Courts & Litigation Criminal Justice & the Rule of Law Cybersecurity & Tech Foreign Relations & International Law

Does Section 230 Immunity Apply Globally?

Andrew K. Woods
Monday, December 18, 2023, 2:34 PM

Section 230 was never meant to be a global immunity shield, but in an alarming string of cases, courts have expanded it to be just that.

"Globe" (Luke Price, http://tinyurl.com/545yn5b7; CC BY 2.0 DEED, https://creativecommons.org/licenses/by/2.0/)

Published by The Lawfare Institute
in Cooperation With
Brookings

For all the debate about Section 230—for, against, and sideways—one of the most important aspects of the law has largely escaped wider scrutiny: its geographic reach. In a striking series of cases, American courts have held that Section 230 immunizes technology platforms from foreign claimants alleging foreign harms. In short, U.S. courts have interpreted Section 230 to be a global immunity shield. 

This interpretation of Section 230 is wrong. It is inconsistent with the history and purpose of Section 230, and it is inconsistent with the courts’ own foreign affairs jurisprudence. It is also just bad policy. 

The Cases

When Gonzalez v. Google reached the Supreme Court in 2022, both fans and foes of Section 230 were atwitter. The Court was poised to address among the hottest questions in internet policy: Just how broad is the immunity provided by Section 230? The Court ultimately sidestepped the issue entirely, holding that Gonzalez was mooted by the Court’s narrow ruling in the related Twitter v. Taamneh case. There was a general sense of deflation about the big Section 230 ruling that never was. 

But in addition to sidestepping the scope of Section 230, the Court also sidestepped an important question about its geographic reach.

Nohemi Gonzalez was a 23-year-old student at California State University, Long Beach, studying abroad in Paris, when she was killed during ISIS’s citywide attack on Nov. 13, 2015. She was one of the 130 victims of that horrible terrorist act. On the theory that ISIS had made significant use of YouTube to recruit and radicalize its members, Gonzalez’s family sued Google under 18 U.S.C. § 2333, the Anti-Terrorism Act (ATA) as amended by the Justice Against Sponsors of Terrorism Act (JASTA) (codified at 18 U.S.C. § 2333(d)).  

The trial court dismissed the case for failure to state a claim, and plaintiffs appealed. The U.S. Court of Appeals for the Ninth Circuit affirmed, adding that Section 230 of the Communications Decency Act, 47 U.S.C. § 230(c)(1), provided Google with immunity for these claims. Crucial to the Ninth Circuit’s reasoning was the finding that this was a domestic application of Section 230, not an extraterritorial application. 

This conclusion is notable because nearly all the relevant activity that gave rise to the lawsuit appears to have been “extraterritorial”—the alleged radicalization and recruitment happened abroad, and of course the terrorist attack happened abroad. In fact, plaintiffs suing under the ATA can recover only for terrorist acts that “occur primarily outside the territorial jurisdiction of the United States, or transcend national boundaries,” so some amount of extraterritorial conduct was essential to the plaintiffs’ claims. 

Nonetheless, the court held that Section 230 is focused on immunity, and immunity is something that occurs at the place where one is sued. Because the Gonzalez family brought suit in U.S. court, the court held that dismissing the suit under Section 230 was a domestic application of the statute because, of course, the court is in the United States. By this logic, every lawsuit in U.S. courts is a domestic lawsuit for purposes of Section 230; there can be no amount of foreign conduct that would make a case extraterritorial for these kinds of cases.

After the Gonzalez family lost in the Ninth Circuit, they appealed and the Supreme Court granted cert. Unfortunately, the Court did not certify a question about the territoriality of Section 230. So, despite the huge public interest in the case, and the dozens of amicus briefs filed, there was essentially no talk of the statute’s geographic reach. (The only exception I can find is this fantastic but rather specialized blog of law professors working on extraterritoriality issues.) The Ninth Circuit’s ruling on the territoriality question therefore stands. 

And it is not alone. In a similar case, Force v. Facebook, plaintiffs were victims of Hamas attacks in Israel who sued Facebook for its alleged role in spreading Hamas’s content. The U.S. Court of Appeals for the Second Circuit  held in 2019 that Section 230 was a bar to these claims, even though they arose from foreign conduct. The court noted that applying an immunity statute in U.S. court is “purely domestic,” and indeed the court said that “it is unclear how an American court could apply such a provision ‘extraterritorially.’” Similar rulings seem likely in other cases.

This is odd. It is inconsistent with the way extraterritoriality works in other contexts, and it is inconsistent with the purpose of Section 230. 

Why This Is Bad Law

One common question to ask about any given statute is: Does this law apply only to conduct in the United States, or does it also apply to conduct outside the U.S.? Sometimes the answer is obvious because Congress specifies where the law applies. But often Congress says nothing about a statute’s geographic reach, and in those cases courts presume that the statute applies only in the U.S. This is known as the presumption against extraterritoriality

As international law scholar William Dodge notes, the presumption has undergone many changes over the years, and different courts have applied the presumption more actively than others. The motivations behind the presumption have changed over the years, from not wanting to conflict with international law, to a concern for international comity, and more recently a recognition of Congress’s “primary concern with domestic conditions.”  The idea, roughly speaking, is that unless a law says otherwise, courts should assume that when Congress passes a law, it intends to regulate domestic affairs and not to interfere in the affairs of other countries. For all the criticism of the presumption, and despite the presumption’s evolution over time—most notably, the shift from a “conduct” test to a “focus” test—it does not seem to be going anywhere. The Court reiterated its commitment to the presumption against extraterritoriality just last term in Abitron.  

