Extraterritoriality and the transatlantic free speech wars

The transatlantic free speech wars continue to rage. The US House Judiciary Committee was in action again last week, taking aim at the European Commission (who rejected its latest interim report as ‘pure nonsense’) and provoking EU civil society groups in the process.

The US administration, for its part, fired off its most recent salvo shortly before Christmas last year, when US Secretary of State Marco Rubio added five people to a list of individuals who would not be allowed visas, due to their activities in the 'global censorship-industrial complex'.

The US rogues' gallery included former EU Commissioner Thierry Breton, whose letter to Elon Musk in August 2024, referencing the Digital Services Act, scuppered Breton's prospects of a job in the 2024-2029 European Commission. The Commission have been trying to live down the letter ever since. US critics of the DSA have never let them forget it.

Notably, or perhaps prudently, the no-visa list included no current foreign state officeholders or functionaries. It did not go as far as when the US imposed visa restrictions on the Brazilian Supreme Court judge Alexandre de Moraes in July 2025. The implied threat, however, remains: "The State Department stands ready and willing to expand today's list if other foreign actors do not reverse course."

The next, heavily trailed, US counterstrike may be legislative: a federal ‘GRANITE Act’ Bill. We await to see if such a Bill materialises, and if so what it consists of. A state-level GRANITE Act was introduced into the Wyoming legislature yesterday.

If a federal Bill were framed along the lines of the 2010 SPEECH Act (aimed at libel forum-shopping) it would act as a shield, explicitly preventing enforcement of foreign regulatory and similar orders within the USA. A more radical (and controversial) step would be if it contained a sword: a cause of action on which aggrieved plaintiffs could claim damages in the US courts. The most controversial step would be if that were accompanied by amendment of the US Foreign Sovereign Immunities Act to enable foreign regulators such as Ofcom to be sued, either in the federal courts or under state legislation such as the Wyoming Bill.

Sovereignty exercised or violated?

What exactly is the US administration aggrieved about? Secretary of State Rubio's social media announcement referred to:

"egregious acts of extraterritorial censorship" by “ideologues in Europe [who] have led organized efforts to coerce American platforms to punish American viewpoints they oppose.”

The official State Department statement added:

“These radical activists and weaponized NGOs have advanced censorship crackdowns by foreign states—in each case targeting American speakers and American companies.”

It went on:

“President Trump has been clear that his America First foreign policy rejects violations of American sovereignty. Extraterritorial overreach by foreign censors targeting American speech is no exception.”

Stripped of the rhetoric, this is at least in part an accusation that the EU and UK, implicitly breaching international law on territorial sovereignty, have overreached in asserting their local regulatory regimes across the Atlantic.

The European Commission's response to the US visa bans asserted the EU's own:

"sovereign right to regulate economic activity in line with our democratic values and international commitments .... If needed, we will respond swiftly and decisively to defend our regulatory autonomy against unjustified measures."

The reported UK response was more anodyne:

"While every country has the right to set its own visa rules, we support the laws and institutions which are working to keep the internet free from the most harmful content."

Neither response directly addressed the US’s complaint about extraterritoriality. Since Secretary of State Rubio’s announcement did not identify any specific foreign state act that had prompted the visa sanctions, that was perhaps unsurprising. Moreover the visa restrictions were aimed, Thierry Bretton apart, at private persons who had not held public office. As against them, the US complaint was of ‘advancing’ censorship crackdowns by foreign states.

The French Foreign Minister, for his part, claimed that the DSA:

“…has absolutely no extraterritorial reach and in no way affects the United States.” (Jean-Noël Barrot, tweet, 23 Dec 2025)

Taking sides

What should a dispassionate legal observer make of all this? Some, no doubt, will be tempted just to plump for one side or the other, motivated by partisan preference for the EU, UK or US approach to governing speech and online platforms, by broader political affinities, or by views on the propriety or otherwise of deploying visa sanctions for this kind of purpose.

Tempting as that may be, simply to declare 'four legs good, two legs bad' will not do when it comes to considering international law rules and extraterritoriality. Taking sides based purely on a preference for the Digital Services Act or the Online Safety Act over the US First Amendment, or vice versa, does not address the underlying legal issue: how, in the inherently cross-border online world, to go about drawing boundaries - or at least minimise friction - between different national or regional legal systems. A more analytical approach is called for.

Prescriptive versus enforcement jurisdiction

For that we have first to distinguish between prescriptive and enforcement jurisdiction. Prescriptive jurisdiction is the territorial ambit of legislation: how far, and on what basis, does it claim to apply to persons or conduct outside its borders? Enforcement jurisdiction, on the other hand, is about concrete exercise of powers by a state authority. In the case of the Online Safety Act that authority is the designated regulator, Ofcom.

