Cyberspace: The Final Frontier of Extra-Territoriality in Human Rights Law

Cyberspace: The Final Frontier of Extra-Territoriality in Human Rights Law

Prof. Yuval Shany
Prof. Yuval Shany

Published: September 26th, 2017

Lecture delivered in ESIL Annual Conference, Naples, Sept. 2017

The tension between universality and state-centrism in international human rights law

International human rights law has always suffered from a split personality as far as its relationship to the state system goes. The idea of human rights is inherently universal, it emanates from a moral conviction about justified claims that individuals and groups of individuals have vis-à-vis the rest of the world, and such “rights” have been described as inalienable,[i] pre-political[ii] and as “trumps”.[iii] At the same time, international law is state-based, highly influenced by political developments, and a field of constant contestation. Hence, international human rights law is at its essence a legal hybrid): It is a system of norms and institutions that channels universal norms through the apparatus of the state system. Human rights obligations are imposed on states, and their enforcement is invested in states. As long as the world was neatly divided into states – in the sense that each state controlled more or less exclusively a slice of the planet – and as long as states were reasonably viewed as a dominant source of power, authority and control exercised over individuals and groups of individuals – international human rights law could be regarded at some level to be both universal and state-centered, at the same time: This idea is captured in article 2 of the UDHR:  

“Everyone is entitled to all the rights and freedoms set forth in this Declaration, without distinction of any kind.  Furthermore, no distinction shall be made on the basis of the political, jurisdictional or international status of the country or territory to which a person belongs, whether it be independent, trust, non-self-governing or under any other limitation of sovereignty.”

Under this worldview, human rights are universal because everyone belongs to a “country or territory”, in which his or her rights are to be implemented.

Two vexing questions have challenged over time this "individual rights- state obligations-universal norms" structure: (1) The extra-territorial exercise of government authority; and (2) the exercise of power and control over individuals by non-states actors. With respect to the first one, the projection of state power outside state territory has created the risk of regulatory overlaps and gaps – including, that some individuals would be harmed by a “country or territory” to which they do not belong in a physical sense. We have seen, in response, a gradual move by the ECHR and the UN HRC to address this concern by expanding the applicability of state-centered IHRL to the extra-territorial exercise of governmental power, through expanding construction of the key term of ‘jurisdiction’ – which triggers the extra-territorial applicability of the ECHR and the ICCPR (as construed by the HRC). There are, however, different spheres of power and control, which could conceivably implicate the extra-territorial protection of human rights (and the resulting degree of overlap between the obligations of the territorial and the extra-territorial state) and different approaches by different human rights bodies to the question of where do state obligations under IHRL end. Ultimately, all approaches limit the scope of extra-territorial application of state authority, leaving some individuals under protected.


Extra-territorial obligations

Due to space constraints, I will not go into discussion of the very interesting history of the development of the extra-territorial jurisprudence across the different treaty regimes and regional sub-systems. Suffice it mention that the ECHR approach – elaborated recently in Al Skeini (2011),[iv] Catan (2012),[v] Chiragov (2015)[vi] and Sargsyan (2015)[vii] has tended to require a high degree of control over persons and territory, which tries to approximate the level of control a state exercises over individuals in its own territory – including, situations of physical custody and situations of effective control over territory due to military occupation or “decisive influence” over a separatist regime. In cases, where a state lost effective control over its territory, the Court has accepted the continued application of the Convention, but emphasized that the level of positive obligations imposed on the state would be reduced so as to reflect its limited ability to influence the human rights situation on the ground, leaving multiple protection gaps.

The HRC has taken a more sweeping approach, construing “jurisdiction” as covering both effective control and exercise of power. General Comment 31(2004) which codifies previous practice, stated that – “a State party must respect and ensure the rights laid down in the Covenant to anyone within the power or effective control of that State Party, even if not situated within the territory of the State Party”. This standard has been regarded by the Committee as applicable, for instance, to drone attacks (USA COB 2014;[viii] cf. Bankovic ECtHR 2001([ix] which is compatible with the Nuclear weapons AO which regarded the (presumably extra-territorial) use of nuclear weapons as potentially contradictory to the ICCPR.[x] It has also been applied (USA COB 2014)[xi] to the surveillance of mobile phones of foreign subjects in foreign territory (alluding to the US wiretapping operation directed against German President, Angela Merkel) – under the theory that extra-territorial surveillance operations brought targets of surveillance and their ability to enjoy privacy rights sufficiently under the power  of the US.

