Belgium Fines Yahoo For Protecting User Privacy On Its US Servers

from the this-is-bad... dept

Fri, Jul 17th 2009 5:55am — Mike Masnick

For many years, we've discussed the many challenges faced by countries in trying to recognize that "jurisdiction" on the internet isn't what they probably think it is. Many countries want to interpret internet jurisdiction as "if it's accessible here via the internet, it's covered by our laws." But it doesn't take much scenario planning to recognizing what a disaster would result from such an interpretation. Effectively that means that the most restrictive legislation anywhere in the world (think: China, Iran, Saudi Arabia, etc.) would apply everywhere else.

That's why it's quite worrisome to find out that Belgium is trying to fine Yahoo for protecting its users' privacy and refusing to hand over user data to Belgian officials. Yahoo noted, accurately, that it does not have any operation in Belgium, and the data in question was held on US servers, not subject to Belgian law. On top of that, the US and Belgium have a good diplomatic relationship, such that such a data request could have gone through established diplomatic channels to make sure that US laws were properly obeyed as well. But, instead, Belgian officials just demanded the info from Yahoo's US headquarters directly, and then took the company to criminal court where the judge issued the fine. The Center for Democracy & Technology highlights the problems of not pushing back against this ruling:

The implications of this ruling are profound and far-reaching. Following the court's logic would subject user data associated with any service generally available online to the jurisdiction of all countries. It would also subject all companies that offer services generally available on the global Internet to the laws of all jurisdictions, potentially exposing individual employees to a variety of criminal sanctions.

The U.S. government should be paying close attention here: To understand how problematic this ruling is, we need only imagine how the governments of China, Iran, Vietnam or other repressive regime of your choice may decide that the precedent set here is one well worth following. Such actions undermine Belgium's moral authority since, after all, it would only be hypocritical for Western democracies to criticize such radically overbroad assertions of jurisdiction by other nations.

CDT suggests the US government should get involved and protest the Belgian court ruling:

In the present case, Yahoo! has done right by its users. The company asked law enforcement officials to follow established diplomatic and legal processes in order to gain access to user information. It also enlisted the support of its home government to facilitate the process. In return, Belgian authorities have flouted an existing MLAT agreement, slapped Yahoo! with a fine, and set a dangerous precedent that potentially imperils the privacy of all Internet users and invites abuse by bad actors.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: belgium, jurisdiction, liability
Companies: yahoo

44 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 17 Jul 2009 @ 6:04am

If Yahoo! says "No, screw you. We won't give you the data and won't pay your fine." what will the Belgium officials do? Write Yahoo! a very angry letter explaining how angry they are?
Where Yahoo! hasn't got a presence there, I would of given them the finger too. Heck, I think Yahoo! has gone above and beyond already by noting the US government that such a request by the Belgiums might be underway.
[ link to this | view in thread ]
Rekrul, 17 Jul 2009 @ 6:13am

I guess that means that any internet company in Belgium has to follow all the US's laws as well, right? Does that mean that Belgium internet companies will have to get the proper permits and such from the US government? I'm sure the IRS will want their cut as well...
[ link to this | view in thread ]
Xanthir, FCD (profile), 17 Jul 2009 @ 6:19am

Re:
Yeah, I'm really wondering just how Belgium thinks anything they do to Yahoo would be effective if Yahoo has no presence in the country.
[ link to this | view in thread ]
John Doe, 17 Jul 2009 @ 6:22am

The current state of affairs...
With countries trying to enforce their laws on foreign internet companies, it is a wonder anyone would want to start a new website. If Belgium doesn't like Yahoo, then why don't they just put in a national filter? Or would that not be popular with the Belgians and cause a backlash? I hope Yahoo gives them the proverbial finger.
[ link to this | view in thread ]
btr1701 (profile), 17 Jul 2009 @ 6:30am

Unenforceable
> Yahoo noted, accurately, that it does not have any operation in Belgium

If that's the case, then they should just ignore the fine. If the company has no presence in Belgium, there's nothing the country can do to collect the fine. What are they gonna do? Come over here and arrest the CEO? Try that and the Belgian officials would be arrested themselves for kidnapping.

I know if I was a US citizen just going about my business in the US and I got a notice of fine from Belgium for something I said on the internet that violates Belgian law, I'd crumple it up and toss it. It's completely unenforceable.
[ link to this | view in thread ]
Anonymous Coward, 17 Jul 2009 @ 6:46am

mmmmm... waffles
[ link to this | view in thread ]
Dark Helmet (profile), 17 Jul 2009 @ 6:53am

Re: Unenforceable
"I know if I was a US citizen just going about my business in the US and I got a notice of fine from Belgium for something I said on the internet that violates Belgian law, I'd crumple it up and toss it. It's completely unenforceable."

