The processing of personal data within a jurisdiction's territory is a key factor in determining the applicability of data protection laws. This factor extends the scope of data protection regulations to activities physically occurring within a country's borders, regardless of the data controller's location or the data subject's nationality.

Provision Examples

"LGPD Art.3(I) in Brazil: This Law applies to any processing operation carried out by a natural person or a legal entity of either public or private law, irrespective of the means, the country in which its headquarter is located or the country where the data are located, provided that: I – the processing operation is carried out in the national territory;"

"DPDP Art.3(a) in India: Subject to the provisions of this Act, it shall— (a) apply to the processing of digital personal data within the territory of India where the personal data is collected–– (i) in digital form; or (ii) in non-digital form and digitised subsequently;"

Description

The "processing in jurisdiction" factor is commonly incorporated into data protection laws to ensure comprehensive coverage of data processing activities within a country's borders. Lawmakers extend the application of these laws to such situations to protect individuals' data rights regardless of the data controller's location or the data subject's nationality.Several approaches to this factor are observed in the provided provisions:

1. Broad territorial scope: Some jurisdictions, like Brazil, apply their laws to any processing operation carried out within the national territory, regardless of the data controller's location or data storage location. As stated in the LGPD, "This Law applies to any processing operation carried out by a natural person or a legal entity of either public or private law, irrespective of the means, the country in which its headquarter is located or the country where the data are located, provided that: I – the processing operation is carried out in the national territory;"
2. Focus on digital data: India's approach specifically targets digital personal data processing within its territory, including data collected in digital form or digitized subsequently. The DPDP Act states that it applies "to the processing of digital personal data within the territory of India where the personal data is collected–– (i) in digital form; or (ii) in non-digital form and digitised subsequently;"
3. Inclusion of means located in the territory: Some jurisdictions, like Angola, extend their laws to data controllers not established in the country but using means located within the territory for data processing. The Angolan law applies to processing "By a data controller who, not being established in the Republic of Angola, uses means located in Angolan territory for the processing of personal data." It further clarifies that "the mere use of such means for the collection, registration, or transit of personal data in the territory of the Republic of Angola is sufficient."
4. Broad interpretation of processing: The Philippines takes a comprehensive approach, applying its law to processing done in the Philippines and to entities that collect or hold personal data in the country. The Implementing Rules and Regulations state that they apply when "The processing of personal data is being done in the Philippines" or when an entity "collects or holds personal data in the Philippines."

Implications

The "processing in jurisdiction" factor has significant implications for businesses operating across borders:

1. Local presence: Companies with physical operations or data centers in a jurisdiction may be subject to its data protection laws, even if they are headquartered elsewhere. For example, a US-based company with a data center in Brazil would need to comply with the LGPD for data processed in that facility.
2. Use of local infrastructure: Businesses using cloud services or other processing means located within a jurisdiction may fall under its data protection regime. For instance, a European company using an Angolan server for data storage would likely need to comply with Angolan data protection laws.
3. Digital operations: Companies conducting digital operations within a jurisdiction, such as collecting data from local users or processing data through local networks, may be subject to local laws. An e-commerce platform based outside India but processing digital data of Indian customers would need to adhere to the DPDP Act.
4. Data collection and storage: Entities collecting or storing personal data within a jurisdiction, even temporarily, may need to comply with local regulations. A global social media platform that collects and stores user data in the Philippines, even briefly, would be subject to Philippine data protection laws.
5. Transit of data: In some jurisdictions, like Angola, even the mere transit of personal data through the territory can trigger the application of data protection laws. This could affect companies routing data through local networks or infrastructure.