This is quite a slippery slope. If I host a website in one country, I do not necessarily care where people access my website from. It is not like I actively provide a service to them - they just use internet (decentralised network) to access it. What if I publish a newspaper here, someone takes it where the contents are illegal, am I accountable?
It's not about "hosting a website", it's about providing services.
If you provide services, like selling a newspaper, in the UK, you need to respect their laws, or you will suffer the legal implications of not doing so.
And regarding the accountability, it refers to the fact that imgur USED TO provide services in the UK:
> We have been clear that exiting the UK does not allow an organisation to avoid responsibility for any prior infringement of data protection law, and our investigation remains ongoing.
Companies providing services outside the UK can infringe all the UK laws they want, the UK doesn't care.
But as soon as you decide to provide services in the UK, you have to follow the law. And, as they explain in the article, if you break the law, stopping to provide services in the UK will not absolve you for your past wrongdoings.
The most obvious example of this is websites from the UK or Europe which operate any kind of gambling. [1] This may well be legal (based on licensing) in their jurisdiction, but they still need to restrict access to prevent US people from accessing the service or they will be breaching the US's gambling laws.
Likewise many US firm geofence access for EU residents out of fear of GDPR.
People hosting news sites have often had to geofence to prevent UK residents from accessing their site if they are hosting any kind of reporting of UK court cases that are under embargo or matters that are subject to one of the UK's famous "Super injunctions" [2]
[1] eg this guy was on the board of a listed UK company operating as far as they were concerned entirely legally who was arrested in NYC https://www.theguardian.com/business/2006/sep/14/gambling.mo...
[2] eg In the "Ryan Giggs" super injunction case https://en.wikipedia.org/wiki/2011_British_privacy_injunctio...
…and if the site has no UK assets, how enforceable is the injunction?
> We have been clear that exiting the UK does not allow an organisation to avoid responsibility for any prior infringement of data protection law
In that context it's completely fair to say "leaving doesn't absolve you of past transgressions".
Edit. If Imgur made any revenue from UK users then it becomes impossible to claim plausible deniability on any definition of "providing a service". If the UK can do something about this is a different matter. They could make CEOs/board personally or even criminally liable for the company's failure to pay a fine but probably won't.
UK legal imperialism is self centered and unrealistic and undermines speech the world over.
I’m not happy with extraterritorial assertions over internet services either, but you can’t wish them away with sophistry about “we’re not providing services to them!” if you’re happy to take their money and serve them a page in exchange. That’s the definition of a business providing a service to a customer.
But I think that distinction was pretty moot when web 2.0 came along.
Imgur's entire purpose is clearly to host user generated content though, so you can't argue it's not "providing services".
It’s completely absurd to say that some hobbyist would have nexus in the UK because they run a Google Adwords campaign to get some occasional pocket change from their project. Pre-Internet, it would be like going after a US magazine because someone brought home a copy from the US. Websites are not global entities by default, somehow responsible for obeying laws across nearly 200 national jurisdictions and many more state/provincial/local jurisdictions, across different languages and legal customs. Completely absurd! Who do you think you are to demand such a thing?
On the other hand, I think it would be perfectly fine to say that UK domiciled ad networks cannot put their ads on sites that violate some arbitrary standard. (An anti-freedom law to be sure, but at least it’s consistent with common international conventions.) This puts the onus on the ad network, rather than the site owner, who may not know or care who is visiting or from which country.
Mr Capel said: "We have been clear that exiting the UK does not allow an organisation to avoid responsibility for any prior infringement of data protection law, and our investigation remains ongoing."
When read in context, it's obvious the statement quoted in the HN conmment refers to only to accountability for "prior infringement", i.e., acts committed before withdrawing services in the UK
Well they will have to put up with it, as they have done over the past few decades. Or, alternatively, they can engage in aggressive China-style site blocking. Only the US has significant extraterritorial legal reach.
IMHO, this policy is a transparent effort to forcefully alter the content policy of US companies. It’s more about political influence than it is about “content safety” at home. (Unilateral site blocking, perhaps with an appeals process, would be a much more effective approach for this.) The UK will regret the consequences if they push too forcefully on this.
Not at all. Imgur does the passive side too. And by number of operations, it is by far the biggest one.
