Editorial

Data flows do not stop at national borders—but that is nothing new. What is relatively new, however, is that the IT law of a national legislature also increasingly does not stop at its own national borders—this is what is known as the “extraterritorial effect” of laws. For Europe, this extraterritorial effect of IT-related legislation, even outside of pure business law or antitrust legislation, has gained widespread attention since 2016at the latest with the General Data Protection Regulation (GDPR). In this way, concepts such as the “market location principle” mean that foreign companies based in other countries must also adapt more and more to European law in the design of their IT processes if they want to develop business activities in the EU. With the general global consolidation of IT regulation that we are currently seeing and have seen increasingly in recent years, the extraterritorial effect of laws is also more and more affecting cybersecurity law. The Chinese legislature in particular regularly creates uncertainty for foreign companies with business activities in the People’s Republic of China by not only continuously enacting new laws with an IT security focus—such as the Cryptography Law and the Data Security Law—directly following the Chinese Cybersecurity Law from 2016, but also interpreting existing regulations in the often general clause-like formulations of current IT security legislation in such a way that they can have a global extraterritorial effect. This currently includes, for example, attempts to require manufacturers to first disclose zero-day vulnerabilities to Chinese authorities before they can be published via other disclosure procedures. The last example in particular proves that the actual impact of extraterritorial IT legislation is enormous and can ultimately even become a prerequisite for market ac-


Dear reader,
Data flows do not stop at national borders-but that is nothing new. What is relatively new, however, is that the IT law of a national legislature also increasingly does not stop at its own national borders-this is what is known as the "extraterritorial effect" of laws. For Europe, this extraterritorial effect of IT-related legislation, even outside of pure business law or antitrust legislation, has gained widespread attention since 2016 at the latest with the General Data Protection Regulation (GDPR). In this way, concepts such as the "market location principle" mean that foreign companies based in other countries must also adapt more and more to European law in the design of their IT processes if they want to develop business activities in the EU. With the general global consolidation of IT regulation that we are currently seeing and have seen increasingly in recent years, the extraterritorial effect of laws is also more and more affecting cybersecurity law. The Chinese legislature in particular regularly creates uncertainty for foreign companies with business activities in the People's Republic of China by not only continuously enacting new laws with an IT security focus-such as the Cryptography Law and the Data Security Law-directly following the Chinese Cybersecurity Law from 2016, but also interpreting existing regulations in the often general clause-like formulations of current IT security legislation in such a way that they can have a global extraterritorial effect. This currently includes, for example, attempts to require manufacturers to first disclose zero-day vulnerabilities to Chinese authorities before they can be published via other disclosure procedures.
The last example in particular proves that the actual impact of extraterritorial IT legislation is enormous and can ultimately even become a prerequisite for market ac-cess-or should at least be observed from a compliance perspective in order to avoid fines, claims for damages and government sanctions. Even if the Chinese legislature is often used as an example to demonstrate the increasingly strong extraterritoriality of IT legislation, it is by no means alone-and more and more countries are coming up with new regulations. For example, IT security regulations that also have an effect abroad can now be found in Indian law, in U.S. law and in Russian legislation and, with the new IT Security Act 2.0 (IT-SiG 2.0), not least also in German legislation when it comes to guarantee declarations and international supply chain proofs for secure IT products. In some cases, such regulations are also linked to far-reaching data localization obligations in order to ensure the value and protection of (personal) data as a national security interest.
Extraterritorial laws in IT are, so to speak, "in vogue" and are increasingly becoming a means of exerting pressure in terms of economic policy, not only to control foreign companies and transnationally active large corporations, but also to play off one's own economic power on the international stage. National state security interests also play a role, as noted earlier. An interesting effect of extraterritorial IT legislation with the market location principle is also that states align their own national law with the corresponding foreign laws with their international impact. The best example in this context is the new Chinese "Personal Information Protection Law" (PIPL), which recently came into force on November 1, 2021 and has transferred numerous principles from the European General Data Protection Regulation into national Chinese law, but without necessarily pursuing the same regulatory objectives as the EU legislator. Consequently, if a state or an association of states has considerable market power, economic policy considerations in an international context can certainly influence national legislation. And, of course, this also applies beyond IT and cybersecurity.
However, companies affected by foreign IT laws are mostly left alone to find and correctly interpret the legal provisions that apply to them, as well as to collect any necessary contacts with authorities for implementation. Language and cultural barriers further complicate dealing with foreign IT compliance requirements. Small and medium-sized enterprises (SMEs) in particular face considerable problems here. In addition, the legal and political spheres overlap, as there is no clear point of contact or problem solver for the dilemma of foreign impact of international IT legislation: Should the legal counsel directly be addressed, or is it better to rely on the influence of industry associations, chambers of commerce, or national ministries to engage in dialogue with the relevant states? There is certainly no panacea here-just as the last word has probably not yet been spoken in this still open question and challenge for international IT compliance.
As a result, however, it can at least be stated that it makes more and more sense to deal with foreign legislation in a global context-also beyond the law of IT security-in order to continue to offer products and services in line with the market. This issue of the ICLR is once again intended to help with this task, among other things, and contains various current and interesting contributions and topics "around the globe": For example, one focus in this issue is the draft for a new EU NIS-2 Directive, which is examined from different perspectives by the authors of two articles. There are also news with regard to China, which was already mentioned at the beginning of this editorial. These are presented in the article on the new Chinese data security law with a practical perspective. Other international papers provide an overview of the legal basis for cybersecurity in Russia and India's new legislation on platform regulation, which is also relevant from a security perspective. Several articles in this issue also take a closer look at Germany in terms of criminal law in dealing with criminal trading platforms on the Internet and the latest relevant legislation, as well as portscans in the light of civil law claims. Going beyond purely legal considerations, another paper presents the depths and shallows of "Open Source Intelligence" (OSINT), which can be used, among other things, to prepare for cyber attacks. Finally, we venture a look "across the pond" with a paper that compares and analyzes the German and Brazilian (constitutional) legal guarantees for IT security. Last but not least, this issue introduces a new section, "Numbers & Statistics," which records data breaches numerically, breaks them down by different countries, and evaluates them.
As always, I hope you enjoy reading the latest issue of the International Cybersecurity Law Review. If you have any questions, please do not hesitate to contact the authors of the articles directly-and feel invited to contribute your own article to one of the upcoming issues if you are currently working on an internationally relevant topic of cybersecurity regulation that might be of interest to the readership.
Mit den besten Grüßen aus der Hansestadt Bremen, Prof. Dr. Dennis-Kenji Kipker Funding Open Access funding enabled and organized by Projekt DEAL.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4. 0/.