Data Power Europe GDPR Jurisdictional Reach and the bid for an international unilateral standard

Classe Accademica di Scienze sociali

Settore di Scienze Politiche

Data Power Europe

GDPR Jurisdictional Reach and the bid for an

international unilateral standard

Filippo Pierozzi

Docente relatore:

Prof.ssa Caterina Sganga

Docente tutor:

Abstract

Despite the sharp increase in data protection laws that the world has witnessed during the last decade, differences remain in both the approaches and values underpinning data protection regimes. Both the unintended leverage exerted by the EU through its single market and its role as a normative model have been addressed as potential explanations for the external effects of the EU data protection laws, increasingly hailed as a ‘golden standard’. The steep rise of data in the digital era and the need to cope with the potential legal vacuum created by unterritorial nature of data have been challenging the traditional principles of jurisdiction. Furthermore, these trends acted as a trigger for EU policy-makers to develop an all-encompassing data protection framework ‘for the 21st _{Century’. The General Data}

Protection Regulation provides for the first time a harmonized regime at the EU level with a view to enhancing coherence and legal certainty. Moreover, the Regulation - in force from the 25 May 2018 –constitutes a watershed moment for EU external relations. This thesis will echo Mr. Albrecht – GDPR’s Rapporteur - remarks on ‘how the GDPR will change the world’: hence, the main question will be how the broadened jurisdictional scope will affect the external relations of the EU vis-à-vis third countries following different rationales in data protection. For this purpose, the theoretical framework is constituted by Bradford’s ‘Brussels Effect’ theory, duly complemented with Scott’s considerations on the ‘territorial extension’ of EU law. The model isinspired by an ‘analytically eclectic’ approach and it draws on both the academic debate on extraterritoriality of EU law and theories of ‘EU-as-power’. It aims to provide an evaluation of the voluntary and unintended global effects of the GDPR at the level of EU

relations with third countries. This thesis draws on the interviews carried out with EU officials who participated directly

in the drafting process of the GDPR and attorneys of major law-firms practicing in data protection regulation. The findings suggest that both the EU official narrative and the very legal basis of the GDPR are grounded in fundamental rights protection. The EU leverage as a ‘market power’ might guarantee an enhanced role to the Regulation as a ‘seal of trust’ for foreign companies. In an increasingly fragmented scenario of internet and cyberspace governance, the EU rights-based model and its heightened emphasis on data protection alongside the increasing role of data protection as a seal of trust allowing for international trade might elicit confrontational

responses curtailing the possible creation of a coherent data governance regime at the global level.

Table of Contents

Abstract ... iii

List of Abbreviations ... vi

Preamble: ‘Post Data Resurgo’ – the EU’s Global Role in Data Protection ... 1

1 Introductory Section ... 4

1.1 The Meaning of Jurisdiction ... 4

1.2 EU and US: different stories, same morale?... 8

1.3 ‘Will the GDPR Change the World?’ ... 12

1.4 A Data Protection Framework for the XXI Century ... 16

2 Analysis’ Overview ... 22

2.1 Theoretical Framework... 22

2.2 Sources, Scope and Methodology ... 28

3 Legal Analysis. EU Data Protection and Jurisdiction. ... 31

3.1 Regulation’s scope and the meaning of ‘territoriality’ ... 31

Art. 3 GDPR: not a ‘Copernican Revolution’ ... 34

3.2 ... 34

3.3 The Market and the Territory ... 41

4 Policy Considerations. The EU as an International Player in Data Protection ... 47

4.1 ‘Market Power Europe’ and Data Protection ... 49

4.1.1 EU data protection law as a ‘seal of trust’ ... 49

4.1.2 The Effects on Private Companies ... 55

4.1.3 GDPR Tentative Global Reach and its Side Effects ... 57

4.1.4 The Outliers: Emulation without Convergence ... 60

4.2 Normative Power Europe and Data Protection... 63

5 Rethinking Data Jurisdiction beyond the GDPR ... 68

6 Conclusion ... 73

7 Provisional Takeaways ... 77

Bibliography ... 80

List of Abbreviations

Art. 29 WP Article 29 Working Party

CFREU Charter of Fundamental Rights of the

European Union

CJEU Court of Justice of the European Union

DG CONNECT Directorate-General for Communications

Network, Content and Technology

Directive 95/46 Directive 95/46 “Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data”

DG JUST Directorate-General for Justice and Consumers

EU European Union

GDPR General Data Protection Regulation

(2016/679 EU)

TEC Treaty Establishing the European

Community

TFEU Treaty on the Functioning of the European

Preamble: ‘Post Data Resurgo’ – the EU’s Global Role in

Data Protection

The tidal wave of data flows and the complex patchwork of overlapping regulations significantly effect the legal ground. hile territory is still relevant in exercising jurisdiction, “the relevance of a practical distinction between territoriality and extraterritoriality is decreasing, especially in the online sphere”1_.

Data –challenges the ‘identifiable and stable location principle’ as it can flow across borders with “ease, speed, and unpredictability” making its location unstable and arbitrary.2 _{Furthermore data, due to its mobility, interconnectednessand divisibility, calls}

into question the centrality of territoriality as determinative of the constitutional and statutory rules determining jurisdiction.3

Despite opinions expressed by scholars such as Greenleaf and Taylor however, it is debatable whether the EU has managed to “successfully become a global standard-setter in the data protection sphere.”4_{. While we maintain that the EU is striving to set ‘a high}

global data protection norm, enabled by the fundamental right to data protection conditioning its exercise of extraterritorial jurisdiction’, on the other hand this study asserts that normative considerations might not suffice to prove EU effectiveness as a global standard setter.

The natural dichotomy of EU functions and the raison d’etre between a market power and a normative-based actor, leads us to suggest that in order to fully evaluate Brussels’ performance as a standard-setter, economic and political considerations and effects should be inserted in the equation.

EU Commission President Juncker himself, whilstaddressing the EU-India business forum, labeled data as the ‘black gold of 21st _century’.5 _{During the last two decades, both}

1 _{M. Taylor, “Transatlantic Jurisdictional Conflicts in Data Protection Law”, PhD Thesis, 2018, p. 250.} 2 _{J. C. Daskal, “The Un-Territoriality of Data”. Yale Law Journal, Vol. 125, 2016, p. 329.}

3 _{Ibid., pp.329-331.} 4 _Ibid.

