Content, Online Scholarship, Perspectives

“Contracting Out” Human Rights in International Law: Schrems II and the Fundamental Flaws of U.S. Surveillance Law

August 14, 2020

By: Genna Churches and Monika Zalnieriute

Introduction

In the midst of COVID-19 pandemic, on July 16, 2020, the Court of Justice of the European Union (“CJEU”) in Luxembourg handed down a long-awaited judgement on international data transfers in the Schrems II case. The European Union (“EU”) Court found that U.S. law does not provide the “essentially equivalent” protection for personal data to that guaranteed by EU law, and therefore invalidated the key mechanism for EU-United States data transfers—this time known as Privacy Shield—for the second time in a decade. While the CJEU generally upheld the validity of another legal basis for international data transfers—Standard Contractual Clauses (“SCCs”), the Court also implied that these clauses are not an avenue for continued transfers of personal data from the EU to the United States.

Schrems II is a win for human rights in the EU and beyond, yet, the long-term political impact of this judgement in securing human rights in the digital economy is less certain in light of the $7.1 trillion transatlantic economic relationship at stake. Until now, U.S. companies, including Facebook, Amazon, and Google, have relied on private self-certifications schemes, such as Privacy Shield, to assure the EU of “essentially equivalent” protection for personal data of EU residents, despite the extensive scope of U.S. surveillance programs. The U.S. government maintains that the protection under its national security laws “meets” and “exceeds” the safeguards “in foreign jurisdictions, including Europe,” suggesting that structural changes in the U.S. legal system are unlikely. Instead, the European Commission (“EC”) and U.S. Department of Commerce may soon carve out another solution for EU companies to “contract out” the protection for human rights where public authorities are unwilling to ensure it.

International Data Transfers and U.S. Surveillance Law: Schrems I

Following the Edward Snowden revelations about mass surveillance programs in 2013, various privacy advocates in the EU opposed the exposure of their personal data to such regimes. Snowden revealed U.S. surveillance programs including PRISIM and UPSTREAM, which collect data directly from undersea cables or from providers. These programs were authorized by executive powers under the U.S. legal system and often failed to guarantee the basic constitutional rights for U.S. citizens, let alone foreigners. The long-running Schrems saga began when Austrian privacy activist, Maximillian Schrems, lodged one such complaint with the Irish Data Protection Commissioner (“DPC”) about Facebook Ireland’s transfer of data to the United States. His complaint highlighted the incompatibility of U.S. surveillance programs and existing EU law permitting transfers to the United States. Under EU law at the time, the EC’s Safe Harbor Decision created an arrangement where U.S. data importers could “self-certify” that they provided “essentially equivalent” to that guaranteed under EU law, including the protection of fundamental rights under the EU Charter of Fundamental Rights (“EUCFR”). Schrems challenged the adequacy of these arrangements in ensuring “essentially equivalent” protection in his complaint, which the DPC rejected. Schrems then took his complaint to the High Court of Ireland, which referred two questions to the CJEU in the case now known as Schrems I. In that case, the CJEU invalidated Safe Harbor, because it did not afford “essentially equivalent” protection for personal data to that guaranteed under EU law (¶¶ 98, 104–106).

Facebook and other companies then relied upon SCCs, a mechanism created under another EC adequacy decision (“SCC Decision”), which enabled data transfers where contractual arrangements could provide the “essentially equivalent” protection to that under the EU legal order. In 2015, the Irish DPC asked Schrems to reformulate his original complaint in light of the invalidation of Safe Harbor. The revised complaint focused on Facebook’s data transfers outside of the EU based on SCCs (Schrems II ¶¶ 151–153), claiming the reliance on SCCs could not be valid due to U.S. law obliging private companies to provide access to personal data to public authorities under U.S. surveillance programs. Following the reformulation of his complaint, the EC and U.S. officials replaced Safe Harbor with a new version of a “self-certification” regime for EU-United States data transfers—the EU-United States Privacy Shield.

Based on Schrems’ revised complaint, the DPC raised a number of questions before the High Court of Ireland, which then referred 11 questions to the CJEU in Schrems II. These questions turned the focus towards the suitability and validity of SCCs and, by inference, the validity of Privacy Shield under the General Data Protection Regulation (“GDPR”).

International Data Transfers Continued: Schrems II

The Schrems II judgement challenges the mechanisms for EU-United States personal data transfers based on fundamental inadequacy of U.S. law to ensure the “essentially equivalent” protection to that guaranteed by EU law. The CJEU found that in circumstances where adequate safeguards exist in third countries, or where contractual terms can provide the “essentially equivalent” protection to EU law, the use of SCCs is valid. The Court then chose to engage directly with the validity of EU-United States data transfers under Privacy Shield, finding it invalid due to the fundamental inadequacy of safeguards for personal data provided by U.S. law.

The CJEU first focused on the standard contractual clauses, finding the SCC Decision valid (¶ 105). However, the Court stressed that data controllers must assess the level of protection afforded across the agreed contractual clauses between the data controller and the third country importer/processor, any access by public authorities to the data, and the legal system of the third country (¶¶ 93, 105). The CJEU reiterated that the SCCs must afford appropriate safeguards, enforceable rights, and effective legal remedies (¶ 103), with data controllers/exporters obliged to act if there is a conflict between the SCCs and third country laws, including an incompatibility with national security laws, by suspending data flows (¶¶ 134–135). Where SCCs cannot provide an “essential equivalent” to EU law, and data controllers have not acted, the CJEU held that National Data Protection Authorities (“DPAs”) must suspend, limit, or even ban international data transfers (¶¶ 113, 121).

However, the CJEU held that DPAs cannot act to suspend, limit, or ban data transfers where there is an adequacy decision, such as Privacy Shield, in place. The Court asserted that DPAs “cannot adopt measures contrary to that decision, such as acts intended to determine with binding effect that the third country covered by it does not ensure an adequate level of protection” (¶ 118). The CJEU noted that DPAs must still investigate complaints received, and if concerned about the equivalence of protection under an adequacy decision, bring an action before national courts questioning adequacy. If the national court agrees, it can make reference for a preliminary ruling on the validity of an adequacy decision in question (¶¶ 120, 121).

The CJEU then moved on to assess the adequacy of protection under U.S. law to determine the validity of the Privacy Shield. The Court held it invalid because of the largely unrestrained surveillance regime, a lack of redress under those regimes, and the lack of independence for the ombudsperson (¶ 199). Noting the EC can only make a decision on adequacy if the third country’s legislation provides all the necessary guarantees to ensure an adequate level of protection (¶¶ 129, 162, 167), the CJEU assessed the level of protection afforded by the United States. It found that U.S. surveillance regimes like PRISM and UPSTREAM which collect data directly from undersea cables or from providers like Google and Facebook, permitted under section 702 of the Foreign Intelligence Surveillance Act (“section 702 FISA”), were not limited to what was strictly necessary for the purposes of foreign intelligence. In particular, the legislation did not lay down any limitations or scope of the programs nor impose any minimum safeguards (¶¶ 179, 180). The CJEU also assessed the Presidential Policy Directive 28 (“PPD-28”—a response to the Snowden revelations attempting to restrain mass surveillance) and Executive Order 12333 (“EO-12333”—a 1981 order permitting expanded surveillance powers authorized by the executive), finding they did not grant actionable rights against U.S. authorities (¶¶ 181, 182, 184). The CJEU noted that the EU legal order provides a right to a hearing before an independent and impartial tribunal (article 47 of the EUCFR) (¶ 186), and that Privacy Shield created a specific role of an ombudsperson for EU data transfers. However, the Court held that surveillance programs based on section 702 FISA and EO-12333, even when read in conjunction with PPD-28, do not provide data subjects with actionable rights, leaving them with no effective remedy (¶ 192). The CJEU also highlighted a lack of independence in the oversight systems of Privacy Shield, as the role of the ombudsperson was related to the executive (¶ 195). Thus, the Court concluded that the Privacy Shield Decision could not provide an “essentially equivalent” protection for personal data to that guaranteed under the EU legal order and, therefore, was invalid (¶ 199).

So How Can Data Be Transferred to the United States Now?

