
JURISDICTION ISSUES IN CYBER CRIMES

ABSTRACT

With the growth of science and technology, the world has turned into a global village. Traditional barriers have broken down, and because of the internet people are more interconnected than ever. However, this increased connectivity has also given rise to cybercrimes, which are not as easy to solve as traditional crimes. Traditional crimes occur at a certain place and involve parties from a specific location, which helps determine the jurisdiction over that crime. In contrast, a cybercrime is committed through electronic devices, leaving the location of the offender, the victims, and the place of commission of the offence vague. International law imposes no hard and fast rules on states for establishing their jurisdiction over a specific territory – it is left to the discretion of each state. This paper analyses the international law of jurisdiction in cybercrime, and how it interconnects with Indian law. The paper also attempts to identify the issues that arise out of the existing theories on jurisdiction in cybercrime and possible solutions to implement. Through this research, readers will be familiarised with the concepts of personal and subjective jurisdiction and the relevant sections of the Information Technology (IT) Act 2000. How the principle of lex fori is implemented in this regard is also examined, by analysing the law in India and international conventions on cyber jurisdiction.

KEYWORDS

Cybercrime, cyber jurisdiction, lex fori, personal and subjective jurisdiction, international convention

INTRODUCTION

In 1962, Marshall McLuhan coined the term “global village” to refer to the world being interconnected by new technologies.[1] The growth of the global village in the last few decades has been dramatic, to say the least. While it is agreed that it has brought people closer, leading to increased networking opportunities and improving people’s lives, it also has a dark side which has brought unwarranted problems to modern life. With the increased usage of computers and electronic devices, the virtual world, also known as cyberspace, became afflicted with crimes, just as the real world has traditional crimes. What made cyberspace crime-prone was its self-regulating nature. Gradually, terms like “rape in cyberspace”, “cyberterrorism” and other forms of cybercrime came into existence, thus leading to the need for regulation.[2] The need for regulation arose at first due to politics, but slowly various sectors, especially financial aspects like trade and taxation, also required regulation.[3] Then arose the question of who the regulator should be and how far nation states can regulate their cyberspace. Cyber jurisdiction is mainly categorised into three types – national, transnational, and international.[4] Tests and theories have been formed to determine the same. Laws like the Information Technology Act 2000[5] have been framed to determine the jurisdiction of cybercrimes in India, but how effective they are for extraterritorial jurisdiction is yet to be seen. International treaties like the Convention on Cybercrime, also called the Budapest Convention, do exist and take into consideration national laws on cybercrimes, but not all countries are signatories to it.[6] States need to cooperate with each other and frame a unique law which would not conflict with their national law, and which would make sure that justice is served when cybercrimes take place across borders.

RESEARCH METHODOLOGY

This paper is an amalgamation of secondary sources for the analysis of the tests and theories of jurisdiction in cybercrime. National and international law journals, government websites, and newspapers have been used for the research.

REVIEW OF LITERATURE

As mentioned previously, jurisdiction can be either subject matter or personal jurisdiction. While the former means that a certain court possesses the necessary powers to hear a particular type of claim that is brought before it, personal jurisdiction allows the court to hear matters related to people who have some connection to the territory, irrespective of where they are presently located.[7] When dealing with cybercrimes, the presence of multiple parties across the world, who are all virtually connected, gives only a vague idea of their identity and place. This makes it difficult for the court to determine its jurisdiction.

Section 1 of the IT Act allows Indian courts to exercise jurisdiction over offences committed under the IT Act in the entire territory of India, as well as those committed outside India.[8] This is further clarified by Section 75 of the IT Act, which grants Indian courts cross-border jurisdiction to hear those IT Act offences which are committed outside Indian territory, provided that the offence involves a computer or a computer network located within India.[9] Section 4 of the IPC[10] (Indian Penal Code) deals with extra-territorial application, where, if a computer resource is targeted in India, then Indian courts would have jurisdiction. Unlike Section 75 of the IT Act, Section 4 of the IPC would not give jurisdiction to Indian courts if only a computer/computer network is involved in the crime, thus making the IT Act more inclusive. The Budapest Convention, which came into effect in 2004, is the first international and sole legally binding treaty on cybercrime. It had the objective of improving international cooperation, developing investigation methodologies and harmonising all national laws, but only 68 nations have ratified it so far and India is not among them. One can see the problem arising from this. The United Nations Convention on Transnational Organized Crime (UNTOC), also known as the Palermo Convention, also asks states to frame their own domestic cybercrime laws, and even though it does not address international cybercrime, its provisions are highly relevant for the same.[11] If we read this convention carefully, we can easily see how the causes it presents for organized crime overlap with the causes of cybercrime. Ultimately, this makes it easier to employ solutions to effectively improve the existing jurisdiction issues of cybercrimes.

