In this period of change, companies must anticipate their local legal environment, regional and international regulations and foreign laws with extraterritorial scope on a daily basis.

Meeting the challenges of transition

The technical and multidisciplinary nature of these issues requires a global vision and approach to provide satisfactory answers to very concrete operational problems for businesses, their employees, partners and suppliers, and therefore for civil society as a whole. Social and environmental responsibility is central to all considerations: those of citizens first and foremost, but also those of governments and institutions in a context of transformation of our economic and societal model that has been made unavoidable by the health and energy crises combined with demographic shifts, climate change and the depletion of certain natural resources. In response to these major challenges, certain traditional tools such as the law are undergoing reform, but there is a risk of legislative overkill and an accumulation of rules and technical standards that are sometimes not very coherent and whose consequences can be extremely prejudicial. Other systems are more recent, such as "compliance", which is based on making economic operators accountable ex ante by imposing preventive obligations on them to achieve fundamental objectives that cannot be achieved by the law alone[1]. For an appropriate response to such challenges, these tools and systems must be supplemented by an approach based on economic intelligence, consisting in collecting, analysing, enhancing, disseminating and protecting strategic economic information with a view to improving decision-making, influencing actions involving information or disinformation, protecting the interests of the State or the business's assets, as the case may be, and strengthening its competitiveness. This is all the truer as data and ethics are key to developments and transformations, as shown by the most recent solutions in the field of artificial intelligence, which reflect the ongoing revolution in practices in all areas. In this geopolitical context of power struggles, one of the responses is based on the extraterritoriality of law and compliance.

The rise of the extraterritoriality of the major powers

Whether this concerns Alstom[2] or Société Générale[3], there are many examples of the extraterritorial application of US law to European companies, leading to the payment of considerable sums and the imposition of lengthy and costly compliance and monitoring obligations. This is the price to be paid in the context of negotiated justice to maintain access to the US market. The extraterritorial application by the United States of laws and regulations in key areas results in the intervention of the American judge and various services of the American administration that are known to varying degrees to companies. These include anti-corruption with the Foreign Corrupt Practices Act and the notable intervention of the Department of Justice in the area of negotiated justice, export control and compliance with international sanctions, including embargoes, under the control of customs, but also the Office of Foreign Assets Control, the operation of stock exchanges regulated by the Commodities Futures Trading Commission, the operation of financial markets regulated in particular by the Securities and Exchange Commission, etc.". The legal reasoning that allows the application of US law to foreign businesses that are not in principle subject to it is always the same: the existence of a nexus with US law. This may be the use of the dollar in the transactions concerned, but it may also be as tenuous as the transit of data, financial or otherwise, on American platforms or information systems or present on American territory (banking system, stock exchange, servers or other data centres) in application of the Cloud Act. It is clear that this interpretation is based on political will and is becoming a particularly effective economic intelligence weapon, allowing the United States to acquire and manage information, gain influence and promote its interests and those of its companies. This extraterritoriality creates legal uncertainty for all businesses, regardless of where they are established, the markets in which they operate or which they are exploring for future development. China has clearly understood and in response, it has developed its own laws and regulations with extraterritorial scope, starting with a set of administrative measures on export control adopted by the Chinese Ministry of Commerce. Amongst these a list of unreliable entities and an Export Control Law in 2020 as well as blocking statutes in 2021. These measures were further strengthened in 2021 by the Anti-Foreign Sanctions Law passed by the Standing Committee of the National People's Congress. For the European Union, the use of law, compliance and strategic intelligence in a strong and appropriate response to these challenges was rejected for a long time, at least in official discourse. However, this has not prevented the European Union from perceiving the issues at stake and developing initial responses to growing extraterritoriality.

