Litigating Data Sovereignty.

• Author: Woods, Andrew Keane

ARTICLE CONTENTS INTRODUCTION 332 1. THE DATA-SOVEREIGNTY DISPUTES 339 A. The Issues 340 1. Takedown Orders for Extremist Content 340 2. Delisting and the Right to Be Forgotten 341 3. Law Enforcement Requests for Data 345 4. Surveillance 347 5. Digital Trade Restrictions 350 B. Common Features 351 1. Digitization 351 2. The Cross-Border Cloud 352 3. Conflicts of Laws 353 4. Arbitrage Opportunities 354 5. Sovereignty Concerns 355 II. THE CASE FOR SOVEREIGN DEFERENCE 359 A. What Is Data "Sovereignty"? 360 1. Sovereign Capacity 360 2. Embracing Data Sovereignty 364 B. Embracing Sovereign Differences 366 C. The Case for Sovereign Deference 371 III. THE SOVEREIGN-DEFERENCE DOCTRINES 371 A. Restraint 374 1. Remedies 374 2. Production Orders 378 3. Statutory Interpretation 380 B. Recognition 381 1. Enforcement of Judgments 382 2. Sovereign Compulsion 383 C. Encouraging Comity 384 1. Resisting Blocking Statutes 384 2. Reciprocity 385 IV. WHAT SOVEREIGN DEFERENCE DOES NOT PRECLUDE 386 A. Extraterritorial Production Orders 387 B. Global Injunctions 389 C. International Agreements 393 V. COURTS AND BEYOND 394 A. The Question of Competence 395 B. Sovereign Deference by the Legislature 399 C. Sovereign Deference by the Executive 402 D. Sovereign Deference by Internet Firms 404 CONCLUSION 405 INTRODUCTION

The key questions of internet global governance--including which nations get to determine how internet services operate globally--are being resolved by courts. A number of high-stakes cases ask courts to identify foreign sovereign interests, weigh them against domestic interests, and defer to foreign sovereigns where appropriate. (1) Consider a few recent examples:

1. On February 27, 2018, the United States Supreme Court heard oral argument in Microsoft's long-running dispute with the Department of Justice (DOJ) over the territorial reach of the Electronic Communications Privacy Act (ECPA). (2) In its petition for certiorari, the DOJ asked the Court to overturn the Second Circuit's ruling that ECPA does not apply extraterritorially--a ruling that prevented American law enforcement from compelling technology companies to produce emails stored on foreign datacenters. (3) The petitioner urged the Court to allow ECPA's production orders to compel the production of foreign-held emails, (4) a view that Microsoft argued would be an incursion upon Irish sovereignty. (5) The case raised questions, Microsoft noted, about "the sovereignty of data." (6)

2. On July 27, 2017, Google asked the U.S. District Court for the Northern District of California for declaratory relief from a Canadian court order that required Google to remove certain websites from its search results. The order sought to change Google's search results not just in Canada but also globally. (7) The issue, Google said, is one of "international comity" (8) because the "Canadian Order purports to place the Canadian court in the position of supervising the law enforcement activities of a foreign sovereign nation (the United States)." (9)

3. On July 19, 2017, France's top administrative court, the Conseil d'Etat, referred a case to the European Court of Justice for the European Union regarding Google's refusal to comply with an order that the firm apply its right-to-be-forgotten regime not only within Europe, but worldwide. (10) Google stated that it is fighting the order because "one country should not have the right to impose its rules on the citizens of other countries." (11)

   Despite their substantive differences, each of these cases presents a court with a similar set of jurisdictional line-drawing questions. What is the scope of sovereign authority over the cloud? (12) Are extraterritorial exercises of jurisdiction lawful? How much deference is owed to foreign sovereign interests in regulating internet activity? How should courts weigh competing claims of sovereign authority? In other words, each of these disputes implicates the subset of foreign affairs law known as comity. (13) Comity is the principle that courts should recognize and sometimes defer to foreign sovereign interests. This principle has been incorporated into American law in a number of different sovereign-deference doctrines. (14) How, then, do these doctrines apply to cross-border internet disputes?

