Beyond National Jurisdiction: Cyberspace

Cyberspace

Cyberspace is the virtual environment in which computers interact with other computers. 

Many functions of modern-day society are heavily reliant on cyberspace.  From communications and commerce to defense and security, activities in cyberspace are now part of everyday life for many people.  These activities involve significant interactions between individuals and entities in different States and have innumerable real-life repercussions in territory within the jurisdiction of one or more States.  To give just a few examples: transactions over the Internet; communications through social media; the use of cyber "currencies" such as bitcoin and others that rely on blockchain technology; cyber "attacks" undertaken by actors in one State against the critical infrastructure in another State; the use of cyberspace by one State to interfere in the political processes of another State; the collection of intelligence  or other acts of "espionage" in cyberspace; and the use of cyberspace for military purposes, such as shutting down an adversary's communications platform during a military operation.

Text

Although the devices that generate activities in cyberspace (servers, computer networks, and the like) exist within the traditional territory of States, the interactions between these devices do not take place within the territory of a State or States in the traditional sense.  As a result, activities in cyberspace raise significant questions regarding international law, international institutions, and international governance, including in the following areas:

    Sovereignty, Jurisdiction, and Extraterritoriality:  Under what circumstances may a State exercise legislative, judicial or enforcement authority to regulate cyber-related activity beyond its physical boundaries (territory)?  Under what circumstances may a State take actions through cyberspace that have a physical or other tangible impact in another State's territory? 

    International Human Rights:  How do "rights" recognized by some States but not others apply to activity in cyberspace?  For example, with respect to personal privacy, to what extent may an individual exercise control over her or his own information that appears on the Internet, and what are the obligations of those holding personal information of other actors collected on the Internet?  How should speech be governed in common areas of cyberspace such as social media platforms?

    International Humanitarian Law:  How do the traditional laws of armed conflict apply to military activities undertaken in cyberspace, for example deliberate attacks by one State on the information systems of another State for strategic or military purposes?[i]

    International law and espionage:  What is the international law framework for the use of cyberspace by one State to collect information on another State, or the interception in cyberspace by one State of communications from another State? 

    Cybersecurity and "defensive" activities in cyberspace:  What is the international law framework governing activities that a State may take to defend itself and important State assets from attacks that emanate through cyberspace? 

    Governance of cyberspace: Which international institutions or conventions, if any, should govern standards-setting and other issues in cyberspace (for example, Internet domain name registration)?

    International Commercial Law and Private International Law: Commercial transactions conducted electronically on the Internet raise questions of product regulation, including standards and enforcement and health and safety, labor and environmental considerations, taxation, and choice of law issues.[ii] 

    Financial regulatory standards:  What standards or framework should apply to financial transactions involving stock, cybercurrency, blockchain, etc. that are conducted in cyberspace?

    Data-protection and data-sharing:  Which standards or norms should apply to ensure that data shared or stored in cyberspace is safeguarded from corruption, compromise or loss?  What standards or norms should govern the sharing of data in cyberspace, for research and educational purposes, for commercial purposes, between one or more States, etc?   When a company in one country stores its data in another country, whose laws govern the access to and security of that data?[iii]

Although there is general agreement that international law applies in cyberspace, activities conducted in cyberspace frequently raise novel jurisdictional questions or seem to be prime candidates for international agreements.  An electronic transaction between a company in State A and a company in State B may actually travel through servers located in States C, D, and E.  It is not always clear which State's laws and rules govern such behavior.  To give but one example, a French law (now replaced by the European Union's General Data Protection Regulation, articles 17 & 19[iv]) prohibited the provision of data related to an individual over the Internet if the individual had directed that the data be erased (the so-called right to be forgotten or right to erasure).  It was clear that the French law applied to requests for data from servers located in France.  But thus far that is not the case if the request came from a server in another country.  The issue, which has played out in legal proceedings between France and Google, can be phrased as whether one country – in this instance France – should be able to control the provision of information throughout cyberspace.   As another example, in 2018 the U.S. Supreme Court reversed a long-standing U.S. doctrine requiring that a merchant have a physical presence in a U.S. state in order for that state to have the authority to tax Internet sales to consumers in that state.[v]  This outcome has international implications because the same logic would appear to apply to Internet sales involving sellers in other countries.

At this time, there is relatively little specific international governance of cyberspace.  To date, discussions regarding various aspects of the international legal framework for cyberspace have taken place with mixed success.[vi]  An example of existing supranational law that may well develop into an international norm in cyberspace is the European Union's General Data Protection Regulation (GDPR), mentioned above.  Generally speaking, the GDPR governs the handling within the European Union of personally identifiable information of individuals and the export of such data, and it applies to enterprises doing business with the European Union, European Economic Area and the United Kingdom (even after Brexit).  Given the breadth of its coverage, the GDPR may result in the establishment of international norms that govern the handling of personal data.  Generally established international law also applies to cyberspace, of course, such the U.N. Charter's restrictions on the use of force in another State's territory, or the customary international law prohibition against intervention in the internal affairs of another State.  International norm establishing responsibility for environmental harm to another State or areas beyond national jurisdiction also apply in cyberspace.[vii]

It can be expected that international law, institutions, and norms will continued to be developed to deal with these and other cyberspace issues.

i See, for example, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations.

ii See, for example, the work of the Hague Conference on Private International Law on E-Commerce.

iii See, for example, the proceedings in the US v. Microsoft litigation that was before the US Supreme Court in 2018.

iv European Union 2016/679.

v See South Dakota v. Wayfair, Inc. (June 21, 2018).

vi See, for example, the work of the UN Group of Government Experts on Developments in the Field of Information and Telecommunications in the Context of International Security.

vii See Principle 21, Stockholm Declaration on the Human Environment (1972); Principle 2, Rio Declaration on Environment and Development (1992).


Clicking the icon in the upper corner of the video below will expand the full playlist.


Publicly Accessible

American Bar Association (ABA): Cyberspace Law Committee

Electronic Information System for International Law (EISIL)

  • http://www.eisil.org
  • Contains linkages to conventions, treaties, and access to other sites containing relevant information and related research guides.
  • Relates to: Cyber Crime, Data Protection & Privacy

Georgetown Law Library: International and Foreign Cyberspace Law and Research Guide

  • http://guides.ll.georgetown.edu
  • Contains linkages that relate to: Internet Governance, E-Commerce, Data Protection & Privacy, Cyber Crime, and Cyber Warfare

International Technology Law Association (ITLA)

  • https://www.itechlaw.org/
  • Provides access to current developments in the field, as well as other related material.
  • Relates to: E-Commerce, Data Protection, Cyber Security, Cyber Crime.

Oxford Public International Law (OPIL)

  • http://opil.ouplaw.com
  • Contains linkages that relate to: Cyber Warfare, Cyber Crime, Data Protection & Privacy

United Nations: International Telecommunication Union

  • https://www.itu.int
  • Contains linkages to current discussions in the field, other related material.
  • Relates to: Cyber Crime, Data Protection & Privacy, Cyber Security