Browsing by Subject "Territorial Scope"

The European Union’s (EU) General Data Protection Regulation (GDPR) guarantees a high level of data protection for individuals in the European Union (EU data subjects). Other jurisdictions may not guarantee an equivalent level of protection, and therefore the GDPR has mechanisms through which it ensures that personal data is protected when processed extraterritorially. The two main mechanisms examined in this research paper are the rules on territorial scope under Article 3(2) and those for international data transfers in Chapter V GDPR. The mechanisms may apply simultaneously, and their interplay is not regulated by the GDPR, resulting in confusion and inconsistent application of the two protective mechanisms. The confusion has resulted in two approaches to addressing how the mechanisms should interact when applied simultaneously: the ‘cumulative’ and the ‘compensatory’ approaches. The cumulative approach advocates for the simultaneous application of the two rules, while the compensatory advocates for the disapplication of Chapter V when Article 3(2) applies. The presence of two approaches may undermine the rule of law and the general reception of the data protection measures in a foreign jurisdiction, and thusly, clarifications of the law is needed. Considering the above, the aim of this work is to (1) ascertain the overlap between Article 3(2) and Chapter V, and (2) evaluate which of the two approaches –‘cumulative’ or ‘compensatory’ – better achieves the EU data protection framework’s objective of ensuring extraterritorial data protection. In chapter 2, the research evaluates the extent of the overlap between the two mechanisms by laying out their legal requirements and background. It is established that the extraterritorial application of the GDPR faces issues with enforcement and conflict of laws. In chapter 3, the ‘cumulative’ and ‘compensatory’ approaches are evaluated from a reformist legal doctrine perspective to account for the wider societal context in which the approaches operate in. The research concludes that, while the cumulative approach yields in a higher level of protection, the approach can be unnecessarily cumbersome for data controllers and processors from a cost and compliance perspective. The research recommends the adoption of a middle-ground approach, where the limitations of both cumulative and compensatory approaches are accounted for. The middle-ground approaches explored in this paper are: the development of a new data transfer instrument and regulatory reform. The research also recommends more in-depth research into the topic to aid the development of a new data transfer instrument or laws.