How about the fact Imgur just ceased service to millions of users from which they took no money?
If they breached laws and regulations then withdrawing their service from the country afterwards does not change anything regarding those breaches (investigation still ongoing, though).
- UK 2025
It's not comparable because the "crime" has been committed in the hosting country (where it's arguably not even a crime) and it's a bad example because there are many incidents of murderers fleeing to non-extradition countries.
Whatever you think of my example, it is exactly the same legal reasoning at play here. If you broke the law then withdrawing does not change that and accountability.
> It's not comparable because the "crime" has been committed in the hosting country
Obviously not, that's the whole point: They may (investigation ongoing) have breached UK law. So, to really labour the point, if you breach the law in one country then cutting links with that country afterwards does not change anything.
Now, to be a bit more substantive than this tedious bike-shedding, I think the UK are just trying to send a message here even if enforcement may be difficult. The EU could do the same with the GDPR since it is the same type of law (global reach and applicability).
USA (Kim dotcom)
Russia (Skripals)
China (Teng Bio)
Israel (Mordechai Vanunu)
Meaning that the servers were located in the UK, or that the users were, or both?
Why not just avoid travel to the US?
Whose laws need to be followed?
So you are entirely right any country can do that at any time. Most countries don't have a way to enforce it on you or your users.
Does it also count for people in the UK using a vpn? What about people in the UK paying using American money? It’s not clear, but it doesn’t really matter. These laws target the service providers, not the customers. If you website says “this product isn’t available to UK residents” and you IP block and don’t take GBP as a payment method, nobody will get too angry if a spattering of tech savvy people get around the block using a VPN.
I sell a advertising package from my US HQ based self serve advertising portal to a British company who use the service to advertise to customers in the UK. Ok - kinda UK revenue. How about 'To advertise to customers in the US' well it's getting highly debatable.
What about I sell advertising packages to a US company from my US HQ but someone in the UK views and advert on my site and therefore generates me 0.001¢ - debatable.
I don’t see it that way. US companies have an atrocious record wrt user privacy and security. The Europeans don’t want their citizens data being bought and sold by online providers. And that’s a reasonable demand! Either clean up your act or leave Europe & the UK. If US companies don’t want to obey UK laws, they can’t do business in the UK. It’s just like farmers can’t sell produce in the UK if they don’t meet British health standards.
Consider the inverse: imagine if another country ran a porn site which blatantly hosted underage content (CSAM). Under your view of the world, would the us govt be ethically entitled to tell the site to clean up its act or it’ll get blocked from the US? That sounds fine to me. I’d be shocked if they were even given a warning about that. But how do you square that circle? Wouldn’t that be a “transparent effort to forcefully alter the content policy of another country”?
This is also apples and oranges. Running credit cards involves knowing exactly where people are located. You do in a real sense “decide” to do business with people in a given country.
Not every website does that. Some just serve posts to all comers. Some allow people to upload an image. Deducing where those people are from is non trivial. When I blog something I’m not “deciding” in any meaningful sense to “serve” people in country X.
There was a period a couple hundred years ago when it was all the rage internationally to write constitutions. Lots of countries got constitutions within a few decades, and almost no constitutions have been written since then. I wonder sometimes how the internet would be different if it were implemented in an era or culture in which people believed in that sort of thing.
Yes, that would be fine, as it would be here.
What I have a problem with is nations saying that a site built and hosted in a totally different country with a different set of laws and norms is “illegal” globally. Yes, I don’t like it when the US goes after people like The Pirate Bay abroad either, but that’s a result of the US being able to bully other countries for whatever reason it wants to. (That also needs to change.)
If Europe or the UK wants to protect its citizens, it should either block websites that it sees as a threat (as most of the EU does with RT) or it should come up with a scheme where ad networks with nexus in the EU must stop doing business with them. Attempting to reach across borders into the US to change US domestic norms is going to get them a well-deserved slap in the face.
The ones where you reasonably believe your customers are based, and where your employees are based.
Lets be honest, 1% of your customer base using a VPN is not going to cause you issues, unless those people are uploading something that would cause the state to act (ie CSAM, fraud, drugs, terrorism, you know the big four.) Given that this is the ICO, and nor OFCOM, we know its to do with GDPR violations, not moderation.
its not like the ICO just sent an email saying "lol you're being fined, bye". They will have had a series of communications, warnings asking for reasonable changes, time lines for change.
