The extraterritoriality of EU data privacy law - its theoretical justification and its practical effect on U.S. businesses
Date of this Version
Due to its extraterritorial effect, the European Union's trailblazing data privacy law has long been a major concern for U.S. businesses. With the proposal for a new EU data privacy framework with potential penalties of up to two percent of an offending enterprise's annual worldwide turnover, and with the European Union at the same time expanding the extraterritorial reach of its data privacy law, such concems are justified indeed. This Article examines the extraterritoriality of current and proposed EU data privacy law and analyses whether reference to international law can either strengthen or weaken those claims of extraterritoriality. In doing so, this Article demonstrates that intemational law lends support to the approach to extraterritoriality adopted in the EU data privacy law. At the same time, however, the examination of EU law highlights that, from the perspective of extraterritoriality, the current EU Directive is dysfunctional in its unnecessary complexity, and the proposed EU Regulation is in desperate need of refinement. Finally, the Article presents a doctrine of "market sovereignty, " established by reference to the effective reach of "market destroying measures, " as a mechanism for determining the extraterritorial reach of jurisdictional claims.
This document has been peer reviewed.