
Extraterritorial Jurisdiction of Article 3 of GDPR

2023-01-06 Lai Sixing, Wu Di

中阿科技论坛 (Chinese-English edition), 2022, Issue 3

Lai Sixing, Wu Di

(School of Law of Guangdong University of Foreign Studies, Guangzhou 510799)

Abstract: With the borderless nature of the Internet and the increasingly frequent cross-border data flows in the digital economy, the security and protection of personal data has become a legislative trend in the international community. The GDPR, as a regulation adopted by the EU for the strict protection of personal data, stipulates extraterritorial jurisdiction provisions in Article 3, which serve to govern the processing of personal data occurring outside the EU or related business entities located outside the EU on the basis of the “establishment standard”, the “targeting standard” and public international law reasons. This provision has corresponding rationality in the sense of international law, but there are also problems of vague terms and excessive extraterritorial jurisdiction, which have something to do with the value objectives of the GDPR legislation and the economic policies of the EU. Through the exploration of the vague concepts in judicial practice and the consideration of factors limiting extraterritorial jurisdiction, the GDPR can further play a leading role in international data protection legislation.

Key words: Extraterritorial Jurisdiction; Article 3 of GDPR; Data Protection

1 Background and Introduction of the Extraterritorial Jurisdiction of GDPR

Since the 21st century, with the continuous progress of modern information technology, the Internet has been deeply integrated into every aspect of human life and work, promoting the boom of the digital economy; at the same time, the phenomenon of personal data leakage has also become prominent. A paradox emerges from existing research, in which people are concerned about losing control of their privacy while at the same time eagerly consuming digital products. The use of the Internet is becoming increasingly ubiquitous, while offline activity is gradually losing its territory. A geographically unrestricted Internet not only satisfies the needs of users, but also draws the interest of concerned companies in mining personal data as a valuable and competitive asset [1].

How to protect the data rights of individuals while facilitating the flow of data is a key issue that should be considered in the current legislation of each country. Based on the borderless nature of the Internet, many personal data circulate outside the domain of a country, which poses a challenge to the allocation of jurisdiction on the Internet. In this context, plenty of countries and regions have stipulated extraterritorial jurisdiction provisions in their data protection laws. The so-called extraterritorial jurisdiction refers to a state’s assumption of jurisdiction over people and actions beyond its territory [2], including extraterritorial legislative jurisdiction, extraterritorial judicial jurisdiction and extraterritorial law enforcement jurisdiction [3]. Among them, extraterritorial legislative jurisdiction is the basis, and the other two are the extraterritorial application of legislation [4]. This article focuses on the extraterritorial legislative jurisdiction of the GDPR.

The previous Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Directive, hereinafter referred to as “DPD”) lags behind in regulating extraterritorial jurisdiction and relies heavily on the European Court of Justice for interpretation of its provisions. Against this background, the General Data Protection Regulation (hereinafter referred to as “GDPR”) has been adopted and now enacted. On April 14th, 2016, the European Parliament issued the GDPR, which has been described as “the most stringent personal data protection regulation in history”, in the second reading of the legislative procedure. The official text was issued in the Official Journal of the EU on May 4th, thus ending the four-year-long data protection reform in the EU since the draft legislation was introduced in 2012.

According to Article 99 of the Regulation, it will enter into force after May 24th, 2016, 20 days after its publication in the Official Journal, and will be readily applicable to all EU member states after May 25th, 2018, two years after its entry into force, with a two-year transition period during which each EU member state may transpose the Regulation into its own national law for application.①

Compared with the DPD promulgated earlier, the GDPR has made significant adjustments to the original legislative framework in terms of geographical scope of application, configuration of rights and obligations, design of the regulatory system, penalties and remedies. The provisions on extraterritorial legislative jurisdiction are mainly embodied in Article 3 of the GDPR, which establishes the establishment standard and the targeting standard. In this paper, the content of this article will be expounded and evaluated in detail, and some suggestions for its improvement are proposed accordingly.

2 Analysis on Extraterritorial Jurisdiction of Article 3 of GDPR

Article 3 (Territorial scope) of GDPR provides that “1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. 3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.”

From the content of Article 3 of the GDPR, its geographical scope of jurisdiction is both intra- and extra-territorial. From the extra-territorial jurisdiction perspective, Article 3 of the GDPR applies to the specific processing of personal data of natural persons in the EU by foreign companies. It can regulate persons and matters relating to data protection outside the territory of the EU in the above-mentioned situations. Based on the consistency of certain provisions of the GDPR and the DPD, the provisions of the GDPR will be examined by referring to some interpretations of the DPD and its judicial cases.

2.1 Presence of an Establishment in the EU (establishment standard)

Article 3(1) ensures that the GDPR applies to the processing by a controller or processor carried out in the context of the activities of an establishment of that controller or processor in the Union, regardless of the actual place of the processing. The EDPB therefore recommends a threefold approach in determining whether or not the processing of personal data falls within the scope of the GDPR pursuant to Article 3(1): first by considering the definition of an ‘establishment’ in the EU within the meaning of EU data protection law, second by examining what is meant by ‘processing in the context of the activities of an establishment in the Union’, and lastly by confirming that the GDPR will be applicable regardless of whether the processing carried out in the context of the activities of this establishment takes place in the Union or not②.

