Introduction
Technology, since its introduction into industry, has undergone drastic global changes over the years. With communication channels expanding across nations, the threats to security increase with each passing day. Management of communication channels by state or federal authorities is therefore important in identifying criminals masked behind the internet. These criminals use the internet to commit acts such as fraud and theft, from the personal to the state level. Countless times, institutions have reported a breach within their network or core organizational systems. For this reason, it is important to define rules and regulations governing a domain that previously had no laws or regulations at all.
Cyber-attacks are an issue experienced in every nation. Persons who engage in cyber-attacks violate the privacy of others and thus act against the law of the land. However, determining which nation has the right to convict the actor differs, as various laws stipulate which nation is sovereign in a given situation. States also differ on the point at which a person's private life is invaded by the processing of data taken from their account. For this reason, there is a need to develop regulations that state when the privacy of an individual is contravened by accessing information online.
In 2016, the European Parliament and the Council of the European Union adopted the General Data Protection Regulation (GDPR). Previously, the rules took the form of a directive developed to manage the European Union's jurisdiction over international situations arising from the use of the internet. This paper gives a critical analysis of the General Data Protection Regulation, concentrating on the clauses stated within the Regulation, the factors and institutions it affects, and its scope of jurisdiction within and beyond the European Union.
Jurisdiction and Governing Law Clauses and Scope of the GDPR
In matters of law concerning the operations of a business, there are clauses limited to the location or geographical reach that the law regulates. For instance, many laws have been developed to address business operations within a nation's borders. For international organizations, there is constant controversy over which law applies to the organization's operations in multiple countries. For this reason, there have been many efforts to develop laws that apply across international borders, such as conventions, treaties and standards that apply across the borders of the member countries that agree to them. These standards are set to ensure the development and advancement of economic and social practices within different nations (Casagran, 2016).
The jurisdiction of the General Data Protection Regulation (GDPR) differs, however, from laws tied to the location of a given region. Its jurisdiction is not concerned with the location in which a business operates, or where the business is headquartered; rather, it creates a single regulatory hub for all of the operations of a business present in all or multiple EU countries. The terms of the GDPR relate to the extent to which the business operations span, that is, the scope and location of the business activities. In this sense, organizations within the European Union have to incorporate and follow the rules set within the GDPR. These rules are stated not as directives but as regulations. For a directive, the member states within the European Union (EU) have the freedom to decide how they implement the desired results and policies in national law. For a regulation, however, the laws and policies stated are treated as a formal matter that applies to all member states within the EU, with little discretion in implementation (Rein LLP, 2017).
Material Governing Clauses of the GDPR
For businesses operating outside EU countries, there are clauses that apply to them where their operations and activities are directed at countries or individuals residing in EU member states; this, of course, pertains to the data processing activities conducted by those businesses. The scope of the GDPR is stated in Article 2, which provides that the Regulation applies to the processing of "personal data." As a directive, the GDPR's predecessor was known as the European Union Data Protection Directive. The rules stated under the Directive were not explicitly explained but stated in a more abstract form: that they applied to the processing of personal data and the free movement of that data (Herward-Mills, 2015). Much of the original Directive's abstraction remains in the GDPR as a regulation. However, it has introduced vital changes, including definitions.
The GDPR defines "personal data" as any information relating to a natural person who has been identified or can be identified. Building on this, the GDPR also sets out categories of sensitive information or data, which may take the form of, for example, biometric or genetic data. It also defines data processing activities as anything covering any operation or set of operations performed on personal data or sets of personal data. The means used to process this information can be automated or not. It further defines the persons who hold crucial roles in data processing. Any organization or individual that determines the purposes or means of processing such data is referred to as a data controller, whereas any person or organization that processes data on behalf of a data controller is referred to as a data processor. These definitions were not previously present in the EU Data Protection Directive (Rein LLP, 2017).
Territorial Governing Clauses of the GDPR
The territorial scope of the GDPR is set out in Article 3, under Sections 1 and 2 of that Article. The Article explains that the GDPR applies to all businesses established in the EU. Businesses not established within the EU must also conform to the regulations stipulated in the GDPR where they offer goods or services to data subjects in EU member states, or monitor data and information within those member states.
Article 3(1) of the GDPR states that the Regulation applies to the processing of personal data regardless of whether the processing takes place within the Union or not. Under this Article, the processing can be one conducted in the context of the activities of an establishment of a controller or a processor within the EU (Rein LLP, 2017). Such an establishment can take the form of a branch or a subsidiary, whatever its legal form, where the processing affects member states within the EU.
