Expanding the European data protection scope beyond territory: Article 3 of the General Data Protection Regulation in its wider context

Transcription

1 230 ARTICLE International Data Privacy Law, 2016, Vol. 6, No. 3 Expanding the European data protection scope beyond territory: Article 3 of the General Data Protection Regulation in its wider context Paul de Hert* and Michal Czerniawski* Introduction to scope: from territory, over jurisdiction to destination Jurisdiction based solely on the territoriality principle is becoming less evident in the digital age. 1 Not long ago, processing of personal data seemed easy to understand: a data controller, a data processor, a data subject, and all the means used for data processing operations were usually located in the same country. Processing operations were subject to a single legal regime. The problem of potential conflicts of jurisdiction almost did not exist and application of the territoriality principle was sufficient for the protection of individuals personal data. This kind of processing operations constituted the vast majority of personal data processing in the 80s and 90s when the Council of Europe s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (hereinafter, Convention 108 ) and the European Union (EU) Directive 95/46/ EC 2 (hereinafter, Directive, Data Protection Directive ) were drafted. In today s world, due to the wide introduction and use of the Internet, the situation has dramatically changed. In a relatively short period of time, methods and technological means used for processing of personal data have become transnational, becoming a serious challenge for national legislators. 3 Technological progress resulted in the processing of EU residents personal data outside the EU on a scale never seen before. 4 Currently, almost every operation performed via the Internet is directly or indirectly connected with Key Points Changes in the current European Union (EU) data protection jurisdiction model, which comes from the early 1990s and is based mainly on the principle of territoriality and origin approach, are inevitable. The proposed EU General Data Protection Regulation (GDPR) goes beyond territoriality and bases its territorial scope on destination approach. At the same time it requires a relatively strong connection between the action and EU territory. This approach, although not without drawbacks and challenges to state interests and individual rights (of the data controller) solves one of the biggest problem European data protection law currently faces, which is lack of jurisdiction over third country s data controllers processing substantial numbers of EU data subjects data. Changes proposed in the territorial scope of the modernized Council of Europe data protection convention (Convention 108) go in the similar direction. These developments at EU level and Council of Europe level are in line with the Court of Justice of the EU position on the territorial scope of Data Protection Directive. Bearing in mind its broad design, getting the criteria for extraterritoriality correct in Article 3 GDPR must constitute part of every revision cycle of the GDPR. * Paul de Hert and Michal Czerniawski, Vrije Universiteit Brussel (VUB) Research Group on Law, Science, Technology and Society (LSTS), Brussels, Belgium. 1 For a more in-depth description of interaction between technology and data protection, see eg Ch Kuner and others, The (Data Privacy) Law hasn t Even Checked in When Technology Takes Off (2014) 4 International Data Privacy Law Directive (EC) 95/46 of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281/31. 3 According to Ch Kuner, Data protection law has been plagued by developments throwing into question the ability of the law to provide effective protection, see Ch Kuner, Extraterritoriality and Regulation of International Data Transfers in EU Data Protection Law (2015) 5 International Data Privacy Law L Moerel, The Long Arm of EU Data Protection Law: Does the Data Protection Directive Apply to Processing of Personal Data of EU Citizens by Websites Worldwide? (2011) 1 International Data Privacy Law 28. VC The Author Published by Oxford University Press. All rights reserved. For permissions, please journals.permissions@oup.com

2 Paul de Hert and Michal Czerniawski Expanding the European data protection scope beyond territory ARTICLE 231 processing of personal data. 5 With the development of the information society and ease of data transfers through the web, the territoriality principle seems to be becoming obsolete. At the same time, as the data protection area is highly diversified, with no single global standard, conflicts of jurisdiction seem to be inevitable in particular with respect to online activities. This article engages in a discussion with authors such as Kuner and Svantesson, that have expressed a critical view on expansive jurisdiction of the EU data protection regime in issue 4, November 2015, of this Journal. Our contribution focuses on the choices with regard to scope and jurisdiction made by the EU co-legislators in Article 3 of the new EU General Data Protection Regulation (hereinafter, General Regulation or GDPR ), 6 which will apply from 25 May 2018, and compares this to the current regime under Article 4 of the Data Protection Directive. It also assess whether the modernized Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (No 108) is heading in a similar direction and highlights the Court of Justice of the European Union (CJEU) position on the territorial scope of the EU data protection law. We begin by discussing the current situation regarding territoriality at the level of the Council of Europe and equally the prudent move from territoriality to jurisdiction in the reform proposals (Section The Council of Europe scope: from territory to jurisdiction ). Then, we analyse the jurisdictional scope spelled out in Article 4 of the Data Protection Directive and recent verdicts of the CJEU that provide additional guidance as how to interpret this article (Sections The scope of Article 4(1)a Data Protection Directive based on establishment and The Article 4(1)c Data Protection Directive scope based on use of equipment ). The number of proceedings before the CJEU dealing with Article 4 is constantly growing. C-131/12 Google Spain 7 is clearly a game changer adding even more extraterritorial powers to this provision of the Directive, a move confirmed in the more recent case C-230/14 Weltimmo. 