On digital sovereignty, extraterritoriality and EU digital laws – GDPR case study

1. Introduction

“Digital” or “technological” sovereignty emerged in recent years as a possible remedy for the European Union’s struggle to maintain its strategic autonomy. It is seen as a concept that could help reduce the EU’s dependencies in the globalised and digitalised world. Although named as “sovereignty” this idea seems to be about different forms of control: over data, over capacity for innovation, and over an ability to shape and enforce legislation in the global digital environment. We can also see it as something more fundamental – the right to remain masters of one’s own fate in a globalised and complex digital environment.

Its importance is reinforced by the fact that a large part of Europe’s growth potential lies in digital markets – where the EU has to compete with China or the United States of America. One of its elements is a discussion regarding how European citizens can retain and maintain control over their personal data in an online environment, largely dominated by non-EU companies. In this context, digital sovereignty may play an essential role in building trust towards new digital products and services, in particular Artificial Intelligence.

As the protection of own citizens’ rights and impacting global digital policy standards require going extraterritorial, one of the key elements linked with debates about power and sovereignty is extraterritoriality of law (see Ch. Kuner, Data and extraterritoriality, [in:] A. Parrish & C. Ryngaert (ed.), Research Handbook on Extraterritoriality in International Law, Cheltenhamp/Northampton 2023, p. 358). The General Data Protection Regulation (GDPR), with territoriality combined with a moderate version of the destination approach,can serve here as an interesting case study.

The GDPR, which became applicable as of 25 May 2018, among many other improvements, was supposed to resolve one of the most significant shortcomings of its predecessor, Directive 95/46/EC: the lack of jurisdiction over third-country data controllers and processors processing EU residents’ personal data. Later on, the EU co-legislators applied the approach known from the GDPR, to the extraterritorial scope of, among others, the draft AI Act and the Digital Services Act.

A few months ago, we celebrated five years since the GDPR became applicable; this is therefore a good moment to draw some first conclusions as to its extraterritorial scope and the future of the extraterritorial enforcement of EU digital laws.

2. Creating the level-playing field: Art. 3(2) GDPR in its broader context

The main objective of the GDPR is to set rules relating to the protection of personal data and the free movement of such data. In a globalised world, extraterritoriality seems appropriate and necessary to uphold EU data protection standards and protect individuals’ fundamental rights and civil liberties. As regards global competition, the GDPR aims to ensure a level-playing field for businesses active in the EU markets, in particular, make sure that all of them, whether based in the EU or in a third country, are subject to the same rules.

The territory of EU Member States remains as the primary nexus for the application of the EU data protection regime, at the same time Article 3(2) GDPR introduces extraterritoriality based on two forms of targeting: (i) offering of goods or services to data subjects who are in the Union and (ii) monitoring of such data subjects’ behaviour. Article 3(2) GDPR focuses on regulating activities, which although conducted by third-country entities, take place in the EU; in this sense, one can argue that the GDPR territorial scope is not “classically” extraterritorial. In the case of the GDPR, the nexus is the location of a data subject, thus their citizenship, permanent residence or any other factors are irrelevant. This approach can be, in principle, qualified as a market access trigger and summarised as the ‘you might be targeted by EU law only if you target the EU’ approach.

3. “Soft law”: Brussels effect and adequacy findings

Bradford describes the “Brussels Effect” as the European Union’s “unilateral ability to regulate global markets by setting the standards in competition policy, environmental protection, food safety, the protection of privacy, or the regulation of hate speech in social media”. Currently, the EU is considered a standard-setter in the field of data protection: a number of third countries have adopted laws similar to the GDPR and a number of international companies have internal rules based on the GDPR as their global standard of operations. ”Brussels Effect” and externalising EU laws outside its borders through market mechanisms is seen by some authors as a way of protecting and promoting European values globally. Greenleaf, who monitors the global trends in data privacy laws, identifies 162 data protection laws worldwide, many of which were inspired by the GDPR. All these developments have happened via a soft law, as all these actors adopted their rules without being legally bound to do that.

I believe that we can qualify as a “soft law” (in the sense mentioned above) also adequacy decisions under the GDPR issued by the European Commission in the context of data transfers. To obtain the adequacy decision, a third country must align its national laws so they are “essentially equivalent” to the EU’s legal regime. The United Kingdom can serve as an interesting example here – after Brexit the UK government tries to make its data protection laws more business-friendly, but at the same time, if the UK wants to maintain this status of being “adequate”, the UK’s adequacy findings limit the scope of the possible changes. The EU law, although not directly applicable in the UK anymore, still influences UK legislation and this takes place not e.g. via an international agreement, but through a unilateral decision of one of the EU’s institutions.

4. Clearview AI decisions – you can run and you can hide

During the last 5 years, EU data protection authorities (DPAs) issued several decisions against non-EU controllers. The ones that, in my opinion, deserve a closer look are decisions by four different DPAs: French, Italian, Greek and Austrian – as the one-stop-shop mechanism was not applicable – against Clearview AI, a US company without an establishment, a representative or any assets in the EU. What makes this case so important is that Clearview AI refused to cooperate with DPAs and after receiving the decisions stated that it does not recognise the European authorities’ jurisdiction. At the same time, Clearview AI recognised jurisdiction and engaged in a legal dispute with the UK’s data protection authority.

