Towards Global Cyberlaw | Thomas Streinz | Global/Emil Noël Fellows Forum Spring 2017 | February 26, 2017 | 1
TOWARDS GLOBAL CYBERLAW
Thomas Streinz*
I.
Introduction
At least since the early 1990s there has been a spirited ‘cyberlaw’ debate, which led to important insights
about governance, regulation, and law in the internet age. This paper revisits this debate and exposes its most
glaring lacuna. Existing cyberlaw scholarship neglects, somewhat curiously, the internet’s inherently global
aspiration and the corresponding need to develop legal mechanisms to keep key institutions of global internet
governance in check. To fill this gap, I argue that we need to move towards ‘global cyberlaw’, because
national law and international law, traditionally conceived, are ill-suited to fulfill this task. Global
Administrative Law (GAL) is an important building block for such a global cyberlaw but needs to overcome
its focus on procedural disciplines of transparency, reason giving, and review to give legitimacy to the
internet’s idiosyncratic governance structure. Only then will ‘cyberlaw’ live up to the literal meaning of
κυβερνητικός (“skilled in steering or governing”) from which the omnipresent cyber-affix is derived.
This short paper will discuss national (II.), international (III.), and global approaches (IV.) to cyberlaw in
turn. Two important caveats are in order. First, these are not mutually exclusive concepts. There is surely a
role for national and international law in governing the internet. My argument is that these bodies of law on
their own are insufficient, not that they are meaningless or superfluous. Second, internet governance is an
unhelpful buzzword if one does not distinguish between governance of internet use and governance of the
internet itself.1 The former involves the regulation of user conduct: browsing the world wide web (www),2
sending emails, downloading songs, participating in social media, hacking the DNC etc. Governance of the
internet concerns the internet’s functioning itself. The management of the internet’s unique identifiers
(‘names and numbers’) is carried out by the Internet Corporation for Assigned Names and Numbers
(ICANN),3 a not-for-profit organization under California law. The maintenance and development of
Fellow, Institute for International Law and Justice, NYU School of Law. Email: [email protected]. This
paper originated (in very different form) in the IILJ Colloquium 2015 under supervision by Benedict Kingsbury. I
presented a revised version at the Association of Internet Researchers (AoIR) Annual Conference in Berlin in fall 2016.
Thanks are due to Sara Dietz and Johann Justus Vasel for valuable comments and suggestions. The usual disclaimer
applies.
1 The ‘offical’ definition that came out of the World Summit on Information Society (WSIS) 2005 conflates the two by
defining internet governance as ‘the development and application by Governments, the private sector and civil society,
in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the
evolution and use of the Internet.’ Report of the Working Group on Internet Governance,
http://www.wgig.org/docs/WGIGREPORT.pdf.
2 The world wide web (www) is an application that is layered onto the internet. World wide web governance is a
subcategory of internet governance and mainly handled by the world wide web consortium (W3C), a global standard
setting body.
3 To provide some technological background: The Internet’s domain name system (DNS) consists of a hierarchical
structure of root name servers. They translate domain names such as www.nyu.edu into IP addresses numbers such as
128.122.119.209. To match names and numbers, they rely on the authoritative root zone file which contains a list of
*
WORKING DRAFT – PLEASE DO NOT QUOTE OR CIRCULATE WITHOUT PERMISSION
Towards Global Cyberlaw | Thomas Streinz | Global/Emil Noël Fellows Forum Spring 2017 | February 26, 2017 | 2
fundamental protocols (such as TCP/IP)4 is the task of various internet standard-setting bodies, most notably
the Internet Engineering Task Force (IETF), an ‘open community’ operating under the auspices of the
Internet Society (ISOC), an international non-profit organization under Virginia law.5 As we will see, states
can at least try to regulate online behavior within their jurisdiction, but their influence over global bodies such
as ICANN, the IETF, and others in charge of the internet’s functioning and evolution is very limited. If one
believes, as I do, that exercise of power without corresponding legal limitations is a problem, we need to
apply non-state-based approaches to law to institutions such as ICANN and the IETF. In other words, we
need to develop a global cyberlaw.
II.