ANALYSING TESTS DEVELOPED TO DETERMINE JURISDICTION

States have laid down their own national laws on cybercrimes. Depending on the nationality of the offender and the victim, and the impact the crime has upon state security, the jurisdiction of a state is determined.[12]

In traditional cases, the court of the specific territory to which the parties belong has jurisdiction over their dispute.[13] This is the theory of personal jurisdiction. But in cybercrimes, while this theory is good for cases occurring within a specific territory, most of the time one of the parties is a resident of another country, making this theory difficult to implement. Hence tests were evolved to cater to everyone’s interests. The Minimum Contacts test comes into purview when the parties involved are outside the Court’s territorial jurisdiction, but they had contact with the claimant state. It is based on the principle of Personam Jurisdiction and the Foreseeability and Reasonable aspect. It was in the landmark US case of Int’l Shoe v Washington[14] that this test was introduced by the court. It was a 3-fold test: (1) the defending party must have had minimum contact with the forum state; (2) the complaint should arise out of that contact; (3) there should be reasonable exercising of jurisdiction.[15] The Calder Effect or the Objective territoriality test was developed in the case of Calder v Jones[16], where the court held that an intentional action by the defendant, aimed expressly at the claimant state with the knowledge that the claimant would suffer injury, is the necessary criterion for the applicability of the test. In Zippo Manufacturing Co. v Zippo Dot Com, Inc.[17], the court checked the level of interactivity to determine its jurisdiction over the case.[18] Through this case, the court developed the Interactivity test, which was then applied in another famous case named Cybersell Inc v Cybersell Inc[19]. The purposeful availment test was also used to determine the case of Cybersell Inc, but since the action of Cybersell Inc in the forum state was not purposeful availment, it did not fulfil the test. While all these tests ensure that there is some way to determine jurisdiction over cybercrimes happening amongst more than one state, they also bring a lot of vagueness with them. For example, in the interactivity test, how much interaction is sufficient is not clear. Also, there is no clarity on “exercising jurisdiction in a reasonable manner”. It appears to vary from case to case.

From the cases solved by the courts across countries, the tests do seem effective, but in reality, the ambiguity underlying these tests makes it necessary to improve the system of determining jurisdiction on cybercrimes.

CONFLICT OF JURISDICTION AND ITS THEORIES

Judicial precedents of foreign courts are not binding on Indian courts. They can merely be a persuasive argument. At the same time, with increasing transborder externalities, it becomes imperative to frame a definitive law which would be applicable across all nations. The problem arises because many of the nations do not even have a proper legal framework, to begin with, let alone being a member of international conventions on cybercrime. As per UNCTAD, here is a table showing the status of cybercrime legislation across the world.[20]

| Countries with | laws in effect | draft legislation | no legislation | no data |
| --- | --- | --- | --- | --- |
| Percentage | 80% | 5% | 13% | 1% |

Nick Lewis, a member of the UK’s Serious Organized Crime Agency, explained that organized crime groups migrate to other countries for a number of reasons, including lack of legislation and ineffectively coordinated legal action, making those countries prone to exploitation.[21] The same reasons can be utilised for conducting cybercrimes from different nations. Two questions automatically arise from this situation – which country is responsible for the cybercrime and which country has the authority to exercise jurisdiction over the cybercrime.[22] Further problems arise because the nature of the network may change. So, if the network itself has no definite base (country) of origin, then one can infer that the current legal framework is not suitable for finding the jurisdiction of cybercrimes. One needs an entirely new framework of cyber laws, which is what the theory of new sovereignty is all about. Conflict of jurisdiction arises if we apply the theory of jurisdictional relativity given by Professor Darrel Menthe, where if a person commits a cybercrime, then any country can exercise jurisdiction according to its own laws.[23] However, it is not possible for the Internet to determine the nationality of the person, and as established earlier, it is not just the offender whose nationality is required to determine the court’s jurisdiction. Again, by the theory of website jurisdiction it would not be possible to find out the court’s jurisdiction, because in cases where the website serves as an intermediary, the website owner does not become the perpetrator. At the same time, the site maintainer may have the responsibility to control the specific content of the website, making it reasonable for the host country to exercise jurisdiction over the same.[24] If the law is such that any country having an association with a cybercrime can exercise jurisdiction, it becomes problematic, as the perpetrator would be prosecuted in more than one state. The server and networks may belong to different states, and so may the victim/claimant, making the theory of limited jurisdiction impractical to apply.

