Hostname: page-component-cd9895bd7-7cvxr Total loading time: 0 Render date: 2024-12-27T05:35:01.461Z Has data issue: false hasContentIssue false

Global regulatory competition on digital rights and data protection: A novel and contractive form of Eurocentrism?

Published online by Cambridge University Press:  22 March 2022

Gürkan Çapar*
Affiliation:
Law Faculty, Scuola Superiore Sant’Anna, Pisa, Italy Ankara University, Ankara, Turkey
Rights & Permissions [Opens in a new window]

Abstract

Global regulatory competition is a recent phenomenon that confronts us in various different fields, ranging from food and chemical safety to climate change, and animal welfare to environmental law. The digital economy is not immune to this trend, and it seems highly unlikely that this will soon come to an end when we consider the radical differences between the European Union and the United States with respect to the importance they assign to the right to privacy and the right to freedom of speech. Nevertheless, despite their differences in content, it can be contended that they both tend to disregard the interest of others even though they have enough resources at their disposal to take them seriously. This becomes visible when the recent case law of the CJEU and the recent regulations such as the GDPR and the US CLOUD Act are taken into account. Their similar attitude to regulating for the globe raises the question of whether we are confronted with a new type of Eurocentrism, which is more contracted and introverted than the previous expansionist version. The article argues that unilateralism should be a selfless one and that it should necessarily consider outsiders if it is to acquire legitimacy.

Type
Research Article
Creative Commons
Creative Common License - CCCreative Common License - BY
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (http://creativecommons.org/licenses/by/4.0), which permits unrestricted re-use, distribution and reproduction, provided the original article is properly cited.
Copyright
© The Author(s), 2022. Published by Cambridge University Press

I. Introduction

Global regulatory competition is a recent phenomenon encountered in various fields such as food and chemical safety, climate change, and animal welfare. The digital economy is not immune to this trend, and it seems highly unlikely that regulatory competition between big powers will soon come to an end. Despite the early pessimistic views which suggested that global regulatory competition would lead to forum shopping, deregulation, and a ‘race to the bottom’,Footnote 1 recent studies have revealed that this represents only half the storyFootnote 2. Phenomena such as the ‘California effect’ or the ‘Brussels effect’Footnote 3 have already demonstrated that a race to the top is just as possible as a race to the bottom. The European Union, as Bradford points out, has been supplying the global market with global standards not because its rules are the least restrictive, but because the European Union links its stricter regulations to its market power. As such, its ‘ability to set global rules alone is always contingent on it preferring the highest rule’.Footnote 4 This is in addition to factors such as globalization, its regulatory capacity and market power.Footnote 5

The internet is a medium that, by its nature, is ‘global and borderless’;Footnote 6 therefore, it is always running the risk of extraterritorial regulation.Footnote 7 The use of the internet highlights the same question that confronts us in almost every discipline: how does one square unilateral regulation with the principle of state sovereignty? A possible answer to this question rests on how we perceive data and the internet, and how this perception differs from other global commons. How are the issues caused by the internet different from issues caused to our existing legal concepts by telephones, video cassettes or computers? It is plausible to argue, like Easterbrook, that there is nothing new on the internet, and therefore there is no need to create a new branch of law titled ‘the Law of the Horse’.Footnote 8 Conversely, one may claim that data is different because of its mobility, divisibility and partitioning, and its independence from location.Footnote 9 When viewed from this perspective, data seems like an exception to our conventional legal concepts that prevent the application of pre-existing legal categories to the new challenges posed by technology.Footnote 10 Nonetheless, irrespective of the position we take on this debate, it is necessary for any legal scholar to consider the territorial challenges posed by data, namely the unavoidable extraterritorial effect of data even if it is regulated by observing the territorial limitations arising from legitimate regulatory power. We are confronted with Schrödinger’s cat in that we cannot pinpoint where it is located or whether it exists. As such, it is better to admit that data cuts to the heart of the issue of territoriality; it renders the distinction between territorial and extraterritorial highly imperceptible.Footnote 11

It is highly telling that there appears to be a tendency, in both the exceptionalist and anti-exceptionalist camps, to accept unilateral global regulation as fact and to find solutions to legitimize it. For example, as an anti-exceptionalist, Woods holds that extraterritoriality of data regulation is an age-old problem that can be addressed by the rules of comity.Footnote 12 On the other hand, as an exceptionalist, Daskal suggests that it is necessary to design new jurisdictional rules capable of representing the legitimate interests of states in extraterritorial regulation as well as the countervailing interests of foreign states.Footnote 13 Similarly, Scott contends that regulatory territorial extension can be justified only because we have a right to avoid being complicit with the global wrongdoings committed abroad.Footnote 14 Likewise, decoupling the notion of unilateralism from egoism and selfishness, Ryngaert asserts that unilateral actions can be justified insofar as it is motivated not by parochial interests, but by the common interests of the international community. This should be selfless intervention pursuing a cosmopolitan agenda and aiming to promote the general interest of the global community, as opposed to the parochial interests of the states.Footnote 15

Research dealing with global governance of the internet may take two different approaches: concentration on institutions or concentration on norms. If stress is put on institutions, then the focus would be on associations, organizations and meetings such as the Budapest Convention of the Council of Europe, the World Summit on the Information Society or the World Conference on International Telecommunications.Footnote 16 In this article, however, the focus is on norms, specifically the way norms governing digital rights and data flows began to crystallize and how norm generation plays out in the global regulatory sphere. It thus looks for the ways in which unilateral regulation can be considered legitimate under the conditions where the choice is between unilateralism and inaction, as reaching a multilateral consensus on global data regulation seems highly unlikely. Admitting that neither output (the best regulation) nor input (consent-based) legitimacy may provide us with a framework for legitimate ways of global unilateral regulation, it confines its attention to the following question: How is it possible to avoid Eurocentric legal domination when data forces any regulator into going global? Revisiting concepts such as comity, benevolent unilateralism and inter-legality, it asserts that to be accepted as legitimate, any attempt to global regulation should be inclusive and take on an other-regarding perspective as well as bear the responsibility of assuming the role of a global regulator. It may also may lead up to its commitments only if it remains genuinely committed to taking others’ perspectives seriously instead of showing a late sympathy after an already decided one right answer was already imposed on them. As things stand, the only way to realize this is to brush aside the logic of harmonization in favour of mutual recognition.

The presence of competition between different actors does not always mean the approaches taken by the competitors are dissimilar. A competitive attitude may display a common mode of governance below the surface, despite there being divergent practices at first glance. For example, the European Union takes a rather cosmopolitan and global approach by imposing its conception of digital rights onto the world. The United States, however, abstains from regulation on the grounds that it will impair innovation.Footnote 17 Nevertheless, both tend to disregard the interests of the other, adopting similar versions of unilateralism – notwithstanding their robust regulatory capacities, which are able to include outsiders. The human rights impact assessment is a case in point. Even though whether the regulation is compatible with the human rights law has been analysed, the question of just how inclusive the impact assessments are has generally been overlooked. Taking the question of legitimacy to centre stage, this article examines the problem of extraterritoriality as a special case of global regulatory competition (section II). It then covers the EU and US approaches toward data regulation and digital rights (sections III and IV), with a focus on the debate surrounding the right to be forgotten (section II), data transfer from the EU to the other countries (section III) and the US CLOUD Act, enacted following the Microsoft case (section IV). It then turns to the points on which the European Union and the United States diverge and converge (section V) with respect to digital rights. After this, it examines ways to cope with the extraterritorial characteristics of data, suggesting that Ryngaert’s selfless intervention and Woods’ comity-based proposal (section VI) may be useful in legitimating unilateral regulation. By illustrating how these approaches appear in relation to one another, the article concludes by suggesting that they can be subsumed under the headings of inter-legality (section VI) and that it is possible to sustain plurality of legalities without falling victim to global monism, notably due to mutual accommodation and recognition (section VII).

II. Global regulatory competition as diffusion of law

Interaction between legal orders is not a novel phenomenon; on the contrary, legal isolationism is the exception rather than the rule when viewed from a historical and comparative perspective.Footnote 18 It is therefore not surprising that numerous terms exist that address the phenomenon of diffusion of norms; these include transplant, borrowing, reception, transfer, imposition, transposition, expansion and spread.Footnote 19 However, our current form of norm diffusion – one that has captivated the attention of numerous scholars such as Anu Bradford, Joanne Scott, Marise Cremona and Ionna Hadjiyianni – differs from its precursors.Footnote 20 First, it departs from the state-centric, modernist explanation of the interaction between different legal orders and the post-modernist approach epitomized by the legal pluralist movement. In the former, the diffusion of law is generally associated with the migration of legal codes from one state to the other, whether as part of a modernization movementFootnote 21 or as a colonial imposition. By contrast, norms emanating from different legal orders, which are by nature un-hierarchical and pluralist, take up the role of legal pluralist in the latter.Footnote 22 Nevertheless, the states take the pride of place in today’s global regulatory competition, or diffusion of norms, despite the very crucial role played by transnational actors, private regulators and digital platforms.Footnote 23

Regulatory competition between states is an indirect consequence of globalization, which has a ‘destructive effect’Footnote 24 on the uniform and homogenous international legal order of the post-World War II period. It has played such a key role in questioning our traditional understanding of territorial legal systems, depicted as the black-box model composed ‘of self-contained and self-sufficient normative and institutional boxes’,Footnote 25 that today it is possible to spot new legal norms burgeoning in the interstices between national and international law. In short, the crisis generated by globalization has provided ample opportunities for an inductive jurisgenerative process.Footnote 26 This mismatch between territorially bounded states and new transnational regulatory actors, such as digital platforms, internet service providers, private organizations and NGOs, gives birth to ‘a transnational struggle for law’ in which ‘each state is trying to impose its own standards on the others by using ISPs as soldiers for the defense of national values’.Footnote 27 Hence, the conditions under which this global regulatory competition holds closely resemble Hobbes’ state of nature, where global players ‘pursue their own goal and thus aim to establish norms that are favourable to their interests’.Footnote 28 This, in turn, leads to a situation that Frydman calls ‘pannomie, where norms spring up from everywhere, enacted by improvised legislators, public or private’.Footnote 29 However, this is not something to drive us to despair, for in the dearth of the global legal system that may tell apart law from non-law,Footnote 30 the interaction and competition between different legal orders provide the only hope for ‘the emergence and crystallisation of new norms’.Footnote 31

As Rudolf von Jhering succinctly states, ‘the life of the law is a struggle – a struggle of nations, of the state power, of classes, of individuals’.Footnote 32 The struggle is the essence of law; it is not something to resort to in exceptional situations. It is a struggle between incompatible interpretive judgements, yet it is never tantamount to pure power and politics. It only points to the undergirding reality upon which law is founded: that law is a means to reach certain social and political ends.Footnote 33 It is a gateway through which politics is transformed to normativity. In summary, the regulatory competition between states is not an aberration. On the contrary, it exhibits the very nature of law: law flows from the clash of competing interests and normative standpoints. Nevertheless, despite this conflictual, competitive and political dimension of law, it is still a global law when seen from the perspective of Walker’s reading. For global law is, he submits, ‘a practical endorsement of or commitment to the universal or otherwise global-in-general warrant of some laws or some dimensions of law’.Footnote 34 Thus, it is global not because it springs from a global source, but rather because it aspires to regulate the globe for the sake of some ‘globally defensible good reasons’.Footnote 35 In a nutshell, pluralism that arises from regulatory competition in the global sphere is not incompatible with global law, but instead is a perfect example of it.