8 This is followed by a discussion of Article 3 of the GDPR and its choice to complement a territoriality approach with a destination approach (Section Articles 3 and of the GDPR: reinstating the provisions regarding scope and data transfers ). The geographical scope of application of the new rules in the GDPR is already considered by some scholars as the most controversial aspect of the new Regulation. 9 An analysis of problems associated with unilateral expansion of jurisdiction is followed by a partial defence of Article 3 of the GDPR (Sections Article 3(2) GDPR: you might be targeted by EU law only if you target, Unilateral jurisdictional expansion, legitimacy, and rights of individual data controller/processor, and Addressing the consequences of unilateral expansion of jurisdiction across boundaries ). We see a moderated version of a destination approach as a way of ensuring effective enforcement of data protection laws in the age of the Internet. The jurisdictional scope of the GDPR is based on reasonable grounds, both, in the light of potential conflicts of jurisdiction and legitimacy of the EU data protection law when applied outside of the EU territory, although more boundaries could have been built into the text and coordination is necessary itself both at the level of the EU and at the international level (Section Coordinating the expanded European data protection territorial scope ). We conclude that the EU co-legislators with respect to extraterritoriality adopted solutions that could be considered to fall under a moderate destination approach (Section Conclusion ). The GDPR will have a broader territorial scope than the Data Protection Directive. This change is in line with recent CJEU verdicts and not in contradiction with the modernized Convention 108 that remains more general. In our opinion, Article 3 of the GDPR qualifies as an illustration of a reasonable approach to extraterritoriality. Its extraterritorial reach may be justified, bearing in mind the Regulation s aim, which is the effective protection of EU data subjects rights in the information society. The Council of Europe scope: from territory to jurisdiction It is not possible to analyse European data protection laws without first mentioning Convention 108. The entry into force of this act was one of the most important 5 Because data protection law is, in the main, applicable any time personal data are processed, it can apply to almost any operation performed on the Internet, Ch Kuner, Data Protection Law and International Jurisdiction on the Internet (Part 1) (2010) 18 International Journal of Law and Information Technology Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, , p Case C-131/12 Google Spain SL and Google Inc v Agencia Espa~nola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez. 8 Case C230/14 Weltimmo sro v Nemzeti Adatvédelmi és Informacioszabadsag Hatosag. 9 See eg DJB Svantesson, Extraterritoriality and Targeting in EU Data Privacy Law: the Weak Spot Undermining the Regulation (2015) 5 International Data Privacy Law

3 232 ARTICLE International Data Privacy Law, 2016, Vol. 6, No. 3 steps in evolution of the law of personal data protection. Ratified by almost 50 states, this binding international instrument lays the very foundation of various, also non-european, data protection regimes. With respect to jurisdiction, the (current) version of Convention 108 includes a direct reference to territory (Article 1): The purpose of this convention is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him ( data protection ). (emphasis added) For several years the Council of Europe has been working on the modernization of Convention 108. The Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (T-PD), charged with preparing a draft updated text, adopted its final proposals in November The CAHDATA a special ad hoc committee of the Committee of Ministers, finished its work on the new text in December According to Article 1 of the text as proposed by the CAHDATA committee in December 2014: 12 The purpose of this Convention is to protect every individual, whatever their nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for their human rights and fundamental freedoms, and in particular their right to privacy. The new Article 3(1) of Convention 108 in the version adopted by CAHDATA states that: 13 Each Party undertakes to apply this Convention to data processing subject to its jurisdiction in the public and private sectors, thereby securing every individual s right to protection of their personal data. (emphasis added) The new provision includes a direct reference to jurisdiction, instead of territory. The proposed text does not define what jurisdiction is and does not specify its scope. What is clear is that the new term allows a broadening of the Convention s scope beyond territoriality (but does not say how). It results not in abandoning, but rather in incorporating the territoriality principle. Such an approach allows for, and may indirectly encourage Convention 108 s parties, to expand territorial scope of their national data protection laws beyond their territory. Some might argue that the term jurisdiction appears vague and may create problems with interpretation. Lack of clear guidance may result in substantial differences with respect to the territorial scope between national legislations of the Convention 108 s parties and would not support harmonization of the parties data protection regimes. A possible way forward could be to understand the term jurisdiction in Article 3(1) of the modernized Convention 108 in light of the European Court of Human Rights decisions on Article 1 of the European Convention on Human Rights (ECHR). This Court has extended the scope of the ECHR beyond territory, opening situations taking place outside Europe but under direct control of EU Member States to human rights scrutiny, but it is not yet possible to apply this case law to data processing on the Internet. 