I. Introduction
Global regulatory competition is a recent phenomenon encountered in various fields such as food and chemical safety, climate change, and animal welfare. The digital economy is not immune to this trend, and it seems highly unlikely that regulatory competition between big powers will soon come to an end. Despite the early pessimistic views which suggested that global regulatory competition would lead to forum shopping, deregulation, and a ‘race to the bottom’,Footnote 1 recent studies have revealed that this represents only half the storyFootnote 2. Phenomena such as the ‘California effect’ or the ‘Brussels effect’Footnote 3 have already demonstrated that a race to the top is just as possible as a race to the bottom. The European Union, as Bradford points out, has been supplying the global market with global standards not because its rules are the least restrictive, but because the European Union links its stricter regulations to its market power. As such, its ‘ability to set global rules alone is always contingent on it preferring the highest rule’.Footnote 4 This is in addition to factors such as globalization, its regulatory capacity and market power.Footnote 5
The internet is a medium that, by its nature, is ‘global and borderless’;Footnote 6 therefore, it is always running the risk of extraterritorial regulation.Footnote 7 The use of the internet highlights the same question that confronts us in almost every discipline: how does one square unilateral regulation with the principle of state sovereignty? A possible answer to this question rests on how we perceive data and the internet, and how this perception differs from other global commons. How are the issues caused by the internet different from issues caused to our existing legal concepts by telephones, video cassettes or computers? It is plausible to argue, like Easterbrook, that there is nothing new on the internet, and therefore there is no need to create a new branch of law titled ‘the Law of the Horse’.Footnote 8 Conversely, one may claim that data is different because of its mobility, divisibility and partitioning, and its independence from location.Footnote 9 When viewed from this perspective, data seems like an exception to our conventional legal concepts that prevent the application of pre-existing legal categories to the new challenges posed by technology.Footnote 10 Nonetheless, irrespective of the position we take on this debate, it is necessary for any legal scholar to consider the territorial challenges posed by data, namely the unavoidable extraterritorial effect of data even if it is regulated by observing the territorial limitations arising from legitimate regulatory power. We are confronted with Schrödinger’s cat in that we cannot pinpoint where it is located or whether it exists. As such, it is better to admit that data cuts to the heart of the issue of territoriality; it renders the distinction between territorial and extraterritorial highly imperceptible.Footnote 11
It is highly telling that there appears to be a tendency, in both the exceptionalist and anti-exceptionalist camps, to accept unilateral global regulation as fact and to find solutions to legitimize it. For example, as an anti-exceptionalist, Woods holds that extraterritoriality of data regulation is an age-old problem that can be addressed by the rules of comity.Footnote 12 On the other hand, as an exceptionalist, Daskal suggests that it is necessary to design new jurisdictional rules capable of representing the legitimate interests of states in extraterritorial regulation as well as the countervailing interests of foreign states.Footnote 13 Similarly, Scott contends that regulatory territorial extension can be justified only because we have a right to avoid being complicit with the global wrongdoings committed abroad.Footnote 14 Likewise, decoupling the notion of unilateralism from egoism and selfishness, Ryngaert asserts that unilateral actions can be justified insofar as it is motivated not by parochial interests, but by the common interests of the international community. This should be selfless intervention pursuing a cosmopolitan agenda and aiming to promote the general interest of the global community, as opposed to the parochial interests of the states.Footnote 15
Research dealing with global governance of the internet may take two different approaches: concentration on institutions or concentration on norms. If stress is put on institutions, then the focus would be on associations, organizations and meetings such as the Budapest Convention of the Council of Europe, the World Summit on the Information Society or the World Conference on International Telecommunications.Footnote 16 In this article, however, the focus is on norms, specifically the way norms governing digital rights and data flows began to crystallize and how norm generation plays out in the global regulatory sphere. It thus looks for the ways in which unilateral regulation can be considered legitimate under the conditions where the choice is between unilateralism and inaction, as reaching a multilateral consensus on global data regulation seems highly unlikely. Admitting that neither output (the best regulation) nor input (consent-based) legitimacy may provide us with a framework for legitimate ways of global unilateral regulation, it confines its attention to the following question: How is it possible to avoid Eurocentric legal domination when data forces any regulator into going global? Revisiting concepts such as comity, benevolent unilateralism and inter-legality, it asserts that to be accepted as legitimate, any attempt to global regulation should be inclusive and take on an other-regarding perspective as well as bear the responsibility of assuming the role of a global regulator. It may also may lead up to its commitments only if it remains genuinely committed to taking others’ perspectives seriously instead of showing a late sympathy after an already decided one right answer was already imposed on them. As things stand, the only way to realize this is to brush aside the logic of harmonization in favour of mutual recognition.
The presence of competition between different actors does not always mean the approaches taken by the competitors are dissimilar. A competitive attitude may display a common mode of governance below the surface, despite there being divergent practices at first glance. For example, the European Union takes a rather cosmopolitan and global approach by imposing its conception of digital rights onto the world. The United States, however, abstains from regulation on the grounds that it will impair innovation.Footnote 17 Nevertheless, both tend to disregard the interests of the other, adopting similar versions of unilateralism – notwithstanding their robust regulatory capacities, which are able to include outsiders. The human rights impact assessment is a case in point. Even though whether the regulation is compatible with the human rights law has been analysed, the question of just how inclusive the impact assessments are has generally been overlooked. Taking the question of legitimacy to centre stage, this article examines the problem of extraterritoriality as a special case of global regulatory competition (section II). It then covers the EU and US approaches toward data regulation and digital rights (sections III and IV), with a focus on the debate surrounding the right to be forgotten (section II), data transfer from the EU to the other countries (section III) and the US CLOUD Act, enacted following the Microsoft case (section IV). It then turns to the points on which the European Union and the United States diverge and converge (section V) with respect to digital rights. After this, it examines ways to cope with the extraterritorial characteristics of data, suggesting that Ryngaert’s selfless intervention and Woods’ comity-based proposal (section VI) may be useful in legitimating unilateral regulation. By illustrating how these approaches appear in relation to one another, the article concludes by suggesting that they can be subsumed under the headings of inter-legality (section VI) and that it is possible to sustain plurality of legalities without falling victim to global monism, notably due to mutual accommodation and recognition (section VII).
