How extraterritorial laws impact your organization's sovereignty?

A world based on state sovereignty is a world of mutually exclusive territorial jurisdictions; a world without overlapping jurisdictions.[1]

The usual conception we have is that each State is sovereign within its geographical limits. However, the reality is that digitalization and extraterritorial laws today challenge the notion of territorial sovereignty and create overlapping jurisdictions. The mismatch between internet territory and political territory is at the root of the current technological debate, since internet communications and digital technologies tend to be unbounded geographically.[2] Although this helps create a unified and unfragmented digital space, it poses certain legal uncertainties concerning extraterritorial laws.

Extraterritorial laws are laws in a given territory that can produce effects and be applicable within a sovereign foreign territory. A major consequence of such laws is that they create a “denial of territoriality i.e. the attempt to exercise control over persons, situations or areas outside the controller’s territory.[3] Today, this issue is not only relevant within the borders of a State but also extends to the business world, becoming a key factor that companies must consider when developing their strategy.

The organizational risks of extraterritorial laws

The global debate surrounding sovereignty and extraterritorial laws stems from the concrete risks that companies face on a daily basis. The first risk is not being aware that foreign laws may impact your business. One well-known example of this is the US Cloud Act.[4] During a criminal investigation, it allows US law enforcement agencies to order communication service providers to disclose data regardless of where that data is located.[5]

The Cloud Act applies not only to US-based organizations, but also to entities like US subsidiaries of foreign companies and non-US subsidiaries of American companies. Hence, you may be required to disclose your data or your customers’ data to a US law enforcement agency under the Cloud Act. The risk here is that companies could lose the trust of clients concerned about having their data disclosed to a foreign authority.

In addition, legal uncertainties arise when a company is unable to grasp the scope and implications of extraterritorial laws. Some companies might comply with access requests even when they are not covered by such foreign laws, and vice versa. Moreover, it creates a concrete risk of conflict with foreign law. As an example, if a foreign government issues a subpoena for data stored in another country, that country may require a stronger warrant than a subpoena.[6] Another example is Article 48 of the General Data Protection Regulation (GDPR), which clearly states that transfers or disclosures are not authorized by EU law unless they are based on an international agreement such as a mutual legal assistance treaty. This would put the company in a difficult position, where complying with one country’s laws would violate the laws of another. Finally, the possible weakening of information security is another risk that organizations face.

Indeed, extraterritorial laws must be analyzed in conjunction with the increase in laws related to the technical access to data by law enforcement authorities (e.g. the Australian Assistance and Access Bill 2018). The increase in requests from law enforcement authorities and technical access requests can have a direct impact on data security. In fact, it directly opposes the application of principles such as security by design or the importance of encrypting data in transit, at rest, in communication exchanges or in the cloud. While some US providers argue that they have received very few requests to date, the proliferation of laws related to data access (US Cloud Act, E-Evidence regulation, etc.) creates a substantial risk that organizations will simplify access and weaken security measures to facilitate compliance. In addition, it’s worth noting that the US Cloud Act includes the right for service providers to “intercept or disclose the contents of a wire or electronic communication in response to an order from a foreign government” — including real-time interception.[7] Even if this foreign government has entered into an executive agreement with the US, the possibility of real-time interception is simply not technically compatible with highly secure encryption methodologies.

While it is true that companies cannot always be experts in every extraterritorial law that might impact on their sovereignty, it is nevertheless crucial to develop a strategy for dealing with any legal request coming from a foreign government, both for internal needs and requests concerning client data.

Can you protect yourself, and how?

First of all, can an organization rely on the State’s ability to regulate data protection and cybersecurity within its own territory? With the adoption of the GDPR, the European Union has ensured that it maintains the ability to protect the personal data of its citizens, regardless of their location. Concerning its territorial scope, Article 3 states that the regulation applies “regardless of whether the processing takes place in the Union or not.”

Without such requirements, the EU would have simply lost its ability to protect the personal data of its citizens in a world where a massive amount of data is processed outside its territory. In addition, the Mutual Legal Assistance treaties that regulate judicial cooperation between States were introduced for reasons, such as privacy protections and to provide legal certainty. These are now being bypassed by extraterritorial laws. Data protection is essential to building trust in the digital transformation, but it is not enough. The ability of governments to regulate and set standards for cybersecurity, AI governance and data flows is also essential to preserve the sovereignty of companies over their data.

Second, is it possible for companies to implement adequate contractual measures to maintain their sovereignty? In some cases, the extraterritorial law behind a data access request may have no obligation to notify the owner of the data.[8] Hence, you may not be able to challenge a disclosure request simply because you are not even aware of it. It is possible to set up contractual terms that require you to be informed and/or enable you to challenge a data access request before a judge, although this may not always be effective. For example, the warrant might need to remain confidential and in practice, court challenges of warrants are often unsuccessful. Legal certainty and contractual legal terms are all important to preserving organizational sovereignty over data but alone, they are ineffective. Hence, they must be implemented alongside technical measures.

When every barrier has been overcome, a last one remains, making it the most strategic of all: encryption. Security best practices such as zero knowledge and data partitioning as well as highly secure identity and access management are essential to ensure that your organization is protected against the impact and uncertainty around extraterritorial laws. The increasing cooperation between data protection and cybersecurity authorities regarding standards and certifications (like the European Cloud services certification scheme) is helping solution providers address sovereignty concerns and protect customers against extraterritorial laws, while ensuring transparency.

In this digital world, you cannot escape extraterritorial laws, which is why you must retain control over data and protect it as if it were gold.


[1] JACKSON, R. 1999. “Sovereignty in World Politics: A Glance at the Conceptual and Historical Landscape”

[2] “Will the Internet fragment?” Milton Mueller

[3] Representations of the (Extra)territorial: Theoretical and visual perspectives Cedric Ryngaert*, Utrecht Law Review

[4] Clarifying Lawful Overseas Use of Data

[5] including data stored on servers outside of the US (Cloud Act §2713)

[6]New U.S. CLOUD Act is a threat to global privacy – Access Now

[7]https://www.justice.gov/dag/page/file/1152896/download

[8] This is the case for the Cloud Act for example

Share this article

About the authors

Wissame En-Naoui

Data Protection Legal Expert, Atos

Wissame is a Data Protection Legal Expert at Atos since two years and support the data protection compliance at a global level. She has a strong legal educational background with a focus in European and international data and technology law. She holds two master’s degree in this field, from the University of Oslo (LLM in ICT law) and the prestigious University Paris II Panthéon-Assas (Master 2 in digital law).

Follow or contact Wissame

Laurence Bégou

Responsible for relations with institutional partners and communication for Digital Security, Atos

Laurence has held several roles in the European parliament as political advisor, working on regulations related to the digital single market (GDPR, e-privacy, contract law, etc).

In her last position at the ANSSI (French national cybersecurity agency), Laurence was European and International Political Affairs Officer, managing the international relations of ANSSI on cybersecurity key topics such as Cloud, IOT, 5G.

At Atos, Laurence is responsible for relations with institutional partners and communication for Digital Security.

Follow or contact Laurence