5 _{European Commission, “Keynote address by President Jean-Claude Juncker at the EU-India Business}

Forum”, New Delhi, 6 October 2017, retrieved 12 April 2018: http://europa.eu/rapid/press-release_SPEECH-17-3751_en.html

technological developments and evolving political scenarios have, over time, impacted EU data protection law and its scope. The tidal wave of data and the opening of the digital frontier created a scenario that could have no longer be tackled by the previous data protection law designed around an offline scenario. As Commissioner Viviane Reding noted, the Directive 95/46 dated from ‘pre-Internet times’, when just 1% of the population was using the Internet.6 _{Stakes for the EU are high: “rapid technological developments}

and globalization have brought new challenges for the protection of personal data.”7 _In

this regards, Justice Commissioner Vera Jourovà emphasized that the ‘unified and unique’ GDPR set of rules “will lead to the EU becoming the world leader, setting the standards also for the rest of the world”.8 _{Moreover, while there is a clear need for new}

privacy and data protection laws ”designed to the online age”, the possible unintended consequences of the GDPR require that we reconsider the extent of its impact on the trends in data protection worldwide.9

While the European Data Protection Supervisor welcomed the GDPR as a ‘clarion call for a new digital gold standard,’ with the ability to act as a ‘genuine platform for global partnerships’,10 _{it is worth noting how different rationales underpin data protection}

6 _{Viviane Reding, EU Commission Vice-President, “The EU Data Protection Reform 2012: Making Europe}

the Standard Setter for Modern Data Protection Rules in the Digital Age”, Innovation Conference Digital, Life, Design Munich, 22 January 2012, Speech 12/26, retrieved 8 April 2018: http://europa.eu/rapid/press-release_SPEECH-12-26_it.html

7 _{European Parliament and Council of the European Union, “Regulation (EU) 2016/679 Of The European}

Parliament And Of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal of the European Union, 4 May 2015, (henceforth: “GDPR”), para. 6.

8 _{V. Jourovà in European Parliament, “Protection of individuals with regard to the processing of personal}

data - Processing of personal data for the purposes of crime prevention (debate)”, Strasbourg, 13 April 2016.

9 _{M. Scott, “Europe’s new privacy rules are no silver bullet”, Politico.eu, 22 April 2018, retrieved 29}

November 2018:https://www.politico.eu/article/gdpr-rules-europe-facebook-data-protection-privacy-general-data-protection-regulation-cambridge-analytica/

10 _{G. Buttarelli, “The EU GDPR as a clarion call for a new global digital gold standard”, European Data}

Protection Supervisor, 1 April 2016, retrieved 28 April 2018:

making both in the EU and the global level. In fact, “while personal data is not a currency, it has monetary value [moreover, it] is also intrinsically linked to the dignity, autonomy, and personality of individuals.”11

Data protection sits at an uneasy crossroad between the pivotal core values of the EU and the aim to boost the EU economy. Moreover, as noted by the Ethics Advisory Group report, data flows raise crucial social, legal and ethical questions on the value of existing political and legal boundaries. In fact, “[m]ore than any other human enterprise, the wide-reaching circulation of data through worldwide networks, the global reach of its power to set standards across national borders and its trade and use in the business of everyday life,

fulfil even the most audacious visions of globalisation”. 12

The theoretical and ethical debate on the meaning of core EU and universal values such as freedom, justice, democracy, autonomy overlap with the quest for a regional legal system updating the Directive 95/46. The new data geopolitics is shaped by “differences in data protection rules applied across national borders that no longer represents the limits of data flows”.13

The trade-effects of the GDPR, far from being a side effect of a legal and normative design, are a quintessential part in understanding the whole framework. Moreover, the degree of convergence to both the EU acquis and towards the new data protection laws will be codetermined by trade and economic effects. As a recent Bruegel study noted “GDPR will have different implications for different trade partners of the EU. While the range of countries concerned by GDPR is broad […] this heterogeneity of impact should inform EU policy-makers in their efforts to make GDPR the global standard for personal data protection”14

11 _{F. Costa-Cabral & O. Lynskey, “Family ties: the intersection between data protection and competition in}

EU Law”, Common Market Law Review, 54(1), 2017, pp.11-50, p.12.

12 _{EDPS Ethics Advisory Group, Towards a Digital Ethics, Report, 2018, p. 9.} 13 _{Ibid., p. 23.}

14 _{S. Chowdhry and Moës, N., “Trading invisibles: Exposure of countries to GDPR”, Bruegel, 28 June}

1 Introductory Section

1.1 The Meaning of Jurisdiction

‘Jurisdiction’ is a polysemous word both in international and domestic law. In public international law, jurisdiction is commonly understood to refer “to the legal

authority of States to set and enforce rules with respects to acts that may, or may not, take

place on their territory”.15

As we have mentioned above, in the broadest sense it refers both to the regulatory competence of a State vis-à-vis others and the sharing of this power between States.16

The two aspects emphasize the territorial dimension of jurisdiction and of the broader concept of sovereignty17 _{as it has emerged in the contest of the post-Westphalian}

equilibrium.18

The avoidance of undue encroachment on other territories is a fundamental principle of “jurisdiction as a coordination game”19_{. Moreover, as it has been noted by Wolfgang}

15 _{C. Ryngaert, Jurisdiction in international law, 2015: another useful definition can be found in Oxman,}

B. H. “Jurisdiction of states”. Encyclopedia of public international law, 3(S 55), 1988: “the State’s lawful power to act and hence to its power to decide whether and, if so, how to act, whether by legislative, executive or judicial means. […] It denotes primarily, but not exclusively the lawful power to make and enforce rules”.

16 _{U. Kohl “The rule of law, jurisdiction and the Internet”. International Journal of Law & Information}

Technology, Vol. 12, Issue 3, 2004, p. 14.

17 _{Territorial sovereignty and exclusive jurisdiction are closely related: the first implies that “the respective}

State alone is entitled to exercise jurisdiction, especially by subjecting objects and persons within its territory to domestic legislation and enforce these rules” (emphasis added) W.H. von Heinegg, " Legal implications of territorial sovereignty in cyberspace", 2012, p. 8. Moreover, Max Huber in the Palmas

Island Arbitration affirmed as a general principle that “sovereignty in the relations between States signifies

independence, Independence in regard to a portion of the globe is the right to exercise therein, to the exclusivity of any other States, the functions of a State”. Reports of International Arbitral Awards (1928), Island of Palmas case (Netherlands, USA), April 4, 1928, p. 838. http://legal.un.org/riaa/cases/vol_II/829-871.pdf,

Even though there is no universally agreed definition, the considerations of international sovereignty revolve around “the recognition of a government’s right to exercise exclusive control over territory” (emphasis added). Jensen, E. T. “ Cyber Sovereignty: The Way Ahead” Tex. Int'l LJ, 50, 201, p. 274

18 _{A. Mills, "The private history of international law". International and Comparative Law}

Quarterly, 55(01), 2006, pp.1-50, pp. 33-37.

