You are on page 1of 18

CONSUMER PRIVACY IN THE EU: WHO HAS JURISDICTION?

Hillary Musselman December 2009

Introduction I. EU Privacy Law II. EU Consumer Contract Law i. The Brussels Convention ii. Rome I iii. E-Commerce Directive III. Analysis i. Consumer Contract Law ii. The Public Interest Question iii. The Role of the Markets IV. Inspire Art V. Lessons from the US VI. Conclusion

Introduction In the last two decades the number of commercial transactions conducted electronically has increased dramatically. Consumers provide extensive personal information to retailers in order to make online purchases, and each transaction increases the risk that sensitive data will be end up in the hands of someone other than the party with whom a consumer is doing business.1 When personal information is combined with information retailers can collect related to product
1

Lynn Chuang Kramer, Private Eyes Are Watching You: Consumer Online Privacy Protection Lessons from Home and Abroad, 37 TEX. INT'L L.J. 387, 389 (2002)
1

preferences and information they can collect using cookies, retailers are able to create revealing profiles of individual consumers. These profiles are extremely valuable to marketers who use them to develop targeted advertising, but they may also be valuable to individuals, or governments, with more nefarious purposes. To protect consumers and promote the growth of e-commerce, many countries have enacted legislation placing specific restrictions on what information companies may collect and how they may use this data. The starting point for such legislation in Europe is the EU EPrivacy Directive. Member States must comply with its terms, but they are free to implement it into their laws as they see fit and may include requirements beyond those in the Directive. As a result, privacy laws vary from one Member State to another and companies attempting to craft policies applicable to each Member State face serious challenges. The E-commerce Directive of 2003 allows e-retailers to establish a base in one Member State and specify in their Privacy Policy/Terms of Service (TOS) that, in the event of a dispute, they are subject solely to the rules of that country.2 However, this may not be effective in protecting against claims for violations occurring beyond the scope of the TOS agreement. Questions remain as to whether the Data Protection Authority (DPA) of a Member State that requires higher levels of consumer protection could receive and address complaints from its citizens related to a company based in a Member State that requires lower levels of protection. The following analysis attempts to resolve this question by first considering how European law has addressed the issue of jurisdiction in consumer contracts. A websites privacy policy is, after all, a contract between consumer-users and website-businesses. If a choice of law provision is enforceable under European law consumers will only be able to bring suit in the

Council Directive 2003/31, 2000 O.J. (L 178) 1 (EC)


2

forum specified in the contract. If, however, the term is found invalid, consumers may have options as to where they will sue. If a Member State has jurisdiction to hear a contract claim that Member States DPA might also assert jurisdiction over related claims against website-businesses, even if the company is based in a Member State where privacy laws have not been violated, on the premise that it would be incongruous for a Member State to have jurisdiction to hear a contract claim but not to address related complaints. It follows that if the choice of law provisions in a TOS contract are valid then a country, other than the selected forum, may not hear issues arising under the contract and it should also not have jurisdiction to hear related claims. However, based on the Brussels Convention and Rome I, choice of law provisions in a TOS agreement are probably not valid as part of a consumer contract. Therefore, the question remains whether or not the DPA of a Member State, other than that in which a company is based, may hear claims for violations of that Member States privacy laws. The following attempts to answer to this question based on 1) a brief review of EU privacy law; 2) an assessment of EU Consumer Contract law and EU law regarding electronic transactions viewed in light of the overall purposes of the E-commerce Directive and the E-privacy Directive; and 3) ECJ case law that has addressed issues of choice of law and the effect of EU Directives on local laws. If a company is subject to unique privacy laws in each Member State where it has users, crafting privacy policies that protect consumers while also shielding the company from liability will become extremely difficult and there may be a chilling effect on information transfer and commerce. As this is the exact result that much EU legislation is meant to prevent, individual Member States DPAs should not have the authority to enforce claims of privacy violations by companies based in other Member States.

