AUTHOR: GUNGUN SHARMA, BMS COLLEGE OF LAW

The exponential growth in technology and digitalization  on a global level have led to difficulty in enforcement of laws beyond national borders. With traditional crimes usually following a pattern in accordance to the scene of crime, cybercrimes are beyond the jurisdiction of a country with a possibility of all the people concerned being from different parts of the world. Due to the adverse nature of cyberspace, it makes it difficult to determine which country has the  authority to take the ultimate legal action. 

This paper will provide insights into the efforts taken by the international laws and agreements to cope with the issues that are  jurisdiction related, examples include UN cybercrime treaty and the Budapest convention on cybercrime which work together with the ultimate motive to punish the guilty. The paper also includes cases throwing a light on the struggle to balance privacy,laws and justice,with major significance given to cases like yahoo data breach, wannacry ransomware attack, Microsoft V. United States and Schrems II. 

The paper also highlights India's legal system, with importance given to the information technology act, 2000 and section 75,which gives India the authority to deal with instances beyond the borders or partly beyond the borders. But when it comes to practice, it makes it difficult to collect the evidence as it is digital, to gain cooperation internationally and also because of cross border conflicts. 

The research provides solutions that are enforceable and are viable like implementation of special cybercrime courts, building cooperative relations between the public and private entities, implementing uniformity and reliability in the cyber laws internationally. The study concludes that with the emerging trend of digitalization, the traditional laws are not sufficient and therefore a more standardised system of global laws is required in order to make the global space more safe and trustworthy.

 Keywords

Cybercrime, Jurisdiction, International Cooperation, Cross-Border Prosecution, Digital Evidence, Cyber security

The internet plays a crucial role in all the dynamics of a modern life be it education, government, international relations , communication or commerce. The cyber space have brought up numerous opportunities for individuals to share and collaborate with entities across the national borders, therefore helping in putting the skill set at the right platform. With the opportunities comes the challenges associated with the dynamic and global nature of cyberspace and digitalization be it regulatory or legal. The most challenging and attention worthy aspect of the exposure of the internet across nations is the cybercrime involving crimes such as ransomware, phishing and fraud, breach of sensitive data, eavesdropping.

Unlike traditional crimes which are limited to one jurisdiction or are territorial, the cybercrime has scope to exist beyond these territorial constraints, where the evidence, the victim and the perpetrators can exist simultaneously across different parts of the world. This global exposure lays down significant challenges for the countries to effectively investigate and prosecute the criminals and also possess challenges regarding the legal and territorial aspects amongst the countries in this digitalized era.

The primary issue is the principles related to the jurisdiction which includes territorial and national aspects. These principles were established when the crimes were executed within the geographical borders but with the exposure to a global platform and cyber space these traditional principles are inefficient and where the crime may be given rise in one country, be executed through the medium of computers in another country and affect the victim in another country altogether. This leads to the questions and queries as to who shall have the ultimate power to question, investigate, prosecute the criminal. The challenges can also be structural, because the concept of jurisdiction can conflict with state sovereignty, privacy, and national competing interests, which can cause delays, unnecessary competing claims, or even a complete failure to arrest, extradite, or prosecute.  As a result, cybercriminals regularly exploit jurisdictional loopholes, havens, and lag time to avoid accountability, while threatening national security and international trust in digital systems.

This research identifies jurisdictional issues arising from the prosecution of cybercrime that occurs beyond borders, and assesses the effectiveness of existing institutions and legal frameworks for combating those issues. More specifically, this research aims to assess the effectiveness of international treaties, such as the UN Cybercrime Treaty and the Budapest Convention on Cybercrime; analyze the relevance of traditional jurisdictional doctrines in cyberspace; and reveal how informed case law continues to adhere sexually to strains of enforcement against the rights of privacy and sovereignty.

This research is premised on the belief that the complex jurisdictional dilemmas engendered by international cybercrime cannot be solved by the current, disparate approaches to prosecuting cybercrime. Even if states were to consider extending their laws outside of their borders, these unilateral efforts often violate the sovereignty of other states and create troubling diplomatic situations.Thus, jurisdictional problems arising from the cross-border prosecution of cybercrime can only be addressed through a harmonised, collaborative and flexible legal framework, which considers the distinctive nature of cyberspace and the critical need for the fast and minimal evidence sharing of information.