After this pronouncement, many are asking how can data be lawfully transferred from the EU to the United States? The SCCs (and for that matter Binding Corporate Rules) are also unusable because the CJEU in Schrems II ruled that U.S. law—as a whole—does not provide adequate protection required under EU law for international data transfers. The Court partially answered this question: “transfers of personal data to third countries may take place in the absence of an adequacy decision under Article 45(3) of the GDPR or appropriate safeguards under Article 46 of the GDPR.” (¶ 202). In other words, the Court has not prohibited data transfers to the United States where “essentially equivalent” safeguards are provided. However, data controllers and exporters now face the very real dilemma of having to contract for the impossible—to form contracts under SCCs or article 46 of the GDPR, which protect the rights of the data subject despite the scope of the U.S. surveillance programs. With the CJEU’s findings that because of the extensive U.S. surveillance regime, the United States does not afford essentially equivalent safeguards, and confirmation that SCCs cannot bind a public authority in the third country (¶¶ 123, 125), it now appears impossible to transfer data lawfully from the EU to the United States. Some commentators suggest that not all organizations are subject to the U.S. surveillance regime. However, given the scope of the surveillance programs, as discussed by the CJEU, and the possibility of surveillance access even before the data reaches the data importer, such as through the “tapping” of undersea cables (¶¶ 62–63), the adequacy of protection from surveillance by any company is doubtful.

Will “Contracting Out” Human Rights to the United States Be Possible?

In light of the fundamental inadequacy of U.S. surveillance law to guarantee the level protection required by EU law, the remaining avenue for data transfers points to the use of contracts under the SCC Decision. Contractual obligations between businesses can play a role in protecting human rights in international law, for example in ensuring workers are protected in supply chains and offshore manufacturing. However, these contracts do not bind the government or public authorities in foreign countries, and the local laws in those countries may still over-ride contractual terms. Therefore, contractual clauses to protect data transferred to the United States will not be adequate because of the extensive surveillance powers granted to public authorities under the U.S. legal system, which can easily override those clauses.

The U.S. surveillance regime shows no sign of contracting. Often, as the CJEU found, there is little specific legislation which limits foreign surveillance programs, instead, they are authorized by a supervisory body or through executive order. While the EU Parliament called to overhaul the U.S. foreign surveillance regime following the Snowden revelations, calls for amendment in the United States were reinvigorated in late 2019 following reported breaches of section 702 FISA. However, proposed reforms have now stalled. With U.S. comments in response to Schrems II that the U.S. safeguards for data protection under national security programs “meets” or “exceeds” those in European jurisdictions, the stalemate between the EU and the United States is set to continue.

The use of SCCs in light of the scope of the U.S. surveillance framework places an impossible burden on data controllers to attempt to “contract out” the protection of human rights. The Berlin DPC has already issued advice to data controllers to cease EU-United States transfers, reinforcing the importance of a valid legal basis for data transfers. Fines for breaching the GDPR can be up to four percent of a company’s global revenue. The CJEU was clear that the DPAs are obliged to act against unlawful transfers, so it seems a risky business for private companies to keep doing “business as usual” after Schrems II. “Contracting out” human rights protection will simply not work for the CJEU, where the local laws in third countries, such as the United States, fundamentally violate those rights.

Conclusion

Schrems II has lived up to the hype—the decision will have far reaching effects. In response to the judgement, the EC could act quick to negotiate another agreement with the U.S. counterparts, just like it did earlier with the Safe Harbor and Privacy Shield, again authorizing data flows to the United States. However, without changes in the U.S. surveillance regime, we can be certain that any future adequacy decisions will be challenged by privacy advocates, costing DPAs millions of Euros in further court costs. Similarly, attempts to “contract out” human rights protection under SCCs, given the inability of the United States to provide “essentially equivalent” protection, expose data controllers to fines under the GDPR. Yet, the high stakes of the transatlantic economy weaken the EU position, while the bargaining power of the United States suggests that structural changes—that would bring the United States in line with “essential equivalence”—are unlikely any time soon. Failing U.S. changes, tech companies might have to process personal data in Europe, as legally “contracting out” protection for human rights might be next to impossible.

[hr gap=”30″]

Content, Online Scholarship, Perspectives

UK and Canada Domestic Courts’ Game-changing Rulings and International Custom: A Dress Rehearsal for Global Sustainability Law?

June 23, 2020

By: Anna Aseeva

Introduction

Just before most industrialized countries came to a standstill due to the 2020 Coronavirus (“COVID-19”) pandemic, two domestic courts in the United Kingdom (“UK”) and Canada issued groundbreaking judgments, which somewhat passed under the “radar” of public opinion relative to their importance in global sustainability. The two rulings were issued within 24 hours between February 27 and 28, 2020. These rulings outlined the foundation for sustainability obligations, including new obligations under international customary law. These obligations under international law concern environmental and human rights due diligence.

A rising number of voices suggest that the response to COVID-19 is bound to offer a dress rehearsal for global approaches to climate change and global inequalities. I cannot join those enthusiasts, for such a dress rehearsal might be mitigated in distributional terms, especially for people and regions outside the privileged bubbles of the Global North, for whom that dress rehearsal is not a matter of choice. Therefore, I submit that, while the primary role of domestic courts has not changed as such, their part in what I would call “sustainability litigation” is likely to positively influence the existing approaches to climate change and global inequalities in international law. In this post, I elaborate on that by analyzing the two most recent, crucial examples of such litigation.

R v. Secretary of State for Transport **(the Heathrow Ruling)**

In its decision on February 27, 2020, already baptized as “the Paris Agreement ruling,” the United Kingdom Court of Appeal (“UKCA”) ruled that climate change is a crucial concern before a state authority could consent to a climate-sensitive national policy. The environmental campaign groups Plan B and Friends of the Earth brought the case to the court arguing that the expansion of Heathrow Airport would jeopardize the UK’s ability to substantively reduce the greenhouse gas (“GHG”) emissions necessary to meaningfully fight climate change.

In ¶ 284 of its judicial review of the lower court’s ruling, the UKCA reaffirmed the unlawfulness in the conduct of the UK Secretary of State for Transport. The court found that the Secretary breached UK’s international obligations and domestic law, when he agreed to the expansion of Heathrow in the government’s 2018 Airports National Policy Statement described in ¶ 283.

Discussion

This judgment puts the obligations of the UK, and also of all parties to the Paris Agreement, to significantly reduce GHG emissions at the forefront of global and local sustainability policymaking. The ruling that the relevant authority’s administrative appraisal of the planned activity was not produced as the law required (¶ 283) drew on different sources. Those included national law, such as UK Strategic Environmental Assessment Directive, and the UK Government’s policy and international commitments on climate change, notably the obligations under the Paris Agreement, according to ¶¶ 222–238, 242–261.

Given that unincorporated treaties do not ordinarily produce direct binding effect in UK law, the Paris Agreement became relevant to the decision under UK law in a rather circuitous, yet pragmatic way. The UKCA refrained from identifying specific national planning or types of administrative assessment that may give rise to public authorities’ duties and accountability in case of lack of due diligence and/or other lacunae in the authority’s administrative appraisal of the planned activity. The ruling allows for its findings to be applied in a number of broad contexts, including climate change. The UKCA’s flexible and pragmatic approach is likely to allow future claimants, including climate advocates and broader civil society, to request that the planning procedures ensure that the dedicated authorities assess the climate impacts that are likely to result from the activities it approves in relevant national policies.

It is difficult to overestimate the court’s verdict in the context of Brexit. The judgment timely reaffirms the UK’s climate obligations under international law as the UK is leaving the European Union (“EU”). At the same, the ruling may have both short-term national and long-term global consequences for infrastructure and fossil fuel projects, since the global political economy still heavily relies on extraction. As Heathrow airport is a “bastion of the global fossil fuel economy,” the court’s stance may imply the UK Government’s obligation to reassess related national policies to ensure they are in line with the Paris Agreement. These could include revisiting subsidies offered to UK extractive and energy companies, or even reviewing and/or revoking licenses for the exploration for fossil fuel.

Last but not least, the ruling also arguably adds to the debate on establishing a particular obligation under customary international law for states to conduct a climate assessment. The climate assessment may differ from, or alternatively make part of, an environmental assessment invoked above, which is a proceeding to measure possible environmental consequences of relevant activities of national planning.¹ While in a transborder context, the obligation to carry out an environmental assessment is currently recognized as a general obligation under customary international law,² a similar obligation concerning climate assessment in the context of a global environmental harm, namely GHG emissions, does not seem to have been accepted as law. For example, unlike the rather clear states’ duties to perform environmental assessment, in the case of conducting climate assessment, one needs to first determine who owes such duty to whom and why. Following relevant international case law, climate change—plainly a global common concern—may make the duty to conduct climate assessment an erga omnes obligation owed to the international community as a whole (South China Sea, ¶ 927; Whaling in the Antarctic, ¶ 226). This erga omnes option is though far from undisputable (ILC 2018, conclusion 3, ¶ 4).

