On The Extraterritorial Effects Of The EU General Data Protection Regulation

The extraterritorial effects of laws include active and passive aspects.The active extraterritorial effects of laws occurs when both courts and law enforcement departments apply their laws extraterritorially.Thus,active extraterritorial effects could impose binding effects on extraterritorial persons and conducts,and exert non-binding impacts on a third Country's legislation.Meanwhile,the laws of a Country are endowed with passive extraterritorial effects when a third Country applies the laws.This aspect appears legally non-binding.Therefore,the extraterritorial effects of laws contain both binding effects and non-binding legal influence.The active aspect dominates the newly validated General Data Protection Regulation in the regard of its extraterritorial effects,which mainly provides in Article 3 and Articles 44-50.Article 3 is a generic clause in terms of extraterritorial effects of the GDPR because it is a general “territorial scope” rule to the Regulation.Logically,Articles 44-50 are special clauses.Article 3 includes three categories.First,a data controller or processor with an EU establishment processing personal data may trigger Article 3.1 of the GDPR.Second,Article 3.2 applies when a data controller or processor is not established in the EU but offers goods or services to data subjects in the Union or monitors their behaviors.Third,Article 3.3 allows the GDPR applies extraterritorially when it shall apply by virtue of international public law.The Regulation,however,is vague on nearly all its core concepts of Article 3.1,like “data controller or processor”,“establishment” and “inextricably link”,“the offering of goods or services” and so on.With data protection rights being enshrined as fundamental human rights in the EU,the Court of Justice of the European Union(CJEU)interpret these concepts broadly,leading to a data controller or a processor weakly connected with the EU being subject to the GDPR.Therefore,the “territorial scope” of the GDPR is far beyond the physical territorial scope of the EU and the Regulation has extremely strong extraterritorial effects.In order to protect data of EU individuals adequately,Articles 44-50 of the GDPR provides for strict restraints on cross-border data transfer to a Country outside the EU.The first approach to remove such restraints is by an adequate decision released by the EU Commission after an exhaustive review of a third Country regarding its rules of law.Such a review,which in fact is an interference with the internal sovereignty of the third Country,presents another aspect of the GDPR's extraterritorial effects.The question,however,is that few countries fulfill the adequacy decision requirements.Thus alternatively,the GDPR allows cross-border data transfer through Standard Contractual Clause(SCC),Binding Corporate Rules(BCRs)and other mechanisms.The EU limits party autonomy by incorporating unalterable jurisdictional clause and applicable law clause into the SCC or BCR,which lay extra burdens on the exporter and the recipient.These mechanisms have adversary effects on companies outside the EU and equip the GDPR with strong extraterritorial effects.The ubiquitous reach of the GDPR is a purposefully designed outcome based on its territorial scope provision,mandatory effects,special jurisdictional rules,cross-border data transfer limitations and international cooperation mechanisms.The Regulation has created some innovative rules in these aspects.A combination of these rules provides the GDPR with powerful extraterritorial effects.Before codifying its personal data protection law,China should ascertain the legal status of personal data rights first to decide whether endows the law with strong extraterritorial effects.Based on an elaborate investigation of what difficulties the codification is confronting with,China will decide the jurisdictional scope,the territorial scope,restraints of cross-border data transfer and international cooperation mechanisms in its personal data protection law.For the EU-related business,companies should take measures to protect personal data in different aspects in compliance with the GDPR.