First of all, there is no explicit definition of ‘establishment’ in the regulation, but according to the Preamble to the GDPR, establishment implies the effective and real exercise of activity through stable arrangements, and the legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect③. And concerning the freedom of establishment under Article 50 of TFEU (former Article 43 of TEC), the European Court of Justice (ECJ) believed that a stable establishment requires that “both human and technical resources necessary for the provision of particular services are permanently available”④.

In the Weltimmo Case, the Court held that the concept of ‘establishment’ should be defined in a flexible manner in light of Recital 19 in the preamble to Directive 95/46. It found that in order to determine whether a company/data controller has an establishment (within the meaning of Directive 95/46) in a Member State other than the one that it is registered in, one must consider (i) the degree of stability of the arrangements and (ii) the effective exercise of activities in that other Member State. These must be assessed with particular regard to the specific nature of the economic activities and the provision of services concerned. It stated that this test is particularly applicable to exclusively web-based companies. Then, the Court asserted that the concept of establishment “extends to any real and effective activity — even a minimal one — exercised through stable arrangements.”⑤

What’s more, Article 3(1) confirms that it is not necessary that the processing in question is carried out by the relevant EU establishment itself; the controller or processor will be subject to obligations under the GDPR whenever the processing is carried out “in the context of the activities” of its relevant establishment in the Union. The EDPB recommends that determining whether processing is being carried out in the context of an establishment of the controller or processor in the Union for the purposes of Article 3(1) should be carried out on a case-by-case basis and based on an analysis in concreto. Each scenario must be assessed on its own merits, taking into account the specific situation of the case⑥.

Consideration of the following two factors may be of assistance to determine whether the processing is being carried out by a controller or processor in the context of its establishment in the Union. One is the relationship between a data controller or processor outside the Union and its local establishment in the Union, and the other is revenue raising in the Union. If a case-by-case analysis on the facts shows that there is an inextricable link between the processing of personal data carried out by a non-EU controller or processor and the activities of an EU establishment, EU law will apply to that processing by the non-EU entity, whether or not the EU establishment plays a role in that processing of data⑦. And revenue-raising in the EU by a local establishment, to the extent that such activities can be considered as “inextricably linked” to the processing of personal data taking place outside the EU and individuals in the EU, may be indicative of processing by a non-EU controller or processor being carried out “in the context of the activities of the EU establishment”, and may be sufficient to result in the application of EU law to such processing⑧.

2.2 To Provide Goods or Services to or Monitor the Behavior of Data Subjects in the EU (targeting standard)

The “targeting standard” has a completely different legislative logic compared to the “establishment standard” and can compensate for the shortcomings of the “establishment standard” in terms of jurisdictional scope. The “establishment standard” has a natural defect: the standard applies only if the data controller or processor outside the EU has established a business premises in the EU, and it cannot be applied if the above-mentioned condition is not met [5]. According to Article 3(2) of GDPR, if a data controller or processor does not have an establishment in the territory of the EU, the processing of personal data carried out by it is subject to the Regulation in the following two situations. One is that the data controller or processor provides data subjects in the EU with goods or services, whether or not the data subject is required to pay for the goods or services. The other is that the processing by that data controller or processor involves the monitoring of the data subject’s actions occurring in the EU.

For the first situation, the provision of goods or services is the key point. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union⑨.

For the second situation, the act of monitoring is the key factor. In order to determine whether a processing activity can be considered as monitoring the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet, including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes⑩.

2.3 For Reasons of Public International Law

If a data controller does not have an establishment in the EU, and does not fall under the second situation of providing goods or services to data subjects in the EU or monitoring conduct occurring in the EU, but, due to public international law, the law of an EU Member State is applicable in the territory of the data controller, then the Regulation will also apply to the processing of personal data carried out in that territory, based on Article 3(3). And Paragraph 25 of the Preamble to the GDPR stipulates that: “Where Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State’s diplomatic mission or consular post.” This provision is in fact premised on the assumption that public international law allows for the application of EU member state law to the country’s embassies, consulates and diplomatic personnel abroad, so that data processing that takes place at the embassy or consulate should also be subject to EU member state law and vice versa.

3 Comments on Extraterritorial Jurisdiction of Article 3 of GDPR

In terms of the spatial effect of the law, modern countries generally regard the principle of territorial jurisdiction as the primary jurisdiction, supplemented by personal jurisdiction. But for the territorial scope of application of GDPR, it can be seen that the GDPR actually establishes a jurisdictional principle based on the principle of territoriality and supplemented by the principle of effects in terms of the scope of territorial application, which is also a realistic response of the legislature to the jurisdictional problems arising from the increasingly frequent collection, processing and cross-border flow of personal data [6]. Comments will be made on Article 3 of GDPR, and suggestions for its improvement will be put forward in the following part.

