You are here: Home > Publications > RIPE Labs > Sara Solmone > Establishing Jurisdiction Online: the Problem of the Access-based Jurisdictional Principle

Establishing Jurisdiction Online: the Problem of the Access-based Jurisdictional Principle

Sara Solmone — 16 Oct 2017
The advent of the Internet has posed numerous challenges to regulators worldwide. One of these challenges concerns the uncertainty about the meaning of State jurisdiction online according to international law.

 

One of the reasons why it is difficult to ascertain the meaning of State jurisdiction in cyberspace is the Internet’s apparently borderless nature. Traditionally, State jurisdiction has been established by relying primarily on the territorial criterion (i.e. a State can exercise jurisdiction over acts committed within its territory and over those established within its borders). However, the acts committed online happen in what appears at first sight as a non-physical environment, where it is not always possible to identify the perpetrator of an unlawful act, the territory from which the act originated, and the place where it produced its adverse effects. This is because once published online, content becomes instantly accessible nearly worldwide. For all these reasons, it appears particularly difficult to establish which State is entitled to apply its own laws to regulate acts committed online.

Due to the uncertainty about the rules regulating the exercise of State jurisdiction online, currently multiple and conflicting national laws are simultaneously being applied by States to regulate content published online. In particular, States are applying their laws to regulate content that has been published online from and is hosted in foreign countries on the basis of the fact that that content can be accessed from within the territory of the country exercising jurisdiction. This jurisdictional approach can be defined as access-based jurisdiction.

I argue that establishing jurisdiction based on access to online content can have negative effects on the fulfilment of human rights online, especially on freedom of expression.

The access-based jurisdictional principle: the Perrin vs. the United Kingdom case

What happened

Mr. Perrin, French national living in the UK, owned a website which was operated by a company based in the US. This website hosted images of sexual nature available free of charge on a preview page. In the US, the publication of this material was legal. In the UK, the images available on the website could be classified as obscene according to the Obscene Publications Act 1959. A policeman accessed the pictures as part of an investigation in the UK and criminal proceedings were initiated against Mr. Perrin.

What the court found

Southwark Crown Court sentenced Mr. Perrin to 30-month imprisonment because the images were accessible from within the UK. The England and Wales Court of Appeal (EWCA) confirmed Southwark Court’s conviction.

Mr. Perrin brought a claim that his right to freedom of expression had been violated to the European Court of Human Rights. The Court dismissed this claim stating that, as a resident of the UK, the UK laws were reasonably accessible to Mr. Perrin. Therefore, he should have acted more cautiously than normally expected in conducting his professional activity and have sought legal advice. Finally, the Court affirmed that the fact that the images in question were legal in the US did not mean that the UK had violated the European Convention on Human Rights by preventing the publication of the same images within its territory.

The implications of the exercising jurisdiction based on access

The Perrin case illustrates the key characteristic of the access-based jurisdictional approach. The accessibility of online content published abroad from within the territory of a given State has been used to justify the exercise of State jurisdiction and specifically the application of the objective territorial principle. In other words, publishing content online is equated to having committed an act within the territory of the State where that content can be accessed.

The access-based approach has attracted many critiques. First, it impacts negatively on human rights online as it can have the effect of imposing restrictions on Internet users located in foreign countries and subjected to foreign jurisdictions. Indeed, as observed by Korff (2014, p. 59), “the conviction of Perrin meant that the material on the website was illegal under UK (or at least English) law”. This means, as stated by Gillespie (2012, p. 170), that the person who controls a website that is hosted outside the UK “can be tried in an English court if he enters the territory of England”.

Second, in cases where the jurisdiction has been established based on access, no thorough analysis of the link between the perpetrator of the unlawful act, the illegal content published online and the State that exercises jurisdiction has been conducted, as Korff (2014, p. 61-62) rightly observes. This analysis could perhaps have helped the national courts to limit the exercise of their jurisdiction only to cases that have a genuine link with their country.

The importance of a “clear and close nexus”

The necessity to carry out a targeting test has been confirmed in the Geneva Internet Disputes Resolution Policy, which has been developed by the University of Geneva to provide some policy proposals on issues that can arise in Internet-related disputes. The proposal rejects the access-based jurisdictional approach as it “ignores the fact that many websites do not seek global attention and that it allows any country to enjoy jurisdiction over all those websites which do not make use of technological ways of filtering users” (Topic 1, Proposal 2).

Furthermore, some declarations and reports were issued between 2011 and 2014 by some international authorities in the field of freedom of expression. More specifically, the special representatives of freedom of expression of the United Nations (UN), the Organisation for Security and Cooperation in Europe (OSCE), the Organisation of the American States (OAS), the African Commission on Human and People’s Rights (ACHPR), the Inter-American Commission on Human Rights (IACHR) and the Council of Europe (CoE) High Commissioner on Human Rights have stated that jurisdiction over content published online should be limited to States to which those cases “have a real and substantial connection” (OSCE [4](a) or “are most closely associated” (IACHR para 66) or show “a clear and close nexus” (CoE 61-62).