Scott distinguishes extraterritorial legislation and territorial extension to reveal how global regulatory power can legitimately be brought to bear. She classifies the former as an illegitimate form of global regulation owing to its failure to establish the necessary territorial connection, serving as a legitimating factor for the latter.Footnote 36 Her distinction has considerable explanatory power in many diverse areas, including regulations about aviation in the emission trading scheme, financial services and maritime transport;Footnote 37 nevertheless, data escapes any type of territorial connection. The fact that any superpower, arrogating to itself the legitimate role of global legislator, can establish a legitimate connection with dataFootnote 38 seriously undermines the explanatory power of Scott’s distinction in telling us when a global regulation is legitimate.Footnote 39 Admitting that Scott’s categorization falls short of covering global data regulation, an experimental classification is needed, which pays less attention to how the alleged global regulator presents itself than to its hidden attitudes and motivations. Here, the underlying logic of Scott’s distinction may prove useful. She rests her classification on the view that, if it is to be legitimate, global regulation should ‘ensure a sufficient international orientation’.Footnote 40 In a nutshell, it should bear the responsibilities that come with the role of the global regulator by leaving aside, at least to a certain extent, its autonomous objectives, and giving the other’s perspective and interests a modicum degree of consideration. This can only be done when the logic of harmonization is put aside in favour of mutual recognition. They differ significantly in how they promote convergence of norms. For mutual recognition, as an alternative to harmonization, does not confine itself with one all-encompassing regulation (one right answer), but rather aims at reaching this objective by preserving the diversity and autonomy of the others.Footnote 41 Bearing this in mind, the article dwells on, not being content with any sort of dubious territorial connection, the attitudes of alleged global regulators with a view to shedding light on how responsible global regulation differs from its self-interested counterparts.

III. Global reach of the European Union: In the name of digital rights

The European Union’s internal contradiction: Her values or interests Footnote 42

It is now widely believed among lawyers that the EU is a global regulator. This is something not only observed by legal scholars,Footnote 43 but also made explicit in the reports of the European Commission.Footnote 44 Indeed, the European Union has long prepared itself for seizing the regulatory opportunities arising out of global common problems. In order to comprehend the global reach of the European Union regarding data governance, one can review key events occurring over the past two decades. Since 2007, official EU documents such as the European Green Deal and Europe’s Digital Decade presented the European Union as a ‘global regulator’ among other labels.Footnote 45 For example, in implementing its Green Deal, the EU initiated a process of global regulatory competition in international environmental law.Footnote 46 Regarding data governance, the EU, with the policies it has pursued over the past decade, including its Global Data Protection Regulation (GDPR),Footnote 47 the Regulation on the free flow of non-personal data (FFD),Footnote 48 the Cybersecurity ActFootnote 49 and the Open Data Directive,Footnote 50 has already become one of the most important players in the global competition of data regulation. It has also exercised ‘digital diplomacy’Footnote 51 by ruling the level of protection provided by 13 countries as ‘adequate’ and signing two successive agreements with Japan that connect international trade to data protection.Footnote 52

In the European Commission’s recent communication, A European Strategy for Data, it is clearly noted that ‘the EU has a strong interest in … shaping global standards and creating an environment in which economic and technological development can thrive, in full compliance with EU law’.Footnote 53 The European Union is able to leverage its market power by indirectly setting global standards or it may restrict access to its market based upon countries providing substantively equivalent protection.Footnote 54 In both cases, the European Union connects its market power to its regulatory capacity, as it has been doing for decades regarding its internal policies, which can be summarized as ‘integration through law’. That is not to say that the European Union sees law merely as a means to its political ends. To the contrary, it uses law as an end to itself, treating it as a tool. Just as law has been the driving force of the EU internal integration process, it is now helping with ‘engaging in shaping, importing and promoting international legal norms’Footnote 55 outside. The European Union is destined to oscillate between its own interests and its own values.Footnote 56 On the one hand, it must respect ‘the principles of the United Nations Charter and international law’; however, on the other, the EU is subject to the guidance of ‘the principles which have inspired its own creation, development and enlargement, and which it seeks to advance in the wider world’.Footnote 57 It is therefore, by nature, torn between its values and interests, from which it can only liberate itself if the European Union sets the standards for the globe.Footnote 58 However, the question of whether it bears full responsibility for being a global regulator still hangs in the air, as the European Union is still under the spell of ‘harmonization’.Footnote 59

The European Union’s digital rights

On 13 May 2014, the CJEU held in a landmark ruling that Google was obliged to remove the search results pertaining to a ‘Mr. Gonzalez’, on the grounds that he was entitled to the right to be forgotten.Footnote 60 In the ruling, the Court draws attention to the balance between an individual’s right to be forgotten and the public’s right to access information, pointing out that this balance may change depending on the degree of importance assigned to the data subject and the content of the information at stake.Footnote 61 This ruling did not disambiguate on whether Google’s responsibility was limited to the geographical boundaries of the country where the complainant filed its application, or extended to the globe. In other words, the territorial scope of the right to be forgotten is still a matter of controversy. Google Spain, rather than claiming a universal jurisdiction, opined that even though it does not directly have jurisdiction over Google, this does not mean that it lacks jurisdiction over Google Spain, and so indirectly Google.Footnote 62

Against this backdrop, the CNIL (French Data Protection Agency) imposed a penalty on Google in 2015 on the basis that it failed to apply de-referencing requests globally and limited its scope of application to country-specific borders through its geo-blocking technology. In September 2019, the case came before the CJEU, which ruled that the EU law neither requires nor prohibits ordering a global de-referencing requestFootnote 63 because it falls within the competence of each member state to determine the exact scope of de-referencing, depending on the balance struck between competing rights.Footnote 64 The Court, however, made it clear that the principle of uniform application of the EU law entails that ‘the de-referencing in question is, in principle, supposed to be carried out in respect of all the Member States’.Footnote 65 One month later, in October 2019, the CJEU ruled, in a fashion bearing out its ambivalent and indeterminate approach towards the scope of the right to be forgotten, that the member states are not precluded from ‘ordering a host provider to remove information … worldwide’.Footnote 66 In those two judgments, the EU applied what Scott calls territorial extension by establishing a territorial connection – yet data, as already shown above, eludes territory. And this brings into question whether it is still legitimate to establish an artificial territorial connection.

The European Union’s Data Transfer Standard: Between mutual recognition and harmonization

On 6 October 2015, in Schrems, the CJEU was called upon to rule on the compatibility of the Commission Decision 2000/520/EC (Safe Harbour Principles), which ensures that the United States provides an adequate level of protection and allows data transfer from the European Union to the United States. The Court, highlighting the crucial importance of the right to effective judicial remedyFootnote 67 and the proportionality principle,Footnote 68 and specifying the necessity of reading the Commission Decision in light of the Charter of Fundamental Rights, found the level of protection to be inadequate. By doing so, it drew attention to Article 7 (right to privacy), Article 8 (right to data protection) and Article 47 (right to an effective remedy and fair trial). However, the Court’s emphasis on ‘the essence of the fundamental rights’ goes one step further than proportionality review because even a proportionate measure may be deemed to compromise the essence of that right. Thus, it leaves undetermined the question of which measures will entrench upon the essence of the right as well as what is expected from foreign authorities in finding a proportionate balance between data protection and competing interests, and when this will occur. As such, it gives almost a free hand to the ECJ in assessing the level of protection provided by the other legal orders.

Schrems I is also challenging with regards to balancing because the CJEU tilts the balance away from criminal surveillance and undermines the importance of data flow for surveillance and cooperation in criminal matters.Footnote 69 Epstein contends that the Court in Schrems I adopted a highly dogmatic methodology that was reminiscent of the judicial reasoning of the conceptual jurisprudence of the nineteenth century. In not assessing the impact of data privacy on surveillance, it gives one right answer to the delicate balance between access to information and data protection: ‘the privacy right in data … [is] a fundamental interest deserving the highest protection’.Footnote 70 However, despite all these criticisms and the ambivalent nature of balancing focusing on the essence of right, the ruling can still be palatable when the legal conditions prevalent in the United States are considered. For instance, the safe harbour principles are ‘applicable solely to self-certified United States organizations receiving personal data from the European Union, and United States public authorities are not required to comply with them’.Footnote 71 Further, in case of conflicting obligations originating from national security concerns, self-certifying organizations may be obliged to comply with them. This may seriously undermine the rights-holder’s right to effective judicial remedy, as the US legal system does not vest data subjects with required ‘administrative or judicial means of redress’.Footnote 72 So the absence of such a mechanism to assess the necessity of measures taken by the US authorities, particularly when they oblige self-certified organizations to deviate from the safe harbour principles, provided a legitimate base for the Court’s ruling.

This decision effectively ended the large-scale data transfer from the European Union to the United States – which was not surprising given that, in 2013, Edward Snowden had revealed the surveillance activities of the US intelligence services. Within a very short period, in August 2016, the European Union and the United States reached a new agreement in order to reopen the flow of data from Europe to the United States. The Privacy Shield, in contrast to its predecessor, gave US authorities such as the FTC and DOJ the power to oversee whether companies voluntarily pledging to follow the EU standards were indeed observing the rules. Further, it established an independent supervisory institution, the US Ombudsman, to provide a forum through which individuals could raise their grievances if they suspected that their digital rights were being violated.Footnote 73 However, the Privacy Shield could not succeed in saving itself from the same fate suffered by the Safe Harbour. In July 2020, building upon its arguments in Schrems I, the Court stated that ‘the limitations on the protection of personal data arising from the domestic law of the United States … are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law, by the second sentence of Article 52(1) of the Charter’.Footnote 74

This ruling is highly controversial when seen in the light of principle, expressed by the ECJ on numerous occasions as meaning that the term ‘adequate protection’ does not necessitate an identical level of protection; rather, it entails ‘a level … that is essentially equivalent to that guaranteed within the European Union’.Footnote 75 That is so because the equivalent protection principle is an alternative to harmonization that demands one right answer (the European Union’s answer) to the balance between data protection and, say, criminal surveillance, and thus it requires granting a certain margin of appreciation to the other legal orders. Nevertheless, this appears to be highly unlikely if the CJEU lays down the application of proportionality analysis as it is applied by itself as a condition for regarding foreign law as adequate without leaving enough discretion to the foreign authorities.

On its face, Schrems II may seem more palatable than Schrems I because the Court, adjusting its proportionality analysis and giving up its ‘essence of right’ discourse in favour of a more flexible balancing exercise, assesses the minimum safeguards provided by the foreign law in light of the Charter of Fundamental Rights.Footnote 76 However, when it is read in depth and contextually, a different picture begins to emerge. First, unlike AG Saugmandsgaard’s detailed analysis in which he weighs how the measures taken by the US authorities for national security concerns impact the EU’s digital rights,Footnote 77 the CJEU’s balancing exercise seems to be afflicted with the right to effective judicial remedy. However, those are different issues to be separated from each other. Finding a balance between digital rights and national security is independent of whether the essence of right to effective judicial remedy is compromised. In Schrems II, the CJEU seems to confuse these different rights as, even in the balance between digital rights and national security, it appears to be obsessed with the right to effective judicial remedy.Footnote 78 Its recourse to the notion of ‘effective of enforceable rights’Footnote 79 can be interpreted as an attempt to create a connection between digital rights and the EU’s understanding of right to effective judicial protection, which may only be met when data subjects are endowed with actionable rights ‘before the courts against the US authorities’.Footnote 80

In its analysis of the right to effective judicial protection (Art. 47), the Court therefore affirms that none of the regulations in the US legal system ‘grants data subjects rights actionable in the courts against the US authorities, from which it follows that data subjects have no right to an effective remedy’.Footnote 81 Seen in this light, any legal system that falls short of providing an effective judicial protection owing to its different legal tradition is deemed inadequate from the perspective of the CJEU, which seems more aligned with the logic of harmonization than mutual recognition. This argument can also be observed in the references made to the ECtHR’s case law in Schrems II, contrary to the AG’s elaborate legal reasoning engaging also with the ECtHR’s case law.Footnote 82 As such, it is misleading to expect from the CJEU that it takes notice of the differences between legal orders when it shies away from even referring to the ECtHR. Schrems II, when evaluated contextually, turns out to be rather problematic because it comes right after the legal adjustments made by the US legal system to align its legal order with the expectations of the CJEU. Against this backdrop, a question springs to mind: Is there any adequate measure that is not identical to the EU legal system but meets the demands of the CJEU? As stated clearly by Christakis, Schrems II ‘is without a doubt a constitutional judgment’ attempting to create a ‘holistic and coherent regime of protection’, and thereby raises the suspicion of European legal imperialism.Footnote 83

Opinion 2/15 and the GDPR: Still going global?