"One of the key changes in the GDPR is that data processors have direct obligations for the first time." 1
Article 3(2) of the GDPR applies to the processing of personal data of data subjects present within the Union by a controller or a processor not established within the Union. The Article further defines the scope of such processing as activities relating to the offering of goods and services to data subjects within the Union, whether or not a payment is made for them. Additionally, the processing activities can involve monitoring the behaviour of data subjects; in this case, the Regulation applies as far as the behaviour takes place within the Union. Under the EU Data Protection Directive, entities outside the EU were not expressly mentioned (Allen & Overy, 2017).
The Article also gives a proper explanation of the conditions that make an entity acting as a data processor or data controller outside the EU liable under the GDPR. The rules stipulate that non-EU businesses are liable under the data processing rules where they use a language different from that of the EU member state; where they use a currency that differs from that of the EU member state; and, more so, where the data processor or controller uses a top-level domain name of the member state. Additionally, where they mention customers based in the member state, or target advertising at consumers within the member state, the data controller or processor falls under the jurisdiction of the GDPR. Finally, the Article also mentions businesses that monitor the behaviour of individuals within the EU; their nationality or residence is not relevant.
Article 3(3) of the GDPR adds to the above and states that the Regulation also applies where member state law applies by virtue of public international law. The GDPR gives the example of a diplomatic mission or consular post, to which public international law applies and which would therefore place the processing under the GDPR. The rule of public international law that gives rise to this condition was established by the Permanent Court of International Justice: jurisdiction may be assumed where no rule of public international law prohibits the EU from assuming it.
Governing Clauses and Bases of International Jurisdiction
Under international law, the traditionally recognized bases currently used to exercise jurisdiction include the Territorial Principle, the Nationality Principle, the Passive Personality Principle and the Protective Principle. These principles typically affect conduct on online platforms.
Within the EU Data Protection Directive, there appeared to be a jurisdictional test that acted as a manifestation of the Territorial Principle. Under the Directive, websites and online services used in foreign countries fell under the jurisdiction of the EU where the servers and equipment used to store the information from those sources were located within the EU. However, the applicability of this principle to data within the US has been continually controversial.
Using the Passive Personality Principle, the United States has been able to exercise jurisdiction in foreign countries. The Passive Personality Principle asserts that jurisdiction is given to the state to which a person belongs when they perform certain acts in foreign lands, and also where acts have been committed against nationals of the state in a foreign land. Thus, this principle allows states to exercise their authority on the basis of the connection the state has with the victims of illegal conduct.
Under the Effects Doctrine, jurisdiction is given to a state where activities performed by a foreign state or its subjects substantially affect that state. In this scenario, jurisdiction under the Effects Doctrine is given to the affected state. Across many states, including the EU, this has become the principle used to assert jurisdiction over online activities and platforms (Meltzer, 2015).
Cross-Border Exchanges of Data within the EU and to Third-Countries
With the continued advancement in technology, information within internet networks has become vast and easily shareable.
"Over 2.3 billion people have access to the internet, and this figure is expected to grow to five billion by 2020." 2
The ease of information sharing has fostered the development of laws to ensure the security of the nation and of the individuals within the state (MPWA Ltd., n.d.). Article 1(3) of the GDPR states that the free movement of personal data within the Union shall not be restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. However, for information that is to cross the EU's borders, restrictions will be imposed once the GDPR takes effect (Stettinius & Eaton, 2017).
"While the GDPR is an EU directive (law) it has been adopted by the UK Government and is therefore applicable to the UK irrespective of the outcome of Brexit . . . It not only applies to all countries in the European Economic Area including the UK. And organizations that reside outside the EEA." 3
The data transfer mechanisms, rules, exceptions and decisions adopted under the current EU Data Protection Directive remain valid under the GDPR. However, the GDPR will enable the development of new transfer mechanisms that certify the type of information being transferred outside the EU (Wimmer, 2017).
With these measures in place, the controversy has been whether the GDPR will affect data exchange with parties not directly connected to the EU, for instance the United States of America. Many scholars believe it will.