19 _{T. Schultz, "Carving up the Internet: jurisdiction, legal orders, and the private/public international law}

interface." European Journal of International Law 19, no. 4, 2008, pp. 799-839. p. 808. The idea is “that a state is […] prima facie free to legislate or regulate with respect to persons or event beyond its territory, as

Friedman, the system of international law could be summarised as a ‘law of coexistence’, i.e. a departure from “an essentially negative code of rules of abstention to positive rule of co-operation”.20

Nevertheless, such a cooperative view of ‘jurisdiction’ in the international arena has been questioned from both a theoretical and practical standpoint. Mann emphasizes the ‘deep doctrinal link’ between jurisdiction and conflict of laws and the complementarity of the two.21

The Restatement (Third) on Foreign Relations Law of the United States asserts that “in a number of contexts the question of jurisdiction to prescribe resembles questions traditionally explored under the heading of conflict of laws (private international law)”.22

Inasmuch as debates surrounding conflicting laws of data jurisdiction and public international law are closely tied together, it is worth underscoring that for the latter, the term jurisdiction is used in a much broader sense than in domestic or in private international law, essentially encompassing any exercise of regulatory power.23

To summarize, regulatory activity in the transnational legal context tends to be divided in into three types: these may overlap and thus the distinction is not always easy to maintain.24

Prescriptive jurisdiction (or legislative jurisdiction): the jurisdiction to prescribe the

limits on the law-making power of government, i.e. the permissible scope of application

long as doing so does not interfere with the same right of states that may have a closer connection to those persons or event”, Ibid.

20 _{W. Friedmann, The changing structure of international law, Columbia University Press. 1964, p. 62} 21 _{F.A. Mann, ‘The Doctrine of Jurisdiction in International Law’ Recueil des Cours de l’Académie de Droit}

International 9, reprinted in Mann, F.A. Studies in International Law. Oxford: Clarendon Press, 1964, pp.

11-12.

22 _{The Restatement of the Law (Third), The Foreign Relations Law of the United States (American Law}

Institute Publishers 1987), vol. 1, 237.

23 _{A. Mills, "Rethinking Jurisdiction in International Law", British Yearbook of International Law, 84(1),}

2014, pp. 187-239, p. 194.

24 _{Kohl, op.cit., p. 7; Mills, “Rethinking Jurisdiction in International Law” more generally see: generally,}

C. Staker, ‘Jurisdiction’, in Malcolm D. Evans (ed.), International Law, OUP, 2014; Brownlie, I., and Crawford, J. Brownlie's principles of public international law. Oxford University Press, 2012.

of the laws of each State.25 _{Legislative jurisdiction may be concurrent rather than}

exclusive.26

Adjudicative jurisdiction (or judicial jurisdiction): the jurisdiction to adjudicate the limits

on the powers of the judicial branch of government27_{, namely - insofar as data are}

concerned – “the power of a State’s courts to try cases involving a foreign element”28_.

Enforcement jurisdiction (or executive jurisdiction): the jurisdiction to enforce the limits

on the executive branch of government responsible for implementing law, i.e. the power of one State to perform acts in the territory of another State’.29

Even though an investigation on prescriptive and adjudicative jurisdiction falls outside the scope of the present study, the overview provided above could be valuable, bearing in mind that the legality of enforcement jurisdiction is closely connected with that of legislative and adjudicative jurisdiction30 _{and limitations on one type of jurisdiction may}

affect the scope of the others.31

Despite the controversies surrounding the boundaries of public international law’s prescriptive jurisdiction, there is general agreement on its main framework: States are recognized as having prescriptive jurisdiction based on one of two types of connecting factors – territoriality (intimate connection between territorial control and statehood in international law) and nationality, reflecting ideas of individual subjectivity to sovereign power.32

“The territorial character of enforcement jurisdiction is well established, and an important reflection of the principle of non-intervention in the internal affairs of other states”33_:

25 _{A. Mills, “Rethinking Jurisdiction in International Law”, p. 195}

26 _{C. Kuner, "Data protection law and international jurisdiction on the Internet (part 1)". International}

Journal of Law and Information Technology, 2010, p. 184 and Svantesson, D. Private international law and the internet. Kluwer law international, 2007, p. 245

27 _{A. Mills, "Rethinking Jurisdiction in International Law", 2014, p. 195} 28 _{M. Akehurst "Jurisdiction in international law.", 1972, p. 145} 29 _Ibid.

30 _{International Law Commission (ILC), ‘Report on the Work of its Fifty-Eighth Session’ (1 May-9 June}

and 3 July-11 August 2006) UN Doc A/61/10, Annex E, para. 5, stating that ‘the internationally valid exercise of prescriptive jurisdiction in the adoption of a law is a prerequisite for the valid exercise of adjudicative or enforcement jurisdiction with respect to that law’.

31 _{A. Mills, The Confluence of Public and Private International Law. Cambridge University Press, 2009,}

p. 229

32 _{A. Mills, "Rethinking Jurisdiction in International Law", and C. Staker, Jurisdiction. International Law}

(4th ed., 2014, pp. 323-326.

Adjudicative and legislative jurisdiction have an extra-territorial reach, but enforcement jurisdiction is, in international law, almost exclusively territorial.34

Although these principles have been accepted for decades, with the advent of Internet andto an even greater extent, cloud computing and ground-breaking data storage techniques, the traditional bedrocks of international law have been challenged. As a result, the core of the debate relies upon the extent of that ‘almost’.

The Harvard draft35 published in 1935 by the American Journal of International Law

constituted a “sterling research effort” by top scholars which embodied and summarized the main grounds for exerting jurisdiction in international law.36 _{The Harvard Draft}

streamlined and emphasized the territoriality principle as “everywhere regarded as of primary importance and of fundamental character”.37

Following this traditional approach, once operating outside its territory, the State loses its position of ultimate authority and it has to rely on permissive rules of international law to claim jurisdiction.38

While it is undisputed that “States may exercise sovereign prerogatives over any cyber infrastructure located on their territory, as well as activities associated with that cyber infrastructure”,39 _{cyberspace as a whole cannot be positioned territorially solely because}

it runs on territorial infrastructures.

34 _{Ibid. p. 195 and Kohl, op. cit., pp. 16-18}

35 _{Harvard Research Draft Convention on Jurisdiction with Respect to Crime. Draft Convention on}

Jurisdiction with Respect to Crime. The American Journal of International Law. Vol. 29, Supplement: Research in International Law, 1935, pp. 439-442.

36 _{D.J. Svantesson,}

" A new jurisprudential framework for jurisdiction: Beyond the Harvard Draft." American Journal of

International Law Unbound, 2015, p. 69;

37 _{Draft Convention on Jurisdiction with Respect to Crime. The American Journal of International Law.}

Vol. 29, Supplement: Research in International Law, 1935, pp. 439-442.

