Juggling More Than Three Balls at Once: Multilevel Jurisdictional Challenges in EU Data Protection Regulation


International Journal of Law and Information Technology, 2019, 27, 142–170

doi: 10.1093/ijlit/eaz002
Article

Downloaded from https://academic.oup.com/ijlit/article/27/2/142/5487446 by North-West University user on 20 November 2020

Juggling more than three balls at once: multilevel jurisdictional challenges in EU Data Protection Regulation
Julia Hörnle*

ABSTRACT
This article analyses the rules on regulatory competence, jurisdiction and applicable law in
European Union (EU) data protection law in the light of recent case law of the Court
of Justice of the EU and national courts and in the light of the changes that were
introduced by the General Data Protection Regulation (GDPR). It finds that, in the
regulatory context, the rules on applicable law effectively become rules of regulatory
competence (jurisdiction in the narrower sense) and that a crucial distinction should
be made between internal conflicts of law (between the Member States) and external
conflicts of law (Member States vs third countries). It argues that Member States
should trust each other sufficiently to apply the law of the main establishment for in-
ternal conflicts but welcomes the wide interpretation of the establishment rules in
Google Spain. It argues that this wide interpretation should apply to external conflicts
of law only. Finally, the article finds that enforcement cooperation has been improved
through the detailed provisions in the GDPR (compared to the Data Protection
Directive) but that an opportunity has been missed in not creating a single EU en-
forcement authority. This is unfortunate since the coordination procedure established
in the GDPR is likely to be cumbersome and fraught with political wrangling.
KEYWORDS: jurisdiction, applicable law, data protection law, General Data Protection
Regulation (EU) 2016/679, competences of regulatory authorities, conflict of law

INTRODUCTION
The story of the Referendum on the ‘Brexit’ of the UK from the European Union
(EU) in the summer of 2016 as well as the election of Donald Trump as the
President of the USA illustrate each respective electorate’s call for ‘taking back con-
trol’, for more national sovereignty free from influences perceived as ‘foreign’ in the
minds of significant parts of the electorate. Thus, the notions of sovereignty and na-
tional jurisdiction are far from dead, not in spite of, but because of globalization of
trade (and connected to that—data flows). While this article is, of course, not sug-
gesting that the UK referendum or the US election were directly influenced by data

* Professor of Internet Law, CCLS, Queen Mary University of London, E-mail: [email protected]. The author
gratefully acknowledges the feedback and comments by Professor Marise Cremona and the helpful comments and
suggestions of the two peer reviewers from IJLIT. Any errors or mistakes are, of course, solely my responsibility.

© The Author(s) (2019). Published by Oxford University Press. All rights reserved.
For permissions, please email: [email protected].

protection policy or regulation, more generally driven by fears about migration, jobs
and security in a globalized world, what the outcome of both these events shows is a
call for more national sovereignty (and thus, as far as regulatory matters are con-
cerned, a strengthening of jurisdiction). There is a paradox in this respect at EU
level, namely if EU Member States are prepared to cede more of their sovereignty to
the central EU level, this will increase both compliance and the effectiveness of en-
forcement of (data protection) law vis-à-vis third countries, thereby collectively
increasing the sovereignty of all EU Member States vis-à-vis the rest of the world,
even though the sovereignty to act nationally is affected.
The main focus of this article is the intriguing question of when EU law is applied
to, and enforced against, foreign data controllers by data protection authorities situ-
ated in a Member State of the EU. This article examines jurisdiction and applicable
law in the area of data protection enforcement1 in the light of recent jurisprudence
of the Court of Justice of the European Union (CJEU) and Member States’ courts.
Given that this case law relates to the ‘old’ data protection instrument, namely, the
Data Protection Directive 1995/46/EC (‘DPD’), this is contrasted with the ‘new’
General Data Protection Regulation (GDPR),2 which has recently entered into force.
The comparison with the now superseded DPD is also important as it sketches the
background and development of current data protection law, which is important for
the wider context and in particular for showing how difficult a coordination of na-
tional competences in this field has been. The article does not examine jurisdiction
in civil litigation before the courts but instead focuses exclusively on administrative
and regulatory competence under public law.
Thus, the article analyses the vexed relationship between the jurisdictional com-
petence of data protection authorities and the law they apply. It makes two main
arguments: (i) that the rules on applicable law effectively have become jurisdiction-
al rules in that they determine the competent enforcement authority and (ii) that a
distinction should be made between internal and external conflicts of data protec-
tion law, both on a doctrinal, conceptual level and in the application of the conflict
rules.
Internal conflicts of law are conflicts between the data protection authorities of
each of the EU Member States in their application and enforcement of EU data pro-
tection law(s) despite the fact that EU data protection law is largely3 harmonized.
Thus, internal conflicts are essentially intra-EU conflicts. These conflicts arise be-
cause data protection authorities are independent from each other and can interpret

1 The article, however, does not cover litigation (by data subjects) and private international law; readers are
referred to art 79 GDPR and M Brkan, ‘Data Protection and European Private International Law:
Observing a Bull in a China Shop’ (2015) 5(4) International Data Privacy Law 257.
2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protec-
tion of natural persons with regard to the processing of personal data and on the free movement of such
data and repealing Directive 95/46/EC (GDPR) (text with EEA relevance) (2016) OJ L119/1.
3 Some variations will continue to exist, see arts 6(2), 9(4) and 23 GDPR, for example. Under art 6(2),
Member States can introduce more specific requirements to processing in compliance with a legal obliga-
tion or in the public interest, art 9(4) allows for further conditions and limitations in respect of the proc-
essing of genetic, biometric or health data, and art 23 allows Member States to maintain or introduce
restrictions to data protection rights.

data protection law independently from each other.4 External conflicts of law are
conflicts between the harmonized data protection law(s) of the EU, on the one
hand, and the law of third countries (such as the USA or China), on the other hand.
For the many third countries that generally have lower standards of data protection
than the EU,5 safeguarding fundamental data protection standards in the EU arguably
should mean interpreting the jurisdictional criteria more expansively. It is precisely
this variation in standards of data protection that means that mutual
recognition cannot be assured. Thus, there are good policy reasons to interpret juris-
diction rules more expansively for external conflicts (as the CJEU has done in Google
Spain as discussed further), compared to internal conflicts.
Equally it is argued here that, for internal conflicts of law, EU Member States
(other than the Member State where the main establishment is located) should
refrain from exercising their jurisdiction and from applying their national data
protection rules, to avoid multiple national laws applying, thereby fragmenting the ef-
fectiveness of data protection law, unless exceptional circumstances apply. Since the
fundamental right to data protection in the EU Charter of Fundamental Rights
applies everywhere in the EU, Member States should be prepared to trust each
other’s standard of regulation, at least as far as any jurisdictional rules are concerned.
Any differences in approaches to data protection law should not be dealt with
through the mechanism of jurisdiction but through enforcement cooperation mecha-
nisms (now contained in the GDPR) and at the policy level.
The article proceeds by first examining the concepts of jurisdiction and applic-
able law and the differences between these two concepts. For someone who is not
a conflict of law scholar, it may not seem obvious how the concept of jurisdiction
(competence to rule) relates to the concept of applicable law (the set of national
rules governing a particular ‘act of data processing or the obligations of a particular
data controller/processor’). The doctrinal differences between jurisdiction and ap-
plicable law will be examined in section ‘Applicable law versus jurisdiction’. The
article then examines which national authority has regulatory competence and
which data protection authority the data subject can turn to for filing his complaint
(section ‘Specific rules on the competence of the supervisory authorities in EU
data protection law’) and which law this authority must apply (section ‘Rules on
applicable law’). Section ‘General principles’ places the rules on jurisdiction and
applicable law in the wider context of international law and sets out some of the
principles used in the discussion of international jurisdiction (without going into
too much doctrinal detail for lack of space in this article) and how the data

4 art 29 Working Party WP 225 Guidelines p 8; Case C-230/14 Weltimmo v Nemzeti (1 October 2015)
ECLI:EU:C:2015:639, para 28; Advocate General Bot in Case C-210/16 Unabhängiges Landeszentrum für
Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (24 October 2017)
Advocate General Opinion, para 96–97; Case C-210/16 Unabhängiges Landeszentrum für Datenschutz
Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (5 June 2018) ECLI:EU:C:2018:388,
paras 69–74.
5 Which may not be the case for countries who have adequacy status or have higher standards than the EU
in particular subject areas, such as the US Child Online Privacy Protection Act (1999), which imposed
higher standards of protection than the Directive. However, certainly the great majority of countries in the
world have, generally speaking, lower data protection standards than the EU. Only the EU has elevated
data protection to fundamental rights status in the EU Charter of Fundamental Rights, art 8.

protection jurisdictional principles fit into that wider discussion, before the article
concludes in section ‘Conclusion’.

APPLICABLE LAW VERSUS JURISDICTION
The distinction between jurisdiction and applicable law in the area of data protection
has remained obscure for a long time, and it is only in the recent jurisprudence of
the CJEU that a clearer picture of the relationship has emerged. No international
principles, rules or consensus exists on jurisdiction and applicable law in data protec-
tion matters. The drafting processes of the 1981 OECD Privacy Guidelines, the
1999 Hague Conference on Private International Law and the 2009 Madrid
Resolution all considered including provisions on data protection conflicts of law
rules but omitted including them.6 As a matter of general principle, there are two
types of conflict of law rules: jurisdiction and applicable law.
The rules on jurisdiction determine the competence of the national data protection
authorities to exercise their enforcement powers,7 whereas the rules on applicable law de-
termine which state’s laws apply to an act of data processing.8 Doctrinally, therefore, jur-
isdiction and applicable law are two separate stages in the law enforcement process: first,
a national data protection authority needs to decide whether it can deal with the matter
at hand and, secondly, it must decide which law governs its decision-making power.9
As to which Member State’s law applies, to the chagrin of many online businesses,
the DPD did not fully harmonize data protection laws across the EU, since it is in
the nature of a Directive that Member States have some discretion in the detailed im-
plementation of its provisions. Therefore, there were considerable differences be-
tween the data protection laws of the Member States before the GDPR came into
force. Now the Data Protection Regulation EU/2016/679 is in full force (since 25
May 2018), data protection laws in the EU have been further harmonized, thus pro-
viding for fewer conflicts between internal laws of the EU. Some internal conflicts
continue to persist because of differing interpretations of the GDPR between the
Member States, albeit that only time will tell how significant these divergences will
be. By contrast, external conflicts will persist. These external conflicts are about the
question whether or not EU data protection laws apply to non-EU companies
(including US online service providers such as Google and Facebook). From the
point of view of protecting EU residents’ personal data, arguably this is a more im-
portant issue than internal conflicts.10 One of the main reasons for the broad formu-
lation and interpretation of the provisions in the DPD and GDPR on when EU data
protection law applies is to prevent EU residents from being deprived of the