There are two additional incidents that demonstrate how the European Union has recently expanded its global regulatory reach. With the first, in 2015, the CJEU found an international draft agreement on the transfer of passenger-related data from the EU to Canada incompatible with the EU’s digital rights. The Court upheld its equivalent standard developed in Schrems, then also expanded its scope of application by assessing whether an international agreement was congruent with the Schrems standard.Footnote 84 Shrems involved the evaluation of the adequacy of foreign law through the mediation of the EU Commission’s decision. However, in Opinion 1/15, the Court made a straightforward evaluation of the compatibility of an international agreement with the Charter of Fundamental Rights (CFR) by using the charter as a standard in the assessment of international treaties.Footnote 85 This ruling prompted significant criticism for ruling that the level of protection provided by a country like Canada as inadequate. Given that Canada’s level of protection does not meet CJEU’s standards, one can assume that it would be all but impossible to find a significant number of other countries that could satisfy the expectations of the European Union. This may, in turn, lead to data balkanization. Critics of the ruling centred on the EU’s blind unilateralism and voiced concerns that the CJEU was using data protection as ‘a vehicle’Footnote 86 in its aspirations to be a global regulator.

The second incident occurred in May 2018 when the EU rolled out its new-generation data-protection regulation (GDPR) as a successor to the 1995 Data Protection Directive.Footnote 87 It attracted significant attention – so much so that the rollout date of 25 Mayhas been nominated by some as World GDPR Day.Footnote 88 The GDPR contains a critical provision regarding extraterritoriality, which serves an important role in the analysis presented in this article. Article 3 of the GDPR stipulates that the regulation ‘applies to the processing of personal data of data subjects who are in the Union’ even if the controller is ‘not established in the Union’, either when the processing activities can be tied to data subjectsFootnote 89 or when they occur in a place ‘in a place where Member State law applies by virtue of public international law’.Footnote 90 By placing the emphasis on data subjects, the directive extends its scope of application, and therefore goes one step further than Google Spain’s location-based approach. As such, it provides a fertile ground for the European Union to further extend its regulatory reach by imposing obligations on foreign companies that are not even physically located in the European Union. The GDPR extends its ‘territorial regulation with far-reaching extraterritorial effect’Footnote 91 to such a degree that even international organizations such as the United Nations have been affected, particularly in areas such as refugees, health research and migration.Footnote 92This step could be construed as a move that is simply concerned with its own residents rather than foreigners, even though it has some secondary consequences going far beyond this.Footnote 93 According to this argument, the directive does not amount to a unilateral imposition of its own values, for it is more concerned with the level of data protection provided for EU citizens than non-EU citizens.Footnote 94 But this still does not provide a sufficient justification for the legitimate use of global regulatory power, as it does not concern itself with how the others are affected by the regulation.

Actual intentions aside, this directive makes it apparent that the European Union engages in extraterritorial regulation, be it in the form of market-driven or treaty-driven harmonization. However, the EU is not the only actor with global aspirations and an interest in extending its regulatory arm. China is developing its own understanding of digital rights and data governance with its Great Firewall, banning a large number of apps and websites from China’s digital territory. These include YouTube, Google, Twitter and the New York Times. Footnote 95 Similarly in the United States, the hallmark of the libertarian approach embodied in Silicon ValleyFootnote 96 also makes attempts to widen its regulatory jurisdiction, although generally it tends to fly under the radar. For example, in February 2019 the United States issued an executive order under the Trump Administration, aiming to sustain American leadership in AI by embracing policies such as the development of technical standards for reducing barriers to open data and the open market.Footnote 97 The United States, similar to the European Union, has used law as a tool to protect its global power. To this end, the United States advocates for an open data policy whereby data may flow without barriers and AI can run smoothly.Footnote 98 In the next section, surveillance for criminal observation and counter-terrorism are examined – spheres where the United States uses its regulatory power as leverage to maintain its global power.

IV. Global reach of the United States: For the sake of criminal surveillance

The case involving Microsoft Ireland provides an excellent example of the US approach to data and criminal surveillance. Although the case eventually became moot when it was before the Supreme Court, after Congress’s enactment of the Clarifying Lawful Overseas Use of Data (CLOUD), replacing the 1986 Stored Communication Act (SCA), it can still shed light on the perception of rights that is prevalent in the United States. The saga began with Microsoft’s refusal to comply with a search warrant that demanded access to email accounts belonging to a suspected drug trafficker. Microsoft based its argument on the fact that the relevant data was stored in Ireland and giving access would be an extraterritorial application of the SCA, which is also at odds with the original intention of the Act.Footnote 99 Although several district courts sided with the government by placing the emphasis on the location of the company, the Second Circuit reversed these judgments, stressing the importance of the location of the data. The Circuit Court further stated that to enforce such a warrant, ‘insofar as it directs Microsoft to seize the contents of its customer’s communications stored in Ireland, constitutes an unlawful extraterritorial application of the Act’.Footnote 100

Unfortunately, it was not possible to obtain a US Supreme Court decision because the CLOUD Act provided a political resolution to the dispute. The CLOUD Act, amending the pertinent article of the SCA, stated that any ‘provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to … disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber … regardless of whether such communication, record, or other information is located within or outside of the United States’.Footnote 101 The Act also stipulates that the Court, in cases where its obligation conflicts with that of an instruction made by a foreign government, should take into consideration numerous other factors such as the interest of the foreign government, the provider’s ties to the United States, the importance of the investigation and the possibility of less restrictive means.Footnote 102 In short, although the CLOUD Act obliges all US-based companies to disclose information regardless of where the data is located, it also enumerates the grounds on which foreign states’ conflicting interests may be taken into consideration.

One of the problems the CLOUD Act claims to address is highly relevant to the concept of extraterritoriality: the fact that the SCA did not allow the United States to disclose data to foreign countries.Footnote 103 As such, foreign governments, when in need of the US-held data, had to resort to the mutual legal assistance treaty (MLAT), which was burdensome and inefficient, the process often lasting up to one year.Footnote 104 In order to address this issue, the CLOUD Act created a mechanism for foreign governments by which they would enter into a bilateral agreement rather than the MLAT, provided that the data subject is not someone who is an American citizen or inhabitant.Footnote 105 It is, therefore, still not possible for foreign countries to access data gathered and stored by a US company, outside of the MLAT mechanism. This reflects the underlying rationality of the fourth amendment, which differentiates persons located in the United States from foreigners and excludes the latter from the purview of the Bill of Rights.Footnote 106 This therefore creates a double standard by endowing US citizens with a higher degree of protection while leaving non-US citizens at the mercy of the US government’s political preferences.

The beginning of this section outlined the arguments proposed by the two sides of the dispute in the Microsoft Ireland case. Namely, the government’s argument is founded on the location of the company (access point), and Microsoft’s argument is that the location of the data is relevant to determine the competent authority and jurisdiction. However, neither of these arguments is entirely sound. Assuming, arguendo, that the jurisdiction of the court depends on the location of the data, this will lead us to accept that the jurisdiction of the court will depend on the choices of the internet service provider regarding where to locate their data.Footnote 107 From this, it follows that every government, with the intention of regaining its jurisdictional competence, will resort to data-localization and compel the ISPs to store their data within their own borders.Footnote 108 Conversely, if, arguendo, the jurisdiction of the court is based upon the location of the company, then the vast majority of data-related cases will fall under the jurisdiction of the United States, as most the of the ISPs are based there. Hence, I conclude that it is necessary to find a middle ground between data-localization and universal jurisdiction. Under this scenario, data will become accessible even if it is located abroad, and the states will show mutual respect and deference to the autonomy and interests of each other.Footnote 109

V. The reasons for divergence and underlying similarities

Two types of culture: Cultures of authority and justification

The United States has always been an exceptional country, and law is by no means an exception to the rule of exception. By means of illustration, the United States has the most antiquated constitution in the world – over 200 years old – with a unique federal system.Footnote 110 It is impervious to what is referred to as the global model of constitutional rights, a model that includes social and economic rights, grants horizontal effect to rights, incurs positive obligations to the state and uses proportionality analysis as a legal method in balancing competing rights.Footnote 111 In the same vein, the United States maintains its exceptionalism in data regulation by according an extensive protection to the freedom of speech.Footnote 112 As such, it is apparent that there is a ‘conceptual gulf’Footnote 113 between the United Sates and the European Union in terms of data protection.

In fact, this gap emanates from dissimilar conceptions of rights, regulation, legal systems and legal culture prevalent in the European Union and the United States. According to Porat and Cohen-Eliya, the United States represents an example of the culture of authority in which ‘rights are viewed as demarcating the boundaries of the governmental sphere of action and as imposing restrictions on governmental action and authority’;Footnote 114 the European Union, by contrast, provides an example of the culture of justification in which ‘every exercise of power is expected to be justified’.Footnote 115 Accordingly, the legal culture in the United States is founded on the idea that autonomous individuals should be protected from the infringement of the state, so rights are considered as exclusionary reasons, trumps or side-constraints against state intervention.Footnote 116 By contrast, the European Union presumes that rights can only be materialized if the state undertakes positive steps,Footnote 117 so rights lose the moral power they possess in the United States. They are devaluated to the level of mere interests, values or principles in the continental tradition, which can be balanced against competing community interests. Basic rights, therefore, are thought to be ‘“equally constitutive” for both individuals and society’, as they ‘encompass their own limitations’.Footnote 118 As such, the right to privacy and the right to data protection have recently ascended to the level of rights not because rights are more valued in the European Union, but because they are less valued in the European Union than they are in the United States.

This demonstrates why there are two different paradigms on the two sides of the Atlantic with respect to the relationship between individual, market and state. Whereas Europeans are disposed to be suspicious of the market and to be more comfortable with state intervention,Footnote 119 the market in the United States is perceived as more of an opportunity where an individual may reap the rewards of their own decisions rather than as a threat to be guarded against.Footnote 120 It follows from this distinction that Europeans are more risk averse and pro-regulation than Americans, who prefer risk-taking and ex-ante solutions. Therefore, where Europeans opt for an approach based upon ex-ante regulation in order to alleviate unexpected risks and outcomes, Americans defer the distribution of resources first to the market, then to the courts with a tort system.Footnote 121 To conclude, Europe represents a tradition in which the individual is embedded in society and therefore the state may intervene in both the market and the private sphere in order to rectify the market/individual failures. Conversely, the presumption of individual autonomy and the proper functioning of the market are almost irrebuttable in US legal culture.

