EXTRATERRITORIAL APPLICATION OF THE EU GENERAL DATA PROTECTION REGULATION: AN INTERNATIONAL LAW PERSPECTIVE
Keywords:extraterritorial jurisdiction, state sovereignty, legality of extraterritorial scope, principles of international law, rationales of the EU
The General Data Protection Regulation (the GDPR) of the European Union (EU) emerges as a hot-button issue in contemporary global politics, policies, and business. Based on an omnibus legal substance, extensive extraterritorial scope and influential market powers, it appears as a standard for global data protection regulations as can be witnessed by the growing tendency of adopting, or adjusting relevant national laws following the instrument across the globe. Under Article 3, of the GDPR applies against any data controller or processor within and outside the EU, who process the personal data of EU residents. Therefore, the long arm of the GDPR is extended to cover the whole world, including Malaysia. This gives rise to tension worldwide, as non-compliance thereof leads to severe fines of up to €20 million or 4% of annual turnover. This is not a hypothetical possibility, rather a reality, as a huge amount of fines are already imposed on many foreign companies, such as Google, Facebook, Uber, and Equifax to name a few. Such a scenario, due to the existence of state sovereignty principles under international law, has made the researchers around the world curious about some questions, why does the EU adopt an instrument having the extraterritorial application; whether the extraterritorial scope is legitimate under normative international law; how the provisions of this instrument can be enforced, and how these are justified. This article attempts to search for answers to those questions by analyzing the relevant rules and norms of international law and the techniques of the EU employed. The article concludes with the findings that the extraterritorial scope of the GDPR is justified under international law in a changed global context. The findings of this article will enlighten the relevant stakeholders, including Malaysian policymakers and business entities, to realise the theoretical aspects of inclusion of the extraterritorial feature of the GDPR, and this understanding may facilitate them to map their future strategies.
How to Cite
- Consent to publish: The Author(s) undertakes that the article named above is original and consents that the IIUM Press publishes it.
- Previous publication: The Author(s) guarantees that the article named above has not been published before in any form, that it is not concurrently submitted to another publication, and that it does not infringe anyone’s copyright. The Author(s) holds the IIUM Press and Editors of IIUM Law Journal harmless against all copyright claims.
- Transfer of copyright: The Author(s) hereby transfers the copyright of the article to the IIUM Press, which shall have the exclusive and unlimited right to publish the article in any form, including on electronic media. The Journal in turn grants the Author(s) the right to reproduce the article for educational and scientific purposes, provided the written consent of the Publisher is obtained.