Nevsun v. Araya **(the Nevsun Ruling)**³

Across the pond, the Supreme Court of Canada (“SCC”) released its long awaited decision in Nevsun Resources Ltd. v. Araya (“Nevsun”) on February 28, 2020. Note that the numerous interveners in this case consisted almost exclusively of academia and civil society, including scholars, law clinics, and human rights litigation advocates. The suit was initiated in November 2014 in British Columbia by three Eritrean nationals, refugees in Canada, who sued Nevsun Resources Ltd., a Vancouver-based mining company, for its complicity in violent, cruel, inhumane, and degrading treatment at Bisha Mine, owned and operated by the Bisha Mine Share Company (“BMSC”) (Araya v.Nevsun Resources Ltd. (“Araya”), ¶ 33), where Nevsun held an indirect majority of a 60% interest and the other 40% being held by the national mining company, an arm of the Eritrean government (Nevsun, ¶ 7).

BMSC subcontracted the construction of the Bisha Mine to the Engineering, Procurement, and Construction Manager (“EPCM”), and the EPCM then further outsourced to other subcontractors owned by members of the Eritrean military (Araya, ¶ 26). The former workers claimed that the subcontractors forced Eritreans conscripted into the country’s National Service Program (“NSP”) to provide their labour at the mine in degrading and inhumane conditions (Araya-Appeal, ¶¶ 3–4). They also sought damages on behalf of all Eritreans that had been forced to provide their labour at that mine since September 2008 (Araya, ¶ 48). Their claims were based on violations of peremptory norms of customary international law, namely, forced labour, slavery, cruel, inhumane or degrading treatment, and crimes against humanity (Araya, ¶ 2).

In its appeal to the SCC, Nevsun argued in part that the court should strike the portion of the respondents’ claim based on customary international law, as it did not on its own create a cause of action. Rather, the respondents’ claims would require the development of new torts, which is a task for the legislative, not the judiciary. (Araya, Appellant’s Factum, ¶ 61). In January 2019, the appeal ended up before the SCC.

On February 28, 2020, the SCC decided that, to the extent customary international law norms have been adopted into Canadian law, they bound Nevsun as a Canadian corporation (Nevsun, ¶ 132).

Discussion

In a 5 to 4 landmark judgment, the majority of the SCC recognized Canada’s international human rights obligation to provide an effective remedy (Nevsun, ¶ 119) and ruled that “it was not plain and obvious” that Canadian courts cannot develop a civil remedy in domestic law for corporate violations of customary international law that is part of Canadian law (Nevsun, ¶ 122). Moreover, this could be done either through the development of new torts or through a direct remedy for violations of customary international law (Nevsun, ¶¶ 127–128).

The SCC held that the civil lawsuit could go forward and that the British Columbia Supreme Court would have to decide in September 2021 whether Nevsun breached customary international law and, if so, how such harm should be remedied (Nevsun, ¶ 131). This decision opens the door for more cases to be brought in Canadian courts for violations of human rights or failure to engage with environmental due diligence against Canadian extractive corporations operating transnationally.

While Nevsun is a seminal judgment in terms of opening Canadian courts to these types of claims, it may also be persuasive in other common law jurisdictions. It is in many ways a landmark ruling that will surely be referred to in relevant future decisions. In that regard, it has the potential to take the international community where the Supreme Court of the United States’ Kiobel v. Royal Dutch Petroleum 2013 ruling was hoped to take it: to a creation of extraterritorial tort liability of corporations for serious environmental, fundamental rights, and related abuses. If more states recognize such new torts based on customary international law or direct liability in customary international law, it will contribute to state practice and opinio juris on this issue. That would make it much more difficult for states and businesses to contest the idea that corporations have international environmental and human rights obligations.

General Implications

Both rulings demonstrate that if a state (the Heathrow ruling) or a company (Nevsun) breaches the sustainability norms of international law, it may now be held liable under domestic law. Here, however, an important reservation is in order: whether international law—custom or treaty—may require obligations for states or corporations in domestic law is subject to each specific national jurisdiction. On the other hand, the participation and input made by non-state actors in both cases (environmental campaign groups in Heathrow; workers, local populations, and human rights advocates, including academia and non-governmental organizations, in Nevsun) may activate necessary developments in interstate practice that can end up generating custom.

What to Expect Next

Both rulings are expected to have significant implications in international law, in particular, international investment law and arbitration. Regarding the Heathrow decision’s climate change law dynamics, since the Maffezini v. Spain award, international investment arbitration has presented a heterogeneous set of precedents on domestic measures relating to environmental assessment. Overall, environmental assessment is likely to “inevitably be of great relevance for many kinds of major investments in modern times” (Bilcon v. Canada, ¶ 597). A customary obligation to conduct a climate assessment is about to emerge. Yet its complete acceptance faces scepticism that GHG emissions represent a global cumulative environmental harm, and thus, that the obligation to protect the atmosphere is an erga omnesobligation.

In the specific Heathrow case, the court did not explicitly mention anything related to the debate whether there was a clear obligation under customary international law to conduct a climate assessment. Nor has the UKCA relied on customary international law or said anything that would contribute to an opinio juris that such an assessment was required. However, if the Heathrow ruling activates the relevant preexisting decisions of domestic courts (Gray v. Minister for Planning; Greenpeace New Zealand v. Northland Regional Council), supports the ongoing climate lawsuits, such as Zoubek et al. v. Austria or Notre Affaire à Tous and Others v. France, and triggers new ones, I suggest that that would arguably create the necessary amount of evidence of acceptance of climate assessment as law through the element of the formation of international custom through the rulings of national courts (ILC 2018, conclusion 10, ¶ 2).

As to international human rights obligations of corporations, in the paradigmatic 2016 Urbaser v. Argentina (“Urbaser”) counterclaim, the investment tribunal held that, while the norms of customary international law provide for a duty to perform for certain rights, jus cogens norms lay down a universal obligation of “the international community of states in its entirety” to abstain from committing certain acts under Article 53 of the Vienna Convention on the Law of Treaties (“VCLT”). In Urbaser, the human right to water was determined as an obligation to perform, implying a state obligation to provide its population with water (¶ 1208). The arbitrators ruled that the situation would have been different in a case where an obligation to abstain, such as a prohibition against acts violating human rights, would have been at stake. Such an obligation can be immediately applied, not only on states, but equally on individuals and other private parties (¶ 1210). This assertion, it is argued, extends beyond human rights norms framed as customary international law to those human rights framed as prohibitions—jus cogens. While in Urbaser, the arbitrators did not specify which norms bound foreign investors, in the Nevsun ruling, the judges were quite clear that these prohibitions could apply to foreign private companies.

Although not in contradiction with the Urbaser tribunal’s reasoning, in Nevsun, the SCC goes far beyond regarding the obligations of companies under international law. It plainly concludes that there is no reason for customary international law (with no distinction between positive and negative obligations) to not directly apply to corporations for violations of obligatory, definable, and universal norms of international law (Nevsun, ¶ 113). It is even argued that, had the Urbaser tribunal followed Nevsun’s interpretation, the investor would have clearly been in violation of its duty to perform—a positive obligation to ensure citizens’ international human right to water. Nevsun’s logic would make it a direct obligation under international law instead of a mere contractual obligation.

Concluding Remarks

To conclude, the two rulings offer an alternative dress rehearsal to the one promoted by the proponents of the “COVID-19 dress rehearsal.” These judgments show how different actors and society at large deal with the conflicts of jurisdictions and clashes of norms regarding sustainability issues today. The rulings will shape how we understand state and corporate direct liability of human rights and environmental due diligence under international law.

More broadly, these rulings underline the importance, and, indeed, ways of going beyond a plain, unitary boundary to capture the different legalities in the global order, yet involving modern international law properly through the use of its primary sources. Besides, the two rulings offer a more balanced system that better integrates strategic litigation, aspirations for local participation and pluralistic legal representation, as well as concrete sustainability considerations. In sum, such law allows a less hierarchical and unequal, more horizontally applicable and definitely a more inclusive model of a “post-national” law that could be seen as emerging global sustainability law.

