Browsing by Author "Beletski, Roman"

  • Beletski, Roman (2019)
    It has long been the starting point in international law that a sovereign state is entitled to exclusive control over the activity taking place on its soil, and that states should abstain from attempts to intervene in each other's internal affairs. However, increasing globalisation and the advent of the internet have shaken up this status quo: a traditional territorial approach to the regulation of novel phenomena in the online world is simply no longer sufficient. At the same time, overly broad extraterritorial claims by one state can be seen as unacceptable by other states that are also interested in regulating the matter themselves. As discussed in this work, the contrast between these two approaches is highly relevant in the field of protection of personal data. The aim of this work is to (1) examine the extent of the extraterritorial mechanisms of the EU General Data Protection Regulation, after which (2) a critical assessment of these mechanisms will be performed from the perspective of international law. Both of these questions will be reviewed from a mainly doctrinal point of view, with certain additional sociological arguments being presented in relation to question (1). When examining question (2), the doctrinal method will take on a critical dimension, as the assessment of the reasonableness of the extraterritorial mechanisms of the GDPR will be performed using principles of public international law as a normative framework. In order to establish said framework, a review of the concepts of sovereignty, jurisdiction and extraterritoriality will take place at the beginning of the work. Due to the political nature of extraterritoriality, political viewpoints will also be considered, where relevant. The GDPR employs several different mechanisms that stretch the Regulation's effects beyond the borders of the EU. Some of these effects are more direct than others.
First of all, the GDPR has a rather broad territorial scope under Article 3, pursuant to which the Regulation applies to non-EU controllers and processors that either have an establishment in the EU or target data subjects in the EU. In addition, the GDPR has an effect on controllers and processors receiving personal data from a data exporter in the EU, even if they would not otherwise be subject to the Regulation under its territorial scope. Furthermore, the European influence abroad is visible through the European Commission's adequacy decisions, bilaterally and multilaterally negotiated instruments, the Regulation's Brussels effect and even the public awareness concerning privacy matters that has been affected, at least indirectly, by the strict requirements of EU data protection law. In order to critically assess these mechanisms, a novel approach that accounts for all relevant factors when evaluating an extraterritorial assertion is adopted. While it is not possible to definitively claim that an extraterritorial claim is unacceptable, an overall assessment considering the principles of comity and sovereign equality can be helpful in order to establish whether certain extraterritorial assertions are questionable and to find alternative regulatory solutions that would be better in line with international law. Therefore, considering multiple factors, such as fairness, proportionality, justification, and predictability, it is concluded that certain extraterritorial mechanisms of the GDPR can be considered overly broad, especially when there is no real chance that they could be enforced. For this reason, the study suggests that special emphasis should be given to those extraterritorial mechanisms that are enforceable within the EU and to mechanisms that require no enforcement action in order to function.
Additionally, a proper balance between the interests of the EU and those of other independent regulators needs to be sought when determining the extent of the requirements of the GDPR, as was cautiously implied in the recent CJEU judgment in C-507/17 – Google.