Challenges and initial European responses

In addition to the administrative, financial and often criminal sanctions incurred by European businesses and their representatives, compliance allows the State that imposes the latter outside its territory to gain access to key strategic confidential information. The companies concerned therefore have no choice but to collaborate with these authorities if they want to minimise the sanctions incurred and the resulting risks for their activities, whilst in the long term continuing to access the markets in which they operate. In this context of economic warfare, extraterritoriality and compliance not only serve as a legal basis and justification, but also allow the states adopting this approach and their businesses to arm themselves. The "pre-trial discovery" procedure is a particularly dreaded illustration for European businesses. This means that the American judge can compel any party to a trial and oblige them to produce documents to facilitate the establishment of evidence, regardless of the territory where these documents are located and even if the production of these documents would be unfavourable to the party from whom they are requested. Such requests should follow the international co-operation procedure and be made through diplomatic channels. However, they are most often addressed directly to the companies concerned, which then find it extremely difficult to formulate a response. The risk of competitors abusing litigation to gain access to confidential information has thus become a reality. The legal risk incurred by European businesses is heightened by the contractualization of ethical and compliance obligations which are now imposed by the customers or partners of any business, whatever its size or turnover, and which may justify the termination of the contract in the event of a breach. To the leaks of information, technology and know-how that have resulted, some European states have first provided a national response. In France, the revision of the so-called blocking statute of 26 July 1968 by decree and decision in 2022 thus made it possible to designate the Service de l'information stratégique et de la sécurité économique (SIISE) (Department for Strategic Information and Economic Security) at the Ministry for the Economy, Finance and Industrial and Digital Sovereignty as a one-stop shop for businesses that receive a request for sensitive documents or information from persons under foreign law. This mechanism can only work if the largest businesses play the game, as the tripling of SISSE referrals on this subject by 2022 suggests. However, to address the risk of conflict between different legal and compliance systems inherent in the growth of extraterritoriality, only the European Union and its twenty-seven Member States can provide a response that is appropriate both in terms of its scope and its firmness.

The limits of the defensive response of the European blocking statute

One response to the extraterritoriality of foreign law was the adoption of the European Blocking Statute on 22 November 1996 to render measures of extraterritorial application listed therein ineffective within the European Union. On 6 June 2018, this regulation was revised to include extraterritorial sanctions unilaterally re-imposed by the US against Iran following its withdrawal from the 2015 Vienna Agreement. By depriving any US court decisions, arbitration awards or provisions of effect in the EU when they are related to Iran-related extraterritorial sanctions, by enjoining European businesses not to comply with these sanctions and by recognising a right to compensation for any victim, the blocking statute aims to protect European businesses and allow them to freely decide on their business activities in Iran. However, it does not protect them from the consequences, criminal, financial and regulatory, on US soil of their activities in Iran. In line with the blocking regulation, the establishment of INSTEX, a joint debt fund between France, Germany and the United Kingdom, has not provided a sufficient response either to European businesses that would like to trade with Iran but which are not directly exposed to the US market. It is designed to act as a clearing house between European importers and exporters in Iran and thus guarantee payment solutions without recourse to the dollar in a bid to insulate European businesses from the extraterritoriality of US sanctions; but its operation remains very limited since it is restricted in practice to so-called priority sectors, such as pharmaceuticals and foodstuffs or medical equipment. The blocking statute thus illustrates the limits of the sole defensive response to the extraterritoriality of foreign laws and the "impossible - and very unfair - dilemmas caused by the implementation of two different and directly opposed legal regimes" faced by European businesses, as recognised by the Advocate General of the European Court of Justice in his conclusions followed by the court in its decision of 21 December 2021 "Bank Melli Iran". The growing risk that European businesses will be forced to withdraw from certain markets due to the conflict of laws with extraterritorial scope or to comply with European law and compliance has led the European Union to develop a more offensive response.