II. Global regulatory competition as diffusion of law
Interaction between legal orders is not a novel phenomenon; on the contrary, legal isolationism is the exception rather than the rule when viewed from a historical and comparative perspective.Footnote 18 It is therefore not surprising that numerous terms exist that address the phenomenon of diffusion of norms; these include transplant, borrowing, reception, transfer, imposition, transposition, expansion and spread.Footnote 19 However, our current form of norm diffusion – one that has captivated the attention of numerous scholars such as Anu Bradford, Joanne Scott, Marise Cremona and Ionna Hadjiyianni – differs from its precursors.Footnote 20 First, it departs from the state-centric, modernist explanation of the interaction between different legal orders and the post-modernist approach epitomized by the legal pluralist movement. In the former, the diffusion of law is generally associated with the migration of legal codes from one state to the other, whether as part of a modernization movementFootnote 21 or as a colonial imposition. By contrast, norms emanating from different legal orders, which are by nature un-hierarchical and pluralist, take up the role of legal pluralist in the latter.Footnote 22 Nevertheless, the states take the pride of place in today’s global regulatory competition, or diffusion of norms, despite the very crucial role played by transnational actors, private regulators and digital platforms.Footnote 23
Regulatory competition between states is an indirect consequence of globalization, which has a ‘destructive effect’Footnote 24 on the uniform and homogenous international legal order of the post-World War II period. It has played such a key role in questioning our traditional understanding of territorial legal systems, depicted as the black-box model composed ‘of self-contained and self-sufficient normative and institutional boxes’,Footnote 25 that today it is possible to spot new legal norms burgeoning in the interstices between national and international law. In short, the crisis generated by globalization has provided ample opportunities for an inductive jurisgenerative process.Footnote 26 This mismatch between territorially bounded states and new transnational regulatory actors, such as digital platforms, internet service providers, private organizations and NGOs, gives birth to ‘a transnational struggle for law’ in which ‘each state is trying to impose its own standards on the others by using ISPs as soldiers for the defense of national values’.Footnote 27 Hence, the conditions under which this global regulatory competition holds closely resemble Hobbes’ state of nature, where global players ‘pursue their own goal and thus aim to establish norms that are favourable to their interests’.Footnote 28 This, in turn, leads to a situation that Frydman calls ‘pannomie, where norms spring up from everywhere, enacted by improvised legislators, public or private’.Footnote 29 However, this is not something to drive us to despair, for in the dearth of the global legal system that may tell apart law from non-law,Footnote 30 the interaction and competition between different legal orders provide the only hope for ‘the emergence and crystallisation of new norms’.Footnote 31
As Rudolf von Jhering succinctly states, ‘the life of the law is a struggle – a struggle of nations, of the state power, of classes, of individuals’.Footnote 32 The struggle is the essence of law; it is not something to resort to in exceptional situations. It is a struggle between incompatible interpretive judgements, yet it is never tantamount to pure power and politics. It only points to the undergirding reality upon which law is founded: that law is a means to reach certain social and political ends.Footnote 33 It is a gateway through which politics is transformed to normativity. In summary, the regulatory competition between states is not an aberration. On the contrary, it exhibits the very nature of law: law flows from the clash of competing interests and normative standpoints. Nevertheless, despite this conflictual, competitive and political dimension of law, it is still a global law when seen from the perspective of Walker’s reading. For global law is, he submits, ‘a practical endorsement of or commitment to the universal or otherwise global-in-general warrant of some laws or some dimensions of law’.Footnote 34 Thus, it is global not because it springs from a global source, but rather because it aspires to regulate the globe for the sake of some ‘globally defensible good reasons’.Footnote 35 In a nutshell, pluralism that arises from regulatory competition in the global sphere is not incompatible with global law, but instead is a perfect example of it.
Scott distinguishes extraterritorial legislation and territorial extension to reveal how global regulatory power can legitimately be brought to bear. She classifies the former as an illegitimate form of global regulation owing to its failure to establish the necessary territorial connection, serving as a legitimating factor for the latter.Footnote 36 Her distinction has considerable explanatory power in many diverse areas, including regulations about aviation in the emission trading scheme, financial services and maritime transport;Footnote 37 nevertheless, data escapes any type of territorial connection. The fact that any superpower, arrogating to itself the legitimate role of global legislator, can establish a legitimate connection with dataFootnote 38 seriously undermines the explanatory power of Scott’s distinction in telling us when a global regulation is legitimate.Footnote 39 Admitting that Scott’s categorization falls short of covering global data regulation, an experimental classification is needed, which pays less attention to how the alleged global regulator presents itself than to its hidden attitudes and motivations. Here, the underlying logic of Scott’s distinction may prove useful. She rests her classification on the view that, if it is to be legitimate, global regulation should ‘ensure a sufficient international orientation’.Footnote 40 In a nutshell, it should bear the responsibilities that come with the role of the global regulator by leaving aside, at least to a certain extent, its autonomous objectives, and giving the other’s perspective and interests a modicum degree of consideration. This can only be done when the logic of harmonization is put aside in favour of mutual recognition. They differ significantly in how they promote convergence of norms. For mutual recognition, as an alternative to harmonization, does not confine itself with one all-encompassing regulation (one right answer), but rather aims at reaching this objective by preserving the diversity and autonomy of the others.Footnote 41 Bearing this in mind, the article dwells on, not being content with any sort of dubious territorial connection, the attitudes of alleged global regulators with a view to shedding light on how responsible global regulation differs from its self-interested counterparts.
III. Global reach of the European Union: In the name of digital rights
The European Union’s internal contradiction: Her values or interests Footnote 42
It is now widely believed among lawyers that the EU is a global regulator. This is something not only observed by legal scholars,Footnote 43 but also made explicit in the reports of the European Commission.Footnote 44 Indeed, the European Union has long prepared itself for seizing the regulatory opportunities arising out of global common problems. In order to comprehend the global reach of the European Union regarding data governance, one can review key events occurring over the past two decades. Since 2007, official EU documents such as the European Green Deal and Europe’s Digital Decade presented the European Union as a ‘global regulator’ among other labels.Footnote 45 For example, in implementing its Green Deal, the EU initiated a process of global regulatory competition in international environmental law.Footnote 46 Regarding data governance, the EU, with the policies it has pursued over the past decade, including its Global Data Protection Regulation (GDPR),Footnote 47 the Regulation on the free flow of non-personal data (FFD),Footnote 48 the Cybersecurity ActFootnote 49 and the Open Data Directive,Footnote 50 has already become one of the most important players in the global competition of data regulation. It has also exercised ‘digital diplomacy’Footnote 51 by ruling the level of protection provided by 13 countries as ‘adequate’ and signing two successive agreements with Japan that connect international trade to data protection.Footnote 52
In the European Commission’s recent communication, A European Strategy for Data, it is clearly noted that ‘the EU has a strong interest in … shaping global standards and creating an environment in which economic and technological development can thrive, in full compliance with EU law’.Footnote 53 The European Union is able to leverage its market power by indirectly setting global standards or it may restrict access to its market based upon countries providing substantively equivalent protection.Footnote 54 In both cases, the European Union connects its market power to its regulatory capacity, as it has been doing for decades regarding its internal policies, which can be summarized as ‘integration through law’. That is not to say that the European Union sees law merely as a means to its political ends. To the contrary, it uses law as an end to itself, treating it as a tool. Just as law has been the driving force of the EU internal integration process, it is now helping with ‘engaging in shaping, importing and promoting international legal norms’Footnote 55 outside. The European Union is destined to oscillate between its own interests and its own values.Footnote 56 On the one hand, it must respect ‘the principles of the United Nations Charter and international law’; however, on the other, the EU is subject to the guidance of ‘the principles which have inspired its own creation, development and enlargement, and which it seeks to advance in the wider world’.Footnote 57 It is therefore, by nature, torn between its values and interests, from which it can only liberate itself if the European Union sets the standards for the globe.Footnote 58 However, the question of whether it bears full responsibility for being a global regulator still hangs in the air, as the European Union is still under the spell of ‘harmonization’.Footnote 59
The European Union’s digital rights
On 13 May 2014, the CJEU held in a landmark ruling that Google was obliged to remove the search results pertaining to a ‘Mr. Gonzalez’, on the grounds that he was entitled to the right to be forgotten.Footnote 60 In the ruling, the Court draws attention to the balance between an individual’s right to be forgotten and the public’s right to access information, pointing out that this balance may change depending on the degree of importance assigned to the data subject and the content of the information at stake.Footnote 61 This ruling did not disambiguate on whether Google’s responsibility was limited to the geographical boundaries of the country where the complainant filed its application, or extended to the globe. In other words, the territorial scope of the right to be forgotten is still a matter of controversy. Google Spain, rather than claiming a universal jurisdiction, opined that even though it does not directly have jurisdiction over Google, this does not mean that it lacks jurisdiction over Google Spain, and so indirectly Google.Footnote 62
Against this backdrop, the CNIL (French Data Protection Agency) imposed a penalty on Google in 2015 on the basis that it failed to apply de-referencing requests globally and limited its scope of application to country-specific borders through its geo-blocking technology. In September 2019, the case came before the CJEU, which ruled that the EU law neither requires nor prohibits ordering a global de-referencing requestFootnote 63 because it falls within the competence of each member state to determine the exact scope of de-referencing, depending on the balance struck between competing rights.Footnote 64 The Court, however, made it clear that the principle of uniform application of the EU law entails that ‘the de-referencing in question is, in principle, supposed to be carried out in respect of all the Member States’.Footnote 65 One month later, in October 2019, the CJEU ruled, in a fashion bearing out its ambivalent and indeterminate approach towards the scope of the right to be forgotten, that the member states are not precluded from ‘ordering a host provider to remove information … worldwide’.Footnote 66 In those two judgments, the EU applied what Scott calls territorial extension by establishing a territorial connection – yet data, as already shown above, eludes territory. And this brings into question whether it is still legitimate to establish an artificial territorial connection.
