Both the US’s Cloud Act and Europe’s GDPR Move Far Beyond Geography, but Will Not Solve Transatlantic Jurisdictional Conflicts

Europe’s destination approach to cyberspace privacy amounts to extraterritorial jurisdiction

Among the many rather general issues discussed in Mark Zuckerberg’s hearing before the U.S. Senate on April 10th was the reach of the European General Data Protection Regulation (GDPR), which became applicable on May 25th. Sen. Lindsey Graham (R-S.C.) alluded to it when he opened a series of rhetorical questions with “You, as a company, welcome regulation?”, culminating in the question: “You think the Europeans had it right?” Somewhat predictably, Zuckerberg did not deliver a positive answer, but gave back, “I think that they get things right.” His minimalist pun led to relieved amusement on all sides of the otherwise tense hearing. One could not help but conclude: there might be differences between Facebook and US politicians, but their real common adversary is the aspiring regulatory super-power across the Atlantic. This general skepticism towards the GDPR was formulated even more directly in a question by Sen. Maria Cantwell (D-Wash.), who asked Zuckerberg, in a straightforward yet merely rhetorical manner: “Do you believe European regulations should be applied here in the U.S.?”

The GDPR has justly received praise for its innovative approach to privacy. It may, however, justify questions such as the one Cantwell asked, and it may contain some things that are hard to swallow for US companies and regulators alike.

Its territorial scope barely deserves the label “territorial”, inasmuch as it has a very long arm. Article 3 of the regulation does not stop at controllers and processors established in the EU (Article 3(1)); Article 3(2) extends its scope to participation in the EU market, not necessarily financially remunerated participation, and to the monitoring of the behavior of data subjects within the EU: “the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behavior as far as their behavior takes place within the Union.”

With this, the GDPR applies a destination approach, based on what could be called subjective territoriality. Rather than, for example, the place where data is physically stored (objective territoriality) or the legal seat of the company controlling the data (formalist or data controller territoriality), the effects of a website on Europeans are enough to make European jurisdiction apply. As the obvious limits of the enforceability of the GDPR have not yet been put to the test, it for now seemingly applies to practically every Internet-based platform that is used in Europe. And with substantial fines for violating its terms, up to 4 percent of a company’s annual worldwide turnover (or EUR 20 million, whichever is higher), the GDPR could indeed be perceived as asserting extraterritorial jurisdiction.

Arguments about sovereignty and extraterritorial law enforcement in the Microsoft case

The analysis of European tendencies towards extraterritorialism is all the more interesting in the context of the Microsoft – Ireland case before the U.S. Supreme Court. Among the many amici curiae was a brief filed in December 2017 by representatives of the EU who seemed concerned with American overreach: the US government insisted on unilaterally obtaining data stored in Ireland, against the opposing claims of the EU, because, as it argued, the data production order in question concerned a suspect who was a US resident, his crimes were committed within the US and, most importantly, the company controlling the data, Microsoft, is headquartered in the US.

While the Cloud Act clarified the situation in the U.S., it will not resonate well with many in the EU. Already in 2014, while the Microsoft – Ireland case was still working its way through the lower courts, the Republic of Ireland filed an amicus brief that emphasized its sovereignty and advocated the use of Mutual Legal Assistance Treaties (MLATs) as the method for foreign law enforcement agencies to obtain data held within its borders, rather than unilateral warrants or orders.

From this point on, insisting on national sovereignty as an obstacle to unilateral warrants (in this case by U.S. officials) became a locus communis in the debate.

It is, however, telling that none of the amicus briefs with links to official EU institutions contained an explicit reference to the term “sovereignty”, although they all highlighted the problem of jurisdictional conflicts and recommended the use of MLATs.

Particularly striking, if one keeps the extraterritorial scope of the GDPR in mind, is that the amicus brief filed by the European Commission underlined that the U.S. government could not access the data in Ireland because the GDPR applied to it. Article 48 specifically contemplates transfers ordered by courts or authorities in third countries like the United States: “The GDPR provides that such orders may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State.” (The text of Article 48 itself closes with the qualification “without prejudice to other grounds for transfer pursuant to this Chapter”, so the bar it erects is not absolute.)

A brief by EU data protection and privacy scholars came to the same conclusion: “Microsoft cannot produce the data the Government seeks without violating the GDPR”.

Both legal systems have it wrong

It is interesting to compare the EU’s positioning in the Microsoft – Ireland case, where it invoked the GDPR against a possible extraterritorial reach of the U.S. government, with the extraterritorial scope of the GDPR itself. All-too positivist legal scholars might see no contradiction here, since the extraterritorial reach of the GDPR under Article 3 concerns user privacy, while its position against extraterritoriality in Article 48 concerns data transfers to third countries. Furthermore, Article 3 concerns extraterritorial legislative (prescriptive) jurisdiction, which is generally permitted, whereas Article 48 concerns extraterritorial enforcement jurisdiction, which is generally prohibited.

Nevertheless, in a conceptual sense, there is an evident incoherence between Article 3 and Article 48 of the GDPR. Article 3 is based on an advanced understanding of territoriality that emphasizes the effects of data rather than the location of data, a destination approach founded on intuitions about subjective territoriality. Article 48, on the other hand, does not seem to care much about the impact that data stored within the EU has on other nations. Instead, it emphasizes the geographical location where data is stored, i.e. objective territoriality. This conceptual incoherence is likely to keep producing tensions in international relations, since it expands the regulatory reach of the EU over Internet-based platforms operated from abroad while at the same time limiting the reach of other nations over data stored within the EU.