An assertive European vision beyond territorial issues

European Union law is based on human rights, as laid out in the Charter of Fundamental Rights. This is what distinguishes it from the American and Chinese approaches, as illustrated by the protection of personal data. The General Data Protection Regulation (GDPR) guarantees the free movement of data within the European Union and is organised around the rights of individuals to ensure that people within the Union have the right to reclaim their data, which for a long time was commercially exploited without their knowledge. The rights of the people concerned (rights of access, rectification, opposition, portability, etc.) must be effectively guaranteed by any data controller who is subject, like his subcontractor, to prevention obligations and heavy penalties in the event of a violation. By way of comparison, the Californian text ("California Consumer Privacy Act") of 28 June 2018 adopts a less protective approach to personal data, recognising consumers more limited rights over their data. It thus evolved in early 2023 to move closer to the GDPR. The federal text on data protection put forward by the US Federal Trade Commission aims more specifically to protect people against the excessive use of surveillance techniques. With different objectives, the Chinese text on data protection also differs from the European one in that it aims to control data flows, leading some foreign businesses to leave the Chinese market, both in view of their business model and in view of the impossibility for them to comply with these new legal requirements without exposing themselves to sanctions based on the law and compliance of their country of origin. With the GDPR, the European Union goes beyond its first attempts at extraterritoriality with competition law. It postulates a level playing field between economic actors who want to access its market of nearly 450 million inhabitants. The GDPR thus applies not only to businesses established in the Union but also to third country businesses that are not established there but which offer goods or services on that territory or target individuals in Europe. In so doing, the principles of this text can no longer be thwarted by a simple choice of jurisdiction. The effectiveness of Union law is guaranteed. This is a particularly innovative development which does not reflect a will to impose European law outside the territory of the Union but rather to recognise the extraterritorial nature of the economic game. The consequences of this approach are illustrated by the case law of the Court of Justice of the European Union "Schrems 2" which on 20 July 2020 invalidated the adequacy decision issued by the European Commission on 12 July 2016 on the basis of the "Privacy Shield". It was the US legislation with extraterritorial scope in terms of tax and surveillance that led the European judge to consider that transfers of personal data from the European Union to the United States did not enjoy adequate protection. Since then and pending a new political agreement that would ensure sufficient protection of European personal data on US territory, transatlantic transfers of such data must be based on another mechanism and legal basis within the meaning of the GDPR (standard contractual clauses, binding corporate rules, etc.). With this judgment, the European approach to personal data protection has become clearer, more effective and more influential. This is evidenced by the many sanctions taken by national data protection authorities since this judgment and the recent legislative developments in third countries in this area with a view to better alignment with European law. In 2022, the "DMA" (Digital Markets Act) and "DSA" (Digital Services Act) Regulations endorsed this more proactive European vision of measured extraterritoriality. These texts contain the same legal and compliance mechanisms of an application no longer based solely on the European territory itself but on the effective protection of persons in this territory. Thus, as soon as they operate on the European market and reach certain size and turnover thresholds, "access controllers" for the DMA and "digital intermediaries" for the DSA are bound by new ex ante obligations with a view to preventing unfair practices and infringements of competition law in the case of the DMA, and with a view to limiting the dissemination of illegal content and the sale of illicit products in the case of the DSA. Modelled on the GDPR, these texts provide for heavy penalties corresponding to a percentage of the annual worldwide turnover of the business concerned in the event of a violation. The same applies to European legislative developments in support of sustainable development and governance under the Green Deal and the 2020 Taxonomy Regulation. The Corporate Responsibility Directive, CSRD of 14 December 2022 is one of the cornerstones of this as it complements the Non-Financial Reporting Directive (NFRD) in terms of the publication of non-financial information. This directive, which will apply from 2024 onwards to the first businesses reaching certain thresholds for their 2025 reports, imposes non-financial performance reporting obligations based on the environmental, social and human rights impact of the businesses concerned. The draft directive on Corporate Sustainability Due Diligence of 23 February 2022, which provides for a European corporate due diligence policy, is based on the same compliance principles. The aim of this text is to prevent human rights and environmental abuses in the business value chain, including suppliers, partners and subcontractors. It will apply to businesses reaching certain turnover and staffing thresholds, depending on their activities, as long as they operate on the European Union market.

Going further and beyond

The European Union can respond to the great powers by going beyond the notion of territory through a strategic approach to legal intelligence and compliance, illustrated in particular by a measured extraterritoriality that respects the rights of other powers: firstly, by ensuring better coordination between its institutions in a bid to see its ambitious legislative projects come to fruition quickly, with the proposed due diligence obligation for businesses in the area of sustainability thereby illustrating the difficulties in this area. After the draft of a report following stakeholder consultation in 2020, it was the subject on 10 March 2021 of a European Parliament resolution that was more political, following contrary trends inspired by different lobbies, notably within the Parliament. The text that has been revised several times has not yet been adopted. It is also through more open discussions with economic actors on the practical implementation of the objectives pursued within the envisaged timeframe, as shown by the difficult discussions for the inclusion of energy resources such as gas and nuclear power in the Taxonomy Regulation. Legal overkill, contradiction or difficulties in linking several laws and standards together and the resulting practical difficulties for businesses must also be addressed. Not to mention the considerable costs of compliance. This is a challenge that EFRAG will have to overcome when determining the extra-financial performance criteria, a prerequisite for the implementation of the CSRD. Improved consultation and real corporate involvement on these issues seems more necessary now than ever before. Finally, it is a progressive and informative approach that the regulators and judges of the Member States and the European Union will have to adopt if they are to support businesses in making these difficult and essential changes. There is no shortage of tools and projects in this respect, whether it be with the possibilities offered by development of the European Prosecutor's Office, the European Cloud project or the calls for the adoption of a "Buy European Act".