Customary International Law, National Law, and Considering Data as Objects

Cyberspace is a relatively new domain. It exists as something of a parallel universe, where properties and rules frequently differ from those of the physical world. And much of what occurs in cyberspace is unseen. Accordingly, the essential elements of customary international law—State practice and opinio juris—remain relatively limited, and their interpretation can sometimes be controversial. This poses challenges when assessing how customary international law forms and develops in cyberspace. In that regard, one particularly challenging question is whether data encountered during cyber operations constitute “objects” under the law of armed conflict.

Many commentators have expressed views on this question, with arguments made on both sides. For example, a majority of the Tallinn Manual International Group of Experts concluded that “the law of armed conflict notion of ‘object’ is not to be interpreted as including data, at least in the current state of the law” (rule 100, commentary para. 6). As this post, highlights, however, this position is in potential conflict with some national law, including domestic Italian law and may not actually align with the practice of States as viewed through domestic judicial decisions. On that score, Laiba Lone notes,

States do not appear to be in consensus on the matter. For example, Germany’s position is that “[…] a civilian object like a computer, computer networks, and cyber infrastructure, or even data stocks, can become a military target, if used either for both civilian and military purposes or exclusively for the latter.” Other states, such as Norway, maintain that data can be considered an object during target selection. France is of the view that civilian content data may be considered a protected object. While Romania agreed that cyber operation against data trigger IHL and civilian objects/data may not be attacked. This is a more modern approach to interpreting the treaty. In contrast, countries like Israel, Denmark and Chile are of the view that “under current international humanitarian law […] data would not qualify as objects, in principle, because they are intangible.” Thus, the lack of state consensus makes it difficult to determine the way forward in regulating cyberspace.

This post seeks to provide clarity on the issue of whether data encountered during cyber operations constitute “objects” under the law of armed conflict by identifying relevant State practice and opinio juris through the lens of decisions by domestic courts. In addition to casting light on this important legal question, the analysis also illuminates important aspects of how customary international law is formed and developed in cyberspace.

The Identification of Customary International Law

One of the more challenging aspects of defining customary international law is ascertaining the existence of opinio juris, defined by the International Court of Justice as the “belief that [a] practice is rendered obligatory by the existence of a rule of law requiring it.” One may look to official declarations by States to ascertain opinio juris. As the Tallinn Manual notes in its introduction, “because State cyber practice is mostly classified and publicly available expressions of opinio juris are sparse, it is difficult to definitively identify any cyber-specific customary international law.”

But States do not necessarily behave according to the positions that they articulate. In other words, while statements articulating national positions on the law applicable to cyberspace could very well be evidence of State practice, such statements do not necessarily align with the actual behaviour of States. Similarly, evaluating State practice also raises challenges that can be more acute in the cyber domain. According to Conclusion 5 of the Draft Conclusions on Identification of Customary International Law (2018), “State practice consists of conduct of the State, whether in the exercise of its executive, legislative, judicial or other functions.” Much of what occurs in cyberspace, however, happens outside of public view.

How then might we properly identify customary international law in light of these challenges? One answer presents itself in Conclusion 13.2. of the Draft Conclusions, which states that “regard may be had, as appropriate, to decisions of national courts concerning the existence and content of rules of [customary international law], as a subsidiary means for the determination of such rules.” Further, Conclusion 10 of the Draft Conclusions, with regard to opinio juris, puts decisions of national courts on an equal footing with public statements made on behalf of States, official publications, and government legal opinions.

Moreover, as national courts judgments are not political statements—but rather decisions with legally binding effects—their relevance from the perspective of opinio juris might be considered even more significant than that of national positions on the law applicable to cyberspace. Indeed, it should not be forgotten, in line with the Guiding Principles applicable to Unilateral Declarations of States Capable of Creating Legal Obligations (2006), that “a unilateral declaration entails obligations for the formulating State only if it is stated in clear and specific terms. In the case of doubt as to the scope of the obligations resulting from such a declaration, such obligations must be interpreted in a restrictive manner.”

Further, as national courts judgments are generally based on analysis of national law which, in turn, was developed by national legislatures, such decisions are also evidence of the opinions and practice of States as revealed through their legislative decision-making. Insight into the rationale undergirding the actual creation of the law should be considered of great interpretive value. Decisions of national courts are, therefore, an effective means for identifying the content of rules of customary international law.

The Notion of Objects as Interpreted by Italian Jurisprudence

With that context in mind, this post next turns to Italian jurisprudence. While the Italian Position Paper on International Law and Cyberspace (2021), does not clearly address the notion of data as objects, Italian courts have addressed the question in great depth. In that regard, the judgment of the Court of Cassation n. 11959 of November 7, 2019, is instructive.