14 It might be argued that there is still room (and time) for the Council of Europe to go further and to move more explicitly beyond the territoriality principle, in the direction of moderate destination approach as adopted by the EU co-legislators in the GDPR (see below). The work on modernization of Convention 108 began long before verdicts in C-131/12 Google Spain and C-230/14 Weltimmo (see below) were handed down. The T-PD final document on the modernization was issued in December Although not bound by the Court of Justice rulings, the Council of Europe is definitely aware of developments of the above-mentioned cases. Therefore, one may argue that the Council has now a very good reason to reconsider its position as regards the territorial scope of Convention 108 and adopt a broader approach. Then there are authors that have advocated a more abstract, less EU centric approach in order to create a meaningful difference between the Council of Europe s approach and the EU approach, and encourage ratification of Convention 108 by more non-eu states. 15 These authors would have no difficulty with the current choice for the term jurisdiction in the 10 Consultative Committee (T-PD) Modernisation of Convention 108: Final Document (T-PD(2012)4Rev4_en, Strasbourg, 18 December 2012). < TPD_documents/T-PD(2012)04Rev4_E_Convention%20108%20modern ised%20version.pdf> accessed 7 March There is one more CAHDATA meeting scheduled for June 2016, afterwards the Committee of Minister has to decide on the final shape of the document. This decision is expected to be made still in With the EU General Regulation to apply from 25 May 2018 there is growing pressure on the Council of Europe to finalize its work and to keep pace with GDPR developments. 12 See the abridged report of the Ad Hoc Committee on Data Protection (CAHDATA) from the third meeting (1 3 December 2014) < CAHDATA-RAP03Abr_En.pdf> accessed 7 March Ibid. 14 Kuner (n 3) About a possible global role for Convention 108 by consciously remaining less detailed and more general than its EU counterpart, see P de Hert and V Papakonstantinou, The Council of Europe Data Protection Convention Reform: Analysis of the New Text and Critical Comment on its Global Ambition (2014) 30 Computer Law and Security Review

4 Paul de Hert and Michal Czerniawski Expanding the European data protection scope beyond territory ARTICLE 233 modernization process. This term is vague, but flexible, and allows to go beyond territoriality, without obliging ratifying states to go automatically towards a destination approach or even further. Soft law instruments used by the Council of Europe could clarify or encourage a possible consensus in the future. The scope of Article 4(1)a Data Protection Directive based on establishment Establishment: a proxy to territoriality? The territorial scope of the current EU data protection regime is spelled out in Article 4(1) of the Data Protection Directive. This provision lists two main criteria for determining whether the EU Member State law is applicable: EU jurisdiction depends on localization of an establishment of a data controller (Article 4(1)a) or localization of an equipment used for data processing purposes (Article 4(1)c). 16 (We will come back later on to Article 4(1)c.) The first, the establishment criterion, laid down in Article 4(1)a, is settled on the basis of a two-step test: 17 has the controller an establishment in an EU Member State (first step) and does a particular processing operation take place in the context of such an establishment s activities (second step). Recital 19 of the Data Protection Directive is useful in assessing the first step: establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements and that the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor in this respect. Both the European Court of Justice and Advocate General Villalon 18 use this recital to defend a flexible definition of establishment. In C-230/14 Weltimmo, the Court underlined the role of this provision in particular in case of undertakings offering services exclusively over the Internet. 19 The Court stated that it: results in a flexible definition of the concept of establishment, which departs from a formalistic approach whereby undertakings are established solely in the place where they are registered. 20 A similar logic and reference to recital 19 of the Directive was applied some month before C-230/14 Weltimmo in C-131/12 Google Spain, 21 that could be read as an open invitation to EU co-legislators to force non-eu-based data controllers to conform their businesses to comply with the EU data protection law just because they have a certain level of physical presence within the EU. We will come back to the method of interpretation of the CJEU below. In any case, the stated rationale behind adopting a flexible interpretation of the first step criteria, as presented by the Court, also provides guidance as to why the second step was interpreted in a similar manner. In C-230/14 Weltimmo, the Court confirmed the broad approach on territoriality arising from C-131/12 Google Spain and underlined a general attitude of flexibility towards the whole of Article 4(1)a: [i]n the light of the objective pursued by Directive 95/46, consisting in ensuring effective and complete protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data, the words in the context of the activities of an establishment cannot be interpreted restrictively (...) Article 4(1) states that: 1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where: (a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable; (b) the controller is not established on the Member State s territory, but in a place where its national law applies by virtue of international public law; (c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community. 