Belgium Fines Yahoo For Protecting User Privacy On Its US Servers
from the this-is-bad... dept
For many years, we’ve discussed the many challenges faced by countries in trying to recognize that “jurisdiction” on the internet isn’t what they probably think it is. Many countries want to interpret internet jurisdiction as “if it’s accessible here via the internet, it’s covered by our laws.” But it doesn’t take much scenario planning to recognizing what a disaster would result from such an interpretation. Effectively that means that the most restrictive legislation anywhere in the world (think: China, Iran, Saudi Arabia, etc.) would apply everywhere else.
That’s why it’s quite worrisome to find out that Belgium is trying to fine Yahoo for protecting its users’ privacy and refusing to hand over user data to Belgian officials. Yahoo noted, accurately, that it does not have any operation in Belgium, and the data in question was held on US servers, not subject to Belgian law. On top of that, the US and Belgium have a good diplomatic relationship, such that such a data request could have gone through established diplomatic channels to make sure that US laws were properly obeyed as well. But, instead, Belgian officials just demanded the info from Yahoo’s US headquarters directly, and then took the company to criminal court where the judge issued the fine. The Center for Democracy & Technology highlights the problems of not pushing back against this ruling:
The implications of this ruling are profound and far-reaching. Following the court’s logic would subject user data associated with any service generally available online to the jurisdiction of all countries. It would also subject all companies that offer services generally available on the global Internet to the laws of all jurisdictions, potentially exposing individual employees to a variety of criminal sanctions.
The U.S. government should be paying close attention here: To understand how problematic this ruling is, we need only imagine how the governments of China, Iran, Vietnam or other repressive regime of your choice may decide that the precedent set here is one well worth following. Such actions undermine Belgium’s moral authority since, after all, it would only be hypocritical for Western democracies to criticize such radically overbroad assertions of jurisdiction by other nations.
CDT suggests the US government should get involved and protest the Belgian court ruling:
In the present case, Yahoo! has done right by its users. The company asked law enforcement officials to follow established diplomatic and legal processes in order to gain access to user information. It also enlisted the support of its home government to facilitate the process. In return, Belgian authorities have flouted an existing MLAT agreement, slapped Yahoo! with a fine, and set a dangerous precedent that potentially imperils the privacy of all Internet users and invites abuse by bad actors.
Filed Under: belgium, jurisdiction, liability
Companies: yahoo
Comments on “Belgium Fines Yahoo For Protecting User Privacy On Its US Servers”
If Yahoo! says “No, screw you. We won’t give you the data and won’t pay your fine.” what will the Belgium officials do? Write Yahoo! a very angry letter explaining how angry they are?
Where Yahoo! hasn’t got a presence there, I would of given them the finger too. Heck, I think Yahoo! has gone above and beyond already by noting the US government that such a request by the Belgiums might be underway.
Re: Re:
Yeah, I’m really wondering just how Belgium thinks anything they do to Yahoo would be effective if Yahoo has no presence in the country.
Re: Re: Re:
Typical bureaucratic nonsense. The Department of Public Whohaws and Geegaws receives an officially stamped Letter of Objection from the Representative of Nonsense and Jokes that “…something must be done about this outrage.” and so shoots off a Punitive Action Item to several Committees About Nothing which spurs into action a number of Canonical Discussions of Writ in which… well, you get the gist. We all have this kind of crap, but Europe really values them and takes political process really seriously.
I guess that means that any internet company in Belgium has to follow all the US’s laws as well, right? Does that mean that Belgium internet companies will have to get the proper permits and such from the US government? I’m sure the IRS will want their cut as well…
The current state of affairs...
With countries trying to enforce their laws on foreign internet companies, it is a wonder anyone would want to start a new website. If Belgium doesn’t like Yahoo, then why don’t they just put in a national filter? Or would that not be popular with the Belgians and cause a backlash? I hope Yahoo gives them the proverbial finger.
Re: The current state of affairs...
Its really not a problem; if Yahoo is smart (and we’ve seen that they aren’t particularly bright over there in some respects) they will simply ignore Belgium. The WORST thing they could do is send some one over there to parley with with the Belgium Parliament and “…try to work something out.”
Unenforceable
> Yahoo noted, accurately, that it does not have any operation in Belgium
If that’s the case, then they should just ignore the fine. If the company has no presence in Belgium, there’s nothing the country can do to collect the fine. What are they gonna do? Come over here and arrest the CEO? Try that and the Belgian officials would be arrested themselves for kidnapping.
I know if I was a US citizen just going about my business in the US and I got a notice of fine from Belgium for something I said on the internet that violates Belgian law, I’d crumple it up and toss it. It’s completely unenforceable.
Re: Unenforceable
“I know if I was a US citizen just going about my business in the US and I got a notice of fine from Belgium for something I said on the internet that violates Belgian law, I’d crumple it up and toss it. It’s completely unenforceable.”
Are you crazy? Be careful what you do with that notice! The Belgiums are everywhere!
