Jump to ContentJump to Main Navigation
EU Law Beyond EU BordersThe Extraterritorial Reach of EU Law$

Marise Cremona and Joanne Scott

Print publication date: 2019

Print ISBN-13: 9780198842170

Published to Oxford Scholarship Online: June 2019

DOI: 10.1093/oso/9780198842170.001.0001

Show Summary Details
Page of

PRINTED FROM OXFORD SCHOLARSHIP ONLINE (oxford.universitypressscholarship.com). (c) Copyright Oxford University Press, 2021. All Rights Reserved. An individual user may print out a PDF of a single chapter of a monograph in OSO for personal use. date: 12 April 2021

The Internet and the Global Reach of EU Law

The Internet and the Global Reach of EU Law

(p.112) 3 The Internet and the Global Reach of EU Law
EU Law Beyond EU Borders

Christopher Kuner

Oxford University Press

Abstract and Keywords

The internet has had a significant influence on how EU law applies beyond EU borders, and has enabled the EU to extend the application of its fundamental values to third countries. There are many examples of the EU exerting its global reach regarding the internet, particularly in data protection and privacy law. The EU’s actions in exercising its global reach with regard to the internet implicate important normative issues, such as distinguishing between the furtherance of core EU legal values and the advancement of the EU’s political interests; promoting the principles of EU law as universal values; ensuring that EU legal values are upheld in practice; and determining the territorial boundaries of EU law. The influence exercised by the EU carries responsibilities towards third countries, particularly those in the developing world. The internet may itself also be influencing EU law.

Keywords:   internet governance, legal conflict, data protection, privacy, EU law, global reach, jurisdiction

1. Introduction

Since becoming available for widespread use in the mid-1990s, the Internet has ‘contributed to a shrinking of the world and to an interconnectedness of legal orders that has never been as intense in legal history’.1 During the same period, EU law has become a global normative power that exerts its influence over a variety of phenomena,2 including the Internet.

The relationship between EU law and the Internet is one of mutual influence. On the one hand, EU law has influenced the development of the Internet, and impacted countries and parties outside the EU’s borders. On the other hand, the Internet raises important questions about the application, scope and normative values of EU law. In many ways the Internet is the ideal vehicle for examining the ambitions of EU law in an increasingly complex and globalized world.

The Internet is based on technical protocols rather than legal rules. It was established as a distributed network not under the control of a single state,3 and operates based on open standards that allow networks around the world to connect with each other. The Internet also makes it possible for anyone to create content or offer products and services without permission from a central authority. This open, independent structure has been one of the keys to its success.

(p.113) However, these same factors complicate the relationship between EU law and the Internet. The Internet is not an enterprise, government, public authority, product, technology or institution of the type that is normally the subject of influence by EU law. Furthermore, instruments of ‘soft law’ (e.g. contractual arrangements between private parties) play a crucial role in the way the Internet is used.4 This demonstrates how its governance and regulation can be regarded as an example of pluralism and global legal hybridity.5

This chapter will examine the influence that EU law has over the Internet and parties outside the EU’s territorial boundaries that use and are affected by the Internet. The global reach of EU law is manifested in different types of actions taken by the EU and its Member States, such as asserting EU values and interests in international organizations and the conclusion of international treaties; influencing the adoption of legislation in third countries; and requiring compliance with EU law with regard to activities carried out by parties in third countries.

The Internet has an impact on many areas of EU law, only a few of which can be examined here. There will be a particular focus on data protection, which is one of the areas where the global reach of EU law has been asserted most aggressively. Data protection is also strongly anchored in EU law, and has been strengthened in recent years through the Treaty of Lisbon,6 the elevation of the EU Charter of Fundamental Rights7 (the Charter) to the status of binding primary law,8 the enactment of Article 16 of the Treaty on the Functioning of the European Union (TFEU),9 and several ground-breaking judgments of the Court of Justice of the European Union (CJEU).

The Internet also presents EU law with important challenges. Because of the fragmented and global nature of Internet governance and regulation, the Internet is not subject to the direct control of EU law. The relationship between the EU institutions and the Member States also plays an important role in determining the limits and efficacy of EU action regarding the Internet.

An examination of the interaction between EU law and the Internet raises a number of important normative questions regarding the relationship between the EU’s legal values and its political or policy interests; the implications of asserting EU values as universal values; ensuring that EU values apply to the Internet in practice as well as in theory; determining the territorial limits to the application of EU law; and the responsibilities that EU law has towards third countries. It also seems that, just as EU law influences the Internet, the Internet may be changing EU law. Finally, one may ask why the EU asserts its values and interests so strongly with regard to the Internet.

(p.114) 2. The Internet and its Governance

A. What is the Internet?

Defining the Internet is more difficult than it might seem. A definition that is often cited was articulated in 1995 by the US Federal Networking Council (FNC):

‘Internet’ refers to the global information system that (i) is logically linked together by a globally unique address space based on the Internet Protocol (IP) or its subsequent extensions/follow-ons; (ii) is able to support communications using the Transmission Control Protocol/Internet Protocol (TCP/IP) suite or its subsequent extensions/follow-ons, and/or other IP-compatible protocols; and (iii) provides, uses, or makes accessible, either publicly or privately, high level services layered on the communications and related infrastructure described herein.10

This definition focuses on the Internet’s use of the TCP/IP suite11 in order to differentiate it from other networks. However, different networks, not all of which employ TCP/IP, may be connected to transfer data at least in part via the Internet.12 The term ‘Internet’ is often used not just in relation to a particular protocol or technology, but to refer to the interconnection of electronic communications networks around the world, including the technical infrastructure that they use. Because Internet technologies and their use change so quickly, it seems best to adopt a broad definition that includes not only networks that run based on TCP/IP, but also the global communications infrastructure that underlies the Internet.13 Understood in this way, the Internet can be defined to include the broad range of infrastructure, content, applications, hardware and other phenomena that determine both the purpose of the Internet and how it operates in practice.14 Thus, the Internet will be considered here to constitute the ‘network of networks’ that includes the totality of global communications networks, infrastructure and content that are connected to it and transmitted on it.

B. How is the Internet Governed?

The Internet functions based on a multi-layered governance model, as illustrated by Table 3.1 (note that the bullet points included in each layer of the table are only examples).

Table 3.1 Internet governance layers

Social Layer

• Trust and identity

• Human rights applied to the Internet

• Internet governance principles (e.g. net neutrality)

Content Layer

• Data protection

• Intellectual property rights

• Cybercrime


Logical Layer

• Internet naming and numbering

• Protocols & other standards

Infrastructure Layer

• Connectivit1y and universal access

Source: Adapted from Cerf, Ryan and Senges, ‘Internet Governance is our Shared Responsibility’, 10 I/S: A Journal of Law and Policy for the Information Society (2014) 1, at 10.

(p.115) In this model, the infrastructure layer comprises the networks through which data travels on the Internet; the logical layer contains the code and mechanisms by which the Internet operates; the content layer contains the information that is transmitted through it and the legal rules that govern such information; and the social layer deals with ‘practices that define paramount rights and principles associated with “social conduct” online’.15 This chapter will mainly be concerned with the third layer (i.e. the content layer), though EU law may impact all four.

The instruments of EU primary law do not specifically mention the Internet. However, the various layers of governance set forth in Table 3.1 are subject to regulation by the EU insofar as there is EU law in the respective area (e.g. telecommunications networks are subject to telecommunications regulation).

The fragmented governance structure of the Internet limits the EU’s ability to regulate it. The Internet is accessible globally, and most of the infrastructure on which it runs, the organizations that maintain it, and the individuals that use it are located outside the EU. Moreover, as a global communications infrastructure the Internet is of interest to countries all over the world, which may exercise their own legal and regulatory power over it, potentially leading to legal conflicts.

A number of international entities and organizations play an important role in the functioning and governance of the Internet. In 2006, the United Nations Secretary-General established the Internet Governance Forum (IGF), a forum for dialogue on issues of policy related to Internet governance that includes participation from stakeholders in all sectors, including governments, the private sector, civil (p.116) society, academia and the technical community.16 Several organizations also play a crucial role in setting technical standards for the Internet, such as the Internet Engineering Task Force (IETF),17 the World Wide Web Consortium (W3C)18 and the Internet Corporation for Assigned Names and Numbers (ICANN).19 However, none of these are ‘regulators’ in the sense of being public authorities mandated with enforcing a set of laws or legal rules.

The growing social, economic and political importance of the Internet has led to its increased regulation,20 which can cause legal conflicts and complicate the application and enforcement of the law. The difficulty of applying and enforcing any regulatory system (not just EU law) to the Internet rests on the fact that its operation involves a highly fragmented universe of actors, norms, procedures, processes and institutions, including many non-state entities (such as private companies, non-governmental organizations, academic institutions, standards organizations and others). Their activities have resulted in the adoption of contracts, technical standards, guidelines and best practices that differ from legislation and legal regulation traditionally enacted by governments, but that still have had a profound effect on how the Internet functions, as Bygrave explains:

[T]he governance structure for the Internet has been formed largely outside a treaty or other legislative framework that is Internet-specific. Contracts provide the legal bricks and mortar for much of the present structure, and they do so often without a direct basis in legislation. Concomitantly, the governance structure is relatively unencumbered by dirigiste ideology and has permitted a fairly high degree of self-regulation. While tentacles of government control are increasingly visible, private sector bodies have usually been allowed—and often encouraged—to lead the design and management of the Internet. Governments have acted more as facilitative partners of these bodies than as heavy-handed regulators, at least in Western democracies. In other words, governance has been exercised to a large degree by contractually based, co-operative networks rather than decree.21

Jurisdictional rules in many legal systems are based on the principle of territoriality, i.e. that jurisdiction obtains over acts committed within the territory of the country in question.22 However, the Internet complicates application of the territoriality principle, since it can be difficult to determine the place where a particular online action occurs.23 This leads to uncertainty concerning applicable law and jurisdiction, which is reflected in the challenges that the Internet presents to EU law.

(p.117) 3. The EU and the Member States

Both the EU and the Member States are active in Internet-related issues, and the relationship between them helps determine the scope of EU law.

At the EU level, the making of law and policy is fragmented among the institutions. To give a few examples, in the European Commission different Directorates-General take the lead in work on Internet issues such as net neutrality,24 data protection25 and intellectual property rights.26 Other EU institutions, such as the European Economic and Society Committee27 and the European Parliament,28 are also deeply involved in Internet issues. There are Internet-related initiatives pursued jointly by various EU institutions; an example is the Communication concerning the ‘Cybersecurity Strategy of the European Union’,29 which was published jointly in 2013 by the European Commission and the High Representative of the EU for Foreign Affairs and Security Policy (the High Representative). As discussed throughout this chapter, there are numerous legislative initiatives in the EU and judgments of the CJEU dealing with the Internet. While it is not an EU institution, the European Court of Human Rights has also issued numerous judgments concerning the Internet.30

The Member States exercise influence through the Council’s role in enacting EU law and policy (e.g. the Council is tasked with identifying the EU’s ‘strategic interests’ in the context of external action31) and by pursuing their own legal and regulatory initiatives. A few examples of such national initiatives include the ‘Digitale Agenda 2014–2017’ of the German Federal Government,32 the ‘Agenda Digitale Italiana’ of the Italian government33 and the ‘Digitales Österreich’ initiative of the Austrian government.34 Legislatures, courts and regulators in all Member States have been active in Internet-related issues.

(p.118) Shared competence between the EU and the Member States is the general rule,35 and the Internet is not mentioned in Article 3 TFEU, which lists the Union’s exclusive competences, so it is an area of shared competence. This conclusion is supported by the fact that some areas listed in Article 4(2) TFEU as examples of shared competence are particularly important with regard to the Internet, such as the internal market and consumer protection.