6 C Kuner, ‘Data Protection and International Jurisdiction on the Internet Part I’ (2010) 18(2)
International Journal of Law and Information Technology 176, 186–87.
7 Jurisdiction of the courts and civil litigation are outside the scope of this article.
8 Kuner (n 6) 179, referring to seminal work of FA Mann, ‘The Doctrine of Jurisdiction in International
Law’ (1964) 111 Recueil des Cours de L’Académie de Droit International 9, 13.
9 Weltimmo (1 October 2015) (n 4) paras 21–23; see also the Opinion of Advocate General Pedro Cruz
Villalon in C-230/14 Weltimmo v Nemzeti (25 June 2015) ECLI:EU:C:2015:426, para 17; and Kuner
(n 6).
10 art 29 Working Party WP 179 Update of Opinion 8/2010 on applicable law in light of the CJEU
Judgment in Google Spain, 6.

protection standards enshrined in EU law (such as the DPD, GDPR and the
Charter).11 This is important for external conflicts but to a lesser degree for internal
conflicts.
The layers of competences in EU data protection law in the shape of national jurisdictional
competence combined with pan-EU harmonization and coordination
makes data protection law very complex, uncertain and difficult to comply with, and
this will be discussed in more detail further.
In public law, traditionally, an administrative authority only applies its ‘own’ na-
tional law and never that of another state, which would be inimical to the notion of
sovereignty of the state. Thus, the paradigm in ‘public law’ is that the applicable law
is that of the state to which the administrative authority belongs.
However, the ‘old’ DPD in Article 28(6) provided that ‘each supervisory authority
is competent, whatever the national law applicable to the processing in question (em-
phasis added), (. . .)’ to exercise the powers of enforcement on its territory. This
phrasing suggested that, under the now superseded DPD, a data protection authority
had the power to apply the data protection law of another Member State in some
instances. This would have been a novel concept in International Law—the idea that
a public authority applied the administrative law of another state would be totally
against the grain of the concept of national sovereignty.12 Indeed, the CJEU has
made clear in Weltimmo that this power to act on the basis of foreign data protection
law was limited to the initial investigative powers, mutual assistance and cooperation
but did not extend to enforcement action per se, namely the imposition of penal-
ties.13 This will be discussed in greater detail further, but it should be pointed out al-
ready in this section that essentially, the CJEU has maintained the status quo, that
competence follows the applicable law, ie only the national data protection
authority/-ies whose law applies to a specific infringement is/are in fact competent
to enforce the data protection law ‘on their territory’. Advocate Bot stated in the
ULD v Wirtschaftsakademie case that ‘given that the law of the Member State to
which the German supervisory authority belongs is applicable to the processing of
personal data (. . .), that authority is in a position to exercise all its powers of inter-
vention in order to ensure that German law is applied and observed by Facebook on
German territory’. Effectively, this means that under the old DPD, the rules on ap-
plicable law determined both jurisdiction and applicable law.14 This then raises the
question of how do the specific rules on the competence of the supervisory author-
ities15 relate to this determination of jurisdiction through the applicable law. As will
be seen in the next section, the GDPR provides for much wider jurisdictional compe-
tences than just establishment of the controller but limits the jurisdictional compe-
tences at the same time by the consistency mechanism. This will be discussed in the
next section.

11 ibid; Case C-131/12 Google Spain (2014) ECLI:EU:C:2014:317, paras 53–55.


12 J Crawford, Brownlie’s Principles of Public International Law (8th edn, OUP 2012) 204, 472; C Kuner (n
6) 181.
13 Discussed below in section ‘Equipment as a territorial link’.
14 Wirtschaftsakademie (24 October 2017) (n 4), para 111; Wirtschaftsakademie (5 June 2018) (n 4), para
52.
15 art 28 (6) DPD previously and now, art 56 GDPR.

SPECIFIC RULES ON THE COMPETENCE OF THE SUPERVISORY AUTHORITIES IN EU DATA PROTECTION LAW
DPD 1995/46/EC
In a situation where the data controller is established in one Member State and the
data subject is resident in another, the question arises which state’s data protection
authority is competent/has jurisdiction to hear complaints, make use of investigatory
powers and take enforcement action. The question of competency of the national
data protection authorities used to be addressed by Article 28(6) of the DPD: ‘is
competent (. . .) to exercise on the territory of its own Member State the powers
conferred on it (. . .)’.
In case C-230/14 Weltimmo v Nemzeti,16 a business—‘formally registered’ and
established in Slovakia17—allowed Hungarian owners of holiday properties to adver-
tise on its real estate website. It operated a freemium business model with the first
month of advertising being free, but a fee was payable thereafter. However, several
Hungarian property owners complained to their local data protection authority.
Weltimmo had omitted to delete advertisements and personal data of these
Hungarian property owners even though they had withdrawn from the transaction
within the first month. Instead, Weltimmo demanded payment of a fee and passed on
the property owners’ details to debt collection agencies. The question was whether
the Hungarian data protection authority had jurisdiction to take enforcement action
against the business formally established in Slovakia. The Hungarian data protection
authority imposed a fine of approx. Euro 32,000 on the business established in
Slovakia in accordance with Hungarian law (the Slovakian data protection authority
did not have the power under its own law to impose any fine). The case was referred
to the CJEU on appeal by Weltimmo who argued that the Hungarian data protection
authority was not competent and, therefore, should not have imposed a fine under
Hungarian law.18
The CJEU held in Weltimmo that a data protection authority has to follow its
own national procedural law when exercising its investigative and enforcement
powers but that these powers are ‘limited to its territory’.19 A data protection author-
ity in one Member State (eg Hungary) may not impose a penalty on a data control-
ler in another Member State (eg Slovakia) if the data protection law of the first
Member State (Hungary) is not applicable under Article 4 of the DPD (for example,
where the data controller is not established in the first Member State (Hungary) and
does not use equipment there). Therefore, in the case that Hungarian law did not
apply to Weltimmo,20 the Hungarian data protection authority may investigate
according to its own procedural law, but it must not apply fines and other penalties

16 Weltimmo (1 October 2015) (n 4).


17 Though the CJEU thought it likely that, on the facts (to be determined by the national court), it was
established in Hungary as well, paras 32–33.
18 Paras 9–12.
19 Weltimmo (1 October 2015) (n 4) paras 50 and 52; see also Wirtschaftsakademie (5 June 2018) (n 4),
para 50.
20 Although the fact-finding is ultimately a question for the national courts, the CJEU indicated that
Weltimmo is likely to be established in Hungary with a relevant establishment and that, therefore,
Hungarian law applies, paras 32–33, 38. So, the prohibition on applying fines under Hungarian law is

but should cooperate with the Slovakian data protection authority in respect of
enforcement.21 Otherwise, the principle of national sovereignty and the rule of law
would be infringed. Therefore, as a consequence of this CJEU ruling, it is now clear
that the rules on applicable law effectively determine both applicable law ‘and jurisdiction’,
for external conflicts of law situations and internal conflicts of law situations.22
Thus, since data protection authorities are independent, and independent from
each other, they may exercise jurisdiction for their territory and may equally apply
the law independently from each other. This was certainly the case under the DPD,
as confirmed by Wirtschaftsakademie, where the CJEU held that data protection
authorities do not need to take into account a countervailing decision of another
data protection authority who has come to a different conclusion and that there was
no priority for the data protection authority at the place of the (main) data control-
ler’s main establishment.23 The GDPR maintains that in principle, each independent
data protection authority remains jurisdictionally competent but introduces a manda-
tory coordination procedure, the so-called consistency mechanism. The GDPR is dis-
cussed in the next section.
Thus, it is now clear that if a data controller is not at all established in the
Member State whose data protection authority is examining the case, then the data
protection authority should investigate and use its power to cooperate with other
data protection authorities, but it may ‘not’ impose penalties under its own law,
according to Weltimmo. While national data protection authorities have a duty to
cooperate, for example, by exchanging information and granting each other mutual
assistance,24 they cannot apply the enforcement powers of another state. So, for ex-
ample, the data protection authority of one Member State (eg Greece) may ask a
data protection authority of another (eg a German Data Protection Authority) to ex-
ercise its enforcement powers against a data controller established in that country
(eg a German trader) on behalf of data subjects in the former Member State (eg con-
sumers in Greece). But the Greek authority may not impose these measures itself.
One example of a coordinated approach between the different data protection
authorities of the Member States is the common criteria for handling of complaints
in respect of search engines’ refusal to delist search results after the Google Spain
case.25 This approach ensures some consistency between the enforcement actions
that different national data protection authorities may take in response to delisting
requests that have been refused by search engines.
Furthermore, the Article 29 Working Party has made clear in its Guidelines that
data subjects are entitled to contact their local establishment (eg subsidiary) of the
search engine with their delisting request and may complain to their local, domestic
data protection authority. In other words, the data protection authority at the place
only relevant if the national court was to find on the facts that Weltimmo is not established in Hungary at
all: paras 42, 55 and 57.
21 ibid, paras 57 and 59; Weltimmo (25 June 2015) (n 9), paras 60–66.
22 Wirtschaftsakademie (5 June 2018) (n 4), paras 50–52.
23 ibid, paras 69–74.
24 ibid, para 68; coordination now further enhanced by the consistency mechanism discussed further.
25 See n 4, 5 and 12–20.

of residence of the data subject is competent to hear a complaint and must act on it.
This is mandated by the principle of effective protection.26 In turn, a national data
protection authority may contact the local establishment/subsidiary of the data con-
troller who has to deal with and/or coordinate any requests for information and
cooperate in respect of complaints.27 Moreover, it is equally clear that a national data
protection authority’s power is limited in that it cannot declare invalid an ‘EU’ legal
act such as the Safe Harbour Adequacy Decision, which only the CJEU has jurisdic-
tion to declare invalid (as it has done in case C-362/14 Max Schrems) in order to
guarantee the uniform application of EU law.28
As this discussion illustrates, the duties to cooperate and coordinate between data
protection authorities in the EU/EEA Member States had been limited, and it is in
this context that the improvements in the GDPR have to be examined. From the
viewpoint of the operation of the DPD, it was clear that a better defined system of
enforcement cooperation was required, and this deficit has now been addressed (but
not solved) in the new GDPR, which will be discussed next.