I. EU Privacy Law The European Parliament passed the EU Data Protective Directive3 (DP Directive) in 2002. This Directive creates specific obligations for any data controller,4 defined by Directive 95/46/EC as a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.5 The term personal data is broadly construed so as to include all information about a person.6 By the terms of the Directive, personally identifying information (PII) may only be collected for legitimate purposes and may not be collected without consent unless it is to perform on a contract, meet legal obligations, or protect an individuals vital interests.7 Additionally, PII may not be transferred to countries that do not provide comparable levels of protection and it may not be transferred without adequate security. Both civil and criminal penalties may be imposed for illegally using or handling information.8 The DP Directive grew out of the desire of EU leaders to ensure that differing levels of data protection between countries would not create an obstacle to commerce and harm the functioning of the European marketplace.9 It establishes the minimum protections that Member States must provide and requires each to have an independent data protection supervisory
3 4

Council Directive 2002/58, 2002 O.J. (L 201), 31 (EC) EU Approach to Internet Privacy (1p.6) 5 Council Directive 95/46, 1995 O.J. (L 281), 31 (EC) 6 Mark F. Kightlinger, Twilight of the Idols? EU Internet Privacy and the Post Enlightenmetn Paradigm, 14 Colum. J. Eur. L. 1, 10 (2008) 7 id. at 13 8 Rustad, E-Commerce: Challenges to Privacy, Integrity, and Security in a Borderless World: Circles of E-Consumer Trust: Old E-America V. New E-Europe, 16 MICH. ST. J. INT'L L. 183, 190 (2007) 9 Kramer, supra note 1, at 398
4

authority (DPSA) capable of conducting investigations into claims of violations.10 The Directive also requires DPSAs to identify and assess privacy risks 11 and issue sanctions for violations.12 Each Member State may, however, reserve for itself sole control over what information it will deem capable. . . of infringing freedoms or privacy13 and each is free to interpret the Directive in its implementing legislation as it sees fit, as long as it provides the minimum level of required protections.14 As a result, privacy laws in Europe vary from one nation to another. Germany, for example, is highly opposed to the government maintaining stores of personal data, an outgrowth of their experience during WWII. It has implemented some of the most extensive laws in Europe regulating what information the government and private companies may collect and what they may do with it.15 In contrast, Luxembourg has implemented the Directive with few additional requirements.16 Probably not coincidentally, both Amazon.com and eBay.com maintain their European headquarters there and specify in their privacy policies/TOS that they will be subject solely to the laws and jurisdiction of Luxembourg.

II. EU Consumer Contract Law i. The Brussels Convention

10 11

Kightlinger, supra note 6, at 13 id. at 22 12 INSTITUTE FOR INFORMATIONAL LAW, REGULATING SPAM DIRECTIVE 2002/58 AND BEYOND 51 (2004) 13 Kightlinger, supra note 6, at 9 14 INSTITUTE FOR INFORMATIONAL LAW, supra note 12, at 23 15 Kightlinger, supra note 6, at 13 16 Law on Protection of Persons with regard to the Processing of Personal Data, August 2, 2002, available at http://www.cnpd.lu/fr/legislation/legis_nationale/index.html
5

The Brussels Convention establishes the rules of international private law in the European Union. A drafting committee began working in 1959 to draft [a] convention on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters, and the enforcement of authentic instruments,17 with the goal of streamlining negotiations and facilitating transactions between members in accordance with the Treaty of Rome, which established the European Community.18 The committees proposed legislation was approved in 1966 and signed in 1968 by the original EC (now EU) Member States.19 The Convention specifies when Member States have jurisdiction to hear matters involving companies based in other Member States. In recent years there has been a shift in European courts to resolve questions of jurisdiction over companies according to the country of incorporation doctrine, which indicates that a company will be subject to the jurisdiction of the Member State in which it is domiciled.20 Amendment 60 of Brussels I (44/2001) provides that domicile is determined by the country where they have their statutory seat, central administration or principal place of business.21 Where contracts between equally sophisticated parties specify the forum in which disputes will be settled, courts readily uphold these provisions, where reasonable, as Brussels clearly indicates a preference for freedom to contract. In the case of consumer contracts, however, where the parties are not on equal footing due to information and power asymmetries, special protections are applied.22 Brussels Article 5
17 18

id. id. 19 Robert C. Reuland, The Recognition of Judgments in the European Community: The TwentyFifth Anniversary of the Brussels Convention, 14 Mich. J. Int'l L. 559, 563 (1993) 20 Benjamin Angelette, The Revolution that Never Came and the Revolution Coming- De Lasteyrie Du Salliant, Marks and Spencer, Sevic Systems, and the Changing Corporate Law in Eurpoe, 92 VA. L. REV. 1189, 1193 (2006) 21 Council Directive 44/2001, (2001) O.J. (L 12), 1 (EC). 22 Brussels Convention on Jurisdiction and the Enforcement of Judgments in Civil and Commercial Matters, art. 23, 1998 O.J. (C 27) 1 [hereinafter Brussels Convention]
6

