Yahoo! protects user privacy — and gets fined?
July 11th, 2009 by Cynthia Wong
In March of this year, a Belgian court entered judgment in a criminal case against Yahoo! and fined the company for refusing to hand over user data to Belgian law enforcement authorities under Belgian law.
The catch? Yahoo! has no subsidiary, employees or localized website in Belgium. The request — sent via email by a Belgian prosecutor to Yahoo!’s U.S. offices — was for user data held in the U.S. and associated with Yahoo! Mail accounts. Yahoo! Mail users sign up for this service under an agreement governed by U.S. law. The prosecutor did not allege that the specific Mail accounts were actually used by Belgian residents. Instead, the prosecutor’s sole theory for jurisdiction over Yahoo! Inc., and user data held by the company in the U.S., seems to be that Belgian residents can access Yahoo! services through the global Internet.
The court agreed: It found that the availability of Yahoo! Mail to Belgian residents, combined with what it believed to be the use of Mail in connection with criminal purposes within Belgium, was sufficient to find that Yahoo! Inc. has a commercial presence in Belgium. Therefore, Yahoo! was subject to Belgian laws, and thus in violation of a telecommunications statute that compelled disclosure of the requested data.
The implications of this ruling are profound and far-reaching. Following the court’s logic would subject user data associated with any service generally available online to the jurisdiction of all countries. It would also subject all companies that offer services generally available on the global Internet to the laws of all jurisdictions, potentially exposing individual employees to a variety of criminal sanctions.
The U.S. government should be paying close attention here: To understand how problematic this ruling is, we need only imagine how the governments of China, Iran, Vietnam or other repressive regime of your choice may decide that the precedent set here is one well worth following. Such actions undermine Belgium’s moral authority since, after all, it would only be hypocritical for Western democracies to criticize such radically overbroad assertions of jurisdiction by other nations.
In addition, it is important to note that the U.S. and Belgium have a Mutual Legal Assistance Treaty (MLAT) in place, which allows Belgian law enforcement authorities to request production of this user data through diplomatic channels. Belgian authorities have refused to pursue this option, despite outreach from the Department of Justice and Yahoo! to facilitate the process. This disregard for treaty agreements, carefully negotiated between states, undermines such legitimate law enforcement cooperation efforts. If a court in Belgium or any other state is able to assert jurisdiction over user information or U.S. companies and citizens themselves based merely on web presence and availability of a service in that state, then why bother with an MLAT at all?
Companies should be paying close attention here, too: it isn’t difficult to imagine how lax jurisdictional requirements on the global Internet could invite all sorts of abuse. Competitors, governments, or other bad actors could concoct weak legal claims under local law to get a hold of proprietary information or trade secrets; nothing seems to limit this possibility under the Belgian prosecutor’s theory.
Yahoo! has caught a lot of flak over the past few years about how the company and its affiliates should protect user data when a government demands it. Importantly, this firestorm of public criticism has pushed Yahoo! to think about corporate responsibility more critically, particularly in markets where rule of law is weak and suppression of dissent online is common: what responsibility do Internet companies owe to their users, whose human rights and basic freedoms may be put at risk if user data is handed over to authorities? In response, Yahoo! has committed to implementing certain policies about how it responds to government requests, including a requirement that requests must come through appropriate and official channels.
In the present case, Yahoo! has done right by its users. The company asked law enforcement officials to follow established diplomatic and legal processes in order to gain access to user information. It also enlisted the support of its home government to facilitate the process. In return, Belgian authorities have flouted an existing MLAT agreement, slapped Yahoo! with a fine, and set a dangerous precedent that potentially imperils the privacy of all Internet users and invites abuse by bad actors.
Yahoo! is currently appealing this decision. Let’s file this one under: no good deed goes unpunished.
This entry was posted on Saturday, July 11th, 2009 at 4:15 pm and is filed under CDT, International. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
July 13th, 2009 at 10:44 am
It just beggers belief that the court has ruled this way in my opinion. How on earth is Yahoo subject to Belgian laws? So that means that any company with any online service is subject to Belgian laws does it? I honestly can’t see this case standing up when it gets to the appeals court.
July 17th, 2009 at 8:57 am
[...] would apply everywhere else. That’s why it’s quite worrisome to find out that Belgium is trying to fine Yahoo for protecting its users’ privacy and refusing to hand over user data to Belgian officials. Yahoo noted, accurately, that it does not [...]
July 18th, 2009 at 1:45 pm
Outrageous? Why is Belgium acting almost 1% as badly the U.S.A.?
Seriously, while the article is correct, and I agree with it, the problem is for the U.S.A to criticize such things, the USA has NO moral authority itself. When it comes to violating international rules of justice, the U.S.A. leads they way – which is why the U.S.A. is considered the greatest pariah among western nations. I don’t mean to simply slag the U.S.A. in general, it is a great country filled with great people, and many of my personal friends, and family – BUT – while on this topic – the international record of the U.S.A. itself has to be examined.
The U.S.A. prosecuted a Canadian for doing business with Cuba, even though all such business was conducted through a Canadian company. When a freak like Jesse Helms can not only get elected but the pass something as absurd as Helms-Burton bill through congress and into law, it’s quite hypocritical to get so excited about an improper simple judicial business request from another country.
Other somewhat related international law examples:
The U.S.A. weasled its way out of the international criminal court because it knew that joining would lead to all sorts of rightful prosecutions of itself.
The U.S.A. violated its own laws against torture, and still is not prosecuting those leaders for war crimes.
International renditions to escape other laws? Indefinite detentions without trial?
Perhaps this is a case of the extremely dark and burned and disgraced pot, realising is has no business calling the kettle black, until it dramatically cleans itself up first.
Sadly, my own country Canada has also lost a lot of moral authority in the last few years. If I am going to point a finger, it is only fair to point some back at us. One example – our idiot conservative government announced last year that it would no longer lobby against the death penalty for Canadian citizens facing such punishment, in a proper democratic country with “proper” judicial processes. Whether or not you agree with the death penalty – the double standard shows just what idiots and hypocrites our government is. Now they are trying to convince the Saudi’s not to execute Canadian and of course, the Saudi’s obvious indignant response is…. well you can figure that out…..
July 18th, 2009 at 7:11 pm
in this case i agree with buildgem the us govmernt has abused its power on the international stage to long and need to be put in its right place the us goverment is courpt
im a us citizen yet in many ways i trust the chinise goverment more then the us one
July 19th, 2009 at 12:58 am
[...] why it’s quite worrisome to find out that Belgium is trying to fine Yahoo for protecting its users’ privacy and refusing to hand over user data to Belgian officials. Yahoo noted, accurately, that it does not [...]
July 19th, 2009 at 11:50 am
There is only one word for this. Absolutely idiotic.
July 19th, 2009 at 1:15 pm
The US has been doing exactly this for years. Personally, I applaud Belgium for this.