6.4 Extraterritorial implication of the DPD and the GDPR

6.5.2 Motivation behind the rules

It seems likely that the motivation behind the rules in the DPD and the GDPR is the protection of the data subjects in the EU/EEA. The EU has enacted the most ambitious data privacy laws in the field, which means that any transfer of personal data to third countries represents a risk to the data subjects. By limiting the possibility to transfer personal data, the EU ensures that the data subjects are afforded protection outside their own territory. The status of data protection law as a fundamental right can be a justification for the protection of data subjects outside the EU/EEA.

Technological developments, like the internet, have simplified the transfer of personal data, regardless of state borders. Business being conducted on the internet almost invariably involves the transfer of personal data. The economic importance of the flow of personal data to third countries is recognized in recital 56 of the DPD and recital 101 of the GDPR. Despite the financial gains, the drafters favour the protection of data subjects. When technology allows for personal data to be effortlessly transferred across state borders, the limitations on transferral seem more easily justified.

7 Concluding remarks

This master thesis has shown that the DPD and the GDPR can be applicable outside the territory of the EU/EEA. Neither instrument acknowledges its extraterritorial application explicitly, but the GDPR uses terminology that is more overtly extraterritorial. This exemplifies the controversial nature of extraterritoriality. Attempts have been made to designate principles that have undisputable extraterritorial effects as extensions of the territorial principle. I find these arguments unconvincing. Courts and authors of law have more recently accepted the existence, and in some cases encouraged the use, of extraterritorial jurisdiction. By covering the extraterritorial scope of the GDPR in a veil of territoriality, third country controllers and processors have a needlessly challenging task trying to predict their legal standing.

Both the DPD and GDPR have a broad scope, with some additions in the GDPR, e.g. genetic identifiers, serving to increase its scope slightly. The extraterritorial application of the instruments means that a vast number of different industries and actors that come into contact with European personal data are caught by the instruments. The scope of the GDPR is also increased through the addition of processors as subjects that can be caught by its data protection rules. This addition discourages circumvention of its rules by controllers who outsource their processing operation.

The DPD has been plagued with diverging implementation of its rules in the member states. This has compromised third country controllers' ability to predict their legal standing, as knowledge about a multitude of deviating laws is required. Further complication arises for controllers who have multiple establishments in different member states, as each establishment needs to comply with the legislation of its location. Being a regulation, the GDPR leaves little room for divergence in its implementation. Consequently, third country controllers and processors only need to contend with one set of rules.

Both the DPD and the GDPR utilize the two-stage examination. The connecting factor of an establishment rejects the country of origin principle, which is the basis for the extraterritorial application of the instruments. The interpretations made in the Weltimmo case have resulted in an understanding of what is considered an establishment in the context of the DPD that is not strict. I have proposed a further weakening of the connecting factor by rejecting a requirement of human presence in the DPD. This argument will solve situations in the GDPR where the use of equipment is not covered by any of the alternatives under the targeting approach.

The GDPR differs from the DPD by making the geographical location of the processing operation irrelevant. This addition stems from the Google Spain case which concerned the DPD, but the judgement fell late in the instrument’s lifespan and will presumably have a bigger impact by being codified in the GDPR. By implementing this clarification directly into the text of the GDPR, third country controllers and processors can assess their legal standing without having to consult case law or the opinions of advisory entities that are less accessible.

The GDPR has abandoned equipment as a connecting factor and substituted it with the targeting approach. The GDPR is applicable to controllers and processors who offer goods and services in the union or monitor the behaviour of data subjects in the union. The extraterritorial ramifications of this change are massive, considering the amount of business being conducted over the internet. The change in connecting factors is indicative of a new reliance on the effects principle to justify extraterritorial application of European data protection law.

The data protection rules of the instruments are also affecting countries outside the EU/EEA through limitations on the transfer of personal data to third countries with an inadequate protection level. The rules in the GDPR are a more elaborate continuation of the rules in the DPD, with some new additions. This continuation means that the European data protection law continues to influence third countries without the EU having to engage in extraterritorial jurisdiction. This backdoor into extraterritoriality may become more popular in data protection law and other fields of law, if extraterritorial jurisdiction remains controversial and disputed.

The changes in the extraterritorial application from the DPD to the GDPR are characterized by the weakening of the connecting factors. The irrelevance of the geographical location of the processing operation and the applicability of the GDPR to controllers and processors, despite having no physical presence in the EU/EEA, are examples of this weakening. This has made it easier for controllers and processors to be caught by the data protection rules of the GDPR. Consequently, the extraterritorial scope of the European data protection law has increased. To which degree these changes will affect third country controllers and processors in practice remains to be seen, but businesses that conduct their business over the internet appear to be the ones most heavily affected.