National Cyberlaw
National law has been the focus of the cyberlaw debate, at least in the US. One can identify three
frontiers of conflict in the mainstream debates, which I will call respectively: anarchist v. governmental,
borderless v. territorialist, and code v. horse. These frontiers are not neatly separated and overlap to a
significant extent, but they shed a light on different dimensions of the cyberlaw debate that are instructive for
my core claim, i.e. the need to develop a ‘global cyberlaw’ as a law that governs the internet’s global
administrative bodies.
The first frontline (anarchist v. governmental) emerged in response to John Perry Barlow’s legendary
declaration of the independence of cyberspace.6 Barlow published this declaration on the day on which Bill
Clinton signed the Communications Decency Act (CDA) of 1996 into law.7 The CDA attempted to regulate
indecency and obscenity in cyberspace—the indecency provisions were later found to be unconstitutional by
the US Supreme Court.8 Barlow took issue with what he viewed as unwelcome governmental intrusion and
declared: “Governments of the Industrial World, you weary giants of flesh and steel, I come from
Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are
not welcome among us. You have no sovereignty where we gather.” Barlow conceived cyberspace as a
naturally independent sphere, growing organically through the actions of its members. He emphasized the
non-locality and non-physicality of interactions which he thought would prevent states from regulating
names and numbers of the authoritative DNS servers for all generic top-level domains (gTLDs) such as .com, .org, .edu,
and the country code top-level domains (ccTLDs) such as .de, .mx or .uk. The ‘root authority’ lies with ICANN. See for
the historical background Milton L. Mueller, Ruling the Root: Internet Governance and the Taming of Cyberspace
(Cambridge, MA 2002).
4 More technological background: the Transmission Control Protocol (TCP) and the Internet protocol (IP) organize
how data are packetized, addressed, transmitted, routed, and received on the Internet. Every node on the internet needs
to comply with these protocols. For an account of the historical development see Peter H. Sallus, CASTING THE NET:
FROM ARPANET TO INTERNET AND BEYOND (Addison-Wesley 1995).
5 See for a helpful primer on internet technology: James Grimmelmann, INTERNET LAW: CASES AND PROBLEMS (6th ed.
2016), p. 27–35.
6 Available online at https://www.eff.org/cyberspace-independence.
7 Title V of the Telecommunications Act of 1996, the first major overhaul of US telecommunication law in sixty years.
8 Reno v. American Civil Liberties Union, 521 U.S. 844 (1997).
WORKING DRAFT – PLEASE DO NOT QUOTE OR CIRCULATE WITHOUT PERMISSION
Towards Global Cyberlaw | Thomas Streinz | Global/Emil Noël Fellows Forum Spring 2017 | February 26, 2017 | 3
internet conduct or at least would pose insurmountable enforcement difficulties. Barlow’s declaration retains
its significance as a symbol of a certain anarchist or at least anti-governmental streak in internet law and
governance. The IETF’s mantra —we reject kings, presidents, and voting—continues to breath the spirit of
Barlow’s declaration.
The second frontline (borderless v. territorialist) was influentially captured in a 1996 law review article by
David Johnson and David Post.9 They argued that global computer-based communications cut undermine
the feasibility and legitimacy of applying laws based on geographic boundaries. Instead, they posited that selfgovernance of cyberspace participants would emerge, regulating conduct among themselves by creating new
laws and legal institutions online. While they acknowledge the internet’s inherently global nature, they are not
concerned with governance of the internet at all. They focus almost entirely on governance of online conduct,
as does the whole cyberlaw debate in the US, and in this respect their vision of a global self-regulated
cyberspace has not materialized.10 Indeed, many believe that the ‘unexceptionalists’, led by Jack Goldsmith &
Tim Wu won the intellectual battle when they published ‘Who controls the Internet?’, whose subtitle—
‘illusions of a borderless world’—makes it clear that they positioned themselves in the opposite corner to that
occupied by Johnson & Post. Goldsmith & Wu’s account identifies various ways by which states can regulate
online conduct on a territorial basis: the internet’s physical infrastructure (cables, servers, computers) is local;
internet service providers are identifiable business entities; and ‘netizens’ are citizens under the jurisdiction of
their home state. While they acknowledge enforcement limitations, they do not find these to be fatal for their
claim as long as the effectiveness of regulation is not fundamentally challenged.
