A Privacy Violation Suit Filed Against Facebook’s Faceprints Database

Facebook’s facial recognition technology, which uses faceprint data to identify friends in the network, has been alleged to contravene the Illinois Biometric Information Privacy Act, and a class action has been filed against Facebook. It has been alleged that Facebook’s faceprint data compilation, automatic tagging and data sharing are done without the explicit consent of the Facebook users from whom the data has been collected. For details, read the article by Wendy Davis.

‘Right to be Forgotten’ v. ‘Duty to be Forgetful’, and the Importance of Correct Labelling

It is amazing how a well chosen expression may capture our imagination. ‘Cloud computing’, ‘big data’ and the ‘right to be forgotten’ are all examples of phenomena that existed prior to, but came to life through, the catchy labels we attached to them. Am I the only one worried by this? Isn’t there something odd about the idea that the focus of legal, and other, researchers is so strongly guided by something as flimsy as catchy labels?

Fortunately, a catchy label alone may perhaps not be enough; something else may be needed. Looking at the development of research relating to ‘cloud computing’, ‘big data’ and the ‘right to be forgotten’, it seems to me that where we have a strongly developing phenomenon (SDP), and a catchy label (CL) describing that phenomenon we are guaranteed to see significant research interest (SRI):


Perhaps keeping this simple formula in mind may assist us in predicting ‘the next big thing’?


The power of labels

It is also interesting to consider how strongly the mental pictures painted by the labels guide our thinking. Labels such as ‘going online’, ‘visiting a website’ and the ‘web’ have all had an impact on how the law, and legal researchers, approach the underlying phenomena – our thinking is shaped by labels chosen perhaps rather arbitrarily and without legal consequences in mind. Also this worries me, and perhaps the time has come to be more careful in this regard.

Below I will argue that the recent judgment of the Court of Justice of the European Union (CJEU) in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González (Case C-131/12) cannot be seen to articulate a ‘right to be forgotten’ but rather a (selective) ‘duty to be forgetful’. This difference is not merely a matter of phrasing.


A ‘right to be forgotten’ or a (selective) ‘duty to be forgetful’?

The ‘right to be forgotten’ has attracted considerable attention for some years now, both in legal circles and in the media. And as is well known, much, perhaps too much, of the focus of the ongoing reform work of the EU data privacy framework has been devoted to this right.

The relevant legal landscape in Europe has been largely unaltered since the Data Protection Directive (Directive 95/46) was introduced in the mid-90s. So the thought that the current debate influenced the CJEU’s willingness to embrace a right to be forgotten in Google Spain SL (Case C-131/12) is inescapable.

At any rate, even if the Court spoke expressly about a right to be forgotten, it seems to me that this was not what they delivered in their judgment. The court order is not focused on any such right. If it were, it would have required the original publisher (La Vanguardia) to remove the content as well, but it did not.

The real effect of the judgment is to impose a ‘duty to be forgetful’ onto certain Internet actors – in this case search engines, or indeed, one particular search engine.

So does this matter? I think it does. First of all, politically, it is of course always easier to ‘sell’ a right than it is to sell a duty. And second, as was referred to more generally above, the labels guide, or even control, our thinking to a large extent.

Bite v. Bark Jurisdiction – More Nuances to Internet Jurisdiction

Extraterritorial claims of jurisdiction over Internet conduct are often controversial. This is particularly so when the jurisdictional claims have a slim, or no, prospect of being effectively enforced. One prominent scholar, Bygrave, has described this using the term “regulatory overreaching”:

“By ‘regulatory overreaching’ is meant a situation in which rules are expressed so generally and non-discriminately that they apply prima facie to a large range of activities without having much of a realistic chance of being enforced.” (Lee Bygrave, Determining Applicable Law Pursuant to European Data Protection Legislation 16 Compu. L. & Sec. Rep. 252, 255 (2000))

Although perhaps one can see hints at a softening in Bygrave’s approach in his most recent writings (Lee Bygrave, Data privacy law and the Internet: policy challenges, in Emerging Challenges in Privacy Law: Comparative Perspectives 277 (Normann Witzleb, David Lindsay, Moira Paterson, & Sharon Rodrick, eds., Cambridge University Press, 2014)), Bygrave sees “regulatory overreaching” as a problem – a view shared by several other leading commentators, see e.g.:

  • Christopher Kuner, Data Protection Law and International Jurisdiction on the Internet (Part 2), 18 Int’l J. L. & Info. Tech. 227, 235 (2010);
  • Bernhard Maier, How Has the Law Attempted to Tackle the Borderless Nature of the Internet? 18 Int’l J. L. & Info. Tech. 161 (2010);
  • Chris Reed, Making Laws for Cyberspace, 49 (Oxford University Press, 2012); and
  • Lokke Moerel, The Long Arm of EU Data Protection Law: Does the Data Protection Directive Apply to Processing of Personal Data of EU Citizens by Websites Worldwide? 1 Int’l Data Privacy L. 23, 24 (2011).

