| The intent is very much territorial. I don't think your interpretation is 100% correct, but I think it's 95% correct. Jurisdiction is clearly defined as territorial: https://gdpr-info.eu/art-3-gdpr/ However, the framing as a human rights law, protecting "fundamental rights and freedoms of natural persons," means that the intent is somewhat more broad: https://gdpr-info.eu/art-1-gdpr/ It defines principles which are believed to apply everywhere. That's reinforced by language like "This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law." This extends jurisdiction as far as practical, in ways which are legally ambiguous. "Legally ambiguous" generally means that you might be right, but the cost of finding that out will be astronomical. Human rights laws have an inherent friction to them. On one hand, if random dictator's private business violates human rights laws, that's outside of jurisdiction, so not much can be done about it. Sovereignty is an important principal. On the other hand, it's clearly viewed as not okay, and often has some ramifications at some point. If you're applying for a contract, and have a track record of human rights violations.... |