Each country has the right to exercise jurisdiction over its citizens, territory, and subject matter. However, the relationship between jurisdiction and the Internet has been ambiguous, because the Internet is global. Jurisdiction depends predominantly on the geographical division of the world into national territories, while the Internet facilitates considerable cross-border exchange, which is difficult (although not impossible) to monitor via traditional government mechanisms. The question of jurisdiction of the Internet highlights one of the central dilemmas associated with Internet governance: How is it possible to ‘anchor’ the Internet within existing legal and political geographies?
In recent years, courts have been faced with an increasing number of cases with challenging jurisdictional elements. The judgments on the right to be forgotten – cases involving authorities requesting data located in other jurisdictions – and the invalidation of the Safe Harbour agreement are notable examples. In these cases, questions of jurisdiction have put courts to the test.
Principles of jurisdiction
Three main considerations are important when deciding on jurisdiction:
- Which court or state authority has the proper authority? (procedural jurisdiction)
- Which rules should apply? (substantive jurisdiction)
- How to implement court decisions? (enforcement jurisdiction)
The following criteria establish jurisdiction in particular cases:
- Territorial Principle – the right of the state to rule over persons and property within its territory.
- Personality Principle – the right of the state to rule over its citizens wherever they might be (also known as nationality principle).
- Effects on its territory, stemming from activities conducted abroad.
An important principle introduced by modern international law is that of universal jurisdiction. ‘The concept of universal jurisdiction in its broad sense [is] the power of a state to punish certain crimes, wherever, and by whomsoever they have been committed, without any required connection to territory, nationality, or special state interest’. Universal jurisdiction covers crimes such as piracy, war crimes, and genocide.
Conflict of jurisdiction
The conflict of jurisdiction arises when more than one state claims jurisdiction of a particular legal case. This usually happens when a legal case involves an extra-territorial component (e.g. involves individuals from different states, or international transactions). The relevant jurisdiction is established by one of the following elements: territoriality, nationality, or effect of action. When placing content or interacting on the Internet, it is difficult to know which national law, if any, might be violated. In this context, almost every Internet activity has an international aspect that could lead to multiple jurisdictions or a so-called spill-over effect.
Jurisdiction and access to content
Different jurisdictions have varied definitions of what content and behaviour is illegal. Some content and behaviours is considered illegal in all jurisdictions (such as child abuse), while others vary from country to country (such as defamation). When content is posted online for the world to see, the content itself and access to it may be subject to disparate regulations of multiple jurisdictions.
One of the earlier and frequently quoted cases that exemplify the problem of multiple jurisdictions is the 2001 Yahoo! case originating in France. It was prompted by a breach of French law, which prohibits the exhibition and sale of Nazi objects, even though the website that provided these items – the Yahoo.com auction website – was hosted in the USA, where the display of such materials was, and still is, legal. The court case was solved through the use of a technical solution (geo-location software and filtering of access). Yahoo! was forced to identify users who accessed the site from France and block their access to web pages showcasing Nazi objects.
Similarly, the right to be forgotten judgment in the EU (Google et al v. Mario Costeja Gonzalez et al) imposed upon search engines the obligation to consider requests from European users to remove certain results from searches.
One of the recent examples is the judgment of the Court of Justice of the European Union (CJEU) in case C-18/18 Eva Glawischnig-Piesczek v Facebook Ireland Limited. Ms. Glawischnig-Piesczek, an Austrian politician, demanded through the national court that Facebook delete defamatory statements about her, as well as equivalent statements, worldwide. The Austrian Supreme Court asked CJEU to decide on the interpretation of the Directive on e-commerce, specifically on the obligation of the host provider to remove or to disable access to illegal information as soon as it becomes aware of it. In its decision, CJEU concluded that Facebook as the host provider can be ordered by a national court to remove information globally with identical or equivalent content to the illegal information or block such information from being posted in the first place (through filters). In the case of removing equivalent content, the host provider should not carry out an independent assessment of the content (the host provider may use automated search tools and technologies).
Jurisdiction and data protection
Probably the most known cases related to jurisdiction are the cases brought by Maximilian Schrems against Facebook Ireland on personal data protection. Maximillian Schrems brought cases against Facebook Ireland Ltd for sending his personal data to Facebook in the USA, and thus allowing for the US authorities to have access to this data. Schrems argued that the agreement on the transfer of personal data between the EU and the USA does not provide protection for the personal data of EU citizens once transferred to the USA, and that EU citizens do not have recourse under US law to protect their EU personal data protection rights.
The first case (Judgement of 6 October 2015, Maximillian Schrems v Data Protection Commissioner, C-362/14 – also called Schrems I) was addressed by the CJEU in its October 2015 judgement, declaring the Safe Harbour agreement between the USA and the EU invalid. As a result, the EU and the USA had to renegotiate the mechanism of transfer of personal data of EU citizens to the USA, resulting in the EU-US Privacy Shield framework, as well as the creation of an ombudsman position within US administration to address complaints of EU citizens regarding their personal data protection rights.
Schrems then filed complaint against Facebook Ireland, for the same reasons for personal data transfers under the EU-US Privacy Shield framework, ending at the CJEU for the second time with a judgment in July 2020 (CJEU Judgement of 16 July 2020, Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems, C-311/18 – the so-called Schrems II case) invalidating the EU-US Privacy Shield framework as a way to transfer data between the EU and the USA. Both the EU and the USA now have to renegotiate their agreements on the transfer of personal data of EU citizens.
Besides technical solutions (geo-location and filtering techniques), other approaches for solving the conflict of jurisdiction include the harmonisation of national laws and the use of arbitration and alternative dispute resolution.