Indeed, the acceptance of this negative view of extraterritorial claims lacking in enforcement seems nearly universal.

Elsewhere, I have introduced the distinction between what I call “bite jurisdiction” on the one hand and “bark jurisdiction” on the other. Not all jurisdictional claims are equally likely to be carried out in practice. Indeed, some jurisdictional claims are made despite the realisation that they have virtually no prospect of being exercised in practice – they are merely attempts to bark; to make clear, to articulate, a particular legal position. Obviously, it may not always be easy to draw sharp lines between failed attempts at bite jurisdiction on the one hand, and genuine instances of bark jurisdiction on the other hand.

In an article to be published in the Santa Clara Journal of International Law early 2015 (now on SSRN), I expand on the discussion of bark v bite jurisdiction. Here I will try to highlight some of the key points I make in that article, on this topic.


Justifying bark jurisdiction

I do not see it as accurate to view “bark jurisdiction” or “regulatory overreaching” as a problem per se. After all, there may well be solid reasons why a State may wish to make clear its standpoint on a particular issue by legislating against it even though the effective enforcement of the law in question may be difficult, cumbersome or, indeed, unlikely. This is as true in the international extraterritorial context as it is in the context of domestic law with a clear territorial limitation (e.g. legislation making it a criminal offense to drive against a red light).

Thus, I see the point Kohl makes when she claims that: “large-scale non-compliance with any legal rule is problematic not just in terms of the failure of achieving the law’s purpose, but also in terms of undermining the law’s and regulator’s credibility more generally” (at 153) and Kuner’s similar claim that laws that lack the means of being enforced can be seen to undermine the legal system (at 235-6). And I can sympathize to a degree with Bygrave’s assertion that: “posturing without punch or even potential punch tends to be counterproductive” (at 277), and statements such as that: “[w]hen criminal laws have nothing but symbolic value [...] they are likely to erode rather than build confidence in the justice system, since they quickly come to be seen as paper tigers” (S. Coughlan, et al., Global Reach, Local Grasp: Constructing Extraterritorial Jurisdiction in the Age of Globalization, 6 Can. J. L. & Tech. 32 (2007), at 50). However, I am not convinced these claims go deep enough to do justice to the complexity of the issue at hand. On my reading, they seem to:

  1. neglect or underestimate the “dual role of law” – law plays an important role in adjudicating and punishing wrongs, but it plays an even more important role in providing guiding principles to keep us out of court;
  2. undervalue the reputational dimension of extraterritoriality – even where laws are not enforced, those acting in breach of a legal rule may be subject to scorn where the law in question is seen as justified by others; and
  3. overlook what I refer to as domestic enforceability of extraterritorial claims through market destroying measures; that is, even where an extraterritorial claim cannot be enforced extraterritorially, it may well be enforced domestically by imposing sanctions on the offending party within the state making the extraterritorial claim.

However, the greatest weakness of the objections to bark jurisdiction is found on a more basic level. Those claiming that legal rules that lack in enforceability undermine the respect for law may do well to consider, for example, the rules against domestic violence. There can be no doubt that the enforcement of such legal rules is falling far short of perfection. The number of instances where domestic violence goes unpunished is terrifyingly large. Thus, the paper tiger of domestic violence regulation must, on the reasoning above, be viewed to undermine the respect for the law and thus be harmful. Yet, any such assertion is, of course, wholly unsatisfactory.

Surely it cannot be wrong, immoral or misguided to fail to enforce a law if the failure is due to the contextual impossibility of enforcing the law? At this point I can imagine interventions that it may, however, be wrong, immoral and misguided to introduce law where one knows that one will not be able to enforce it. But responding to such an objection is easily done by reference to the example of domestic violence laws introduced above; surely no one would suggest that it is wrong, immoral or misguided to introduce a law against domestic violence just because the prospect of effective enforcement is limited in practice? I am quite aware that those objecting to bark jurisdiction due to its potential to undermine law do not explicitly embrace this farfetched proposition. But I ask in all seriousness, what tenet of their reasoning offers a stopping place short of this ultimate reductio ad absurdum of their objection?

Adding to what I have already remarked on this issue, I suggest that the risk that laws that lack the means of being enforced will undermine the legal system is small where the parts of the law that are difficult to enforce are not dominant or even close to being the dominant feature of the legal system in question. One need only consider those situations where people in abusive dictatorships cling onto the notion of human rights even though those rights are unlikely to be upheld. Morally justifiable law (however we define it) – including morally justifiable law that cannot be enforced – has a quality that cannot, and should not, be ignored. And maybe this is exactly where we reach the core of this issue – moral justification.

