A general obligation of due diligence in international law?

Written by

Recently, arguments have emerged that a universal source exists from which it is automatically possible to derive binding due diligence obligations for states in relation to all forms of activities. Specifically, these claims contend that international law imposes a general obligation on states to act with due diligence to prevent their territory being used for activity which harms the rights of other states, and that this obligation is not restricted or confined to particular forms of activities.

These arguments have been advanced by academic initiatives in the context of debates over the application of international law to cyberspace. They are noteworthy because they have influenced the positions of an increasing number of mostly European states who have made remarkable statements that have significant implications beyond the cyber context. Indeed, if these arguments receive widespread acceptance from states, it would constitute a radical broadening of obligations of conduct for states in an unprecedented manner beyond the cyber context.

This blog post hopes to draw attention to these developments for those who may be working on related issues that concern obligations of conduct, particularly those where for decades scholars and NGOs have sought to promote the “hardening” of soft-law by developing binding due diligence obligations in primary rules of international law and domestic law. The post begins by outlining the relevant normative arguments in scholarship, before providing an overview of positions of states in the cyber context. Finally, the post will consider the implications of these normative arguments beyond the cyber context.

Arguments made in the cyber context

The Tallinn Manual 2.0 (2017), an academic publication issued at the initiative of North Atlantic Treaty Organization Cooperative Cyber Defence Centre of Excellence, contends that due diligence is a general principle of international law according to which:

‘[a] state must exercise due diligence in not allowing its territory, or territory or cyber infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences for, other states’. (p. 30)

The Manual states that:

‘A dictum in the International Court of Justice’s Corfu Channel judgment, which observes that ‘it is every state’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other states’, sets forth the generally recognised contemporary definition of the due diligence principle.’ (p. 30)

The Manual acknowledges that what it refers to as the “due diligence principle” does not encompass an obligation to take material preventive steps to ensure that the state’s territory is not used in violation of this principle, rather international law contains certain primary rules which aim to prevent a particular occurrence (p. 32). Nonetheless, despite recognising that ‘these [preventative] obligations are not inferred from the general principle of due diligence, but rather represent separate primary obligations’ and that ‘there is no such distinct primary obligation [of prevention] with respect to harmful cyber operations as such’, the Manual nonetheless relies upon the ‘general principle of due diligence’ (p.32) to identify a general obligation that is applicable in the cyber context including preventative obligations to ‘put an end to’ or ‘terminate’ harmful cyber operations emanating from a state’s territory (p. 32, p. 43, Rule 6 of the Manual).

In a more recent approach, Coco and Dias rely upon a ‘patchwork of protective obligations’ that have a basis in ‘several primary rules of international law’. They identify ‘four sets of protective duties requiring states to prevent, halt or redress certain harms’ (p. 774), the first two of which ‘can be traced to primary obligations of general international law’:

‘…(i) the duty of states not to knowingly allow their territory to be used for acts that are contrary to the rights of third states, articulated in the Corfu Channel case, which we call the ‘Corfu Channel’ principle; and (ii) states’ duty to prevent and remedy significant transboundary harm, even if caused by lawful activities, known as the ‘no-harm’ principle.’ (p. 783-804)

Despite its alternative framing, the underlying argument regarding these first two obligations effectively remains one based on identifying general principles or rules of international law from which it is possible to derive binding due diligence obligations that are automatically applicable to all forms of activity. The argument rests on a purported general obligation of states articulated in Corfu Channel that the authors argue ‘comprises a duty to both prevent and stop the harmful acts in question and arises as soon as a state knows or should have known that such act originates from or transits through its territory’ (p. 784), which is complemented by the application of a similarly broadly framed “no-harm” rule established in international environmental law.