17 Opinion of advocate general Pedro Cruz Villalon delivered on 25 June 2015, Case C-230/14 Weltimmo (n 8) para Ibid, para Case C230/14 Weltimmo (n 8) paras 28 and Ibid, para Case C-131/12 Google Spain (n 7) para 53. Very good summary of the Google Spain case factual background was provided by the Advocate General Nilo J a askinen (see point 62 of the Opinion of Advocate General J a askinen delivered on 25 June 2013 Case C131/12 Google Spain): Google Inc. is a Californian firm with subsidiaries in various EU Member States. Its European operations are to a certain extent coordinated by its Irish subsidiary. It currently has data centers at least in Belgium and Finland. Information on the exact geographical location of the functions relating to its search engine is not made public. Google claims that no processing of personal data relating to its search engine takes place in Spain. Google Spain acts as commercial representative of Google for its advertising functions. In this capacity is has taken responsibility for the processing of personal data relating to its Spanish advertising customers. Google denies that its search engine performs any operations on the host servers of the source web pages, or that it collects information by means of cookies of non-registered users of its search engine. 22 C230/14 Weltimmo (n 8) para 25.

5 234 ARTICLE International Data Privacy Law, 2016, Vol. 6, No. 3 Interesting in C-230/14 Weltimmo are the clarifications with regard to a possible base line for understanding the term establishment : the concept of establishment, within the meaning of Directive 95/46, extends to any real and effective activity even a minimal one exercised through stable arrangements. 23 The Court does not deny that some sort of connection with territory is needed to speak about establishment, but this nexus between an action and territory can be very loose. If the establishment criterion was ever meant to be a proxy for territoriality, then that understanding is no longer accurate. It should from now on be understood as a very loose proxy, 24 blurring the initial distinction made in the Directive between controllers in (Article 4) and out (Articles 25 26) of the EU jurisdiction. 25 Hijmans celebrates the CJEU understanding as evidence of effective data protection. 26 It challenges the existing business model of many non-eu, in particular USA, companies to establish legal (ie formal but not operational) presence in Ireland and sell goods or provide services across the EU, with possible some subsidiaries here and there. This model worked for the last 20 years, but stopped working after the verdict in C-131/12 Google Spain. In our opinion the Court overcompensated as a fair reaction to what can be seen as an abusive stretching of EU law to its limits by US online companies. 27 We will come back to the method of interpretation used by the CJEU later on. We are about two years after the Google Spain verdict, the gain in terms of effective rights protection needs to be assessed in due time. However, the change in approach towards US data controllers operating in the EU is already visible, with data protection authorities like Polish Inspector General for the Protection of Personal Data (GIODO) issuing for the very first time decisions affecting US-based companies such as Facebook. 28 In this context, the question that needs to be answered is what happens if US data controllers would minimalize their presence in the EU, for example, by doing only long-distance sales but having no presence at all in the EU? And, what if they modified their corporate structure in a way where EU sale is moved from USA to some third country/tax heaven? These questions would then have to be addressed in the context of in Article 4(1)c of the Directive (discussed in Section The Article 4(1)c Data Protection Directive scope based on use of equipment ). Would since that discussion will probably not take place in the light of the EU data protection reform agenda. The CJEU s teleological interpretation of the Directive and rejection of the origin approach C-230/14 Weltimmo and C-131/12 Google Spain are clear examples of teleological interpretation, 29 a method of interpretation first famously used by the CJEU in van Gend & Loos. 30 By applying this method legal provisions are not necessarily read literally but are understood in the light of the purpose, values, legal, social, and economic goals these provisions aim to achieve. According to Maduro: teleological interpretation in EU law does not (...) refer exclusively to a purpose driven interpretation of the relevant legal rules. It refers to a particular systemic understanding of the EU legal order that permeates the interpretation of all its rules. 31 This is the reasoning applied in C-131/12 Google Spain and C-230/14 Weltimmo: first, the CJEU recalls the EU fundamental rights context and the need for rights to be effective; then, the Court turns to the purpose of the Directive and only then Article 4 is considered. Effective and complete protection of the right to privacy in the age of the Internet, requires going prudently 23 C230/14 Weltimmo (n 8) para In Weltimmo case, the presence of only one representative of a company was considered as an establishment. Thus, nowadays, eg presence of a single employee working remotely via the Internet in a particular state may lead to creation of an establishment of a data controller in this place. 