complying with US law.106 Rather, the issue revolved around the broad derogations the Safe Harbour adequacy decision permitted, which may or may not have been compatible with primary EU law.107 Nonetheless, the Schrems decision had an immediate impact on how US companies framed their privacy protections. For example, on the same day the Court issued the judgment, Microsoft released a message saying it had enacted ‘additional and stringent privacy protections’, and complied with EU standard contractual clauses to permit data transfers absent the Safe Harbour.108 The company also explicitly considers privacy to be a fundamental right.109 As standard contractual clauses have high transaction costs and binding corporate rules are only applicable within big multinational companies, it is more attractive for US companies to certify compliance with the Privacy Shield or equivalent data transfer framework to enable personal data transfers.

101

Ibid. GDPR art 83. 103 Hoofnagle, Federal Trade Commission Privacy Law and Policy (n 100) 314 citing Bamberger and Mulligan, Privacy on the Ground (n 99). 104 Sepulveda, Remarks on the U.S. Privacy Framework (n 10). 105 Opinion of AG Bot (n 56) para 168. 106 Ibid. 107 Ibid. 108 Brad Smith, ‘A Message to Our Customers about EU–US Safe Harbor’ (Microsoft on the Issues, 6 October 2015) . 109 John Frank, ‘Microsoft Supports EU–US Privacy Shield’ (Microsoft EU Policy Blog, 11 April 2016) . 102

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.6 The Extraterritoriality of Transatlantic Data Transfer Arrangements 207

Under the Privacy Shield, companies were only required to inform individuals about ‘the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements’.110 Further, the Privacy Shield covered data requests from national agencies, but made many things optional: Companies ‘may voluntarily issue periodic transparency reports on the number of requests for personal information they receive by public authorities for law enforcement or national security reasons’.111 Many major companies release such transparency reports on government requests, including Alphabet, Amazon, Apple, LinkedIn, Meta, Microsoft, Twitter and Uber.112 The main point that companies have made is that they could change a lot about what they can do, but they cannot change the US government’s statutory approach to the processing of non-US persons’ data on US territory. The effect Schrems and Schrems II had on companies again exemplifies part of the Brussels Effect relating to the ‘nondivisibility’ of their conduct, whereby a company ‘is forced to adjust its global operations to the most demanding EU standard’ because it is technologically tricky to apply different protections to different data sets.113 Following from this, global standards emerge in response to corporations’ voluntary action. It is convenient, technologically feasible and cost-effective for global companies to adhere to EU data protection standards. It is similarly straightforward for third States to import the EU data protection legal framework directly into their own legal systems to obtain adequacy agreements. This anonymous interview of a US practitioner illustrates that component of the Brussels Effect: In the context of Safe Harbour, binding corporate rules, privacy and data protection discussions, the practitioner said, ‘we end up defaulting to the highest common denominator, which really right

110

EU–US Privacy Shield (n 7) II.1(a)(xii). Ibid., III.16(a). 112 For example, in addition to tens of thousands of law enforcement requests for data, Meta received 1–499 requests for US National Security Letters (NSLs) requesting data from 1–499 users or accounts in the first half of 2021. They also received 0–499 US Foreign Intelligence Surveillance Act (FISA) content requests on 125,000–125,499 users or accounts, and 0–499 noncontent requests on 0-499 users or accounts in the same period. Meta is only permitted to report these numbers in bands of 500 and must delay the release of information on the number of FISA requests. See . These statistics cover a comparatively tiny proportion of Meta users. 113 Bradford, ‘The Brussels Effect’ (n 97) 18. See too a suggestion to focus on a doctrine of ‘market sovereignty’ and a government’s ability to exercise jurisdiction over online activities in the market upon which it can exercise market-destroying measures. Dan Jerker B Svantesson, ‘The Extraterritoriality of EU Data Privacy Law – Its Theoretical Justification and Its Practical Effect on U.S. Businesses’ (2014) 50(1) Stanford Journal of International Law 53. 111

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

208

Enabling Transatlantic Trade and Protecting Privacy

now is Europe’.114 An anonymous former Chair of the FTC said ‘the GDPR has to some extent become the national US privacy policy’.115 Such sentiment is echoed by people in comparable work environments. In sum, smart companies realise that ‘if you want to do business in Europe . . . you have to respect values in Europe and the law here in Europe’.116

8.6.2 Government Reactions The Privacy Shield and related data transfer frameworks entail various elements of extraterritoriality. The European Commission framed the issue in terms of EU individuals, EU data subjects and ‘complaints by EU citizens’, so such frameworks are undoubtedly geared towards protecting the rights of people with a link to the EU.117 In response to the Schrems decision and resultant negotiations, the US began with a more critical stance, quickly softening to a more cooperative one. The US wants the EU to make international data transfers easier. Upon completing the Privacy Shield, US Secretary of Commerce Penny Pritzker acknowledged it was ‘essential to transatlantic commerce’, and promoted shared values whilst bridging differences.118 Similarly, President Biden noted in 2022 that the agreed framework for data transfers would ‘promote growth and innovation in Europe and the United States; and help companies, both small and large, compete in the digital economy’.119 Indeed, despite disparities, the US government is not close to protesting formally any perceived unlawful extraterritoriality by the EU in its CJEU decisions and subsequent negotiations. In response to the Advocate General’s opinion in the Schrems case, which was ultimately in line with the Court invalidating the Safe Harbour agreement, but was not followed where he gave DPAs the power to suspend transfers to third States, US governmental representatives released a key 114 115 116

117

118

119

Bamberger and Mulligan, Privacy on the Ground (n 99) 65. During an event with the author in 2022. Prof Christopher Kuner’s talk: ‘Reality and Illusion in EU Data Transfer Regulation PostSchrems’ on 6 October 2016, Trinity College Dublin, Ireland. European Commission press release, ‘European Commission launches EU–U.S. Privacy Shield’ (n 59). US Mission to the EU, ‘Statement from U.S. Secretary of Commerce Penny Pritzker on EU– U.S. Privacy Shield’ (2016) accessed 25 May 2018. The White House Briefing Room, ‘Remarks by President Biden and European Commission President Ursula von der Leyen in Joint Press Statement’ (25 March 2022) .

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.6 The Extraterritoriality of Transatlantic Data Transfer Arrangements 209

statement to refute his argumentation.120 They claimed that the Advocate General erred in much of his opinion and that the Safe Harbour was a valid, living document, which the EU and the US were renegotiating to improve.121 After describing various assertions about the US’ surveillance practices as inaccurate, the statement portrayed the Safe Harbour negotiations as successful.122 Finally, it pronounced that the ‘underlying issue’ went ‘far beyond’ the Safe Harbour and rather entailed the ability of third States, businesses and citizens to rely on agreements negotiated with the European Commission.123 It referred to the trade benefits the Safe Harbour provided to citizens and businesses on both sides of the Atlantic.124 It also referenced the ‘far-reaching consequences’ of the Advocate General’s and, by extension, the CJEU’s opinion that would significantly impede upon individual rights and the free flow of information.125 The US authorities’ response frames the consequences of the Schrems decision in terms of cross-border data flows that enable trade and commerce, and are important to businesses and individuals. Whilst not a formal legal protest at the reach of EU law, the statement demonstrates their displeasure with the Advocate General’s opinion and, following from this, the gist of the Schrems and Schrems II judgments. US authorities continued this approach by filing the abovementioned amicus curiae brief before the CJEU in the Schrems II case. Reacting to the Schrems decision and reaffirming the sentiment expressed in response to the Advocate General’s opinion, the US Secretary of Commerce released a statement saying that the US government was ‘deeply disappointed’ with the decision that gave rise to uncertainty for businesses and consumers, and put the EU-US digital economy at risk.126 The US Secretary of Commerce was similarly ‘deeply disappointed’ with the 2020 Schrems II ruling.127 The FTC Commissioner Julie Brill noted the huge shock the outcome caused to US governmental authorities, policymakers and

Glynn Moody, ‘US Defends Safe Harbor, Says It Never Uses “Indiscriminate Surveillance”’ Ars Technica (29 September 2015). 121 US Mission to the EU, ‘Safe Harbor Protects Privacy’ (n 12); an official US governmental reaction to the Advocate General’s statements in the Schrems case was that the Safe Harbour framework protected privacy, was crucial for commerce and ensured trust in ‘data flows that underpin transatlantic trade’ (Ibid.). 122 Ibid. 123 Ibid. 124 Ibid. 125 Ibid. 126 Ibid. 127 US Department of Commerce press release, ‘U.S. Secretary of Commerce Wilbur Ross Statement’ (n 89). 120

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

210

Enabling Transatlantic Trade and Protecting Privacy

companies.128 Brill acknowledged that in Europe and some parts of the US, the decision was ‘hailed as strong vindication of Europeans’ fundamental right of privacy’.129 As the FTC acknowledged, it is conceivable that the knock-on extraterritorial effect of the Schrems judgment would be to expedite changes in US law to be more protective of privacy: ‘[The decision] may, in the longer term, help restart efforts in the United States to put in place stronger privacy and data security laws that will benefit all.’130 The FTC supports this enhanced protection as it had already been calling upon Congress to enact stronger consumer privacy laws for multiple years. The FTC as an enforcer has been historically active at bringing cases under the general FTC Act and specific statutes in the area of privacy and data security. The US government’s reactions post-Schrems and Schrems II show its dismay at the uncertainty after the withdrawal of certain data transfer frameworks and the lack of acknowledgement that the two bodies were already renegotiating transfer mechanisms. That is, it does not appear to take immediate issue with the CJEU’s capacity to regulate those transfers. Reactions have lent more towards ‘we have already been protecting privacy’ than ‘we disagree with you’. The US has, to a certain extent, shown willingness to improve privacy protections for both EU and US citizens.131 8.6.3 Privacy Shield Negotiations and Marginally Successful Legal Diffusion Information about the Privacy Shield negotiations suggests pushback, but eventual commitment, from the US vis-à-vis EU requests, especially with implementing an ombudsperson and the Judicial Redress Act. This is discussed below. Details of the negotiations are unavailable – indeed the entire process was uncommendably non-transparent – but these two ‘wins’ for the EU show the Union’s strength at influencing the relevant US law. This strength, however, was limited. In the context of the Privacy Shield negotiations, the US Congress passed the Judicial Redress Act, which allows the Attorney General to extend the protections in the US Privacy Act 1974 to citizens of certain other States.132 Accordingly, European citizens may file civil actions under the US Privacy Act in US courts against, for instance, the US government or companies, for 128

US FTC Commissioner Julie Brill, Keynote Address at the Amsterdam Privacy Conference (n 16). 129 Ibid., 4. 130 Ibid., 12. 131 Sepulveda, Remarks on the U.S. Privacy Framework (n 10). 132 5 USC § 552(a) note.

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.6 The Extraterritoriality of Transatlantic Data Transfer Arrangements 211

mishandling their personal data. Technology companies pushed for the legislation to pass as it would enhance post-Snowden trust in such companies, and ultimately benefit their business.133 Although the Privacy Shield conclusion was not contingent upon the passage of the Judicial Redress Act, assurance that it would pass was important in the negotiating phase. As such, some lawmakers viewed the Act as a ‘giveaway to Europe’.134 During the negotiations on the importance of the US passing the Judicial Redress Act with amendments, the Commission appeared to secure agreement unilaterally, until some late pushback from the US side.135 The US Senate passed an amended version of the bill, apparently to appease some of the issues with allowing ‘Fortress Europe’ to act unilaterally. The amended version included the following caveats: a State may be on the list of those whose citizens may obtain redress according to the Privacy Act only if it permits US companies to transfer personal data from that State’s territory to the US and if the transfer arrangements ‘do not materially impede the national security interests of the United States’.136 This again prioritised US data processing in the name of security, which did little to allay the issues behind Schrems’ original complaint to the Irish Data Protection Commissioner. It also shows how the EU was not quite successful at spreading its data protection laws in some areas. Indeed, in Schrems II, the CJEU invalidated the Privacy Shield based in part on the lack of actionable redress available to EU data subjects.137 The EU–U.S. Data Privacy Framework is due to have a new two-tier redress system. 8.6.4 The Failure of EU Law Diffusion in Data Transfer Frameworks As explored in Section 8.6.3, developments in regulating transborder data flows have been partly responsible for US companies adopting EU-style privacy protections. These developments have had varying success at extending privacy protections to EU citizens vis-à-vis US surveillance 133

134

135

136 137

Letter from technology companies to Speaker of the House John Boehner and Democratic Leader Nancy Pelosi (2015) . Katie Bo Williams, ‘Lawmakers Rush to Get 11th Hour Privacy Deal’ The Hill (27 January 2016). ‘It seemed like the Europeans held all aces. Ultimately, safe harbor 2.0 was a unilateral decision by the Commission. For once, the U.S. had to toe the line. Until someone broke ranks [and irreversible damage was done].’ Sheftalovich, ‘The Phone Call that Saved Safe harbor’ (n 76). 5 USC § 552(a) note sec 2(1)(c). Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (n 34) paras 191–193.

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

212

Enabling Transatlantic Trade and Protecting Privacy

practices, as this section investigates. It also outlines some of the EU’s original issues with the US’ practices. Referring to a 2013 European Commission communication on transatlantic data flows, released in response to the NSA revelations, the CJEU in Schrems noted that the Commission found US authorities could access personal data transferred from the EU to the US, and process it in a manner incongruent to the original purposes of its transfer.138 This further processing would go beyond what was necessary and proportionate.139 US authorities, however, pledged to make some changes – or rather, to emphasise their privacy practices, as outlined in letters from government officials as part of the Privacy Shield Package.140 The European Commission understood this as being the first time that the US ‘has given the EU written assurance, to be published in the federal register, that the access of public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms’.141 One such letter from General Counsel at the Office of the Director of National Intelligence (ODNI) referenced US intelligence laws, including Presidential Policy Directive PPD-28 on Signals Intelligence Activities.142 The letter reiterated PPD-28’s provision that in response to national security threats, the US must collect signals intelligence in bulk and it provided some limitations to its use.143 These apparent privacy protections applied to all individuals, regardless of their nationality and place of residence.144 The letter, which guaranteed that the PPD-28 protections applied under the Privacy Shield, also appeared to concede the US does indiscriminately collect bulk (i.e. not targeted) information. Paradoxically, the letter also referenced the USA Freedom Act’s prohibition on bulk

138

Maximillian Schrems v Data Protection Commissioner (n 6) paras 11–25 citing Commission, ‘Rebuilding Trust in EU-US Data Flows’ (Communication) COM (2013) 846 final and Commission, ‘The Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU’ (Communication) (2013) 847 final. 139 Maximillian Schrems v Data Protection Commissioner (n 6) para 22 citing Commission, ‘The Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU’ (Communication) (2013) 847 final. 140 Brussels, 12.7.2016 (C 2016) 4176 final ANNEXES 1 to 7 to the Commission Implementing Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU–U.S. Privacy Shield. 141 European Commission Fact Sheet, ‘EU–U.S. Privacy Shield: Frequently Asked Questions’ (n 77). 142 Privacy Shield Package, Letter from US General Counsel for the Office of the Director of National Intelligence Robert S Litt citing Presidential Policy Directive PPD-28 on Signals Intelligence Activities, 17 January 2014. 143 Ibid. 144 Ibid.

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.6 The Extraterritoriality of Transatlantic Data Transfer Arrangements 213

collection of records pertaining to either US or non-US individuals.145 Even in its adequacy decision, the European Commission provided that ‘bulk collection is limited to (exceptional) situations’, seeming to acknowledge that it does occur.146 On its site on Frequently Asked Questions relating to the Privacy Shield, the European Commission stated that ‘[t]he U.S. affirms that there is no indiscriminate or mass surveillance’.147 The understanding seems to be that the US may, according to its own laws, conduct bulk collection of signals intelligence. As its authorities have guaranteed that this information would be used for any of only six specific purposes, and that the US would focus on targeted, as opposed to indiscriminate, interception, this collection would not constitute mass or indiscriminate surveillance.148 It is unclear what actually applied, however it confirms that the EU has had no direct effect on the US government’s intelligence practices as the latter’s laws have not changed in direct response to the Privacy Shield requirements. The CJEU explicitly stated that ‘legislation [as exists in the US] permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life’.149 It seems that the US authorities are still compromising the essence of that right and the CJEU is the body compelling change. For instance, in Schrems II, the Court ruled that neither Section 702 of the US Foreign Intelligence Surveillance Act (FISA), nor Executive Order 12333, read together with PPD-28, provide the minimum safeguards under EU law regarding proportionality.150 US domestic law allowed access and use by US public authorities of personal data transferred from the EU to the US within the Privacy Shield framework beyond what was strictly necessary and proportional, as required in Article 52 of the EU Charter. This therefore did not satisfy the ‘essentially equivalent’ threshold of protection, rendering the adequacy decision invalid.151 It remains to be seen how 145

Ibid. EU–US Privacy Shield (n 7) recital 76. 147 European Commission Fact Sheet, ‘EU–U.S. Privacy Shield: Frequently Asked Questions’ (n 77). 148 Privacy Shield Package, Letter from US General Counsel for the Office of the Director of National Intelligence Robert S Litt citing Presidential Policy Directive PPD-28 on Signals Intelligence Activities, 17 January 2014. 149 Maximillian Schrems v Data Protection Commissioner (n 6) para 94. 150 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (n 34) para 184. See Foreign Intelligence Surveillance Act 50 USC §§ 1801–1885c. 151 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (n 34) para 185. 146

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

214

Enabling Transatlantic Trade and Protecting Privacy

rhetoric around limiting access to data by US intelligence authorities within any transatlantic data transfer frameworks will translate into legal change in the US. 8.6.5 Interim Conclusion on Extraterritoriality The developments in EU–US data transfer regulation have been successful in changing US companies’ privacy practices. Companies are compelled to comply ‘not by threat of foreign enforcement but by threat of truncation from the E.U. market’.152 That said, under the GDPR, companies that violate its stipulations on international transfers (although not necessarily bilateral transfer agreements) shall be subject to administrative fines of up to 10,000,000 EUR or 2 per cent of total worldwide annual turnover, whichever is higher, and those that do not comply with certain orders from DPAs shall be fined up to 20,000,000 EUR or 4 per cent of global annual turnover.153 Such high fines, as a form of foreign enforcement, could also induce compliance. There is concern that if the US does not make concessions on surveillance and obstinately denounces EU protectionism and privacy rights, then US businesses will be the ones to suffer.154 This risk could inspire change, again through something akin to the Brussels Effect, where trade and market access spur changes in third-State law.

8.7 jurisdictional assessment This section analyses the extent to which it is legitimate for an EU court to change how businesses (either US companies or EU companies that transfer personal data to the US) conduct themselves. The section also considers the EU’s attempted regulation of US governmental surveillance practices. It begins by looking at the EU’s obligations under international human rights law to prescribe or apply its law, specifically under the EU Charter or EU data protection law read in the light of the Charter, extraterritorially. Next, it looks at permissive principles under public international law to determine the reach of EU law under different versions of territoriality. Relevant to the enduring significance of territory is how the CJEU’s rulings have spurred a move 152

153 154

McKay Cunningham, ‘Complying with International Data Protection Law’ (2016) 84(2) University of Cincinnati Law Review 421, 450, also: ‘Regardless of whether a U.S. company technically falls within the purview of E.U. law, the international trend decidedly tilts toward expanding data protection laws.’ Ibid. GDPR art 83(5)(c); GDPR art 83(6). Farrell and Newman, ‘The Transatlantic Data War’ (n 13).

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.7 Jurisdictional Assessment

215

towards territory-focused data nationalism. Finally, the section weighs up the EU’s and US’ interests in regulating data transfers and applies a rule of reason to the reach of EU law.

8.7.1 International Human Rights Law According to international human rights law and the EU Charter, the EU must respect, protect and fulfil its data subjects’ fundamental right to data protection. If the Privacy Shield or similar transfer agreements are understood as a manifestation of EU data protection principles and not EU law per se, this shows some attempt at applying Charter-style protections where data controllers or processors established in third States process EU data subjects’ personal data. This section outlines the ever-increasing focus on the individual in the framework of fundamental rights and data protection law. It then investigates the EU’s duties towards its data subjects.

8.7.1.1 Protecting Individual Interests The focus on the individual as data subject and rights-bearer in the Schrems and Schrems II decisions and data transfer frameworks, such as the Privacy Shield, emphasises how the protection of personal data is framed as an individual right, as opposed to an economic necessity or compliance exercise for companies. This emphasis is sometimes geared towards anyone ‘in the Union’ and sometimes uniquely geared towards EU citizens. There is an ‘[u]mbilical connection between rights and citizenship’, but EU data protection law appears to afford non-EU citizens data protection rights too.155 The Privacy Shield and similar frameworks focus unequivocally on individual rights and companies. There was a discernible shift from protecting only companies’ commercial interests to also protecting individuals’ privacy rights in the Privacy Shield framework.156 The Privacy Shield website, managed by 155

156

Christopher Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ (2016) Cambridge University Legal Studies Working Paper No 14/2016 37 citing Samuel Moyn, The Last Utopia: Human Rights in History (Harvard University Press 2010) location 444 (Kindle edition). Cf. e.g., the letters from the Department of Commerce in the Privacy Shield Package with their 2009 Guide to Self-Certification: ‘[A]pproved by the EC in 2000, the Safe Harbor Framework helps protect U.S. companies from experiencing interruptions in their business dealings with the EU. Self-certifying to the Safe Harbor will assure that EU organizations know that your company provides “adequate” privacy protection, as defined by the EU Directive.’ US Department of Commerce, ‘Safe Harbor Overview’, U.S.–EU Safe Harbor Framework Guide

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

216

Enabling Transatlantic Trade and Protecting Privacy

the International Trade Administration of the US Department of Commerce, was explicitly aimed at three target audiences: EU individuals, EU businesses and US businesses.157 Further, the European Commission published a guide to the Privacy Shield with information on individual rights and avenues for redress.158 Interestingly, it stated that ‘[t]he protection given to your data applies regardless of whether you are an EU citizen or not’, which suggests it applied to a broad range of data, with no citizenship or residency limiting factor.159 Furthermore, the Privacy Shield’s lack of actionable data subject rights and redress opportunities was one of the key reasons the CJEU ultimately invalidated it. The Schrems decision iterates that the DPD (and GDPR) should be read ‘in the light of the EU Charter’ and that any data transfer agreement between the US and EU should not threaten the ‘essence’ of the fundamental right to private life.160 Accordingly, the Union is working hard to frame transfer agreements in terms of rights for individuals. The present example highlights the shift from State–individual, rather than State–State relations and the associated sovereignty issues. This research argues that the EU has an obligation to safeguard its data subjects’ right to data protection abroad. In practice, this involves US companies processing personal data relating to EU individuals. The right’s constitutional status in the EU and associated obligations; CJEU jurisprudence; and the form of human rights jurisdiction the EU may exercise legitimise this obligation under international human rights law. The subsequent section aims to delineate which obligations (protect, respect, fulfil) may be applied extraterritorially.

8.7.1.2 The Obligation to Respect The obligation to respect is one of conduct. The EU has a negative obligation to refrain from acts that would infringe upon someone’s enjoyment of the right to data protection. Specifically, this constitutes a negative obligation to respect an individual’s right to data protection by not interfering with their privacy in the context of personal data processing. In this example, if the European

157 158

159 160

to Self-Certification 3 . See Privacy Shield website . European Commission, ‘Guide to the EU–U.S. Privacy Shield’ accessed 6 March 2018. Ibid., 7. Maximillian Schrems v Data Protection Commissioner (n 6) paras 38 and 97.

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.7 Jurisdictional Assessment

217

Commission determines that a third State does not satisfy the GDPR’s adequacy requirement, the data transfer may take place only if it is subject to appropriate safeguards or falls within certain permissible derogations.161 In the DPD, this was phrased even more starkly: absent an adequacy decision, ‘Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country’.162 This approach amounts to the territorially unlimited application of the negative obligation ‘to refrain from conduct that would assist third parties in violating the right to privacy [or data protection]’.163 The EU is also fulfilling these obligations by prohibiting data transfers outside the EU that are not covered by appropriate safeguards (see Article 46 GDPR on standard contractual clauses, binding corporate rules and similar) or do not fall within permitted derogations (see Article 49 GDPR covering consent, performance of contracts, public interest, vital interests and so on). In the present example, the CJEU also contributed to respecting this right by requiring all data transfers to the US for commercial purposes to stop after it invalidated the Commission decisions underlying the Safe Harbour framework and Privacy Shield. As such, the EU is fulfilling its obligations to avoid conduct that would enable third States to unjustifiably interfere with its data subjects’ right to data protection.

