The Challenges Faced by the Extraterritorial Scope of the General Data Protection Regulation
| Author | Adèle Azzi |
| Position | LL.M. student at the London School of Economics |
| Pages | 126-137 |
2018
Adèle Azzi
126
2
The Challenges Faced by the
Extraterritorial Scope of the General
Data Protection Regulation
by Adèle Azzi*
© 2018 Adèle Azzi
Everybody may disseminate this ar ticle by electronic m eans and make it available for downloa d under the terms and
conditions of the Digital P eer Publishing Licence (DPPL). A copy of the license text may be obtain ed at http://nbn-resolving.
de/urn:nbn:de:0009-dppl-v3-en8.
Recommended citation: Adèl e Azzi, The Challenges Faced by the Ex traterritorial S cope of the General Data Pro tection
Regulation, (2018) JIPIT EC 126 para 126
Keywords: Data protection; GDPR; compliance; overseas data processing; extraterritorial scope; enforcement;
international law; international cooperation
internet users witness an undeniable wave of change
in the terms of the use and processing of data on a
majority of websites. Does this phenomenon reveal a
real power of enforcement on the EU side? This work
attempts to answer this question by analysing two
factors which greatly impact the efficiency of extra-
territorial claims. First, the legitimacy of the extrater-
ritorial claim. Through the application of international
law principles, it will be seen that the extraterritorial
claim of the EU, despite its broadness, is rather legit-
imate and even part of a shared tendency among ju-
risdictions around the world to extend the reach of
data protection laws. Second, the enforcement tools
of the regulation. This work reveals that the EU may
benefit from some direct enforcement tools such as
representatives and international cooperation, but
also, and more importantly, through indirect means.
In particular, the EU may rely on the risk of reputa-
tional damage, the incentives to self-compliance, and
the rules on data transfers to third countries.
Abstract: The General Data Protection Regu-
lation (GDPR) imposes a significant burden of com-
pliance on overseas businesses which process per-
sonal data of EU individuals. An impressive number
of articles warns about the new risks incurred by data
processors around the world; be they one of the In-
ternet giants, or a non-EU company which dared to
offer goods to EU consumers, or that had the idea
to use cookies on its website to track EU consum-
ers. However, does the EU actually have the neces-
sary means to ensure that the rules are followed by
all? And if not, is the EU equipped to enforce compli-
ance? Those are legitimate questions in the light of
the context in which the EU has extended its juris-
diction. Not only has it been decided unilaterally, but
such rules are to be enforced in cyberspace, in an in-
ternational context, and on operators, which may not
have any physical presence in the EU. One may think
that processors have no reason to panic, there is little
chance that the GDPR enforcers will find them and
force them to comply under the threat of fines. Yet,
To continue reading
Request your trial