By Kurt Wimmer…
Since the advent of publishing on the Internet, media companies have been concerned about the reach of international jurisdiction over U.S. publishers. Repeatedly, media companies with few contacts outside of the United States have been subjected to the jurisdiction of distant courts in countries from Australia to Zimbabwe applying their own domestic law to content that was published under the standards of U.S. law. Media companies may publish locally, but often are forced to defend globally.
The question of whether distant law should apply to online publishers has taken on new immediacy because of a new European Union privacy law that is set to come into force in May 2018. This law, the General Data Protection Regulation, is the most significant change in EU privacy law in more than 20 years. The GDPR will be a sea-change in EU privacy law for many reasons, including fines that can amount of as much as 4 percent of a company’s global revenues and the creation of a new and powerful pan-European privacy regulatory agency – coupled with a new and more aggressive stance toward EU jurisdiction over non-EU companies.
Publishers in Europe, to be sure, are gearing up to comply with the GDPR. The open question for publishers operating outside of Europe, however, is whether this stringent new regulation will apply to them. One reason that this question of jurisdiction is of significant concern to publishers is the GDPR’s inclusion of the so-called “right to be forgotten” – the right of an EU national to insist that data about her or him be erased. The right to be forgotten, recently enforced under existing law against Google to require articles to be de-listed from search results, has a long history in the EU. Two 2016 cases in Belgium and Italy required newspapers to anonymize articles under right-to-be-forgotten petitions, with one saying that the public’s right to information can expire, “just like milk,” in as short a time as two years.
Under pre-GDPR law, publishers outside of the EU could structure their activities to avoid EU jurisdiction and avoid issues such as the right to be forgotten. The GDPR, however, aspires to a much broader jurisdictional reach than existing law. It intends to cover any company, anywhere in the world, with an online presence that “monitors the behaviour” of EU data subjects. Once subject to the GDPR’s jurisdiction, a non-EU media company could be confronted with substantial enforcement burdens and face substantial fines for refusing to comply with such an order.
Simply because GDPR aspires to global jurisdiction, however, does not answer the question of whether that aspiration is legitimate under international law. Longstanding rules and norms of public international law must be satisfied before regulatory agencies and courts can exercise jurisdiction over subjects outside their territory. Under these well-established principles of public international law, legitimate questions can be raised about whether European courts can exercise jurisdiction over non-EU publishers that do nothing on EU soil other than engage in globally accepted Internet advertising techniques that Europe believes constitute “monitor[ing] the behaviour” of Internet users.
In addition, strong U.S. constitutional and common law protections would undermine efforts to enforce an order against a U.S. publisher that would otherwise not comport with the First Amendment. Under the Securing the Protection of Our Enduring and Established Constitutional Heritage (“SPEECH”) Act, passed by Congress in 2010, certain foreign judgments are unenforceable unless the proceeding and law leading to the judgment offers “at least as much protection for freedom of speech and press” as if the case had been heard under U.S. law. Given the tenuous free-speech bases for the so-called “right to be forgotten” and the extreme financial penalties permitted by the GDPR, it seems highly unlikely that any order issued against a U.S. publisher could be enforced in U.S. courts.
For these reasons, the question of whether U.S. and other ex-EU publishers should concede that the GDPR applies to their Internet publishing activities is a very open question. It is, to be sure, a multidimensional and challenging issue. As any general counsel knows, strict applicability of the law is only one factor in determining a company’s potential responses to an enforcement action. Even if a publisher has a strong legal argument against being subject to the GDPR, there may be significant practical and reputational costs associated with defying Europe and European law. Privacy is considered to be a fundamental right in the EU; freedom of press, on the other hand, does not enjoy the same reverence in Europe that it receives in the United States. Publicly resisting a new and significant EU privacy law may attach a negative stigma to a publisher in the minds of privacy-focused Europeans. Accordingly, public perception and policy considerations will surely play a significant role in media companies’ calculus of how to approach compliance with EU privacy law generally, and the GDPR in particular.
The next six months will be crucial for U.S. publishers to form a view on the issue of whether the GDPR applies to their online activities. This will be a complex and challenging decision, to be sure, and one that may shift over time as publishers’ activities evolve. We hope, however, that publishers will take seriously the extent to which U.S. and international law may provide an alternative to complying with an onerous new privacy law.
Kurt Wimmer is a partner with Covington & Burling LLP in Washington, D.C., where he chairs the firms’s Data Privacy and Cybersecurity practice. He also chairs The Media Institute’s First Amendment Advisory Council.