The Private International Law Dimension of the GDPR
In this post, Jòan Gondolo presents the key findings from his doctoral thesis on the private international law aspects of personal data protection (Paris I Panthéon-Sorbonne, 2024). The research examines how private international law can effectively serve the protection of personal data in international contexts, with particular attention to the territorial scope of the GDPR and the tools available for implementing its regime.
From Negative to Positive Conflicts
When personal data regulation is discussed, the instinctive reaction has long been to frame it as a matter of domestic public law. This instinct is misleading. Any actor can easily, through the internet, conduct data-intensive activities from a favourable jurisdiction. The situations thus created have a marked propensity to be international, and therefore to trigger the traditional trilogy of private international law (PIL): international jurisdiction, applicable law, and circulation of judgments.
Scholars once suggested that the internet signalled the death of conflict-of-laws (see e.g., L. Lessig, « The Zones of Cyberspace », Stanford Law Review, vol. 48, n° 5, May 1996, p. 1403), proclaiming the sovereignty of a self-governing cyberspace beyond State reach. That chimera has been well and truly buried. Internet regulation is deeply contested between legal orders, each seeking to govern data processing according to its own value system. The question is therefore not whether State law applies to data processing, but which national or regional legal regime should govern the situation.
More specifically, the distinctive feature of digital law (including data protection) is that it typically gives rise to hyper-competition between legal orders. A data controller established outside the European Union (EU) can simultaneously process data of EU residents while transferring it to a processor in a third State, thus potentially triggering the application of the GDPR, the law of its own State, and the law of the processor’s State. PIL is therefore the privileged tool for resolving these positive conflicts. Reciprocally, and this is a central theme of this research, data protection law constitutes an opportunity for the revitalisation of PIL.
The GDPR’s Territorial Scope as an Ambitious Unilateral Rule
A unilateral rule with dual objectives
The spatial limits of the GDPR’s scope of application are defined in Article 3, which establishes two distinct criteria for application: first, to controllers established in the EU for processing conducted within the context of that establishment’s activities; and second, where data subjects are located in EU territory and have been targeted by a controller established abroad.
Two preliminary observations command attention. First, Article 3 is a unilateral rule. This reflects the GDPR’s hybrid public/private law nature and its overtly social and political character, which would sit uneasily with the designation of an external legal order. Second, and most strikingly, none of these criteria relies on technical elements such as the location of a server, a file, or the processing operation itself. Where earlier instruments were repeatedly defeated by technological evolution, Article 3 builds its connecting factors around the persons involved (the controller and the data subject) rather than the regulated activity (the processing and its chain of technical events). This methodological shift is both pragmatic and a strong statement that data protection belongs to the realm of fundamental rights, where the individual, not the technology, is the relevant connecting factor.
The establishment criterion inherited from the 1995 Directive
The establishment criterion, inherited from the 1995 Directive on data protection, requires two cumulative conditions: the existence of an establishment on EU territory, and that the data processing be carried out in the context of the activities of that establishment.
The concept of establishment in the data protection context was clarified by the CJEU in Weltimmo (C-230/14), which held that even a website could constitute an establishment, provided the installation is stable and the activity genuine. The reading of the notion of establishment is deliberately broad to defeat circumvention strategies.
The “in the context of” requirement was addressed in the landmark Google Spain case (C-131/12). There, a Spanish data subject sought the de-referencing of search results managed by Google Inc., an American company. The existence of a Spanish subsidiary (Google Spain) acting as a local advertising platform for Google Inc. was not in dispute; the question was whether the processing conducted by the American parent fell within the context of the activities of that subsidiary. The CJEU held that it did, reasoning that Google Spain’s advertising revenues financed the search engine’s activities and thus inextricably linked the subsidiary to them (even though the Spanish company had no part in the processing of data). The logic is that of an economic continuum: whenever a European establishment contributes to the commercial viability of a data controller, the processing falls within the scope of EU law, regardless of corporate structure. This interpretation, while teleologically compelling, is mostly pragmatic: its merit lies in identifying a locally-present defendant to reduce enforcement difficulties that a purely extraterritorial claim would entail.