The European Union’s Data Transfer Standard: Between mutual recognition and harmonization
On 6 October 2015, in Schrems, the CJEU was called upon to rule on the compatibility of the Commission Decision 2000/520/EC (Safe Harbour Principles), which ensures that the United States provides an adequate level of protection and allows data transfer from the European Union to the United States. The Court, highlighting the crucial importance of the right to effective judicial remedyFootnote 67 and the proportionality principle,Footnote 68 and specifying the necessity of reading the Commission Decision in light of the Charter of Fundamental Rights, found the level of protection to be inadequate. By doing so, it drew attention to Article 7 (right to privacy), Article 8 (right to data protection) and Article 47 (right to an effective remedy and fair trial). However, the Court’s emphasis on ‘the essence of the fundamental rights’ goes one step further than proportionality review because even a proportionate measure may be deemed to compromise the essence of that right. Thus, it leaves undetermined the question of which measures will entrench upon the essence of the right as well as what is expected from foreign authorities in finding a proportionate balance between data protection and competing interests, and when this will occur. As such, it gives almost a free hand to the ECJ in assessing the level of protection provided by the other legal orders.
Schrems I is also challenging with regards to balancing because the CJEU tilts the balance away from criminal surveillance and undermines the importance of data flow for surveillance and cooperation in criminal matters.Footnote 69 Epstein contends that the Court in Schrems I adopted a highly dogmatic methodology that was reminiscent of the judicial reasoning of the conceptual jurisprudence of the nineteenth century. In not assessing the impact of data privacy on surveillance, it gives one right answer to the delicate balance between access to information and data protection: ‘the privacy right in data … [is] a fundamental interest deserving the highest protection’.Footnote 70 However, despite all these criticisms and the ambivalent nature of balancing focusing on the essence of right, the ruling can still be palatable when the legal conditions prevalent in the United States are considered. For instance, the safe harbour principles are ‘applicable solely to self-certified United States organizations receiving personal data from the European Union, and United States public authorities are not required to comply with them’.Footnote 71 Further, in case of conflicting obligations originating from national security concerns, self-certifying organizations may be obliged to comply with them. This may seriously undermine the rights-holder’s right to effective judicial remedy, as the US legal system does not vest data subjects with required ‘administrative or judicial means of redress’.Footnote 72 So the absence of such a mechanism to assess the necessity of measures taken by the US authorities, particularly when they oblige self-certified organizations to deviate from the safe harbour principles, provided a legitimate base for the Court’s ruling.
This decision effectively ended the large-scale data transfer from the European Union to the United States – which was not surprising given that, in 2013, Edward Snowden had revealed the surveillance activities of the US intelligence services. Within a very short period, in August 2016, the European Union and the United States reached a new agreement in order to reopen the flow of data from Europe to the United States. The Privacy Shield, in contrast to its predecessor, gave US authorities such as the FTC and DOJ the power to oversee whether companies voluntarily pledging to follow the EU standards were indeed observing the rules. Further, it established an independent supervisory institution, the US Ombudsman, to provide a forum through which individuals could raise their grievances if they suspected that their digital rights were being violated.Footnote 73 However, the Privacy Shield could not succeed in saving itself from the same fate suffered by the Safe Harbour. In July 2020, building upon its arguments in Schrems I, the Court stated that ‘the limitations on the protection of personal data arising from the domestic law of the United States … are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law, by the second sentence of Article 52(1) of the Charter’.Footnote 74
This ruling is highly controversial when seen in the light of principle, expressed by the ECJ on numerous occasions as meaning that the term ‘adequate protection’ does not necessitate an identical level of protection; rather, it entails ‘a level … that is essentially equivalent to that guaranteed within the European Union’.Footnote 75 That is so because the equivalent protection principle is an alternative to harmonization that demands one right answer (the European Union’s answer) to the balance between data protection and, say, criminal surveillance, and thus it requires granting a certain margin of appreciation to the other legal orders. Nevertheless, this appears to be highly unlikely if the CJEU lays down the application of proportionality analysis as it is applied by itself as a condition for regarding foreign law as adequate without leaving enough discretion to the foreign authorities.
On its face, Schrems II may seem more palatable than Schrems I because the Court, adjusting its proportionality analysis and giving up its ‘essence of right’ discourse in favour of a more flexible balancing exercise, assesses the minimum safeguards provided by the foreign law in light of the Charter of Fundamental Rights.Footnote 76 However, when it is read in depth and contextually, a different picture begins to emerge. First, unlike AG Saugmandsgaard’s detailed analysis in which he weighs how the measures taken by the US authorities for national security concerns impact the EU’s digital rights,Footnote 77 the CJEU’s balancing exercise seems to be afflicted with the right to effective judicial remedy. However, those are different issues to be separated from each other. Finding a balance between digital rights and national security is independent of whether the essence of right to effective judicial remedy is compromised. In Schrems II, the CJEU seems to confuse these different rights as, even in the balance between digital rights and national security, it appears to be obsessed with the right to effective judicial remedy.Footnote 78 Its recourse to the notion of ‘effective of enforceable rights’Footnote 79 can be interpreted as an attempt to create a connection between digital rights and the EU’s understanding of right to effective judicial protection, which may only be met when data subjects are endowed with actionable rights ‘before the courts against the US authorities’.Footnote 80
In its analysis of the right to effective judicial protection (Art. 47), the Court therefore affirms that none of the regulations in the US legal system ‘grants data subjects rights actionable in the courts against the US authorities, from which it follows that data subjects have no right to an effective remedy’.Footnote 81 Seen in this light, any legal system that falls short of providing an effective judicial protection owing to its different legal tradition is deemed inadequate from the perspective of the CJEU, which seems more aligned with the logic of harmonization than mutual recognition. This argument can also be observed in the references made to the ECtHR’s case law in Schrems II, contrary to the AG’s elaborate legal reasoning engaging also with the ECtHR’s case law.Footnote 82 As such, it is misleading to expect from the CJEU that it takes notice of the differences between legal orders when it shies away from even referring to the ECtHR. Schrems II, when evaluated contextually, turns out to be rather problematic because it comes right after the legal adjustments made by the US legal system to align its legal order with the expectations of the CJEU. Against this backdrop, a question springs to mind: Is there any adequate measure that is not identical to the EU legal system but meets the demands of the CJEU? As stated clearly by Christakis, Schrems II ‘is without a doubt a constitutional judgment’ attempting to create a ‘holistic and coherent regime of protection’, and thereby raises the suspicion of European legal imperialism.Footnote 83
Opinion 2/15 and the GDPR: Still going global?