Extraterritorial enforcement is left to the Member States, therefore after the Clearview AI’s denial we have to wait to see whether and if so – how, respectively, France, Italy, Greece and Austria will be trying to enforce the decisions of their authorities. We may however expect that this process will take years and there is no guarantee that data protection authorities and their Member States will succeed. In this context, it is worth mentioning a study commissioned by the EDPB, which describes several cases, where European authorities could not enforce the GDPR outside of the EU borders. The study clearly indicates that EU data protection authorities struggle and lack legal tools to deal with controllers or processors that fall under the scope of Article 3(2) GDPR but are not willing to cooperate and do not designate an EU representative in the EU. What we can also observe is that despite European authorities having jurisdiction over third country’s controllers and processors, the enforcement is taking place on an extremely limited scale, with only a handful of proceedings against non-EU entities (not all decisions are published, but I would expect around a dozen of decisions from all EU’s DPAs in the last 5 years).

The four decisions issued against Clearview AI constitute an excellent example of how difficult it can be to enforce the provisions of the GDPR outside of the EU territory, in the case of a lack of cooperation or dispute regarding jurisdiction. Bearing in mind that in order to ensure the level-playing field and protect fundamental rights, GDPR enforcement should be possible against entities from all around the world, including countries, which do not have strong ties with the EU (e.g. Global South), this kind of situation should give us reasons to worry about the enforcement of EU digital laws and policies.

Although, the draft AI Act and DSA extraterritorial enforcement mechanisms differ a bit from the GDPR, their core, based on a moderate destination approach and market access trigger remains the same (for example the draft AI Act would apply to “providers placing on the market or putting into service AI systems in the Union, irrespective of whether those providers are established within the Union or in a third country”), therefore I expect that their extraterritorial enforcement will face similar challenges. Also, no matter which national authority will be enforcing these regulations, in a situation where there are no proper tools, the problems will remain the same. Finally, as Member States are obliged to fulfil their obligations from the Treaties and enforce the EU law, these problems may further escalate – ultimately leading to possible legal actions by the Commission against Member States under Article 258 TFEU.

The study commissioned by EDPB mentions very limited solutions for the DPAs: stronger cooperation with third-country authorities and Mutual Legal Assistance Treaties (MLATs). As regards cooperation between EU and non-EU data protection authorities in line with Article 50 GDPR, although such cooperation can facilitate investigations and sharing of information, it will not help with extraterritorial enforcement as data protection authorities are not competent to enforce each other’s decisions; moreover, all authorities remain fully independent. With respect to MLATs as a possible way forward when enforcing the biggest fines and dealing with major violations of the GDPR, it has to be stressed that the GDPR sanctions are of administrative and not criminal nature – MLATs could be therefore applicable only by these countries, where GDPR violations constitute criminal offences (here I’m aware only of Denmark and Estonia) and only in the most severe cases.

5. The urgent need to discuss extraterritorial enforcement of EU digital laws

Five years since the GDPR became applicable, we are at the stage where the challenges to extraterritorial enforcement are already identifiable and where, I believe, there is an urgent need to address them. This need is reinforced by the fact that the GDPR extraterritorial enforcement model was copied by the EU co-legislators in other legal acts, including the ones that constitute the core of the EU’s digital policy. As pointed out by Reed, lack of sufficient enforcement questions the legitimacy of the state’s claims and ultimately – its governance. The problems with extraterritorial enforcement may at some point become one of the burning issues of the European Union in its attempts to regulate the digital environment and achieve digital sovereignty. At the same time, possible solutions may not necessarily require adopting new laws, as measures based on “soft” law or the EU’s market power could to a certain extent remedy this situation.

The approach of the EU policymakers when regulating the digital environment is that passing laws will make things happen. However, this reasoning, at least in the context of extraterritoriality, is flawed. The lack of effective enforcement threatens EU legitimacy in regulating cyberspace. In this context an urgent discussion about extraterritorial enforcement, not only in the context of the GDPR, but also other digital regulations, such as DSA or draft AI Act, is needed.

The European Union is focused on citizen’s rights, China’s policy concentrates on infrastructure and the United States’ priority is to incentivise innovation. Soon, we might be entering a moment in time, when different approaches to regulating cyberspace will be confronted and some governance models – contested. Hence, how can we remain masters of our fate in a globalised and complex digital environment? Bradford has recently asked a bit provocative but very important question ”Whose AI Revolution?”. With many different legal instruments being developed in the field of AI: the AI Act, the G7 Hiroshima process, the OECD AI Principles, the G20 AI Principles, the CoE Convention, the UNESCO Recommendation, or an US President’s executive order, I argue that enforceability is what will make the difference. This is true not only in case of AI but also other digital laws. Thus, effective extraterritorial enforcement, either via hard law or via soft law solutions is of a key importance for the success of the EU’s digital policies, its values-based approach and the Europe’s role in the globalised world.