8.7.1.3 The Obligations to Protect and Fulfil The Union’s obligation to respect could be understood to apply initially as a negative obligation of conduct to refrain from transferring data to certain third States. If a State has failed to receive an adequacy decision or if the Commission, upon review, determines that a State no longer ensures an adequate level of protection, it shall enter into negotiations to remedy that situation.164 If it then entered into negotiations with third States, the EU’s obligation would become a positive obligation of conduct to protect, as outlined below. Closely linked to this is the obligation to fulfil, which implies a positive obligation of result, that is, an obligation to facilitate an individual’s enjoyment of the right to data protection by providing legal, regulatory and 161

GDPR arts 46 and 49. DPD art 25(4). 163 Marko Milanovic, ‘Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age’ (2015) 56(1) Harvard International Law Journal 81, 124. As mentioned in Chapter 3, see too Milanovic’s analogy of the non-refoulement rule in, e.g., Soering v United Kingdom App No 14038/88 (ECtHR, 7 July 1989) or Judge v Canada, Communication No 829/1998, UN Doc CCPR/C/78/D/829/1998 (2003). 164 See GDPR art 45(6) and DPD art 25(5) for this phrasing. 162

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

218

Enabling Transatlantic Trade and Protecting Privacy

enforcement mechanisms, and resources. The EU ordinarily offers these mechanisms within its own territory or in places under its effective control. Evident in negotiations between the US and EU over data transfers in many different contexts (such as PNR Agreements discussed in Chapter 6), the EU must attempt to encourage or ensure a third State adopts at least some aspects of its high-level data protection law if that State wants to receive data from the EU at all. The third parties in this example, namely US companies that receive information from the EU or US surveillance bodies, are outside the EU. Accordingly, this requirement obliges the EU to actively prevent thirdparty violations of its data subjects’ right to data protection in an extraterritorial context. In terms of positive and negative obligations to exercise jurisdiction to safeguard privacy rights, the EU’s positive obligations would apply in a place under its effective control. Again, the data flows example makes it difficult to determine effective control or where an effect is felt. As the Schrems decision confirms, when establishing an interference with the fundamental right to respect for private life or data protection, it does not matter whether ‘the persons concerned have suffered any adverse consequences on account of that interference’.165 If one conceives of effective control as control ‘following’ someone’s personal data, then the EU – having initially prescribed how that data may be controlled and processed – could be understood as legitimately exercising jurisdiction over this data. The Union could also have ‘virtual control’ over this personal data. Moreover, the general duty to protect individuals from third-party interferences that the Charter bestows upon the EU could legitimise its wide scope of application, regardless of effective or virtual control requirements. It could also legitimise the territorial extension of EU law necessitated by the GDPR’s adequacy requirement. To a certain extent, the US is satisfying obligations to fulfil EU data subjects’ right to data protection. EU negotiators, as with the PNR Agreement, pushed to ensure EU citizens could have redress mechanisms in the US under the Privacy Shield. Particularly the passage of the US Judicial Redress Act meant EU citizens had a newly established way of exercising a variety of rights, ultimately in the US.166 US agencies conduct enforcement action on US soil, although this would often be in partnership with EU DPAs. They could conduct enforcement action prima facie according to US law,

165 166

Maximillian Schrems v Data Protection Commissioner (n 6) para 87. For information on redress mechanisms available to EU citizens, see European Commission Press Corner, ‘Trans-Atlantic Data Privacy Framework’ (2022) or European Commission Fact Sheet, ‘EU– U.S. Privacy Shield: Frequently Asked Questions’ (n 77).

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.7 Jurisdictional Assessment

219

although enforcing EU data protection principles as outlined in the data transfer framework. Further, EU citizens may bring about this enforcement action as it pertains to them, without even having been to the US. The Privacy Shield Ombudsperson at the US Department of State could address and investigate complaints from EU individuals.167 Similarly, under the EU-U.S. Data Privacy Framework, a two-tier redress system, including a Data Protection Review Court, may investigate and resolve complaints by European individuals.168 The US is providing enforcement mechanisms in the US for EU citizens, inspired by EU negotiations, which shows a noteworthy degree of extraterritoriality.

8.7.1.4 Interim Conclusion on International Human Rights Law The EU has successfully achieved its obligations of conduct and partially of result and fulfil, too. The fundamental right to data protection has been called one ‘not to be put on the negotiating table with trade partners’.169 However, it is not an absolute right and ought to be subject to certain limitations, as explored below. Indeed, it is in the EU’s best interests to maintain transatlantic data flows that enable trade, so they ought to be prepared to put data protection rights on the negotiating table.

8.7.2 Public International Law To ensure that the EU respects the territorial sovereignty of the US and adheres to its duty of non-interference, there must be a jurisdictional principle allowing the EU to exercise extraterritorial prescriptive jurisdiction. Relevant principles include the objective territorial, passive personality and protective principles, and the effects doctrine. Some commentators have suggested that the EU’s adequacy requirement per se threatens third-State sovereignty because it compels them to implement adequate (specifically: essentially equivalent) data protection laws.170 The permissive principle underpinning the EU’s exercise of jurisdiction is most viably the subjective territorial 167 168 169

170

ANNEX A: EU-U.S. Privacy Shield Ombudsperson Mechanism (n 7). European Commission Press Corner, ‘Trans-Atlantic Data Privacy Framework’ (n 166). Max Schrems, ‘The Privacy Shield Is a Soft Update of the Safe Harbor’ (2016) 2(2) European Data Protection Law Review 148. Liane Colonna, ‘Article 4 of the EU Data Protection Directive and the Irrelevance of the EU– US Safe Harbor Program?’ (2014) 4(3) International Data Privacy Law 204 citing Joshua S Bauchner, ‘State Sovereignty and the Globalizing Effects of the Internet: A Case Study of the Privacy Debate’ (2000) 26(2) Brooklyn Journal of International Law 689, 691.

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

220

Enabling Transatlantic Trade and Protecting Privacy

principle. Particularly in this example, territory is important, even as ‘extraterritorial’ and ‘territorial’ lose some of their resonance in the global sphere of international data processing.

8.7.2.1 Data Localisation as Territoriality A solution to jurisdictional conflicts that purports to safeguard data subjects’ rights, whilst returning to a rigid interpretation of the territoriality principle, is data localisation – or data nationalism. Data localisation is when governments or companies keep personal data within a specific State, usually for security or privacy reasons.171 They do so by, inter alia, making cross-border data transfers impossible or particularly cumbersome.172 A move to data localisation was a major reaction to the Schrems judgment and indicates a return to exercising jurisdiction based purely on a territorial nexus. As soon as the GPDR started applying in May 2018, many US websites denied users trying to access the sites from EU territory for fear of being fined for non-compliance.173 In other words, allowing website visitors from only specific regions meant the companies could limit their legal obligations. It is uncertain whether personal data can be wholly localised, so a discussion on extraterritoriality is still relevant. Some States, such as Russia, insist on storing all personal information locally.174 This raises serious human rights questions related to, for instance, freedom of expression; such informational control lends itself well to authoritarian regimes.175 Many, more liberal States, such as Australia, Brazil and Canada, also exercise some form of data nationalism, suggesting that the ‘era of a global Internet may be passing’.176 Some companies are endeavouring to do the same in the EU, as explained below. This manifestation of data localisation represents a ‘new generation of Internet border controls’, which seeks to keep information in a country rather than out of it.177 There are, Anupam Chander and Uyên P Lê, ‘Data Nationalism’ (2015) 64(3) Emory Law Journal 677, 679–680. 172 Ibid., 680. 173 Rebecca Sentence, ‘GDPR: Which Websites Are Blocking Visitors from the EU?’ Econsultancy (31 May 2018). 174 Chander and Lê, ‘Data Nationalism’ (n 171) abstract. See, e.g., Reuters Staff, ‘Russia Tells Facebook to Localize User Data or Be Blocked’ Reuters (26 September 2017). 175 Chander and Lê, ‘Data Nationalism’ (n 171) 735–739. See too Uta Kohl and Diane Rowland, ‘Censorship and Cyberborders through EU Data Protection Law’ in Uta Kohl (ed), The Net and the Nation State: Multidisciplinary Perspectives on Internet Governance (Cambridge University Press 2017) 93. 176 Chander and Lê, ‘Data Nationalism’ (n 171) 679. 177 Ibid. 171

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.7 Jurisdictional Assessment

221

however, several issues with data localisation. It can negatively affect the ease of transfer between digital economies and, ultimately, runs counter to the Internet as a free and open space. The present section does not weigh up the merits and shortcomings of data localisation. Instead, it uses these developments to draw conclusions about the EU–US data privacy interface and territorial jurisdiction. Soon after the Schrems ruling, Hamburg’s Data Protection Commissioner suggested that those who wanted to avoid the political and legal consequences of the judgment should consider storing personal data on EU-only servers.178 Companies such as Oracle and Microsoft announced they were storing personal data on European citizens in data centres on EU soil purportedly to better comply with EU data protection law.179 Twitter started offering services to users who ‘live outside the United States’ through their Dublinbased Twitter International company, which handles personal data under Irish data protection law, then based on the DPD. Twitter Inc. provides services to those living in the US, who are subject to US law.180 As such, both EU residents and non-US third-State residents who used Twitter’s services were subject to the EU’s strong privacy protections, whereas US residents were not. However, Twitter has since moved non-EU and non-UK customers to its Twitter Inc. company, so only its EU/UK-based customers enjoy EU-style protections.181 Many other companies have offered similar options to have users’ personal data stored in the EU.182

178

Hamburgischen Beauftragten für Datenschutz und Informationsfreiheit (HmbBfDI), Positionspapier der Datenschutzbehörden zu Safe Harbor, Gemeinsame Erklärung schafft Rahmen für einheitliche Prüfstrategie (26 October 2015). 179 Karlin Lillington, ‘Oracle Keeps European Data Within Its EU-Based Data Centres’ The Irish Times (28 October 2015); Murad Ahmed and Richard Waters, ‘Microsoft Unveils German Data Plan to Tackle US Internet Spying’ Financial Times (11 November 2015); Max Smolaks, ‘Dropbox Moves into European Data Centers to Comply with Regulation’ DatacenterDynamics (23 September 2016). 180 ‘If you live outside the United States, our services are now provided to you by Twitter International Company, our company based in Dublin, Ireland. Twitter International Company will be responsible for handling your account information under Irish privacy and data protection law, which is based on the European Union’s Data Protection Directive. If you live in the United States, the services will continue to be provided to you by Twitter, Inc., based in San Francisco, California, under United States law.’ (Twitter, ‘Privacy Updates: Some Revisions to Our Policies’ (2015) accessed 6 December 2016). 181 ‘If you live in the United States or any other country outside of the European Union, EFTA States, or the United Kingdom, the data controller responsible for your personal data is Twitter, Inc.’. Twitter, ‘Privacy Policy’ (2022) . 182 These include Microsoft, Oracle and Dropbox: Lillington, ‘Oracle keeps European Data’ (n 179); Ahmed and Waters, ‘Microsoft Unveils German Data Plan’ (n 179); Smolaks, ‘Dropbox

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

222

Enabling Transatlantic Trade and Protecting Privacy

As the Internet is increasingly Balkanised, questions arise of whether and to what extent this walling off actually enhances data protection and could reduce undesirable mass surveillance.183 An empirical mapping of the privacy policies of twenty major Internet cloud companies and the location of their users’ personal data shows that for sixteen of these twenty companies, the data is either transferred or stored in the US (or potentially other countries), or could be transferred outside the data subject’s State of residence and potentially outside the EEA.184 In other words, the personal data was not always guaranteed EU-level protection. Indeed, Oracle representatives acknowledged that its European localisation applied only to data storage and not to data transfers.185 Three providers in the mapping of privacy policies committed to storing and processing personal data in the EU, two of which appeared to use this ‘to serve as a marketing “trust” label to differentiate them from their US counterparts’.186 The mapping was largely based on pre-Schrems information, however. Since the Schrems decision, many more cloud providers have given users the option to have their personal data stored in the EU, thereby allowing certain EU and non-EU residents to have EU-level protection. The numbers have changed, but not necessarily the motivations. In talks with a lawyer and a leader of product security at Dropbox, the former said customers could opt in to having their data stored in Europe; when asked, he said this option was largely for competition reasons because other companies were doing this, meaning the main motive was not data protection.187 The companies’ reasons are apparently not wholly privacy-inspired, but do show a changing corporate culture and heightened consumer demand for data privacy. Arguments for data localisation in this context are that firms can protect human rights or, at least, avoid being caught in difficult legal situations by walling off the Internet. In 2013, a Magistrate Judge in the US issued a warrant to Microsoft, compelling them to disclose to the Federal Bureau of

183

184

185 186

187

Moves into European Data Centers’ (n 179). This discussion is ongoing, see Brad Smith, ‘Answering Europe’s Call: Storing and Processing EU Data in the EU’ (Microsoft EU Policy Blog, 6 May 2021) . Christopher Kuner and others, ‘Internet Balkanization Gathers Pace: Is Privacy the Real Driver?’ (2015) 5(1) International Data Privacy Law 1, 2. Dimitra Kamarinou, Christopher Millard and W Kuan Hon, ‘Cloud Privacy: An Empirical Study of 20 Cloud Providers’ Terms and Privacy Policies – Part II’ (2016) 6(3) International Data Privacy Law 170, 171 (citations omitted). Lillington, ‘Oracle Keeps European Data’ (n 179). Kamarinou, Millard and Hon, ‘Cloud Privacy: An Empirical Study – Part II’ (n 184) 171 (citations omitted). Talk with Dropbox employees in Berkeley, US (2016).

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.7 Jurisdictional Assessment

223

Investigation all e-mails associated with an account under investigation.188 These e-mails were stored on Irish servers, so Microsoft argued that the US Stored Communications Act (SCA), under which the data had been requested, could not have such extraterritorial effect and refused to disclose the e-mails.189 After years of legal wrangling, in 2018, the US Supreme Court decided upon the issue.190 In the meantime, however, the US Congress passed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which altered the SCA to include cloud storage of US communication providers, regardless of where the cloud servers were located.191 Accordingly, the Department of Justice issued a new search warrant for the e-mails under the authority of the CLOUD Act, so Microsoft was obliged to turn over the e-mails stored on Irish servers. The case was ultimately declared moot. This instance shows how localisation did not provide legal clarity, as it purports to do. Accordingly, it is not eminently a solution to transatlantic conflicts over privacy versus security or privacy versus trade, as the ordeal surrounding the Microsoft case confirms. Whilst an interesting development that shows companies’ aims to look attractive by adhering to EU law through a distinctly territorial connection, the effectiveness of this localisation is uncertain, which might contribute to the EU standard prevailing, as explained below.192 Data localisation is not viable for every company, showing how the technical and legal ‘nondivisibility of standards’ could spur convergence.193 Not only is making data wholly local a difficult – and perhaps unattainable – venture, it has historically been ‘technologically difficult or impossible to separate data involving European and non-European citizens’.194 Creating unique data-processing facilities for only the EU and its residents has long been considered expensive, often prohibitively so.195 That said, certain big tech companies with vast technological and financial resources, such as

188

United States v Microsoft Corp, 584 US __ (2018) 1. In the Matter of a Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corporation, No 14-2985, 2016 WL 3770056 (2d Cir, 2016). 190 United States v Microsoft Corp (n 188). 191 18 USC § 1 note. 192 Data localisation might not be effective at preventing national intelligence agencies (especially NSA-GCHQ) from sharing personal data. See Kuner, ‘Reality and Illusion in EU Data Transfer Regulation’ (n 98) 915; Kuner and others, ‘Internet Balkanization Gathers Pace’ (n 183) 2. 193 Bradford, The Brussels Effect (n 97) 17–19. 194 Ibid., 25 citing Ryna Singel, ‘EU Tells Search Engines to Stop Creating Tracking Databases’ (2008) WIRED . 195 Bradford, The Brussels Effect (n 97) citing Brandon Mitchener, ‘Standard Bearers: Increasingly, Rules of Global Economy Are Set in Brussels’ Wall Street Journal (23 April 2002). 189

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

224

Enabling Transatlantic Trade and Protecting Privacy

Microsoft, have committed to storing the data of EU clients in the EU.196 If separating personal data of EU individuals or customers from that of non-EU individuals is technologically challenging or too expensive for certain companies, those companies would therefore default to EU-style protection regarding transatlantic data processing. As some companies choose to offer worldwide customers the option of having their personal data stored in the EU to allay their privacy concerns – despite this not necessarily being the companies’ actual motivation – data localisation could be increasing privacy protection for most of the international community. This raises questions, however, of whether that legal standard could ever become a shared ideal as the companies’ practices exclude US residents. In practice, data nationalism’s efficacy has yet to be proven, and it seems impractical and outdated. The European Commission has warned against the global trend towards ‘unjustified data localisation’, which is premised on the notion that localised services are automatically safer than transborder ones.197 If restrictive governments can wall off the Internet to perpetuate their dismal human rights records, recreating the same elsewhere does not imply better human rights protection. Further, it presents a retreat to outdated concepts (recall the cybernauts vs territorialists debate of the early Internet days) and seems unrealistic, as some data would eventually have to be transferred abroad, even if physically stored in one jurisdiction. Nonetheless, it is interesting to highlight the Balkanisation of the Internet because it per se reconfigures notions of territory online. The move towards data nationalism appears to confirm the relevance of territorial jurisdiction in protecting rights. It suggests legal diffusion has been unsuccessful and certain companies perceive US law as inadequately reflecting higher European legal standards, to the dissatisfaction of their consumers. As such, they return to cold territoriality for efficiency.

8.7.2.2 Subjective Territoriality Subjective territoriality covers situations in which an act begins in one territory and is completed in a different territory. Under this principle, the State in which the act was initiated may claim jurisdiction over the act. The adequacy requirement in the GDPR could be understood as a manifestation of the

196 197

Smith, ‘Answering Europe’s Call’ (n 182). European Commission press release, ‘Building the European Data Economy – Questions and Answers’ (2017) .

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.7 Jurisdictional Assessment

225

subjective territoriality principle.198 The DPD refers to the transfer of personal data to a third country, and the GDPR covers transfers to a third country or an international organisation.199 The transfers originate in an EU Member State, so there is an initial territorial connection to the EU. This is not enough, however, to justify the EU regulating the whole processing procedure, including that which happens in the third State, so the next section explores other connecting factors. EU data protection principles, or even near copies of the GDPR, have made their way into the data protection law of most of the States that have data protection laws today.200 In this example, parts of EU law essentially apply not only where an act, namely a data transfer, begins in the EU, but where the transfer terminates in a third State.201 As such, it exemplifies something close to the subjective territoriality principle in that the potential interference would occur in the third State, yet EU law would preemptively apply. The EU could be understood as exercising a soft form of extraterritorial prescriptive jurisdiction.

8.7.2.3 Personality EU law on data transfers to third States uses nationality- or residence-based links between a data subject and the EU as a basis on which to exercise jurisdiction. EU law ‘attaches’ to an individual’s personal data and follows it around the world. The Privacy Shield promoted itself as ‘ensuring that EU data subjects continue to benefit from effective safeguards and protection as required by European legislation’ when their personal data was transferred to and processed in non-EU States.202 This model continues under the GDPR, which ‘makes it clear that the basis for protecting the data of EU individuals is the continued application of EU data protection law’ when their data is transferred outside the EU.203 Where there is no adequacy decision, a data controller or processor should provide data subjects with ‘enforceable and effective rights’ once they have transferred that personal data outside the Union, ‘so that they will continue to benefit from fundamental rights and safeguards’.204 As argued before, these requirements could fall within passive 198

GDPR art 45. DPD art 25(1); GDPR art 45(1). 200 Greenleaf, ‘Global Data Privacy Laws 2021’ (n 30); interview with Christopher Kuner, March 2016. 201 Kuner, ‘Extraterritoriality and Regulation of International Data Transfers’ (n 1) 235, 240. 202 Privacy Shield Principles (n 7) I.1. 203 Kuner, ‘Extraterritoriality and Regulation of International Data Transfers’ (n 1). 204 GDPR recital 114. 199

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

226

Enabling Transatlantic Trade and Protecting Privacy

personality as an admittedly controversial, but still permissive, principle of jurisdiction, that is, the EU could exercise jurisdiction if the US injured EU nationals abroad. Likewise, the Privacy Shield and similar frameworks are explicitly geared towards protecting Europeans. They give ‘EU individuals’ access to rights and remedies. In the Privacy Shield context, the EU Commission referred to ‘complaints by EU citizens’.205 They could bring a complaint to a company, then go through alternative dispute resolution, then to their national European DPA working with the US FTC and, finally, to an arbitration mechanism. For intelligence-related queries, individuals could submit queries to an independent ombudsperson and, potentially, a Data Protection Review Court. Furthermore, EU individuals may pursue legal remedies in US state courts.206 Based on their citizenship or residence in the EU, EU law protects these data subjects’ personal data abroad in conformity with the passive personality principle.

8.7.2.4 Interim Conclusion on Public International Law The foregoing examples show that a long arm of EU law is evident, but the US is not strongly disputing this. It is based on tangible territorial and nationality/ residence connections. The fact that the Privacy Shield was quickly challenged and invalidated by the CJEU shows that such agreements have been largely unsuccessful at changing US governmental practices – and might never be, despite comporting to initiate change. It would violate principles of non-interference and sovereignty if the EU were to push more aggressively to change the US government’s national security law and policy. Where the EU has had success, however, is with changing company privacy practices. In sum, there has been little official protest and the US seems keen to show it is accommodating EU demands. Indeed, any protest has been political and thus far there has been no purely legal protest. This attitude again appears to legitimise the EU’s exercise of jurisdiction. In practice, however, this exercise of jurisdiction has not been substantively effective. The Schrems judgment explicitly requires that the third State’s legal order provide de facto protection: ‘[it] must nevertheless prove, in practice, effective in order to ensure

205

206

European Commission press release, ‘European Commission launches EU–U.S. Privacy Shield’ (n 59). Hoofnagle, Federal Trade Commission Privacy Law and Policy (n 100) 328.