INDIA AND THE GLOBAL

In India, the context of jurisdiction varies from the USA. However, the tests mentioned before are also applicable here. It can already be seen how Section 75 of the IT Act depends on the minimum contact test. In (India TV) Independent News Service Pvt Limited v. India Broadcast Live LLC & Ors[25], the minimum contact theory was applied by the court, because India was the forum state and the accused was carrying on his business with the motive to profit from India.[26] In Banyan Tree Holding (P) Limited v. A. Murali Krishna Reddy & Anr, the court held that, prima facie, the plaintiff has to prove the defendant had intentionally targeted the forum state (India).[27] The previously mentioned cases of the USA were also referred to in this case, and the Delhi High Court upheld what Thomas Schultz had argued – the “subjective territoriality test” and the “Calder effect test (objective territoriality test)” would make things too broad and unreasonable; rather, a middle path should be chosen while deciding jurisdictions of transborder cases.[28] In SMC Pneumatics Pvt India v Jogesh Kwatra, where “cyber defamation” happened for the first time in India, the plaintiff had sent defamatory emails to users located worldwide from a cybercafe in New Delhi.[29] From the minimum contact test, it can be understood why the Delhi High Court assumed jurisdiction. India follows the principle of lex fori, that is, the law of the country where an action is brought is to be followed. Sections 1 and 75 of the IT Act help implement the same. Section 179 of the Code of Criminal Procedure[30] (CrPC) also provides jurisdiction to Indian courts where the offence was committed or the consequences happened. This section was widely interpreted in the case of Lee Kun Hee & Ors. v. State Of U.P. & Ors[31]. The court held that “anything which has been done” (mentioned in Section 179 of the IPC) would include things done in the advancement of the execution of the agreement. In yet another case, Casio India Co. Limited v. Ashita Tele Systems Pvt. Limited[32], the same court exercised jurisdiction, even though the plaintiff was from Japan. The case was about a website which could be accessed from anywhere, so the defendant’s location being in Delhi would not be able to determine jurisdiction, but since the website was accessible from Delhi it was enough to make the court take the case.[33]

In the international scenario, there is the UNTOC, which was adopted by the General Assembly in 2000. Although the UNTOC does not deal with cybercrime, it can be used to cover the same when cyberspace is used as a setting for committing an organized crime. Cybercrime is intrinsically related to organized crime. Not only can the perpetrator change his location, but the crimes can also be committed across several countries at the same time, making it necessary to use the UNTOC as a base for framing laws on jurisdiction over cybercrimes. The relevant provisions under this convention are extremely reasonable if applied in cybercrime cases. For example, in Article 5 Part 1, a state can gain jurisdiction over a crime, even if the crime is outside its territory, provided the offenders intend to commit a crime in that state.[34] Article 15 Part 4 states that if two countries get involved in a crime, where the first country hosts the perpetrator and refuses to deport them to the victim country, then the first country has to mandatorily exercise jurisdiction over the crime for prosecuting the perpetrator.[35] These provisions are highly relevant for solving jurisdiction issues in cybercrime – one only needs all the countries to cooperate with each other and be a ratified member of an international convention having the same jurisdiction-related provisions as the UNTOC.

The United Kingdom has the Data Protection Act 2018, the UK-GDPR (UK General Data Protection Regulation), the NIS Regulations (Network and Information Security Regulations 2018)[36] and the Computer Misuse Act (CMA) 1990[37]. It is appreciable to see the numerous legislations it has for ensuring cyber security, but the most important of them is the CMA. As per Article 4(2) of the CMA, there must be a link between the offence and the UK for domestic jurisdiction over the offence. This was interpreted in such a way by the Crown Prosecution Service in the case of Gary McKinnon[38] that even though the perpetrator committed the crime from the UK, it did not have a significant link with the UK, since it was about hacking the computers in the USA military and NASA. The crime was a part of the extradition treaty between the UK and the USA.

