The Un-Territoriality of Data

Territoriality looms large in our jurisprudence, particularly as it relates to the government’s authority to search and seize. Fourth Amendment rights turn on whether the search or seizure takes place territorially or extraterritorially; the government’s surveillance authorities depend on whether the target is located within the United States or without; and courts’ warrant jurisdiction extends, with limited exceptions, only to the borders’ edge. Yet the rise of electronic data challenges territoriality at its core. Territoriality, after all, depends on the ability to define the relevant “here” and “there,” and it presumes that the “here” and “there” have normative significance. The ease and speed with which data travels across borders, the seemingly arbitrary paths it takes, and the physical disconnect between where data is stored and where it is accessed critically test these foundational premises. Why should either privacy rights or government access to sought-after evidence depend on where a document is stored at any given moment? Conversely, why should State A be permitted to unilaterally access data located in State B, simply because technology allows it to do so, without regard to State B’s rules governing law enforcement access to data held within its borders? This Article addresses these challenges. It explores the unique features of data and highlights the ways in which data undermines longstanding assumptions about the link between data location and the rights and obligations that should apply. Specifically, it argues that a territorial-based Fourth Amendment fails to adequately protect “the people” it is intended to cover. Conversely, the Article warns against the kind of unilateral, extraterritorial law enforcement that electronic data encourages — in which nations compel the production of data located anywhere around the globe, without regard to the sovereign interests of other nations

Against Data Exceptionalism

One of the great regulatory challenges of the Internet era—indeed, one of today\u27s most pressing privacy questions—is how to define the limits of government access to personal data stored in the cloud. This is particularly true today because the cloud has gone global, raising a number of questions about the proper reach of one state\u27s authority over cloud-based data. The prevailing response to these questions by scholars, practitioners, and major Internet companies like Google and Facebook has been to argue that data is different. Data is “unterritorial,” they argue, and therefore incompatible with existing territorial notions of jurisdiction. This Article challenges this view. The Article argues that the jurisdictional challenges presented by the global cloud are not conceptually as novel as they seem. Despite the technological wizardry of modern life, the “cloud” is actually a network of storage drives bolted to a particular territory, and there is substantial case law suggesting that courts think of data as a physical object. Moreover, even if the cloud were a free-floating ether, data can be thought of as an intangible asset, like money or debt, which flows across borders; courts have been adjudicating such jurisdictional disputes for centuries. These precedents suggest numerous grounds for states to assert jurisdiction over data—not a single test, as major Internet companies claim. After showing that these jurisdictional problems are not unprecedented, the Article draws from these precedents and outlines practical steps that courts, Congress, and the President can take to alleviate jurisdictional conflicts over the cloud. As Microsoft\u27s cross-border dispute with the U.S. Department of Justice works its way through the courts, the President negotiates a treaty with the United Kingdom regarding cross-border access to the cloud, and Congress rewrites the Electronic Communications Privacy Act, finding a grounded approach to addressing this problem—one rooted in longstanding jurisdictional and conflicts principles—has never been more critical

Hidden by Sovereign Shadows: Improving the Domestic Framework for Deterring State-Sponsored Cybercrime

This Article analyzes the domestic legal framework applicable to state-sponsored cybercrime. The Article describes several instances where state sovereigns perpetrated cybercrimes in the United States. It then outlines the legal framework that the US government utilizes to hold accountable those who perpetrate such crimes. This Article argues that the current legal framework does not have a deterrence effect on sovereign states engaged in such activity and that prosecutors who seek to apply the current framework against state sovereigns or who misattribute the source of such attacks could negatively impact US foreign policy. To remedy these defects, this Article asserts that relevant US law should apply extraterritorially and that Congress should contemplate passing a statute that abrogates sovereign immunity for state sponsors of cybercrime and subjects such states to civil liability

CROSS-BORDER DATA TRANSFER REGULATION: A COMPARATIVE STUDY OF CHINA AND EUROPE

With the so-called Industry 4.0 revolution ongoing, end-to-end digitalisation of all assets and integration into a digital ecosystem led the world to the unprecedented increases in connectivity and global flows. Cross-border data flow has become the cornerstone of the cross-border economy, especially for digital products. Without cross-border data flow, there will be no transactions. As a result, governments have started updating the data-related policies, such as restrictive measures for data cross-border flows or rules to mandate local data storage. Against this background, this study focuses on emerging research topics, starting with contemporary public policies on the cross-border data transfer. The objective is to examine whether the policymakers from both regions could better achieve their goals of promoting digital economy by establishing a mutual understanding with the industrial entities, while maintaining the balance between the protection of personal information and the innovation in digital markets. For that purpose, this research explores the historical development of data transfer regulatory measures in China, the EU and the U.S., studied the specific challenges they are encountering in the data globalisation era. Part I studied the evolvement of the CBDT rules. It is pointed out that the CBDT regulation is a technology-led phenomenon yet not novel. It is an emerging threat to privacy posed by the development of technology, thus attracted the scrutiny from the public and the authorities. The CBDT regulation reflects the enforcement of national jurisdiction in the cyberspace, which does not enjoy an indisputable general consensus in the contemporary international law. The rulemaking of CBDT cannot avoid the controversial debate over the legitimacy of state supervision of the network. CBDT regulation is originated from the protection of personal data in the EU, yet the disagreement with regard to its philosophy is derived from the conflict of different legislative values, that is, different legislators have different understandings of the freedom of free flow of information and the right to personal information. The author also questioned the rationale of the EU data transfer rules by discussing the target validity of the current rules, that is, the target validity for data protection. Part II compared the EU and China\u2019s data protection laws as well as the CBDT rules respectively. Challenges that CBDT restriction measures might face are listed, since the data transborder transmission is not a legislative measure by nature. In the process of rulemaking and implementation existed dual pressures from domestic and abroad, categorised as technological, international legislative and theoretical challenges. Theoretically, Cyberspace does not have a boundary similar to a physical space, the theoretical premise that the EU CBDT rules ignored is that the state must control the transborder transmission of data by setting the borders. Thus, for China, two aspects must be addressed: is there an independent cyberspace law, and where is the boundary between the virtual and real world. International legislative challenges arise from the oversea data access of the U.S. government. The EU CBDT framework has limited impact when facing such data access under the cover of FISA and CLOUD Act of the U.S. Particularly, this dissertation discussed the potentials for a free flow of data transfer mechanism between the EU and China. It is worth exploring the possibility for a region-based bilateral collaboration, such as a free trade zone in China, to seek for the EU Commission\u2019s recognition of adequate level of protection of personal information. For general data-intensive entities, binding corporate rules and standard contractual clauses are still the preferrable approaches. Part III examines the data protection implementation and data transfer compliance in the context of the HEART project. By analysing the use-cases the HEART deployed, as well as the architecture that it proposed, Chapter 6 studies the privacy-enhancing measures from both the organisational and technical perspectives. Specifically, the data classification system and dynamic data security assessments are proposed. Chapter 7 studied the use case of federated recommender system within the HEART platform and its potentials for the promotion of GDPR compliance. The recommender system is thoroughly analysed under the requirements of the GDPR, including the fundamental data processing principles and threat assessment within the data processing

