Scope of data protection law: challenges and solutions

Published in

Golden Data

20 min readFeb 5, 2019

USAID Pakistan — Painting Competition- Colors of Energy

It could be argued that data protection law is the law of modern technology. Many different legal disciplines regulate the so called “information society”, however no other field impacts the design and implementation of computerized systems quite the way data protection law does.The territorial, material and personal scope of data protection was specifically designed to regulate the “information society”.

Data protection laws typically have extraterritorial applicability (that is to say, they apply beyond the physical borders of the jurisdiction that enacted them). The expansive territorial scope is designed to avoid circumvention of the requirements. Circumvention was a major concern for Europeans when they designed the first data protection laws, as their goal was to treat data protection is a fundamental right. However, they were also aware that the move towards global computerization meant there was no feasible way to limit the purposes for which technology could be used through traditional borders and customs rules. In practice, the inevitable consequence of extraterritorial applicability is overlap of potentially contradictory laws.

The material scope of data protection law is the computerized processing of personal data. Data protection law aims to limit the purposes for which computers can be used, and it does so by governing the way computers ‘think’ about humans. Certain jurisdictions expand the concept of ‘computerized’ to include information held in organized filing systems to prevent circumvention, or rules where the life cycle of data is not fully digitalized. Other jurisdictions include data of legal entities within the scope of their national data protection laws.

Under data protection law, entities that process personal data by computerized means are subject to certain obligations, and any individual to whom the data relates is entitled to certain rights. The personal scope of data protection revolves around three roles: controllers, processors and data subjects. Controllers and processors process data, however only controllers determine the purposes and means of the processing. Because the goal of data protection is to ensure technology is used for purposes that benefit humanity, entities acting as controllers (i.e. those that determine the purposes) are always ultimately responsible for compliance. Data subjects are entitled to certain rights but, as opposed to privacy law, the existence of such rights is not predicated on any special relationship between the data subject and the entities processing the data (i.e. fiduciary relationship) or on any special characteristic of the data (i.e. being sensitive or private). The rights of data subjects under data protection law are based on the concept of information self-determination, and any data subject is entitled to them, regardless of the nature of the data or what relationship (if any) they may have with processing entities.

The wide scope of data protection laws creates a number of challenges since data protection laws can conflict with other legal fields and with laws of foreign nations in ways that are difficult to resolve.

SCOPE OF DATA PROTECTION LAW

Key points:
(1) The territorial scope of data protection laws is typically broad to avoid circumvention of the rules. As a consequence, any entity processing personal data at a global scale is likely subject to overlapping and potentially contradictory laws.
(2) The main criteria used to determine the territorial applicability of data protection laws are the location of the data or equipment criterium, ‘residency’ (typically based on the existence of an ‘establishment’), and targeting data subjects residing in a particular jurisdiction.
(3) The material scope of data protection law is the computerized processing of personal data, but some jurisdictions expand data protection law requirements to include data in filing systems and data of corporations. Public data and non-sensitive data is always within the scope of data protection law.
(4) Data protection law revolves around three roles: controllers, processors and data subjects.

TERRITORIAL SCOPE

The territorial scope of data protection laws is typically broad. The purpose of this broad scope is primarily to ensure that data subjects are not deprived of protection through international data transfer schemes. This approach is logical when considering that data protection law was conceived by Europeans with the purpose of protecting individuals from a specific form of technology (computers) through imposing restrictions on an intangible asset (data) that travels seamlessly across-borders.

Legal certainty in the territorial applicability of data protection law is challenging. The complexity has grown due to increased globalization. The internet makes it much easier to provide services from a distance and to collect and share personal data in a virtual environment. Companies are increasingly operating in different jurisdictions. Additionally, cloud computing makes it difficult to determine the location of the data and the equipment being used at any given time.

In practice, the inevitable consequence of expanding territorial scope to avoid circumvention is overlap: Any entity processing personal data at a global scale today is likely subject to multiple potentially conflicting data protection laws. For this reason, the study of comparative data protection is the best foundation for any global data governance program.

