
CyBok. Chapter 3. Laws and regulations. Part 2
07.08.2025

Ruslan Rakhmetov, Security Vision

 

We continue our series of publications dedicated to the Cybersecurity Body of Knowledge (CyBOK). Chapter 3 of this body of knowledge describes the main regulatory norms and principles of international law that are relevant to cybersecurity and can be applied when assessing cyber risks, managing information security, and investigating cyber incidents. Today we present the second part of the review of Chapter 3 of CyBOK, which covers various aspects of jurisdiction in relation to cyberspace.

 

3.2. Jurisdiction

 

The Internet provides unprecedented opportunities for global cross-border interaction, so when assessing legal risks, it is important to consider jurisdictional aspects and the nuances of conflict of laws. Jurisdiction describes the scope of state authority and the mechanisms used by the state to assert it. Conflict of laws is a set of rules that resolve contradictions between the laws of different states; it allows us to determine which national rules of law should be applied to a particular legal dispute.

 

3.2.1. Territorial Jurisdiction

 

Jurisdiction is most often understood as the limits of a state's competence on its territory, but when assessing legal risks within the framework of cross-border (interstate) activities of an individual or company, three different types of jurisdiction should be considered:

 

1) Prescriptive jurisdiction:

Prescriptive jurisdiction describes the extent to which a state has the power to regulate the activities of individuals or the ownership of property. State legislators generally make laws to protect their resident citizens and may regulate the actions of foreign nationals to the extent that they may cause harm to residents.

 

2) Juridical jurisdiction:

Juridical jurisdiction describes the power of a court to decide a case or dispute. In civil cases, courts usually require a minimum degree of connection between the court's jurisdiction and the entity being sued (for example, the presence of a branch of the company in the territory of the state). In criminal prosecutions, courts usually require the physical presence of the accused before the trial begins, but in some countries courts make exceptions to this rule and conduct the trial in the absence of an accused who is outside the territorial jurisdiction of the court.

 

3) Enforcement jurisdiction:

Enforcement jurisdiction describes the powers of the state to enforce laws, such as the use of force to maintain law and order and to stop crime. In civil cases, this may mean the seizure of documents and data carriers, the confiscation of equipment, the seizure of real estate and bank accounts, etc.

 

3.2.2 Prescriptive Jurisdiction

 

Traditionally, states have applied prescriptive and juridical jurisdiction to non-residents who do business with residents and take advantage of the domestic market, and who therefore must comply with state requirements. In more complex cases, a non-resident may not do business with residents of the country at all, yet his actions may still in some way harm the state or its citizens. An example is a cartel agreement between foreign exporters, concluded outside the territory of the state, that leads to an increase in prices within the country.

 

States may also apply prescriptive jurisdiction where resident citizens have committed an offense while in another country (even if it did not clearly harm the interests of their state) or where a crime has been committed abroad against that country's own citizens (for example, in the case of terrorism). However, when conducting international business, companies may face conflicting requirements from several countries. In this case, the business will typically change its processes and its management or ownership structure to avoid or reduce the likelihood of such a conflict.

 

3.2.2.1 Prescriptive Jurisdiction over Online Content

 

Various countries may apply prescriptive jurisdiction to harmful or criminal Internet content that was created outside the country, transmitted over the Internet, and displayed to resident users, including copyrighted material, defamation, gambling, and country-specific prohibitions. In such cases, courts typically apply prescriptive and juridical jurisdiction and treat the violation as having been committed within the territory of their country against their citizens, regardless of the location of the server on which the illegal content is stored.

 

3.2.2.2. Prescriptive jurisdiction over cybercrime

 

When drafting legislation concerning cybercrime, cross-border aspects are usually taken into account. Therefore, the rules of prescriptive jurisdiction can be applied to cybercriminals regardless of their location if they attack information systems within the country in question. Similarly, cases are brought against cybercriminals who are located in the country in question and hack foreign systems. A hacker located in his own country and attacking a computer in another country may violate the laws of both countries. Even if computer hacking is not considered a crime in his own country, he will still be considered an offender in the other country.

 

3.2.2.3. Prescriptive Jurisdiction and Protection of Personal Data

 

The scope of the GDPR (General Data Protection Regulation) covers all controllers (operators) and processors of personal data (PDn) who process the PDn of citizens of the European Union (EU) and of other persons located in the EU. The operator need not have a representative office in the EU, and its automated systems may also be located outside the EU. The GDPR applies the rules of prescriptive jurisdiction to the processing of the PDn of EU citizens by an operator (or processor) that is not located in Europe but offers goods and services to residents of the European Union or monitors the behavior of users located in the EU. Thus, for example, a Russian company that has no representative office in the EU may still fall under the GDPR if users from Europe register on the company's website and provide their personal data.

 

3.2.3. Executive Jurisdiction

 

Although countries make extensive use of prescriptive and juridical jurisdiction, the challenge is more complex when it comes to directly enforcing legal requirements. Generally, under public international law, one state does not have the right to enforce its laws on the territory of another state. Enforcement covers actions against persons and property, as well as requests or demands for international assistance from other states.

