Download - Consumer Privacy in the EU
-
8/4/2019 Consumer Privacy in the EU
1/18
1
CONSUMER PRIVACY IN THE EU: WHO HAS JURISDICTION?Hillary Musselman
December 2009
Introduction
I. EU Privacy Law
II. EU Consumer Contract Law
i. The Brussels Conventionii. Rome I
iii. E-Commerce Directive
III. Analysisi. Consumer Contract Law
ii. The Public Interest Questioniii. The Role of the Markets
IV.Inspire Art
V. Lessons from the US
VI. Conclusion
Introduction
In the last two decades the number of commercial transactions conducted electronically
has increased dramatically. Consumers provide extensive personal information to retailers in
order to make online purchases, and each transaction increases the risk that sensitive data will be
end up in the hands of someone other than the party with whom a consumer is doing business.1
When personal information is combined with information retailers can collect related to product
1Lynn Chuang Kramer, Private Eyes Are Watching You: Consumer Online Privacy Protection -
Lessons from Home and Abroad, 37 TEX. INT'L L.J. 387, 389 (2002)
-
8/4/2019 Consumer Privacy in the EU
2/18
2
preferences and information they can collect using cookies, retailers are able to create revealing
profiles of individual consumers. These profiles are extremely valuable to marketers who use
them to develop targeted advertising, but they may also be valuable to individuals, or
governments, with more nefarious purposes.
To protect consumers and promote the growth of e-commerce, many countries have
enacted legislation placing specific restrictions on what information companies may collect and
how they may use this data. The starting point for such legislation in Europe is the EU E-
Privacy Directive. Member States must comply with its terms, but they are free to implement it
into their laws as they see fit and may include requirements beyond those in the Directive. As a
result, privacy laws vary from one Member State to another and companies attempting to craft
policies applicable to each Member State face serious challenges.
The E-commerce Directive of 2003 allows e-retailers to establish a base in one Member
State and specify in their Privacy Policy/Terms of Service (TOS) that, in the event of a dispute,
they are subject solely to the rules of that country.2
However, this may not be effective in
protecting against claims for violations occurring beyond the scope of the TOS agreement.
Questions remain as to whether the Data Protection Authority (DPA) of a Member State that
requires higher levels of consumer protection could receive and address complaints from its
citizens related to a company based in a Member State that requires lower levels of protection.
The following analysis attempts to resolve this question by first considering how
European law has addressed the issue of jurisdiction in consumer contracts. A websites privacy
policy is, after all, a contract between consumer-users and website-businesses. If a choice of law
provision is enforceable under European law consumers will only be able to bring suit in the
2 Council Directive 2003/31, 2000 O.J. (L 178) 1 (EC)
-
8/4/2019 Consumer Privacy in the EU
3/18
3
forum specified in the contract. If, however, the term is found invalid, consumers may have
options as to where they will sue.
If a Member State has jurisdiction to hear a contract claim that Member States DPA
might also assert jurisdiction over related claims against website-businesses, even if the company
is based in a Member State where privacy laws have not been violated, on the premise that it
would be incongruous for a Member State to have jurisdiction to hear a contract claim but not to
address related complaints. It follows that if the choice of law provisions in a TOS contract are
valid then a country, other than the selected forum, may not hear issues arising under the contract
and it should also not have jurisdiction to hear related claims. However, based on the Brussels
Convention and Rome I, choice of law provisions in a TOS agreement are probably not valid as
part of a consumer contract. Therefore, the question remains whether or not the DPA of a
Member State, other than that in which a company is based, may hear claims for violations of
that Member States privacy laws. The following attempts to answer to this question based on 1)
a brief review of EU privacy law; 2) an assessment of EU Consumer Contract law and EU law
regarding electronic transactions viewed in light of the overall purposes of the E-commerce
Directive and the E-privacy Directive; and 3) ECJ case law that has addressed issues of choice
of law and the effect of EU Directives on local laws.
If a company is subject to unique privacy laws in each Member State where it has users,
crafting privacy policies that protect consumers while also shielding the company from liability
will become extremely difficult and there may be a chilling effect on information transfer and
commerce. As this is the exact result that much EU legislation is meant to prevent, individual
Member States DPAs should not have the authority to enforce claims of privacy violations by
companies based in other Member States.
