Danger! GDPR… In Space!
We’ve just realised – so far people have been thinking in a very two-dimensional way about the areas in which GDPR applies, considering the obligations relating to transfers of personal data into and out of the EU on the basis of the two-dimensional world map.
But, at what point when data leaves the EU vertically – i.e. out into space – is data considered to leave the Union? Or, on a less academic point, does transmitting data via satellite give rise to concern that adequate protections need to be enacted… in space?!
First, a quick summary of who owns the airspace above a country. It is generally considered that each nation state owns the airspace vertically above its territory and, where they have a coastline, out to their ‘territorial waters’ 12 nautical miles from that coast. The height to which a nation’s ownership of this airspace extends is not internationally agreed, but is generally considered to be between 30 and 160km above the earth. 160km is significant, as this is the lowest height at which a satellite can orbit, so it’s clear that national airspace does not encompass satellites.
Therefore, at least in theory under GDPR, any personal data which is transmitted by satellite will leave the European Union, even if it returns immediately to it (e.g. if the signal is sent up to a satellite from France and beamed back to Germany, it will still have left the European Union vertically). This also doesn’t take into account that many satellites aren’t geo-stationary, and those communications may well be with satellites which are above the airspace of non-EU countries, or the international airspace above seas and oceans. Transmission via satellite is likely to constitute ‘processing’ for the purposes of GDPR; accessing via smartphone was considered adequate ‘processing’ by WhatsApp of the data of Dutch citizens.
As a result, if EU companies believe they are protected from sanction under GDPR because they are using EU-based companies to do their processing, there may be risks which they haven’t taken into consideration that if their processor sends communications via satellite, or if satellites are used to communicate that personal data to them for processing in the first place.
The level of risk? Probably not significant. The main focus of concern at the moment is the EU looking at themselves. The next attention will be international transfers between the EU and other countries, and the processing of the personal data of EU-citizen outside the EU (e.g. the need to have adequate measures in place when transmitting data outside the EU, and the need for non-EU companies to have a Data Protection Representative in the EU). It’s unlikely the courts of the European Union will be keen to open up questions in the third dimension, when the two dimensions in which GDPR anticipates compliance are struggling to achieve it. In the future, as nation states become increasingly involved in data interception and hacking, it’s possible that data-interception satellites could become a part of a country’s national security programme, at which point the academic discussion would become much more relevant.
However – from 25 May 2018 – if you find your personal data floating around unprotected in outer space, maybe GDPR can prevent it falling into Martian hands!
Is your company ready for GDPR? If you have no base in the Europe, have you appointed a Data Protection Representative in the EU? Contact DPR Group at firstname.lastname@example.org for more information, or visit our website at www.dpr.eu.com.
Photo courtesy of NASA