3.1 Significance of Article 3 of GDPR

The digital economy offers abundant opportunities for value creation and well-being, but poses a substantial threat to the rights and freedoms of individuals. The EU’s digital platforms are less competitive than those of China and the U.S., which makes greater protection of personal data within its borders urgent. The enactment of the GDPR will help preserve the EU’s digital economy and safeguard the security of personal data within the EU.

In addition, the extraterritorial legislative jurisdiction of the GDPR is also justified by international law. International law does not explicitly prohibit such legislation, and countries around the world, for their own considerations and to achieve the purpose of legal regulation, carry out to varying degrees the national practice of extraterritorial jurisdiction of domestic law.

3.2 Questions to Article 3 of GDPR

While the provisions of Article 3 of the GDPR cater to the borderless nature of the Internet and the need to protect personal data, they are still not without defects. Some scholars question whether the GDPR unduly burdens businesses, especially small and medium-sized enterprises (SMEs), which will have to pay huge compliance costs when the GDPR comes into effect. This is due to the fact that companies subject to the extraterritorial jurisdiction of the GDPR will be subject to high fines if they fail to meet the level of protection of personal data required by the regulation [7]. And some scholars point out that if the primary focus in determining the targeting standard is on the apparent intent of the surveillance conduct, then some data controllers may intentionally circumvent the law by using third parties to conduct surveillance [1]. This article does not intend to address such issues in detail, but would like to raise three questions about Article 3 of the GDPR.

First of all, Article 3(1) of GDPR may lead to a strong conflict of laws. The reason for this is that extraterritorial jurisdiction by the “establishment standard” may be in conflict with the jurisdiction of the country where the data processing takes place. What’s more, based on Article 3(2), the “targeting standard” is inherently flawed: if a data-processing practice meets the standard and falls within the scope of the GDPR, member state data supervisors who find that the practice does not comply with the substantive provisions of the GDPR will not be able to enforce investigations, warnings, administrative fines, etc., as the practice is extraterritorial. Furthermore, the hypothetical premise regarding Article 3(3) is difficult to establish, since public international law does not recognize an embassy or consulate in another state as the territory of the sending state, but only grants certain privileges and immunity for diplomatic personnel, and special protection.

3.3 Suggestions for Article 3 of GDPR

From the above analysis, the problem with Article 3 of the GDPR lies mainly in the ambiguity of its extraterritorial jurisdiction provisions and its tendency to over-jurisdiction. There are three suggestions for improving Article 3 of GDPR.

First of all, the ambiguity of the provisions needs to be constantly determined by combining the legislative history of the regulations and the decisions of relevant cases to prevent overexpansion of the interpretation of extraterritorial jurisdiction.

What’s more, in judging whether to apply the regulations, it is important to adopt a certain degree of modesty and consider the limitations on extraterritorial jurisdiction in international law. For extraterritorial jurisdiction in international law, limitation factors include prohibition of intervention (interference) in other states’ affairs; prohibition of abusing the law (rule of moderation); rule of international comity; crucial necessity of the extraterritorial actual state of affairs regulation and so on [2].

Besides, the more backward countries, regions and SMEs are at a disadvantage in data protection compliance, and they should be provided with more compliance guidelines and given certain preferential policies in the enforcement process.

4 Conclusion

The EU enacted and implemented the GDPR in order to better achieve its goals of protecting the security of personal data and maintaining its data economy by providing extraterritorial legislative jurisdiction provisions in Article 3 of the GDPR. Although the provision itself has shortcomings, it also has certain legitimacy and leads the international trend of regulating extraterritorial jurisdiction provisions in data protection law or information protection law. As a regulation dedicated to the strict protection of personal data rights, the GDPR still needs to continue to clarify relevant vague concepts through judicial practice, prevent excessive extraterritorial jurisdiction and conflict of laws by considering international comity and other restrictive factors, and better balance the interests of various subjects including countries, regions, enterprises and individuals. These urgent improvements are also the current difficulties, which are far from ready conclusions.

Notes:

① See Article 99 of GDPR.

② See Guidelines 3/2018 on the territorial scope of the GDPR, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en.pdf, p. 5.

③ See the Paragraph 22 of the Preamble to the GDPR.

④ See ARTICLE 29 DATA PROTECTION WORKING PARTY, “Opinion 8/2010 on applicable law”, p. 11.

⑤ See Weltimmo, Case C-230/14, https://gdprhub.eu/index.php?title=CJEU_-_C%E2%80%91230/14_-_Weltimmo.

⑥ See Guidelines 3/2018 on the territorial scope of the GDPR, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en.pdf, p. 7.

⑦ See G29 WP 179 update - Update of Opinion 8/2010 on applicable law in light of the CJEU judgment in Google Spain, 16th December 2015.

⑧ See Google Spain (Case C-131/12), https://fra.europa.eu/en/caselaw-reference/cjeu-c-13112-judgment.

⑨ See the Paragraph 23 of the Preamble to the GDPR.

⑩ See the Paragraph 24 of the Preamble to the GDPR.