Scott Hanselman interviewed attorney Gary Nissenbaum in show #647 of Hanselminutes. The title was “How GDPR is effecting the American Legal System.”
Can Europe pass laws constraining American citizens? Didn’t we settle that question in 1776, or at least by 1783? And yet it is inevitable that European law effects Americans. And in fact Nissembaum argues that every country has the potential to pass internet regulation effecting citizens of every other country in the world.
Hanselman: Doesn’t that imply that we can’t win? There’s two hundred and something plus countries in the world and if any European decides to swing by a website in Djibouti now they’re going to be subject to laws of Europe?
Nissenbaum: I’ll double down on that. It implies that any country that has users of the internet can create a more stringent law than even the Europeans, and then on the basis of that being the preeminent regulatory body of the world, because it’s a race to who can be the most restrictive. Because the most restrictive is what everyone needs to comply with.
So if Tanzania decides that it is going to be the most restrictive country in terms of the laws … that relate to internet use of their citizens, theoretically, all websites around the world have to be concerned about that because there are users that could be accessing their website from Tanzania and they wouldn’t even know it.
Will the “world wide web” someday not be worldwide at all? There has been speculation, for example, that we’ll eventually have at least two webs, one Chinese and one non-Chinese. The web could tear into a lot more pieces than that.
As Nissenbaum says toward the end of the podcast
If anyone assumes there’s a simple way of handling this, they’re probably wrong. It is complicated, and you just have to live with that, because that’s the world we’re in.
The idea that it’s a global race to the bottom, or that any country can set rules that affect a large portion of the Internet, is itself an overly simple way of thinking about complicated dynamics of politics and jurisdiction.
There are essentially three polities that can set wide-ranging rules for the Internet: the US, the EU, and China. Russia, India, Japan, and others would all like to, but simply do not have the clout to enforce their rules on foreign web sites. Only the first three control enough commerce to pull it off.
For any law like this it is up to the websites to decide if worth continuing serving webpages to a people within the given jurisdiction. Either make a compliant version of the site or restrict visits. Google does not need to drop searches about “Tiananmen Square” from anywhere just because China does not want to see them.
There is a similar effect in things like the Restriction of Hazardous Substances Directive (RoHS). A manufacturer outside the EU is free to put as much lead and cadmium in their products as they want, unless they feel that the exporting to the EU is worth it.
@Michael, you may be right. It’s interesting to say that a US citizen has to obey the laws of some foreign countries and not others, that we must respect laws coming out of Brussels but can safely ignore those coming out of Tokyo, but that may be the reality.
@Sam: I agree that companies can choose not to serve pages to certain countries. Many small businesses have chosen just that because the GDPR is disproportionately burdensome on small businesses. But what do you do about EU citizens visiting your site from outside the EU, say while on vacation in Switzerland? I wouldn’t think that EU law should apply in that case, but the EU would disagree with me.
Most non-EU citizens, especially in personal life, can ignore the rules coming out of Brussels just as much as they can ignore rules coming out of Tokyo. Businesses are more likely to run afoul of the rules, but there is usually a recognition — like Recital 23 of GDPR — that companies who intend to not do business with the citizens of a country/the EU need not comply with all the laws of that country or the EU.
Obviously, private citizens will be affected by such laws through their dealings with companies that must comply with the roles, but in practice they do not need to worry about whether laws of countries that they do not directly deal with.