This incoherence looks even graver if one takes the transatlantic reality created by the Cloud Act into account. The Cloud Act employs yet another, formalistic understanding of territoriality based on the data controller argument: for its applicability, the legal seat of the company that controls the data is decisive, regardless of where that data is physically stored. In statutory terms, a provider subject to U.S. jurisdiction must disclose data within its “possession, custody, or control” whether the data is located inside or outside the United States.

The best way to assess this confusing situation seems to be to ask a simple question: which one is actually to be preferred, the destination approach (subjective territoriality), objective territoriality based on the physical location of data, or formalistic territoriality based on the data controller argument?

From the point of view of legal practice, it is not hard to see that, although it may seem counter-intuitive at first, the destination approach makes sense and is very common. Well-known cyberspace-related cases such as LICRA and UEJF v. Yahoo! Inc. and Yahoo France and People v. World Interactive Gaming Corp. already moved from a location-based understanding of the territorial applicability of regulations concerning cyberspace towards an effects-based approach. The popularity of the destination approach is merely an adaptation of legal reality to the technical functioning of cyberspace. The vast reach of cyberspace-related activities reduces a purely geographical restriction of law to absurdity. Take, for example, the whole debate about the abuse of extraterritoriality as a means for criminals to avoid prosecution for acts committed via cyberspace, e.g. offering pirated material in Germany via a website operated from a country with little regulation of cyberspace.

However, the data controller argument also makes a lot of sense. Less so because, as the U.S. government argued during the Microsoft – Ireland case, police forces do not actually execute extraterritorial searches themselves when they oblige companies to produce data within their control that is stored abroad. More so because there is a growing number of situations in which it makes no sense to think of data as something that occupies identifiable territory at all. Google, for instance, breaks up its emails, stores the pieces on different servers all over the world and moves them around constantly in an automated process. The company itself therefore cannot fully determine where a given piece of data is stored at any given moment. In such increasingly common cases, the data controller argument is the only territorial link that can be established at all. Therefore, despite its probably negative effect on privacy and human rights, the Cloud Act reinforced a sound principle regarding its territorial reach, and it will probably be included in a wider transnational regulatory framework between the EU and the U.S., since it is similar to the two e-evidence proposals (a Regulation and a Directive) that the European Commission put forward in April 2018. In terms of territoriality, its weaknesses concern political rather than structural aspects and will be discussed below.

The approach of objective territoriality, i.e. an emphasis on the geographical location of stored data, which the EU seemed to favor with regard to the Microsoft – Ireland case, seems to have only one argument in its favor: that the jurisdictional reach of a nation is usually limited by the geographical borders of its territory. One might argue, however, that, as the word “usually” implies, even this seemingly simple argument is not as strong as it seems. On ships sailing in international waters, for example, the jurisdictional sphere of a nation is extended without any relation to its geographical territory. Cyberspace might be understood in similar ways as an international space between nations. In this space, the jurisdictional spheres of nations can be extended independently of their geographical territory, according to the relevance that actions formally taking place in another territory have for them. In an abstract sense, the only pragmatic advantage that remains to the location-based approach is that it is instrumental in avoiding the international conflicts that inevitably arise when different nations perceive themselves to have jurisdiction over one and the same situation.

Extraterritoriality is not a bad word, but a necessary and realistic answer to contemporary problems

It is obvious that not only is “extraterritoriality not a bad word”, but that it is the necessary and realistic answer to the problems that characterize a world that is increasingly globally connected. But that means that just as European users should have the right to enjoy European privacy standards when they use one of the many websites operated from the U.S., so should the U.S. government have the right to access data in the control of a U.S. company regarding a U.S. resident who is suspected of committing a crime within the U.S., as was the issue in the Microsoft – Ireland case. Due to the GDPR and the Cloud Act, both forms of extraterritorial jurisdiction are, at the moment, legal reality. It makes little sense to vilify the Cloud Act while glorifying GDPR.

However, it is also obvious that both regulatory frameworks are shaped by political interests, which works against their de facto reciprocity. On the one hand, the data controller argument employed in the Cloud Act comes in especially handy for the US, the country where most Internet-based platforms are headquartered. One might even argue that the data controller argument, employed by the nation that hosts Silicon Valley, might actually bring about de facto global enforcement jurisdiction. On the other hand, the objective territoriality that the EU pursues through Article 48 of the GDPR might be outdated and make little sense, but it is aligned with the EU’s economic interest in becoming a data safe haven.

These conflicts of interest and the corresponding jurisdictional conflicts will inevitably be a source of tensions between the EU and the US. Surely, the best solution would be to formulate coherent and unequivocal principles of extraterritorial jurisdiction that are developed not unilaterally, but in transnational collaboration. Such a formulation must not rely on notions of geography alone, but also on more subtle categories, such as the nature of the data requested or protected, the nature of the crimes committed, the strength of the interest that a nation has in regulating or accessing the data, and the different degrees of regulation in different countries.

About the Author(s)

Johannes Thumfart

Fellow at LSTS at Vrije Universiteit Brussel, holds a PhD in the philosophy of international law from Humboldt Universität Berlin, formerly working at Universidad Iberoamericana in Mexico City and the University of Cincinnati. Follow him on Twitter: @JThumfart.

Paul De Hert

Professor at the Vrije Universiteit Brussel (VUB) and associated professor at Tilburg University. His research focuses on technology and European data protection law; international (European) criminal law; and fundamental concepts of criminal law and human rights law. He is co-director of the Brussels Privacy Hub (http://brusselsprivacyhub.org) and co-founder of the Privacy Salon (http://www.privacysalon.org).