Recent years have seen a significant number of cases (U.S. v. Microsoft, Google Inc. v. Equustek Solutions, CNIL v. Google Inc., Richter v. Google Inc., Die Grünen v. Facebook Ireland Limited, X v. Twitter, Belgium v. Skype) centered on conflicting jurisdictions and territorial over-reach in cyberspace. Common to these litigations is a challenge to the power of States to control cross-border data transfers and offshore stored content and its distribution either directly, or indirectly, through internet intermediaries. The rise of social media platforms and online service providers, and their development and deployment of cloud computing, virtual server hosting, and anonymized and encrypted communication software pose the most recent disruptive assault on the power and legitimacy of sovereigns to assert their legislative control and adjudicative and enforcement jurisdiction.
Academic scholarship on the topic is also on the rise. Recently Jennifer Daskal published “Borders and Bits” with Vanderblit Law Review. The Article “highlights the flaws with the straightforward application of old jurisdictional rules onto the new medium of data” further shining a spotlight on “unilateral rulemaking by powerful states and the powerful multinational companies that manage our data, which in turn puts private, multinational companies increasingly in control of whose rules govern and thus the substance of both privacy and speech rights on a global, or near-global, basis.” Daskal ends her paper by calling for (1) increased and detailed transparency reporting by corporations; (2) increased public-private partnership around the development of best practices; (3) increased insistence on notice requirements to users and other governments. Ultimately, however, she notes that these are only “initial recommendations” and that there “simply is no one-size-fits-all answer to the question of how to best regulate the private actors that increasingly manage our data and play a role on par with states in setting the scope of privacy and speech rights”.
In “Litigating Data Sovereignty”, published with the Yale Law Journal, Andrew Keane Woods proposes an alternative approach. Woods argues that the “proper application of foreign affairs law to cross-border internet disputes is not what many litigants and courts have claimed. Crucially, no sovereign-deference doctrine prohibits global takedown requests, foreign production orders, or other forms of extraterritorial exercises of jurisdiction over the internet. To the contrary, one of the key lessons of the sovereign-deference jurisprudence is that in order to avoid tensions between sovereigns, courts often enable, rather than inhibit, extraterritorial exercises of authority.” The Article thus makes the case for restraint, recognition, and comity as standards that should be adopted not only by Courts but also by the legislature, the executive, and internet firms. Woods thus takes a first, though insufficient step, towards articulating a potential conflicts-of-laws framework to govern these instances of what he defines as “data-sovereignty litigation”.
Israel has recently seen an interesting move in its Courts around the application of conflict-of-laws to social media and internet companies. These developments have been pushed by privacy class action law suits which have been brought in recent years against the main California-based tech giants, namely Facebook and Google.
In PCA 5860/16 Facebook Inc. v. Ohad Ben Hemo, the Supreme Court of Israel expanded the possibility of bringing suits in Israeli Courts against multinational internet service providers. That case concerned Facebook’s access and monitoring, without user consent, of Facebook private messages. Facebook argued, in accordance with its terms and conditions, that such class actions should be heard by California courts under California law. The Supreme Court determined that the Terms of Service constitutes a “standard contract”, and that in order to decide the question of whether the Jurisdiction Clause and the Choice of Law Clause were unduly disadvantageous, an examination must be conducted as to whether these clauses deter clients that signed the contract from taking legal action. The Supreme Court found that while the choice-of-jurisdiction clause was disadvantageous (therefore opening the door for such claims to be brought before Israeli Courts) the choice-of-law clause was not. The Supreme Court argued that a choice of law clause protects Facebook’s legitimate business interests, and that in California the precedents and laws are all in English a language “understood by most Israeli residents”. Moreover, those laws and precedents are easily accessible via the internet. As such the Court concluded that the California law will apply, except where such law will deprive Israeli litigants of their preemptory rights (such as constitutional rights, and consumer protection rights).
Earlier this week, in PCA (Tel Aviv) 62205/17 Lior Winter and Liraz Spector v. Google Israel Ltd. and Google LL.C., I submitted an Expert Opinion to the District Court of Tel Aviv arguing precisely as to whether California law will in fact deprive Israeli litigants and consumers of their constitutional right to privacy. This case, concerns Google’s storage of geo-location information of Android users, even when those users selected not to have their geo-location information collected. Google sought to dismiss the class action, arguing that the law applicable should be California law in line with the Ben Hemo decision. However, in my expert opinion I argue why applying California law (including privacy law, contract law, and consumer protection law) will result in significantly narrowing the capacity of Israeli litigants from protecting their rights.
This case and others similar to it (like PCA 37839/18 Shiran Baruch v. GoogleInc.) are likely to reach the Supreme Court, which in turn will have an opportunity to elaborate beyond the ruling in Ben Hemo. Note that then, Justice Hayut made clear that she was not presented with any specific evidence as to the nature and content of the privacy law in California to effectively determine whether the Choice of Law Clause was unduly disadvantageous. If the Court adopts the position, put forward in my expert opinion, it will make for a strong statement as to the desire of the Israeli judicial branch to protect Israelis from the increasing dangers of a highly connected digital society.