GDPR EU/2016/679
The approach in the DPD, with potentially several data protection authorities being
competent to enforce data protection laws simultaneously and independently of each
other against the same data controller, with only a minimal and vague duty to
cooperate in their enforcement actions, has created an unsatisfactory situation, which
is ineffective from a law enforcement point of view, creates legal uncertainty
for data controllers and processors, and leads to conflicts of law.
This situation has been addressed by the GDPR by providing for a lead data pro-
tection authority at the place of the main establishment of a data controller or pro-
cessor for cross-border data processing (‘one stop shop’), greater obligations of data
protection authorities to cooperate and a mechanism to coordinate conflicts between
data protection authorities (‘consistency mechanism’), an EU body with enhanced
powers, including the making of binding decisions (European Data Protection Board
(EDPB)) and clearer and more comprehensive rules on national competency.29

One-stop shop
If a data controller has several establishments across the EU, the data protection au-
thority in the state of the ‘main’ establishment will be the lead data protection au-
thority for cross-border30 processing.31 This overcomes the deficiencies discussed
earlier in relation to internal conflicts, at least partially. The lead authority is

26 ibid 8; see also Case C-362/14 Max Schrems (6 October 2015) ECLI:EU:C:2015:650, paras 56–58.
27 ibid.
28 ibid, para 61.
29 See also the Guidelines on the Lead Supervisory Authority WP244 rev.01 of 31 October 2017 (EDPB)
(hereafter ‘2017 EDPB Guidelines’).
30 Cross-border data processing is defined as two alternatives: (i) where a data controller has several estab-
lishments in the Member States and carries out data processing in the context of its activities and (ii)
where a data controller has only one establishment, but the data processing substantially affects persons
in several Member States, art 4(23); see also the 2017 EDPB Guidelines fn 32.
31 art 56(1) GDPR.

essentially the data protection authority who has the primary responsibility for
enforcement.32 This is only a partial solution, however, as it only applies where there
is a main establishment within the EU—it does not apply where the data controller
has no establishment and EU law applies because of the targeting provisions in
Article 3(2).33
However, if the subject matter of enforcement relates only to the establishment of
one Member State and/or if only persons in one Member State are affected, then
the local data protection authority of that Member State remains competent and not
the lead authority.34 Therefore, enforcement continues to be fragmented to deal
with local issues. In that case, the local supervisory authority must inform the lead
authority and give it an opportunity to take on the lead of any enforcement action.35
Even if the lead authority takes on the case, the local supervisory authority may pass
a draft decision, which should be taken into account by the lead authority.36 But in
any case, all communications, decisions, orders, etc to the data controller in cross-
border cases must come from the lead data protection authority.37
The main establishment is defined as the place of central administration in the
EU, or, for data controllers the establishment where the decisions on purposes and
means of data protection are taken,38 or for data processors who do not have one
central administration in the EU, the establishment where the main processing in
the context of the activities of that establishment ‘actually’ take place39 (such as
the location of a data centre used in cloud computing). This is largely determined
by the companies themselves (for example, through designation), but the data pro-
tection authorities will look at the factual reality of where decisions are made.40
Also in some cases, for example, where data processing decisions are made outside
the EU and EU establishments are not involved in these decisions and no central
administration exists within the EU, no lead authority may exist, and several na-
tional data protection authorities may be equally competent, according to the
2017 Guidelines.41
This provision is more compliance friendly (compared to the Directive) for data
controllers such as Amazon or Facebook whose corporate structure has designated
one of their EU establishments as the EU headquarters (including for data protection
compliance and policy purposes), but it has created a complicated, almost byzantine
coordination structure, which may prove slow and cumbersome (but does at least
encourage cooperation between the Member States).

32 2017 EDPB Guidelines fn 32, 4.
33 ibid 10.
34 art 56(2) GDPR.
35 art 56(3) GDPR.
36 art 56(4).
37 art 56(6), art 60.
38 art 4(16)(a) GDPR—if decisions in respect of different acts of processing are made by different main
establishments, this could mean that there will be more than one lead authority, 2017 EDPB Guidelines
fn 32, 5–6.
39 art 4(16)(b) GDPR.
40 2017 EDPB Guidelines fn 32, 6 and 8.
41 2017 EDPB Guidelines fn 32, 7.

Competence of data protection authorities—jurisdiction


Additionally, the GDPR provides much more detailed rules on the competence of
the data protection authorities in the Member States. First, it makes clear that the na-
tional data protection authority in the Member State where the data subject is habit-
ually resident has jurisdiction to hear complaints; in other words, data subjects can
make complaints to their local data protection authority.42 Furthermore, data sub-
jects may also lodge a complaint in their place of work or the place of the alleged in-
fringement.43 The Regulation furthermore imposes an obligation on Member States
to provide data subjects with a judicial remedy and stipulates that the courts at the
place of establishment of the controller (or processor) and the courts in the place of
habitual residence of the data subject have concurrent jurisdiction,44 unless the data
controller is a public body acting in the exercise of official authority.45 The GDPR
also provides for ‘lis pendens’ rules, whereby any court other than the court first
seized must suspend proceedings to prevent irreconcilable judgments.46
Each authority’s acts are expressly limited to its territory in a similar provision to
Article 28(6) of the DPD as interpreted in Weltimmo. Article 55(1) of the GDPR
states: ‘each supervisory authority shall be competent for (. . .) the exercise of the
powers conferred on it in accordance with this Regulation on the territory of its own
Member State’.
Furthermore, the GDPR sets out which data protection authorities are (in prin-
ciple jointly, but subject to the hierarchy of the lead authority47 and the cooperation
mechanism48) competent to act, thereby setting out the required jurisdictional links
by defining the concept of ‘the supervisory authority concerned’. This has evolved
from the case law under the DPD discussed earlier. The supervisory authority con-
cerned can be the data protection authorities in the following Member States: (i) the
place where the controller/processor is established, (ii) a Member State in which
data subjects are or are likely to be substantially affected and (iii) a Member State be-
fore whose supervisory authority a complaint has been lodged.49 These grounds of
jurisdictional competence of data protection authorities are extremely wide in that
from this wording, it seems that a data protection authority cannot refuse to initially
investigate based on jurisdiction and that, if a particular practice impacts on consum-
ers in all Member States, potentially all authorities are competent to investigate.
However, this wide competency is tempered by the mechanisms examined in the
next section. Therefore, competency is no longer limited to the rules on applicable
law,50 and national data protection authorities other than the lead authority have
jurisdiction.51

42 art 77(1) on the right to lodge a complaint with a supervisory authority.
43 ibid.
44 art 79(2).
45 ibid—in which case presumably the courts in that Member State have jurisdiction according to national
law, but the Regulation leaves this open.
46 art 81(2).
47 Described earlier.
48 Described further.
49 art 4(22).
50 art 4 DPD and art 3 GDPR.
51 2017 EDPB Guidelines fn 32, 9.

Cooperation obligation of the Member States, the consistency mechanism and the EDPB
Under the new GDPR, national data protection authorities, even if competent, can
only act under the consistency mechanism and are thereby forced to cooperate at
least on paper. It remains to be seen how well this cooperation mechanism will work
in practice. The express obligation of the supervisory authorities to cooperate with
each other and the European Commission is contained in Article 51(2), and its pur-
pose is to contribute to the consistent application of the Regulation. This
cooperation includes the sharing of information, mutual assistance and conducting
joint operations.52 Given the different approaches to data protection in different
Member States it is, however, likely that some Member States are more likely to
cooperate than others.
In cross-border cases, there is an obligation for supervisory authorities to
cooperate with each other with a view to reaching a consensus decision, and the
GDPR contains detailed procedural rules for achieving this.53 In particular, the lead
authority should circulate any draft decisions and, if any other authority expresses a
‘relevant and reasoned’ objection,54 which the lead authority does not wish to follow,
the EDPB55 will decide any disputes between the authorities (‘consistency mecha-
nism’ in Article 63).56 In urgent cases,57 a local supervisory authority has the power
to take provisional measures for a maximum period of three months58 or if final
measures are required in such urgent cases, it can request a decision from the
Board.59 The EDPB will also have an advisory role, giving guidance and issuing
Opinions (similar to the existing Article 29 Working Party).60 This procedure is like-
ly to be cumbersome and will lead to the usual political entanglements in inter-
national state cooperation. The inability of the Member States to fully empower the
EDPB with the power to be responsible for enforcement measures is regrettable as a
missed opportunity. However, given the existing differences between Member States,
this could be an intermediate step to the ultimate creation of a full EU enforcement
body.61 However, given the current centrifugal tendencies in (some) EU Member
States (the strongest of which is, of course, the UK’s Brexit), further integration in
the EU data protection area may not be quickly forthcoming.

RULES ON APPLICABLE LAW
Article 3 of the GDPR EU/2016/67962 contains the provisions on applicable law.
The rules on applicable law were contained in Article 4 DPD, which determined

52 art 57(g), art 60(2) and arts 61–62.
53 art 60.
54 art 60(3)–(4).
55 Consisting of representatives of all data protection authorities and replacing the current art 29 Working
Party.
56 art 60(4) and art 65(1)(a).
57 ‘urgent need to act in order to protect the rights and freedoms of data subjects’, art 66(1).
58 art 66(1).
59 art 66(2).
60 art 70.
61 This is just speculation on the author’s part.
62 (2016) OJ L119/1.

conflicts of law between different national laws in the EU Member States. However,
since a public regulatory authority only applies its own law, it became clear that these
provisions also by necessity determined regulatory competence under the old DPD63
and, therefore, indirectly stipulated when an EU data protection authority was able
to apply its data protection law. As explained earlier, Article 4 of the old DPD, therefore,
effectively determined ‘both’ the applicable law and which EU data protection
authority was competent to enforce. This has now changed with the GDPR as the
GDPR has set out separate provisions on regulatory competence in Article 4(22) by
defining the ‘supervisory authority concerned’. This was possible as the GDPR works
on the basis that EU data protection law has now been completely harmonized and
that, therefore, all Member States apply the same law (the GDPR).