I think this diverging stance towards regulation is due to the role attributed to law in different legal traditions. As made clear by Bomhoff in his recent historical analysis focusing on the question of how balancing is understood differently in the United States and Germany, balancing is seen as a tool for reaching ‘a perfect constitutional order’ in Germany (and now in the European Union), while it was treated as ‘a dangerous doctrine’ in the US legal scholarship.Footnote 122 Digital rights also bear the imprint of the foregoing distinctions. The underlying regulatory logic in the United States is that intervention with digital rights is legitimate unless proscribed by the law, as opposed to the European Union, which presumes that any infringement with a fundamental right is a violation unless it is justified.Footnote 123 The EU has a model of rights protection in which individual autonomy prevails over consent, and thus this is a regime where ‘rights talk’,Footnote 124 rather than a system where individual consent is deemed to hold the ultimate value. In summary, by placing special emphasis on individual autonomy, the European Union protects an individual for their own sake, contrary to the United States, where an individual is viewed as a customer and protected for the sake of the market.Footnote 125

This has further implications for the general framework set out. Unlike the compartmentalized and vertical structure of the United States, the European Union has developed a comprehensive horizontal model centred on proportionality analysis and applicable to any type of rights collision.Footnote 126 Thus, contrary to the European Union where digital rights have already gained the status of constitutional rights, the United States, giving priority to data privacy over data protection, has taken a piecemeal, sector-specific approach, like ‘a mosaic of normative instruments covering a variety of issues’.Footnote 127 The positive approach of the United States to the free flow of information in the marketplace of ideasFootnote 128 is another point of divergence that follows from the differences between the European Union and the United States described above. Whereas the European Union pushes forward for stricter and more comprehensive protection of digital rights – the rights to privacy and data protection – the United States is a staunch defender of the freedom of speech, innovation and the free flow of data. Internet regulation is another case supporting the so-far developed argument. Whereas the United States embraces a system of internet regulation, grounded in the idea of self-regulation, the European Union adopts a system of co-regulation that depends on the collaboration among government, individuals and ISPs.Footnote 129 To illustrate, section 230 of the US Communication Decency Act shields ISPs from any sort of civil and criminal liability as long as they only store and broadcast content created by others.Footnote 130 Further, it does not hold them accountable if they voluntarily act ‘in good faith to restrict access to or availability of material’Footnote 131 deemed to be illegal, obscene and harmful. In a nutshell, it creates an environment conducive to the self-regulation and empowerment of ISPs.Footnote 132 Conversely, the European Union’s Electronic Commerce Directive of 2002 is more sympathetic to the ISPs’ liability than the US equivalent and leaves ample room for state intervention.Footnote 133 In sum, law carries out different functions and assumes different roles in the European Union and the United States, which has important implications for the form that global data regulation is supposed to take.

The points of convergence: Are they that different?

It is also worth emphasizing that while these approaches are normative preferences that reflect historical and cultural values, they also reflect the stances taken with respect to global politics and regulatory competition. That is, the notion of digital sovereignty, the discourse of fundamental rights and the global reach of EU digital rights mirror the European Union’s recent efforts ‘to fill the economic gap distancing them from American and Asiatic technology giants’.Footnote 134 Thus, although they diverge significantly from each other with respect to the content of the regulation, they converge on one point: aspiration towards regulating the globe. Moreover, the European Union and United States adapt very similar policies and pay almost no regard to the interest of other states. Even the European Union, which seems highly flexible in terms of giving consideration to the interests of others as exemplified in the Inuit exemption,Footnote 135 can be seen in a different light when the GDPR is read in conjunction with the CJEU’s recent rulings. As mentioned in section 3, the CJEU – particularly in Schrems II and Opinion 1/15 – comes very close to equating an adequate standard with its own standard. Even before these judgments, the CJEU was criticized for prioritizing ‘a European perspective on privacy interests, but not necessarily a global one’.Footnote 136 This one right answer approach adopted by the CJEU, particularly in Schrems II and Opinion 1/15, bears the risk that its ‘commitment to promoting rules-based multilateral solutions to common problems will turn into an attempt to promote its own legal solutions by equating the latter with universal values’.Footnote 137 Thus, the EU should grant a wider margin of appreciation to other countries than it leaves to its own member states. It is a logical consequence that the more global the regulation, the wider the margin of discretion should be.

With regard to the US CLOUD Act, as Woods points out, it fails to factor in the other states’ interests and thereby leaves US companies with no choice but to unilaterally enforce US laws across the globe.Footnote 138 As such, it also pushes foreign countries toward data localization,Footnote 139 for they cannot access data gathered by US companies because of the CLOUD A, closer. In other words, this approach ‘encourages the balkanization of the internet into multiple closed-off systems protected from the extraterritorial reach of foreign-based ISPs’.Footnote 140 However, as Woods points out, this would have been avoided by adding a minor clause to the CLOUD Act stating that the Act does not ‘apply to law enforcement requests made outside the United States and that U.S. companies are therefore free as a matter of U.S. law to comply with those requests’.Footnote 141

In this light, it seems abundantly clear that the regulatory competition does not stem from a differing notion of rights. Instead, it emanates from the very similar unilateral attitudes towards global regulation that are clearly visible in the procedural clauses of the GDPR and CLOUD Act. The CLOUD Act makes access to data stored in the US territoryFootnote 142 conditional upon a bilateral agreement in the same way that the GDPR obliges the foreign countries to a data transfer agreement. Given that the alternatives are highly cumbersome and ineffective, they serve as a default sanction, and in some sense countries are forced to align their policies with the GDPR or the CLOUD Act. Furthermore, this bilateral agreement, using the same logic as the GDPR, will not only be subject to periodic review by the US government, but also obligates the foreign government to grant the same access to the US government.Footnote 143 Daskal points to the similarities between the CLOUD Act and the GDPR by asserting that, just like GDPR – which is applicable to any company doing business with the EU – the CLOUD Act ‘represents an effort by the United States to set international standards, but via domestic regulation rather than a global meeting of governments’.Footnote 144 For Daskal, this is a new mode of international law-making because it uses technology giants as leverage to reach the globe by merely regulating domestic incidents.Footnote 145 The only difference between the European Union and the United States seems to be the source from which they derive their powers: whereas the US derives its power from the data collected by US companies, the power of the European Union is grounded in its market and data-generating human capital.

VI. How to regulate?

Ryngaert’s selfless intervention and benevolent unilateralism

Good intentions do not always make good consequences, so we may end up in a situation that is diametrically opposed to our normative preferences. This is the case that we face with the GDPR and the CLOUD Act.Footnote 146 The GDPR has been one of the main causes of data localization because it ‘has led cloud computing providers to offer services storing personal data on servers exclusively located in the EU’ in order to avoid the strict and demanding provisions of the GDPR for transferring data abroad.Footnote 147 Similarly, the CLOUD Act left foreign countries with no viable alternative other than data-localization.Footnote 148 Therefore, any investigation into ways in which unilateralism can be used more constructively must also address the shortcomings of these regulations and their monolithic approaches.

Given that international institutions and international law have suffered losses against global issues such as climate change, migration, human rights and so on, its restrictive and bounded forms, unilateralism seems to offer a promising alternative to multilateralism. At a time when ‘the choice is not between unilateralism and multilateralism, but between unilateralism and inaction’,Footnote 149 unilateralism, bounded by subject matter and time, may be more defensible than simply standing back and observing as the multilateralism mess worsens. Intervention for the sake of global commons and responsive to unilateralism’s anti-democratic nature could be a very promising solution to the tragedy of multilateralism. Ryngaert refers to this as benevolent unilateralismFootnote 150 because it takes seriously others’ interests, right to self-determination and right to be free from domination.Footnote 151

Benevolent unilateralism does not depend on output legitimacy; it has a normative dimension that gives a prominent place to the idea of consent. As such, mechanisms through which affected states and parties could raise their voices, such as the right to access to justice and information as well as principles such as transparency and accountability, might prove useful.Footnote 152 Additionally, instruments such as consultations, making impact assessments and expanding the right to access to justiceFootnote 153 could help to improve input legitimacy. Another way to increase input legitimacy is through equivalent standard clauses, by which a regulating country treats the regulations enacted in another country as adequate as long as they provide a level of protection above a certain threshold.Footnote 154 It is of utmost importance to incorporate the perspective of outsiders into the decision-making process, no matter how limited it is, for it carves out a space in which a dialogic relationship unfolds between insiders and outsiders. In this case, decisions draw their legitimacy neither from the output nor from the input, but rather from the process itself, and this comes very close to the type of legitimacy recently referred to as throughput legitimacy.Footnote 155

It also resembles the integration method fostered by the European Union, by developing iterative and continuous dialogue between different legal orders with judicial techniques such as the Solange jurisprudence and principles like subsidiarity and proportionality. As may be recalled, in Solange I the BVerfG denied the principle of supremacy of EU law, affirming that it would continue to carry out fundamental rights review so long as the EU legal order fills its gap of fundamental rights protection.Footnote 156 Nevertheless, 12 years later in 1986, the Court ceased to carry out its fundamental rights review, finding the level of protection ensured by the EU legal order substantially equivalent to that of Germany. It further admitted that it will abstain from such a control activity, ‘as long as the European Communities ensure effective protection of fundamental rights’.Footnote 157 As may be inferred from the foregoing, it is incongruent with the logic of harmonization and seeks ways in which the logic of mutual recognition may set in motion a process of gradual norm-accumulation.

Hence, Solange jurisprudence is a method that uses time as a tool by giving each party enough time and space for mutual accommodation, and places significant importance on the process. It is an iterative, dialogic process between the CJEU and the high courts of member states, oscillating relentlessly between two opposing poles: more conflictual Solange I type rulings such as Maastricht, Lisbon and PSPP, and more coordinated Solange II type rulings such as the BverfG’s Banana judgment.Footnote 158 Unsurprisingly, other higher courts in a more horizontal context, where interaction transpires between heterarchical legal orders – such as the ECHR, the European Union and the United Nations – have recently taken advantage of the Solange method. To illustrate, whereas the ECtHR’s Bosphorus case exemplifies the Solange II type,Footnote 159 the CJEU’s Kadi case is a good example of the Solange I type. In short, it is a method that serves as an interface between different legal orders, which may also be considered a special case of judicial comity.Footnote 160 It is grounded in the idea that when states ‘seek to set global standards, it is quite obvious that they should keep in mind the impact of their policies on others, and that they should balance the others’ interests against their own’.Footnote 161

Comity as part and parcel of inter-legality

The problem of extraterritoriality is indeed a problem of allocation of authority, for states pass judgments on issues that have a bearing on other jurisdictions. As such, this brings to the fore the question of sovereignty, authority and autonomy. This may seem like an age-old doctrinal dilemma that calls for finding a compromise between different authoritative institutions;Footnote 162 however, the persistent questions – such as how to apply comity and when to defer to a foreign authority – are still challenging because they, first and foremost, compel us to strike a balance between two competing interests: (1) the state’s interest to solve the case pursuant to its own law; and (2) the foreign state’s countervailing interest in deciding the case according to its own law.Footnote 163 Hence, in this view, comity entails that the deferring authority should strike a balance between competing interests rather than show absolute deference to foreign authority.Footnote 164

Contrary to this balancing-based approach to comity, it is also plausible to think of comity as a presumptive rule requiring an authoritative institution to show deference to the judgment of another one. In this narrower reading, comity is not a matter of absolute discretion that is granted to a deferring authority, but instead is about an obligation to show respect towards the foreign authority even though it is not bound by the decision of the latter.Footnote 165 For instance, Endicott posits that comity does not stem from ‘the rights of the first (foreign) authority, nor even from the first authority’s success in carrying out its duties but from the second (deferring) authority’s duties to those whom the second authority serves, and to those whom the first authority serves’.Footnote 166 Further, he makes clear the link between comity and subsidiarity by claiming that the former is a special (horizontal) version of the latter.Footnote 167 He argues, embedding this relationship between authoritative institutions in Raz’s service conception of authority,Footnote 168 that ‘general reasons for comity are found in the service that the second authority (the one acting with comity) ought to provide to persons subject to its own authority, and in the value of the first authority’s capacity to provide a service to persons subject to it’.Footnote 169 Thus, there is an indirect relationship of duty between two authoritative institutions deferring to each other mediating through the individuals that they are supposed to serve. In sum, comity derives its legitimacy directly from the people residing in the territory of the other statesFootnote 170 and from the service deferring authority provided to this people, not from the due respect accorded to sovereign authority.