However, certain areas of EU law related to the Internet may fall primarily within the competence of the EU, as can be seen by the example of data protection. The Member States may act with regard to areas of shared competence only to the extent that the EU has not done so,36 and data protection, which the EU first regulated on a horizontal basis in Directive 95/46/EC,37 has now been harmonized via Regulation 2016/679 (‘the GDPR’), which replaced the Directive.38 The Regulation on Privacy and Electronic Communications39 proposed by the Commission in January 2017 (the ePrivacy Regulation proposal) would also result in harmonization of data protection issues related to the Internet. This means that the Member States may not act with regard to data protection issues that fall within the scope of harmonizing EU legislation. The Member States may not undertake obligations with third countries that affect common rules laid down by the EU,40 suggesting that, in practice, the conclusion of international agreements concerning data protection lies exclusively in the competence of the EU.41 There are also limits on the ability of the Member States to participate in law-making initiatives in international fora even in the absence of exclusive competence of the EU,42 in light of the duty of sincere cooperation that applies in cases of shared competence.43

With regard to the negotiation of international treaties relating to the Internet, in most cases the Commission should negotiate on behalf of the EU after being nominated by the Council,44 except for treaties relating exclusively or principally to the Common Foreign and Security Policy, which should be negotiated by the High (p.119) Representative.45 This latter case would apply in an area such as cybersecurity insofar as it relates to defence, as this would seem to fall under the Common Security and Defence Policy,46 which is an integral part of the Common Foreign and Security Policy.47

Many important discussions between governments, countries and other stakeholders take place in the work of international organizations. Both the EU and the Member States participate in organizations such as the Council of Europe, the Organisation for Economic Co-operation and Development (OECD), various UN agencies, standards-setting bodies, entities dealing with Internet governance, and others.

The relationship between the EU and its Member States with regard to the Internet is marked by both cooperation and tension. On the one hand, the EU seeks to promote cooperation between the EU institutions and the Member States with regard to Internet issues. This can be seen in the European Commission’s 2014 Communication on Internet governance, where it is stated that ‘[t]he Commission invites the Council and Parliament, the Economic and Social Committee, the Committee of the Regions, as well as Member States, to agree on a common vision as highlighted in this Communication and to defend it jointly in the forthcoming international debates’.48

At the same time, the division of competences between the EU and the Member States can lead to disputes between them. For example, during negotiation of the EU Directive on Electronic Signatures,49 the German government sought to have it cover only digital signatures using asymmetric cryptography (as in the original version of the German Digital Signatures Act50), and not the broader category of electronic signatures,51 which led to a dispute between it and the Commission as to the scope of the Directive. There were also disputes between the Member States and the European Commission during the drafting and enactment of the GDPR.

I have witnessed the tension between the EU and its Member States in international organizations such as the Council of Europe in its modernization of Convention 108,52 and the United Nations Commission for International Trade Law (p.120) (UNCITRAL) in its work concerning the UNCITRAL Model Law on Electronic Signatures53 and the UNCITRAL Convention on Electronic Communications.54 In particular, disputes have arisen between the European Commission and the Member States when both have been participating in the work of an international organization and the Commission has asserted its right to negotiate on behalf of the EU regarding a matter that was the subject of present or pending EU legislation. When such disputes break into the open in the work of international organizations, it weakens the influence of EU law by showing cooperation between the EU institutions and the Member States in a bad light, and allowing third counties to assert themselves at the expense of a disunited EU.

4. The Internet and the Values of EU Law

A. Introduction

The EU is an autonomous legal entity based on values, the promotion of which is one of its aims,55 and it is obliged to uphold and promote them in its dealings with the wider world.56 The Treaty on European Union (TEU) contains a list of values by which the EU is to be guided on the international scene, including ‘democracy, the rule of law, the universality and indivisibility of human rights and fundamental freedoms, respect for human dignity, the principles of equality and solidarity, and respect for the principles of the United Nations Charter and international law’.57

The extension of these values to the Internet has occurred in conjunction with the development of EU law over the last 20 years. One of the first times when the EU dealt with Internet legal issues in an international context was at the ministerial conference on ‘Global Information Networks’ held in Bonn on 6–8 July 1997,58 which was jointly organized by the European Commission and the German government and included representatives of the Commission, the Member States, the US government, other third country governments, international organizations, and the private sector. The final ‘Ministerial declaration’, published at the conclusion of the conference, contained hardly any mention of actions to be taken specifically by the EU.59 During the next few years, the EU largely focused on Internet-related (p.121) issues relevant to the internal market, through the enactment of instruments such as the Directive on Electronic Commerce60 and the Directive on Electronic Signatures.61 It was only following the entry into force of the Treaty of Lisbon in 2009 and the resultant elevation of the Charter to the status of primary law that EU law was given the tools to assert its values and interests at a global level regarding the Internet,62 as can be seen in the post-Lisbon judgments of the CJEU which rely on the TEU, the TFEU and the Charter to assert the global reach of EU law. The following sections consider the values of EU law that are implicated with regard to the Internet.

B. The Autonomy of EU Law

EU law views itself as an autonomous legal system,63 which refers to ‘the separateness and autonomy of the EC from other legal systems and from the international legal order more generally, and the priority to be given to the EC’s own fundamental rules’.64 The autonomy of EU law means that even obligations imposed by international agreements cannot prejudice the constitutional principles of EU law.65

The pluralistic and fragmented nature of the Internet can lead to legal conflicts and situations where different norms cover the same actors or conduct, without the existence of clear rules to determine which has priority. Such situations impact the autonomy of EU law, since they may create a risk that non-EU norms could prevail over the fundamental values of EU law, a possibility that the CJEU has rejected in Internet-related cases.66 An example of a potential conflict is provided by Article 44 GDPR, which states that onward transfers of personal data from an international organization to a third country or another international organization shall take place only if the other provisions of the GDPR and the conditions laid down in Chapter V are complied with.67 However, many international organizations enjoy privileges and immunities under public international law, and may expect that the further transfer of data they receive from the EU will be subject to international law or their own internal rules, not EU law.

(p.122) C. The Rule of Law

The rule of law is one of the values upon which the EU is founded.68 While the meaning of the term is open to interpretation,69 it includes requirements such as: actions by governments or public authorities are limited by rules; such rules are fixed and set in advance; and judicial review and access to courts are available if the rules are violated.70

As one of the central values of the EU, the rule of law is a benchmark for EU action with respect to third countries, and is a value that the EU seeks to export beyond the borders of the Union.71 The CJEU has emphasized the need to respect the rule of law with regard to data processing on the Internet, as can be seen in its Schrems judgment, where it stressed the importance of upholding the rule of law with regard to legislation limiting the effective right to judicial protection contained in Article 47 of the Charter.72 Thus, upholding the rule of law with regard to the Internet is a key concern of EU law.73

D. Fundamental Rights

Fundamental rights are a value upon which the EU is founded,74 and they play an important role in the relationship between EU law and the Internet. First, the EU’s action on the international scene must be guided by fundamental rights,75 which includes action affecting the Internet. Second, fundamental rights place limits on the action that the EU may take, and oblige it to protect the rights of EU individuals. Fundamental rights must be respected whenever EU law applies,76 as the CJEU has stressed in various judgments dealing with Internet-related issues of data protection,77 online copyright infringement78 and the retention of telecommunications data.79 The CJEU has also found that a draft international agreement of the EU could not be concluded in its current form since it was adopted under the wrong legal basis and it did not comply with the standards of the Charter.80 The CJEU’s main concern (p.123) seems to be to prevent the evasion of fundamental rights protection,81 which can be seen as an ‘anti-evasion trigger’ for the application of EU law.82

5. Interaction between EU Law and the Internet

A. Introduction

Some topics of EU law are by their nature ‘external’, while others are inherently ‘internal’ but have global reach.83 The Internet merges the distinction between these two categories, since ‘in a globalized economy, everything has an effect on everything’.84 The discussion in this section will thus cover several areas of EU law that directly focus on the Internet (such as Internet governance), as well as others that routinely raise Internet-related issues (such as data protection), in order to show how the EU exerts its influence on Internet-related developments.

B. Internet Governance

The term ‘Internet governance’ refers not only to the technical management of the Internet, but also to law and policy in a host of areas dealing with communication and information policy. This is reflected in the definition used by the European Commission in its 2014 Communication on Internet governance, which defines the term broadly and emphasizes its pluralistic nature.85 One of the EU’s main objectives in Internet governance is to have the law apply to the Internet just as it does to the offline world,86 as has also been advocated by the UN Human Rights Council.87

An example of EU action to promote its values regarding Internet governance concerns the domain name system (DNS), which functions as a kind of address book that translates domain names to Internet protocol addresses so that computers connected to the Internet can communicate with each other.88 Domain name registrars maintain a register of the owners of domain names that can be queried online by searching the WHOIS servers, which contain a substantial amount of data about (p.124) registered domains, their registrants, and the servers used. Placing this data on the Internet via the WHOIS protocol has led to criticism by the former Article 29 Working Party (the body of EU and Member State data protection authorities (DPAs), now replaced by the European Data Protection Board).89 These criticisms have, in some cases, resulted in ICANN granting waivers to registrars in the EU with regard to the conditions for data access and retention contained in the Registrar Accreditation Agreement (RAA), which controls how they store and make available WHOIS data, in order to allow the registrars to take EU data protection requirements into account.90

The EU institutions may cooperate to assert the values of EU law in Internet governance. For example, the Communication published jointly by the European Commission and the High Representative of the EU for Foreign Affairs and Security Policy Communication in 2013 concerning the ‘Cybersecurity Strategy of the European Union’91 urges that the EU develop ‘a coherent international cyberspace policy’ that promotes ‘EU core values’ in cooperation with ‘relevant international partners and organisations, the private sector and civil society’, and that this be mainstreamed into EU external relations and the Common Foreign and Security Policy.92

C. Data Protection

Data protection law, which subjects the processing of personal data to a set of defined rules in order to protect the fundamental rights of individuals, has become an important tool for regulating the Internet. Much of the EU’s influence in data protection occurs through the extraterritorial application of EU law. There are different varieties or degrees of extraterritoriality, which range from the direct application of EU law to parties or conduct in third countries, to ‘territorial extension’, meaning the application of a measure triggered by a territorial connection but with the regulator required as a matter of law to take into account conduct or circumstances abroad.93 With regard to EU data protection law, it is less important to categorize the exact form of extraterritoriality used, than to recognize that it exerts its influence in different ways on persons and activities in third countries.

