U.S. Web Firms Told to Stick to EU Privacy Laws

The clash between American and European privacy cultures has been bubbling away for some time; witness regular battles with Google Street View, for starters. But now things have stepped up a level, with one senior European Union official making a broadside attack aimed at services such as Google and Facebook.

Off the back of last week’s concern about a new pan-European directive regulating the use of cookies, Viviane Reding, the EU’s commissioner for justice, has said companies like Facebook and Google cannot avoid complying with EU privacy law.

“Privacy standards for European citizens should apply independently of the area of the world in which their data is being processed,” she said. “To enforce the EU law, national privacy watchdogs shall be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers whose services target EU customers.”

The question of legal jurisdiction has long been a serious one for American Internet companies with a significant number of European users. The generally accepted line is that foreign companies that have a physical presence inside the EU — whether that’s an office or servers — are subject to European law; those outside are not. Facebook, Google and others deal regularly with lawmakers and police across the continent and comply with the law — though they do spend time lobbying against rules that they feel might hamper their business.

But some companies go so far as setting up their data centers just outside European Union territory (in countries such as Iceland) in order to serve customers there while avoiding EU jurisdiction.

Reding’s comments are the clearest sign that officials in Brussels don’t like that situation, but warning notes have been sounded before. She has previously said, for example, that any company that has a significant number of European users should be subject to the same rules as anyone inside the Union.

In particular, there’s a question around the so-called “right to be forgotten” — in which a user can demand that all information about them be removed from a particular service. It’s effectively the translation of a meatspace law into the virtual world, but some have voiced concerns about its application online. (Here is a great — and unofficial — post by Google privacy counsel Peter Fleischer discussing the issues).

There’s nothing unusual in being subject to local laws, of course. As well as federal law, American companies are subject to different laws in different states. Meanwhile, many companies that do business in China comply with far more pernicious local regulations.

So is it something to worry about? I’m still trying to understand what it is that drives so much concern about these privacy directives. Is it just a fundamental culture clash? America’s corporate, opt-out society versus Europe’s increasingly protective, opt-in approach? Or is there something more?