The territorial scope of data protection law varies from jurisdiction to jurisdiction. However, common criteria to determine territorial scope have evolved over time and are currently used by data protection laws across the globe. These criteria are:

The location of the data file or equipment: Location of data was historically a determining factor for the applicability of data protection law, but it is rarely used as a primary factor today (except, perhaps, where data localization is mandated by law). The location of the equipment used in the processing activities can be used both as a standalone criterion and as a factor to determine whether a specific controller or processor is established in a particular jurisdiction. Data protection laws tend to provide a broad interpretation of the concept of ‘equipment’ and, as a consequence, their provisions can be applicable to services with an international dimension, such as search engines, social networks and cloud computing. In practice, it can be difficult, or even impossible, to determine the geographic location of a file given technical advances such as cloud computing.

Example:
Where Company A processes personal data, and owns or rents equipment in Country B, the processing can fall within the scope of the national law of Country B either because the location of the equipment is a standalone criterion of applicability or a factor that tends to show A is established in Country B.

‘Residency’ of controllers: Under this criterion, personal data processing is subject to the data protection laws of a country where the entity is established. Where a controller is residenced typically revolves around the concept of ‘establishment’. An establishment under data protection law need not have legal personality. The decisive element tends to be the effective and real exercise of activities through stable arrangements. Any individual entity may have multiple establishments. The establishment of the controller or processor in a particular jurisdiction has and still is an important factor in determining the applicability of data protection law.

Example:
Where personal data is processed by a data controller (X) whose only establishment is located in country A, the national data protection laws of country A will likely apply to all of the processing by X, regardless of where the process is de-facto carried out and, in some jurisdictions, without regard for the residence of the data subjects.
However, where X has an additional establishment (Y) in Country B, the national law applicable to the processing in the context of Y may be the national law of Country B, provided that the processing is carried out in the context of the activities of Y.

Residency of data subjects: The place of habitual residency of data subjects may be used as a standalone criterion or in combination with other factors. When used as a standalone criterion, all processing is subject to the national laws of the country of residency of the data subject — regardless of the location of the data or the residency of the entities using automated processing technology. Residency of the data subject may also be used in combination with ‘targeting’ as a criterion for territorial applicability. As a general rule, neither the nationality nor the legal status of the data subject are factors to consider under this criterion. This criterion presents several challenges because controllers may not be able to ascertain the residency of the data subjects, and courts and regulators may not have jurisdiction over foreign organizations with little or no ties to the data subject’s jurisdiction of residence.
Residency of processors: Traditionally, the residence of the processor has not been a main factor in determining the territorial scope of data protection laws because the data was deemed to be subject to the laws that applied to the controller (with few exceptions typically related to security requirements). The practical consequences of including this criterion is debated amongst scholars and practitioners as it makes the already complicated mosaic of overlapping requirements imposed on processors even more complex.

Given the nature of the criteria used to determine the scope of territorial applicability of data protection laws, the analysis required to make a determination is fact based. In order to identify which laws apply, itis necessary to have a global picture of processing activities, including the location of the equipment and data, the residency of the data subjects, and the existence of establishments.

Jurisdiction, competence of data protection authorities and territorial scope of data protection law

The external scope of a country’s data protection law is an expression of the country’s capacity to lay down rules in order to protect interests within its jurisdiction. The provisions of data protection law help determine the scope of applicability of a national laws to a specific situation, but they do not affect the jurisdiction of national courts to decide relevant cases before them. In this sense, it is particularly important to distinguish the concept of applicable law (which determines the legal regime applicable to a certain matter) from the concept of jurisdiction (which usually determines the ability of a national court to decide a case or enforce a judgment or order). The applicable law and the jurisdiction in relation to any given processing may not always be the same.

The provisions of a specific data protection law may refer to the territorial scope of the supervisory authorities that may apply and enforce the applicable law. This is especially the case where the enforcement of data protection laws is not entrusted to a existing governmental agency with broad competences and instead given to a newly created data protection agency whose focus is to enforce exclusively or mainly data protection law. Although the concept of applicable law and the concept of competence of supervisory authorities tend to coincide, usually resulting in Country A’s law being applied by Country A’s authority, one may foresee the possibility of situations where this may not be the case. Additionally, there is widespread recognition of the fact that cooperation in enforcement benefits both the enforcer and the entity subject to scrutiny by ensuring consistency and avoiding duplication of work. One clear example of a data protection law that creates a structure for cooperation is GDPR (Article 60 et. seq GDPR). Structures for cooperation were also created at the international level. One example is the creation of the Global Privacy Enforcement Network (GPEN), created as a result of the adoption by the OECD in 2007 of the recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy, which called for member countries to foster the establishment of an informal network with the following tasks: (1) discuss the practical aspects of privacy law enforcement cooperation; (2) share best practices related to cross-border challenges; (3) work to develop shared enforcement priorities; and (4) support joint enforcement initiatives and awareness campaigns for cross-border cooperation for effective and consistent enforcement.