25 On the meaning of Articles 25 and 26 of the Directive (governing transfers to third countries) for our understanding of the scope of the Directive, see Kuner (n 3) 242ff. 26 H Hijmans, Right to have Links Removed: Evidence of Effective Data Protection (2014) 21 Maastricht Journal of European and Comparative Law See P De Hert and V Papakonstantinou, Google Spain: Addressing Critiques and Misunderstandings One Year Later (2015) 22 Maastricht Journal of European and Comparative Law See GIODO s decision issued on 22 January 2016, no DOLiS/DEC 50/ Combined with the principle of effectiveness (rights should be effective), that we know from the case law of the European Court of Human Rights. 30 Case 26-62, Judgment of the Court of 5 February NV Algemene Transport- en Expeditie Onderneming van Gend & Loos v Netherlands Inland Revenue Administration. Reference for a preliminary ruling: Tariefcommissie Netherlands: based on a teological reading of the Treaty, the CJEU found and established the principle of direct effect of Treaties in the legal order of the Member States. No statutory implementation act was needed in Member States by his State to apply the Treaty of Rome. On this method O Pollicino, Legal Reasoning of the Court of Justice in the Context of the Principle of Equality between Judicial Activism and Self-restraint (2004) 5 German Law Journal L M Poiares Pessoa Maduro, Interpreting European Law: Judicial Adjudication in a Context of Constitutional Pluralism (2007) 1 European Journal of Legal Studies 5.

6 Paul de Hert and Michal Czerniawski Expanding the European data protection scope beyond territory ARTICLE 235 extraterritorial and that is precisely what, as already mentioned, C-131/12 Google Spain does. 32 The example and logic was followed several months later in C-230/14 Weltimmo. 33 Both verdicts assume the position that, in order to achieve the human rights goals of the Data Protection Directive, there is a need for a broad interpretation of its territorial scope. Above we labelled this approach as fair, but outstretching the legal provisions. It definitely does not serve the interests of international companies that usually favour the origin approach, ie situation where only law of the state where company is established is applicable. This origin approach could have been made possible at the EU level through a more restrictive or plain reading of Article 4. However, assuming that only the EU has the appropriate personal data protection standards, 34 this approach would allow international non- EU-based players, which operate in the EU, to comply with less-restrictive legal regimes, 35 decreasing the level of protection of personal data in the EU. 36 An origin approach could even lead to forum shopping with controllers choosing the most favourable jurisdiction for setting up their establishments. At least in terms of European fundamental rights, restricting the possibility of conducting data transfers to less-protective regimes can be understood as a human rights obligation. 37 That is why we called the approach of the CJEU as fair: itis fair in terms of fundamental rights obligations. Honesty obliges us, however, to acknowledge that the origin approach or a more restrictive approach towards Article 4, read together with Articles 25 and 26 of the Directive does not per se equal non-respect of these important fundamental rights obligations. On the paper, Articles 4, 25, and 26 set up seemingly takes into account all concerns for lesser protection once data falls in hands of non-eu actors. The lack of trust in the EU US Safe Harbour scheme and other data transfer arrangements, fuelled by the Snowden revelations, must have brought the CJEU to its flexible and broad understanding of the scope of Article 4(1)a of the Data Protection Directive due to a perceived lack of alternative in terms of effective fundamental rights protection. 38 The Article 4(1)c Data Protection Directive scope based on use of equipment If territorial scope of the current EU data protection regime would be based solely on Article 4(1)a of the Data Protection Directive, processing operations would fall outside the EU jurisdiction for data controllers without an establishment in the territory of an EU Member State. However, the Data Protection Directive includes provisions allowing alternative bases for establishing the 32 In C-131/12 Google Spain, as seen above, the CJEU stated that, under certain conditions, the Spanish data protection law may be applied to a US data controller present in Spain through (only) a marketing subsidiary (only) selling advertisements with no connection to the actual processing operations of personal data under discussion. Although the Court did not specify the geographical scope of the ruling, it indicated that Article 4(1)a of the Data Protection Directive needed to be interpreted broad, bearing in mind the objective of Data Protection Directive, which is ensuring effective and complete protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data (C-131/12 Google Spain, para 53). The Court underlined that (...) it is clear in particular from recitals 18 to 20 in the preamble to Directive 95/46 and Article 4 thereof that the European Union legislature sought to prevent individuals from being deprived of the protection guaranteed by the directive and that protection from being circumvented, by prescribing a particularly broad territorial scope (C-131/12 Google Spain, para 54). At first glance, Google, a Californian firm, with a very strong (stronger than the one with the EU) connection to the USA, should not be covered by the EU law. However, setting Google outside of the Spanish jurisdiction, would lead to an absurd situation where EU citizens would be left without sufficient protection of their rights, ie where the EU data protection rules would not apply to a Spanish citizen who, through