It can be asserted that comity necessarily requires taking other legalities into account, and thus it can be said that it is closely associated with inter-legality, which concerns itself primarily with the interaction of legalities.Footnote 171 For inter-legality, it is a mistake to confine the scope of legality to the territorial borders of a legal system or sectoral boundaries of a legal regime. It is necessary to take an intersectional approach to the legalities at stake in a world that is inevitably interconnected. It is, in the end, about ‘changing the epistemic standpoint’Footnote 172 by decoupling legality from the idea of systemic validity,Footnote 173 because when legality is saved from the shackles of systemic validity, it is possible to observe legality even at the intersection of different legal orders. Thus, it problematizes one-dimensional and monolithic approaches, rendering the outsider’s perspective immaterialFootnote 174 – just as Ryngaert’s benevolent unilateralism and selfless intervention are committed to doing. It is, therefore, inherently connected to the underlying principles of comity – that is, taking the other legalities or legal authorities into account. Even though it is generally preoccupied with the problem of monolithic judicial reasoning in the case law,Footnote 175 it is a mistake to confine inter-legality to the realm of judges and to questions of what a judge can do when confronted with seemingly incompatible ought-judgments arising from different legal orders.Footnote 176 In today’s closely connected and interdependent world, inter-legality appears to be a vital tool for addressing the question of how legalities should respond to each other and how they can solve the problem of plural normativity that emanates from the interaction itself.

When viewed from this angle, inter-legality also appears to address the issue of how our policies bear on others. To address the question of how legalities respond to the intervention and extension of other legalities, it is useful to treat each legality as a legal order ‘having its own administrative machinery’.Footnote 177 As argued by Chiti, at the heart of inter-legality lies the process of recognition, which is triggered when legalities interact, and determines the responses towards the other legalities.Footnote 178 Solange jurisprudence, a special case of the principle of comity, and other ‘pluralist procedural mechanisms, institutional designs or discursive practices that maintain space for consideration of multiple norms from multiple communities’,Footnote 179 can all be considered examples of inter-legality. In these cases, inter-legality unfolds during a sequence of events in which legalities interact with each other.Footnote 180 From Solange jurisprudence to comity or to the procedural proportionality review,Footnote 181 these tools serve as an interface to the process. Here, inter-legality, rather than focusing on one case, one judge and one thought process, expands its scope by focusing on the process in which interaction plays out. One can observe how legalities recognize the existence of other legalities and how they allocate authority by using these so-called interface norms. Lastly, by forcing us to change ‘the epistemic standpoint’,Footnote 182 inter-legality provides us with an opportunity to see the legalities beyond the legal systems and to counter the threat of legal domination of a one-right legal system, which is a permanent risk on which it is necessary to keep a wary eye.Footnote 183 It warns us against the threats coming with the logic of harmonization, which today seems to be the dominant view among the global competitors.

Data governance from the perspective of inter-legality

The claim that data protection has begun to emerge as a novel global value seems almost uncontroversial today.Footnote 184 Nevertheless, any attempt at unilateral regulation, in the absence of a global regulator that may enact global data regulation, poses significant problems from the perspective of the principle of sovereign equality. However, since unilateral regulation appears to be the only possible way forward, it is imperative to find ways to mitigate the externalities generated by unilateralism and transform it into something more inclusive and participatory. Here, principles such as showing mutual respect and accommodation, and considering the other’s perspective,Footnote 185 seem to be viable alternatives. It is also important to consider a selection of undesirable cases that are to be avoided, and some representative examples that can be found in data governance: (1) blocking statutes; (2) global injunctions; and (3) lack of comprehensive impact assessments. These approaches harm the principle of comity and inter-legality by fostering selfish unilateralism.

Blocking statutes ‘prevent compliance with another country’s laws’Footnote 186 – the US CLOUD Act is a good example of this. Even though global injunctions are not necessarily detrimental to inter-legality, they risk neglecting the legitimate interests of the other side, and thereby are one of the primary concerns for the inter-legal approach. As an example, the Canadian Supreme Court’s Equustek judgment, despite it being an example of a global injunction, presents a good example of the inter-legal approach. The Court stated, giving a prominent weight to the arguments from comity adduced by Google, that, ‘If Google has evidence that complying with such an injunction would require it to violate the laws of another jurisdiction … it is always free to apply to the British Columbia courts to vary the interlocutory order accordingly. To date, Google has made no such application.’Footnote 187

Inversely, the EU has taken a rather controversial stance towards data transfer from the European Union to the United States. First, it should be clarified once again that the European Union’s position was much more defensible before Schrems II Footnote 188 because of the Snowden Revelations and apparent lack of effective judicial remedy in the US legal order. Today, it can be asserted that the European Union has jurisdiction over digital platforms because ‘data processors are using computer equipment located within the EU; for example, by collecting data from EU-located computers by means of ‘cookies’, JavaScript, ad banners and spyware’.Footnote 189 As such, it seems highly indefensible that the GDPR’s global reach is somehow a reflection of the European Union’s many distinctive characteristics versus simply the unilateral imposition of European rules. The still-functioning colonial ties of the European Union, its highly accessible and easily transferable regulatory model and its culture of integration based upon the idea of mutual accommodation and compromiseFootnote 190 are the properties that are supposed to be the driving force behind its global regulatory reach. However, this functional explanation has lost much of its explanatory power, particularly in the wake of Schrems II, and it has become highly vulnerable to the criticism of Eurocentrism. It is possible to raise similar concerns regarding the US CLOUD Act, brought into existence in the aftermath of the Microsoft case, because it also makes access to data contingent upon the acceptance of terms unilaterally imposed by US companies.

As may be inferred from the examples above, the practices of global injunctions and blocking statutes do violate the basic tenets of inter-legality by harming its pluralist component through leaving a very limited scope for the outsider’s perspective. They represent serious interventions to the plural coexistence of legalities, which may foster the sectoral fragmentation of international law, for sectoral fragmentation comes with global regulation and sectoral closure. In short, these practices suffocate the plurality inherent in inter-legality. One further fact worth mentioning is that the European Union does scarcely factor in the negative externalities engendered by extraterritorial intervention,Footnote 191 as pointed out by Scott in his study of the global reach of EU law. Scott gives an example from an impact assessment conducted by the EU Regulators regarding measures taken against countries allowing non-sustainable fishing. She notes that ‘no assessment of the negative impact of the EU measures on small-scale fisheries and associated downstream industries within the Faroe Islands’Footnote 192 was carried out by the European Union. Similarly, Kuner contends, with respect to data regulation, that even though EU legal documents contain comprehensive human rights impact assessments, it is fair to claim that they are inclined to consider only their impact on the European Union, rather than on third countries.Footnote 193

VII. In lieu of conclusion: A novel type of Eurocentrism?

Achille Mbembe speaks of a utopian borderless world, where every individual is endowed with the right to free movement and, more importantly, inalienable rights.Footnote 194 Mbembe’s cosmopolitan ideal, nourished by post-colonial and post-modern critiques, reminds us of the artificiality of borders, which are erected to exclude some to the advantage of the others. However, exclusion does not come only in the form of physical borders, boundaries and frontiers; it may also come in the form of epistemological borders that dismiss one’s knowledge, perspectives and ideas as irrelevant by rendering them invisible. Seen from this perspective, any form of unilateralism, be it in the form of internal regulation with extraterritorial effects or stealth unilateralism in the form of the Brussels effect, should be met with the following questions: ‘Whose law is it?’ and ‘Is it inclusive?’

These are laws that flow from Western powers – namely, the European Union and the United States – even though they appear to stand in conflict with one another. They are problematic due to their apparent disregard for how their policies impact third parties and deny them a forum for active participation. As such, they violate the fundamental principle of plurality: ‘the duty to take into account the third country interest’.Footnote 195 Granted, this principle does not carry much weight in the ideal world of the law of disconnected orders, yet as we have witnessed, legal orders are interconnected in today’s highly global and digital worlds. Viewed in this light, to impose the one right solution – be it GDPR or the CLOUD Act – would be tantamount to legal imperialism or Eurocentrism. As Klabbers points out, ‘any attempt to espouse universal values almost automatically carries the suspicion of domination. Hence, in order to prevent domination, some consent-like mechanism is required.’Footnote 196

It is true that inter-legality does not necessarily lead to non-conflictual relationships between legal orders, and it may evolve into a more contradictory and conflictual approach over time. However, as mentioned above, it has a thin normative dimension, which highlights the flaws of monolithic, one-dimensional approaches – be they local or global. From here arises the idea of avoiding injustice because justice ‘is (also) a matter of “responsibility”, which requires gathering diverse sensitivities and reaching a kind of more comprehensive view by dissolving one-sidedness and ensuring the perspectives of others are heard’.Footnote 197 In a world where European judges have a penchant for teaching rather than learning or even hearing, it is likely that the world will see new legal ‘fortresses’ being built around the world, similar to the GDPR in Europe. The GDPR has been described as ‘impregnable’,Footnote 198 providing a maximum level of digital rights protection, but doing so by forfeiting flexibility. Flexibility is to be protected, as it ensures the European Union’s unilateralism does not lead to legal imperialism.Footnote 199 The image of an impregnable Europe brings about thoughts of Ruben Östlund’s film The Square, where people enjoy equal rights and obligations in a trusting and caring environment tailored to the needs of (Western) humans.Footnote 200 Similarly, MbembeFootnote 201 recently put forward the idea that ‘the totality of earth belonged to the West’. Today’s Eurocentrism is based upon separation, contraction and retraction; it is, therefore, less about extraction, conquest and exploitation than ‘cutting ties with the rest’ and building a fortress.Footnote 202 This argument reflects the points made by Koskenniemi, who notes:

Whether non-Europeans were either ‘included in’ or ‘excluded from’ the system of international law, the question is based on the (Eurocentric) assumption that being included is good (because international law is ‘good’) whereas exclusion needs to be condemned. But this cannot be right: the key question is not whether somebody is included or excluded but what ‘inclusion’ and ‘exclusion’ mean.Footnote 203

Eurocentrism is an approach that puts Europe at the centre of all knowledge by marginalizing other perspectives due to their immaturity and/or inferiority. This view assigns ‘truth only to the Western way of knowledge production’,Footnote 204 thus negating the knowledge produced outside the borders of the West. This gives rise to ‘self-referentiality, or solipsism where the Europe engages in a monologic relationship with others’.Footnote 205 Accordingly, ideas, developments or cultural differences from outsiders do not carry much importance because Europe has no need to interact with other states. Nonetheless, any type of methodological nationalism or Eurocentrism as such brings about Western political and moral superiority or priority, the prevention of which requires at least a modicum of other-regarding-ness. We should decentre Europe by demarginalizing the already marginalized outsiders. In short, if the West is to eschew methodological Eurocentrism, by imposing its own views to the world unilaterally, it should question the potential impacts of its regulations upon the others. As Cover reminded us, every legal order has its own narrative, its own interpretation and its own nomos, and when they interact with each other, the judges as ‘people of violence’Footnote 206 kill one interpretation in favour of the other. However, the fact that every interpretation is a jurispathetic activity does not mean that it should be tantamount to epistemicide – that is, the murder of knowledge.Footnote 207

As indicated above, there is a close connection between non-domination and the consent-like mechanism; nevertheless, there is also one other dimension that comes with the idea of non-domination that needs to be stressed: the sense of responsibility. Even if it is not possible to have recourse to the consent of the others, it is still possible to feel morally and political responsible towards them. The Aristotelian conception of responsibility includes two minimal conditions for the attribution of responsibility to someone: (1) the agent should have a minimum degree of control over the action (control condition); and (2) they should know what they are doing (epistemic condition).Footnote 208 Nevertheless, any conception of responsibility is doomed to fail unless it takes seriously the perspective of the agent who is affected from the action (patient). That is, it should not confine itself to the perspective of the responsible agent. The question of to whom the agent is responsible bears at least as much importance as the minimum conditions of individual responsibility. In short, it should shift its focus from an agent-centric approach to a relational one that is more interested in the quality of relationship than the attitudes of agent.Footnote 209 When viewed from a relational perspective, the role played by epistemic condition in the responsibility attribution changes significantly. For once, responsibility requires agents to provide explanation and clarification about why they decided to take particular action as well as to be aware of how their actions affect the lives of the patients.Footnote 210 This is to say that, when responsibility is seen from a relational perspective, the epistemic condition takes a turn to justification, obliging the agents not only to be aware of their actions but also to ‘be able to explain decisions to someone, to be able to answer someone who rightfully and reasonably asks “Why?” when given a decision or when acted upon’.Footnote 211 Thus, the scope of responsibility is all but impossible to grasp without paying due regard to the social context in which it is embedded because it is a social, dialogical and necessarily relational concept.Footnote 212 It insists on answerability and justification.