Para. 26 of draft General Comment 36 – the most recent attempt to codify the relevant practice of the Committee (adopted last July by the Committee), emphasizes the protective obligations of states. It reads that: “States parties must take appropriate measures to protect individuals against deprivations of life by other States operating within their territory or in other areas subject to their jurisdiction. They must also ensure that all activities taking place in whole or in part within their territory and in other areas subject to their jurisdiction, but having a [direct], significant and foreseeable impact on the right to life of individuals outside their territory, including activities taken by corporate entities, are consistent with article 6, taking due account of related international standards of corporate social responsibility”. As will be explained below, the combination of extra-territorial responsibility of states over operations of companies abroad raises specific issues, implicating a particularly thorny area where protection gaps exist.

It may also be noted that the recent General Comment 24 of the Committee on Economic, Social and Cultural Rights in the Context of Business Activities goes beyond the control approach of the ECHR, and control or power approach of the HRC. The most relevant paragraph of the General Comment – para. 29 - reads:

The extraterritorial obligation to respect requires States parties to refrain from interfering directly or indirectly with the enjoyment of the Covenant rights by persons outside their territories. As part of that obligation, States parties must ensure that they do not obstruct another State from complying with its obligations under the Covenant. This duty is particularly relevant to the negotiation and conclusion of trade and investment agreements or of financial and tax treaties, as well as to judicial cooperation.

The key here is “interference” – that is direct or indirect impact on right enjoyment, which does amount to a “cause and effect” type of attribution. If accepted, this approach could minimize the existing extra-territorial protection gaps. It is doubtful, however, whether states would adhere to such an open-ended standard.


Preventing violations by private actors

The other challenge facing the traditional state-centered IHRL framework when applying universal human rights derives from the decreased role of state in economic life – due to economic liberalization, deregulation and the collapse of centralized economy states, on the one hand, and the rise of MNCs as dominant economic actors on the other hand. Such economic changes coincide with a conceptual change in IHRL theory, which significantly expands the list of protected rights – including therein many economic and social rights, putting more emphasis on the needs of victims (for whom private torture in the context of domestic violence may be, for example, as terrible as “public torture” by the police), and moving gradually from dealing exclusively with the symptoms of failure to respect IHRL – the violations themselves – to root causes – the structural reasons, which enable and perpetuate the violates – including by private actors.

This challenge has been met with the development of "positive obligation" doctrines – which read the "duty to secure" in article 1 of the ECHR and the "duty to respect and to ensure" in article 2(1) the ICCPR as including negative and positive "due diligence" obligations. Again, space does not allow to discuss the multiple developments in jurisprudence in this vast field. Suffice it to mention at this stage that the ECtHR has since the late 1970s required states to take positive measures to ensure effective enjoyment of rights (Airey, 1979)[xii] and to afford effective protection for the rights of individuals from violations by other individuals (X and Y v Netherlands, 1985).[xiii] The HRC General Comment 31 has also taken a similar view on the matter, holding that:

The positive obligations on States Parties to ensure Covenant rights will only be fully discharged if individuals are protected by the State, not just against violations of Covenant rights by its agents, but also against acts committed by private persons or entities that would impair the enjoyment of Covenant rights in so far as they are amenable to application between private persons or entities. There may be circumstances in which a failure to ensure Covenant rights as required by article 2 would give rise to violations by States Parties of those rights, as a result of States Parties’ permitting or failing to take appropriate measures or to exercise due diligence to prevent, punish, investigate or redress the harm caused by such acts by private persons or entities. 