-
8/4/2019 Consumer Privacy in the EU
4/18
4
I. EU Privacy Law
The European Parliament passed the EU Data Protective Directive3 (DP Directive) in
2002. This Directive creates specific obligations for any data controller,4
defined by Directive
95/46/EC as a
natural or legal person, public authority, agency or any other body which alone orjointly with others determines the purposes and means of the processing of
personal data; where the purposes and means of processing are determined bynational or Community laws or regulations, the controller or the specific criteria
for his nomination may be designated by national or Community law.5
The term personal data is broadly construed so as to include all information about a person.6
By the terms of the Directive, personally identifying information (PII) may only be collected for
legitimate purposes and may not be collected without consent unless it is to perform on a
contract, meet legal obligations, or protect an individuals vital interests.7
Additionally, PII
may not be transferred to countries that do not provide comparable levels of protection and it
may not be transferred without adequate security. Both civil and criminal penalties may be
imposed for illegally using or handling information.8
The DP Directive grew out of the desire of EU leaders to ensure that differing levels of
data protection between countries would not create an obstacle to commerce and harm the
functioning of the European marketplace.9
It establishes the minimum protections that Member
States must provide and requires each to have an independent data protection supervisory
3Council Directive 2002/58, 2002 O.J. (L 201), 31 (EC)
4 EU Approach to Internet Privacy (1p.6)5 Council Directive 95/46, 1995 O.J. (L 281), 31 (EC)6Mark F. Kightlinger, Twilight of the Idols? EU Internet Privacy and the Post Enlightenmetn
Paradigm, 14 Colum. J. Eur. L. 1, 10 (2008)7id. at 13
8Rustad,E-Commerce: Challenges to Privacy, Integrity, and Security in a Borderless World:
Circles of E-Consumer Trust: Old E-America V. New E-Europe, 16 MICH. ST. J. INT'L L. 183, 190
(2007)9 Kramer,supra note 1, at 398
-
8/4/2019 Consumer Privacy in the EU
5/18
5
authority (DPSA) capable of conducting investigations into claims of violations.10
The Directive
also requires DPSAs to identify and assess privacy risks 11 and issue sanctions for violations.12
Each Member State may, however, reserve for itself sole control over what information it will
deem capable. . . of infringing freedoms or privacy13
and each is free to interpret the Directive
in its implementing legislation as it sees fit, as long as it provides the minimum level of required
protections.14
As a result, privacy laws in Europe vary from one nation to another. Germany, for
example, is highly opposed to the government maintaining stores of personal data, an outgrowth
of their experience during WWII. It has implemented some of the most extensive laws in Europe
regulating what information the government and private companies may collect and what they
may do with it.15
In contrast, Luxembourg has implemented the Directive with few additional
requirements.16
Probably not coincidentally, both Amazon.com and eBay.com maintain their
European headquarters there and specify in their privacy policies/TOS that they will be subject
solely to the laws and jurisdiction of Luxembourg.
II. EU Consumer Contract Law
i. The Brussels Convention
10Kightlinger, supra note 6, at 13
11id. at 2212
INSTITUTE FORINFORMATIONAL LAW, REGULATING SPAM DIRECTIVE 2002/58 AND BEYOND 51(2004)13
Kightlinger, supra note 6, at 914 INSTITUTE FORINFORMATIONAL LAW,supra note 12, at 2315
Kightlinger, supra note 6, at 1316
Law on Protection of Persons with regard to the Processing of Personal Data, August 2, 2002,
available at http://www.cnpd.lu/fr/legislation/legis_nationale/index.html
-
8/4/2019 Consumer Privacy in the EU
6/18
6
The Brussels Convention establishes the rules of international private law in the
European Union. A drafting committee began working in 1959 to draft [a] convention on
jurisdiction and the recognition and enforcement of judgments in civil and commercial matters,
and the enforcement of authentic instruments,17
with the goal of streamlining negotiations and
facilitating transactions between members in accordance with the Treaty of Rome, which
established the European Community.18
The committees proposed legislation was approved in
1966 and signed in 1968 by the original EC (now EU) Member States.19
The Convention specifies when Member States have jurisdiction to hear matters
involving companies based in other Member States. In recent years there has been a shift in
European courts to resolve questions of jurisdiction over companies according to the country of
incorporation doctrine, which indicates that a company will be subject to the jurisdiction of the
Member State in which it is domiciled.20
Amendment 60 of Brussels I (44/2001) provides that
domicile is determined by the country where they have their statutory seat, central
administration or principal place of business.21
Where contracts between equally sophisticated
parties specify the forum in which disputes will be settled, courts readily uphold these
provisions, where reasonable, as Brussels clearly indicates a preference for freedom to contract.