In Corfu Channel the obligation to respect and not to hamper the right of innocent passage formed the primary focus of the Court’s decision (p. 10, 27, 30, 31, 33), where the Court sought to address the case of the British passage ‘designed to affirm a right which had been unjustly denied’ by Albania (p. 30). Part of the UK claim was that ‘the Albanian Government did not notify the existence of these mines as required by the Hague Convention VIII of 1907 in accordance with the general principles of international law and humanity’ (p. 10). The Court, in identifying the basis of obligations while surmounting the inapplicability of the Hague Convention of 1907 outside times of war, utilised the following language that drew from that of the UK’s claim:

‘Such obligations are based, not on the Hague Convention of 1907, No. VIII, which is applicable in time of war, but on certain general and well-recognized principles, namely: elementary considerations of humanity, even more exacting in peace than in war; the principle of the freedom of maritime communication; and every State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States.’ (p. 22)

These ‘certain general and well-recognized principles’ were not addressed or elaborated upon elsewhere in the judgment. Although there is nothing in this brief passage that indicates the Court’s reasoning is confined to innocent passage or similar issues on the seas, there is also nothing in the judgement that indicates the Court intended to recognise or establish a broad general principle that each state has an obligation not to allow its territory to be used to harm the rights of other states. The full judgment underscores that the obligation was highly contextualised and construed in relation to the right of innocent passage.

This language in Corfu Channel does not refer to a duty to prevent territory being used for activity which harms the rights of other states, only an obligation ‘not to knowing allow its territory to be used for acts contrary to the rights of other states’. By adopting this particular phrasing in 1949 the Court did not intend to recognise or establish a general obligation of due diligence in international law. Since this judgment, the Court has not relied upon or otherwise acknowledged a universal source from which it is possible to derive a general obligation of due diligence for all forms of activity in the manner suggested by the arguments outlined above (see McDonald and discussion in Ollino p. 54-57), nor has it sought to characterise any primary rule containing due diligence obligations developed in one specific context as being universally applicable to another.

Indeed, in the 2007 judgement of Prevention and Punishment of the Crime of Genocide (Bosnia v. Serbia) the Court declined to infer a general ‘duty to prevent’ that applies across international law generally and explicitly cautioned against the transposition of the content of due diligence obligations from one area of international law to another, which suggests that such obligations are contained in specific primary rules that have been developed for application to particular contexts rather than there being a universally applicable general obligation of due diligence:

‘The content of the duty to prevent varies from one instrument to another, according to the wording of the relevant provisions, and depending on the nature of the acts to be prevented.

The decision of the Court does not, in this case, purport to establish a general jurisprudence applicable to all cases where a treaty instrument, or other binding legal norm, includes an obligation for states to prevent certain acts.’ (para 429)

Leading experts on obligations of conduct outside scholarship on cyber operations do not consider there to exist a general obligation of due diligence (see Krieger and Peters p. 374-376; McDonald p. 1045; Ollino p. 54-58; Aust and Feihle argue that due diligence sits in-between primary and secondary norms, p. 42-58). These positions are consistent with state practice, which reflects the fact that while due diligence obligations have been developed in specific primary rules to apply to particular distinct contexts, for other forms of activities it is accepted that only soft-law obligations exist to prevent harm, as opposed to actual legal obligations (see discussion of examples below).

The attempt to identify general preventative obligations or duties beyond the language of Corfu Channel by invoking the customary “no-harm” rule developed in international environmental law to cyberspace is similarly problematic as it is necessary to characterise the no-harm principle as possessing a far broader general application beyond that context, in addition to the need to surmount the lack of support for the existence of such universal obligations in ICJ case law. While the Trail Smelter Arbitration between the US and Canada that produced decisions in 1938 and 1941 is widely recognised as locus classicus and fons et origo of international environmental law, it cannot be assumed that a general due diligence obligation or rule applies in all situations where there is a risk of transboundary harm from hazardous activities, regardless of the nature of the activity in question (see Bosnia v. Serbia discussion above). A general obligation of this nature would require sufficient state practice and opinio juris.

Influence on the position of states

Influenced by these arguments, an increasing number of mostly European states have released statements on the application of international law to cyber operations that may be considered to provide support for due diligence obligations in the cyber context (including Costa Rica p. 8–9, 2023; the Czech Republic, 2020; Denmark p. 452–453, 2023; Estonia p. 26, 2021; France, p. 6, 9–10, 2019; Germany, p. 3, 11, 2021; Ireland, p. 3–4, 2023; Italy p. 6–7, 2021; Japan takes a somewhat ambiguous position, p. 5, 2021; the Netherlands p. 4–5, 2019; Norway p. 71–72, 2021; Romania p. 76, 2021; Sweden p. 4–5, 2022; and Switzerland p. 7, 2021. Recently, a Common African Position was released following adoption by the African Union Peace and Security Council p. 3-4. This is a particularly significant development as the AU has 55 member states.) state positions that provide support for binding due diligence obligations in cyberspace overwhelmingly refer to Corfu Channel in identifying preventative duties rather than referring to the “no-harm” rule or transboundary harm principle (as Moynihan notes p.10, only Costa Rica and Norway refer to transboundary harm in this manner).

