NATIONAL UNIVERSITY OF STUDY AND RESEARCH IN

LAW, RANCHI

PRIVATE INTERNATIONAL LAW SUBMISSION

Under the guidance of
Ms. Satyabratha Mishra
Assistant Professor
SUBMITTED BY-
ANUBHA DWIVEDI
SEMESTER VII
ROLL NO. 856
SECTION A

0
 DATA PROTECTION AND THE CONFLICT OF LAWS: THE
IMPACT OF GDPR ON PRIVATE INTERNATIONAL LAW

INTRODUCTION

The internet has challenged the important position of the territoriality principle in private
international law.1
Information technologies not only greatly increase access to and exchange of information,
facilitate digital trading, and enable data transfers, but also, as recent National Security Agency
(NSA) surveillance scandals demonstrate, they can potentially lead to infringements of the
fundamental rights to data protection and privacy.2 the internet is often considered as being
borderless since it is not limited by geographical borders. E-mails are sent from one state to another
without border checks, and data freely crosses national borders between most states.3 The problems
of computer networks are difficult enough to solve within a unified law district. These difficulties
increase exponentially when they arise in the international arena or in a context involving multiple
law districts4
Domestic regulators have also become more serious about protecting
personal data in the transnational context.5 The EU implemented the General Data Protection
Regulation (GDPR).6 China incorporated the right to personal data into the Chinese General Rules
of the Civil Law.7 Nonetheless, the contents of domestic laws for personal data protections are not
the same.

1
Svantesson Dan Jerker B., Private International Law and the internet (2021).
2
Maja Brkan, Data Protection and european private international law: Observing a bull in a china shop: 5
International Data Privacy Law 257–278 (2015).
3
Svantesson, D, Private International Law and the Internet, p 56-57.
4
Houston Lowry, Transborder data flow, Lexikon des gesamten Buchwesens Online.
5
Susan Ariel Aaronson & Patrick Leblond, Another Digital Divide: The Rise of Data Realms and Its Implications
for the WTO, 21 J. INT’L ECON. L. 245 (2018).
6
Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural
Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing
Directive 95/46/EC, 2016 O.J. (L 119) 1 (EU) [hereinafter GDPR].
7
Minfa Zongze [General Rules of the Civil Law of China] (promulgated by the Twelfth Nat’l People’s Cong., Mar.
15, 2017,effective Oct. 1, 2017), http://www.court.gov.cn/zixun-xiangqing-37832.html [hereinafter General Rules of
the Civil Law of China]. 21Treasury

1
In data privacy litigation – as in any other litigation – the question which law applies to the dispute
is one of the first questions requiring clarification in legal proceedings. The question of applicable
law in the framework of data protection disputes has attracted quite some attention of the academic
doctrine8
The different domestic responses to protecting personal data in combating COVID-19 demonstrate
the need to identify the applicable law to transnational personal data. According to conflict
of laws, in finding lex causae, there are three stages: First, characterize the issue into one of the
established choice of law classifications by identifying the nature of the subject matter. Second,
select the rule of conflict of laws which lays down a connecting factor for the issue in question.
Third, identify the system of law which is tied by the connecting factor found in stage two to the
issue characterized in stage one.9
This article, dwells into analyzing the data protection regimes across the world from a conflict of
laws standpoint, dwelling into their characterization, their territorial scope.

8
Maja Brkan, ‘The Relevance of European Data Protection Standards for US Businesses and Authorities’
(6th International Conference on Society and Information Technologies: ICSIT 2015, Orlando, Florida, USA, 10-13
March 2015) published in the Conference Proceedings, 63-68.
9
Macmillan Inc. v. Bishopsgate [1996] 1 WLR 387 (Eng.).

