Author: Poornesha Palanivelan, Government Law College, Tiruchirappalli
1: TO THE POINT
The rise of cyberspace has fundamentally challenged the classical Westphalian model of territorial sovereignty. While the internet transcends physical borders, states continue to assert sovereign rights over digital infrastructure, data flows, and online conduct. This article examines whether sovereignty can retain its traditional meaning in the digital age and how international law must evolve to accommodate cyber realities.
II: USE OF LEGAL JARGON
This article employs terms such as territorial jurisdiction, prescriptive authority, enforcement jurisdiction, non-intervention doctrine, attribution, due diligence, sovereign equality, extraterritorial application, and customary international law. These concepts provide a legal foundation for analysing how states exercise sovereign powers in cyberspace.
III: THE PROOF
1. Introduction: The Cyberspace Paradox
Cyberspace is inherently borderless, decentralised, and global, yet states remain territorial, centralised, and sovereign. This creates a structural legal paradox:
States claim the right to control what occurs “within their territory.”
But cyberspace activities rarely occur in one territory alone.
Data packets route across continents; cyber-attacks originate from distributed networks; platforms operate transnationally; and digital markets ignore borders. As a result, the traditional concept of sovereignty — grounded in territorial exclusivity — faces unprecedented strain.
2. Classical Sovereignty vs. Cyber Sovereignty
Under classical international law (reflected in the Montevideo Convention, UN Charter, and ICJ jurisprudence), sovereignty includes:
Territorial integrity
Political independence
Exclusive jurisdiction over internal affairs
Non-intervention by other states
However, cyberspace is characterised by:
Non-territorial data structures
Multiplicity of actors (private platforms, hackers, AI agents)
Jurisdictional overlap
Invisible cross-border interactions
This has led to two competing models:
(A) Absolute Cyber Sovereignty (China, Russia Model)
States argue they can regulate:
Internet architecture
Digital platforms
Data storage
Cybersecurity operations
within their borders without external interference.
(B) Multi-Stakeholder / Shared Governance Model (US, EU Model)
Cyberspace should remain:
Open
Interoperable
Governed by states + private actors + civil society
with limited sovereign restrictions.
Neither model alone adequately captures the complex legality of cyberspace. A hybrid understanding is emerging.
3. Territorial Jurisdiction in Cyberspace
States traditionally exercise prescriptive, adjudicative, and enforcement jurisdiction based on:
Territorial principle
Nationality principle
Objective territoriality
Effects doctrine
Protective principle
Universal jurisdiction
Problem:
Cyberspace blurs all territorial notions.
For example:
A server in Germany is used by a company incorporated in Singapore to provide services to users in India, causing economic harm in Canada.
Whose jurisdiction applies?
International law offers no single, universally accepted test.
4. Extraterritoriality and Overbroad Claims
Many states extend domestic laws to foreign digital actors:
GDPR (EU) applies extraterritorially to any entity processing EU citizens’ data.
US CLOUD Act compels companies to furnish data stored overseas.
India’s IT Rules impose obligations on intermediaries operating beyond national borders.
China’s Cybersecurity Law demands local data storage and security checks.
Such laws reflect functional territoriality — sovereignty applied to anyone affecting a state’s digital space. However, broad assertions create:
jurisdictional conflicts
regulatory fragmentation
trade tensions
double standards and digital protectionism
5. Non-Intervention and Cyber Operations
Under customary international law, the non-intervention principle prohibits coercive interference in:
political independence
sovereign functions
elections
national security apparatus
But cyberspace complicates attribution and proof.
Examples:
Distributed Denial-of-Service (DDoS) attacks
Influence operations through bots
Ransomware attacks
Critical infrastructure hacking
States argue these constitute violations of sovereignty. Other states disagree, claiming traditional thresholds are not met.
This uncertainty reveals the gap between legal theory and cyber realities.
6. Normative Developments: Tallinn Manuals
Although not binding, Tallinn Manual 1.0 and 2.0 offer scholarly guidance.
Key positions:
States have sovereign rights in cyberspace similar to physical domains.
Cyber operations causing effects equivalent to physical harm may violate sovereignty.
Mere trespass (e.g., malware that does nothing) is debated — whether it breaches sovereignty remains unsettled.
The Manuals highlight the ongoing fragmentation and lack of consensus.
7. UN Efforts and International Dialogue
Several UN bodies attempt to shape cyber norms:
(A) UN Group of Governmental Experts (UN GGE)
Developed voluntary norms like:
Responsible state behaviour
Due diligence
Non-targeting of critical infrastructure
(B) UN Open-Ended Working Group (OEWG)
Promotes global cooperation, transparency, and cyber capacity building.
(C) Debates on a Treaty for Cyberspace
No global treaty exists.
Challenges include:
sovereignty concerns
attribution problems
differing political interests
tensions between openness and control
8. Private Actors and Platform Governance
Big Tech companies (Google, Meta, Amazon, etc.) control much of global digital infrastructure.
Their policies often have quasi-sovereign effects:
platform bans
content moderation
algorithmic curation
data localisation decisions
encryption policy
This creates a form of “platform sovereignty”, where non-state actors indirectly regulate cyberspace.
States argue this undermines their sovereign powers.
9. The Fragmentation of Cyberspace
Due to increasing regulation, cyberspace is moving away from borderlessness toward:
national firewalls
local data hosting
content filtering
certification requirements
geo-blocking
digital trade restrictions
Examples:
China’s “Great Firewall”
Russia’s “Sovereign Internet” law
EU’s digital market rules
U.S. national security controls on foreign apps
This phenomenon is called “Splinternet” — a fractured internet where territoriality is gradually reasserted.