In the case of consumer contracts, however, where the parties are not on equal footing
due to information and power asymmetries, special protections are applied.22
Brussels Article 5
17id.
18id.19 Robert C. Reuland, The Recognition of Judgments in the European Community: The Twenty-
Fifth Anniversary of the Brussels Convention, 14 Mich. J. Int'l L. 559, 563 (1993)20
Benjamin Angelette, The Revolution that Never Came and the Revolution Coming- De
Lasteyrie Du Salliant, Marks and Spencer, Sevic Systems, and the Changing Corporate Law inEurpoe, 92 VA. L. REV. 1189, 1193 (2006)21
Council Directive 44/2001, (2001) O.J. (L 12), 1 (EC).22
Brussels Convention on Jurisdiction and the Enforcement of Judgments in Civil and
Commercial Matters, art. 23, 1998 O.J. (C 27) 1 [hereinafter Brussels Convention]
-
8/4/2019 Consumer Privacy in the EU
7/18
7
states that a company may be sued in the place where it provides performance of a contract,23
and Article 15 states that a company may be sued in any place where it directs its services,24
provided the directed activity precedes the contract.25
Therefore, a company that advertises in a
Member State, other than that in which it is incorporated, may be subject to the jurisdiction of
the other Member State if a consumer responds to the advertisement and enters into a contract
with the company, whether for goods or services. Article 17 specifically states that despite the
terms of a contract, a consumer cannot be stripped of his right to sue at home.26
ii. Rome I
The Rome Convention further defines the consumer protection laws established by the
Brussels Convention. It was enacted to create standard rules regarding choice of law in contracts
between parties in different EU Member States. Its provisions are largely consistent with those of
Brussels and serve to clarify existing laws to further promote commerce and exchange between
EU Member States.27
Like Brussels, Rome I largely supports freedom of contract between
parties, but specifically states that consumers must be provided with additional protections.
Article 53 of the Treaty of Rome provides that Member States shall not introduce any
new restrictions on the right of establishment in their territories of nationals of other Member
States, save as otherwise provided in this Treaty.28
Article 58 extends this freedom of
establishment to corporations.
Like Brussels, Rome I provides that choice of law provisions do not deprive a consumer
of the protections of his home state if the contract comes after the company directed activities to
23Brussels Convention art. 5
24Brussels Convention art. 15
25Brussels Convention art. 13
26 Brussels Convention art. 1727
Convention on the Law Applicable to Contractual Obligations, 1998 O.J. (C 27) 34[hereinafter Rome I]28 Rome I art. 53
-
8/4/2019 Consumer Privacy in the EU
8/18
8
that Member State.29
Additionally, Article 3 states that where consumer contracts are concerned,
consumer protection laws of a receiving Member State may be applied even if they are stricter
than the laws of the Member State of origin if it is in the public interest.30
Further, Article 8
allows a country to determine whether or not a contract is enforceable according to its own laws
when the validity of the contract is at issue. Therefore, when a party claims that a contract as a
whole is unfair as against the public interest a court may determine its enforceability according
to its own laws irrespective of choice of law provisions provided in the contract. This dovetails
on the 1993 Directive on Unfair Terms in a Consumer Contract, which provides that portions of
a consumer contract may be eliminated where they were not negotiated or are unfair.
31
These provisions are particularly important in determining how a court will consider the
validity of the TOS contract. Such contracts are often referred to as click wrap contracts.
