{"id":28868,"date":"2026-06-15T14:00:28","date_gmt":"2026-06-15T12:00:28","guid":{"rendered":"https:\/\/voelkerrechtsblog.org\/?p=28868"},"modified":"2026-06-16T08:07:12","modified_gmt":"2026-06-16T06:07:12","slug":"rethinking-the-territorial-tort-exception-in-the-age-of-proxy-states","status":"publish","type":"post","link":"https:\/\/voelkerrechtsblog.org\/de\/rethinking-the-territorial-tort-exception-in-the-age-of-proxy-states\/","title":{"rendered":"Rethinking the Territorial Tort Exception in the Age of Proxy States"},"content":{"rendered":"

Recently, there has been an increase in cybercrimes (see here<\/u><\/a>) and their potential to cause tortious harm<\/u><\/a>. Due to the inherent nature of such actions, they have transboundary effects and are often routed through proxy States with weak cyber infrastructure. In addition to this, international law recognises immunity for all State actions, barring certain exceptions<\/u><\/a> such as the territorial tort exception. This exception strips a foreign State of immunity when the tortious act causing personal injury or property damage occurs within the territory of the State where the claim is being heard. This article interrogates a growing fault line in public international law, which is the inability of the territorial tort exception to State immunity to address transboundary cyber harm routed through proxy States. It argues that this inability occurs because the standard of due diligence in cyberspace depends on proving that a State had \u201cknowledge\u201d that its territory was being used to cause harm. Given the difficulty of tracing cyberattacks, this creates a gap that allows proxy States to avoid liability and leaves victims without effective remedies.<\/p>\n

To address this failure, this article argues for a reconceptualization of jurisdictional immunity and due diligence to restore the protective purpose of the territorial tort exception and better address modern cyber harms.<\/p>\n

The Territorial Tort Exception and Its Relevance<\/strong><\/p>\n

The United Nations (\u2018UN\u2019) Charter<\/u><\/a> recognises the sovereign equality of States (Art. 2(1)), preventing them from being subject to another State\u2019s jurisdiction<\/u><\/a>. However, this immunity is limited by the territorial tort exception<\/u><\/a>. State immunity may be compared to white light dispersing into a rainbow, wherein the white light is the customary rule<\/u><\/a> of State immunity, and the territorial tort exception refracts it into differing State interpretations that can be grouped into three categories.<\/p>\n

The first group includes States that require the tortfeasor causing the damage to be present in the territory of the State claiming jurisdiction for the exception to immunity to apply. This group includes the States that are party to the European Convention on State Immunity (\u2018ECSI<\/u><\/a>\u2019) (Art. 11), the United States<\/u><\/a> (\u201cUS\u201d) (\u00a7\u00a01605), Japan<\/u><\/a> (Art. 10). This approach has been adopted by the United Nations Convention on Jurisdictional Immunities of States and Their Property (\u2018UNJISP\u2019). The second group includes the United Kingdom<\/u><\/a> (\u00a7\u00a05), South Africa<\/u><\/a> (\u00a7\u00a06), Australia<\/u><\/a> (\u00a7\u00a03), and Singapore<\/u><\/a> (\u00a7\u00a07). These States recognize that while the tortfeasor need not be physically present within the forum State, the exception will apply if the act or omission causing the injury or damage occurs within that State. The last group includes Canada<\/u><\/a> (\u00a7\u00a06), Argentina<\/u><\/a> (\u00a7\u00a02(e)), and Israel<\/u><\/a> (\u00a7\u00a05). These States recognise that only the loss or damage must occur in their territory for a foreign State to be stripped of its immunity.<\/p>\n

Thus, there is insufficient consistent State practice to establish<\/u><\/a> the territorial tort exception as customary international law (CIL). To address this, the UN drafted the UNJISP with a uniform definition of the exception, but it failed to receive the required <\/u>ratifications<\/u><\/a>. For the UNJISP\u2019s definition of the territorial tort exception<\/u><\/a> to apply, three qualifiers<\/u><\/a> have to be met. First<\/em>, the injury must be caused by an act\/omission that is attributable to a State, second<\/em>, the act\/omission must occur in whole or in part in another State\u2019s territory, and third<\/em>, the author must be present in the other State (Art. 12). Originally, this exception was intended to cover only \u2018insurable risks<\/u><\/a>\u2019; however, the International Law Commission<\/u><\/a> (\u2018ILC\u2019) has clarified that the exception may cover physical harm such as assault, battery, arson and homicide (p. 45, \u00b6 4).<\/p>\n