The extraterritorial application of EU data protection law through the use of private international law is discussed later, in section 5.E. A further example of extraterritoriality is provided by rules of EU data protection law restricting the transfer of personal data to third countries. Article 45 GDPR allows data transfers to third countries when an adequate level of data protection is provided in the country, based on EU legal standards. The European Commission is empowered to issue a formal decision that a third country provides an adequate level of protection,94 based on a (p.125) determination that the foreign legal system in question offers a level of protection ‘essentially equivalent’ to that under EU law.95 When an adequacy decision has not been issued, Article 46 GDPR permits transfers of personal data if ‘appropriate safeguards’ are provided, such as when contractual clauses have been signed between the data exporter in the EU and the data importer outside the EU obliging both to provide protections for the data,96 and Article 47 GDPR allows transfer when the party transferring the data has implemented binding corporate rules (BCRs, i.e., legally binding internal data processing rules applied by a group of undertakings or enterprises engaged in a joint economic activity). In addition, derogations (such as when the data subject has consented to the transfer) may allow the transfer of personal data.97

EU data protection law makes the processing of personal data transferred to third countries conditional on the external application of EU standards.98 In the case of adequacy decisions, this occurs through a formal evaluation of third country standards by the Commission (an example of ‘country-level’ territorial extension99), whereas in the case of appropriate safeguards (or ‘adequate safeguards’ as they were called under Article 26(2) of Directive 95/46/EC) the parties that receive data exported from the EU are obliged to apply protections based on EU law when they process data in third countries100 (an example of ‘firm-level’ territorial extension101). (p.126) The GDPR also introduces new data transfer mechanisms based on the application of EU data protection standards in third countries.102

The application of EU data protection law to third countries is also illustrated by the fact that Member State DPAs have several times asserted their enforcement authority to investigate whether parties in third countries comply with EU law with regard to data transferred from the EU. The first such case occurred in 1996, when Citibank consented to an on-site audit of its data processing facilities in the US, conducted by the Berlin Data Protection Commissioner’s office.103 The Spanish Data Protection Agency has also conducted an audit of a third party data processor located in Colombia regarding compliance with Spanish legal requirements for data transfers,104 and the Italian Data Protection Authority has obtained the consent of Google to audit the company’s compliance with EU data protection law on its premises in California.105

EU data protection law also exercises global influence through the adoption by third countries of data protection laws based on the EU model. Dozens of countries worldwide have enacted laws based on the model of Directive 95/46/EC,106 leading it to be called ‘by far the most influential international policy instrument’ in the field of data protection.107 Among the developments that can be traced to the influence of EU law are the adoption of data protection laws in Central and Eastern European countries that have acceded to the EU, the passage of federal privacy legislation in Canada in 2000, and the growth of privacy laws in Asian countries.108 The influence of EU data protection law can also be seen in the adoption of data protection acts in some African countries109 and the implementation of privacy standards and seal programs in the private sector.110

This influence has been caused in part by the perceived economic benefit that can accrue to countries that enact laws based on the Directive, and are then able to import personal data under an EU adequacy decision111 (though whether adequacy (p.127) decisions actually lead to economic growth has not been independently verified). The fact that EU data protection law is based on a set of clearly structured instruments also makes it attractive to third countries, which often find it easier to use an existing text as a model rather than draft new legislation from scratch.

D. International Agreements

There are few legally binding international agreements or treaties dealing specifically with the Internet.112 One example, the UNCITRAL Convention on Electronic Communications (the Convention),113 shows how the relationship between the EU and its Member States influences the EU’s approach to the conclusion of international agreements.

Both the European Commission and numerous Member States participated in the negotiation of the Convention.114 Early in the drafting, concerns were expressed by the Commission about the effect that the Convention could have on the EU acquis communautaire,115 particularly the EU E-Commerce Directive 2000/31/EC.116 In response to these concerns, the following ‘disconnection clause’ was incorporated into the Convention:

  1. 1. A regional economic integration organization that is constituted by sovereign States and has competence over certain matters governed by this Convention may similarly sign, ratify, accept, approve or accede to this Convention. The regional economic integration organization shall in that case have the rights and obligations of a Contracting State, to the extent that that organization has competence over matters governed by this Convention. Where the number of Contracting States is relevant in this Convention, the regional economic integration organization shall not count as a Contracting State in addition to its member States that are Contracting States.

  2. 2. The regional economic integration organization shall, at the time of signature, ratification, acceptance, approval or accession, make a declaration to the depositary specifying the matters governed by this Convention in respect of which competence has been (p.128) transferred to that organization by its member States. The regional economic integration organization shall promptly notify the depositary of any changes to the distribution of competence, including new transfers of competence, specified in the declaration under this paragraph.

  3. 3. Any reference to a ‘Contracting State’ or ‘Contracting States’ in this Convention applies equally to a regional economic integration organization where the context so requires.

  4. 4. This Convention shall not prevail over any conflicting rules of any regional economic integration organization as applicable to parties whose respective places of business are located in States members of any such organization, as set out by declaration made in accordance with article 21.117

The Convention entered into force in 2013, but thus far neither the EU nor any of the Member States have signed or ratified it.118 The reason for this lies in the EU’s unhappiness with the final version of Article 17(4), which requires either regional organizations (i.e. the EU) or their State members (i.e. the EU Member States) to make declarations under Article 21 in order to opt out of application of the Convention to parties located in other State members.119 The Commission demanded that this wording be replaced by a formulation under which EU law would automatically take precedence over the Convention without the need for declarations to be made.120

E. Private International Law

Rules of EU law on applicable law and jurisdiction (referred to here as private international law) can have external effect even when they are adopted mainly to further internal goals, since they impact disputes or relationships that have connections with third countries.121 Private international law has thus become ‘the key to the private law of global affairs in a multi-jurisdictional world’.122

Data protection law is a useful paradigm for examining the territorial scope of EU law under private international law as it relates to the Internet. Data protection in EU law is a self-contained area with regard to applicable law and jurisdiction, since they are determined by data protection instruments such as the GDPR rather than those dealing with private international law, at least insofar as administrative enforcement of the law by the DPAs is concerned.123 Under the GDPR, the territorial scope of application of data protection law has been expanded to include the processing of the personal data of individuals in the EU by a data controller or data (p.129) processor not established in the EU where the processing activities are related to the offering of goods or services to such individuals or the monitoring of their behaviour.124 The GDPR will thus extend the geographic reach of EU law to apply directly to the Internet activities of many parties in third countries. The ePrivacy Regulation proposal would also apply to providers of electronic communications services not established in the EU when they provide such services to end users in the EU.125

The broad jurisdictional scope of EU data protection law on the Internet can be seen in two judgments of the CJEU. In Google Spain,126 the CJEU found that EU data protection law granted individuals a right to suppress links to search engine results, even though the servers on which the search engine operated were based outside the EU. The French data protection authority (the CNIL) has interpreted the judgment to apply to searches performed on websites in all domains globally127 (this issue is currently the subject of litigation in the CJEU128). And in Schrems, the CJEU found that the transfer of personal data to a third country was subject to EU data protection law.129

F. Other Areas

EU law has extended its global reach regarding the Internet to other fields as well, only two of which will be considered here.

In L’Oréal v. eBay, the CJEU applied EU trade mark law to the sale on an Internet auction site of a trade-marked product in a third country when such sale was targeted at customers in the EU.130 The CJEU thus extended the reach of EU law to third countries when failing to do so would have an impact on the effectiveness of EU rules.131 And in May 2016 a number of leading Internet companies (including Google, Facebook, Twitter and Microsoft) agreed to apply EU rules on hate speech to their online services, following pressure from the EU Member States and the European Commission.132

(p.130) 6. Mechanisms of Global Reach

A. Introduction

EU law uses different mechanisms to exert its global reach. The EU has generally viewed this as a one-way street in which EU standards are exported to third countries rather than vice versa, leading to what has been called a ‘Europeanization’ of Internet regulation.133 Sometimes the EU’s global reach mechanisms are exercised intentionally, whereas in other situations they may apply as an afterthought or as part of some other phenomenon. These mechanisms are often intermingled, so that it can be difficult to determine which one applies in a particular case; for example, the adoption of EU standards seemingly based on a voluntary decision by a third country may in fact be motivated by behind-the-scenes political pressure. In some cases, both third countries and the EU may not want to reveal the extent of the influence that EU law has had. But sufficient evidence exists to allow classification of the different mechanisms.

B. Emulation and Learning

One approach can be referred to as learning from EU law, or emulating it in domestic or international law-making. This can occur for various reasons, such as affinities in legal culture that make the EU example attractive to a third country, or the fact that EU law tends to be contained in neatly packaged legal instruments.

This emulation is encouraged by EU external action policy, which seeks to promote the adoption of EU law through means such as financing technical assistance projects that allow experts from the EU to work with third countries.134 For example, in 2011 such assistance was given by the EU to Mauritius, focusing on ‘ensuring the data protection accreditation of Mauritius with the European Union’.135

In certain areas EU law has become the leading model that other countries and international organizations seek to emulate; data protection is a good example of this. Dozens of data protection laws in all regions of the world have been inspired by the EU model,136 and international organizations such as the Office of the United Nations High Commissioner for Refugees (UNHCR)137 and the International (p.131) Committee of the Red Cross (ICRC)138 have also turned to EU law as an important source of inspiration when adopting data protection policies and guidelines. In 2017 the ICRC and the Brussels Privacy Hub also published a handbook on data protection and humanitarian action based on a number of internationally recognized data protection standards, including those of EU law.139 As such policies become more widely adopted, they may lead to the gradual crystallization of international law based on EU standards.140

Courts in third countries have also been influenced by judgments of the CJEU in cases involving the Internet. This influence has resulted in the export of European law, which has been described thus:

European judges ‘export’ European ideas outside Europe. Put differently, European courts’ rulings, which are extensively quoted in an attempt to increase the legitimacy and persuasiveness of their own rulings, inspire and influence non-European Union judges.141

An example is the CJEU’s Google Spain judgment, where it recognized the so-called ‘right to be forgotten’.142 This judgment has served as inspiration for courts in third countries, such as Canada143 and Japan.144

EU legal standards have also influenced private sector practices in third countries and international organizations, as can be seen in the example of data protection.145 The influence of EU data protection law in the private sector is based on factors such as the need to conform to EU standards in order to compete in Europe; the power of the European market; the importance of privacy in the public consciousness; and the need to ensure that EU law is not undermined by lower standards elsewhere.146 As EU data protection law is used as the standard for private sector data transfer mechanisms such as BCRs and standard contractual clauses, its influence extends (p.132) beyond the parties that have adopted them. For example, both BCRs147 and standard contractual clauses148 allow the parties to them to transfer data on to other parties (so-called onward transfers) only if the protections under their provisions continue to apply. This results in companies and organizations in third countries gradually adopting the protections for the data contained in the original data transfer instruments, thus creating a ‘web’ of protection for the data based on EU law. Private sector entities in third countries often apply EU data protection standards even when they are not legally required to do so, since it is easier and less expensive to adopt a single set of standards globally.149 International organizations have also used the GDPR as a source of inspiration when they adopt data protection policies and procedures.150

C. International Negotiation

The EU participates in a number of international fora dealing with Internet law and regulation. This includes UN-based organizations concerned with Internet governance, such as the IGF; other multilateral organizations, such as the Council of Europe and the OECD; international legal harmonization organizations, such as UNCITRAL; and many others. The EU exercises its influence in the scope of such participation, which includes promoting its values and interests. This can lead to tension with other regions, as can be seen in the example of data protection, where there is often competition between the EU and the US to advance their respective views.151

The EU’s participation in international negotiations is also motivated by political factors. For example, during the negotiation of the GDPR, I observed the EU using its influence in the Council of Europe to prevent amendments to Convention 108 from being approved, based on the perception that this would ‘steal the thunder’ of the EU if reformed data protection rules were adopted at the international level before the EU adopted its GDPR. This shows how EU action can be motivated in part by the desire to successfully realize its internal legislative projects and to overshadow similar multilateral projects.

(p.133) D. Coercion and Conditionality

Coercion involves pressuring third countries to adopt certain policies through conditionality, i.e. by making access to resources or benefits conditional on compliance with the EU’s policy requirements.152 Coercion need not necessarily be viewed negatively, as a polity may legitimately make the granting of legal and political benefits contingent on the meeting of certain conditions. Indeed, the EU makes accession conditional on accepting and implementing the acquis communautaire, which constitutes a form of coercion.153

An example of this ‘carrot and stick’ approach is the use of adequacy decisions issued by the European Commission confirming that a third country offers an adequate level of data protection based on EU standards. The EU also uses this approach in other areas such as private international law, trade law and environmental standards.154 The ‘carrot’ in this approach is the offer of extending preferential status to third countries once their data protection standards are certified as being ‘essentially equivalent’ to those of EU law, which is considered to grant economic benefits by allowing personal data to be transferred freely to such countries. The ‘stick’ is the fact that EU law permits the free flow of data to third countries only when they adopt EU standards.

