[2025] UKUT 319 (AAC)

Ms Proops described the EU as “fundamentally a territorially preoccupied legal edifice” and said this position was reflected in EU caselaw.

InAir Transport Association of America and others v Secretary of State for Energy and Climate Change C-366/10 (“Air Transport Association of America”)the CJEU considered a challenge to the EU’s emissions trading scheme on the basis that the directive implementing it was in breach of applicable international laws. The CJEU took a territorially confined approach, concluding that the scheme applied only where an aircraft was within an aerodrome within the territory of a Member State, and did not apply to aircraft flying over the high seas, or even flying over the territory of a Member State but not landing there. This was, Ms Proops said, notwithstanding that EU citizens would clearly be better off were the EU to control emissions globally, rather than simply within the territories of the EU.

Ms Proops pointed to Google v CNIL(discussed at [106] to [114] above) as another example of the CJEU taking a territorially confined approach to construction of EU legislation, this time in a data protection context. Google v CNIL did not involve the application of international law, but it did engage comity considerations, including the imperative to avoid regulating how non-EU actors go about exercising their right to access information online.

As we explained in our earlier summary, in Google v CNIL the CJEU decided that Google’s response was compliant even though Google had “geo-fenced” its de-referencing activities with the result that links concerning the requester were de-referenced only in respect of searches conducted from within the EU, and not in respect of searches conducted from outside the EU. This was because the de-referencing provisions in question were essentially territorial in nature, and so applied only within the territories of the EU, even though that meant that EU data subjects’ “right to be forgotten” was therefore only partial. Ms Proops said this underlined that data protection rights are fundamentally territorial in nature.

We accept this to be an example of a territorially focused approach being taken by the CJEU. However, it represented the CJEU following the wording of the material provisions of the 95 Directive and the GDPR, rather than giving them an artificially narrow interpretation. The EU legislators chose to enact provisions (Articles 12(b) and 14(a) of the 95 Directive, replaced by Article 17 of the GDPR) that prescribed a territorially focused approach. This case is not authority for the proposition that EU legislation must be construed territorially where the provisions themselves do not indicate an intention to be territorially confined.

Ms Proops pointed to the objective of the GDPR as explained in Recital 170 as being to ensure an equivalent level of protection “throughout the Union”, and not “throughout the world”. She said this reflects the principle that EU law generally strives to regulate what happens within, not beyond, the borders of the EU, even when that might result in sub-optimal protection for EU citizens.

However, as Ms Proops had to concede, it cannot be said that there could never be any element of extra-territoriality to EU laws to protect the interests of EU citizens. Rather, she said that if provisions are to have extra-territorial effect that effect must be provided for in sufficiently clear terms, and the situation is starker still in relation to the activities of foreign states because the EU simply has no competence to legislate for what foreign states do, or do not do.

We agree with Ms Proops that the EU is generally focused on matters within its borders, but we are not persuaded that the authorities she seeks support from really advance Clearview’s case. This is for the simple reason that Recitals 23 and 24 GDPRmake clear that the legislators had identified a need to regulate extra-territorially in order to protect the data rights of EU data subjects in the digital age, and they introduced express wording into Article 3 to provide for precisely that.

Ms Proops made the point that the EU is not a sovereign state in joint dominion over the territories comprised within it, but rather a legal construct through which a collection of sovereign states agree to come together and agree to be bound by a set of common rules on various matters by way of the treaties to which the members signed up, and the legislation made under those treaties. She likened the EU’s laws to the rules of a members’ club whose rules bind its members because those members have agreed to be bound by them. Ms Demetriou also invoked the analogy between EU legislation and the rules of a members’ club. Like them, we find this analogy to be helpful.

As a “members’ club”, the EU’s competence extends only to its Member States, and, even then, it extends only to those matters in respect of which its Member States have conferred authority on it to decide. Ms Proops submitted that any construction of EU legislation to the contrary is “legal heresy” and fails to understand the essentially constitutional nature of the EU. She added that, even were the EU to have competence to legislate to control or regulate the acts of foreign states, it is inconceivable that it would exercise that competence so as to create rules that risk capturing the activities of foreign states, whether through the “front door” or the “back door”, because to do so would profoundly infringe the principles of comity and sovereign equality. She said that to seek to regulate private actors in the sovereign territories of other nation states raised significant comity and futility issues, but to seek to regulate or control how foreign states function is a “completely different order of comity offence”.

We find Ms Proops’ submissions on the “heresy” of any interpretation that fails to reflect the limits to the EU’s competence somewhat puzzling. This is because neither the ICO nor Privacy International has proposed such a construction. Ms Demetriou said Article 2(2)(a) amounts simply to a confirmation that the GDPR does not seek to regulate in respect of matters that had been reserved to the national governments of its Member States, and it says nothing of the position of foreign states. That is very much “on all fours” with what the Advocate General said in his opinion in Latvijas at [58], namely that Article 2(2)(a) reiterates the constitutional requirement of what must be guaranteed for a State to function: see [81] above.

Privacy International’s case is not that foreign states are within the material scope of regulation, but rather that they are outside the scope of the GDPR entirely by operation of public international law. That interpretation is unarguably respectful of comity.

The ICO’s construction of Article 2(2)(a) is that, while it is mainly about the things that Privacy International says it is about, because it must be viewed through the lens of comity principles, the words “outside the scope of Union law” must be read to exclude the activities of foreign states too. That interpretation is likewise perfectly respectful of comity.