states that a company may be sued in the place where it provides performance of a contract,23 and Article 15 states that a company may be sued in any place where it directs its services,24 provided the directed activity precedes the contract.25 Therefore, a company that advertises in a Member State, other than that in which it is incorporated, may be subject to the jurisdiction of the other Member State if a consumer responds to the advertisement and enters into a contract with the company, whether for goods or services. Article 17 specifically states that despite the terms of a contract, a consumer cannot be stripped of his right to sue at home.26 ii. Rome I The Rome Convention further defines the consumer protection laws established by the Brussels Convention. It was enacted to create standard rules regarding choice of law in contracts between parties in different EU Member States. Its provisions are largely consistent with those of Brussels and serve to clarify existing laws to further promote commerce and exchange between EU Member States.27 Like Brussels, Rome I largely supports freedom of contract between parties, but specifically states that consumers must be provided with additional protections. Article 53 of the Treaty of Rome provides that Member States shall not introduce any new restrictions on the right of establishment in their territories of nationals of other Member States, save as otherwise provided in this Treaty.28 Article 58 extends this freedom of establishment to corporations. Like Brussels, Rome I provides that choice of law provisions do not deprive a consumer of the protections of his home state if the contract comes after the company directed activities to
23 24

Brussels Convention art. 5 Brussels Convention art. 15 25 Brussels Convention art. 13 26 Brussels Convention art. 17 27 Convention on the Law Applicable to Contractual Obligations, 1998 O.J. (C 27) 34 [hereinafter Rome I] 28 Rome I art. 53
7

that Member State.29Additionally, Article 3 states that where consumer contracts are concerned, consumer protection laws of a receiving Member State may be applied even if they are stricter than the laws of the Member State of origin if it is in the public interest.30 Further, Article 8 allows a country to determine whether or not a contract is enforceable according to its own laws when the validity of the contract is at issue. Therefore, when a party claims that a contract as a whole is unfair as against the public interest a court may determine its enforceability according to its own laws irrespective of choice of law provisions provided in the contract. This dovetails on the 1993 Directive on Unfair Terms in a Consumer Contract, which provides that portions of a consumer contract may be eliminated where they were not negotiated or are unfair.31 These provisions are particularly important in determining how a court will consider the validity of the TOS contract. Such contracts are often referred to as click wrap contracts. Consumers are presented with a standard agreement that they may accept or reject. They have no ability to negotiate the terms. This power asymmetry is precisely why consumers are afforded additional protections by consumer contract law and why European courts are less likely to enforce one-sided choice-of-law or forum clauses in consumer transactions.32 These sections may provide a means by which a consumer can allege that a click wrap contract is unfair as a whole, and therefore invalid, and provide an additional avenue by which a foreign court may assert jurisdiction over a company. iii. E-Commerce Directive By the end of the 1990s the need for uniform guidelines to facilitate online transactions
29 30

Rome I art. 5 Rome I art. 3 31 David Naylor and Cyril Ritter, French Judgment Condemning AOL Illustrates Consumer Protection Issues Facing US Businesses Operating in Europe, 1 N.Y.U. J. L. & Bus. 881, 886 (2005) 32 Rustad, supra note 8, at 186
8

and commerce was widely recognized. In 1999 the Organization for Economic Cooperation and Development (OECD) established the Guidelines for Consumer Protection in the Context of Electronic Commerce, which called for consumers to receive the same protections in online transactions as they are afforded in in-person transactions. The guidelines also stated that companies should not exploit the characteristics of e-commerce and use unfair contracting practices in order to avoid consumer protections.33 The following year, the European Parliament passed Directive 2000/31, the E-Commerce Directive. Member States were required to pass implementing legislation by 2002 in order to promote, and ensure stability in international electronic commerce.34 The Directive is primarily concerned with the efficient functioning of internal markets and with online information services such as newspapers, internet sales, and professional and entertainment services.35 It establishes the rules regarding what information covered parties must provide and establishes limits on liability for intermediary service providers.36 The Directive explicitly provides that a company will only be subject to regulation in the country where information originates.37 This was intended to create certainty in transactions and allow companies to predict where they would be subject to jurisdiction to allow them to plan their corporate activities accordingly. Despite this provision, 2000/31 makes it clear that it is not intended to deprive consumers of the protections related to contracts afforded to them under Brussels and Rome. According to Article 3(4), even if the laws in the receiving Member State are stricter than those in the Member
33
34

Naylor, supra note 31, at 893 Norbert Reich and Axel Halfmeier, Electronic Commerce: Consumer Protection in the Global Village: Recent Developments in German and European Union Law, 106 Dick. L. Rev. 111, 131 (2001) 35 Reich, supra note 34 at 133 36 id. 37 Rustad, supra note 8, at 211
9

State of origin, national consumer protection rules may be applied insofar as they are justified by the public interest.38 Therefore, where a country has a substantial interest in enforcing its laws against a foreign company it may do so to protect consumers.

