Doctors, like priests and lawyers, must be able to keep secrets. For medical care to be effective, for patients to trust their doctor, patients must have confidence that they can talk frankly to them. This chapter considers the legal protections of confidential information, focusing on the common law protections of confidentiality and its recent developments to protect privacy and the latest statutory protections of data protection.
This chapter demonstrates that cyber-espionage is neither prohibited, nor promoted by the UN Charter. According to a traditional ‘instrumental’ interpretation of Articles 2(4) and 51, the use of force and armed attacks must involve a specific means: weapons. However, cyber-espionage devices do not qualify as such. Alternative interpretations were proposed by experts, and the consequentialist approach is part of them. According to this view, a cyber-operation qualifies as use of force (or an armed attack) when its effects are similar to a non-cyber operation rising to the level of a use of force. If this approach is progressively gaining acceptance among States, it does not result in a prohibition of cyber-espionage either, as it fails to cause destruction. This lack of prohibition does not mean, however, that cyber-espionage is authorised. In fact, it results in significant tensions and is not endorsed by the UN Charter. Most States also acknowledge the development of intelligence programs, but without claiming a right to do so.
The conclusion explains that, for a long time, espionage was only indirectly constrained by international law – and States were satisfied with this. This regime was however destabilised by the digitalisation of espionage. Hence, cyber-espionage is neither authorised nor prohibited: it is not unlawful, but States do not want to create a right to spy. As a matter of fact – and for the time being – regulation of cyber-espionage is mainly achieved through domestic laws. The conclusion also focuses on the managerialist approach to international law, and explains how a need to fill a so-called legal vacuum emerged in doctrine.
While espionage among nations is a long-standing practice, the emergence of the internet has challenged the traditional legal framework and has resulted in the intensification of intelligence activities. In fact, espionage was subject to indirect regulation, which applied where a spy was (often at their own risk) trespassing on foreign territory or sent behind enemy lines. With the emergence of cyber-espionage, however, agents may collect intelligence from within their own jurisdictions, with a great deal of secrecy and less risk. This monograph argues that – save for some exceptions – this activity has been subject to normative avoidance. It means that it is neither prohibited – as spying does not result in an internationally wrongful act – nor authorised, permitted or subject to a right – as States are free to prevent and fight foreign cyber-espionage activities. However, States are aware of such status of law, and are not interested in any further regulation. This situation did not emerge by happenstance but rather via the purposeful silence of States – leaving them free to pursue cyber-espionage themselves at the same time as they adopt measures to prevent falling victim to it. To proceed, this monograph resorts to a first-class sample of State practice and analyses several rules and treaties: territorial sovereignty, collective security and international humanitarian law (i.e. the rules applicable between belligerent and neutral Powers, as well as between belligerents themselves), the law of diplomatic relations, human rights law, international law and European economic law. It also demonstrates that no specific customary law has emerged in the field.
This chapter argues that neither the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) nor European Union law prohibits economic cyber-espionage. In fact, they still tolerate cyber-espionage on some specific grounds. On the one hand, Articles 3 (national treatment) and 39 (protection of undisclosed information) of the TRIPS do not prohibit it. This chapter argues that Article 3 and subsequent practice confirm that ‘national treatment’ only applies on the very territory of the Member State – i.e., it is not supposed to regulate the extraterritorial conduct of States – and is not intended to protect trade secrets. Then, pursuant to Article 39, States have a positive obligation: to give private persons the means to protect undisclosed information from ‘others’ – i.e., other private persons. However, States are not required to abstain from spying abroad. Furthermore, it argues that the ideals of an EU free market, loyal cooperation and a high level of competitiveness are not enough to prevent such activity either. The application of EU Directive 2016/943 does not give better results. On the other hand, under Article 73 of the TRIPS, Member States are free, ‘in time of war or other emergency in international relations’, to take any necessary measure for the protection of ‘essential security interests’. Yet, this power is more limited in peacetime. In fact, only information relating to ‘fissionable materials or the materials from which they are derived’, ‘traffic in arms ammunition and implements of war’ may be collected over this period. This means that, when essential security interests are at stake, certain forms of cyber-espionage are still conceivable.
If human rights treaties are concerned with the protection of privacy, this chapter argues that extraterritorial espionage usually escapes such regulation. In fact, the current understanding of jurisdiction remains physical, and it is only where physical access to the infrastructure is secured that State jurisdiction is relevant. It means that the right to privacy must only be secured where data is intercepted by national authorities as it crosses the border, or where a State requests another actor based on its territory – like an internet or cloud-service provider – to deliver pieces of data, even if information is stored abroad. This is due to the fact that this actor is indeed based on the territory of a Member State, and subject to its jurisdiction. However, this is not the case where data is directly and remotely accessed by intelligence services. Then, and even where the right to privacy applies, it does not set burdensome requirements. If human rights bodies are quite strict regarding the application of the legality principle, most cyber-espionage activities may actually find a lawful justification (whether in terms of national security, preservation of economic well-being or the prevention and repression of crimes). If the requirement of proportionality would typically require Member States to favour the least intrusive solution, it does not outlaw bulk interceptions per se.
These preliminary words briefly explore the history of espionage and the emergence of cyber-espionage. The main challenges are mentioned – i.e. the possibility to evade arrest and attribution, the cheap cost and the special nature of cyber-space.