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.7 Jurisdictional Assessment

227

protection essentially equivalent to that guaranteed within the European Union’, which has evidently not happened.207

8.7.3 Mitigating Factors: Interest-Balancing and Reasonableness This section looks at interest-balancing and reasonableness as second-tier bases for exercising a form of extraterritorial jurisdiction once the above obligatory and permissive principles have been determined. The suggestions are based on the premise that a State may legitimately exercise jurisdiction where it has an obligation, permission, sufficient connection and the greatest interest in doing so. These factors can rein in the EU’s potentially wide jurisdictional claims to prevent them from being neither legitimate nor effective. This section establishes that a genuine connection exists, then outlines competing interests and attempts to balance them. Next, it describes how the EU has been acting reasonably and suggests ways in which it could exercise jurisdiction reasonably by applying only limited parts of EU law to transfers abroad. Based on the territorial and personality-based principles explored in the above section, the degree of connection between the EU and EU-US data transfers amongst companies is sufficient and bona fide. The reach would be over-extended if guarantees in the Privacy Shield or similar data transfer frameworks applied to data transfers that did not begin in the EU or if they explicitly applied to non-EU individuals. The way that the Privacy Shield was implemented suggests it focused on fulfilling the rights of ‘EU individuals’ and ‘EU citizens’, and not other individuals without this degree of connection. The EU’s characterisation of data protection as a fundamental right and associated extraterritorial obligations amounts to a legitimate interest. Indeed, this could override many other competing interests, including those rooted in non-interference under public international law. States, companies and individuals all have an interest in the present situation. The EU has leverage over private actors, which in turn influence US domestic policy. This exemplifies part of the privatisation of public international law. US technology companies have indisputable interests in receiving or processing personal data from Europe or related to European individuals. Similarly, Europe has interests in doing business with US companies and allowing them to process its people’s personal data.208 The GDPR recognises that transborder data flows 207 208

Maximillian Schrems v Data Protection Commissioner (n 6) para 74. For a different take on Europe’s economic interests, see Stewart Baker, ‘Inside Europe’s Censorship Machinery’ The Washington Post (8 September 2014): ‘The threats [to suspend data flows] were grounded partly in economic interest – keeping data processing jobs and

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

228

Enabling Transatlantic Trade and Protecting Privacy

are necessary for increasing international trade.209 As shown above, rights protection by the EU weighs more heavily than several other interests. The adequacy standard is quite high, but the EU is reasonable in offering other methods of data transfer to the US that are based on dialogue and compromise. When assessing the adequacy of the level of third-State protection, the GDPR provides that the Commission shall take into account a broad array of factors far beyond the legally formulaic ones. Inter alia, it should consider the third State’s rule of law, respect for human rights and fundamental freedoms.210 The Commission has said it considers, amongst others, the following elements: ‘the extent of the EU’s (actual or potential) commercial relations with a given third country . . . [and] the overall political relationship with the third country in question, in particular with respect to the promotion of common values and shared objectives at international level’.211 It appears that the US and EU do not share enough common values in this area. Unless they converge, it is unlikely the US will be awarded an all-encompassing adequacy decision. Once the CJEU invalidated the adequacy decision underlying the Safe Harbour framework, the Article 29 Working Party said DPAs would give the relevant companies a grace period in which to use other legal bases for transfer.212 Thereafter, they would potentially begin enforcement action. The Article 29 Working Party animated this by saying EU DPAs would take all necessary enforcement action, including joint action, if no agreement was reached by the end of January 2016.213 This could be seen as a form of indirectly applied reasonableness or ex post facto reasonableness.214 Schrems

companies in Europe – and partly in a European enthusiasm for expressing its moral superiority to the United States.’ 209 GDPR recital 101. 210 GDPR art 45(2)(a). 211 Commission, ‘Exchanging and Protection Personal Data in a Globalised World’ (Communication) COM (2017) 7 final 82. 212 Article 29 Working Party, ‘Statement on the implementation of the judgement of the Court of Justice of the European Union of 6 October 2015 in the Case C-362/14 Maximillian Schrems v Data Protection Commissioner (n 6) (16 October 2015). 213 Ibid. 214 I have to concede that in the two [examples of the CJEU using pure territoriality and sidelining considerations of the appropriateness of their jurisdictional assertions], reasonableness was indirectly applied. Although having obtained the green light of the European Court of Justice, the European Commission refrained from actually applying the Aviation Directive against foreign operators to give multilateral negotiations a chance (‘stop the clock’). This could be characterized as ‘reasonableness after the fact’. (Cedric Ryngaert, ‘An Urgent Suggestion to Pour Old Wine into New Bottles – Comment on “A New Jurisprudential Framework for Jurisdiction”’ (2015) 109 AJIL Unbound 81, 83)

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.7 Jurisdictional Assessment

229

was quick to challenge standard contractual clauses before the Irish Data Protection Commissioner and High Court.215 Hamburg’s activist DPA was the first to employ enforcement action for companies still transferring data under the Safe Harbour scheme.216 After the Privacy Shield was rendered invalid, the EDPB stated there would be no grace period during which data exporters could keep transferring personal data to the US without assessing the legal basis, confirming that transfers based on the Privacy Shield were now illegal.217 Nonetheless, the US Department of Commerce explicitly stated it would continue to administer the Privacy Shield programme, showing mismatched processes.218 One way in which the EU could exercise jurisdiction reasonably is by having only certain European data protection principles apply to data transfers. The Article 29 Working Party provided suggestions on which interests might override others. Using fundamental rights terms, the Working Party suggested the criteria be used only in instances with very weak links to the EU, such as where the relevant data was about non-EU data subjects or where the data controller had no link with the EU, but where there was still relevant equipment in the EU processing personal data.219 In this vein, the Article 29 Working Party proposed applying only certain cornerstone EU data protection principles, such as security or legitimacy, to the relevant acts.220 Indeed, parts of data protection law ‘could be seen to constitute the “essence” of the fundamental right of data protection and should thus be presumed to apply extraterritorially’.221 It is important, however, not to consider all aspects of EU data protection law as essential and extraterritorially applicable.222 Whilst the Privacy Shield did not necessarily embody the ‘essence’ of the fundamental right to data protection in the strict legal sense, it did include key data protection principles (notice; choice; accountability for onward transfer; See, inter alia, Mary Carolan, ‘Schrems and Facebook Privacy Case: Next Round Set for February’ The Irish Times (25 July 2016). 216 Julie Fioretti, ‘German Privacy Regulator Fines Three Firms over U.S. Data Transfers’ Reuters (6 June 2016). 217 EDPB, Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd (n 34). 218 US Department of Commerce press release, ‘U.S. Secretary of Commerce Wilbur Ross Statement’ (n 89). 219 Article 29 Working Party, Opinion 8/2010 on applicable law (WP 179, 16 December 2010). 220 Ibid. 221 Kuner, ‘Extraterritoriality and Regulation of International Data Transfers’ (n 1) 243 (citations omitted). 222 Kuner, Transborder Data Flows and Data Privacy Law (Oxford University Press 2013) 172 citing Peter Hustinx, ‘Concluding Remarks Made at 3rd Annual Symposium of the European Union Agency for Fundamental Rights’ Vienna (10 May 2012) 5. 215

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

230

Enabling Transatlantic Trade and Protecting Privacy

security; data integrity and purpose limitation; access; recourse, enforcement and liability). These make up part of the core of the right. Much work needs to go into determining precisely what the key data protection principles are and how they ought to be applied. A 2017/8 Article 29 Working Party working paper, which the EDPB has since endorsed, outlines core data protection principles that should be present in a third-country legal order to obtain an adequacy decision.223 They cover content-based principles, and procedural and enforcement mechanisms, which amount to European data protection concepts worth emulating. The content-based principles are as follows: 1. Basic data protection concepts, such as ‘personal data’, ‘data processing’ and ‘data controller’ 2. Grounds for lawful and fair data processing for legitimate purposes 3. Purpose limitation 4. Data quality and proportionality 5. Limits on data retention 6. Security and confidentiality 7. Transparency 8. Data subject rights of access, rectification, erasure and objection 9. Restrictions on onward transfers224 Incorporating these principles into transfer agreements could address the CJEU’s issues with mass surveillance impinging upon the ‘essence’ of the right to privacy in the EU Charter.225 In the present example, however, the mass surveillance issue is not readily at hand. Having balanced competing State, individual and global interests, the EU exercises jurisdiction reasonably, but this exercise has not proven completely effective at protecting rights threatened by the US surveillance bodies’ bulk collection of EU individuals’ personal data. Certain minor data protection principles could be sidelined in the interests of maintaining a legitimate jurisdictional link, to preserve the

223 224 225

Article 29 Working Party, Adequacy Referential (WP 254, 6 February 2018). Ibid. chapter 3. See Maximillian Schrems v Data Protection Commissioner (n 6) para 94: ‘legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life’, suggesting the US’ indiscriminate access to data does not satisfy necessity and proportionality requirements for such an interference in the fundamental rights to private life and protection of personal data.

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.8 Successful Legal Diffusion

231

more resonant data protection principles. In sum, only specific parts of EU data protection law should be allowed to apply extraterritorially.226

8.8 successful legal diffusion The EU is managing to protect its citizens when their personal data is transferred abroad by the spread of soft law. If data localisation is ultimately unworkable and formalism, such as the Privacy Shield, is not completely effective, this spread, which per se would come about through formalistic or (initially) unilateral ways, could be relied on to safeguard European data subjects’ fundamental right to data protection. For example, in enforcing the Safe Harbour agreement, the FTC chose cases that compelled American law to converge with some European norms.227 It will likely do the same with subsequent data transfer framework enforcement action. Furthermore, whilst the Safe Harbour was ‘only legally applicable to Europeans’ data’, it made some US companies extend Euro-style protections to American consumers.228 The ultimate underlying issues of mass surveillance by the US government raised in the Schrems case are not readily solved through EU-US transfer arrangements. Granted, EU subjects’ personal data is now better protected by companies, but what happens when the government obtains this data is beyond their control. There have been some changes in the Privacy Shield Package and equivalent frameworks that lend themselves to the US government being more transparent about its intelligence operations and allowing for redress opportunities in this area through an independent ombudsperson or, in the EU-U.S. Data Privacy Framework, a two-tier redress system, including a Data Protection Review Court. The issue is unsurprisingly political, and formulaic EU court decisions, tricky bilateral agreements and alternative transfer mechanisms do not readily solve many mass surveillance concerns. This is also not a question of directly conflicting values (see EU States with similarly invasive laws), but more of EU data protection principles diffusing into US corporate privacy practices and thereby strengthening them. 226

227 228

‘[T]he key to balance and reasonableness in the field of extraterritoriality in data privacy law lies in matching the various provisions found in each data privacy law to suitable criteria for their extraterritorial application.’ Dan Jerker B Svantesson, ‘A “Layered Approach” to the Extraterritoriality of Data Privacy Laws’ (2013) 3(4) International Data Privacy Law 278, 280; Dan Jerker B Svantesson, Solving the Internet Jurisdiction Puzzle (Oxford University Press 2017) 193. Hoofnagle, Federal Trade Commission Privacy Law and Policy (n 100) 328. Ibid. 328.

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

232

Enabling Transatlantic Trade and Protecting Privacy

Solutions to jurisdictional tensions could necessitate a turn to ‘nonlegislative lawmaking’, which is arguably already happening.229 The Brussels Effect is apparent in the adequacy requirement, which compels third States to adopt high data protection standards to access the EU market. The resultant transatlantic negotiations on how to transfer personal data could then be understood as ‘harmonization networks’.230 This is because the policymaking process for transborder data flows has been collaborative rather than unilateral, ‘and marked by negotiations among a wide variety of actors, and by concessions, sometimes considerable, from the EU’.231 Accordingly, the diffusion of certain core data protection principles into the US regarding its companies that receive and process EU individuals’ personal data is a laudable achievement.

8.9 interim conclusion The foregoing described US-EU data transfer arrangements and how they have changed; it then looked at the extraterritorial effect of these arrangements; finally, it analysed the legitimacy and effectiveness of this extraterritorial effect. Both the EU and US endeavour to enable transatlantic trade through data transfer arrangements. As such, companies have been quick to implement EU-level protections, but the US government has not and nor should it be expected to. Ultimately, however, there is perceptible legal diffusion, and norm diffusion, based on EU values. If the EU has managed this diffusion by requiring certain data transfer arrangements, the wider implications for global data protection interests are such that privacy protections are gradually, but surely, becoming stronger. Based on the CJEU’s current trajectory, it is likely that the EU and US will have to negotiate new transfer agreements, which will have to be even more protective of personal data to pass the Court’s assessment. Taken together, the three law and policy areas discussed above show how the EU’s laws have had notable external effects as the Union has contributed to the global spread of its strict and influential data protection laws. The EU’s 229 230

231

Schwartz, ‘The EU–US Privacy Collision’ (n 33) 1967. Anne-Marie Slaughter, A New World Order (Princeton University Press 2004) 1–35. Schwartz and Peifer also take this view: They say that the future path for transatlantic data privacy relations ‘will be one of collaboration and concessions [that] will take place within the kinds of “harmonization networks” that Anne-Marie Slaughter has identified as playing a key role in twenty-first century international relations’. Paul M Schwartz and Karl-Nikolaus Peifer, ‘Transatlantic Data Privacy’ (2017) 106 Georgetown Law Journal 115, 165 citing Slaughter, A New World Order (n 230). Schwartz, ‘The EU–US Privacy Collision’ (n 33) 1987.

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

8.9 Interim Conclusion

233

exercise of territorially extended jurisdiction based on regional values has largely been successful. Even where the Union’s actions are subject to considerable pushback from the US, it has been increasingly effective at protecting its individuals’ data protection rights beyond its borders. Indeed, selling its own legal doctrines globally is more than just an effort to gain influence for isolated purposes. It incorporates a recognition that an international, transboundary technology ultimately seeks unified global policy solutions and that an approach pushed aggressively has the potential to become the dominant one or even the only viable one. The following section expands on this and considers the EU approach as the global approach.

https://doi.org/10.1017/9781108784818.008 Published online by Cambridge University Press

9 The Normative External Effects of the European Union’s Exercise of Extraterritorial Jurisdiction in Data Protection Law

9.1 introduction This chapter brings together the abovementioned examples of the EU’s exercise of extraterritorial jurisdiction and looks at the consequences of this extraterritoriality. It examines how the EU’s internal data protection values, law and policy have had external effects. It attempts to anchor the EU’s influence on the conduct, law and policy of the US government, institutions and companies in an appropriate theoretical framework. This section focuses on the EU’s reasons for exercising jurisdiction. It sometimes revisits the above examples and traces the developments leading to those situations in more detail. Each of the three parts in this section first outlines how EU data protection legislation could fall within its bounds. A synthesis of the most pertinent and relevant policy documents then informs an overview of how EU representatives frame the reach of EU law. Finally, the research attempts to analyse this reach. 9.1.1 Global Values That a State has sovereignty over its territory and may exercise jurisdiction there, and that States consent to be bound by international law, has long imbued international law with legitimacy and binding force.1 Post–World War II, however, there have been examples of an evolution towards international

1

Samantha Besson, ‘Sovereignty’, Max Planck Encyclopedia of Public International Law (Article last updated: April 2011) (Online version Oxford University Press); Jutta Brunnée, ‘Consent’, Max Planck Encyclopedia of Public International Law (Article last updated: January 2022) (Online version Oxford University Press).

234

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

9.1 Introduction

235

law with a more cosmopolitan bent.2 Cosmopolitanism is a normative ideal whereby a universal law governs the whole international community (cosmopolis), whose primary allegiance is to that community.3 One example of this evolution is a move towards the legal protection of ‘global values’.4 The notion of global values entails ‘an enduring, globally shared belief that a specific state of the world, which is possible, is socially preferable, from the perspective of the life of all human beings, to the opposite state of the world’.5 Several developments have changed how global values might be realised, as outlined below. Most data processing occurs in the online sphere, so the limitations of physical territory hardly constrain the worldwide community of those affected by the Internet. As data protection law usually applies to data processing on the Internet, which is not (at least ostensibly) territorially bound, laws and norms can diffuse more easily than through traditional, territorially bound acts that other branches of law regulate. As such, the Internet lends itself to fulfilling particular community-oriented purposes. Certain values and rights can easily transcend borders and become realised as ‘global’ more quickly through this platform. The question is then raised of whether the EU is acting with the goal to improve rights protection standards for the global community in asserting jurisdiction in the data protection sphere. The present study conceives of the EU’s exercise of jurisdiction as falling somewhere into three categories along a spectrum: pure rule diffusion (third States enacting laws to trade with the EU), consequential norm diffusion (third States striving for high data protection standards having internalised these laws), or full norm export (the EU actively spreading a high global data protection model). These three categories are malleable and interwoven. They have different temporal dimensions, specific EU actions could conceivably fall into multiple categories, and the various actors involved have different identities, all of which makes it difficult to categorise the EU’s actions in such black-and-white terms. For the 2

3

4

5

Roland Pierik and Wouter Werner, ‘Cosmopolitanism in Context: An Introduction’ in Roland Pierik and Wouter Werner (eds), Cosmopolitanism in Context: Perspectives from International Law and Political Theory (Cambridge University Press 2010). Ibid., 1 citing Martha Nussbaum, ‘Patriotism and Cosmopolitanism’ in Joshua Cohen (ed), For Love of Country: Debating the Limits of Patriotism (Beacon Press 1996) 4 and Thomas Pogge, World Poverty and Human Rights (Polity Press 2002) 169. Otto Spijkers, The United Nations, the Evolution of Global Values and International Law (Intersentia 2011) 9. For other examples of this evolution, see Nico Krisch, ‘The Decay of Consent: International Law in an Age of Global Public Goods’ (2014) 108(1) American Journal of International Law 1, 1. Spijkers, The United Nations, the Evolution of Global Values (n 4) 9.

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

236

EU’s Exercise of Extraterritorial Jurisdiction in Data Protection Law

sake of clarity and brevity, however, this section focuses on those three unique categories. The study is largely descriptive and evaluative, and only makes minor mention of how the EU ought to act. In this example, robust personal data protection is the value the EU is advancing.6 This study does not per se assess the content or worth of this value, but recalls that it carries normative heft and places legal obligations upon EU actors.

9.1.2 Whom the Law Protects It is unclear specifically whom EU data protection law seeks to protect. It is important to know this when determining how influential, on a global scale, lawmakers intend the law to be. The law might simply seek to protect EU individuals and its extraterritorial application would be purely to fulfil this aim. It wants to avoid someone falling outside the scope of protection. This is what the General Data Protection Regulation (GDPR)’s provisions on territorial scope would prima facie suggest. Alternatively, the law could protect EU residents and non-EU residents, thereby dispersing more broadly. In looking at the relevant legislation and how States have interpreted it, EU data protection law could apply to EU citizens, citizen-residents, habitual residents, residents, nationals, third State nationals, individuals, data subjects and those passing through EU territory without any other connection to the EU, or those with no direct connection to the EU whatsoever. To uncover precisely whom the EU is trying to protect, this section examines the terminology of EU legislation, jurisprudence, lawmakers, policymakers and commentators. This could then inform how parochial its legislative goals are. Article 8(1) of the Charter of Fundamental Rights of the European Union (EU Charter) overtly endows ‘everyone’ with data protection rights and separates it from ‘citizens’ rights’, which are addressed to only ‘citizens of the Union’.7 As such, the right has an indiscriminate, universal characteristic. The Data Protection Directive (DPD) refers throughout to the ‘protection of

6

7

See Christopher Kuner, ‘The Internet and the Global Reach of EU Law’ in Marise Cremona and Joanne Scott (eds), EU Law beyond EU Borders: The Extraterritorial Reach of EU Law (Oxford University Press 2019) 135–136 for a discussion on why values and interests should not be conflated. This research focuses on values in a legal sense; interests are understood as something with more political connotations and lend themselves better to an international relations study. They are, however, not irrelevant here. Charter of Fundamental Rights of the European Union [2010] OJ C 83/02 art 8(1); EU Charter chapter V.

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

9.1 Introduction

237

individuals’ as well as the ‘data subject’.8 There is no mention of residents or citizens. The GDPR is similar, but to establish applicability mentions ‘data subjects in the Union’, whereas the DPD focuses purely on the establishment of a controller or equipment on Member State territory.9 Evidently, the GDPR shifts the focus to individual natural persons. In landmark data protection cases with extraterritorial dimensions, the Court of Justice of the European Union (CJEU) mostly uses ‘data subject’ and, occasionally, ‘individual’.10 The Article 29 Working Party used ‘individuals’ and ‘EU residents’ in most instances.11 Perhaps implying the Working Party itself was not too concerned with differentiating between persons; its output could be inconsistent. One document, for instance, mostly refers to ‘residents’, then in the same illustrative case example, uses both ‘resident’ and ‘citizen’ to refer to the same individual.12 The European Data Protection Board (EDPB), however, focuses more on ‘individuals’ or ‘data subjects in the Union’.13 It emphasises that the GDPR’s application is not limited by someone’s citizenship or residence.14 After Schrems II, it reaffirmed its intention to play a constructive role in securing a transatlantic data transfer mechanism ‘that benefits EEA citizens and organisations’.15 Responding to the revised Privacy Shield data transfer mechanism, the Board welcomed the US highest authorities’ commitment to protecting the privacy and data protection ‘of individuals in the European Economic Area’.16 The European Commission usually uses ‘individuals’, including ‘EU individuals’ and ‘individuals in the EU’. In a Communication discussing, for example, EU-US data transfers under the Safe Harbour agreement, however, it consistently used ‘EU citizen’, perhaps implying something more connoted to citizenship and fundamental rights

8

9

10

11 12 13 14 15 16

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ 1995 L 281/31 (DPD). Cf Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L 119 (GDPR) art 3(2)(a) with DPD art 4(1)(a) and art 4(1)(c). See, e.g., Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González [2014] ECLI:EU:C:2014:317; Case C‑362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU:C:2015:650. Article 29 Working Party, Opinion 8/2010 on applicable law (WP 179, 16 December 2010). Ibid., 28. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (12 November 2019). Ibid., 14. EDPB, Thirty-fourth Plenary session (20 July 2020). EDPB, Statement 01/2022 on the announcement of an agreement in principle on a new TransAtlantic Data Privacy Framework (6 April 2022).

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

238

EU’s Exercise of Extraterritorial Jurisdiction in Data Protection Law

protection.17 As such, it is unclear specifically to whom EU data protection regulation aims to apply based purely on the language that law and policymakers use, so it is useful to turn to the intent behind the key instruments. EU data protection law specifically protects ‘data subjects’, defined as identified or identifiable natural people.18 In practice, it appears to seek to protect individual data subjects who reside on EU territory and enjoy EU benefits. The DPD drafters’ intent with Article 4 on the applicable national law was, first, to avoid an EU data subject finding themself outside the scope of protection and especially to avoid a data controller circumventing the law to achieve this.19 Second, the drafters wished to avoid one act being governed by two different laws.20 Indeed, at least when the DPD first applied and preLisbon, its extraterritoriality was purely for the aforementioned reasons. The GDPR expanded its scope of application partly for competition reasons, specifically, to ensure a level playing field for EU and non-EU businesses active on the European market.21 The subsequent sections attempt to shed some light on the link – territorial or otherwise – between EU law’s applicability and how it could contribute to creating a shared, global data protection norm.

9.2 purely legal diffusion Data protection law was originally phrased in market terms to allow free circulation and free delivery of services. Few States in the world had data protection laws in place in 1995, when the DPD came into effect. Now, most States with data protection laws have strict, pro-privacy ones that are purposefully similar to those of the EU, for reasons outlined below.22 The EU has used

17

18 19

20 21

22

See, e.g., Commission, ‘Rebuilding Trust in EU–US Data Flows’ (Communication) COM (2013) 846 final; Commission, ‘The Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU’ (Communication) (2013) 847 final. DPD art 2(a); GDPR art 4(1). Dan Jerker B Svantesson, Extraterritoriality in Data Privacy Law (Ex Tuto Publishing 2013) 96 citing Commission of the European Communities (com 92) 422 final – SYN 287 Brussels, 15 October 1992, Amended proposal for a Council Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 13. Ibid. Dan Jerker B Svantesson, ‘Article 3. Territorial scope’ in Christopher Kuner and others (eds), The EU General Data Protection Regulation (GDPR): A Commentary (Oxford University Press 2020) 76. For a taxonomy of these laws, see Graham Greenleaf, ‘Global Data Privacy Laws 2019: 132 National Laws and Many Bills’ (2019) 157 Privacy Laws & Business International Report 14, 14–18.

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

9.2 Purely Legal Diffusion

239

its market leverage to influence third-State law.23 EU data protection law, particularly in its early incarnations, might have had the purely incidental effect of ensuring third-State law matched its lofty standards with no normative undertones. In unilaterally exercising extraterritorial jurisdiction, a main concern of the EU would not have been furthering these standards in the global common interest of the international community. Indeed, Joanne Scott asserts it is erroneous to suggest that the EU strives to export its own norms through the territorial extension of its law.24 This first approach adheres to that sentiment. This section examines how the EU uses its market power to encourage rule transfer. It looks mostly at Bradford’s notion of the ‘Brussels Effect’, as well as some other theoretical approaches, to consider how the EU’s exercise of jurisdiction falls within this concept.25 If the EU’s unilateral exercise of jurisdiction in regulating global markets has purely incidental influence over how the US conceives of data protection – legally and, perhaps, morally – then its actions would not be intentionally in the global interest. First, this section outlines how the EU influences third-State law. Second, it looks at how the EU fills a regulatory gap partly through the strictness of its standards and the effects of technology on the external effects of its law. Third, the section touches upon extraterritorial effects produced through regulatory networks rather than pure unilateralism. The EU is one of the world’s largest economies and thus wields strong market power, which it can use to influence certain areas of law in third States.26 In looking at regulatory and policy documents from throughout the development of EU data protection law, it is plain that EU law initially started to enable trade through the free flow of data, with little explicit intent to have extraterritorial effect for rights protection purposes. The DPD and GDPR 23

24

25

26

Bjorn Kleizen, ‘Externalizing EU Law, Policy and Values Europe’s Global Identity, Mechanisms of Rule Transfer and Case Studies on Illegal Logging and Bosnia and Herzegovina’ (2015) RENFORCE Working Paper Series No 1, 21; Christopher Kuner, Transborder Data Flows and Data Privacy Law (Oxford University Press 2013) 164 citing Gregory Shaffer, ‘Globalization and Social Protection: The Impact of EU and International Rules in the Ratcheting Up of US Privacy Standards’ (2000) 25(1) Yale Journal of International Law 55, 80. Joanne Scott, ‘Extraterritoriality and Territorial Extension in EU Law’ (2014) 62(1) American Journal of Comparative Law 87. Anu Bradford, ‘The Brussels Effect’ (2012) 107(1) Northwestern University Law Review 1, 4; Anu Bradford, The Brussels Effect: How the European Union Rules the World (Oxford University Press 2020). Kleizen, ‘Externalizing EU Law, Policy and Values’ (n 23) 13. Such areas include, amongst others, climate change, environmental protection, animal welfare, competition, consumer protection, civil aviation and financial market regulation.

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

240

EU’s Exercise of Extraterritorial Jurisdiction in Data Protection Law

acknowledge that ‘cross-border flows of personal data are necessary to the expansion of international trade’.27 The European Commission has noted that ‘companies recognise that strong privacy protections give them a competitive advantage’ and have thus been synchronising their privacy policies with the GDPR.28 The Commission also noted that the EU data protection framework is a model for third States and that developing high global standards fosters global convergence and, inter alia, ‘reduces obstacles to the crossborder flow of data as an important element of free trade’.29 There are several reasons for the EU’s broad impact, as explained below: This influence [of EU data protection law] has been caused in part by the perceived economic benefit that can accrue to countries that enact laws based on the Directive . . . . The fact that EU data protection law is based on a set of clearly structured instruments also makes it attractive to third countries, which often find it easier to use an existing text as a model rather than draft new legislation from scratch.30

In 2009, the Article 29 Working Party and the Working Party on Police and Justice called upon the European Commission, ‘[i]n the absence of global standards, to promote the development of data protection legislation providing an adequate level of protection . . . in countries outside the European Union’.31 This does not directly reveal that they believed the EU approach was ideal or morally desirable. It does, however, show that the Working Parties believed the EU ought to take the lead in promoting an ‘adequate’ (read: highlevel, EU-style) degree of protection outside the EU, absent such a global standard. Without this standard, the EU had to engage in a form of unilateralism, whereby it exercised far-reaching jurisdiction to fill a global regulatory gap.32 Furthermore, EU data protection law is predisposed to regulate inelastic targets. As there is a lack of alternatives, third-State companies are obliged to

27 28

29 30 31

32

DPD recital 56; GDPR recital 101. Commission, ‘Exchanging and Protecting Personal Data in a Globalised World’ (Communication) COM (2017) 7 final 2. Ibid., 11. Kuner, ‘The Internet and the Global Reach of EU Law’ (n 6) 126–127 (citations omitted). Article 29 Working Party, ‘The Future of Privacy Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data’, 02356/09/EN WP 168 (1 December 2009) para 31. Joanne Scott and Lavanya Rajamani, ‘Contingent Unilateralism: International Aviation in the European Emissions Trading Scheme’ in Bart Van Vooren, Steven Blokmans and Jan Wouters (eds), The EU’s Role in Global Governance: The Legal Dimension (Oxford University Press 2013) 209.

