More than ever before Internet users are now interacting with people living/working in other economies. And as a result of these interactions, there are an increasing number of ‘legal contracts’ (intentional or not).
Internet policy researchers and academics debate about the changing landscape and the boundaries of the international and domestic laws, without conclusive agreements.
Earlier this year, I participated in a panel session at APRICOT 2018, with a number of other policy researchers and lawyers from the region, to discuss cross-border data transfer and legal issues arising from these, focusing on Asia Pacific economies.
We talked about the current landscape of online data transfer and transaction laws around the world including the current regimes of data transfer governance and treaties among different economies.
I specifically focused on the principles of law that have become problematic and ineffective to efficiently handle the emerging lawsuits due to the increasing number of cross-border data and content transfers; a growing and complex problem in the Asia Pacific.
One of the cases I highlighted was that of a Nepalese national, currently residing in New South Wales, Australia, who posted several nude pictures of a woman living in Nepal.
Although the Nepalese Police were able to successfully work with ISPs to remove the pictures from the host websites, the man kept posting similar content. The Nepalese police officers contacted the police in Australia to help take action on the suspect but were informed that they were not able to assist in the investigation because the plaintiff (the woman being harmed) was not residing in Australia.
The legal implications of ‘Cross-border Data Transaction’ (CBDT) have also been widely discussed in legal circles in my home economy South Korea for quite some time, following the refusal of certain overseas website hosts rejecting requests from the Korea Communications Commission to take down child pornography and sex trafficking content that had been uploaded to their sites.
Although the history of legal confusion on CBDT dates back to 2000, it has taken a while for Asian economies to be affected and as such, there has been confusion over the best way to deal with it
The above cases all involve more than one dimension of online harassment case – protection of privacy, CBDT, the liability of ISPs in online activities, and enforcement of foreign judgments.
In most legal cases within the same jurisdiction, the plaintiff can issue a cease and desist letter to deter further actions from the accused, and in urgent cases, a Court-issued injunction, to prevent criminals from further developing their behaviours. However, in the case of online content, which spans more than one jurisdiction, this can be problematic.
In the case of the Nepalese plaintiff, they would have to submit this in an Australian court, which is a costly and time-consuming exercise. Even initiating and proceeding with the lawsuits can be burdensome and not accessible for most citizens around the world.
According to the current international law system and international treaties, there are no known direct solutions to govern these lawsuits among ‘foreigners’, aside from diplomatic solutions, which are heavily dependent upon international treaties.
The recently enacted Clarifying Lawful Overseas Use of Data Act (also known as Cloud Act) of the United States and other cloud-computing related lawsuits — including the famous Google v. Equustek case — have brought such jurisdictional problems to light. This said, the enforcement of foreign judgment is complicated, and the process of implementing treaties by themselves are highly susceptible to external conditions such as domestic politics. This stems from the very nature of international treaties, which still need to be legislated by national lawmakers in order for them to have binding effects in each jurisdiction.
Even the laws and the processes required to implement such treaties widely differ from one economy to another. Therefore, the adoption of treaties cannot be a remedy for this complex CBDT landscape.
With the ensuing discussions and cases on CBDT worldwide over the past few years, cyberspace still lacks coherent governance and a legal system to rule over this phenomenon, and this legal vacuum has already created much confusion, even among legal communities.
The difficulty also lies not only in the recognition and enforcement of foreign judgments but also the lack of consistent due process and other coherent mechanisms required for the subjects of the cases to take action during lawsuits.
Mapping the mutual legal agreements across the borders, but let’s draw a bigger picture together
Although many of the current problems were already predicted by a number of pioneers in Internet law, the worldwide cooperative works that we are now witnessing have not happened until recently.
According to Jing Di, from the China Academy of Information and Communications Technology, who was a part of the panel discussion at APRICOT, between the years 2000 and 2015, international political actors including the US and the EU were in a “Safe Harbor Phase” in which domestic laws seek to regulate data transactions and actually encourage this CBDT by ensuring the safe use of them and taking measures to securely use the data on both continents. Indonesia, Brunei and Nigeria also require localized data storage back up in National Data Center before crossing borders.
However, as the volume of CBDTs has massively increased, economies have started to concretize the data types and the management of international data transaction by legislating more laws and treaties. This includes data protection regulations and international data flows by the United Nations Conference on Trade and Development (UNCTAD), Cross-border Privacy Rules by the Asia-Pacific Economic Cooperation (APEC), and the recent General Data Protection Regulation (GDPR) by EU Commission. And it’s expected that the number of treaties or other means of international regulations will increase in the coming years.
The future, and the place of technologies and laws in the society
Although technical measures have been widely sought out to block website access from specific areas for legal and business purposes, there are always legal and technical vacuums via which people can be damaged, as has been the cases above.
With the world recognizing the importance of pertinent laws on CBDT, more institutions have started to introduce laws on cross-border data transfers — the EU General Data Protection Regulation is just one of these efforts.
Internet & Jurisdiction is an international think-tank based in Paris that focuses on these inter-jurisdictional problems by calling upon stakeholders to find better legal solutions for these changes brought by the Internet. More cooperative works among different economies and law enforcement organizations, and International organizations such as the UN, ITU, ISOC and Interpol, are also investing time and effort in addressing this cause.
It’s expected that the legal landscape on this issue will become even more complicated as upcoming technologies such as the Internet of Things, cloud computing and blockchain are all heavily reliant on CBDT. Therefore, to make the Internet available for all and to make it work to connect the unconnected more widely, more proper legal regimes need to be sought out and implemented at the international level.
For more recent information on:
- CBDT laws, please refer to this article published in Computer Law & Security Journal.
- the importance of the application of existing international rule for cross-border data flows in International trade, please refer to this resource by the Brookings Institute.
- the current situation of blocking the global flow of data and a report reviewing the challenges and costs implied in CBDT, please read this article by the Information Technology & Innovation Foundation.
Contributor: Craig Ng
Yeseul Kim is a Masters student at the Science and Technology Policy Study at Korea Advanced Institute of Science and Technology.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.