Are you crazy? Be careful what you do with that notice! The Belgiums are everywhere!

See, even conspiracy theorists can make fun of themselves :)
[ link to this | view in thread ]
mike42 (profile), 17 Jul 2009 @ 7:00am

Belgium
Jean-Claude Van Damme. 'nuff said.
[ link to this | view in thread ]
Johndifo, 17 Jul 2009 @ 7:11am

That means that Belgium sites must pay for Shopping Cart and OK button style US Patents?
[ link to this | view in thread ]
Drake, 17 Jul 2009 @ 7:17am

The fine was issued because they were tracking a group of criminals that used yahoo e-mails to communicate, and yahoo refused to hand over the identities.

Dutch source here: http://www.deredactie.be/cm/vrtnieuws/archief/2.1222/oostvlaanderen/1.481382
[ link to this | view in thread ]
JackSombra (profile), 17 Jul 2009 @ 7:19am

Re: Unenforceable
In the US, yes you would be safe, but come to the European union (or in the case of Yahoo, any of it's exec's) and they could be arrested

And it was the USA that started that messy precedent during the whole internet gambling ban by grabbing execs from gambling companies while they transferring flights on US soil

Extra: Even worse for UK citizen's, due to the Gov stupidly if you break US law while in the UK you can get extradited with no legal recourse
[ link to this | view in thread ]
Dark Helmet (profile), 17 Jul 2009 @ 7:20am

Re:
"The fine was issued because they were tracking a group of criminals that used yahoo e-mails to communicate, and yahoo refused to hand over the identities [because the idiotic Belgium authorities couldn't be bothered to go through the proper channels]"

There, fixed that for you.
[ link to this | view in thread ]
minijedimaster (profile), 17 Jul 2009 @ 7:37am

LOL! Is Belgium still a country? Who knew!
[ link to this | view in thread ]
interval, 17 Jul 2009 @ 8:04am

Re: Re:
Typical bureaucratic nonsense. The Department of Public Whohaws and Geegaws receives an officially stamped Letter of Objection from the Representative of Nonsense and Jokes that "...something must be done about this outrage." and so shoots off a Punitive Action Item to several Committees About Nothing which spurs into action a number of Canonical Discussions of Writ in which... well, you get the gist. We all have this kind of crap, but Europe really values them and takes political process really seriously.
[ link to this | view in thread ]
interval, 17 Jul 2009 @ 8:08am

Re: The current state of affairs...
Its really not a problem; if Yahoo is smart (and we've seen that they aren't particularly bright over there in some respects) they will simply ignore Belgium. The WORST thing they could do is send some one over there to parley with with the Belgium Parliament and "...try to work something out."
[ link to this | view in thread ]
interval, 17 Jul 2009 @ 8:11am

Re: Unenforceable
@btr1701: "(If) I got a notice of fine from Belgium for something I said on the internet that violates Belgian law, I'd crumple it up and toss it."

I'd laugh my ass off and frame the f#cker. "I got noticed by Belgium for my nonsense!" I'd tell everyone who looked at the framed copy hanging on my wall.
[ link to this | view in thread ]
Anonymous Coward, 17 Jul 2009 @ 8:28am

Re:
Oh, so it's OK to violate individual privacy as long as a government says that they're doing it for the right reason? It sounds like you'd agree with the US's warrantless wiretapping program then too.

Any government is, by definition, a heartless and mindless organism that should be naturally mistrusted.
[ link to this | view in thread ]
Anonymous Coward, 17 Jul 2009 @ 8:40am

Thank you Yahoo, Keep up the good fight!
[ link to this | view in thread ]
Anonymous Coward, 17 Jul 2009 @ 8:40am

Thank you Yahoo, Keep up the good fight!
[ link to this | view in thread ]
Avatar28 (profile), 17 Jul 2009 @ 8:56am

If they wanted the information
All they had to do was hire a US attorney to go to court and request a subpoena for the information. Or, you know, have their diplomat request help from the US Attorney's office for the same. I'm sure Yahoo would have been glad to hand it over in that case.
[ link to this | view in thread ]
Osno (profile), 17 Jul 2009 @ 9:10am

Doesn't Peter Sunde have a template response letter for this sort of situations? Just ask him how to reply!
[ link to this | view in thread ]
ethorad, 17 Jul 2009 @ 9:24am

For many years, we've discussed the many challenges faced by countries in trying to recognize that "jurisdiction" on the internet isn't what they probably think it is. Many countries want to interpret internet jurisdiction as "if it's accessible here via the internet, it's covered by our laws."

So, in this instance a US company with no links to Belgium and US data should be under US laws. The law in Belgium shouldn't be applied to Yahoo just because someone in Belgium accessed a yahoo site. Agree with that.

But then how about the NPG case - a UK entity with (as far as I know) no outlet in the US, and UK data ... but somehow people are arguing that just because the pictures on their website are available in the US they come under US copyright laws?