Passing judgment on whether the law of third countries is adequate based on EU standards risks entangling legal analysis with unrelated political factors. For example, in July 2010 the government of Ireland delayed an EU adequacy decision for Israel based on alleged Israeli government involvement in the forging of Irish passports.155 The process of negotiating data protection adequacy assessments has also created political tensions with third countries.156

Pressure from the EU has led commercial actors to change their behaviour. For example, providers of Internet data storage services have located their data centres in the EU in order to escape restrictions on international data transfers under EU law. As one news story puts it, global technology giants ‘are racing to store their data on the Continent as new laws and privacy concerns drive investment decisions’.157 Data storage companies also market their services based on having infrastructure in (p.134) the EU,158 and global companies have aligned their privacy policies with the GDPR.159

E. Blocking Recognition of Third Country Legal Measures

EU law may block recognition of third country legal measures that conflict with its own values. This is a method of extending the global reach of EU law, since it is based on an assertion of EU values in relation to legal measures taken by a third country.

An example of this is Article 48 GDPR, which limits the enforceability of decisions of third country courts and administrative authorities in the EU, and reads as follows:

Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.160

This provision is similar to so-called ‘blocking statutes’161 that protect parties in the EU from what are viewed as exorbitant jurisdictional assertions by third countries. For example, French law prohibits the disclosure to foreign public authorities (such as courts or administrative authorities) of data or information if this would impair the important interests of France.162

7. Normative Questions

A. Introduction

EU law does not use a comprehensive, overarching normative approach to exercise its global reach regarding the Internet, which is not surprising in light of the Internet’s relative novelty, the wide variety of EU institutions and legal instruments that deal with it, and the fragmented landscape of norms and actors involved in its governance and regulation. This accords with the view that the manifestations of the global impact of EU law vary based on their significance and difficulty of realization.163

(p.135) However, in recent years the EU has extended its reach to Internet activities beyond its borders, as demonstrated by the growing number of legislative and regulatory initiatives adopted (e.g. the GDPR), and the increased willingness of the CJEU to assert EU values in its case law dealing with Internet-related topics (e.g. Google Spain and Schrems). In this regard, the Internet has served as a vehicle allowing EU law to assert itself globally. This increasing global reach of EU law, as it concerns the Internet, raises some important normative questions.

B. Values or Interests?

In its external action the EU must uphold and promote its ‘values’, which the TEU lists as ‘human dignity, freedom, democracy, equality, the rule of law and respect for human rights, including the rights of persons belonging to minorities’.164 These are described later in the TEU as the principles which the EU ‘seeks to advance in the wider world’,165 and together represent the core values of EU law.

However, the EU is also guided by its political interests. Thus, in its external relations the EU is required to uphold and promote its ‘interests’,166 to define and pursue its ‘common policies and actions’,167 and to safeguard its ‘fundamental interests’.168 The Council is also obliged to identify the EU’s ‘strategic interests’ in the context of external action.169 Primary law does not define these terms or state whether there is any difference between them.

The influence of legal values when the EU exerts its global reach can be seen in the judgments of the CJEU in Internet-related cases, and in EU legislation such as the GDPR. An example of the EU asserting its political interests can be seen in the following statement by the European Commission concerning the adoption of adequacy decisions covering the level of data protection in third countries:

Under its framework on adequacy findings, the Commission considers that the following criteria should be taken into account when assessing with which third countries a dialogue on adequacy should be pursued:

  1. (i) the extent of the EU’s (actual or potential) commercial relations with a given third country, including the existence of a free trade agreement or ongoing negotiations;

  2. (ii) the extent of personal data flows from the EU, reflecting geographical and/or cultural ties;

  3. (iii) the pioneering role the third country plays in the field of privacy and data protection that could serve as a model for other countries in its region; and

  4. (iv) the overall political relationship with the third country in question, in particular with respect to the promotion of common values and shared objectives at international level.170

(p.136) The CJEU stated in Schrems that the Commission’s discretion with regard to the adequacy of protection ensured by a third country ‘is reduced’, and that its review of the requirements stemming from EU data protection law and the Charter should be ‘strict’.171 It seems that the EU would like to have its cake and eat it too by having one institution (the CJEU) insist on strict legal standards for adequacy decisions, while another (the Commission) prioritizes discussions with third countries based on political factors. The entanglement of EU legal values with the EU’s political interests can also be seen in the way the CJEU has defined the territorial scope of EU law on the Internet in terms of the policy objectives that the law seeks to pursue.172

There is a natural interdependence between the EU’s legal values and its political interests,173 and law and politics can be viewed as ‘structurally coupled systems’,174 since legal values are adopted as a product of political decisions. However, this does not mean that there is not a distinction between the values that the EU has enshrined in the constitutional instruments that form the basis of its legal order, and the political priorities of the day. When, intentionally or unintentionally, political interests are presented as legal values or vice versa, there is a risk that legal values will be diluted to fit a particular political agenda, or that political viewpoints will be reduced to the exercise of technical steps by bureaucrats and experts.175 An example of the former can be seen in the assertion of EU legal values as universal values, as discussed later, which is clothed in legal language but is clearly based on a political project.

It is thus important that the EU should not cloak the assertion of its political interests in the language of fundamental legal values, in order to keep a degree of integrity in the law that is resistant to changing political pressures. As the EU increasingly asserts its global reach regarding Internet-related issues, it should be more honest about differentiating between its legal values and political interests, when each applies, and for what reasons.

C. EU Law as Universal Values

The EU increasingly asserts its values as universal, global standards for the Internet. This can be seen in the words of some of the leading figures involved in the adoption of the GDPR:

  • –Former EU Commissioner Viviane Reding: ‘Europe must act decisively to establish a robust data protection framework that can be the gold standard for the world’.176

  • (p.137) –MEP Jan-Philipp Albrecht, Rapporteur in the European Parliament for the GDPR: The GDPR will change ‘nothing less than the whole world as we know it’.177

  • –An unnamed EU official: ‘With these proposals, the EU is becoming the de facto world regulator on data protection’.178

In a newspaper interview following the Schrems judgment, CJEU President Koen Lenaerts left no doubt about the leading role that he believes EU law should play in the wider world:

Europe must not be ashamed of its basic principles: The rule of law is not up for sale. It is a matter of upholding the requirements in the European Union, of the rule of law, of fundamental rights. If this is also affecting some dealings internationally, why would Europe not be proud to contribute its requiring standards of respect of fundamental rights to the world in general?179

EU law has arisen in a unique constitutional and institutional context,180 which gives rise to a paradox: if EU law is unique and fundamentally different from other legal systems, how can its standards be replicated elsewhere, and how can third countries be expected to adopt them? Many third countries have adopted legislation close to the EU model in areas such as data protection, but few have been found to provide a level of protection that is essentially equivalent to that provided under EU standards. Whether a norm is based on a fundamental legal value or a political interest also affects the ability to assert it as being universal, since it would be unreasonable to expect third countries to accept the EU’s political interests as universal values.

When a legal system strives for its standards to be accepted as universal values, it is inevitably engaged in a hegemonic struggle in which it seeks to have its own special interests identified with the general interest.181 The EU is engaged in such a struggle with regard to the assertion of its values and interests concerning the Internet, as can be seen in data protection, where efforts to promote the spread of EU law are portrayed as encouraging third countries and international organizations to adopt strong data protection standards.182 The risk is that this may lead not to genuine, disinterested universalism, but to ‘false universalism, the universalism of Empire’.183

(p.138) The promotion of EU law as a set of universal values can also backfire when it leads third countries to insist that the EU comply with their own legal requirements. This can involve, for example, third countries allowing data transfers to the EU only when it provides adequate protection under their standards.184 Third countries may also require that any decision on the adequacy of their data protection system be mutual (i.e. they may also issue a decision as to whether they find the EU’s level of data protection to be adequate); for example, in July 2018 the EU and Japan agreed to issue mutual adequacy decisions about each other’s data protection systems.185

D. Theory and Practice

There is an important distinction between the spread of EU legal values and their protection in practice. For example, the fact that EU data protection law has influenced the adoption of legislation around the world does not necessarily mean that this has led to a higher level of data protection on the Internet. Determining the extent to which EU values are reflected in practice on the Internet would require a large-scale empirical study that has yet to be conducted.

EU law focuses on the application of its norms to the Internet in a legal sense (e.g. the application of EU law to Internet-related activities, or the adoption by third countries of law based on EU models), rather than on an evaluation of whether the legal values that the EU seeks to export are upheld in practice. An example of this phenomenon can be seen in the ePrivacy Regulation proposal,186 Article 3(2) of which requires parties not established in the EU that provide electronic communications services (i.e. many types of websites, Internet services that use connected devices, etc.) to users in the EU to designate a ‘representative in the Union’ in writing. The proposed Regulation describes the duties of representatives, but contains no details about how they should be appointed, what liability they have, and other important practical points. There are well over one billion websites on the Internet,187 not even counting the many other types of services covered by the proposal, and the resources necessary for establishing and policing a system for the appointment and registration of representatives on such a huge scale would seem to be far beyond the capabilities of any EU or Member State institution. Article 3(2) thus seems to be a textbook example of regulatory overreaching, i.e. of law being applied so broadly that it stands little chance of being enforced.188

(p.139) In order for the application of EU law to be meaningful, it must be effective in practice as well as applying on paper, as the CJEU has recognized. For example, the CJEU in Schrems emphasized that protections for personal data transferred from the EU to third countries must ‘prove, in practice, effective in order to ensure protection essentially equivalent to that guaranteed within the European Union’.189 EU law should put greater emphasis on whether the values that underlie its legal standards are fulfilled in practice. An example of such an approach is the requirement in the GDPR that regular periodic reviews be conducted of Commission decisions on the adequacy of data protection in third countries and international organizations.190

E. The Territorial Scope of EU Law

The Internet raises questions about how the EU should act with regard to conduct that occurs outside its borders but has an effect within them. It is easier to state that EU law should be given wide territorial application when important public policy interests are at stake191 than to determine the limits of its application.

The EU adopts a schizophrenic attitude to the territorial application of its law. On the one hand, the EU and its Member States often insist on limits to jurisdiction based on sovereignty when jurisdictional assertions by third countries are involved; this can be seen, for example, in the insistence by the EU and the Member States on using the Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters (the Hague Evidence Convention)192 as the exclusive means for discovery of evidence abroad,193 and in the enactment in some Member States of so-called blocking statutes that restrict compliance with third country discovery requests.194 On the other hand, judgments such as Google Spain and Schrems demonstrate that the EU applies its law broadly to actions by third countries when this is necessary to defend its own substantive legal standards.195

The CJEU’s current approach to defining the territorial scope of EU law on the Internet is based largely on the policy objectives that the law seeks to pursue. For example, the result of the CJEU’s Google Spain judgment has been described as follows: ‘the (territorial) scope of application of EU secondary law is determined by its policy objectives: a direct correlation can be established between the achievement of EU policies and the potential need to cover situations located in third states’.196 The less guidance provided by the legislator as to the territorial scope of law, the higher the risk that courts will be left to determine it based on their interpretation of the (p.140) EU’s policy objectives of the moment.197 This risks sacrificing the coherence and consistency of EU law, and may result in the presentation of political interests as legal values, as has already been discussed.

EU law is still searching for a paradigm for its application to Internet-related activities that is based on firm legal principles, secures the rights of EU individuals, and avoids jurisdictional overreach.198 That some territorial limits to the application of EU law must exist is indicated by the CJEU’s judgment in Air Transport Association of America,199 where it found that EU law should not apply to aircraft registered in third countries that fly over third countries or the high seas, but that it can exercise jurisdiction when an aircraft arrives or departs from a Member State.200 This judgment indicates the broad outlines of a jurisdictional approach to the Internet as well, i.e. to avoid applying EU law to parties and situations outside its borders that have no contact or connection with the EU, but to extend its application to situations that have effect in the EU or on EU individuals. Such an approach can also be seen in the tendency of DPAs to prioritize the protection of individuals with a substantial connection to the EU.201

It will be up to the CJEU to define a paradigm for the territorial application of EU law as cases involving the Internet are brought before it or referred to it. This will depend on resolving difficult questions such as what constitutes a sufficient contact or connection to justify the assertion of EU law, and what it means for conduct to have ‘effects’ regarding the EU.

