Skip to main content

Jurisdictional issues on the Internet: national values and territoriality in a world without borders

di Mirta Cavallo


«Governments of the Industrial World, you weary giants of flesh and steel. […]. You have no moral right to rule us nor you do possess any methods of enforcement we have true reason to fear. […] Cyberspace does not lie within your borders» (Barlow[1])


  1. Changes and challenges in Cyberspace

The internet, which can be considered the third major technological revolution since the development of the written word after the printing press and the industrial revolution[2], has determined a number of changes (and challenges): the move from atoms to bits[3], that goes together with the move from tangible to intangible, from economic value being sited within physical goods to economic value being sited within information, from rivalrousness to non-rivalrousness[4]; the creation of cyberspace as a virtual reality that can compete on an equal footing with the real one[5]; disintermediation, convergence and the participatory culture of the Web 2.0[6]; lastly, the shrinking of distances and decentralization, that have made “the global village” a reality more than ever.

The latter is particularly relevant for the regulation and governance of the internet, significantly defined as «the battle for the soul of the internet»[7]. In fact the internet, with its Janus-faced nature, can be considered as both «the best of Webs, [and] the worst of Webs. […] Agora, True Democracy, but also Big Brother»[8]: it has been considered a formidable chance for civil liberties[9], but is has also prompted «norm regression»[10], i.e., the demand for more control, to address phenomena like copyright infringement, online gambling sites, anti-semitic material (as in Töben), as well as for cooperation in criminal investigation (as in Microsoft).

However, it is not easy to exert such control over the internet, given that its decentralized, borderless and ubiquitous nature weakens the traditional concept of state sovereignty, it allows arbitrage and makes any state intervention easy to circumvent. The tension between state sovereignty, which is territorially bounded[11], and the non-territorial virtual reality created by network computers challenges the existing state-centered institutional arrangements. So, while the global dimension of cyberspace cuts across borders, with anyone with so much as a device and some connectivity able to carry almost any activity online,  law is enacted and enforced on the assumption that the activities under regulation are geographically limited – which is not still the case.

The general accessibility of websites from everywhere, regardless of the “physical” location of the data, destabilizes the allocation of regulatory control as traditionally made by private or public internation law to ensure both the juste partage de souveraineté among States (not surprisingly comity is mentioned in Microsoft) and the just treatment of individuals who should not be subjected to conflicting or compounding obligations.

Although suggestive the cyberlibertarians’ idea that if every State has jurisdiction over one website, no State has actually such power[12] and that the lack of effective enforcement methods is reveiling of States lack of sovereignity in cyberspace[13], «as the internet moves from being in the main a nerd-preserve, and becomes an office park, shopping mall and community center, it is sheer fantasy to expect that its uses and users will be beyond the law»[14].

To address such internet-related regulatory challenges, while also ensuring legal continuity, legislators and courts have taken a moderate and incremental approach in (re-)interprating the law. Inter alia, evidence of such geographically-based approach are the Töben case – demonstrating how the objective territoriality principle has been stretched to the maximum by States willing to impose their version of “good life” online through extensive adjudicative/legislative jurisdiction –, and the Microsoft case – on the strong defence of the presumption against extraterritoriality in relation to enforcement jurisdiction.


  1. Refining adjudicative and legislative jurisdictional rules

The most adopted principle for regulatory adjudicative/legislative claims over transnational online crimes, among the recognised heads of jurisdicion (i.e., territoriality, nationality, protective and universality principles), is, rather paradoxically, the territoriality principle. However, all its versions have serious drawbacks in the internet context.

The subjective territoriality principle (i.e., the origin rule), despite being the most favourable for States – since it would be also coupled with enforcement jurisdiction– and for online intermediaries – in terms of regulatory burden –, would allow a server to become a shield from liability, would encourage forum-shopping and a race to the bottom and would leave users with the burden of identifying the applicable foreign legal standards, which is especially problematic when there are widely diverging legal standards worldwide.

For this reasons, States, which are not willing to forego their regulatory control over their territory, accept the application of this principle, but reject its exclusive application and often recur to the objective territoriality principle[15].

This principle, in the version of the destination approach, by giving relevance to any non-physical effects – including the mere accessibility of websites –, leads to overlapping regulatory claims by a number of destination States interested in asserting regultatory control over online activities either for moral[16], political[17], economic[18] or safety[19] reasons.

