Application of GDPR to activities on the Moon

While the EU General Data Protection Regulation (“GDPR”)  was designed with Earth-based activities in mind, it does not explicitly exclude extraterrestrial activities. Let’s consider the basis for the application of the GDPR to activities on the Moon.Article 3 of the General Data Protection Regulation (GDPR) outlines the territorial scope of the regulation.

Art. 3 GDPR

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

1. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
   1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
   2. the monitoring of their behaviour as far as their behaviour takes place within the Union.

Article 3 GDPR primarily applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union. However, it also extends its application to situations where the processing activities are related to the offering of goods or services to data subjects in the Union or the monitoring of their behavior within the Union, regardless of the controller or processor’s location. The wording of Article 3 is broad, and it is based on the location of the data subjects and the context of the processing activities.

• The “Establishment” (and the intertwinement principle)

GDPR Article 3.1 provides that the GDPR applies to “processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” Under this provision there must be an establishment in the EU. Whereas clause (22) clarifies that “Establishment  implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”

The principle of intertwinement, as established in the Google Spain case and reflected in Article 3, emphasizes that the regulation applies not only to entities physically located within the Union but also to those with a strong connection or establishment within the Union.

In the context of lunar activities, if a controller or processor on the Moon has a substantial establishment or business presence that is closely linked to the Union, the GDPR may apply. This could be based on factors such as the nature and scope of the activities, the degree of integration between the lunar entity and the Union, and the economic and legal ties that bind them.

For instance, if a lunar-based entity has substantial business operations in the European Union, even if the data processing itself occurs on the Moon, the GDPR might apply due to the intertwinement of its activities with the Union. The regulation seeks to ensure that individuals within the Union are protected, and the concept of intertwinement helps extend its reach to entities closely connected to the Union’s legal and economic framework.

In summary, the intertwinement principle is an essential aspect to consider when evaluating the applicability of the GDPR to activities on the Moon, as it recognizes the regulation’s reach beyond mere physical location.

• The “targeting” of data subjects in the EU

If a controller or processor on the Moon were to offer goods or services to individuals who are in the Union, the GDPR could potentially apply. Article 3(2)(a) For example, if a lunar entity engages in commercial activities that involve the provision of goods or services to individuals within the European Union, the regulation might be applicable. Article 3(2)(a) is not a black and white provision. Some level of targeting is required but it is unclear how much targeting is necessary to be under the reach of the GDPR. Whereas (23) makes clear that “it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas (23) lists several factors.[1]

• The monitoring of Behavior:

If the processing activities on the Moon involve the monitoring of the behavior of individuals within the Union, the GDPR could also come into play. For instance, if a lunar-based operation engages in monitoring the online behavior of EU residents, the regulation might apply.

While applying the GDPR to activities on the Moon may seem far-fetched, the language of Article 3 is broad and focuses on the location of data subjects and the context of the processing. As technology advances and space activities become more commonplace, it’s not entirely implausible to envision scenarios where the GDPR could be relevant even beyond Earth. However, the specific application would depend on the details of the activities and their connection to individuals in the Union.

For more information, Francesca Giannoni-Crystal

[1] Whereas (23) “Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”