The Passport to Regulate Foreign Jurisdiction: The Personal Data Protection Bill, 2019 on its Extraterritorial Application
Keywords:data protection, PDP Bill, Extraterritorial Application, GDPR, LGPD, International Cooperation
The Indian Personal Data Protection Bill, 2019 (PDP Bill) was formulated from the Recommendations of the Justice Srikrishna Report. This Bill was the first portkey for India’s exclusive data protection regime. Notably, there is an urgent need to establish a strong legal framework for data protection in India as this would be the only safehouse for protecting every individual’s personal data, including sensitive and critical data. The EU’s General Data Protection Regulation (GDPR) serves as a yardstick for global data protection regulation due to its architecture that places a great onus of compliance on foreign entities. This resolute extraterritorial nature that GDPR thatches on itself has inspired several upcoming worldwide data protection regimes. Consequently, the Joint Parliamentary Committee, which is tasked with reviewing India’s PDP Bill, has the responsibility to upgrade its stance to be tenacious and more obstinate, as well as ensure that the Bill has a strong extraterritorial foundation. This requirement comes with a plethora of challenges under international law as questions on cross-border jurisdictions are inevitable. This paper compares the PDP Bill with the GDPR and Brasil’s Lei Geral de Proteção de Dados (LGPD) and analyzes the key challenges emerging from the extraterritorial scope of these legislations through the lens of international law. Its main objective is to identify the possible and plausible solutions to these extraterritorial jurisdictional issues and highlight how the fundamental construction of India’s PDP Bill can be improved to effectively address the extraterritorial concerns.
Azzi, Adèle. “The Challenges Faced by the Extraterritorial Scope of the General Data Protection Regulation.” Journal of Intellectual Property, Information Technology and E-Commerce Law9, no. 2 (2018). https://www.jipitec.eu/issues/jipitec-9-2-2018/4723.
Batt, Jeffrey. “Reputational Risk and the GDPR: What’s at Stake and How to Handle I.” Brink News, 2018. https://www.brinknews.com/reputational-risk-and-the-gdpr-whats-at-stake-and-how-to-handle-it/.
Bioni, Bruno. R. “A Produção Normativa a Respeito Da Privacidade Na Economia Da Informação e Do Livre Fluxo Informacional Transfronteiriço.” In Direitos e Novas Tecnologias: XXIII National Meeting of Conpedi, 1, 59–82, 2014. https://brunobioni.com.br/wp-content/uploads/2020/02/internet-sectoral-overview-xi-2-privacy-7-11.pdf.
Bowett, D. W. “Jurisdiction: Changing Patterns of Authority Over Activities and Resources.”BYIL53, no.1(1982).
China'sPersonal Information Protection Law.
CommissionDecision 2001/497 of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries under Directive 95/46/EC, 2001 O.J. (L 181/19).
Crawford, James. Brownlie’s Principles of Public International Law. 8th edn. OUP, 2012.
Forbes Technology Council. “15 Unexpected Consequences of GDPR.”n.d. https://www.forbes.com/sites/forbestechcouncil/2018/08/15/15-unexpected-consequencesofgdpr/#1ff037ae94ad.
Foreign Corrupt Practices Act of 1977 of the UnitedStates of America.
Francke, Glory. “Time to Update Your Privacy Statement For GDPR.” Law 360, n.d.
Goldsmith, Jack, and Tim Wu. Who Controls the Internet? Illusions of a Borderless World. Oxford University Press, 2006.
Googlev. Spain, Court of Justice of the European Union [CJEU], ILEC 060 (CJEU 2014).
Ingram, David, and Joseph Menn. “Exclusive:Facebook CEO Stops Short of Extending European Privacy Globally.” n.d.https://www.reuters.com/article/us-facebook-ceo-privacy-exclusive-idUSKCN1HA2M1.
International Court of Justice.
International Covenant on Civil and Political Rights.
Kuner, Christopher. Data Protection Law and International Jurisdiction on the Internet (Part 2). International Journal of Law and Information Technology, Oxford University Press, 2010.
Lei Geral de Proteção de Dados.
Leung, Ricky. “Navigating the GDPR’s Extraterritorial Applicability to Processors: A Perspective from the Non-EU Cloud Service Provider.” (2018). http://dx.doi.org/10.13140/RG.2.2.32800.43529.
Lindsey, Nicole. “Understanding the GDPR Cost of Continuous Compliance.” CPO Magazine, 2019. https://www.cpomagazine.com/data-protection/understanding-the-gdpr-cost-of-continuous-compliance/.
Maillart, Jean-Baptiste. “The Limits of Subjective Territorial Jurisdiction in the Context of Cybercrime.” ERA Forum19 (2019). https://doi.org/10.1007/s12027-018-0527-2.
Milanovic, Marko. Extraterritorial Application of Human Rights Treaties: Law, Principles, and Policy. OUP, 2011.
Nottebohm Case (Liechtenstein v. Guatemala); Second Phase,InternationalCourt of Justice (ICJ).
Perrone, Christian. “Privacy and Data Protection -From Europe To Brazil,” n.d. https://doi.org/http://dx.doi.org/10.17768/pbl.y6.n9-10.
Personal Data Protection Act, 2012 of Singapore.
Privacy Act 1988 of Australia.
Pramesti, Indriana, and Arie Afriansyah. “Extraterritoriality of Data Protection: GDPR and Its Possible Enforcement in Indonesia.” In Advances in Economics Business and Management Research, 3rd INCLAVE 2019, Volume 130. Atlantis Press, 2019.
Ryngaert, Cedric. “The Concept of Jurisdiction in International Law.” Utrecht University, n.d. https://unijuris.sites.uu.nl/wp-content/uploads/sites/9/2014/12/The-Concept-of-Jurisdiction-in-International-Law.pdf.
SS ‘Lotus’ (France v Turkey) (1927) PCIJ Ser A, No 10.
Svantesson, Dan Jerker B. “The Extraterritoriality of EU Data Privacy Law –Its Theoretical Justification and Its Practical Effect on U.S. Businesses.” Stanford Journal of International Law 50, no. 1 (2014): 53–102.
Internetsociety.org.“The Internet and Extraterritorial Effects of Laws Internet Society Concept Note.” Accessed April 11, 2021.https://www.internetsociety.org/wpcontent/uploads/2018/10/The-Internet-and-extraterritorial-application-of-laws-EN.pdf.
The United States of America’s Helms BurtonAct.The Personal Data Protection Bill, 2019.
The General Data Protection Regulation 2016/679.
The General Personal Data Protection Law 13709/2018.
The Recommendations of the Justice Srikrishna Report. UK vs. Norway (North Atlantic Fisheries Case),  ICJ Rep.116.
Universal Declaration of Human Rights. Vienna Convention on Diplomatic Relations 1961, Done at Vienna on 18 April 1961. Entered into force on 24 April 1964. United Nations, Treaty Series, vol. 500.
Walia, Harish, and Supratim Chakraborty. “Indian Data Protection Law.” iclg.com, n.d. Accessed April 11, 2021. https://iclg.com/practice-areas/data-protection-laws-and-regulations/india.
How to Cite
Copyright (c) 2022 Brawijaya Law Journal
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.