U.S. Web Firms Told to Stick to EU Privacy Laws


The culture clash between American and European privacy cultures has been bubbling away for some time; witness regular battles with Google Street View (s goog), for starters. But now things have stepped up a level, with one senior European Union official making a broadside attack aimed at services such as Google and Facebook.

Off the back of last week’s concern about a new pan-European directive regulating the use of cookies, Viviane Reding, the EU’s commissioner for justice, has said companies like Facebook and Google cannot avoid complying with EU privacy law.

“Privacy standards for European citizens should apply independently of the area of the world in which their data is being processed,” she said. “To enforce the EU law, national privacy watchdogs shall be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers whose services target EU customers.”

The question of legal jurisdiction has long been a serious one for American Internet companies with a significant number of European users. The generally accepted line is that foreign companies that have a physical presence inside the EU — whether that’s an office or servers — are subject to European law; those outside are not. Facebook, Google and others deal regularly with lawmakers and police across the continent and comply with the law — though they do spend time lobbying against rules that they feel might hamper their business.

But some companies go so far as setting up their data centers just outside European Union territory (in countries such as Iceland) in order to serve customers there while avoiding EU jurisdiction.

Reding’s comments are the clearest sign that officials in Brussels don’t like that situation, but there have been warning notes sounded before. She has commented before, for example, that any company that has a significant number of European users should be subject to the same rules as anyone inside the Union.

In particular, there’s a question around the so-called “right to be forgotten” — in which a user can demand that all information about them be removed from a particular service. It’s effectively the translation of a meatspace law into the virtual world, but some have voiced concerns about its application online. (Here is a great — and unofficial — post by Google privacy counsel Peter Fleischer discussing the issues).

There’s nothing unusual in being subject to local laws, of course. As well as federal law, American companies are subject to different laws in different states. Meanwhile, many companies that do business in China comply with far more pernicious local regulations.

So is it something to worry about? I’m still trying to understand what it is that drives so much concern about these privacy directives. Is it just a fundamental culture clash? America’s corporate, opt-out society versus Europe’s increasingly protective, opt-in approach? Or is there something more?



We run into europe privacy laws every day in our global company. We could save money by consolidating servers here in the US, but we would have to comply with the EU safe harbor laws. Its dumb and its expensive and it makes us maintain datacenters in Europe. I wonder if thats really why the laws are there.



The UK did not vote for the EU, in the 70’s the UK voted for the common market, or free trade agreement. They did not vote for increasing political union.

There has been no further referendum, and the Parliament continues to agree to European measures without such referendum because they no they are not in line with the majority of the UK population.

Furthermore the key decision makers, the Council of Europe and the European Commission are far from democratic, they are not voted in or out of office – they have no accountability. The parliament, which people vote for has no real power.



Actually the UK voted for it, twice. You also regularly take part in the European elections and the current elected European Parliament belongs to the leading forces in the EU in the surge for stricter privacy laws. Of course in case you belong to those who haven’t voted in these elections you should better keep your mouth shut or otherwise risk looking like a hypocrite.


Well i have never heard of the man before this article. Here in the UK we don’t want your laws. we didn’t vote for you, we don’t know who you are and you have no mandate. You are not accountable, electable, unelectable so take you EU ‘project’ and stick it along with your stupid laws up where the sun doesn’t shine.


I call hypocracy!

The EU has just decided to overturn a Norwegian law which prohibits broadcasters loacted in other (EU) countries from targeting Norwegian customers with ads for products containing alcohol (such ads are illegal in Norway and may TV-stations set up offices outside Norway throgh which to broadcast just to get around Norways strict advertisement laws).

Yet the EU complains when companies target EU citizens while “broadcasting” from outside the EU to get around EUs strict privacy laws.

So EU, which is it? Have your cake, or eat it?


Just the EU trying to extort privilege as usual. At least they have not sued for damages, yet.

Comments are closed.