See, even conspiracy theorists can make fun of themselves 🙂
Re: Unenforceable
In the US, yes you would be safe, but come to the European union (or in the case of Yahoo, any of it’s exec’s) and they could be arrested
And it was the USA that started that messy precedent during the whole internet gambling ban by grabbing execs from gambling companies while they transferring flights on US soil
Extra: Even worse for UK citizen’s, due to the Gov stupidly if you break US law while in the UK you can get extradited with no legal recourse
Re: Unenforceable
@btr1701: “(If) I got a notice of fine from Belgium for something I said on the internet that violates Belgian law, I’d crumple it up and toss it.”
I’d laugh my ass off and frame the f#cker. “I got noticed by Belgium for my nonsense!” I’d tell everyone who looked at the framed copy hanging on my wall.
Re: Unenforceable
Well … Belgium could demand that you be extradited. If USA does not comply, then Belgium could invade USA to come get you. USA would probably destroy all of Belgium if that happened, but oh well.
Re: Re: Unenforceable
Of course. When *I* am threatened, the entire destructive force of the US Armed Forces spur into action. Reserves are called, F-22 Raptors are built (on credit), nuclear arsenals are activated, Congressmen are paid, Multinational Banking Conglomerates fail, etc. I’m that important.
Re: Re: Re: Unenforceable
“Of course. When *I* am threatened, the entire destructive force of the US Armed Forces spur into action. Reserves are called, F-22 Raptors are built (on credit), nuclear arsenals are activated, Congressmen are paid, Multinational Banking Conglomerates fail, etc. I’m that important.”
Awesome return sarcasm, being serious. You just made one mistake. This is an overreactive international war, so Banking Conglomerates win, not fail.
Re: Re: Re: Unenforceable
Best comment ever. Nuff said
Re: Unenforceable
First it’s a rather stupid idea, but it’s rather common. E.g. all countries, including the US to work with this legal setup.
Second the US has clearly shown how to enforce stuff like that. E.g. arrest the officers of the company when they enter the US. In this case Yahoo officers and/or employees might get arrested when entering the Union.
Third, the US is also one of the countries that consider it okay to kidnap somebody abroad to try him at home.
(http://www.questia.com/googleScholar.qst;jsessionid=KhRWVzZ8d4yPFH1nSBNBGB1Z1xsygKbHMCj2YTpwTJxFNWd3bTV5!342583392!-481857147?docId=5000479708)
)
Basically, this happens all the time, in the real economy (not just the Internet), and it’s usually the USA that forces it’s laws on the rest of the world. Though luck when it happens the other way.
(Examples the Cuba embargo has caused an Austrian bank that got acquired by an US fond to cancel accounts by Cubans. Which is punishable in the EU and in Austria. Hence the fund had to get an exception, or the bank would be continually fined. Or the UBS handling. Guess not many people in the US realize that handing over customer data like that has been a felony in Switzerland. Or how the US has forced SWIFT to hand over data clandestinely. And so on.)
yacc
Re: Unenforceable
I’d frame it 🙂
mmmmm… waffles
Belgium
Jean-Claude Van Damme. ’nuff said.
That means that Belgium sites must pay for Shopping Cart and OK button style US Patents?
The fine was issued because they were tracking a group of criminals that used yahoo e-mails to communicate, and yahoo refused to hand over the identities.
Dutch source here: http://www.deredactie.be/cm/vrtnieuws/archief/2.1222/oostvlaanderen/1.481382
Re: Re:
“The fine was issued because they were tracking a group of criminals that used yahoo e-mails to communicate, and yahoo refused to hand over the identities [because the idiotic Belgium authorities couldn’t be bothered to go through the proper channels]”
There, fixed that for you.
Re: Re:
Oh, so it’s OK to violate individual privacy as long as a government says that they’re doing it for the right reason? It sounds like you’d agree with the US’s warrantless wiretapping program then too.
Any government is, by definition, a heartless and mindless organism that should be naturally mistrusted.
LOL! Is Belgium still a country? Who knew!
Thank you Yahoo, Keep up the good fight!
Thank you Yahoo, Keep up the good fight!
If they wanted the information
All they had to do was hire a US attorney to go to court and request a subpoena for the information. Or, you know, have their diplomat request help from the US Attorney’s office for the same. I’m sure Yahoo would have been glad to hand it over in that case.
Re: If they wanted the information
Why complicate things? All they needed to do was make a request through Interpol as Yahoo had suggested.
Doesn’t Peter Sunde have a template response letter for this sort of situations? Just ask him how to reply!
So, in this instance a US company with no links to Belgium and US data should be under US laws. The law in Belgium shouldn’t be applied to Yahoo just because someone in Belgium accessed a yahoo site. Agree with that.
But then how about the NPG case – a UK entity with (as far as I know) no outlet in the US, and UK data … but somehow people are arguing that just because the pictures on their website are available in the US they come under US copyright laws?
Sounds to me like it’s not just countries coming up with odd conclusions on jurisdiction?
Re: Re:
Your analogy, while interesting, is severely broken.