Consumers are presented with a standard agreement that they may accept or reject. They have no
ability to negotiate the terms. This power asymmetry is precisely why consumers are afforded
additional protections by consumer contract law and why European courts are less likely to
enforce one-sided choice-of-law or forum clauses in consumer transactions.32 These sections
may provide a means by which a consumer can allege that a click wrap contract is unfair as a
whole, and therefore invalid, and provide an additional avenue by which a foreign court may
assert jurisdiction over a company.
iii. E-Commerce Directive
By the end of the 1990s the need for uniform guidelines to facilitate online transactions
29Rome I art. 5
30 Rome I art. 331
David Naylor and Cyril Ritter,French Judgment Condemning AOL Illustrates Consumer
Protection Issues Facing US Businesses Operating in Europe, 1 N.Y.U. J. L. & Bus. 881, 886(2005)32 Rustad,supra note 8, at 186
-
8/4/2019 Consumer Privacy in the EU
9/18
9
and commerce was widely recognized. In 1999 the Organization for Economic Cooperation and
Development (OECD) established the Guidelines for Consumer Protection in the Context of
Electronic Commerce, which called for consumers to receive the same protections in online
transactions as they are afforded in in-person transactions. The guidelines also stated that
companies should not exploit the characteristics of e-commerce and use unfair contracting
practices in order to avoid consumer protections.33
The following year, the European Parliament passed Directive 2000/31, the E-Commerce
Directive. Member States were required to pass implementing legislation by 2002 in order to
promote, and ensure stability in international electronic commerce.
34
The Directive is primarily concerned with the efficient functioning of internal markets and
with online information services such as newspapers, internet sales, and professional and
entertainment services.35
It establishes the rules regarding what information covered parties must
provide and establishes limits on liability for intermediary service providers.36
The Directive
explicitly provides that a company will only be subject to regulation in the country where
information originates.37 This was intended to create certainty in transactions and allow
companies to predict where they would be subject to jurisdiction to allow them to plan their
corporate activities accordingly.
Despite this provision, 2000/31 makes it clear that it is not intended to deprive consumers
of the protections related to contracts afforded to them under Brussels and Rome. According to
Article 3(4), even if the laws in the receiving Member State are stricter than those in the Member
33Naylor,supra note 31, at 893
34Norbert Reich and Axel Halfmeier,Electronic Commerce: Consumer Protection in the Global
Village: Recent Developments in German and European Union Law, 106 Dick. L. Rev. 111, 131(2001)35 Reich,supra note 34 at 13336
id.37
Rustad,supra note 8, at 211
-
8/4/2019 Consumer Privacy in the EU
10/18
10
State of origin, national consumer protection rules may be applied insofar as they are justified by
the public interest.38 Therefore, where a country has a substantial interest in enforcing its laws
against a foreign company it may do so to protect consumers.
III. Analysis
i. Consumer Contract Law
The question that arises under Brussels and Rome I is what constitutes a directed activity,
as both distinguish between passive consumers, who receive higher a higher level of protection,
and active consumers, who receive a lower level of protection. Advertising that specifically
targets citizens of a country is certainly directed activity, but, in the case of an electronic
business, are domain names and server locations relevant? A .co.uk address clearly
contemplates that a site will be accessed from the United Kingdom. Therefore, it seems
reasonable to conclude that British courts should have jurisdiction to hear consumer claims
against a company based on alleged breaches of the TOS regardless of choice of law provisions
contained in the agreement. Server location is less likely to indicate that a company is targeting
customers from a specific country. There may be a variety of reasons for using servers in a
particular country, many of which have more to do with pricing than with customer service. Still,
it seems that if a company has servers in a country they should not be surprised if that country
attempts to assert jurisdiction over activities taking place on those servers.