An example of a broad statement of support is provided by Romania:

‘The due diligence principle entails that a state may be responsible for the effects of the conduct of private persons, if it failed to take necessary measures to prevent those effects. This principle (which implies a certain obligation of conduct on the part of states) was enunciated by the ICJ in its Corfu Channel judgment emphasizing that every state is under an ‘obligation not to allow knowingly its territory to be used for acts contrary to the rights of other states’. (p. 76)

Denmark’s broad position considers that: ‘As a general rule due diligence requires States to take all reasonable measures to prevent, eliminate and mitigate potentially significant harm to legally protected interests of another State, or the international community as a whole.’

However, even states that endorse binding obligations of due diligence in the cyber context recognise clear disagreement over their existence and application (eg. Japan p. 48, 2021; and the Netherlands p. 59, 2021), or express the expectation that such obligations will develop and crystallize over time (eg. Denmark p. 8, 2023).

In reaction to these claims, other states have sought to anchor their analysis of due diligence obligations firmly within international law more broadly, and the sources therein. Some of these states have reasonably reiterating that references to due diligence activities in reports of the UN Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security, adopted by consensus among 25 participating states, were explicitly defined as ‘voluntary, non-binding norms of responsible state behaviour’ (2021 UN GGE Report p. 10). These states consider that there is not a general due diligence obligation that is automatically applicable to cyberspace, where there is currently insufficient state practice and opinio juris to support a rule of customary international law containing binding due diligence obligations. For example, see Argentina at 2:15, 2020; the US p. 141, 2021; the UK, 2021; New Zealand p. 3, 2020; and Israel p. 404, 2020.

As the US position explains:

‘In recent public statements on how international law applies in cyberspace, a few states have referenced the concept of ‘due diligence’: that states have a general international law obligation to take steps to address activity emanating from their territory that is harmful to other states, and that such a general obligation applies more specifically, as a matter of international law, to cyber activities. The United States has not identified the state practice and opinio juris that would support a claim that due diligence currently constitutes a general obligation under international law.’ (p. 141)

Others have generally called for due diligence obligations to be developed if they are to become established in the cyber context (eg, Singapore p. 84, 2021), or make statements featuring non-mandatory language consistent with defining due diligence in the cyber context as a voluntary non-binding norm of responsible state behaviour as reflected by state positions in UN fora consensus reports (eg, Australia, 2020; Canada, 2022; China p. 1–2, 2021; Poland p. 4, 2022; also see the consensus position of states in the 2021 UN GGE Report p. 8; and 2015 UN GGE Report p. 7, 8).

The majority of states remain silent and have yet to make their position on the matter known publicly, where state silence can mean acceptance exceptionally and only under specific circumstances (see Azaria). There is also the issue of to what extent state positions may be said to constitute state practice or opinio juris, especially in light of the widespread nature of remote offensive cyber operations undertaken by states and the lack of practice in relation to states undertaking preventative actions due to a belief that they are legally obligated to do so in accordance with such a general obligation. In practice, opinio juris is often difficult to ascertain because in their behaviour states may or may not be consciously pursuing the objective of contributing to the creation or modification of a customary rule.

Implications beyond the cyber context

The argument—based primarily on a particular interpretation of phrase in Corfu Channel—that there is a general principle or rule which imposes an obligation of due diligence on states to prevent their territory being used for activity which harms the rights of other states, regardless of the nature of the activity in question, is inconsistent with the acceptance that there are many activities where only soft-law non-binding obligations exist to prevent harm as opposed to actual legal obligations. In modern times there are unfortunately many examples of activities taking place on the territory of one state that may to varying degrees be considered to cause or contribute to harm to the rights of other states, especially if the actions of non-state actors are included within this scope. Some examples include:

  • the collapse of a banking system which may lead to a global financial crisis, or indeed various basic functions of international commerce and trade that may harm the rights of other states;

  • the publication or dissemination of journalism or media in physical form, transmissions or broadcasts emanating from state territories that may harm the rights of other states;

  • the spread of infectious diseases such as COVID-19 that may harm the rights of other states;

  • a national emergency or crisis that results in an exodus of the population to neighbouring states that may harm the rights of those states;

  • the spread or transmission of organisms that cause ecological or other harm on the territory of other states;

  • the supply of arms or the operation of Private Military Companies that may harm the rights of other states;

  • the conduct of various espionage activities that may harm the rights of other states;

  • A wide variety of unfriendly acts that are lawful and unregulated by international law (see examples in Richter);

  • and a wide variety of activities understood as retorsion that are lawful and unregulated by international law (see examples in Giegerich).