To this regard, Töben is exemplificative: here the German Federal Supreme Court  addressed the issue of national courts’ jurisdiction over criminal offences (in this case Holocaust denial and incitement to hatred under section 130 of the German Criminal Code) committed by foreign nationals (Fredrick Töben, an Australian citizen of German origin) by posting anti-semitic material on the internet (carefully detailed in the judgment) from anywhere in the world (in this case Töben’s website was hosted in the Adelaide Institute, i.e., an Australian-based revisionist research and publishing center he co-founded)[20].

Following Töben’s arrest, the trial court excluded the application of German anti-Nazi law to material hosted in Australian servers on the assumption that German users have to actively search and download the material in order to access it.

The Supreme Court reversed this decision by adopting the destination approach in its blunt version: it found that German courts could assert jurisdiction over “Auschwitz lies” posted and hosted in other States by foreign nationals because the mere dissemination of that material on the internet was in fact able to undermine Jews’ sense of security and trust in legal certainty, as well as to endanger public peace in Germany.

The fact that there was no evidence that the website was significantly visited in Germany (on the contrary, maybe it was accessed only by the inquiring police officer[21]) makes even clearer that the only link between Töben website and Germany was the intention of the latter to uphold its moral and cultural values worldwide. In fact, the court argument that historic reasons objectively founded a close link with Töben’s anti-semitic activities that could justify the German assertion of jurisdiction over the content of his Australian website, is not persuasive.

The objective territoriality principle, places an excessively heavy regulatory burden upon online intermediaries, as they would be required to comply with the laws of each and every State – even when not intentionally targeted –. This, in turn, stifles growth and innovation, constitues a barrier to entry for new businesses and, overall, it is detrimental for the entire collectivity.

Even assuming the feasibility to know and comply with every single national law, it is questionable whether it would be desirable to do so in such a culturally diverse worldin. In fact, while Europeans are more likely inclined to applaud the decision to condemn Holocaust denial so broadly, the same would unlikely occur in relation to non-Western-typical values.

In light of the above, it would be desirable to mitigate such risk of excessively broad jurisdictional assertions with the moderate destination approach[22], taking inspiration from the developments in transnational online civil disputes. In fact, once abandoned the strict requirement of the defendant presence or domicile for asserting personal jurisdiction[23] (and, thus acknowledged the possibility to conduct proceedings even without enforcement jurisdiction[24]), the no-gain-without-pain maxim of substantive justice inspired, on the one hand the rejection of the blunt version the destination approach based on mere accessability[25], and, on the other hand, the development of jurisdictional rules based on the criteria of “directing” in the European Union[26] and, similarly, “targeting” in the USA[27].

Although more desirable, not even the moderate destination approach – which is no rejection of territoriality, rather its reincarnation under new disguise – is not immune from without drawbacks: protecting invididuals from the law and proceedings of States with which they have had fortuitous contacts, while allowing States to exercise jurisdiction over activities having a significant impact on their territory is certanly consistent with subjective justice, but it is not with formal justice. In fact, the desire to deliver just, fact-specific decisions requires case-by-case analysis that do not allow overall consistency.


  1. Enforcement jurisdiction as the “Achilles’ Heel” of States’ regulatory powers

The possibility of theoretically all States to rely on the territoriality principle for asserting jurisdiction over online activities has created a de-facto quasi-universal jurisdiction, despite the lack of harmonisation or approximation for most subject matters[28]. However, at the same time, States are bound by the strict territorial limit of enforcement jurisdiction and obstacled by their long-standing unwillingness to cooperate in enforcing each other’s (especially criminal) laws. Consequently, States very expansive regulatory claims are obstacled by the few opportunities to enforce them and States initiate less cases than they would otherwise assert jurisdiction on.

This enforcement gap is even more evident in the internet context: for instance, likely Töben would have never been imprisoned if he never crossed German territory on holiday, and US authorities, in the context of criminal narcotics investigation, could have obtained the contents of a Microsoft email-account if only they were not stored by the US-company in servers located in Ireland.

In the latter case, Microsoft used to store non-content subscriber data on US servers and the content of email communications in one of its 100 datacenters spread over 40 countries pursuant to an automatic system based on the “country code” autonomously selected by the user upon registration[29]. So, when Microsoft was served by federal law enforcement with a warrant ex Section 2703 of the Stored Communications Act (“SCA”) to produce both the non-content subscriber information and the content of the electronic communications associated with an email-account, Microsoft claimed it could not apply extraterritorially and complied only with the portion of the warrant relating to data stored in the USA.

