Expanding the European data protection scope beyond territory: Article 3 of the General Data Protection Regulation in its wider context

Jurisdiction based solely on the territoriality principle is becoming less evident in the digital age This article engages in a discussion with authors such as Kuner and Svantesson, that have expressed a critical view on expansive jurisdiction of the EU data protection regime in issue 4, November 2015, of this Journal. Our contribution focuses on the choices with regard to scope and jurisdiction made by the EU co-legislators in Article 3 of the new EU General Data Protection Regulation (hereinafter, ‘General Regulation’ or ‘GDPR’),6 which will apply from 25 May 2018, and compares this to the current regime under Article 4 of the Data Protection Directive. It also assesses whether the modernized Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (No 108) is heading in a similar direction and highlights the Court of Justice of the European Union (CJEU) position on the territorial scope of the EU data protection law.