Editors: Natasha Nicholson Gaviria; Beier Lin

[hr gap=”30″]

Content, Online Scholarship, Perspectives

Security and Human Rights Challenges of Cyber Due Diligence

June 17, 2020

By: Adina Ponta

Editor’s Note: This article does not reflect the views of the American Society of International Law or its members.

Introduction

After states, international organizations, and international coordinating fora, including the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (“UN GGE”), endorsed application of international law to cyberspace, the debate shifted to questions of how existing principles, rights, and obligations should be interpreted in regard to cyber activities.

As reaffirmed by the Tallinn Manual 2.0, several principles and rules of conventional and customary international law derive from the international law principle of sovereignty, including the “corollary” principle of non-intervention. Although states and scholars have different views regarding the legal qualification of sovereignty—either as an international law principle or as a rule —it is accepted that in cyberspace, sovereignty reflects states’ exclusive legal authority over their cyber infrastructure and activity associated with it, as well as jurisdiction over the persons engaged in cyber activity, including control of non-state cyber operations launched from their territory.

The modern due diligence principle derives from the ancient maxim sic utere tuo ut alienum non laedas, meaning use your own property in such a manner as not to injure that of others. In 2019, the Estonian President noted that “[s]overeignty entails not only rights, but also obligations,” reaffirming views expressed by Australia, France, Germany, and the Netherlands. In this regard, a state may be held responsible for the conducts of private persons if (1) upon attribution, these acts are considered to be acts of the state itself, or (2) if a state has violated its obligation “not to allow knowingly its territory to be used for acts contrary to the rights of other States,” as emphasized by the International Court of Justice (“ICJ”) in the Corfu Channel case.

Cyber Due Diligence

Deriving the obligation of due diligence in cyberspace from the principle of equal state sovereignty, Rule 6 of the Tallinn Manual 2.0. notes states’ obligation to ensure that the territory or cyber infrastructure under their control is not used for cyber operations that affect the rights of, and produce serious adverse consequences for, other states. The due diligence principle covers remote operations and operations conducted from or through state territory that affect the legal rights, and not mere interests, of other states. As mentioned by the director of the Tallinn Manual Process, this includes, for example, the right to be free from intervention by another state.

In the environmental law context, due diligence has been recognized as a principle of customary international law by international tribunals, including the ICJ, and in treaties, such as the UN Framework Convention on Climate Change. However, under lex lata, cyber due diligence has no binding nature, therefore, its scope and consequences of non-compliance are still grey areas of international law, as reflected by the 2015 UN GGE report. The vague language might indicate a lack of state endorsement that the due diligence duty is reflective of customary international law. The rejection of a mandatory due diligence rule within the UN GGE, which might as well represent valid opinio juris, mainly underlies fears of burdensome oversight obligations such a rule would impose on states with massive technological capabilities.

In contrast to the absence of consensus which determine the general language used in the statements of international organizations, individual states often chose to assert more granular statements. Official endorsement of due diligence as a rule of international law, by the Netherlands, France, Germany, Estonia, and Finland, translates into accepting the consequences of internationally wrongful acts, such as political or diplomatic actions, including those implemented via the U.N. Security Council. In the French view, non-compliance with the due diligence rule, including failure to terminate operations which violate the sovereignty of another state, may be followed by non-forcible countermeasures. Due diligence could be especially valuable in the assessment of legitimate responses to actions committed by non-state actors, as countermeasures can be lawfully applied only against states. The answer to this dilemma could be another question: did the host state of those actors breach its due diligence obligation?

The Preventive Component of Due Diligence

The application of the French maxim “Qui peut et n’empêche, pèche” (He who can and does not prevent, sins) in the cyber realm is very controversial. According to the International Law Commission (“ILC”), states are expected to employ vigilance on their territory, a duty that has developed in relation to their responsibility for private activities. Although it is agreed that due diligence is an obligation of conduct, there is no consensus on its content, nor on whether this duty also entails a preventive aspect, which in case of violation would constitute an internationally wrongful act. Prevention, the procedural component of due diligence, is reflected in the European Union (“EU”) General Data Protection Regulation (“GDPR”), and has been endorsed by the World Trade Organization (“WTO”), by the International Tribunal for the Law of the Sea (“ITLOS”), and, in the environmental context, by the ICJ. By analogy with international environmental law, states would have to assess the cyberactivities within their jurisdiction, similar to the obligation to conduct an environmental impact assessment, when there is a likelihood that transboundary harm would occur from these activities.

The Netherlands does not include mandatory cyber hygiene or network monitoring obligations for prevention of misusing cyber infrastructure in the scope of the due diligence duty. This approach is endorsed by the director of the Tallinn Manual Process, i.e. the due diligence principle would be limited to contexts of ongoing hostile operations, and is violated only if states have knowledge of the misuse of their sovereign territory. Some experts admit that the rule can be expanded to operations which are not ongoing, but very imminent, while the results have not yet materialized.

A major challenge to an enforceable obligation to prevent is different economic and technological state capabilities, although the fundamentals of state responsibilities are common. While the Estonian President implied the existence of preventive obligations on states, she included the development of assistive means to support target states in the attribution and investigation of malicious activities in the scope of “reasonable efforts,” depending on states’ capacities. Moreover, if the duty to prevent is regarded as encompassing an affirmative state obligation to enact domestic legislation, due diligence might also comprise obligations of result. Consequently, due diligence could act as a Trojan horse to justify mass surveillance that limits human rights and liberties, including the right to privacy.

States are not required to remedy all transboundary harm, but only the harm resulting in “serious adverse consequences,” a term borrowed from international environmental case law. Regarding the threshold of harm to trigger due diligence obligations, the Tallinn Manual 2.0. embraces the standard of “serious adverse consequences,” and specifies in Rule 4 distinct levels of harm which may result from a hostile cyberoperation. States’ obligation to prevent transboundary harm is conditioned by knowledge about the cyberoperations conducted using their territory or cyberinfrastructure. In line with the Corfu Channel judgement, this is broken down into “actual knowledge” delivered by domestic intelligence services or from warnings received from the target state, and constructive knowledge, i.e., if the state, in the normal course of events, would or objectively should have known about the harm. The “constructive knowledge” reflects the inherent characteristics of due diligence and good faith: hypothetical reasonable limits and assessment depending on feasibility of means.

Due diligence is an objective principle of law, but its assessment represents a sliding scale based on different factors, such as knowledge, capabilities, risks, and consequences, which confer the necessary flexibility and plasticity to evaluate whether the expected vigilance was met. In some views, when the standard of care is unclearly determined by a certain rule, states should resort to the ILC Draft Articles on Responsibility of States for Internationally Wrongful Acts (“Draft Articles”), which suggests negligence as the standard of due diligence. According to the International Law Association (“ILA”) Study Group on Due Diligence in International Law, this requires states to act with care that is “generally considered to be appropriate and proportional to the degree of risk of transboundary harm in the particular instance.” Therefore, the standard of review should be in abstracto, i.e., whether another state would have reasonably known in similar circumstances. The main challenge remains to be the standard of proof victims have to meet when demonstrating that a state was aware about the hostile cyber operations conducted on its territory, and will likely become probatio diabolica for victims.

The concrete means employed by states to stop ongoing operations can be manifold. In the Netherlands’ view, the target state may “ask the other country to shut down the servers, regardless of whether or not it has been established that a state is responsible for the cyberattack.” Although the obligation of notification was clearly affirmed by the ICJ in the Corfu Channel case as a general principle of international law, according to the Tallinn Manual 2.0, it does not necessarily imply a specific obligation to notify the target state, as this would disclose the host state’s capabilities. The balance of interests is very delicate, if such a notification is the only means to end the ongoing hostile cyberoperation, or if the cyberoperation would harm fundamental human rights, as was the case during the recent cyberoperations against medical facilities. While in this case failure of notification could represent a breach of international human rights law, a reasonable accommodation of state interests and human rights shall be found in order for the states to comply with due diligence principle which is only breached by states when they are aware of certain harmful operations but are unwilling to end them.

Intersections with Human Rights Law

States’ obligations to safeguard human rights apply in relation to individuals located on their territory, and to states’ obligations under international law to prevent transboundary harm. Although application of international human rights law(“IHRL”) to cyberspace is widely recognized, the majority of states don’t regard the geographic scope of human rights treaty obligations as being “extraterritorial,” and consider themselves to have affirmative obligations to prevent and respond to human rights violations only on their territory. Transboundary obligations only arise when a state exercises real or de facto control and authority over another territory. I have argued before the complexity of establishing states’ responsibility to the hospitalized individuals who were injured or lost their lives as a consequence of a cyber act that could have been prevented. In relation to their own citizens, states’ obligation to provide cybersecurity will have to be integrated within the scope of the right to life, the right to health, and the right to freedom and security, in order to further trigger the relevant reparation mechanisms provided by regional and international human rights instruments. The right to health is safeguarded by the International Covenant on Economic, Social and Cultural Rights (“ICESCR”), which the United States has not ratified to date.

