In 1956, Philip C. Jessup published his eminent “Transnational Law”, in which he coined the term to include “all law which regulates actions or events that transcend national frontiers”, including “both public and private international law”, as well as “other rules which do not wholly fit into such standard categories”. Just a few years afterwards, the world watched in awe as humankind first launched a satellite into orbit in 1957, an astronaut into outer space in 1961, and landed men on the Moon in 1969. With a looming space weapons race, the international society felt the urge to establish treaties to govern this new frontier. And so, the 1967 Outer Space Treaty and other subsequent instruments came to be, forming a new field within public international law. Fast forward to 2020 and a realm that was once conceived to be restricted to States extended to the private sector, as SpaceX, after having launched a sprawling web of Starlink satellites into orbit, also successfully launched astronauts into space and carried them to the ISS.
The legal framework governing outer space has thus become outdated, and public international law alone is currently insufficient to regulate companies’ complex space operations and the emerging celestial economy. The Outer Space Treaty, the bedrock of international space law, was “drafted before the time of data”, when space exploration could not be conceived to include commercial uses, such as data processing. Human activities in space have since drastically changed, and seem to necessarily fall under Jessup’s definition of “transnational situations”, involving individuals, corporations, States, international organizations and other actors.
Therefore, I contend that the regulation of outer space in the 21st century calls for a more conscious usage of “Transnational” rather than “International” Space Law. More specifically, in this piece I will delve into the issue of data processing and remote sensing satellites, and the challenge they pose to data protection and privacy lawyers.
Data flows in the vacuum
Transnational data protection law is currently a very complex and confusing field. There are over a hundred national data protection laws, which at times overlap. This patchwork is only made more obtuse by regional instruments that do not displace municipal laws, such as the APEC Cross-Border Privacy Rules system. There are too many different laws governing the same personal data, and tracing connecting factors will only get murkier in the future.
Such a chaotic landscape evidently calls for international harmonization, but public international data protection law is essentially nonexistent, albeit increasingly necessary. In a 2006 report, the International Law Commission noted that, although “the international binding and non-binding instruments, as well as the national legislation adopted by States, and judicial decisions reveal a number of core principles” relating to the protection of personal data in transborder flows of information, it is still a field “in which State practice is not yet extensive or fully developed”.
In other words, at the time of that report, the ILC was of the view that customary international data protection law was still a distant future possibility. Nonetheless, a pertinent point to raise is that, 14 years later, multiple relevant developments have taken place, which could substantiate claims that data protection custom has emerged, including the entry into force of the General Data Protection Regulation (GDPR). The European GDPR has unleashed a wave of data protection legislation drafting around the world, mainly due to its extraterritorial application, which has notable legal implications for satellite operators.
The GDPR, into the void
The GDPR does not explicitly address data transfers in outer space. Some lawyers argue that, because of this, its chapter 5 (which governs transfers of personal data to third countries or international organizations) could be claimed to be inapplicable to data transfers outside Earth. This way, businesses could potentially rely on such a loophole to avoid their GDPR obligations with respect to their operations in space.
However, others dismiss such readings, maintaining that “it is not because space objects are in space that the GDPR does not apply”. This seems to be the better position, because the fact that a data processing object is in orbit does not defeat the purpose of article 3, in its definition of the territorial scope of applicability of the GDPR. That is, the GDPR will be fully applicable in any given data transfer if the personal data belongs to subjects who are in the EU, or if the data processing entity is established in the EU, “regardless of whether the processing takes place in the Union or not.”
It must be noted that the GDPR sets forth a major carve-out within its material scope clause. Pursuant to Article 2, the Regulation does not cover data processing pursued by Member States in connection with national security. It has been noted that this exception may entail complex legal distinctions in scenarios involving dual-use space technologies and the concession of security-related tasks to private entities by States.
Take Starlink and the USA, for instance. Research funded by the US Army has recently found that Elon Musk’s mega-constellation of low Earth orbit (LEO) satellites, in addition to its civilian functions of offering global broadband internet to a commercial audience, could grant the US Military a more effective and secure alternative to the Global Positioning System (GPS). That is especially relevant since China has been reported to have jammed and otherwise spoofed GPS signals, displaying cyber capabilities that could be hugely detrimental to the US, whose military is strategically reliant on the GPS.
In instances where a corporation concurrently pursues civilian and military activities, it could prove difficult to determine to what extent the national security exception applies, and just what data are governed by the GDPR.
All-seeing eyes in the sky
In “Eyes in the Sky: The Secret Rise of Gorgon Stare and How It Will Watch Us All”, Arthur Holland Michel concludes that “we’re probably headed to a future where every inch of the planet is surveilled, probably from space, at all times.” Michel argues that this is a frightening yet reasonable prospect, as “the cost of launching large constellations of satellites has fallen tremendously, and cameras have shrunk so that you can now put a very, very powerful camera on a relatively small satellite.”
