The significant lobbying efforts by US companies regarding the proposed data protection Regulation, recently covered by the press (e.g., http://www.ft.com/intl/cms/s/0/e29a717e-6df0-11e2-983d-00144feab49a.html#axzz2KtWrMvGO), can be better understood in light of the provisions of the Regulation setting forth its scope, which lead to its extraterritorial application.
Unsurprisingly, article 1 of the Regulation sets forth that the Regulation applies “to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union”. So if a controller or a processor is established in the Union, there is no doubt about it: it will be subject to the Regulation. So far, this rule merely expresses the concept of territorial application of Union law and sounds fair and straightforward. As a consequence, US companies not willing to be subject to the Regulation should simply refrain from setting up an establishment in Europe while acting as controller or processor: the rule is clear and the applicability of the Regulation would seem easy to control (and avoid).
If it weren’t for paragraph 2 of article 1, which immediately complicates matters, as it deals with the extraterritorial application of the Regulation:
“2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:
(a) the offering of goods or services to such data subjects in the Union; or
(b) the monitoring of their behavior.”
The intent of the EU institutions is clear, and well enshrined in recital (20): “[…] to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation […]”. The fear that big US internet companies, while substantially benefitting from the Union’s market, may fail to comply with the Regulation appears to be a top priority for the Commission, and the lobbying of US companies is not at all surprising for exactly the same reason.
It is interesting to check how the same issue was dealt with under Directive 95/46. In fact, Directive 95/46 did mandate the application of a Member State’s law even if the controller is not established on Community territory, but required that it make use of equipment, automated or otherwise, situated on the territory of the said Member State (unless such equipment is used only for purposes of transit through the territory of the Community). The criterion then applied was the so-called “using means” in the Union (except for mere transit).
The Regulation attempts to be more specific and more tailored to the protection of the Union’s data subjects: instead of the “using means” test, the Regulation will apply whenever there is an offering of goods or services to data subjects in the Union or if the processing activities are related to the monitoring of their behavior.
Such new criteria have obviously sparked all sorts of debates.
The international law purists have questioned whether extraterritoriality is justified in this case on account of the nationality principle and/or the so-called ‘effects’ principle. Surely, this will be another topic of debate between EU and US authorities, who often bicker about their reciprocal extraterritorial statutes.
Further, some have wondered how the provision will be applied in practice. Should the offering of goods or services to data subjects in the Union be direct, or is the potential availability to Union citizens over the Internet of goods and services enough to trigger applicability of the Regulation? Surely, it will not be possible to assume that the entirety of the Internet is subject to the Regulation whenever Union citizens are able to access certain goods or services. I happen to believe that, if the Regulation is enacted with article 1 as proposed, it will be up to case law to develop specific criteria in order to ensure that its extraterritorial application is fair and effective.
But, most of all, many question the actual chances of enforcement of a Regulation against controllers who are, well, simply not here. The significant sanctions set forth in the Regulation provide a strong incentive for companies based in the Union to comply, but cannot be applied to controllers who have no establishment in the Union. So the Commission’s intention to protect Union data subjects may in fact clash with reality, and especially with the Internet reality.