| Since the 21 st century,with the continuous progress of modern information technologies such as social network,cloud computing,radio frequency identification,equipment positioning and application positioning,data mining and big data analysis,the Internet has greatly promoted the vigorous development of the digital economy,and at the same time deeply integrated into all aspects of human life and work.With the rapid development of information technology,the Internet is becoming more and more remote,globalized and virtualized.Data collection and processing activities carried out by Internet enterprises often require cloud computing to provide technical support.Global Internet companies collect massive data from data subjects from all over the world through platform websites,mobile terminals and application software,and carry out data mining and big data analysis through cloud computing in order to grab greater commercial value.Small Internet companies can also purchase personal data collection,analysis and processing services from cloud computing companies.From the perspective of domestic law,the personal information protection legislation of various countries must respond:how to protect the personal information of their citizens in a timely,full and effective manner while giving reasonable consideration to commercial interests?From the perspective of international law,most laws are implemented within the jurisdiction of sovereign countries,and the geographical boundaries of countries are generally the territorial application scope of laws.Considering the principle of national sovereignty,a country cannot claim extraterritorial jurisdiction over people,things or acts outside its territory in principle.However,due to the unbounded nature of the Internet,the cross-border nature of personal data and the global nature of personal data processing,in order to effectively protect the personal information of its citizens,the geographical application scope of relevant laws may need to be appropriately expanded.Based on such a logical starting point,the research and discussion on "extraterritorial jurisdiction in the personal information protection law" came into being.On 25 May 2018,General Data Protection Regulations(hereinafter referred to as GDPR)came into effect.This law claims extraterritorial jurisdiction over personal data processing acts that occur abroad and involve EU.Article 3(Territorial Scope)of the Law sets a broad territorial jurisdiction by establishing "establishment criterion" and "targeting criterion ".According to the "establishment criterion",as long as the personal data controller or processor has set up an establishment within EU,the law has jurisdiction,regardless of whether the data processing activities carried out in the context of activities of the establishment.According to the "targeting criterion",the law is applicable to data controllers or processors outside EU to conduct personal data processing against data subjects within EU.This legislative trend has had a profound impact on the personal information protection legislation of Brazil,India and other countries,which have followed suit and added extra-territorial jurisdiction clauses.At present,Chinese legislator is formulating the Personal Information Protection Law.It is worth studying whether it is necessary to expand the territorial application scope of the law in legislation.From the perspective of comparative law,extraterritorial jurisdiction in GDPR can provide legislative inspiration and practical reference.This article is divided into five chapters,which in turn carry out in-depth analysis and research on the legitimacy of GDPR's assertion of extraterritorial jurisdiction,the extraterritorial jurisdiction boundary in the "establishment criterion",the extraterritorial jurisdiction boundary in the "targeting criterion",the practical difficulties in implementing extraterritorial jurisdiction and the solutions,as well as the Chinese response to extraterritorial jurisdiction of GDPR.The first chapter mainly discusses the general theory of extraterritorial jurisdiction.The development of the theory of extraterritorial jurisdiction resonates with the understanding of jurisdiction system in international law.In addition,extraterritorial jurisdiction has both connections and differences with extraterritorial effect and extraterritorial application.By reviewing the reasoning of the 1927 Lotus case of the Permanent Court of International Justice,the main contents of the 1935 Harvard Draft Study on Criminal Jurisdiction Convention and the development of the extraterritorial application theory of anti-monopoly law,and combing out the overall development and evolution of the extraterritorial jurisdiction theory,it is not difficult to find that with the gradual advancement of economic globalization,the extraterritorial jurisdiction theory has gradually developed in the criminal law,anti-monopoly law,securities law and other legal departments.The extraterritorial jurisdiction of a country is the premise and foundation of the extraterritorial application of domestic laws.The extraterritorial application of domestic laws is the external manifestation of the exercise of extraterritorial jurisdiction by a country.Although no specific rules of international law have been formed,the establishment and exercise of extraterritorial jurisdiction are still limited by the principles of international law.The principle of international comity can effectively limit inappropriate extraterritorial jurisdiction practices.A country cannot violate the principle of national sovereignty when establishing extraterritorial jurisdiction in legislation.The precondition for a country to exercise such legislative jurisdiction is that there should be a "substantial and good faith" connection between the act and jurisdiction,and such jurisdiction cannot interfere with other countries' domestic jurisdiction or territorial jurisdiction.The implementation of extraterritorial jurisdiction by a state should conform to the principle of proportionality and abide by the principle of "territoriality first",and there should be no violation of its own laws by forcing the subjects subject