While Microsoft motion to quash the portion of the warrant seeking content stored in Ireland was denied by the district court – that gave no relevance to the data location, but rather to whether data was under Microsoft custody or control –, the Court of Appeals for the Second Circuit reached different conclusions and gave relevance to the location of content. It also clarified that SCA warrants carry the territorial limitations of traditional warrants typical of a «legal lineage that is centuries old»[30] (rather than being processes of “compelled disclosure” similar to subpoenas, as the government claimed), stressed the importance to safeguard individuals’ privacy and explained that, unless express congressional intent to the contrary (which is not the case of the SCA, as inferred from its wording and legislative history), federal laws must be interpreted to have only domestic reach, in accordance with the strong and binding presumption against extraterritoriality[31]. In addition, as stressed in Ireland’s Amicus Brief, compliance with the latter cannot be made dependent on the relevant State(s) intervention in cases before foreign courts.

So, in addressing the problem of how States can deal with the drastic increase of transantional (or multinational?) online activities while remaining regulatory institutions territorially defined and empowered, a tradition-bound approach is upheld, in line with Lotus, Nicaragua, as well as article 8 of the Montevideo Convention.

As rightly stressed by Judge Lynch in his concurring opinion, this dispute was less about privacy than the international reach of American law and this is intertwined with sovereignity issues, as well as cultural and political matters: «[although] it will often be tempting to attempt to protect American interests by extending the reach of American law and undetertaking to regulate conduct that occurs beyond our borders […] [w]e live in a system of independent sovereign national, in which other countries have their own ideas, sometimes at odds with ours, and their own legitimate interests. The attempt to apply U.S. law to conduct occuring abroad can cause tensions with those other countries, most easily appreciated if we consider the likely American reaction if France or Ireland or Saudi Arabia or Russia proclaimed its right to regulate conduct by Americans within our borders»[32].

In light of the above, given that extraterritorial enforcement of one State would mean the loss of territorial control – and therefore a loss in terms of sovereignity – of another State, strengthening enforcement powers is certianly not an option. Cooperation among States, although highly desirable, is problematic due to the lack of harmonised views. So, the most promising approach appears to be the exercise of control over websites outside state territory via domestic online intermediaries (including financial ones) over which they have control. Online intermediaries often engage voluntarily in self-regulatory and cooperation initiatives for reputation reasons.


  1. Which way forward?

As seen above, all moderate legal developments tinkering with existing territorial tests fail to be both fair and efficient jurisdictional solutions. Indeed, too complex legal rules are not appropriate for the staggering increase of transantional activities, which, on the contrary, demands simpler rules: after all, without certainty «all is rancour and chaos»[33].

In light of this, in the short-term a solution may be – at least for civil matters – heavier reliance on choice-of-forum and choice-of-law clauses, whereby the parties themselves, by exercising their contractual autonomy, create a link to found regulatory competence. However, often parties fail to do so or States do not recognize and enforce them.

On the long-term, besides the harmonisation of competence rules[34], two paths may be successful in reconciling national laws with the ubiquituous internet: either (i) harmonizing substantive legal rules (i.e., more global law) by design –if not by deafult –, or (ii) implementing territorial zoning (i.e., less global internet) through filtering and censorship in the country of origin or destination of online activities[35].

The first option would make more acceptable for States the exclusive adoption of the origin-rule, it would grant certainty for online players – who would no longer have to fear liability under every foreign law – and would foster the openness and continuous evolution of the internet to the benefit of the entire collectivity. However, it would sacrifice local values and national identities, especially those of the States with low bargaining power: the raison d’être of States as political and cultural communities would fade away. Accordingly, its feasibility through treaties[36] is obstacled by the lack of international consensus over most matters among States, while the difficulty in ensuring accountability outside the State paradigm undermines self-regulation by private actors – and, therefore, deregulation –.

In contrast, implementing a less transnational internet through technical measures (inspired by the idea that “code is law”[37] and the work of Network Communitarists[38]) would preserve national legal standards but il would be detrimental for the openness and evolution of the internet and extremly burdensome for online intermediaries, that, as “gatekeepers”, are often called to exercise public functions despite being private actors: it is not fair to them, nor wise to ask them to be «judge, jury and enforcer [all] at the same time»[39].

In light of the drawbacks that each possible solution carries, States should rethink jurisdictional territoriality-based rules and pursue a middle-ground approach between those envisaged above, to properly balance the need to assert the rule of law online, while also ensuring the preservation of national values and the openness of the internet. A key role will certanly be played by online intermediaries, that however should not be overly burdened by regulatory responsabilities that do not compete to private actors engaged in business activities.


