Extraterritoriality – What does it mean for Records Management and Archives?

Darra Hofman and Elissa How, Presentation to the Transnational Team Research Workshop, June 13, 2016, Vienna, Austria
Edited and adapted by Corinne Rogers

What is extraterritoriality and how does it relate to the records of International Organizations (IOs), the inviolability of archives, and use of the cloud? Defining this term is challenging, but important, particularly if you are a records professional working for an international organization considering, or already using, cloud services.

“Extraterritoriality” is a term that has been used in some treaties and seat agreements of International Organizations alongside “inviolability” but exactly what it means – and why it is used in these legal instruments – can be confusing. There are two main contrasting definitions at law of “extraterritoriality.” Black’s Law dictionary states that extraterritoriality is “the freedom of diplomats, foreign ministers, and royalty from the jurisdiction of the country in which they temporarily reside.” This definition is closely linked to the concept of Diplomatic Immunity and therefore is going to be particularly relevant to International Organization that are considering storing records in the cloud but are concerned about how inviolable those records might be.

The Oxford Dictionary of Law Online states that extraterritoriality is “a theory in international law explaining diplomatic immunity on the basis that the premise of a foreign mission forms a part of the territory of the sending state.” The good news is that both of these reliable legal sources link extraterritoriality to diplomatic immunity. The bad news – or at least the challenge that we faced – is that in the course of our previous study of privacy and digital documents, we found that most scholars who discuss extraterritoriality today aren’t talking about it in relation to diplomatic immunity but are more concerned about the legal rights of their data with respect to other jurisdictions. So, we tend to think of extraterritoriality as relating to the legal reach or a state outside it’s own borders, and not linked specifically to diplomatic immunity.

The interesting thing is that the definition for the term “extraterritorial” – that is – the term without the “-ity” relates to this other meaning of extraterritoriality. If you look at Black’s Law Dictionary’s definition for “extraterritorial,” you’ll see that it means – “occurring outside a particular state or country; beyond the geographic limits of a particular jurisdiction.” Often you see the term as “extraterritorial jurisdiction.”

But, to make it all more confusing, often you do see “extraterritorial” with the “-ity” at the end, used in a way that has nothing to do with diplomatic immunity. In fact, the Dictionary of Canadian Law defines “extraterritoriality” as “the projection of a state’s authority beyond the territory of a state.” Actually, both ways of looking at the word do involve the concept of “extra” or outside territorial jurisdictions – they just approach it a little differently. As a result we have these two overlapping definitions for extraterritoriality – one relating to diplomatic immunity, one to jurisdiction outside a state’s physical borders.

So, why is this difference in definition important? Well, first off, you need to figure out which definition of “extraterritoriality” you’re talking about to assess your legal rights and responsibilities – because both are important but in different ways.

“Extraterritoriality” (in its diplomatic immunity sense) is particularly important to International Organizations because it affects your legal rights about your data. It would also be important to state diplomatic missions. “Extraterritoriality” (in its extraterritorial jurisdiction sense) is important to everyone – including but not limited to International Organization – who store or access data in the cloud because it affects your legal rights about your data.

But you really need to understand a bit of the history of the word to understand how it might impact your decision today to use the cloud. Extraterritoriality (in relation to diplomatic immunity) typically refers to a historical principle called the “theory of extraterritoriality.” The “theory of extraterritoriality” is one of the justifications relied upon in the 1960s when the international community started to codify the concept of diplomatic immunity. More specifically, the “theory of extraterritoriality” is the idea that the premises of a diplomatic mission are considered the territory of the state itself, and not part of the host state. This theory has been discarded now for quite some time – it is an outdated legal construct. But it still remains in popular culture. We think of it as the “James Bond theory of diplomatic immunity” – the idea that if you step onto a diplomatic mission, you are stepping onto the soil of another country. Just as James Bond is fiction, this concept is also accepted as outdated legal fiction.

If this “theory of extraterritoriality” has long been dismissed as legal fiction, it is even more clear that the concept simply doesn’t work when you are talking about International Organizations. This is due to the fact that International Organizations don’t have a home territory – so their physical premises clearly can’t be taken to represent – fictionally or otherwise – the territory of their home state. As a result, the theory of extraterritoriality is not only obsolete and discarded in general when it comes to diplomatic immunity, but it simply lacks relevance when you are talking about International Organizations, which do not have home territories in the same way as states.

Another theory, the “theory of functionality,” has been used to justify diplomatic immunity for International Organizations. This theory basically suggests that states or International Organizations need immunity in order to function. As a result, we should interpret the word “extraterritoriality” – if it appears in a legal instrument that creates a particular International Organization – as referring more generally to diplomatic immunity. More specifically, Muller states that “[extraterritoriality] must be understood to refer to the ensemble of privileges and immunities granted to the organizations.”