In her excellent book on jurisdiction and the Internet, Kohl states: “It is enforceability that really matters, not actual enforcement.” (at 205) She then proceeds to note that at least in the transnational context the reason for the importance of enforceability “lies often not simply, or even mainly, in inducing a fear of a sanction in the case of non-compliance, but rather in affirming the foreign law’s legitimacy”. Thus, perhaps it can be said that the relevance and value of bark jurisdiction depends on whether the jurisdictional claim, and the substantive law it relates to, are both morally justifiable.

Perhaps we can say that, where the bark jurisdiction, and the substantive law it relates to, are both morally justifiable, it is perilous for the target of the claim to ignore it; and where the bark jurisdiction and/or the substantive law it relates to, is not morally justifiable, it is perilous for the country making the claim to make the jurisdictional claim. Revealing my idealistic (or perhaps naive) side, it may perhaps be said that this should have the dual positive effect of encouraging restraint amongst countries considering making too broad extraterritorial claims, and should encourage compliance with rules that otherwise may have been ignored amongst the targets of the extraterritorial claims.


See further: Svantesson, Dan, A Jurisprudential Justification for Extraterritoriality in (Private) International Law (August 4, 2014). Forthcoming Santa Clara Journal of International Law (Volume 13 (2015), Issue 1). Available at SSRN: http://ssrn.com/abstract=2475760

Skatteverket’s investigation methods in social media

This blog post was written by Elisabet Ström, who wrote her degree thesis in legal informatics in the spring of 2014.

Owing to the rapid development of the Internet and social media, Skatteverket (the Swedish Tax Agency) is currently drawing up new guidelines for its activities as regards investigation in social media. The guidelines target a form of investigation that, according to Skatteverket, is not regulated by law. Guided by the constitution, general legal principles and assessments of appropriateness, Skatteverket searches social media in order to look, with a predetermined purpose, for potential tax evaders. The thesis I have written aims to examine whether Skatteverket may engage in the investigation described.

The thesis is built around three questions. The first asks whether there are laws that regulate the investigation. A review shows that Skatteverket’s investigation is likely covered by the special register statute in the field. This matters for whether the interference with the right to private life can be justified under the European Convention on Human Rights. It also matters when the protection of personal integrity under the Instrument of Government is addressed. Regardless of statutory support, the thesis also examines whether the investigation is a processing of personal data under the Personal Data Act.

The concept of personal integrity appears in the thesis. What personal integrity comprises in social media is hard to define, since it is so strongly tied to the individual, the situation, the context and so on. What constitutes a violation of personal integrity cannot be stated in general terms. One has to look at the individual situation and weigh the purpose for which the data are processed, the context in which they appear, the dissemination they risk receiving or have received, and what the processing may lead to. Information published on social media risks extensive dissemination, and the risk of an intrusion then also increases.

The second question examines how the constitution’s requirements of objectivity and impartiality affect Skatteverket’s collection of information. The room left to the official’s discretion is limited, but it depends on how the investigation is designed and on how clear the purpose and aim are.

If Skatteverket’s guidelines are designed so that it must be assessed in each individual case whether the measure is appropriate, and if this assessment of appropriateness is given relatively large scope, one can say that there is an express room for value judgements. That can in itself become problematic, since there is a risk that the assessment becomes arbitrary. There is also a risk that like cases are treated differently, which is not optimal from the perspective of legal certainty, and not least from that of the principle of equal treatment. In Skatteverket’s case it is not possible to check what individual officials do when they investigate; it is therefore important that they are aware of how they should act and of how they actually act. It is therefore important that the guidelines are drafted clearly.

The third and final question addresses whether the agency may collect information from open or semi-closed sources anonymously. In connection with Skatteverket’s presentation of its “identities when investigating”, Skatteverket draws analogies with the physical world that become problematic on closer examination. It turns out that the objects are not comparable: standing in the town square, being anonymous and observing other people cannot be transferred to the digital world. Even if someone comes up and asks who you are as you stand there in the square, it simply cannot be compared with any “square” on the Internet. The thesis seeks to map which rules apply to Skatteverket’s investigation, but also to prompt reflection.

For my own part, I consider that the thesis concerns difficult questions in that the legal position is unclear. The answer spans many areas, and a tug-of-war arises between Skatteverket’s interest in collecting tax and individuals’ interest in protecting their personal integrity. Compared with other areas of law, the individual, in the form of a consumer, is an interest worthy of protection. An analogy can be drawn between the protection afforded to consumers and the protection that ought to be given to the individual. It is the individual’s interest that must be safeguarded; Skatteverket must retreat.

In this situation someone must shoulder responsibility: Skatteverket, the legislator or, why not, Facebook. If the investigation is not regulated more closely and no one intervenes, we will have a surveillance society. The question is surely not whether we should react but when.

The thesis can be downloaded as a PDF here.

Do we need an international law doctrine of selective legal compliance to protect Internet intermediaries?

