“Dancing with the puppets’ strings”: Tech regulation between extraterritoriality and jurisdictional constraints, a public international law perspective

  1. Rules of good neighborliness: The world is a small place[1]

Trans-national and cross-border dynamics form the underlying fabric of many global challenges. Organised crime and terrorism, pandemics, the economic implications of the ongoing conflict in Eastern Europe, or the possibility that environmental disasters or human-made hazards produce effects with consequences for third states are just a few instances of this. After all, the “butterfly effect”[2] has become part of our collective consciousness for a reason.

Recently, much controversy sparked from the UN Atomic Energy Agency’s decision to endorse Japan’s plan for nuclear waste disposal, which involved discharging “treated water” into the Pacific ten years after a tsunami had severely damaged the nuclear plant of Fukushima. Costal countries and fishing unions, in particular, voiced their concerns.[3]

The triangular framework of above, encompassing [1] entities and/or events provoking [2] at least potential detriment to third parties and [3] the state on whose territory the possible detriment to third parties’ originates[4] seems here equally applicable to situations where e.g. private companies based in non-EU countries commit cross-border violations of fundamental rights of individuals within the EU territory vis-à-vis the protection offered by EU regulations with extraterritorial application such as the General Data Protection Regulation (GDPR) and the proposed AI Act (AIA) – prospectively.


  1. Extraterritoriality, effectiveness, and jurisdictional constraints in fundamental right protection

While evocative concepts like the “Brussels effect”[5] powerfully describe the far-reaching impact of the GDPR beyond EU borders – and a scope of (extra)territorial application similar to that enshrined in Art 3 GDPR emerges from corresponding provisions in the AIA – instances of vast-scale and serious violations of several aspects of the right to data protection in its European understanding still exist. In this sense, the Clearview AI and ChatGPT cases[6] serve as paradigmatic examples revealing how vulnerable we still are before violations originating in third countries. These events expose the limitations and deficiencies of EU regulations with extraterritorial effect – particularly in terms of effectiveness and enforcement.

The «uniquely transboundary character of personal data»[7] challenges traditional models of fundamental rights protection based on defined boundaries and territories, the direct exercise of sovereignty, jurisdiction and/or control by state actors proving their inadequacy. However, certain principles and schemes of public international law offer some possibilities to reflect upon and frame transboundary phenomena such data protection and AI-based issues, while exploring alternative research perspectives.

At the end of the day, there are not many differences among scenarios encompassing states’ obligations deriving from risks of transboundary environmental damage,[8] hackers causing harm/committing violations against targets based in the territory of a third state[9] and companies violating the rights of data subjects within the EU territory, all originating on the territory of a state different from the one affected. In similar cases, considerations on responsibility allocation would all point at the positive due diligence obligations[10] that states have in not having their territory or the infrastructures under their control used for operations that affect the rights of third states or produce adverse consequences for them.[11]

However, a crucial distinction arises when comparing the examples above with cases involving the protection of fundamental rights through EU regulations with extraterritorial effect. And that consists in having – on the one hand – parties subject to international standards and obligations descending from multi-lateral agreements and/or norms of customary international law, while – on the other – a sui generis international organisation somehow exercising forms of “prescriptive jurisdiction” over companies based outside its territory through regulations adopted on the basis of the conferral of powers it received by its member states – i.e. Article 5(2) TEU.[12] Consequently, non-compliance with GDPR provisions or difficulties in exercising effective forms of “jurisdiction to enforce” the measures adopted by e.g. data protection authorities should not come as a surprise. Yet, it is important to note that the extraterritorial application of EU secondary law cannot be seen as entirely imposed on third-party actors. Instead, foreign companies could be considered as having accepted the provisions contained in EU regulations through facta concludentia by conducting business in a manner that triggers the elements outlined in Arts 3 GDPR and 2 AIA – thus activating the “if you target the EU, the EU targets you back”[13] mechanism.

Still, one of the main limitations of this system consists in the fact that without genuine compliance such measures prove insufficient for granting the effective protection of fundamental rights.