There are two additional incidents that demonstrate how the European Union has recently expanded its global regulatory reach. With the first, in 2015, the CJEU found an international draft agreement on the transfer of passenger-related data from the EU to Canada incompatible with the EU’s digital rights. The Court upheld its equivalent standard developed in Schrems, then also expanded its scope of application by assessing whether an international agreement was congruent with the Schrems standard.Footnote 84 Shrems involved the evaluation of the adequacy of foreign law through the mediation of the EU Commission’s decision. However, in Opinion 1/15, the Court made a straightforward evaluation of the compatibility of an international agreement with the Charter of Fundamental Rights (CFR) by using the charter as a standard in the assessment of international treaties.Footnote 85 This ruling prompted significant criticism for ruling that the level of protection provided by a country like Canada as inadequate. Given that Canada’s level of protection does not meet CJEU’s standards, one can assume that it would be all but impossible to find a significant number of other countries that could satisfy the expectations of the European Union. This may, in turn, lead to data balkanization. Critics of the ruling centred on the EU’s blind unilateralism and voiced concerns that the CJEU was using data protection as ‘a vehicle’Footnote 86 in its aspirations to be a global regulator.
The second incident occurred in May 2018 when the EU rolled out its new-generation data-protection regulation (GDPR) as a successor to the 1995 Data Protection Directive.Footnote 87 It attracted significant attention – so much so that the rollout date of 25 Mayhas been nominated by some as World GDPR Day.Footnote 88 The GDPR contains a critical provision regarding extraterritoriality, which serves an important role in the analysis presented in this article. Article 3 of the GDPR stipulates that the regulation ‘applies to the processing of personal data of data subjects who are in the Union’ even if the controller is ‘not established in the Union’, either when the processing activities can be tied to data subjectsFootnote 89 or when they occur in a place ‘in a place where Member State law applies by virtue of public international law’.Footnote 90 By placing the emphasis on data subjects, the directive extends its scope of application, and therefore goes one step further than Google Spain’s location-based approach. As such, it provides a fertile ground for the European Union to further extend its regulatory reach by imposing obligations on foreign companies that are not even physically located in the European Union. The GDPR extends its ‘territorial regulation with far-reaching extraterritorial effect’Footnote 91 to such a degree that even international organizations such as the United Nations have been affected, particularly in areas such as refugees, health research and migration.Footnote 92This step could be construed as a move that is simply concerned with its own residents rather than foreigners, even though it has some secondary consequences going far beyond this.Footnote 93 According to this argument, the directive does not amount to a unilateral imposition of its own values, for it is more concerned with the level of data protection provided for EU citizens than non-EU citizens.Footnote 94 But this still does not provide a sufficient justification for the legitimate use of global regulatory power, as it does not concern itself with how the others are affected by the regulation.
Actual intentions aside, this directive makes it apparent that the European Union engages in extraterritorial regulation, be it in the form of market-driven or treaty-driven harmonization. However, the EU is not the only actor with global aspirations and an interest in extending its regulatory arm. China is developing its own understanding of digital rights and data governance with its Great Firewall, banning a large number of apps and websites from China’s digital territory. These include YouTube, Google, Twitter and the New York Times. Footnote 95 Similarly in the United States, the hallmark of the libertarian approach embodied in Silicon ValleyFootnote 96 also makes attempts to widen its regulatory jurisdiction, although generally it tends to fly under the radar. For example, in February 2019 the United States issued an executive order under the Trump Administration, aiming to sustain American leadership in AI by embracing policies such as the development of technical standards for reducing barriers to open data and the open market.Footnote 97 The United States, similar to the European Union, has used law as a tool to protect its global power. To this end, the United States advocates for an open data policy whereby data may flow without barriers and AI can run smoothly.Footnote 98 In the next section, surveillance for criminal observation and counter-terrorism are examined – spheres where the United States uses its regulatory power as leverage to maintain its global power.
IV. Global reach of the United States: For the sake of criminal surveillance
The case involving Microsoft Ireland provides an excellent example of the US approach to data and criminal surveillance. Although the case eventually became moot when it was before the Supreme Court, after Congress’s enactment of the Clarifying Lawful Overseas Use of Data (CLOUD), replacing the 1986 Stored Communication Act (SCA), it can still shed light on the perception of rights that is prevalent in the United States. The saga began with Microsoft’s refusal to comply with a search warrant that demanded access to email accounts belonging to a suspected drug trafficker. Microsoft based its argument on the fact that the relevant data was stored in Ireland and giving access would be an extraterritorial application of the SCA, which is also at odds with the original intention of the Act.Footnote 99 Although several district courts sided with the government by placing the emphasis on the location of the company, the Second Circuit reversed these judgments, stressing the importance of the location of the data. The Circuit Court further stated that to enforce such a warrant, ‘insofar as it directs Microsoft to seize the contents of its customer’s communications stored in Ireland, constitutes an unlawful extraterritorial application of the Act’.Footnote 100
Unfortunately, it was not possible to obtain a US Supreme Court decision because the CLOUD Act provided a political resolution to the dispute. The CLOUD Act, amending the pertinent article of the SCA, stated that any ‘provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to … disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber … regardless of whether such communication, record, or other information is located within or outside of the United States’.Footnote 101 The Act also stipulates that the Court, in cases where its obligation conflicts with that of an instruction made by a foreign government, should take into consideration numerous other factors such as the interest of the foreign government, the provider’s ties to the United States, the importance of the investigation and the possibility of less restrictive means.Footnote 102 In short, although the CLOUD Act obliges all US-based companies to disclose information regardless of where the data is located, it also enumerates the grounds on which foreign states’ conflicting interests may be taken into consideration.
One of the problems the CLOUD Act claims to address is highly relevant to the concept of extraterritoriality: the fact that the SCA did not allow the United States to disclose data to foreign countries.Footnote 103 As such, foreign governments, when in need of the US-held data, had to resort to the mutual legal assistance treaty (MLAT), which was burdensome and inefficient, the process often lasting up to one year.Footnote 104 In order to address this issue, the CLOUD Act created a mechanism for foreign governments by which they would enter into a bilateral agreement rather than the MLAT, provided that the data subject is not someone who is an American citizen or inhabitant.Footnote 105 It is, therefore, still not possible for foreign countries to access data gathered and stored by a US company, outside of the MLAT mechanism. This reflects the underlying rationality of the fourth amendment, which differentiates persons located in the United States from foreigners and excludes the latter from the purview of the Bill of Rights.Footnote 106 This therefore creates a double standard by endowing US citizens with a higher degree of protection while leaving non-US citizens at the mercy of the US government’s political preferences.