Indeed, besides processing data, satellites are usually launched with the purpose of conducting sophisticated remote sensing activities, e.g. capturing very high-resolution imagery of Earth. Such activities raise notable issues under privacy law (understood as a distinct body of law from data protection law), again entangling the interests of individuals, corporations and States. The dual-use nature of remote sensing space technologies further blurs the lines between the State and the private sector; for, in January 2020, reports suggested that China’s civilian satellites were being employed to spy on Japan, gathering high-definition images of a Japanese base near the disputed Senkaku Islands.
Under binding international space law, however, there are no hard norms prohibiting remote sensing of other countries from outer space. The Outer Space Treaty proclaims outer space as “the province of all mankind” (article I), “not subject to national appropriation by claim of sovereignty” (article II). In other words, outer space has the legal status of res communis omnium, a global commons where States can only exercise jurisdiction exceptionally, over objects to which they are “launching States” pursuant to article VIII (launching States are defined as any state that “launches or procures the launching of an object into outer space”, and any State “from whose territory or facility an object is launched”; international organisations can also act as launching States, such as the European Space Agency).
In other words, under space treaty law, States have no right to deny being sensed by other States from space. However, certain non-binding international norms further regulate remote sensing. The “Principles Relating to Remote Sensing of the Earth from Outer Space”, adopted by the UN General Assembly in 1986, defines “remote sensing activities” as “operation of remote sensing space systems, primary data collection and storage stations, and activities in processing, interpreting and disseminating the processed data.” In its principle XII, it establishes that:
“As soon as the primary data and the processed data concerning the territory under its jurisdiction are produced, the sensed State shall have access to them on a non-discriminatory basis and on reasonable cost terms. The sensed State shall also have access to the available analysed information concerning the territory under its jurisdiction in the possession of any State participating in remote sensing activities on the same basis and terms, taking particularly into account the needs and interests of the developing countries.”
Citing German and Canadian statutes, Timiebi Aganaba-Jeanty explains that “implementation of the Remote Sensing Principles on the national level takes different forms, ranging from a focus on the satellite system, the data, the transaction or a combination of these”, but that “access to Earth observation data is ultimately subject to the political, strategic and military considerations of the most powerful states”.
Faced with a paucity of binding international law on remote sensing from space, several jurisdictions have sought to limit, through national legislation, the level of intrusion satellites could achieve into their citizens’ privacy, and indeed the privacy of the state itself, as Ivo Emanuilov has put it. That is, the highly sophisticated yet low-cost intelligence gathering enabled by the rise of commercial satellite operators poses risks to the national security of states, inasmuch as it has opened to non-state actors a realm once restricted to the most powerful nations.
Belgium even threatened to take legal measures against Google if it refused to comply with its request to blur sensitive military locations on its Maps/Earth platforms. The legal basis for such a claim by the Belgian Ministry of Defence was article 120ter of the Belgian Penal Code, which subjects to authorisation of the armed forces any survey, topographical operation, taking of photographs or sale, exhibition or distribution of reproductions of areas surrounding military facilities. Then again, though Google ultimately complied, it was noted that under existing public international law, Belgium could not exercise jurisdiction over Google’s remote sensing activities.
Likewise, US federal law prohibits American commercial satellites from taking images with a higher resolution than 25 cm, but the US does not have jurisdiction over satellites of other nationalities, which could sell images with higher granularity to US citizens in the near future – and the market is promising. For example, the Indian Cartosat-3 displayed the finest-resolution imagery commercial satellites could offer at the time of its launch in 2019. In such cases, US authorities would have to resort to regulating how companies could use satellite imagery with respect to US citizens’ privacy rights.
To be sure, even if a State cannot exercise jurisdiction over a given satellite operator, it can legally compel the State that has jurisdiction to take action. Under article VI of the Outer Space Treaty, States shall bear international responsibility for national activities in outer space, including those of their “non-governmental entities”, such as corporations. Furthermore, under article VII, as well as the 1971 Convention on International Liability for Damage Caused by Space Objects, which elaborates on that article, launching States shall be liable for any damage that the space object may cause on Earth or in space.
In the early era of space exploration, State-to-State legal dispute settlement involving liability for space objects was conceived to address damages arising out of satellites falling on Earth or colliding into each other in orbit. Nowadays, it would be pertinent to ask whether article VII’s text (“damage to another State Party to the Treaty or to its natural or juridical persons by such object or its component parts on the Earth, in air or in outer space”) could also be construed so as to entail liability of launching States for data breaches, privacy violations, or national security transgressions stemming from space operations.
Conclusion: 21st century space law is transnational
It is exceedingly clear that the more the world protrudes into outer space, the more transnational the field of space law becomes. This is in great part due to the booming space data economy, which musters LEOs, big data, the internet of things and cutting-edge remote sensing capabilities to take the information society to the next step. Accordingly, space lawyers will need to work on transnational terms, skilfully wielding both public and private international law, as well as legal mechanisms somewhere “in between”. To that end, perhaps the study of transnational law as a distinct legal field will prove particularly important to space lawyers.
Cite As: Pedro R. Borges, ‘Transnational Space Law in the 21st Century: What Laws Govern Data in Outer Space?’ (The Contemporary Law Forum, 03 October 2020) <https://tclf.in/2020/10/03/transnational-space-law-in-the-21st-century-what-laws-govern-data-in-outer-space> date of access.