Responsibility is, therefore, different from accountability. For instance, accountability is related to holding someone to legal account, and thus confined to a legal perspective. Responsibility, however, is a term that goes beyond legal obligations. In that regard, the courts are ‘responsible courts’Footnote 213 only if they succeed in hearing the voices coming from the other side of the border, despite always being accountable to their own legal order. As such, being a responsible court requires hearing the grievances raised from other legal orders even if they are legally immaterial from an accountability perspective. The distinction between responsibility and accountability may be explained with a distinction made by Amartya Sen. He argues that being sympathetic towards others is individuated from being committed to doing something. According to Sen, whereas ‘sympathy is combinable with self-interested behaviour’ and ‘does not signify a departure from self-love as the only accepted reason for action’, committed attitude ‘is a clear departure from self-interested behaviour’.Footnote 214 The latter forces us to leave our point of view and adopt an other-regarding attitude.Footnote 215 It demands us to leave our comfort zone and commit ourselves to take the perspective of the patient seriously. For instance, the blocking statutes, global injunctions or insufficient impact assessments all fall short of meeting the demands of a committed attitude, even if they all become compatible with the demands of sympathy. As pointed out earlier, data regulation has a natural bias to going global, so it calls for responsibility, which may only be realized if one takes a committed stance rather than a sympathetic one, bearing in mind the relational dimension of responsibility. It requires us to become more inclusive, either in the process of regulation or at the time of implementation of the unilaterally designed regulation.

References

1 B Frydman, ‘A Pragmatic Approach to Global Law’, working paper, 8-11, available at: <https://www.academia.edu/2319860>; see for the same argument in the data protection context, Kowalik-Bańczyk, K and Pollicino, O, ‘Migration of European Judicial Ideas Concerning Jurisdiction Over Google on Withdrawal of Information’ (2016) 17(3) German Law Journal, 315, 336CrossRefGoogle Scholar.

2 See for the California effect, Vogel, D and Kagan, RA (eds), Dynamics of Regulatory Change: How Globalization Affects National Regulatory Policies (University of California Press, Berkeley, CA, 2004)Google Scholar.

3 Bradford, A, The Brussels Effect: How the European Union Rules the World (Oxford University Press, Oxford, 2020)CrossRefGoogle Scholar.

4 Ibid 47.

5 See for the conditions of the Brussels effect, Ibid 25–63.

6 Schmidt-Kessen, MJ, ‘EU Digital Single Market Strategy, Digital Content and Geo-Blocking: Costs and Benefits of Partitioning EU’s Internal Market’ (2017) 24 Columbus Journal of European Law 561, 561Google Scholar.

7 Woods, AK, ‘Litigating Data Sovereignty’ (2018) 128 Yale Law Journal 328 Google Scholar.

8 FH Easterbrook, ‘Cyberspace and the Law of the Horse’ (1996) University of Chicago Legal Forum 207: ‘data is just another globally distributed good’. Ibid 328.

9 Daskal, J, ‘The Un-Territoriality of Data’ (2015) 125 Yale Law Journal 326 Google Scholar, 365–78. Note that ‘data’ has been used in this article in the singular form as a collective noun.

10 Mandel, GN, ‘Legal Evolution in Response to Technological Change’, in Brownsword, R, Scotford, E and Yeung, K (eds), The Oxford Handbook of Law, Regulation and Technology (Oxford University Press, Oxford, 2017) 225 Google Scholar.

11 Daskal, ‘The Un-Territoriality of Data’ (n 9) 365–430; Kowalik-Bańczyk and Pollicino (n 1) 337.

12 Woods, ‘Litigating Data Sovereignty’ (n 7) 351.

13 Daskal, J, ‘Borders and Bits’ (2018) 71 Vanderbilt Law Review 179, 228Google Scholar.

14 Scott, J, ‘The Global Reach of EU Law’, in Cremona, M and Scott, J (eds), EU Law Beyond EU Borders (Oxford University Press, Oxford, 2019) 2163 CrossRefGoogle Scholar.

15 Ryngaert, C, Selfless Intervention: The Exercise of Jurisdiction in the Common Interest (Oxford University Press, Oxford, 2020) 11 CrossRefGoogle Scholar; for a similar argument confining the scope of extraterritorial intervention to the domain of some highly crucial issues such as non-refoulment and environmental externalities, see Kumm, M, ‘Sovereignty and the Right to Be Left Alone: Subsidiarity, Justice-Sensitive Externalities and the Proper Domain of the Consent Requirement in International Law’ (2016) 79 Law & Contemporary Problems 239 Google Scholar.

16 For an institutional approach to the problem of global internet governance, see Flonk, D, Jachtenfuchs, M and Obendiek, AS, ‘Authority Conflicts in Internet Governance: Liberals vs Sovereigntists?’ (2020) 9(2Global Constitutionalism 364 CrossRefGoogle Scholar.

17 The line is generally drawn – I think wrongly – between liberal Western states defending free data flows and multilateralism, and the conservative Global South militating for state control and intergovernmentalism. See Ibid.

18 Twining, W, ‘Diffusion of Law: A Global Perspective’ (2004) 36 The Journal of Legal Pluralism and Unofficial Law 49 CrossRefGoogle Scholar.

19 See, for example, Watson, A, Legal Transplants: An Approach to Comparative Law (University of Georgia Press, Athens, GA, 1993)Google Scholar; Örücü, E, ‘Law as Transposition’ (2002) 51 International and Comparative Law Quarterly 205 CrossRefGoogle Scholar; Frankenberg, G, ‘Constitutional Transfer: The IKEA Theory Revisited’ (2010) 8(3) International Journal of Constitutional Law 563 CrossRefGoogle Scholar; Neto, A, Borrowing Justification for Proportionality (Springer, Dordrecht, 2018)Google Scholar.

20 Hadjiyianni, I, The EU as a Global Regulator for Environmental Protection: A Legitimacy Perspective (Bloomsbury, London, 2019)CrossRefGoogle Scholar; Cremona, M and Scott, J, EU Law Beyond EU Borders: The Extraterritorial Reach of EU Law (Oxford University Press, Oxford, 2019)Google Scholar.

21 E Örücü, ‘Law as Transposition’ (n 19) 205.

22 See, for example, de S Santos, B, Toward a New Legal Common Sense: Law, Globalisation and Emancipation (Butterworths, London, 2002)Google Scholar.

23 ‘Regardless of the dynamics of globalization … when addressing transnational or global challenges, states continue to give pride of place to the core principle of the law of jurisdiction: the principle of territoriality’: Ryngaert (n 15) 211.

24 B Frydman, ‘A Pragmatic Approach to Global Law’ (n 1) 1.

25 Tuori, K, ‘From Pluralism to Perspectivism’, in Davies, G and Avbelj, M (eds), Research Handbook on Legal Pluralism and EU Law (Edward Elgar, Cheltenham, 2018) 40 Google Scholar. The black-box theory was introduced by William Twining: see Twining, W, Globalisation and Legal Theory (Cambridge University Press, Cambridge, 2000)Google Scholar.

26 B Frydman, ‘A Pragmatic Approach to Global Law’ (n 1) 7.

27 Frydman, B, Hennebel, L, Lewkowicz, G and Rousseau, E, ‘Internet Coregulation and the Rule of Law’, in Brousseau, E, Marzouki, M and Meadel, C (eds), Governance, Regulation and Powers on the Internet (Cambridge University Press, Cambridge, 2012) 148–49Google Scholar.

28 B Frydman, ‘A Pragmatic Approach to Global Law’ (n 1) 11.

29 Ibid 12.

30 Raz, J, Practical Reason and Norms (2nd ed., Oxford University Press, Oxford, 1999) 129 CrossRefGoogle Scholar.

31 B Frydman, ‘A Pragmatic Approach to Global Law’ (n 1) 12; see, for example, how global regulatory competition on climate change has stimulated many recalcitrant states to adopt policies consistent with the targets laid down in Paris Agreement: Çapar, G, ‘What have the Green New Deals to Do with Paris Agreement? An Experimental Governance Approach to the Climate Change Regime’(2021) 2 Rivista Quadrimestrale di Diritto Dell’Ambiente 141 Google Scholar.

32 Von Jhering, R, The Struggle for Law (Callaghan, London, 1915) 1 Google Scholar.

33 Von Jhering, R, Law as a Means to an End (Boston Book Company, Boston, 1913)Google Scholar.

34 Walker, N, Intimations of Global Law (Oxford University Press, Oxford, 2014) 18 CrossRefGoogle Scholar.

35 Ibid 22.

36 Scott, JExtraterritoriality and Territorial Extension in EU Law’ (2014) 62(1) The American Journal of Comparative Law 87 CrossRefGoogle Scholar.

37 For highly detailed and illustrative examples, see Ibid 96–114.

38 The most excessive version of territorial connection is what Scott calls ‘effect-based jurisdiction’ by which the home state may claim legitimate right to regulate any event, no matter from which it originated, that influences its citizens. Scott also takes a rather critical stance towards this type of territorial connection. See Ibid 95–96.

39 I would like to thank an anonymous reviewer for pushing me to propose a different conceptualization in analysing what makes any attempt to global regulation legitimate; this led me to explore the underlying logic of Scott’s distinction.

40 Ibid 124.

41 Brink, A, ‘Horizontal Federalism, Mutual Recognition and the Balance Between Harmonization, Home State Control and Host State Autonomy’ (2016) 1(3European Papers 932, 935Google Scholar.

42 This recalls the famous book of Koskenniemi and his critical remarks regarding the nature of international legal argumentation: Koskenniemi, M, From Apology to Utopia: The Structure of International Legal Argument (Cambridge University Press, Cambridge, 2006)CrossRefGoogle Scholar.

43 Hadjiyianni, I, ‘The European Union as a Global Regulatory Power’ (2021) 41(1Oxford Journal of Legal Studies 243 CrossRefGoogle Scholar.

44 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions (2007), A Single Market for 21st Century Europe (makes explicit that it will use its market power as leverage to be a global regulator).

45 For instance, being a global role model, developing digital standards and promoting them internationally, setting global standards.

46 Çapar, G, ‘From Conflictual to Coordinated Inter-legality: The Green New Deals Within the Global Climate Change Regime’ (2021) 7(2) Italian Law Journal 1003 Google Scholar.

47 Regulation (EU) 2016/679.

48 Regulation (EU) 2018/1807.

49 Regulation (EU) 2019/881.

50 Directive (EU) 2019/1024.

51 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A European Strategy for Data (Com/2020/66 Final).

52 European Commission Press Release IP/19/421, ‘European Commission Adopts Adequacy Decision on Japan, Creating the World’s Largest Area of Safe Data Flows’, 23 January 2019; European Commission Press Release IP/18/6749, ‘EU–Japan Trade Agreement on Track to Enter into Force in February 2019’, 12 December 2018.

53 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A European Strategy For Data, Com/2020/66 Final.

