The extraterritoriality of EU data privacy law - its theoretical justification and its practical effect on U.S. businesses

• Published in: Stanford journal of international law Vol. 50; no. 1; pp. 53 - 102
• Main Author: Svantesson, Dan Jerker B
• Format: Journal Article
• Language: English
• Published: Stanford Law School 2014
• Subjects: BUSINESS; DATA PROTECTION; Data security; Economic aspects; Exterritoriality; Extraterritoriality; Fines (Penalties); Law and legislation; Laws, regulations and rules; Multinational corporations; PRIVACY; Right of privacy; UNITED STATES
• ISSN: 0731-5082; 2164-8301; 2164-8301

Due to its extraterritorial effect, the European Union's trailblazing data privacy law has long been a major concern for U.S. businesses. With the proposal for a new EU data privacy framework with potential penalties of up to two percent of an offending enterprise's annual worldwide turnover, and with the European Union at the same time expanding the extraterritorial reach of its data privacy law, such concerns are justified indeed. This Article examines the extraterritoriality of current and proposed EU data privacy law and analyses whether reference to international law can either strengthen or weaken those claims of extraterritoriality. In doing so, this Article demonstrates that international law lends support to the approach to extraterritoriality adopted in the EU data privacy law. At the same time, however, the examination of EU law highlights that, from the perspective of extraterritoriality, the current EU Directive is dysfunctional in its unnecessary complexity, and the proposed EU Regulation is in desperate need of refinement. Finally, the Article presents a doctrine of "market sovereignty," established by reference to the effective reach of "market destroying measures, as a mechanism for determining the extraterritorial reach of jurisdictional claims.
Due to its extraterritorial effect, the European Union's trailblazing data privacy law has long been a major concern for U.S. businesses. With the proposal for a new EU data privacy framework with potential penalties of up to two percent of an offending enterprise's annual worldwide turnover, and with the European Union at the same time expanding the extraterritorial reach of its data privacy law, such concerns are justified indeed.This Article examines the extraterritoriality of current and proposed EU data privacy law and analyses whether reference to international law can either strengthen or weaken those claims of extraterritoriality. In doing so, this Article demonstrates that international law lends support to the approach to extraterritoriality adopted in the EU data privacy law. At the same time, however, the examination of EU law highlights that, from the perspective of extraterritoriality, the current EU Directive is dysfunctional in its unnecessary complexity, and the proposed EU Regulation is in desperate need of refinement.Finally, the Article presents a doctrine of "market sovereignty," established by reference to the effective reach of "market destroying measures, as a mechanism for determining the extraterritorial reach of jurisdictional claims.