Although the court of a country may hear claims arising under the TOS contract when a
merchant has specifically targeted the citizens of that country, whether through advertising,
domain name, or server location, the same court may still not be able to hear related privacy
claims not arising under the contract. These claims would be subject to the provisions of the E-38 Reich,supra note 34, at 133
-
8/4/2019 Consumer Privacy in the EU
11/18
11
Commerce Directive, which applies the country of origin principle unless it is in the public
interest to do otherwise.39
ii. The Public Interest Question
Certainly privacy protection is in the public interest. However, when a company is not
accused of violating the minimum protection standards established by the E-Privacy Directive or
the minimum standards of the EU country in which it is incorporated, does the public really have
much to gain by having more stringent protections enforced? EU citizens are still afforded
essential protections, so can a company really be said to be acting against the public interest by
not providing customers with the highest levels of protections required by a Member State?
If the answer to these questions is yes, website-companies will need to either specifically
tailor their practices to the policies of each individual Member State in which they operate or
they will have to craft one policy that meets the requirements of the most restrictive country.
Alternatively, to avoid having to comply with more stringent standards, a company may opt to
not offer services in a particular country. This is exactly the effect that the E-Privacy Directive
was enacted to prevent.
iii. The Role of the Markets
Market theory indicates that party choice is the best way to allocate authority unless there
are conflicts with the public interest or negative externalities.40
In the case of TOS and privacy
policy agreements between online businesses and consumers, informational asymmetries and
privacy concerns indicate that government regulation may be needed to ensure fairness and
protection for consumers, but this regulation exists in the form of the E-Privacy Directive and in
the portions of the Brussels Convention, Rome I, and the E-Commerce Directive that provide
39Reich,supra note 34, at 133
40Horatia Muir Watt, Choice of Law in Integrated and Interconnected Economies: A Matter of
Political Economy, presented at the Ius Commune Conference, 5 (November 28-29, 2002)
-
8/4/2019 Consumer Privacy in the EU
12/18
12
increased protections in the case of consumer contracts. Violations of the privacy laws of an
individual Member State, which exist beyond what is required by the EU, simply do not
constitute negative externalities so severe as to allow regulation to interfere with freedom of
contract and the functioning of the electronic marketplace.
iv. Conclusion
Allowing claims for violations of Member State privacy laws to be heard by Member
States other than those in which companies are incorporated would lead to uncertainty in
corporate planning, which is what the E-Commerce Directive was enacted to eliminate. It seems
likely that, because all EU companies must comply with the E-Privacy Directive, there is simply
not a substantial public interest in allowing a Member State to enforce its stricter standards on a
company based in another Member State, and, in fact, there is a public interest in not allowing
such claims to be heard.
Based on the overarching purposes of the E-Commerce Directive, the recognized
importance of a well-functioning electronic marketplace, and the existence of the E-Privacy
Directive, which ensures all EU citizens of specified privacy protections, Member State privacy
claims should not be within the jurisdiction of a Member State other than the Member State in
which a company is incorporated. This is consistent with the purposes for which the EU was
created and may find support in recent ECJ case law.
IV.Inspire Art
Inspire Arthas been called one of the most important ECJ decisions in recent years.41
Although the case centers on a companys freedom of establishment, it addresses the ability of a
41Inspire Art another landmark decision regarding the cross border transfer of the companys
seat, http://www.lawforum-online.com/detail/dns.asp?dnID=45 (last updated 17 March 2004)
-
8/4/2019 Consumer Privacy in the EU
13/18
13
country to impose laws on foreign companies beyond those contained in directives. The Court
ultimately decided that a Member State should not be able to enforce its own rules on companies
established in countries with less rigid, but still EU Directive compliant, laws.
Inspire Art, Ltd. was established as a British company, despite the fact that the company
operated exclusively in the Netherlands. It was incorporated in the UK to take advantage of more
favorable laws on corporate formation. To conduct business in the Netherlands, the company
registered there as a formally foreign company,42
and, as a result, the Netherlands attempted to
enforce against it the capitalization requirements of their Law on Formally Foreign Companies
(WFBV).