Establishment link in the directive and the regulation


There are two basic principles for determining the data protection law applicable to
a particular act of processing: 1) The main basis for deciding which state’s law
applies to an act of data processing is the concept of establishment, originally con-
tained in Article 4(1) (a) of the Data Protection Directive 1995/46/EC (‘DPD’)64
but now contained in Article 3(1) of the GDPR EU/2016/679.65
The Directive provided, and the Regulation now continues to provide, that if
the processing is carried out in the context of the activities of an establishment of the
controller (and, in the case of the GDPR additionally, the processor), the law at the
place of that establishment applies.66 In order to provide for effective protection, the
CJEU has interpreted the concept of establishment broadly, and this broad applica-
tion refers to both the Directive and the Regulation.67
The main distinction68 between the establishment provision in the ‘old’ Directive
and the ‘new’ Regulation is that the Directive referred to establishment in a Member
State and the Regulation now refers to establishment in the EU. The reason behind
this difference is that since the aim of the Regulation is to harmonize data protection
law, there is no need to provide for any internal conflicts of applicable laws between
the Member States. However, since in practice (some) gaps are likely to remain (see
the derogation in Article 6(2) and the exceptions in Article 23), there is uncertainty
how these remaining internal conflicts are solved under the GDPR.
It is important to emphasize here that the location of the processing as such is ir-
relevant for determining the applicable law.69 For example, if a French-established
business (who is responsible for the data processing and the data controller) used a
Canadian cloud company who uses a data centre in the USA (where the processing

63 More generally, with respect to regulatory law: C Ryngaert, Jurisdiction in International Law (2nd edn,
OUP 2015) 17.
64 (1995) OJ L281/31.
65 GDPR (n 62).
66 art 4(1)(a) of the DPD and art 3(1) of GDPR: ‘This Regulation applies to the processing of personal
data in the context of the activities of an establishment of a controller or a processor in the Union, regard-
less of whether the processing takes place in the Union or not.’
67 Google Spain (n 11) paras 53–54; Weltimmo (1 October 2015) (n 4) para 25.
68 The other distinction is that the GDPR now only refers to the processor’s establishment for actions taken
against processors.
69 Recital 20 DPD; Recital 22 and art 3(1) GDPR.

physically takes place), French data protection laws would nevertheless apply.70
Likewise, if the data centre is located in Belgium, only French data protection law
applies, as the data controller (French company) has an establishment in the EU.
The nationality of the data subject complaining about a data protection infringement
is irrelevant.71
In order to apply this jurisdictional link, it is necessary to determine (i) what
amounts to ‘establishment’ and (ii) what amounts to processing in the context of the
activities of the controller (or processor). The first element was clarified and at issue
in case C-230/14 Weltimmo v Nemzeti in 2016, and the second element was clarified
in case C-131/12 Google Spain v AEPD/Mario Costeja Gonzalez in 2014, and both
have been further refined in Wirtschaftsakademie in 2018.

The concept of establishment in the jurisprudence of the CJEU


The concept of establishment has been interpreted in an extensive jurisprudence of
the CJEU, for example, in connection with the distinction between two of the four
elementary freedoms guaranteed by the Internal Market: the freedom to provide
services in Article 49 TFEU and the freedom of establishment in Article 56 TFEU.72
The case law of the CJEU in essence held that establishment means ‘the effective
and real exercise of activity through stable arrangements’ in the Member State con-
cerned, irrespective of the legal form this establishment takes (branch or subsidiary
with its own legal personality).73 In Factortame, the CJEU defined establishment as
‘the actual pursuit of an economic activity through a fixed establishment in another
member state for an indefinite period’.74 The time element means that the pursuit of
the economic activity must not be only temporary but must be on a stable and con-
tinuous basis, taking into account the regularity, periodicity or continuity of the activ-
ity, which is what distinguishes it from the provision of services.75 The CJEU has
taken a broad and flexible approach to establishment, so that, for example, an under-
taking maintaining a permanent presence in a Member State even if that permanent
presence does not amount to a branch or agency but consists only of an office man-
aged by a person who acts on behalf of that undertaking would count as
‘establishment’.76 Thus, the concept of establishment provides a relatively low
threshold. While a mere website or server would not count as establishment,77 a

70 K Hon and J Hörnle, ‘Which Law(s) Apply to Personal Data in Clouds?’ in C Millard (ed), Cloud
Computing (OUP 2013) ch 9, 220–53, 222.
71 Weltimmo (1 October 2015) (n 4) para 40.
72 Advocate General Pedro Cruz Villalon in his Opinion C-230/14 Weltimmo v Nemzeti refers to the case
law on freedom of establishment, permanent establishment for VAT purposes and the Rome and
Brussels Conventions, paras 29–30.
73 Regulation Recital 22; Case C-230/14 Weltimmo v Nemzeti (1 October 2015), paras 28, 30 and 41; Case
C-131/12 Google Spain & Google, para 48; Wirtschaftsakademie (24 October 2017) (n 4), para 88 and
Advocate General Bot in Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v
Wirtschaftsakademie Schleswig-Holstein GmbH (8 June 2018), para 54.
74 Case C-221/89 [1991] ECR I-3905, [1991] CMLR 589 (CJEU) 627; Case C-81/87 Daily Mail [1988]
ECR 5500, [1988] 3 CMLR 713 (CJEU) 716 (Advocate General Darmon).
75 C-55/94 Gebhard [1995] ECR I-4165 (CJEU) paras 25–26; Case 2/74 Reyners v Belgium [1974] ECR
631 (CJEU) para 21.
76 Case C-316/07 Markus Stob [2010] ECR I-8069 para 59.
77 See also E-commerce Directive 2000/31/EC, Recital 19.

continuing presence of a physical nature (office, staff, representative, etc) would be
sufficient. A data centre may well count as an establishment if it is run by the data
controller. Furthermore, the CJEU has held that the concept is a flexible one, par-
ticularly for Internet businesses, and that the concept of establishment must be inter-
preted in the light of the specific nature of the economic activities and the provision
of services concerned.78 Therefore, a subsidiary, branch or agent or a dedicated data
centre in the EU count as establishment, regardless of its legal form or whether it has
legal personality.79 In fact, the presence of a single business representative/agent on
the territory of a Member State may indeed count as establishment if the arrangement
has sufficient stability and the representative has the relevant business equipment for
specific services.80 In case C-230/2014 Weltimmo, the fact that the business represen-
tative of the Slovakian company was running two websites from Hungary, directed at
Hungarian customers, had opened a bank account and maintained a post box address
was held to be sufficient for the purposes of establishment.81 Against the wording
of the DPD, the CJEU (but not the Advocate General82) in Weltimmo makes much
of the fact that the websites were targeted at the Hungarian market, introducing
a targeting test (language of the website, context) not dissimilar to the test estab-
lished in Pammer & Alpenhof in the context of determining jurisdiction and the
law applicable to consumer contracts.83 However, in case C-191/15 Verein für
Konsumenteninformation v Amazon, the CJEU held that for the data protection law of
a Member State (in this case Austria) to apply, it is not sufficient that the business
(established with its EU headquarters in Luxembourg) directs its activities to that
Member State. For Article 4(1)(a) to apply, there must be a physical establishment,
at least a minimal one, exercised through stable arrangements.84 The accessibility of
a website is not sufficient to count as establishment.85

In the context of the activities of an establishment of the controller


The second factor, namely that the data processing must be carried out in the con-
text of an establishment of the controller, has given rise to more uncertainty.86 As a
starting point, the different language versions of the DPD used different terms:
‘context’ (English) but ‘framework’ (German and French versions).87 In an early
case concerning Google Italy, both Italian courts came to the conclusion that they
had jurisdiction based on Article 4(1)(a) DPD. The Google establishment in Italy,
namely the Italian-incorporated company Google Italy SRL, was held to perform
more than mere marketing or advertising functions, for example, it had responsibility

78 Weltimmo (1 October 2015) (n 4) para 29.
79 See also the discussion in K Hon (n 70) 2.1; Recital 19 DPD and 22 GDPR; Google Spain (n 11) para
48.
80 Weltimmo (1 October 2015) (n 4) para 30; see Weltimmo (25 June 2015) (n 9) para 33.
81 Weltimmo (1 October 2015) ibid, para 33.
82 Weltimmo (25 June 2015) (n 9) para 42.
83 Joined Cases C-585/08 and C-144/09 (2010) ECLI:EU:C:2010:740.
84 (2016) ECLI:EU:C:2016:612, para 75.
85 ibid, para 76.
86 D Svantesson, ‘Article 4(1)(a) “Establishment of the Controller” in EU Data Privacy Law—Time to Rein
in This Expanding Concept?’ (2016) 6(3) International Data Privacy Law 210, 210.
87 Hon (n 70) 220–53, 222.

for compliance with Italian data protection laws and was processing personal data, ul-
timately finding that the two entities (Google Inc and Google Italy SRL) were close-
ly linked.88
The meaning of this phrase has been clarified by the CJEU in a similar vein in
case C-131/12 Google Spain v AEPD/Mario Costeja Gonzalez in 2014.89 Most online
service providers, such as search engines and social media services, finance their con-
tent delivery activities through advertising. The relevant scenario is this: the main es-
tablishment (in the USA) is responsible for all aspects of the content but has one or
more agents/subsidiaries in an EU Member State (eg Spain) who is/are placing
advertisements locally but has/have no control over the online service. The question
that arises in this scenario is whether the data processing for the online service is in
the context of the activity of advertising. The CJEU in Google Spain tackled the ques-
tion whether EU data protection applied, given that the search engine activities of
Google are controlled by Google Inc, the parent company with its seat in the USA,
and Google Spain merely is responsible for placing advertisements and carrying out
other ancillary and supporting activities. Google Spain did not carry out in Spain any
activities directly linked to the indexing or storage of information contained on third
parties’ websites (ie the search function).90 The Court found that the advertising
activities were inextricably linked with the free search engine activities; in other
words, without the search engine activities carried out by Google, there would be no
advertising revenues: ‘since the activities relating to the advertising space constitute
the means of rendering the search engine at issue economically profitable and that
engine is, at the same time, the means enabling those activities to be performed’.91
The Court also pointed out that on the same search results page, there would be
results appearing on the basis of Google Inc search activities and commercially paid
for sponsored ads, which appear as a result of the activities of Google Spain, so the
search activities took place in the context of the commercial activities of advertising
without which the search could not be financed.92 The Court looked at the business
model of the data controller (in this case Google Inc) and the relationship and con-
nection between the EU establishment and the data controller. Therefore, the Court
found that Google Inc was indeed acting in the context of the advertising activities of
its subsidiaries (including Google Spain) and that Spanish data protection law and
the then EU Directive 1995/46/EC applied (and the same would apply to the
GDPR).93 This interpretation was clearly motivated by the need to protect funda-
mental rights in the EU.94 Thus, for ‘external’ conflicts (in this case with the USA),
the CJEU has interpreted the framework of activities widely in order to ensure the

