Max Planck Institute for Comparative Public Law and International Law

Heidelberg Journal of International Law

Abstracts of the last 4 Issues

The GDPR’s Extra-Territorial Scope - Data Protection in the Context of International Law and Human Rights Law

Stephan Koloßa
Jurisdiction is currently one of the most debated topics in international law. It has various forms and is used differently in general international law and in human rights law. Global internet platforms massively challenge the existing frameworks of jurisdiction. The existing international legal order is based on the Westphalian notion of state-centrism and state sovereignty. The most important link is usually a state’s territory. Yet, activities conducted online frequently ignore a state’s territorial borders. In the area of human rights law, the notion of jurisdiction has equally moved away from the territorial towards a generally extraterritorial application. This, however, leads to a conflict of jurisdictions. In the field of data and privacy protection, the European Union’s General Data Protection Regulation (GDPR) prominently standardises the domestic-market principle in Article 3(2) GDPR. According to this provision, which is titled “territorial scope”, data controllers and processors may fall within the range of obligations stipulated in the regulation even if they are located outside of the European Union (EU) and have their main business abroad. Given the potential of creating a global privacy and data protection system, this raises important questions: What is the territorial scope of application of the GDPR? What is the current role of “territory” in issues of jurisdiction? How should overlapping jurisdictions be dealt with? The current article examines the GDPR’s territorial scope under Article 3(2) GDPR in the light of the recent judgments delivered by the European Court of Justice (ECJ) and gives a brief analysis of the GDPR’s standard-setting potential in protecting privacy and data protection online.
The article will show that the current jurisprudence of the ECJ recognises the need for an extensive protection of privacy and data protection online but fails to set out clear guidelines or criteria that may help solve potential clashes with other, more closely linked jurisdictions.