While no doubt an important contribution to the cyberlaw literature and a useful guide when looking
for regulatory hooks, I am in disagreement with Goldsmith & Wu for two reasons: First, their account is
normatively unappealing, if one seeks to maintain the internet’s global aspiration, because it either leads to
unilateral domination or internet fragmentation. Second, they are engaged in selective realism by taking a
realist stance as far as governance of online conduct is concerned (essentially ignoring enforcement
limitations and competing claims of authority) yet resort to theoretical but entirely unrealistic possibilities of
state interference in the governance of the internet. Let me briefly expand on both arguments.
My first point is best illustrated by examples of extraterritorial regulation such as the ongoing
controversy about a so called ‘right to be forgotten’. The European Court of Justice (ECJ) ruled in Google
Spain that Google’s activities in the EU were subject to European data protection laws.11 The Court
developed a ‘right to be delisted’ from search results on the basis of EU fundamental rights, namely the right
Law and Borders: The Rise of Law in Cyberspace, 48 Stanford Law Review 1367 (1996).
The rise of platform governance might vindicate their view, at least partially, see infra.
11 In this case Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement of such data. Soon to
be replaced by the EU’s General Data Protection Regulation (GDPR).
9
10
WORKING DRAFT – PLEASE DO NOT QUOTE OR CIRCULATE WITHOUT PERMISSION
Towards Global Cyberlaw | Thomas Streinz | Global/Emil Noël Fellows Forum Spring 2017 | February 26, 2017 | 4
to private life and the right to protection of personal data.12 According to the ECJ, these individual rights
override not only the economic interest of Google, but also the interest of the general public in having access
to that information. This contrasts sharply with the strong protection of free speech that is afforded under
the First Amendment in the US.13 The extent of the extraterritorial consequences of the ECJ’s decision was,
and remains, contested. Google agreed to remove search results from its European websites (such as
google.de, google.fr etc.) but refused to delist globally (including google.com). In the interpretation by the
French data protection authorities, however, EU law demands global enforcement, including compliance with
the Google Spain decision in all Google’s activities on each of its websites.14 Google appealed and the Conseil
d’Etat sent the case back to the ECJ where it is now pending.15 This illustrates how the global nature of the
internet undermines traditional notions of territoriality. If the EU wants to secure a right to be forgotten for
its citizens, it has to push for a complete removal of the relevant information from all Google websites,
including those aimed at and primarily used by consumers outside Europe. Otherwise, the information could
simply be retrieved by a person in Spain who visited google.com instead of google.es. Goldsmith & Wu are
fine with this power struggle. Their account favors political and economic powerful jurisdictions, because
they are most likely to achieve widespread compliance (e.g. through mechanisms that Anu Bradford has
described as the Brussels effect).16 The alternative solution to extraterritorial enforcement is to restrict the
access of domestic internet users—which ultimately leads to internet fragmentation and undermines the
internet’s global aspiration.
My second point questions Goldsmith & Wu’s claim that the US government continues to control key
institutions of internet governance.17 It is true that historically, the US government had considerable influence
over the internet’s key technologies because they were the offspring of research funded by the Department of
Defense. Gradually, however, the research and business community took over. These quarters continue to be
US dominated today, but there is no guarantee that this state of affairs will persist—the Chinese digital
economy is growing and catching up quickly. In any case, governmental influence in internet governance
institutions is uniquely limited. Governments are represented in ICANN via a governmental advisory
committee, but even the consensus of all 146 represented states can be overruled by ICANN’s boards of
directors by a simple 2/3 majority. At the IETF, there is no formal role for governments at all. Against this
backdrop, Goldsmith & Wu’s claim of continued US control is a vast overstatement. ICANN’s legal status as
Articles 7 and 8 of the EU Charter of Fundamental Rights.
Robert G. Larson III, ‘Forgetting the First Amendment: How Obscurity-Based Privacy and a Right to Be Forgotten
Are Incompatible with Free Speech’ 18 Communication Law and Policy 91 (2013).
