By Christopher Kuner
The law of the European Union has influenced the development of the Internet outside the EU’s borders. The details of this influence are too complex to go into here. But the following examples from just one Internet-related area, namely data protection and privacy law, suffice to illustrate the point:
Companies are aligning their privacy practices with the new EU General Data Protection Regulation (GDPR) that will come into force on 25 May 2018. As one news story puts it, global technology giants ‘are racing to store their data on the Continent as new laws and privacy concerns drive investment decisions’.
Independent data protection authorities (DPAs) of the EU Member States (such as ones in Germany and Spain) have investigated whether parties in third countries comply with EU law with regard to data transferred from the EU.
Judgments of the Court of Justice of the EU have led to international controversy, such as the Court’s 2014 Google Spain judgment in which it found that EU data protection law granted individuals a right to suppress search engine results in certain situations, even though the servers on which the search engine operated were based in California.
The EU asserts its regulatory power with regard to the Internet consciously and deliberately. This means that it seeks to have its own legal standards apply outside its borders, and asserts its regulatory authority towards activities in third countries that affect its interests and those of EU individuals. The global reach of EU law influences activity in almost every area relevant to the Internet, including not only data protection but also e-commerce, electronic contracting, Internet governance, and many others.
Why does the EU seek to influence the Internet? One reason is that it is obliged under the EU treaties to promote the values and principles of EU law such as democracy, the rule of law, human rights and fundamental freedoms, human dignity, equality, and solidarity.
But political factors have also proved significant. Both the EU and Europe in a wider sense are now faced with an increasing number of political, economic, and social crises. Regulation of the Internet has proved a vehicle through which the EU can assert itself on the world stage without having to take coordinated action geo-politically in a way that would exceed its current capabilities. By exerting its regulatory power over activities on the Internet, the EU has used its strengths in law and regulation, areas where it still is a superpower, to make its influence felt globally.
The ways in which the EU exercises its influence with regard to the Internet raise a number of questions. The EU increasingly asserts its values as universal, global standards for the Internet, but other countries are also likely to insist on reciprocity on the part of the EU with regard to their own legal requirements. For example, a growing number of countries allow data transfers to the EU only when it provides adequate protection based on their own standards. The EU should keep in mind that its own mechanisms for global influence may be used against it.
EU law focuses on the application of its norms to the Internet in a legal sense (e.g., the application of EU law to Internet-related activities, or the adoption by third countries of law based on EU models), rather than on an evaluation of whether the legal values that the EU seeks to export are upheld in practice. Taking data protection again as an example, the fact that EU data protection law has influenced the adoption of legislation around the world does not necessarily mean that this has led to a higher level of data protection on the Internet. In order for the application of EU law to be meaningful, the EU should put greater emphasis on whether it is implemented in practice.
Along with influence and power goes responsibility, which raises the question of whether the EU has responsibilities to third countries that adopt its standards. If EU law is to be the ‘gold standard for the world’ (as former Vice-President of the European Commission Viviane Reding stated in 2014 with regard to EU data protection law), then the EU has at least moral responsibility towards other countries that adopt it, particularly developing countries that may struggle to find the resources to build the regulatory apparatus that EU law requires. Such responsibility could be reflected in practice by measures such as, for example, assessing the impact of EU legislation on third countries, particularly developing countries, and providing information on EU legal developments of particular relevance to them via an Internet portal. Recognising such a responsibility is ultimately in the EU’s own interest, since it would provide additional incentives for other countries to adopt EU law.
The EU is faced with growing challenges as it asserts it regulatory power over the Internet. The fragmented governance structure of the Internet limits the EU’s ability to control it, since the Internet is accessible globally, and most of the infrastructure on which it runs, the organisations that maintain it, and the individuals that use it are located outside the EU. Moreover, as a global communications infrastructure the Internet is of interest to countries all over the world, which may exercise their own legal and regulatory power over it, thus leading to conflicts with EU law.
This means that the EU will have to confront an increasing number of challenges posed by the Internet, such as how to define the territorial scope of EU law to Internet-related activities, and how to deal with conflicts between EU law and the law and standards of other countries. The way in which the EU deals with these challenges will shape the Internet as an economic, social, and legal phenomenon in the coming years.