This study is crucial because it highlights one of the most significant and important aspects of international law and criminal justice. Understanding the questions that have been unanswered with respect to jurisdictional aspects to fight against the cybercrime will help administrators, policy makers, professional practitioners or at the very least it will help in providing insights into real time scenarios. The study primarily focuses on identifying the flaws in the existing law and order and hence provide insights to construct a more dynamic, centric and effective law and order in order to fight against cyber crime. In addition it highlights the importance of communication and cooperation amongst the nations so as to ensure a safe and secure international and national law enforcement against cybercrime.

Furthermore it also highlights the importance of creating a balance between the fundamental rights along with cyber security measures like privacy and justice.

The scholarship on prosecuting cross-border cybercrime raises serious questions about the adequacy of jurisdictional principles that predated and evolved during the digital age. Brenner highlights that when crimes cross borders, the jurisdictional principle of territoriality, which represents the historical foundation of criminal law, is insufficient.. Clough contends that more jurisdictional claims based on country and universality are being tested in cybercrime scenarios where the perpetrators are proxies or anonymous. The UNODC's 2013 Comprehensive Study on Cybercrime found that different countries define cybercrime in significantly different terms, which complicates cooperation. Academics have also discussed the role of international instruments.

The 2001 Budapest Convention has been hailed as a landmark treaty, but some academics assert that it was not drafted in an inclusive manner—hence the reason why it has not been ratified by states such as Russia and India.

Judicial comments, for example, the Schrems II case (CJEU, 2020), illustrate the tension between state sovereignty, data protection, and the exchange of cross-border evidence, while gaps remain with enforcement frameworks, extradition, and data sharing.

Despite the gaps remaining, the literature generally agrees on the need for coordinated responses.

The study adopts a doctrinal legal research approach in its investigation of laws, treaties, and case law relevant to state jurisdiction with regard to cybercrime. A comparative legal analysis is applied to the frameworks of the US and EU, and India. The doctrinal analysis provides for the opportunity to identify inconsistencies in existing laws and frameworks with respect to state jurisdiction, such as the inconsistent narrow approach taken in the GDPR and the broader approach of the U.S. CLOUD Act that has extraterritorial reach. The comparative research approach identifies how different jurisdictions manage disputes when claiming user or state jurisdiction. Additionally, the report uses case study analysis to better situate the discourse on the real-world challenges when prosecuting individuals, e.g. the historical case of the Yahoo Data Breach (2014), and other incidents, e.g. WannaCry ransomware (2017), Microsoft v. United States (2018), Schrems II (2020), and United States v. Ivanov (2001). The research draws upon both primary legal sources, opinions, and agreements, and secondary sources. This multidimensional approach will help in examining jurisdictional issues raised and their potential answers.

The methodology for this study will use a doctrinal legal research design to examine laws, treaties, and case law with respect to state jurisdiction in cybercrime. The analysis will use a comparative legal analysis of the jurisdictions of the US, EU, and India. Doctrinal analyses allow for the assessment of conflicts in the statutory regime regarding state jurisdiction, contrasting narrow applications under the GDPR with the expansive nature of extraterritoriality conventions in the US. The comparative research aspect of the study outlines the different constructs of jurisdictions and how claims relate to issues of user or state jurisdiction. The report will also use case-study analysis to contextualize the discussions on the real-world issues of whether to prosecute an individual, citing cases such as Yahoo Data Breach in 2014, WannaCry ransomware in 2017, Microsoft v. United States in 2018, Schrems II in 2020, and United States v. Ivanov in 2001. The study will rely on primary legal documents, opinions, and agreements, along with secondary sources. The comprehensive approach to using different sources and methods will ensure a detailed analysis of the jurisdictional issues and satisfactory resolution of these claims.

The inconsistency in statutory obligations between jurisdictions is another barrier. The definitions, offenses and punishments associated with cybercrime are different in various national systems. Unauthorized access to a computer may be viewed as a minor offense in one jurisdiction, but as a significant felonious offense in another. The evidential burdens established in different legal standards will also vary between jurisdictions, and specifically within the context of examining the evidence from a digital perspective. This is likely to present a challenge to cooperation with other jurisdictions, purely based on the differences in the legal systems. Privacy laws inhibit the flow of data across borders, and particularly within the European Union, data is governed by the General Data Protection Regulation (GDPR).