The ambition of the targeting criterion
Given the ease with which a controller may relocate outside the EU while continuing to process the data of EU residents, the establishment criterion alone could not carry the full weight of Article 3’s ambition. Article 3(2) therefore introduces a targeting criterion, composed of two alternative conditions: the offering of goods or services to persons in the Union, or the monitoring of their behaviour within the Union. Crucially, neither condition requires the data subject to be a national or habitual resident of a Member State: mere physical presence in the EU at the time of data collection suffices.
This data subject-centred approach is coherent with the fundamental rights conception of personal data protection that prevails in the EU, which the research discusses through the works of authors such as Luciano Floridi in the field of digital ethics.
The first alternative condition (offering of goods and services) does not raise major interpretive difficulties: Recital 23 of the GDPR employs terminology closely aligned with the “directed activity” concept well-established in EU PIL under the Brussels I bis Regulation. Notably, the GDPR explicitly includes offers that do not require payment, thereby covering the core business model of social networks and online platforms.
The second alternative condition (monitoring of behaviour) has generated sharper controversy. In France for instance, a decision by the French data protection authority (CNIL) in the Lusha Systems case adopted a restrictive interpretation, treating “monitoring” as synonymous with “profiling”, a concept that inherently requires a predictive purpose. The effect was to leave several activities (such as mere data aggregation) outside the scope of Article 3(2). In response, the French legislature amended Article 3 of the Loi Informatique et Libertés to extend its scope to data aggregation by foreign actors, effectively legislating an interpretation in lieu of the CJEU.
Implementing the GDPR’s Ambition
The failings of Article 79 on international jurisdiction
The GDPR’s ambition to build an expansive security space is implemented through both public and private enforcement. On the latter aspect, Article 79 provides data subjects with an in favorem laesi option, allowing them to bring proceedings either before the courts of any Member State where the controller is established, or before those of the Member State of the data subject’s habitual residence. This dual head of jurisdiction mirrors the dual objectives of Article 3 of the GDPR and ensures that the weaker party can litigate before an easily accessible court.
The ability to bring proceedings before the courts of any Member State where the controller is established, even those that have no connection with the disputed data processing, seems excessive. Mirroring Article 3, we recommend limiting this head of jurisdiction to establishments in the context of the activities of which the processing is conducted.
A critical lacuna emerges when the scenarios of Article 3 and Article 79 are placed side by side. Article 3(2) extends the GDPR’s scope to any controller that targets persons located in the EU, irrespective of whether those persons habitually reside there. Yet, Article 79 provides no jurisdictional basis for such a data subject to sue, since neither the controller is EU-established nor the claimant EU-habitually-resident. This void constitutes a violation of the right to effective judicial protection under Article 47 of the EU Charter of fundamental rights.
To fill this void, the research proposes the addition of an Article 79(3) establishing residual jurisdiction for all situations that fall within the GDPR’s substantive scope but outside the existing heads of jurisdiction. Mirroring Article 77, the research suggests vesting competence in the courts of the Member State where the processing-related violation occurred.
We also suggest clarifying the interaction with the Brussels I bis Regulation, to ensure that it applies only where the GDPR is silent (for instance on plurality of defendants). In the same spirit, we recommend including, in the GDPR, a rule resembling Article 19 Brussels I bis for prorogation of jurisdiction.
The Applicable Law Mystery
More acute still is the silence of the GDPR on national applicable law. The shift from a directive on data protection to a regulation has undeniably reduced, yet not eliminated, the relevance of national law. The GDPR includes 56 delegations to Member States, and leaves entire domains to national rules without specifying how to identify the applicable one. This is notably the case of contractual questions not governed by the Regulation or where the Regulation allows Member States some flexibility (such as the age at which children can consent to the processing of their data).