The beginning of this section outlined the arguments proposed by the two sides of the dispute in the Microsoft Ireland case. Namely, the government’s argument is founded on the location of the company (access point), and Microsoft’s argument is that the location of the data is relevant to determine the competent authority and jurisdiction. However, neither of these arguments is entirely sound. Assuming, arguendo, that the jurisdiction of the court depends on the location of the data, this will lead us to accept that the jurisdiction of the court will depend on the choices of the internet service provider regarding where to locate their data.Footnote 107 From this, it follows that every government, with the intention of regaining its jurisdictional competence, will resort to data-localization and compel the ISPs to store their data within their own borders.Footnote 108 Conversely, if, arguendo, the jurisdiction of the court is based upon the location of the company, then the vast majority of data-related cases will fall under the jurisdiction of the United States, as most the of the ISPs are based there. Hence, I conclude that it is necessary to find a middle ground between data-localization and universal jurisdiction. Under this scenario, data will become accessible even if it is located abroad, and the states will show mutual respect and deference to the autonomy and interests of each other.Footnote 109
V. The reasons for divergence and underlying similarities
Two types of culture: Cultures of authority and justification
The United States has always been an exceptional country, and law is by no means an exception to the rule of exception. By means of illustration, the United States has the most antiquated constitution in the world – over 200 years old – with a unique federal system.Footnote 110 It is impervious to what is referred to as the global model of constitutional rights, a model that includes social and economic rights, grants horizontal effect to rights, incurs positive obligations to the state and uses proportionality analysis as a legal method in balancing competing rights.Footnote 111 In the same vein, the United States maintains its exceptionalism in data regulation by according an extensive protection to the freedom of speech.Footnote 112 As such, it is apparent that there is a ‘conceptual gulf’Footnote 113 between the United Sates and the European Union in terms of data protection.
In fact, this gap emanates from dissimilar conceptions of rights, regulation, legal systems and legal culture prevalent in the European Union and the United States. According to Porat and Cohen-Eliya, the United States represents an example of the culture of authority in which ‘rights are viewed as demarcating the boundaries of the governmental sphere of action and as imposing restrictions on governmental action and authority’;Footnote 114 the European Union, by contrast, provides an example of the culture of justification in which ‘every exercise of power is expected to be justified’.Footnote 115 Accordingly, the legal culture in the United States is founded on the idea that autonomous individuals should be protected from the infringement of the state, so rights are considered as exclusionary reasons, trumps or side-constraints against state intervention.Footnote 116 By contrast, the European Union presumes that rights can only be materialized if the state undertakes positive steps,Footnote 117 so rights lose the moral power they possess in the United States. They are devaluated to the level of mere interests, values or principles in the continental tradition, which can be balanced against competing community interests. Basic rights, therefore, are thought to be ‘“equally constitutive” for both individuals and society’, as they ‘encompass their own limitations’.Footnote 118 As such, the right to privacy and the right to data protection have recently ascended to the level of rights not because rights are more valued in the European Union, but because they are less valued in the European Union than they are in the United States.
This demonstrates why there are two different paradigms on the two sides of the Atlantic with respect to the relationship between individual, market and state. Whereas Europeans are disposed to be suspicious of the market and to be more comfortable with state intervention,Footnote 119 the market in the United States is perceived as more of an opportunity where an individual may reap the rewards of their own decisions rather than as a threat to be guarded against.Footnote 120 It follows from this distinction that Europeans are more risk averse and pro-regulation than Americans, who prefer risk-taking and ex-ante solutions. Therefore, where Europeans opt for an approach based upon ex-ante regulation in order to alleviate unexpected risks and outcomes, Americans defer the distribution of resources first to the market, then to the courts with a tort system.Footnote 121 To conclude, Europe represents a tradition in which the individual is embedded in society and therefore the state may intervene in both the market and the private sphere in order to rectify the market/individual failures. Conversely, the presumption of individual autonomy and the proper functioning of the market are almost irrebuttable in US legal culture.
I think this diverging stance towards regulation is due to the role attributed to law in different legal traditions. As made clear by Bomhoff in his recent historical analysis focusing on the question of how balancing is understood differently in the United States and Germany, balancing is seen as a tool for reaching ‘a perfect constitutional order’ in Germany (and now in the European Union), while it was treated as ‘a dangerous doctrine’ in the US legal scholarship.Footnote 122 Digital rights also bear the imprint of the foregoing distinctions. The underlying regulatory logic in the United States is that intervention with digital rights is legitimate unless proscribed by the law, as opposed to the European Union, which presumes that any infringement with a fundamental right is a violation unless it is justified.Footnote 123 The EU has a model of rights protection in which individual autonomy prevails over consent, and thus this is a regime where ‘rights talk’,Footnote 124 rather than a system where individual consent is deemed to hold the ultimate value. In summary, by placing special emphasis on individual autonomy, the European Union protects an individual for their own sake, contrary to the United States, where an individual is viewed as a customer and protected for the sake of the market.Footnote 125
This has further implications for the general framework set out. Unlike the compartmentalized and vertical structure of the United States, the European Union has developed a comprehensive horizontal model centred on proportionality analysis and applicable to any type of rights collision.Footnote 126 Thus, contrary to the European Union where digital rights have already gained the status of constitutional rights, the United States, giving priority to data privacy over data protection, has taken a piecemeal, sector-specific approach, like ‘a mosaic of normative instruments covering a variety of issues’.Footnote 127 The positive approach of the United States to the free flow of information in the marketplace of ideasFootnote 128 is another point of divergence that follows from the differences between the European Union and the United States described above. Whereas the European Union pushes forward for stricter and more comprehensive protection of digital rights – the rights to privacy and data protection – the United States is a staunch defender of the freedom of speech, innovation and the free flow of data. Internet regulation is another case supporting the so-far developed argument. Whereas the United States embraces a system of internet regulation, grounded in the idea of self-regulation, the European Union adopts a system of co-regulation that depends on the collaboration among government, individuals and ISPs.Footnote 129 To illustrate, section 230 of the US Communication Decency Act shields ISPs from any sort of civil and criminal liability as long as they only store and broadcast content created by others.Footnote 130 Further, it does not hold them accountable if they voluntarily act ‘in good faith to restrict access to or availability of material’Footnote 131 deemed to be illegal, obscene and harmful. In a nutshell, it creates an environment conducive to the self-regulation and empowerment of ISPs.Footnote 132 Conversely, the European Union’s Electronic Commerce Directive of 2002 is more sympathetic to the ISPs’ liability than the US equivalent and leaves ample room for state intervention.Footnote 133 In sum, law carries out different functions and assumes different roles in the European Union and the United States, which has important implications for the form that global data regulation is supposed to take.
The points of convergence: Are they that different?
It is also worth emphasizing that while these approaches are normative preferences that reflect historical and cultural values, they also reflect the stances taken with respect to global politics and regulatory competition. That is, the notion of digital sovereignty, the discourse of fundamental rights and the global reach of EU digital rights mirror the European Union’s recent efforts ‘to fill the economic gap distancing them from American and Asiatic technology giants’.Footnote 134 Thus, although they diverge significantly from each other with respect to the content of the regulation, they converge on one point: aspiration towards regulating the globe. Moreover, the European Union and United States adapt very similar policies and pay almost no regard to the interest of other states. Even the European Union, which seems highly flexible in terms of giving consideration to the interests of others as exemplified in the Inuit exemption,Footnote 135 can be seen in a different light when the GDPR is read in conjunction with the CJEU’s recent rulings. As mentioned in section 3, the CJEU – particularly in Schrems II and Opinion 1/15 – comes very close to equating an adequate standard with its own standard. Even before these judgments, the CJEU was criticized for prioritizing ‘a European perspective on privacy interests, but not necessarily a global one’.Footnote 136 This one right answer approach adopted by the CJEU, particularly in Schrems II and Opinion 1/15, bears the risk that its ‘commitment to promoting rules-based multilateral solutions to common problems will turn into an attempt to promote its own legal solutions by equating the latter with universal values’.Footnote 137 Thus, the EU should grant a wider margin of appreciation to other countries than it leaves to its own member states. It is a logical consequence that the more global the regulation, the wider the margin of discretion should be.