The process that seeks to gather evidence has become one of the primary jurisdictional challenges. Investigators face difficulties in identifying the location of relevant data and forming lawful access to that data, especially in the context of cloud computing and data centers being located in multiple jurisdictions. Data sovereignty is understood such that authorities from another jurisdiction often face barriers to achieving immediate access to relevant information when that information is located in another jurisdiction and without taking appropriate employment procedures. This means that important digital evidence is often missing, delayed, or incomplete.

Mutual Legal Assistance Treaties (MLATs), and extradition, also pose significant hurdles. Extradition is usually barred by human rights issues; political issues are often also a factor between governments; or an exception of not extraditing based on nationality is cited. Although the process for mutual legal assistance is necessary, it is often tedious and lengthy, and is not fast enough to address the pace of cybercrime and the decay of evidence. By the time the responses have been received, the offender may have deleted evidence, moved the operation, or even left the jurisdiction.

The existence of safe havens adds to the problem. Some jurisdictions will decline to participate in an international request for assistance in cybercrime investigations, whether deliberately or as a result of their own lack of legal and technical capacity. These jurisdictions effectively act as safe havens for criminals, allowing them to operate with some level of impunity. A lack of cooperation undermines the deterrent factor of international cybercrime law enforcement and enables criminal actors to continue to act in these safe havens with increased confidence.

Several new initiatives provide cautious optimism despite these challenges. Central initiatives to promote global cooperation are the Second Additional Protocol to the Budapest Convention and expected approval of the UN Cybercrime Treaty in 2024. Each instrument aims to strengthen the capacity of states to cooperate with one another, as well as facilitate the collection of evidence that may exist beyond a state’s borders. The success of these initiatives is ultimately contingent upon political will, the harmonization of laws, and resourcing in individual countries. That said, implementation is not uniform and thus, while there are positive developments, there remain substantial gaps in developing a truly cohesive and effective framework for cross-border prosecution of cybercrimes.

The implications of the findings of the study also highlight how territorial sovereignty is under slow, but steadily, unwinding as cyberspace pervades traditional physical borders. Unlike traditional crimes, cybercrimes traverse borders - often virtually by design. As witnessed in Yahoo! Inc. v. LICRA, in which the extraterritorial reach of French law was challenged against claims of jurisdiction in the U.S., courts have entertained concepts such as the effects principle in attempts to ameliorate this gap. p. However, these theories continue to be contested and diverse, which is a new exception to the notion of the tensions over the issues of sovereignty and privacy rights exhibited to date by the European Union under its General Data Protection Regulation (GDPR) and the type of extra-territorial claims that the United States continues to exhibit under Computer Fraud and Abuse Act that basically allows for assertions of healthy trespass by the US government, are disturbingly alike. As these contrasting theories express, the legal system ships that have existed have already shown that there were already structural inconsistencies between countries that then operated with states that had simply opposing goals (one, security; the other, privacy and sovereignty). With regard to previous scholarship, this article (in relation to Brenner's controversial position) does primarily re-articulate Brenner's position that it looks again at the historically-based notions of territorial jurisdiction as not way too limited to properly address the difficult issues of cybercrime, however in the context the biggest contribution is looking at the implications in Indian law where Section 75 of the Information Technology Act, 2000 imparts a level of curiosity in this situation.

Even though, in theory, this legal connection extends India's extraterritorial jurisdiction, it is practically limited by procedural preconditions like having Mutual Legal Assistance Treaties (MLATs) in place for crimes committed by its people or systems. The law still holds its legitimate force, but its applicability is often diminished, or prevented entirely, by exhausting and lengthy procedures.Moreover, case law such as Schrems II has illustrated that privacy and data protection concerns can obstruct sharing of evidence across borders between similarly cooperative countries like the US and EU. This demonstrates that countries can hinder enforcement of laws, with one another, and in instances where the countries are not adversaries.

These conclusions have significant implications for legal theory and practice. From a theoretical perspective, the research supports the observation that jurisdiction must be redefined to meet the challenges presented by cybercrime, that it must expand beyond rigid territorial limitations, and that it must accommodate the social, dynamic, and networked nature of cyberspace criminality. In practice, the findings suggest that reforms need to be enacted and implemented urgently. These reforms will include the development of expedited processes for Mutual Legal Assistance Treaties (MLAT) to ensure timely access to digital evidence, the adoption and implementation of the UN Cybercrime Treaty, and the exploration of specialized international tribunals or courts to handle extremely complex, highly technical cases. There's even the possibility that formalized and robust public-private partnerships could facilitate better collaboration with IT corporations that frequently maintain potentially critical evidence across many jurisdictions.

