Google's flimsy defence shows how lawless the internet can be

Do not track
Should tech firms be able to decide which privacy laws to follow?

We can be awful hypocrites sometimes.

When the US demands to extradite British hackers, we get the placards out. "No way, USA!" we chant. But when the roles are reversed and a US firm says that if you want to sue it you need to sue it in the US, there's outrage.

Of course, it's a bit more complicated than that. The difference is power: in the first scenario you have the entire apparatus of the state apparently gearing up to crush an individual. In the second you have an enormously powerful corporation trying to crush what appears to be a perfectly legitimate lawsuit.

The internet may be global, but a lot of its leading lights are American - and that means a lot of it operates under American law, which is often much more relaxed about what corporations do than, say, UK or European law.

Google's no-UK argument is pure sophistry and accepting it in court would set a terrible precedent.

The terms and conditions we ignore when we sign up for those firms' services make it clear that they're based in the US: for example, the first line of Gmail's T&Cs says that the services are provided from 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States and notes that "the laws of California, USA... will apply to any disputes".

The problem, of course, is that the services being provided aren't in California.

They're wherever you happen to be - and if you don't happen to be in California then if your chosen Californian tech firm breaks every single one of its T&Cs, shoots your dog and gives you bubonic plague, unless you can take the firm through the Californian courts then those firms would argue that there isn't a single damn thing you can do about it.

If that were true it would mean that in most of the world, those firms are effectively beyond the law (not to mention beyond the reach of the taxman, which is a whole other box marked Pandora).

Power corrupts

Google's no-UK argument is pure sophistry and accepting it in court would set a terrible precedent.

Effectively it would mean that firms delivering services that run on UK devices using the personal data belonging to UK residents would have immunity from UK law regarding usage of personal data.

We don't have laws for a laugh.

That's nonsense: we don't exempt Amazon from the Distance Selling Regulations because its servers are in Seattle. Under the EU E-Commerce Directive, Member States - that's us - can override the country of origin principle ("We're in America! Screw you guys!") to protect consumers.

That's good, because tech firms are very good at choosing which laws they want to abide by. Yahoo famously claimed that adverts for Nazi memorabilia - something that's illegal in France - were protected by the US First Amendment when a French court ordered it to stop the ads and pay millions in fines: all that mattered was the law in the US.

A few years later, the same firm argued that a US organisation representing Chinese dissidents' families couldn't sue it in the US courts under a US statute because, er, all that mattered was the law in China.

We don't have laws for a laugh. We have them because corporations tend to misbehave - to be cavalier with our personal data, to invade our privacy, to act in anti-competitive ways.

When firms' stated policy is to go right up to "the creepy line" but not cross it, it's important that those firms aren't the ones who decide where the creepy line is.

That's not all, though. We also need to ensure that when corporations do misbehave, the fines hurt: the whole point, after all, is to ensure that a lesson has been learnt.

In the US, a privacy breach cost Google $22.5 million - arguably chicken feed for a firm doing fifty billion dollars a year, but still significant.

In the UK the maximum penalty the ICO can levy is half a million pounds, or around $780,000. Larry Page probably has that much in coins down the back of his sofa.

Still, maybe there is a silver lining to this particular cloud. If the case goes bad and the courts agree that Californian tech firms really are answerable only to God and the Californian courts, perhaps David Cameron will step up, show some backbone and do what he wants to do with all the other bad things on the internet: force ISPs to block them.

Carrie Marshall

Writer, broadcaster, musician and kitchen gadget obsessive Carrie Marshall (Twitter) has been writing about tech since 1998, contributing sage advice and odd opinions to all kinds of magazines and websites as well as writing more than a dozen books. Her memoir, Carrie Kills A Man, is on sale now. She is the singer in Glaswegian rock band HAVR.