Sounds to me like it's not just countries coming up with odd conclusions on jurisdiction?
[ link to this | view in thread ]
Judsonian, 17 Jul 2009 @ 9:38am

Intresting
While this cover international aspects of internet law, This has potential ramifications in interstate internet law. Specifically tax collection. If there is no physical presence in the users state should sales tax be collected for that state? The item was purchased from the servers in state "X" so it seems that sales tax could be collected for all sales in state "X" but not for sales in state "Y" ..... hmmmm
[ link to this | view in thread ]
Kevin, 17 Jul 2009 @ 9:50am

EU ramifications?
OK, I'm making a small jump here by assuming that Belgium is part of the EU, but let's assume that they are. In that case, can Belgium require other EU nations where Yahoo actually does have a presence to enforce judgements from Belgium? If they can, then this will be an issue for Yahoo and they probably will have to deal with it sooner or later.
[ link to this | view in thread ]
TheStupidOne, 17 Jul 2009 @ 9:52am

Re: Unenforceable
Well ... Belgium could demand that you be extradited. If USA does not comply, then Belgium could invade USA to come get you. USA would probably destroy all of Belgium if that happened, but oh well.
[ link to this | view in thread ]
interval, 17 Jul 2009 @ 10:19am

Re: Re: Unenforceable
Of course. When *I* am threatened, the entire destructive force of the US Armed Forces spur into action. Reserves are called, F-22 Raptors are built (on credit), nuclear arsenals are activated, Congressmen are paid, Multinational Banking Conglomerates fail, etc. I'm that important.
[ link to this | view in thread ]
Dark Helmet (profile), 17 Jul 2009 @ 10:39am

Re: Re: Re: Unenforceable
"Of course. When *I* am threatened, the entire destructive force of the US Armed Forces spur into action. Reserves are called, F-22 Raptors are built (on credit), nuclear arsenals are activated, Congressmen are paid, Multinational Banking Conglomerates fail, etc. I'm that important."

Awesome return sarcasm, being serious. You just made one mistake. This is an overreactive international war, so Banking Conglomerates win, not fail.
[ link to this | view in thread ]
Anonymous Coward, 17 Jul 2009 @ 11:15am

Re: Re: Re: Unenforceable
Best comment ever. Nuff said
[ link to this | view in thread ]
Anonymous Coward, 17 Jul 2009 @ 11:34am

There's a simple solution, block Belgium's IP addresses from accessing Yahoo. If Belgium persists then expand the companies blocking them.
[ link to this | view in thread ]
jwilliams, 17 Jul 2009 @ 11:42am

Yahoo! should block their servers from being accessable from Belgium and demand an apology from the Belgium government...
[ link to this | view in thread ]
Stephan Wehner, 17 Jul 2009 @ 11:59am

Individuals already affected
I am getting the suspicion that this story pretends this to be a bigger issue because it affects an American company.

However, this kind of "which laws are affecting what I do" has already got individuals. See for example the case of Hew Raymond Griffiths,

http://en.wikipedia.org/wiki/Hew_Raymond_Griffiths

http://www.ibls.com/internet_law _news_portal_view.aspx?id=1778&s=latestnews

Griffiths was extradited to the U.S., a country he had never visited, for some "Intelectual Property" crimes.

For a company it is a mere money issue, but when individuals are extradited it becomes extremely problematic.

Stephan
[ link to this | view in thread ]
thegoblin, 17 Jul 2009 @ 12:41pm

Re:
Your analogy, while interesting, is severely broken.

The "US data" of Yahoo in question was not published on a website and distributed internationally. And Yahoo wasn't refusing to give it to the Belgian authorities because they were claiming copyright on said data.
[ link to this | view in thread ]
Yves, 17 Jul 2009 @ 1:44pm

Difference in jurisdiction
Every communication system in a local country is being watched by local authorities. The bigger countries also have a spy system to watch communications outside their borders. US has, Belgium has not such a system.

In case of criminal investigation, local police can ask for information cross border. In Europe, there is special legislation to pass information cross-border.
There is no such system in between Belgium and the US for criminal action. Everything has to go over interpol or by means of political pressure, embassies or direct contacts in between police systems.

This can upset local police and tresspass the borders of what they are authorized to do. In Belgium there are laws that authorize jurisdiction to tresspass all borders as soon as a person with links to Belgium is involved.

I guess both issues have been mixed here and this should really be left to lawyers.

And yes, Belgium can ask retaliation all over Europe against Yahoo, but they will have to convice the Polish and UK to do so as well.
And yes, Belgian companies are attacked all the time this way by US juridical systems. And yes the US has more local laws allowing to protect interests of US individuals and companies around the world.

