It is obvious that not only is “extraterritoriality not a bad word”, but that it is the necessary and realistic answer to the problems that characterize a world that is increasingly globally connected. But that means that just as European users should have the right to enjoy European privacy standards when they use one of the many websites operated from the U.S., so should the U.S. government have the right to access data in the control of a U.S. company regarding a U.S. resident who is suspected of committing a crime within the U.S., as was the issue in the Microsoft – Ireland case. Due to the GDPR and the Cloud Act, both forms of extraterritorial jurisdiction are, at the moment, legal reality. It makes little sense to vilify the Cloud Act while glorifying GDPR.
However, it is also obvious that both regulatory frameworks are determined by political interests, which works against their de facto reciprocity. On the one hand, the data controller argument employed in the Cloud Act comes especially handy to the US, which is the country where most Internet-based platforms headquarter. One might even argue that the data controller argument employed by the nation that hosts Silicon Valley actually might bring about de facto global enforcement jurisdiction. On the other hand, the approach of objective territory that is pursued by the EU regarding article 48 of the GDPR might be outdated and not make much sense, but it is aligned with the EU’s economic interest to become a data safe haven.
These conflicts of interest and corresponding jurisdictional conflicts will inevitably be the source of tensions between the EU and the US. Surely, the best solution would be to formulate coherent and unequivocal principles of extraterritorial jurisdictions that are developed not unilaterally, but in transnational collaboration. Such a formulation must not rely on notions relating to geography alone, but also more subtle categories, such as the nature of the data requested, respectively protected data, the nature of the crimes committed, the strength of interest that a nation might have in regulating or accessing data, and the consideration of different degrees of regulation in different countries.
(Via Just Security)