88 Sentenza n 1972/2010, Tribunal of Milan and Sentenza 8611/12 del 21 December 2012, Corte di
Appello di Milano, discussed in Hon (n 70) 220–53, 223.
89 Google Spain (n 11).
90 ibid, para 46.
91 ibid, para 56.
92 ibid, para 57.
93 ibid, paras 55–60; see also Opinion of Advocate General Jääskinen of 25 June 2013; Case C-131/12
Google Spain (2013) ECLI:EU:C:2013:424, paras 64–67; see also Wirtschaftsakademie (5 June 2018) (n
4) para 64.
94 paras 53–54, see also O Lynskey, ‘Control over Personal Data in a Digital Age: Google Spain v AEPD
and Mario Costeja Gonzalez’ (2015) 78 The Modern Law Review 522, 526.

application of EU data protection law against non-EU data controllers with establish-
ments in the EU. The judgment is not limited to the specific business model of
search engines and will equally apply to other ‘free’ online services such as social
media services, which are financed by advertising.95
Before the entry into force of the GDPR, multiple national data protection laws
still applied, where the business activities at different EU places of establishment
were inextricably linked with data processing.96 The GDPR has now further
harmonized EU data protection law and, as a Regulation, is of course directly applic-
able, but differences between Member States’ practices in respect of data protection
law enforcement are likely to continue, and some differences in the law are likely to
persist. These differences mean that even after the GDPR is in force, there will be
some conflicts of law, and the question which data protection authority is competent
to apply its law will continue to be relevant.
A good example for internal conflicts of law and the application of the establish-
ment ground is the Amazon case. Amazon has its European headquarters in
Luxembourg but no other subsidiary or branches, for example, in Austria, and the
question arose whether Austrian data protection law applies to some of its selling
methods (under the DPD). The Opinion of Advocate General Henrik
Saugmandsgaard Øe pointed clearly in the direction of accepting the European head-
quarters as the most logical place to pinpoint the establishment to whom the data
processing should be allocated (in the sense of the ‘in the context of the activities’
test in Article 4(1)(a)).97 The Opinion states that it is unlikely that the data process-
ing in respect of credit reference checks of potential buyers paying invoices after de-
livery was carried out in the context of the activities of the customer services in
Austria (fulfilling orders, dealing with complaints about non-delivery and other after
sales matters) and that it is more likely that the processing was carried out in the
context of the activities of the ‘EU headquarters’ in Luxembourg. The Opinion there-
by (in my view correctly) indicates that an ‘internal’ conflict of law situation (finding
the most relevant EU establishment) is treated differently from an external conflict
of law situation, such as Google Spain, where there was no EU main establishment to
anchor conflicts of laws.98 Comparing Verein für Konsumenteninformation and Google
Spain, one could argue that stricter standards should be applied to external con-
flicts.99 However, the Court itself did not go into such detail and ultimately treated
the question of whether an establishment in Austria existed, and whether the activ-
ities were carried out in the context of that establishment as a matter of fact, for the
Austrian Court to decide.100
By contrast, the CJEU,101 following the Opinion of Advocate General Bot102 in
ULD v Wirtschaftsakademie, stated that Google Spain equally applied to ‘internal

95 Working Party (n 10) 5.
96 See Working Party (n 4) 8 and also Weltimmo (1 October 2015) (n 4) para 28.
97 Case C-191/15 Verein für Konsumenteninformation v Amazon (28 July 2016), paras 119, 121.
98 ibid, para 122–25.
99 Svantesson (n 86) 221.
100 R Bond, ‘VKI v Amazon: Governing Law’ [2016] Computers & Law 20.
101 Wirtschaftsakademie (8 June 2018) (n 73) para 52.
102 Wirtschaftsakademie (24 October 2017) (n 4).

conflicts’. This case, still under the DPD, concerned a German private college using
a Facebook fanpage as a marketing tool. A German data protection authority (ULD)
found the College in breach of its data protection obligations as users (those who
did not have a Facebook account) were not told about the tracking technology
employed by Facebook and the ULD ordered the College not to use Facebook. The
Court103 (and the Opinion of Advocate General Bot104) stated that Facebook Inc,
Facebook Ireland and the Wirtschaftsakademie were (joint) data controllers. Thus,
applying Google Spain, both Facebook and the Wirtschaftsakademie had relevant
establishments in Germany in accordance with Article 4(1)(a) DPD, so that German
data protection law could be applied, and hence the ULD was one of the competent
German data protection authorities and could apply and enforce its laws there.105
This was despite the fact that Facebook had its ‘main’ establishment in Ireland (the
data controller).106 The Court, therefore, effectively held that no distinction should
be made between ‘internal’ and ‘external’ conflicts of law.
By contrast, the German courts had previously held that for internal conflicts,
‘only’ the law of the ‘main establishment’ should apply. The German data protection
authority had held that Facebook’s ‘real names’ policy of blocking the accounts of
users who had registered using false personal data or pseudonyms was against
German data protection law, which provides a right to pseudonymous or anonymous
use.107 On Facebook’s appeal, the German court held (i) that the ‘contractual’ choice
of law between Facebook Ireland and German users did not affect whether German
data protection law did or did not apply, and (ii) based on German law and Article
4(1)(a) DPD, Irish, not German, data protection law applied, so the German author-
ity was not competent to issue its order. The activities of Facebook’s German subsid-
iary were limited to advertising and marketing, and no personal data of German
users were processed in the context of activities of the German establishment. While
the ‘result’ is another indication that internal conflicts of law should be treated differ-
ently than external conflicts, it is doubtful whether the ‘reasoning’ of the German
court is compatible with the later case of Google Spain. These German cases108
predated Google Spain.
Summarizing the position on external and internal conflicts, it seems clear that for
external conflicts, as in Google Spain, the establishment link in Article 4(1)(a) DPD is
interpreted widely, in such a way that the local EU data protection authority is com-
petent to apply its law if there is a sufficiently close link between the activities of the

103 Wirtschaftsakademie (8 June 2018) (n 73), paras 42–44.
104 ibid, paras 42–52.
105 Advocate General Opinion, para 111; Judgment, paras 52 and 62.
106 Advocate General Opinion, paras 96–97, 125; Judgment, paras 62–64.
107 Telemediengesetz, Para 13 (6).
108 Facebook Ireland, Facebook Inc v Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, Az 8B
60/12, Judgment of 14 February 2013 (case against Facebook Ireland) and Az B8 61/12, Judgment of
14 February 2013 (case against Facebook Inc) <https://www.datenschutzzentrum.de/facebook/
Facebook-Inc-vs-ULD-Beschluss.pdf> accessed 3 March 2019 and <https://www.datenschutzzentrum.
de/facebook/Facebook-Ireland-vs-ULD-Beschluss.pdf> accessed 3 March 2019. These judgments have
been confirmed on appeal to the Administrative Appeal Court of Schleswig-Holstein on 24 April 2013,
Az 4 MB 10/13, 4 MB 11/13, <https://www.datenschutzzentrum.de/artikel/743-OVG-Schleswig-
Holstein-Fuer-Facebook-gilt-kein-deutsches-Datenschutzrecht.html#extended> accessed 3 March 2019.

local establishment and those of the non-EU data controller. The Court did not
need to address the issue of internal conflicts in Amazon (there was no clear local
establishment of Amazon in Austria). However, as discussed in this section,
in Wirtschaftsakademie, the Advocate General and then the Court adopted the same
wide interpretation and application of local national law for ‘internal’ conflicts. As
has been argued earlier, as a matter of policy, this is the wrong approach in the opinion
of the author.109 However, this problem of ‘internal conflicts of law’ has been
lessened by the GDPR, as this now only refers to EU law (on the basis that data
protection law is now (almost) fully harmonized), and as far as regulatory competence is
concerned, the GDPR has adopted a procedure to coordinate regulatory responses.
Furthermore, the GDPR contains a number of specific rules setting out the compe-
tences of the data protection authorities, which are wider than establishment in
Article 4(1)(a) DPD.

Equipment as a territorial link


Furthermore, a Member State’s data protection law used to be applicable under
Article 4(1)(c) if the data controller is not established on EU territory but makes use
of equipment or means for the purpose of data processing in the Member State con-
cerned. The question of what amounts to equipment had been controversial110—in
particular, the question whether cookies or executable code (such as Dynamic Java
Script) downloaded on an EU user’s computer while interacting with a non-EU web-
site could constitute ‘equipment’, thereby triggering the application of EU data pro-
tection law.111 The problem with data in networked and cloud computing
environments is that such data is intangible, mobile or even volatile, which may
make it difficult or impossible to determine its geographical location and, therefore,
the jurisdictional link to a territory.112 Thus, the location of data or data processing
is an unsuitable connecting factor, and the ‘equipment ground’ has been abandoned
in the GDPR and is no longer relevant.

Domain names as a jurisdictional link?


After the Google Spain judgment, search engines were obliged to implement the rul-
ing by providing for a policy dealing with the removal of search result links on

109 See the reasons given in section “Introduction” above.


110 C Kuner, ‘Data Protection and International Jurisdiction on the Internet Part II’ (2010) 18(3)
International Journal of Law and Information Technology 227, 242.
111 art 29 Working Party Opinions WP 148, 163 and 179; see further Hon (n 70) 227, 230.
112 V Krishnamurthy, ‘Cloudy with a Conflict of Laws’ Berkman Research Publication 2016-3, describing
how multinational cloud service providers operate and data sharding, 4; J Daskal, ‘The Unterritoriality
of Data’ (2015) 125 Yale Law Journal 326, 329 and 365; D Svantesson, Extraterritoriality in Data Privacy
Law (ExTuto Publishing 2013) 46–50, identifying seven factors: large data collections, interconnectivity
between networks, the border-disregarding nature of the Internet, the ease of data distribution, the diffi-
culty of data deletion, the ease of data searches and the security difficulties; WK Hon and C Millard,
‘Cloud Technologies and Services’ in C Millard (ed), Cloud Computing Law (Oxford University Press
2013) 1–18; for the opposite view, ie that data in the cloud is not conceptually different, see AK Woods,
‘Against Data Exceptionalism’ (2016) 68(4) Stanford Law Review 729, 734–35, 763.

notification. One of the crucial questions in this respect was the territorial scope of
such removals and in particular the question whether the obligation only relates to
the country code domain name of the complainant’s Member State concerned (for
example, google.es)113 or whether the takedown also applies to the .com domain.
Initially, Google limited the removal of links to the country code subdomains of EU
Member States and refused to implement the policy in relation to google.com. In
other words, a user resident in France who searched under a person’s name on
google.fr would be informed that some search results may be blocked and could then
find the search result unblocked on google.com.
The French data protection authority, Commission Nationale de l’Informatique
et des Libertés (CNIL), threatened to fine Google in September 2015 after having
formally decided that Google had only partially complied.114 The Article 29 Working
Party also stated in its Guidelines that ‘limiting de-listing to EU domains on the
grounds that users tend to access search engines via their national domains cannot
be considered a sufficient means to satisfactorily guarantee the rights of data subjects
according to the judgment (. . .) de-listing should also be effective on all relevant
domains, including .com’.115
Google amended its policy in February 2016. If it finds a delisting request justified
under EU law, it will remove the search result from all EU country code subdomains,
and using geolocation tools to identify the IP address of the browser of the search
engine user, it will remove search results accessed from the relevant EU Member
State on google.com but will leave google.com unaltered for users outside that par-
ticular EU Member State.116 This change acknowledges that the country code do-
main name is not the only appropriate territorial link to the EU, considering that
.com is in fact used by users across the EU. However, even the amended policy does
not apply EU law to all users accessing google.com from the EU, as it only delists
results on google.com if google.com is accessed from the particular Member State
from which the request originates, not from any other Member State.117 For ex-
ample, if an Irish resident wants a link to inaccurate information delisted, it will be
removed from google.com search results accessed from Ireland but would still be
available for google.com users in Germany (so effectively, the implementation does
not cover the whole of the EU territory).

