Data’s intangibility poses significant difficulties for determining where data is located. The problem is not that data is located nowhere, but that it may be located anywhere, and at least parts of it may be located nearly everywhere. And access to data does not depend on physical proximity.
These implications of data’s intangibility challenge traditional international law on jurisdiction. International jurisdictional rules rest in large part on States’ sovereignty over a particular territory and authority over people and things within it, and they presuppose that the location of people and things are finite and knowable. The era of cloud computing — where data crosses borders seamlessly, parts of a single file may exist in multiple jurisdictions, and data’s storage location often depends on choices by private companies — raises new and difficult questions for States exercising enforcement authority, companies receiving requests from law enforcement agencies, and individuals seeking to protect their privacy.
As a part of the Texas Law Review’s symposium on the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, this Essay critiques Tallinn 2.0’s rules and commentary on the international law governing jurisdiction, especially its treatment of extraterritorial jurisdiction. The Essay first describes the Manual’s rules and commentary on extraterritorial jurisdiction, and then raises a procedural objection to the Manual’s approach, namely that ongoing debates about how to determine data’s location make the law too unsettled for a restatement project. The Essay then highlights several substantive concerns with and questions raised by the Manual’s approach. In light of these critiques, the Essay concludes with some suggestions on how to make progress in resolving conflicting international claims to jurisdiction over data going forward.