Human rights bodies have attached to the due diligence principle a duty to investigate and to prevent. Although the majority view is that this principle does not impose on states a general obligation of prevention, IHRL safeguards a specific duty of prevention, including the duty to limit and prevent human rights violations in cyberspace. Addressing the right to health, the UN Committee on Economic, Social, and Cultural Rights (“CESCR”) noted that “States parties [to the ICESCR] have to respect the enjoyment of the right to health in other countries.” Moreover, according to the Maastricht Principles on the Extra-Territorial Obligations of States in the area of Economic, Social and Cultural Rights, states should be held accountable for violating human rights of people outside of their own territories. Although this article does not intend to analyze the legal effects of the CESCR language, this logic implies that even if states do not recognize the application of the due diligence principle and its preventive component, their obligation to prevent transboundary harm, including the harm resulting from hostile cyberoperations on medical and testing facilities, could be derived from transboundary IHRL obligations, or the universality of human rights.

The theory that these positive duties under IHRL, including a reasonable due care requirement, can and should arise under international law in extraterritorial circumstances has already been discussed in other contexts, especially related to international law applicable to the environment. While reaching a balance between protection of individual rights and national security is very complex, states’ operational choices to comply with their obligations shall consider national resources, without derogating from absolute human rights. According to the European Court of Human Rights, this positive obligation to take preventive operational measures shall “not impose an impossible or disproportionate burden on the authorities.” Rule 36 of the Tallinn Manual 2.0. notes states’ affirmative obligation to ensure respect for human rights and to protect human rights from abuse by third parties. If the due diligence obligation will be interpreted as including a governmental duty to ensure backup power generators to medical facilities or testing databases, the scope of human rights in the artificial intelligence era will expand exponentially.

Conclusion

Although due diligence is not widely endorsed as a binding rule of international law, there is currently widespread support of this non-binding norm of responsible state behavior. There are still concerns that its clarification offers opportunities for states to allege more breaches of international law and increase the frequency of countermeasures, which ultimately hamper stabilization of this international law principle in cyberspace. Fortunately, for the purpose of protecting their national security, most states would act with due diligence simply because it is in their domestic and foreign policy interest. The challenge remains of how to legally address transboundary human rights violations of hostile cyberoperations in the absence of a unitary approach on transboundary effects of states’ human rights obligations and given the non-binding nature of due diligence. Customary international law, including parts of the Draft Articles, might be the answer in case of unlawful and attributable state actions, although their application to the cyber domain is also disputed.

Given the fact that the principle of sovereignty is under most pressure in this domain, and due diligence is one of the main means of applying pressure, development of state practice over the next few years is crucial. Cyberoperations are a reality the international community needs to face, and as there are no means of returning to the old status quo, it needs to find a modus vivendi with all implications of the new realities. For increased stability and accountability in cyberspace, and for a widespread understanding and agreement regarding the applicability and interpretation of lex lata, it is critical that states not only affirm the general applicability of international law in cyberspace, but also expressly label hostile cyber operations as violations of specific international law rules and principles, such as due diligence.

Executive Editor: Yixian Sun

[hr gap=”30″]

Online Scholarship, Perspectives

The International Health Regulations: The Past and the Present, But What Future?

April 9, 2020

By: Lauren Tonti

Containing a pandemic is a titanic task, requiring the cooperation of modern-day Titans. On March 11, 2020, the World Health Organization (“WHO”) declared a global pandemic of COVID-19, a respiratory disease spread by airborne pathogens from the coronavirus family. Infecting nearly 1,500,000 individuals across 184 countries as of April 9, 2020, and killing over 90,000 worldwide, COVID-19 has tested the tools of global health governance that are designed to protect populations. One such tool is the International Health Regulations (“IHR”). As a multinational agreement binding 196 Member States to monitor and report international health threats, the IHR seeks to coordinate a balanced public health response, while minimizing disruption to international travel and trade and upholding human rights. Mandating protocols to detect, assess, and report outbreaks, the IHR requires Member States to implement core capacities designed to equip national disease outbreak responses. Importantly, the IHR also gives the WHO’s Director-General the power to declare a public health emergency of international concern (“PHEIC”), which mobilizes coordinated international action. Indeed, states shoulder much of the responsibility to generate and report the public health metrics required to trigger any PHEIC notification. The IHR reflects an accumulation of the lessons that past pandemics have taught the global community. But as the world watches COVID-19 take its toll, the future of these regulations remains uncertain.

The IHR: An Instrument Informed by Past Pandemics

The present coronavirus is not the world’s first duel with a pandemic. The bubonic plague, a series of cholera outbreaks, and the Spanish flu are among the most notorious pandemics in recorded history. Each bout with pandemic illness has taught the international community hard-fought lessons that stakeholders used to adjust laws accordingly. Such lessons informed the evolution of this global health governance tool.

The 1892 International Sanitary Convention embodies some of the earliest concerted efforts of international powers to combat European cholera outbreaks under a unified framework. Furthering these principles, the International Sanitary Regulations were adopted by Member States of the newly-founded WHO in 1951, later revised and renamed as the International Health Regulations in 1969. The IHR of 1969 focused on six major diseases, including cholera, plague, yellow fever, smallpox, relapsing fever, and typhus. A series of illnesses across the globe prompted minor revisions throughout the subsequent decades before the AIDS epidemic and the SARS outbreak necessitated major revisions in 2005.

The 2005 revisions broadened the IHR’s scope beyond the six major diseases, aiming to encompass biological, chemical, and nuclear incidents, as well as zoonotic diseases and food safety concerns. The 2005 IHR revisions recommend best practices for international traffic at points of entry, reflecting modern globalized traffic and trade. The revisions increased the WHO’s investigational capacities and encouraged the observance of human rights in protecting public health. However, the latest round of revisions, which came into effect in 2007, failed to increase the instrument’s enforcement power. Current enforcement mechanisms rely on public shaming techniques that highlight damaged international reputations, increased national mortality, economic disruptions, and public outrage.

Since the revisions, the world has confronted Ebola, swine flu, and Zika virus. While a mix of hard and soft law direct health governance, the IHR is certainly one of the most multinational and tangible instruments available. At present, it has guided the global response to COVID-19.

At Present: IHR vs. COVID-19

As a fast-spreading, severe acute respiratory syndrome, COVID-19 matches the profile of notifiable diseases for which the IHR was designed. Yet, in response to COVID-19, there have been numerous violations of the IHR mandates, showing that the preventive mechanisms enshrined in IHR have failed—in large part due to national discretion.

Nations’ Lack of Core Capacities Hurt COVID-19 Response

Despite extended compliance deadlines, n o WHO Member State is in complete compliance with the IHR’s core competencies. Europe achieved the highest level of compliance at 72% across all competencies, according to the WHO’s State Parties Self-Assessment Annual Reporting Tool (“SPAR”). Notably, however, the SPAR has been criticized for its lack of independent validation. National evaluation of compliance is also seen as inconsistent. Nonetheless, if these metrics are the “indisputable baseline[s] for preparedness,” Member States were at marked disadvantages from the outset of COVID-19. Whether because of inadequate funding, resources, or sheer lack of will, nations’ inhibited core capacities hurt the global COVID-19 response.

Member States Violated Key IHR Provisions

The COVID-19 epidemic bears witness to several direct IHR infractions, particularly Articles 6 and 7, governing reporting, and Article 43, regarding the implementation of protective measures.

While the IHR mandates national reporting and monitoring of notifiable disease outbreaks, China, a WHO Member State, was accused of censoring and withholding information at the outbreak’s outset, violating its duties in IHR Articles 6 and 7. Since the disease’s progression, reports have surfaced that China’s disease management tactics, such as censorship and mass quarantine, violate human rights, civil liberties, and IHR Article 3’s explicit call for respecting “dignity, human rights and fundamental freedoms of persons.”