113 The Spanish data protection authorities, which had to deal with hundreds of delisting requests before
and after the Google Spain case, did not stipulate in their orders whether delisting only in the country
code domain is sufficient compliance: M Peguera, ‘In the Aftermath of Google Spain: How the “Right
to Be Forgotten” Is Being Shaped in Spain by the Courts and the Data Protection Authority’ (2015)
23(4) International Journal of Law and Information Technology 325, 329.
114 <https://www.theguardian.com/technology/2015/sep/21/french-google-right-to-be-forgotten-appeal>
accessed 3 March 2019.
115 art 29 Working Party WP 225 Guidelines on the Implementation of the CJEU Judgment on Google
Spain of 26 November 2014 <http://ec.europa.eu/justice/data-protection/article-29/documentation/
opinion-recommendation/files/2014/wp225_en.pdf> accessed 3 March 2019, 3 and 9.
116 <https://www.google.com/transparencyreport/removals/europeprivacy/faq/?hl=en#how_does_googles_process>
accessed 3 March 2019.
117 <https://www.cnil.fr/fr/infographie-portee-du-dereferencement-de-mplaignant-applique-par-google>
accessed 3 March 2019.

A residency requirement as a further requirement before EU data protection law applies?

If EU data protection law applies to a particular act of data processing, the question
arises whether EU data protection law only applies to the personal data of EU residents
or persons present in the EU, ie persons who are located in the EU (at the
time of processing). In theory, this could be a further limiting requirement and terri-
torial link to prevent extraterritorial overreach but was not included in the DPD or
GDPR. The Guidelines of the Article 29 Working Party indicate that, in practice,
data protection authorities in the EU will only take action if there is a clear link with
the EU (such as EU residency): ‘Under EU law, everyone has a right to data protec-
tion. In practice, DPAs118 will focus on claims where there is a clear link between the
data subject and the EU, for instance where the data subject is a citizen or resident
of an EU Member State.’119 This Guidance, however, assumes that it is always pos-
sible to make a clear distinction between the data of EU residents and those of non-
EU residents. As has been discussed earlier, Google found a solution by using
geolocation blocking based on the IP address of the search engine user at the point
of access (focusing on presence). However, such a neat solution may or may not be
available in all scenarios. For example, if a US data controller uses a data centre in
the EU for data storage, this data centre may well count as an establishment under
Article 4(1)(a), especially if the data processing (controlled from the USA) may indeed
be inextricably linked to the data centre in the EU, in the sense that there would be
no need for a data centre without the data processing operations. But the data may
well relate to both EU and non-EU residents, and it may be difficult for the US data
controller to distinguish between the two. In practice, this may mean that US data
controllers may be reluctant to use EU data centres, or conversely, it may give them
a competitive advantage to comply with higher EU data protection standards.

Targeting link in the regulation


The GDPR introduces a new ground for providing a link between EU data protec-
tion law and the processing of personal data in Article 3(2). The GDPR applies to
the processing of personal data of persons who are physically in the EU (if the data
controller/processor is not established in the EU) if at least one of two conditions is
fulfilled: (i) the processing is related to the offering of goods or services to such per-
sons in the EU120 or (ii) the processing relates to the monitoring of these persons’
behaviour in the EU (such as online tracking and online profiling).121

118 On appeal, the Spanish Data Protection authority refused to delist a Google search result against a com-
plainant’s name on the basis that the complainant was a citizen and resident of Chile and his personal
and business interests were located in that country: AEPD decision of 20 March 2014 (TD-01094-
2014). By contrast, it did allow the delisting in a case where a Colombian citizen requested removal of a
link showing a students’ admission list to a Colombian university, on the basis that the complainant was
a resident in Spain and had a permanent residence card, thus real links with Spain: AEPD decision of 31
March 2015 (TD-01848-2014). See Peguera (n 113) 341.
119 Working Party (n 4) 3 and 8.
120 Irrespective of whether the data subject has to pay (money), ie this provision applies to ‘free’ services
that are paid by advertisers, such as search engines, price comparison and social media.
121 Recital 24 GDPR.

This link is based on the concept of targeting, ie here the minimum contacts with
the EU are established by business contacts. For the GDPR to apply, the data
controller (or processor) must envisage offering their services to and/or profiling persons
in the EU.122 As the Recitals make clear, mere accessibility of a website is not sufficient
for this purpose nor is the fact that a website is soliciting enquiries by providing
contact details. Moreover, the fact that the website is in a language spoken in a
Member State if the data controller is established in a non-EU state in which this lan-
guage is also spoken (eg Portuguese in Brazil) is irrelevant (at least as a single fac-
tor).123 The targeting test is likely to involve several factors, including language,
currency, contextual information (such as tax), endorsements or customer ratings
from persons in the EU, etc.124
Of interest here is the concept of ‘being in the EU’ as this is a much looser terri-
torial link compared to residency. However, as just discussed in relation to Google
Spain in the online world, it is easier to establish a person’s location at the time of
the Internet connection (through geolocation technologies mapping IP addresses
and such) than determining a person’s habitual residence (especially if there is no
card payment). Clearly not everyone’s IP address can be accurately mapped to that
person’s location as he or she may access the Internet using proxy servers or virtual
private networks. But such geolocation mapping may be the closest approximation
there can be to solving data protection conflicts of law.
Furthermore, the wording of the article (‘offering’) suggests that EU data protec-
tion law may apply even before there is a contract between the parties, including the
processing of personal data for advertising purposes or for the purposes of service
improvement or security (and online tracking is expressly mentioned in Article
3(2)(b)). The online tracking link makes EU data protection law applicable when-
ever personal data is processed for the purpose of monitoring of behaviour in the
EU. This includes online tracking by way of cookies, flash cookies, digital fingerprint-
ing and associated technologies and the subsequent profiling activities, no matter for
what purpose these tracking activities are carried out (targeted marketing, security,
user convenience, national security, taking decisions (credit risk, insurance risks and
employment context)).125 The limiting factor here for the application of the GDPR
is the complex legal question whether the tracking/profiling includes ‘personal’
data.126
If it does include the processing of personal data, the data controller must appoint
an EU representative in one of the targeted Member States as a liaison point unless
the processing is only occasional and does not include sensitive data on a large scale
and ‘is unlikely to result in a risk to the rights and freedoms’ of individuals.127 How
workable the application of EU data protection law to online profiling activities will
be remains to be seen. Real practical enforcement issues arise where the controller or
processor has no establishment in the EU.

122 Recital 23 GDPR.


123 Recital 23 GDPR.
124 ibid; see also Pammer (n 83).
125 Recital 24 GDPR.
126 Not further discussed here.
127 art 27 GDPR.

Application of EU law/Member States’ law by virtue of public international law

Of less practical relevance, but for the sake of completeness, it should be mentioned
that the third ground for applying EU data protection law is that the data controller
is established ‘in a place where Member State law applies by virtue of public inter-
national law’.128 This refers to places such as foreign embassies129 and ships and air-
craft where the law of the place where that ship or aircraft is registered and whose
flag it flies applies. Google has obtained a US patent for floating data centres on the
High Seas, using seawater to generate power and cool equipment.130 So, in future,
such data centres may be deployed, using flags of convenience for data protection
law purposes, thus avoiding the application of the obligations under the GDPR.131

GENERAL PRINCIPLES
The discussion in this section places the rules on regulatory jurisdiction and applic-
able law in the area of data protection in the wider context of the jurisdiction princi-
ples under international law.132 However, the general principles of jurisdiction under
international law, although ultimately imposing the outer limit of states asserting
regulatory competence vis-à-vis other states,133 are in practice highly malleable rules
and as long as there is a strong nexus between the situation to be regulated and a
state’s territorial sovereignty, they are unlikely to be a real barrier to the assumption
of regulatory jurisdiction.134
The most relevant international law principles in the data protection context are:
the territoriality principle (states governing matters occurring on their territory)135
or the effects doctrine (jurisdiction based on foreseeable effects within the terri-
tory)136 or the protective principle (states being obliged to protect citizens/persons
present or resident on their territory)137 or the ‘country of origin’ principle138 or,

128 art 4(1)(b) DPD and art 3(3) GDPR.


129 Recital 25 GDPR.
130 L Dignan, ‘Google Wins Floating Data Center Patent’ (Between the Lines, ZDNet 2009) <http://www.
zdnet.com/blog/btl/google-wins-floating-data-center-patent/17266> accessed 3 March 2019.
131 Although other factors may influence server location, for example, tax. For a discussion, see SR
Swanson, ‘Google Sets Sail: Ocean-Based Server Farms and International Law’ (2011) 43(3) University
of Connecticut Law Review 709, 739 (analogy of pirate radio stations), 745 and 749 outlining the im-
portance of the freedom of the High Seas.
132 For lack of space, these are not discussed here in detail, but readers may refer to Crawford (n 12) ch 21
and 457–65 and Ryngaert (n 63) 49–144.
133 It is not clear whether public international law makes inadmissible principles of jurisdiction that are not
generally well-recognized: Council of Europe, European Committee on Crime Problems, Extraterritorial
Criminal Jurisdiction (European Committee on Crime Problems 1990) 25–26.
134 Ryngaert (n 63) 19.
135 Crawford (n 12) 458.
136 U Kohl, Jurisdiction and the Internet (CUP 2007) 91–96.
137 Crawford (n 12) 462.
138 J Hörnle, ‘Country of Origin Regulation in Cross-Border Media: One Step Beyond the Freedom to
Provide Services?’ (2005) 54 International Comparative Law Quarterly 89, 90–91.

finally, the targeting principle,139 first developed in the Internet context.140 As will be
shown further, these principles are not mutually exclusive and do overlap.