Where extraterritoriality is concerned, international law gives more leeway to prescriptive than to enforcement jurisdiction. That is because the state’s conduct in legislating is merely assertive. Although laws are an expression of state power, writing something into a state’s own legislation does not of itself involve conduct on the territory of another state.

Typically it is enforcement that causes problems, both in its own right - steps that the authorities have taken, especially cross-border, to enforce against a foreign person - and in the light that enforcement shines on the prescriptive territorial reach of the substantive legislation.

The US complaint – prescriptive or enforcement?

Did the US complaint concern prescriptive or enforcement jurisdiction? An interview given by Under-Secretary of State Sarah B. Rogers to the Liz Truss Show before Christmas put a little more flesh on the bones as far as the Online Safety Act is concerned. She suggested that European, UK and other governments abroad were trying to nullify the American First Amendment and that: 

"when British regulators decree that British law applies to American speech on American sites on American soil with no connection to Britain, then we're kind of forced to have this conversation." 

She went on:

"The position that Ofcom has taken in the 4Chan litigation is essentially that I, an American, could go set up a website in my garage, it could be Sarah's hobby forum, it could be all about America, it could be all about the 4th of July or whatever. It could have no employees in Britain, no buildings in Britain, my speech wouldn't even need to reach into Britain. I'm not posting about the Queen or anything, I'm posting about American concepts, American political controversies. Ofcom's legal position nonetheless is that if I run afoul of British content laws, then I have to pay money to the British government. When that happens, I think you should expect a response from the American government, and I expect to see one shortly." 

On the face of it Rogers’ concern is about the substantive territorial ambit of the OSA: in other words, prescriptive jurisdiction. 

Prescriptive jurisdiction

International law recognises various grounds on which extraterritorial prescriptive jurisdiction can be regarded as justified, some of them potentially very broad. These tend to reflect a broader principle that there must be sufficient connection between the person or conduct and the state asserting jurisdiction to justify the extraterritoriality in question. The more tenuous the connection and the greater the cross-border reach, the more exorbitant the claim to jurisdiction and the less likely that the extraterritoriality can be justified. 

That is the theory. In practice, the customary norms of international law tend to be distinctly malleable and, when push comes to shove, to merge into geopolitics.

Enforcement jurisdiction

In contrast, for exercise of investigative or enforcement jurisdiction, the traditional view is that nothing less than consent of the target state will do. Unlike for prescriptive jurisdiction, there is no balancing exercise to justify the degree of extraterritoriality of the asserted jurisdiction. The focus is entirely on the conduct of the state and whether it is an incursion on the territorial sovereignty of the target state.

However, this principle has come under strain. When electronic communication and the internet enable state authorities to act remotely without setting foot in another state’s territory or sending a physical document across the border, does that violate another state’s territorial sovereignty? Should, as for prescriptive jurisdiction, other factors come into play that could justify the state's conduct?

For one answer we can go back to 1648 and the Peace of Westphalia. This was the birth of the modern nation state, in which each state has exclusive sovereignty over its own territory. The corollary of that principle is an aversion to projection of state power into another state's territory: most obviously, sending troops across the border.

That, however, is not the only way of violating a state's sovereignty. Enforcement actions such as serving a court order or an arrest warrant within a foreign state's territory also project state power across the border and are considered to require the consent of the nation state concerned:

"Persons may not be arrested, a summons may not be served, police or tax investigations may not be mounted, and orders for production of documents may not be executed on the territory of another state, except under the terms of a treaty or other consent given." (Brownlie's Principles of Public International Law (9th edn) J. Crawford, Oxford, 2019. p.462)

That is why there is a proliferation of international treaties dealing with issues such as cross-border service of legal proceedings, assistance from overseas authorities in obtaining evidence for criminal prosecutions (MLAT) or, more recently, enabling direct service of information requests on foreign telecommunications operators. 

Enforcement jurisdiction and regulators

A requirement for consent of the target state creates a potential problem for regulators, whose procedures are highly bureaucratic: inevitably so since considerations of due process and fundamental rights will require them to give enforcement targets full and fair notice of their proposed and actual decisions. They are also often given powers to serve mandatory demands for information, backed up by sanctions (sometimes criminal offences, sometimes civil penalties).

On what basis can a regulator send such official documents across borders without impinging on the sovereignty of the target state? The answer is not immediately obvious, especially since the activities of regulators do not necessarily fall into simple categories of civil or criminal upon which international treaties regarding service of legal documents tend to be founded.

