Challenges of Jurisdiction in Cyberspace
Territoriality Principle and its Limitations
Global nature of internet vs. territorial jurisdiction of laws
The Territoriality Principle is a traditional basis of jurisdiction that grants a country the authority to apply its laws to crimes committed within its territorial borders. This works effectively for physical crimes but becomes problematic in cyberspace, where actions and effects cross borders in milliseconds.
The Internet is a borderless medium—a cyber attack launched from a server in Russia may affect a bank in India, using infrastructure located in Singapore. This fragmented geography makes territorial law enforcement inadequate to handle cyber offences.
Limitations of Territoriality in Cyberspace
- Difficulty in identifying the physical location of servers or actors
- Cybercrime may involve victims and perpetrators across multiple jurisdictions
- Delays and procedural complexities in transnational investigation
- Conflicts between national laws (e.g., what is illegal in one country may be legal in another)
Example: A person in the UK launches a phishing attack targeting Indian users via a US-based email provider. Who should prosecute? Under what law? These questions highlight the limitations of territoriality in cyberspace.
Nationality Principle
Jurisdiction based on nationality of offender
The Nationality Principle allows a country to claim jurisdiction over its citizens, even if the offence is committed outside its territory. This principle becomes important when a cyber criminal is an Indian citizen committing crimes abroad.
Under this principle, Indian courts may initiate legal proceedings if an Indian national, for example, hacks into a US government server while residing in France.
Importance in Cyberspace
- Helps address crimes committed by citizens beyond physical borders
- Acts as a deterrent for citizens engaging in cybercrime from foreign jurisdictions
Challenges
- Requires strong diplomatic cooperation and mutual legal assistance
- May conflict with sovereignty of the nation where the crime occurred
Example: An Indian student abroad writes ransomware targeting Indian banks and foreign institutions. Though the offence occurs outside India, the nationality principle may still apply for prosecution in Indian courts.
Protective Principle
Jurisdiction based on national interest
The Protective Principle permits a state to claim jurisdiction over acts committed outside its territory by foreign nationals, if those acts threaten the security, economy, or governmental functions of the state.
It is particularly relevant in cyber terrorism, economic espionage, and cyber warfare where an attack from another country may target sensitive national infrastructure or data systems.
Application in Cyberspace
- Cyber espionage targeting defence or intelligence agencies
- Disruption of financial markets through cyber manipulation
- Attacks on healthcare or public utility systems (e.g., power grids)
Example: If a hacker in Iran disrupts the Indian Air Traffic Control system, India may prosecute the foreign hacker under the protective principle—even if the person never physically entered India.
Challenges
- Requires attribution and proof of foreign origin
- May trigger diplomatic tensions or conflict with international law norms
Universality Principle
Jurisdiction based on universally condemned crimes
The Universality Principle allows any nation to claim jurisdiction over certain crimes considered so serious that they affect the international community as a whole. Examples include:
- Genocide
- War crimes
- Piracy
- Cyber terrorism (emerging inclusion)
In the cyber domain, there is growing consensus that certain categories of cybercrime—such as child pornography, cyber terrorism, and crimes against humanity facilitated through digital platforms—should fall under universal jurisdiction.
Application in Cyberspace
- Global coordination in tracing and arresting operators of darknet child exploitation networks
- Prosecution of cyber terrorists even if no direct connection exists between the attacker and prosecuting state
Example: An international hacker collective launches a cyber attack on a United Nations peacekeeping mission. Any country can initiate legal action under the universality principle regardless of location or nationality.
Limitations
- Lack of uniform international legal definitions for cyber terrorism or cyber war
- Absence of a binding global treaty on cyber jurisdiction
Conclusion: The jurisdictional principles of Territoriality, Nationality, Protective, and Universality offer different mechanisms to prosecute cybercrime. However, given the borderless nature of cyberspace, a combination of these along with strong international cooperation is essential.
Determining Jurisdiction under IT Act, 2000
Section 75: Application of Act to offences committed outside India
If the offence involves a computer, computer system or computer network located in India
Section 75 of the Information Technology Act, 2000 extends the applicability of the Act to offences or contraventions committed outside the geographical boundaries of India provided they involve a computer resource located in India.
This provision ensures that even if the perpetrator is outside India, the Indian legal system can exercise jurisdiction if the target of the offence is within the country.
Legal Text: "The provisions of this Act shall apply also to any offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India."
If the offence involves accessing a computer, computer system or computer network located in India
This means that any unauthorized access or cyber attack targeting Indian servers, databases, or websites—even when initiated from a foreign location—is triable under Indian law.
Example: A hacker based in Germany breaches the data of Indian citizens stored on a server located in Mumbai. Even though the offender is outside India, Section 75 empowers Indian authorities to prosecute the hacker as the crime involves a resource located within India.
Importance of Section 75
- Empowers cross-border enforcement of cyber law
- Deters foreign-based cyber criminals from targeting Indian systems
- Supports India's sovereignty in cyberspace
Jurisdiction based on location of crime and location of offender
Traditional vs Cyber Jurisdictional Challenges
Unlike physical crimes, where the location of the act is clearly definable, cybercrimes involve multiple jurisdictions: the location of the offender, the location of the target system, and the location where the effects of the crime are felt.
This creates jurisdictional complexity in terms of:
- Which country's laws should apply?
- Which court has the right to try the case?
- How can the accused be extradited or summoned?
Factors Considered for Cyber Jurisdiction
- Place of origin of the cyber activity
- Location of computer systems involved
- Place where the consequences occurred
- Nationality or domicile of the offender
For example, if a person in Dubai hacks into an Indian bank server and customers in Bengaluru face monetary loss, multiple jurisdictions become involved: Dubai (offender), India (target system), Karnataka (victims).
Indian Court Interpretations
Indian courts have adopted a liberal interpretation of territorial jurisdiction in cyber cases, under which even the location of impact or damage (such as the location of the victim) can be sufficient for a court to assume jurisdiction.
Jurisdiction in relation to Internet Service Providers (ISPs)
Role and Regulation of ISPs in India
Internet Service Providers (ISPs) play a key role in the delivery and control of internet access. They may also be involved—intentionally or unintentionally—in hosting, transmitting, or allowing illegal content or cyber offences to pass through their networks.
Under the IT Act and associated rules:
- ISPs are considered intermediaries under Section 2(1)(w)
- They are required to exercise due diligence under Section 79 to avoid liability
- They may be required to block content under government directives (Section 69A)
Jurisdictional Implications for ISPs
- ISPs must comply with Indian legal obligations if they operate in India, regardless of where their parent company is based
- They may be held liable for failing to prevent or report cybercrime incidents
- Indian courts can summon foreign ISPs if the crime affects Indian users or systems
Example: A US-based ISP hosts a website that publishes defamatory content targeting an Indian government officer. The site is accessible in India. The Indian court can claim jurisdiction over the matter and direct the ISP to remove such content.
Safe Harbour Protection
ISPs enjoy “safe harbour” protection under Section 79 only if they:
- Act as mere conduits and don’t initiate transmission
- Don’t select the receiver or modify the information
- Act promptly on takedown requests for unlawful content
Failure to meet these conditions may result in loss of exemption and legal liability.