False alarm?

Author: Perritt, Henry H., Jr.
Position: Privacy protection of personal data in the U.S. and Europe

Privacy law in the United States has been unsettled by a directive from the European Commission requiring every Member Nation of the European Union to enact comprehensive privacy legislation regulating databases with information about individuals.(1) The Directive requires that national legislation in the European Union prohibit the exchange of data between European database operators and persons in other countries that do not have adequate data privacy protection.(2)

The United States historically has not had comprehensive privacy law at the federal level. While federal law regulates federal government databases and imposes duties on credit reporting agencies, it leaves to the state most other areas of privacy. A few states have regulated insurance and healthcare databases, but none has enacted regulation as comprehensive as the European Directive.

A reality of the Information Superhighway is that computerized data, including data pertaining to individuals, flows freely across national boundaries. It is not uncommon for multinational enterprises to collect data in one country, store it, and manipulate it halfway around the world. In addition, modern mass marketing depends, to an increasing degree, on rich lodes of data about consumer interests and purchasing patterns. If an enterprise wants to succeed in global markets, it must have global information about consumer behavior. Typically, it buys that information from entities that collect it in particular geographic markets.

These aspects of electronic commerce are shaken by data privacy regulation that differs sharply from one part of the world to another. When one country or region is significantly more restrictive in its data privacy regulation, economic and technological pressures are strong for data-handling activities in other parts of the world to come into conformity with the most restrictive requirements. This practical tendency for uniform data policies means that privacy law in one part of the world tends to have de facto extraterritorial effect.

This Essay analyzes the extraterritorial effect of the European Data Privacy Directive. Drawing upon excellent work by Professors Peter Swire,(3) Joel Reidenberg,(4) and Paul Schwartz,(5) and upon the ongoing activities of the ABA Internet Jurisdiction Project,(6) it considers whether application of the European Data Privacy Directive to various kinds of conduct occurring on the Internet offends the customary international law of jurisdiction. Three kinds of jurisdiction are relevant to this inquiry:(7) jurisdiction to prescribe (to subject conduct to one's own rules), jurisdiction to adjudicate (what most American lawyers call "personal jurisdiction"), and jurisdiction to enforce (application of physical power by the judicial or executive branches of government to compel compliance with legislative or judicial pronouncements).

This Essay concludes that most likely applications of the European Privacy Directive do not offend the international law of jurisdiction as a formal matter. The Essay also concludes, however, that purely regional approaches to data privacy, exemplified by the European Directive, jeopardize the aspirations of free trade as codified in the World Trade Organization Agreement (WTO Agreement). It also concludes that the practical pressure for harmonization should be dealt with through multilateral negotiations rather than through unilateral imposition of norms by one important trading region. Discussions between the European Union and the U.S. government on contract-based self-regulatory approaches in the United States creating safe harbors for transfer of data outside the European Union offer promising new approaches for such multilateral adjustment.

Support for these conclusions is built upon two basic scenarios. Consider first a U.S. corporation with offices in France, a Member State of the European Union. Employee databases in France with respect to French employees of the U.S. corporation would clearly be protected by the Privacy Directive and the law of France implementing that Directive. To transfer the data to the U.S. corporate headquarters, assuming the U.S. law does not provide what the European Union considers adequate privacy safeguards, would be to violate French law. Yet rational employment policy presumably dictates that all such data be centrally stored and available to the final policy-making organs of the corporation located in the United States. If France can assert both adjudicatory and prescriptive jurisdiction and enforce its judgment, the U.S. corporation has a strong incentive to pressure the federal government to bring U.S. law into harmony with that of the European Union, whether or not as a matter of policy either the corporation or Congress is in agreement with the European Directive.(8)

As a matter of its own acknowledged power over persons and things within its borders,(9) France certainly may exercise both adjudicatory and prescriptive jurisdiction over offices and employees of the U.S. corporation in France. Their physical location also, of course, most likely moots any issue of enforceability. Employee data, therefore, may be kept from U.S. headquarters. Whether application of the law is wise, in light of the potential incentive it gives the corporation to relocate, is a separate issue.

This kind of French control simply does not constitute the feared "extraterritorial" application of another nation's law within the United States. To the contrary, it is the classic example of the law's territorial application. While international law places some restraints on what a nation-state may do within its own borders to those located there, this kind of social-economic legislation and its enforcement obviously does not constitute a violation of the norms of the international order.

Of course, France's assertion of prescriptive jurisdiction here has an effect in the United States, where the "other" party to the transaction (the corporate headquarters) is located. Such extraterritorial ramifications, however, do not convert the exercise of jurisdiction over the French office into an exercise of jurisdiction over the U.S. headquarters.(10) They are what Jack Goldsmith and others call "spillover effects."

If the corporate assets in France are insufficient to satisfy a judgment there against the corporation, a request by the plaintiff to a U.S. court to enforce the judgment against U.S. assets ought to be granted pursuant to the doctrine of comity. As noted, exercises of adjudicatory and prescriptive jurisdiction were in accordance with international and local law.

A potentially more interesting jurisdictional question arises in the second scenario. A Web-based enterprise located in the United States makes available its services to a citizen of a Member of the European Union. As that citizen uses the Web site, the U.S. enterprise collects data from and about the citizen, including information on what pages the citizen views. The U.S. enterprise combines the data with other data available about that individual and sells it to direct marketing enterprises as well as using it for its own marketing and product development purposes. The U.S. enterprise does not register with any European data protection authority; it does not seek permission from the user for combination and transfer and subsequent use of data from that user; and it does not limit transfers of its personal data in conformity with European national law or the European Data Privacy Directive.

This scenario presents jurisdictional problems depending on the answers to three questions: First, do the activities described violate...