14 See Reuters of May 24, 2016: France Fines Google Over ‘Right To Be Forgotten’, available at
http://www.reuters.com/article/us-google-france-privacy-idUSKCN0WQ1WX.
15 Press release of 24 February 2017, available at http://www.conseil-etat.fr/Actualites/Communiques/Droit-audereferencement.
16 Anu Bradford, ‘The Brussels Effect’ 107 Northwestern University Law Review 1 (2012).
17 Admittedly, they made their argument more than ten years ago, before the Snowden revelations, which severely
damaged the US position in internet governance.
12
13
WORKING DRAFT – PLEASE DO NOT QUOTE OR CIRCULATE WITHOUT PERMISSION
Towards Global Cyberlaw | Thomas Streinz | Global/Emil Noël Fellows Forum Spring 2017 | February 26, 2017 | 5
a non-for-profit under California law gives the US jurisdiction, but any attempt to bring the organization
under US government control would ‘break the internet’, because a new, non-US based domain name system
would surely emerge. In the absence of unique identifiers these systems would not be interconnected — the
condition sine qua non for the inter-net.
Finally, the third frontline concerns the very existence of cyberlaw as a legal discipline: specifically, the
question of whether there is any useful or illuminating category of “cyberlaw” worthy of special attention. In
a famous conference keynote address, Judge Easterbrook claimed that cyberlaw was like the law of the horse,
i.e. just an eclectic application of different laws and regulations to certain phenomena in cyberspace without
unifying theme and without much space to distill any overarching principles and insights. Indeed, looking
back over more than 20 years of cyberlaw scholarship gives a sobering picture, because much of the literature
used the ‘cyber’ moniker without any conceptual or intellectual purchase. But not Larry Lessig, who felt
prompted by Judge Easterbrook to develop a new theory of law and regulation in cyberspace which he
encapsulated in the catchphrase ‘code is law’.18 The key insight is that in cyberspace code decides to a large
extent what we can or cannot do—much like law in real life. Hence code-makers fulfill similar functions as
law-makers. If traditional law-makers want to retain control, they should pass legislation requiring certain
coding solutions (e.g. a browser feature that prevents children from accessing porn). Lessig’s insights are
profound, but his concerns and framing are almost entirely US centric. He sees a struggle between ‘West
Coast code’, i.e. Silicon Valley technological innovations and ‘East Coast code’, i.e. legislation out of
Washington, DC. He offers no solutions for the extraterritoriality problem. And his curious disregard of the
internet’s global nature is especially glaring, because, if code is law, there is arguably no more fundamental
internet law maker than the IETF and ICANN.
To recap, national conceptions of cyberlaw tend to discount the internet’s global nature and are unable to
control global institutions of internet governance. Yet, the internet is widely considered an example par
excellence for a global public good. Even though certainly no perfect global public good, because there may be
cases in which internet users compete for access (if only for lack of bandwidth or server capacity) or where
access to the internet is restricted (as in North Korea), the internet’s unique scalability and network effects
favor expansion at negligible cost, while exclusion is very expensive (if not impossible), and benefits are being
spread across the globe.19 Ordinarily, the regulation of global public goods calls for cooperative efforts on the
international stage. Yet, as we will see, international cyberlaw falls short of this ambition.
III.
International Cyberlaw
Despite the internet’s global reach, there is surprisingly little substantive international law that specifically
or explicitly addresses the use of the internet. When governments realized that the internet posed a regulatory
See Larry Lessig, ‘The Law of the Horse: What Cyberlaw Might Teach’ 113 Harvard Law Review 501 (1999)
See the various definitions of global public goods by Inge Kaul, Isabelle Grunberg & Marc A. Stern, GLOBAL PUBLIC
GOODS: INTERNATIONAL COOPERATION IN THE 21ST CENTURY (Oxford 1999).