This standard has been reaffirmed in draft General Comment 36 on the right to life:

States parties are thus under a due diligence obligation to undertake reasonable positive measures, which do not impose on them impossible or disproportionate burdens, in response to foreseeable threats to life originating from private persons and entities, whose conduct is not attributable to the State


The combined extra-territorial challenge

What we have been seeing more and more in the practice of the HRC and other treaty bodies – not yet at the regional human rights level - are cases involving a combination of the two aforementioned predicaments – situations involving private actors – typically, MNCs - based in the territory of one state but active in the territory of another state in ways which raise concerns about the applicability of universal human rights standards. For example, the HRC has been confronted with complaints involving the forced evictions caused due to the operations of a German company in a plantation in Uganda,[xiv] with Canadian mining and construction companies operating in multiple countries [xv] and with Italian companies selling surveillance technology to repressive governments.[xvi] Essentially, the approach of the Committee has been, as indicated before with respect to Draft General Comment 36 – is to apply the [direct], significant and foreseeable impact standard with respect to extra-territorial operations of “corporate entities” based in their territory, “while taking due account of related international standards of corporate social responsibility”. Indeed – the dialogue with States has alluded to standards such as Guiding Principles on Business and Human Rights and the OECD Guidelines for Multinational Enterprises.

The recent CESCR General Comment is particularly expansive on the issue of state responsibility over extra-territorial corporate activities, specifying that:[xvii]

  • The duty to regulate companies under the control of the State covers corporations that are domiciled in their territory and/or jurisdiction. This includes corporations incorporated under their laws, or which have their statutory seat, central administration or principal place of business on their national territory.
  • The State is required to “take reasonable measures that could have prevented the occurrence of the event”
  • The duty applies “even if other causes have also contributed to the occurrence of the violation, and even if the State had not foreseen that a violation would occur, provided such a violation was reasonably foreseeable”
  • States are required to pressurize companies to influence and exercise themselves due diligence vis-à-vis their subsidiaries or business partners
  • “Appropriate monitoring and accountability procedures must be put in place to ensure effective prevention and enforcement”

Cyberspace: The additional twist of detetrritorialization and decentralization

The applicability of IHRL to cyberspace may first appear to involve a combination of the extra-territoriality and private actor protection challenges: Activity on cyberspace traverses routinely national boundaries, and private actors – including, some very powerful IT companies – enjoy a dominant position in influencing on-line interactions. It is questionable however whether, in applying the combined existing standards for extra-territoriality and positive obligations to regulate the activities of private actors, (a) it is reasonable to expect the host state to regulate activities of foreign IT companies, which may have a profound impact on important human rights of local residents – as such regulation may be hard to implement and could require a high degree of state intervention in on-line activities; (b) it is reasonable for home states to restrict the operations of local IT companies operating abroad, just because their on-line platforms may foreseeably be misused or abused by third parties? While CESCR General Comment 24 may lean in the direction of imposing such obligations, Draft HRC General Comment 36, which requires a more direct impact appears to lean in the other direction. I may say that at least with respect to the second set of issues – regulation of home-based companies - General Comment 24 may have gone too far: It is reasonably foreseeable that many useful goods and services could be abused in ways that constitute human rights violations – cars, may result in loss of life, cameras may be used to violate privacy, and banking services may be used to fund illegal activities. However, it would be difficult and probably undesirable for the home country to regulate these activities extra-territorially – as it would may interfere considerably in the regulatory regimes of host countries, and create an impossibly complex maze of regulations.        

But at a more fundamental level we need to concede further degrees of legal complication, putting in question the very suitability of human rights law to effectively regulate cyberspace. A first tension involves application of the very notions of territoriality and extra-territoriality: Some elements of interactions on cyberspace have a territorial dimension – for example, an IT company which operate a social media platform may be incorporated in the territory of one state, a cybercriminal using that platform and some of the physical infrastructure they use may be physically located in the territory of a second state, and the end user – the victim – and his computer may be based in a third state. The data also flows over cables and fibers which traverse the territory of various states. However, many of these territorial attributes are random, and the extent to which states can and should exercise control over them – without resorting to radical repressive measures – is very small. Hence, cyberspace should be described as a largely deterritorialized space, in which on-line communities – which only partly correspond to physical communities – exist. Moreover, individuals interacting in cyberspace often do so by way of developing a virtual or digital persona, which exists only in that space. In this regard too, the fit between a territory-driven state-centric legal framework based on physical presence and the actual dynamics of virtual social interactions on cyberspace is very limited.

