Extraterritoriality of Data Protection: GDPR and Its Possible Enforcement in Indonesia

摘要

The expansion of communication technology entails the free flows of data beyond and across borders. Jurisdiction based on territoriality is seen by an increasing number of countries to be longer sufficient when it comes to data transfer governance, and data privacy in particular. The European Union's General Data Protection Regulation or GDPR is by far the most innovative and comprehensive set of data rules, which, aside from imposing high standards of data protection, introduces extraterritorial application to controller and processor outside the EU. Questions are raised regarding the legality of EU legislator decision to regulate non-EU actors and activities. But the biggest question remains: how such regulation can be enforced in third countries. This paper examines the enforcement of extraterritorial application of GDPR, in particular the provision of Art. 3 (1) and Art. 3 (2), by reviewing from the perspective of international law as well as domestic law. Alternative strategies deployed by EU regulators to promote compliance with the GDPR will also be discussed. Prescriptive jurisdiction and enforcement jurisdiction will be distinguished so as to give clarity on the extent of power a state has in terms of application of laws. States are permitted under International law to prescribe, in its own jurisdiction, legislation that regulate matters outside of its own territory. However, they are limited by the international law to enforce such regulation in the territory of other country without said country's consent. As Indonesia is not a party to any treaty governing enforcement of judgement and actions of foreign authority nor it permits, based on its laws, the same, it is unlikely that court decision or sanctions from European authority can be enforced in Indonesia. However, alternative strategies deployed by the EU regulators, particularly the data adequacy requirement may drive compliance among Indonesian entity.