Territorial Scope and Data Transfer Rules in the GDPR: Realising the EU’s Ambition of Borderless Data Protection

Research output: Working paperResearchpeer-review

Legal protection of personal data that are transferred or processed outside the EU’s territorial boundaries has been strengthened in recent years, both in the GDPR and by the Court of Justice. The main mechanisms for guarding against data protection threats originating from outside the EU’s borders are rules on the territorial scope of EU data protection law (Article 3 GDPR), which allow its application to data processing by non-EU parties, and data transfer restrictions (Chapter V GDPR), which protect personal data that are transferred to third countries. The GDPR does not indicate how these two mechanisms interact, which has led to initiatives to disapply data transfer rules when data processed outside the EU are already subject to it. However, there has been little transparency about these initiatives or explanation of their rationale, despite their significance for the protection of EU data and their impact on the GDPR’s global reach. For the protection of EU data against external threats to be both legally sound and effective in practice, it is necessary to examine the nature and interaction of rules on territorial scope and data transfers, in order to determine how the EU’s vision of cross-border data protection can be realised.
Original languageEnglish
PublisherUniversity of Cambridge. Faculty of Law
Number of pages36
Publication statusPublished - 2021
SeriesUniversity of Cambridge Faculty of Law Legal Studies Research Paper Series

Bibliographical note

Research Paper No. 20/2021

    Research areas

  • Faculty of Law - data protection, GDPR, Applicable law, international data transfers

ID: 335282908