Introduction
In an era of globalized communication and digital connectivity, intelligence agencies routinely engage in cross-border data collection to detect threats, prevent terrorism, track criminal activity, and protect national security. This practice involves collecting data—such as emails, phone records, internet traffic, and metadata—from foreign nationals or entities located outside a nation’s borders. While intelligence gathering is an essential tool of statecraft, it raises serious legal, ethical, and diplomatic issues, particularly regarding sovereignty, privacy, due process, and compliance with international law.
1. Principle of Sovereignty and Non-Intervention
The cornerstone of international law is the principle of state sovereignty. Under Article 2(4) of the UN Charter, states are prohibited from intervening in the internal affairs of another state. Unauthorized surveillance operations that target or access foreign networks, data centers, or communications infrastructure can violate this principle.
Example
If Country A conducts clandestine surveillance operations on a government server or telecom infrastructure in Country B without consent, it may be considered a violation of B’s sovereignty—even if no physical intrusion occurs.
Legal Consideration
States must either seek consent or operate within the bounds of international cooperation frameworks. Otherwise, such activity could constitute a breach of international law and provoke diplomatic disputes or retaliation.
2. Jurisdiction and Applicable Law
Cross-border data collection raises questions about which laws apply—the laws of the collecting country, the laws of the data subject’s country, or international law. Intelligence agencies must often navigate complex legal frameworks involving conflicting national laws on data protection, surveillance, and national security.
Example
The U.S. Foreign Intelligence Surveillance Act (FISA), particularly Section 702, authorizes surveillance of non-U.S. persons outside the U.S. However, EU law—under the GDPR and European Court of Justice rulings—requires data transferred outside the EU to be protected to equivalent standards, even when used for surveillance.
Legal Consideration
Failure to honor the data protection laws of other countries can result in court challenges, data transfer bans (like the invalidation of the U.S.-EU Privacy Shield), or sanctions under local data sovereignty laws.
3. Human Rights and Privacy Protections
International human rights instruments—including the International Covenant on Civil and Political Rights (ICCPR) and the European Convention on Human Rights (ECHR)—protect the right to privacy, including against unlawful or arbitrary surveillance. These rights extend to foreign nationals, even when targeted by foreign intelligence services.
Example
In the Schrems II decision, the Court of Justice of the European Union (CJEU) ruled that U.S. surveillance practices under FISA did not provide adequate privacy protections for EU citizens, leading to the termination of the Privacy Shield agreement.
Legal Consideration
Intelligence agencies must ensure that data collection is necessary, proportionate, and subject to oversight, even when conducted extraterritorially. This includes minimizing data collection, avoiding mass surveillance, and ensuring avenues for legal redress.
4. Consent, Notification, and Due Process
In most cross-border surveillance operations, data subjects are unaware they are being monitored and have no means to challenge or appeal the surveillance. This lack of transparency and accountability can violate procedural fairness standards and due process rights under both domestic and international law.
Example
A foreign journalist whose emails are monitored by an intelligence agency may suffer a breach of press freedom, without any opportunity to contest the surveillance or hold the agency accountable.
Legal Consideration
Laws in democratic states often require judicial authorization, independent oversight (such as intelligence tribunals or parliamentary committees), and post-facto redress mechanisms to ensure accountability in foreign surveillance operations.
5. Intelligence Sharing and Mutual Legal Assistance Treaties (MLATs)
Countries may circumvent legal challenges by entering into bilateral or multilateral agreements for intelligence sharing or legal cooperation, such as Mutual Legal Assistance Treaties (MLATs), the Five Eyes alliance, or EU-U.S. data transfer frameworks.
Example
Under an MLAT, Country A may request user data from Country B’s telecom providers or law enforcement, subject to judicial approval and domestic legal safeguards in Country B.
Legal Consideration
Such frameworks provide a legal path for cross-border intelligence collaboration, ensuring data collection complies with both countries’ laws. However, these mechanisms are often criticized for being slow and lacking transparency.
6. Cyber Espionage and International Norms
Cross-border intelligence collection in cyberspace may amount to cyber espionage, which remains a legally gray area. While espionage itself is not explicitly prohibited under international law, certain forms—like hacking into foreign defense systems or critical infrastructure—may be illegal and escalate to a breach of sovereignty or international peace.
Example
A state-sponsored cyber operation that exfiltrates classified research from a university in another country could be deemed an act of cyber theft or economic espionage.
Legal Consideration
Despite the absence of a global treaty on cyber espionage, norms developed by the UN GGE and OEWG call for responsible state behavior, protection of critical infrastructure, and respect for sovereignty.
7. Data Localization and Sovereignty Laws
Many countries have enacted data localization laws that require certain categories of data—especially personal, financial, or health data—to be stored or processed only within national borders. These laws are partly aimed at preventing foreign surveillance.
Example
India’s Digital Personal Data Protection Act (DPDPA) allows for data transfers only to “trusted” countries, while requiring data fiduciaries to ensure compliance with privacy standards.
Legal Consideration
Intelligence agencies collecting data stored in such countries may face legal action or diplomatic protest unless access is obtained through official legal cooperation channels.
8. Legal Immunity and State Responsibility
Intelligence operations are usually shielded by state secrecy doctrines or legal immunities, making it hard to hold state actors accountable. However, if data collection causes harm—such as privacy violations, commercial loss, or reputational damage—affected parties may seek remedies under state responsibility doctrines in international law.
Example
If a surveillance operation results in a data breach that affects a private company’s trade secrets, that company may demand reparations or raise a dispute through diplomatic channels or international courts.
Legal Consideration
Although intelligence services are rarely prosecuted, countries may be held responsible under international law for acts that breach international obligations, such as violating human rights or unlawfully infringing on sovereignty.
9. Emerging Frameworks and the Need for Global Consensus
Given the absence of a comprehensive treaty governing intelligence surveillance, international efforts are underway to develop voluntary norms, transparency standards, and confidence-building measures.
Example
The United Nations and various regional organizations (like the OSCE) are working on frameworks to encourage transparency in surveillance laws, establish notification procedures, and promote the rule of law in cyber operations.
Legal Consideration
A globally accepted legal framework would help reconcile the tension between legitimate intelligence needs and privacy rights, and ensure accountability for surveillance conducted beyond borders.
Conclusion
Cross-border data collection for intelligence purposes is a complex and sensitive area of law. It involves balancing national security interests with respect for state sovereignty, human rights, data protection laws, and due process. As technology evolves and global data flows expand, the need for clearer legal frameworks, greater transparency, and stronger international cooperation becomes more urgent. States must strive to ensure that intelligence practices are lawful, accountable, and aligned with international norms to maintain trust and uphold the legitimacy of surveillance operations.