Example: EU entity providing services in Argentina
Company A, established in an EU country, provides services through a web portal and app specifically designed for residents of Argentina. The web and app are in Spanish and collect data of millions of Argentina residents. The processing by Company A of the data of Argentinian residents is subject to EU data protection laws under Article 3.1. of GDPR and it is also subject to the data protection law of Argentina under LPDP. If a dispute were to arise between an Argentinian user and Company A, the Dirección Nacional de Protección de Datos Personales (DNPDP) (data protection authority of Argentina) and Argentinian courts would likely be competent to resolve the dispute based on local procedural and substantive laws. Although they will likely apply Argentina data protection law to the resolution of the conflict, theoretically the user could request that EU law be applied instead of or in addition to Argentine law.

Processors and applicable data protection law

Entities acting as processors under data protection law are typically subject to a complex web of obligations that they may be unable to ascertain. As described above, the determination of applicable law is based on concepts that relate back not to the processor itself but to either the controller or the data subject. Which law applies to any specific processing performed by a processor will be dictated by the data protection laws that apply to entities they provide services for. Processors are in a precarious situation when it comes to conducting the legal analysis required to determine which law actually applies, as the analysis is factual in nature and processors may not be aware or have access to the information required to fully perform the analysis.

There is typically an exception to this general rule regarding security measures. The law of the country in which the entity acting as processor is established tends to be the relevant data protection law dictating required security measures. In case of conflict between the substantive security obligations of the law of the processor and the law of the controller, the lex loci (law of the processor) tends to prevails.

In addition to the security requirements imposed by applicable data protection laws, the security requirements contractually imposed on entities acting as processors must also be considered. Because the ultimate liability remains with the entity acting as controller, data protection laws tend to require that security standards be imposed on controller to processor data transfer contracts. Therefore, entities acting as processors are subject to overlapping legal and contractual security requirements.

Applicability beyond territorial scope

Although the territorial scope of data protection laws is broad, it is not unlimited. There are situations where a specific processing activity or an entity may fall outside the scope of data protection law, or where enforcement would be so costly as to be rendered impracticable. Data protection law created strategies to prevent circumvention of existing requirements in these situations. A great example is the complex set of requirements that are contractually or otherwise imposed on entities that export data from countries subject to data protection laws. Data protection authorities devised strategies to ensure indirect applicability of data protection laws, typically through putting pressure on local entities that may obtain services from the foreign non-compliant entities.

Example: Forcing applicability of data protection indirectly
Company (X), residing in country A, is using software designed by a company (Y) which is neither established nor otherwise connected to country A. The data protection authority of country A (DPA) has concluded that the software in question is not compliant with country A’s data protection laws. The DPA is reluctant to initiate enforcement against Y as, even if a favorable court decision is secured, enforcement against Y, a foreign entity, would be challenging. The DPA decides to instead indirectly seek compliance by serving all of Y’s clients in country A with notices of enforcement or making public statements about DPA’s intent to investigate them. As a result, Y may choose to modify its software to avoid the risk of losing its country A clients to competitors whose compliance with data protection laws has not been put into question.

MATERIAL SCOPE

The material scope of data protection law expands to all aspects of computerized processing of personal data.

‘Computerized’ in some jurisdictions includes the processing of information held in non-electronic systems arranged in such a manner as to constitute filing systems. This is meant to prevent the circumvention of data protection law rules by performing part of the processing through non-automated means.
‘Processing’ is typically defined to include activities beyond collection and use, such as retrieving, storing and transmitting data.
‘Personal data’ is defined to include all information that relates to an identified or identifiable person. This wide definition includes publicly available data, subjective data (i.e. an opinion), and any data that is used for the purposes of targeting — even if it has been anonymized through the use of online identifiers. Data that could identify an individual, if combined with other data, may be considered personal data even where the additional data required for the identification is in the possession of third parties. In a minority of jurisdictions, the data of legal entities is within the scope of data protection law.

