A New International Law in the Making? GDPR at home and abroad

When the General Data Protection Regulation came into effect in May, it affected all businesses that have customers in the EU. But Andrew Liu says it remains unclear how the new law can be enforced for businesses outside the bloc’s jurisdiction.

The General Data Protection Regulation (GDPR) has been in effect for several months now and confusion surrounding compliance persists. What began as a European law has essentially become a global one, as it applies to all businesses and organisations that do business with European citizens. To avoid major trade disruption, the international community needs to establish clear rules regarding the GDPR’s application.

The GDPR modernises existing data laws in Europe, which are applicable to all individuals residing in the EU and the European Economic Area (EEA). This law strengthens the protection of a wide range of information about individuals living in the EU and further establishes uniformity in data protection regulation. Key to the effectiveness of the GDPR are the penalties of non-compliance, with the maximum fine of “up to 4 [percent] of annual global turnover or €20 Million (whichever is greater).” Lesser penalties also exist, such as a fine of 2 percent of annual global turnover for not having the appropriate records. Another key element is that the GDPR “applies to any organization that handles, processes, and especially exports EU citizens’ data outside the Euro Zone, even if that company is not based in Europe.” That means the GDPR is poised to become a public international law. 

At its core, the GDPR provides an uniform standard of individual privacy protection to the 28 EU member states, while leaving room for each state to “incorporate elements of the Regulation in their respective national law.” The extent of the GDPR’s jurisdiction here is largely appropriate, as the member states are in the same region and under the same overarching EU regulations. However, the application of the GDPR to companies and organisations outside of the EU that have European clients fundamentally conflicts with existing international frameworks that set out guidelines of “governing how personal data from EU citizens is received and transferred” such as the EU-US Privacy Shield. This means that US-based companies that previously complied with the Privacy Shield framework may need to take additional steps to comply with the GDPR.

However, given the current uncertainty clouding enforcement of the GDPR, many companies are taking the ‘wait and see approach’, instead of immediately complying with the new law. This hinders international financial activities between EU and non-EU countries. For example, US pharmaceutical companies are grossly unprepared to comply with the GDPR, due to confusion on applicability of the law and necessity of compliance. Another sector that is significantly affected is energy. The energy sector uses customer data for various purposes, such as determining usage patterns. Most business activities that energy companies engage in are now under the regulation of the GDPR. There is also a risk of reputational damage for non-compliant companies, which could result in the loss of customers and a decline in profit.

Under public international law—the laws and rules that govern the interaction between sovereign states and international organizations—the principles of territoriality and nationality can be invoked in order for the EU to “assert jurisdiction over acts that were initiated abroad but completed within a state’s territory.” In other words, this grants European regulators jurisdiction over foreign websites, online services, and organisations that provide services to EU citizens. Another avenue by which the European Commission can gain jurisdiction over foreign companies is through invoking the ‘Effects Doctrine’, asserting jurisdiction on the basis that actions engaged outside of the state substantially affect the state.

This legal argument is not on solid ground as it struggles to address the issue of conflicting jurisdiction of domestic and EU laws. For instance, Section 403 of the “Restatement (Third) of Foreign Relations Law of the United States” outlines several limitations of jurisdiction, particularly in instances when jurisdiction over an individual or an activity becomes unreasonable. Simply put, this American law can be contradictory to the GDPR, and when it is, the European Commission loses its jurisdiction over US-based companies. These instances where the GDPR conflicts with a state’s domestic laws introduces uncertainty about whether foreign companies need to comply. 

The GDPR does not provide a clear answer as to how the penalties will be enforced when a company outside of the EU fails to comply. Moreover, it does not address the issue of domestic privacy laws of a non-EU country conflicting with GDPR. Article 50 of the GDPR titled “International cooperation for the protection of personal data” outlines steps the European Commission and the supervisory authorities can take to achieve international cooperation, but lacks specificity. 

In a globalised financial system, the GDPR will necessarily apply to foreign companies. Uncertainty regarding whether and how the GDPR interacts with domestic laws in non-EU countries has the potential to hinder the international flow of goods and services. On the other hand, if companies are allowed to continue operating in the EU without complying with the GDPR, the gap in implementation may make data-protection inconsistent and undermine privacy. To resolve this complicated issue, the European Commission needs to work with the international community to establish clear boundaries of jurisdiction.

The upcoming G20 Summit in Buenos Aires offers an unique forum for the European Commission to open this conversation. The presidents of both the European Council and Commission will attend the summit and can discuss enforcement, jurisdiction, and penalties with the G20 countries. This meeting between European countries, EU leaders, and other global powers presents an excellent opportunity to establish an understanding on international legal jurisdiction of the GDPR.

Andrew (Fu Yuan) Liu is pursuing an MSc in Global Politics at the London School of Economics and Political Science.

Photo by www.comparitech.com/ via Creative Commons (CC BY 2.0)

The opinions expressed in this blog contribution are entirely those of the author and do not represent the positions of the Dahrendorf Forum or its hosts Hertie School and London School of Economics or its funder Stiftung Mercator.