With regard to the US CLOUD Act, as Woods points out, it fails to factor in the other states’ interests and thereby leaves US companies with no choice but to unilaterally enforce US laws across the globe.Footnote 138 As such, it also pushes foreign countries toward data localization,Footnote 139 for they cannot access data gathered by US companies because of the CLOUD A, closer. In other words, this approach ‘encourages the balkanization of the internet into multiple closed-off systems protected from the extraterritorial reach of foreign-based ISPs’.Footnote 140 However, as Woods points out, this would have been avoided by adding a minor clause to the CLOUD Act stating that the Act does not ‘apply to law enforcement requests made outside the United States and that U.S. companies are therefore free as a matter of U.S. law to comply with those requests’.Footnote 141
In this light, it seems abundantly clear that the regulatory competition does not stem from a differing notion of rights. Instead, it emanates from the very similar unilateral attitudes towards global regulation that are clearly visible in the procedural clauses of the GDPR and CLOUD Act. The CLOUD Act makes access to data stored in the US territoryFootnote 142 conditional upon a bilateral agreement in the same way that the GDPR obliges the foreign countries to a data transfer agreement. Given that the alternatives are highly cumbersome and ineffective, they serve as a default sanction, and in some sense countries are forced to align their policies with the GDPR or the CLOUD Act. Furthermore, this bilateral agreement, using the same logic as the GDPR, will not only be subject to periodic review by the US government, but also obligates the foreign government to grant the same access to the US government.Footnote 143 Daskal points to the similarities between the CLOUD Act and the GDPR by asserting that, just like GDPR – which is applicable to any company doing business with the EU – the CLOUD Act ‘represents an effort by the United States to set international standards, but via domestic regulation rather than a global meeting of governments’.Footnote 144 For Daskal, this is a new mode of international law-making because it uses technology giants as leverage to reach the globe by merely regulating domestic incidents.Footnote 145 The only difference between the European Union and the United States seems to be the source from which they derive their powers: whereas the US derives its power from the data collected by US companies, the power of the European Union is grounded in its market and data-generating human capital.
VI. How to regulate?
Ryngaert’s selfless intervention and benevolent unilateralism
Good intentions do not always make good consequences, so we may end up in a situation that is diametrically opposed to our normative preferences. This is the case that we face with the GDPR and the CLOUD Act.Footnote 146 The GDPR has been one of the main causes of data localization because it ‘has led cloud computing providers to offer services storing personal data on servers exclusively located in the EU’ in order to avoid the strict and demanding provisions of the GDPR for transferring data abroad.Footnote 147 Similarly, the CLOUD Act left foreign countries with no viable alternative other than data-localization.Footnote 148 Therefore, any investigation into ways in which unilateralism can be used more constructively must also address the shortcomings of these regulations and their monolithic approaches.
Given that international institutions and international law have suffered losses against global issues such as climate change, migration, human rights and so on, its restrictive and bounded forms, unilateralism seems to offer a promising alternative to multilateralism. At a time when ‘the choice is not between unilateralism and multilateralism, but between unilateralism and inaction’,Footnote 149 unilateralism, bounded by subject matter and time, may be more defensible than simply standing back and observing as the multilateralism mess worsens. Intervention for the sake of global commons and responsive to unilateralism’s anti-democratic nature could be a very promising solution to the tragedy of multilateralism. Ryngaert refers to this as benevolent unilateralismFootnote 150 because it takes seriously others’ interests, right to self-determination and right to be free from domination.Footnote 151
Benevolent unilateralism does not depend on output legitimacy; it has a normative dimension that gives a prominent place to the idea of consent. As such, mechanisms through which affected states and parties could raise their voices, such as the right to access to justice and information as well as principles such as transparency and accountability, might prove useful.Footnote 152 Additionally, instruments such as consultations, making impact assessments and expanding the right to access to justiceFootnote 153 could help to improve input legitimacy. Another way to increase input legitimacy is through equivalent standard clauses, by which a regulating country treats the regulations enacted in another country as adequate as long as they provide a level of protection above a certain threshold.Footnote 154 It is of utmost importance to incorporate the perspective of outsiders into the decision-making process, no matter how limited it is, for it carves out a space in which a dialogic relationship unfolds between insiders and outsiders. In this case, decisions draw their legitimacy neither from the output nor from the input, but rather from the process itself, and this comes very close to the type of legitimacy recently referred to as throughput legitimacy.Footnote 155
It also resembles the integration method fostered by the European Union, by developing iterative and continuous dialogue between different legal orders with judicial techniques such as the Solange jurisprudence and principles like subsidiarity and proportionality. As may be recalled, in Solange I the BVerfG denied the principle of supremacy of EU law, affirming that it would continue to carry out fundamental rights review so long as the EU legal order fills its gap of fundamental rights protection.Footnote 156 Nevertheless, 12 years later in 1986, the Court ceased to carry out its fundamental rights review, finding the level of protection ensured by the EU legal order substantially equivalent to that of Germany. It further admitted that it will abstain from such a control activity, ‘as long as the European Communities ensure effective protection of fundamental rights’.Footnote 157 As may be inferred from the foregoing, it is incongruent with the logic of harmonization and seeks ways in which the logic of mutual recognition may set in motion a process of gradual norm-accumulation.
Hence, Solange jurisprudence is a method that uses time as a tool by giving each party enough time and space for mutual accommodation, and places significant importance on the process. It is an iterative, dialogic process between the CJEU and the high courts of member states, oscillating relentlessly between two opposing poles: more conflictual Solange I type rulings such as Maastricht, Lisbon and PSPP, and more coordinated Solange II type rulings such as the BverfG’s Banana judgment.Footnote 158 Unsurprisingly, other higher courts in a more horizontal context, where interaction transpires between heterarchical legal orders – such as the ECHR, the European Union and the United Nations – have recently taken advantage of the Solange method. To illustrate, whereas the ECtHR’s Bosphorus case exemplifies the Solange II type,Footnote 159 the CJEU’s Kadi case is a good example of the Solange I type. In short, it is a method that serves as an interface between different legal orders, which may also be considered a special case of judicial comity.Footnote 160 It is grounded in the idea that when states ‘seek to set global standards, it is quite obvious that they should keep in mind the impact of their policies on others, and that they should balance the others’ interests against their own’.Footnote 161
Comity as part and parcel of inter-legality
The problem of extraterritoriality is indeed a problem of allocation of authority, for states pass judgments on issues that have a bearing on other jurisdictions. As such, this brings to the fore the question of sovereignty, authority and autonomy. This may seem like an age-old doctrinal dilemma that calls for finding a compromise between different authoritative institutions;Footnote 162 however, the persistent questions – such as how to apply comity and when to defer to a foreign authority – are still challenging because they, first and foremost, compel us to strike a balance between two competing interests: (1) the state’s interest to solve the case pursuant to its own law; and (2) the foreign state’s countervailing interest in deciding the case according to its own law.Footnote 163 Hence, in this view, comity entails that the deferring authority should strike a balance between competing interests rather than show absolute deference to foreign authority.Footnote 164
Contrary to this balancing-based approach to comity, it is also plausible to think of comity as a presumptive rule requiring an authoritative institution to show deference to the judgment of another one. In this narrower reading, comity is not a matter of absolute discretion that is granted to a deferring authority, but instead is about an obligation to show respect towards the foreign authority even though it is not bound by the decision of the latter.Footnote 165 For instance, Endicott posits that comity does not stem from ‘the rights of the first (foreign) authority, nor even from the first authority’s success in carrying out its duties but from the second (deferring) authority’s duties to those whom the second authority serves, and to those whom the first authority serves’.Footnote 166 Further, he makes clear the link between comity and subsidiarity by claiming that the former is a special (horizontal) version of the latter.Footnote 167 He argues, embedding this relationship between authoritative institutions in Raz’s service conception of authority,Footnote 168 that ‘general reasons for comity are found in the service that the second authority (the one acting with comity) ought to provide to persons subject to its own authority, and in the value of the first authority’s capacity to provide a service to persons subject to it’.Footnote 169 Thus, there is an indirect relationship of duty between two authoritative institutions deferring to each other mediating through the individuals that they are supposed to serve. In sum, comity derives its legitimacy directly from the people residing in the territory of the other statesFootnote 170 and from the service deferring authority provided to this people, not from the due respect accorded to sovereign authority.