Almost everything we do online these days is, in one way or another, dependent on various Internet intermediaries. We search via Google, we communicate with friends and family via Facebook, we build professional networks via LinkedIn etc.

Because of the crucial bottleneck function of Internet intermediaries, it is increasingly common that such entities are being targeted in lawsuits – if you control the intermediaries you control the Internet to a great extent. For example, earlier this year, in Garcia, a US court sought to restrict certain content worldwide based on US copyright law by ordering Google to block access to that content on YouTube. Even more recently the CJEU, in the now notorious judgment of May 13 in the case C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez, pointed to the effectiveness of controlling Internet intermediaries. The following two quotes are telling indeed:

Moreover, it is undisputed that that activity of search engines plays a decisive role in the overall dissemination of those data in that it renders the latter accessible to any internet user making a search on the basis of the data subject’s name, including to internet users who otherwise would not have found the web page on which those data are published. (Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (Case C-131/12), at para 36.)

Given the ease with which information published on a website can be replicated on other sites and the fact that the persons responsible for its publication are not always subject to European Union legislation, effective and complete protection of data users could not be achieved if the latter had to obtain first or in parallel the erasure of the information relating to them from the publishers of websites. (Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (Case C-131/12), at para 84.)

Since many Internet intermediaries operate almost worldwide, they are exposed to the laws of virtually all countries in the world. And this causes problems.

First of all, while some of the larger Internet intermediaries may have the legal resources to identify, understand and comply with the different laws they are exposed to, that may not be the case for Internet start-ups. In other words, the heavy burden of complying with all the laws around the world may create barriers to competition.

Second, as we all know, laws can often be interpreted in more than one way and there are often grey areas. If we, for example, are asking Internet intermediaries to block any content that is defamatory, how do we deal with the fact that not even the courts always agree upon what content is defamatory? And do we really want private entities to be the guardians of good taste online? The risk of over-censorship is obvious.

Finally, there is, of course, also the risk of conflicting laws; what is perfectly legal in one country may be banned in another. And if we take the view that Intermediaries must comply with all the laws of our country, don’t we then have to accept that they also have to block content based on the laws of totalitarian states with fundamentally different values to ours? How useful would the Internet be if content was blocked globally just because it is unlawful in one particular country? What would be left?

While there are counter arguments to most of this, I think the time has come to consider whether an internet intermediary ever can be excused for not complying with all the laws around the world. Perhaps we need an international law doctrine of selective legal compliance. I explore this topic in a forthcoming article soon to be published in the Computer Law & Security Review. There I suggest that such a doctrine could usefully incorporate at least four elements, some of which I have discussed in more detail previously:

  • A ‘layered approach’ of law making – put simply, the linking of different substantive law rules with different rules of jurisdiction and choice of law;
  • Market Sovereignty based on the effective reach of Market Destroying Measures – governments determined to have an impact on foreign Internet actors beyond their directly effective jurisdictional reach can introduce “market destroying measures” to penalise the foreign parties within the market within their control (i.e. within their market sovereignty);
  • Technological self-help – Internet intermediaries may use e.g. geo-location technologies to block certain content in certain countries only; and
  • The abandonment of corporate structure games – There are numerous examples of globally active Internet intermediaries seeking to avoid the jurisdiction of courts by referring to the particular corporate structure they have adopted (Case C-131/12 is an example of a case in which such an argument failed, A v Google New Zealand Ltd [2012] NZHC 2352, and Duffy v Google INC & Anor [2011] SADC 178 are examples of cases in which such an argument has been successful).

These four components were, admittedly, selected in a somewhat eclectic manner in that I make no claim that their inclusion necessitates the exclusion of other components. It may well be that additional components can be identified as the discussions of a potential international law doctrine of selective legal compliance mature. My claim is simply that these four components should be considered.

KYPADO – balancing consumer and business interests

This post was written by María Täng Palma and Vaida Domeikyte, two graduates of Stockholm University’s masters program in law & IT.

Every one of us has been exposed to various online legal notices, like Privacy Policies, Terms of Use, Disclaimers, and more. And everyone will agree that these legal notices are too long, their language is too complex, and they completely lack appeal. Moreover, they are not delivering the main goal – to properly inform users of how their personal information is going to be used or what rights and obligations apply when using websites or mobile applications.

Researchers found that around 60% of people say that they care about their privacy and other legal obligations; however, consumers find these notices hard to read and understand due to their complicated structure and language with legal jargon (Ponemon Institute LLC, 2012 Most Trusted Companies for Privacy, Study of Consumers in the United States, 2013). According to other research, users would pay more attention to legal notices written in a simple and plain language that are more visually appealing and easy to compare (The Center for Information Policy Leadership, Ten steps to develop a multilayered privacy notice, 2006).

Overall, experts agree that good legal online notices begin with effective transparency. And transparency requires legal notices that are easy to understand, reliable and, of course, compliant with legal requirements.