In 2017, the discussions regarding the application of international law in cyberspace were brought to a standstill. For the first time in the framework of the United Nations Groups of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE), states were unable to reach a consensus on the question. It seems that strong disagreements raised between Western states on the one side, and Russia, China, and Cuba on the other side. The application of international humanitarian law, self-defence and counter-measures was at stake at the time. One year later, diplomatic discussions on the issue are in need of a fresh impetus.
In the light of this previous failure, the Paris Call of 12 November 2018 for Trust and Security in Cyberspace, initiated by French President Macron, sounds particularly interesting. It is innovative on both formal and substantial aspects.
A quick look at the Call’s list of supporters is enough to highlight the formal innovation. More than 200 actors from the private sectors decided to support this text. It includes social networks (Facebook, LinkedIn), computer technology (Toshiba, Dell, HP, Microsoft, Cisco, Oracle), phone (Deutsche Telekom, Nokia, Swisscom), and cybersecurity companies (FireEye, Kaspersky). Google similarly supports the Call. It also includes airplane manufacturers (Airbus, Safran), industrial conglomerates (Samsung, Siemens, Sony), energy producers, distributors and managers (Enel, Engie, Enedis, Total, Schneider Electric), banks and insurance carriers (Deutsche Bank, SIRM) etc. In addition, it gathered several supporters in the academic (Carnegie Endowment for International Peace, Center for International Law and Governance, Fletcher School of Law and Diplomacy at Tufts University, Center For Long Term Cybersecurity, CESICE, Grenoble Alpes CyberSecurity Institute Optus Macquarie University Cyber Security Hub, University of Exeter, University College Dublin etc.), as well as different non-profit organizations (Club of Madrid, World Economic Forum). Of course, states are also present, with around fifty governments supporting the text. This innovation was, besides, underlined by Microsoft President’s speech: ‘[t]he Paris Call breaks new ground by bringing together to support these steps an unprecedented and broad array of supporters. Its signatories include more than 200 companies and business associations, including leading tech companies […] it also includes leading financial services institutions [… ] as well as industrial leaders […] And it includes almost 100 critical NGOs that span groups across civil society’.
Regarding the substantial innovations, some provisions are admittedly classical– yet essential. Paris Call reaffirms that ‘international law, including the United Nations Charter in its entirety […] is applicable to the use of information and communication technologies (ICT) by States’. It ‘also reaffirms the applicability of international human rights law in cyberspace’, as ‘the same rights that people have offline must also be protected online’. These elements were already underlined in the previous reports of the UNGGE. Even the demand to ‘[p]revent ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sector’ looks familiar. It was for instance used in an agreement between China and the United States.Paris Call reiterates the need to ‘[s]trengthen the security of digital processes, products and services, throughout their lifecycle and supply chain’. Concerns regarding the supply chain had been previously expressed by the UNGGE: ‘States are concerned that embedding harmful hidden functions in ICTs could be used in ways that would affect secure and reliable ICT use and the ICT supply chain for products and services, erode trust in commerce and damage national security’; ‘States should encourage the private sector and civil society to play an appropriate role to improve security of and in the use of ICTs, including supply chain security for ICT products and services’. Such protection is vital: it was for instance revealed that ‘Chinese spies’ could have ‘planted chips in the servers of nearly 30 U.S. companies’ on their manufacturing sites in China.
Some changes have however been made when it comes to the prevention of collective welfare harm. In 2015, the UNGGE mentioned that ‘[a] State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public’. It also highlighted that states had to prevent such activities and assist other states in combating them. In the Paris Call, participants affirm their will to ‘[p]revent and recover from malicious cyber activities that threaten or cause significant, indiscriminate or systemic harm to individuals and critical infrastructure’, as well as to ‘[p]revent activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet’. An express reference to activities ‘contrary’ to ‘obligations’ under ‘international law’ disappeared.
The signatories also pledge to ‘[s]trengthen our capacity to prevent malign interference by foreign actors aimed at undermining electoral processes through malicious cyber activities’. The UNGGE had previously mentioned that ‘non-intervention in the internal affairs of other States’ did apply in cyberspace.Paris Call’s insistence on ‘electoral processes’ obviously reacts to the hacking of the Democrat National Committee and the subsequent leak of emails. One can however wonder whether this notion of ‘malign interference’ aimed ‘at undermining electoral processes’ tries or not to reinvent the wheel–i.e., if the conditions set in the Nicaragua case will have to be met. Following the allegations of Russian interference with the American elections, many scholars had actually expressed doubt regarding the involvement of any coercive mean–and thus, the breach of the principle of non-intervention.
Paris Call also goes one step further regarding the applicable rules. It indeed mentions that ‘international humanitarian law and customary international law’ are ‘applicable to the use of information and communication technologies (ICT) by States’. Until now, the UNGGE had only ‘note[d] the established international legal principles, including, where applicable, the principles of humanity, necessity, proportionality and distinction’. In addition, the sole applicability of some customary rules had been acknowledged, such as ‘[s]tate sovereignty and international norms and principles that flow from sovereignty’, or in terms of responsibility.
