Abstract
Jurisdiction under public international law, that is, a State’s authority to make, apply or enforce law, has long been rooted in the Westphalian notion of a State having sovereign authority within its own physical territorial boundaries. The current socio-technological landscape has changed how the EU and third States exercise jurisdiction.
... read more
Companies, governmental authorities and individuals are dealing with ever more digitised personal data, and it is increasingly important to ensure this vast amount of data is protected. The EU, compared to most non-EU States, strongly advocates the importance of protecting personal data. Personal data is any information relating to an identified or identifiable natural person. EU data protection law is often considered the strictest, and is certainly the most influential, in the world. As the EU wants to ensure its data subjects’ personal data is afforded the same, notably high level of EU-standard protection when controlled, processed or transferred outside the Union, it is extending the territorial reach of its law in the field of data protection. There is an extraterritorial character to EU data protection law that could throw into question traditional notions of public international law jurisdiction rooted in State authority over physical territory. The research looks at tensions between EU and US actors when EU authorities exercise extraterritorial prescriptive jurisdiction and thus have a potentially unwarranted influence on US law and conduct. The research examines three case studies where the values and interests at stake conflict and suggests ways to mitigate these conflicts. It uses an assessment framework that combines international human rights law obligations and public international law limitations to discern how far the EU's exercise of jurisdiction may reach extraterritorially. The EU has certain positive and negative obligations of conduct and result to respect, protect and fulfil its data subjects’ fundamental right to data protection beyond its territory. Specific forms of jurisdiction, based on where an act is initiated or culminated (subjective and objective territoriality) or the nationality of a victim (passive personality), may justify this extraterritorial reach. Certain mitigating factors, such as interest-balancing and reasonableness, act as an extra tier to consider when assessing the EU’s jurisdictional claims. The research fits the EU’s actions vis-à-vis the US into this framework in three different fields, namely data protection in relation to security, freedom of expression and international trade. Firstly, when considering transatlantic agreements that aim to protect personal data and preserve security and counter-terrorism interests, the EU ought to consider the US’ security interests, and those of the international community, in pushing for only the core EU data protection principles to filter into a data transfer agreement with the US. Secondly, when considering the right to have certain personal data removed from search engine results (the right to erasure as a data protection concern legally protected in the EU) in tension with the free flow of information (as a freedom of expression concern prioritised in the US), it should be realised in such a way that EU data subjects may enjoy this right everywhere in the EU, but not that everyone on the global internet could see redacted results. Thirdly, A third State’s data protection legal order must be essentially equivalent to the EU’s for that State to receive personal data from the Union, necessitating the near-direct application of EU law abroad. In terms of transatlantic data flows for commercial purposes, parts of EU data protection law should apply extraterritorially to safeguard the right to data protection and enable transatlantic trade. Through the aforementioned case studies, the EU has mostly been successful at spreading a high-level, global data protection standard. Its role in doing this was originally focused on protecting its own citizens, but has evolved to become consequentially normative. General trends in public international law show an enduring yet evolving concept of territoriality and the foregrounding of fundamental rights protection. If the extraterritorial reach of the EU’s jurisdiction were strong enough to avoid or counter resistance, this would ultimately lead to fewer conflicts in jurisdiction as global standards would converge and, even in the EU-US data protection law interface, commonalities and shared approaches to rights protection would emerge.
show less