It can be asserted that comity necessarily requires taking other legalities into account, and thus it can be said that it is closely associated with inter-legality, which concerns itself primarily with the interaction of legalities.Footnote 171 For inter-legality, it is a mistake to confine the scope of legality to the territorial borders of a legal system or sectoral boundaries of a legal regime. It is necessary to take an intersectional approach to the legalities at stake in a world that is inevitably interconnected. It is, in the end, about ‘changing the epistemic standpoint’Footnote 172 by decoupling legality from the idea of systemic validity,Footnote 173 because when legality is saved from the shackles of systemic validity, it is possible to observe legality even at the intersection of different legal orders. Thus, it problematizes one-dimensional and monolithic approaches, rendering the outsider’s perspective immaterialFootnote 174 – just as Ryngaert’s benevolent unilateralism and selfless intervention are committed to doing. It is, therefore, inherently connected to the underlying principles of comity – that is, taking the other legalities or legal authorities into account. Even though it is generally preoccupied with the problem of monolithic judicial reasoning in the case law,Footnote 175 it is a mistake to confine inter-legality to the realm of judges and to questions of what a judge can do when confronted with seemingly incompatible ought-judgments arising from different legal orders.Footnote 176 In today’s closely connected and interdependent world, inter-legality appears to be a vital tool for addressing the question of how legalities should respond to each other and how they can solve the problem of plural normativity that emanates from the interaction itself.
When viewed from this angle, inter-legality also appears to address the issue of how our policies bear on others. To address the question of how legalities respond to the intervention and extension of other legalities, it is useful to treat each legality as a legal order ‘having its own administrative machinery’.Footnote 177 As argued by Chiti, at the heart of inter-legality lies the process of recognition, which is triggered when legalities interact, and determines the responses towards the other legalities.Footnote 178 Solange jurisprudence, a special case of the principle of comity, and other ‘pluralist procedural mechanisms, institutional designs or discursive practices that maintain space for consideration of multiple norms from multiple communities’,Footnote 179 can all be considered examples of inter-legality. In these cases, inter-legality unfolds during a sequence of events in which legalities interact with each other.Footnote 180 From Solange jurisprudence to comity or to the procedural proportionality review,Footnote 181 these tools serve as an interface to the process. Here, inter-legality, rather than focusing on one case, one judge and one thought process, expands its scope by focusing on the process in which interaction plays out. One can observe how legalities recognize the existence of other legalities and how they allocate authority by using these so-called interface norms. Lastly, by forcing us to change ‘the epistemic standpoint’,Footnote 182 inter-legality provides us with an opportunity to see the legalities beyond the legal systems and to counter the threat of legal domination of a one-right legal system, which is a permanent risk on which it is necessary to keep a wary eye.Footnote 183 It warns us against the threats coming with the logic of harmonization, which today seems to be the dominant view among the global competitors.
Data governance from the perspective of inter-legality
The claim that data protection has begun to emerge as a novel global value seems almost uncontroversial today.Footnote 184 Nevertheless, any attempt at unilateral regulation, in the absence of a global regulator that may enact global data regulation, poses significant problems from the perspective of the principle of sovereign equality. However, since unilateral regulation appears to be the only possible way forward, it is imperative to find ways to mitigate the externalities generated by unilateralism and transform it into something more inclusive and participatory. Here, principles such as showing mutual respect and accommodation, and considering the other’s perspective,Footnote 185 seem to be viable alternatives. It is also important to consider a selection of undesirable cases that are to be avoided, and some representative examples that can be found in data governance: (1) blocking statutes; (2) global injunctions; and (3) lack of comprehensive impact assessments. These approaches harm the principle of comity and inter-legality by fostering selfish unilateralism.
Blocking statutes ‘prevent compliance with another country’s laws’Footnote 186 – the US CLOUD Act is a good example of this. Even though global injunctions are not necessarily detrimental to inter-legality, they risk neglecting the legitimate interests of the other side, and thereby are one of the primary concerns for the inter-legal approach. As an example, the Canadian Supreme Court’s Equustek judgment, despite it being an example of a global injunction, presents a good example of the inter-legal approach. The Court stated, giving a prominent weight to the arguments from comity adduced by Google, that, ‘If Google has evidence that complying with such an injunction would require it to violate the laws of another jurisdiction … it is always free to apply to the British Columbia courts to vary the interlocutory order accordingly. To date, Google has made no such application.’Footnote 187
Inversely, the EU has taken a rather controversial stance towards data transfer from the European Union to the United States. First, it should be clarified once again that the European Union’s position was much more defensible before Schrems II Footnote 188 because of the Snowden Revelations and apparent lack of effective judicial remedy in the US legal order. Today, it can be asserted that the European Union has jurisdiction over digital platforms because ‘data processors are using computer equipment located within the EU; for example, by collecting data from EU-located computers by means of ‘cookies’, JavaScript, ad banners and spyware’.Footnote 189 As such, it seems highly indefensible that the GDPR’s global reach is somehow a reflection of the European Union’s many distinctive characteristics versus simply the unilateral imposition of European rules. The still-functioning colonial ties of the European Union, its highly accessible and easily transferable regulatory model and its culture of integration based upon the idea of mutual accommodation and compromiseFootnote 190 are the properties that are supposed to be the driving force behind its global regulatory reach. However, this functional explanation has lost much of its explanatory power, particularly in the wake of Schrems II, and it has become highly vulnerable to the criticism of Eurocentrism. It is possible to raise similar concerns regarding the US CLOUD Act, brought into existence in the aftermath of the Microsoft case, because it also makes access to data contingent upon the acceptance of terms unilaterally imposed by US companies.
As may be inferred from the examples above, the practices of global injunctions and blocking statutes do violate the basic tenets of inter-legality by harming its pluralist component through leaving a very limited scope for the outsider’s perspective. They represent serious interventions to the plural coexistence of legalities, which may foster the sectoral fragmentation of international law, for sectoral fragmentation comes with global regulation and sectoral closure. In short, these practices suffocate the plurality inherent in inter-legality. One further fact worth mentioning is that the European Union does scarcely factor in the negative externalities engendered by extraterritorial intervention,Footnote 191 as pointed out by Scott in his study of the global reach of EU law. Scott gives an example from an impact assessment conducted by the EU Regulators regarding measures taken against countries allowing non-sustainable fishing. She notes that ‘no assessment of the negative impact of the EU measures on small-scale fisheries and associated downstream industries within the Faroe Islands’Footnote 192 was carried out by the European Union. Similarly, Kuner contends, with respect to data regulation, that even though EU legal documents contain comprehensive human rights impact assessments, it is fair to claim that they are inclined to consider only their impact on the European Union, rather than on third countries.Footnote 193
VII. In lieu of conclusion: A novel type of Eurocentrism?
Achille Mbembe speaks of a utopian borderless world, where every individual is endowed with the right to free movement and, more importantly, inalienable rights.Footnote 194 Mbembe’s cosmopolitan ideal, nourished by post-colonial and post-modern critiques, reminds us of the artificiality of borders, which are erected to exclude some to the advantage of the others. However, exclusion does not come only in the form of physical borders, boundaries and frontiers; it may also come in the form of epistemological borders that dismiss one’s knowledge, perspectives and ideas as irrelevant by rendering them invisible. Seen from this perspective, any form of unilateralism, be it in the form of internal regulation with extraterritorial effects or stealth unilateralism in the form of the Brussels effect, should be met with the following questions: ‘Whose law is it?’ and ‘Is it inclusive?’