PERSONAL SCOPE

Data subjects are individuals to whom data relates. Data protection law does not presume a relationship between the controller and the data subject. In fact, it applies regardless of whether a relationship exist at all. Therefore, concepts that are important to privacy law, such as ‘fiduciary relationship’ or ‘professional secret,’ are not necessarily relevant to data protection law.

An entity acts as a controller if it determines the purposes and means of the processing. Because the goal of data protection law is to ensure that technology is used for rightful purposes, most legal obligations are placed on controllers. An entity acts as a processor if it processes data on behalf of the controller. Because the test of who is a controller or processor is a factual determination, an entity cannot “be” a controller or processor. It can “act” as a controller or processor with regards to a particular set of processing activities at a particular time. Data protection law typically mandates the formalization of contracts requiring confidentiality and obligating processors to process data only as instructed by controllers. Where a processor oversteps the boundaries of the contractual mandate received from the controller, it becomes a ‘de-facto’ controller and is automatically subject to all the obligations imposed by data protection law on controllers, including the requirement to identify a permissible purpose. Where a permissible purpose exists under data protection law for the processor to overstep the boundaries of its contract with a controller, the violation of the contract does not necessarily result in a violation of data protection law.

Example:
Where a processor is in possession of data that is relevant to an active kidnapping situation, the processor may decide to share the information with the authorities without requesting approval by the controller -ergo becoming a ‘de facto’ controller- in jurisdictions where the vital interest of a third party is a valid ground for processing. This would likely be a violation of its contractual obligations, but not necessarily a violation of data protection law since the purpose is permissible.
Some data protection laws can include other roles in addition to data subject, controller and processor. For example, the concept of ‘third party’ is typically present in jurisdictions that leave certain sectors or certain organizations outside of the scope of data protection laws.

CHALLENGES AND SOLUTIONS

The challenge of conflicting data protection laws has not properly been addressed by international law. In 1981, the authors of Convention 108, the only binding data protection international agreement, identified the risks posed by conflict of law issues, or the legal gap, that could result from the application of different national laws. However, that Convention did not include specific rules to address these problems: the fact that the Convention provided a “common core of substantive law” was considered the main guarantee that, even if different regulations subsist, the principles applied at the end would be the same, thereby avoiding differences in terms of level of protection.

Liability of online service providers for third party content

Many jurisdictions enacted safe harbor laws that provide online platforms that publish information provided by users immunity from liability. One well known example is codified by 47 U.S.C. § 230. Section 230(c)(1),wich says: “No provider or user of an interactive computer service shall be treatedas the publisher or speaker of any information provided by another information content provider.”

Under data protection law, entities providing ‘computer services’ that determine the ‘means and purposes’ of the processing of personal data are controllers. As such, they are subject to all the obligations imposed by data protection law, including the requirement of identifying and keeping records of the lawful basis for the processing and discontinuing the processing where no lawful basis exist. This principle has lead to courts finding that search engines must, in some circumstances, exclude links to information deemed irrelevant or outdated from searches based on the name and last name of individuals (see, CJEU decision in Google v. Spain).

For a comparative analysis between EU data protection law and Sec. 230, see An overview of the US Sec 230 Internet Immunity by Eric Goldman.

Conflicts with privacy laws

Concepts that are central to privacy law, such as ‘expectation of privacy’, are not relevant under data protection law. In fact, data protection law can mandate the disclosure of private information where a request for access extends to the subjective data (opinions) of third parties.

Example:
The confidential relationship between doctors and patients regarding medical information is typically protected through privacy laws that limit the ability of medical professionals to disclose information about patients to third parties. However, data protection law may allow and even potentially mandate sharing such information. For example, where a psychologist keeps records of conversations with a patient that include the patients’ revelations and opinions about a third person in a computerized system, such third party is entitled under data protection law to request from the psychologist access to the information held in the patient record that relates to him/her and even to have it erased.