The motivation behind these changes seems to be rooted in a desire to protect the data subjects against the technological developments that have facilitated an explosion in the processing of personal data. In order to increase the extraterritorial scope of data protection law, the Commission, the CJEU and the WP all justify their opinions and interpretations by arguing that data protection is part of the fundamental rights and freedoms of natural persons. The protective motivation is commendable, but it raises the question of where to draw the line for extraterritorial jurisdiction. I believe that the EU will continue to expand the scope of its data protection laws in response to technological innovations that facilitate data processing, and other threats towards personal data. In doing so, the EU will remain the leading provider of data protection law and principles for other states to imitate or adopt.

Bibliography

Literature:

Bygrave, (2014) Bygrave, Lee Andrew. Data Privacy Law: An International Perspective, first edition, Oxford: Oxford University Press, 2014.

Curia, (2017) Curia. Presentation. (2017),

https://curia.europa.eu/jcms/jcms/Jo2_7024/en/ [cited 24.11.2017].

Facebook business, (2017)

Facebook business. Velge publikum. (2017),

https://www.facebook.com/business/products/ads/ad-targeting [cited 24.11.2017].

Heisenberg, (2005)

Heisenberg, Dorothee. Negotiating Privacy: The European Union, the United States, and Personal Data Protection. Boulder and London: Lynne Rienner Publishers, Inc., 2005.

Korff, (2002) Korff, Douwe. “EC Study on Implementation of Data Protection Directive 95/46/EC”, (2002), p. 1 – 252.

https://ssrn.com/abstract=1287667 [cited 24.11.2017].

Lowe, (2010) Lowe, Vaughan, Christopher Staker. “jurisdiction” in International Law, Malcolm D. Evans (edited), third edition, Oxford: Oxford University Press, 2010, p. 313 – 339.

Moerel, (2011a) Moerel, Lokke. “Back to basics: when does EU data protection law apply?”, International Data Privacy Law, Volume 1, Issue 2 (2011), p. 92 – 110.

https://doi.org/10.1093/idpl/ipq009 [cited 24.11.2017].

Moerel, (2011b) Moerel, Lokke. “The long arm of EU data protection law: Does the Data Protection Directive apply to processing of personal data of EU citizens by websites world-wide?”, International Data Privacy Law, Volume 1, Issue 1, (2011), p. 28 – 46.

https://doi.org/10.1093/idpl/ipq004 [cited 24.11.2017].

Ryngaert, (2008)

Ryngaert, Cedric. Jurisdiction in International Law, Oxford: Oxford University Press, 2008.

Scott, (2013) Scott, Joanne. “Extraterritoriality and Territorial Extension in EU Law” (2013), American Journal of Comparative Law, volume 62, No. 1 (2014), p. 87 – 126.

https://ssrn.com/abstract=2276433 [cited 24.11.2017].

Statista, (2017a) Statista. Number of monthly active Facebook users worldwide as of 2nd quarter 2017 (in millions). (2017),

https://www.statista.com/statistics/264810/number-of-monthly-active-facebook-users-worldwide/ [cited 24.11.2017].

Statista, (2017b) Statista. Google’s revenue worldwide from 2002 to 2016 (in billion U.S. dollars). (2017),

https://www.statista.com/statistics/266206/googles-annual-global-revenue/ [cited 24.11.2017].

Svantesson, (2015)

Svantesson, Dan Jerker B. “Extraterritoriality and targeting in EU data privacy law: the weak spot undermining the regulation”, International Data Privacy Law, Volume 5, Issue 4 (2015), p. 226 – 234.

https://doi.org/10.1093/idpl/ipv024 [cited 24.11.2017].

The American Law Institute

The American Law Institute. Restatement of the law, third: the foreign relations law of the United States, Volume 1: §§ 1 – 488. St. Paul, Minnesota: American Law Institute Publishers, 1987.

The European Union (2017)

The European Union. Regulations, Directives and other acts. (2017), https://europa.eu/european-union/eu-law/legal-acts_en [cited 24.11.2017].

Zerk, (2010) Zerk, Jennifer A. “Extraterritorial Jurisdiction: Lessons for the Business and Human Rights Sphere from Six Regulatory Areas”, Corporate Social Responsibility Initiative Working Paper No. 59 (2010), p. 1 – 222.

https://sites.hks.harvard.edu/m-rcbg/CSRI/publications/workingpaper_59_zerk.pdf [cited 24.11.2017].

Laws, opinions, reports, proposals and decisions:

COM(90) 314 final – SYN 287

Commission of the European Communities. COM(90) 314 final - SYN 287, Proposal for a Council Directive concerning the protection of individuals in relation to the processing of personal data, 1990.

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314&from=EN [cited 24.11.2017].

COM(92) 422 final - SYN 287

Commission of the European Communities. COM(92) 422 final - SYN 287, Amended Proposal for a council Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1992.

Commission of the European Communities. COM(92) 422 final - SYN 287, Amended Proposal for a council Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Explanatory memorandum, 1992.

http://aei.pitt.edu/10375/1/10375.pdf [cited 24.11.2017].

