The extraterritoriality of EU data privacy law - its theoretical justification and its practical effect on U.S. businesses.

• Author: Svantesson, Dan Jerker B.

Due to its extraterritorial effect, the European Union's trailblazing data privacy law has long been a major concern for U.S. businesses. With the proposal for a new EU data privacy framework with potential penalties of up to two percent of an offending enterprise's annual worldwide turnover, and with the European Union at the same time expanding the extraterritorial reach of its data privacy law, such concerns are justified indeed.

This Article examines the extraterritoriality of current and proposed EU data privacy law and analyses whether reference to international law can either strengthen or weaken those claims of extraterritoriality. In doing so, this Article demonstrates that international law lends support to the approach to extraterritoriality adopted in the EU data privacy law. At the same time, however, the examination of EU law highlights that, from the perspective of extraterritoriality, the current EU Directive is dysfunctional in its unnecessary complexity, and the proposed EU Regulation is in desperate need of refinement.

Finally, the Article presents a doctrine of "market sovereignty," established by reference to the effective reach of "market destroying measures," as a mechanism for determining the extraterritorial reach of jurisdictional claims.

INTRODUCTION A. Data Privacy--A Brief Transatlantic Comparison B. Briefly About the Concept of Jurisdiction C. Briefly About the Concept of Extraterritoriality I. EXTRATERRITORIAL CLAIMS IN EU DATA PRIVACY LAW A. The European Data Protection Directive of 1995 B. The Proposed European Data Protection Regulation C. Conclusions Regarding the European Union's Directive and Proposed Regulation II. WHY EXTRATERRITORIAL CLAIMS IN FOREIGN DATA PRIVACY LAWS MATTER TO U.S. BUSINESSES III. GENERALLY ABOUT JUSTIFICATION OF EXTRATERRITORIAL CLAIMS IN DATA PRIVACY LAWS IV. JUSTIFICATION UNDER INTERNATIONAL LAW A. Under International Conventions B. Under International Custom 1. Grounds for Jurisdiction 2. The "Effects Doctrine" Independent or Not? 3. The Jurisdictional Grounds Relied upon for EU Data Privacy Laws 4. International Custom--Concluding Observations C. Under "General Principles of Law Recognized by Civilized Nations" 1. General Principles of Law--Extraterritoriality of Data Privacy Laws 2. General Principles of Law--Conflict of Laws 3. General Principles of Law--Substantive Data Privacy Laws 4. General Principles of Law--Concluding Observations V. THE LIKELY WAY FORWARD VI. THE PREFERRED WAY FORWARD VII. CONCLUDING REMARKS INTRODUCTION

Data privacy has emerged as a particularly fertile ground for transatlantic controversy. (1) This is hardly surprising considering that data privacy involves both competing fundamental human rights--the right of privacy versus the freedom of expression--and significant commercial values. Information, it has accurately been said, is the lifeblood of our modern information society, or indeed, information world. (2)

We are currently witnessing an unprecedented number of data privacy laws being enacted (e.g. Singapore and Malaysia) or revised (e.g. Australia and the European Union) around the world. An examination of such initiatives shows a tendency toward wide extraterritorial jurisdictional claims--claims that directly impact upon U.S. businesses engaging in business activities overseas, such as through an online presence.

There is, of course, nothing novel about extraterritorial jurisdictional claims. However, the impact they have in the data privacy setting is largely unexplored to date. This gap in the literature is surprising given the central role cross-border data flow plays in our modern global world.

This Article addresses this question and adds to the discussion of the theoretical justifications for such extraterritorial jurisdictional claims. Special attention is given to how such claims affect, and are affected by, the modern use of information and communication technologies.

In undertaking this research task, focus is placed on the most influential, and arguably strictest, data privacy laws in the world: those of the European Union. However, much of what is said, and most of the conclusions reached, are equally relevant for extraterritorial jurisdictional claims made by other jurisdictions.

In essence, the conundrum with which we are faced can be expressed as follows: Extraterritorial jurisdictional claims are reasonable because if states did not extend their data protection to the conduct of foreign parties, they would not be providing effective protection for their citizens. At the same time, extraterritorial jurisdictional claims are unreasonable because it is not possible for Internet users to adjust their conduct to all of the laws of all of the countries in the world with which they come into contact. In other words, a widespread extraterritorial application of state law may well end up making it impossible for businesses to engage in globally legitimate cross-border trade. (3)

This is quite a new area sparked by the remarkable features of the Internet:

When one examines academic writings, case law, and legislation relating to international jurisdiction, it becomes clear that, prior to the internet, there never existed a situation in which a state purported to extend the application of its law to many millions of entities in different countries around the world based on the fact that they were accessible by, or processed data of, citizens of the home jurisdiction. (4) After examining the extraterritoriality of both current and proposed EU data privacy law, this Article proceeds to briefly discuss how such law impacts U.S. business interests. Then, this Article assesses how international law impacts, if at all, the legitimacy of the European Union's approach. In other words, this Article seeks to assess whether the extraterritoriality of current and proposed EU data privacy law can be either justified or challenged by reference to international law.

This Article then turns to the likely, and to the desirable, future that may flow from the extraterritorial effect of EU data privacy laws. Importantly, in that context, this Article introduces the doctrine of "market sovereignty-established by reference to the effective reach of "'market destroying measures," as a mechanism for determining the extraterritorial reach of jurisdictional claims.

However, to clear the path for the discussion alluded to above, it is first necessary to briefly compare the different attitudes towards privacy found in EU countries and the United States. Further, I will make a few introductory observations about the concept of "jurisdiction" and the concept of "extraterritoriality."

1. Data Privacy--A Brief Transatlantic Comparison (5)

   In the context of a transatlantic comparison, it is important to bear in mind the role played by U.S. scholars writing in the earliest days of privacy. Already in 1890, Warren and Brandeis' crucially important article, The Right to Privacy, called for a privacy right in light of the technological development at the time:

   Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual what Judge Cooley calls the right "to be let alone." Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that "what is whispered in the closet shall be proclaimed from the house-tops." (6) The enormous influence this article has had is unquestionable. In fact, in surveying the most-cited law review articles of all time, Shapiro and Pearse found that the aforementioned Warren and Brandeis article ranked second. (7) At least two conclusions should be drawn from this. First, privacy is neither a European invention, nor an exclusively European concern. Second, technological developments have been a driving force behind the push for privacy since the very conception of the idea of a privacy right.

   Turning to privacy in the United States today, Greenleaf's assessment is that:

   The USA is best seen as a country with a unique, largely isolated, and sometimes inconsistent approach to data privacy, with some key standards weaker than is common in the rest of the world (particularly limits on collection, secondary use, disclosure, and data exports [i.e. the heartlands of European data privacy law]). But it also often provides international innovation in relation to some principles (e.g. data breach disclosure, and other aspects of security) and in the deterrent effect of draconian examples of enforcement, particularly by the FTC. (8) In short, as noted by Cate: "The protection for information privacy in the U.S. is far removed from that provided by the EU's data protection directive." (9)

   In 1970, Hesse, a federal state of Germany, passed the world's first data privacy act. This was followed by Sweden introducing the first such law on a national level in 1973. (10) The European preoccupation with the right of data privacy, or data protection, stems at least in part from the horrendous experiences in Europe during the Second World War, in which records of personal data were used for the purpose of identifying Jewish individuals. (11) However, there is also certainly a commercial side to data privacy, and the European attitude towards data privacy may be seen as an attempt to create a competitive advantage in an increasingly cutthroat world economy. As expressed by the Vice-President of the European Commission, Viviane Reding: "The new rules also give EU companies an advantage in global competition.... Trust in a coherent EU regulatory regime will be a key asset for service providers and an incentive for investors looking for optimal conditions when locating services." (12)

   Background facts such as these must be borne in mind when one approaches the modern treatment of data privacy. At the same time...