This problem led us to try to find a solution for it. Our inspiration was the OECD report “Making Privacy Notices Simple: An OECD Report and Recommendations,” the “Ten steps to develop a multilayered privacy notice” guide by Hunton and Williams LLP, and ARTICLE 29 Data Protection Working Party’s “Opinion 10/2004 on More Harmonised Information Provisions.”

Taking this research as our starting point, we decided to approach consumers and business interests, which is how KYPADO (a name made up of parts of our surnames) came to be. On the one hand, the goal of KYPADO is to provide companies with innovative, reliable and easy-to-understand digital legal content that could allow them to gain their customers’ trust while, at the same time, complying with legal requirements. On the other hand, KYPADO offers consumers legal content they can easily grasp, compare, and enjoy.

In short, we develop traditional text-based and audio-visual legal content for websites and mobile applications. Our legal content consists of three layers:

Layer 1: text-based notice
It includes all the required elements of a fully compliant legal document. It describes core concepts in detail and contains applicable laws. The language is kept to a level that most individuals would understand.

Layer 2: a combination of image & text-based notice
This layer is a concise notice that combines text and images. It addresses all the core concepts that need to be covered following current regulations and provides a more human-centered approach. The language is easy to understand, and the sentences are short and simple. The images are appealing and facilitate understanding and grasping of concepts.

Layer 3: image & audio file notice
The last layer is an image and audio file notice. The images depict the story behind the legal notice at hand, while the audio narrates the story following a script. This layer improves the accessibility of both the website and the digital legal notices. Website accessibility is an important issue in the context of legal compliance that also benefits your business: improved accessibility leads to a larger and more diverse target audience.

We are excited and thrilled about our project, and we hope that our solution will attract organizations eager to better communicate with their target audiences and to make better business. We also expect this approach will make consumers better informed about their rights and obligations and increase users’ awareness of privacy issues in the digital world.

If you have any questions or suggestions you can contact us at info@kypado.com or find and follow us on Facebook and LinkedIn.

Visit our website www.kypado.com and take a look at our prototype.

María Täng Palma & Vaida Domeikyte

Ignorance or arrogance – A US court claims the right to regulate the Internet world-wide

The legal drama that has followed in the wake of the online publication of the film titled ‘Innocence of Muslims’ may be worthy of being used as the plot for a movie in its own right. And, given a recent judgment by Chief Judge Kozinski in the US 9th Circuit, it would no doubt be best as a horror movie.

The background to the dispute is rather complex, but put simply, Cindy Lee Garcia was cast in a minor role in a film with the working title ‘Desert Warrior.’ For the three and a half days of filming she received $500. However, that film never materialised. Instead, Garcia’s scene was used in another film – a highly controversial film titled ‘Innocence of Muslims’. Garcia first saw this latter film after it was uploaded online. At that time, she discovered that her brief performance had been partially dubbed over so that she appeared to be making a statement offensive to persons of the Muslim faith.

Garcia sought to have the movie taken down by arguing that she had a copyrightable interest in her brief performance in the movie. Needless to say, such a claim has a slim prospect of success in most parts of the world, but Chief Judge Kozinski concluded that Garcia does have such a right.

Copyright lawyers will no doubt find the decision highly interesting merely by focusing on Chief Judge Kozinski’s contentious approach to the copyright issues involved. However, as the title indicates, my interest in the case lies elsewhere. I am concerned about the fact that the Court ordered Google Inc to “take down all copies of ‘Innocence of Muslims’ from YouTube.com and from any other platforms under Google’s control, and take all reasonable steps to prevent further uploads of ‘Innocence of Muslims’ to those platforms.” (emphasis added)

Given Google’s virtually global presence, with various country-specific platforms, the problem is obvious. US copyright law applies in the US, not globally. This fact can scarcely have escaped the Court. Yet, it was not even touched upon by the 9th Circuit on this occasion. Indeed, Chief Judge Kozinski did not even seek to legitimise the approach by putting the court order in terms suggesting that the global take down was necessary to ensure the film was inaccessible in the US.

If we let domestic courts make orders regulating what may and may not be published globally, we will quickly find ourselves in a situation where the only content (legally) available online is such content that is acceptable globally. But how useful would such an Internet be? And where would that leave us when it comes to freedom of speech?

Luckily, it is rare for courts to take such a parochial approach as the 9th Circuit did in this dispute. More commonly, courts have recognised that making court orders with global reach is problematic and typically excessive. An extract from a judgment by the New South Wales Supreme Court is illustrative:

An injunction to restrain defamation in NSW is designed to ensure compliance with the laws of NSW, and to protect the rights of plaintiffs, as those rights are defined by the law of NSW. Such an injunction is not designed to superimpose the law of NSW relating to defamation on every other state, territory and country of the world. Yet that would be the effect of an order restraining publication on the Internet. It is not to be assumed that the law of defamation in other countries is coextensive with that of NSW, and indeed, one knows that it is not. It may very well be that according to the law of the Bahamas, Tazhakistan [sic], or Mongolia, the defendant has an unfettered right to publish the material. To make an order interfering with such a right would exceed the proper limits of the use of the injunctive power of this court. (Macquarie Bank Limited & Anor v Berg [1999] NSWSC 526, at para 14.)