III. Analysis i. Consumer Contract Law The question that arises under Brussels and Rome I is what constitutes a directed activity, as both distinguish between passive consumers, who receive higher a higher level of protection, and active consumers, who receive a lower level of protection. Advertising that specifically targets citizens of a country is certainly directed activity, but, in the case of an electronic business, are domain names and server locations relevant? A .co.uk address clearly contemplates that a site will be accessed from the United Kingdom. Therefore, it seems reasonable to conclude that British courts should have jurisdiction to hear consumer claims against a company based on alleged breaches of the TOS regardless of choice of law provisions contained in the agreement. Server location is less likely to indicate that a company is targeting customers from a specific country. There may be a variety of reasons for using servers in a particular country, many of which have more to do with pricing than with customer service. Still, it seems that if a company has servers in a country they should not be surprised if that country attempts to assert jurisdiction over activities taking place on those servers. Although the court of a country may hear claims arising under the TOS contract when a merchant has specifically targeted the citizens of that country, whether through advertising, domain name, or server location, the same court may still not be able to hear related privacy claims not arising under the contract. These claims would be subject to the provisions of the E38

Reich, supra note 34, at 133


10

Commerce Directive, which applies the country of origin principle unless it is in the public interest to do otherwise.39 ii. The Public Interest Question Certainly privacy protection is in the public interest. However, when a company is not accused of violating the minimum protection standards established by the E-Privacy Directive or the minimum standards of the EU country in which it is incorporated, does the public really have much to gain by having more stringent protections enforced? EU citizens are still afforded essential protections, so can a company really be said to be acting against the public interest by not providing customers with the highest levels of protections required by a Member State? If the answer to these questions is yes, website-companies will need to either specifically tailor their practices to the policies of each individual Member State in which they operate or they will have to craft one policy that meets the requirements of the most restrictive country. Alternatively, to avoid having to comply with more stringent standards, a company may opt to not offer services in a particular country. This is exactly the effect that the E-Privacy Directive was enacted to prevent. iii. The Role of the Markets Market theory indicates that party choice is the best way to allocate authority unless there are conflicts with the public interest or negative externalities.40 In the case of TOS and privacy policy agreements between online businesses and consumers, informational asymmetries and privacy concerns indicate that government regulation may be needed to ensure fairness and protection for consumers, but this regulation exists in the form of the E-Privacy Directive and in the portions of the Brussels Convention, Rome I, and the E-Commerce Directive that provide
39 40

Reich, supra note 34, at 133 Horatia Muir Watt, Choice of Law in Integrated and Interconnected Economies: A Matter of Political Economy, presented at the Ius Commune Conference, 5 (November 28-29, 2002)
11

increased protections in the case of consumer contracts. Violations of the privacy laws of an individual Member State, which exist beyond what is required by the EU, simply do not constitute negative externalities so severe as to allow regulation to interfere with freedom of contract and the functioning of the electronic marketplace. iv. Conclusion Allowing claims for violations of Member State privacy laws to be heard by Member States other than those in which companies are incorporated would lead to uncertainty in corporate planning, which is what the E-Commerce Directive was enacted to eliminate. It seems likely that, because all EU companies must comply with the E-Privacy Directive, there is simply not a substantial public interest in allowing a Member State to enforce its stricter standards on a company based in another Member State, and, in fact, there is a public interest in not allowing such claims to be heard. Based on the overarching purposes of the E-Commerce Directive, the recognized importance of a well-functioning electronic marketplace, and the existence of the E-Privacy Directive, which ensures all EU citizens of specified privacy protections, Member State privacy claims should not be within the jurisdiction of a Member State other than the Member State in which a company is incorporated. This is consistent with the purposes for which the EU was created and may find support in recent ECJ case law.