  1. Cooperation and competition in AI governance, some considerations

In a similar scenario, the role of the “home state” from which the violation originates seems crucial in ensuring the prevention, investigation, punishment, and redress of transboundary AI-based violations. In fact, quoting the impactful title of an equally powerful article, it is mostly there that the answer to the question “who should bell the cat?” resides.[14] From this angle, one of the main issues consists in identifying for what reasons and through what means a third country should “cooperate” in granting on its territory the respect for provisions and standards of protection adopted by another state/entity. Diplomatic and market relations with allies, business partners, and competitors – together with market rules – constitute practical constraints for the protection of fundamental rights that cannot be disregarded. Nevertheless, systematic failures in effectively protecting EU fundamental rights through regulations with extraterritorial effect may prove to be a risky game. In the long run, widespread disregard for EU law could diminish the EU’s role as a normative actor on the global stage, undermine the authority of its legal system,[15] and dilute the influence of its championing of fundamental rights standards. From a slightly different angle, also the impressive production of hard and soft law instruments rich in «symbolic [fundamental rights]capital»[16] by the EU could weaken the actual power and relevance of fundamental rights discourses.

We better be aware of such risks, ward off the occurrence of similar hypotheses and the consequences they may entail. Looking ahead, forthcoming instruments such as the AIA and the Council of Europe Framework Convention on AI, Human Rights, Democracy and the Rule of Law, along with their interaction with current standards, are expected to provide an additional layer of protection whose effectiveness will once again be a question mark. In the meantime, reflecting on some of the challenges modern and emerging technologies pose to the effective protection of fundamental rights through the lenses public international law can certainly contribute to gaining perspective and identifying what are some of the limits and constraints of protecting EU values and fundamental rights in a globalised world.

[1] Francesco Paolo Levantino, PhD Candidate in International and European Human Rights Law at Sant’Anna School of Advanced Studies (Pisa, Italy). Email, f.levantino@santannapisa.it.

[2] P. Dizikes, When the butterfly effect took flight, in MIT Technology Review, 22 February 2011.

[3] S. Murakami, Fukushima: Japan gets UN nuclear watchdog approval for water release, in Reuters, 4 July 2023.

[4] S. Besson, Due diligence and extraterritorial human rights obligations-mind the gap!, in ESIL Reflections, 1(9), 2020, 1-9.

[5] A. Bradford, The Brussels effect: How the European Union rules the world. Oxford University Press, 2020.

[6] See respectively, N. Lomas, Clearview fined again in France for failing to comply with privacy orders, in Tech Crunch, 10 May, 2023; C. Goujard & G. Volpicelli, ChatGPT is entering a world of regulatory pain in Europe, in Politico, 10 April, 2023.

[7] F. Bignami & G. Resta, Human rights extraterritoriality: The right to privacy and national security surveillance, in GWU Law School Public Law Publications and Other Works, Research Paper No. 2017-67, 2017, 12.

[8] G. Vega-Barbosa & L. Aboagye, Human rights and the protection of the environment: The Advisory Opinion of the Inter-American Court of Human Rights, in EJIL:Talk!, 26 February 2018.

[9] i.a. A. Coco & T. De Souza, “Cyber due diligence” A patchwork of protective obligations in international law, in European Journal of International Law, 32(3), 2021.

[10] Ollino A., Due diligence obligations in international law, Cambridge, 2022.

[11] Cf. M. N. Schmitt, (ed) Tallinn manual 2.0 on the international law applicable to cyber operations, Cambridge, 2017, 31.

[12] Cf. S. Besson, The bearers of human rights’ duties and responsibilities for human rights: a quiet (r)evolution?, in Social Philosophy and Policy, 32(1), 2015, 255.

[13] P. De Hert & M. Czerniawski, Expanding the European data protection scope beyond territory: Article 3 of the General Data Protection Regulation in its wider context, in International Data Privacy Law, 6(3), 2016, 238.

[14] S. Deva, Acting extraterritorially to tame multinational corporations for human rights violations: Who should bell the cat, in Melbourne Journal of International Law, 5, 2004, 37.

[15] Cf. G. G. Fitzmaurice, The foundations of the authority of international law and the problem of enforcement, in The Modern Law Review, 19(1), 1956.

[16] C. Cocito & P. de Hert, The use of declarations by the European Commission: ‘careful with that axe, Eugene’, in The Digital Constitutionalist, 2023.

Share this article!

About Author

Leave A Reply