43
Inspire Art argued that by imposing these additional requirements, the Netherlands was
interfering with its freedom of establishment as granted by 43 EC, which provides for the
freedom of establishment for individuals, and 48 EC, which extends the same freedom to a
company incorporated according to the laws of a Member State.44
The Dutch government argued
that it was not denying the companys freedom to incorporate in another Member State and still
be recognized in the Netherlands and that it was only enforcing other administrative
requirements.45
The ECJ was not persuaded by this argument. The Court held that the additional
requirements imposed on the foreign company were unenforceable as impediments to the
freedom of establishment. It noted, in particular, that this held true even when a company was
42Case C-167/01, Kamer van Koophandel en Fabrieken voor Amsterdam v Inspire Art Ltd., 2003
ECR I-1015543
Id. at 144
Case C-167/01,supra note 42, at545id. at 17
-
8/4/2019 Consumer Privacy in the EU
14/18
14
incorporated in a particular country for the express purpose of avoiding the laws of another
state.46
The ECJ found that it is contrary to Article 2 of the Eleventh Directive for national
legislation such as the WFBV to impose on the branch of a company formed in accordance with
the laws of another Member State disclosure obligations not provided for by that directive.47
Despite the fact that disclosure obligations are often viewed in light of the public interest
and of the government interest in protecting citizens from unscrupulous corporate practices, the
ECJ essentially found that the Eleventh Directive preempted the WFBV. The Directive
established the minimum standards that all countries must abide by in order create uniformity in
laws and promote a functioning European marketplace. When a country attempted to enforce
obligations in excess of the Directive on a company incorporated in another jurisdiction, the ECJ
would not allow it, despite the potential public interest in enforcement. Based on this, it is
reasonable to conclude that the court would be equally unwilling to enforce especially stringent
privacy laws of a country against a company not established there.
V. Lessons from the US
The United States, as a nation founded on the principles of federalism, has been dealing
with conflict of laws, choice of laws, and preemption issues for many years. InBibb v. Navajo
Freight Lines, the Supreme Court found that the mud-flap requirements Illinois imposed on truck
companies impermissibly violated the Commerce Clause of the Constitution.48 If a truck
company was required to comply with the more stringent requirements it would either have to
bear the expense of making any truck that may enter Illinois compliant with its laws or it would
46id.
47Case C-167/01,supra note 42, at 13
48 Bibb v. Navajo Freight Lines, 359 U.S. 520 (1959)
-
8/4/2019 Consumer Privacy in the EU
15/18
15
have to avoid the state entirely. The court found that this would have an impermissible chilling
effect on commerce, and refused to uphold the law.49 Ensuring that one state is not able to
enforce its laws on citizens of other states, including corporations, and ensuring that firms do not
seek to avoid certain states with more stringent laws to the detriment of the national marketplace
are primary concerns in preemption cases.50
In addition, US courts are increasingly willing to uphold choice of law provisions
contained in contracts.51
They were initially hesitant to uphold such provisions,52
as The
Restatement First of Conflict of Laws applied the vested rights theory, which indicates that if
multiple jurisdictions can hear a claim the jurisdiction in which rights vested will be allowed to
hear the claim, that is, where the last act or event necessary to create a cause of action
occurred.53
However, the courts have recognized the desirability of enforcing contractual
choice of law to deal with the problem of regulation by multiple states.54
The Restatement
Second of Conflict of Laws, approved in 1969, specifies that a partys choice of law should
prevail where there is a reasonable basis for the choice, it does not interfere with a
fundamental policy of a state claimed to have jurisdiction, and that state does not have a
materially greater interest in the issue than the chosen state.55
As commerce has expanded and changed to include transactions via electronic channels,
courts have extended their willingness to accept choice of law provisions in contracts entered
49id.50
Larry E. Ribstein, From Efficiency to Politics in Contractual Choice of Law, 37 Ga. L. Rev. 363,393 (2003)51id. at 36652
id. at 37053
id.54
id. at 39355id. at 373
-
8/4/2019 Consumer Privacy in the EU
16/18
16
into online or over the phone, even where the contract is between a business and a consumer.56
In
cases involving Gateway 2000, Inc. courts found that a lack of bargaining between Gateway and
consumers purchasing computers over the internet and the phone did not lead to invalid
