Whose Law Applies to Your Web Site?
The Internet's worldwide scope makes it nearly impossible to avoid jurisdiction questions for long. Everything you post on your Web site can be seen all over the world. This is mostly a good thing. For example, you can pitch your product to a larger audience. However, doing business in every nation may bring your company under the jurisdiction of the laws in every nation. That is more likely to be a messy thing.
A recent jurisdictional decision by a French court in a lawsuit involving the Internet created considerable concern in the legal and business communities. The background is relatively simple. French law prohibits the sale or display of anything that can incite people to racism. Yahoo supports an auction site that allows people to sell Nazi memorabilia (along with a zillion other less controversial items). Someone challenged the availability of these auctions in France, and a French court ordered Yahoo to prevent access to users in France. A U.S. court just found for Yahoo on First Amendment grounds. The case is a complicated legal mess.
You do not find laws like the French law in the United States because the First Amendment makes speech restrictions unconstitutional. But the Internet is a different forum. As someone once said, on the Internet, the First Amendment is a local ordinance. U.S. policy does not control what the rest of the world does on the Internet. Conflicts are inevitable.
The result in the French Yahoo case -- and it is not the only decision of its type -- is deeply unsettling to U.S. companies that want to do business on the Internet without complying with the laws in other jurisdictions. If a Web site must follow the rules in every country where it does business -- or even where the site can be seen -- then it may be nearly impossible to function.
The problem of complying with national privacy laws is actually made somewhat easier by the European Union Data Protection Directive. The directive establishes a baseline of privacy protection for European Union member states. If a company established in France meets the French privacy requirements, it can do business throughout the European Union without complying with the laws of each member state. The harmonization of diverse national privacy laws in the interests of international commerce is an often overlooked purpose of the directive.
As the rest of the world gropes fitfully toward common international privacy standards, similar harmonization may eventually take place for the privacy laws of other nations. For all of its flaws, the "safe harbor" process that allows American companies to meet European Union standards is a step in the direction of addressing international jurisdictional issues.
Still unhappy that your Web site might have to comply with another nation's privacy law? Too bad. Congress has already decided that it is just fine for one nation to exercise jurisdiction over a Web site located in another nation. As long as a foreign Web site does business with Americans, that Web site falls within the jurisdiction of U.S. laws, courts and regulatory agencies.
Remember the Children's Online Privacy Protection Act that passed in 1998? It establishes privacy rules for Web site operators that collect personal information from children younger than 13. The law requires parental consent for data collection from kids, and it implements several other traditional privacy principles as well.
COPPA applies to Web sites located and engaged in commerce in the United States. It also applies to Web sites located in other nations and engaged in commerce in the United States. The law applies not to U.S. companies but to companies "located on the Internet." This interesting jurisdictional phrase makes it clear that it does not matter where your Web site is physically located as long as you do business in the United States.
For those who think that it is unnatural or unfair for a U.S. Web site to be subject to the jurisdiction of the law in other countries, you will first have to convince Congress that you are right. COPPA is not the only privacy law that applies to companies in other countries that do business with Americans. Other categories of laws (e.g., gambling) also have some extraterritorial application. As I said at the start, jurisdiction is a complicated matter.
The reality is that a privacy law that does not apply to foreign Web sites will accomplish little. Operators will simply move Web sites to another country where the laws are looser. It is the reason that the European Union Data Protection Directive regulates the export of personal data. All is lost if practices that are illegal at home can be carried out easily in another jurisdiction.
So before you grumble about the extraterritorial reach of other nations, just remember that the United States is already on record as recognizing and supporting a broad theory of Internet jurisdiction. I do not pretend to have a good solution to the jurisdictional dilemma for the Internet. But I do know that it is hard to argue both sides of the same issue at the same time, and that is just what the United States is doing.