a Spanish website, searches on his own name, and finds a link to a Spanish website of a Spanish newspaper which published his personal data on something that happened in Spain. See H Kranenborg, Google and the Right to be Forgotten (2015) 1 European Data Protection Law Review 76; Van Alsenoy and M Koekkoek, The Territorial Reach of the EU s Right To Be Forgotten : Think Locally, but Act Globally? < accessed 7 March 2016; B Van Alsenoy and M Koekkoek, Internet and Jurisdiction after Google Spain: the Extraterritorial Reach of the Right to be Delisted (2015) 5 International Data Privacy Law C230/14 Weltimmo (n 22) para Although, outside of the EU, there are sectoral regulations that providing for stricter data protection rules, in general, the EU data protection regime can be regarded as one of the most advanced data protection regime in the world, at least on paper. A good example might be here the US Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub L , 110 Stat 1936, enacted 21 August 1996), which regulates processing of personal data for health insurance in the USA. 35 U Kohl, Jurisidiction in Cyberspace in N Tsagourias and R Buchan (eds), Research Handbook on International Law and Cyberspace 50 (Edward Elgar Publishing, Cheltenham, UK and Northampton, MA, US, 2015). 36 Moreover, in the digital age, the majority of states rejects the origin approach notably not in terms of foregoing their rights to regulate local online actors, but rather in terms of leaving the regulation of foreign online actors solely to the State of origin (ibid 50). 37 See the interesting analysis of positive and negative human rights obligations and of the obligations to protect, respect, and fulfil rights, M Taylor, The EU s Human Rights Obligations in RElation to its Data Protection Laws with Extraterritorial Effect (2015) 5 International Data Privacy Law This honest acknowledgement of the fact that another Court reaction in Google Spain would not have been unthinkable, does not mean that we hold that territoriality should remain the principal connector in the future, on the contrary. As pointed out by Taylor: The spatial or territorial model, based on territory or effective control over territory, is difficult to apply to data protection because data are transferred in a virtual space from the EU to a third state (ibid 250). We do esteem that the Court could have limited itself to an identification of shortcomings in the Data Protection Directive (without fixing it), sending the implicit message to the EU legislator to reconsider the conceptual starting points.

7 236 ARTICLE International Data Privacy Law, 2016, Vol. 6, No. 3 applicability of EU law in given case. First, the EU data protection law may be applied to the controller not established on the Member State s territory by virtue of international public law (Article 4(1)b). The second exception from this rule is based on Article 4(1)c. According to recital 20 of Data Protection Directive: the fact that the processing of data is carried out by a person established in a third country must not stand in the way of the protection of individuals provided for in this Directive (...) in these cases, the processing should be governed by the law of the Member State in which the means used are located, and there should be guarantees to ensure that the rights and obligations provided for in this Directive are respected in practice. While Article 4(1)c uses the term equipment, recital 20 allows for application of EU data protection law if the means are located within the EU territory. Moerel points out that at the time of the drafting of the Directive there was a last minute change of means to equipment in the English version of Article 4(1)c, aimed at narrowing its scope. 39 It seems that, bearing in mind that the term equipment was created before expansion of the Internet, the intention underlying the introduction of use of equipment was initially to cover a relatively narrow number of situations, for example, use of computer servers, terminals or questionnaires. 40 However, throughout the years the interpretation of the term equipment went in the opposite direction. A broad understanding of the term equipment is inter alia supported by Article 29 Data Protection Working Party in its Opinion 8/2010: (t)his provision is especially relevant in the light of the development of new technologies and in particular of the internet, which facilitate the collection and processing of personal data at a distance and irrespective of any physical presence of the controller in EU/EEA territory. 41 In the same opinion, the Working Party confirmed that the term equipment should be interpreted as means, and therefore receive a broad understanding. 42 For example, according to the Working Party, human intermediaries shall also be considered as means. 43 The Working Party s position was to be validated (or rejected) by the CJEU in case C-192/15 Rease et Wullems. 44 However, the claims in the abovementioned case were withdrawn and probably, due to the entry into force of the GDPR, we will never learn the Court of Justice s position as regards the term equipment. Let us now turn to the upcoming regulatory landscape, as contained in the GDPR. The text of this legal act has been adopted in what is called a trilogue between the EU co-legislators. 45 Political agreement on the final shape of the GDPR was reached on 15 December 2015 and the text of the new act was published on 4 May We will first look at its provisions with regard to the territorial scope (Article 3(1) and (2)) and then briefly at Articles 44 48, which address transfers of data. Articles 3 and of the GDPR: reinstating the provisions regarding scope and data transfers In the General Regulation, which will replace the current Data Protection Directive, the EU co-legislators went beyond the territoriality principle. Territory remains as one of the nexuses in the future EU data protection landscape but its importance is decreasing. The GDPR introduces new factors for assessing EU Member States jurisdiction in data protection cases. The initial European Commission proposal regarding territorial scope of the General Regulation, as presented in document COM(2012) 11 in Article 3 stated: 1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union. 