 

3.2.3.1. Seizure and confiscation of assets

 

The state may seize and confiscate property and assets to ensure the participation of a suspect in a trial, and may also sell property to satisfy the financial obligations of the guilty party. Examples of such objects are real estate (office buildings or factories), movable property (transport, goods, cash, securities), intangible assets (trademarks, copyrights, patents, trade secrets).

 

3.2.3.2. Seizure and confiscation of servers, domain names and registry entries

 

When equipment (such as a server) is located within a country and is used to commit cybercrimes, government agencies may seize the equipment as part of enforcement measures. In addition to equipment, domain names may also be seized from offenders with the assistance of domain registrars that comply with the requirements of a particular jurisdiction.

 

3.2.3.3. Territorial location of the right to demand repayment of bank deposits

 

A bank account may be considered to be located in the territory of the state in which the branch of the bank that accepted the deposit is located. The same rule may apply when the depositor used online banking and never personally visited the country or the branch of the bank. In general, it is not uncommon for parties to a dispute to demand the freezing of bank accounts and of assets in the form of cash and securities.

 

3.2.3.4. Foreign recognition and enforcement of civil claims

 

A procedural decision made by a court of one country to satisfy the demands of a civil claim may in some cases be executed by a court of another state. For example, friendly states may mutually exchange court decisions and ensure their execution.

 

3.2.3.5. Arrest of individuals on the territory of another state

 

Law enforcement officials may detain an accused person on the territory of another state if they themselves are on its territory. In addition, state authorities may arrest any sea vessel in the territorial waters of their state, and in international waters, vessels registered under the flag of the state that is making the arrest may also be arrested.

 

3.2.3.6. Extradition of individuals

 

If the offender is outside the territory of the state whose laws he or she has violated, representatives of that state may request the extradition of that person from another country. Extradition is usually governed by bilateral extradition treaties and is usually only permitted if the act committed is considered a crime in both states (the rule of dual criminality). If two states are parties to the Budapest Convention (the Convention on Cybercrime, adopted by the Council of Europe in 2001) and maintain a bilateral extradition treaty between themselves, then certain cybercrimes covered by that convention are included in their extradition procedures. In addition, that convention may also serve as an independent legal basis for extradition between two states that do not have a bilateral extradition treaty. Extradition requests for accused cybercriminals may be refused by the other state for a number of reasons, including the absence of an extradition treaty between the two countries, the absence of dual criminality, concerns about the severity of the penalty in the requesting state, and well-founded concerns for the health or well-being of the accused.

 

3.2.3.7. Content filtering

 

Filtering content using technical means is one way to enforce laws or reduce the risk of malicious activity. Law enforcement agencies can issue an order (writ of execution) to a person that obliges him to filter or delete content regardless of the location of the information source (server, website). If such a person does not comply with the requirements of the order, law enforcement agencies can oblige Internet providers to ensure the filtering of the illegal content. An example is the DPI (Deep Packet Inspection) technology used in Russia for this purpose.

 

3.2.3.8. Instructions to residents to provide data in their area of responsibility regardless of the location of the information system

 

Government authorities may require residents to provide data under their control, regardless of where the data is stored. Such demands are common in court proceedings seeking possible evidence of wrongdoing. In some cases, courts require data even from individuals who are not suspects or parties to the lawsuit, and the requested data may be located in another country. For example, in 2006 a scandal erupted when it became known that the United States had demanded and regularly received from the Belgian-registered interbank association SWIFT information about various individuals and organizations and data on international monetary transactions. Refusal to comply with the American demands threatened SWIFT employees with criminal prosecution in the United States, while providing the requested information violated EU law.

 

3.2.3.9. International legal assistance

 

States may request assistance from other governments to gather evidence in the context of cybercrime investigations. Such requests are most often made under a mutual legal assistance treaty and are transmitted between the authorities of the participating states. Such requests may also be made in the absence of a previously signed treaty, but in this case the other state may respond to the request at its own discretion.

 

The Budapest Convention imposes a number of requirements on states to provide mutual legal assistance in the investigation of cybercrime and sets forth a number of rules regarding the preservation of electronic evidence, including metadata, but such formal procedures for interaction are highly bureaucratic and not sufficiently efficient. However, Article 32 of the Budapest Convention allows simplified cross-border access to computer data even without the consent of the other party to the Convention, both where the information is publicly available and where a person located in the target country voluntarily consents to its release.

 

3.2.4. The issue of data sovereignty

 

The extremely low technological cost of storing and retrieving data outside the territory of the state raises concerns about the number of states that can somehow interfere with the processing of such data. For example, cloud infrastructures give a false sense of independence from the location of data, although in fact the security of data is directly affected by the jurisdictions in which the data centers and personnel of the cloud provider are located. This is why more and more countries are introducing their own rules for national regulation of the Internet space and the processing of sensitive data. Thus, there are requirements for the protection of personal data (152-FZ in Russia, PIPL in China, GDPR in the EU, the American HIPAA and CCPA, the EU–US Data Privacy Framework, etc.), requirements for the localization of personal databases (Russian 242-FZ on the localization of personal databases in Russia, Article 37 of the Cybersecurity Law of the PRC), rules for the operation of national networks (the Russian Law on the sovereign Runet), and requirements for storing user data (Russian rules for organizers of information dissemination on the Internet).