Document Type: Original Article

Authors

1 M.Sc. in International Law, Faculty of Law, University of Tehran, Iran.

2 Assistant Professor, Faculty of Law, University of Tehran, Iran.

Abstract

Protecting users' personal data in cyberspace has become a necessity, and governments as well as regional and international bodies such as the European Union have taken legislative action in this regard. The laws adopted within the European Union are commonly interpreted as applying only within the territory of the Union's member states, yet the provisions of the latest European data protection instrument (GDPR: 2016) show that it has extraterritorial character and can be applied outside the borders of the Union. This study therefore uses a descriptive-analytical method to examine the text of this instrument and its predecessor (DPD: 1995), together with the most important cases before the European Union Court of Justice concerning the transfer of European users' personal data to the United States of America, in order to clarify whether this instrument can be applied across borders in non-EU countries. The findings indicate that, owing to the significant political and economic power of the Union, the large number of European users on the Internet, the interpretations and opinions provided by the European Court, the history of data transfer mechanisms between Europe and the United States, and the administrative mandates provided in this instrument, the regulation in practice has extraterritorial character and is applied outside the Union.

Keywords
