The Challenges Faced by the Extraterritorial Scope of the General Data Protection Regulation
Authors
Adèle Azzi
Keywords:
Data protection, GDPR, compliance, enforcement, extraterritorial scope, international cooperation, international law, overseas data processing
Abstract
The General Data Protection Regulation (GDPR) imposes a significant burden of compliance on overseas businesses which process personal data of EU individuals. An impressive number of articles warn about the new risks incurred by data processors around the world, be they one of the Internet giants or a non-EU company which dared to offer goods to EU consumers or had the idea of using cookies on its website to track EU consumers. However, does the EU actually have the necessary means to ensure that the rules are followed by all? And if not, is the EU equipped to enforce compliance? Those are legitimate questions in the light of the context in which the EU has extended its jurisdiction. Not only has it been decided unilaterally, but such rules are to be enforced in cyberspace, in an international context, and on operators which may not have any physical presence in the EU. One may think that processors have no reason to panic: there is little chance that the GDPR enforcers will find them and force them to comply under the threat of fines. Yet internet users witness an undeniable wave of change in the terms of the use and processing of data on a majority of websites. Does this phenomenon reveal a real power of enforcement on the EU side? This work attempts to answer this question by analysing two factors which greatly impact the efficiency of extraterritorial claims. First, the legitimacy of the extraterritorial claim. Through the application of international law principles, it will be seen that the extraterritorial claim of the EU, despite its broadness, is rather legitimate and even part of a shared tendency among jurisdictions around the world to extend the reach of data protection laws. Second, the enforcement tools of the regulation. This work reveals that the EU may benefit from some direct enforcement tools such as representatives and international cooperation, but also, and more importantly, from indirect means. In particular, the EU may rely on the risk of reputational damage, the incentives to self-compliance, and the rules on data transfers to third countries.