Oxford University Press's
Academic Insights for the Thinking World

Will data privacy change the law?

It is customary to distinguish between three different forms of jurisdiction. As is well known, prescriptive (or legislative) jurisdiction relates to the power to make law in relation to a specific subject matter. Judicial (or adjudicative) jurisdiction, as the name suggests, deals with the power to adjudicate a particular matter. And, finally, enforcement jurisdiction relates to the power to enforce the law put in place, in the sense of arresting, prosecuting, and punishing an individual under that law.

However, not least due to the increase in cross-border contacts stemming from the Internet, it is useful to also consider a fourth type of jurisdiction. Indeed, what we can call “investigative jurisdiction” protects a state’s power to investigate a matter without exercising adjudicative jurisdiction, applying prescriptive jurisdiction, or enforcing actions against the subject of its investigation. It is particularly useful in the context of data privacy law and consumer protection—areas where complaints are often best pursued by bodies such as privacy commissioners/ombudsmen and consumer protection agencies.

In light of this, it does not make sense to bundle investigative jurisdiction with enforcement jurisdiction, as is traditionally done. Indeed, the crucial importance of distinguishing investigative jurisdiction from other forms of jurisdiction was at the core of a 2007 decision by the Federal Court of Canada.

In Lawson v Accusearch, Inc.[2007] 4 FCR 314, the Privacy Commissioner of Canada was forced to defend, in court, her decision to decline to investigate a complaint made by Lawson of the Canadian Internet Policy and Public Interest Clinic against a corporation based in the United States. Sean J. Harrington of the Federal Court stated that:

I agree with her [the Privacy Commissioner of Canada] that PIPEDA [Personal Information Protection and Electronic Documents Act] gives no indication that Parliament intended to legislate extraterritorially. […] [However, the] Commissioner does not lose her power to investigate because she can neither subpoena the organization nor enter its premises in Wyoming. […] It would be most regrettable indeed if Parliament gave the Commissioner jurisdiction to investigate foreigners who have Canadian sources of information only if those organizations voluntarily name names. Furthermore, even if an order against a non-resident might be ineffective, the Commissioner could target the Canadian sources of information. I conclude as a matter of statutory interpretation that the Commissioner had jurisdiction to investigate, and that such an investigation was not contingent upon Parliament having legislated extraterritorially[.]

Moreover, the ongoing dispute between Microsoft and the United States government, in which the government attempted to force Microsoft into providing details about an e-mail account held by its subsidiary in Ireland, further illustrates why it is the right time to distinguish, define, and delineate investigative jurisdiction.

As I have argued elsewhere, there are strong reasons to think Microsoft will be successful in the dispute. Yet the very fact that dispute arose in the first place highlights the fact that contemporary jurisdictional thinking has failed to adequately address the challenges posed by the Internet in general, and perhaps cloud computing as well. This failure may partly be blamed on the law’s unwillingness to part with traditional categorisations rather than recognizing models and structures that better correspond to the new technological reality.

Image Credit: “Microsoft” by SimeonK. CC BY NC 2.0 via Flickr.

Recent Comments

There are currently no comments.