General Practice, Solo & Small Firm Division Magazine
Volume 17, Number 2
INTERNATIONAL LAW AND PRACTICE
OF ELEPHANTS, MICE, AND PRIVACY: INTERNATIONAL CHOICE OF LAW AND THE INTERNET
BY PETER SWIRE
Geographic sovereigns are putting into place rules that target Internet behavior. Part I of this article presents an introduction to choice of law rules within the European Union (EU) and discusses the framework for choice of law in transactions involving both the EU and the United States. Part II provides an overview of the European Union Directive on Data Protection (Directive) and analyzes the resultant choice of law regime. Part III suggests the metaphor of "elephants" and "mice" for understanding when legal regulation of the Internet is most likely to be effective. Elephants are large organizations that have major operations in a country. They are undoubtedly subject to a country's jurisdiction. Once legislation is enacted, they likely will have to comply. By contrast, mice are small and mobile actors, such as pornography sites or copyright violators, that can reopen immediately after being kicked off of a server or can move offshore.
Choice of Law in the European Union. Rules can be set at the national or even subnational level, in bilateral agreements, as a matter of EU law, or in multilateral conventions. Countries have entered into multilateral conventions to harmonize choice of law rules, such as the Rome Convention. These conventions typically take precedence over preexisting national choice of law rules.
The Rome Convention applies to "contractual obligations in any situation involving a choice between the laws of different countries." Limitations exist on its general applicability. For example, the Rome Convention does not take precedence over choice of law rules that are included in EU legislation, and does not apply where a member state has joined an international convention on a certain topic. The convention also exempts from coverage certain substantive areas, including wills and succession, domestic relations, commercial paper, corporate law, and trusts.
Many contracts involving Europe and the United States are governed by the UN Convention on Contracts for the International Sale of Goods (CISG). When the CISG and the Rome Convention conflict, the CISG takes precedence. It applies to contracting parties who have their places of business in different states, when both states are signatories of the CISG. The CISG goes beyond the choice-of-law approach of the Rome Convention and endeavors to supply substantive rules to govern a contract. Like the Rome Convention, its scope is limited.
The European Union Directive on Data Protection. The European Union Data Protection Directive (Directive) applies to all "processing" of "personal data," with limited exceptions. Each EU Member State must adopt a strict privacy law that provides clear rights to data subjects. When collecting information from an individual, those processing data must disclose their identities, their purposes for processing, and other information. Data can only be processed for the announced purposes. Before data can be provided to third parties for direct marketing, the individual must be informed and have the right to opt out. Those processing personal data must guarantee that individuals have access to their own personal data and the opportunity to correct it.
The Directive does not itself apply to any behavior; instead, it requires each EU Member State to promulgate a law that complies with the Directive's terms. Actual enforcement will take place under the law of a particular Member State. Each country must establish one or more data protection agencies, known as "supervisory authorities," to help implement privacy rights.
Article 25 of the Directive, governing transfers of data out of the EU, allows transfers to third countries only if the third country ensures an "adequate" level of protection. Where there is not adequate protection, flows of personal information from Europe to a third country would be permitted only under one of the exceptions in article 26, such as when the data subject has consented in advance of the transfer, or where the transfer is necessary for the performance of a contract, such as providing the name and address for shipping a purchase into Europe. A different type of exception is where a supervisory authority believes there are "adequate safeguards" of privacy, such as where the transfer takes place under a contract that ensures that European-style rules will apply in the third country.
The Directive's rules for choice of law are laid out in article 4. To date, there has not been any authoritative guidance on the interpretation of article 4. The views expressed here are based on the author's personal reading of it. The interpretation of article 4 begins with two terms of art: "controller," which means the person "which alone or jointly with others determines the purposes and means of the processing of personal data;" and "processor," which means a natural or legal person "which processes personal data on behalf of the controller." Under article 4, each Member State applies its own data protection laws where "the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State." When the same controller is established on the territory of several Member States, such as where one company has operations throughout the European Union, the rule appears to be that the controller must comply with the strictest of the various laws that might apply.
A straightforward reading of the text creates a choice of law rule that a Member State's law applies wherever the controller is not established on Community territory and the controller makes use of equipment in the Member State (for more than mere transit). On this reading, article 4 does not alter a country's jurisdiction. A more ambitious, and legally questionable, reading of article 4 would find that it also speaks to personal jurisdiction. There are arguments against a jurisdiction-enhancing view and, as a policy matter, there are serious concerns about greatly expanding personal jurisdiction through article 4. Objections were mentioned about the adoption process of article 4, namely the absence of a publicized debate to broadly expand jurisdiction law, the inclusion of major reforms in a specialized Directive without any mention of the term "jurisdiction," and the major implications for legal regulations of the Internet even though the Internet was not considered in any significant way in the deliberations leading up to article 4. There are also traditional concerns about notice, fairness, comity, and national sovereignty in expanding the reach of European law to websites around the world.
Elephants, Mice, and the Legal Regulation of the Internet. A critical change for the Internet will be the increase in situations where individuals engage in international transactions themselves, rather than through import-export companies or other intermediaries. As individuals themselves act internationally, the overall style of legal regulation will differ substantially for "elephants" and "mice." As one consequence, choice of law rules will be important with respect to the former but not the latter.
Large processors of information are the easiest elephants to identify. Examples include credit card companies, airline reservation systems, telephone companies, and the human resource databases of major companies. Even if they ship data to third countries, these firms typically have large operations in Europe and are subject to enforcement actions in Europe. On the other hand, the elephants have undoubted advantages from their size. They can afford to participate in lobbying on the Directive and the implementing of national legislation. They also can defend themselves vigorously and can afford to pay fines, if necessary.
This analysis suggests that national data protection rules might work reasonably effectively where the data is primarily in the hands of the largest companies. If few people outside of mainframe computer centers ever get access to the personal data, then that sort of data can be well protected. Similarly, we would expect the websites of elephants to comply relatively well with national laws and to install relatively strict privacy policies. Failure to do so will lead to media and regulatory scrutiny.
At the other extreme, it will be difficult for national regulators to effectively govern data processing by the mice of the electronic world. Many websites are run by individuals or small companies. A country may lack jurisdiction over the website. Even if jurisdiction can be established, there may be no effective way to identify or punish the wrongdoers. The focus of legal regulation predictably falls on other groups, such as the users, Internet service providers, the payments system, or the offshore countries that shelter the mice.
Peter Swire is the Clinton administration's Chief Counselor for Privacy. The views expressed in this article are entirely his own.
For More Information About the Section of International Law and Practice
- This article is an abridged and edited version of one that originally appeared on page 991 of The International Lawyer, Winter 1998 (32:4).
- For more information or to obtain a copy of the periodical in which the full article appears, please call the ABA Service Center at 800/285-2221.
- Website: www.abanet.org/intlaw/.
- Periodicals: The International Lawyer, quarterly journal; International Law News, quarterly; committee newsletters.
- Books and Other Recent Publications: ABA Guide to Foreign Law Firms, 3d ed.; China Law Deskbook; Legal Guide to Doing Business in Russia and the Former Republics of the U.S.S.R.; The Compendium of Foreign Trade Remedy Laws; The World Trade Organization; The International Human Rights of Women; The International Lawyer's Deskbook; The United Nations at 50: Proposals for Improving Its Effectiveness; NAFTA & the Environment: Substance and Process; Careers in International Law.