When trying to determine what those rights and responsibilities might be, you need to look at the legal instrument that created the IO. For many, this will be a treaty, or perhaps what can be called a “head” or “seat” agreement. Whatever the legal instrument is, you need to examine it. Unlike the situation for states, where there can be presumed to be accepted norms at international law, International Organizations are created – and governed – by some type of legal instrument – and therefore not presumed to have particular rights, privileges or immunities. Put simply: the governing legal instrument is key, and you need to understand the term extraterritoriality (in the diplomatic immunity sense) on a case-by-case basis as it relates to your organization.

Let’s look at the role of the legal instrument in more detail. In examining this issue, we looked at the legal instruments creating or enabling several large international organizations.** Regarding the inviolability of archives, some enabling legislation states that the archives of the IO shall be inviolable, while the enabling legislation of other IOs require that the archives shall be inviolable wherever located.

These instruments are instructive for several purposes. The first example is notable, touching as it does on both the inviolability and the extrajurisdictional nature of “extraterritoriality” as it concerns the Agency’s archives. Other organization’s legal instruments aligned more closely with the language in the second example, preserving only the inviolability of the archives explicitly.

Secondly, the legal instruments are important for understanding how IO’s extraterritorial rights differ from those of governments and their agents. In many IOs, each member country must separately accept the agreement, illustrating its ultimately contractual nature. Furthermore, many states condition their acceptance of the agreement on the modification or deletion of terms. A number of countries, for example, may reject sections referring disputes between the IO and its members to the International Court of Justice, while others change the terms to make explicit that their nationals remain subject to their national law even while carrying out the IO’s mission. This provides a useful contrast to the case of intergovernmental relations, where extraterritorial inviolability is not negotiated, but flows from the territorial rights of each state.

In contrast, another approach determines that the legal instrument establishing the IO does not declare its archives inviolable on any theory. The closest we found are regulations that address policy-driven public access (as opposed to the unauthorized access or seizure of archives that inviolability is meant to address). Such regulations are meant to balance competing interests regarding institutional archives in a number of institutions within, in this case, the EU. The first is sprawling regulation addressing access, administration, third party documents, and a bevy of other concerns. The second is meant to protect the right to privacy and the personal data of EU citizens, and provides a framework meant to balance the issues of privacy against legitimate needs for access to data. While this is a distinct issue from inviolability per se, it is nonetheless illustrative of the controlling nature of the legal instrument.

Now we turn towards the second, more common, definition of extraterritoriality in the extraterritorial jurisdiction sense. In this sense, extraterritoriality, applies to everyone and has more general application to your decision. It’s not a new concept, but with the proliferation of cross-border data flows – and especially in the cloud – it has become a frequent topic of discussion and concern by those considering using the cloud.

This is because there are legal risks when you consider extraterritoriality and the cloud.

We should stress that we are not talking today about other types of risks that records managers and archivists need to consider when moving records to the cloud – things like deleting information from the cloud according to retention schedules, issues of trust and reliability in data, or inappropriate access through hacking. We are focusing solely on legal rights and responsibilities.

Basically, these legal risks result from other jurisdictions having the ability to assert their legal rights with respect to your data when that data is in their physical jurisdiction. And you can quickly see why this is going to be problematic. It can be challenging enough to know your risks in your own jurisdiction, but having to understand what rights you might be giving up in other jurisdictions is even more difficult. Not to mention that most people don’t have any way of determining in what jurisdiction their data might be at any given time.

So, while in general it’s very challenging – some would say unrealistic – to learn what laws might apply to your data when it is outside your jurisdiction, in most cases you will have less legal protection over your data when it is in another jurisdiction. And, depending on where you are coming from, your data will possibly cross into a jurisdiction with considerably less privacy protection.

One major concern people have is the threat of foreign government surveillance. For example, if a Canadian’s data is stored on an American server, the fear is that the NSA legally can access it and that the Canadian might have considerably fewer options to address any repercussions coming from privacy breaches. Other concerns include metadata capture by cloud service providers, i.e. that metadata created by cloud service providers may be very revealing, but you may have very little legal control over it. Finally, there may be copyright issues to consider as your data crosses jurisdictional lines.

The cloud forces us to question the wisdom of continuing to view rights over digital data from a territorial perspective. Privacy protection is contextual and differs greatly from one jurisdiction to another. Depending on where you are, privacy may be conceived as a human right – that is a matter of dignity of the person, or as a matter of personal liberty. Across borders, there are not simply different laws, but completely different approaches to the law.

In conclusion, both definitions of extraterritoriality are important for IOs. In considering how extraterritoriality may affect legal control of your records, you need to look at your enabling legal instrument. You need to recognize that jurisdictions matter when dealing with records and data in the cloud, and that they will most likely cross jurisdictional lines. In addition to records managers and archivists, make sure your legal department is a part of all decisions regarding cloud usage.

Muller, A.S. International Organizations and their Host States: Aspects of Their Legal Relationship (The Hague: Kluwer Law International, 1995).

Darra Hofman and Elissa How both have legal backgrounds, and both are Graduate Research Assistants for InterPARES Trust.

*This blog post does not constitute legal advice. If you have questions regarding your organization and your legal rights and responsibilities, you should consult with a lawyer.

**Although all the information used about these agencies is publicly available, we have chosen not to identify them by name.

Further Reading