18
19
WORKING DRAFT – PLEASE DO NOT QUOTE OR CIRCULATE WITHOUT PERMISSION
Towards Global Cyberlaw | Thomas Streinz | Global/Emil Noël Fellows Forum Spring 2017 | February 26, 2017 | 6
challenge, they generally pursued regulatory objectives through national law rather than international
agreements. There are important exceptions: national security concerns prompted states to develop the
Council of Europe Convention on Cybercrime,20 which has been ratified by 46 states, 21 of which are not
members of the Council of Europe.21 Yet, the Convention fails to include important cybersecurity players,
most notably China and Russia. This example points to the challenges for any attempt to govern the use of
the internet by means of classic international law. Its traditional consensus-based approach has come under
pressure when global public goods are at stake.22 The internet is no exception. Indeed, it is highly doubtful
that countries like the United States and the United Kingdom on the one hand and China and Russia on the
other hand will be able to agree on common standards for internet usage. The former adhere to the concept
of an open internet, which operates largely without governmental interference (mass surveillance activities
notwithstanding), while the latter advocate a sovereignty-based model of internet governance which seeks to
impose borders on the internet to make it governable. In essence, the national cyberlaw debate repeats itself
on the international level.
The problem is exacerbated by the relatively minor role of traditional (intergovernmental) international
organizations in internet governance. While international organizations have become important law makers
on the international stage in other areas,23 not least by facilitating the drafting and ultimately adopting of new
international instruments, there is no universally recognized forum for such activities in the realm of internet
governance, which explains why the Council of Europe has stepped up its efforts to fill this gap to a certain
extent. A further problem is the rapid technological progress which works against the cumbersome and
lengthy decision lawmaking procedures which governments have traditionally employed in international law.
When powerful economic interests have favored cooperation, states have occasionally been able to agree
on international legal rules. In 1996, they concluded the World Intellectual Property Organization (WIPO)
Copyright Treaty, which entered into force in 2002, awarding copyright protection to computer programs and
databases. The Anti-Counterfeiting Trade Agreement (ACTA), signed in 2011 by ten OECD countries
(including the EU and 22 of its Member States) aimed for even stronger copyright enforcement, but was
ultimately defeated in the European Parliament. Increasingly, states negotiate rules on ‘digital trade’ in
international free trade agreements. The Trans-Pacific Partnership (TPP) agreement between the US and
eleven Pacific-rim countries set a new template for international rules on controversial issues of internet law
and policy such as access restrictions, free data flows, data privacy, server location requirements, source code
Also known as the Budapest Convention; see the analysis by Mike Keyer ‘Council of Europe Convention on
Cybercrime’ 12 Journal of Transnational Law & Policy 287 (2002-2003) and Amalie M. Weber ‘The Council of Europe’s
Convention on Cybercrime’ 18 Berkeley Technology Law Journal 425 (2003).
21 The current ratification status is available at
http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=&DF=&CL=ENG.
22 Cf. Niko Krisch ‘The Decay of Consent: International Law in an Age of Global Public Goods’ 108 The American Journal
of International Law 1 (2014).
23 See generally José E. Alvarez, INTERNATIONAL ORGANIZATIONS AS LAW-MAKERS (Oxford 2006).
20
WORKING DRAFT – PLEASE DO NOT QUOTE OR CIRCULATE WITHOUT PERMISSION
Towards Global Cyberlaw | Thomas Streinz | Global/Emil Noël Fellows Forum Spring 2017 | February 26, 2017 | 7
protection, domain-name dispute settlement, and the liability of intermediaries. Despite TPP’s demise, the US
will likely continue to push for similar rules, because of its economic interest in free data flows, especially in
an era of cloud computing. The World Trade Organization (WTO) will likely launch its own ‘digital trade
agenda’ at the next ministerial conference. The fact that international economic law increasingly addresses
issues of internet law and policy is unsurprising in light of the internet’s enormous economic significance for
global communications, cross-border services, operation of global value chains etc. At the same time, the
emerging international law of digital trade is far from all-encompassing and faces severe obstacles because of
divergent views about the right balance between free data flows on the one hand and privacy and security
concerns on the other hand.
Even if there was nearly universal agreement between states, such an agreement would be restricted
to govern the use of the internet. Governance of the internet lies in the hand of actors which are not states
and which are generally not subject to public international law. The various standard setting bodies that drive
the technological development of the internet, and ICANN, which controls the internet’s domain name
system, operate outside the confines of international law as traditionally perceived. This is why any analogy to
existing international law governing realms such as the high seas, outer space, and Antarctica, is misplaced
when it comes to the governance of the internet itself.24 We need to look to global law, rather than public
international law, to respond to this regulatory challenge.