Thus, a global removal of content that is only unlawful in some countries but not others would arguably infringe the rights of people in those latter countries to access that content. Further, global blocking in such a situation may be seen as a violation of the creator’s right to communicate that content in the countries where doing so is lawful.

It is important that we do not overlook these rights just because there may be a duty not to communicate that content in some countries.

One often sees the adherence to the harshest rules as a proposed solution to the difficulty of variances in legal standards where more than one standard applies to specific conduct. Such suggestions rely on notions such as that expressed by Justice Souter, that: “[n]o conflict exists, […] ‘where a person subject to regulation by two states can comply with the laws of both.” (W. S. Dodge, Extraterritoriality and Conflict-of-Laws Theory: An Argument for Judicial Unilateralism 39 Harv. Int’l. L. J. 101 (1998), at 136.)

I object to this duties-focused approach. Essentially what Justice Souter and others are saying is that we should only focus on the duties imposed by law. If the duties do not conflict, the laws do not conflict. This is too simplistic a perspective. It completely neglects the importance of the rights that laws provide. Importantly, the correlative relationship between rights and duties we may be accustomed to from a domestic law setting does not necessarily survive when transplanted into a cross-border environment; that is, rights provided under one country’s legal system may not necessarily create corresponding duties under other legal systems.

I argue that in assessing whether two (or more) laws are in conflict we need to take account of both the duties and the rights those laws provide for. In other words, even where the duties do not clash, the rights of one country may clash with the duties of another country.

The difference can be illustrated by way of an example. Imagine that the laws of state A specifically provide for a right of religious freedom, while the laws of state B specifically impose a duty of adherence to Norse pagan faith. Where a person, for one reason or another, finds herself bound to comply with both the laws of state A and those of state B, there is no conflict in the view of the reasoning put forward by Justice Souter and others – such a person can comply with the law of both states by adhering to Norse pagan faith.

In contrast, from the perspective I advocate here, there is a conflict since the right provided by the law of state A cannot be freely exercised while at the same time complying with the duty imposed by the law of state B (except, of course, by those who voluntarily choose to exercise their right to worship Odin, Thor, Freya etc.).

In light of all this, I argue that calls for compliance with the strictest rules, as a solution to the problem of conflicting laws, are misguided. And, it would seem beyond intelligent dispute that global blocking/removal cannot be the default response to every court order requiring an Internet intermediary to block/remove certain content in a certain country. We need a more measured and more sophisticated approach.

The European Parliament’s vote on extraterritoriality in data privacy – one step forward, and one step back

Back in March 2013, I wrote a blog post here at BlawBlaw pointing to an unfortunate error in the structure of Article 3 of the proposed data protection Regulation – outlining the Regulation’s territorial scope.

Essentially my concern was that Article 3(2)(b), as found in the original January 2012 proposal, suggested that EU residents would enjoy the protection of the Regulation worldwide simply by residing in the European Union. Such a result cannot have been the drafters’ intention as it so clearly would take the Regulation’s extraterritorial scope into the realm of absurdity.

Now the European Parliament has had its say on how the Regulation’s scope of application is to be delineated. And, I am happy to note that the problem I pointed to in the March 2013 posting has been addressed. The European Parliament’s version of Article 3 reads as follows:


Article 3: Territorial Scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of such data subjects.


While they consequently have addressed the issue above, they have done so in a manner creating another equally, or at least almost equally, serious issue – it is not clear whether the words “in the Union” in Article 3(2) relate to “data subjects” or “processing”.

The latter alternative is perhaps preferable compared to the former. However, if Article 3(2) is meant to regulate the processing taking place “in the Union” by a controller or processor not established in the Union, significantly more guidance is desirable than what we have received so far.

As noted, the alternative that “in the Union” in Article 3(2) relates to the location of the “data subjects” is plausible. That would mean that the original proposal’s limitation to “data subjects residing in the Union” has been replaced by a location-focused test. In the absence of further limitations, such an approach would seem to bring the Regulation’s Article 3 back into the realm of absurdity:

Imagine that a US citizen while in the US signs up for a particular US-based web service which places cookies on that person’s browser in a manner that can be seen as “monitoring” the user. As long as that US citizen remains in the US, no drama arises. However, should that person get on a flight, like many people do these days, and travel to Berlin, Stockholm or some other beautiful place in Europe, then the US web service is suddenly bound by the European Regulation as soon as that person starts browsing the web. After all, (1) the US company is clearly a “controller or processor not established in the Union”, (2) the US citizen is a data subject “in the Union” after stepping off the plane in Europe, and (3) once she or he starts surfing the web, she/he is “monitored”.