SOLUTIONS TO PREVENT CONFLICT

The passive personality principle, which determines jurisdiction based on the victim’s nationality, has been too difficult a principle to be justified in the theory of public international law.[39] This was considered so, after the judgement in the Lotus case[40], which was ultimately overruled partially by the Convention on High Seas in 1958, where they said that only the offending state could have jurisdiction over the matter.[41] Basically, they endorsed the active personality principle, that is, jurisdiction based on the nationality of the offender. While this holds good in solving traditional crimes in public international law, it has already been showcased through the tests like minimum contact, and website jurisdiction, that it is not possible to use these principles for solving cybercrime jurisdiction.

The EU GDPR is an example of how a law can be framed to respect every nation’s cyber law, and at the same time make them cooperate with each other while solving a transnational/international cybercrime. Article 3 of the GDPR talks about the territorial scope, and it passes the Minimum Contacts test because, as per Article 3(2), the regulation applies to cases where the offender is not a part of the Union, although their behaviour/activity lies in the European Union.[42] What makes it even better is that it objectively specifies what serves as a minimum contact, thus leaving no room for ambiguity. Every country must first frame its cyber laws so that they are not arbitrary in nature, and must ratify the Budapest Convention. Countries should also go for Mutual Legal Assistance Treaties (MLATs) to make sure suspects of crime do not go scot-free because of a lack of legal framework in a specific country or some other regulatory inefficiency. UNTOC being one of the MLATs, it becomes imperative for countries not only to be a member of it but also to come together to frame international cyber law on similar lines, as already explained before. As of November 2019, India has signed MLATs with 42 countries.[43] The exchange of information and evidence regarding related criminal matters helps with the investigation and prosecution and also avoids any conflict thereby.

CONCLUSION

Cyber technology has been growing at a much faster pace than cyber laws. As reiterated, there is not only a need for better international law on cybercrime but also mandatory framing of domestic cyber laws across all countries. The United Nations would obviously be the place for creating a multistakeholder process to achieve this. The gaps in the current theories and laws have been explained in this paper, and it is high time to fill those inefficiencies – either by framing new laws or by amending and further evolving the existing ones. The main goal should be to prevent conflict and improve accountability.

So far states have either aligned with treaties that protect their states from people or that would protect their people from states.[44] States need to move past this and create an international forum that would not only regulate the behaviour of all but also address the concerns of everyone.

Ujjaini Biswas

II Year,

NALSAR University of Law, Hyderabad.


[1] Stanley Fischer, Global Markets and the Global Village in the 21st Century: Are international Organizations Prepared for the Challenge, International Monetary Fund, (Nov 19, 1999), https://www.imf.org/en/News/Articles/2015/09/28/04/53/sp111999.

[2] Stephan Wilske & Teresa Schiller, International Jurisdiction in Cyberspace: Which States May Regulate the Internet?, 50 Federal Communications Law Journal 119, 121 (1997), https://www.repository.law.indiana.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=1148&context=fclj.

[3] Ibid.

[4] Mr. Justice A. Muhamed Mustaque, Jurisdictional Issues in Adjudication of Cyber Crimes, National Judicial Academy, https://nja.gov.in/Concluded_Programmes/2022-23/P-1299_PPTs/2.Jurisdictional%20Issues%20in%20Adjudication%20of%20Cyber%20Crimes.pdf.

[5] The Information Technology Act, 2000, No. 21, Acts of Parliament, 2000 (India).

[6] Jennifer Daskal & Debrae Kennedy Mayo, Budapest Convention: What is it and How is it being updated?, Cross Border Data Forum (Jul 2, 2020), https://www.crossborderdataforum.org/budapest-convention-what-is-it-and-how-is-it-being-updated/.

[7] Stephanie Jurwoski, Subject matter jurisdiction, Cornell Law School, (Jun 2017), https://www.law.cornell.edu/wex/subject_matter_jurisdiction#:~:text=Personal%20jurisdiction%20is%20the%20requirement,is%20brought%20to%20that%20court.

[8] The Information Technology Act, 2000, §1, No. 21, Acts of Parliament, 2000 (India).

[9] Ishan Khanna, Anomalies in extra territorial jurisdiction for cyber crimes in India, Lexology, (Aug 20, 2021), https://www.lexology.com/library/detail.aspx?g=9fa6c473-904f-4fa6-8890-a28fc846edc8.

[10] The Indian Penal Code, 1860, §4, No. 45, Acts of Parliament, 1860 (India).