38 _{M. Zoetekouw, “Ignorantia Terrae Non Excusat” - Discussion paper for the Crossing Borders -}

Jurisdiction in Cyberspace conference, 2016, February 25, 2016. Available at: https://english.eu2016.nl/documents/publications/2016/03/7/c-mzoetekouw---ignorantia-terrae-non- excusat---discussion-paper-for-the-crossing-borders---jurisdiction-in-cyberspace-conference-march-2016---final

39 _{M.N. Schmitt, Tallinn manual on the international law applicable to cyber warfare. Cambridge}

University Press, 2013. The scope of territorial sovereignty includes the cyber infrastructures “located on a State’s land area, in its internal waters, territorial sea and, where applicable, archipelagic waters, and in national airspace”

We argue that data storage and data flows in the cloud erode the traditional features of jurisdiction.40 _{Contrarily , the ‘unexceptionalist’ approach maintains that there is nothing}

truly unique in cyberspace’s dynamics, therefore every jurisdictional dispute should be solved according to the traditional territoriality criterion.41

Even if we were to assume that jurisdiction could always be rooted in territoriality, it should be recognized that the concept of territorial sovereignty no longer suffices to fully address jurisdictional claims.42 _{Due to the panoply of conceptions linked to ‘where data}

lies’ – i.ethe physical location of the server, the location of the user, the domain of the address etc - “a State might legitimately assert its jurisdiction over a piece of data because that data or its controller is located on the state’s territory, or simply because the data is need for law enforcement there”43

1.2 EU and US: different stories, same morale?

The landmark ‘Microsoft Ireland’ case has been defined as a logical consequence of the ‘post-Snowden’ era, characterised by an increase emphasis on the need to strike a balance between security and privacy and to keep the momentum in solving jurisdictional conundrums concerning data jurisdiction.44

40 _{Although Daskal and Ryngaert in their essays go too far as the implications of cloud and data flows}

proclaiming that they “shake jurisdiction at its core” and suggesting a “community based approach”, we agree with Scassa and Currie: “Not only does the Internet pose new challenges for states in terms of how to determine when and how they should exercise their jurisdiction, the Internet and the related phenomenon of globalization also have an eroding effect on jurisdiction.” Scassa, T. and Currie J.R., “New First Principles? Assessing the Internet’s Challenges to Jurisdiction”, 42 Geo. J. Int’l L. 2012, p. 1063

41 _{D.R. Johnson, & Post, D.G., “Law and Borders: The Rise of Law in Cyberspace”, Vol. 48 Stanford Law}

Review, 1996, p. 1367 and D.G. Post, D, G., “Against ‘Against Cyberanarchy’”, Berkeley Technology Law Journal, 2002, p 1365.

42 _{Svantesson, D. J. B." A new jurisprudential framework for jurisdiction: Beyond the Harvard Draft", 2015,}

p. 70

43 _{A.K. Woods, "Against Data Exceptionalism". Stanford Law Review, 2015, p. 38}

44 _{De Hert, P. & J. Thumfart “The Microsoft Ireland case and the cyberspace sovereignty trilemma”,}

Thinking in traditional terms and concepts cannot provide a secure basis for the evaluation of jurisdictional disputes.45 _{Both Microsoft and US Government claims are plausible,}46

which indicates that ‘sharp lines’ can no longer be drawn between what is territorial and what is extraterritorial.47 _{In fact, Microsoft Global Criminal Compliance Team argued}

from the very beginning of the case that since it was “determined that the target account was host in Dublin and the content information stored there, it filed the instant motion seeking to quash the warrant to the extent it directs the production of information stored abroad.”48 _{Hence, “to the extent that the warrant here requires acquisition of information}

from Dublin, it is unauthorized and must be quashed”.49 _{On the other hand, the US}

Government, echoing Judge James Francis IV reasoning,concluded that the relevant reference point for the purpose of warrant’s jurisdiction was the location of the provider,

45 _{When in 2013 Microsoft was asked to produce the emails of a suspected drug-trafficker stored in Ireland,}

Microsoft stressed that committing to the judge’s request would have “violate[d] the territorial integrity of sovereign nations and circumvent the commitments made by the US in mutual legal assistant treaties”, concluding that “Court in the US lack authority to issue warrants for extraterritorial searches and seizures”. The EU (in particular Members of the European Parliament and EU Data Protection and Privacy Scholars) stepped into the case filing an amicus brief endorsing Microsoft’s positions: “EU rules apply to the email account covered by the warrant” and a mutual legal assistant treaty should be used. US Department of Justice emphasized that would have been Microsoft that had to do the extraterritorial search (not the US Government) and that the company was obliged to do so since the data was under its control “regardless the location of that information”. Ibid.

While it falls beyond the scope of this research an in-depth analysis of how the Microsoft Ireland case might have speeded up the drafting process of the GDPR and onto how it might affect the dynamic towards ‘cyber sovereignty’ or ‘cyber balkanization’ (Cfr. Dert & Thumfart), it is telling of the overlapping rationales that come into play when States are called to decide on jurisdiction on data flows.

For political considerations see: Nakashima, E. “Supreme Court to hear Microsoft case: A question of law and borders”, The Washington Post, 25 February 2018; among the many legal analyses see, about the effects on the international level: K. Eichensehr, “Microsoft, Ireland, and the Rest of the World”, Just Security, 21 February 2018; for a US domestic overview cfr. J. Daskal, “Microsoft Ireland Argument Analysis: Data, Territoriality, and the Best Way Forward”, Harvard Law Review Blog, 28 February 2018.

46 _{We remind that, after District Court ruling Microsoft opposed the warrant since the relevant e-mails were}

located exclusively in its Dublin servers, and argued that the US enforcement activities are extraterritorial. The United States Government asserted that, as all the activities required to retrieve the data can be operated from the US, it is not extraterritorial jurisdiction. We agree with Prof. Dan Svantesson in saying that United States may support its claim with the territoriality principle, nationality principle and protective principle (more on this below). At the same time Ireland may argue that the warrant was a violation of its territorial sovereignty and may rely upon the territoriality principle and the duty of non-interference in internal affairs. Svantesson, D. " A new jurisprudential framework for jurisdiction: Beyond the Harvard Draft". American

Journal of International Law Unbound, 2015, p. 70

47 _Ibid.

48 _{United States Court of Appeals for the Second Circuit, Decided: July 14, 2016, d. No. 14-2985, In the}

Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, p. 7.

not the location of data arguing that “the fact that those premises [where data were stored] were located abroad was, in the magistrate judge’s view, of no moment”.50

Keeping in mind the analogies between the Internet and the cloud storage,51 _{we call}

attention to the increasing difficulty in allocating the jurisdictional (i.e. regulatory) competence on the ground of the location of both things and conducts.

“The traditional solutions to transnational events were workable because these events were exceptional.” However, when disputes around transnational events are common – and likely to grow at a similar pace of data storage – instead “squeezing them into a system designed to handle the exceptional occurrence is highly inefficient”.52

This new quantitative burden to which traditional jurisdictional regimes are subjected to gives rise to a floodgate argument: the “complex jurisdictional regimes,to an environment where most conduct a transaction are localised within a State – are unsustainable in the Internet age where transnational conducts are far from exceptional”.53

The tremendous increase in – latu sensu - transnational events adds another layer (acting as a ‘quantitative hurdle’) to the debate on adequacy of traditional jurisdictional principles.

Although jurisdictional disputes in cyberspace are rapidly increasing, appeals to floodgates arguments are often exaggerated.