2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a 39 Moerel (n 4) Ch Kuner, Data Protection Law and International Jurisdiction on the Internet (Part 2) (2010) 18 International Journal of Law and Information Technology Article 29 Data Protection Working Party, Opinion 8/2010 on applicable law, adopted on 16 December 2010, WP 179, Ibid (...) the Working Party understands the word equipment as means. It also notes that according to the Directive this could be automated or otherwise. This leads to a broad interpretation of the criterion, which thus includes human and/or technical intermediaries, such as in surveys or inquiries. As a consequence, it applies to the collection of information using questionnaires, which is the case, for instance, in some pharmaceutical trials. (ibid 20). 44 Request for a preliminary ruling from the Raad van State (the Netherlands) lodged on 24 April 2015 TD Rease and P Wullems; other party: College bescherming persoonsgegevens (Case C-192/15). 45 The European Commission glossary defines trilogue as informal tripartite meetings attended by representatives of the European Parliament, the Council and the Commission. The purpose of these contacts is to get agreement on a package of amendments acceptable to the Council and the European Parliament. For a more detailed description see < europa.eu/codecision/stepbystep/glossary_en.htm> accessed 7 March Press release: EU data protection reform: Council confirms agreement with the European Parliament < 18-data-protection/> accessed 7 March 2016.

8 Paul de Hert and Michal Czerniawski Expanding the European data protection scope beyond territory ARTICLE 237 controller not established in the Union, where the processing activities are related to: (a) the offering of goods or services to such data subjects in the Union; or (b) the monitoring of their behaviour. 3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law. (Article 3 as originally proposed by the Commission) The first paragraph of this Commission proposal (Article 3(1)) repeats the jurisdiction nexus that we know from 4(1)a EU Directive. With respect to this paragraph, the European Parliament proposed a small addition in line with C-131/12 Google Spain and the ideas behind the Commission s text 47 by clarifying that in order to fall within the EU jurisdiction it is not necessary for a data controller to process the data within the EU. 48 This amendment was accepted by the EU Council and would make it into the final text of Article 3(1) of the GDPR (see below). Article 3(2), as regarding the offering of goods or services and monitoring of behaviour, triggered more institutional discussions. First, the European Parliament proposed changes to broaden the Commission s second paragraph, 49 changes that were partly followed, partly softened by the Council, which excluded monitoring that has no connection with the EU territory from the scope of the GDPR, 50 and provided some additional explanation in recital 20 of its text. 51 The final text of Article 3 of the GDPR agreed between the EU Council, the European Commission and the European Parliament was mainly built further on the Council version: 1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. 3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law. 52 The Data Protection Directive bases for transfers to third countries are to be found in Articles of the GDPR, with some amendments and clarifications regarding the use of binding corporate rules (Article 47) and a Snowden-inspired check on requests directed at EU data controllers or processors by foreign judges or law enforcement authorities (Article 48). Recitals highlight the importance of cross-border data flows for the expansion of international trade and international cooperation and the importance to respect Articles not to undermine the level of protection of natural persons ensured in the Union by this Regulation. 53 Kuner has previously stressed that the extraterritorial power behind the EU provisions with regard to international transfers of data allows EU institutions to assess the adequacy of other legal systems both on paper and on the ground. 54 This will not change in the future with 47 Relevant reference was already included in recital 19 of the Commission s proposal. 48 The European Parliament s proposal stated that: 1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, whether the processing takes place in the Union or not. (emphasis added) 49 In particular by adding the reference to processor. The European Parliament s proposal stated that: 2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour such data subjects. 50 The Council s proposal stated that: 2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the European Union. 51 Recital 20 as in the EU Council version of the text: [...]In order to determine whether such a controller is offering goods or services to such data subjects in the Union, it should be ascertained whether it is apparent that the controller is envisaging doing business with data subjects residing in one or more Member States in the Union. Whereas the mere accessibility of the controller s or an intermediary s website in the Union or of an address and of other contact details or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, and/or the mentioning of customers or users residing in the Union, may make it apparent that the controller envisages offering goods or services to such data subjects in the Union. 52 Article 3 of the Regulation 2016/ Recital 101, GDPR. 54 Kuner (n 3) 242.