[11] Andre Standing, Transnational Organized Crime and the Palermo Convention: A Reality Check, International Peace Institute, (Dec 2010), https://www.ipinst.org/wp-content/uploads/publications/e_pub_palermo_convention.pdf.

[12] Xiaobing Li & Yongfeng Qin, Research on Criminal Jurisdiction of Computer cybercrime, Procedia Computer Science, 793, 796 (2018).

[13] Ibid.

[14] Int’l Shoe Co. v. Washington, 326 U.S. 310 (1945).

[15] Ibid.

[16] Calder v. Jones, 465 U.S. 783 (1984).

[17] Zippo Manufacturing Co. v Zippo Dot Com, Inc, 952 F.Supp. 1119 (1997).

[18] Tricia Leigh Gray, Minimum Contacts in Cyberspace: The Classic Jurisdiction Analysis in a New Setting, 1 Journal of High Technology Law, 85, 93-94 (2002).

[19] Cybersell, Inc v. Cybersell Inc, 130 F.3d 414 (9th Cir. 1997).

[20] UNCTAD, Cybercrime Legislation Worldwide, UNCTAD, (Dec 14, 2021), https://unctad.org/page/cybercrime-legislation-worldwide.

[21] Andre Standing, Transnational Organized Crime and the Palermo Convention: A Reality Check, IPI, (Dec 2010), https://www.ipinst.org/wp-content/uploads/publications/e_pub_palermo_convention.pdf.

[22] Supra note 12.

[23] Supra note 12.

[24] Darrel C. Menthe, Jurisdiction in Cyberspace: A Theory of International Spaces, 4 Mich. Telecomm. Tech. L. Rev. 69, 95 (1998).

[25] (India TV) Independent News Service Pvt Limited v. India Broadcast Live LLC & Ors, 2007 (35) PTC 177 Del.

[26] Himanshu Sharma & Ritiraj, India: Minimum Contact Theory, Mondaq, (Sep 11, 2013) https://www.mondaq.com/india/contracts-and-commercial-law/262030/minimum-contact-theory#:~:text=As%20jurisdiction%20in%20our%20courts,forum%20state%20to%20exercise%20jurisdiction.

[27] Banyan Tree Holding (P) Limited v A. Murali Krishna Reddy & Anr, 2009 SCCOnline Del 3780.

[28] Thomas Schultz, Carving up the Internet: Jurisdiction, Legal Orders, and the Private/Public International Law Interface, 19 The European Journal of International Law, 799, 816 (2008).

[29] SMC Pneumatics Pvt India v. Jogesh Kwatra, CS (OS) No. 1279/2001 (Delhi HC, 2001).

[30] The Code of Criminal Procedure, 1973, §179, No. 2, Acts of Parliament, 1974 (India).

[31] Lee Kun Hee & Ors. v. State Of U.P. & Ors, JT 2012 (2) SC 327 (India).

[32] Casio India Co. Limited v. Ashita Tele Systems Pvt. Limited, 106 (2003) DLT 554 (India).

[33] Ibid.

[34] Dr. Adel Azzam Saqf AL Hait, Jurisdiction in Cybercrimes: A Comparative Study, 22 Journal of Law, Policy and Globalization, 75, 77 (2014).

[35] Ibid.

[36] Julia Lopez MP, Cyber laws updated to boost UK’s resilience against online attacks, Department for Digital, Culture, Media & Sport, (Nov 30, 2022), https://www.gov.uk/government/news/cyber-laws-updated-to-boost-uks-resilience-against-online-attacks.

[37] Rohan Massey, et al, Cybersecurity Laws and Regulations, ICLG, (Nov 14, 2022), https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/england-and-wales.

[38] McKinnon v Government of The United States of America & Anr [2008] UKHL 59.

[39] Geoffrey R. Watson, The Passive Personality Principle, 28 TEX. Int’l L. J. 1, 8 (1993).

[40] SS Lotus (France v. Turkey) (Judgment) [1927] PCIJ (ser A) No 10 (‘Lotus’).

[41] Supra note 37.

[42] EU 2016/679 (General Data Protection Regulation).

[43] Guidelines on Mutual Legal Assistance in Criminal Matters, Ministry of Home Affairs, Government of India.

[44] Duncan Hollis, A Brief Primer on International Law and Cyberspace, Carnegie Endowment for International Peace (Jun 14, 2021), https://carnegieendowment.org/2021/06/14/brief-primer-on-international-law-and-cyberspace-pub-84763.