F. Responsibilities towards Third Countries

In examining the global reach of EU law, the focus has invariably been on the influence and power exercised by the EU. But along with influence and power goes responsibility, and this raises the question of whether the EU has responsibilities to third countries that adopt its standards.

EU law has been willing to exert its influence on third countries, but less inclined to learn from them. For example, the following has been stated regarding the judicial dialogue between the EU courts and courts in third countries:


The European courts seem more inclined ‘to teach’ rather than ‘to learn’ when discussing the protection, erga omnes (towards everyone), of European constitutional values, even beyond the reaches of Europe. In other words, the European judicial dialogue remains European-value-based even when globalized.202

There is a growing realization that ‘as agents of humanity, sovereigns are obligated to take other-regarding considerations seriously into account in formulating and implementing policies…’.203 It seems reasonable to conclude that this principle should also apply when one legal system exercises influence over others, particularly when it seeks to have its values adopted as global standards. The global reach of EU law should not be purely a matter of the EU seeing how far it can extend its influence towards third countries, but should subject it to responsibilities as well. These responsibilities are especially compelling with regard to developing countries, towards which there is a well-documented history of hegemony on the part of European legal systems.204

The EU’s responsibilities towards third countries can be seen in the example of EU data protection law. Many of the third countries that have enacted legislation based on EU law are developing countries with limited resources, and enacting a legal framework for data protection based on EU standards with all that entails can be a significant burden for them.205

If EU law is to be the ‘de facto standard for the world’, then the EU has a moral responsibility towards other countries that adopt it. Recognizing such a responsibility is ultimately in the EU’s own interest, since it would provide additional incentives for other countries to adopt EU law. The increased interaction with third countries produced by such measures could also benefit the EU by illuminating areas where it could learn from them.206

This moral responsibility is already reflected in some provisions of EU law. The TEU requires the EU to foster ‘the sustainable economic, social and environmental development of developing countries, with the primary aim of eradicating poverty’,207 and the Internet can be seen as a vehicle for fostering economic and social development. At the level of secondary legislation, Article 50(d) GDPR provides that the Commission and the DPAs should ‘promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries’. However, impact assessment provisions in EU (p.142) legislation concerning the Internet tend to consider only its impact with regard to the EU.208 Further measures should be enacted to assess the impact of EU legislation on third countries, particularly developing countries; to provide information on EU legal developments of particular relevance to them (e.g., via an Internet portal); and to solicit input from third countries regarding the impact of EU law on them.

Finding that the EU has certain responsibilities towards third countries that are influenced by its law also raises the question of whether it is setting standards on others that it is not prepared to live up to itself. In a legal sense, the standards of EU law and those of third country law are two different matters, but in a moral sense, the legitimacy of EU law is undermined if the EU is viewed as holding third countries to higher standards than it obliges itself to meet.

An example can be seen in the Schrems judgment, where the CJEU held the conclusion of adequacy decisions by the European Commission regarding the level of data protection in third countries to a high standard, particularly regarding access to data by third country intelligence authorities. However, Article 4 TEU grants competence for national security to the Member States, and there is widespread sharing of information by intelligence agencies of the Member States with third countries such as the US, both under the ‘Five Eyes’209 intelligence-sharing network (which includes Australia, Canada, New Zealand, the UK and the US), and under bilateral arrangements between the US and Member States such as France210 and Germany.211 Thus, there are substantial gaps in legal protection against intelligence surveillance under EU law, which undermines the moral legitimacy of criticisms of third country standards. It would increase the influence of EU law on the international stage if the EU were to ensure that it can itself satisfy the standards that it expects third countries to meet.

G.  Is the Internet Changing EU Law?

A final question is whether the Internet is also changing EU law. The increased rapidity and volume of international communications on the Internet have led to an increase in international disputes and increased contact between the EU and foreign (p.143) legal systems. These factors may cause changes in EU law, as can be seen in the growing need for the CJEU to take foreign law into consideration in the course of answering questions of EU law.

The CJEU’s role is to serve as ‘the ultimate authority for deciding any question concerning the interpretation or validity of EU law’,212 and in theory it does not pass judgment on the law of third countries.213 In the interview he gave following the Schrems judgment, CJEU President Koen Lenaerts stated about the judgment: ‘We are not judging the U.S. system here, we are judging the requirements of EU law in terms of the conditions to transfer data to third countries, whatever they be.’214

However, it is surely disingenuous to claim that the Schrems case did not involve evaluation of third country legal standards. The judgment is based on an examination of US intelligence gathering practices and their effect on fundamental rights under EU law, as can be seen, for example, in the CJEU’s mention of studies by the European Commission finding that US authorities were able to access data in ways that did not meet EU legal standards in areas such as purpose limitation, necessity and proportionality.215 The need to review third country standards is logically inherent in an evaluation of whether a Commission decision based on those standards results in protection that is essentially equivalent to that under EU law.

The CJEU’s review of third country standards can also be seen in the opinions of Advocate General Bot in Schrems,216 and Advocate General Mengozzi in Opinion 1/15,217 a case based on a request for an opinion by the European Parliament concerning a draft agreement between the EU and Canada for the transfer of airline passenger name records. The opinion of Advocate General Bot contains an evaluation of questions of US law, such as the scope of the supervisory powers of the US Federal Trade Commission (FTC).218 In his Opinion, Advocate General Mengozzi indicated that some provisions of Canadian law had been brought before the CJEU219 and that some of the contentions of the parties required interpretation of issues of Canadian law.220 The CJEU also referred to issues of Canadian law in its final Opinion.221

(p.144) In Schrems, the CJEU virtually ordered national courts to make preliminary references to it of cases involving the adequacy of data protection in third countries,222 and the Commission has indicated that in the future it will consider issuing additional adequacy decisions.223 This indicates that the CJEU is likely to be faced with an increasing number of cases that require an evaluation of foreign law in order to determine whether it meets EU legal standards. In addition, Opinion 1/15 was not a preliminary reference but a request for an opinion submitted by the European Parliament under Article 218(11) TFEU, demonstrating the variety of cases in which the CJEU may need to deal with the law and legal standards of third countries.

Since in a reference for a preliminary ruling the determinations of national courts will generally be accepted by the CJEU without further inquiry,224 and intervention in such references is not possible,225 there is a risk that a judgment could be based on an insufficient evaluation of foreign law. This could occur, for example, when the evidence concerning foreign law is delivered only by a single party and is uncontested,226 a situation that has been criticized in private international law scholarship as a ‘false application of foreign law’.227 However, the CJEU’s Opinion procedure does allow the use of expert opinions and further investigation,228 and in cases under that procedure it could consider taking evidence from individuals and groups with an expert knowledge of the relevant foreign law.

8. Final Thoughts: Why the Internet?

Bradford has argued that the EU’s external regulatory influence has emerged ‘largely as an inadvertent by-product of its internal goal to create and strengthen the single market’.229 However, as this chapter has shown, the EU tends to assert itself as a global regulatory power consciously and deliberately with regard to the Internet. This means that the EU seeks to have its own legal standards adopted by third countries and at the international level, and asserts its regulatory authority towards activities in third countries that affect its interests and those of individuals within its (p.145) borders. One may ask why the EU would promote the influence of its own standards and ideas so strongly with regard to the Internet?

The first reason relates to the legal factors described in this chapter, including in particular the Lisbon Treaty and the enhanced legal status of the Charter of Fundamental Rights, as well as the Internet-related judgments of the CJEU that have been issued in the last few years. The Internet has assumed increased importance in almost every area of life, so that there are few areas of EU law that are not affected by it. The nature of how the Internet functions means that activities carried out in the EU have an effect in third countries and vice versa, thus creating a high potential for interaction between EU law and activities implicating third countries.

But just as significant have been the legal, political and social factors that have combined to cause EU law relating to the Internet to interact with the wider world in a way that might not be seen in many other areas of law. This has occurred as both the EU and Europe in a broader sense have been faced with an increasing number of political, economic and social challenges. Regulation of the Internet has proved a convenient vehicle through which the EU can assert itself on the world stage without having to take coordinated action geo-politically in a way that would exceed its current capabilities. By focusing on the Internet, the EU has been able to use its strengths in law and regulation, areas where it is a superpower, to make itself heard globally.

The Internet has led both to an opening of EU law (as in the expanding role of the CJEU in dealing with questions of foreign law), and to a tendency to take EU standards as the measure of all things (as when the EU attempts to have its own standards accepted universally). The question is whether EU law will allow interfaces with other legal systems, or retreat into the historical European tendency to focus on itself that Mbembe has described:

[T]hroughout its history, European thought has tended to conceive of identity less in terms of mutual belonging (cobelonging) to a common world than in terms of a relation between similar beings—of being itself emerging and manifesting itself in its own state, or its own mirror.230

EU law has had significant influence on the Internet, but the Internet has also influenced the development of EU law. In coming years the EU will have to confront an increasing number of challenges posed by the Internet, such as how to define the territorial scope of EU law to Internet-related activities; what responsibilities the EU should have towards third countries that are influenced by the assertion of its legal standards; and how to evaluate issues of foreign law in the work of the CJEU. Thus, the relationship between EU law and the Internet will continue to evolve, to reflect both the values and interests of the EU, and the nature of the Internet as a social and legal phenomenon.


(1) Basedow, ‘The Law of Open Societies—Private Ordering and Public Regulation of International Relations’, 360 Recueil des cours/Collected Courses of the Hague Academy of International Law (2012) 9, at 471.

(2) Some of the leading scholarly examinations of this topic include Bradford, ‘The Brussels Effect’, 107 Northwestern University Law Review (2013) 1; Gilardi, ‘Transnational Diffusion: Norms, Ideas, and Policies’, in W. Carlsnaes, T. Risse and B. Simmons (eds), Handbook of International Relations (2012) 453, available at http://www.fabriziogilardi.org/resources/papers/gilardi_handbook_IR_v2.pdf; Scott, ‘Extraterritoriality and Territorial Extension in EU Law’, 62 American Journal of Comparative Law (2014) 87; Scott, ‘The New Extraterritoriality’, 51 Common Market Law Review (2014) 1343; De Witte and Thies, ‘Why Choose Europe? The Place of the European Union in the Architecture of International Legal Cooperation’, in B. Van Vooren, S. Blockmans and J. Wouters (eds), The EU’s Role in Global Governance (2013) 23; Young, ‘The European Union as a Global Regulator? Context and Comparison’, 22 Journal of European Public Policy (2015) 1233. (All website references in this chapter were last visited on 22 February 2019.)

(3) For a brief description of the Internet, what it is, and how it operates, see Internet Society, ‘The Internet: How it Works’, available at https://www.internetsociety.org/internet/how-it-works.

(4) See L. Bygrave, Internet Governance by Contract (2015), at 6 (Kindle edition); C. Marsden, Internet Co-Regulation (2011).

(5) See P. Schiff Berman, Global Legal Pluralism (2012), at 177–178 (Kindle edition).

(6) Treaty of Lisbon, OJ 2007 C 306/1.

(7) Charter of Fundamental Rights of the European Union, OJ 2010 C 83/389.

(8) Consolidated Version of the Treaty on European Union (TEU), OJ 2012 C 326/13, at Art. 6(1).

(9) Consolidated Version of the Treaty on the Functioning of the European Union (TFEU), OJ 2012 C 326/47. See H. Hijmans, The European Union as Guardian of Internet Privacy: The Story of Art 16 TFEU (2016).

(10) FNC Resolution of 24 October 1995, available at http://people.ucalgary.ca/~bakardji/Internet/definition.html.