IV.
Global Cyberlaw
Global cyberlaw is meant to govern those who control the internet’s core infrastructure: names, numbers,
and protocols. I will first explain why such a law is needed before presenting Global Administrative Law
(GAL) as a potential building block in comparison with two competing global law approaches: international
public law and global constitutionalism.
1. The Need for Global Cyberlaw
If one asked internet pioneers, they would likely say that the internet has been quite successful without a
global legal framework. I would retort that there is an important difference between the times in which
internet researchers and entrepreneurs advanced the technology in computer labs without much
governmental oversight or public interest and today’s world, in which the internet has become the backbone
of worldwide communication and the basis for political and economic activities around the globe. Today, the
stakes are indefinitely higher than they were before.
What added value can a new cyberlaw provide? To control essential facilities of the internet and to steer
its future development means exercising a huge amount of power. In the event of exercise of power by
But see Kristen E. Eichensehr ‘The Cyber-Law of Nations’ 103 The Georgetown Law Journal 317 (2015) (arguing for
multistakeholder governance, governance through norms, and regulated militarization).
24
WORKING DRAFT – PLEASE DO NOT QUOTE OR CIRCULATE WITHOUT PERMISSION
Towards Global Cyberlaw | Thomas Streinz | Global/Emil Noël Fellows Forum Spring 2017 | February 26, 2017 | 8
people and/or institutions, there should be rules, norms and processes to control such exercise, and law
provides this framework. This is why the rule of law has emerged as a global ideal (despite its indeterminacy
and vagueness).25 In a basic conception, it posits that we want to be governed by rules and not by men or
women. This may sound simplistic but carries a deeper insight about the inherent qualities of law. It guards
against arbitrariness, nurtures expectations, and puts a premium on reasoned decision making. Its inner logic
rationalizes the decision-making process and legitimizes its outcome.
The question “who governs the internet?” becomes less daunting, if one can rest assured that the power,
that is exercised by the various actors of internet governance, is subject to legal limits. The lackluster role of
law in the governance of the internet is a rule of law problem that needs to be addressed. There is a risk that
the still prevalent anti-government narrative translates into an anti-law narrative. To mitigate this concern, it is
important to note that new approaches to international law have emerged which recognize, that there can be
a law beyond the state. Global Administrative Law (GAL) is one of them.
2. Global Administrative Law
GAL is perfectly suited for decision making bodies such as ICANN and the IETF. The proponents of
GAL define it as “the mechanisms, principles, practices, and supporting social understandings that promote
or otherwise affect the accountability of global administrative bodies, in particular by ensuring they meet
adequate standards of transparency, participation, reasoned decision, and legality, and by providing effective
review of the rules and decisions they make.”26 The focal point of this definition is the insight that global
administrative bodies that exercise regulatory functions have emerged, as states on their own may be
unwilling (e.g. because of political or economic considerations) or unable (e.g. because of jurisdictional limits
or lack of resources) to exercise their regulatory authority. This gap is filled by global administrative bodies,
which engage in abstract rule-making and concrete decision-making, that have effects on the subjects that
operate in the respective regulatory environments. This new kind of global rule and decision-making raises
questions about the accountability and legitimacy of the respective regulatory regimes precisely because it
departs from orthodox conceptions about international decision-making. Classic intergovernmental
organizations derive their legitimacy from their constituting member states.27 As long as decisions are made
by consensus of state representatives, the eventual outcome can be conceptualized as an exercise of state
authority and decision makers can be held accountable by their respective constituencies. This line of
reasoning falls short in the case of institutions in which states play only a marginal role (as in ICANN) or no
role at (as in the IETF).
See the contributions in Michael Zürn, André Nollkaemper & Randall Peerenboom, RULE OF LAW DYNAMICS: IN AN
ERA OF INTERNATIONAL AND TRANSNATIONAL GOVERNANCE (Cambridge 2012).
26 See Benedict Kingsbury, Nico Krisch & Richard B. Stewart ‘The Emergence of Global Administrative Law’ 68 Law &
Contemporary Problems 15 (2005).
