Extraterritorial Enforcement Defined In Article 3(2) Of The GDPR: How Effective?

Introduction

The majority of personal data processing now takes place over the Internet, which has eventually resulted in data being disconnected from its territorial scope. In this respect, expanding the regional application of data protection regulations has become inevitable. The extraterritorial jurisdiction of the GDPR and its enforcement is a case in point.

The territorial scope of the GDPR is addressed in Article 3. According to Article 3(2), the GDPR applies where the data controller or processor (hereinafter referred to as “operators”) is not established in the Union but targets residents in the Union, if the related activity concerns the offering of goods and services, and monitoring the behavior of data subjects.[1] This is referred to as the targeting criterion, which will be the main focus of this essay.

Operators who are established outside of the EU but process the data of individuals located in the EU are obliged to comply with the GDPR and their national data protection standards. The new territorial scope of the law has therefore raised issues of effective enforcement of the provision outside of the EU. This essay will first discuss the uncertainties that lie under Article 3(2). It will then move on to evaluate the extraterritorial enforcement of the supervisory authority’s orders, with a discussion of their effectiveness. Finally, the concept of representation as an enforcement tool will be examined.