By Dan Jerker B. Svantesson
Time to dump the old paradigm.
Cloud computing, by its very nature, transcends location, geography and territorial boundaries. Data accessed in one country might be stored halfway across the world, or even in servers in multiple countries.
International law, on the other hand, sees the world through the lens of various jurisdictions, which are inherently linked to location, geography and territorial boundaries.
So when cloud computing and international law interact, sometimes the results can be highly problematic.
For example, in December 2013 the US government served a search warrant on Microsoft under the Electronic Communications Privacy Act of 1986. The warrant authorised the search and seizure of information associated with a specific web-based email account that is stored at Microsoft’s premises in Dublin, Ireland.
Microsoft has opposed the warrant since the relevant emails are located exclusively outside the US, in Ireland. In the US government’s view, international law supports its position, since all steps to retrieve the data would be taken on US soil.
In contrast, Europe takes the view that the US should be engaging in law enforcement in Ireland, since that is where the data sits. From this point of view existing international law seems to support the European claim.
This situation is nonsensical and the time has surely come to start over. There are increasing calls for innovative ways to solve the considerable problems caused by overlapping claims of jurisdiction on the internet.
For example, former Homeland Security secretary Michael Chertoff recently said in the Wall Street Journal that:
The current free-for-all of competing nations needs to be replaced with an agreed-upon international system for newly designed choice-of-law rules for data in the internet Cloud.
Chertoff called for steps to harmonise existing rules in a framework of law for the cyber age. Calls such as this are both reasonable and timely. So what is the problem? What stands in the way of serious reform?
A problematic 80-year-old
The problem is that real progress cannot be made without desecrating some principles taken for granted by most lawyers, policy-makers and politicians and held as holy by the international law community.
The approach international law takes to these matters stems from 1935, when the Harvard Research Draft Convention on Jurisdiction with Respect to Crime (the so-called “Harvard Draft”) was published. It articulated a set of grounds for jurisdiction to varying degrees recognised under international law.
Most importantly, it pointed to the so-called territorial principle – which places focus on the geographical location of events, persons, data etc. – as being “everywhere regarded as of primary importance and of fundamental character”.
It might sound pretty straightforward and uncontroversial. But it’s not in a world of cloud computing.
Unfortunately, we have allowed the Harvard Draft principles to galvanise 1930s thinking of the world. Eighty-year-old principles from a very different world are still governing us, and they are restricting our thinking today.
As an unsurprising consequence, the principles found in the Harvard Draft are no longer part of any solution. They have become a part of the problem. And nowhere is this truth more obvious than in the context of jurisdictional claims in relation to the internet.
A new paradigm
To move forward, we must recognise that the territoriality principle, and the other Harvard Draft principles, are merely proxy principles for underlying core principles. They were, after all, constructed to reflect the legal practice at the time.
Particularly when we are trying to apply the law to novel phenomena that need to become the subject of clear legal rules, we need to cut away the undergrowth of such proxy principles and identify the core principles that are reflected in them. Only then will we be able to focus on the considerations and values that truly are to be balanced.
It seems to me that the essence of the jurisdictional principles currently used may be distilled into three core principles.
Jurisdiction may only be exercised where:
- there is a substantial connection between the matter and the state seeking to exercise jurisdiction
- the state seeking to exercise jurisdiction has a legitimate interest in the matter
- the exercise of jurisdiction is reasonable given the proportionality between the state’s legitimate interests and other competing (state) interests.
The proposed paradigm shift from proxy principles to core principles represents an important philosophical and theoretical change. However, it is on the practical level that the main benefits will be seen.
Done carefully and diligently, the shift would see no practical change in non-controversial areas of jurisdiction since territoriality typically will be associated with both a substantial connection and a legitimate interest.
At the same time, the proposed paradigm shift would see us being much better equipped to address what are now controversial areas. It will allow us to think more creatively rather than in a merely mechanical, binary way.
It would, for example, free us from the thinking that state A always must have a jurisdictional claim over all aspects of data that happens to be located on a server in state A – a notion that simply does not fit with the nature of cloud computing.
Dan Jerker B. Svantesson is a co-director at the Centre for Commercial Law at Bond University.