2
 PRIVATE INTERNATIONAL LAW AND DATA PROTECTION

In addition to the lack of a binding international instrument regulating the applicable data protection
law – is the nature of data protection law. Data protection in cross-border situations does not clearly
fall within private or public international law, but instead “straddles the boundaries between public and
private law”.10
Whether data protection law should be seen as a part of private or public international law depends
on what the particular issue is about, and what kind of activity is in question. Furthermore, the
characterisation of data protection issues depends on the parties involved; if all the parties involved
are private parties, the data protection issue should be seen as a private law matter.11
Private international law deals with legal relationships governed by private law, and where the situation
in question is connected with more than one country.12 Private international law deals with questions
related to applicable law, international jurisdiction and recognition and enforcement of foreign
judgments.13
Due to the increased cross-border data flows, the principle of territoriality is losing its importance in
private international law. A strict application of the territoriality principle does not work in the internet
context.14 This is because the internet has no territorial boundaries, and its geography is virtual. In
order to determine which court has jurisdiction and which law is applicable, private international law
provides connecting factors. The rules on applicable law and jurisdiction in private international law
depend on the localisation of activities and persons. As a result, the connecting factors generally used
in private international law to determine the applicable law and jurisdiction are not always suitable in
an online context.15
Article 3(2) of the GDPR is analysed and examined. Article 3(2) regulates the cross-border situations
where the data subject is present in the EU and the controller or the processor is located outside the
EU. There are, however, two key criteria that need to be met in order to fall within the scope of the

10
Lee A. Bygrave, Determining applicable law pursuant to European Data Protection Legislation, E-Commerce Law
and Practice in Europe 1–11 (2001).
11
C. Kuner, Data Protection Law and international jurisdiction on the Internet(Part 1), 18 International Journal of
Law and Information Technology 176–193 (2010).
14 Peter Stone, EU Private International Law, (2014).
12
Id.
13
Id.
14
Svantesson Dan Jerker B., Private International Law and the internet (2021).
15
Chris Reed, Computer law (2011).

3
GDPR. As cited above, the processing activities need to be related to the offering of goods or services
to data subjects in the EU, or alternatively to the monitoring of the behaviour of those data subjects.

4
 THE GDPR AND CONFLICT OF LAWS

Art. 3 offers an extended territorial scope to the GDPR,especially in Internet related activities, and
that extended territorial scope is also afforded to the jurisdictional grounds of GDPR art. 79(2). 16
According to Article 3(1), any controller or processer that is established in the member state
(European Union) shall fall under the scope of the GDPR. In other words, any company which
has an office in the European Union shall come within the purview of the GDPR. Article 3(2)
states that even if any processer or controller is not established in the European Union, but if they
are offering goods or services irrespective of payment or monitoring behaviour in the European
Union, then they will also fall under the scope of GDPR.17
In Google Spain18, the Court went as far as to declare that the establishment must not actively take
part in data processing activities in order for EU data protection law to be applicable.19 found that,
where the data processing is not carried out under the control of an establishment within the EU,
the “in the context of” requirement will nevertheless be fulfilled if there is an “inextricable link”
between the activities of a non-EU establishment carrying out the data processing activities and
the activities of the EU establishment.20If the rulings of the CJEU in Google Spain21and
Weltimmo22have clarified something, that is the readiness of the Court not only to flexibly adapt
its legal reasoning to Internet situations but, most prominently, also its willingness to marginalise
the nexus of the contacts of the establishment with a Member State for the purpose of extending
the scope of data protection law23
Quite remarkably, while the Member States vehemently opposed the application of the Brussels
Ia Regulation in non-EU cases they displayed a rare unanimity and raised no objections when the
GDPR declared its own jurisdictional regime applicable to almost the entire Internet.24

16
Ioannis Revolidis, Judicial jurisdiction over internet privacy violations and the GDPR: A case of ''privacy
tourism''?, 11 Masaryk University Journal of Law and Technology 7–38 (2017).
17
GDPR
18
Google Spain SL v. Agencia Espanola de Proteccion de Datos (AEPD) [2014], Case C-131/12.
19
Google Spain SL v. Agencia Espanola de Proteccion de Datos (AEPD) [2014], Case C-131/12.
20
Lefebvre, Paul, EU Data Protection and the Conflict of Laws: The Usual “Bag of Tricks” or a Fight Against the
Evasion of the Law? Vol. 84 Nbr. 3, July 2017.
21
Google Spain SL v. Agencia Espanola de Proteccion de Datos (AEPD) [2014], Case C-131/12.
22
Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság Case C-230/14
23
Google Spain SL v. Agencia Espanola de Proteccion de Datos (AEPD) [2014], Case C-131/12.

