Use of law across borders¶

The cyber operating environment gives an increasing number of actors the possibility of facing legal risks in foreign states. For this purpose, jurisdiction and conflict of law must be considered.

Jurisdiction describes the extent of a state’s authority and the mechanisms it applies in exercising that authority. Conflict of law examines how to determine which state’s laws apply to resolving specific aspects of a dispute. This section focuses on jurisdiction. Conflict of law is discussed in other sections within different subject areas.

The principles governing jurisdiction and conflict of law are not new. What has changed is how many actors are now affected by cross-border legal liability.

Types of jurisdiction¶

When analysing cross-border cyber legal risks, it can be useful to distinguish three aspects of jurisdiction: prescriptive, judicial, and enforcement jurisdiction. Prescriptive jurisdiction describes the matters over which a state claims authority, that is, which of its own laws a domestic court may apply beyond its borders (also referred to as the territorial scope of law). When a court has reached a decision by exercising judicial power, enforcement is still required to extend the effect of that decision to those concerned. In criminal matters, enforcement can typically be considered to begin with the police. In Finland, it continues through the Prison and Probation Service (RISE). In civil matters, other methods are used. (Perspectives on enforcement have been omitted from this material; see CyBOK Chapter 3.2.3.)

Prescriptive jurisdiction¶

Extending legal authority beyond national borders has become more common (over the course of the 20th century) and has become an accepted means of protecting the interests of a country’s citizens against external influences. An important example is the prevention of anti-competitive agreements. It has also been possible to criminalise actions by a country’s own citizens abroad, such as offering bribes. Terrorism against a country’s own citizens abroad can likewise fall within its jurisdiction.

From the perspective of cyber security, international jurisdiction concerns three domains: content, cybercrime, and data protection. The first two are outlined below. Data protection is discussed in its own section.

Online content¶

Numerous court decisions in different countries have shown that states wish to exercise jurisdiction in cases where unlawful or actionable content enters the country via networks. Examples of such areas include copyright, defamation, gambling services, and country-specific prohibitions. An example of the last category is the prohibition in France against displaying or offering Nazi memorabilia for sale (2000).

Courts appear to interpret national legislation in a way that asserts prescriptive jurisdiction, and then defend their judicial authority on the basis that the content is accessible within the state, regardless of the location of the server. In this way, the offending act (e.g. copying, publishing, transmitting, displaying, or offering for sale) is considered to take place within the state claiming jurisdiction.

Cybercrime¶

Laws addressing cybercrime often include cross-border actions. A state that has enacted such legislation typically applies prescriptive jurisdiction to individuals whose actions target computer systems located within the state—regardless of where those individuals are situated. Similarly, such laws apply to individuals who, while physically present within the state, conduct actions targeting computers located abroad. International public law recognises such prescriptive jurisdiction as part of territorial sovereignty.

If a hacker in one state directs unlawful activity at a computer located in another state, they may violate the criminal laws of both states. If, for some reason, the act does not constitute a crime in the first state, it may still be a crime under the laws of the state where the targeted computer is located.