Litigating Data Sovereignty
abstract. Because the internet is so thoroughly global, nearly every aspect of internet governance has an extraterritorial effect. This is evident in a number of high-profile cases that cover a wide range of subjects, including law enforcement access to digital evidence; speech disputes, such as requests to remove offensive or hateful web content; intellectual property disputes; and much more. Although substantively distinct, these issues present courts with the same jurisdictional challenge: how to ensure one state’s sovereign interest in regulating the internet’s local effects without infringing on other states’ interests.
The answer, for better or for worse, is comity, the foreign affairs principle that informs a number of sovereign-deference doctrines. Sovereignty arguments have pervaded a number of recent consequential cases, including Google’s challenge to the “right to be forgotten” in Europe and Microsoft’s challenge to a court order to produce foreign-held emails under the Electronic Communications Privacy Act. These arguments will continue to play a significant role in future cases. Yet the proper application of foreign affairs law to cross-border internet disputes is not what many litigants and courts have claimed. Crucially, no sovereign-deference doctrine prohibits global takedown requests, foreign production orders, or other forms of extraterritorial exercises of jurisdiction over the internet. To the contrary, one of the key lessons of the sovereign-deference jurisprudence is that in order to avoid tensions between sovereigns, courts often enable, rather than inhibit, extraterritorial exercises of authority.
This Article has three goals. First, it seeks to identify and characterize an emerging body of case law, which we might call data-sovereignty litigation: a diverse set of cases pitting national sovereigns against large internet firms. Second, the Article aims to show how the doctrinal rules of sovereign deference ought to apply to these disputes. Finally, it makes the case for a policy of sovereign deference beyond courts. The stakes are considerable. If we do not find ways to accommodate legitimate sovereign claims over global cloud activity, states will forcefully assert those interests—typically by taking physical control over local network infrastructure—imposing significant costs on entrepreneurship, privacy, and speech.
author. Associate Professor, University of Arizona College of Law. The author thanks Bill Dodge, Graeme Dinwoodie, Jack Goldsmith, Carlos Vazquez, Kristen Eichensehr, Maggie Gardner, Ingrid Wuerth, Albertina Antognini, Ben Wittes, Jennifer Daskal, Shalev Roisman, Matthew Perault, Alan Rozenshtein, Orin Kerr, Rick Salgado, Chris Bradley, Greg Nojeim, Nathaniel Jones, Alex Abdo, as well as the policy and legal teams at Google, Facebook, Twitter, Microsoft, Yahoo!, the Global Network Initiative, the ACLU, the Center for Democracy and Technology, and the Electronic Frontier Foundation. Thanks also to the editors of the Yale Law Journal, most especially Ali Cooper-Ponte, whose insights improved the Article considerably. The Article benefited from conferences and workshops at Stanford Law School, Vanderbilt Law School, Yale Law School, Florida State University, the University of Arizona, the University of Texas, the Department of Justice, the Hoover Institution, as well as the Yale/Stanford/Harvard Junior Faculty Forum and the American Society of International Law Domestic Courts Workshop. Much of this Article was written while the author was a Senior Cybersecurity Fellow and Visiting Professor at the University of Texas School of Law, and he owes a special debt to his students in the Tech Policy seminar there.