Extraterritorial Laws vs European Sovereignty
European laws have been in the focus of great criticism regarding their long reaching effect. The General Data Protection Regulation (GDPR) changed the privacy landscape for private and public entities far beyond the European borders. It also formed the basis for the re-evaluation of the Privacy Shield framework and its eventual collapse[1]. Certain newly enacted legislation[2],[3] is expected to globally affect businesses offering hosting, internet provision, domain name and cloud computing services, online platforms, such as social networking and marketplaces, and search engines. These regulations are presented and summarized in the relevant CONCORDIA deliverable[4].
But what about the other way around? What about the case of legislation outside the EU affecting the European area? Is it possible for extraterritorial laws to hurt EU sovereignty?
Extraterritorial laws extend the jurisdiction (in this article, the term jurisdiction refers to any kind of jurisdiction: prescriptive, adjudicative or enforcement jurisdiction) of foreign laws such, that their legal power is exercised outside the territorial borders of the originating country. Extraterritorial laws have existed for a long time, troubling courts and governments around the globe.
In the digital domain, there are two sources of legislative developments that can potentially traverse the EU borders. On 23 March 2018, the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was signed into law[5]. The CLOUD Act seeks to speed up access to electronic information stored in US-based digital providers, when requested by crime investigators outside the US. It is argued[6], though, that under the hood, the CLOUD Act contains provisions that seem threating to citizens’ privacy. The bill amends the Stored Communications Act (SCA) so that US government bodies are authorized to compel a US provider to hand over the content of stored customer communications when held in a foreign country. It also allows foreign governments to obtain surveillance data, by way of prior established executive agreements.
On the other side of the map, China has been fencing against extraterritorial laws, while at the same time preparing its own arsenal of far-reaching legislation. Since 2020, existing laws have been updated and several legislative products have come into force to support China in blocking foreign sanctions laws[7]. China is also extending the reach of its laws[8]. The Asian country is constructing a system for the application of domestic laws beyond its territory, mimicking the US and the EU. In June 2021, China passed the Data Security Law[9], a supplement to the country’s Cybersecurity Law (2017), aiming to regulate the issues surrounding the processing of any kind of data. The Data Security Law also applies to data processing activities carried out outside China when the relevant activities have direct impact to the nation’s security, the lawful rights of Chinese citizen’s and organizations or China’s public interest. More recently, the Personal Information Protection Law (PIPL) of China was enacted, to stipulate how personal data are handled, in a manner similar to the GDPR, with similar extraterritorial effects[10]. The dust is yet to settle, but its already obvious that EU companies will need to comply to a number of foreign regulations on the digital domain.
All the above, demonstrate the extraterritorial implications of the respective legislation. Whether GDPR provisions are in danger of being bypassed or contradicted, is a matter that requires further investigation. But there is enough evidence to raise concerns over their effect on European sovereignty. Digital sovereignty is all about gaining and maintaining control over a country’s digital assets, whether these are data, services, hardware or even companies. And whenever foreign governments manage to infiltrate the Unions’ and its Members’ legal systems and reach to those very digital assets, European sovereignty is surely damaged.
For more information about the above and other similar issues, have a look at Deliverable D4.4 of CONCORDIA, “Cybersecurity Roadmap for Europe”[11].
(By Kostas Magkos, George Drivas and the National Cyber Security Authority of Greece)
[1] The CJEU judgement in the Schrems II case – European Parliament, 2020 https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf
[2] EU Regulation 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services (Digital Services Act) https://eur-lex.europa.eu/eli/reg/2022/2065/oj
[3] EU Regulation 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector (Digital Markets Act) https://eur-lex.europa.eu/eli/reg/2022/1925/oj
[4] Deliverable D4.3: 3rd year report on cybersecurity threats – CONCORDIA, 2021 https://www.concordia-h2020.eu/wp-content/uploads/2022/07/CONCORDIA-D4.3.pdf
[5] CLOUD Act Resources – The United States Department of Justice https://www.justice.gov/criminal-oia/cloud-act-resources
[6] “The CLOUD Act – A needed fix for U.S. and foreign law enforcement or threat to civil liberties?” – International Association of Privacy Professionals, 2018 https://iapp.org/news/a/the-cloud-act-a-needed-fix-for-u-s-and-foreign-law-enforcement-or-threat-to-civil-liberties/#
[7] Extraterritorial Sanctions with a Chinese Trademark, Steven Blockmans – CEPS, January 2021 https://www.ceps.eu/wp-content/uploads/2021/01/CEPS-PI2021-01_Extraterritorial-sanctions-with-Chinese-characteristics.pdf
[8] “Extraterritorial application of Chinese laws to be strengthened” – CHINA DAILY, 2020 https://global.chinadaily.com.cn/a/202001/22/WS5e27f2b9a310128217272ce3.html
[9] “China Issues Data Security Law” – The National Law Review, 2021 https://www.natlawreview.com/article/china-issues-data-security-law
[10] “China’s PIPL takes effect, compliance ‘a challenge’” – International Association of Privacy Professionals, 2021 https://iapp.org/news/a/chinas-pipl-takes-effect-compliance-a-challenge/
[11] Deliverable D4.4: Cybersecurity Roadmap for Europe – CONCORDIA, 2022 https://www.concordia-h2020.eu/wp-content/uploads/2021/10/CONCORDIA_Roadmap.pdf