In brief, the facts of the case concerned conduct of a former employee of a private company who, after his resignation, returned the company’s computer with the hard disk formatted. Further investigation discovered that the former employee had copied data from the company’s computer, which were partly found on his personal computer. Therefore, the Court had to decide if data (in the sense of files) should be considered as a mobile object, within the meaning of the criminal provision on embezzlement, as defined by Article 646 of the Criminal Code. That law states:

Whoever, to procure an undue profit for himself or others, appropriates money or other movable goods of which he has possession for any reason, is punished, upon report of the victim, with imprisonment from two to up to five years and a fine from 1.000 Euro to up to 3.000 Euro. If the object is the possession of the author as necessary deposit, the penalty is raised.

According to the Court of Cassation a file should be considered as a mobile object because:

[A]lthough it cannot be physically perceived from a sensorial point of view, it has a physical dimension constituted by the size of the data that compose it, as demonstrated by the existence of units of measurement of the capacity of a file to contain data and the different size of the physical supports in which the files can be stored and processed. Therefore, even if the requirement of a material perceptible apprehension of the file is lacking (except when it is fixed on a digital support that contains it), it certainly represents a mobile object, definable in terms of its structure, the possibility of measuring its the extension and capacity to contain data, its capacity of being transferred from one place to another, even without the intervention of physical structures directly understandable by man (para. 1.7).

This decision of the Court of Cassation cannot be described as an isolated one, as the same court in its previous case law already equated data/files with objects. Particularly, in judgment n. 24617 of June 10, 2015, within the context of seizure, the Court of Cassation acknowledged the possibility of challenging a seizure warrant in case files extracted from a computer that was still in the possession of the Prosecutor. In that decision, the Court of Cassation recognized a material interest in the exclusive availability of the data and so the possibility to challenge the seizure warrant was only subject to concrete and actual interest in the restitution of the data to be demonstrated by the claimant. In that respect, the Court referred to the 2011 Budapest Convention on Cybercrime, which “has made it explicit in the criminal law that the concept of «thing» also covers computer data as such.” (para. 6.2).

Finally, Italian Court of Cassation case law already addressed the notion of “things,” as also including “things” lacking physical tangibility. For instance, in its judgment n. 36845 of September 26, 2008, the Court was asked to determine if electromagnetic waves emission might be considered within the scope of Article 674 of the Italian Criminal Code. This states:

Anyone who throws or pours, in a place of public transit or in a private place but of common use or of others’ use, things capable of offending or soiling or harassing people, or, in cases not permitted by law, causes emissions of gas, vapours or smoke, capable of causing such effects, is punishable by imprisonment for up to one month or a fine of up to €206.

The Court concluded,

in the expression “throwing of things”, used by the Article 674 of the criminal code, can also be included, through a simple extensive interpretation, the creation, emission and propagation of electromagnetic waves. There is nothing to prevent the term “thing”, already largely generic in itself and suitable for expressing a plurality of meanings, from also including energies, which are peacefully endowed, like the res qui tangi possunt, with physicality and materiality and which therefore, both for their ability to be measured, perceived and used and for their physical individuality, can well be considered as “things” (para. 8).

This line of cases, therefore, demonstrates that Italian courts have viewed data as objects for the purposes of Italian domestic law. This has important implications for the evaluation of customary international law, for which Italian jurisprudence should be considered a significant factor. As this post demonstrates, court decisions—the reasoned articulation of the law by those responsible for its authoritative interpretation—are frequently a more accurate reflection of both State practice and opinio juris. As great jurists have opined, “In every city, the law is a solemn declaration of the intent of the sovereign power with regard to a matter of common interest.”

Conclusion

The evaluation of Italian jurisprudence in this post demonstrates that—beyond the content of national-level statements—Italian law holds that data constitutes an “object.” This judicial outcome appears to contrast with the conclusion of the majority of experts involved in drafting the Tallinn Manual, who consider that data is not an object under the law of armed conflict. This post has identified, therefore, a potential dissonance between these two positions. Moreover, this post stresses the critical importance of domestic jurisprudence in the interpretation and development of customary international law in cyberspace.

Given how frequently cyber operations are unobserved by the public eye, ascertaining State practice and opinio juris can be challenging. Domestic judgements may, therefore, fill the gap when governmental statements are unclear or moreover “give voice” to States that have not made any public statement. Furthermore, identifying general principles of law applicable to cyberspace through national judgments may also mitigate the unwillingness of States to agree on legally binging norms for cyberspace. The proposed approach seems particularly promising because it can be reasonably expected that national courts, all around the world, will necessarily address legal questions relating to cyberspace, thereby shaping and influencing development of international law in this complex field.

***

Davide Giovannelli is a Commander in Italian Navy (OF-4) seconded at the NATO Cooperative Cyber Defence Centre of Excellence as Researcher in the Law Branch. I would like to thank the anonymous reviewers for their valuable comments on an earlier draft of this piece.

Photo credit: Unsplash