Visibility

Internet-based businesses that advertise and market their products and services globally are frequently confronted with issues surrounding how to comply with the laws of the twenty-seven European Union Member States (“Member States”).   This is especially true for those with eCommerce websites that involve direct contact with, or are directly accessed by, consumers.  The Internet is “borderless” and content is exchanged globally regardless of a particular sender’s location.  The result is unprecedented business opportunity.  However, given that international legal authorities claim jurisdiction over content and services delivered within their territories, numerous potential hazards exist should a business fail to take into account what may be required of it in the various Member States.

Numerous, sometimes conflicting legal and regulatory compliance issues exist within the European Union.  Exactly whose rules apply to the handling of personal information, data protection, intellectual property rights, consumer protection, and content regulation are increasingly becoming more challenging.

Online businesses that wish to transact business in Europe must acquire a threshold degree of familiarity with various European Union Directives (“Directives”).  Directives are a means by which the European Parliament seeks to harmonize fragmented rules and economic activities amongst Member States.  However, Directives are not laws and, as discussed herein, may not have a direct effect on individual Member States.  Directives are merely “instructions” to Member States to implement laws that are consistent with the principles cited by the European Parliament. 

Unfortunately, Member States convert and interpret Directives in many different ways.  For any given legal principle, each individual Member State is essentially free to adopt its very own interpretation.  This is especially true with regard to electronic commerce and consumer protection laws which vary amongst Member States.  As a result, there is a lack of consistency amongst national laws and court decisions. 

Electronic Commerce Directive
Perhaps the most important Directive is the Electronic Commerce Directive (2000/31/EC) which created the basic legal structure for electronic commerce amongst the Member States (“eCommerce Directive”).  The policy behind the eCommerce Directive is to encourage greater use of eCommerce and enhance consumer confidence throughout Europe by clarifying the rights and obligations of businesses and consumers. 

The eCommerce Directive contains several critical principles, including that online businesses that select a European home-base, in any Member State, are licensed to conduct business throughout Europe.  This principle provides a critical advantage to United States-based businesses that wish to expand operations internationally because once a legitimate online business selects a single home-base in a Member State, they are free to offer its products and services to consumers throughout the entire European territory.   The eCommerce Directive also requires Member States to separately adopt national legislation regarding information that must be provided to consumers pertaining to online marketing and advertising.   

Importantly, the eCommerce Directive also sets-forth rules on civil and criminal liability for Internet service providers (“ISP”) and other “intermediaries.”  The European Union’s approach with regard to the issue of ISP liability is set forth in the eCommerce Directive at Article 1.2.  It addresses copyright, defamation, and obscenity.  In that respect, the Directive largely follows the United States Digital Millennium Copyright Act (“DMCA”)  and the Communications Decency Act (“CDA”)  which both provide safe-harbors for certain specified activities by “passive” ISPs. 

The eCommerce Directive is intended to prevent Member States from burdening ISPs that are “mere conduits” from having to monitor content or actively seek facts or circumstances indicating illegal activity.  However, the respective safe-harbors contained in the eCommerce Directive are currently the subject of litigation throughout Europe.  Various Member States, including Belgium, France, Germany, and the United Kingdom have seemingly abandoned the principles of the eCommerce Directive by shifting traditional policing and enforcement burdens.  These Member States have recently found ISPs accountable for user-generated content to a much larger degree than initially envisioned in the eCommerce Directive. 

Diverging decisions amongst the Member States, coupled with failure to adopt the various safe- harbors provided by the eCommerce Directive have slowly eroded its force.  For example, the French court case of La Ligue Contre Le Racisme et l'antisémitisme (“LICRA”) v. Yahoo! (2000), decided by the High Court of Paris, raises issues of Member States’ authority to claim jurisdiction over persons whose alleged crimes were committed outside the boundaries of the prosecuting country.  The LICRA case is not only an example of contemporary issues and risks inherent in international online business, it also illustrates the conflict between national laws in Europe and the First Amendment to the United States Constitution. 

In short, the LICRA case concerned the sale of Nazi memorabilia via an Internet auction which resulted in criminal proceedings against Yahoo! and its former President for allegedly violating Article R645-1 of the French Criminal Code.  Yahoo! argued that any attempt to enforce a foreign judgment in the United States would fail under the First Amendment to the United States Constitution, that the auctions were conducted within the jurisdiction of the United States and directed towards United States residents, and that there was no practical method to prevent French residents from participating in the auctions.  Nevertheless, the High Court ruled that because the content was accessible within France, there was a sufficient basis to establish jurisdiction.  The High Court issued a mandatory injunction, ordering Yahoo! to take measures to prevent access to auctions of Nazi memorabilia on its site by French residents.  

Another example of the uncertainty imposed when a Member State disregards the various safe- harbor guidelines provided by the eCommerce Directive was provided earlier this year, when a Municipal Court in Prague controversially found the operator of finance website (Mesec.cz) liable for the “abusive” content of a thread on its discussion forum.  The Municipal Court found the defendant liable for the content of the discussion because its revenues were generated by using the website in order to rank various companies on the market, therefore creating responsibility for maintaining the quality of those discussions.  The Court further reasoned that the defendant could have known that the expressions contained in the discussions were unlawful and that the defendant took no steps to remedy the situation. 

The foregoing illustrates issues that arise when Member States exceed the scope and breadth intended by the European Parliament when it issued the eCommerce Directive.