As Kohl argued in his seminal work ‘Internet and Jurisdiction’, “legal argumentation must focus on retaining, reshaping and redesigning rules, and searching for ways in which these can be preserved […] In addition to searching for what may be perceived as the best solutions, the inquiry must focus on the least disruptive solutions. Their shortcomings in efficiency they make up through providing continuity and certainty”.54

As it has been suggested by eminent scholars, a more nuanced approach to data jurisdiction would allow one to reflect more broadly than just in a ‘mechanically binary fashion’. Indeed, regulators are increasingly considering factors beyond the traditional

50 _{United States Court of Appeals for the Second Circuit, Decided: July 14, 2016, d. No. 14-2985, In the}

Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, p. 20.

51 _{D. C. Andrews, & J. Newman, "Personal Jurisdiction and Choice of Law in the Cloud". Md. L. Rev., Vol.}

73, 2013.

52 _{Kohl, op. cit. p. 110.} 53 _{Ibid. pp. 110 – 111.} 54 _{Kohl, op.cit., p. 65.}

principles underlying territorial jurisdiction. substantial connection between the matter and the State seeking to exercise jurisdiction and States’ legitimate interest in the matter55

are taking ground as bases of jurisdiction. The European Union is increasingly involved in the debate over global data regulation and its position on the matter bears more and more clout on concurrent data protection systems.

Accordingly, while the nexus between the domestic US law dispute between a private firm and the US Government and the introduction of a new regime for data protection law in Europe might seem somehow blurred, the main underlying jurisdictional concerns are the same.

As Jennifer Daskal noted, the GDPR represents the EU’s effort to set international standards via domestic regulation ‘rather than a global meeting of government […] working out new standards and rules’.56 _{It stems, in other words, from a unilateralism that}

aims at broadening and stretching the legal concept of jurisdiction to include both foreign

citizens bridging the usual divide between territoriality and extraterritoriality. As it will be further elaborated in the legal analysis, art. 3.2 of the GDPR clearly states

that the regulation applies to any company directing business at the EU market or monitoring EU data subjects providing what has been labelled as a ‘moderate destination approach’57

The intertwined legal pattern between EU data protection regime and the US data laws might be observed in EU Commission amicus curiae brief filed in the Microsoft Ireland

Warrant case outlined above.

It is also worth observing how the amicus brief belongs to a certain extent to a pre-GDPR phase in which the transition was not yet completed. In fact, the Commission seemed to embrace the principle of the presumption against extraterritoriality, welcomed in the US as the Charming Betsy canon.

55 _{D. Svantesson, “A new jurisprudential framework for jurisdiction: Beyond the Harvard Draft”; and}

Svantesson, “ Against ‘Against Data Exceptionalism.’”

56 _{J. Daskal, “Microsoft Ireland, the CLOUD Act, and International Lawmaking 2.0”, Stanford Law}

Review, May 2018, available at: https://www.stanfordlawreview.org/online/microsoft-ireland-cloud-act-international-lawmaking-2-0/

[a]ny domestic law that creates cross-border obligations—whether enacted

by the United States, the European Union, or another state—should be applied and interpreted in a manner that is mindful of the restrictions of international law and considerations of international comity. The European Union’s foundational treaties and case law enshrine the principles of “mutual regard to the spheres of jurisdiction” of sovereign states and of the need to interpret and apply EU legislation in a manner that is consistent with international law.58

1.3 ‘Will the GDPR Change the World?’

58 _{European Commission, Brief of the European Commission on Behalf of the European Union as}

Amicus Curiae in Support of Neither Party, available at:

https://www.supremecourt.gov/DocketPDF/17/17-2/23655/20171213123137791_17-2%20ac%20European%20Commission%20for%20filing.pdf

This thesis will start from turning Jan Albrecht’s – GDPR’s Rapporteur and ‘architect’ – reflections on ‘how the GDPR will change the world’ in a crucial question

bearing the highest legal and political significance for the EU as a whole. 59

Thus, the analysis aims to develop a middle-level theory building on the scholarly debate on territoriality and jurisdiction and on the theories on the EU’s normative or economically-driven regulatory power.

Hence, it will be evaluated how the external effects of EU data protection law might interact with concurrent data protection models and, broadening the scope of the inquiry, influence the EU’s relations with major powers. It will be held that - not merely a normative instruments to promote a EU-centric ‘data imperialism’60 _{nor a mere}

side-effect of internal market policies - the EU data protection regime enshrined in the GDPR is gaining momentum at the international level, thanks to both its normative features and

the incentives that the EU is able to provide through its market size.61

Bearing in mind the impracticality of developing a catch-all framework for evaluating the

global reach of EU data protection laws, 62

this thesis will refrain from the introduction of novel far-fetched theoretical concepts. Moreover, as further developed in Chapter 2, the value of quantitative analyses that have sought to correlate the relative power wielded by EU data protection laws with the intensity of the EU’s economic relations with third countries will be recognized. Nonetheless, similar analysis – such as the comprehensive study carried out by Heisenberg for pre-GDPR EU data protection regime63 _{- would suggest a purely}

59 _{J. P. Albrecht, “How the GDPR Will Change the World”, European Data Protection Law Review, 2,}

2016, pp. 287-289.

60 _{Interview with Christopher Kuner, Co-Director of Brussels Privacy Hub, Skype Interview, 18 March}

2018.

61 _{See: A. Bradford, “The Brussels effect”, Northwestern University Law Review, Vol. 107, No. 1, 2012,}

pp. 1-68. B. Kleizen, “Externalizing EU Law, Policy and Values--Europe's Global Identity, Mechanisms of Rule Transfer and Case Studies on Illegal Logging and Bosnia and Herzegovina”, Utrecht, Utrecht University, 2015. On the GDPR market effects Mr. Albrecht observed that through a “[…] strong sanction regime [it] will ensure that there will be equal opportunities, effective rights and legal certainty for everyone on our market which, as the biggest common market in the world, nobody will be able to ignore”: European Parliament, “Protection of individuals with regard to the processing of personal data”, op. cit.

62 _{The risks of a ‘general theory of policy convergence’ in data protection rules were already emphasized}

in C.J. Bennett, Regulating privacy: Data protection and public policy in Europe and the United States, Ithaca, Cornell University Press, 1992, pp. 4-5.

63 _{D. Heisenberg, Negotiating privacy: The European Union, the United States, and personal data}

economic-driven effect behind the external effects of the GDPR thus disregarding both the very legal bases and the EU narrative concerning data protection.64

A variety of sources has been employed to provide a broad picture of both the content and the external political effects of the GDPR. The core documents are constituted by EU – primary and secondary – legislation, official EU statements and legal analyses developed by both think-tanks and law firms. In addition, the theoretical debates on data jurisdiction and on the changing meaning of ‘territoriality’ in international and EU law will constitute a pivotal element in sketching the international legal framework for data protection laws.