27 See the classic account by Thomas M. Franck ‘Legitimacy in the International System’ 82 American Journal of International
Law 705 (1988).
25
WORKING DRAFT – PLEASE DO NOT QUOTE OR CIRCULATE WITHOUT PERMISSION
Towards Global Cyberlaw | Thomas Streinz | Global/Emil Noël Fellows Forum Spring 2017 | February 26, 2017 | 9
However, one has to bear in mind that different global administrative arrangements have developed for a
reason, e.g. to address regulatory challenges that would otherwise prove ungovernable. In addition, the global
administrative body ought to be aware that compliance might be negatively affected if their rule- and
decision-making is perceived as illegitimate. In particular, they have to guard themselves against the
impression that their rule and decision making constitutes not more than an arbitrary exercise of power. This
is why global administrative bodies have a strong self-interest to develop mechanisms, principles, and
practices that enhance accountability and bolster their legitimacy. The bulk of these mechanisms, principles,
and practices constitute the emerging Global Administrative Law (GAL).
Across different administrative regimes, reoccurring patterns become visible, most notably the principles
of transparency, participation, reason giving, and review. They help to hold regulators accountable. ICANN
has already undertaken various efforts to boost its legitimacy by adapting its governance structure and
decision-making procedures to GAL standards. 28 Admittedly, these efforts have not been without setbacks.
An initial attempt to make the elections of the ICANN Board more participatory by conducting direct
elections failed due to a lack of participants.29 The quest for enhanced accountability might lead to ‘multiple
accountabilities disorder’.30 In its most recent governance reform, ICANN created a whole new, highly
complex, and yet untested structure with special rights for ‘empowered communities’. To serve as a
meaningful legal framework, GAL needs to overcome its fixation on procedural disciplines: normative criteria
such as fairness, effectiveness, and justice but also context-specific values such as interconnectedness and
openness should be part of the global cyberlaw formula.
The IETF has been less in the spotlight than ICANN but governments increasingly realize that
controlling the internet’s technological foundations is an important forum to enhance cybersecurity. If
Lawrence Lessig is right that ‘code is law’ in the age of the internet, the IETF is one of the predominant
lawmakers. Thus there is a need to analyze IETF’s intricate code/law making procedures and to subject them
to GAL disciplines. The IETF’s mantra of decision-making by rough consensus and running code (RCRC)
may not only serve as a basis for a new theory of transnational private law,31 it should also be recognized as
an increasingly important exercise of regulatory power, which needs to be checked by law to be legitimate.
On legitimacy concerns surrounding ICANN cf. JONATHAN WEINBERG “ICANN and the Problem of Legitimacy” 50
Duke Law Journal 187 (2000).
29 Cf. Jonathan G. Palfrey Jr. ‘The End of the Experiment: How ICANN’s Foray into Global Internet Democracy Failed’
Harvard Public Law Working Paper No. 93; Berkman Center Research Publication No.2004-02, available on SSRN:
https://ssrn.com/abstract=487644.
30 See on this novel disease Jonathan G. S. Koppell ‘Pathologies of Accountability: ICANN and the Challenge of
‘Multiple Accountabilities Disorder’’ 65 Public Administration Review 94 (2005).
31 This is the approach taken by Gralf-Peter Calliess & Peer Zumbansen in their seminal book ROUGH CONSENSUS AND
RUNNING CODE: A THEORY OF TRANSNATIONAL PRIVATE LAW (Oxford 2012).
