Study On Extraterritorial Effect Boundary Of EU General Data Protection Regulation

In the territory of EU,with the development of science and technology and the increase of international economic and trade activities,personal data are collected and used by domestic and foreign data controllers or processors.Therefore,the EU began to formulate the extraterritorial effect system of personal data protection.The EU first promulgated the Convention for Protection of Individuals with Regard to Automatic Processing of Personal Data(1981)(“the Convention”)in 1981,but the Convention does not have an obvious tendency of extraterritorial effect.Subsequently,the European Data Protection Directive of 1995(the “EU Directive”)issued by the EU in 1995 clearly stipulates the extraterritorial effect system,which is refined through EU cases and WP29 Opinions.However,the borderless nature of data and internet has brought new legal obstacles,which makes the extraterritorial effect of EU Directive unable to meet the needs of EU data subjects in terms of personal data protection.As a result,the General Data Protection Regulation(“GDPR”)adopted by the EU in 2018 completely replaces the EU Directive and further expands the scope of extraterritorial effect.However,in actual cases,the unilateral expansion of extraterritorial effects would call in question the reasonable boundary of extraterritorial effects.Therefore,clarifying the reasonable boundary of extraterritorial effect will be the key and important premise to ensure the effective implementation of the law.Based on these purposes,the first chapter mainly discusses the legislative status of the extraterritorial effect of GDPR.First of all,it distinguishes the relevant concepts,and clearly defines the connotation of extraterritorial effect.Secondly,it briefly summarizes the “organization criterion” and “equipment use criterion” established by EU Directive,as well as the newly established “establishment criterion”,“targeting criterion” and “public international law criterion” established by GDPR on the basis of inheriting the above criterions.At the same time,it analyzes the impact of EU Directive and GDPR on the extraterritorial effectiveness system as they are different type pf EU laws.The second chapter analyzes the specific application of the three criterions established in Article 3(extraterritorial provisions)of GDPR in practice by taking into account the EU case,the WP29 Opinions and the EDPB Guidelines.As for the“establishment criterion”,we should focus on the “inextricable link” and “financial growth relationship” between data processing behavior and the scene of activities.As for the “targeting criterion”,in the specific judgment,we should focus on the“subjective intention” in the provision of goods or services and the “objective behavior”in the implementation of monitoring.As for the “public international law criterion”,the focus is on the areas where the laws of Member States should be applied according to public international law,such as embassies and consulates of Member States,ships or aircraft abroad,etc.However,the borderless nature of data will lead to broad extension of the extraterritorial effect of data protection legislations.Although the Article 3 of GDPR has advanced nature in the legislative provisions,the uncertainty and vagueness in the actual cases mainly rely on the technical explanation of the European court or EDPB and so on.Thus,it will give the judge wide discretion to further aggravate the drawbacks of the GDPR extraterritorial effects.Based on this,the third chapter mainly focuses on the reasonable boundary of the extraterritorial effect of GDPR in the Google CNIL case,that is,the dispute over whether GDPR has global applicability.Combined with the basic facts of the case,it analyzes the court opinion of in detail,and compares it with similar cases to summarize the enlightenment of the case.In the meantime,this Chapter conducts detailed study on the legal uncertainties,legal conflicts,rising compliance costs and blocking legislation that the EU may encounter in its excessive expansion of extraterritorial effectiveness.With an overview of the global personal data legislation,under the background of not forming a unified international standard and treaty,most countries generally set up extraterritorial provisions in their domestic laws.At the same time,China actively promotes the legislations in terms of protection of personal information.In particular,the Personal Information Protection Law that newly enacted by the authority stipulated extraterritorial provisions which quite similar to but obviously different from GDPR.In this context,the fourth chapter compares Article 3 of the Personal Information Protection Law and Article 3 of GDPR on extraterritorial effects separately,focusing on the similarities and differences between them.On that basis,it further summarizes that the extraterritorial effect system of the Personal Information Protection Law may encounter practical difficulties similar to GDPR in practice,and puts forward two solutions of interpretation and law enforcement on how to avoid and solve these difficulties.In other words,in terms of interpretation,relevant departments should issue explanatory documents or guidelines to refine and clarify relevant issues,and promote the formulation of relevant subsidiary rules and regulations;In terms of law enforcement,it is required to strictly follow the principle of proportionality,strengthen the application of the “representative” and international cooperation in data governance,effectively safeguard the personal information rights and interests of Chinese citizens,and actively promote the development of global data protection governance in China.