A typical solution to the territorial sovereignty problem is to enlist the assistance of the relevant authorities in the target state. If such assistance is not covered by a multinational or bilateral treaty, a regulator might come to an arrangement such as a memorandum of understanding between agencies in a group of states.

The 2020 multilateral Competition Authorities Mutual Assistance Framework model agreement, for instance, envisages that requests for voluntary provision of information could be made by a direct approach to persons in another territory. For mandatory process the route is via the authorities in the other country.

However, courts have sometimes held that serving a cross-border notice is not like trespassing on the territory of the receiving state. In the UK the Court of Appeal in Jimenez considered an HMRC taxpayer information notice (with the potential sanction of civil, but not criminal, financial penalties) served by post on someone in Dubai, in order to check his UK tax position. Jimenez argued that sending the notice was contrary to international law, as it would:

“offend state sovereignty by violating the principle that a state must not enforce its laws on the territory of another state without that other state’s consent.”

Leggatt LJ (as he then was) said:

“I do not accept that sending a notice by post to a person in a foreign state requiring him to produce information that is reasonably required for the purpose of checking his tax position in the UK violates the principle of state sovereignty. Such a measure does not involve the performance of any official act within the territory of another state – as would, for example, sending an office of Revenue and Customs to enter the person’s business premises in a foreign state and inspect business documents that are on the premises…”.

The Jimenez decision postdated the current edition of Brownlie quoted above. In KBR the UK Supreme Court emphasised that Jimenez concerned civil, not criminal, penalties. 

All this is not to say that a domestic statute can never expressly grant powers to take steps that, as a matter of enforcement jurisdiction, could go further than envisaged by international law. A UK statute may indeed do that, but in the expectation that the powers will be used with restraint, in a way that does not offend the sensibilities of another nation state (a.k.a. comity).

This passage from the Court of Appeal judgment in Competition and Markets Authority v Volkswagen and BMW, a case upholding CMA information notices served on German companies, is illuminating:

“All competition authorities worldwide face the same conundrum. Their statutory duty is to preserve the integrity of their domestic markets and protect consumers; yet, to perform that task regulators frequently have to focus their fire power upon actors located abroad where, if they seek enforcement, they might confront a variety of legal and practical problems. … How do legislatures square the circle? They achieve this by conferring broad extraterritorial regulatory and investigatory powers which can be exercised in undiluted form within their territorial jurisdictions, but which are exercised with circumspection and pragmatism when dealing with undertakings physically located elsewhere.”

The judgment went on to discuss comity:

“The creation of a power to be exercised with comity in mind … is, in our judgment, an eminently apt device to enable regulators to address, flexibly, issues of comity if and when they arise. [Counsel] for the CMA explained how comity worked. She acknowledged candidly that, notwithstanding the existence of broad investigatory powers, it was ‘out of the question’ that the CMA would for instance ever seek to conduct an on the spot investigation (a dawn raid) at the premises of an undertaking physically located outside the jurisdiction. Equally, she did not shirk from acknowledging that there could be difficulties in the exercise of mandatory powers of enforcement or sanction against a foreign undertaking which failed to comply with a statutory request for information. Such practical difficulties were simply the stuff of a regulator’s life.” 

Thus from a comity perspective a national regulator seeking to take enforcement steps against a foreign person may decide to tread carefully, especially where the subject matter may touch on particular sensitivities of the target state, even if the domestic legislation gives it power to act across borders. A combination of ambitiously extraterritorial prescriptive jurisdiction and broad investigatory and enforcement powers has the potential to become a combustible mixture.

Online Safety Act – prescriptive jurisdiction

With that background out of the way, how do Under-Secretary Rogers’ comments stack up?

In terms of its overall ambit, the UK Online Safety Act is extraterritorial but does not go as far as the mere accessibility position taken by Australian online safety legislation. The Australian Online Safety Act 2021 baldly asserts that a social media service is in scope of the Act unless “none of the material on the service is accessible to, or delivered to, one or more end-users in Australia”.

That legislation gave rise to civil litigation for an injunction brought by the eSafety Commissioner in the Australian courts, arguing that X should be required to take down certain videos worldwide and that geofencing to exclude Australia was insufficient. The regulator lost. 

The UK OSA sets out three grounds on which a service can be regarded as ‘UK-linked’ and so be a regulated service within scope of the Act. In the US litigation brought by 4Chan, Ofcom relies on two of those grounds: first, a significant number of UK users (based on statistics gleaned from 4Chan's website), and second the UK as a target market of the site (based on 4Chan seeking advertisers by reference to the percentage of UK users stated on its website).