The ICO has discovered that Imgur are breaking GDPR in a fairly big way and in a way that can be easily detected by an understaffed and over worked semi-independent organisation.
moreover breaking GDPR in a way that is obvious enough in a court of law[1], bearing in mind that the UK, just about has a working independent and largely neutral judiciary that isn't easily intimated into doing the governments whipping.
[1] the ICO doesn't tend to be showy.
The cases I listed the people were not in the country which performed the actions (dotcom in Nz but upset America, Skripal in UK but upset Russia, etc)
If you break Thai law and insult their king it’s generally good enough to simply not go to Thailand. Piss off the wrong country though and they will persue you to a third country even without extradition agreements
(Then there cases like Gary McKinnon where they try to extradite you and make your life hell even if they lose. He’d never been to America but they tried very hard to extradite him there)
If a country wants you, it will get you. If it wants to protect you, it will, if it is powerful enough. When an American killed Harry Dunn she fled and was protected by America.
If you are wanted in the Western world and the US wants you, you are likely to be got.
It could be written into blockchain to avoid this, as I hear that is quite popular nowadays.
And it also extends to countries with extradition treaties to the US; holiday in the the Dominican Republic? You can be arrested and extradited to the US (Gary Kaplan). And of course if you change planes in the US (David Carruthers)? Arrested. Only broke the laws of one US state, and you change planes in another? Arrested (Peter Dicks).
Although perhaps the real lesson there is to be better at avoiding the US.
That is in essence already in place just for CSAM. We just pretend the internet is a free for all in all other cases.
Not entirely sure what is debatable about this situation. You quite unambiguously derived revenue from a UK citizen here, although not much. If you didn’t want that revenue, then don’t display ads in the UK. If that makes serving traffic to the UK uneconomical, then don’t serve traffic to the UK, problem solved.
In practical terms, nobody’s give a crap about you making a couple of dollars here and there incidentally from UK citizens. It quite another matter when your business is clearly dependent on deriving revenue from UK citizens, and you take zero steps to try and comply with UK law.
It’s pretty simple, if you want the revenue, the you have to follow the law of the countries your deriving that revenue from. Don’t want to follow the law, then simply don’t try and derive revenue from putting adverts in front of citizens from that country, or by collecting and selling their data.
To be clear, you think the UKs data regulator, going after Imgur for not properly handling data collected from minors, which is a pretty big GDPR violation (a 7 year old law) is secretly about influencing US content policies?
I mean, maybe, but that one very convoluted approach. I’m not sure why the UK would be trying to use fines for the mishandling of data collected from minors, notably, nothing related to content on Imgur, to get Imgur to change its content policies.
It makes sense for treason to apply everywhere. If that were not the case Britain could not have executed Lord Haw-Haw given that he only sent broadcasts from Nazi Germany.
You have a level of plausible deniability there.
They're leaving and they're getting the fine. Implying if they didn't leave and implemented changes, that there is a chance they may not have been fined.
So what? Without the passively-read content there'd be no user-generated content.
> There's reactions and commenting as a core part of the service now.
It is totally optional.
also because I have to...
Telegram has entered the chat
But I didn't say "in the UK", I said "from UK users". If Imgur monetized anything coming from a user in the UK then they can no longer pretend they weren't offering a service. They knowingly used that data to make money, it wasn't that someone accessed the site and that was the end of it.
It's the difference between going in and out of a restaurant, compared to sitting down, checking out the menu, and eating then refusing to pay because the prices are ridiculous. The latter removes any pretense of deniability. If they disagreed with a ridiculous law they should have put in a modicum of effort to block the service in the UK from the start. Instead they made money for as long as they could and now pretend to stand up for the little guy and fight abuse.
Most of these jurisdictions can't actually do anything about it, but they can claim they will. The UK might actually be in this situation.
The law doesn’t require that they take any money, and you’re merely guessing they are. Weak
IMO the question is not if such services should be held accountable by local laws but how they should be held accountable. I think it would make more sense to go after the UK entities profiting from the endeavor: advertizers and financial institutions involved.