Boundless Courts and a Borderless Internet
This essay first appeared in the Internet Monitor project’s second annual report, Internet Monitor 2014: Reflections on the Digital World. The report, published by the Berkman Center for Internet & Society, is a collection of roughly three dozen short contributions that highlight and discuss some of the most compelling events and trends in the digitally networked environment over the past year.
Ever since Yahoo! sparked a furor in 2004 by disclosing information to the Chinese government about the journalist Shi Tao’s email account, which led to his arrest and imprisonment, major Internet companies have structured their operations in a jurisdictionally conscious manner to avoid contributing to human rights violations. Today, Internet companies service customers in some markets from servers located overseas so they can safely ignore requests from authoritarian governments to disclose user data. Similarly, companies often locate key personnel and data centers in jurisdictions with strong protections for civil liberties — in part to signal their compliance with rights-protective laws.
Two recent decisions by courts in established democracies against Internet company operations situated beyond their borders, along with the controversy surrounding the implementation of a third ruling, threaten to disrupt these arrangements, however — with potentially grave consequences for privacy and free expression should other courts adopt their logic.
The first is a decision in April by the federal district court in New York City commanding Microsoft to turn over to federal prosecutors the entire contents of a Hotmail account hosted at the company’s Irish data center. Although US laws generally do not apply extraterritorially, the court found that the Stored Communications Act treats emails stored in the cloud as business records belonging to the service provider. As such, customer content stored anywhere in the world is subject to US court orders whenever the service provider operates in the United States. Microsoft is appealing the decision, arguing that the proper way for US law enforcement to obtain access to the Hotmail account is through the Mutual Legal Assistance Treaty with Ireland. Such treaties, which the US has signed with over 60 nations, allows law enforcement in one country to obtain the assistance of the authorities in another to collect evidence, among other forms of cooperation.
In a second case, a court in British Columbia (BC) levied a worldwide injunction in June barring Google from indexing entire domains associated with the sale of counterfeit versions of a company’s products. While neither Google nor its Canadian subsidiary have employees or servers in BC, the Court held that it possessed jurisdiction over Google based on its sales of advertising to residents of the province. The Court conceded that most every court around the world would possess jurisdiction over Google on this base, but it nevertheless ruled that it could properly impose a worldwide jurisdiction against Google on the facts of this case, as the aggrieved company and the alleged counterfeiters had closer ties to BC than to any other jurisdiction.
Finally, there is the ongoing controversy over the interpretation of the European Court of Justice’s decision in the “right to be forgotten” case, which held that European residents can have “inadequate,” “irrelevant,” “excessive,” or simply outdated information about them de-indexed from search engines. Google in particular has responded to requests to be “forgotten” by de-indexing offending content from its European search offerings, such as Google.de and Google.fr. It has, however, kept such content available on Google.com as well as on its non-European search domains — all of which remain accessible within Europe. These actions have drawn the ire of European privacy regulators, who view Google’s failure to make such content entirely inaccessible in Europe as flouting the decision. No action has yet been taken against Google in this regard, but the possibility of further legal or regulatory action looms.
While courts in established democracies in North America and Western Europe might be trusted to wield extraterritorial powers responsibility, what happens when courts in countries that ignore the rule of law applies these precedents to its own ends? The New York court order to search Microsoft’s Irish servers was issued by an impartial judge (mis)construing the rights protections in the U.S. Constitution, but what if a court in, say, Saudi Arabia were to issue a similar order against a company with employees on the ground there for account information stored in the United States? Similarly, what if the courts in Turkey or Thailand were to rule that videos and tweets mocking those countries’ heads of states should be banned worldwide, and that they rightfully possess the jurisdiction to do so since their leaders enjoy a closer connection with their home countries than anywhere else? The result would be to reduce content on the Internet to the lowest global common denominator, or to balkanize the Internet into a set of regional networks within which local, rather than international, standards on digital searches and content suppression would prevail.
The current practice of the leading Internet companies to respect assertions of jurisdiction by governments within whose borders particular data is stored, or whose top-level domain graces a particular site, is not a perfect state of affairs. That said, it is far superior to a world in which governments everywhere can make demands of companies anywhere, backed up with the threat of sanctions against employees on the ground if they fail to comply. Regardless of the results in a particular case, courts in the world’s established democracies should think carefully about the wisdom of setting precedents that are inherently extraterritorial — given their potential to be abused beyond their national borders.