(11) The TCP/IP suite is a set of communications protocols widely used to transmit data packets on the Internet. See http://www.pcmag.com/encyclopedia/term/52614/tcp-ip.

(12) For a discussion of the factors involved in defining what constitutes the Internet, see Bygrave, note 4, at 14–17 (Kindle edition).

(13) Ibid., at 15 (Kindle edition).

(14) Solum, ‘Models of Internet Governance’, in L. Bygrave and J. Bing (eds), Internet Governance: Infrastructure and Institutions (2009) 48, at 48–49, stating that ‘[i]n the broad sense, the Internet is a complex entity that includes the hardware and software technical infrastructure, the applications, and the content that is communicated or generated using those applications’.

(15) Cerf, Ryan and Senges, ‘Internet Governance is our Shared Responsibility’, 10 I/S: A Journal of Law and Policy for the Information Society (2014) 1, at 9.

(20) See J. Goldsmith and T. Wu, Who Controls the Internet? Illusions of a Borderless World (2008); Schiff Berman, note 5, at 28–29 (Kindle edition), stating that countries around the world have enacted ‘laws purporting to regulate almost every conceivable online activity, from gambling to chat rooms to auction sites, and seeking to enforce territorially based rules regarding trademarks, contractual relations, privacy norms, “indecent” content, and crime, among others’.

(21) Bygrave, note 4, at 2 (Kindle edition).

(22) See, e.g., C. Ryngaert, Jurisdiction in International Law (2nd edn, 2015), at 49 (Kindle edition).

(23) See, e.g., Michaels, ‘Territorial Jurisdiction after Territoriality’, in P. J. Slot and M. Bulterman (eds), Globalisation and Jurisdiction (2004) 105, at 106.

(25) See https://ec.europa.eu/info/law/law-topic/data-protection_en, work on which is led by DG JUST.

(26) See https://ec.europa.eu/growth/industry/intellectual-property_en, work on which is led by DG GROW.

(28) See, e.g., the work of the European Parliament Committee on Civil Liberties, Justice and Home Affairs, http://www.europarl.europa.eu/committees/en/LIBE/home.html.

(29) European Commission and High Representative of the European Union for Foreign Affairs and Security Policy, ‘Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace’, JOIN(2013) 1 final, 7 February 2013, http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=1667. See Schaake and Vermeulen, ‘Towards a Values-based European Foreign Policy to Cybersecurity’, 1 Journal of Cyber Policy (2016) 75.

(30) See European Court of Human Rights, Research Division, ‘Internet: Case-law of the European Court of Human Rights, Updated: 2015’, https://www.echr.coe.int/Documents/Research_report_internet_ENG.pdf.

(31) TEU, note 8, at Art. 26(1). See P. Eeckhout, EU External Relations Law (2011), at 485–486 (Kindle edition).

(35) See TFEU, note 9, at Art. 4(1); A. Rosas and L. Armati, EU Constitutional Law: An Introduction (2012), at 23 (Kindle edition).

(36) TFEU, note 9, at Art. 2(2).

(37) Directive 95/46 of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995 L 281/31.

(38) Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1.

(39) Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), COM(2017) 10 final, 10 January 2017.

(40) See Case 22/70, Commission v. Council (AETR/ERTA) [1971] ECR 263 (ECLI:EU:C:1971:32). The GDPR, note 38, affirms this principle with regard to data protection in recital 102, stating that ‘Member States may conclude international agreements which involve the transfer of personal data to third countries or international organisations, as far as such agreements do not affect this Regulation or any other provisions of Union law and include an appropriate level of protection for the fundamental rights of the data subjects’. See also Eeckhout, note 31, at 71–76 (Kindle edition).

(41) See Hijmans, note 9, at 468–470.

(42) See De Witte and Thies, note 2, at 32–33.

(43) See TEU, note 8, at Art. 4(3).

(44) See TFEU, note 9, at Art. 218(3); Eeckhout, note 31, at 195–196 (Kindle edition).

(45) TFEU, note 9, at Art. 218(3).

(46) See P. Koutrakos, The EU Common Security and Defence Policy (2013), at 85 (Kindle edition). See also Cybersecurity Strategy of the European Union, note 29, at 11–12.

(47) TEU, note 8, at Art. 42(1).

(48) Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, ‘Internet Policy and Governance: Europe’s role in shaping the future of Internet Governance’, COM/2014/072 final, 12 February 2014, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52014DC0072&from=EN.

(49) Directive 1999/93 of 13 December 1999 on a Community framework for electronic signatures, OJ 2000 L 13/12.

(50) Signaturgesetz vom l. August 1997 (BGBl. I S. 1870, 1872), amended by Signaturgesetz vom 16. Mai 2001 (BGBl. I S. 876) and Artikel 4 des Gesetzes vom 17. Juli 2009 (BGBl. I S. 2091).

(51) See Bundesregierung der Bundesrepublik Deutschland, ‘Anmerkungen der Bundesregierung zu dem Entwurf der Europäischen Kommission einer EG-Richtlinie über elektronische bzw. Digitale Signaturen’, 8 April 1998, at 1.

(52) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, opened for signature on 28 January 1981, in force 1 October 1985, ETS 108. Regarding the work of the Council of Europe to modernize the Convention, see https://www.coe.int/en/web/data-protection/convention108/modernised.

(54) United Nations Convention on the Use of Electronic Communications in International Contracts 2005, 2898 UNTS, Registration No. 50525. See Killian, ‘The Electronic Communications Convention: A European Union Perspective’, in A. H. Boss and W. Killian, The United Nations Convention on the Use of Electronic Communications in International Contracts: An In-Depth Guide and Sourcebook (2008) 407.

(55) TEU, note 8, at Arts. 2 and 3(1). See also T. Tridimas, The General Principles of EU Law (2nd edn, 2006), at 15, finding that the values of the EU represent the EU legal order.

(56) TEU, note 8, at Art. 3(5) and Art. 21(3).

(57) Ibid., at Art. 21(1). See also Hijmans, note 9, at 33.

(60) Directive 2000/31 of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, OJ 2000 L 178/1.

(61) See note 49.

(62) See Hijmans, note 9.

(63) See, e.g., Opinion 2/13 (ECLI:EU:C:2014:2454), 18 December 2014; Joined Cases C-402 and 415/05P, Kadi [2008] ECR 1–6351 (ECLI:EU:C:2008:461).

(64) de Búrca, ‘The European Court of Justice and the International Legal Order After Kadi’, 51 Harvard International Law Journal (2010) 1, at 23.

(65) See Kadi, note 63, at para. 285.

(66) See Case C-362/14, Schrems (ECLI:EU:C:2015:650), 6 October 2015, at paras 84–87, criticizing the EU-US Safe Harbour Arrangement as giving US law primacy over EU fundamental rights in situations where they conflict. See also Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post-Schrems’, 18 German Law Journal (2017) 881.

(67) See Kuner, ‘International Organizations and the EU General Data Protection Regulation: Exploring the Interaction between EU Law and International Law’, 16 International Organizations Law Review (2019) (forthcoming).

(68) TEU, note 8, at Art. 2.

(69) See Kochenov, ‘The EU Rule of Law: Cutting Paths through Confusion’, 2 Erasmus Law Review (2009) 5, at 9.

(70) Rosas and Armati, note 35, at 46 (Kindle edition).

(71) Pech, ‘Rule of Law as a Guiding Principle in the EU’s External Action’, Centre for the Law of EU External Relations, CLEER Working Papers 2012/13, http://www.asser.nl/media/1632/cleer2012-3web.pdf, at 13.

(72) See Schrems, note 66, at para. 95.

(73) See Hijmans, note 9, at 27–31.

(74) See TEU, note 8, at Art. 2. See also Art. 6(1) TEU, stating that fundamental rights have the same legal value as the Treaties.

(75) Ibid., Art. 21(1).

(76) See Case 617/10, Åkerberg Fransson (ECLI:EU:C:2013:105), 26 February 2013, at para. 21.

(77) See, e.g., Schrems, note 66; Case C-131/12, Google Spain (ECLI:EU:C:2014:317), 13 May 2014.

(78) Case C-160/15, GS Media BV (ECLI:EU:C:2016:644), 8 September 2016, at para. 31.

(79) Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger (ECLI:EU:C:2014:238), 8 April 2014; Joined Cases C-203/15 and C-698/15, Tele2 Sverige AB (ECLI:EU:C:2016:970), 21 December 2016.

(80) Opinion 1/15 (ECLI:EU:C:2017:592), 26 July 2017. See Kuner, ‘International Agreements, Data Protection, and EU Fundamental Rights on the International Stage: Opinion 1/15’, 55 Common Market Law Review (2018) 857.

(81) See Schrems, note 66, at paras 84–87, suggesting that EU fundamental rights are violated when protections under EU law are overridden by US law enforcement requirements.

(82) See Scott, ‘The New Extraterritoriality’, note 2, at 1359–1360.

(83) See Rosas and Armati, note 35, at 237 (Kindle edition); Cremona and Micklitz, ‘Introduction’, in M. Cremona and H.-W. Micklitz (eds), Private Law in the External Relations of the EU (2016) location 1427, at location 1451 (Kindle edition).

(84) Michaels, note 23, at 123.

(85) See Communication from the Commission, ‘Internet Policy and Governance’, note 48, at 2, stating: ‘Internet governance is broadly understood to refer to the development and application by Governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet.’

(86) Ibid.

(87) UN Human Rights Council, ‘The Promotion, Protection, and Enjoyment of Human Rights on the Internet’ (29 June 2012), UN Doc A/HRC/20L.13, at 2, stating that ‘the same rights that people have offline must also be protected online…’.

(89) Article 29 Working Party, ‘Opinion 2/2003 on the application of the data protection principles to the WHOIS directories’ (WP 76, 13 June 2003), at 4. See Bygrave, note 4, at 120 (Kindle edition).

(90) Bygrave, note 4, at 121 (Kindle edition).

(91) Cybersecurity Strategy of the European Union, note 29.

(92) Ibid., at 14–16.

(93) See Scott, ‘Extraterritoriality and Territorial Extension of EU Law’, note 2, at 90.

(94) There are currently 13 European Commission adequacy decisions in force, covering Andorra; Argentina; the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA); Switzerland; the Faroe Islands; Guernsey; Israel; the Isle of Man; the Japanese Act on the Protection of Personal Information; Jersey; New Zealand; the EU-US Privacy Shield; and Uruguay. See https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en. In January 2017 the Commission announced that it will ‘actively engage with key trading partners in East and South-East Asia, starting from Japan and Korea in 2017, and, depending on progress towards the modernization of its data protection laws, with India, but also with countries in Latin America, in particular Mercosur, and the European neighbourhood which have expressed an interest in obtaining an “adequacy finding” ’. Communication from the Commission to the European Parliament and the Council, ‘Exchanging and Protecting Personal Data in a Globalised World’, COM(2017) 7 final, 10 January 2017, at 8. In January 2019 the Commission adopted an adequacy decision covering the Japanese Act on the Protection of Personal Information. See Commission Implementing Decision of 23.1.2019 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information, C(2019) 304 final (not yet published in the Official Journal).

(95) The CJEU articulated this standard in Schrems, note 66, at para. 73.

(96) See, e.g., Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, OJ 2010 L 39/5, Clauses 5(a), 5(d)(i) and 5(e).

(97) See GDPR, note 38, at Art. 49.

(98) See Mills, ‘Private International Law and EU External Relations: Think Local Act Global, or Think Global Act Local?’, 65 International and Comparative Law Quarterly (2016) 541, at 573–574.

(99) See Scott, ‘Extraterritoriality and Territorial Extension of EU Law’, note 2, at 107.

