Extraterritoriality and the Fundamental Right to Data Protection

Christopher Kuner is affiliated with the Brussels office of Wilson, Sonsini, Goodrich & Rosati, and is an Honorary Fellow of the Centre for European Legal Studies, University of Cambridge, and an Honorary Professor at the University of Copenhagen.

Following a series of thoughtful entries by Marko Milanovic, Anne Peters, and Carly Nyst dealing with the extraterritorial application of privacy rights to foreign intelligence surveillance, this post discusses extraterritoriality and the fundamental right to data protection, particularly in the context of the Internet. I will cast my net more broadly than intelligence surveillance, and avoid revisiting points made in those earlier posts.

Since space is limited, I will limit myself to three topics: 1) the distinction between data protection and privacy; 2) the status of data protection in international law; and 3) challenges for the extraterritorial application of data protection rights.

Data Protection and Privacy

Data protection law restricts the processing of personal data, and grants legal rights to individuals in how they are processed. It was developed in Europe in the 1970s and 1980s, and has now spread to all regions of the world.

Data protection and privacy often overlap, but are not identical. Privacy generally protects against intrusion into an individual’s “private space”, whereas data protection regulates the processing of an individual’s personal data, whether or not such data are considered “private”. A good starting point for understanding the distinction between the two concepts in EU law and European human rights law is the article by Juliane Kokott and Christoph Sobotta published recently in International Data Privacy Law.

An example of a situation implicating the right to data protection is the collection of data of individual mobile telephone subscribers in Africa mentioned in the 2013 Annual Report of the UN Special Rapporteur on the Promotion and Protection of the Right to Freedom of Expression and Information (see page 19). As the Special Rapporteur notes, the widespread collection of such data, and their combination with information from other databases, could lead to the comprehensive profiling of individual citizens. Data protection law is designed to protect against the untransparent processing of data files which may not seem “private” when considered in isolation, but which when combined can reveal a great deal about an individual’s personality.

Data Protection in International Law

Data protection law was originally derived from human rights instruments such as the UDHR (Article 12) and the ICCPR (Article 17) that protect the right to privacy and private life. The only legally-binding convention of potentially global scope dealing with data protection is Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108). The European Court of Human Rights has interpreted Article 8 of the European Convention on Human Rights (covering the right to private life) to include data protection (e.g., Rotaru v Romania (2000) ECHR 191), and EU law protects data protection as a fundamental right in both the Charter of Fundamental Rights of the European Union (Article 8) and the Treaty on the Functioning of the European Union (Article 16). To give just one example of the spread of data protection as a fundamental right outside Europe, the Economic Community of West African States (ECOWAS) has adopted a “Supplementary Act on Data Protection” that is based in part on the African Charter on Human and Peoples’ Rights.

The best view seems to be that data protection is an “emerging” fundamental right that has not yet gained full recognition under public international law, but may do so in the future. A growing number of international bodies support recognition of a right to data protection, as demonstrated by the recent UN General Assembly Resolution condemning the “arbitrary collection of personal data”, and by General Comment No. 16 to the ICCPR, which refers to the obligations of States to enact measures deriving from data protection law (such as providing individuals with the right to request rectification or deletion of their personal data, see para. 10).

On the other hand, the Codification Division of the UN Office of Legal Affairs concluded in 2006 in a report for the International Law Commission (ILC) that data protection is an area “in which State practice is not yet extensive or fully developed”(choose “Annexes” and go to “Annex D”, paragraph 12), and the UN General Assembly Resolution referred to above reaffirms “the right to privacy” without specifically mentioning data protection. In addition, the 35th Annual Conference of International Data Protection Commissioners would hardly have called in September 2013 for the adoption of an additional protocol to Article 17 ICCPR to “create globally applicable standards for data protection” if the right to data protection already enjoyed sufficient international recognition.

However, it seems inevitable that data protection will become broadly recognized under international law as distinct from the right to privacy. This will be particularly important in order to protect the rights of individuals in metadata relating to their electronic communications (e.g., data concerning the time and duration of Internet connections, or the location from which a connection is made), the processing of which seems more suitable for coverage by data protection law than by privacy law.

Challenges for Extraterritorial Application

Discussion of the extraterritorial application of privacy rights has thus far dealt mainly with cases of intelligence surveillance by foreign governments. To the extent that the rights of data protection and privacy are coextensive, the points made in the earlier posts would also support the argument that disproportionate intelligence surveillance constitutes a violation of data protection rights under instruments like the ECHR.

However, the everyday processing of personal data online gives rise to questions concerning the extraterritorial applicability of data protection law that go beyond intelligence surveillance. Billions of individuals use the Internet, and there is uncertainty about basic questions such as whether data protection rights apply when an individual accesses a foreign web site, and how to resolve conflicts between data protection requirements “attaching” to data transferred internationally and the law enforcement requirements of the place to which they are transferred.  For example, Indian law enforcement authorities regularly seek access to personal data accessible online from India, even when the data are stored in foreign countries that have strong data protection laws. It is thus not surprising that the Hague Conference on Private International Law noted in a paper published in 2010 (para. 14) that “cross-border data transfers have raised serious questions of international jurisdiction”.

Furthermore, much data processing is carried out not by the State, but by private entities. We lack a sound conceptual model of how the protective duty of the State under data protection law can be applied and enforced extraterritorially on the global Internet, a question that is even more difficult with regard to data processed by private parties.

Marko has argued cogently that the term “jurisdiction” as used in human rights treaties should be understood differently from its use in public international law. Most analysis of the extraterritorial applicability of human rights law has focused on cases involving armed conflict or military occupation, in the context of which the main concern has been to avoid a narrow, territorial interpretation of jurisdiction, in order to avoid leaving individuals caught in life-and-death situations without any legal protection.

Many situations involving data processing on the Internet deal not just with the question of whether any protection applies at all, but with the resolution of conflicts between different laws, a situation I have discussed in my recent book. Such conflicts confuse individuals about what law applies to the processing of their personal data, waste regulatory resources, and can lead to political tensions. These conflicts increasingly involve a clash between differing concepts of fundamental rights; an example is the current disagreement between the EU and the US with regard to what protections should apply to the online data of EU individuals that are processed in the US.

I believe that jurisdictional rules under public international law can play a useful role in allocating regulatory competence between States with regard to online data processing. I also think that States will increasingly need to take the interests of foreign stakeholders into account in applying their data protection laws, in order to avoid or at least ameliorate such conflicts; an intriguing theoretical framework that could be applied to such situations was recently set forth on this blog by Eyal Benvenisti. Resolving conflicts with regard to online data protection will also require international agreement on data protection standards, through work such as the plans to draft a protocol to Article 17 ICCPR.

Defining the extraterritorial extent of data protection rights will be one of the most challenging questions for applying fundamental rights to the online environment; much work remains to be done to meet this challenge.