The presumption is easy to apply in some cases. For example, if Congress were to pass a law that prohibited the construction of roller coasters at amusement parks, a court could reasonably presume that this prohibition was intended to apply to amusement parks located only in the U.S., and not Paris or Tokyo. But what if instead the law in question were a grant of immunity? Imagine that Congress passed a law that immunized amusement parks for accidents on their grounds. Clearly, if someone were injured at Disneyland in Los Angeles, this law would seem to bar their suit in a U.S. court. But what if they were injured at one of Disney’s foreign parks—does this grant of immunity apply to amusement parks in Europe or Asia? 

The logic of the presumption against extraterritoriality would suggest courts should interpret statutory grants of immunity as applying only to domestic conduct, since the presumption is that Congress was principally interested in domestic affairs and not interested in the affairs of other countries. It would seem absurd to conclude that the presumption against extraterritoriality calls for interpreting the statute to immunize foreign conduct. 

Yet that is essentially what the Ninth Circuit held in Gonzalez. Congress passed Section 230 to provide immunity for internet providers from certain kinds of lawsuits. Congress did not specify the law’s geographic reach. The question now is whether that immunity should insulate a platform from lawsuits related to conduct anywhere in the world, or only where the underlying conduct that gives rise to the lawsuit occurred in the U.S. But so far courts have sidestepped this important question and asked instead, “Where does the immunity apply?” Since the answer to this question is simply “in U.S. court,” the courts have wrongly concluded that this is a domestic application of the statute. 

Paradoxically, this extends Section 230 immunity to conduct that occurs anywhere in the world. Courts are inverting the logic of the presumption and are extending Section 230’s immunity provisions worldwide.

There is a second reason the Ninth Circuit’s Gonzalez decision is the wrong way to apply the presumption against extraterritoriality to platform immunity. To interpret Section 230 this way is to effectively treat it as overriding JASTA, the statute that gave rise to the claim in Gonzalez. When Congress passed JASTA, amending the Anti-Terrorism Act, in 2016, the aim was to be extremely broad minded about secondary liability for terrorism. As this amicus brief, filed in Taamneh on behalf of Anti-Terrorism Act scholars, attests: The “unambiguous purpose of JASTA” was to “authorize aiding-and-abetting liability on ‘the broadest possible basis.’” It would therefore seem quite odd to use a canon of interpretation to construe Section 230 as effectively limiting JASTA as it applies to technology platforms, especially since JASTA was passed in 2016, 20 years after Section 230 was passed. This awkward result is easily avoided if courts interpret the presumption against extraterritoriality correctly—as a presumption that Congress intended to regulate (and immunize) domestic conduct, but not foreign conduct.

Why This Is Bad Policy

Besides being bad law, effectively extending Section 230 to shield global conduct is bad internet policy. The U.S. has no interest in immunizing technology firms—U.S. or otherwise—from harmful conduct that takes place on their platforms where the harm is conducted and felt abroad. To do so is to further exacerbate the sense shared by so much of the world that American technology giants are a form of American imperialism. In the wake of the Snowden revelations, the U.S. has sought to assure foreign partners that it takes their concerns seriously. The transatlantic dialogues in the wake of the collapse of Privacy Shield have more or less centered on this point. To have American courts construct a global immunity shield for tech firms, especially when doing so is inconsistent with Congress’s intent in JASTA, undermines the broader efforts to assure the world that U.S. internet policy is not American impunity. 

This is also inconsistent with the goals of Section 230 itself. When Congress passed Section 230, its primary aim was to incentivize technology firms to moderate content on their sites. Congress worried about liability for editorial decisions disincentivizing platforms from doing any moderation at all; as Jeff Kosseff puts it, the thought was “we’re going to remove this disincentive and let the platforms come up with moderation policies and procedures that best serve their users.” But if the goal was to incentivize platforms to moderate effectively, immunizing platforms for failing to take adequate moderation steps is hardly consistent with that policy goal. Even for those Section 230 advocates who think the only way platforms will moderate well is if they are given a blanket immunity shield, it is far from clear why this shield ought to apply to conduct abroad. 

This is something Congress could easily fix: It could simply clarify that Section 230 does not immunize technology firms for foreign-based harms. David Sloss outlines one proposal along these lines. But I also think the courts could reverse course on this crucial question and clarify how the presumption against extraterritoriality ought to work with immunity statutes. The next time a foreign claimant brings a suit against one of the big technology firms for some foreign-perpetrated harm, and the firms trot out Section 230, the court should hold that Section 230 does not automatically immunize the platform for this foreign-born claim.  


Andrew Keane Woods is a Professor of Law at the University of Arizona College of Law. Before that, he was a postdoctoral cybersecurity fellow at Stanford University. He holds a J.D. from Harvard Law School and a Ph.D. in Politics from the University of Cambridge, where he was a Gates Scholar.

Subscribe to Lawfare