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

9.2 Purely Legal Diffusion

241

adopt the strict EU standard or risk being excluded from this essential market.33 The EU has strong regulatory capacity in terms of having data protection experts who make legislation.34 It also has notable and expanding power to impose sanctions in cases of non-compliance.35 For instance, under the GDPR, European data protection authorities (DPAs) may fine companies 20,000,000 EUR or up to 4 per cent of the company’s global annual turnover for infringements of certain GDPR provisions.36 Most DPAs are active in exercising this enforcement power and issue multiple fines per year. For example, in 2021 the Luxembourgish DPA fined Amazon 746,000,000 EUR and the Irish DPA fined WhatsApp 125,000,000 EUR for GDPR violations.37 These laws also have a high degree of enforceability, meaning companies are likely to adhere to them in practice. In sum, the EU can affect third-State legislation and how companies in third States operate through its strong market power position. To be successful at influencing third-State legislation, the legislator must have strict standards.38 In the global data protection sphere, the EU has the strictest standards.39 Most importantly for data protection is the consideration of the ‘nondivisibility of standards’.40 As most data-processing acts over which the EU exercises jurisdiction occur online and compliance is partially technology-dependent, EU data protection standards cannot be divided across markets.41 It is also difficult for corporations to divide their services, with some being subject to EU law and some to other law. This is especially relevant when it is ‘technically impossible to adhere to different norms (for instance a service provided globally over the Internet)’.42 Accordingly, from the types of nondivisibility Bradford identifies (legal, economic and technical), it is technical nondivisibility that is most relevant in the present examples. As explained in Chapter 8, smaller companies that do not have the means to allow customers to choose to have personal data stored in different jurisdictions in order to have specific laws apply to it (localising data) demonstrate 33 34 35 36 37 38 39

40 41 42

Bradford, ‘The Brussels Effect’ (n 25) 16. Ibid., 12. Ibid., 13. GDPR art 83(5). See CMS, GDPR Enforcement Tracker Report (March 2022). Bradford, ‘The Brussels Effect’ (n 25) 14. Lee Andrew Bygrave, Data Privacy Law: An International Perspective (Oxford University Press 2014). With the GDPR, these standards are only becoming stricter; see, e.g., David Meyer, ‘Here Come the World’s Toughest Privacy Laws’ Fortune.com (14 April 2016). Bradford, ‘The Brussels Effect’ (n 25) 17. Ibid., 18. Kleizen, ‘Externalizing EU Law, Policy and Values’ (n 23) 13.

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

242

EU’s Exercise of Extraterritorial Jurisdiction in Data Protection Law

how it is difficult for them to divide standards through technology. That said, the companies that can localise data have managed to divide technical standards. In practice, these standards are usually separated along a US/EU territory line, which mirrors a US/non-US residents divide. Accordingly, all non-US data subjects who have opted to have their data stored in Europe are protected by EU law. As explained above, however, the actual privacy protection that data localisation affords is unclear. It is thus still true that most data controllers default to the European standard as it is technologically practical. Conceptions of the EU’s exercise of jurisdiction are fluid. Bradford suggests it could be understood as ‘unilateral regulatory globalization’, which is when the ‘law of one jurisdiction migrates into another in the absence of the former actively imposing it or the latter willingly adopting it’.43 Whilst the degree to which the EU is actively imposing its data protection standards on third States is unclear, however, its strong market power has resulted in many States adopting these standards without protest.44 As such, this goes beyond the indifference that unilateral regulatory globalisation implies. Below, the section on the EU as a norm exporter explores how the EU could believe it should spread its standards for the betterment of third States. Furthermore, in the future, the external effects of EU law might move from Brussels unilateralism to global convergence through ‘harmonisation networks’.45 Whilst these two concepts are not mutually exclusive, this approach suggests third States, companies and international organisations will, through consultations and compromise, increasingly participate in sculpting worldwide data protection standards. In sum, the EU as a market power makes use of its regulatory capacity, strict standards and technical nondivisibility of standards to influence third-State data protection law, but not necessarily values or norms. Section 9.3 explores the Union as more than just a market power.

9.3 consequential norm diffusion The EU can use its market power to leverage other actors to adhere to ‘more normative standards’ that it ‘seeks to impose’.46 This section goes beyond the previous one to show how the EU’s actions could incidentally ratchet up global data protection standards and start to take on more of a normative 43 44

45

46

Bradford, ‘The Brussels Effect’ (n 25) 4. This research limits itself to a study of the external effects of EU law from a purely legal perspective, with little focus on political science or international relations theories. Paul M Schwartz and Karl-Nikolaus Peifer, ‘Transatlantic Data Privacy Law’ (2017) 106(115) Georgetown Law Journal 115, 174. Kleizen, ‘Externalizing EU Law, Policy and Values’ (n 23) 9.

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

9.3 Consequential Norm Diffusion

243

character. The EU’s laws could be understood to have a norm-diffusing effect that is not merely incidental. This is especially plausible considering the rhetoric with which the GDPR has been discussed, the CJEU’s judicially activist expansion of the right to data protection and, indeed, the ‘unstoppable rise’ of this fundamental right.47 This leads to a different conception of the EU’s exercise of extraterritorial jurisdiction that amounts to consequential norm-setting. This process is ‘consequential’ because it follows as an outcome of the EU’s effects on third-State law as pure legal diffusion. Setting a high global data protection norm might not per se inform the EU’s jurisdictionally expansive and unilateral action, but could be a consequence thereof.48 The EU’s ‘global digital gold standard’ is spreading, as is evident in States with adequate levels of protection and those seeking adequacy decisions.49 Similarly, EU-third State data transfer arrangements are evolving towards a more privacy-protective side of the spectrum. There is an enhanced global corporate pro-privacy culture.50 International data privacy instruments, such as the International Committee of the Red Cross’ guidance on data protection, which reflects EU privacy principles, also show this diffusion.51 In the foregoing examples, at least in part, setting a global norm has not informed the Union’s broad jurisdictional reach, but is nonetheless an after-effect thereof.52 Following on from this, it can be asked whether this consequential norm diffusion then informs the EU’s subsequent exercise of jurisdiction, bringing it closer to the norm entrepreneur role outlined in the third section below.53 This section first looks at data transfer agreements between the EU and US as an example of unilateralism, with extraterritorial triggers, as being contingent upon equivalent standards in third States.54 In light of CJEU

47

48

49

50

51

52 53 54

Aside from primary sources, see, in support of this: Maja Brkan, ‘The Unstoppable Expansion of EU Fundamental Right to Data Protection. Little Shop of Horrors?’ (2016) 23(5) Maastricht Journal of European and Comparative Law 812, 828. Cedric Ryngaert, Unilateral Jurisdiction and Global Values (Eleven International Publishing 2015) 110–111. Giovanni Buttarelli, ‘The EU GDPR as a Clarion Call for a New Global Digital Gold Standard’ (2016) 6(2) International Data Privacy Law 77, 77. Kenneth A Bamberger and Deirdre K Mulligan, Privacy on the Ground: Driving Corporate Behavior in the United States and Europe (MIT Press 2015). Christopher Kuner and Massimo Marelli (eds), Handbook on Data Protection in Humanitarian Action (2nd edn, International Committee of the Red Cross 2020). Ryngaert, Unilateral Jurisdiction and Global Values (n 48) 111. Cass R Sunstein, ‘Social Norms and Social Roles’ (1996) 96(4) Columbia Law Review 903. Joanne Scott, ‘The New EU “Extraterritoriality”’ (2014) 51 Common Market Law Review 1343, 1366, 1346.

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

244

EU’s Exercise of Extraterritorial Jurisdiction in Data Protection Law

jurisprudence on certain data transfer agreements, it examines reactions to the more robust standards necessitated by these agreements. 9.3.1 Data Transfer Arrangements In this example, there are two relevant aspects of EU to US data transfer arrangements: adequacy requirements and safe harbours. For each one, it is useful to examine how the arrangement works, its effect when implemented and how policymakers have reacted to this implementation. This informs observations on how the EU is exercising jurisdiction. The key difference between this section and the studies in previous chapters is that it traces the EU’s apparent intentions. To what extent did it intend for its legislation to have external effects and why? It explores how the externality of EU law took on a more normative character to show the eventual consequential norm diffusion. 9.3.1.1 Adequacy Requirements The adequacy requirement in the DPD and GDPR articulates that the EU may only transfer personal data to a third State deemed to provide ‘adequate’ protection.55 Through the standards that the adequacy requirement encourages or makes mandatory, the EU is unilaterally driving third States to enact laws essentially equivalent to its own, so they may receive personal data from the Union and trade with its actors. The CJEU’s Schrems decision affirmed the standard of ‘essentially equivalent’.56 The decision was based on the DPD read in the light of the EU Charter, giving it a rights-centric quality.57 The GDPR then solidified this standard. Regarding cross-border data transfers, ‘[t]he third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union’.58 The notion of equivalence is supposed to obviate the need for complete harmonisation. In line with the aforementioned notion of the ‘strictest standard’, most States in the world now have data protection laws that mirror the pro-privacy standards in the EU regulatory framework.59 This is arguably a direct 55 56 57 58 59

GDPR art 45; DPD art 25. Maximillian Schrems v Data Protection Commissioner (n 10) paras 73, 74 and 96. Ibid., para 73. GDPR recital 104. Greenleaf, ‘Global Data Privacy Laws 2019’ (n 22); Graham Greenleaf, ‘Global Data Privacy Laws 2021: Despite COVID Delays, 145 Laws Show GDPR Dominance’ (2021) 169 Privacy Laws & Business International Report 1.

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

9.3 Consequential Norm Diffusion

245

consequence of the adequacy standard, although other international data privacy instruments, such as the Council of Europe’s Convention 108, have also influenced standards. In addition, it is an effect of bilateral agreements on data transfers. The temporal dimension here is particularly relevant as legal diffusion based on data transfer legislation is constantly evolving. Adequacy decisions are adaptable, living documents.60 The relevant authorities constantly review and renegotiate bilateral agreements to reflect changes in EU law. The GDPR’s application means third States could have to review their laws to align them with its provisions. As the EU strengthens its standards, so too will third States, so the external effects of its law will become more noticeable. The adequacy requirement and Privacy Shield process are examples of the EU using various degrees of coercion (e.g. by withholding data transfers), persuasion (consultations and annual reviews) and acculturation (globally diffused privacy compliance) to influence US government, institutions, and company practice and policy.61 As such, the adequacy requirement has spread rules and, perhaps, values, as the next part explores. Whereas the DPD outlines adequacy provisions in terms of their enabling cross-border trade, the GDPR is far more focused on human rights and EU values. The DPD, for example, says that ‘cross-border flows of personal data are necessary to the expansion of international trade’.62 Compare this to similar provisions of the GDPR that also mention the expansion of international trade, but include the following: ‘[I]n line with the fundamental values on which the Union is founded, in particular the protection of human rights [in assessing a third State, the Commission should consider how that State] respects the rule of law, access to justice as well as international human rights norms.’63 This sentiment is more heavily laden with rights- and valuesfocused language. It could, however, refer simply to the EU’s duty towards individuals in the EU whose personal data is transferred, controlled or processed abroad. If this is the case, it can be asked why the GDPR is so much more international- and rights-focused; it appears to apply in certain situations, nationality and residency notwithstanding. According to its Communication on exchanging personal data in a globalised world, the European Commission added that in assessing a transfer, it should consider ‘the overall political 60

61

62 63

Commission, ‘Exchanging and Protecting Personal Data in a Globalised World’ (Communication) COM (2017) 7 final 8. Schwartz and Peifer, ‘Transatlantic Data Privacy Law’ (n 45) 175–179 citing Ryan Goodman and Derek Jinks, ‘How to Influence States: Socialization and International Human Rights Law’ (2004) 54 Duke Law Journal 621. DPD recital 56. GDPR recitals 45 and 101. See too art 45 (although that does not mention EU values).

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

246

EU’s Exercise of Extraterritorial Jurisdiction in Data Protection Law

relationship with the third country in question, in particular with respect to the promotion of common values and shared objectives at international level’.64 Couching data transfers in such terms implies some duty to a global community that can materialise through cooperation between the EU and a third State. There seems to be a tangible move towards this latter approach, especially in CJEU judgments.

9.3.1.2 Safe Harbours as Adequacy Decisions In a spirit of global legal pluralism, ‘safe harbor agreements can manage hybridity by creating an intermediate plane between the conflicting normative requirements of two different communities’.65 As the US had not been deemed ‘adequate’, in 1998, US and EU representatives began negotiating the transatlantic Safe Harbour agreement to enable cross-border transfers for businesses. The EU was continually promoting its data protection standard, but only in terms of finding ‘adequacy’. This section traces EU to US data transfers under safe harbour agreements and uses Article 29 Working Party, EDPB and European Commission output to discern whether the EU’s motivations became more globally minded as they continually attempted to inject their privacy values into transatlantic agreements. This, by extension, could affect US law or, at the very least, certain privacy practices there. In tracing the Article 29 Working Party’s statements on safe harbour agreements with the US, a move to shared values is evident from early in the negotiations, which suggests some desire to emphasise commonalities. Interestingly, in 1999, the European Commission already identified supposedly shared transatlantic values: Data protection rules are not only intended to protect users of new technologies [but] express also the adherence to a certain number of fundamental principles and rights based on a common culture of respect for privacy and other values that are inherent in the human being and which is shared equally by the Member States of the European Union and the United States.66

64

65

66

Commission, ‘Exchanging and Protecting Personal Data in a Globalised World’ (Communication) COM (2017) 7 final 8. Paul Schiff Berman, ‘Global Legal Pluralism’ (2007) 80 Southern California Review 1155, 1227. Berman contends that ‘the U.S.–E.C. data privacy initiative is the best-known example of a state-to-state safe harbor agreement’. Working Party on the Protection of Individuals with regard to the Processing of Personal Data, ‘Opinion 1/99 concerning the level of data protection in the United States and the ongoing

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

9.3 Consequential Norm Diffusion

247

This approach contrasts starkly with incidental standard raising, as there are acknowledged shared values and a common pro-privacy culture. Nonetheless, the Commission found that the US’ data protection rules were not adequate and ‘further improvements are needed if free movement of data to the United States is to be ensured on the basis of these [safe harbour] privacy principles’.67 This does not mean there was no common culture, but rather that any commonalities did not amount to adequacy. From 2001, the Working Party talked more of the extraterritorial effect of EU data protection law, sometimes in normative terms. On standard contractual clauses, for instance, which allow for exporting personal data out of the EU and which the Commission was concluding around 2001, the Working Party wished to ‘highlight the importance of this instrument for the protection of the personal data of European citizens outside the boundaries of our Union’.68 The focus was on protecting EU citizens extraterritorially. In the same field, a gesture to the EU’s global sphere of influence was evident. The Working Party emphasised that the Commission’s decision on standard contractual clauses would, inter alia, ‘become a reference document for future developments on data protection in the international field’, thus acknowledging the EU’s broadening impact on international data protection developments.69 Furthermore, the Working Party applauded the development of a ‘programme for the promotion of European data protection rules in a pragmatic way’ that would help third-State data controllers to understand, implement and show compliance with EU data protection laws more successfully.70 In line with consequential norm diffusion, this influence is acknowledged, but was not the explicit intention of, for instance, the Commission’s actions or how EU data protection law was applied. The 2006 Society for Worldwide Interbank Financial Telecommunication (SWIFT) incident, involving a Belgium–US conflict over a lack of protection the US afforded when transferring Belgian citizens’ financial data, triggered Article 29 Working Party and scholarly opinions on violations of EU data protection principles and fundamental rights in a transatlantic setting – par-

67 68

69 70

discussions between the European Commission and the United States Government’ (WP 15, 26 January 1999) 2. Ibid., para 2. Article 29 Working Party, Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites (WP 56, 30 May 2002) 15. Ibid., 15. Ibid.

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

248

EU’s Exercise of Extraterritorial Jurisdiction in Data Protection Law

ticularly vis-à-vis crime and terrorism.71 In response, the Working Party then said it considered it ‘essential’ that EU data protection principles be ‘fully respected in any framework of global systems of exchange of information’.72 This raises the question of whether EU principles should really be respected in any global data exchange situation, implying those without a connection – territorial, nationality-based, effects-based or otherwise – to the EU, perhaps to the detriment of other interests. Whilst the Working Party did not explicitly mention such a connection-free situation, they discussed it in later opinions, as outlined below. Once the Lisbon Treaty entered into force in 2009 and the EU Charter, which enshrined a newly autonomous right to the protection of personal data, gained binding legal effect, the Article 29 Working Party started leaning more towards the EU as a norm exporter in its output.73 The EDPB has, unsurprisingly, continued this trend. One of four pillars of its Strategy for 2021–2023 is to ‘promote EU data protection as a global model’ and to ‘provide leadership in data protection’.74 A second pillar encourages a fundamental rights approach to new technologies.75 In terms of the global exchange of personal data, a 2017 Communication by the European Commission explicitly acknowledges global convergence of privacy standards led by the EU.76 The Commission’s pronouncements recognise both this increasing convergence and the beneficial norm-setting side effects. Aside from promoting this approach to facilitate trade, it states that the revision of the Council of Europe Convention 108 to reflect GDPR principles would also contribute to convergence towards a set of high data protection standards.77 Furthermore, this should inform EU action as it should ‘strive to seek greater upward convergence of data protection principles internationally [and the Commission will take measures to] develop high personal data protection standards globally’.78 The evolution of output from the Article 29 Working

71

72

73

74 75 76

77 78

For an overview, see Laura Acreman, ‘SWIFT Developments’ (2010) Lexology . Article 29 Working Party, Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT) (WP128, 22 November 2006) 28. Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community [2007] OJ C306/01; EU Charter. EDPB, EDPB Strategy 2021–2023 (15 December 2020) para 8. Ibid., para 7. Commission, ‘Exchanging and Protecting Personal Data in a Globalised World’ (Communication) COM (2017) 7 final. Ibid., 11. Ibid., 16.

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

9.3 Consequential Norm Diffusion

249

Party, EDPB and European Commission, however, shows this legal diffusion has also spread norms. For instance, the Commission has acknowledged how world consumers ‘increasingly cherish and value their privacy’;79 how the EU should seize the opportunity ‘to promote its data protection values’;80 and how this convergence ‘contributes to the more effective protection of individuals’ rights’81 and ‘a set of high data protection standards’.82 A further example of consequential norm diffusion is the Google Spain case, whereby the EU sought to apply its laws to a data controller outside the EU and used a small territorial link to exercise jurisdiction in the case.83 This is in line with the notion that when States act unilaterally to export their values, they often act on the basis of a territorial connection to a situation, no matter how minor.84 The CJEU’s exercise of jurisdiction in Google Spain, and Google’s subsequent implementation of the right to erasure (see Chapter 7), could constitute the blending of action in the regional interest with that of the global interest, especially if Google eventually implements the right to erasure globally.85 In Google Spain, the primary aim was ‘protecting national or regional interests, e.g., protecting EU citizens’ data . . ., but the consequences are global, and possibly cosmopolitan, in the sense that they protect the legitimate rights of citizens in other nations [in this example being] the right to be forgotten’.86 The CJEU thus also has an important role in spreading personal data protection as a global value. 9.3.2 Interim Conclusion There are three facets of the EU’s exercise of extraterritorial jurisdiction that are not necessarily informed by norm-setting motives, but end up having such 79 80 81 82 83

84

85

86

Ibid., 2. Ibid. Ibid., 11. Ibid. Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (n 10). Ryngaert, Unilateral Jurisdiction and Global Values (n 48) 19. The need for a territorial hook also occurs in Scott’s ‘territorial extension’. Ibid., 110–111: Hybridization of global and national-interest-based action could also occur where a state or the EU applies its own regulation to a foreign operator, causing knock-on effects for the latter’s global operations. Thus, the EU’s application of the right to be forgotten as part of EU data protection regulation, to Google, a foreign ‘controller’ operating a search engine in the EU, may force Google to apply this right anywhere in the world: it may have to remove the person whose rights the EU protects from search results generated by the Google engine outside the EU. Ibid., 111.

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

250

EU’s Exercise of Extraterritorial Jurisdiction in Data Protection Law

an effect. EU–US data transfer arrangements through adequacy decisions, safe harbours or bilateral transfer agreements exemplify a form of unilateralism that necessitates equivalence between the two legal frameworks. EU data protection legislation, particularly the GDPR, and CJEU jurisprudence have influenced corporate culture to the extent that many companies provide higher privacy protections for EU as well as non-EU individuals. Furthermore, CJEU decisions have raised and could further improve data protection standards for third-State citizens. Taken together, these examples suggest the EU is exhibiting a form of consequential norm diffusion.

9.4 the eu as norm entrepreneur Although initially appearing parochial, the EU increasingly sells its data protection regulation worldwide as the global gold standard. Due to data protection’s status as a fundamental right, the general attitude amongst lawmakers, regulators and policymakers in the EU is that this progression ought to be happening. This is beneficial for EU citizens as well as third-State citizens. The GDPR has enhanced data protection laws globally. EU law- and policymakers increasingly endorse this standard-setting by the Union. They believe the territorial extension of its law is justified by being in the global interest. For example, regarding the period during which the GDPR would apply, the European Data Protection Supervisor proclaimed the following: My hope is that . . . we will have achieved a common standard, a sort of digital gold standard, which will accompany globalisation and all the benefits and challenges it poses for individuals and society.87

Kuner has posited that ‘[t]here is tension between the nature of transborder data flow regulation as a topic of inherently global significance, and the fact that many States and regional organizations treat it mainly as a vehicle for

87

Buttarelli, ‘The EU GDPR as a Clarion Call’ (n 49) 78. See too Kuner, ‘The Internet and the Global Reach of EU Law’ (n 6) 136–137. The GDPR has already emerged as a key reference point at international level and acted as a catalyst for many countries around the world to consider introducing modern privacy rules. This trend towards global convergence is a very positive development . . . [and] the Commission has intensified its dialogue in a number of bilateral, regional and multilateral fora to foster a global culture of respect for privacy and develop elements of convergence between different privacy systems. (Commission, ‘Data Protection as a Pillar of Citizens’ Empowerment and the EU’s Approach to the Digital Transition – Two Years of Application of the General Data Protection Regulation’ (Communication) COM (2020) 264 final 12)

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

9.4 The EU as Norm Entrepreneur

251

exporting their own standards and values’.88 If the EU treats global data flows as such a vehicle, and has norm-export interests in mind, it can be asked whether this export approach is something objectionable. Thus far, no other State has come close to having such a preponderant influence on data protection laws and, bearing the Brussels Effect criteria covering strict and nondivisible standards in mind, it appears no other State will in the near future. This research adheres to the notion that the EU is a norms-setter that establishes norms partly through leading by example (having exemplary, omnibus data protection legislation that can easily be transplanted) and partly through coercion (withholding data transfers, enforcing high penalties on non-compliant external controllers).89 The Union is attempting to set a data protection norm, of which no global norm exists. As no such norm exists, external actors are wont to contest the EU’s stringent approach to data protection law. When attempting to solve jurisdictional conflicts over data protection regulation with, for example, the US, the US strongly pushes back against any apparent EU regulatory overreaching. The Union’s domestic law appears internationally, whilst what appears internationally also has an effect on the EU domestically: There is a constant struggle with the EU’s norm entrepreneurship and external reactions to this.90 Unlike unilateral regulatory globalisation relevant to pure legal diffusion, with the growing importance of a digitised economy, the EU could also have a duty to help smaller and developing States incorporate relevant parts of the GDPR into their laws to be deemed adequate.91 Whilst not actively imposing its standards, the EU is dispersing its laws with the genuine belief that this is in the interests of the international community. Kuner also posits that as data protection is rooted in fundamental rights law in many States, it ‘should be oriented more towards the protection of universal values, and not just those that are local or national’, which should be considered ‘not as a weakening of local values, but as a strengthening of fundamental rights at a global level’.92 Is there a difference between the EU applying local rules to personal data transferred or processed abroad and its

88 89

90

91

92

Kuner, Transborder Data Flows and Data Privacy Law (n 23) 159. ‘The EU has been, is and always will be a normative power in world politics.’ Ian Manners, ‘The normative ethics of the European Union’ (2008) 84(1) International Affairs 45, 45. Peter Gourevitch, ‘The Second Image Reversed: The International Sources of Domestic Politics’ (1978) 32(4) International Organization 881. Christopher Kuner and others, ‘The GDPR as a Chance to Break Down Borders’ (2017) 7(4) International Data Privacy Law 231, 232. Kuner, Transborder Data Flows and Data Privacy Law (n 23) 183. See too:

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

252

EU’s Exercise of Extraterritorial Jurisdiction in Data Protection Law

acting in the interests of the world community as a whole? It was the first region to enact data protection legislation, it has the strictest data protection legislation and it wields strong market power. It also has open goals to promote its values abroad, albeit to contribute to protecting its own citizens and not necessarily those of third States. For example, Article 3(5) Treaty on European Union (TEU) outlines that ‘[i]n its relations with the wider world, the Union shall uphold and promote its values and interests and contribute to the protection of its citizens’.93 The CJEU’s interpretation of the DPD as having ‘a particularly broad territorial scope’, and the GDPR an even broader one, enables such value promotion.94 Thus, the EU’s role has evolved, so it is now an actor that promotes the ‘universality of fundamental rights’ precisely through ‘the application of local values outside national borders’.95 Indeed, when EU Member States or entities ‘thus flex their muscles, they exercise unilateral jurisdiction to protect some notion of “global values” or “the common interest”’.96 The question then arises of whether these local values are truly universal. The EU could be contributing to data privacy becoming globally important, but there is something contradictory about labelling a decidedly local value and fundamental right as something inherently global. Even if the EU is moving towards being an exporter of a data protection value or norm, it should be wary in doing this, so its efforts do not backfire and ultimately result in a lower level of protection for all. It is important to extend the application of EU law cautiously, for whatever purpose. This caution ensures that the checks and balances of EU law can balance the ‘projection of EU interests and values against the dangers of jurisdictional over-reach and the international tensions and blowback that follow’.97 Perhaps consequential norm diffusion, as opposed to self-proclaimed norm export, is the most effective way of spreading values in practice. Regulation has also focused too much on securing application of local standards to personal data transferred outside national borders, while neglecting policies that are in the interest of the international community as a whole. . . . The goal of transborder data flow regulation should be to promote the universality of fundamental rights, not just to ensure the application of local values outside national borders. (Ibid., 186–187) 93 94

95 96

97

Consolidated Version of the Treaty on European Union [2012] OJ C326/01 (TEU) art 3(5). Article 29 Working Party, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain (WP 179 update, 16 December 2015) citing Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (n 10) paras 53–54 (emphasis omitted from Working Party document). Kuner, Transborder Data Flows and Data Privacy Law (n 23) 186–187. Ryngaert, Unilateral Jurisdiction and Global Values (n 48) 27. See too Cedric Ryngaert, Selfless Intervention: The Exercise of Jurisdiction in the Common Interest (Oxford University Press 2020). Scott, ‘The New EU “Extraterritoriality”’ (n 54) 1346.