[1] J. P. Barlow, A Declaration of the independence of Cyberspace, Davos (CH), 1996.

[2] E. Chammah, internet, una rivoluzione epocale, Problemi dell’informazione, 2001, 26(2-3), 227-232.

[3] As put by N. Negroponte, in Being digital, New York, Vintage, 1995, p. 12, «the information superhighway is about the global movement of weightless bits at the speed of light».

[4] For further details on this and on the so-called information paradox see A. Murray, Information technology law: the law and society, Oxford University Press, 2013.

[5] «By generating a virtual reality, the technology in a sense leaves us with two internets, rather than one». O. S. Kerr, The problem of perspective in internet law, Georgetown Law Journal, 2003, 91, 357-405.

[6] T. O’Reilly, What is web 2.0, Sabastopol (CA), O’Reilly Media, 2009. It is memorable that the 2006 TIME’s person of the year was «You –Yes, you-. You control the Information Age. Welcome to your world». A. Hochstein, Cover, Time Magazine, Vol. 168, No. 27/28, 25 December 2006.

[7] M.L. Mueller, Networks and states: the global politics of internet governance, Cambridge (MA), The MIT Press, 2010, 1-14.

[8] D. Thorburn, Web of paradox, in D. Thorburn, H. Jenkins (eds.), Rethinking media change: the aesthetics of transition, MIT Press, 2003, 20-21.

[9] Ex multis,  W. H. Dutton et al., Freedom of connection-freedom of expression: the changing legal and regulatory ecology shaping the internet, UNESCO Publishing, 2011.

[10] R. J. Deibert, M. Crete-Nishihata, Global governance and the spread of cyberspace controls, Global Governance, 2012, 18(3), p. 341.

[11] Territory is an element of statehood according to article 1 of the Montevideo Convention on Rights and Duties of States of 1934.

[12] D. Post, D. Johnson, Law and Borders, the Rise of Law in Cyberspace, 48 Stanford Law Review, 1996, 1367.

[13] J. P. Barlow, A Declaration of the independence of Cyberspace, Davos (CH), 1996.

[14] E. Noam, Regulating cyberspace, Paper for the internet & Politics Conference, Berlin, 1997.

[15] First developed in Lotus.

[16] E.g., CompusServe, Perrin.

[17] E.g., LICRA, Sheppard.

[18] E.g., Sporttotaliser, Holland Casino, Gambelli, WTO gambling case.

[19] E.g., Apothekerverband.

[20] A separate issue addressed in Töben related to anti-semitic leaflets he used to mail to Germany, for which both the Trial Court and the Supreme Court convicted him.

[21] Similarly in Perrin.

[22] E.g., Donner is one of the rare applications in criminal context.

[23] The domicile criterion in Europe is established by article 4(1) of the EC Regulation on Jurisdictionand the Recognition and Enforcement of Judgments in Civil and Commercial Matters, no. 1215/2012.

[24] In the USA, Shoe and Hilton.

[25] E.g., as defamation cases Gutnick, Harrods; Lewis, as data protection cases Vidal-Hall.

[26] E.g., Google Spain; L’Oréal, Pammer and Alpenhof. However, a less moderate approach was held in Pinckney and Wintersteiger.

[27] The “minimum contacts” test elaborated in Shoe was refined in Hanson with the “purposeful availment test”, in World-Wide Volkswagen and Zippo.

[28] E.g., section 17 of the UK Terrorism Act 2000.

[29] Please note that for the purposes of this “allocation” process Microsoft never controlled the actual physical location of the user.

[30] Microsoft, Decision of Circuit Judge Carney, p. 25.

[31] To this regard the Court cited its previous decisions in Morrison and Nabisco.

[32] Microsoft, concurring opinion of Judge Linch, p. 6-7.

[33] R. Higgins, Problems and process: international law and how we use it, Oxford, Clarendon, 1994, 56.

[34] E.g., the Hague Conference on Private International Law.

[35] U. Kohl, Jurisdiction and the internet: Regulatory competence over online activity, Cambridge University Press, 2007, 253-290.

[36] E.g., the UN Convention on the Use of Electronic Communications in International Contracts, 2005; the Council of Europe Cybercrime Convention, 2001.

[37] L. Lessig, Code is law – on liberty in cyberspace, Harvard Magazine, 1 January 2000.

[38] E.g., Andrew Murray, Colin Scott and Roger Brownsword.

[39] C. Ahlert et al., How ‘liberty’ disappeared from cyberspace: the mystery shopper tests internet content self-regulation. 2004.