In violation of IHR Article 43, which instructs disease management tactics to be grounded in available scientific evidence, numerous nations implemented travel bans barring travelers from endemic regions and closed national borders to non-citizens in the name of disease containment. Such tactics, which usually only yield benefits at the very preliminary stages of an outbreak, have proven detrimental to disease control efforts, especially as less restrictive yet similarly effective disease containment protocols were available. Moreover, in enacting such restrictions, nations disregarded guidance repeatedly issued by the WHO, yet another Article 43 violation.

While the IHR affords nations the prerogative to enact additional disease containment, Member States must report the extraordinary measures they have taken to the WHO. Perpetuating violations, only 32% of the 72 Member States implementing coronavirus travel restrictions reported these measures in a timely fashion to the WHO during the outbreak.

Unfortunately, the trends of forsaking WHO guidance while implementing additional bans that disrupted travel and trade are all repeat offenses, as the same types of infractions occurred during the Ebola and swine flu outbreaks. These infractions reflect a severe “crisis of confidence in the [International Health] Regulations.”

Political Pressures Pose Impediments

Political pressure appears to have impeded the IHR’s functionality. Critics argue that the WHO had sufficient evidence to declare COVID-19 a PHEIC as early as January 23, 2020, though the Director-General did not officially do so until a week later. Taiwan claims the WHO failed to act upon its officials reports to the WHO in December 2019 of human-to-human coronavirus transmission. Additionally, while the WHO stated that it is not in the business of shaming Member States for missteps, it has praised China for what many call draconian measures. Critics call such politically motivated support a “deception” that gave the global community “a false sense of assurance” about COVID-19’s manageability.

What Future for the IHR?

As COVID-19 continues to rage, the IHR’s future becomes less certain. As death counts surge, confidence in the IHR sinks. In the scrutiny likely to follow this pandemic, many will likely wonder whether the IHR adequately fit modern tendencies. This criticism will not be novel. Scholars predicted such difficulties.

Before COVID-19 struck, scholars called for revisions, as the Ebola outbreak alone revealed challenges for the IHR. Lawrence O. Gostin, in symphony with other leading public health scholars, has long advocated for another IHR revision. Scholars suggest fundamental modifications to financing, harmonization, evaluation metrics, core capacities, compliance, the role of civil society, human resource utilization, transparency, and more that will fortify the instrument for modern-era pandemic response.

To maximize preparedness, Gostin and co-author Rebecca Katz suggest ramping up core capacity adoption supported by “an independent evaluation system with a feedback loop and continuous quality improvement,” as well as funding mechanisms. To address IHR enforcement violations, Gostin and Katz suggest adopting carrot and stick compliance measures to encourage core capacity adoption and discourage independent action counter to evidence-based guidelines. To reduce political influence, Gostin and Katz advocate for more transparency and independence for emergency committees involved in declaring a PHEIC. They also call for publicizing the WHO Emergency Committee’s evidence base and decision-making rationales. Furthermore, Gostin and Katz suggest a tiered approach to a PHEIC declaration to counter its present reactionary role. Proactive measures are needed “long before an outbreak becomes an international emergency.” In combination, these reforms can help strengthen future versions and functioning of the IHR.

Conclusion

Past and present International Health Regulations are the products of experience, deliberation, and compromise. However, the modern instrument’s future remains uncertain, as it attempts to govern in a world where the WHO’s efficacy is questioned. If the global community calls for the IHR’s subsequent revisions, significant political will would be required to achieve effectual reforms. Despite an uncertain future, COVID-19 does demonstrate the profound need for an evidence-based instrument that can mobilize and coordinate numerous international actors and resources with lightning precision. One thing is certain—norms, as they stand, will not suffice in the face of another pandemic.

Lauren Tonti is a Doctoral Candidate at the Max Planck Institute for Social Law & Social Policy.

Content, Online Scholarship, Perspectives

International Tax Law: Adopting the OECD Model in Light of Recent Empirical Findings

December 28, 2019

By: Naseem “Naz” Khan

An insightful May 2019 analysis by Elliott Ash and Omri Marian provided a strong contribution to the compelling debates around international tax law. The title of their article, “Who is Making International Tax Law,” is deceptive, in the sense that one might assume something as important as international tax “law-making” is undertaken in accordance with a set of universally accepted rules. This Ash and Marian “second take” provides ample confirmation that little, if anything, associated with this tax law framework has evolved in an orderly, pre-determined fashion. A single, provocative question drives the following commentary: does a customary international law of taxation actually exist, and should it?

The Current State of Play

Unlike other international lawmaking institutions, such as the World Trade Organization, the United Nations (the “UN”), or the supranational European Union, there is no equivalent World Tax Organization whose rules are accepted by and binding on its membership. It might be argued that given the over 3,000 tax treaties now negotiated across the international community, the treaty processes are a de facto lawmaking mechanism. After all, once a nation makes a treaty commitment, customary international law on treaty-making, as reflected in the 1969 Vienna Convention, requires all “contracting States” to implement the treaty’s terms into the relevant domestic legal frameworks.

This process is further supplemented by the fact that representative international institutions (notably the UN and the Organization for Economic Co-operation and Development (“OECD”)) have published and regularly updated model tax treaties that are gaining near universal acceptance as appropriate international tax law standards. Ash and Marian provide a careful and irrefutable comparison of the key words used in all tax treaties enacted since the 1960s. Their data confirms that over the past 20 years, there has been an increasing similarity in tax treaty language irrespective of which countries are crafting their treaty terms. Particular praise is directed towards the OECD model, one that they describe as “. . . the key institutional source of the consensus building process” that is ongoing across the world.

An Ephemeral Customary Tax Law

When these initial reactions to the Ash and Marian analysis are collectively assembled, a less informed, but still reasonable observer might conclude that whilst perhaps not perfect, current international tax law evolution suggests a customary law of taxation does exist. Ash and Marian rightly make a more nuanced observation — no matter how popular the OECD model may be in terms of its broader international community uptake, the fact remains that absent a legal obligation to adopt the OECD version, there is no customary law that binds every State.

If one accepts this proposition as accurate, the first part of the question posed above is clear — a customary law of taxation does not exist. At most, there might be a “coherent” international tax regime, or tax “soft law” that tends to promote convergence in the ways that States now approach taxation issues, but these concepts fall well short of binding legal obligations.

Ash and Marian offer a sensible justification for this view. They note that unlike many other international treaties with a common State interest (such as defense, environmental protection standards, or intellectual property rights), tax treaties are uniquely negotiated. The nations pairing themselves in these agreements each have unique economic, social, and cultural circumstances that militate more strongly in favor of each party adopting positions that best serve their overarching national interests. Ash and Marian cite the example of State A being a net capital exporter in relation to treaty partner State B, but having a capital importer advantage when compared with another partner (State C). Their scenario reinforces a crucial point when assessing this entire topic: It is likely impossible to ever reconcile the respective A, B, and C negotiating positions such that a common tax framework could ensure fair treatment for each State’s interest in every circumstance.

But Should A Customary International Tax Law Exist?

This question is arguably more intriguing. Consider the individual taxpayer, who is arguably the most affected by the lack of binding legal obligations. They might say, “If there is no customary law, there ought to be! Taxation is too important to leave to individual States. Only a comprehensive approach can possibly make things fair and consistent for taxpayers and the entire international community!”

Indeed, there are various criticisms about globalization forces having encouraged a “race to the bottom” amongst States competing for highly desired foreign investment. Commentators have noted that States will often lure prospective investors with promises of low (or no) corporate tax rates, in combination with reduced workplace health and safety protections, or modified environmental compliance requirements. A single and defined global corporate tax rate might level the foreign investment playing field and at the same time protect weaker nations from being dominated by stronger investors, who are largely based in the developed world and essentially extort tax concessions from vulnerable individual taxpayers.

The ever-increasing public fury directed at transnational corporations (“TNCs”), such as Google, Amazon, Starbucks, and Netflix, and their ability to structure different intra-company networks that create tax losses to offset profits, is another powerful justification for a single international tax law framework. These enterprises are extremely profitable, and given that a typical individual taxpayer might have as much as 60 percent of their available income to pay in various taxes such as value-added and municipal-based taxes, TNCs who pay little or no tax properly prompt calls for global tax law reform.

Loopholes and Information Exchanges

The now infamous 2016 Panama Papers confirmed that wealthy individuals and corporations alike have often adopted remarkable strategies to hide their money in tax-free offshore accounts, shielded from their own national revenue agencies. There is compelling empirical evidence that these tax avoidance efforts remove billions of dollars from essential national revenue collection efforts. Further, the costs incurred by States to track and trace where these assets are hidden would likely have been reduced if a single international system was adopted.