In 2011, the International Court of Justice<\/u><\/a> (\u2018ICJ\u2019) did not establish whether the UNJISP definition of the territorial tort exception is reflective of CIL (\u00b6\u00a066) or not. Since neither Germany nor Italy were parties to the UNJISP or the ECSI, the ICJ analysed the contents of these two legislations \u201cin so far as they as their provisions and the process of their adoption and implementation shed light<\/u><\/a> on the content of [CIL]\u201d (\u00b6\u00a066). Consequently, due to divergent practice and limited ratifications, States are bound to recognise the tort exception primarily through their own national legislations. The next part of the paper addresses the applicability of these legislations to cyber\u00a0torts and analyses the blind spots.<\/p>\n

Application to Cyber<\/strong> T<\/strong>orts<\/strong><\/p>\n

The first approach to the territorial tort exception requires the tortfeasor\u2019s presence in the State where the damage occurs. The UNJISP and the US Foreign Sovereign Immunities Act (\u201cUS FSIA\u201d) adopt this approach. The ILC commentary<\/u><\/a> to the UNJISP specifically provides that the tort exception does not apply to \u201ctransboundary injuries or trans-frontier torts or damage\u201d (Art. 12, \u00b6 7). Similarly, the US courts have imposed the requirement of the \u201centire tort<\/u><\/a>\u201d, mandating that the tortfeasor, the harmful act, and the damage all occur within US territory. In Doe v. Ethiopia<\/em><\/u><\/a>\u00a0<\/em>(2017), for example, the claim failed because the Ethiopian government\u2019s wiretapping originated outside the US.<\/p>\n

The second approach to the territorial tort exception does not require the tortfeasor\u2019s presence in the State where the damage occurs, and the UK has extended this approach to cyber\u00a0torts. Although the wording of the UK State Immunity Act (\u201cUK SIA\u201d) appears ill-suited to transboundary cyberattacks, judicial developments suggest otherwise. There has been a shift since the case of Al <\/em><\/u>Adsani<\/em><\/u> v. UK<\/em><\/u><\/a>, where the claim failed because Kuwait\u2019s acts occurred outside the UK.\u00a0 In 2023, UK courts denied immunity to Saudi Arabia<\/u><\/a> and Bahrain<\/u><\/a> in transboundary spyware cases. Judge Knowles interpreted<\/u><\/a> the UK SIA as requiring \u201can act\u201d causing the damage on a more de minimis <\/em>basis, rather than \u201cthe act\u201d (\u00b6 30). Although this marked significant progress, it still does not address proxy States.<\/p>\n

The third category of States theoretically accommodates cyber torts by virtue of their \u2018damage-only\u2019 requirement for applying the territorial tort exception. However, there is a lack of any jurisprudence applying the same to cyber torts. Additionally, even this interpretation fails to accommodate proxy States due to the significant gap created by the due diligence obligation in cyberspace.<\/p>\n

Due Diligence and Proxy States<\/strong><\/p>\n

State sovereignty grants States control over their territory while imposing a corresponding duty of due diligence<\/u><\/a> (p. 16, \u00b6 12). In the Corfu Channel<\/em><\/u><\/a> case, the ICJ held Albania responsible for damage caused to the UK by a minefield. The court\u2019s reasoning was that the minefield could not have been laid without the State\u2019s knowledge, establishing<\/u><\/a> that States must not \u201cknowingly\u201d allow their territory to be used to cause harm (p. 244).<\/p>\n

In cyberspace, due diligence remains uncertain<\/u><\/a> due to the absence of binding international obligations, although States generally accept that international law applies to cyberspace<\/u><\/a> (p. 89). Recent non-binding norms adopted through a General Assembly Resolution<\/u><\/a> require States not to \u201cknowingly\u201d allow non-State actors to use their territory for internationally wrongful acts (\u201cIWAs\u201d) or to use proxies. Similarly, the Tallinn Manual<\/u><\/a>\u00a0recognises that due diligence obligations arise only in situations where States have knowledge of harmful activity (p. 33, \u00b6 13). Additionally, the internet\u2019s structure was not designed<\/u><\/a> for today\u2019s security threats, and attackers often route operations through proxy States with weak cyber infrastructure. This makes it impossible to trace<\/u><\/a> the origin of cyberattacks (p. 34, \u00b6 14).<\/p>\n

As cyber activities can cause personal injury and property damage, it is pertinent to assess available remedies. Victims of cyber torts generally must seek relief in domestic courts, unless their State espouses the claim before the ICJ. The absence of such cases being heard before the ICJ represents the jurisdictional challenge, as only States may be parties to ICJ proceedings (Art. 34(1)<\/u><\/a>). In the scenario where the victim files a claim in his domestic court against the tortfeasor, the Corfu Channel<\/em><\/u><\/a>\u00a0principle suggests that he will be successful in getting his remedy. However, in the context of cyber\u00a0torts, a victim may only obtain remedy against the tortfeasor\u2019s State and the routing State only if their\u00a0own State employs the UK SIA approach.\u00a0Even then, the State whose territory was used to route the attack will likely avoid liability because due diligence requires proof of actual knowledge. Unlike the mines in Corfu Channel<\/em>, the highly indiscernible nature of cyberattacks makes proving such knowledge extremely difficult. The victim is thus wronged of two counts: the first being if immunity is not stripped for the damage they faced, which depends on the approach to State immunity adopted by their State; and second, where they are unable to hold the routing State accountable for its lax cyberspace standards that made the damage possible.<\/p>\n