9 238 ARTICLE International Data Privacy Law, 2016, Vol. 6, No. 3 the new provisions on international transfers, and it is, therefore, appropriate to recall this before going into a more in-depth analysis of the new provisions, which have explicit extraterritorial reach. Equally, and for the same reasons, it is useful to highlight Article 3(1) creating jurisdiction when a data controller or a processor has an establishment in the Union, a provision that will be interpreted in the light of C-131/12 Google Spain and its very loose nexus with territory to establish jurisdiction. Again, it would be a mistake to lose sight of these facts and focus the extraterritoriality discussion solely on Article 3(2) containing entirely new provisions, compared to the Data Protection Directive, bringing under the scope of EU law those who target EU data subjects without having an establishment in the EU. 55 Article 3(2) GDPR: you might be targeted by EU law only if you target Article 3(2) of the GDPR is seen by insiders as one of the more important achievements of the reform. Without using the term extraterritoriality, the provision allows to bring under the scope of the Regulation controllers or processors established outside the Union, (a) when they offer goods or services to EU data subjects, irrespective of whether a payment on the part of the data subject is required, or (b) when they monitor behaviour of data subjects, as far as their behaviour takes place within the Union. Both extensions of scope are clarified further in the recitals recital 23 for Article 3(2)a of the GDPR, and recital 24 for Article 3(2)b of the GDPR. Let us begin with behavioural monitoring. It is clear that Article 3(2)b is designed to cover third country operators of social networks, online providers of services such as accounts, operators of search engines and websites, vast majority of which systematically monitor behaviour of Internet users. The inclusion of the phrase as far as their behaviour takes place within the European Union adds a tone of moderation and eliminates from the territorial scope situations where the nexus between an EU Member State and data controller s actions is rather weak. The provision is a good example of the logic of targeting based on a straightforward rationale you might be targeted by EU law only if you target. So, for instance, the GDPR does not apply when the only connection between the data controller s actions and the EU law is the fact that the data subject is an EU resident. This would go against the legitimacy principle, which we discuss below, and could be seen as an example of excessive extraterritoriality. If, for example, a European tourist is doing shopping on Fifth Avenue in New York we do not see reasons why processing of his data in this context should ex lege fall within the territorial scope of the GDPR. In such a situation, in our opinion, there is a very strong connection between a data subject and the US law (territoriality principle) and an insufficient connection with the EU legal regime. The clarifications to Article 3(2)b of the GDPR in recital 24 about what constitutes monitoring of behaviour, 56 are in our opinion precise enough. 57 Jurisdiction based on targeting is new to EU data protection law. It is definitely a part of what Kuner calls a Copernican revolution. 58 It allows EU data protection authorities to raise jurisdictional claims towards various third country s data controllers and processors. However, as our example of shopping on Fifth Avenue shows, EU law does not apply solely because there is any effect on an EU citizen in one way or another. The extension of the scope through the requirement of targeting is moderate it is triggered only if there is a sufficient nexus between particular activity and the EU. States are not randomly expanding jurisdiction, but do it with a reason. The approach which only gives targeted States the right to regulate the activity is called by Kohl a moderate destination approach. 59 Secondly, extraterritoriality is foreseen in cases of offering goods or services in the EU from abroad in Article 3(2)a of the GDPR. This again is an example of targeting: non-eu actors are brought under the GDPR when they offer goods or services to EU data subjects. Recital 55 We note in passing that the Directive-idea laid down in Article 4(1)c of the Data Protection Directive to bring under its scope outside controllers with equipment in the EU has disappeared in the GDPR, being partly absorbed by the broader understanding of establishment in Article 3(1) of the GDPR and by the targeting provisions in Article 3(2) of the GDPR. 56 According to recital 24: The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes. 57 See on the role of soft law to clarify the scope of extraterritorial provisions, below. 58 The term Copernican revolution in the context of the EU data protection reform was first used by Ch Kuner, The European Commission s Proposed Data Protection Regulation: A Copernican Revolution in European Data Protection Law Bloomberg BNA Privacy and Security Law Report (6 February 2012) Kohl (n 35) 35.