(100) See, e.g., Commission Decision 2004/915/EC of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries, OJ 2004 L 385/74, Clause II(h), requiring the data importer to process personal data exported from the EU in accordance with one of the following, at its option: (1) the data protection law of the country (i.e. the EU Member State) where the data exporter is established; (2) the relevant provisions of a Commission adequacy decision when the data importer is based in a country where such decision applies; or (3) a set of data protection principles contained in the contract and based on EU law. See also Article 29 Working Party, ‘Working Document Setting up a Framework for the structure of Binding Corporate Rules’ (WP 154, 24 June 2008), at 10, providing that ‘[i]n any event data shall be processed in accordance to the applicable law as provided by the [sic] Article 4 of the Directive 95/46/EC and the relevant local legislation’.

(101) See Scott, ‘Extraterritoriality and Territorial Extension of EU Law’, note 2, at 107.

(102) GDPR, note 38, at Arts 40(3) and 42(2), providing that codes of conduct and certification mechanisms based on EU standards may serve as a legal basis for data transfers.

(103) C. Bennett and C. Raab, The Governance of Privacy: Policy Instruments in Global Perspective (2006), at 98.

(104) See Agencia Española de Protección de Datos, ‘Report on International Data Transfers: Ex officio Sectorial Inspection of Spain-Colombia at Call Centres’, July 2007.

(105) Essers, ‘Google agrees to Italian privacy authority audits in the US’, PC World, 20 February 2015, available at http://www.pcworld.com/article/2887192/google-agrees-to-italian-privacy-authority-audits-in-the-us.html.

(106) See, e.g., Bradford, note 2, at 22–26; L. Bygrave, Data Privacy Law: An International Perspective (2014), at 208 (Kindle edition), stating ‘the overwhelming bulk of countries that have enacted data privacy laws have followed, to a considerable degree, the EU model…’; Greenleaf, ‘The Influence of European Data Privacy Standards outside Europe: Implications for Globalization of Convention 108’, 2 International Data Privacy Law (2012) 68.

(107) Bennett and Raab, note 103, at 93.

(108) Ibid., at 117.

(109) See, e.g., République du Sénégal, loi sur la protection des données à caractère personnel, exposé des motifs, http://www.centif.sn/loi_caractere_personnel.pdf, at 1; Traça and Embry, ‘An Overview of the Legal Regime for Data Protection in Cape Verde’, 1 International Data Privacy Law (2011) 1.

(110) Bennett and Raab, note 103, at 172.

(111) See New Zealand Privacy Commissioner, ‘Privacy Amendment Important for Trade and Consumer Protection’ (26 August 2010), available at https://www.privacy.org.nz/news-and-publications/statements-media-releases/updated-media-release-30-8-10-privacy-amendment-important-for-trade-and-consumer-protection, quoting the New Zealand Privacy Commissioner as follows regarding amendments to the New Zealand Privacy Act: ‘An EU adequacy finding is also likely to satisfy data export requirements of other countries. I believe New Zealand businesses are already losing some trading opportunities through a gap in our privacy laws. This change will allow New Zealand to compete on a secure basis for international data business.’ See also Bennett and Raab, note 103, at 113–114. New Zealand was found adequate by the Commission in 2013 (Commission Implementing Decision of 19 December 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by New Zealand, OJ 2013 L 28/12).

(112) Examples include the Council of Europe Convention on Cybercrime 2001, ETS No. 185; the WIPO Copyright Treaty 1996, 2186 UNTS 121 (2004); and the WIPO Performances and Phonograms Treaty 1996, 2186 UNTS 203 (2004). See also Uerpmann-Wittzack, ‘Internetvölkerrecht’, 47 Archiv des Völkerrechts (2009) 261.

(113) See UNCITRAL Convention on the Use of Electronic Communications, note 54.

(114) See UNCITRAL, Working Group IV (Electronic Commerce), Forty-first session, New York, 5–9 May 2003, Provisional List of Participants, UN DOC A/CN.9/WG.IV/XLI/INF.1.

(115) See Killian, note 54, at 408.

(116) Directive 2000/31 of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, OJ 2000 L 178/1.

(117) UNCITRAL Convention on the Use of Electronic Communications, note 54, at Art. 17.

(119) See Killian, note 54, at 411–414.

(120) Ibid.

(121) See Mills, note 98, at 542.

(122) Basedow, note 1, at 35.

(123) See Case C-230/14, Weltimmo (ECLI:EU:C:2015:639), 1 October 2015, at paras 23, 51–52, finding that for the purposes of data protection law, Directive 95/46 (the predecessor of the GDPR), Art. 4 determined choice of law and Art. 28(6) determined jurisdiction.

(124) GDPR, note 38, Art. 3(2).

(125) ePrivacy Regulation proposal, note 39, at Art. 3(1).

(126) See Google Spain, note 77, at paras 42–61. See also Kuner, ‘The Court of Justice of the EU Judgment on Data Protection and Internet Search Engines: Current Issues and Future Challenges’, in B. Hess and C. M. Mariottini (eds), Protecting Privacy in Private International and Procedural Law and by Data Protection (2015) 19, at 27–31.

(127) See CNIL, ‘Right to be delisted: the CNIL Restricted Committee imposes a €100,000 fine on Google’, 24 March 2016.

(128) Request for a preliminary ruling from the Conseil d’État (France) lodged on 21 August 2017—Google Inc. v. Commission nationale de l’informatique et des libertés (CNIL) (Case C-507/17), 2017 OJ C 347/22.

(129) See Schrems, note 66, at paras 45–46.

(130) Case C-324/09, L’Oréal SA and Others v. eBay International AG and Others [2011] ECR I-6011 (ECLI:EU:C:2011:474).

(131) See Jääskinen and Ward, ‘The External Reach of EU Private Law in the Light of L’Oréal versus eBay and Google and Google Spain’, in M. Cremona and H.-W. Micklitz (eds), Private Law in the External Relations of the EU (2016) location 4843, at location 5123 (Kindle edition).

(132) See D. Robinson, ‘Web Giants Sign Up to EU Hate Speech Rules’, Financial Times, 31 May 2016, available at https://www.ft.com/content/e8fb1690-26fc-11e6-8ba3-cdd781d02d89#axzz4ACePo5cX, noting that ‘[t]he move comes after EU ministers demanded that the bloc work with IT companies to “counter terrorist propaganda” during an emergency meeting in the aftermath of the Brussels terror attacks’ and ‘[t]his push to codify the handling of illegal hate speech online has been led in Brussels by Vera Jourová, the commissioner responsible for justice’.

(133) Kowalik-Bańczyk and Pollicino, ‘Migration of European Judicial Ideas concerning Jurisdiction over Google on Withdrawal of Information’, 17 German Law Journal (2016) 315, at 335.

(134) See Communication from the Commission, ‘Exchanging and Protecting Personal Data in a Globalised World’, note 94, at 12. See also Pech, note 71, at 19.

(136) See note 106.

(137) UNHCR, ‘Policy on the Protection of Personal Data of Persons of Concern to UNHCR’, May 2015, available at http://www.refworld.org/docid/55643c1d4.html. See Beck and Kuner, ‘Data Protection in International Organizations and the new UNHCR Data Protection Policy: Light at the End of the Tunnel?’, EJIL: Talk!, 31 August 2015, available at http://www.ejiltalk.org/data-protection-in-international-organizations-and-the-new-unhcr-data-protection-policy-light-at-the-end-of-the-tunnel/#more-13568.

(138) ICRC, ‘ICRC Rules on Personal Data Protection’ (January 2016), available at https://shop.icrc.org/publications/international-humanitarian-law/icrc-rules-on-personal-data-protection.html.

(139) C. Kuner and M. Marelli (eds), Handbook on Data Protection in Humanitarian Action (2017), available at http://brusselsprivacyhub.eu/publications/dataprotectionhandbook.html. See also Kuner and Marelli, ‘Creating International Frameworks for Data Protection: The ICRC/Brussels Privacy Hub Handbook on Data Protection in Humanitarian Action’, EJIL: Talk!, 13 July 2017, available at https://www.ejiltalk.org/creating-international-frameworks-for-data-protection-the-icrcbrussels-privacy-hub-handbook-on-data-protection-in-humanitarian-action.

(140) With regard to the development of rules of customary international law as a process of ‘crystallization’, see H. Thirlway, The Sources of International Law (2014), at 66 (Kindle edition).

(141) Kowalik-Bańczyk and Pollicino, note 133, at 333.

(142) Google Spain, note 77, at paras 62–99.

(143) See Kowalik-Bańczyk and Pollicino, note 133.

(144) See Miyashita, ‘The Right to be Forgotten, from the Trans-Atlantic to Japan’, in D. Svantesson and D. Kloza (eds), Trans-Atlantic Data Privacy Relations as a Challenge for Democracy (2017) 321.

(145) See K. Bamberger and D. Mulligan, Privacy on the Ground (2015), at 65, noting, with regard to a survey of company privacy officers in the US, that ‘respondents explained that European law plays a large role in shaping such company-wide privacy policies’.

(146) Bradford, note 2, at 24–26; Shaffer, ‘Globalization and Social Protection: the Impact of EU and International Rules in the Ratcheting Up of US Privacy Standards’, 25 Yale Journal of International Law (2000) 1, at 81–88.

(147) See, e.g., Article 29 Working Party, ‘Explanatory Document on the Processor Binding Corporate Rules’ (WP 204 rev. 01, 22 May 2015), at 7, stating ‘a member of the Processor’s group may subcontract its obligations under the Service Agreement (Art. 17 of the Directive) to an external sub-processor (outside of the group) only by way of a written agreement with the external sub-processor which provides that adequate protection is adduced according to Articles 16, 17 of Directive 95/46 and which ensures that the external sub-processor will have to respect the same obligations as are imposed on the member of the Processor’s group according to the Service Agreement and sections 1.3, 1.4, 3 and 6 of the working document 195’.

(148) See, e.g., Commission Decision 2010/87 of 5 February 2010 on standard contractual clauses, note 96, at Art. 1(e), requiring that sub-processors who receive data from the original data processor must carry out processing in accordance with the standard contractual clauses.

(149) Shaffer, note 146, at 80.

(150) See Kuner, note 67, at 28.

(151) See, e.g., Greenleaf, note 106, at 73, describing attempts by the US government and US companies ‘to use their combined economic and political influence to limit the development of data privacy laws in other countries’.

(152) Gilardi, note 2, at 13 (all citations to online version).

(153) Regarding EU accession as a form of coercion see ibid., at 14.

(154) See Mills, note 98, at 542–543.

(155) See Ihle, ‘Ireland blocks EU data sharing with Israel’, JTA, 8 July 2010, available at http://www.jta.org/2010/07/08/news-opinion/world/ireland-blocks-eu-data-sharing-with-israel. Israel later received an adequacy decision from the European Commission. Commission Decision 2011/61 of 31 January 2011 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data, OJ 2011 L 27/39.

(156) See Stoddart, Chan and Joly, ‘The European Union’s Adequacy Approach to Privacy and International Data Sharing in Health Research’, 44 Journal of Law, Medicine & Ethics (2016) 143 (concerning tensions with Quebec); Mucci, Cerulus and Von Der Burchard, ‘Data fight emerges as last big hurdle to EU-Japan trade deal’, POLITICO, 9 December 2016, available at http://www.politico.eu/article/eu-japan-trade-deal-caught-up-in-data-flow-row-cecilia-malmstrom.

(157) Cerulus, ‘It’s raining cloud storage in Europe’, POLITICO, 24 November 2016, at 20, available at http://www.politico.eu/pro/its-commission-vs-the-market-on-data-flows.

(158) See Martin-Jung, ‘Wir sind NSA-Frei’, Frankfurter Allgemeine Zeitung, 16 November 2016, at 26, in which the European head of Fujitsu states, regarding the company’s cloud storage services, that ‘[w]e are located in Germany and have a German infrastructure, we are free of the NSA…’ (author’s translation).

(159) See Communication from the Commission, ‘Exchanging and Protecting Personal Data in a Globalised World’, note 94, at 2.

