In the first EU measure of its type, Council Regulation (EU) 2019/796 concerning restrictive measures against cyberattacks threatening the Union or its Member States [17th May 2019] contains targeted sanctions against online “external threats” to IP. This Regulation is aimed at threats which originate from outside the EU, use infrastructure from outside the EU, or otherwise the person(s) instrumental in such a cyberattack are established abroad (Article 1).
Amongst other criteria, Article 2 of the Regulation targets an actual or attempted cyberattack on IP which has a, potentially, “significant effect”, on the “loss of commercially sensitive data”. Such commercially sensitive data will fall within the definition of a ‘trade secret’ under Council Directive (EU) 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure [8 June 2016] if that data: 1. is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question; 2. has commercial value because it is secret; 3. has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.
Article 3 of this new Regulation imposes an asset freeze on natural or legal persons, entities or bodies who are responsible for the actual or attempted cyberattack; provide financial, technical or material support for or are otherwise involved in the cyberattack; or are associated with the natural or legal person, or bodies involved. As a result of such an asset freeze, all funds and economic resources belonging to, or controlled by, such listed persons and that fall under EU jurisdiction (e.g. held by EU banks) will be frozen. In addition, no funds or economic resources may be made available to or for the benefit of the said listed person by parties falling under EU jurisdiction.
This latest EU Regulation should serve to remind us that the “big international question” of cyberspace governance still remains to be resolved, albeit Sir Mark Sedwill (Cabinet Secretary, Head of the UK Civil Service and UK National Security Advisor) would note that the major private sector providers are more receptive than ever to its resolution (see Public Accounts Committee Oral evidence: Cyber Security in the UK, HC 1745 [1st April 2019] Q93).
In his article Jurisdiction In Cyberspace: A Theory of International Spaces Darrel Menthe asserts that, “unless it is conceived of as an international space, cyberspace takes all of the traditional principles of conflicts-of-law and reduces them to absurdity.” Akin to the “law of the flag” on the high seas, nationality of a vessel (manned or unmanned) in outer space or the nationality of the base in Antarctica, Menthe advocates, even in the absence of such a sui generis treaty regime as regulates the other three international spaces, that jurisdictional analysis requires cyberspace should be treated as a fourth international space governed by a comparable set of default legal rules (see Darrel Menthe, Jurisdiction In Cyberspace: A Theory of International Spaces 4 MICH.TELECOMM.TECH.L.REV 69 (1998)).