
Yahoo! protects user privacy — and gets fined?

In March of this year, a Belgian court entered judgment in a criminal case against Yahoo! and fined the company for refusing to hand over user data to Belgian law enforcement authorities under Belgian law.

The catch? Yahoo! has no subsidiary, employees or localized website in Belgium. The request — sent via email by a Belgian prosecutor to Yahoo!’s U.S. offices — was for user data held in the U.S. and associated with Yahoo! Mail accounts. Yahoo! Mail users sign up for this service under an agreement governed by U.S. law. The prosecutor did not allege that the specific Mail accounts were actually used by Belgian residents. Instead, the prosecutor’s sole theory for jurisdiction over Yahoo! Inc., and user data held by the company in the U.S., seems to be that Belgian residents can access Yahoo! services through the global Internet.

The court agreed: It found that the availability of Yahoo! Mail to Belgian residents, combined with what it believed to be the use of Mail in connection with criminal purposes within Belgium, was sufficient to find that Yahoo! Inc. has a commercial presence in Belgium. Therefore, Yahoo! was subject to Belgian laws, and thus in violation of a telecommunications statute that compelled disclosure of the requested data.

The implications of this ruling are profound and far-reaching. Following the court’s logic would subject user data associated with any service generally available online to the jurisdiction of all countries. It would also subject all companies that offer services generally available on the global Internet to the laws of all jurisdictions, potentially exposing individual employees to a variety of criminal sanctions.

The U.S. government should be paying close attention here: To understand how problematic this ruling is, we need only imagine how the governments of China, Iran, Vietnam or any other repressive regime of your choice may decide that the precedent set here is one well worth following. Such actions undermine Belgium’s moral authority since, after all, it would be hypocritical for Western democracies to criticize such radically overbroad assertions of jurisdiction by other nations.

In addition, it is important to note that the U.S. and Belgium have a Mutual Legal Assistance Treaty (MLAT) in place, which allows Belgian law enforcement authorities to request production of this user data through diplomatic channels. Belgian authorities have refused to pursue this option, despite outreach from the Department of Justice and Yahoo! to facilitate the process. This disregard for treaty agreements, carefully negotiated between states, undermines such legitimate law enforcement cooperation efforts. If a court in Belgium or any other state is able to assert jurisdiction over user information or U.S. companies and citizens themselves based merely on web presence and availability of a service in that state, then why bother with an MLAT at all?

Companies should be paying close attention here, too: it isn’t difficult to imagine how lax jurisdictional requirements on the global Internet could invite all sorts of abuse. Competitors, governments, or other bad actors could concoct weak legal claims under local law to get a hold of proprietary information or trade secrets; nothing seems to limit this possibility under the Belgian prosecutor’s theory.

Yahoo! has caught a lot of flak over the past few years about how the company and its affiliates should protect user data when a government demands it. Importantly, this firestorm of public criticism has pushed Yahoo! to think about corporate responsibility more critically, particularly in markets where rule of law is weak and suppression of dissent online is common: what responsibility do Internet companies owe to their users, whose human rights and basic freedoms may be put at risk if user data is handed over to authorities? In response, Yahoo! has committed to implementing certain policies about how it responds to government requests, including a requirement that requests must come through appropriate and official channels.

In the present case, Yahoo! has done right by its users. The company asked law enforcement officials to follow established diplomatic and legal processes in order to gain access to user information. It also enlisted the support of its home government to facilitate the process. In return, Belgian authorities have flouted an existing MLAT agreement, slapped Yahoo! with a fine, and set a dangerous precedent that potentially imperils the privacy of all Internet users and invites abuse by bad actors.

Yahoo! is currently appealing this decision. Let’s file this one under: no good deed goes unpunished.