54 Bradford calls them market- and treaty-driven harmonization: see Bradford (n 3) 67.

55 Cremona, M, ‘Extending the Reach of EU Law: The EU as an International Legal Actor’, in Cremona, M and Scott, J (eds), EU Law Beyond EU Borders (Oxford University Press, Oxford, 2019) 11 CrossRefGoogle Scholar.

56 See Article 3(5) TEU (laying down that the EU ‘shall uphold and promote its values and interests’ in its external relations).

57 Article 21(1) TEU.

58 Kuner, C, ‘The Internet and the Global Reach of EU Law’, in Cremona, M and Scott, J (eds), EU Law Beyond EU Borders (Oxford University Press, Oxford, 2019) 112–45CrossRefGoogle Scholar.

59 For the importance attributed to notions such as ‘global convergence in the area of data protection’, ‘fostering a global culture of respect for privacy’ and ‘promoting convergence of data protection standards at international level’, see Communication from the Commission to the European Parliament and the Council, Data protection as pillar of citizen’s empowerment and EU’s approach to the digital transition – two years of application of the General Data Protection Regulation Com/2020/224 Final.

60 Case C-131/12, Google Spain v Agencia Española de Protección de Dato (13 May 2014) para. 92 (hereinafter Google Spain).

61 Google Spain, para 81.

62 For a similar argument, see Kowalik-Bańczyk and Pollicino (n 1) 324.

63 Case C-507/17, Google LLC v Commission nationale de l’informatique et des libertes (CNIL) (24 September 2019) para 72 (hereinafter CNIL).

64 CNIL, para 72.

65 CNIL, para 66.

66 Case C-18/18, Eva Glawischnig-Piesczek v Facebook Ireland Ltd (3 October 2019) para 53.

67 ‘Legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection’: Case C-362/14, Maximilian Schrems v Data Protection Commissioner (6 October 2015) para 95 (hereinafter Schrems I).

68 ‘Legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter’: Schrems I, para 94.

69 Epstein, RA, ‘The ECJ’s Fatal Imbalance: Its Cavalier Treatment of National Security Issues Poses Serious Risk to Public Safety and Sound Commercial Practices’ (2016) 12 European Constitutionalism 330 CrossRefGoogle Scholar, 333–35.

70 Ibid 336.

71 Schrems I, para 82.

72 Schrems I, para 90.

73 Schwartz, PM and Peifer, KN, ‘Transatlantic Data Privacy Law’ (2017) 106 Georgetown Law Journal 115 Google Scholar, 160–65.

74 Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximilian Schrems (16 July 2020) para 185 (Hereinafter Schrems II).

75 Schrems I, para 73.

76 Tzanou, M, ‘ Schrems I and Schrems II: Assessing the Case for the Extraterritoriality of EU Fundamental Rights’, in Fabbrini, F, Celeste, E and Quinn, J (eds), Data Protection Beyond Borders: Transatlantic Perspectives on Extraterritoriality and Sovereignty (Hart, Oxford, 2020), 114–15Google Scholar.

77 Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximilian Schrems (16 July 2020), Opinion of AG Saugmandsgaard (AG Schrems II), see for balancing between the digital rights and national security paras 254–308; for balancing between the right to effective judicial protection and national security paras 309–42.

78 Schrems II, paras 183–90. I would like to thank an anonymous reviewer for inducing me to highlight clearly how proportionality analysis is differently used in Schrems I and Schrems II.

79 Paras 181–82, 188.

80 Para 181.

81 Para 192.

82 This point is important because the level of protection accorded to digital rights in the ECHR regime is lower than the EU legal order, which may be observed in the detailed analysis of Advocate General: see particularly AG Schrems II, para 282.

83 T Christakis, ‘After Schrems II: Uncertainties on the Legal Basis for Data Transfers and Constitutional Implications for Europe’, European Law Blog, 21 July 2020, available at: <https://europeanlawblog.eu/2020/07/21/after-schrems-ii-uncertainties-on-the-legal-basis-for-data-transfers-and-constitutional-implications-for-europe>.

84 Kuner, C, ‘International Agreements, Data Protection, and EU Fundamental Rights on the International Stage: Opinion 1/15, EU-Canada PNR’ (2018) 55(3) Common Market Law Review 857, 876, 881CrossRefGoogle Scholar.

85 Ibid 858.

86 Ibid.

87 It is also classified by many scholars as a global regulation under the guise of an EU regulation: see, for example, Ryngaert, C and Taylor, M, ‘The GDPR as Global Data Protection Regulation? (2020) 114 AJIL Unbound 5 CrossRefGoogle Scholar.

88 Schwartz, PM, ‘Global Data Privacy: The EU Way’ (2019) 94 New York University Law Review 771, 772Google Scholar.

89 GDPR 3(2).

90 GDPR 3(3); for a study analysing the interaction between Article 3, regulating the territorial scope of the GDPR and Chapter V of the GDPR designed to regulate data transfer procedures to non-EU parties, see C Kuner, ‘Territorial Scope and Data Transfer Rules in the GDPR: Realising the EU’s Ambition of Borderless Data Protection’, University of Cambridge Faculty of Law Research Paper (2021).

91 Daskal, ‘Borders and Bits’ (n 13) 212.

92 Bordin, FL, ‘Is the EU Engaging in Impermissible Indirect Regulation of UN Action? Controversies Over the General Data Protection Regulation’, EJIL:Talk: Blog of the European Journal of International Law, 11 December 2020 Google Scholar.

93 Ryngaert (n 15) 199.

94 Ibid.

95 Aaronson, SA and Leblond, P, ‘Another Digital Divide: The Rise of Data Realms and Its Implications for the WTO’ (2018) 21(2Journal of International Economic Law 245, 262–70CrossRefGoogle Scholar.

96 Ibid 264.

97 Executive Order 13859, Maintaining American Leadership in Artificial Intelligence, 11 February 2019.

98 Aaronson and Leblond (n 95) 248.

99 US Second Circuit, Microsoft Ireland, para. 41, available at: <https://cases.justia.com/federal/appellate-courts/ca2/14-2985/14-2985-2016-07-14.pdf?ts=1468508412> (hereafter Microsoft Ireland).

100 US Second Circuit, Microsoft Ireland, para 41.

102 Ibid.

103 Daskal, J, ‘Microsoft Ireland, the CLOUD Act, and International Lawmaking 2.0’ (2018) 71 Stanford Law Review 9, 13Google Scholar.

104 Ibid 13.

105 Ibid 14.

106 See, for example, Daskal, ‘The Un-Territoriality of Data’ (n 9) 334–65. For a detailed comparative analysis scrutinizing how different legal regimes such as the United States, the European Union and the ECHR strike a balance between the right to privacy and the state’s surveillance activities, see Bignami, F and Resta, G, ‘Human Rights Extraterritoriality: The Right to Privacy and National Security Surveillance’, in Benvenisti, E and Nolte, G (eds), Community Interests Across International Law (Oxford University Press, Oxford, 2018), 357–80Google Scholar.

107 Ibid 390.

108 Ibid.

109 Ibid 393.

110 There are different methods through which the United States creates an exceptional domain for its own policies: (1) exceptionalism; (2) double-standard; and (3) legal isolationism. The US exceptionalism referred to here stands for legal isolationism, which suggests that the US legal system is more inclined to teaching others than learning from them. See Ignatieff, M, American Exceptionalism and Human Rights (Princeton University Press, Princeton, NJ, 2009) 411 Google Scholar; for work on the compatibility of proportionality with the US model, see Möller, K, ‘US Constitutional Law, Proportionality, and the Global Model’, LSE Law, Society (LSE, London, 2016)Google Scholar.

111 Möller, K, Global Model of Constitutional Rights (Oxford University Press, Oxford, 2012) 215 CrossRefGoogle Scholar.

112 Schauer, F, ‘The Exceptional First Amendment’, in Ignatieff, M, American Exceptionalism and Human Rights (Princeton University Press, Princeton, NJ, 2009)Google Scholar.

113 Schwartz and Peifer (n 73) 156.

114 Cohen-Eliya, M and Porat, I, Proportionality and Constitutional Culture (Cambridge University Press, Cambridge, 2013) 118 CrossRefGoogle Scholar.

115 Mureinik, E, ‘A Bridge to Where? Introducing the Interim Bill of Rights’ (1994) 10(1) South African Journal on Human Rights 31, 32CrossRefGoogle Scholar.

116 Cohen-Eliya and Porat (n 114) 52–65; for the conception of rights as principles, see Alexy, R, ‘The Construction of Constitutional Rights’ (2010) 4 Law & Ethics of Human Rights 19 CrossRefGoogle Scholar. Schauer counters this argument, contending that the substantive difference in the rights protection between the United States and Europe does not result from the distinctive methodologies espoused. Even though Schauer rejects the argument that the First Amendment has a categorical, rule-based and balancing-excluding nature, he admits the role played by the one-sided nature of the First Amendment’s text by prioritizing the right to freedom of speech and press. Schauer (n 112) 30–32, 44–45.

117 In the German context, balancing requires ‘the establishment of a proportional correlation between individual rights and community interests’ and was aimed at the ‘optimization of competing values’: Bomhoff, J, Balancing Constitutional Rights: The Origins and Meanings of Postwar Legal Discourse (Cambridge University Press, Cambridge, 2013) 93 CrossRefGoogle Scholar.

118 Ibid 109.

119 Bradford (n 3) 39.

120 Schauer describes this negative stance towards regulation as “culture of distrust” that marches hand in hand with libertarianism and laissez-faire: Schauer (n 112) 30–32, 46–47.

121 Bradford (n 3) 41–43.

122 Bomhoff (n 117) Chs III and IV.

123 Tourkochoriti, I, ‘Snowden Revelations, the Transatlantic Trade and Investment Partnership and the Divide Between US–EU in Data Privacy Protection’ (2014) 36 University of Arkansas at Little Rock Law Review 161 Google Scholar.

124 Schwartz and Peifer (n 73) 138; Aaronson and Leblond (n 95) 245, 257.

125 Schwartz and Peifer (n 73) 147–55.

126 Frydman et al (n 27) 140.

127 Celeste, E and Fabbrini, F, ‘Competing Jurisdictions: Data Privacy Across the Borders’, in Lynn, T, Mooney, JG, van der Werff, L and Fox, G (eds), Data Privacy and Trust in Cloud Computing (Springer, Dordrecht, 2021) 43, 46Google Scholar.; Bignami, F and Resta, G, ‘Transatlantic Privacy Regulation: Conflict and Cooperation’ (2015) 78 Law and Contemporary Problems 231, 232–35Google Scholar.

128 Bignami and Resta (n 127) 236.

129 Frydman et al (n 27) 135–46. This is made clearer with Schrems II, where the Court imposes an obligation to the local Data Protection Agencies, data exporter and importer companies to carry out an investigation on whether the level of protection is adequate in the third country concerned. For further explanations concerning privatization/decentralization in data governance oversight, see Christakis (n 83).

130 47 USC 230(c)(1): ‘No provider or user of an interactive computer service shall be treated as publisher or speaker of any information provided by another content provider.’

131 See 47 USC 230(c)(2)

132 There are also some sectors that are more prone to state intervention, such as the prevention of child pornography, fight against terrorism and protection of copyrights. See Frydman et al. (n 27) 136–39.

133 Ibid 139–40. In December 2020, the EU Commission proposed two legislative initiatives, the Digital Services Act and the Digital Markets Act, to replace the 20-year-old e-Commerce Directive. For explanations and pertinent documents, see <https://ec.europa.eu/digital-single-market/en/digital-services-act-package>.

134 Celeste and Fabbrini (n 127) 53.

135 For the Inuit exemption granted by the EU Seal Regulation to the seals hunted by the Inuits, allowing their import to the European Union, see Scott, ‘The global reach of EU law’ (n 14) 21–63.