IV. Inspire Art Inspire Art has been called one of the most important ECJ decisions in recent years.41 Although the case centers on a companys freedom of establishment, it addresses the ability of a
41

Inspire Art another landmark decision regarding the cross border transfer of the companys seat, http://www.lawforum-online.com/detail/dns.asp?dnID=45 (last updated 17 March 2004)
12

country to impose laws on foreign companies beyond those contained in directives. The Court ultimately decided that a Member State should not be able to enforce its own rules on companies established in countries with less rigid, but still EU Directive compliant, laws. Inspire Art, Ltd. was established as a British company, despite the fact that the company operated exclusively in the Netherlands. It was incorporated in the UK to take advantage of more favorable laws on corporate formation. To conduct business in the Netherlands, the company registered there as a formally foreign company,42 and, as a result, the Netherlands attempted to enforce against it the capitalization requirements of their Law on Formally Foreign Companies (WFBV).43 Inspire Art argued that by imposing these additional requirements, the Netherlands was interfering with its freedom of establishment as granted by 43 EC, which provides for the freedom of establishment for individuals, and 48 EC, which extends the same freedom to a company incorporated according to the laws of a Member State.44 The Dutch government argued that it was not denying the companys freedom to incorporate in another Member State and still be recognized in the Netherlands and that it was only enforcing other administrative requirements.45 The ECJ was not persuaded by this argument. The Court held that the additional requirements imposed on the foreign company were unenforceable as impediments to the freedom of establishment. It noted, in particular, that this held true even when a company was

42

Case C-167/01, Kamer van Koophandel en Fabrieken voor Amsterdam v Inspire Art Ltd., 2003 ECR I-10155 43 Id. at 1 44 Case C-167/01, supra note 42, at 5 45 id. at 17
13

incorporated in a particular country for the express purpose of avoiding the laws of another state.46 The ECJ found that it is contrary to Article 2 of the Eleventh Directive for national legislation such as the WFBV to impose on the branch of a company formed in accordance with the laws of another Member State disclosure obligations not provided for by that directive.47 Despite the fact that disclosure obligations are often viewed in light of the public interest and of the government interest in protecting citizens from unscrupulous corporate practices, the ECJ essentially found that the Eleventh Directive preempted the WFBV. The Directive established the minimum standards that all countries must abide by in order create uniformity in laws and promote a functioning European marketplace. When a country attempted to enforce obligations in excess of the Directive on a company incorporated in another jurisdiction, the ECJ would not allow it, despite the potential public interest in enforcement. Based on this, it is reasonable to conclude that the court would be equally unwilling to enforce especially stringent privacy laws of a country against a company not established there.

V. Lessons from the US The United States, as a nation founded on the principles of federalism, has been dealing with conflict of laws, choice of laws, and preemption issues for many years. In Bibb v. Navajo Freight Lines, the Supreme Court found that the mud-flap requirements Illinois imposed on truck companies impermissibly violated the Commerce Clause of the Constitution.48 If a truck company was required to comply with the more stringent requirements it would either have to bear the expense of making any truck that may enter Illinois compliant with its laws or it would
46 47

id. Case C-167/01, supra note 42, at 13 48 Bibb v. Navajo Freight Lines, 359 U.S. 520 (1959)
14

have to avoid the state entirely. The court found that this would have an impermissible chilling effect on commerce, and refused to uphold the law.49 Ensuring that one state is not able to enforce its laws on citizens of other states, including corporations, and ensuring that firms do not seek to avoid certain states with more stringent laws to the detriment of the national marketplace are primary concerns in preemption cases.50 In addition, US courts are increasingly willing to uphold choice of law provisions contained in contracts. 51 They were initially hesitant to uphold such provisions,52 as The Restatement First of Conflict of Laws applied the vested rights theory, which indicates that if multiple jurisdictions can hear a claim the jurisdiction in which rights vested will be allowed to hear the claim, that is, where the last act or event necessary to create a cause of action occurred. 53 However, the courts have recognized the desirability of enforcing contractual choice of law to deal with the problem of regulation by multiple states.54 The Restatement Second of Conflict of Laws, approved in 1969, specifies that a partys choice of law should prevail where there is a reasonable basis for the choice, it does not interfere with a fundamental policy of a state claimed to have jurisdiction, and that state does not have a materially greater interest in the issue than the chosen state.55 As commerce has expanded and changed to include transactions via electronic channels, courts have extended their willingness to accept choice of law provisions in contracts entered

