🛃
Exception for Data Processing Outside Jurisdiction

"Processing Outside the Jurisdiction" Applicability Factor

The "Processing Outside the Jurisdiction" factor refers to the scope of data protection laws based on where the personal data processing activities take place, regardless of the location of the data controller or processor. This factor can limit or extend the applicability of data protection laws depending on the specific provisions.

Examples from Different Data Protection Laws

Malaysia Personal Data Protection Act (PDPA)

PDPA Sec.3(2):

(2) This Act shall not apply to any personal data processed outside Malaysia unless that personal data is intended to be further processed in Malaysia.

Key Points:

  1. The PDPA does not apply to personal data processed outside of Malaysia, unless that data is intended to be further processed within Malaysia.
  2. The PDPA's scope is limited to personal data processing activities that take place within the jurisdiction of Malaysia.
  3. The PDPA does not have extraterritorial application to personal data processed outside of Malaysia, unless there is an intention to further process that data in Malaysia.

Thailand Personal Data Protection Act (PDPA, B.E.)

PDPA, B.E. Sec.5(1):

This Act applies to the collection, use, or disclosure of Personal Data by a Data Controller or a Data Processor that is in the Kingdom of Thailand, regardless of whether such collection, use, or disclosure takes place in the Kingdom of Thailand or not.

Key Points:

  1. The Thai PDPA applies to the collection, use, or disclosure of personal data by a data controller or processor located in Thailand, regardless of where the actual processing takes place.
  2. The Thai PDPA has extraterritorial application, as it covers personal data processing activities conducted outside of Thailand by entities established within Thailand.
  3. The location of the personal data processing is not a limiting factor for the Thai PDPA's applicability, as long as the data controller or processor is based in Thailand.

California Consumer Privacy Act (CCPA)

CCPA Sec.1798.145(a)(7):

(a) The obligations imposed on businesses by this title shall not restrict a business' ability to: (7) Collect, sell, or share a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer's personal information occurred in California, and no personal information collected while the consumer was in California is sold.

Key Points:

  1. The CCPA does not apply to the collection, sale, or sharing of a consumer's personal information if all aspects of the commercial conduct take place wholly outside of California.
  2. For the CCPA to not apply, the business must have collected the information while the consumer was outside of California, the sale of the information must have occurred entirely outside of California, and no personal information collected while the consumer was in California can be sold.
  3. The CCPA's scope is limited to personal data processing activities that have a connection to California, either through the location of the consumer or the place of sale/sharing of the information.

General Data Protection Regulation (GDPR)

GDPR Article 3(1):

This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

GDPR Article 3(2):

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

Key Points:

  1. The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of where the actual processing takes place.
  2. The GDPR also applies to the processing of personal data of data subjects in the EU by a non-EU based controller or processor, if the processing is related to offering goods/services or monitoring the behavior of those data subjects.
  3. The GDPR has broad extraterritorial application, covering personal data processing activities outside the EU that target or monitor individuals within the EU.

In summary, the "Processing Outside the Jurisdiction" factor can be used to limit or extend the applicability of data protection laws. Some laws, like the Malaysian PDPA, have a more limited scope that excludes personal data processed outside the jurisdiction, while others, like the Thai PDPA and the GDPR, have broader extraterritorial application.