The actual innovations reside in the following principles.
The first and main innovation is the systematic empowerment of the private sector. This is obvious in several parts of the preamble: ‘[w]e also welcome efforts by States and non-state actors to provide support to victims of malicious use of ICTs on an impartial and independent basis, whenever it occurs, whether during or outside of armed conflict’; ‘We recognize the responsibilities of key private sector actors in improving trust, security and stability in cyberspace and encourage initiatives aimed at strengthening the security of digital processes, products and services’; ‘We welcome collaboration among governments, the private sector and civil society to create new cybersecurity standards that enable infrastructures and organizations to improve cyber protections’; ‘We recognize all actors can support a peaceful cyberspace by encouraging the responsible and coordinated disclosure of vulnerabilities’. This is also reflected in the concrete measures to be taken: ‘we’–rather than the sole ‘states’–‘affirm our willingness to work together […] notably in order to […]’. As again underlined by Microsoft President, ‘[a]ll of this is important for a reason. Success in advancing cybersecurity requires an approach that is not only multinational, but multistakeholder in nature. This is because cyberspace, unlike the traditional planes of warfare like land, sea and air, is typically privately owned. Cyberspace in fact consists of concrete elements in the real world, such as datacenters, undersea cables, and laptops and mobile devices. These are designed and manufactured by private companies. And often they are owned and operated by tech companies and others in the private sector’.
Second, Paris Call adopts a clear-cut approach on the ‘hack-back’: ‘steps’ should be taken ‘to prevent non-State actors, including the private sector, from hacking-back, for their own purposes or those of other non-State actors’. Such provision is essential to prevent an escalation of violence. A principle is however less clear: the wish to ‘[d]evelop ways to prevent the proliferation of malicious ICT tools and practices intended to cause harm’. No definition of ‘malicious ICT tools’ or ‘harm’ is actually provided, and one can wonders whether only malwares causing destruction will be excluded. The case of intelligence gathering is for instance not expressly tackled.
Yet, it suffers in parallel from non-negligible drawbacks.
First, and if one has a look to the instrumentum, Paris Call is not a binding agreement. It is obviously outside the scope of this post to discuss the role of soft law, but the efficiency of previous declarations of this nature on cyber-activities is still debated.
Second, Paris Call has admittedly received an important number of state supports, from the five continents: America (Canada, Chile, Colombia, Mexico, Panama), Asia (United Arab Emirates, Japan, Lebanon, Uzbekistan, South Korea), Africa (Gabon, Morocco, Republic of the Congo, Senegal), Oceania (New Zealand) and Europe (around 30 states). It is thus an important coalition of like-minded states. Yet, European countries remain predominant and Paris Call has major absentees. China, Russia and the USA refused to endorse it, and it goes the same way for other important players in cyberspace, such as Iran or Israel. Consequently, the risk of not reaching a global consensus is high, and Paris Call could face a fate similar to that of the UNGGE.
It is obviously too early to draw many conclusions regarding Paris Call. One can nevertheless acknowledge that Paris Call succeeded in bringing states and private actors together, and in paving ways for their cooperation. It also aims at preventing some basic and–in most cases–well-identified activities. In addition, it reiterates several vital principles and goes one step further in terms of applicable law. It makes an interesting move on the prevention of hack-back by non-state actors. It also deserves credit for relaunching the discussions regarding cyberspace regulation, one year after the failure of the UNGGE. Similarly, it has found support from a high number of states, all around the world. Yet, both the instrumentum and the absence of major powers may seem problematic. It thus remains to be seen what the future holds: whether concrete steps will be taken for its implementation, whether key state players will jump in the bandwagon–in a nutshell, whether Paris Call is a watershed moment or a storm in a teacup.
 Elaine Korzak, ‘UN GGE on Cybersecurity: The End of an Era?’, The Diplomat (31.07.2017)
 Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (24.06.2013) A/68/98, para 19; Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (22.07.2015) A/70/174, paras 25-26.
 Paris Call.
 The White House, ‘President Xi Jinping's State Visit to the United States’ (25.09.2015)
 Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (22.07.2015) A/70/174, para 28.
Military and Paramilitary Activities in and against Nicaragua (Nicaragua v USA) (Judgment)  ICJ Rep 14, para 205
 William Banks, ‘State Responsibility and Attribution of Cyber Intrusions after Tallinn 2.0’ (2017) 95 Tex L Rev 1487, 1501; Sean Watts, ‘International Law and Proposed U.S. Responses to the D.N.C. Hack’ (justsecurity, 14.10.2016)
 Office of the United States Trade Representative, 'Findings of the Investigation into China's acts, Policies, and Practices related to Technology Transfer, Intellectual Property, and Innovation under Section 301 of the Trade Act of 1974 (22.03.2018)