In addition, the chief attribute that makes cyberspace such a useful and powerful vehicle for communication and access to data and ideas – including data and ideas promoting IHRL - is its universality: It is a space shared by all and freely accessible to all under more or less equal terms pursuant to the net neutrality principle. An IHRL framework that require states to renationalize segments of cyberspace and to fragment it to overlapping territorial zones of influence and regulation, cuts against the logic of creating such a space, and may result in ‘throwing the baby with the bath water’.

Thus, I do not think US regulation of Facebook would be a practical answer to hate speech in Italy, nor would Chinese regulation of cyber-security software installed on Lenovo computers be the answer to the challenges of privacy protection in cyberspace. At the same time, I realize that host states are often ill-positioned to impose standards of conduct on foreign companies operating in their territory – the Apples, Googles, and Intels of this world – and have great difficulties in handling violations originating outside their territory, such as hacking into sensitive personal identity information or distribution of child pornography.

So, confronting the challenge before us may require a reboot of IHRL – developing beside the state-centric branch of IHRL, which emanated from the UDHR, a new branch of universal law, which should apply to all stakeholders in cyberspace – IT companies, on-line users, regulators, states and IGOs. Some initial indications for the development of such a lex cybernetica already exists in the shape of states company policies, such as the Facebook notify/remove policy elaborated in its “community standards”, Google privacy policies detailed in its “terms of service”, the commitment not to cause physical harm in the Internet Society’s code of conduct and human rights by coding technological practices. “Traditional” IHRL can serve an ancillary role vis-à-vis such developments with a view to promote new standards: For example, to push home countries to encourage companies based in their territory to adopt generally acceptable standards of corporate responsibility, and relevant IHRL-lex cybernetica standards, which include effective remedies. Although existing IHRL cannot effectively regulate directly cyber-space, it can support and oversee self-regulation, private ordering and coding by the industry and support hybrid norms and institutions that apply globally, not extra-territorially.




[i] Universal Declaration of Human Rights, preamble

[ii] See e.g., Martha Nussbaum, Frontiers of Justice: Disability, Nationality, Species Membership

(Cambridge: Harvard University Press, 2006) 285

[iii] See e.g., Ronald Dworkin, Taking Rights Seriously (London: Bloomsbury Publishing, 1977) 6.

[iv] Al Skeini v UK, ECtHR Judgment of 7 July 2011.

[v] Catan v Moldova and Russia, ECtHR Judgment of 19 Oct. 2012.

[vi] Chiragov v Armenia, ECtHR Judgment of 16 June 2015.

[vii] Sargsyan v Azerbaijan, ECtHR Judgment of 16 June 2015.

[viii] UN HRC, Concluding Observations: USA (2014), para. 9.

[ix] Bankovic v Belgium, ECtHR Judgment of 19 December 2001.

[x] Legality of the Threat or Use of Nuclear Weapons, 1996 ICJ 226, 240.

[xi] UN HRC, Concluding Observations: USA (2014), para. 22.

[xii] Airey v Ireland, ECtHR Judgment of 9 Oct. 1979

[xiii] X and Y v Netherlands, ECtHR Judgment of 26 March 1985.

[xiv] UN HRC, Concluding Observations: Germany (2012), para. 16: “The State party is encouraged to set out clearly the expectation that all business enterprises domiciled in its territory and/or its jurisdiction respect human rights standards in accordance with the Covenant throughout their operations. It is also encouraged to take appropriate measures to strengthen the remedies provided to protect people who have been victims of activities of such business enterprises operating abroad”.

[xv] UN HRC, Concluding Observations: Canada (2015), para. 6: “The State party should (a) enhance the effectiveness of existing mechanisms to ensure that all Canadian corporations under its jurisdiction , in particular mining corporations, respect human rights standards when operating abroad; ( b) consider establishing an independent mechanism with powers to investigate human rights abuses by such corporations abroad; and ( c) develop a legal framework that affords legal remedies to people who have been victims of activities of such corporations operating abroad”.

[xvi] UN HRC, Concluding Observations: Italy (2017), para. 37:“… that measures are taken to ensure that all corporations under its jurisdiction, in particular technology corporations, respect human rights standards when engaging in operations abroad”.

[xvii] General Comment 24 of the Committee on Economic, Social and Cultural Rights in the Context of Business Activities (2017), part 2.