28
WORKING DRAFT – PLEASE DO NOT QUOTE OR CIRCULATE WITHOUT PERMISSION
Towards Global Cyberlaw | Thomas Streinz | Global/Emil Noël Fellows Forum Spring 2017 | February 26, 2017 | 10
3. Alternative Approaches
It is instructive to consider alternative approaches to GAL to bolster the claim that the latter is best
equipped to serve as a foundation of global cyberlaw as defined here. I will briefly discuss two of them:
‘international public law’ and ‘global constitutionalism’. There are more.32
The former wants to move from public international law to international public law as a legal framework
for global governance.33 The key concept to which such an international public law seeks to respond is the
‘exercise of international public authority’. However, if applied to the context of internet governance, the
limitations of this approach become readily apparent. Its legalistic rather than aspirational or effectual
demarcation between the national, supranational, and the international prevents ‘international public law’ to
be usefully applied to institutions such as ICANN or the IETF. According to von Bogdandy et al, “[w]hether
an act amounts to an exercise of international public authority, in contrast to domestic or supranational
authority, depends on the provision it invokes as a legal basis.”34 This understanding, while providing a clear
rule to shed the national from the international, grossly miscategorizes global institutions of internet
governance. ICANN, a non-for profit organization under California law, would be exercising national public
authority despite its global reach. The IETF, which operates without any formal legal basis, falls completely
through the grid. As it turns out, ICANN and IETF also fail to meet the two other IPA criteria—‘publicness’
and ‘authority’. Even though both institutions claim to act in the public interest, this claim is not backed by a
specific ‘mandate’.35 And even though both institutions wield significant power, this power is not based on
international law.36 If asked for input on global cyberlaw, international public law responds with a 404 error.
Global constitutionalism has been a burgeoning yet somewhat undefined concept that has been
transposed to political and legal orders other than states. Ingolf Pernice has argued for its application in the
context of internet governance. His particular version of global constitutionalism has the benefit to operate
from the perspective of the individual ‘netizen’ without requiring a cosmopolitan ‘global citizenry’. 37 Indeed,
certain element of global constitutionalism might be useful to fill normative gaps in global cyberlaw. For
instance, GAL-style participation rights could be fine-tuned in line with a normative claim about the benefits
of deliberative rulemaking. Other variants of global constitutionalism, however, come with the heavy baggage
of a state-based imagery. For instance, attempts to draft ‘digital bill of rights’ often fail to take the specific of
Neil Walker, INTIMATIONS OF GLOBAL LAW (Cambridge 2015), p. 55 identifies no less than ‘seven species of global
law’.
33 Armin von Bogdandy, Matthias Goldmann & Ingo Venzke, ‘From Public International to International Public Law:
Translating World Public Opinion into International Public Authority’, Max Planck Institute for Comparative Public
Law & International Law (MPIL) Research Paper No. 2016-02 (February 25, 2016), available at SSRN:
https://ssrn.com/abstract=2770639.
34 Ibid, at 24 (emphasis also in original).
35 Ibid, at 29.
36 Ibid, at 31.
37 Ingolf Pernice, ‘Global Constitutionalism and the Internet. Taking People Seriously’, HIIG Discussion Paper Series
(2015-01) (March 10, 2015), available at https://ssrn.com/abstract=2576697.
32
WORKING DRAFT – PLEASE DO NOT QUOTE OR CIRCULATE WITHOUT PERMISSION
Towards Global Cyberlaw | Thomas Streinz | Global/Emil Noël Fellows Forum Spring 2017 | February 26, 2017 | 11
the cyber context into account. Fundamental rights have been developed over centuries in contention with
state authority and are intrinsically tied to a particular institutional setup. To transpose them into cyberspace
without adaption—“everything that is protected offline, needs to be protected online”—is an empty slogan.
V.
Conclusion
There is a role for national law, classic international law, and novel approaches to international law in
internet governance. National governments will continue to regulate the use of the internet domestically to
reflect local preferences. Mitigating the extraterritorial effects of such regulations remains an unresolved
challenge. If there is enough common ground or economic interest among a certain group of states, they will
push ahead to conclude treaties under international law which address specific questions of internet usage (as
in the case of the cybercrime convention or with regard to copyright protection treaties). In addition, there is
a need for global cyberlaw which addresses the actors of internet governance which control its functioning
and future development. GAL is a useful building block for it. More works remains to be done: GAL needs
to be operationalized in the specific institutional contexts of ICANN, the IETF, and other internet
governance bodies. Furthermore, the dominant role of platform companies such as Amazon, Facebook,
Microsoft, and Google and their transnational operation raises questions about the proper legal framework.
Global cyberlaw remains work in progress.
***
WORKING DRAFT – PLEASE DO NOT QUOTE OR CIRCULATE WITHOUT PERMISSION