10. Pathways for Reconciling Sovereignty with Cyberspace
To manage the tension between sovereignty and cyberspace, international law must evolve through
(A) Functional Sovereignty
Sovereignty based not solely on territory but also on:
digital effects
user harm
data-flow connections
infrastructure impact
This allows states to regulate what materially affects them while avoiding excessive extraterritoriality.
(B) Multilateral Cyber Norms
International law needs:
a global cybercrime convention
harmonised rules on data jurisdiction
cooperation for cyber attribution
coordinated responses to state-sponsored cyber operation
(C) Due Diligence Obligations
States must prevent their territory from being used for:
cyberattacks
data theft
disinformation campaigns
by both state and non-state actors.
(D) Cyber Diplomacy
States must resolve disputes through:
digital diplomacy
coordinated enforcement
cross-border data cooperation
rather than unilateral action.
(E) Multi-Stakeholder Model
International law should integrate:
private platforms
civil society
technical experts
into cyber governance.
This reflects the reality that cyberspace is co-managed by multiple actors.
IV: ABSTRACT
This article analyses the evolving concept of sovereignty in cyberspace against the backdrop of borderless digital networks and classical territorial principles under international law. It explores the tension between state jurisdiction and global data flows, evaluating models such as cyber sovereignty, multi-stakeholder governance, and extraterritorial digital regulation. After examining legal frameworks, UN efforts, and scholarly guidelines such as the Tallinn Manuals, the article highlights gaps in international law regarding attribution, enforcement, and non-intervention. It argues that functional sovereignty, multilateral cooperation, due diligence obligations, and hybrid governance are essential to reconcile territoriality with the transnational nature of cyberspace. The article concludes that international law must adapt to address the complexities of cyber operations, digital platforms, and cross-border jurisdictional conflicts to maintain stability, accountability, and rule of law in the digital age.
V: CASE LAWS (INTERNATIONAL & NATIONAL)
1. The Corfu Channel Case (ICJ, 1949)
Held that states must not allow their territory to be used for acts contrary to the rights of other states — foundational for modern cyber due diligence obligations.
2. Nicaragua v. United States (ICJ, 1986)
Defined the non-intervention principle, applicable today to cyber operations targeting political independence or sovereign functions.
3. United States v. Ivanov (US District Court, 2001)
Recognised extraterritorial jurisdiction in cybercrimes where harmful effects occur within the prosecuting state.
4. Google Inc. v. Equustek Solutions (Supreme Court of Canada, 2017)
Upheld global takedown orders, asserting a state’s authority to extend internet regulation extraterritorially when necessary.
5. Schrems I (CJEU, 2015) & Schrems II (CJEU, 2020)
Invalidated EU–US data transfer agreements, reinforcing data protection as a sovereign right and highlighting tensions in cross-border data governance.
6. LICRA v. Yahoo! (French Court, 2000)
Held that France could require Yahoo! to restrict access to certain content even if servers were located outside France, affirming territorial effects doctrine.
7. India – Shreya Singhal v. Union of India (2015)
Though unrelated to cyber sovereignty directly, it shapes state power over online speech and intermediary liability — key aspects of digital jurisdiction.
VI: CONCLUSION
Sovereignty in cyberspace is neither obsolete nor absolute. It is undergoing transformation. While cyberspace challenges classical territorial boundaries, states continue to assert legitimate jurisdictional authority to protect citizens, regulate digital markets, and secure national interests. However, unilateral or excessive exercises of cyber sovereignty risk fragmenting the global internet and undermining international cooperation.
VII: FAQS
1. What is meant by “cyber sovereignty”? Cyber sovereignty refers to a state’s claim to regulate and control digital infrastructure, data flows, and online activities within its borders, similar to how it exercises authority over physical territory. Some states, like China and Russia, adopt an absolute model, while others, like the US and EU, prefer multi-stakeholder governance.
2. Why does cyberspace challenge traditional sovereignty? Unlike physical territory, cyberspace is borderless and decentralized. Data packets travel across multiple jurisdictions, platforms operate globally, and cyberattacks often originate from distributed networks. This undermines the classical Westphalian principle of exclusive territorial control.
3. How do states assert jurisdiction in cyberspace? States rely on principles such as territoriality, nationality, effects doctrine, and protective jurisdiction. For example, the EU’s GDPR applies extraterritorially to protect EU citizens’ data, while the US CLOUD Act compels companies to provide data stored abroad.
4. What role do international law and UN bodies play? International law is evolving but lacks a binding global treaty on cyberspace. The UN Group of Governmental Experts (GGE) and Open-Ended Working Group (OEWG) promote voluntary norms like responsible state behavior and non-targeting of critical infrastructure. However, consensus remains limited due to political differences.
5. How do private companies influence sovereignty online? Big Tech platforms exercise “platform sovereignty” by controlling content moderation, data localization, and encryption policies. Their decisions often have quasi-sovereign effects, shaping digital spaces beyond state regulation.
6. What is the “Splinternet”? The Splinternet describes the fragmentation of the global internet into national or regional networks due to firewalls, geo-blocking, and local data hosting requirements. Examples include China’s Great Firewall and Russia’s Sovereign Internet law.
7. Can sovereignty survive in the digital age? Yes, but it must adapt. Sovereignty in cyberspace is neither obsolete nor absolute. A functional approach—based on digital effects, due diligence obligations, and multilateral cooperation—offers a balanced way to reconcile state authority with the transnational nature of cyberspace.