COM(2003) 265 final

Commission of the European Communities. COM(2003) 265 final, First report on the implementation of the Data Protection Directive (95/46/EC), 2003.

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2003:0265:FIN:EN:PDF [cited 24.11.2017].

COM(2012) 11 final

European Commission. COM(2012) 11 final, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), 2012.

http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf [cited 24.11.2017].

Commission Decision 2000/520/EC

Commission of the European Communities. Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, 2000.

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32000D0520&from=en [cited 24.11.2017].

DPD Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [Data Protection Directive].

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&from=en [cited 24.11.2017].

E-commerce Directive

Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce) [E-commerce Directive].

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32000L0031&from=EN [cited 24.11.2017].

ECHR European Convention on Human Rights, (1950), [ECHR].

http://www.echr.coe.int/Documents/Convention_ENG.pdf [cited 24.11.2017].

GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [General Data Protection Regulation].

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=en [cited 24.11.2017].

International Bar Association, (2009)

International Bar Association. Report of the Task Force on Extraterritorial Jurisdiction, (2009), p. 1 – 348.

https://www.ibanet.org/Publications/publications_IBA_guides_and_free_materials.aspx (under “IBA Legal Practice Division Task Force on Extraterritorial Jurisdiction”) [cited 24.11.2017].

Opinion of Advocate General Cruz Villalón

Opinion of Advocate General Cruz Villalón on C-230/14, Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, ECLI:EU:C:2015:426.

http://curia.europa.eu/juris/document/document.jsf?text=&docid=165232&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=582372 [cited 24.11.2017].

Opinion of Advocate General Jääskinen

Opinion of Advocate General Jääskinen on C-131/12, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, ECLI:EU:C:2013:424.

http://curia.europa.eu/juris/document/document.jsf?text=&docid=138782&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=759356 [cited 24.11.2017].

WP 12 Working Party on the Protection of Individuals with regard to the Processing of Personal Data. Working Document, Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive [WP 12].

http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/1998/wp12_en.pdf [cited 24.11.2017].

WP 128 Working Party on the Protection of Individuals with regard to the Processing of Personal Data. Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT) [WP 128].

http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2006/wp128_en.pdf [cited 24.11.2017].

WP 169 Working Party on the Protection of Individuals with regard to the Processing of Personal Data. Opinion 1/2010 on the concepts of “controller” and “processor” [WP 169].

http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf [cited 24.11.2017].

WP 179 Working Party on the Protection of Individuals with regard to the Processing of Personal Data. Opinion 8/2010 on applicable law [WP 179].

http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp179_en.pdf [cited 24.11.2017].

WP 179 update Working Party on the Protection of Individuals with regard to the Processing of Personal Data. Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain [WP 179 update].

http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2015/wp179_en_update.pdf [cited 24.11.2017].

Court of Justice of the European Union. C‑366/10, Air Transport Association of America and Others v. Secretary of State for Energy and Climate Change, ECLI:EU:C:2011:864.

Court of Justice of the European Union. Case 168/84, Gunter Berkholz v Finanzamt Hamburg-Mitte-Altstadt, ECLI:EU:C:1985:299.

Bundesfinanzhof. BFH II R 12/92, 1996.

http://www.bfh.simons-moll.de/bfh_1997/XX970012.HTM [cited 24.11.2017].

2:16-mj-01061-TJR, the Google Search Warrant case

The United States District Court for The Eastern District of Pennsylvania. Case 2:16-mj-01061-TJR, 2017.

Court of Justice of the European Union. C-131/12, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, ECLI:EU:C:2014:317.

Court of Justice of the European Union. Joined cases: (C‑585/08) and (C-144/09)1, Peter Pammer v Reederei Karl Schlüter GmbH & Co. KG and Hotel Alpenhof GesmbH v Oliver Heller, ECLI:EU:C:2010:740.

http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d2dc30d6f68cc34b9c8447799f3ce14d7192d8dd.e34KaxiLc3qMb40Rch0SaxyMch10?text=&docid=83437&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=755421 [cited 24.11.2017].

C-362/14, the Schrems Case

Court of Justice of the European Union. C-362/14, Maximillian Schrems v Data Protection Commissioner (joined by Digital Rights Ireland Ltd), ECLI:EU:C:2015:650.

http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=776256 [cited 24.11.2017].

SHF II 1224/97, the Swiss Server case

Schleswig-Holsteinisches Finanzgericht. SHF II 1224/97, 2001.

http://www.jurpc.de/jurpc/show?id=20020272 [cited 24.11.2017].

C-230/14, the Weltimmo case

Court of Justice of the European Union. C-230/14, Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, ECLI:EU:C:2015:639.

http://curia.europa.eu/juris/document/document.jsf?text=&docid=168944&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=582372 [cited 24.11.2017].