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

9.5 Interim Conclusion

253

9.5 interim conclusion The EU is exercising extraterritorial jurisdiction in data protection law increasingly for the good of a global community. The EU’s successful spreading of its data protection law is not purely incidental, nor is the EU acting solely as a norms exporter. Rather, much of its action incidentally sets norms, which has evolved to accommodate the EU as a global standard-setter with a conviction that it ought to be doing so for the world community beyond the EU. Inasmuch as data protection is a fundamental right in the EU, certain actors, including the CJEU and the EDPB, are construing ‘territory’ broadly, apparently to protect this right. In terms of safeguarding the fundamental right to data protection in an international setting, and considering unilateral, bilateral and multilateral approaches thereto, scholars have favoured a unilateral approach – acknowledging its failings, acknowledging it might not be viable in the long term, and asserting that these three approaches do not work in isolation.98 For now, the EU seems successful at diffusing its highlevel data protection regulation – as law and norm – through initially unilateral action. This trend looks set to continue, which is laudable when pursuing objectives to further fundamental rights and ‘global’ values.99 That said, the EU ought to take care not to extend the reach of its extraterritorial prescriptive jurisdiction so far that it meets with pushback and politically awkward situations that challenge or diminish its activism in this area. Indeed, the EU’s action with external effects has inspired convergence, but eventual international cooperation would further strengthen privacy protection for the global community.100

98

99

100

Hielke Hijmans, The European Union as Guardian of Internet Privacy: The Story of Art 16 TFEU (Springer 2016) 484. Schwartz suggests the EU does not exercise unilateral power, but rather influence based on bilateral negotiations: Paul Schwartz, ‘Global Data Privacy: The EU Way’ (2019) 94 New York University Law Review 771, 818. ‘The merits of the current international governance model for data privacy ought not be overlooked: it is a pluralistic, cosmopolitan model that caters to a multitude of alternatives derived directly from stakeholders; in practice, it is a democratic model for the regulation of data privacy, allowing countries and their elected governments to choose the option that best suits their needs and culture.’ Paul de Hert and Vagelis Papakonstantinou, ‘Three Scenarios for International Governance of Data Privacy: Towards an International Data Privacy Organization, Preferably a UN Agency’ (2013) 9(2) I/S: A Journal of Law and Policy for the Information Society 271, 308 (citations omitted). Ibid., 310.

https://doi.org/10.1017/9781108784818.009 Published online by Cambridge University Press

10 Conclusion Enduring Territoriality and Fundamental Rights

10.1 introduction This research has examined the opportunities and limitations for the EU to exercise prescriptive jurisdiction extraterritorially to safeguard EU individuals’ fundamental right to data protection. In doing so unilaterally, the EU has been championing a value and fundamental right for its data subjects. This has inspired jurisdictional tensions with the US, with its contrasting approach to data protection and privacy rights. Over time, however, the US has been compelled to match the stricter data protection laws in the EU. In most circumstances examined, the EU has been both permitted and obliged to exercise jurisdiction in such an expansive way, resulting in better protection for its individuals whose personal data is controlled, processed or transferred abroad. In view of certain structural limitations, such as the absence of a forum for a multilateral data protection instrument, the EU’s role as a trailblazer is important in setting a high-level data protection norm around the world. This has implications not only for global data privacy, but also for the nature of jurisdiction in the age of a global Internet and digitised personal data. The following section gives an overview of the findings corresponding to the underlying questions outlined in Chapter 1. It focuses on recommendations on how the EU ought to exercise jurisdiction. The chapter then uses commonalities between the studied case examples to inform a discussion on potential future scenarios and general trends in public international law.

10.2 overview of findings This research outlined a way to assess how far EU data protection law should extend in situations over which both the EU and the US could claim some 254

https://doi.org/10.1017/9781108784818.010 Published online by Cambridge University Press

10.2 Overview of Findings

255

form of jurisdiction. The following segment outlines the two major sections of the research, comprising the assessment framework and its application, and briefly summarises the findings. First, the research delineated how far the EU’s obligations to safeguard its data subjects’ fundamental right to data protection may extend extraterritorially. Whilst EU instruments would have the fundamental right to data protection apply to ‘everyone’ everywhere, in practice this is impermissible, impracticable and likely impossible. Instead, the EU’s protective duty to secure and ensure its data subjects’ rights may extend beyond its borders in specific circumstances. Its negative obligation to respect the right to data protection entails not engaging in conduct that would contribute to this right being unjustifiably interfered with. The Union’s obligations to protect and facilitate the right extend to a ‘place’ under its effective and/or virtual control. It has positive obligations to ensure this happens. Data protection as an EU fundamental right places duties on EU entities to ensure it is safeguarded abroad, subject to limitations. With the rights-focused General Data Protection Regulation (GDPR), these duties will only grow. Moving to wider public international law, the research next interpreted the classic permissive principles of jurisdiction in public international law to accommodate EU data protection law, ultimately to delimit the EU’s exercise of extraterritorial jurisdiction vis-à-vis the US. It established permissive principles, pertaining to where an act begins or culminates (subjective or objective territoriality) and the nationality of a perpetrator or victim (active and passive personality) that could allow the EU to claim jurisdiction over an act. If the data processing act began on EU territory or culminated there, or if the personal data was related to an EU individual, EU lawmakers could claim jurisdiction. Under the effects doctrine, which is difficult to apply in practice with the virtual world where adverse effects are not necessarily ‘felt’ somewhere, the EU could also claim jurisdiction. The protective principle, involving a State’s vital interests, could also justify the EU’s exercise of jurisdiction in questions relating to governmental surveillance. For this research, however, both territoriality principles and passive personality were most relevant. The EU would be prohibited from exercising extraterritorial jurisdiction if it reached an exorbitant threshold. Having acknowledged the foregoing pronouncements on public international law, the way in which States exercise and claim jurisdiction in the cybersphere does not fit readily with traditional notions of territory and sovereignty. As such, regulators ought to consider extra criteria to discern the legitimacy of a jurisdictional claim. These considerations include the degree of connection – territorial or otherwise – between the legislator and the

https://doi.org/10.1017/9781108784818.010 Published online by Cambridge University Press

256

Conclusion: Enduring Territoriality and Fundamental Rights

legislated. They also cover each party’s interests in exercising jurisdiction, which can be framed in human rights terms and which ought to be balanced. Finally, the criteria include comity considerations manifested as reasonableness. The EU ought to be deferential in its jurisdictional claims. Taken together, these mitigation factors serve to lessen problematic regulatory overreach. In sum, a State may legitimately exercise jurisdiction where it has an obligation to do so to protect a fundamental right, based on a permissive principle, a genuine connection, and sufficiently balanced interests. The second part of the research applied this assessment framework to three law and policy areas. First, it examined the discrepancies between data privacy and security in the US and EU. In negotiating data transfer agreements with the US for security or counterterrorism purposes, the EU should push for more of its core data protection principles to appear in such agreements. These agreements ought to include a strong territorial connection to the EU for a version of its laws to apply to that personal data, and that protected data ought to pertain to EU data subjects with a similarly sufficient nationality or residence-based connection to the Union. Finally, the EU ought to consider the US’ security interests, and those of the international community, in pushing for only the core EU data protection principles, and not all procedural and technical requirements, to filter into an agreement with the US. This would evade political pushback and ultimately succeed in protecting its data subjects’ personal data when transferred to the US Department of Homeland Security or similar for processing. The research then investigated how to reduce transatlantic conflicts over the EU’s exercise of prescriptive jurisdiction regarding the right to have certain personal data removed from search engine results (the right to erasure as an EU-centric data protection concern) in tension with the free flow of information (as a freedom of expression concern prioritised in the US). To satisfy the three aspects of the assessment framework, the right to erasure should be realised in a way that EU data subjects who want their privacy protected enjoy this right everywhere in the EU. It should also, however, not extend beyond EU borders to such a degree that non-EU individuals located outside the EU would see a list of redacted results under European data protection law when conducting an online search. Further, these individuals should not be able to exercise the EU-style right to erasure without being on EU territory and having more than a passing affiliation to the Union (so nationality and/or residence). As such, this approach considers US interests and would be an imminently reasonable way for the EU to exercise jurisdiction in terms of the right to erasure as a feature of data protection.

https://doi.org/10.1017/9781108784818.010 Published online by Cambridge University Press

10.3 Potential Future Directions

257

Third, the research asked to what extent EU data protection law should be applied extraterritorially when regulating EU to US transborder data flows to safeguard the right to data protection and enable transatlantic trade. A third State’s data protection legal order must be essentially equivalent to the EU’s for that State to receive personal data from the Union, necessitating the near-direct application of EU law abroad. Concerning ad hoc negotiations and agreements with the US to allow such data transfers, absent it being deemed to provide adequate protection, the EU is increasingly successful at ensuring US entities safeguard its data subjects’ rights. There is a sufficient territorial and, in practice, nationality/residence link that allows the EU to prescribe how certain personal data transferred abroad must be treated. Furthermore, relevant bodies providing, for instance, redress mechanisms to EU data subjects ensure that the relevant data is ‘EU-related’, thereby establishing a sufficient connection through means beyond nationality/residence. In practice, private corporations are ensuring these protections at a high level. With all three examples explored, a targeting approach, whereby activity intentionally directed to EU data subjects who are in the Union at the time, could reasonably be regulated by the EU. Through the aforementioned case studies, the EU has been mostly successful at spreading a high-level global data protection standard. Its role in doing this was originally focused on protecting its own citizens, but has evolved to become consequentially normative. Legal diffusion has also prompted norm diffusion. The Union now actively promotes its global digital standard, moving closer to being a norm entrepreneur acting in the interests of the international community. Bearing this development in mind, it is interesting to consider potential future scenarios, as the next section explores.

10.3 potential future directions This section looks at two potential scenarios for the future. First, there could be a move to mostly territory-based jurisdiction to limit data protection law territorially.1 Second, there could be a move to expand the fundamental right 1

In terms of future thinking about international law, this scenario draws parallels with The Hague Institute for International Law’s potential scenario of Legal Borders, which entails that ‘the expansion of international rules and institutions reverses and legal borders thicken’, statemade law borders dominate and ‘[r]egional organisations emerge as a key part of developing legal borders’. HiiL, ‘Law Scenarios to 2030’ (2012) 26. See too Stavros Zouridis and others, ‘The Global Legal Environment and Its Future Four Scenarios’ (2012) 17(2) Tilburg Law Review 332. Legally, this territory tends to follow the political maps of the nation state, however the discussion [on the spatiality of the internet] also challenges the relevance and legitimacy of the nation state, in so far as many of the geographies of the internet do not map onto

https://doi.org/10.1017/9781108784818.010 Published online by Cambridge University Press

258

Conclusion: Enduring Territoriality and Fundamental Rights

to data protection extraterritorially. This would decrease the relevance of distinguishing between territorial and extraterritorial in practice. 10.3.1 Enduring Territorialism A focus on physical territory implies it is narrowly construed to protect rights of, in this instance, EU individuals. This form of exercising jurisdiction focuses less on the content of EU values translated into fundamental rights law, and more on their practical expression within certain legal parameters. It is in line with the sentiment that the EU’s adequacy or geographical approach ‘is sometimes misunderstood as an element of fundamental rights, whereas actually it is an applicable law rule’.2 Construing territory narrowly is already evident in the phenomenon of data localisation. Data localisation is when a company or State stores personal data within a specific territory, so only its law applies to that data. It is not a new phenomenon, but it experienced a resurgence after the Snowden revelations. Post-Schrems, however, increasing numbers of big Internet companies have offered customers the opportunity to have their personal data stored on EU servers, to attract customers who better trust the EU level of data protection. This approach, however, sidelines the inevitability and importance of crossborder data transfers. Further, the motivations of the main actors here (private companies) do not necessarily reflect those of others, namely the EU in its attempts to territorially extend its laws to ensure privacy rights. That said, data localisation might more successfully safeguard EU residents’ – and perhaps residents of third States’ – right to data protection. Data localisation in States such as China or Russia, however, limits certain rights and freedoms. Indeed, ‘requiring local data storage would undermine, rather than strengthen, fundamental rights’.3 Furthermore, walling off the Internet ‘would the nation state, but rather ignore, sideline or transcend these political territorial boundaries in favour of other (well known) maps of social significance, such as the north-south divide, the have and have-nots, the urban versus rural divide, just to mention a few. (Barney Warf, ‘Alternative Geographies of Cyberspace’ in Uta Kohl (ed) The Net and the Nation State: Multidisciplinary Perspectives on Internet Governance (Cambridge University Press 2017) 148.)

2

3

See too the notion of community-based models of jurisdiction as an alternative to territoriality in Cedric Ryngaert and Mark Zoetekouw, ‘The End of Territory? The Re-Emergence of Community as a Principle of Jurisdictional Order in the Internet Era’ in Uta Kohl (ed) The Net and the Nation State: Multidisciplinary Perspectives on Internet Governance (Cambridge University Press 2017) 187. Christopher Kuner, Transborder Data Flows and Data Privacy Law (Oxford University Press 2013) 172. Christopher Kuner, ‘Requiring Local Storage of Internet Data Will Not Protect Privacy’ (OUPblog, 6 December 2013) .

https://doi.org/10.1017/9781108784818.010 Published online by Cambridge University Press

10.3 Potential Future Directions

259

be a disproportionate interference with the right of transborder communication, and would be legally unenforceable’.4 A territory-strong approach is also evident in case law and bilateral negotiations. Consider the implementation of the Google Spain judgment, for instance, whereby the location of a data subject directly affects what search engine results they see, and thus directly affects the privacy of certain EU residents who have requested their results be delisted. The EU’s territorial connection to the US’ collection of personal data from EU air carriers is what triggered its PNR Agreement negotiations. The Agreement now applies to air carriers leaving or arriving in the EU, or storing data or being incorporated in the EU; that is, it is contingent upon a territorial link. Furthermore, the GDPR confirms that territory is the main base upon which the EU may exercise jurisdiction.5 That said, the GDPR applies to data subjects ‘in the Union’, which prima facie seems territorially bound, but could in fact open it up to applying in situations where the focus is on jurisdiction and not territory (compare with the European Convention of Human Rights and previously proposed revisions of the Council of Europe Convention 108 on personal data processing), which could be based on notions of effective control over space or people. Applying EU data protection law to entities that target EU residents is conceivable and would be an effective way of interpreting the GDPR. Residency, however, implies a territorial link to the EU. In conclusion, territory is still important online and in terms of triggering jurisdiction. Physical territory is important in determining the application of the GDPR. The EU could exercise jurisdiction with a degree of extraterritorial effect in the Google Spain case and in negotiating the PNR Agreement due to a territorial connection, however tenuous, between EU lawmakers and the regulated situations. Moreover, data localisation is not obsolete. It is often the case that community interests, territory and thus jurisdiction do coincide.6 In that sense, territorial jurisdiction is a proxy for a State’s interests in claiming jurisdiction to protect its subjects. That said, walling off the Internet would not necessarily mitigate jurisdictional tensions as simply having personal data stored in one area would not exclude the possibility of, for instance, thirdState intelligence agencies accessing it unlawfully or it being transferred to entities in third States with lesser protection. The Union’s law does spread

4 5

6

Ibid. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L 119 (GDPR). Asha Kaushal, ‘The Politics of Jurisdiction’ (2015) 78 Modern Law Review 759, 765.

https://doi.org/10.1017/9781108784818.010 Published online by Cambridge University Press

260

Conclusion: Enduring Territoriality and Fundamental Rights

globally and the Internet allows ‘unterritorial’ socio-normative communities to form, which could enable post-territorial ideas of sovereignty.7 Perhaps an explicit move to extraterritoriality can facilitate better rights protection, as discussed below.

10.3.2 Foregrounding Fundamental Rights A second possible future scenario is centred on safeguarding fundamental rights as a justification for the broad reach of EU data protection law. The scenario will only seem more likely if CJEU and national cases follow post-2009 judicial trends in according data protection more weight than other rights and interests.8 It would also gain more legitimacy when the EU ratifies the European Convention on Human Rights (ECHR). It should be noted that the rights to privacy and data protection are not absolute and may be limited in certain circumstances, for example in the interests of national security. The GDPR admits of a departure from data localisation and territory in the name of broader and more effective rights protection. The DPD applied when there was ‘an establishment of the controller on the territory of the Member State [or] the controller is not established on Community territory [but] makes use of equipment . . . situated on the territory of the said Member State’.9 Whilst in practice Union regulators have increasingly employed a functional approach, so 7

8

9

Cedric Ryngaert, ‘Representations of the (Extra)territorial: Theoretical and Visual Perspectives’ (2017) 13(2) Utrecht Law Review 1, 3. De Hert and Thumfart develop a ‘new, post-territorial, non-empirical idea of sovereignty’. Paul de Hert and Johannes Thumfart, ‘The Microsoft Ireland Case and the Cyberspace Sovereignty Trilemma. Post-Territorial Technologies and Companies Question Territorial State Sovereignty and Regulatory State Monopolies’ (2018) 4 (11) Brussels Privacy Hub Working Paper 5. They note that ‘the GDPR has a post-territorial scope inasmuch as its “territorial”-scope is based on the – not even necessarily financially remunerated – participation in the EU market and the monitoring of the behavior of data subjects within the EU, which can be understood as a pure destination approach without any relation to geographic-epistemic territory in regard to origin’ (Ibid.). They clarify that ‘the Internet is not simply non-territorial . . . [it] is based on material infrastructure that does occupy a territory’ (Ibid., 4); ‘[t]he challenge will be to sustain a measure of safety, freedom, and respect for human rights in cyberspace, based on a legality that cannot – however – be grounded in the monopolistic spatiality of territorial sovereignty’. Mireille Hildebrandt, ‘Extraterritorial Jurisdiction to Enforce in Cyberspace? Bodin, Schmitt, Grotius in Cyberspace’ (2013) 63(2) Toronto Law Journal 196, 224. The CJEU ‘applies [data protection] rules strictly, interpreting them in the light of the EU Charter of Fundamental Rights, and favouring the rights and interests of the individual above corporate or business aims, however reasonable and legitimate’. Giovanni Buttarelli, ‘The EU GDPR as a Clarion Call for a New Global Digital Gold Standard’ (2016) 6(2) International Data Privacy Law 77, 77. DPD art 4(1).

https://doi.org/10.1017/9781108784818.010 Published online by Cambridge University Press

10.4 Concluding Remarks

261

a minor territorial link has, for instance, allowed the CJEU to regulate a particular situation with foreign elements, territory still de jure triggered the DPD’s application. The GDPR, however, applies to data controllers and processors located outside the EU, but which process personal data ‘in the context of the activities of an establishment of a processor or controller in the Union’.10 Furthermore, the GDPR applies to data subjects who are ‘in the Union’ if the data controller or processor offers goods or services, or monitors the behaviour of those data subjects if it takes place ‘in the Union’.11 The GDPR confirms a move away from the term ‘territory’, also evident in the renegotiation of the Council of Europe’s Convention 108 on personal data processing, to terms that could be construed more vaguely (‘in the Union’). This second scenario reflects the broader move within the EU to couch the territorial extension of its data protection law in fundamental rights protection terms that foreground the individual data subject’s rights. It construes territory broadly. It is plausible that the GDPR applies without regard for a data subject’s nationality. Indeed, it ‘should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data’.12 It is difficult to say what would therefore trigger the EU’s jurisdiction as it could not claim universal jurisdiction. In practice and again taking a functional approach, that an entity targets people in the Union as demonstrated through various criteria could trigger the exercise of jurisdiction. A degree of connection could be demonstrated through someone’s residence in the Union, although taking a strict fundamental rights approach would exclude this from happening, as the right ought to be guaranteed for everyone, no matter their nationality or place of residence. The likely way forward would involve a marriage of the two scenarios: an emphasis on fundamental rights protection and a reconceiving of territory – either construed broadly or narrowly – to enable this. That said, the EU’s obligations to safeguard its individuals’ fundamental right to data protection extraterritorially outweigh the somewhat outdated and strict limitations public international law poses on a State’s exercise of jurisdiction. The future looks set to foreground the individual data subject and their rights and interests.

10.4 concluding remarks Regarding public international law, the research highlights some issues with discussing (extra)territoriality per se in the online legal setting. It is increasingly 10 11 12

GDPR art 3(1). Ibid., art 3(2). GDPR recital 14.

https://doi.org/10.1017/9781108784818.010 Published online by Cambridge University Press

262

Conclusion: Enduring Territoriality and Fundamental Rights

apparent that it is difficult – or even impossible – to differentiate in strict terms between extraterritoriality and territoriality and, particularly, something that is extraterritorial in scope or effect in EU data protection law.13 The aforementioned GDPR provisions that omit territory, as well as discounting nationality or place of residence, exemplify how discussions of ‘extraterritorial effect’ carry little practical meaning. EU data protection law has extraterritorial qualities in several senses; however, its provisions never amount to an exercise of extraterritorial jurisdiction in the strictest sense, where there would be no territorial connection to a regulated situation whatsoever. Furthermore, the GDPR compared to the DPD is much less contingent upon physical territory for its application, reflecting technological advances such as cloud computing and extended reality, so the extraterritorial and territorial is becoming and will become a less useful distinction. In terms of trends in public international law, the present research shows the salience, but decreasing relevance, of territory in exercising jurisdiction. It also shows a plausible move to personality-based jurisdiction. The case examples show how the EU is successfully becoming a global standard-setter in the data protection sphere. The EU’s exercise of extraterritorial jurisdiction based on local conceptions of certain values and approaches to human rights standards is leading to the convergence of values on the global stage. Likely directions look more towards decreasing territorialism or broad interpretations of ‘territory’, increasing elevation of fundamental rights to the disadvantage of certain competing interests, and the EU continuing to act to set a high global data protection norm, enabled by the fundamental right to data protection conditioning its exercise of extraterritorial jurisdiction. Convergence could be resisted. If, however, the EU’s reach were strong enough to avoid or counter resistance, this would ultimately lead to fewer conflicts in jurisdiction as global standards would converge and, even in the EU–US data protection law interface, commonalities and shared approaches to rights protection would emerge.