Carefully considered exemptions to the rights of access and deletion under data protection law are required to prevent unintended consequences. This is complex since, as opposed to data protection laws, privacy laws are sectoral by nature. In the European Union, for example, the only segment of privacy law that is harmonized across all jurisdictions is communications privacy [4]. A multitude of privacy laws exist in the different Member State’s jurisdiction, and those laws do not always align with data protection requirements.

Whistleblower schemes and data protection law

Another example where data protection law may conflict with other laws is whistleblower schemes. Some jurisdiction provide whistleblower protections to individuals who raise complaints about lack of compliance with existing laws within organizations. One of the protections that can be afforded to whistleblowers is the ability to complain anonymously. As a general rule, data protection law requires that data subjects be notified of the source of the information that is held about them. In some jurisdictions, this can be interpreted as requiring controllers to record the names of individuals that raised concerns through whistleblower schemes and, potentially, disclose such names to data subjects.

Information requests and data protection law

For global organizations subject to the laws of multiple jurisdictions, conflicts between data protection and privacy laws are unavoidable and, in some cases, unsolvable. For example, allowing access by a US governmental agencies to EU resident personal data is almost always a violation of EU data protection law, while compliance with similar requests issued under EU law does almost never violate EU data protection law. This is due to the fact that a US subpoena does not constitute a lawful basis for the processing of the data under Article 6 of GDPR, and is not a valid justification for any transfer or disclosure under Article 48 of GDPR. In other words, EU data protection law requires all processing of personal data to be justified under EU or State Member law (See GDPR Articles 6 in general and specifically 6.1(c) in relation to 6.3.(a)&(b)), including the so called “anti FISA” provision.

GDPR Art. 48.
“Transfers or disclosures not authorized by Union law. Any judgement of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union Member State, without prejudice to other grounds for transfer pursuant to this chapter”.

Example: Violation of privacy law that does not result in a violation of data protection law.
US company (X) is served with subpoena for the data of a EU resident by the Spanish police. Compliance is not a violation of GDPR, even if there was no probable cause or judicial oversight at all as long as the subpoena it is valid on its face.
This is the case even where the law under which the subpoena was issued is later found to be in violation of of Article 8 (“Right to private life”) of the European Convention of Human Rights (ECHR) or Article 7 (Right to privacy) of the EU Charter of Fundamental Rights.

Example: Violation of a data protection law even where there is no violation of a privacy law.
US company (X) is served with subpoena for the data of a EU resident by the FBI. The subpoena is issued by a US court in compliance with US law. If company X complies with the subpoena, it will be in violation of GDPR even if there was probable cause and appropriate judicial oversight and the issuance of the subpoena was compliant with US privacy laws and not in violation of Article 8 (“Right to private life”) of the European Convention of Human Rights (ECHR) or article 7 (Right to privacy) of the EU Charter of Fundamental Rights (clearly the US authority issuing the subpoena is not required to comply with the ECHR or the Chapter as the US is neither a signatory to ECHR nor a EU State member but the point of the example is that, even if the subpoena was compliant with all applicable privacy EU requirements, it would still be a violation of GDPR).

International cooperation agreements allowing US agencies to request the information they require about EU residents directly from EU governmental agencies is currently the only process to access the information while avoiding a violation of EU data protection laws. Unfortunately, private organizations cannot control their receipt of subpoenas for data, and government agencies may not be inclined to utilize cooperation agreements, even where they are available, as the process can be slower and more cumbersome than a subpoena.

Endnotes:

(1) Personal data protection laws, as they apply to the public sector, do have the indirect effect of restraining surveillance by mandating that governmental authorities abide by data protection principles including data minimization. See, in general, Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, and on the free movement of such data.

(2) There are some potential exceptions. For example, if the vital interest of an individual is involved, the anti-FISA provision of Article 48 GDPR does not apply to the transfer because such transfer can be justified as a derogations under Article 49.1.(f) and the processing itself could find legal basis under Article 6.1.(d) (protection of vial interest) which does not require legal recognition under EU member State law.

(3) Neither the ECHR nor the Convention apply to the issuance of subpoenas by US Courts (as the US is neither a EU State Member not a signatory to the Convention). The point the example is trying to make is that, even if the subpoena was issued in a manner that was consistent with EU privacy law, complying with it will always result in a violation of EU data protection law.

(4) See “Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector” (Directive on privacy and electronic communications) available online here.