The scenario described is not fanciful or unusual, and has nothing to do with creating a “level-playing field” – the key aim of the Regulation’s extraterritorial scope. In fact, it demonstrates that, on this interpretation, the Regulation will have an enormously wide scope of application given the mobility associated with modern society – any organisation that reasonably expects to engage with its customers while those customers travel to Europe must seriously consider its position under the Regulation.

In light of this, I think further modifications of the Regulation’s approach to extraterritoriality are necessary. I remain convinced that to get this right, we have to stop tinkering around the edges and start fresh as to Article 3 – preferably adopting the “layered approach” to extraterritoriality I keep promoting, for example in another of my previous blog posts here at BlawBlaw.

The extraterritoriality of EU’s Data Privacy Regulation – what does international law say?

Work on the EU’s proposed new data privacy Regulation continues, and a wide extraterritorial reach remains a key feature of the Regulation. In a recent European Commission Memo titled Data Protection Day 2014: Full Speed on EU Data Protection Reform of 27 January 2014, it was noted that one of the key benefits for businesses was the creation of a ‘level playing field’:

“The same rules for all companies – regardless of their establishment: Today European companies have to adhere to stricter standards than companies established outside the EU but also doing business on our Single Market. With the reform, companies based outside of Europe will have to apply the same rules. We are creating a level-playing field.” (p.4)

This is significant, not least when combined with another of the Regulation’s articulated ‘main innovations’:

“European regulators will be equipped with strong enforcement powers: data protection authorities will be able to fine companies who do not comply with EU rules with up to 2% of their global annual turnover. The European Parliament has even proposed to raise the possible sanctions to 5%. Privacy-friendly European companies will have a competitive advantage on a global scale at a time when the issue is becoming increasingly sensitive.” (p.4)

In two previous blog posts, I have pointed to serious concerns with the current proposal (The territorial scope of the proposed EU Data Protection Regulation) and a potential improvement of how it delineates its extraterritorial scope (Re-thinking extraterritoriality in data privacy law). Here I will seek to assess what international law says about the legitimacy of the approach taken by the EU. Is it possible to either justify or object to the EU approach to extraterritoriality by reference to international law?


Under International Conventions

There are no treaties directly regulating jurisdictional claims in the data privacy context. However, a close study of the world’s, at least in theory, most significant human rights treaty, the International Covenant on Civil and Political Rights (ICCPR), shows that it arguably makes extraterritorial jurisdictional claims mandatory in the data privacy arena.

Importantly, Article 2(1) of the ICCPR states that:

“Each State Party to the present Covenant undertakes to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in the present Covenant, without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.”

If material originating in state A negatively affects the privacy of a person in state B, state B is arguably failing to provide “an effective remedy against those responsible” (ICCPR General Comment 16) to the affected individual “within its territory and subject to its jurisdiction” unless its laws provide for jurisdictional and legislative claims over the offender in state A.

It can, of course, be said that even such a jurisdictional claim does not in itself provide “an effective remedy against those responsible” unless it can also be enforced. However, state B in our example can perhaps not be required to do more than what is in its power to do.

In light of the above, it is possible to suggest that the ICCPR is an example of an international convention that supports wide extraterritorial claims in the context of data privacy law.


Under International Custom

The 1935 Harvard Research Draft Convention on Jurisdiction with Respect to Crime (hereinafter, the Harvard Draft) is a natural point of departure for any discussion of jurisdiction under customary international law. Despite being dated, and despite being focused on jurisdiction with respect to crime, virtually every single text on public international law relies upon the grounds for jurisdiction canvassed in the Harvard Draft (with the addition of the so-called ‘effects doctrine’).

So how do the traditional grounds for jurisdiction under customary international law impact the assessment of the extraterritorial claims of jurisdiction that the EU makes through its data privacy law? One thing is clear: in the context of typical data privacy infringements, four of the seven traditional principles for jurisdiction can be ignored. We need not busy ourselves with the subjective territoriality principle, the nationality principle, the protective principle, or the universal principle.

Article 4 of the current EU Data Protection Directive – in its focus on the geographical location of relevant equipment – could be argued to relate to the objective territoriality principle. That is because, as Kuner points out, this ground for jurisdiction “is at least partly based on the performance of an act (the use of equipment) occurring within the EU.” (Christopher Kuner, Data Protection Law and International Jurisdiction on the Internet (Part 1), 18 Int’l. J. L. & Inf. Tech. 176, 190-191 (2010), at 188).

Article 3 of the proposed EU Data Protection Regulation – in placing focus, for example, on the behavioural monitoring of EU residents – seems likely to fall within the passive personality principle, or at least a permutation of it, even though its focus is on the residency of the data subject rather than on the data subject’s citizenship.