The 2017 European Court of Justice (“ECJ”) case — Berlioz Investment Fund SA v Director of the Direct Taxation Administration, Luxembourg — is instructive. The ultimate ECJ ruling is less important to the present commentary than how the relevant national authorities were required to spend considerable time, effort, and plainly finite national resources just to deal with issues arising from requests for tax information sent by another Member State under Directive 2011/16. Further, as Steichen and Bieber astutely point out, the ECJ decision arguably strikes a blow against a global tax law, as the Court appears to favor what these authors describe as the “rule of law triumphing over the essential State need” to exchange information that is necessary to catch tax cheats.

By extension, if protection is afforded to individual privacy rights over State power to regulate, investigate, and prosecute cross-border related tax offenses, the notion that an international law in this area will be more successful strains credulity. There are simply too many variables that impact how countries pursue taxation strategies.

Is There A Solution?

Reading the Ash and Marian blog post in conjunction with their larger, more extensive academic article, these experts appear untroubled by the fact that a truly international customary tax law system has not yet evolved. Too often, the legal world becomes transfixed with the concept of ongoing law reform. It is not enough that the particular legal area seems to be developing in ways that appear logical, or that through simple, ongoing evolutionary forces the law is developing in what appears to be positive directions. This topic is a perfect example of what might be characterized as change for change’s sake. The “race to the bottom,” aggressive TNC tax avoidance practice, and patchwork enforcement quilt are legitimate concerns. However, in the face of ongoing OECD and similar model tax law success, what real additional benefits will be realized if — somehow — an enforceable global tax convention was devised, debated, and ratified by the international community? Such a process seems doomed to fail given the current global geopolitical climate, one punctuated by tensions between China and the United States that will almost certainly doom any effort to give current tax treaty models binding effect. The better and ultimately less contentious path — when considered from a global perspective — is to encourage the OECD and other tax policymaking bodies to keep promoting their models. The Ash and Marian analysis is especially cogent in this respect. The continued emphasis on model tax treaties is an equally good, if not perfect, assurance that most States will adhere to these commonly-employed, OECD-endorsed, tried and tested tax law approaches. In these uncertain times, such an outcome is likely the best one available.

Naseem “Naz” Khan is an LL.M. candidate at Durham University in England, where he is studying taxation and international human rights law.

Content, Online Scholarship, Perspectives

The Legacy of the Libertad Act: Defeating Title III Claims and Protecting International Comity

November 18, 2019

By: Jason Rotstein

Introduction

On April 17, 2019, United States Secretary of State Michael R. Pompeo announced the full implementation of the Cuban Liberty and Democratic Solidarity (Libertad) Act, or the Helms-Burton Act. “For the first time,” as of May 2, 2019, “claimants [can] . . . bring lawsuits [under Title III] against persons trafficking in property . . . confiscated by the Cuban regime.”

The announcement represented the first time a presidential administration did not suspend Title III’s private right of action, since the enactment of the Libertad Act on March 12, 1996.[1] This administration’s stated policy goal in effectuating Title III was to increase global pressure on the promotion of democracy in Cuba and the region. The announcement coincided with the administration’s increased efforts to stifle support, including Cuba’s support, for the Maduro Government in Venezuela.

Specifically, the statute invites a federal private right of action: (1) by U.S. nationals, (2) who acquired ownership prior to enactment (March 12, 1996) of a claim to property, which was expropriated by the Cuban Government between January 1, 1959 and March 12, 1996; (3) and the claim must be brought (a) against persons who have trafficked or are trafficking in the confiscated property and (b) no later than two years after the trafficking giving rise to the action ceased to occur. “Trafficking” is defined as the use of, the participation in the use of or transfer of the expropriated property or the deriving of a commercial benefit from activity involving the property.

The potential specter of liability and scourge of Title III—the Department of State reports that there are at least 200,000 potential claims under Title III—has concerned stakeholders since enactment. Title III’s definition of “trafficking” reaches an endless causal chain of transactions and/or benefits involving property, including securities, in Cuba. No attenuation principle or defenses to trafficking are available under the statute, and the act of state doctrine is declared inapplicable. Therefore, for more than twenty years, defeating a Title III claim has been seen as a legal puzzle.

The global legal community received Title III as a violation of international law.[2] Foreign governments—Canada, Europe, and Mexico—enacted “blocking statutes” to protect their nationals’ interests.

This Post analyzes the purpose and effectiveness of a blocking statute, and the role of a blocking statute in a litigation defense based on international comity doctrines such as foreign compulsion. The Post examines, in particular, the EU blocking statute and its import within a Title III litigation strategy; and the Post proposes that one of the legacies of the Libertad Act—before the Act is repealed or suspended again—may be as a vehicle for further defining the contours of the foreign sovereign compulsion doctrine. Title III litigation can serve as a barometer for the viability of sustaining an international comity defense in an era characterized by the expansion of the extraterritorial application of U.S. law. As the jurisdictional reach and extraterritorial application of U.S. law expands, how will courts react to a defense based on blocking statutes and the doctrine of foreign sovereign compulsion? Will the doctrine and jurisprudence evolve to avoid international discord and promote comity?

Blocking Statutes and the Foreign Sovereign Compulsion Doctrine

Blocking statutes are foreign countermeasures: foreign laws that conflict with and attempt to counteract the effect of the extension of U.S. law beyond its borders. Defenses based on blocking statutes almost uniformly fail, however, in U.S. courts.

Since Société Nationale Industrielle Aérospatiale v. U.S. District Court for S. Dist. of Iowa, 482 U.S. 522, 555 (1987), which held that a French Blocking statute “does not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate the statute,” “U.S. courts have ordered foreign parties to break their own countries’ laws with increasing frequency” and “almost all of the U.S. court-ordered violations of foreign law contravene foreign ‘blocking statutes.’”

Blocking statutes are treated by U.S. courts as issues of international comity, choice of law, and the deference to be afforded to a foreign sovereign and its laws. On balance are U.S. interests, the foreign interests, the litigants’ interests and, in the discovery context, the degree to which alternative procedures are viable. Courts typically consider four factors, which usually militate against the viability of a foreign blocking statute defense: (1) the fact that federal law governs matters of procedure, including discovery procedures;[3] (2) the severity and enforcement history of sanctions under a foreign blocking statute—i.e. are the sanctions real?; (3) temporality—whether the foreign law was enacted post-hoc; and, relatedly, (4) whether the foreign law pertains to the original, underlying conduct at issue in the litigation.

A litigation defense based on a blocking statute is often characterized as a foreign sovereign compulsion or international comity defense. It asks courts to consider “the political questions raised by one sovereign adjudicating the acts and/or laws of another.” The foreign sovereign compulsion doctrine, as detailed in the Restatement (Third) of the Foreign Relations of the United States § 443 (1986), recognizes that a foreign party should not be caught “between the rock of its own law and the hard place of U.S. law” and provides reasonable “protection from being caught between the jaws of this [U.S.] judgment and the operation of laws in foreign countries.” In practice the scope of the defense is narrow, especially as applied most frequently in the antitrust context: the defendant’s act (e.g., anticompetitive behavior) challenged as a violation of U.S. law must have been compelled in the first instance by a foreign sovereign within that sovereign’s jurisdiction and the refusal to comply must trigger the imposition of severe sanctions.

The EU Blocking Statute and the Libertad Act

The EU Blocking Statute, Council Regulation (EC) No 2271/96 of November 1996 aims, among others, at counteracting the extra-territorial application of U.S. laws. It provides that “EU Operators [including nationals, residents and legal persons incorporated in the European community] shall not comply with the listed extra-territorial legislation, or any decision, ruling or award based thereon.” Under the statute, “business decisions [should] remain free” and not be “forced upon EU operators by the listed extra-territorial legislation which the Union law does not recognise as applicable to them.”

Since the full implementation of the Helms-Burton Act in May 2019, multiple Title III lawsuits have been filed against French, German, and Spanish operators. By merely participating in the litigation, these EU operators are confronted with the prospect of violating Articles 5 and 9 of the Blocking Statute, which prohibit compliance with U.S. extra-territorial sanctions, (“whether directly or through a subsidiary or other intermediary”), including requests by courts. These violations are to be enforced by sanctions and penalties implemented by each Member State that are “effective, proportional, and dissuasive.” Meanwhile, non-appearance in a Title III suit in the U.S. could result in a default judgment and have other knock-on effects such as an exclusion from entering the United States and doing business in the United States under Title IV of the Libertad Act.[4] How then will a U.S. court rule when faced with a Title III EU operator defendant’s dilemma?