The territoriality principle and the effects test


Essentially, before applying their law, states have to find a suitable connecting factor
to their territory.141 It is this link to the territory that makes the exercise of state au-
thority legitimate vis-à-vis other states.142 The connecting factor can relate to the
place where the subject in a criminal or regulatory case is acting (subjective territori-
ality principle) or to the place where the object or any constituent element of the
subject matter to be regulated is located (objective territoriality principle).143 The
territoriality principle is inherently wide and allows states to assume jurisdiction
widely, based on a whole array of connecting factors, depending on the elements set
out in ‘national’ law (or EU law in the case of data protection). Since these connecting
factors as such are not limited by international law, the territoriality principle
does not provide a litmus test for jurisdiction—arguably, the connecting factors dis-
cussed earlier144 contained in Article 4 of the DPD and Article 3 of the GDPR would
easily fall within the territoriality principle: establishment,145 equipment146 and data
processing on ships and aircraft147 are obvious connecting factors to tangible, physic-
al elements situated on territory. More problematic in this respect is the new target-
ing test established in Article 3(2) of the GDPR,148 which provides as connecting
factors the activity of offering goods or services to data subjects in the EU and the
monitoring of the behaviour of data subjects in the EU. Under the lens of the terri-
toriality principle, this could be categorized as an example of the effects test,149 which
originated from competition law150 and allows states to assume jurisdiction where
the regulated conduct produces significant and demonstrable negative effects on
their territory/market, which need to be counteracted in order to protect their citi-
zens and residents. As such, it is closely aligned to the protective principle and the
country of destination approach, examined in the next section. But, importantly for

139 DJB Svantesson, ‘Extraterritoriality and Targeting in EU Data Privacy Law: The Weak Spot
Undermining the Regulation’ (2015) 5(4) International Data Privacy Law 226.
140 See, for example, M Geist, ‘Is There a There There? Towards Greater Certainty for Internet
Jurisdiction’ (2001) 16 Berkeley Technology Law Journal 1345.
141 C Reed, Internet Law (2nd edn, CUP 2004) 218–19.
142 Kohl (n 136) 89, fn 169.
143 Crawford (n 12) 458–59, fn 168.
144 Section ‘Rules on applicable law’.
145 Section ‘Establishment link in the directive and the regulation’.
146 Section ‘Equipment as a territorial link’.
147 Section ‘Application of EU law/Member States’ law by virtue of public international law’.
148 See discussion in section ‘Targeting link in the regulation’.
149 First formulated as such in the criminal (shipping) case before the Permanent Court of International
Justice, The Case of SS ‘Lotus’ (Permanent Court of International Justice 1927) PCIJ Reports, Series A
No 10: territorial jurisdiction is proper ‘if one of the constituent elements of the offence, and more espe-
cially its effects, have taken place there’ (p 23).
150 See, for example, Case C-89/85 A Ahlstrom Osakeyhtio v Commission of the European Communities
[1988] ECR 5193 (Wood Pulp); Case T-102/96 Gencor Ltd v Commission of the European Communities
[1999] ECR II-753; Case T-286/09 Intel Corp v European Commission (2014) EU:T:2014:547; [2014]
5 CMLR 9 and United States v Aluminium Co of America 149 F2d 416, 443 (2nd Cir 1945).

this section, the effects test is also closely related to the objective territoriality prin-
ciple since for that principle, it is sufficient that one constituent element of the sub-
ject matter to be regulated is within the territory.151 Since the (EU or national)
legislator determines and defines what are the constituent elements of the conduct
to be regulated, this leaves wide scope to bring the effects of conduct within the territoriality
principle. Thus, arguably, protective laws such as data protection or consumer
protection laws that aim at preventing harmful effects of conduct targeted to
citizens or residents on a particular territory or market easily fall within the objective
territoriality principle. Thus, arguably, Article 3(2) of the GDPR falls within the ob-
jective territoriality principle in that it regulates the objects of conduct (offering of
goods or services or monitoring of behaviour) within the territory of the EU. For
those arguing that Internet jurisdiction should be limited to avoid conflicts of juris-
diction, the territoriality principle, therefore, does not offer a convincing argument to
limit jurisdiction.152 However, the territoriality principle has been supplemented by
other jurisdictional principles,153 which are beginning to crystallize in the Internet
regulatory context and, to the extent that they are relevant, are discussed in the fol-
lowing sections.

The protective principle under international law


The protective principle is another recognized principle for jurisdiction under inter-
national law. It has had a restricted application limited to the fundamental interests
of a state jeopardizing its sovereignty or political independence (such as protecting
its currency, protecting against treason, fundamental national security interests).154
Any expansion of the protective principle increases jurisdictional uncertainty and
opens up abuse of the principle for political interests.155 By the same token, the cate-
gories of what may be considered to be a fundamental interest of the state are also
not closed, and states argue that grave injuries of fundamental interests may fall
under it.156
In respect of data protection, it may be argued that the fact that the EU has ele-
vated data protection from a mere secondary law principle (ie Directive 95/46/EC)
to a fundamental right (Primary/Treaty law) in Article 8 of the Charter157 is evi-
dence that, for EU Member States, data protection law is a central concern of public
policy, for which the protective principle may be claimed.158
The referring Court in case C-131/12 Google Spain asked the CJEU whether, if
none of the specific territorial links mentioned in Article 4(1) of the DPD159 applied,

151 Kohl (n 136) 90–94, fn 169.


152 Kohl (n 136) 104, fn 169.
153 Svantesson (n 139) 226–28, fn 172 arguing that the distinction between territoriality and extraterritoriality
is not helpful.
154 Ryngaert (n 63) 114–19; Crawford (n 12) 462.
155 ibid.
156 ibid.
157 Charter of Fundamental Rights of the EU published in OJ C364/1 of 18 December 2000.
158 Max Schrems (n 26); J Hörnle, ‘The EU-US Safe Harbour Decision Is Dead. Long Live its Successor?’
(SCL, 2015) <http://www.scl.org/site.aspx?i=ed44927> accessed 3 March 2019; see also O Lynskey,
The Foundations of EU Data Protection Law (OUP 2015) 56.
159 Discussed in section ‘Rules on applicable law’.

EU data protection law may nevertheless apply to protect the fundamental right of
data protection in Article 8 of the Charter of Fundamental Rights160 if the centre of
gravity of the dispute is located in a Member State. This would have been an asser-
tion of applying EU law in order to protect fundamental rights of the EU outside the
express jurisdictional rules contained in secondary legislation. The CJEU did not answer
the question as it found jurisdiction based on the Article 4(1)(a) link. Advocate
General Jääskinen found in his Opinion that the interpretation of the DPD in ac-
cordance with the Charter could not add any new jurisdictional grounds that might
give rise to the territorial applicability of the national legislation implementing the
DPD and that, therefore, the geographical centre of gravity of the dispute is irrele-
vant for the applicable data protection law161 (but would be relevant for the jurisdic-
tion of the courts in privacy related civil tort actions162). This was based on the
principle that the Charter did not extend the field of application of EU law.163
Based on this principle, it is extremely unlikely that the protective principle under
international law could be used ‘on its own’ to expand the jurisdictional reach of EU
data protection law despite its incorporation into the canon of fundamental rights in
the Charter. In the opinion of this author, this is correct as the rules contained in sec-
ondary legislation provide the ‘lex specialis’ for regulatory jurisdiction in data protec-
tion cases.
However, as to the question to what extent the jurisdictional grounds laid down
in EU secondary legislation, namely Article 4 of the DPD and Article 3 of the
GDPR, are ‘themselves’ justified by international law, the use of the protective principle,
as a well-established principle, may be helpful. Even if the targeting approach
under Article 3(2) of the GDPR could not be justified under the ‘territoriality’
principle,164 it would certainly fall under the protective principle, as data protection
is now a fundamental human rights interest. The ‘protective’ nature of that provision
is also indicated in Recital 23 of the GDPR: ‘in order to ensure that natural persons
are not deprived of the protection to which they are entitled under this Regulation,
the processing of personal data of data subjects who are in the Union by a controller
or a processor not established in the Union should be subject to this Regulation
where the processing activities are related to the offering of goods or services to such
data subjects (. . .)’.

The ‘country of origin’ regulation principle


Country of origin regulation is an emanation of international jurisdiction based on
establishment165 or the presence of physical business equipment or assets in a

160 Charter of Fundamental Rights of the EU published in OJ C364/1 of 18 December 2000.


161 Opinion of Advocate General Jääskinen, paras 54–59.
162 The ‘centre of gravity’ test was applied by the CJEU to determine the jurisdiction of the civil courts in
privacy-related tort cases in Joined Cases C-509/09 and C-161/10 e-Date Advertising and Martinez
[2011] ECR I-10269.
163 art 51(2) of the Charter: ‘The Charter does not extend the field of application of Union law beyond the
powers of the Union’, para 54.
164 It is argued in section ‘The territoriality principle and the effects test’ that it falls under the territoriality
principle.
165 arts 7(5) and 17(2).

jurisdiction.166 In cross-border business regulation, more generally, principles have
been established to deal with the mobility and potential remoteness of business in
determining the competent state to regulate. In the EU context, one principle for
regulatory competence in media and Internet regulation is the place of establishment
of the business. This gives the state of the place where the business is established
exclusive regulatory jurisdiction; this is sometimes called the ‘country of origin’.167 So,
for example, in the E-commerce Directive,168 Article 3(1) mandates for information
society services within the coordinated field169 regulatory compliance with the law in
the country where the service provider is established. Article 3(2) consequently pro-
vides that Member States other than the country of origin must not apply their laws
and regulate the service provider in such a way that its freedom to provide services is
restricted.170 This is an example of a wider trend of media regulation in the EU,
which as part of the establishment of an Internal Market, especially for services that
can be delivered electronically, adopts a twin strategy of ‘country of origin’ regulation
and law approximation, the latter in turn enabling the mutual recognition on which
‘country of origin’ regulation relies.171 While the ‘country of origin’ principle for in-
formation society services does not apply to data protection matters,172 it is used
here as an illustration of a more general trend in media regulation of business con-
duct and advertising. The rules on establishment in the DPD and the GDPR173 are
an example of the ‘country of origin’ approach.

