According to some countries and legal scholars, the sovereignty principle does not constitute an
independently binding rule of international law that is separate from the other rules derived from it.
The Netherlands does not share this view. It believes that respect for the sovereignty of other
countries is an obligation in its own right, the violation of which may in turn constitute an
internationally wrongful act. This view is supported, for example, by the case law of the International
Court of Justice, which ruled in Nicaragua v. United States of America that the United States had
acted in breach of its obligation under customary international law not to violate the sovereignty of
another state. 4 Below the government will discuss the significance of this obligation in more detail.
Firstly, sovereignty implies that states have exclusive jurisdiction over all persons, property and
events within their territory, within the limits of their obligations under international law, such as
those relating to diplomatic privileges and immunity, and those arising from human rights
conventions. This is the internal aspect of sovereignty. Secondly, sovereignty implies that states
may freely and independently determine their own foreign policy, enter into international obligations
and relations, and carry out activities beyond their own borders, provided they respect the rules of
international law. This is the external aspect of sovereignty.
Both aspects apply equally in cyberspace. States have exclusive authority over the physical, human
and immaterial (logical or software-related) aspects of cyberspace within their territory. Within their
territory they may, for example, set rules concerning the technical specifications of mobile networks,
cybersecurity and resilience against cyberattacks, take measures to combat cybercrime, and enforce
the law with a view to protecting the confidentiality of personal data. In addition, they may
independently pursue foreign ‘cyber’ policy and enter into treaty obligations in the area of
cybersecurity. The Netherlands’ decision to accede to the Convention on Cybercrime of the Council
of Europe is an example of the exercise of Dutch sovereignty.
States have an obligation to respect the sovereignty of other states and to refrain from activities
that constitute a violation of other countries’ sovereignty. Equally, countries may not conduct cyber
operations that violate the sovereignty of another country. It should be noted in this regard that the
precise boundaries of what is and is not permissible have yet to fully crystallise. This is due to the
firmly territorial and physical connotations of the traditional concept of sovereignty. The principle
has traditionally been aimed at protecting a state's authority over property and persons within its
own national borders. In cyberspace, the concepts of territoriality and physical tangibility are often
less clear. It is possible, for example, for a single cyber operation to be made up of numerous
components or activities initiated from or deployed via different countries in a way that cannot
always be traced. In addition, there are various ways of masking the geographic origin of activities
performed in cyberspace. What is more, data stored using a cloud-based system is often moved
from one location to another, and those locations are not always traceable. So it is by no means
always possible to establish whether a cyber operation involves a cross-border component and thus
violates a country's sovereignty. Even if the origin or route of a cyber operation can be established,
these kinds of operations do not always have a direct physical or tangible impact.
From the perspective of law enforcement (which is part of a state’s internal sovereignty), the manner
in which the principle of sovereignty should be applied has not fully crystallised at international level
either. Shared investigative practices do seem to be developing in Europe and around the world,
however. Data relevant to criminal investigations is increasingly stored beyond national borders, for
example in the cloud, in mainly private data centres. And when it comes to criminal offences
committed on, or by means of, the internet, the location of data – including malicious software or
code – and physical infrastructure is often largely irrelevant. It is easy to hide one’s identity and
location on the internet, moreover, and more and more communications are now encrypted. Even
in purely domestic criminal cases – including cybercrime – where the suspect and victim are both in
the Netherlands, cyber investigations often encounter data stored beyond our borders, particularly
when investigators require access to data held by online service providers or hosting services, or
need to search networks or (covertly) gain remote entry to an automated system. The act of
exercising investigative powers in a cross-border context is traditionally deemed a violation of a
country’s sovereignty unless the country in question has explicitly granted permission (by means of
a treaty or other instrument). Opinion is divided as to what qualifies as exercising investigative
powers in a cross-border context and when it is permissible without a legal basis founded in a treaty.
In cyberspace too, countries’ practices differ in their practical approaches to the principle of
sovereignty in relation to criminal investigations. The Netherlands actively participates in
Case concerning military and paramilitary activities in and against Nicaragua (Nicaragua v. United States of
America), International Court of Justice (ICJ), 27 June 1986, paras 15 and 292.
4
2