Before the EU General Data Protection Regulation was effective, we heard tales about how the GDPR covered every business and how even those not within the EU could be subject to fines up to 4% of annual turnover. Now, we are told the same about the California Consumer Privacy Act. These claims are too broad. This article addresses international law issues related to them. Let’s explore them using these hypotheticals:
- Joe runs a website out of his home in California, but the website targets only EU data subjects. He has no assets in the EU. He ignores most of the provisions of the GDPR and is issued a 20,000,000 euro fine under Article 83 by a data protection authority. The DPA seeks to collect the fine in the U.S.
- Jill lives in France and runs an English-only website that targets California residents. She doesn’t have any assets in the U.S. She doesn’t comply with any of the requirements of the CCPA. The California attorney general sues her, gets a judgment for a civil penalty of $6,000,000,000, and attempts to enforce the fine in the EU.
- The U.S. state of Southbridge passes a statute that bars transfers of data in or out of the state unless the other jurisdiction involved has a law with at least the same protections as Southbridge's.
The difference between prescriptive and enforcement jurisdiction
International jurisdiction was originally simple — a country’s jurisdiction ended at its borders. Over time, things got blurry. Actions outside the country had impacts inside or impacted nationals. Countries began to claim the right to regulate these “extraterritorial” actions. International law soon let countries regulate beyond their borders, and “prescriptive jurisdiction” was born.
While prescriptive jurisdiction expanded long ago, to this day, countries lack the practical and legal power to enter other countries to enforce laws or collect on judgments. “Enforcement jurisdiction” does not extend beyond national borders.
To fill the gap between prescriptive jurisdiction, which goes beyond borders, and enforcement jurisdiction, which doesn’t, international law relies on comity — countries recognize each other’s judgments. But like any rule, comity has exceptions.
One exception is the “revenue rule.” Under the rule, countries don’t enforce foreign taxes, fines or penalties. The test is whether the law is remedial or whether it compensates individuals. It’s important to understand that the revenue rule only applies to fines and penalties imposed by government entities — it doesn’t apply to lawsuits brought by individuals seeking compensation. Moreover, countries can enforce fines and penalties within their borders, so any assets that are in the other jurisdiction can be seized. That said, the revenue rule means that fine enforcement ends at the border.
Fines under the GDPR are penal. They are supposed to be proportionate, effective, and dissuasive. A different article allows for individual compensation. Therefore, a U.S. court wouldn’t enforce the fine imposed in the first hypothetical.
On the other hand, countries will enforce revenue laws if they’ve agreed to. If Joe had falsely said that he complied with the EU-U.S. Privacy Shield Framework, the U.S. Federal Trade Commission could issue an administrative complaint. The FTC has issued eight complaints since the Safe Harbor Framework began. These complaints often result in 20-year consent orders, which require monitoring; violations of the consent orders can result in fines of up to $41,484 per violation.
Hypothetical 2 is the same. The CCPA imposes administrative penalties. It’s important to understand that the revenue rule also applies to U.S. states. So it’s unlikely the judgment would be enforced — even if Jill lived in Nevada.
Jill may have some other arguments based on constitutional law and prescriptive jurisdiction.
Constitutional law and prescriptive jurisdiction
First, the Constitution gives Congress power to regulate commerce with foreign nations (the foreign commerce power) and among the states (the interstate commerce power). Federal commerce powers have a dormant aspect, which means that states can’t touch these matters even if Congress hasn’t legislated.
The federal foreign relations powers are based on the idea that the U.S. must “speak with one voice” in international affairs. The CCPA and other state statutes may be invalid to the extent that they conflict with these powers if applied outside the U.S. Hypothetical 3, involving a limit on international cross-border transfers, is likely to flunk the dormant foreign commerce test. Jill’s might, too.
Similar rules apply to state laws that reach across state lines instead of international borders. Most states presume that their laws don’t apply extraterritorially, in part to avoid collisions with the dormant commerce clauses, the due process clause, interstate comity, and a related idea called “horizontal federalism,”: the limits on powers of states with respect to other states.
These arguments are weaker if the law seeks to protect only state residents. But courts say that a state may not apply its statutes to commerce that takes place “wholly outside of the State's borders, whether or not the commerce has effects within the State.” Courts have rejected statutes on consumer lending, rights of publicity, corporate securities, advertising and internet pornography based on the doctrine.
The interstate commerce clause prevents economic “balkanization” of the states but leaves states some local autonomy. The internet and interstate data privacy laws present a test case. Like cross-border water rights or radio bandwidth, inconsistent state regulations may present serious conflicts that can’t or shouldn’t be solved by heckler’s veto. The law is messy, but the CCPA and the Southbridge statute in Hypothetical 3 could fail the test.
Second, there’s prescriptive jurisdiction. A 2009 International Bar Association study and Section 402 of The Restatement (Fourth) of the Foreign Relations Law of the US identify two principles that support cross-border privacy laws:
- Active personality: Countries may regulate the activities of their nationals that occur outside of their borders. Of course, a country usually lacks jurisdiction to enforce these laws against its expatriate nationals until they return home.
- Passive personality: Countries may regulate activities that occur outside of their borders if they harm their nationals.
While it’s tempting to look for overreach, it’s not always easy to find. The GDPR’s coverage, for example, is limited to controllers and processors in the context of an establishment in the EU or processing of data subject that is in the EU (passive personality) and requires additional territory-directed conduct. Recital 23 suggests that inadvertent, unintentional or incidental dealings with EU data subjects isn’t enough, which is typical language used to limit the territorial and passive personality principles.
The CCPA lacks such limits. Moreover, California isn’t a country. International law defines the rights of countries and not their local governments.
A foreign court could find that California lacks prescriptive jurisdiction to apply the CCPA outside of the U.S. A court might also apply California’s (or Chode’s) presumption against extraterritoriality to avoid reaching international law issues in the first place. If that’s true, Hypotheticals 2 and 3 result in the statutes going unenforced by foreign courts.
So, privacy pros, there are very good reasons to care about privacy laws, including those of other states and countries, but fear of cross-border fines isn’t at the top of the list. If you’ve certified compliance with Privacy Shield, you should comply. Individuals and classes of plaintiffs can sue. Not complying with the GDPR or other international data protection laws will make international deals tricky. Not caring about privacy will damage your company’s reputation. But don’t base your decisions on fear of huge fines unless you have assets where they could be imposed.
If you want to comment on this post, you need to login.