This unique situation arises because the low standard of due diligence is juxtaposed with the stringent standard of the territorial tort exception to State immunity. Due to this gap, the very purpose of the tort exception to immunity, which is \u201cthe protection of injured parties<\/u><\/a>\u201d (p. 31, \u00b6\u00a071), is not met. The Special Rapporteur on State immunity has also found that tortious liability of a foreign State should be locally justiciable<\/u><\/a> if the damage to property, personal injury, or death occurred in the territory of the State. It is thus necessary to re-analyse the scope and substance of the territorial tort exception and its interplay with due diligence in cyberspace.<\/p>\n

The Way Forward<\/strong><\/p>\n

To ensure that victims of cyber torts are not left without a remedy, a set of amendments must be enacted in tandem.<\/p>\n

First, cyber activities can cause personal injury and property damage, yet victims of State-sponsored cyberattacks can currently obtain remedies only if their State employs the approach of the UK SIA. Thus, adopting the interpretation of Judge Knowles or the damage-only approach followed by Canada, Argentina, and Israel is the need of the hour. Employing either of these approaches would ensure that the protective purpose of the territorial tort exception is fulfilled.<\/p>\n

Second, the due diligence obligation inadequately addresses attacks routed through proxy States because it depends on knowledge. A possible remedy is to detach due diligence from this requirement of knowledge and instead require States to adopt the highest feasible cybersecurity standards within their available resources. This would not require anticipatory measures like monitoring but would involve establishing global cybersecurity standards with accepted security benchmarks. This proposed system is not foolproof for two reasons. First, States have unequal resources, meaning some will continue to have weaker cybersecurity systems and remain vulnerable to becoming proxy States; and second, even with the highest cybersecurity standards, cybercrime is notoriously untraceable. Keeping this in mind, this proposed system would still reduce the ability of States to exploit claims of lacking knowledge and prevent them from becoming safe havens for cybercrime through weak cybersecurity standards.<\/p>\n

Third, as there is a jurisdictional lacunae<\/em> surrounding cyber\u00a0torts, a dispute settlement mechanism similar to the UN <\/u>C<\/u>ybercrime <\/u>C<\/u>onvention<\/u><\/a>\u00a0should be adopted (Art. 63). The Cybercrime Convention provides that if disputes between the parties are\u00a0not settled through negotiation or other peaceful means, they may be submitted for arbitration at the request of one of the parties. If States are unable to agree on arbitration, States may approach the ICJ. Adopting this dispute settlement mechanism would prevent the jurisdictional lacunae<\/em> surrounding cyber\u00a0torts, as it would prevent victims from being left without a judicial forum.<\/p>\n

Conclusion<\/strong><\/p>\n

The standards of the territorial tort exception under the ECSI, US FSIA, and UNJISP do not adequately address cyber torts, a gap that\u00a0is further worsened by the uncertain standard of due diligence in cyberspace. This article argues for moving beyond the UNJISP approach, adopting a global cybersecurity standard, and introducing a dispute settlement mechanism similar to that of the UN Cybercrime Convention. These reforms would enable victims of cyber torts to seek remedies without being constrained by the barriers imposed by State immunity and due diligence. In doing so, the law would better reflect the realities of transnational cyber harm and restore the protective purpose underlying the territorial tort exception.<\/p>\n","protected":false},"excerpt":{"rendered":"

Recently, there has been an increase in cybercrimes (see here) and their potential to cause tortious harm. Due to the inherent nature of such actions, they have transboundary effects and are often routed through proxy States with weak cyber infrastructure. In addition to this, international law recognises immunity for all State actions, barring certain exceptions […]<\/p>\n","protected":false},"author":35,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[6639],"tags":[4935,3745,5590],"authors":[7820],"article-categories":[6000],"doi":[],"class_list":["post-28868","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-cyber-security","tag-state-immunity","tag-un-charter","authors-vaishali-patro","article-categories-article"],"acf":{"subline":""},"meta_box":{"doi":"10.17176\/20260615-190051-0"},"_links":{"self":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts\/28868","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/users\/35"}],"replies":[{"embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/comments?post=28868"}],"version-history":[{"count":5,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts\/28868\/revisions"}],"predecessor-version":[{"id":28876,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts\/28868\/revisions\/28876"}],"wp:attachment":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/media?parent=28868"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/categories?post=28868"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/tags?post=28868"},{"taxonomy":"authors","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/authors?post=28868"},{"taxonomy":"article-categories","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/article-categories?post=28868"},{"taxonomy":"doi","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/doi?post=28868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}