to extraterritorial jurisdiction to obey the laws of the countries claiming extraterritorial jurisdiction.The establishment of extraterritorial jurisdiction in legislative jurisdiction is of declarative significance,and the effective implementation of extraterritorial jurisdiction requires the establishment of bilateral cooperation mechanisms.It should be noted that EU's legislation practice in extraterritorial jurisdiction is far later than that of the United States.With the advancement of globalization,in order to safeguard its own interests,the EU has exported "EU standards" to the world in many aspects such as anti-monopoly,environmental protection,privacy standards,food safety and drug control.The EU has rich practice in extraterritorial jurisdiction.According to the criteria of judging whether the objects subject to extraterritorial jurisdiction have territorial connection with the EU,they can be divided into two categories: "super-territorial jurisdiction" and "territorial-based extended jurisdiction".The former has been widely criticized by the international community,while the rationality of the latter needs to be judged separately after further clarifying the boundaries of extraterritorial jurisdiction.Taking the American Aviation Association case heard by the EU court as an example,the EU should also follow the principle of proportionality and the principle of practical connection in the establishment and exercise of extraterritorial jurisdiction.These EU practices provide reference for the reasonable formulation of GDPR extraterritorial jurisdiction clauses.The second chapter mainly analyzes the reasons why GDPR advocates extraterritorial jurisdiction.Through combing the legislative origins of GDPR and the 1995 EU Personal Data Protection Directive in terms of territorial scope,the EU has formulated "establishment criterion" and "targeting criterion" respectively according to the principle of territorial jurisdiction and the principle of effect,merging the jurisdiction within the domain with the jurisdiction outside the domain,weakening the concern about the place where the personal data processing acts occur,and then directly claiming jurisdiction over the personal data processing acts involving EU citizens.The extraterritorial jurisdiction in Article 3 of GDPR should be strictly distinguished from the cross-border flow restriction rules of personal data in Chapter 5.The former is the extraterritorial effect of the law and the latter is the extraterritorial impact of the law.There are differences between the two in regulatory measures,application methods,regulatory objects and implementation effects.The EU has always respected the tradition of protecting personal privacy.During the Second World War,personal data were used by the Nazis to cleanse Jews and persecute anti-Nazis.Therefore,the European people kept a high degree of vigilance on data collection.After decades of development,the EU's personal data right has a special status in the EU.First of all,the right exists as a personality right.In addition,the EU Charter of Fundamental Rights lists the right as a category of fundamental rights,which makes the EU's personal data right further in the EU.Due to the consideration of giving full and comprehensive protection to personal data rights and considering the restriction of external factors,EU chose unilateralism when formulating the extraterritorial jurisdiction clause of GDPR.GDPR advocates extraterritorial jurisdiction with profound internal motivation.On the one hand,due to the limitation and insufficiency of the existing international law rules to provide personal data protection,on the other hand,from the perspective of technological development and the EU's own situation,it is not only due to the consideration of the jurisdictional dilemma caused by cloud computing technology,but also fully reflects the EU's determination to participate in the global data competition by giving EU citizens the right to personal data.The third chapter mainly studies the establishment and exercise of extraterritorial jurisdiction under the "establishment criterion".The European Court of Justice established the idea of extraterritorial jurisdiction through the judicial judgment of Google Spain case.By determining that there is an "inextricable relationship" between the establishment within the European Union and the personal data processing activities outside the European Union,the behavior has been incorporated into the territorial application scope of the EU Personal Data Protection Directive.In addition,the EU court also recognized that if the principle of territorial jurisdiction is strictly applied,it will seriously deviate from the legislative purpose of fully protecting personal data rights.The spirit of this judgment was fully absorbed in the GDPR legislative process,and the expression "whether or not the data processing takes place within the EU" was added to the final text of the "Workplace Standards" clause.In order to clarify the boundary of extraterritorial jurisdiction,the official data protection agency of the EU has specially formulated a guideline document,which further explains the meaning of a series of terms such as "establishment" and "stable arrangement" in combination with the preamble of GDPR and classic cases of EU court decisions.In addition,in order to prevent personal data controllers or processors from deliberately evading GDPR,the classification and application of "workplace standards" are refined,and the applicable methods of data processors that do not have a workplace in the EU and the applicable problems of GDPR under the scenario of a data processor's workplace are clarified.One-sided implementation of "establishment criterion" will lead to conflicts of legal values between different jurisdictions.Taking the "forgotten right" as an example,Google Spain case,although recognizing that the data subject has the right to request deletion of specific links,does not specify the scope of implementation of the forgotten right.If we advocate global implementation,it is of positive significance for the realization of the right to be forgotten,but it will lead to violent conflicts