Work on the EU’s proposed new data privacy Regulation continues, and a wide extraterritorial reach remains a key feature of the Regulation. In a recent European Commission Memo titled Data Protection Day 2014: Full Speed on EU Data Protection Reform of 27 January 2014, it was noted that one of the key benefits for businesses was the creation of a ‘level playing field’:
“The same rules for all companies – regardless of their establishment: Today European companies have to adhere to stricter standards than companies established outside the EU but also doing business on our Single Market. With the reform, companies based outside of Europe will have to apply the same rules. We are creating a level-playing field.” (p.4)
This is significant, not least when combined with another of the Regulation’s articulated ‘main innovations’:
“European regulators will be equipped with strong enforcement powers: data protection authorities will be able to fine companies who do not comply with EU rules with up to 2% of their global annual turnover. The European Parliament has even proposed to raise the possible sanctions to 5%. Privacy-friendly European companies will have a competitive advantage on a global scale at a time when the issue is becoming increasingly sensitive.” (p.4)
In two previous blog posts, I have pointed to serious concerns with the current proposal (The territorial scope of the proposed EU Data Protection Regulation) and a potential improvement of how it delineates its extraterritorial scope (Re-thinking extraterritoriality in data privacy law). Here I will seek to assess what international law says about the legitimacy of the approach taken by the EU. Is it possible to either justify or object to the EU approach to extraterritoriality by reference to international law?
Under International Conventions
There are no treaties directly regulating jurisdictional claims in the data privacy context. However, a close study of the world’s, at least in theory, most significant human rights treaty, the International Covenant on Civil and Political Rights (ICCPR), shows that it arguably makes extraterritorial jurisdictional claims mandatory in the data privacy arena.
Importantly, Article 2(1) of the ICCPR states that:
“Each State Party to the present Covenant undertakes to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in the present Covenant, without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.”
If material originating in state A negatively affects the privacy of a person in state B, state B is arguably failing to provide “an effective remedy against those responsible” (ICCPR General Comment 16) to the affected individual “within its territory and subject to its jurisdiction” unless its laws provide for jurisdictional and legislative claims over the offender in state A.
It can, of course, be said that even such a jurisdictional claim does not in itself provide “an effective remedy against those responsible” unless it can also be enforced. However, state B in our example can perhaps not be required to do more than what is in its power to do.
In light of the above, it is possible to suggest that the ICCPR is an example of an international convention that supports wide extraterritorial claims in the context of data privacy law.
Under International Custom
The 1935 Harvard Research Draft Convention on Jurisdiction with Respect to Crime (hereinafter, the Harvard Draft) is a natural point of departure for any discussion of jurisdiction under customary international law. Despite being dated, and despite being focused on jurisdiction with respect to crime, virtually every single text on public international law relies upon the grounds for jurisdiction canvassed in the Harvard Draft (with the addition of the so-called ‘effects doctrine’).
So how do the traditional grounds for jurisdiction under customary international law impact the assessment of the extraterritorial claims of jurisdiction that the EU makes through its data privacy law? One thing is clear: in the context of typical data privacy infringements, four of the seven traditional principles for jurisdiction can be ignored. We need not busy ourselves with the subjective territoriality principle, the nationality principle, the protective principle, or the universal principle.
Article 4 of the current EU Data Protection Directive – in its focus on the geographical location of relevant equipment – could be argued to relate to the objective territoriality principle. That is because, as Kuner points out, this ground for jurisdiction “is at least partly based on the performance of an act (the use of equipment) occurring within the EU.” (Christopher Kuner, Data Protection Law and International Jurisdiction on the Internet (Part 1), 18 Int’l. J. L. & Inf. Tech. 176, 190-191 (2010), at 188).
Article 3 of the proposed EU Data Protection Regulation – in placing focus, for example, on the behavioural monitoring of EU residents – seems likely to fall within the passive personality principle, or at least a permutation of it, even though its focus is on the residency of the data subject rather than on the data subject’s citizenship.
Further, both types of extraterritorial claims seem to fall squarely within the effects doctrine. Regardless of the methods used to connect foreign conduct with the jurisdiction where the data privacy law has been enacted (such as focusing on the use of equipment situated on the territory or on the behavioural monitoring of EU residents), one can argue that the conduct has an effect within the jurisdiction. Thus, both the approach taken in Article 4 of the current EU Data Protection Directive and the approach taken in Article 3 of the proposed EU Data Protection Regulation seem to fall within the effects doctrine.
Thus, one can conclude that customary international law is closer to supporting the EU approach to extraterritoriality than it is to prohibiting it.
Under General Principles of Law Recognized by Civilized Nations
Our search for relevant so-called “general principles of law recognized by civilized nations” may be focused in a variety of manners. Here, I will restrict myself to considering whether the EU’s approach to extraterritoriality in data privacy law can be seen as a general principle of law recognized by civilized nations.
There are now more than 100 countries with data privacy laws. Many of those laws, such as the laws of Australia, Singapore, the Philippines, Cape Verde, Malaysia, India and indeed the US, have an extraterritorial reach more or less similar to that of EU law. However, examples may also be found of data privacy laws that currently make no extraterritorial claims (see e.g. Israel and Japan). Given this, the conclusion must be that the EU’s approach to extraterritoriality in data privacy law cannot be seen as a general principle of law recognized by civilized nations. However, with an increasing number of countries implementing or revising data privacy laws, we may have reason to revisit this issue in the not too distant future.
The above signals that international law is closer to justifying, than it is to objecting to, the EU’s approach to extraterritoriality in data privacy law. This is significant. However, it does not necessarily mean that the EU approach is to be endorsed.
It remains my view that the current EU Directive’s approach to extraterritoriality is dysfunctional in its unnecessary complexity and that the proposed EU Regulation needs to be refined, and should ideally adopt the ‘layered approach’ I have proposed elsewhere.
For more about the extraterritoriality issues in data privacy law raised here, see e.g.: Dan Svantesson, The Extraterritoriality of EU Data Privacy Law – Its Theoretical Justification and Its Practical Effect on U.S. Businesses, 50(1) Stanford Journal of International Law (2014).