Privacy and Data Security Directives
Current rules regarding consumers’ consent to the gathering and processing of their personal data have also been interpreted differently throughout the European Union.  The privacy and data protection structure that is currently applicable throughout the European Union must be overhauled in order to keep pace with evolving methods of conducting business over the Internet, including targeted marketing, cloud computing and social networking.  The resolution of discrepancies between the ways in which Member States implement various Directives is critical for global business.  

The important Privacy Directives are made up of the original 1995 Directive (95/46/EC) and the 2002 ePrivacy Directive (2002/58/EC).  The ePrivacy Directive is a Directive which compliments the general 1995 Directive, covering data protection and privacy.  It establishes a European consent framework which requires online businesses to gather and maintain data in a secure manner, and obtain the informed consent of consumers (i.e., a consumer must affirmatively opt-in) in order to store or access cookies.  There are exceptions to this opt-in approach in circumstances where the cookie is “strictly necessary” for the provision of a service “explicitly requested” by the consumer.

The 1995 Directive establishes the basic principles for protecting privacy in Europe – only personal data that is absolutely and legitimately necessary may be processed.  The 1995 Directive also sets forth that each Member State should have a data protection authority that would, in some manner, supervise the application of the Directive’s principles.  Again, the  manner in which data protection authorities implement various Directives throughout the European Union varies and reinforces the idea that consumer facing websites doing business in Europe must be well informed of the potential risks.  

The 1995 Directive also sets forth the definition of “personal data,” a definition that remains very contentious as European Union data protection authorities continue to take the position that it includes such things as Internet Protocol addresses (an interpretation not necessarily taken in the United States).  Further complicating matters is that the implementation of the given definition of “personal data” set forth by the 1995 Directive varies from one Member State to the next.    

As a general rule, an online advertiser is generally subject to the data protection law of the individual Member State in which it is established.  Similarly, if a particular online business activity requires a license, the home-base license will be recognized throughout Europe.  Therefore, careful consideration should be given to exactly which Member State to call home.  Internet agreements should be carefully reviewed and, when necessary, amended to conform to Member States’ specific requirements.  Conversely, Internet-based businesses that market products or services throughout Europe but maintain a physical presence solely within the United States have different issues to consider, such as whether they maintain adequately broad privacy and data protection regimes for citizens throughout the European Union.  Failure to do so may render online businesses, which are exclusively based in the United States, subject to many different national governments and data protection authorities which will assert that th
eir individual national laws apply. 

It is anticipated that there may be substantial revisions to the outdated 1995 Data Protection Directive, followed by proposed legislation in the year 2011.  Changes are expected with regard to numerous industry “best practices,” including the mandatory appointment of a data protection official for companies of a certain size.  Currently, only Estonia, France, Germany, and Hungary have adopted this concept, which places privacy and data compliance responsibilities upon one designated individual.  One fundamental difference between this concept in the United States and abroad is the existence of criminal liability for infringement in Europe.  The modernization of the European Union privacy and data protection scheme will focus upon clarifying Member States’ responsibilities and providing for a similar degree of protection within and without the European Union.

Further underscoring the need for compatible privacy standards throughout the European Union is the recent ruling earlier this year by a court in Milan, Italy.  The Italian court found the Chief Financial Officer (retired), Chief Legal Officer, and Global Privacy Counsel of Google, Inc. responsible for the actions of a group of teenagers who uploaded a mobile-telephone video onto Google Video (the predecessor website of YouTube) of an autistic boy being harassed by classmates.  The video was uploaded in 2006 and was viewed more than 5,000 times.  Despite not having been notified of the existence of the controversial video and having absolutely nothing to do with those involved, the defendants were convicted for failing to comply with the Italian privacy code.   

Balancing the freedom of expression with fundamental privacy rights is a growing concern, especially as the general public increasingly demands that someone be held accountable.  However, finding an employee of an Internet services operator personally responsible for user-generated content and imposing an obligation to pre-screen countless hours of user-generated content uploaded to websites like YouTube, every day, constitutes a legitimate threat to freedom of expression on the Internet.  

In today’s digital age, traditional notions of privacy and freedom of expression are becoming increasingly more difficult to interpret, as are contemporary issues surrounding liability for user-generated content.  The policy implications of the Google, Inc. matter upon platforms that permit user-generated content, including social media networks, are potentially staggering.  Clearly, Internet-based businesses must tread carefully in the absence of consistent Directives amongst Member States.

Rapid technological developments have significantly changed today’s business world and have  brought a whole new set of challenges for the protection of freedom of expression and personal data that will stand the test of time.  The European Union must use caution so as not to stifle the promotion and use of new technological developments.  In that regard, a balance must be achieved between strengthening consumers’ rights by increasing transparency and ensuring informed and free consent, creating consistent international laws for online businesses that handle personal data and host third-party content, and maintaining reasonably coherent and realistic standards for online businesses that wish to expand into the European Union.

Broad-sweeping clarification will most certainly be welcomed by online businesses that sell, market, or advertise goods and services in one or more Members States.

Richard Newman is an experienced Internet lawyer and business litigation attorney who counsels clients on a broad range of Internet and technology-related legal matters.  Prior to founding Hinch Newman LLP, Richard was a Senior Associate with a marketing, promotions and communications law firm located in New York City.  Hinch Newman LLP maintains offices in San Diego, California and the United Kingdom.  New office location coming soon to New York City (April 2011).