between personal data protection and freedom of speech.In the Google case,the European Court deliberately evaded the issue of the reasonableness of the extraterritorial effects of laws,and did not analyze the role and value of the principle of proportionality in resolving the above differences.Although in this case the EU court decided on the merits that the scope of enforcement of the right to be forgotten was limited to the territory of the EU,it did not completely abandon the claim of global jurisdiction.We should make full use of international law thinking to solve the conflict of legal values.In individual cases,the principle of proportionality should be flexibly applied to coordinate the relationship between personal data rights and freedom of speech according to the specific circumstances of the case,instead of blindly pursuing the realization of personal data rights.In its judgment,the European Court of Justice also recognized that the right to personal data is not absolute and needs to be dynamically coordinated with legal values such as freedom of information even within the European Union.One-sided implementation of "establishment criterion" will lead to conflicts of legal values between different jurisdictions.Taking the "right to be forgotten" as an example in Google Spain case,although recognizing that the data subject has the right to request deletion of specific links,does not specify the scope of implementation of the right to be forgotten.If we advocate global implementation,it is of positive significance for the realization of the right to be forgotten,but it will lead to violent conflicts between personal data protection and freedom of speech.In the Google case,EUropean Court deliberately evaded the issue of the reasonableness of the extraterritorial effects of laws,and did not analyze the role and value of the principle of proportionality in resolving the above differences.Although in this case EU court decided on the merits that the scope of enforcement of the right to be forgotten was limited to the territory of EU,it did not completely abandon the claim of global jurisdiction.The application dilemma caused by the two standards in practice needs to be solved by international law thinking.In single case,the principle of proportionality should be flexibly applied to coordinate the relationship between personal data rights and freedom of speech according to the specific circumstances of the case,instead of blindly pursuing the realization of personal data rights.In its judgment,ECJ also recognized that the right to personal data is not absolute and needs to be dynamically coordinated with legal values such as freedom of information even within EU.The fourth chapter mainly discusses the issue of extraterritorial jurisdiction in the "targeting criterion".The "targeting criterion" replaces the "establishment criterion" in EU Personal Data Protection Directive and claims extraterritorial jurisdiction over personal data processing activities involving EU citizens carried out by data controllers or processors that do not have business premises in EU.The rationality of this clause is controversial.In order to further clarify the boundaries of extraterritorial jurisdiction,EU's official data protection agency pointed out in the relevant guidance documents that the competent intention of "providing goods or services to EU citizens" and the objective performance of "monitoring the behavior of data subjects within EU" should be measured to judge whether the standard is applicable to these personal data processing behaviors.The idea of EU's jurisdiction is too complicated.In practice,it can only be analyzed according to specific situations.Extraterritorial jurisdiction has more flexibility and less stability.In order to effectively implement the extraterritorial jurisdiction under the "targeting criterion" in practice,GDPR has created a "representative system" requiring data controllers or processors outside EU to establish representatives within EU.Representatives should play the role of transmitting information,assisting in investigations and cooperating with law enforcement in the "triple structure" formed by data subjects,data protection agencies and data processors or controllers.Representatives are different from data protection officers in nature.The former is employed by the data controller or processor and the two parties are agents.The latter is a functional department specialized in data protection and has independence.The "targeting critrrion" in GDPR lacks enforceability.The representative system has obvious application difficulties.The representative is employed by data processors or controllers outside EU,and is responsible for transmitting information between the data protection agency and the data controllers or processors,but EU data protection agency cannot exercise the right to correct the representative.GDPR cannot impose administrative fines or other punitive measures on representatives.Because some data controllers or processors have not appointed representatives within EU,the data protection agencies of EU and its member States cannot carry out law enforcement investigations,let alone impose administrative fines.As countries have not yet reached a consensus on the nature of the right to personal data,the right to personal data,as a foundamental right of EU,is more difficult to be realized through bilateral law enforcement cooperation mechanisms.EU can only hope to coordinate on a case-by-case basis.In the long run,GDPR has set a "benchmark" for global personal data protection legislation.As more and more national legislations follow suit,it has objectively realized the convergence of global personal data protection legislation,making it possible to establish bilateral law enforcement cooperation mechanisms with specific countries.On the other hand,the extraterritorial jurisdiction rules should be matched with the litigation rules for the protection of personal data rights,so as to further expand the influence of GDPR extraterritorial jurisdiction by providing adequate relief channels for data subjects and data controllers or processors.The fifth chapter mainly discusses China's