The “US data” of Yahoo in question was not published on a website and distributed internationally. And Yahoo wasn’t refusing to give it to the Belgian authorities because they were claiming copyright on said data.
Re: Re:
The two cases aren’t even remotely similar. In the NPG case, they willfully allowed the pictures to be transferred to the United States. Once that has happened, the pictures fall under United States copyright law, that is correct. To think otherwise would be foolish. Do you know where the servers you access are located? Are you familiar with every countries laws? How do you know that you haven’t violated a law in boogywoogievillestein when you viewed that ad that was on that page you saw last week?
Intresting
While this cover international aspects of internet law, This has potential ramifications in interstate internet law. Specifically tax collection. If there is no physical presence in the users state should sales tax be collected for that state? The item was purchased from the servers in state “X” so it seems that sales tax could be collected for all sales in state “X” but not for sales in state “Y” ….. hmmmm
EU ramifications?
OK, I’m making a small jump here by assuming that Belgium is part of the EU, but let’s assume that they are. In that case, can Belgium require other EU nations where Yahoo actually does have a presence to enforce judgements from Belgium? If they can, then this will be an issue for Yahoo and they probably will have to deal with it sooner or later.
There’s a simple solution, block Belgium’s IP addresses from accessing Yahoo. If Belgium persists then expand the companies blocking them.
Yahoo! should block their servers from being accessable from Belgium and demand an apology from the Belgium government…
Individuals already affected
I am getting the suspicion that this story pretends this to be a bigger issue because it affects an American company.
However, this kind of “which laws are affecting what I do” has already got individuals. See for example the case of Hew Raymond Griffiths,
http://en.wikipedia.org/wiki/Hew_Raymond_Griffiths
http://www.ibls.com/internet_law_news_portal_view.aspx?id=1778&s=latestnews
Griffiths was extradited to the U.S., a country he had never visited, for some “Intelectual Property” crimes.
For a company it is a mere money issue, but when individuals are extradited it becomes extremely problematic.
Stephan
Re: Individuals already affected
“I am getting the suspicion that this story pretends this to be a bigger issue because it affects an American company.”
Duh… You missed the point, which is that for lack of jurisdiction it does NOT affect any American company.”
VRP
Difference in jurisdiction
Every communication system in a local country is being watched by local authorities. The bigger countries also have a spy system to watch communications outside their borders. US has, Belgium has not such a system.
In case of criminal investigation, local police can ask for information cross border. In Europe, there is special legislation to pass information cross-border.
There is no such system in between Belgium and the US for criminal action. Everything has to go over interpol or by means of political pressure, embassies or direct contacts in between police systems.
This can upset local police and tresspass the borders of what they are authorized to do. In Belgium there are laws that authorize jurisdiction to tresspass all borders as soon as a person with links to Belgium is involved.
I guess both issues have been mixed here and this should really be left to lawyers.
And yes, Belgium can ask retaliation all over Europe against Yahoo, but they will have to convice the Polish and UK to do so as well.
And yes, Belgian companies are attacked all the time this way by US juridical systems. And yes the US has more local laws allowing to protect interests of US individuals and companies around the world.
In globo, if yahoo can be forced to hand over data about individuals to US juridical system, it should also be possible for other countries that are part of the WTO to ask the same. And this in all countries and in all directions.
Personal Indentifying Information
All of the security systems are moving toward a system of Personal Indentifying Information (PII). If it was the United States (not Belgium) and the Chinese government attacked your computers en masse, would you trust Yahoo! to keep their information private from the US Government so that no-one knows who they are? Don’t confuse the Government mandate to keep information private from keeping a way to catch criminals. Belgium is doing nothing more than protecting it’s citizens from unknown criminal gangs of hackers.
Re: Personal Indentifying Information
“Don’t confuse the Government mandate to keep information private from keeping a way to catch criminals. Belgium is doing nothing more than protecting it’s citizens from unknown criminal gangs of hackers.”
Privacy is privacy. If you don’t protect the privacy of ‘alleged’ criminals before they’ve even been brought to trial, then you’re simply not protecting privacy at all. You can’t pick and choose.
If Belgium wants to protect its citizens, then it should work within the law: contact the US Government and obtain a subpoena for the information from Yahoo. If it ignores the proper channels, Yahoo has no recourse but to protect the rights of its users under US law, which states that it can’t just randomly give out information just because someone asked for it. Not even the US Government gets that. It has to ask for it in a proper and legal way.
Re: Personal Indentifying Information
“unknown criminal gangs of hackers”.
Who are you calling criminals?
Those who haven’t even been charged, let alone convicted of anything.
Seems like you belong in Belgium, or places worse…
Meanwhile, you’ll be called a criminal. See how you like it.
VRP
ATIIL
Remind me...
not to visit Belgium.
Alot of genius has come out of Belgium. I’m surprised the Belgian government didn’t take the more diplomatic approach. They may have actually got what they wanted. Instead they were fast with their gun, made themselves look foolish and received nothing they actually wanted. Not very constructive.