In the absence of a lex specialis, the general EU PIL instruments, Rome I and Rome II Regulations, take centre stage, but their performance is deeply unsatisfactory.
As regards contractual aspects (which matter especially because many processing operations rest on the data subject’s consent), Rome I Regulation’s general rules in Articles 3 and 4 systematically favour the controller, who will typically draft the contract and designate a favourable governing law. The protective regime for consumers offers a more balanced approach, anchoring the applicable law to the consumer’s habitual residence. Yet, applying it requires the data subject to be qualified as a “consumer” – a frequent though non-systematic characterisation. This produces an incoherent fragmentation: supervisory authorities do not distinguish between consumers and professionals whereas the legal status of the data subject (consumer/professional) may be determinative before a court to identify the applicable law. This inconsistency is irreconcilable with a fundamental rights conception of data protection and the GDPR’s objective of uniform protection.
As regards non-contractual liability, the situation is worse: Article 1(2)(g) of the Rome II Regulation expressly excludes privacy violations from its scope, deferring the question to national conflict-of-laws rules pending a future reform of said Regulation. This results in a patchwork of solutions across Member States. The Franco-Belgian contrast is illustrative: France designates the law of the data subject’s habitual residence, while Belgium designates the law of the controller’s establishment, generating both positive conflicts (where a Belgian controller processes data of a French resident) and negative conflicts (the reverse), with divergent outcomes depending on the forum seized.
To remedy these deficiencies, the research advances two sets of proposals:
First, under the Rome I Regulation, data subjects should be systematically assimilated to consumers, justified by the structural asymmetry inherent in their relationship with controllers, which is equivalent to the consumer/professional imbalance. In the Rome II Regulation (and as discussed in the ongoing reform proposal), the privacy exclusion should be lifted and the law of the Member State of the data subject’s habitual residence should be designated as the primary connecting factor.
Second and alternatively, if cross-instrument reform proves politically unfeasible, the GDPR could be amended to include a new Article 79(4) designating applicable law. This new provision would designate the law of the data subject’s habitual residence as the primary connecting factor. For persons not habitually resident in the EU, the applicable law would be that of the Member State where the violation occurred.
Circulation of Judgments
The GDPR’s extensive reach also raises questions about the circulation of judgments. In this respect, the picture for intra-EU circulation of judgments is relatively clear: the simplified recognition and enforcement regime under Brussels I bis Regulation removes most practical obstacles. Extra-EU enforcement, particularly vis-à-vis the United States, is more problematic. In this context, the research identifies a combination of responses: substantive restrictions on data transfers to third States (see e.g., the Schrems saga regarding data transfer agreements between the EU and the United States), obligations on foreign controllers to appoint EU representatives, and reputational sanctions. Where enforcement of EU judgments must be sought directly in the United States (most acutely in the context of the right to be forgotten) the prospects remain bleak. American doctrine and case law treat such claims, especially when directed at domestic media outlets, as near-certain violations of the First Amendment.
Conclusion
PIL and data protection law are, in this research, shown to be mutually constitutive. The GDPR’s ambitious territorial design – establishing an expansive unilateral rule centred on persons rather than technical artefacts – represents a statement about the fundamental rights character of data protection. Yet, the ambition of that design is undermined by gaps in the ancillary PIL framework: a jurisdictional void between Articles 3 and 79, inadequate conflict-of-laws rules in Rome I and Rome II Regulations, and the absence of any rule for conflict of national laws within the GDPR itself.
Remedying these gaps is a precondition for ensuring that the rights conferred by the GDPR are genuinely effective, not only as obligations imposed on controllers by supervisory authorities through public enforcement, but as rights vindicated by individuals before courts through private enforcement. PIL has a crucial, and still largely unfulfilled, role to play in that endeavour.