24
Svantesson Dan Jerker B., Extraterritoriality in Data Privacy Law (2013).. Copenhagen: Ex Tuto Publishing, 6

5
One must not be surprised if legal orders that do not share the same privacy concerns as those
dominant in the EU react, not always positively, to such wide jurisdictional claims. The US might
pose a good example in that regard. It is after all a commonality that the US has a distinct and, in
many ways, different approach to data privacy in comparison to the EU.89 In addition, the US
retains a firm stance in defending their unique approach to judicial jurisdiction over Internet cases
that is not necessarily compatible with the Brussels regime and even more so with the rules
provided for in GDPR art. 79(2).25

25
James Q. Whitman, The two western cultures of privacy: Dignity versus liberty, 113 The Yale Law Journal 1151
(2004).

6
 THE LEX FORI APPROACH

In the US, data protection law also has a broad territorial scope. A foreign business that collects,
holds, transmits, processes, or shares a US resident’s personal information is subject to US
federal data protection laws and may also be subject to relevant state-based laws in the state
where the data subject resides.26
Like their US and EU counterparts, these connecting factors enable these Chinese data protection
laws to cover a broad territorial scope.27
Moreover, data protection laws may be considered as mandatory law and directly apply to
foreign-related civil relations without the guidance from the conflict rules. the Supreme People’s
Court issued a judicial interpretation that defines mandatory law as “provisions of the laws and
administrative regulations that involve the social public interest of China, that the parties
concerned cannot exclude their application through an agreement, or that are directly applicable
to foreign-related civil relations without the guidance from the conflict rules.”28
Since the offering of goods or services from Article 3(2)(a) GDPR would be based on a contract,
it is important to address the question whether the parties to that contract could agree on the
application of a third-country law and hence entirely exclude the application of GDPR for data
protection matters raised by the contract. According to the general conflict-of-law rules (Rome I
Regulation), the parties have in principle a freedom of choice to decide which law will govern
the contract.29 However, parties are not allowed to select a law providing a lower standard of
protection. This conclusion is also supported by judicial practice in the EU.30

26
Steven Chabinsky & F. Paul Pittman, USA: Data Protection 2020, ICLG (June 7, 2020), https://iclg.com/practice-
areas/ data-protection-laws-and-regulations/usa; Watson v. Employer Liability Corp., 348 U.S. 66, 72 (1954)
(holding that a state “may regulate to protect interests of its own people, even though other phases of the same
transactions might justify regulator legislation in other states”).
27
Jie Huang, Covid-19 and applicable law to transnational personal data: Trends and Dynamics, German Law
Journal (2021).
28
Interpretation of the Supreme People’s Court on Certain Issues Concerning the Application of the “Law of the
People’s Republic of China on the Application of Laws to Foreign-Related Civil Relations”] (promulgated by the Jud.
Comm. Supreme People’s Court, Dec. 28, 2012, effective July 1, 2013), 2012 FA SHI no. 24, art. 10,
http://cicc.court.gov.cn/html/1/219/199/201/ 679.html [hereinafter Interpretation on the Law on the Application of
Laws].
29
Supra at 29.
30
Facebook Ireland Ltd. v. Independent Data Protection Authority of Schleswig-Holstein, Germany—Facebook Is
Not Subject to German Data Protection Law, 3 INT’L DATA PRIVACY L. 210 (2013).

7
With the PDP of India soon arriving many speculations have been raised about its conflict with
the GDPR.
The primary purpose of GDPR and PDP is the protection of personal data. But, the definition of
personal data differs when GDPR is compared with PDP. The reason why such a description is
essential is that a substantial part of both laws is based on the processing of personal data. This
includes fair consent, purpose limitation, storage limitation, rights of data principle etc. Such
aspects, when read with the territorial scope of both the laws, outlines the applicability of its
provisions.31

31
Anubhav Das , The Data Protection Conflict: The EU General Data Protection Regulation 2016 and India’s Personal
Data Protection Bill 2019, 2020. < The Data Protection Conflict: The EU General Data Protection Regulation 2016
and India’s Personal Data Protection Bill 2019 – Conflict of Laws>

8
 CONCLUSION

The consequences of such inconsistencies in data protection regimes will be faced by data subjects
who won’t be able to claim damages provided under their respective data protection law.
One of the ways to ensure that damages can be claimed is by harmonizing the data protection laws
which can only be done by international cooperation. The existence of such issues in the
framework of GDPR and other data protection laws is not because of the extraterritorial
application. Advocating against the extraterritorial application to resolve the problem of overlap
in the jurisdiction of data protection laws would only give rise to more infringement of
informational privacy of data subjects by foreign companies. This, in turn, will be detrimental for
the very purpose for which data protection legislation is enacted.
The requirement at present is to harmonize the key definitions such as personal data in the data
protection legislation. Even if a foreign company cannot be dragged to the national court,
harmonization will at least ensure that a data subject has a right to seek damages in the international
court.