Thursday, January 11, 2007

Some thoughts on international conflicts of law in recent privacy controversies

The free flow of data around the globe is the lifeblood of the Information Age. And any company doing business on the Internet is participating in this global flow. So, what happens when a company finds itself challenged by different regulatory authorities with completely contradictory requirements?

There have been numerous recent cases of companies facing such conflicting legal requirements. Airlines flying from Europe to the US were confronted with US anti-terrorism laws which required them to provide so-called Passenger Name Records to the US authorities, at the same time that privacy regulators in Europe held such transfers to be illegal under European data protection laws. SWIFT, the financial services company, was forced by the US anti-terrorism authorities to provide it with large amounts of individual wire transfer records, which was then condemned by the Belgian data protection authorities.

Similarly, Google was recently involved in a court action in Brazil with regards to its US-operated social networking site, Orkut. The Brazilian authorities were trying to investigate Internet crimes, like child pornography and hate speech directed against blacks and gays, and demanded that Google provide them with the personal information of some Orkut users. But Google is also a US-based company, and the applicable US privacy law, the Electronic Communications Privacy Act, prohibits Google from answering any demand for its users’ personal data, except pursuant to a valid legal order. Google said publicly that it had cooperated with the Brazilian authorities in numerous cases, and was prepared to cooperate again, as long as the Brazilian authorities direct their valid legal order to the operator of the service, namely Google Inc in the US, and not to its sales office in Brazil (which neither operates the service, nor has access to the data).

These are just a few examples of the many casese where companies are being torn by the conflicting legal requirements of different governments. Such cases are becoming much more frequent in the era of the Internet. So, perhaps it’s time to ask ourselves whether governments have an obligation to talk more to each other. Every child knows what it’s like to have mom tell you one thing, and dad tell you just the opposite. In a functional family, mom and dad will talk and work it out. In a disfunctional family, the kids will just have to choose between listening to mom or to dad.

The legal arena of resolving disputes of international jurisdiction has always been complicated, based on numerous factors: location of the company providing a service, location of the users of the service, location of equipment providing the service, etc, and those factors are sometimes inconclusive and contradictory themselves. But such jurisdictional conflicts arise constantly on the Internet, a medium which naturally crosses borders. Ironically, many of the legal mechanisms in the world to resolve such jurisdictional disputes are ancient, from an era where cross-border disputes were rare.

The time has come for governments and multinational companies to assume their respective responsibilities to work with each other to develop a process to discuss and resolve cross-border legal conflicts. The fight against child pornography and terrorism, to take these examples from recent casees, is simply too important to hamper on the basis of legal conflicts. The answer is not to expect companies to work out a solution to contradictory laws on their own. It’s time for mom and dad to talk.

No comments: