Use of the term ‘extraterritorial’ to describe the regulation of international transfers of personal data in European Union (EU) data protection law has led to confusion about the scope of such regulation. The distinction in data protection law between extraterritoriality ‘in scope’ and ‘in effect’ has become meaningless.
Extraterritoriality in EU regulation of international data transfers is intrinsically neither good nor bad; rather, its appropriateness depends on how it is used and implemented. Regulation of international data transfers in EU data protection law tends to apply in a ‘black or white’ fashion, without the safety valves necessary to prevent jurisdictional overreaching. This leads to increasing conflicts between EU law and the law of third countries. There is a need to determine the territorial boundaries of the application of EU data protection law and to take factors such as enforceability into account when doing so.