US Counterterrorism and the Human Rights of Foreigners Abroad

This book examines why the United States has introduced safeguards that are designed to prevent their counterterrorism policies from causing harm to non-US citizens beyond US territory. It investigates what made US policymakers take steps to "put the gloves back on" through five case studies on the emergence of such safeguards related to the right not to be tortured, the right not to be arbitrarily detained, the right to life (in connection with targeted killing operations), the right to seek asylum (in connection with refugee resettlement), and the right to privacy (in connection with foreign mass surveillance). The book exposes two mechanisms – coercion and strategic learning – which explain why the United States has introduced what the authors refer to as "extraterritorial human rights safeguards", thus demonstrating that the emerging norm that states have human rights obligations towards foreigners beyond their borders constrains policy choices. This book will be of key interest to scholars and students of human rights, counterterrorism, US foreign policy, human rights law, and more broadly to political science and international relations

The role of courts in adjudicating human rights violations by transnational corporations

In this era of globalisation, Transnational Corporations (TNCs) operated in an accountability gap that is often leaving these entities largely unregulated in the context of human rights. While globalization has facilitated growth for such entities by lowering legal, financial and technical restrictions, a failure to agree an overarching protection mechanism and the weaknesses in current protection mechanisms creates a vacuum. This vacuum primarily exists due to inadequate legal and regulatory regimes in host states that are developing countries, and who need and seek such investment; and the general difficulties concerning the weak enforceability of international law. As a consequence, TNCs could and do commit grave human rights violations while avoiding scrutiny despite the existence of a few international, regional and institutional instruments that could hold them accountable. The efforts to fill the regulatory vacuum in which TNCs function have taken the form of ‘soft-law’ instruments, however, their purely voluntary nature and purpose in encouraging TNCs to oblige rather than holding them legally accountable appears inadequate in promoting and protecting recognised principles of human rights law. Under international law victims of corporate human rights abuses, just as any other types of victims, have the right to access an adequate remedy through recourse to judicial remedies where other informal or administrative remedial schemes are insufficient. Having an efficient and fair justice system in developing host states for the victims of corporate human rights abuses is key to ensuring access to an adequate remedy. The thesis aims at examining the role of various courts at international, regional and domestic level; in the intergovernmental, home, as well as in the developing host state, to remedy and punish human rights violations by TNCs. The reasoning underpinning the examination of judicial scrutiny acknowledges that such authorities are not an ideal forum for improving human rights mainly due to problems that prevent full access to such legal remedies. However, the existence of judicial systems and effective remedies stemming from them is nonetheless believed to remain the essential, if not an effective forum based for victims seeking redress for corporate human rights abuses. This thesis also explores the question as to adequate forum for accountability, assessing efforts made in ‘home’ states where the TNCs are headquartered, and in ‘host’ states, where they operate, and where, practice shows, many of the unremedied human rights violations persist. Although, the emphasis for host states is on potential accountability. The study uses Nigeria as case study to assess the extent of human rights violations by TNCs in developing host states, how these entities have been dealt with by the courts at domestic level, in a bid to highlight the challenges hindering access to effective remedy and justice. It proposes as a recommendation that developing countries undertake deep structural reforms, alongside vigorous involvement of several actors, including the state, related agencies, the judiciary and public interest organisations

US Counterterrorism and the Human Rights of Foreigners Abroad

This book examines why the United States has introduced safeguards that are designed to prevent their counterterrorism policies from causing harm to non-US citizens beyond US territory. It investigates what made US policymakers take steps to "put the gloves back on" through five case studies on the emergence of such safeguards related to the right not to be tortured, the right not to be arbitrarily detained, the right to life (in connection with targeted killing operations), the right to seek asylum (in connection with refugee resettlement), and the right to privacy (in connection with foreign mass surveillance). The book exposes two mechanisms – coercion and strategic learning – which explain why the United States has introduced what the authors refer to as "extraterritorial human rights safeguards", thus demonstrating that the emerging norm that states have human rights obligations towards foreigners beyond their borders constrains policy choices. This book will be of key interest to scholars and students of human rights, counterterrorism, US foreign policy, human rights law, and more broadly to political science and international relations