"GDPR brings its challenges to U.S. companies, especially those that do not operate in regulated areas." 4
Each state can monitor the information generated over communications within its own jurisdiction. However, a need for cross-border exchange of information arises where an individual from a foreign state commits a crime and the evidence is held within another state's communication jurisdiction. In such cases, the delivery of justice is limited by the laws that govern access to information on the internet. Where the information is retrievable, states have to communicate with the foreign countries to retrieve it in order to prosecute criminals in the courts of law. Without this information, criminals can escape justice for their crimes. Though the GDPR protects personal data, some measures must be incorporated to facilitate justice across borders and to access evidence located on internet platforms in foreign countries that EU member states are otherwise unable to retrieve (Rein LLP, 2017).
Proposal for Access to E-Evidence
The European Commission, in order to develop and improve the cross-border exchange process, presented the European Justice Ministers with practical measures and legislative options that could be used for this purpose. These measures would be consistent with the clauses stated within the GDPR (Rumbold & Pierscionek, 2017). Most data exchange occurs on technological platforms, such as websites and social media platforms.
"In particular, the internet has enabled cross-border data flows . . . data can cross many borders without the knowledge of the sender or the recipient." 5
The exchange of this information would require, up to a point, some degree of control over the internet service providers holding the online data of subjects. Currently, various laws give specific nations jurisdiction over certain information. Where conflict arises over which law is supreme in a situation, the treaties, conventions and laws generated over the years must be consulted to establish which law holds jurisdiction in the given case (Wimmer, 2017). These treaties and principles, as explained, pertain to the need to assert jurisdiction over a given activity or data exchange process. The jurisdiction of the GDPR is, however, controversial when it comes to states and nationals of the US.
The cross-border exchange system was presented to the EU Justice Ministers to determine how best to improve cross-border access to data and other information that can be vital to solving cases. Practical options were presented to address the needs that had been identified. These practices are to act as the way forward in handling information held on websites and other online platforms in foreign countries, without conflicting with the rules stated in the GDPR. The measures were intended to improve the cooperation between the judicial authorities of the EU and the U.S., with each side given steps to guide communication and cooperation.
Within the EU, the problem identified was the lack of an effective system that the European Investigation Order (EIO) could use to enhance judicial cooperation and the delivery of justice. For this reason, it was suggested that a user-friendly electronic version of the EIO form be made available for requests. These forms are used to seek permission to conduct judicial activities within a member state of the EU when seeking answers for a criminal act. The electronic EIO request forms would be much simpler and easier for judges and prosecutors to fill in, and would be made available through the European Justice Network website. Additionally, the platform would have a secure communication channel for the digital exchange of EIOs between EU judicial authorities.
With respect to the US, the proposal suggests the following improvements to the judicial cooperation that currently exists. The system would apply to all EU member states and the United States when seeking any form of cross-border exchange of information. The first step suggested is to foster a mutually beneficial relationship by organizing regular meetings whose main aim would be to continually improve the handling of mutual legal assistance requests issued to obtain electronic evidence. The second step is to promote the study of US laws and procedures by practitioners within the EU, so that they can understand and enhance best practices between the two sides. The last suggestion was to explore a method through which the US and the EU member states could provide information that would facilitate transmissions and the creation of requests (Casagran, 2016).
Another step suggested for implementing the cross-border exchange of information between the EU and the US concerned improving cooperation with service providers. Currently, voluntary cooperation between national authorities and service providers is the basis on which states can obtain data that holds little content from foreign states. The laws of the US and the EU differ greatly on this point (Stiawan, Idris, Abdullah, Aljaber, & Budiarto, 2017). US law allows service providers to provide such information, whereas EU member states restrict the sharing of such information with other foreign nations. For this reason, the proposal provides the following measures to improve the situation.
The first is to establish clear and distinct points of communication and contact between EU member states and Internet Service Providers. These points of communication would ensure that the information being transmitted is true and of good quality.
"Penetration tests are useful measurement tools for discovering and addressing vulnerabilities in a network's infrastructure, showing how vulnerable to a malicious attack such networks truly are." 6
The second step is to ensure that service providers streamline their policies for the release of requested data through these connection and communication points. Once these policies are streamlined, training programmes can be developed to identify the best methods and practices that EU law enforcement and judicial authorities can use to cooperate with internet providers based in the US. Lastly, with an understanding of how to implement these communication systems, the final step would be to establish an online information and support portal at the EU level. The portal would provide support to the various online investigations being carried out. Once the steps mentioned above are identified and developed, the legislative procedures would be defined. These procedures would dictate the process of cross-border information sharing between the US and EU member states. With the steps enacted, improvements and amendments could be made to the current broken legal frameworks (Koudelkova, 2017).