Predicting How a Court Will Rule

Recent case law on foreign sovereign compulsion and blocking statutes suggest a renewed focus on fairness and the protection of international comity. At its essence, an international comity defense asks a court to determine whether a defendant “is subject to conflicting legal obligations under two sovereign states” and whether “compliance with the laws of both countries is . . . impossible.”

The characterization of the EU blocking statute therefore is crucial. To sustain a viable defense, a defendant must show that it cannot comply with both the blocking statute and the requirements of Title III. The EU blocking statute conflicts with Title III in two ways: (1) it approves of “trafficking,” business interests with Cuban property—the underlying conduct which is the focus of Title III; and (2) it compels an EU operator defendant to abstain from complying with Title III litigation by sanctioning compliance with Title III litigation.

But other considerations relating to international comity must also be taken into account. For example, the Guidance Note 2018/C 277 I/03 to the EU Regulation, which states: “In 1998, the Union and the U.S. signed a Memorandum of Understanding by which the U.S. administration suspended the application of certain provisions of the Cuba extra-territorial sanctions ‘as long as the EU and other allies continue their stepped up efforts to promote democracy in Cuba.’” Importantly, Pompeo’s announcement on April 17, 2019 did not reference this Memorandum and did not suggest that operators from the EU and other allies were punished for their sovereign’s failure to uphold its commitment to promote democracy in Cuba.

Therefore, a court deciding a Title III action against an EU operator and resolving to abstain may rely on the compulsion experienced by a defendant in its home jurisdiction—to not comply with the requirements of Helms-Burton Act (including through the participation in Title III litigation)—as well as on the need to maintain “reciprocal tolerance” and “amicable working relationships between nations.” Recent case law suggests that courts are more likely to focus on the former. In In re Vitamin C Antitrust Litig., 837 F.3d 175, 194 (2d. Cir. 2016) the court boiled international comity to a true or pure conflict analysis and noted “that while we abstain from adjudicating Plaintiffs’ claims with respect to the Defendants’ conduct, the Plaintiffs are not without recourse to the executive branch, which is best suited to deal with foreign policy, sanctions, treaties, and bi-lateral negotiations.”

Conclusion

Cases that turn on considerations of international comity often raise fraught political issues. Title III of the Helms-Burton Act is an object lesson: for years, it seemed a non-administrable law, confirmed by presidential practice suspending its application. Now that it has taken effect, defendants find themselves caught, in some instances, between conflicting legal obligations under two sovereigns.

The effectuation of the Helms-Burton Act can be seen as apiece with the expanding jurisdictional reach of U.S. law. The Helms-Burton Act, therefore, provides a fruitful context to test and clarify the scope and parameters of international comity and the comity doctrine of foreign sovereign compulsion. The atmospherics surrounding the Helms-Burton Act suggest that international comity may evolve to meet the challenge of Title III.

Even if a defense fails based on a government interest analysis—i.e. the interests of the U.S. sovereign prevail over those of the foreign state—a judge may be sympathetic to the defendant caught between conflicting obligations. A judge may also abstain to preserve international harmony. A settlement or damage award in a Title III suit would likely set off parallel litigation under the EU Blocking Statute and other reciprocal treatment. Under Article 6, EU operators can bring a parallel private right of action against persons who cause damage to them through the extraterritorial application of U.S. law, such as a Title III lawsuit. A judge may abstain therefore to avoid internecine international conflicts. The evolution of jurisprudence in the Helms-Burton context could thus have a broader impact on the international comity doctrine beyond defeating the albatross of Title III.

Jason Rotstein is an associate at Arent Fox LLP in Washington, D.C., practicing litigation, trade, and international arbitration. He counsels parties in complex cross-border disputes and international litigation, including Helms-Burton Act litigation. He also writes commentary on developments in public international law, particularly the interaction between international tribunals and courts. The views expressed in this Post are his alone and do not reflect the opinion of Arent Fox LLP or its clients.

[1] The story of Title III of the Helms-Burton Act reads as the stuff of legend, especially for international lawyers: personal vendettas, punitive measures, and, potentially, internecine international conflicts. In one camp are Nicholas Gutierrez and Ignacio Sanchez, who participated in the drafting of the legislation and shepherded the transfer of claims to U.S. nationals. (Title III retroactively provides rights to persons who transferred or assigned a claim to ownership of expropriated Cuban property to a U.S. national prior to enactment.) For them and potential claimants, the announcement represented the end of a road. In another camp are the scores of potential defendants, for which the mechanics of Title III have been a source of perplexity and perturbation.

[2] See U.S. Department of State, Legal Considerations Regarding Title III of the Libertad Bill, 141 Cong. Rec. S15106-01, 1995 WL 600630 (daily ed. Oct. 12, 1995) (“The LIBERTAD bill would be very difficult to defend under international law, harm U.S. businesses exposed to copy-cat legislation in other countries, create friction with our allies, fail to provide an effective remedy for U.S. claimants and seriously damage the interests of FCSC certified claimants. It would do so by making U.S. law applicable to, and U.S. courts forums in which to adjudicate claims for, properties located in Cuba as to which there is no United States connection other than the current nationality of the owner of a claim to property.”); see also Vaughan Lowe, U.S. Extraterritorial Jurisdiction: The Helms-Burton and D’Amato Acts, 46 Int’l Comp. L.Q., 378, 384 (1997); Andreas F. Lowenfeld, Agora: The Cuban Liberty and Democratic Solidarity (LIBERTAD) Act, 90 Am. J. Int’l L. 419, 429-430 (1996); Robert L. Muse, A Public International Law Critique of the Extraterritorial Jurisdiction of the Helms-Burton Act (Cuban Liberty and Democratic Solidarity (Libertad) Act of 1996), 30 Geo. Wash. J. Int’l L. & Econ. 207 (1996); August Reinisch, Widening the US Embargo Against Cuba Extraterritorially: A Few Public International Law Comments on the ‘Cuban Liberty and Democratic Solidarity (LIBERTAD) Act of 1996’, 7 Eur. J. Int’l L. 545, 550 (1996).

[3] Blocking statute litigation frequently arises in discovery disputes. Discovery is sought in a foreign country and a foreign blocking statute mandates alternative procedures.

[4] Although Title IV is an administrative sanction, a Title III and a Title IV action may happen in parallel. The actions are often complementary and the pressures to settle concomitant.

Perspectives

“Contracting Out” Human Rights in International Law: Schrems II and the Fundamental Flaws of U.S. Surveillance Law

By: Genna Churches and Monika Zalnieriute

Introduction

International Data Transfers and U.S. Surveillance Law: Schrems I

International Data Transfers Continued: Schrems II

So How Can Data Be Transferred to the United States Now?

Will “Contracting Out” Human Rights to the United States Be Possible?

Conclusion

UK and Canada Domestic Courts’ Game-changing Rulings and International Custom: A Dress Rehearsal for Global Sustainability Law?

Introduction

R v. Secretary of State for Transport (the Heathrow Ruling)

Discussion

Nevsun v. Araya (the Nevsun Ruling)3I am grateful to Penelope Simons for her insightful comments on my analysis of this case.

Discussion

General Implications

What to Expect Next

Concluding Remarks

Security and Human Rights Challenges of Cyber Due Diligence

Introduction

Cyber Due Diligence

The Preventive Component of Due Diligence

Intersections with Human Rights Law

Conclusion

The International Health Regulations: The Past and the Present, But What Future?

The IHR: An Instrument Informed by Past Pandemics

At Present: IHR vs. COVID-19

Nations’ Lack of Core Capacities Hurt COVID-19 Response

Member States Violated Key IHR Provisions

Political Pressures Pose Impediments

What Future for the IHR?

Conclusion

International Tax Law: Adopting the OECD Model in Light of Recent Empirical Findings

The Current State of Play

An Ephemeral Customary Tax Law

But Should A Customary International Tax Law Exist?

Loopholes and Information Exchanges

Is There A Solution?

The Legacy of the Libertad Act: Defeating Title III Claims and Protecting International Comity

Introduction

Blocking Statutes and the Foreign Sovereign Compulsion Doctrine

The EU Blocking Statute and the Libertad Act

Predicting How a Court Will Rule

Conclusion

R v. Secretary of State for Transport **(the Heathrow Ruling)**

Nevsun v. Araya **(the Nevsun Ruling)**³