Free Expression and EU Privacy Regulation: Can the GDPR Reach U.S. Publishers?
32 Pages Posted: 18 Jun 2018
Date Written: June 1, 2018
The question of whether distant law should apply to online publishers has taken on new immediacy because of a new European Union (EU) privacy law, the General Data Protection Regulation (GDPR). The GDPR is a sea-change in EU privacy law, and companies operating outside of the borders of Europe are grappling with whether this stringent new regulation will apply to them. Under pre-GDPR law, publishers outside of the EU could structure their activities to avoid EU jurisdiction. The GDPR, however, aspires to a broad jurisdictional reach, and it is intended to cover any in the world with an online presence that markets “goods or services” to Europeans or “monitors the behavior” of EU data subjects. Just because the GDPR aspires to this jurisdictional breadth, however, does not mean that it is permissible. Longstanding rules of public international law must be satisfied before regulatory agencies and courts can exercise extraterritorial jurisdiction. This article analyzes those principles and concludes that non-EU publishers will have persuasive arguments against the jurisdiction of EU regulatory authorities and courts to enter orders against them, and a strong argument against the enforcement of such orders or subsequent fines.
Keywords: GDPR, privacy, jurisdiction, public international law, right to be forgotten, FTC
JEL Classification: K20, K23, K30
Suggested Citation: Suggested Citation