The legislative measures to be introduced would first involve issuing production requests or orders to internet service providers in other states. These production orders or requests would have to be answered, as the regulation would require service providers to respond to such requests and provide a user's information regardless of where their headquarters are located. After successful implementation, the second legislative measure would ensure direct access to e-evidence pertaining to a given individual through their devices or personal computer systems. This measure would apply where access to the ISPs that could provide the information required for an investigation is unavailable. The last measure would lie outside the EU: agreements with key states outside the EU, or multilateral treaties, could also complement the measures mentioned (Koudelkova, 2017).
Material and Territorial Scope of the GDPR
The GDPR has a scope on the internet with respect to the processing of information, whether manual or automated. The scope of the GDPR describes its reach, where it applies and where it does not. The GDPR builds on other laws and principles, set previously, that govern the flow of information on the internet. This flow of information guarantees communication between member states and other persons and entities outside the member states of the EU. As such, there is a need to safeguard and protect the information shared or communicated on these platforms. Safeguarding such information ensures that a country is not left vulnerable through access to vital state information that can be damaging when shared with foreign nationals. Such a threat is substantial within the EU. The GDPR exists to ensure that people's data and information are safeguarded at all times, and that their right to privacy is not violated. At the same time, the GDPR applies only to certain states and not universally. In this paper, the online scope of the GDPR is explained under the section "Jurisdiction and Governing Law Clauses and Scope of the GDPR."
Exclusions of the GDPR
As is the case with many laws, there are exclusions where the law does not apply. The GDPR does not apply to the processing of information about deceased persons; in this circumstance it is excluded. It also does not apply to the processing of data that is anonymous and cannot be traced back to its source or to an individual. The GDPR also does not apply where the information to be processed concerns a legal person rather than a natural person, for example a contact person at a business or a one-man business. Nor does it apply to physical files or sets of files that are not structured according to specific or definite criteria.
"The GDPR makes the classification of pseudonymized data as personal data clearer. Biomedical research on personal data where consent has not been obtained must be of substantial public interest." 7
The GDPR also does not apply where information is processed in the course of an activity that falls entirely outside the jurisdiction of EU law, such as an activity concerning national security. Additionally, it does not apply where the data has already been, or is currently being, processed by competent authorities for the purposes of the prevention, detection or prosecution of criminal offences by an individual. This also includes investigations and the execution of criminal penalties, and safeguarding against threats to public security.
Future Challenges of Private International Law in Cyberspace
The European Union, by making the necessary amendments to the Directive, has also fostered important changes in other areas. These changes are meant to serve as guidelines to address the challenges the private sector will face in the future under the international law of cyberspace. At a conference titled "Jurisdiction, Conflicts of Law and Data Protection in Cyberspace," held in Brussels in December 2017, the most controversial issues raised by the development of measures to guide the cross-border exchange of communications, and the impact of these measures on private international law, were discussed. At the conference, the following future challenges were explored and explained (Waem, Essen, & Wellens, n.d.).
The first was data fraud or theft of information. As communications become ever more complex and interconnected, adversaries will employ more developed and advanced fraud and theft techniques. Similarly, advances in cyberspace will most likely lead to cyber adversaries far more sophisticated than the current ones. For this reason, the US will not be able to counterattack offensive attacks placed within its systems, as proposed by Col. Corn during the conference (Bjork, 2017). Many conversations are therefore still being held on how the 'grey zone' of cyberspace is to be resolved. Another challenge identified was the disconnect between the public actors who are supposed to be defending the private-sector actors who are most often the victims. Information sharing among large corporations could be used to combat the cyber-attacks occurring. Such large corporations are, however, unwilling to share this information, as they do not want to reveal their weaknesses (Cederberg, 2015).
Another challenge identified was the growth rate of cyber-attacks within the corporate sector. Cyber-attacks require constant monitoring and management, yet the costs associated with managing them continue to increase. A further concern was the provision of funds to support this management. The federal government continues to put more effort into the prosecution and confinement of non-state actors who commit such crimes. However, the growing rate of cyber-attacks also implies continuous growth in the number of such non-state actors (Bjork, 2017).