13

Dan Jerker B Svantesson, ‘The Concept of “Extraterritoriality”: Widely Used, but Misguided and Useless’ (OUPblog, 17 November 2015) ; Christopher Kuner, ‘Extraterritoriality and Regulation of International Data Transfers in EU Data Protection Law’ (2015) 5(4) International Data Privacy Law 235, 236.

https://doi.org/10.1017/9781108784818.010 Published online by Cambridge University Press

Select Bibliography

Akandji-Kombe, J. Positive Obligations under the European Convention on Human Rights: A Guide to the Implementation of the ECHR (Council of Europe Publishing 2007). Alo, ER. ‘EU Privacy Protection: A Step towards Global Privacy’ (2014) 22 Michigan State International Law Review 1095. Alvarez Rigaudias, C and Spina, A. ‘Article 37: Designation of the Data Protection Officer’ in Christopher Kuner and others (eds), The EU General Data Protection Regulation (GDPR): A Commentary (Oxford University Press 2020). Argomaniz, J. ‘When the EU Is the “Norm-Taker”: The Passenger Name Records Agreement and the EU’s Internalization of US Border Security Norms’ (2009) 31 (1) Journal of European Integration 119. Assey, JM and Eleftheriou, DA. ‘The EU–US Privacy Safe Harbor: Smooth Sailing or Troubled Waters?’ (2001) 9 CommLaw Conspectus 145. Ausloos, J. ‘European Court Rules against Google, in Favour of Right to Be Forgotten’ (LSE Media Policy Project Blog, 13 May 2014) . The Right to Erasure in EU Data Protection Law: From Individual Rights to Personal Protection (Oxford University Press 2020). Ausloos, J and Kuczerawy, A. ‘From Notice-and-Takedown to Notice-and-Delist: Implementing the Google Spain Ruling’ (2016) 14(2) Colorado Technology Law Journal 219. Bamberger, KA and Mulligan, DK. Privacy on the Ground: Driving Corporate Behavior in the US and Europe (MIT Press 2015). Banisar, D and Davies, S. ‘Global Trends in Privacy Protection: An International Survey of Privacy, Data Protection, and Surveillance Law and Developments’ (1999) 18(1) John Marshall Journal of Computer and Information Law 1. Bartels, L. ‘The EU’s Human Rights Obligations in Relation to Policies with Extraterritorial Effects’ (2015) 25 European Journal of International Law 1071. Bennett, CJ. Regulating Privacy: Data Protection and Public Policy in Europe and the United States (Cornell University Press 1992).

263

https://doi.org/10.1017/9781108784818.011 Published online by Cambridge University Press

264

Select Bibliography

Bennett, CJ and Raab, CD. The Governance of Privacy: Policy Instruments in a Global Perspective (2nd edn, MIT Press 2006). Bennett, SC. ‘The “Right to Be Forgotten”: Reconciling EU and US Perspectives’ (2012) 30(1) Berkeley Journal of International Law 169. Berman, PS. ‘Global Legal Pluralism’ (2007) 80 Southern California Review 1155. Besson, S. ‘Sovereignty’, Max Planck Encyclopedia of Public International Law (Article last updated: April 2011) (Online version Oxford University Press). Bignami, F. ‘European versus American Liberty: A Comparative Privacy Analysis of Antiterrorism Data Mining’ (2007) 48 Boston College Law Review 609. Bignami, F and Resta, G. ‘Human Rights Extraterritoriality: The Right to Privacy and National Security Surveillance’ in Eyal Benvenisti and Georg Nolte (eds), Community Interests across International Law (Oxford University Press 2018). Bigos, O. ‘Jurisdiction over Cross-Border Wrongs on the Internet’ (2005) 54(3) International and Comparative Law Quarterly 585. Boehm, F and Cole, M. ‘Data Retention after the Judgement of the Court of Justice of the European Union’ (2014). Bradford, A. ‘The Brussels Effect’ (2012) 107(1) Northwestern University Law Review 1. The Brussels Effect: How the European Union Rules the World (Oxford University Press 2020). Brkan, M. ‘Data Protection and European Private International Law: Observing a Bull in a China Shop’ (2015) 5(4) International Data Privacy Law 257. ‘The Unstoppable Expansion of EU Fundamental Right to Data Protection: Little Shop of Horrors?’ (2016) 23(5) Maastricht Journal of European and Comparative Law 812. ‘The Court of Justice of the EU, Privacy and Data Protection: Judge-Made Law as a Leitmotif in Fundamental Rights Protection’ in M Brkan and E Psychogiopoulou (eds), Courts, Privacy and Data Protection in the Digital Environment (Edward Elgar Publishing 2017). ‘The Essence of the Fundamental Rights to Privacy and Data Protection: Finding the Way through the Maze of the CJEU’s Constitutional Reasoning’ (2019) 20(6) German Law Journal 864. Brown, I. ‘The Feasibility of Transatlantic Privacy-Protective Standards for Surveillance’ (2015) 23(1) International Journal of Law and Information Technology 23. Brown, I and Korff, D. ‘Foreign Surveillance: Law and Practice in a Global Digital Environment’ (2014) 3 European Human Rights Law Review 243. Brunnée, J. ‘Consent’, Max Planck Encyclopedia of Public International Law (Article last updated: January 2022) (Online version Oxford University Press). Buttarelli, G. ‘The EU GDPR as a Clarion Call for a New Global Digital Gold Standard’ (2016) 6(2) International Data Privacy Law 77. Buxbaum, HL. ‘Territory, Territoriality and the Resolution of Jurisdictional Conflicts’ (2009) 57(2) American Journal of Comparative Law 631. Bygrave, LA. Data Privacy Law: An International Perspective (Oxford University Press 2014). van Calster, G. ‘Regulating the Internet. Prescriptive and Jurisdictional Boundaries to the EU’s “Right to Be Forgotten”’ (2015) 24 .

https://doi.org/10.1017/9781108784818.011 Published online by Cambridge University Press

Select Bibliography

265

Cannataci, JA. ‘Games People Play: Unvarnished Insights on Privacy at the Global Level’ in Gert Vermeulen and Eva Lievens (eds), Data Protection and Privacy under Pressure: Transatlantic Tensions, EU Surveillance, and Big Data (Maklu 2017). Carolina, R. ‘Why the EU Has Issued Relatively Few Data Protection Adequacy Determinations? A Reply’ (Lawfare, 13 January 2017) . Cate, FH. ‘The Changing Face of Privacy Protection in the European Union and the United States’ (1999) 33(1) Indiana Law Review 173. Chander, A and Lê, UP. ‘Data Nationalism’ (2015) 64 (3) Emory Law Journal 677. Chander, A and Schwartz, PM. ‘Privacy and/or Trade’ (2023) 90(1) University Chicago Law Review 1. Cole, D and Fabbrini, F. ‘Bridging the Transatlantic Divide? The United States, the European Union, and the Protection of Privacy across Borders’ (2016) 14(1) International Journal of Constitutional Law 220. Colonna, L. ‘Article 4 of the EU Data Protection Directive and the Irrelevance of the EU–US Safe Harbor Program?’ (2014) 4(3) International Data Privacy Law 203. Cremona, M. ‘Justice and Home Affairs in a Globalised World: Ambitions and Reality in the Tale of the EU-US SWIFT Agreement’ (2011) Austrian Academy of Sciences, Institute for European Integration Research Working Paper. Cunningham, M. ‘Complying with International Data Protection Law’ (2016) 84(2) University of Cincinnati Law Review 421. Currie, JH. Public International Law (Irwin Law 2001). Czerniawski, M. ‘Extraterritoriality in the Age of the Equipment-Based Society: Do We Need the “Use of Equipment” as a Factor for the Territorial Applicability of the EU Data Protection Regime’ in DJB Svantesson and D Kloza (eds), TransAtlantic Data Privacy Relations as a Challenge for Democracy (Intersentia 2017). Daugirdas, K and Mortenson, JD. ‘Contemporary Practice of the United States Relating to International Law’ (2016) 110(2) The American Journal of International Law 346. Den Heijer, M. Europe and Extraterritorial Asylum (Hart Publishing 2012). Determann, L. Determann’s Field Guide to Privacy Law (2nd edn, Edward Elgar Publishing 2015). ‘Adequacy of Data Protection in the USA: Myths and Facts’ (2016) 6(3) International Data Privacy Law 244. Docksey, C. ‘Four Fundamental Rights: Finding the Balance’ (2016) 6(3) International Data Privacy Law 195. Elden, S. The Birth of Territory (University of Chicago Press 2013). Erdos, D. ‘Confused? Analysing the Scope of Freedom of Speech Protection vis-à-vis European Data Protection’ (2012) University of Oxford Legal Research Paper Series, Paper No 48/2012. Erdos, D and Garstka, K. ‘The “Right to Be Forgotten” Online within G20 Statutory Data Protection Frameworks’ (2019) University of Cambridge Faculty of Law Research Paper No 31/2019. Fahey, E. The Global Reach of EU Law (Routledge 2017). Farrell, H and Newman, A. ‘The Transatlantic Data War’ Foreign Affairs (2016). Fazlioglu, M. ‘Forget Me Not: The Clash of the Right to Be Forgotten and Freedom of Expression on the Internet’ (2013) 3(3) International Data Privacy Law 149.

https://doi.org/10.1017/9781108784818.011 Published online by Cambridge University Press

266

Select Bibliography

Fleisher, L. ‘Google Ruling: Freedom of Speech vs. the Right to Be Forgotten’ The Wall Street Journal (13 May 2014). Floridi, L. ‘Should You Have the Right to Be Forgotten on Google? Nationally, Yes. Globally, No.’ (2015) 32(2) New Perspectives Quarterly 24. Ford, M. ‘Will Europe Censor This Article? The Troubling Implications of the EU’s New “Right to Be Forgotten”’ The Atlantic (13 May 2014). Ford, RT. ‘Law’s Territory: (A History of Jurisdiction)’ (1999) 97(4) Michigan Law Review 843. Franck, T. The Power of Legitimacy among Nations (Oxford University Press 1990). Frantziou, E. ‘Further Developments in the Right to Be Forgotten: The European Court of Justice’s Judgment in Case C-131/12, Google Spain, SL, Google Inc v Agencia Espanola de Proteccion de Datos’ (2014) 14(4) Human Rights Law Review 761. Fuster, GG. The Emergence of Personal Data Protection as a Fundamental Right of the EU (Springer 2014). Gellman, R. ‘Fair Information Practices: A Basic History – Version 2.22’ (2022) 12 . Georgieva, I. ‘The Right to Privacy under Fire – Foreign Surveillance under the NSA and the GCHQ and Its Compatibility with Art. 17 ICCPR and Art. 8 ECHR’ (2015) 31(80) Utrecht Journal of International and European Law 104. Glancy, DJ. ‘The Invention of the Right to Privacy’ (1979) 21 Arizona Law Review 1. Goldsmith, J and Wu, T. Who Controls the Internet? Illusions of a Borderless World (Oxford University Press 2006). Goodman, R and Jinks, D. ‘How to Influence States: Socialization and International Human Rights Law’ (2004) 54 Duke Law Journal 621. Gourevitch, P. ‘The Second Image Reversed: The International Sources of Domestic Politics’ (1978) 32(4) International Organization 881. Greenberg, MH. ‘A Return to Lilliput: The LICRA v. Yahoo – Case and the Regulation of Online Content in the World Market’ (2003) 18(4) Berkeley Technology Law Journal 1191. Greenleaf, G. ‘The Influence of European Data Privacy Standards outside Europe: Implications for Globalisation of Convention 108?’ (2012) University of Edinburgh School of Law Research Paper Series No 2012/12. ‘Sheherazade and the 101 Data Privacy Laws: Origins, Significance and Global Trajectories’ (2014) 23(1) Journal of Law, Information & Science, Special Edition: Privacy in the Social Networking World. ‘Global Data Privacy Laws 2021: Despite COVID Delays, 145 Laws Show GDPR Dominance’ (2021) 169 Privacy Laws & Business International Report 1, 1–2. Greenleaf, G, Chung, P and Mowbray, A. ‘Supporting and Influencing Data Privacy Practice: The Free Access International Privacy Law Library’ (2014) 31(2) Computer Law & Security Review 221. Gstrein, OJ and Zwitter, AJ. ‘Extraterritorial Application of the GDPR: Promoting European Values or Power?’ (2021) 10(3) Internet Policy Review 2. Guild, E., Carrera, S., den Hertog, L and Parkin, J. ‘Implementation of the EU Charter of Fundamental Rights and its Impact on EU Home Affairs Agencies’ European Parliament (2011). Hershey, AM. ‘History of International Law since the Peace of Westphalia’ (1912) 6(1) The American Journal of International Law 30.

https://doi.org/10.1017/9781108784818.011 Published online by Cambridge University Press

Select Bibliography

267

de Hert, P and Czerniawski, M. ‘Expanding the European Data Protection Scope beyond Territory: Article 3 of the General Data Protection Regulation in Its Wider Context’ (2016) 6(3) International Data Privacy Law 230. de Hert, P and Papakonstantinou, V. ‘Three Scenarios for International Governance of Data Privacy: Towards an International Data Privacy Organization, Preferably a UN Agency’ (2013) 9(2) I/S: A Journal of Law and Policy for the Information Society 271. de Hert, P and Thumfart, J. ‘The Microsoft Ireland Case and the Cyberspace Sovereignty Trilemma: Post-Territorial Technologies and Companies Question Territorial State Sovereignty and Regulatory State Monopolies’ (2018) 4(11) Brussels Privacy Hub Working Paper. European Union Agency for Fundamental Rights (FRA) and Council of Europe. Handbook on European Data Protection Law (Publications Office of the European Union 2014). Hildebrandt, M. ‘Extraterritorial Jurisdiction to Enforce in Cyberspace? Bodin, Schmitt, Grotius in Cyberspace’ (2013) 63(2) Toronto Law Journal 196. Hijmans, H. The European Union as Guardian of Internet Privacy: The Story of Art 16 TFEU (Springer 2016). Hondius, FW. ‘A Decade of International Data Protection’ (1983) 30 Netherlands International Law Review 106. Hoofnagle, CJ. Federal Trade Commission Privacy Law and Policy (Cambridge University Press 2016). Hörnle, J. ‘Juggling More Than Three Balls at Once: Multilevel Jurisdictional Challenges in EU Data Protection Regulation’ 27 International Journal of Law and Information Technology (2019) 142. Hornung, G and Boehm, F. ‘Comparative Study on the 2011 Draft Agreement between the Unites States of America and the European Union on the Use and Transfer of Passenger Name Records (PNR) to the United States Department of Homeland Security’ (2012) 3. Ireland-Piper, D. ‘Extraterritorial Criminal Jurisdiction: Does the Long Arm of the Law Undermine the Rule of Law?’ (2012) 13(1) Melbourne Journal of International Law 1. Jørgensen, RF. ‘The Right to Express Oneself and to Seek Information’ in RF Jørgensen (ed), Human Rights in the Global Information Society (MIT Press 2006). Jozwiak, M. ‘Balancing the Rights to Data Protection and Freedom of Expression and Information by the Court of Justice of the European Union: The Vulnerability of Rights in an Online Context’ (2016) 23(3) Maastricht Journal of European & Comparative Law 404. Kamarinou, D, Millard, C and Hon, WK. ‘Cloud Privacy: An Empirical Study of 20 Cloud Providers’ Terms and Privacy Policies – Part II’ (2016) 6(3) International Data Privacy Law 170. Kamminga, MT. ‘Extraterritoriality’, Max Planck Encyclopedia of Public International Law (Article last updated: September 2020) (Online version Oxford University Press). ‘Transnational Human Rights Litigation against Multinational Corporations PostKiobel’ in Cedric Ryngaert, Erik J Molenaar and Sarah MH Nouwen (eds),

https://doi.org/10.1017/9781108784818.011 Published online by Cambridge University Press

268

Select Bibliography

What’s Wrong with International Law? Liber Amicorum A.H.A. Soons (Brill Nijhoff 2015). Kaushal, A. ‘The Politics of Jurisdiction’ (2015) 78 Modern Law Review 759, 786. Kelly, MJ and Satola, D. ‘The Right to Be Forgotten’ (2017) 1 University of Illinois Law Review 1. Kleizen, B. ‘Externalizing EU Law, Policy and Values Europe’s Global Identity, Mechanisms of Rule Transfer and Case Studies on Illegal Logging and Bosnia and Herzegovina’ (2015) RENFORCE Working Paper Series No 1. Klosek, J. The War on Privacy (Praeger Publishers, 2007). Kohl, U. Jurisdiction and the Internet: Regulatory Competence over Online Activity (Cambridge University Press 2007). ‘Jurisdiction in Cyberspace’ in N Tsagourias and R Buchan (eds), Research Handbook on International Law and Cyberspace (Edward Elgar Publishing 2015). Kohl, U and Rowland, D. ‘Censorship and Cyberborders through EU Data Protection Law’ in U Kohl (ed), The Net and the Nation State: Multidisciplinary Perspectives on Internet Governance (Cambridge University Press 2017). Kokott, J and Sobotta, C. ‘The Distinction between Privacy and Data Protection in the Jurisprudence of the CJEU and ECtHR’ (2013) 3(4) International Data Privacy Law 222. Koops, B-J. ‘The Trouble with European Data Protection Law’ (2014) 4(4) International Data Privacy Law 250. Kosta, E. Consent in European Data Protection Law (Martinus Nijhoff Publishers 2013). Kowalik-Banczyk, ´ K and Oreste, P. ‘Migration of European Judicial Ideas Concerning Jurisdiction over Google on Withdrawal of Information’ (2016) 17(3) German Law Journal 315. Krisch, N. ‘The Decay of Consent: International Law in an Age of Global Public Goods’ (2014) 108(1) American Journal of International Law 1. Kuhelj, A. ‘The Twilight Zone of Privacy for Passengers on International Flights between the EU & USA’ (2009) 16(2) UC Davis Journal of International Law and Policy 383. Kulk, S and Borgesius, FZ. ‘Google Spain v. González: Did the Court Forget about Freedom of Expression?: Case C-131/12 Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos and Mario Costeja González’ (2014) 5(3) European Journal of Risk Regulation 389. ‘Privacy, Freedom of Expression, and the Right to Be Forgotten in Europe’ in J Polonetsky, J Tene and E Selinger (eds), Cambridge Handbook of Consumer Privacy (Cambridge University Press 2017). Kuner, C. ‘An International Legal Framework for Data Protection: Issues and Prospects’ (2005) 25 Computer Law & Security Review 307. European Data Protection Law: Corporate Compliance and Regulation (2nd edn, Oxford University Press 2007). ‘Data Protection Law and International Jurisdiction on the Internet (Part 1)’ (2010) 18 (2) International Journal of Law and Information Technology 176. ‘Data Protection Law and International Jurisdiction on the Internet (Part 2)’ (2010) 18 (3) International Journal of Law and Information Technology 227.

https://doi.org/10.1017/9781108784818.011 Published online by Cambridge University Press

Select Bibliography

269

‘Extraterritoriality and the Fundamental Right to Data Protection’ (EJIL: Talk!, 16 December 2013) . ‘Requiring Local Storage of Internet Data Will Not Protect Privacy’ (OUPblog, 6 December 2013) . Transborder Data Flows and Data Privacy Law (Oxford University Press 2013). ‘The European Union and the Search for an International Data Protection Framework’ (2014) 2 Groningen Journal of International Law 55. ‘A Super-Right to Data Protection? The Irish Facebook Case and the Future of EU Data Transfer Regulation’ (LSE Media Policy Project Blog, 24 June 2014) . ‘The Court of Justice of the EU Judgment on Data Protection and Internet Search Engines’ (2015) LSE Law, Society and Economy Working Papers 3/2015. ‘Extraterritoriality and Regulation of International Data Transfers in EU Data Protection Law’ (2015) 5(4) International Data Privacy Law 235. ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ (2016) Cambridge University Legal Studies Working Paper No 14/2016. ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ (2017) 18 German Law Journal 10. ‘Third Country Law in the CJEU’s Data Protection Judgments’ (European Law Blog, 12 July 2017) . ‘The Internet and the Global Reach of EU Law’ in Marise Cremona and Joanne Scott (eds), EU Law beyond EU Borders: The Extraterritorial Reach of EU Law (Oxford University Press 2019). Territorial Scope and Data Transfer Rules in the GDPR: Realising the EU’s Ambition of Borderless Data Protection’ (2021) University of Cambridge Faculty of Law Research Paper No 20/2021. Kuner, C and others. ‘The (Data Privacy) Law Hasn’t Even Checked in When Technology Takes Off’ (2014) 4(3) International Data Privacy Law 175. Kuner, C and others. ‘Internet Balkanization Gathers Pace: Is Privacy the Real Driver?’ (2015) 5(1) International Data Privacy Law 1. Kuner, C and Marelli, M. Handbook on Data Protection in Humanitarian Action (2nd edn, International Committee of the Red Cross 2020). Kuner, C and others. ‘The Language of Data Privacy Law (and How It Differs from Reality)’ (2016) 6(4) International Data Privacy Law 260. Kuner, C and others. ‘The GDPR as a Chance to Break Down Borders’ (2017) 7(4) International Data Privacy Law 231. Kunig, P ‘Prohibition of Intervention’, Max Planck Encyclopedia of Public International Law (Article last updated: April 2008) (Online version Oxford University Press). Lee, E. ‘Recognizing Rights in Real Time – The Role of Google in the EU Right to Be Forgotten’ (2015–2016) UC Davis Law Review 1017.

https://doi.org/10.1017/9781108784818.011 Published online by Cambridge University Press

270

Select Bibliography

Louks, D. ‘(Fly) Anywhere but Here: Approaching EU-US Dialogue concerning PNR in the Era of Lisbon’ (2013) 23(3) Indiana International & Comparative Law Review 479. Lowe, V and Staker, C. ‘Jurisdiction’ in M Evans (ed), International Law (3rd edn, Oxford University Press 2010). Lynskey, O. ‘Deconstructing Data Protection: The “Added-Value” of a Right to Data Protection in the EU Legal Order’ (2014) 63 International & Comparative Law Quarterly 569. ‘Rising Like a Phoenix: The “Right to Be Forgotten’ before the ECJ’ (European Law Blog, 13 May 2014) . Maier, B. ‘How Has the Law Attempted to Tackle the Borderless Nature of the Internet?’ (2010) 18(2) International Journal of Law and Information Technology 142. Maier, HG. ‘Interest Balancing and Extraterritorial Jurisdiction’ (1983) 31(4) The American Journal of Comparative Law 579. Mann, FA. The Doctrine of Jurisdiction in International Law (AW Sijthoff 1964). ‘The Doctrine of International Jurisdiction Revisited after Twenty Years’, Collected Courses of the Hague Academy of International Law (Brill Nijhoff 1984). Manners, I. ‘The Normative Ethics of the European Union’ (2008) 84(1) International Affairs 45. Margulies, P. ‘Sovereignty and Cyber Attacks: Technology’s Challenge to the Law of State Responsibility’ (2013) 14 Melbourne Journal of International Law 496. Markou, C. ‘The “Right to Be Forgotten”: Ten Reasons Why It Should Be Forgotten’ in S Gutwirth, R Leenes and P de Hert (eds) Reforming European Data Protection Law (Springer 2015). McNealy, JE. ‘The Emerging Conflict between Newsworthiness and the Right to Be Forgotten’ (2012) 39(2) Northern Kentucky Law Review 119. Mercer, ST. ‘The Limitations of European Data Protection as a Model for Global Privacy Regulation’ (2020) AJIL Unbound 20. Michaels, R. ‘Territorial Jurisdiction after Territoriality’ in P-J Slot and M Bulterman (eds), Globalisation and Jurisdiction (Kluwer Law International 2004). Michelman, FI. ‘The State Action Doctrine’ in Vikram David Amar and Mark V Tushnet (eds), Global Perspectives on Constitutional Law (Oxford University Press 2009). Milanovic, M. Extraterritorial Application of Human Rights Treaties: Law, Principles, and Policy (Oxford University Press 2011). ‘Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age’ (2015) 56(1) Harvard International Law Journal 81. Mills, A. ‘Rethinking Jurisdiction in International Law’ (2014) 84(1) British Yearbook of International Law 187. Mitsilegas, V. ‘Transatlantic Counter-terrorism Cooperation and European Values. The Elusive Quest for Coherence’ in D Curtin and E Fahey (eds), A Transatlantic Community of Law (Cambridge University Press 2014). ‘Surveillance and Digital Privacy in the Transatlantic “War on Terror.” The Case for a Global Privacy Regime’ (2016) 47(3) Columbia Human Rights Law Review 1. Moerel, L. ‘The Long Arm of EU Data Protection Law: Does the Data Protection Directive Apply to the Processing of Personal Data of EU Citizens by Websites Worldwide?’ (2011) 1(1) International Data Privacy Law 28.

https://doi.org/10.1017/9781108784818.011 Published online by Cambridge University Press