(160) GDPR, note 38, Art. 48.

(161) Regarding blocking statutes in general, see Basedow, note 1, at 334–342; Cooper and Kuner, ‘Data Protection Law and International Dispute Resolution’, 382 Recueil des cours/Collected Courses of the Hague Academy of International Law (2017) 9, at 142–146.

(162) Loi no 80–538 du 16 juillet 1980 relative à la communication de documents ou renseignements d’ordre économique, commercial ou technique à des personnes physiques ou morales étrangères.

(163) See Young, note 2, at 1237.

(164) TEU, note 8, at Art. 2.

(165) Ibid., at Art. 21(1).

(166) Ibid., at Art. 3(5).

(167) Ibid., at Art. 21(2).

(168) Ibid., at Art. 21(2)(a).

(169) See note 31.

(170) Communication from the Commission, ‘Exchanging and Protecting Personal Data in a Globalised World’, note 94, at 8.

(171) Schrems, note 66, at para. 78.

(172) See Francq, ‘The External Dimension of Rome I and Rome II: Neutrality or Schizophrenia?’, in M. Cremona and H.-W. Micklitz (eds), Private Law in the External Relations of the EU (2016) location 3283, at location 3814 (Kindle edition).

(173) See Marise Cremona, Chapter 2 in this volume.

(174) Peters, ‘Compensatory Constitutionalism: The Function and Potential of Fundamental International Norms and Structures’, 19 Leiden Journal of International Law (2006) 579, at 609. See also A. Bianchi, International Law Theories (2016), at location 1701–1748 (Kindle edition).

(175) See M. Koskenniemi, The Politics of International Law (2011), at 149–151 (Kindle edition).

(176) See Reding, ‘A data protection compact for Europe’, 28 January 2014, available at http://europa.eu/rapid/press-release_SPEECH-14-62_en.htm. See also Kuner, ‘The European Union and the Search for an International Data Protection Framework’, 2 Groningen Journal of International Law (2014) 55, at 57.

(177) Albrecht, ‘How the GDPR Will Change the World’, 3 European Data Protection Law Review (2016) 287, at 287.

(178) See Vogel, ‘Reding seeks Overhaul of Data Protection Rules’, European Voice, 15 December 2011, available at http://www.europeanvoice.com/article/reding-seeks-overhaul-of-data-protection-rules.

(179) Popp, ‘ECJ President on EU Integration, Public Opinion, Safe Harbor, Antitrust’, The Wall Street Journal, 14 October 2015, available at http://blogs.wsj.com/brussels/2015/10/14/ecj-president-on-eu-integration-public-opinion-safe-harbor-antitrust/tab/print/.

(180) See, e.g., Rosas and Armati, note 35, at 4 (referring to ‘the unique nature of the EU as a legal and constitutional order’) (Kindle edition).

(181) See Koskenniemi and Leino, ‘Fragmentation of International Law? Postmodern Anxieties’, 15 Leiden Journal of International Law (2002) 553, at 561–562.

(182) See Communication from the Commission, ‘Exchanging and Protecting Personal Data in a Globalised World’, note 94, at 10, where the Commission states that it will ‘work with and assist countries interested in adopting strong data protection laws and support their convergence with EU data protection principles’; at 12, where the Commission supports the ‘swift adoption’ of the modernized text of Council of Europe Convention 108 since the Convention ‘will reflect the same principles as those enshrined in the new EU data protection rules and thus contribute to the convergence towards a set of high data protection standards’; and at 16, stating that the EU will actively engage with third countries to explore adequacy findings ‘with a view to fostering regulatory convergence towards the EU standards…’.

(183) See Koskenniemi, ‘International Law in Europe: Between Tradition and Renewal’, 16 European Journal of International Law (2005) 113, at 116.

(184) See, e.g., Angola, Law no. 22/11 on the Protection of Personal Data, Art. 33; Economic Community of West African States (ECOWAS), Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS (16 February 2010), Art. 36; Japanese Act on the Protection of Personal Information (as amended 2015), Art. 24; Macau Special Administrative Region (MSAR) of the People’s Republic of China, Personal Data Protection Act (Act 8/2005), Art. 19. See also C. Kuner, Transborder Data Flows and Data Privacy Law (2013), at 65–66.

(185) See, e.g., European Commission, ‘The European Union and Japan agreed to create the world’s largest area of safe data flows’, 17 July 2018, available at http://europa.eu/rapid/press-release_IP-18-4501_en.htm, stating that the EU and Japan have ‘agreed to recognize each other’s data protection systems as “equivalent”’.

(186) ePrivacy Regulation proposal, note 39.

(188) See Bygrave, note 106, at vi (Kindle edition).

(189) Schrems, note 66, at para. 74. See also para. 39 (referring to the need for ‘effective and complete’ protection); para. 41 (referring to the importance of ensuring the ‘effectiveness’ of monitoring of compliance with the law by DPAs); and paras 81, 89, 91 and 95 (in which the CJEU stresses the need for protection of the fundamental right to data protection to be ‘effective’).

(190) See GDPR, note 38, Art. 45(3).

(191) See Jääskinen and Ward, note 131, at location 5246 (Kindle edition).

(192) Signed at The Hague, 18 March 1970, 847 UNTS 231.

(193) See Article 29 Working Party, ‘Working Document 1/2009 on pre-trial discovery for cross border civil litigation’ (WP 158, 11 February 2009), at 14. See also GDPR, note 38, Art. 48.

(194) E.g. in France. See Loi no 80–538 du 16 juillet 1980, note 162.

(195) See Cremona and Micklitz, note 83, at location 1523 (Kindle edition).

(196) See Francq, note 172, at location 3814 (Kindle edition).

(197) Jääskinen and Ward, note 131, at location 5253.

(198) For one proposal for such an approach, see D. Jerker B. Svantesson, Solving the Internet Jurisdiction Puzzle (2017).

(199) Case C-366/10, Air Transport Association of America [2011] ECR I-13755 (ECLI:EU:C:2011:864).

(200) Ibid., at paras 122–127.

(201) See, e.g., Article 29 Working Party, ‘Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12’ (WP 225, 26 November 2014), at 3, stating, with regard to the exercise of a request for de-listing under the Google Spain judgment, ‘[i]n practice, DPAs will focus on claims where there is a clear link between the data subject and the EU, for instance where the data subject is a citizen or resident of an EU Member State’. See also Peguera, ‘In the Aftermath of Google Spain: How the “Right to be Forgotten” is Being Shaped in Spain by Courts and the Data Protection Authority’, 23 International Journal of Law and Information Technology (2015) 325, at 341, describing a case in which the Spanish DPA dismissed a claim because the claimant was not an EU resident and did not have a clear link with the EU.

(202) Kowalik-Bańczyk and Pollicino, note 133, at 333.

(203) Benvenisti, ‘Sovereigns as Trustees of Humanity: On the Accountability of States to Foreign Stakeholders’, 107 American Journal of International Law (2013) 295, at 300.

(204) See, e.g., M. Koskenniemi, The Gentle Civilizer of Nations (2001), at chapter 2; A. Mbembe, Critique of Black Reason (2017) (Kindle edition); Nunn, ‘Law as a Eurocentric Enterprise’, 15 Law and Inequality (1997) 323.

(205) See Madhub, ‘The Pioneering Journey of the Data Protection Commission of Mauritius’, 3 International Data Privacy Law (2013) 239, at 241–242.

(206) Communication from the Commission, ‘Exchanging and Protecting Personal Data in a Globalised World’, note 94, at 12, stating that ‘the EU can benefit from the exchange of best practices and the experience of other systems with new challenges for the protection of privacy and emerging legal or technical solutions, including as regards enforcement, compliance tools (e.g. certification mechanisms, privacy impact assessments) or the protections for certain specific data sets (e.g. children’s data)’.

(207) TEU, note 8, at Art. 21(2)(d).

(208) E.g. periodic reviews of Commission data protection adequacy decisions are limited to assessing the continued existence of an adequate level of data protection in the relevant third country and whether the decisions are being implemented in a discriminatory way (i.e. discriminatory against the EU). See, e.g., Commission Decision C (2003) 1731 of 30 June 2003 pursuant to Directive (EC) 95/46 of the European Parliament and of the Council on the adequate protection of personal data in Argentina, OJ 2003 L 168/19, Art. 4; Commission Implementing Decision of 21 August 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the Eastern Republic of Uruguay with regard to automated processing of personal data, OJ 2012 L 227/11, Art. 4.

(209) Regarding the Five Eyes alliance, see G. Greenwald, No Place to Hide (2014), at locations 1581, 1854–1900 (Kindle edition).

(210) See Root, ‘French intelligence involved in NSA spying in France’, Bloomberg News, 29 November 2013, available at http://www.bloomberg.com/news/articles/2013-11-29/french-intelligence-involved-in-nsa-spying-in-france-monde-says.

(211) See ‘Geheimdienst-Kooperation: BND leitet seit 2007 Daten an die NSA weiter’, SPIEGEL ONLINE, 8 August 2013, available at http://www.spiegel.de/netzwelt/netzpolitik/geheimdienste-bnd-leitet-seit-2007-daten-an-die-nsa-weiter-a-915589.html.

(212) G. Beck, The Legal Reasoning of the Court of Justice of the EU (2012), at 225 (Kindle edition).

(213) See Opinion 1/15, Opinion of Advocate General Mengozzi (ECLI:EU:C:2016:656), 8 September 2016, at para. 163, stating ‘the Court cannot express a view on the legislation or the practice of a third country…’. The Grand Chamber of the Court issued its judgment in the case on 26 July 2017 (ECLI:EU:C:2017:592).

(214) Lenaerts interview, note 179.

(215) See Schrems, note 66, at para. 90. See also at para. 93, where the CJEU seems to imply that data transferred to the US are subject to undifferentiated storage, access and use.

(216) Schrems, Case C-362/14, Opinion of Advocate General Bot, 23 September 2015 (ECLI:EU:C:2015:627).

(217) See note 213.

(218) Schrems, Opinion of Advocate General Bot, note 216, at paras 207–208.

(219) Opinion 1/15, Opinion of Advocate General Mengozzi, note 213, at para. 320, stating: ‘However, there is no reference in the agreement envisaged to the existence of that administrative appeal to the Canadian Privacy Commissioner, nor is its existence apparent from any provision of Canadian law brought to the knowledge of the Court.’

(220) Ibid., at para. 156, mentioning a contention by the Council and the Commission that the international agreement in question between Canada and the EU ‘reflects the obligation which the Canadian Constitution imposes on all Canadian public authorities to comply with a court order’.

(221) Opinion 1/15, note 80, at paras 66 and 177.

(222) Schrems, note 66, at paras 64–65.

(223) See Communication from the Commission, ‘Exchanging and Protecting Personal Data in a Globalised World’, note 94, at 8.

(224) See K. Lenaerts, I. Maselis and K. Gutman, EU Procedural Law (2014), at location 15562 (Kindle edition).

(225) Ibid., at location 23573 (Kindle edition).

(226) This is what happened in the Schrems judgment of the Irish High Court that resulted in the referral to the CJEU, where the evidence considered by the High Court concerning US law was in effect uncontested. See Maximilan Schrems and Data Protection Commissioner, 18 June 2014, 2013 No. 765JR.

(227) See Jänterä-Jareborg, ‘Foreign Law in National Courts: A Comparative Perspective’, 304 Recueil des cours/Collected Courses of the Hague Academy of International Law (2003) 181, at 233.

(228) See Consolidated Version of the Rules of Procedure of the Court of Justice of 25 September 2012, Arts 196–200.

(229) Bradford, ‘Exporting Standards: The Externalization of the EU’s Regulatory Power via Markets’, 42 International Review of Law and Economics (2015) 158, at 158.

(230) Mbembe, note 204, at location 314 (Kindle edition).