Further, both types of extraterritorial claims seem to fall squarely within the effects doctrine. Regardless of the methods used to connect foreign conduct with the jurisdiction where the data privacy law has been enacted (such as focusing on the use of equipment situated on the territory or on the behavioural monitoring of EU residents), one can argue that the conduct has an effect within the jurisdiction. Thus, both the approach taken in Article 4 of the current EU Data Protection Directive and the approach taken in Article 3 of the proposed EU Data Protection Regulation seem to fall within the effects doctrine.

Thus, one can conclude that customary international law is closer to supporting the EU approach to extraterritoriality, than it is to prohibiting it.


Under General Principles of Law Recognized by Civilized Nations

Our search for relevant so-called “general principles of law recognized by civilized nations” may be focused in a variety of manners. Here, I will restrict myself to considering whether the EU’s approach to extraterritoriality in data privacy law can be seen as a general principle of law recognized by civilized nations.

There are now more than 100 countries with data privacy laws. Many of those laws, such as the laws of Australia, Singapore, the Philippines, Cape Verde, Malaysia, India and indeed the US, have an extraterritorial reach more or less similar to that of EU law. However, examples may also be found of data privacy laws that currently make no extraterritorial claims (see e.g. Israel and Japan). Given this, the conclusion must be that the EU’s approach to extraterritoriality in data privacy law cannot be seen as a general principle of law recognized by civilized nations. However, with an increasing number of countries implementing or revising data privacy laws, we may have reason to revisit this issue in a not too distant future.


Concluding remarks

The above signals that international law is closer to justifying, than it is to objecting to, the EU’s approach to extraterritoriality in data privacy law. This is significant. However, it does not necessarily mean that the EU approach is to be endorsed.

It remains my view that the current EU Directive’s approach to extraterritoriality is dysfunctional in its unnecessary complexity and that the proposed EU Regulation needs to be refined, and should ideally adopt the ‘layered approach’ I have proposed elsewhere.


For more about the extraterritoriality issues in data privacy law raised here, see e.g.: Dan Svantesson, The Extraterritoriality of EU Data Privacy Law – Its Theoretical Justification and Its Practical Effect on U.S. Businesses, 50(1) Stanford Journal of International Law (2014).

Update from the Computer Privacy and Data Protection Conference

Today was off to an interesting start at the annual Computer Privacy and Data Protection conference in Brussels. Here are a few points (not direct quotes) that I gleaned from listening to a myriad of terrific speakers:

  • What is on the table now is progress. It is not perfection.  It reflects a lot of compromising. (Paul Nemitz)
  • Law enforcement’s use of data collected from social media providers to profile individuals should not be a situation “caught between pillars.”  This is especially true when Article 16 of the Lisbon Treaty provides the opportunity to create a single instrument to address this pressing issue.  Law enforcement’s reuse of private sector data is a huge gap in the new reform package. (Alba Bosch)
  • The principle of accountability is good because it provides data controllers with the kind of flexibility that they need.  This shift away from bureaucratic requirements should be applauded. (Thomas Boué)
  • If EU institutions are excluded from the Regulation then, at the very least, there must be another instrument which provides for exactly similar rules: there must be consistency at a high level. (Hielke Hijmans)
  • The name of this panel should not be “EU Data Protection Reform: Fixing the Last Bugs” it should be “EU Data Protection Reform: The Attack of the Killer Bees” as there are a lot of major problems that must still be addressed. (Christopher Kuner)
  • There is a serious lack of awareness about data protection rights exhibited on behalf of individuals, lawyers and courts. Please see the FRA handbook that was just released. It is a tool to understand data protection in a straightforward way. (Mario Oetheimer)
  • There is a tendency for governments and corporations to seek “clearance” or a “green light.” Sometimes, however, no official clearance should be possible. One must be prepared to be responsible for his/her decisions in court. This is the real world after all. (Paul de Hert)
  • There is a tension between a rights-based notion of regulation and a harms-based notion of regulation.  There is a prevailing wind to think more about the harms-based notion of regulation. (Charles Raab)
  • Defining the object of the risk is the hard question in a risk assessment. When using risk assessment, one must examine his/her own normative commitments.  Take nuclear reactors for example.  What is the object of the risk posed by nuclear reactors?  Is it just the reactor pressure vessel?  What about the uranium mining or the transportation of material or the recycling of the material etc.?  Where does one draw the line? (Brian Wynne)
  • There has been little improvement in the Council over the last few months.  The same questions are repeated and repeated.  The reform package will not be done before the spring elections. Let’s hope the Council reaches a decision by the end of summer.  The worst result would be that the Council does not reach an agreement, which will force the Parliament to put the 4000 amendments back on the table and further delay the reform for many more years. (Wojciech Wiewiórowski)
  • From an American perspective, the EU Commission seems to resemble a black box.  What kind of transparency mechanisms are in place in order to allow individuals to understand what is going on there? (Julie Cohen)