Select Bibliography

271

Binding Corporate Rules: Corporate Self-Regulation of Global Data Transfers (Oxford University Press 2012). Moreno-Lax, V and Costello, C. ‘The Extraterritorial Application of the EU Charter of Fundamental Rights: From Territoriality to Facticity, the Effectiveness Model’ in S Peers and others (eds), The EU Charter of Fundamental Rights: A Commentary (Hart Publishing 2014). Neale, M. No Maps for These Territories (Docurama 2000). Nolte, G. ‘European and US Constitutionalism: Comparing Essential Elements’ in Georg Nolte (ed), European and US Constitutionalism (Cambridge University Press 2005). Oxman, BH. ‘Jurisdiction of States’, Max Planck Encyclopedia of Public International Law (Article last updated: November 2007) (Online version Oxford University Press). Papakonstantinou, V and de Hert, P. ‘The PNR Agreement and Transatlantic Antiterrorism Cooperation: No Firm Human Rights Framework on Either Side of the Atlantic’ (2009) 46(3) Common Market Law Review 885. Paul, JR. ‘Comity in International Law’ (1991) 32(1) Harvard International Law Journal 1. ‘The Transformation of International Comity’ (2008) 71(3) Law and Contemporary Problems 19. Peers, S. ‘The CJEU’s Google Spain Judgment: Failing to Balance Privacy and Freedom of Expression’ (EU Law Analysis Blog, 13 May 2014) . Peguera, M. ‘Right to Be Forgotten and Global Delisting: Some News from Spain’ (Stanford Center for Internet and Society Blog, 17 December 2017) . Peters, A. ‘Surveillance without Borders? The Unlawfulness of the NSA-Panopticon, Part II’ (EJIL: Talk!, 4 November 2013) . Pfisterer, VM. ‘PNR in 2011: Recalling Ten Years of Transatlantic Cooperation in PNR Information Management’ (2012) 2 National Security and Armed Conflict Law Review 111. Pierik, R and Werner, W. ‘Cosmopolitanism in Context: An Introduction’ in R Pierik and W Werner (eds), Cosmopolitanism in Context: Perspectives from International Law and Political Theory (Cambridge University Press 2010). Post, RC. ‘Three Concepts of Privacy’ (2001) 89(6) Georgetown Law Journal 2087. ‘Data Privacy and Dignitary Privacy: Google Spain, the Right to Be Forgotten, and the Construction of the Public Sphere’ (2017) Yale Law School, Public Law Research Paper No 598. Prins, C. ‘Should ICT Regulation Be Undertaken at an International Level?’ in B-J Koops and others (eds), Starting Points for ICT Regulation: Deconstructing Prevalent Policy One-liners (TMC Asser Press 2006). Privacy Bridges. ‘EU and US Privacy Experts in Search of Transatlantic Privacy Solutions’ (2015) 19 . Prosser, WL. ‘Privacy’ (1960) 48 California Law Review 383.

https://doi.org/10.1017/9781108784818.011 Published online by Cambridge University Press

272

Select Bibliography

Reidenberg, JL. ‘Resolving Conflicting International Data Privacy Rules in Cyberspace’ (1999) 52 Stanford Law Review 1315. Richardson, M. The Right to Privacy: Origins and Influence of a Nineteenth-Century Idea (Cambridge University Press 2017). Rodotà, S. ‘Data Protection as a Fundamental Right’ in S Gutwirth and others (eds), Reinventing Data Protection? (Springer 2009). Rosas, A. ‘The European Union and Fundamental Rights/Human Rights’ in C Krause and M Scheinin (eds), International Protection of Human Rights: A Textbook (2nd edn, Åbo Akademi University 2012). Rosen, J. ‘The Right to Be Forgotten’ (2012) Stanford Law Review Online 88. Rudgard, S. ‘Origins and Historical Context of Data Protection Law’ in E Esturan (ed) European Privacy: Law and Practice for Data Protection Professionals (International Association of Privacy Professionals 2012) 3. Ryngaert, C. ‘The Limits of Substantive International Economic Law: In Support of Reasonable Extraterritorial Jurisdiction’ in B Keirsbilck, W Devroe and E Claes (eds), Facing the Limits of the Law (Springer 2009). Jurisdiction in International Law (2nd edn, Oxford University Press 2015). ‘The Concept of Jurisdiction in International Law’ in A Orakhelashvili (ed), Research Handbook on Jurisdiction and Immunities in International Law (Edward Elgar Publishing 2015). Unilateral Jurisdiction and Global Values (Eleven International Publishing 2015). ‘An Urgent Suggestion to Pour Old Wine into New Bottles – Comment on ‘A New Jurisprudential Framework for Jurisdiction’ (2015) 109 AJIL Unbound 81. ‘Whither Territoriality? The European Union’s Use of Territoriality to Set Norms with Universal Effects’ in C Ryngaert, EJ Molenaar and SMH Nouwen (eds), What’s Wrong with International Law? Liber Amicorum A.H.A. Soons (Brill Nijhoff 2015). ‘EU Trade Agreements and Human Rights: From Extraterritorial to Territorial Obligations’ (2018) 20(3–4) International Community Law Review 374. Selfless Intervention: The Exercise of Jurisdiction in the Common Interest (Oxford University Press 2020). Ryngaert, C and Taylor, M. ‘The GDPR as Global Data Protection Regulation?’ (2020) AJIL Unbound 5. Ryngaert, C and Zoetekouw, M. ‘The End of Territory? The Re-Emergence of Community as a Principle of Jurisdictional Order in the Internet Era’ in U Kohl (ed), The Net and the Nation State: Multidisciplinary Perspectives on Internet Governance (Cambridge University Press 2017). Samie, N. ‘The Doctrine of “Effects” and the Extraterritorial Application of Antitrust Laws’ (1982) 14(1) Lawyer of the Americas 23. Sarmiento, D. ‘What Schrems, Delvigne and Celaj Tell Us about the State of Fundamental Rights in the EU’ (Verfassungsblog, 16 October 2015) . Scheinin, M. ‘Characteristics of Human Rights Norms’ in C Krause and M Scheinin (eds), International Protection of Human Rights: A Textbook (2nd edn, Åbo Akademi University Institute for Human Rights 2012).

https://doi.org/10.1017/9781108784818.011 Published online by Cambridge University Press

Select Bibliography

273

Schoeman, FD. (ed) Philosophical Dimensions of Privacy: An Anthology (Cambridge University Press 1984). Schoenberger, AE. ‘Privacy Wars: EU versus US: Scattered Skirmishes, Storm Clouds Ahead’ (2007) 17 Indiana International & Comparative Law Review 355. Schrems, M. ‘The Privacy Shield Is a Soft Update of the Safe Harbor’ (2016) 2(2) European Data Protection Law Review 148. Schultz, T. ‘Carving up the Internet: Jurisdiction, Legal Orders, and the Private/Public International Law Interface’ (2008) 19(4) European Journal of International Law 799. Schwartz, PM. ‘The EU–US Privacy Collision: A Turn to Institutions and Procedures’ (2013) 126 Harvard Law Review 1966. ‘Global Data Privacy: The EU Way’ (2019) 94 New York University Law Review 771. Schwartz, PM and Peifer, KN. ‘Transatlantic Data Privacy Law’ (2017) 106 Georgetown Law Journal 115. Schweighofer, E. ‘Principles for US–EU Data Flow Arrangements’ in DJB Svantesson and D Kloza (eds), Trans-Atlantic Data Privacy Relations as a Challenge for Democracy (Intersentia 2017). Scott, J ‘Extraterritoriality and Territorial Extension in EU Law’ (2014) 62(1) American Journal of Comparative Law 87. ‘The New EU “Extraterritoriality”’ (2014) 51 Common Market Law Review 1343. Scott, J and Rajamani, L. ‘Contingent Unilateralism – International Aviation in the European Emissions Trading Scheme’ in BV Vooren, S Blokmans and J Wouters, The EU’s Role in Global Governance: The Legal Dimension (Oxford University Press 2013). Shaffer, G. ‘Globalization and Social Protection: The Impact of EU and International Rules in the Ratcheting Up of US Privacy Standards’ (2000) 25(1) Yale Journal of International Law 55. Shaw, M. International Law (7th edn, Cambridge University Press 2014). Sheftalovich, Z. ‘The Phone Call That Saved Safe Harbor’ (2016) Politico . Slaughter, A-M. A New World Order (Princeton University Press 2005). van der Sloot, B. ‘Legal Fundamentalism: Is Data Protection Really a Fundamental Right?’ in R Leenes and others (eds), Data Protection and Privacy: (In)visibilities and Infrastructures (Springer 2017). Solove, DJ. ‘A Taxonomy of Privacy’ (2006) 154(3) University of Pennsylvania Law Review 477. Spijkers, O. The United Nations, the Evolution of Global Values and International Law (Intersentia 2011). Stone, GR and others. Constitutional Law (7th edn, Wolters Kluwer 2013). Sunstein, CR. ‘Social Norms and Social Roles’ (1996) 96(4) Columbia Law Review 903. Svantesson, DJB. Private International Law and the Internet (Kluwer Law International 2007). ‘A “Layered Approach” to the Extraterritoriality of Data Privacy Laws’ (2013) 3(4) IDPL 278.

https://doi.org/10.1017/9781108784818.011 Published online by Cambridge University Press

274

Select Bibliography

Extraterritoriality in Data Privacy Law (Ex Tuto Publishing 2013). ‘Delineating the Reach of Internet Intermediaries’ Content Blocking – “ccTLD Blocking”, “Strict Geolocation Blocking” or a “Country Lens Approach”?’ (2014) 11(2) SCRIPTed 153. ‘The Extraterritoriality of EU Data Privacy Law – Its Theoretical Justification and Its Practical Effect on U.S. Businesses’ (2014) 50 Stanford Journal of International Law 53. ‘The Concept of “Extraterritoriality”: Widely Used, but Misguided and Useless’ (OUPblog, 17 November 2015) . ‘Extraterritoriality and Targeting in EU Data Privacy Law: The Weak Spot Undermining the Regulation’ (2015) 5(4) International Data Privacy Law 226. ‘The Google Spain Case: Part of a Harmful Trend of Jurisdictional Overreach’ (2015) European University Institute Robert Schuman Centre for Advanced Studies Research Paper No RSCAS 2015/45. ‘Limitless Borderless Forgetfulness? Limiting the Geographical Reach of the “Right to Be Forgotten”’ (2015) 2(2) Oslo Law Review 116. ‘A New Jurisprudential Framework for Jurisdiction’ (2015) 109 AJIL Unbound 69. ‘Article 4(1)(a) “Establishment of the Controller” in EU Data Privacy Law – Time to Rein in This Expanding Concept?’ (2016) 6(3) International Data Privacy Law 210. ‘The CJEU’s Weltimmo Data Privacy Ruling: Lost in the Data Privacy Turmoil, Yet So Very Important Case C-230/14 Weltimmo, EU:C:2015:639’ (2016) 2 Maastricht Journal of European and Comparative Law 332. ‘Enforcing Privacy across Different Jurisdictions’ in D Wright and P De Hert (eds), Enforcing Privacy: Regulatory, Legal and Technological Approaches (Springer 2016). Solving the Internet Jurisdiction Puzzle (Oxford University Press 2017). ‘Internet & Jurisdiction Global Status Report’ (2019) Internet & Jurisdiction Policy Network. ‘Article 3. Territorial Scope’ in Christopher Kuner and others (eds), The EU General Data Protection Regulation (GDPR): A Commentary (Oxford University Press 2020). Svantesson, DJB and Kloza, D. ‘Yet Another Book about Snowden and Safe Harbor?’ in DJB Svantesson and D Kloza (eds), Trans-Atlantic Data Privacy Relations as a Challenge for Democracy (Intersentia 2017). Swire, P. ‘Peter Hustinx and Three Clichés about E.U.–U.S. Data Privacy’ in H Hijmans and H Kranenborg (eds), Data Protection Anno 2014: How to Restore Trust? Contributions in Honour of Peter Hustinx, European Data Protection Supervisor (2004–2014) (Intersentia 2014). Swire, PP and Litan, RE. None of Your Business: World Data Flows Electronic Commerce, and the European Privacy Directive (Brookings Institution Press 1998). Taylor, M. ‘The EU’s Human Rights Obligations in Relation to Its Data Protection Laws with Extraterritorial Effect’ (2015) 5(4) International Data Privacy Law 246. Tene, O and Wolf, C. White Paper – Overextended: Jurisdiction and Applicable Law under the EU General Data Protection Regulation, The Future of Privacy Forum (2013).

https://doi.org/10.1017/9781108784818.011 Published online by Cambridge University Press

Select Bibliography

275

Tzanou, M. ‘Data Protection as a Fundamental Right Next to Privacy? “Reconstructing” a Not So New Right’ (2013) 3(2) International Data Privacy Law 88. ‘The War against Terror and Transatlantic Information Sharing: Spillovers of Privacy or Spillovers of Security?’ (2015) 31(80) Utrecht Journal of International and European Law 87. The Fundamental Right to Data Protection: Normative Value in the Context of Counter-Terrorism Surveillance (Hart Publishing 2017). ‘The EU–US Data Privacy and Counterterrorism Agreements: What Lessons for Transatlantic Institutionalisation?’ in E Fahey (ed), Institutionalisation beyond the Nation State. Studies in European Economic Law and Regulation (Springer 2018). de Ubaldis, B. ‘on Codex’ (1577) vol 7, fol 70v in Iuriusconsulti Omnium. Uncular, S. ‘The Right to Removal in the Time of Post-Google Spain: Myth or Reality under General Data Protection Regulation?’ (2019) 33(3) International Review of Law, Computers & Technology 309. Ustaran, E. ‘EU General Data Protection Regulation: Things You Should Know’ (2016) 16(3) Privacy & Data Protection 3. Van Alsenoy, B. ‘Reconciling the (Extra)territorial Reach of the GDPR with Public International Law’ in Gert Vermeulen and Eva Lievens (eds), Data Protection and Privacy under Pressure: Transatlantic Tensions, EU Surveillance, and Big Data (Maklu 2017). Van Alsenoy, B and Koekkoek, M. ‘Internet and Jurisdiction after Google Spain: The Extraterritorial Reach of the “Right to Be Delisted”’ (2015) 5(2) International Data Privacy Law 105. Vara, JS. ‘Transatlantic Counterterrorism Cooperation Agreements on the Transfer of Personal Data’ in E Fahey and D Curtin (eds), A Transatlantic Community of Law: Legal Perspectives on the Relationship between the EU and US Legal Orders (Cambridge University Press 2014). in‘t Veld, S. ‘Transatlantic Relations and Security’ in E Fahey and D Curtin (eds), A Transatlantic Community of Law: Legal Perspectives on the Relationship between the EU and US Legal (Cambridge University Press 2014). Walker, K. ‘The Right to Be Forgotten’ (2012) 64(111) Hastings Law Journal 257. Warf, B. ‘Alternative Geographies of Cyberspace’ in Uta Kohl (ed), The Net and the Nation State: Multidisciplinary Perspectives on Internet Governance (Cambridge University Press 2017). Warren, SD and Brandeis, LD. ‘The Right to Privacy’ (1890) 4 Harvard Law Review 193. Watt, E. ‘The Role of International Human Rights Law in the Protection of Online Privacy in the Age of Surveillance’ in H Rõigas and others (eds), 9th International Conference on Cyber Conflict: Defending the Core (NATO CCD COE Publications 2017). Watt, HR. ‘Yahoo! Cyber-Collision of Cultures: Who Regulates?’ (2003) 24 Michigan Journal of International Law 673. ‘A Private (International) Law Perspective – Comment on “A New Jurisprudential Framework for Jurisdiction”’ (2015) 109 AJIL Unbound 75. Wenzel, N. ‘Opinion and Expression, Freedom of, International Protection’, Max Planck Encyclopedia of Public International Law (Article last updated: April 2014) (Online version Oxford University Press).

https://doi.org/10.1017/9781108784818.011 Published online by Cambridge University Press

276

Select Bibliography

Werro, F. ‘The Right to Inform v. the Right to Be Forgotten: A Transatlantic Clash’ in AC Ciacchi and others (eds), Haftungsrecht im dritten Millennium – Liability in the Third Millennium (Nomos 2009). Westin, AF. Privacy and Freedom (Atheneum 1967). de Wet, E and Vidmar, J. Hierarchy in International Law: The Place of Human Rights (Oxford University Press 2012). Whitman, JQ. ‘The Two Western Cultures of Privacy: Dignity versus Liberty’ (2004) 113(6) Yale Law Journal 1151. Wilde, R. ‘Triggering State Obligations Extraterritorially: The Spatial Test in Certain Human Rights Treaties’ (2007) 40(2) Israel Law Review 503. Zanfir, G. ‘How CJEU’s “Privacy Spring” Construed the Human Rights Shield in the Digital Age’ in E Kuzelewska and others (eds), European Judicial Systems as a Challenge for Democracy (Intersentia 2015). ‘Tracing the Right to Be Forgotten in the Short History of Data Protection Law: The “New Clothes” of an Old Right’ in S Gutwirth, R Leenes and P de Hert (eds), Reforming European Data Protection Law (Springer 2015).

https://doi.org/10.1017/9781108784818.011 Published online by Cambridge University Press

Index

activities (of an establishment), 101–103, 180 adequacy requirement. see also legal diffusion in DPD, 197, 217, 225, 245 EC on, 48, 193, 197–199 in GDPR, 75, 193–195, 217–218, 224 global standards, leading to, 194–196, 244–246 negotiations, 217 obligation to respect and, 47 in PNR agreements, 126–127 reasonableness, 228 Schrems case, 191, 197 Schrems II case, 202–203 US adequacy decision, 228 advertising, 103, 151, 180 African Union (AU), 31 airline passenger data. see Passenger Name Record (PNR) agreements Amazon (company), 241 American Convention on Human Rights (ACHR), 13 antitrust law, 80, 108, 111 applicable law, 66–67, see also prescriptive jurisdiction Article 29 Working Party on connections, 101 on data transfer agreements, 199 on DPOs, 50 on equipment, 77–78 on establishment, 102 on extraterritoriality, 247 on Google Spain case, 167–168, 179, 181 history of data protection law and, 23 on legal diffusion, 240 on limitation of fundamental rights, 113 on personality, 86–87

on PNR agreements, 125, 129, 139 on public international law, 15 on reasonableness, 228–229 on Safe Harbour agreements, 246–247 on targeting, 104 on territoriality, 160 on whom the law protects, 237 Asia-Pacific Economic Cooperation (APEC), 31, 89 Association of Southeast Asian Nations (ASEAN), 31 Australian data protection law, 6, 220 Austrian data protection law, 22 authoritarian regimes, 28, 220 autonomy, 83 Aviation and Transportation Security Act (ATSA), 124, 146 balancing of interests, 97, 109, 170–172, 227, 256, see also proportionality bilateral agreements and negotiations, 47, 118, 245, see also specific agreements, e.g. Passenger Name Records (PNR) agreements binding corporate rules, 193, 206 Bradford, Anu, 205, 239, 241–242 Brandeis, Louis D., 27 Brazilian data protection law, 220 browsers, 173 bulk information, collecting, 212–213 California Privacy Rights Act, 30 Canadian data protection law, 6, 220 Charter of Fundamental Rights of the European Union (EU Charter) adequacy requirement, 198

277

https://doi.org/10.1017/9781108784818.012 Published online by Cambridge University Press

278

Index

Charter of Fundamental Rights of the European Union (EU Charter) (cont.) data protection in, 13, 15, 19, 25–26, 53, 161, 236 expression, freedom of, 53, 157 legal value of, 38 limitation of fundamental rights, 51, 113 PNR agreements and, 137 privacy, 13, 19, 53, 161 promotion of rights, 48 respect, obligation to, 46–47 scope of, 34–35, 42, 51, 65–66, 179, 218 on whom the law protects, 236 Children’s Online Privacy Protection Act (COPPA), 30 Chinese data protection law, 258 Clarifying Lawful Overseas Use of Data Act (CLOUD Act), 223 cloud providers, 222 coercion, 245, 251 comity, 107–109, see also reasonableness Commission nationale de l’informatique et des libertés (CNIL), 168, 185, see also Google v CNIL connection threshold in general, 63, 96–101, 116 overview of findings, 255–256 data controllers and, 101–107 erasure, right to, 169, 174–175, 179–181, 186 establishment and, 103 PNR agreements and, 146 consent (for data collection/processing), 29 constitutions data protection in, 23, 120 fundamental rights, rooting of, 35 US Constitution, 27, 29, 31, 156–157 consumer protection law, 104 control standard, 35 controllers, data. see data controllers Convention 108, Council of Europe, 15, 20–22, 32, 52, 71–73, 195, 248, 261 cookies (data), 9, 78 cooperation, 25 corporations. see also economic component of data protection; specific corporations, e.g. Google binding corporate rules, 193, 206 Privacy Act of 1974 and, 211 privacy protection by, 190, 192–208, 211, 214, 226, 231, 240

standard contractual clauses, 193, 202–204, 206, 247 storing of personal data, 221–224 cosmopolitanism, 235 Council of Europe (CoE), 39, see also Convention 108, Council of Europe Council of the European Union, 105 counter-terrorism, 53–54, 118–123, 132 country code Top Level Domain (ccTLD), 165 country of destination principle, 79 country of origin principle, 75 Court of Justice of the European Union (CJEU) adequacy requirement, 197–198 cases Air Transport Association of America, 37 Digital Rights Ireland, 53, 134 Front Polisario, 35 Google Spain. see Google Spain case Google v CNIL, 152, 168–170 Kramer, 37 Weltimmo, 66, 86, 105 on data subjects’ rights, 175 DPD, focus on, 6 on establishment, 102 on extraterritoriality, 35, 101 on fundamental rights data protection as, 52, 55, 243 ECHR, Article 8, 23 EU Charter, 34–35 expression, right to freedom of, 53–54 extraterritoriality and, 35 privacy vs data protection, 19 on international human rights law, 38 on Internet, 9 norm diffusion, 249, 252 Opinion 1-15, 132–134, 146, 149 PNR agreements and, 120, 127, 132–135, 146 privacy, focus on, 183 protect, on obligation to, 49 on public international law, 37 reasonableness, 169–172 on surveillance, 213 on targeting, 105 on whom the law protects, 237 criminal law enforcement, 54 data access to, 144–145 collection of, 28–30, 40, 91, 212–213 localisation, 220–224, 241, 258–259

https://doi.org/10.1017/9781108784818.012 Published online by Cambridge University Press

Index personal. see personal data protection. see data protection retention of, 91, 128–129, 131, 133–134 transfer. see data transfer and transborder data flows data controllers. see also corporations; data processors connection and, 101–107 data processors vs, 67–68 definition, 17, 68 in DPD, 73, 77–78 equipment, 73, 77–79, 81, 100, 114 in GDPR, 43, 67–68, 74–75, 78 search engines as, 103, 150–152, 156, 180 territoriality, 43 data minimisation principle, 146 data privacy, 14, 18, see also data protection data processing. see also data controllers; data transfer and transborder data flows definition, 14, 40 EU Charter, scope of, 34 objective territoriality and, 76–77 selling advertising space as, 103, 151, 180 data processors data controllers vs, 67–68 definition, 17, 68 establishment and, 101–103 EU Charter, scope of, 65–66 in GDPR, 68, 74 data protection. see also data privacy; information privacy; privacy and privacy law in general, 1–3, 36–37 core principles of, 145–147, 230, 256 defining, 3, 14 DPAs, 8, 88, 171, 197–198, 202, 241 DPD. see Data Protection Directive (DPD) DPOs, 50 economic component of. see economic component of data protection EDPB, 8, 85, 101–102, 237, 248 enforcement, 49–51, 66, 214, 218, 228, 241 in EU Charter, 13, 15, 19, 25–26, 53, 161, 236 extraterritoriality. see extraterritoriality GDPR. see General Data Protection Regulation (GDPR) global standards for. see global standards for data protection history of, 20–24 increasing importance of, 51, 54, 122 in international human rights law, 24, 38–40

279

international instruments, 13, 32 limitations to. see limitations privacy vs, 18, 40 proportionality, 51, 55, 113, 122, 129, 146, 213 regulatory capacity of EU, 240 relevance of study, 11–12 in specific countries Australia, 6, 220 Austria, 22 Brazil, 220 Canada, 6, 220 China, 258 Greece, 88 Russia, 220, 258 US. see United States data protection law standards for, 239–242, 244, 248–249 whom the law protects, 236–238 data protection authorities (DPAs), 8, 88, 171, 197–198, 202, 241, see also enforcement Data Protection Directive (DPD). see also General Data Protection Regulation (GDPR) in general, 23 adequacy requirement, 197, 217, 225, 245 ATSA and, 124 data controllers, 73, 77–78 economic component of, 189, 239 erasure, right to, 159 PNR agreements and, 136 Privacy Shield and, 200 reciprocity, 194 scope of in general, 51 equipment, 73, 77–79, 81, 100 establishment, 102 extraterritoriality, 5–6, 59 fundamental rights and, 252, 260 Google Spain case, 151, 160–162 territory, 69, 73–74, 89 whom the law protects, 236, 238 Data Protection Officers (DPOs), 50 Data Retention Directive (DRD), 53, 134 data subjects. see also individuals; privacy consumers CJEU on rights of, 175 consent, 29 Convention 108 on, 72 definition, 17 focus on, 261 general public vs, 175

https://doi.org/10.1017/9781108784818.012 Published online by Cambridge University Press