   This Article offers a roadmap for answering this question. Despite the novelty of the underlying technologies involved in these cases, the doctrinal challenges are not so new. Courts have long resolved cross-border legal controversies by applying sovereign-deference principles, and in that regard today's data sovereignty disputes are no different. A study of these principles reveals that courts have a suite of tools at their disposal to manage data sovereignty concerns and in so doing craft sensible global internet policy. The Article examines both how these sovereign-deference doctrines might apply to data sovereignty disputes (15) and how they might not apply. (16) Contrary to what some have claimed, these doctrines anticipate that sovereign interests extend beyond territorial borders. (17) In several high-profile internet disputes, large technology firms and some states have argued that sovereignty concerns prohibit extraterritorial exercises of jurisdiction. (18) However, no principle of sovereign deference per se prohibits global injunctions, global takedown requests, or other forms of extraterritorial exercises of jurisdiction over the cloud. (19) Instead, comity principles sometimes call for deference to and even enforcement of cross-border legal orders. (20) Ultimately, the Article offers a defense of two controversial positions: (1) that efforts by national sovereigns to regulate the internet in ways that have extraterritorial effects are inevitable; and (2) that courts are well equipped to manage disputes where conflicts arise.

   In earlier work, which focused on law enforcement access to data in other jurisdictions, I argued that courts should rely on a relatively simple conflicts-of-laws principle: they should balance competing governments' interests against one another. (21) This Article builds on that idea by clarifying the meaning of "government interest" in the context of the frequently invoked sovereignty doctrines, and by looking beyond the law enforcement context to the cross-border regulation of the internet more generally.

   In doing so, the Article connects two distinct scholarly literatures: scholarship about the regulation of data and scholarship about foreign affairs. Reading these literatures together makes good sense today for two reasons. First, scholars of data regulation are increasingly concerned with sovereignty, which has long been a central focus of foreign affairs scholarship. While sovereignly concerns arose in even the earliest internet scholarship, they have new significance today. (22) Many of the early internet-jurisdiction cases dealt with relatively simple scenarios--such as when someone in State A posts something online that violates the law in State B (23)--that do not match the scale or complexity of, say, the European Union regulating speech rules for a two-billion-user platform like Facebook. (24) The power dynamics were different then as well. When Yahoo! battled with France over a decade ago, in one of the early data sovereignty cases, Yahoo! was a relatively small company. (25) By contrast, today's data sovereignty disputes pit the world's most valuable companies against nation-states. Indeed, in their extreme form, they pit alliances of powerful companies against alliances of nations. (26) This new power dynamic is precisely what has caused some scholars to worry--wrongly, in my view (27)--that states have ceded sovereignty to large technology firms. (28)

   Second, reading these literatures together reveals a shared concern over institutional competence. Scholars writing about the regulation of new technologies have engaged in a decades-long debate about the proper role of courts as creators of technology policy. (29) Some argue that courts should exercise special restraint in areas of fast-changing technology policy because they are less well suited to developing technology policy than the other branches of government. (30) Others disagree, arguing that technology policy is not so exceptional and that courts offer certain advantages over the other branches. (31) This exchange echoes similar debates about the role of courts in foreign affairs. (32) There is a growing body of scholarship that describes how courts engage in forms of isolationism, (33) while others argue that judicial management of foreign relations is more common and less exceptional than previously thought. (34) Whether these developments are cause for celebration or cause for concern depends on one's views about the appropriate role for courts in foreign affairs, (35) perhaps the central normative question among foreign affairs scholars. (36)

   These two literatures converge in the data-sovereignty cases. One might view the cases as especially ill-suited for courts because they require courts to set technology policy for the global internet. And yet, these cases continue to test both our foreign affairs doctrines and the judiciary's ability to manage new areas of technology policy. We may need to look to other actors besides courts to manage these disputes, and we may also learn something new about the appropriate relationship between the judiciary and other branches in managing both foreign affairs and technology policy. (37)

   The Article proceeds as follows. Part I examines several high-profile internet-governance cases and identifies some of their shared features. The resolution of each of these issues defines, often for the first time, the limits of state control over the internet. Because the phrase "sovereignty" is so notoriously broad, Part II offers a specific articulation of what that concept might mean in the context of the internet. This Part interrogates the idea that...