The ‘country of destination’ regulation principle, consumer protection law and the targeting principle

The ‘country of destination’ regulation is the opposite to ‘country of origin’ regula-
tion as a principle for cross-border business regulation. The principle establishes the
concept that the regulators of the place where consumer goods or services are con-
sumed should be competent and the law of that country should apply to protect con-
sumers. An example of this ‘country of destination’ principle is the exception in
respect of consumer protection in Annex I of the E-commerce Directive. However, a

166 UK Gambling Act 2005, s 26(3) (in its original version); para 23 of the German Civil Procedure Rules
allowing personal jurisdiction to be exercised over a non-resident defendant if that defendant has sub-
stantial assets in the jurisdiction.
167 art 3 E-commerce Directive 2000/31/EC of 8 June 2000 on certain legal aspects of information society
services, in particular electronic commerce (2000) OJ L178/1C; art 3 Directive 2010/13/EU of 10
March 2010 on the coordination of certain provisions laid down by law, regulation or administrative ac-
tion in Member States concerning the provision of audiovisual media services (Audiovisual Media
Services Directive) (2010) OJ L95/1.
168 fn 181.
169 art 2(h): requirements regarding the taking up of the activity in question, such as licencing, qualifica-
tions, notification and authorization requirements and requirements concerning the pursuit of the activ-
ity such as conduct, quality of content of the information society service, advertising and contractual
requirements and liability. However, not coordinated are requirements concerning goods, the delivery
of goods or rules on services not provided by electronic means.
170 Subject to the exceptions in the Annexes and the possibility to derogate in art 3(4).
171 See further Hörnle fn 138.
172 art 1 (5)(b) E-commerce Directive.
173 Section ‘Establishment link in the directive and the regulation’.

pure ‘country of destination’ approach is rarely found in regulatory jurisdiction. A
more common approach is that of ‘targeting’ or ‘directing’, which focuses on the
question whether the business actively and foreseeably directs its activities to the
consumers’ jurisdiction.174 Examples of this are the special rules on consumer
jurisdiction and the law applicable to consumer contracts in the harmonized private
international law rules of the EU.175 The ‘targeting’ principle originated from US
conflict of law rules, especially as applied in media and Internet cases,176 and has
been applied subsequently in the regulatory context.177
As has been pointed out earlier,178 Article 3(2) can be explained as a version of
the ‘targeting approach’ now incorporated in the GDPR. It becomes clear from the
wording of Recital 23 (‘envisages’) that the provision only applies if the business
intends or foresees that EU residents would take up the offer.179
However, whether a ‘country of origin’ or the ‘country of destination’ principle is
applied to data protection regulation, it is important to consider not only the as-
sumption of jurisdiction by states but also the practicalities and realities of
enforcement. Two points can be made here: first, ‘country of origin’ regulation may
work among a homogenous group of states with similar laws, which after having
approximated their laws, share a degree of trust and mutual recognition, but it cannot
work among heterogeneous states with differing legal standards and regulatory
approaches that preclude mutual recognition. Secondly, no matter which law is
applied, effective enforcement can only be achieved if Member States cooperate in
enforcement, as the state where data subjects suffer detriment may differ from the
state where penalties can be enforced, as enforcement requires some sort of presence
and/or assets against which penalties can be enforced.

CONCLUSION
From a ‘protective’ point of view, external conflicts are more significant since the law
on data protection has now been very closely approximated by the GDPR, so that
similar standards exist within the EU, and the real differences in standards are only
laid bare in external conflicts of law with (some) non-EU Member States. For this
reason, it has been argued that Member States should recognize the place of the
main EU establishment as the place of jurisdiction and applicable law. Unfortunately,
the jurisprudence of the CJEU (based on the DPD) is not clear on this point and

174 Pammer (n 83).
175 art 6 Rome I Regulation 593/2008/EU and arts 17 and 18 Brussels I Regulation (Recast) 215/2012/
EU or in relation to competition law (place where the competitive relations or collective interests of
consumers are affected) art 6 (1) Rome II Regulation EC/864/2007.
176 Geist (n 140) fn 176; see also M Sableman and M Nepple ‘Will the Zippo Sliding Scale for Internet
Jurisdiction Slide into Oblivion?’ (2016) 20(1) Journal of Internet Law 3, 4; Calder v Jones (1984) 465
US 783, 104 SCt 1482.
177 For example, Gambling Act 2005, s 36(3A) introduced by the Gambling (Licensing and Advertising)
Act 2014 and the Financial Services and Markets Act 2000, s 21(3).
178 Section ‘Targeting link in the regulation’.
179 See also in Recital 23: ‘whereas the mere accessibility of the controller’s, processor’s or an intermediary’s
website in the Union, of an email address or of other contact details, or the use of a language generally
used in the third country where the controller is established, is insufficient’.

even the GDPR has left open the multi-jurisdictional approach of the DPD even
though the GDPR imposes a clearer duty on Member States to cooperate.
Nevertheless, now that the GDPR is in force, EU law does not fully recognize
internal conflicts of laws between the Member States, as legally, the Regulation
proceeds on the basis that it fully harmonizes data protection law, even though the
GDPR itself recognizes a number of derogations, where Member States may
maintain different rules. As far as external conflicts are concerned, they will be represented
as conflicts between EU law and the third country law for the first time. Therefore,
jurisdictional competence will become more important than applicable law for in-
ternal conflicts, whereas for external conflicts, the question of whether the GDPR
applies in the first place is more important for the outcome and the shaping of legal
obligations.
Finally, comparing the interpretation of the existing DPD in internal and external
cases, in the external conflict in Google Spain, the CJEU bent over backwards to
interpret the phrase ‘in the context of the activities of the establishment’ expansively.
The CJEU should apply a different jurisdictional test if the conflict is between two
Member States (say Ireland and Germany) and recognize the existence of a main
EU establishment. However, as we have seen in Wirtschaftsakademie, the CJEU has
adopted the same approach and found that the German data protection authority
was competent to apply German data protection law on the same principles as in
Google Spain.
It is argued here that, for internal conflicts of law, EU Member States should rec-
ognize the jurisdiction of the Member State of the main establishment and refrain
from exercising their jurisdiction and applying their national data protection rules, so
as to avoid multiple national laws applying, thereby fragmenting the effectiveness of
data protection law. Since the fundamental right to data protection in the EU
Charter of Fundamental Rights applies everywhere in the EU, Member States should
be prepared to trust each other’s standard of regulation, at least as far as any jurisdic-
tional rules are concerned. Any differences in approaches to data protection law
should not be dealt with through the mechanism of jurisdiction but through the
coordination mechanism envisaged in the GDPR.
With the GDPR now in force, the lead authority is in fact the data protection au-
thority at the controller’s main establishment in the EU, and while other data protec-
tion authorities may make decisions concerning the processing of local data subjects’
personal data, this has to be coordinated within the procedures established by the
GDPR. So for internal conflicts, the GDPR establishes one set of EU law (with slight
national variations) and a lead data protection authority.
More generally, in terms of justifying jurisdiction based on connecting factors to
the territory, it has been shown that the DPD had used a number of different links
to the territory. The advantage of the establishment connecting factor is that it is a
recognized link for justifying business regulation (‘country of origin regulation’) and
that the location of the actual data processing is irrelevant. But as has been discussed,
it has been difficult to decide in what circumstances the processing takes place in the
context of the activities of the establishment. This ground of jurisdiction continues
to exist in Article 3 of the GDPR.
Finally, the DPD contained an equipment ground, which had given rise to contro-
versy over how physical this equipment has to be (for example, whether a cookie
constituted ‘equipment’). Thankfully, the new GDPR has scrapped the equipment
ground and relies instead on a targeting test, so that EU data protection law applies
if persons in the EU have been targeted for the collection of personal data (or other
data processing). This test relates more to the targeting principle used in business
regulation, where a state uses its regulatory law to protect citizens from harm and is
also used in other consumer protection cases or competition law cases. Therefore,
arguably, the jurisdictional tests in the Regulation are clearer for the digital age, although
how workable the profiling jurisdictional link turns out to be, in terms of practical
enforcement, is another question.
Furthermore, as we have seen in this article, although the rules on applicable law
and jurisdiction are conceptually separate, they are also related, especially in the
sphere of public (administrative) law, including data protection. Since a public au-
thority normally ‘only’ applies its own law, the rules of applicable law in Article 4
DPD automatically determined the authority that was fully competent to enforce the
law. Although Article 28(6) of the DPD indicated that data protection authorities
may apply the law of another EU Member State, the CJEU has clarified that this
applied only to the initial power of examining complaints, powers of investigation
and mutual cooperation but ‘not to law enforcement’ powers such as sanctions and
fines. The CJEU thereby has recognized the territorial sovereignty of the Member
States in respect of enforcement powers for internal and external conflicts alike. This
limitation of enforcement powers to the territory of the Member State will remain in
place even after the GDPR.
But the improvement the GDPR has introduced, as discussed in this article, is
that there are clearer lines of which authority is competent internally to act. This is
achieved by imposing greater and stricter obligations on data protection authorities
to cooperate and coordinate their activities in the shape of the consistency mechan-
ism and an override mechanism for the lead data protection authority and ultimate
decision by the European Data Protection Board. However, the goal of a ‘one-stop-
shop’ has not been fully achieved, as the coordination procedure may well prove to
be slow and cumbersome in practice, so there will be a ‘shop’, but it potentially has
several stops. It is disappointing that the Member States were not able to agree on
giving up more of their own powers and confer greater decision-making powers on a
fully operational European Data Protection Authority.
Returning to the puzzle raised at the beginning of this article about the loss of
sovereignty, arguably, the changes in the Regulation will lead to a levelling out of the
data protection standards ‘within the EU’ so that Member States will have less sover-
eignty in respect of these protective standards. But it will also mean that Member
States as a group will be able to more effectively protect these standards vis-à-vis the
rest of the world. This is not just good news for those believing in data protection
and privacy as fundamental values, but it also enhances national sovereignty (even if
this national sovereignty is based on an EU compromise and embedded within EU
institutions) ‘globally’. Arguably, therefore, overall, in this interconnected, globalized
world, sovereignty (with respect to data protection) is enhanced.