Furthermore, the thesis draws on insights from ten interviews conducted between February and April 2018 with European Commission (DG CONNECT and DG JUST) senior officials, as well as senior attorneys from non-EU law firms based both in Brussels and outside the EU. Finally, to strengthen the analytical depth of the legal analysis, I conducted interviews with noted scholars in data protection law in order to shed light on the significance of recent novelties in EU data protection regulation. Incorporating interviews with academics and policy-makers in our analysis complement rather than replace the core analytical material provided by scholarly literature and EU official documents. While the doctrine constitutes a sound basis for the analysis, the novelty of the Regulation being discussed and the ever-changing policy framework urged a more

tailored analysis.65

The patchwork of stakeholders’ opinions – far from representing a fully comprehensive overview of the plethora of actors affected by the GDPR – provide an invaluable guidance in disentangling the potential inconsistencies between EU purported rationale and the perception thereof from both private firms and non-European players.

The thesis is articulated as follows. First, the theoretical approach is further developed: the methodological framework and the concurrent models for EU external regulatory

64 _{Jan Philip Albrecht described the data protection reform as a way through which “we are replacing 28}

different legal frameworks on data protection with one single legal framework and building a gold standard

for the protection of the fundamental right to data protection and privacy” European Parliament,

“Protection of individuals with regard to the processing of personal data”, op. cit., [emphasis added]

65 _{See, e.g. T.C. Hutchinson, The Doctrinal Method: Incorporating Interdisciplinary Methods in}

impact on data protection will be described. Secondly, the purported ‘global reach’66 _of

EU data protection law is introduced. In this section, the nexus between the legal theories on which the jurisdictional approach of EU data protection law is grounded and the models which account for the Union’s unilateral regulatory power will be identified. The interaction between the two sets of theories will allow us to better appreciate whether the anticipated ‘Copernican revolution’ in data protection has taken place67 _{Thirdly, the EU}

‘externalisation’ of the GDPR will be contrasted against its role as a – normative and market-driven – regulatory power.

The external effects of the Regulation and the global trends of convergence and potential ‘race to arms’ in global Data Protection law will be critically evaluated.68 _{Thus, the EU}

proposed ‘golden standard’ in data protection will be contrasted against the opposite narratives and designs championed by China and Russia.69

The comparative analysis of the perceptions of EU policy-makers, academia, and law-firms will converge to stipulate findings in the fourth part. The takeaways from the previous section will enable to evaluate the theoretical framework and to provide a critical assessment of the hype created around the presumptive EU quest for global hegemony in data protection.70 _{Moreover, Chapter 5 sheds light on the alternative models of data}

jurisdiction underlying their potential significance to the case of EU data protection laws.

66 _{J. Scott, “The New EU “Extraterritoriality”, Common Market Law Review, 51, 2014, pp.1343-1380,}

p.1363.

67 _{C. Kuner, “The European Commission's Proposed Data Protection Regulation: A Copernican Revolution}

in European Data Protection Law”, Bloomberg BNA Privacy and Security Law Report, 2012.

68 _{In this regard, De La Chapelle and Fehlinger noted that “Not all countries are able — or trying — to}

extend their sovereignty beyond their borders. As a consequence, renationalization is a complementary trend to extraterritorial extension of sovereignty.” P. Fehlinger & B. De La Chapelle “Jurisdiction on the Internet: from Legal Arms Race to Transnational Cooperation”, Global Commission on Internet

Governance Paper Series: No. 28, Chatham House, 2016, p.3.

69 _{See, for a general overview: S. Livingston & G. Greenleaf, “PRC's New Data Export Rules: 'Adequacy}

with Chinese Characteristics'?”, 147 Privacy Laws & Business International Report, 2017; D. Hyde “Sovereignty: the state of data”, Pennington Manches LLP, 19 September 2017, retrieved 8 November 2018: https://www.lexology.com/library/detail.aspx?g=3b28084b-43b0-4bbc-b962-d2f47a05918f

70 _{The Cassandras of an ‘arms race’ in data protection governance foresee a ‘Cold War’ about data between}

societies believing that “individuals have an absolute [fundamental] right to control their personal data [….] and those that believe that personal data is a good to be traded on the open market and thus subject to the same market forces at play elsewhere.” T. Pendergast, “The next Cold War is here, and it’s all about data”,

Wired, 28 March 2018, Retrieved 17 November 2018:

Finally, the main findings and the connected policy recommendations will be summarized in the conclusion. The closing remarks will also provide considerations for further research. In fact, while extensive discussions have been conducted on the potential reach of GDPR on non-EU companies and on EU unilateral regulatory powers, the responsibilities of the EU linked to the international reach of the Regulation71 _{and the}

potential trade-offs while engaging major countries in high politics debates are still uncharted waters.

1.4 A Data Protection Framework for the XXI Century

As early as 2010 the European Commission acknowledged how - while its core principles were still valid – the provisions set out in the Directive 95/46 could have no

longer “kept up to the challenges of technological development and globalization.”72

Furthermore, it is worth recalling that data protection impinges on EU’s core values and fundamental rights.73 _{In fact, far from being an incidental feature of the EU data}

protection law, the strong ties with fundamental rights lie at the very core of its design. In this regard, Lynskey has, thereforeargued that the EU Data Protection constitutes a ‘rights-based’ system under a double perspective: on the one hand it gives expression to a fundamental right, on the other its design is consistent with the underlying conception as a fundamental right.74 _{While, “the core architecture of the EU data protection}

71 _{C. Kuner “The Internet and the global reach of EU law”, LSE Law, Society and Economic Working}

Papers 4/2017, 2017; Isabelle Falque-Pierrotin, former Chair of Art. 29 Working Party emphasized that the GDPR requires an effort from other major economic rivals, and it has to be framed as a part of a broader negotiating table: I. Falque-Pierrotin cit. in L. Cerulus, “Europe’s data protection chief signs off, with a warning”, Politico.eu, 7 February 2018, retrieved 20 October 2018: https://www.politico.eu/article/isabelle-falque-pierrotin-europe-data-protection-chief-signs-off-with-a-warning/

72 _{European Commission, Communication From The Commission To The European Parliament, The}

Council, The Economic And Social Committee and The Committee Of The Regions “A comprehensive approach on personal data protection in the European Union”, COM (2010), 609 Final, 4 November 2010, available at: http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2015949%202010%20INIT

73 _{Interview with DG JUST Official, 26 October 2018, Brussels.}

74 _{O. Lynskey, The foundations of EU data protection law, New York, Oxford University Press, 2015, p.}

framework” remained unchanged,75 _{the Lisbon Treaty represented a watershed moment}

and a new phase in EU data protection regulation.