response to GDPR's assertion of extraterritorial jurisdiction.From the legislative point of view,in the process of enacting the Personal Information Protection Law,China must consider whether it is necessary to add extra-territorial jurisdiction clauses to regulate the personal data processing acts that occur outside China and are directed against Chinese citizens.China can draw lessons from GDPR moderately,but it is not appropriate to copy the legislative achievements of GDPR on personal data rights.Personal data right in the context of EU is a foundamental right with obvious human rights attribute.However,due to different national conditions,the right to personal information in the Chinese context is almost impossible to become a basic right under the constitution,let alone to be endowed with human rights attributes.China should clarify the private law attribute of personal information right under the framework of civil law.Due to the limited means of civil relief for personal information protection,relief is mainly through criminal or administrative means,and the "Personal Information Protection Law" should be formulated under the framework of public law.It should be made clear in the future Personal Information Protection Law that the law has extraterritorial effect.The legislature should change its habitual thinking of adhering to "territorialism" in legislation,expand the scope of territorial application in personal information protection legislation,and establish the jurisdictional principle of territorial jurisdiction as main and protective jurisdiction as auxiliary.The legislature should make full use of the favorable conditions that have not yet formed binding rules of relevant international law to establish extraterritorial jurisdiction rules in legislation.There should be room for self-restraint in legislation so as to be able to handle cases with ease in the future and avoid the embarrassing situation of being stranded in a dilemma in the application of the law.On the other hand,the addition of extra-territorial jurisdiction rules is conducive to the establishment of bilateral enforcement mechanisms for personal information protection with other countries.With regard to the extraterritorial jurisdiction clauses in Personal Information Protection Law(Draft Version),legislators should carefully consider the criteria for the division of extraterritorial jurisdiction and intra-territorial jurisdiction,the basis for setting the jurisdiction of the goal-oriented standard,the legal stability caused by the addition of all-inclusive clauses,and the connection between extraterritorial jurisdiction clauses and civil legislation.The Chinese version of jurisdiction clause should be formulated on the basis of drawing lessons from GDPR's territorial scope clause.First of all,we should weaken the investigation of "the place where the behavior occurred" and strengthen the investigation of "the data processing behavior" itself.According to the EU's "business premises standard",GDPR has jurisdiction over data controllers or processors that have establishment in the EU as long as the data processing takes place in the scene where the business premises carry out activities,even if the actual data processing does not take place in the EU.The future Personal Information Protection Law should also make a strong legislative response to the rapid development of information technology,focusing on the "data processing behavior" itself,rather than the specific location where the data processing behavior occurs,so as to avoid legal evasion.Secondly,drawing on the experience of the European Union,the Chinese version of the "establishment criterion" will be formulated.The EU,through its "establishment" as a territorial factor,analyzes the relationship between the "scene of activities in the place of business" and the "data processing behavior outside the EU".If an "inextricable link" is formed,the data processing behavior outside the EU will be "naturally" brought into the territorial jurisdiction of GDPR.China's law can also refer to such legislative thinking.By creating a kind of territorial factor similar to "establishment" in the Personal Information Protection Law,whether it needs to be governed or not is determined according to the correlation between data processing behavior and the territorial factor.Finally,"dual violation principle" is introduced into "targeting criterion".The "targeting criterion" in GDPR judges whether the behavior needs to be regulated by examining the subjective intention of "providing goods or services to EU citizens" and the objective performance of "monitoring the behavior of data subjects within EU".This kind of jurisdiction boundary is too broad,which may lead to jurisdiction conflicts in the process of implementation.From the perspective of international comity,if the handling behavior violates both Chinese law and the law of the country where the behavior occurred,bilateral law enforcement cooperation can be adopted.China's legislature should,based on unilateral extraterritorial rules,set up an enforceable bilateral cooperation mechanism for the protection of personal information as its constant goal in practice.From the perspective of applicability theory,Chinese enterprises should do a good job of compliance when carrying out personal data processing business involving EU citizens,and carefully compare the differences between China and EU in the rules of personal information protection legislation.At the same time,if Chinese enterprises encounter GDPR's assertion of extraterritorial jurisdiction,they should apply the principles of national sovereignty,non-interference and proportionality to deal with it calmly and protect the legitimate business interests of enterprises from damage.In addition,as the design of GDPR provisions is very complicated,carrying out compliance business will increase the operating costs of enterprises,and Chinese enterprises should seek a balance between compliance costs and business benefits.If the compliance cost is too high,Chinese enterprises can choose to abandon European market or reduce the scale of their business in Europe in due course. |
PDF Full Text Request