These documents show the existence of some consensus regarding the negative effects that establishing jurisdiction based on access can have on the fulfilment of freedom of expression online.

Establishing jurisdiction online: which could be the criteria?

The criteria for exercising State jurisdiction online that have been identified by the above-mentioned freedom of expression international authorities are particularly interesting. These are: the place where the author of the content is established/resides; the place from where the content is uploaded/published; the State/public at which the content is specifically directed (OSCE and IACHR).

The first two of these criteria refer to the territorial principle of jurisdiction, while the last one is related to a targeting test. It can therefore be argued that even in an apparently borderless environment such as the Internet, territory is seen as a central element in establishing jurisdiction.

On the other hand, however, the territorial principle could be not useful in all those cases where the place where the content has been uploaded or even who uploaded cannot be established. Therefore, the targeting test seems better suited to establish which State has jurisdiction in a non-physical environment such as the cyberspace. Indeed, the targeting test permits to by-pass the obstacles represented by the unknown location of the person who uploaded some content online or the place where the content was uploaded from. This is because for the targeting test to be satisfied it is sufficient to establish that the content published online was targeting an audience located within a given State, regardless of where the content was originally uploaded from or who uploaded it.

However, the difficulty associated with the targeting test is that so far there is no consensus as to the criteria upon which this test should be based. In other words, it is unclear which factors must be considered when establishing whether content published online from a given State targets an audience located in a foreign country.

Conclusions

Three conclusions can be drawn from the themes examined here.

First, due to the uncertainty as to the meaning of State jurisdiction online, some national courts are adopting the access-based jurisdictional principle to establish jurisdiction over content uploaded and hosted abroad. This fact can have negative effects on the fulfilment of human rights online.

Second, some consensus at the international level exists - at least among some international authorities in the field of freedom of expression - on limiting State jurisdiction only to cases were a genuine link can be found between the State establishing jurisdiction and the content published online/person publishing it.

Finally, as to the criteria for exercising jurisdiction in Internet-related cases the targeting test seems better suited to establish jurisdiction in a non-physical environment than the territorial principle. However, the difficulty associated with the targeting test is that so far there is no consensus as to the criteria upon which this test should be based.

 

Sara Solmone will  be a RACI fellow at the RIPE 75 meeting in October 2017 and will present this topic during the plenary session on Monday, 23 October 2017.

3 Comments

Jordi Palet Martinez says:
16 Oct, 2017 12:31 PM
Hi Sara,

Thanks for the article, very interesting and in fact I'm very curious about this topic.

I've a question for you, if you can provide your opinion.

Let's take this example. A person or organization is sending spam from servers in country "x", to (for example) a server located in Spain.

The spammed users are some of them Spanish citizens and living in Spain, others are US citizens living there.

My belief is that the jurisdiction that apply here is the one where the spam is being "received" at the final destination (so Spain and US in those examples).

But may be is not like that and it apply the jurisdiction of where the "destination" email server is located?

Or it is the jurisdiction of the IP of the "sender" email server?

Thanks in advance!
Sara Solmone says:
16 Oct, 2017 11:18 PM
Hi Jordi,

Many thanks for your question, which is very interesting!

I believe that the answer to your question lies in the national data protection laws of the countries involved in the sending and receiving of the spam emails. My understanding is that unfortunately there isn’t a universal jurisdictional rule that all the States follow to regulate the sending of spam emails. Therefore, each State decides how to regulate this subject matter and how broad the territorial scope of their national laws is.

In your example, Spain and the US are the countries where the receivers of the spam emails are located. In Spain, the Act 34/2002 on Information Society Services and E-Commerce applies to the ISPs that are established in Spain, established in a Member State of the EU/the European Economic Space or that are outside the EU but target Spanish market/Spanish Internet users. This is valid irrespective of where both the company sending the spam emails and the server from where the emails were originally sent are located. The same goes for the EU General Data Protection Regulation, which will apply in May 2018. The regulation applies to the processing of personal data of Internet users established within the EU, irrespective of the location of the data controller.

Therefore, the jurisdictional approach taken in the Spanish and the EU Regulation case is that of the users/market targeted by the spam email, rather than that of the country where the servers are located.

Anyway, I am afraid that I am not a specialist in data protection laws, therefore please take my answer with a pinch of salt. Just my two pennies.
Jordi Palet Martinez says:
23 Oct, 2017 09:41 AM
Thanks a lot for your response.

I think we agree on that. I know very well the Spanish LOPD, LSSI and the new GDPR, however, I still fail to see if "Internet users established within the EU" means 1) "EU citizens", or 2) "Somebody living in EU" (regardless of its citizenship), or 3) "If you are receiving that email while your are traveling within the EU (regardless of your citizenship)".

My guess is that the right answer is 2, but I'm not a lawyer ;-)
Add comment

You can add a comment by filling out the form below. Comments are moderated so they won't appear immediately. If you have a RIPE NCC Access account, we would like you to log in.