Study On Extraterritorial Effect Of Eu Personal Data Protection Law

In the era of big data,the commercial use of personal data is getting higher and higher,data controllers and processors are processing more and more personal data,and incidents of infringing on personal data are not uncommon.The virtual nature of the Internet makes it is difficult to protect personal data.National personal data protection laws are increasingly inclined to expand jurisdiction.The European Union took the lead in broadening its extraterritorial jurisdiction in the General Data Protection Regulations(GDPR)on the basis of the “1995 Directive”,which has an impact on the world outside its territory.The purpose of this paper is to explore how the “1995 Directive”,in particular the GDPR and for what reason to expand jurisdiction.First,This paper defines the relevant concepts,and then briefly summarizes the causes and development of the extraterritorial effects of the EU Personal Data Protection Law.The “personal data” protected by the EU personal data protection law is the identifiable personal data on the Internet,which does not include all personal information and is not limited to personal privacy.The extraterritorial effect of the EU Personal Data Protection Law studied in this paper is essentially the issue of extraterritorial legislative jurisdiction.The methods and technical means for processing personal data have become cross-border issues.Since the “1995 Directive”opened the first leg of individual data protection legislation,EU countries have added extraterritorial effect clauses in their domestic personal data protection laws.Until now,the GDPR has replaced the “1995 Directive”.Next,this article specifically analyzes the extraterritorial effect clause of the EU Personal Data Protection Law-Article 4 of the “1995 Directive” and Article 3 of the GDPR.The GDPR inherited and innovated the geographical scope applicable provisions of the “1995 Directive”.The “1995 Directive” sets two standards of“establishment” and “equipment”.The European Court of Justice extended its connotation in the rulings of Google Spain and Weltimmo.The extraterritorial effect of the “1995 Directive” is increasingly evident.The GDPR inherits the “establishment”standard of the “1995 Directive” and increase the two standards of “providing goods or services for data subjects within the EU” and “monitoring data subjects within the EU”.Under the new standard,although the data controller or processor does not have an establishment in the EU,it is within the jurisdiction of the GDPR to provides goods or services to data subjects within the EU and to monitor data subjects within the EU.Specific considerations must be made in determining whether these circumstances are constituted,including the identification of “establishment”,what is the “in the context of the activities of an establishment” and how to determine whether it constitutes “providing goods or services for data subjects within the EU”.And “monitoring data entities within the EU” and so on.The European Court of Justice's decision in the Google Spain and Weltimmo cases and a series of documents issued by the European Data Protection Board,in particular the “Guidelines 3/2018 on the territorial scope of the GDPR(Article 3)-Version for public consultation”,explain the relevant considerations.The third chapter explores the legality of the extraterritorial effect of the EU's personal data protection law.A basic principle for judging a country's law to claim extraterritorial effect should be whether it conforms to international law.On how to form a conformity with international law,O'Connell believes that “judge whether an extraterritorial application of a law is in conformity with international law depends on whether the event,act or person to which it applies is related to peace,order and good governance in the legislature.” The expansion of the jurisdiction of the EU Personal Data Protection Law is related to the increasing emphasis on fundamental rights in EU data protection.The protection of personal data is part of the protection of human rights.The EU is subject to the obligations to respect,protect and fulfil under the international human rights law.The extraterritorial applicability of international human rights law provides justification for the extraterritorial effect of the EU Personal Data Protection Law.The EU also regards personal data protection as a basicright.The Personal Protection Convention in the Processing of Personal Data(Convention No.108),the Charter of Fundamental Rights of the European Union and the Treaty on the Operation of the European Union attach great importance to the protection of personal data.For the purpose of achieving “all-round effective protection”,the EU has Obligations to expand its jurisdiction.In addition,according to public international law,there must be a “sufficient connection” before the state can claim legislative jurisdiction,and a reasonable jurisdictional basis can be considered to be “fully connected”.The basis of jurisdiction is also the basis on which a country can claim extraterritorial jurisdiction.The GDPR are based on the principle of territoriality and supplemented by the “effect principle” and the “target orientation method” to make up for the deficiencies of the territorial principle.According to the“Effective Principles”,foreign actions that have actual “impact” on the data subjects in the EU will be included in the jurisdiction.According to the “target orientation method”,“providing goods or services for data subjects within the EU” and“monitoring data subjects within the EU” emphasizes “intentional targeting”.Using the destination approach,setting more thresholds on the effect,to some extent limit the expansion of the effect principle,helps to prevent the extension of jurisdiction.Finally,this paper discusses China's response to the extraterritorial effect of the EU General Data Protection Regulations.The rapid development of Internet technology and the globalization of the economy will inevitably lead to certain Chinese enterprises being subject to the GDPR.The high administrative fines in the GDPR have forced Chinese companies to increase compliance costs and prevent them.The unilateral expansion of jurisdiction by the GDPR may lead to conflicts of jurisdiction,the lack of legal certainty and enforceability,and inconsistencies with the relevant laws of our country may lead to conflicts.Drawing on the experience of the AIQ case between UK and Canada,in order to avoid conflicts,it is an effective and feasible way to follow the principle of international comity and seek multilateral cooperation mechanisms at the national level;enterprises should fully interpret the GDPR and the data protection laws of EU member states.Do a good job of the compliance work before,during and after the event.