The new territorial scope of EU data protection law: Deconstructing a revolutionary achievement

Abstract

The entry into force in May 2018 of the EU’s General Data Protection Regulation (GDPR) will see the territorial scope of EU data protection expand to include certain processing operations by third country data controllers. The prevailing view is that this will be a revolutionary achievement, both in terms of effective fundamental rights protection and establishing a level playing field for competitors on the EU market. In contrast, this article argues that the broadening is not revolutionary – as it was largely foreshadowed by the Court of Justice’s judgment in Google – nor does it significantly improve the effectiveness of EU data protection law. The contribution first analyses the Court’s interpretation of the Data Protection Directive, before focusing on the GDPR’s lack of legal certainty, which it identifies as a core deficiency of the legislative expansion.