The Lisbon Treaty hashad momentous procedural implications for EU data protection framework. The Treaty modified the legal bases for EU data protection laws: nor ‘data protection’ nor ‘Internet governance’ as such are mentioned in art. 3 TFEU as areas of EU exclusive competence. Thus, notwithstanding data protection being a shared competence between the EU and Member States, by virtue of the well-established doctrines of implied powers and pre-emption,76 _{the area has been witnessing an}

‘Europeanization’ of the external competences.77

However, while the initial conception of EU data protection law in market terms may still be found in the Lisbon Treaty and in the secondary legislation, it is nonetheless increasingly connected with fundamental rights.78

The increased territorial scope – and the more diffuse extraterritorial effects - of EU data protection laws79 _{has been linked to the growing weight of the fundamental right to data}

protection. It is worth recalling the CJEU’s landmark judgement Google Spain where the Court stressed how the ratio legis of Directive 95/46 was to ensure “effective and complete” protection of EU individuals “by prescribing a particularly broad territorial scope.”80 _{Indeed, before addressing the debate on the political significance of the EU}

conception of data protection, it is necessary to define the content of the fundamental right

75 _{Ibid., p.15.}

76 _{The Court of Justice developed the doctrine of implied powers in the ERTA Case: Case 22/70,}

Commission v Council, EU:C, 1971, 32. Furthermore, Hijmans observes that the doctrine of effet utile may

as well provide a basis for the EU exclusive competence: “the existence of an exclusive EU competence under Article 16 TFEU must be assumed on the basis of the reasoning that effective protection of the fundamental rights of privacy and data protection on the internet cannot be achieved by internal rules alone. Effective protection requires the widest possible geographical scope of protection, and hence external action”. H. Hijmans, The European Union as Guardian of Internet Privacy: The Story of Art 16 TFEU, Cham, Springer, 2016, p. 414.

77 _{Ibid., p.399.}

78 _{M. Taylor, “The EU’s Human Rights Obligations in Relation to its Data Protection Laws with}

Extraterritorial Effect”, International Data Privacy Law, 5, 2015, p.246-256, p. 246.

79 _Ibid.

80 _{Judgment of the Court (Grand Chamber), 13 May 2014.}

Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González. Request for a preliminary ruling from the Audiencia Nacional: 317, ECLI:EU:C:2014:317, para.

54. See B. Van Alsenoy & M. Koekkoek, “Internet and jurisdiction after Google Spain: the extraterritorial reach of the right to be delisted”. International Data Privacy Law, 5(2), 2015, pp.105-120, p.10.

to the “protection of natural persons in relation to the processing of personal data”81 _as

enshrined in art. 16 TFEU and art. 8(1) CFREU. The two provisions emphasize “the right of everyone to the protection of personal data concerning him/her”82_{: the fundamental}

right of data protection is closely connected to the respect of private life expressed in art. 7 CFREU.83

Whereas the fundamental rights nature of data protection is pivotal when evaluating EU data protection regime vis-à-vis third countries, , the close relationship with the EU market is nonetheless still a defining feature of the system.84 _{In fact, until the entry into}

force of the Lisbon Treaty the EU data protection laws may have been defined as “a mechanism to ensure the free flow of data within the EU’s internal market”.85 _{Such a}

nature of data protection laws as an instrumental element for the internal market can be appreciated in the Directive 95/46, having its legal basis in art. 100a TEC. At the opposite side of the spectrum, the data protection regime developed by the CJEU and envisaged by GDPR aims at valuing fundamental rights, it is quintessentially connected with human dignity and cannot be treated as a commodity nor as a leverage in power-based negotiations.86

The GDPR’s vision depicts data protection regulation as a debate mainly ‘about values’87_.

Whilst the EU approach has been criticized for its ‘legal fundamentalism’ by scholars asserting that “most aspects of data protection do not seem to fit the underlying idea of

81 _{European Parliament and Council of the European Union, “GDPR”, op. cit., p. 1: it is worth noting how}

the nature of ‘data protection’ as a fundamental right is underlined in several occasions throughout GDPR’s Recitals.

82 _{See European Parliament, “Charter of Fundamental Rights of the European Union”, Official Journal of}

the European Communities, C-364/1, 2000, p.10.

83 _{Judgment of the Court (Grand Chamber) of 9 November 2010.}

Volker und Markus Schecke GbR (C-92/09) and Hartmut Eifert (C-93/09) v Land Hessen.

References for a preliminary ruling: Verwaltungsgericht Wiesbaden – Germany, ECLI:EU:C:2010:662, para. 47.

84 _{Jan Philip Albrecht emphasized the closed link between the protection of ‘the fundamental right to data}

protection’ and the creation of a functioning single market: “I am convinced that respect for data protection is not only a precondition for trust and innovation in a digitalised economy, but it will be an important key for the success of our European economies in the future”. European Parliament, “Protection of individuals with regard to the processing of personal data”, op. cit.

85 _{D. Kelleher & K. Murray, EU Data Protection Law, London, Bloomsbury, 2018, p.4.} 86 _{Interview with DG JUST, op. cit.}

fundamental rights”88_{, nonetheless the market rationale and the accent on data protection}

are deeply intermingled and mutually reinforcing rather than conflicting.89

Legal analysts, scholars and EU policy-makers concur that protecting the fundamental right to data protection of EU citizens has been the major EU’s concern when drafting the GDPR.90 _A

well-established doctrine associates the perceived long-arm of the EU law to the fundamental right character of data protection.91 _{In addition, coherently with the}

‘fundamental rights character’ design and CJEU interpretation of the data protection regime over the years,92 _{the virtuous circle between strengthening and enhancing}

fundamental rights protection and boosting EU single market competitiveness and attractiveness will be pointed out.93

Data protection law has increasingly become a prime tool for regulating the Internet thus playing a pivotal role on the international arena for the debate on cyberspace regulation.

94 _{In this very scenario the design and rationale underlying EU data law might have}

significant leverage on digital and data policy at the world level. However, EU emphasis on value and GDPR’s impact in terms of trade may exert significant clout on world competitors. EU is in fact increasingly confronted by major outliers’ concurrent narratives – as it is evident in the recent Russian and Chinese data protection frameworks95 _{- that}

challenge the core values behind EU ‘rights-based’ and ‘omnibus regime’.

88 _{B. van der Sloot, “Legal Fundamentalism: Is Data Protection Really a Fundamental Right?”, Data}

Protection and Privacy:(In) visibilities and Infrastructures, 2017, pp.3-30, p.21.

89 _{Interview with Bruno Gencarelli, Head of International Data Flow Unit, DG JUST, 8 March 2018.} 90 _{Ibid. personal interviews of the author, see Annex I.}

91 _{Interview with Mistale Taylor, UNIJURIS Project, Data Protection Expert, Skype Interview, 5 Novemer}

2018.

92 _{Lynskey, op. cit., p.38.}

93 _{Interview with Bruno Gencarelli, op.cit. The same could be argued by GDPR’s recital 13 underlining the}

necessity of a Regulation “in order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market [and] to provide legal certainty and transparency for economic operators.” European Parliament and Council of the European Union, “GDPR”, op. cit., p. 3.