The last problem addressed during the conference was the doctrine of responsibility. With the continuous growth of non-state actors, the question arises of how responsibility is treated in the Tallinn Manual 2.0 and of its relevance. The Tallinn Manual is a comprehensive analysis of how international law applies to cyberspace. It was drafted and facilitated by the NATO Cooperative Cyber Defence Centre of Excellence. The Tallinn Manual is thus called upon to clarify whether it is important to differentiate between non-state actors who are independent and those who act as agents for a state or with the support of a state. With the implementation of the Tallinn Manual, it is therefore important to identify which state would be sovereign in the management of such cases and how the process would be managed.
"As the nature of Cyberspace is strongly interlinked and international, it is natural that international politics play a major role in defining its functions and uses." 8
Conclusion
The GDPR provides clauses for the management of personal data processing in international law. It gives a basis for evaluating and improving the current systems in place, focusing on the need to identify exceptions to the Regulation and its applications. In the long term, it plays a beneficial role in the management of personal data and information by the data controller and the data processor, together with rules that stipulate what constitutes a violation of individuals' rights. However, the GDPR also has to leave room for justice against persons, including non-state agents, who act against its clauses and rules. The proposal providing the measures that can be implemented to safeguard the privacy of subjects in the private sector is important. Where the GDPR rules are not followed, it is important to identify which rules are manageable and easily applicable to guarantee a communication channel that is free of cyber corruption and attacks.
References
Allen & Overy. (2017). The EU General Data Protection Regulation. AllenOvery.com. Retrieved from http://www.allenovery.com/SiteCollectionDocuments/Radical%20changes%20to%20European%20data%20protection%20legislation.pdf
Bjork, C. (2017). International Law and Cyberspace: Challenges by and from State and Non-State Actors. American Society of International Law. Retrieved from https://www.asil.org/blogs/international-law-and-cyberspace-challenges-and-state-and-non-state-actors
Casagran, C. B. (2016). Global Data Protection in the Field of Law Enforcement: An EU Perspective. Routledge.
Cederberg, A. (2015). Future Challenges in Cyberspace. Geneva Centre for Security Policy, 1–5. Retrieved from http://www.gcsp.ch/download/2764/72157
Herward-Mills, D. (2015, November 27). GDPR: From Directive To Regulation. BakerINFORM: Legal Insights on Data & Technology Trends from Baker & McKenzie. Retrieved from http://www.bakerinform.com/home/2015/11/27/gdpr-from-directive-to-regulation
Koudelkova, N. (2017, June 12). How can we improve cross-border access to e-evidence? Retrieved January 24, 2018, from https://ec.europa.eu/home-affairs/news/how-can-we-improve-cross-border-access-e-evidence_en
Meltzer, J. P. (2015). The Internet, Cross-Border Data Flows, and International Trade. Asia & the Pacific Policy Studies, 2(1), 90–102. https://doi.org/10.1002/app5.60
MPWA Ltd. (n.d.). The Essence of GDPR. MPWA. Retrieved from http://mpwa.co.uk/INTRODUCTION_GDPR.pdf
Rein LLP, W. (2017). The GDPR's Reach: Material and Territorial Scope Under Articles 2 and 3. Privacy in Focus. Retrieved from https://www.wileyrein.com/newsroom-newsletters-item-May_2017_PIF-The_GDPRs_Reach-Material_and_Territorial_Scope_Under_Articles_2_and_3.html
Rumbold, J. M. M., & Pierscionek, B. (2017). The Effect of the General Data Protection Regulation on Medical Research. Journal of Medical Internet Research, 19(2). https://doi.org/10.2196/jmir.7108
Stettinius, T., & Eaton, H. L.-B. C. (2017). GDPR: How is it Different from U.S. Law & Why this Matters? Lexology. Retrieved January 25, 2018, from https://www.lexology.com/library/detail.aspx?g=4b2843f7-f67a-4015-bca9-96bd2fe344c9
Stiawan, D., Idris, M. Y., Abdullah, A. H., Aljaber, F., & Budiarto, R. (2017). Cyber-Attack Penetration Test and Vulnerability Analysis. International Journal of Online Engineering (IJOE), 13(01), 125–132. Retrieved from http://online-journals.org/index.php/i-joe/article/view/6407
Waem, N.-H., Essen, J. van, & Wellens, V. (n.d.). Material and Territorial Scope: GDPR Series Part 1. Lexology. Retrieved January 24, 2018, from https://www.lexology.com/library/detail.aspx?g=5d778547-bc7e-42b2-acb2-2ec828d40a7d
Wimmer, K. (2017). The Long Arm of the European Privacy Regulator: Does the New EU GDPR Reach U.S. Media Companies? Communications Lawyer, 1–6.