136 Kowalik-Bańczyk and Pollicino (n 1) 329.

137 Cremona, M and Scott, J, ‘Introduction: EU law Beyond EU borders’, in Cremona, M and Scott, J (eds), EU Law Beyond EU Borders (Oxford University Press, Oxford, 2019) 4 CrossRefGoogle Scholar.

138 Woods (n 7) 399–402.

139 ‘Clubs lead to anticlubs’: Ibid 401.

140 Daskal, ‘The Un-Territoriality of Data’ (n 9) 326, 333.

141 Woods (n 7) 401; see also Daskal’s criticism of the Belgian courts due to their recent Yahoo and Skype rulings in which they extended the scope of their jurisdiction to such an extent that ‘any operator or provider that actively aims its economic activities’ on Belgian customers or ‘any activity participating in the economic life in Belgium’ will be subject to the Belgian jurisdiction: Daskal, ‘Borders and Bits’ (n 13) 192–98.

142 Not all the data is located in the United States, nor is it always possible to determine the location of data. Here, the phenomenon to which the term ‘US-based’ refers is that the data gathered, processed and stored by US companies originates from the territorial borders of the United States.

143 Daskal, ‘Microsoft Ireland’ (n 103) 9, 13–14.

144 Ibid 15.

145 Ibid.

146 See also Brehmer, HJ, ‘Data Localization: The Unintended Consequences of Privacy Litigation’ (2017) 67 American University Law Review 927 Google Scholar, arguing that the Schrems and Microsoft cases, despite their short-term positive effects with respect to the privacy and digital rights, have taken their toll on in the long term by creating incentives for data localization.

147 Celeste and Fabbrini (n 127) 50.

148 Mishra, N, ‘Data Localization Laws in a Digital World: Data protection or Data Protectionism?’ (2015) 4(1) The Public Sphere 135 Google Scholar; Millard, WK Hon C, Singh, J, Walden, I, and Crowcroft, J, ‘Policy, Legal and Regulatory Implications of a Europe-only Cloud’ (2016) 24(3) International Journal of Law and Information Technology 251 Google Scholar.

149 Bodansky, Daniel, ‘What’s So Bad about Unilateral Action to Protect the Environment?’ (2000) 11 EJIL 339 CrossRefGoogle Scholar.

150 Ryngaert (n 15) 18.

151 Pettit, P, On the People’s Terms: A Republican Theory and Model of Democracy (Cambridge University Press, Cambridge, 2012) 175–79Google Scholar.

152 For the role of these principles for holding transnational and international organizations to account, see Kingsbury, B, Krisch, N and Stewart, RB, ‘The Emergence of Global Administrative Law’ (2005) 68(3/4) Law and Contemporary Problems 15 Google Scholar.

153 For a study considering the right to access to justice as a foundational right owing to the role it plays in jurisgenerative process, see Palombella, G, ‘Access to Justice: Dynamic, Foundational, and Generative34(2) Ratio Juris 121 CrossRefGoogle Scholar.

154 Ryngaert (n 15) 125–30.

155 ‘Output legitimacy requires policies that work effectively while resonating with citizens’ democratic ideals, values and identity. Input legitimacy depends on citizens expressing demands institutionally and deliberatively through representative politics while providing constructive support via their sense of identity and community. And throughput legitimacy needs processes that work efficiently and inclusively while promoting constructive interaction.’ See Schmidt, VA, ‘Democracy and Legitimacy in the European Union Revisited: Input, Output and “Throughput”’ (2013) 61(1Political Studies 2, 10CrossRefGoogle Scholar (emphasis added).

156 ‘As long as [Solange] the integration process [in the European Communities] has not progressed so far that Community law also receives a catalogue of fundamental rights decided on by a parliament and of settled validity, which is adequate in comparison with the catalogue of fundamental rights contained in the [German] Constitution, a reference by a court in the Federal Republic of Germany to the Bundesverfassungsgericht in judicial review proceedings [involving conflicts of Community secondary law and fundamental rights under the German Basic Law] … is admissible and necessary.’ See BVerfGE 37, 271 2 BvL 52/71 Solange I-Beschluß (29 May 1974), available at: <https://law.utexas.edu/transnational/foreign-law-translations/german/case.php?id=588>.

157 BVerfGE 73, 339 2 BvR 197/83 Solange II decision, 22 October 1986, available at: <https://law.utexas.edu/transnational/foreign-law-translations/german/case.php?id=572>.

158 For explanations concerning the cases and the dialogic process between the BVerfG, the CJEU and the European Union in general, see Lavranos, N, ‘The Solange-method as a Tool for Regulating Competing Jurisdictions Among International Courts and Tribunals’ (2008) 30 Loyola of Los Angeles International and Comparative Law Review 275, 313–23Google Scholar.

159 Ibid 324.

160 Ibid.

161 Benvenisti, E, ‘The Future of Sovereignty: The Nation State in the Global Governance Space’, in Cassese, S (ed), Research Handbook on Global Administrative Law (Edward Elgar, Cheltenham, 2016) 492 Google Scholar.

162 Woods (n 7) 370–71.

163 Ibid 378; he further alludes to five principles to be considered in balancing, see on the same page.

164 ‘Comity requires the courts to weigh competing government interests, but it does not per se prohibit regulation of extraterritorial conduct.’ See Ibid 388.

165 Endicott, T, ‘Comity Among Authorities’ (2015) 68 Current Legal Problems 1, 4.CrossRefGoogle Scholar

166 Ibid 1.

167 Ibid 8–9.

168 Ibid 11.

169 Ibid 3.

170 ‘Comity towards the French authorities is not for the sake of the French Republic. It is for the sake of the persons who are subject to the authoritative acts of French institutions.’ Ibid 12.

171 ‘From the perspective of inter-legality, interconnectedness is itself a legal situation.’ Palombella, G, ‘Theory, Realities and Promises of Inter-legality: A Manifesto’, in Klabbers, J and Palombella, G (eds), The Challenge of Inter-Legality (Cambridge University Press, Cambridge, 2019) 378 Google Scholar.

172 Ibid 374.

173 Ibid 380.

174 G Çapar, ‘From Conflictual to Coordinated Inter-legality” (n 46) 20.

175 For a study approaching inter-legality from the perspective of judges and adjudication, see di Martino, A, ‘The Importance of Being a Case: Collapsing of the Law Upon the Case in Interlegal Situations’ (2021) 7(2) Italian Law Journal 961 Google Scholar.

176 For the argument that inter-legality is relevant to legislation as well as adjudication, see Palombella, G, ‘Interlegality: On Interconnections and “External” Sources’ (2021) 7(2) Italian Law Journal 943 Google Scholar.

177 Chiti, E, ‘Shaping Inter-legality: The Role of Administrative Law Techniques and Their Implications’, in Klabbers, J and Palombella, G (eds), The Challenge of Inter-Legality (Cambridge University Press, Cambridge, 2019) 272 Google Scholar.

178 Ibid 276.

179 PS Berman, ‘Understanding Global Legal Pluralism: From Local to Global, From Descriptive to Normative’ in Berman, PS (ed), The Oxford Handbook of Global Legal Pluralism (Oxford University Press, Oxford, 2020) 25 CrossRefGoogle Scholar.

180 Here the term ‘legality’ avails itself of wider interpretations, which are not confined to the domestic legal orders, but also contain sectoral regimes and even internet as a self-regulating environment. For a study of how inter-legality unfolds in the domain of copyright law, prompting interpreters to take EU and national legal orders, as well as ECHR regime and internet, into account, see Priora, G, ‘The “Two Suns” of EU Digital Copyright Law: Reconciling Rightholders’ and Users’ Interests via Interlegality’ (2021) 7 Italian Law Journal 1057 Google Scholar.

181 Bar-Siman-Tov, I, ‘Semiprocedural Judicial Review’ (2012) 6(3Legisprudence 271 CrossRefGoogle Scholar.

182 Palombella, G, ‘Theory, Realities and Promises of Inter-legality: A Manifesto’ in Klabbers, J and Palombella, G (eds), The Challenge of Inter-Legality (Cambridge University Press, Cambridge, 2019) 374 Google Scholar.

183 Ibid. 382.

184 Ryngaert (n 15) 195.

185 Woods (n 7) 335, 384, 393.

186 Woods (n 7) 384.

187 Google Inc v Equustek Sols Inc [2017] 1 SCR 824, 827-28 (Can).

188 Schwartz (n 88) 771 (explicitly stating that the EU’s adequacy standard is based upon the idea of mutual accommodation and flexibility).

189 J Scott, ‘The Global Reach of the EU Law’ (n 14) 39.

190 See, for example, Schwartz (n 88) 807–18 (attributing the GDPR’s globalization to its accessibility and the EU’s culture of flexibility).

191 Recall that this corresponds to Ryngaert’s suggestion about compensation in the cases of negative externalities Scott, ‘The Global Reach of the EU Law’ (n 14) 59.

192 Ibid. 60.

193 Kuner (n 58) 142.

194 Mbembe, A and Chaize, I, ‘Deglobalization’ (2018) 12 Esprit 86 CrossRefGoogle Scholar.

195 Cremona and Scott (n 137) 17–18.

196 Klabbers, J, ‘Law-making and Constitutionalism’ in Klabbers, J, Peters, A, and Ulfstein, G (eds), The Constitutionalization of International Law (Oxford University Press, Oxford, 2011) 114 Google Scholar.

197 Palombella (n 182) 383.

198 Kowalik-Bańczyk and Pollicino (n 1) 335.

199 For a similar argument, see Ibid. 336; flexibility is also one of the major factors turning illegitimate extraterritorial extension into legitimate territorial extension in Scott’s conceptualization: Scott, ‘Extraterritoriality and Territorial Extension in EU Law’ (n 36) 110, 116, 117.

200 I would like to thank Deniz Berfin Ayaydın for drawing my attention to the movie and helping me establish this connection.

201 ‘Provincializing Europe’ with Dipesh Chakrabarty, 16 March 2021. A recording of the webinar is available at: <https://www.youtube.com/watch?v=nb1k8xxS1fA>.

202 This contractive form of Eurocentrism recalls Wendy Brown’s ‘Walled states and waning sovereignty’, and invites us to further question whether the fortresses do signify weakness. See Brown, W, Walled States and Waning Sovereignty (Princeton University Press, Princeton, NJ, 2010)CrossRefGoogle Scholar.

203 Koskenniemi, M, ‘Histories of International Law: Dealing with Eurocentrism’ (2011) 19 Rechtsgeschichte-Legal History 152, 175CrossRefGoogle Scholar.

204 A Mbembe, ‘Decolonizing Knowledge and the Question of the Archive’ (2015), available at: <https://wiser.wits.ac.za/system/files/Achille%20Mbembe%20-%20Decolonizing%20Knowledge%20and%20the%20Question%20of%20the%20Archive.pdf>.

205 Kerner, I, ‘Beyond Eurocentrism: Trajectories Towards a Renewed Political and Social Theory’ (2018) 44(5Philosophy & Social Criticism 550 Google Scholar.

206 Cover, RM, ‘Foreword: Nomos and Narrative’ (1983) 97(4) Harvard Law Review 40, 42, 53Google Scholar.

207 de Sousa Santos, B, Epistemologies of the South: Justice Against Epistemicide (Routledge, London, 2015)CrossRefGoogle Scholar.

208 Coeckelbergh, M, ‘Artificial Intelligence, Responsibility Attribution, and a Relational Justification of Explainability’ (2020) 26(4) Science and Engineering Ethics 2051, 2052–54CrossRefGoogle Scholar.

209 Ibid 2063.

210 Ibid 2058–60.

211 Ibid 2061.

212 Ibid 2062.

213 Palombella (n 183) 390.

214 Ibid.

215 Sen, Amartya, The Idea of Justice (Penguin, Harmondsworth, 2009) 188 Google Scholar.