94 _{Kuner, “The Internet and the Global Reach of EU Law”, op. cit., p.15.}

95 _{J. Nocetti, “Contest and conquest: Russia and global internet governance”. International Affairs, 91(1),}

2015, pp.111-130, p.112; P. De Hert & V. Papakonstantinou, The data protection regime in China, European Parliament, In-depth Analysis for the LIBE Committee, 2015. See also G. Delval & Z. Lin, “GDPR matchup: China’s Cybersecurity Law”, IAPP, 28 June 2017, retrieved 8 April 2018: https://iapp.org/news/a/gdpr-matchup-chinas-cybersecurity-law/

In such a complex and contested political and policy framework, it is a formidable challenge to grasp signa prognostica of forthcoming trends in data protection laws, often abruptly influenced by political events or sudden geopolitical turnarounds.96 _Nonetheless,

the analysis will critically evaluate the allegedly interventionist and regulatory posture of the EU in data regulation.97 _{Despite an ever-changing scenario, when assessing the global}

development of data protection regulation, “Europe is the place to look at”98_{: while data}

protection laws at the global level are rapidly spreading, the influence of ‘European standards’ remains indeed crucial.99

In the ever-changing scenario of technological innovation, global actors have been called to adapt and further elaborate on the basis for exercising jurisdiction. Land-mark cases and the outspoken ambition of constituting a model for data protection law worldwide with its rights-based data regime have put the European Union at the forefront of data protection regulation. The landmark case opposing the US Government to Microsoft underlined above opened the Pandora’s Box of who has jurisdiction over personal data,

reviving a long-lasting lasting debate on cyberspace jurisdiction. The following chapter will provide an overview of the interdisciplinary methodology

used in this analysis. Chapter 3 will analyse the scope of ‘territoriality’ and the meaning of extraterritorial jurisdiction under the GDPR. This introductory chapter demonstrates how Commissioner Jourova’s promise that GDPR “will lead to the EU becoming the world leader, setting the standards also for the rest of the world”100 _{does not fall in a legal vacuum, representing instead a clear programmatic}

statement vis-à-vis different visions on data jurisdiction.

96 _{The implications for the EU data protection regime following the revelations of National Security}

Agency’s whistle-blower Edward Snowden are described in A. Dix et al., "EU data protection reform: Opportunities and concerns.", Intereconomics, 48 (5), 2013, pp.268-285.

97 _{C. J. Bennett, “The Geo-Politics of Personal Data”, Harvard International Review, 14 December 2012,}

retrieved 12 April 2018: http://hir.harvard.edu/article/?a=3016

98 _{W. Schunemann, “Supranational norm entrepreneurship or uploading of high standards: the case of the}

European data protection regulation and the role of the European Parliament”, ECPR General Conference, Oslo, September 2017, p.6, retrieved 9 April 2018: https://ecpr.eu/Filestore/PaperProposal/94aab165-09ee-4f99-bc1e-ff6df6056d67.pdf

99 _{G. Greenleaf, “The influence of European data privacy standards outside Europe: implications for}

globalization of Convention 108” International Data Privacy Law, 2(2), 2012, pp. 68-92.

Privacy and data protection norms are in fact unstable and uncertain in a rapidly developing digital world:101 _{the EU quest for a data protection regime for the XXI century}

will be therefore confronted by a moving target of data protection on the international scene. While the anchorage to the human rights nature of the right to privacy remain the constant reference of EU legislator,102 _{facing more than 120 data privacy laws worldwide,}

the GDPR is expected to exert its influence by virtue of its normative appeal as well as for the clout of EU internal market. While – as EU Head of EDPS Giovanni Buttarelli asserted – “regulation versus regulation is over” since there are 71 countries outside Europe geographically to have adopted data protection laws.103 _{However, humanitarian’s organization that “all the countries should adopt}

comprehensive data protection laws that place individuals’ human rights at their centre” it is far from constituting the major springboard for a convergence towards EU standards.104

101 _{R.C. Post, “Data Privacy and Dignitary Privacy: Google Spain, the Right to Be Forgotten, and the}

Construction of the Public Sphere” Duke Law Journal, vol. 67, issue 981, 2017, p. 1064.

102 _{A thorough explanation is provided by the EU Data Protection Authority “Privacy and data protection}

are two rights enshrined in the EU Treaties and in the EU Charter of Fundamental Rights. The Charter contains an explicit right to the protection of personal data (Article 8).

The entry into force of the Lisbon Treaty in 2009, gave the Charter of Fundamental Rights the same legal value as the constitutional treaties of the EU. Thus the EU institutions and bodies and the Member States are bound by it.In addition, article 16 of the Treaty on the Functioning of the European Union (TFEU) obliges the EU to lay down data protection rules for the processing of personal data. The EU is unique in providing for such an obligation in its constitution.”. European Data Protection Supervisor, Data

Protection, retrieved 1 December 2018: https://edps.europa.eu/data-protection_en

103 _{Council of Foreign Relations, Enforcing Data Privacy: A Conversation With Giovanni Buttarelli, 20}

November 2018, retrieved 29 November 2018: https://www.cfr.org/event/enforcing-data-privacy-conversation-giovanni-buttarelli

104 _{Human Rights Watch, The EU General Data Protection Regulation, 6 June 2018, retrieved 1 December}

2 Analysis’ Overview

2.1 Theoretical Framework

This section further develops the methodological framework sketched above: the present analysis takes a cue from Bradford’s ‘Brussels Effect’ – complemented by parallel explanations of EU as a powerful ‘norms externalizer’ – and Joanne Scott insights on the changing meaning of territoriality in EU law. Bradford’s theory postulates Europe’s unilateral power to regulate global markets. This power – the theory argues – stems from EU’s largest world internal market supported by strong regulatory institutions. The Brussels effect combine the trend defined de jure regulatory convergence, whereby “a lax foreign regulator formally adopts the strict rule of the lead regulator”, with a de facto

regulatory convergence. The latter stresses how – even in the absence of formal changes

to legal rules - much of global business is conducted under unilateral EU rules.105 _Hence,

as Bradford bluntly put it the Brussels Effect [exerted by the EU] is not only about triggering an upward race but first and foremost about “one jurisdiction’s ability to override others”.106 _{Scott’s studies on the}

‘territorial extension’ of EU law aptly describe how a ‘territorial hook’ is used to address partly, or wholly, extraterritorial situations,107 _{that is to say how EU territorial law is}

‘extended’ beyond EU borders.108

Scott’s theory further emphasizes how “EU legislation which engages in territorial extension is generally characterized by an international orientation revealing the EU to be engaged in action-forcing contingent unilateralism rather than the exportation of norm”.109

105 _Ibid. 106 _{Ibid., p.8.}

107 _{Whither Territoriality? The European Union’s Use of Territoriality to Set Norms with Universal}

Effects”, in C. Ryngaert, E. Molenaar & S. Nouwen, What’s Wrong with International Law,, Leiden, Brill, 2015, p.3.

108 _{Scott, op. cit.}

109 _{Ibid.; The “territory extension as a positive phenomenon of EU rule-making beyond its territory has}

been theoretically criticized by Fahey who underlined how “from the perspective of sovereignty, there is something unsatisfactory about constructing territorial extension alone as a (quasi-)normative standard […]