These are laws that flow from Western powers – namely, the European Union and the United States – even though they appear to stand in conflict with one another. They are problematic due to their apparent disregard for how their policies impact third parties and deny them a forum for active participation. As such, they violate the fundamental principle of plurality: ‘the duty to take into account the third country interest’.Footnote 195 Granted, this principle does not carry much weight in the ideal world of the law of disconnected orders, yet as we have witnessed, legal orders are interconnected in today’s highly global and digital worlds. Viewed in this light, to impose the one right solution – be it GDPR or the CLOUD Act – would be tantamount to legal imperialism or Eurocentrism. As Klabbers points out, ‘any attempt to espouse universal values almost automatically carries the suspicion of domination. Hence, in order to prevent domination, some consent-like mechanism is required.’Footnote 196
It is true that inter-legality does not necessarily lead to non-conflictual relationships between legal orders, and it may evolve into a more contradictory and conflictual approach over time. However, as mentioned above, it has a thin normative dimension, which highlights the flaws of monolithic, one-dimensional approaches – be they local or global. From here arises the idea of avoiding injustice because justice ‘is (also) a matter of “responsibility”, which requires gathering diverse sensitivities and reaching a kind of more comprehensive view by dissolving one-sidedness and ensuring the perspectives of others are heard’.Footnote 197 In a world where European judges have a penchant for teaching rather than learning or even hearing, it is likely that the world will see new legal ‘fortresses’ being built around the world, similar to the GDPR in Europe. The GDPR has been described as ‘impregnable’,Footnote 198 providing a maximum level of digital rights protection, but doing so by forfeiting flexibility. Flexibility is to be protected, as it ensures the European Union’s unilateralism does not lead to legal imperialism.Footnote 199 The image of an impregnable Europe brings about thoughts of Ruben Östlund’s film The Square, where people enjoy equal rights and obligations in a trusting and caring environment tailored to the needs of (Western) humans.Footnote 200 Similarly, MbembeFootnote 201 recently put forward the idea that ‘the totality of earth belonged to the West’. Today’s Eurocentrism is based upon separation, contraction and retraction; it is, therefore, less about extraction, conquest and exploitation than ‘cutting ties with the rest’ and building a fortress.Footnote 202 This argument reflects the points made by Koskenniemi, who notes:
Whether non-Europeans were either ‘included in’ or ‘excluded from’ the system of international law, the question is based on the (Eurocentric) assumption that being included is good (because international law is ‘good’) whereas exclusion needs to be condemned. But this cannot be right: the key question is not whether somebody is included or excluded but what ‘inclusion’ and ‘exclusion’ mean.Footnote 203
Eurocentrism is an approach that puts Europe at the centre of all knowledge by marginalizing other perspectives due to their immaturity and/or inferiority. This view assigns ‘truth only to the Western way of knowledge production’,Footnote 204 thus negating the knowledge produced outside the borders of the West. This gives rise to ‘self-referentiality, or solipsism where the Europe engages in a monologic relationship with others’.Footnote 205 Accordingly, ideas, developments or cultural differences from outsiders do not carry much importance because Europe has no need to interact with other states. Nonetheless, any type of methodological nationalism or Eurocentrism as such brings about Western political and moral superiority or priority, the prevention of which requires at least a modicum of other-regarding-ness. We should decentre Europe by demarginalizing the already marginalized outsiders. In short, if the West is to eschew methodological Eurocentrism, by imposing its own views to the world unilaterally, it should question the potential impacts of its regulations upon the others. As Cover reminded us, every legal order has its own narrative, its own interpretation and its own nomos, and when they interact with each other, the judges as ‘people of violence’Footnote 206 kill one interpretation in favour of the other. However, the fact that every interpretation is a jurispathetic activity does not mean that it should be tantamount to epistemicide – that is, the murder of knowledge.Footnote 207
As indicated above, there is a close connection between non-domination and the consent-like mechanism; nevertheless, there is also one other dimension that comes with the idea of non-domination that needs to be stressed: the sense of responsibility. Even if it is not possible to have recourse to the consent of the others, it is still possible to feel morally and political responsible towards them. The Aristotelian conception of responsibility includes two minimal conditions for the attribution of responsibility to someone: (1) the agent should have a minimum degree of control over the action (control condition); and (2) they should know what they are doing (epistemic condition).Footnote 208 Nevertheless, any conception of responsibility is doomed to fail unless it takes seriously the perspective of the agent who is affected from the action (patient). That is, it should not confine itself to the perspective of the responsible agent. The question of to whom the agent is responsible bears at least as much importance as the minimum conditions of individual responsibility. In short, it should shift its focus from an agent-centric approach to a relational one that is more interested in the quality of relationship than the attitudes of agent.Footnote 209 When viewed from a relational perspective, the role played by epistemic condition in the responsibility attribution changes significantly. For once, responsibility requires agents to provide explanation and clarification about why they decided to take particular action as well as to be aware of how their actions affect the lives of the patients.Footnote 210 This is to say that, when responsibility is seen from a relational perspective, the epistemic condition takes a turn to justification, obliging the agents not only to be aware of their actions but also to ‘be able to explain decisions to someone, to be able to answer someone who rightfully and reasonably asks “Why?” when given a decision or when acted upon’.Footnote 211 Thus, the scope of responsibility is all but impossible to grasp without paying due regard to the social context in which it is embedded because it is a social, dialogical and necessarily relational concept.Footnote 212 It insists on answerability and justification.
Responsibility is, therefore, different from accountability. For instance, accountability is related to holding someone to legal account, and thus confined to a legal perspective. Responsibility, however, is a term that goes beyond legal obligations. In that regard, the courts are ‘responsible courts’Footnote 213 only if they succeed in hearing the voices coming from the other side of the border, despite always being accountable to their own legal order. As such, being a responsible court requires hearing the grievances raised from other legal orders even if they are legally immaterial from an accountability perspective. The distinction between responsibility and accountability may be explained with a distinction made by Amartya Sen. He argues that being sympathetic towards others is individuated from being committed to doing something. According to Sen, whereas ‘sympathy is combinable with self-interested behaviour’ and ‘does not signify a departure from self-love as the only accepted reason for action’, committed attitude ‘is a clear departure from self-interested behaviour’.Footnote 214 The latter forces us to leave our point of view and adopt an other-regarding attitude.Footnote 215 It demands us to leave our comfort zone and commit ourselves to take the perspective of the patient seriously. For instance, the blocking statutes, global injunctions or insufficient impact assessments all fall short of meeting the demands of a committed attitude, even if they all become compatible with the demands of sympathy. As pointed out earlier, data regulation has a natural bias to going global, so it calls for responsibility, which may only be realized if one takes a committed stance rather than a sympathetic one, bearing in mind the relational dimension of responsibility. It requires us to become more inclusive, either in the process of regulation or at the time of implementation of the unilaterally designed regulation.
Open access