49 50

id. Larry E. Ribstein, From Efficiency to Politics in Contractual Choice of Law, 37 Ga. L. Rev. 363, 393 (2003) 51 id. at 366 52 id. at 370 53 id. 54 id. at 393 55 id. at 373
15

into online or over the phone, even where the contract is between a business and a consumer.56 In cases involving Gateway 2000, Inc. courts found that a lack of bargaining between Gateway and consumers purchasing computers over the internet and the phone did not lead to invalid consumer contracts. They ruled that choice of law provisions would be maintained where they are not unreasonable.57 Because consumers have options when deciding which vendors to do business with and because it is not typically in the interest of a company to impose requirements on customers beyond what would typically be expected, the courts found a stronger interest in creating certainty in commerce as long as the terms of a contract are reasonable.58 Further, because a lack of established dispute resolution mechanisms reduces consumer confidence, the US legal system has attempted to create uniform laws related to e-commerce in order to create certainty and promote electronic transactions. 59 The Uniform Computer Information Transactions Act (UCITA) cites the increased costs of trying to adhere to the laws of multiple jurisdictions as a reason for applying the laws of a licensors state to conflicts that arise between parties, absent contractual choice of law provisions.60 UCITA was drafted between 1995 and 1999 in order to establish standard principles governing contracts entered into in the course of electronic transactions.61 The Act has been the subject of much criticism, and by 2004 only two states had adopted it,62 nonetheless, it indicates recognition of the need to establish standard

56 57

id. at 408 Borowiec v. Gateway 2000, Inc., 209 Ill. 2d 376 (Ill. 2004); Hill v. Gateway 200, Inc.,105 F.3d 1147 (7th Cir. 1997) 58 Ribstein, supra note 50, at 403 59 id. at 483 60 Ribstein, supra note 50, at 393 61 Pratik A. Shah, Berkeley Technology Law Journal Annual Review of Law and Technology: I, Intellectual Property: A. Copyright: 5. Preemption a) Contract enforceability: The Uniform Commercial Information Transactions Act, 15 Berkeley Tech. L.J. 85, 98 (2000) 62 Warren E. Agin and Scott N. Kumis, A Framework for Understanding Electronic Information Transactions, 15 Alb. L.J. Sci. & Tech. 277, 303 (2005)
16

laws governing e-commerce in order to facilitate the continued growth of the electronic marketplace. Were the EU to take a similar approach to preemption and choice of law questions, they would likely conclude that the court of a Member State, other than that chosen in a contract, would not have jurisdiction to hear a claim. Additionally, because of the overriding interest in promoting commerce by ensuring predictability and efficient corporate planning, courts would likely find that a Member State could not enforce its own more stringent laws on a foreign company acting in compliance with the laws of its home state and with EC Directives.

VI. Conclusion Most EC Directives and regulations have been enacted with the goal of harmonizing laws between Member States to support an efficient European marketplace. Over the last two decades the internet has played an increasingly important role in commerce, and the EU is now the second largest e-commerce market in the world.63 As a result, the EC has a strong interest in preventing and eliminating barriers to the flow of information or goods that would have a chilling effect on the electronic marketplace. Both the E-commerce Directive and the E-privacy Directive were enacted in recognition of this interest. Each clearly indicates that its purpose is to harmonize laws between European countries regarding transactions and transfers of information. However, because Member States remain free to implement the Directives into their laws as they see fit, there are still differences between the laws of each country. This raises a question as to when a country may enforce its own stricter laws against a company headquartered in another Member State that specifically
63

Lucille M. Ponte, Boosting Consumer Confidence in E-Business: Recommendations for Establishing Fair and Effective Dispute Resolution Programs for B2C Online Transactions, 12 Alb. L.J. Sci. & Tech. 441, 457 (2002)
17

provides in contracts with consumers that it will be subject solely to the jurisdiction of its home state. EU law related to consumer contracts and consumer protections makes it clear that a state may hear citizens claims arising under contracts entered into with foreign companies despite choice of law provisions. Although it seems logical that if a state can hear claims under a contract it should also be able to hear related claims not under the contract, to allow this would force companies to comply with the laws of any state in which their services may be used and would have a chilling effect on commerce. This is precisely the result the E-commerce Directive and the E-Privacy Directive sought to prevent. Therefore, a state should not have the authority to enforce laws in excess of those contemplated in a Directive on a company legally formed in another Member State, where there is not a public policy interest greater than the EUs interest in a functioning marketplace. Whether consumer privacy will be deemed a greater interest remains to be seen.

18