First, something about what we mean by jurisdiction. We shouldn’t get too hung up on this, because jurisdiction is mostly used just as shorthand for cross border legal liability. But lawyers use the single word jurisdiction to mean several different things and, if we are not careful, we can end up talking at cross-purposes.
In a nutshell, there is:
- Prescriptive jurisdiction. This is simply the assertion, however theoretical, as to the reach of a local law. If the UK had passed a law making it illegal for UK citizens to read the banned book Spycatcher when visiting the USA, that would be an assertion of prescriptive jurisdiction. Another example is when a court makes an order requiring something to be done (or not done) in a foreign country.
- Adjudicative jurisdiction. This is when a court determines that it has the ability (or not) to hear and decide a case. It also describes a court determining which country’s law it should apply to the case before it. In civil litigation between private parties the court may end up applying its own law or a foreign law. In a criminal prosecution the court will either apply its own country’s law or refuse jurisdiction.
- Enforcement jurisdiction. This engages territoriality issues most strongly, since taking enforcement measures in another country is rather like sending troops across the border – an invasion of territorial sovereignty unless done with the consent of the other state.
- Investigatory jurisdiction. Sometimes regarded as a subset of enforcement jurisdiction, investigatory jurisdiction has become such an important topic for the internet (think of the Microsoft Warrant case pending before the US Supreme Court, or the Yahoo case that went up to the Belgian Supreme Court and back three times) that it deserves its place as a separate category.The issue here is when and how it is legitimate for law enforcement or intelligence agencies, with or without court orders, to demand that communications (or their associated data) held overseas be handed over. As with enforcement jurisdiction this involves direct assertion of state power within the territory of another country – either where the data is held, where a foreign company is established, or both.
It gets more complicated than that. International law has developed principles around when it is legitimate for a state to act extraterritorially. They form the background to a discussion of how jurisdiction should apply to the internet. But we should not necessarily be hamstrung by the existing order of things when debating the question of what rules should look like in the internet age.
Yes, the internet is different. Time was when people would say that the internet was just another new medium. We have coped with cross-border issues as a result of international communications and satellite broadcasting, so why do we need new rules for the internet?
The internet is not wholly different, but some of its features are sufficiently different to demand reconsideration of the old rules.
Individuals by the million are authors and publishers as well as readers. Their content is instantly accessible worldwide. Conversely, the effect of a national law or court injunction is amplified by the internet. An order can have effects in other countries that the same instrument would not have in the offline world. Cloud computing means that data is volatile. It may not stay in the same country from one second to the next, and fragments of one item of content may be split between data centres in different countries. All these things render the internet not only different, but materially so.
It’s not about whose law is better. If you arrive at a jurisdiction conference determined to demonstrate the superiority of your own local, national or regional law over that of every other country, then you are at the wrong conference. Jurisdiction rules are about resolving friction between different legal systems in as agnostic a way as possible, not about ensuring that the best (in someone’s view) law wins.
It’s not about global harmonisation. Perhaps you harbour an ambition of achieving global consensus about the substantive laws that should apply to the internet. That may be a noble goal (albeit there is also merit in diversity of laws) but it is a different project. Jurisdiction rules presuppose different laws in different countries, albeit admittedly it is easier to reach agreement on jurisdictional rules when the underlying laws are more closely aligned. Nevertheless, while a jurisdiction project can aim to create international norms at the level of metalaw (rules about rules), creating uniform substantive law is not its goal.
Comity is not enough. Resolving jurisdictional frictions is often seen through the prism of comity. Comity has two aspects: the need as far as possible to recognise a legitimate assertion of state power by foreign countries, even if that may have some cross-border spillover effects; and conversely, the need to avoid treading on the toes of other foreign states when making orders that may have effects in other countries (but in both cases bearing in mind that spillover effects are likely to be greater on the internet than offline).
However, comity is a state-centric concept. It treats states as proxies for the rights and interests of their citizens. Extraterritorial legislation and court orders not only engage the sensitivities of other states, but directly affect individuals in other countries, engaging their universally recognised fundamental rights of, for instance, privacy or freedom of expression.
Those individuals’ interests stand to be considered separately from the question of whether the sensitivities of another state are likely to be engaged by a particular legal instrument. Failure to engage in separate consideration can lead to the kind of reasoning adopted in the Equustek case, where the Supreme Court of Canada concluded that since protection of intellectual property was the kind of interest that another state would be expected to protect, its sensitivities would not be engaged and there was no issue of comity.
The SCC did not go on to ask whether, and if how the freedom of expression interests (the right to receive and seek out information) of citizens of other countries might be engaged by the particular assertion of rights in that case. That is of particular relevance in intellectual property cases since intellectual property rights are themselves generally territorial, so that a person may own rights only in some countries and not others; or may own rights of different scope in different countries.
We need brakes as well as accelerators. The jurisdictional problems of the internet manifest themselves in both underreach and overreach. There are situations where arrangements between states are no longer providing adequate means to obtain evidence to support criminal investigations. We can no longer assume that the evidence relating to a domestic crime will be held domestically. It could as easily be in a data centre abroad. That would suggest a need to improve procedures for obtaining cross-border evidence.
Conversely, we have situations in which domestic legislatures, agencies and courts are at risk of overreaching in the cause of giving maximum effect to their local laws. That can result in the de facto imposition of those laws in countries with different laws. The concern here is the need for jurisdictional self-restraint.
The challenge is to forge rules that enable cross-border reach when appropriate, yet prevent the exercise of jurisdiction when not appropriate. The same kinds of rules are unlikely to achieve both. An approach that enables a court to weigh up and balance a series of factors in deciding whether or not to make an extraterritorial order may have desirable flexibility for the first case. But where risk of jurisdictional overreach is concerned a multi-factorial approach may be more enabling than restraining. Hard stops are likely to be required.
Peaceful co-existence requires compromise. The premise of jurisdiction rules is that nation states have different laws. The objective where the internet is concerned should be to achieve peaceful co-existence between conflicting national regimes while protecting to the greatest possible extent universal values such as freedom of expression and privacy.
Peaceful co-existence cannot be achieved without compromise. That means taking a broader view than simply a laser-like focus on securing the effectiveness of one country or region’s most cherished laws. It may mean accepting that your country’s citizens can, if they try hard enough, find somewhere on the internet content that complies with another country’s laws and not your own.
(For more on this final topic see Cyberborders and the Right to Travel in Cyberspace, my chapter in The Net and the Nation State (2017 CUP, ed Uta Kohl).)