consumer contracts. They ruled that choice of law provisions would be maintained where they
are not unreasonable.57 Because consumers have options when deciding which vendors to do
business with and because it is not typically in the interest of a company to impose requirements
on customers beyond what would typically be expected, the courts found a stronger interest in
creating certainty in commerce as long as the terms of a contract are reasonable.58
Further, because a lack of established dispute resolution mechanisms reduces consumer
confidence, the US legal system has attempted to create uniform laws related to e-commerce in
order to create certainty and promote electronic transactions.59
The Uniform Computer
Information Transactions Act (UCITA) cites the increased costs of trying to adhere to the laws of
multiple jurisdictions as a reason for applying the laws of a licensors state to conflicts that arise
between parties, absent contractual choice of law provisions.60
UCITA was drafted between 1995
and 1999 in order to establish standard principles governing contracts entered into in the course
of electronic transactions.61
The Act has been the subject of much criticism, and by 2004 only
two states had adopted it,62
nonetheless, it indicates recognition of the need to establish standard
56id. at 408
57Borowiec v. Gateway 2000, Inc., 209 Ill. 2d 376 (Ill. 2004); Hill v. Gateway 200, Inc.,105
F.3d 1147 (7th
Cir. 1997)58Ribstein, supra note 50, at 40359
id. at 48360
Ribstein,supra note 50, at 39361
Pratik A. Shah,Berkeley Technology Law Journal Annual Review of Law and Technology: I,
Intellectual Property: A. Copyright: 5. Preemption a) Contract enforceability: The Uniform
Commercial Information Transactions Act, 15 Berkeley Tech. L.J. 85, 98 (2000)62
Warren E. Agin and Scott N. Kumis, A Framework for Understanding Electronic InformationTransactions, 15 Alb. L.J. Sci. & Tech. 277, 303 (2005)
-
8/4/2019 Consumer Privacy in the EU
17/18
17
laws governing e-commerce in order to facilitate the continued growth of the electronic
marketplace.
Were the EU to take a similar approach to preemption and choice of law questions, they
would likely conclude that the court of a Member State, other than that chosen in a contract,
would not have jurisdiction to hear a claim. Additionally, because of the overriding interest in
promoting commerce by ensuring predictability and efficient corporate planning, courts would
likely find that a Member State could not enforce its own more stringent laws on a foreign
company acting in compliance with the laws of its home state and with EC Directives.
VI. Conclusion
Most EC Directives and regulations have been enacted with the goal of harmonizing laws
between Member States to support an efficient European marketplace. Over the last two decades
the internet has played an increasingly important role in commerce, and the EU is now the
second largest e-commerce market in the world.63
As a result, the EC has a strong interest in
preventing and eliminating barriers to the flow of information or goods that would have a
chilling effect on the electronic marketplace.
Both the E-commerce Directive and the E-privacy Directive were enacted in recognition
of this interest. Each clearly indicates that its purpose is to harmonize laws between European
countries regarding transactions and transfers of information. However, because Member States
remain free to implement the Directives into their laws as they see fit, there are still differences
between the laws of each country. This raises a question as to when a country may enforce its
own stricter laws against a company headquartered in another Member State that specifically
63Lucille M. Ponte,Boosting Consumer Confidence in E-Business: Recommendations for
Establishing Fair and Effective Dispute Resolution Programs for B2C Online Transactions, 12
Alb. L.J. Sci. & Tech. 441, 457 (2002)
-
8/4/2019 Consumer Privacy in the EU
18/18
18
provides in contracts with consumers that it will be subject solely to the jurisdiction of its home
state.
EU law related to consumer contracts and consumer protections makes it clear that a state
may hear citizens claims arising under contracts entered into with foreign companies despite
choice of law provisions. Although it seems logical that if a state can hear claims under a
contract it should also be able to hear related claims not under the contract, to allow this would
force companies to comply with the laws of any state in which their services may be used and
would have a chilling effect on commerce. This is precisely the result the E-commerce Directive
and the E-Privacy Directive sought to prevent. Therefore, a state should not have the authority to
enforce laws in excess of those contemplated in a Directive on a company legally formed in
another Member State, where there is not a public policy interest greater than the EUs interest in
a functioning marketplace. Whether consumer privacy will be deemed a greater interest remains
to be seen.