In globo, if yahoo can be forced to hand over data about individuals to US juridical system, it should also be possible for other countries that are part of the WTO to ask the same. And this in all countries and in all directions.
[ link to this | view in thread ]
Anonymous Coward, 17 Jul 2009 @ 2:29pm

Re:
The two cases aren't even remotely similar. In the NPG case, they willfully allowed the pictures to be transferred to the United States. Once that has happened, the pictures fall under United States copyright law, that is correct. To think otherwise would be foolish. Do you know where the servers you access are located? Are you familiar with every countries laws? How do you know that you haven't violated a law in boogywoogievillestein when you viewed that ad that was on that page you saw last week?
[ link to this | view in thread ]
yacc, 17 Jul 2009 @ 5:19pm

Re: Unenforceable
First it's a rather stupid idea, but it's rather common. E.g. all countries, including the US to work with this legal setup.

Second the US has clearly shown how to enforce stuff like that. E.g. arrest the officers of the company when they enter the US. In this case Yahoo officers and/or employees might get arrested when entering the Union.

Third, the US is also one of the countries that consider it okay to kidnap somebody abroad to try him at home.
(http://www.questia.com/googleScholar.qst;jsessionid=KhRWVzZ8d4yPFH1nSBNBGB1Z1xsygKbHMCj2YTpw TJxFNWd3bTV5!342583392!-481857147?docId=5000479708)
)

Basically, this happens all the time, in the real economy (not just the Internet), and it's usually the USA that forces it's laws on the rest of the world. Though luck when it happens the other way.

(Examples the Cuba embargo has caused an Austrian bank that got acquired by an US fond to cancel accounts by Cubans. Which is punishable in the EU and in Austria. Hence the fund had to get an exception, or the bank would be continually fined. Or the UBS handling. Guess not many people in the US realize that handing over customer data like that has been a felony in Switzerland. Or how the US has forced SWIFT to hand over data clandestinely. And so on.)

yacc
[ link to this | view in thread ]
Techn1x, 17 Jul 2009 @ 5:30pm

Re: Unenforceable
I'd frame it :)
[ link to this | view in thread ]
femtobeam, 19 Jul 2009 @ 12:12am

Personal Indentifying Information
All of the security systems are moving toward a system of Personal Indentifying Information (PII). If it was the United States (not Belgium) and the Chinese government attacked your computers en masse, would you trust Yahoo! to keep their information private from the US Government so that no-one knows who they are? Don't confuse the Government mandate to keep information private from keeping a way to catch criminals. Belgium is doing nothing more than protecting it's citizens from unknown criminal gangs of hackers.
[ link to this | view in thread ]
Allen Bishop, 19 Jul 2009 @ 1:53am

ATIIL
[ link to this | view in thread ]
Anonymous Coward, 19 Jul 2009 @ 8:35am

Re: Personal Indentifying Information
"Don't confuse the Government mandate to keep information private from keeping a way to catch criminals. Belgium is doing nothing more than protecting it's citizens from unknown criminal gangs of hackers."

Privacy is privacy. If you don't protect the privacy of 'alleged' criminals before they've even been brought to trial, then you're simply not protecting privacy at all. You can't pick and choose.

If Belgium wants to protect its citizens, then it should work within the law: contact the US Government and obtain a subpoena for the information from Yahoo. If it ignores the proper channels, Yahoo has no recourse but to protect the rights of its users under US law, which states that it can't just randomly give out information just because someone asked for it. Not even the US Government gets that. It has to ask for it in a proper and legal way.
[ link to this | view in thread ]
Thomas, 19 Jul 2009 @ 8:55pm

Remind me...
not to visit Belgium.
[ link to this | view in thread ]
Allen (profile), 19 Jul 2009 @ 10:58pm

Re: If they wanted the information
Why complicate things? All they needed to do was make a request through Interpol as Yahoo had suggested.
[ link to this | view in thread ]
VRP, 20 Jul 2009 @ 8:42pm

Re: Individuals already affected
"I am getting the suspicion that this story pretends this to be a bigger issue because it affects an American company."

Duh... You missed the point, which is that for lack of jurisdiction it does NOT affect any American company."

VRP
[ link to this | view in thread ]
VRP, 20 Jul 2009 @ 9:32pm

Re: Personal Indentifying Information
"unknown criminal gangs of hackers".

Who are you calling criminals?
Those who haven't even been charged, let alone convicted of anything.

Seems like you belong in Belgium, or places worse...
Meanwhile, you'll be called a criminal. See how you like it.

VRP
[ link to this | view in thread ]
web design, 29 Aug 2009 @ 11:20pm

Alot of genius has come out of Belgium. I'm surprised the Belgian government didn't take the more diplomatic approach. They may have actually got what they wanted. Instead they were fast with their gun, made themselves look foolish and received nothing they actually wanted. Not very constructive.
[ link to this | view in thread ]