280

Index

data subjects (cont.) international human rights law jurisdiction, 43 personal data of. see personal data rights of. see erasure, right to; expression; fundamental rights; rights violation of rights of, 142 whom the law protects, 236–238 data transfer agreements overview of findings, 256 corporations, effects on, 205–208 extraterritoriality of, 204 legal diffusion, 211–214, 231–232 norm diffusion, 244–249 obligations, 215, 218 Privacy Shield. see Privacy Shield protect, obligation to, 218 Safe Harbour framework. see Safe Harbour framework, US–EU surveillance, 190 US government’s reaction to, 208–210 data transfer and transborder data flows. see also adequacy requirement; personal data in general, 14–17 overview of findings, 257 adequacy requirement. see adequacy requirement Convention 108 on, 72 definition, 7 Lindqvist case, 70 localisation, data, 220–224, 241, 258–259 PNR agreements and, 128, 143–144, 147–149 Schrems II, 203 territoriality and, 90 delisting, 53, 150–151, 156, 159, 161, 167–169 derogations, 217 Digital Rights Ireland case, 53, 134 diplomatic missions, 79 domain names, 165–168, 177–178, 182 domicile, 86, see also residence Draft Convention on Jurisdiction with Respect to Crime, 96 Dropbox, 222 economic component of data protection. see also corporations ‘Brussels effect’, 205, 207, 214, 232 in DPD, 189, 239 history of, 20, 23 legal diffusion, 238–240

necessity, data protection as a, 16, 55 privacy and, 28–29, 191–192 Schrems case, influence of, 209 Schrems II case, influence of, 203–204 transborder data flows. see data transfer and transborder data flows US vs EU, 28–29, 189, 191–192 effective control, 35, 43–46, 48–51, 218 effects doctrine, 80, 178, 255 Electronic Communications Privacy Act (ECPA), 30 enforcement, 49–51, 66, 214, 218, 228, 241 ePrivacy Directive, 134 equipment, 73, 77–79, 81, 100, 114 erasure, right to in general, 152–154 overview of findings, 256 author’s recommendations on implementation of, 184–187 connection threshold, 169, 174–175, 179–181, 186 definition, 150 in DPD, 159 effects doctrine, 178 expression and, freedom of, 156 free flow of information and, 52, 155 in GDPR, 159, 180 global standard, 187–188 Google Spain case, 161 Google v CNIL, 169 implementation of, 165–172 norm diffusion, 249 personality and, 178–179 prescriptive jurisdiction, 151 procedure, 172–175 protect, obligation to, 176 reasonableness, 182–184 territoriality, 177–178, 184 in US, 158, 187 espionage, 91 essence (of fundamental right), 113 establishment, 76–77, 101–103, 152, 180 EU Charter. see Charter of Fundamental Rights of the European Union (EU Charter) European Commission (EC) adequacy requirement, 48, 193, 197–199 on data transfer agreements, 208 erasure, on right to, 179 on human rights obligations, 26 on legal diffusion, 240

https://doi.org/10.1017/9781108784818.012 Published online by Cambridge University Press

Index localisation, on data, 224 on norm diffusion, 248 PNR agreements and, 125, 135, 148 Privacy Shield. see Privacy Shield reasonableness, 228 on values, 245–246 on whom the law protects, 237 European Convention on Human Rights (ECHR) CJEU on, 23 on data protection, 18 on freedom of expression, 156 international human rights law and, 38–39 on limitation of fundamental rights, 51, 113 on privacy, 13, 15 ratification of, 260 European Court of Human Rights (ECtHR), 18, 38–39, 41, 162 European Data Protection Board (EDPB), 8, 85, 101–102, 237, 248 European Data Protection Supervisor (EDPS), 8 European Parliament, 122, 128–129 European Union (EU) ‘Brussels effect’, 205, 207, 214, 232 as commercial partner of US, 191 data protection as a value and right in, 24–27 as norm entrepreneur, 250–252 obligations. see obligations public international law norms, 36–37 setting global standards. see global standards for data protection EU–U.S. Data Privacy Framework, 211, 219, 231 expression, right to freedom of, 52–54, 151, 153–158, 162, 183, 220 extraterritoriality. see also territoriality in general, 2–9, 262 CJEU on, 35, 101 data transfer agreements, 204, 208 definition, 6, 14 DPD and, 5–6, 59 effects doctrine, 80 EU Charter and, 34–35, 42 fundamental rights and, 16, 24, 33–36 GDPR and, 262 Google Spain ruling, 163 human rights and, 40–51 jurisdiction and, 8, 49–51 limitations, 58–60, 92–93 obligations and, 47, 138–139, 218–219 of ‘pull’ method, 126

281 reasonableness, 227–231 relevance of study, 11–12

Facebook, 197, 206 Fair Credit Reporting Act, 30 Fair Information Practice Principles (FIPPs), 20–21 fascism, 28 Federal Trade Commission (FTC), 201, 209, 231 fines, administrative, 214, 241 Florida Star case, 158 Foreign Intelligence Surveillance Act (FISA), 213 Foreign Relations Law of the United States, 64, 81, 92, 108–110, 114–115, 169 foreign surveillance, 40, 44 forgotten, right to be, 150, 187, see also erasure, right to free flow of information, 52, 155–156, 166, 256 freedom of expression, 52–54, 151, 153–158, 162, 183, 220 Freedom of Information Act (FOIA), 144 freedom of opinion, 52, 183 FTC (Federal Trade Commission), 201, 209, 231 fulfil, obligation to, 49–51, 138, 176, 217–219, 255 fundamental rights. see also Charter of Fundamental Rights of the European Union; international human rights law in general, 2, 5, 7, 15–16 constitutional protection of data protection, 23, 120 definition, 35 in DPD, 252, 260 essence of, 113 extraterritoriality and, 16, 24, 33–36 future directions, potential, 260 GDPR and, 261 history of data protection as a fundamental right, 20, 23–24 lack of global standards, 31 limitations to. see limitations non-discrimination, 86 obligations. see obligations PNR agreements and, 132–139, 146 reasonableness, 229 relevance of study, 11–12 Schrems case, 213, 216, 218 values vs, 26–27, 251–252

https://doi.org/10.1017/9781108784818.012 Published online by Cambridge University Press

282

Index

General Data Protection Regulation (GDPR). see also Data Protection Directive (DPD) adequacy requirement, 75, 193–195, 217–218, 224 data controllers, 43, 67–68, 74–75, 78 data localisation, 220 data processors, 68, 74 data protection principles, 132 DPOs, 50 erasure, right to, 159, 180 EU Charter and, 34 fines, administrative, 214, 241 free flow of information, 52 influence of, on third States, 195 jurisdictional scope of, 8 monitoring of behaviour, 79, 81, 89, 91, 104, 107, 136, 261 offering of goods or services, 79, 89, 103–107, 180 personality, 85–90 public international law, 79 reasonableness, 228 relevance of, 12 right to be forgotten, 150 safeguards, 193, 217 scope of, 65–66, 89–90, 100, 153, 238, 252 targeting, 88, 103–107 territory and in general, 5–7, 259 effective control and, 43 effects doctrine, 81–82 establishment, 76–77 EU Charter and, 35 extraterritoriality, 262 fundamental rights, 261 Internet, 69 jurisdictional trigger, 69, 74–75 objective territoriality, 76–80 residence, 87 whom the law protects, 236 on trade, 239 values and rights in, 245 on whom the law protects, 237 geolocation technology, 165 global delisting CJEU on, 169 connection threshold, 181 effects doctrine, 178 obligations, 176

reasonableness, 170–172, 182 territoriality and, 177–178, 186 global standards for data protection. see also legal diffusion adequacy requirement leading to, 194–196, 244–246 ‘Brussels effect’, 205, 207, 214, 232 EC on, 240 erasure, right to, 187–188 lack of, 16, 31 norm entrepreneur, EU as, 250–252 PNR agreements and, 147–149 after Schrems, 207 global values, 235 Google, 172–175, 178 Google Spain case. see also delisting; global delisting; erasure, right to in general, 150–153 Article 29 Working Party on, 167–168, 179, 181 DPD and, 151, 160–162 erasure, right to, 161 establishment, concept of, 180 expression, right to freedom of, 53, 162 extraterritoriality, 163 free flow of information, 52 norm diffusion, 249 prescriptive jurisdiction, 153 privacy and, 164 protect, obligation to, 49, 176 reactions to, 165–166 residence, 87 territoriality, 160, 166–170, 259 Google v CNIL, 152, 168–170 Gramm-Leach-Bliley Act (GLBA), 30 Greek data protection law, 88 harmonisation networks, 147, 242 Health Insurance Portability and Accountability Act (HIPAA), 30 Homeland Security, Department of (DHS), 119, 126, 128, 143–146, 148 human dignity, 83 human rights. see Charter of Fundamental Rights of the European Union; fundamental rights; international human rights law individuality, 83 individuals, 83, 182–183, 200, 215, 236–238, see also data subjects

https://doi.org/10.1017/9781108784818.012 Published online by Cambridge University Press

Index information privacy, 14, 27–31, see also data protection information, right to freedom of, 52, 155–156, 166, 256 intelligence. see surveillance interests and interest-balancing, 97, 109, 170–172, 227, 256, see also proportionality International Committee of the Red Cross (ICRC), 243 International Court of Justice (ICJ), 61 International Covenant on Civil and Political Rights (ICCPR), 13, 41, 51, 154 international human rights law. see also Charter of Fundamental Rights of the European Union; European Convention on Human Rights (ECHR); fundamental rights in general, 15–16, 25 ACHR, 13 balancing of rights, 112–114 CJEU on, 38 control in, 44–46 data protection in, 24, 38–40 fundamental rights vs human rights, 35 jurisdiction under, 41–44 limitations to. see limitations obligations under. see obligations public international law vs, 41 TEU, 25–26, 36–38, 137, 252 UDHR, 13 International Law Commission (ILC), 108 Internet. see also delisting; global delisting overview of findings, 255–256 CJEU on, 9 domain names, 165–168, 177–178, 182 effects doctrine, 81 freedom of expression and, 155, 157 GDPR and, 69 global values, spreading of, 235 jurisdiction over, States’, 31 localisation, data, 220–224 standards, data protection, 241 territoriality, 68–82, 96, 100, 187 Tor (browser), 173 VPNs, 167, 173 Internet Protocol (IP) addresses, 165, 167, 173 Judicial Redress Act, 131, 210–211, 218 jurisdiction in general, 1–3, 14–17

283

overview of findings, 255 adjudicative, 160 effects doctrine, 80, 178, 255 extraterritoriality and, 8, 49–51 under international human rights law, 41–44 norm diffusion and, 235 objective territoriality, 76–80, 82, 160, 177–178, 184–185 obligations. see obligations over Internet, 31 overreach, jurisdictional, 95, 251–252 passive personality, 84, 88–90, 184, 225–226 permissive principles of, 64, 96–97, 219, 255 personality-based. see personality prescriptive. see prescriptive jurisdiction protective principle, 90–91, 255 under public international law, 41–43, 57–65 relevance of study, 11 second-tier principles in general, 96, 255 connection threshold. see connection threshold interests and interest-balancing, 97, 109, 170–172, 227, 256 reasonableness. see reasonableness subjective territoriality, 75–76, 142, 219, 224 territory-based. see territoriality unilateralism. see unilateralism universal, 91 jurisprudence, 6, 38 Kuner, Christopher, 81, 250–251 legal diffusion. see also adequacy requirement; global standards adequacy requirement, 76, 194, 244–245 ‘Brussels effect’, 205, 207, 214, 232 data transfer agreements, 211–214, 231–232 economic component of, 238–242 PNR agreements and, 149 legitimacy threshold, 10, 93, 99 LICRA v Yahoo!, 157 limitations ECHR on, 51, 113 EU Charter on, 51, 113 extraterritoriality, 58–60, 92–93 nationality, 86 necessity, 16, 55, 122, 129, 146 prescriptive jurisdiction, 92–93 proportionality, 51, 55, 113, 122, 129, 146, 213 purpose limitation, 129

https://doi.org/10.1017/9781108784818.012 Published online by Cambridge University Press

284

Index

limitations (cont.) Safe Harbour framework and, 198 Lindqvist decision, 9, 82 Lisbon Treaty, 15, 39, 129 localisation, data, 220–224, 241, 258–259 location. See territoriality Lotus case, 61–62, 93 Microsoft, 206, 221–224 Milanovic, Marko, 40, 44, 47 Ministers of the European Parliament (MEPs), 129 national security, 136, 211–213 National Security Agency (NSA) revelations, 39, 54, 91, 196, 212 nationalism, data, 220–224, 241, 258–259 nationality, 85, 105, 143, 172, 178, 225–226, see also residence necessity, 55, 122, 129, 146 9/11 terrorist attacks, 118, 124 Non-Governmental Organisations (NGOs), 200 non-interference threshold, 98 norm diffusion, 239, 242–244, 247–249, 252, 257 obligations in general, 25, 33, 35–36, 46–51, 116 overview of findings, 255 absence of, 97 broad interpretation of, 101 CJEU on, 49 data transfer agreements, 215, 218 EC on, 26 erasure, right to, 176 EU Charter on, 46–47 extraterritoriality and, 47, 138–139, 218–219 to fulfil, 49–51, 138, 176, 217–219, 255 international human rights law and, 38, 44, 46–51, 138–139 PNR agreements and, 138–139 to protect, 48–49, 138–142, 146, 176, 217–219, 255 to respect, 47–48, 138, 176, 216–217, 255 unilateralism and, 16, 25 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 20–22, 32 ombudsperson (Privacy Shield), 201, 210, 219 opinion, right to freedom of, 52, 183 Oracle (company), 221–222

Passenger Name Record (PNR) agreements in general, 118–122 2004 Agreement, 124–127, 137 2006 annulment, 127 2007 Agreement, 128–129, 137, 140 2011 Agreement, 129–132, 140, 143 adequacy requirement, 126–127 Article 29 Working Party on, 125, 129, 139 Australia–EU, 137 author’s recommendations, 145–147 Canada–EU, 133, 146 CJEU and, 120, 127, 132–135, 146 data transfer and, 128, 147–149 data types, 119, 128, 146 Department of Homeland Security, 119, 126, 128, 143–146, 148 DPD and, 136 EC on, 125, 135, 148 EU Charter on, 137 fundamental rights and, 132–135, 137–139, 146 global standards for data protection, 147–149 harmonisation of data transfers, 147–149 intra-EU Agreement, 121, 140 legal bases for, 137 obligations, 138–139 personality, 142–145 prescriptive jurisdiction, 119 privacy, approaches to, 122–123 ‘push’ and ‘pull’ methods, 126–128 redress, 129–131, 139, 144–145 Resolution on, US Senate, 130 safeguards, 128, 141, 143 scope of, broad, 140–142, 144 security interests, 54, 122–123, 131–132, 146–147 territoriality, 139–142, 145, 259 TFEU Article 16 and, 129 Permanent Court of Arbitration (PCA), 60 Permanent Court of International Justice (PCIJ), 61–62 permissive principles, 64, 96–97, 219, 255 personal data. see also adequacy requirement; data; data transfer and transborder data flows in general, 1–3 control over, 44–46 definition, 14 as individual right, 215 individuality/personality and, 83 Lindqvist case, 70

https://doi.org/10.1017/9781108784818.012 Published online by Cambridge University Press

Index PNR data transfers, 143–144 PNR data types, 119, 128, 146 storing of, 221–224 telecommunications data, 134 personality in general, 82–90 overview of findings, 255–256 active personality, 84 erasure, right to, 178–179 in GDPR, 85–90 individuality and, 83 nationality, 85, 106, 143, 172, 178, 225–226 passive personality, 84, 88–90, 184, 225–226 PNR agreements and, 142–145 Privacy Shield, 225–226 residence, 85, 184, 225–226 territoriality, 89–90 piracy, 91 PNR agreements. see Passenger Name Record (PNR) agreements police cooperation, 138 prescriptive jurisdiction. see also legal diffusion in general, 33 applicable law and, 66–67, 143 connection and, 63 erasure, right to, 151 in Google Spain, 153 legal diffusion of DPD and GDPR texts, 76 limitations, 92–93 over PNR agreements, 119 public international law and, 60, 92–93, 219–227 Presidential Policy Directive (PPD-28) Signals Intelligence Activities, 212–213 privacy and privacy law. see also data protection in general, 2–4 CJEU on, 183 corporations protecting privacy, 190, 192–208, 211, 214, 226, 231, 240 data protection vs, 18–20, 40 defining, 3, 13–14 in ECHR, 13, 15 economic component of data protection and, 28–29, 191–192 Electronic Communications Privacy Act (ECPA), 30 in EU Charter, 13, 19, 53, 161 extraterritorial application of human rights treaties and, 40 FTC on, 209

285

Google Spain case and, 164 information privacy, 14, 27–31 in PNR agreements, 122–123 Privacy Act of 1974, 28, 131, 210 security vs, 122–123 UN on, 39 in US, 27–31, 121–123, 187, 205–208 privacy consumers, 27, 29, see also data subjects Privacy Shield in general, 190, 199–202 corporations, effect on, 207 DPD and, 200 EDPB on, 237 individuals, focus on, 215, 227 Judicial Redress Act, 131, 210–211, 218 legal diffusion, 210–211 ombudsperson, 201, 210, 219 personality, 225–226 reasonableness, 227, 229–230 redress, 201, 216, 218 Safe Harbour framework and, 200–201 Schrems II case, 202–204 surveillance, 212–214 US government’s reaction to, 208, 212–214 private international law, 86 processors, data. see data processors proportionality, 51, 55, 113, 122, 129, 146, 213 protect, obligation to, 48–49, 138–142, 146, 176, 217–219, 255 public international law. see also international human rights law in general, 14–17, 36–37 CJEU on, 37 cosmopolitanism, 234 GDPR, 79 interest-balancing, 227 international human rights law vs, 41 jurisdiction, 41–43, 57–65 lawfulness under, 61 prescriptive jurisdiction and, 60, 92–93, 219–227 purpose limitation, 129 reasonableness in general, 96, 107–110, 114–115 overview of findings, 255–256 data transfer agreements, 228–231 global delisting, 170–172, 182 PNR agreements, 146 reciprocity, 194

https://doi.org/10.1017/9781108784818.012 Published online by Cambridge University Press

286

Index

redress EU–U.S. Data Privacy Framework, 211, 219, 231 Judicial Redress Act, 131, 210–211, 218 PNR agreements, 129–131, 139, 144–145 Privacy Shield, 201, 216, 218 Traveller Redress Inquiry Program (TRIP), 144 residence, 85, 184, 225–226, see also nationality Resolution, US Senate, 130 respect, obligation to, 47–48, 138, 176, 216–217, 255 rights balancing of, 170, 183 erasure, right to. see erasure, right to expression, right to freedom of. see expression, right to freedom of forgotten, right to be, 150, 187 fundamental. see fundamental rights information, right to freedom of, 52, 155–156, 166, 256 limitations to. see limitations opinion, right to freedom of, 52, 183 privacy. see privacy and privacy law States’. see State sovereignty; territoriality values vs, 25–26 violation of, 142 rule of reason. see reasonableness Safe Harbour framework, US–EU in general, 190, 196 enforcement, 228, 231 limitations, 198 Privacy Shield and, 200–201 Schrems case, 197–199, 206, 208 values, 246–247 safeguards. see also Privacy Shield; Safe Harbour framework, EU–US binding corporate rules, 193, 206 GDPR on, 193, 217 PNR agreements, 128, 141, 143 standard contractual clauses, 193, 202–204, 206, 247 Schrems case in general, 190, 197–199 adequacy requirement, 191, 197, 227, 244 data localisation, 220 data transfer and transborder data flows, 197 economic component of data protection, 209 effective control and, 218

failure of law diffusion, 212 fundamental rights, 216, 218 global standards for data protection, 207 Safe Harbour framework, US-EU, 197–199, 206, 208 surveillance, 197 Schrems II case adequacy requirement, 202–203 data transfer and transborder data flows, 203 economic component of data protection, 203–204 failure of law diffusion, 211, 213 government’s reaction to, 208–210 Privacy Shield, 202–204 standard contractual clauses, 202–203, 228 surveillance, 202–203, 231 Scott, Joanne, 239 search engines, 53, 103, 150–152, 156, 180, see also delisting; global delisting; Google; Google Spain case; Google v CNIL security interests. see also surveillance in general, 54 ATSA, 124, 146 core data protection principles, 256 counter-terrorism, 53–54, 118–123, 132 in EU, 121 national security, 136, 211–213 PNR agreements, 54, 122–123, 131–132, 147 privacy vs, 122–123 protective principle, 90 self-determination, 83 sensitive data, 133 Snowden, Edward, 39, 54, 91, 196, 212 spatial model of jurisdiction, 43–44 standard contractual clauses, 193, 202–204, 206, 247 State sovereignty, 1, 58, 61, 97–98, 139, 178, 219, 234, 255 States. see adequacy requirement; specific States, e.g. United States Stored Communications Act (SCA), 223 surveillance. see also security interests CJEU on, 213 data localisation and, 222 data transfer agreements, 190 foreign surveillance, 40, 44 Privacy Shield, 212–214 Schrems case, 197 Schrems II case, 202–203, 231 Snowden revelations, 39, 54, 91, 196, 212 trade and, 189–190, 192

https://doi.org/10.1017/9781108784818.012 Published online by Cambridge University Press

Index US vs EU, 121, 189–190, 192 Svantesson, Dan Jerker B. on effects doctrine, 81 on extraterritoriality, 93 on implementation of right to erasure, 165–166 on interest-balancing, 110 on passive personality, 89 on second-tier principles, 96 on targeting, 88, 106 on territoriality, 82 targeting, 88, 104–107, 161, 178, 257 technology, 1, 12, 241 territorial model of jurisdiction, 43–44 territoriality, 58, see also data localisation; effects doctrine; extraterritoriality overview of findings, 255–256 data controllers, 43 data localisation, 220–224, 241, 258–259 data transfer and, 90 definition, 14, 70 erasure, right to, 177–178, 184 establishment and, 102 future directions, potential, 258–260 Google Spain case, 160, 166–170, 259 Google v CNIL case, 169–172 Internet, 68–82, 96, 100, 187 jurisdiction and, 71–73 norm diffusion and, 249 objective territoriality, 76–80, 82, 160, 177–178, 184–185 personality and, 89–90 PNR agreements and, 139–142, 145, 259 subjective territoriality, 75–76, 142, 219, 224 targeting, 88, 104–107, 161, 178, 257 terrorism. see also security interests; surveillance counter-terrorism, 53–54, 118–123, 132 September 11 terrorist attacks, 118, 124 Terrorist Finance Tracking Programme (TFTP), 118 TEU (Treaty on European Union), 25–26, 36–38, 137, 252 TFEU (Treaty on the Functioning of the European Union), 14, 129, 133, 137, 170 third States. see adequacy requirement; specific third States, e.g. United States tort law, 164 transborder data flows. see data transfer and transborder data flows

287

Traveller Redress Inquiry Program (TRIP), 144 Treaty on European Union (TEU), 25–26, 36–38, 137, 252 Treaty on the Functioning of the European Union (TFEU), 14, 129, 133, 137, 170 Twitter, 221 unilateralism in general, 16, 36 data transfer agreements, 211, 231, 244 norm diffusion and, 239–240, 242, 252–253 PNR agreements, 132 territoriality and, 249 in TEU, 25 United Nations (UN), 39 United States as commercial partner of EU, 191–192 Constitution, 27, 29, 31, 156–157 Department of Commerce, 201, 203, 209, 229 Department of Homeland Security, 119, 126, 128, 143–146, 148 Department of Justice, 223 Department of State, 201 Department of Transportation, 201 FTC, 201, 209, 231 Supreme Court, 27, 158 values, 246–247 United States data protection law. see also Privacy Shield; Safe Harbour framework, EU–US in general, 2–4 adequacy decision, 228 antitrust law, 80, 108, 111 counter-terrorism, 54, 118–123, 132 erasure, right to, 158, 187 EU data protection law vs in general, 188 counter-terrorism, 118 economic component of data protection, 28–29, 189, 191–192 extraterritoriality, 6, 58, 165–166 historical factors for clashes, 28–31 PNR agreements, 125–127, 130–133 surveillance, 121, 189–190, 192 expression, freedom of, 157 Foreign Relations Law, 64, 81, 92, 108–110, 114–115, 169 information privacy, 14, 27–31 privacy, 27–31, 121–123, 187, 205–208 regulation, 29

https://doi.org/10.1017/9781108784818.012 Published online by Cambridge University Press

288 United States data protection law (cont.) Schrems II case, 202 Snowden revelations, 39, 54, 91, 196, 212 Universal Declaration of Human Rights (UDHR), 13 USA Freedom Act, 212 values, 24–26, 245–247, 251–252

Index virtual control, 45–46, 139, 218 Virtual Private Networks (VPNs), 167, 173 Warren, Samuel D., 27 Weltimmo case, 66, 86, 105 WhatsApp, 241 Working Party on Police and Justice, 240

https://doi.org/10.1017/9781108784818.012 Published online by Cambridge University Press