According to the logic of the arguments presented by Coco and Dias (p. 794), failure to take preventative measures in such scenarios may result in the engagement of responsibility for the duty-bearer whereupon other states can respond with countermeasures. Might such a general obligation of due diligence that results in states being able to readily invoke countermeasures (as a result of their ability to point to failure to comply with due diligence as being an internationally wrongful act) result in an escalation of conflict?

The implications of such a general obligation of due diligence are also significant for the development of technology in a broader sense. If Microsoft release VASA-1 which offers lifelike audio-driven talking faces generated in real time, OpenAI release their voice cloning tool, or in relation to the provision of LLMs such as ChatGPT, is the US under a general obligation to prevent their use from causing harm to the rights of other states, for example, widespread harassment of target groups, criminal activity or political disinformation? Is the US under a general obligation to prevent Meta’s services causing harm to the rights of other states, or China under a general obligation to prevent TikTok’s services causing harm to the rights of other states? Have those endorsing a general obligation of due diligence considered implications for prominent challenges presented by AI technology that may cause harm to the rights of other states, including the development of lethal autonomous weapons systems, surveillance and persuasion technology, bias in decision-making, accidents and mistakes in decision-making, impact on employment, safety-critical applications and cybersecurity operations? Inevitable yet unpredictable advancements in technology would entail drastic implications for the obligations of states on whose territory such technology is being developed, where a failure to comply with such an obligation would purportedly enable states to take countermeasures against these states.

Furthermore, it is unclear why states would go to great lengths in forming specific primary rules containing due diligence obligations for certain forms of activity, and why they have not relied on a universal source from which to derive binding obligations rather than specific primary rules when pleading cases before the ICJ. As Krieger and Peters note (p. 376), the acceptance of due diligence as a general principle would create an additional legal argumentative burden for states when they intend to apply a different liability standard and would imply that due diligence is normatively more desirable than other standards (e.g. absolute harm prevention or mere avoidance of gross recklessness). Moreover, there are ongoing long-term efforts to develop binding obligations in the area of business and human rights, and similar efforts to develop human rights due diligence obligations, which are at odds with the existence of such a general obligation. Due consideration does not appear to have been given to the implications of these arguments outside the narrow confines of cyber operations, where they would significantly broaden the scope of obligations of states under international law.

Conclusion

Contrary to claims that a general obligation exists that requires states to act with due diligence to prevent their territory being used for activity which harms the rights of other states, states have developed binding obligations in relation to particular activities encompassed within primary rules tailored to those discrete contexts. Even if the obligation referred to in Corfu Channel is understood to constitute a general obligation that is universally applicable to all types of activities, its language does not refer to a duty to prevent territory being used for activity which harms the rights of other states, only an ‘obligation not to knowing allow its territory to be used for acts contrary to the rights of other states’. To interpret the obligation articulated in Corfu Channel as implying a duty to prevent is clearly adding something to the interpretation of the obligation that goes beyond what the ICJ established, which would necessitate sufficient state practice and opinio juris to crystallise that this post demonstrates is currently lacking.

The absence of a general obligation of due diligence does not preclude a specific rule of customary international law containing due diligence obligations for cyber operations from developing in the future should sufficient state practice and opinio juris emerge. However, the increasing number of states which endorse the view that there is a universal general obligation on states to act with due diligence to prevent harm to other states in order to identify such obligations for cyberspace must also accept that such a position entails obligations beyond the cyber context. In light of the broad nature of some statements by states which support the arguments addressed critically by this post, it would be interesting to see scholars that work on obligations of conduct in forms of state activity beyond the cyber context engage with the implications of these positions for different areas of state activity.

Print Friendly, PDF & Email

Leave a Comment

Your comment will be revised by the site if needed.

Comments