A Study on the Extraterritorial Application of the General Data Protection Regulation with a Focus on Computing
539 Pages. Posted: 29 Aug 2019
Date Written: October 2018
The fourth industrial revolution is digitalizing the world we live in today. Big data, artificial intelligence, and cloud computing are now routinely discussed in the media. In the light of these changes, the pace of technological development, and the ways in which personal data are processed, affect each of us every day and in all sorts of ways. Institutions charged with protecting privacy and personal data, in particular, recognize that the need for data protection standards is more critical than ever.
The European Union (hereinafter referred to as EU), well known as a frontrunner in data protection rules, faces the same challenge. The EU’s data protection standards are based on the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (hereinafter referred to as Convention 108) adopted by the Council of Europe (hereinafter referred to as CoE), and on the 1995 EU Data Protection Directive (hereinafter referred to as Directive), as well as on the respective case law of the European Court of Human Rights (hereinafter referred to as ECtHR) and of the Court of Justice of the European Union (hereinafter referred to as CJEU). Furthermore, the General Data Protection Regulation (hereinafter referred to as GDPR) was adopted on April 14, 2016, and has applied since May 25, 2018.
The GDPR replaces and expands the Directive by centralizing powers that were previously reserved to the EU Member States. It was developed with the goal of providing consistent privacy protections for individuals across the EU, and it aims to harmonize privacy laws in the EU by providing the same strong data protections for the entire region. In addition to harmonizing privacy protections across the board, the GDPR broadens the jurisdictional reach of the Directive.
One of the most significant changes in the GDPR is the extension of European data protection law to businesses based outside the Union. The GDPR affects companies around the world, including Chinese companies. For instance, a Chinese company becomes subject to the GDPR if (i) it is established in the EU, (ii) it offers goods and/or services to data subjects in the EU and thereby processes the personal data of data subjects in the EU (regardless of their nationality), (iii) it monitors the behavior of data subjects in the EU, or (iv) public international law prescribes the application of an EU Member State's law.
The GDPR contains a broad jurisdictional test. There are, however, specific principles under international law for assessing when the extraterritorial reach of a state is permissible. Cloud computing makes this question especially acute: because cloud computing is a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet, data is often processed or stored in multiple jurisdictions, creating overlapping jurisdictions for Chinese-domiciled companies and multinationals. The case of Microsoft Corp. v. United States, concerning a US warrant for e-mail data stored on a server in Ireland, illustrates that, given the nature of cloud computing systems, certain jurisdictional risks are unavoidable.
These computing clouds have grown to include more users across different countries, frequently moving personal data across multiple jurisdictions and inevitably raising concerns over data protection. As legislators in each jurisdiction attempt to pass laws that protect their own constituents, jurisdictional conflicts arise that threaten the stability of an international cloud computing regime. Even if a European Data Protection Authority (hereinafter referred to as DPA) can properly assert jurisdiction over websites and online service providers under the GDPR’s jurisdictional test, it is highly unlikely that a Chinese court would enforce the resulting EU order. Geographic overexpansion will inevitably lead to unenforceability, given that the enforcement jurisdiction of the EU data protection authorities does not extend beyond the EU's borders.
Moreover, the People’s Republic of China (hereinafter referred to as China, or PRC) does not have a comprehensive data protection framework comparable to that of the EU. Instead, provisions addressing data protection are scattered across several laws and regulations. The latest substantial development is the Cyber Security Law (hereinafter referred to as CSL), effective from June 1, 2017, which introduces numerous new rules for online activities and networks in China. The respective scopes of the GDPR and the CSL should also be considered when analyzing the differences between them. Article 3 of the GDPR makes explicit that a company located outside the EU can fall within the GDPR's obligations, thus giving the regulation extraterritorial effect. In contrast, the principle of cyber sovereignty on which the CSL is based is reflected in its territorial scope, which Article 2 strictly limits to the “territory of the People’s Republic of China.” Given this stark contrast, it can be concluded that companies located solely in China that do business in both China and the EU must comply with both the CSL and the GDPR, while companies located solely in the EU would be bound only by the GDPR.
Therefore, this study proposes cross-border cooperation between the EU and China, modelled on the EU data protection framework described above, i.e. the GDPR, and on a bilateral arrangement such as the EU-US Privacy Shield.