However, the research acknowledges some limitations. Given that a significant portion of the study relies on secondary sources, it likely does not capture the latest developments in the fast-changing national and international cyber law reform arena.Moreover, due to the inherent dynamic of cyber law, all agreements, cases, and collaborations are open to rapid changes, which makes generalizing findings to different jurisdictions problematic, while emphasizing the need for ongoing studies that keep pace with changes in the law and technology. Despite these limitations, however, this discussion provides a comprehensive treatment that offers the jurisdictional

Traditional ideas about jurisdiction, especially the territorial idea - which has been the heart of criminal law for ages is, given cross-border cybercrime, becoming obsolete. Territoriality is ephemeral in a digital age, in which offenders, victims, and evidence can all be in different countries. Additionally, this divergence is even more pronounced if evidence exists in different parts of the world on servers, or if cyber-attacks occur with simultaneous impact in multiple countries. Although they might represent useful points-of-own departure, recent legal frameworks, including a UN Cybercrime Treaty yet to take effect, Budapest Convention, and relevant national legislation like India's Information Technology Act, 2000, vary (widely) and often represent the political divides between sovereign states. Ultimately, the result is a patchwork of legal regimes that hinder cooperation and allow for cybercriminals to chuckle at jurisdictional boundaries. This research draws several comparative recommendations for how to approach these matters. First, it is essential to reach what would ultimately be universally consistent definitions of cybercrime, crime, and procedures. Finally, it is crucial that the definitions reflect the private international law concept of jurisdiction which takes into account the nature of the crime and not just physical presence/territory which is each state's prevailing approach. Second, fast-track governments should be developed which limit or even outright eradicate bureaucracy from procedures such as Mutual Legal Assistance Treaties (MLATs) which currently hamper issues of cooperation and evidence-sharing. Third, countries must fully participate or be created as part of an international treaty or agreement, such as the UN Cybercrime Treaty or the Budapest Convention in order to begin to create authority and deter the possible creation of a "safe haven" country for cybercriminals. Additionally, capacity-building programs for developing countries, who often lack the capacity, or resources, or technical capacity, to investigate some of the more complex issues of cybercrimes, should also be a priority.

Finally, public-private partnerships are also heavily required as private enterprises generally hold many of the essential types of data. In addition, international courts or tribunals created under international law may also be a venue to consider these many complex issues, due to the particular expertise of digital forensics and, of course, the reliance on that expertise that international law has created. 

Future research should examine multiple aspects of the issue as it continues to evolve. One aspect will be the role of private companies, particularly internet service providers, as well as the technology sector, who are acquiring evidence and executing the application of law. Another aspect will be the relationship of human rights norms and prosecution of cybercrime, specifically related to privacy, freedom of expression, and due process in transnational investigations. 

As technology areas such as blockchain, quantum computing, and artificial intelligence rapidly develop, definitions of cybercrime and legal theories regarding jurisdiction will also evolve. Understanding how new technologies affect accountability, attribution, and collecting evidence will be required to create adaptive legal solutions.

In summary, existing doctrines or fragmented models are inadequate to address the issue of prosecuting transnational cybercrime. It requires a robust, more cooperative, and forward-looking legislative framework, which balances cyber security necessities with the protection of fundamental rights. The global community is only able to effectively tackle cybercriminal impunity of the digital age through international cooperation, mutual confidence, and new systems of legal accountability.

International Agreements and Reports

• Council of Europe, Convention on Cybercrime, Nov. 23, 2001, E.T.S. No. 185.

• United Nations, Comprehensive Study on Cybercrime, U.N. Doc. V.13-83718 (2013).

• Europol, Internet Organised Crime Threat Assessment (IOCTA) (2022).

Books

• Susan W. Brenner, Cybercrime: Criminal Threats from Cyberspace (Praeger 2010).

• Jonathan Clough, Principles of Cybercrime (Cambridge Univ. Press 2015).

Cases

• Case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd. (Schrems II), ECLI:EU:C:2020:559.

• Microsoft Corp. v. United States, 584 U.S. ___ (2018).

• Yahoo! Inc. v. La Ligue Contre Le Racisme et L’Antisémitisme, 433 F.3d 1199 (9th Cir. 2006).

Statutes

• Clarifying Lawful Overseas Use of Data (CLOUD) Act, Pub. L. No. 115-141, 132 Stat. 1213 (2018).