Ofcom's position is thus that a sufficient UK connection (as stipulated in the OSA) exists in order for the OSA to apply to 4Chan. Ofcom did not (and could not) assert that the OSA safety duties apply to a site regardless of whether it has any UK connection.

How, then, should we interpret Under-Secretary Rogers' comment: “…when British regulators decree that British law applies to American speech on American sites on American soil with no connection to Britain”? That must presumably reflect a view of what should constitute a UK connection that is at odds with the OSA's criteria, or perhaps with Ofcom's interpretation of those criteria. It cannot, however, be argued that the OSA contains no UK connection criteria at all.

As to compliance with international law, the UK government would no doubt argue that as a matter of prescriptive jurisdiction the criteria for UK links stipulated in the OSA provide a sufficiently close connection with the UK to justify bringing a foreign service provider into scope, and are not exorbitant. It would also no doubt point to the fact that the substantive measures that can be required of an in-scope provider apply only to UK users of the service.

The Online Safety Act UK links criteria

The UK links set out in the OSA vary in the closeness of the stipulated UK connection. Some of them could be regarded as overreaching.  

The first ground - a 'significant' number of UK users - suffers from the vagueness of the term 'significant'. The Act does not elaborate on what that might mean and Ofcom has avoided specifics in its published guidance.

Speaking for myself, I have long proposed that extraterritorial jurisdiction on the internet should depend on whether a foreign site has engaged in positive conduct towards the jurisdiction. On that basis a self-contained test based only on number or proportion of users is potentially problematic: users may come to a site in numbers without the site operator ever having engaged in any positive conduct towards the country in which they are located. (This criticism can be applied to the DSA as well as the OSA).

The second ground - the UK as a target market - is reasonably conventional, if interpreted so as to reflect a requirement for positive conduct. Directing and targeting of activities has long been thought to be an appropriate ground on which to assert jurisdiction over internet actors.

The third ground - 'material risk of significant [physical or psychological] harm " is the most far-reaching and comes closest to a ‘mere accessibility’ test.

So far as prescriptive jurisdiction is concerned then, the OSA does stretch the limits of extraterritoriality, but – unless one were to take the position that a site is connected only to the country of its location - does not purport to apply to sites regardless of whether they have any connection to the UK.

Online Safety Act – enforcement jurisdiction

Although Under-Secretary Rogers’ comments are framed in terms of the OSA’s prescriptive jurisdiction, the point that 4Chan has emphasised in its US litigation concerns Ofcom’s exercise of its enforcement jurisdiction – serving a series of documents, including a mandatory information request under Section 100 of the OSA, directly on 4Chan by email.

As already noted, a regulator such as Ofcom proceeds against a service provider by way of a series of official notices. These present no jurisdictional problems if they can be served within the UK, but can Ofcom serve a notice on a foreign operator without violating the territorial sovereignty of its host country? As a matter of UK domestic law the OSA provides a variety of methods of service, including cross-border service by post and service by email.

Some might suggest that that, as a matter of international law, is an impermissible exercise of enforcement or investigatory jurisdiction unless done with the consent of the USA. But as Jimenez illustrates, a UK court would not necessarily agree; and in any case, if the words of the domestic statute are sufficiently clear to rebut any interpretative presumption against extraterritoriality, a UK court will give effect to them. 

Consequences

The consequences of exceeding acceptable limits of extraterritoriality may vary widely, depending on how exorbitant is the exercise of jurisdiction and how sensitive is the subject matter. They range from no response (often the case for merely prescriptive jurisdiction), to diplomatic, to refusal by foreign courts to recognise or enforce, to enactment of various kinds of blocking legislation.

One example of the latter was the US SPEECH Act 2010, which prevents enforcement of certain foreign libel judgments in the US courts and enables US persons to start proceedings for a declaration of non-enforceability in the US courts.

Another was the UK Protection of Trading Interests Act 1980. This was a response to a long period of US anti-trust legislation being enforced against conduct outside the USA by non-US companies. Years of diplomatic activity had failed to resolve the conflict, which had become more acute in the late 1970s.

As already mentioned, a state-level GRANITE Act has been introduced as a Bill into the Wyoming legislature. It is both a shield and a sword, albeit that the sword would be dependent on a federal amendment to the Foreign Sovereign Immunities Act. We await to see if a federal GRANITE Act will materialise. 

The Court of Appeal in the BMW case noted that it had been said that antitrust law was the best illustration of the problem of national public interest risking conflicting with issues of international sovereignty. Speech on the internet – today, online safety in particular - is bidding fair to seize that mantle.