Published by The Lawfare Institute
in Cooperation With
Are Russia and its officials entitled to foreign sovereign immunity? Does President Trump have constitutional power to determine the immunity of Russian operative Guccifer 2.0?
The Democratic National Committee (DNC) has sued Russia, the General Staff of the Armed Forces of the Russian Federation (GRU), and a military intelligence officer working on behalf of the GRU (known publicly by the pseudonym Guccifer 2.0), among other defendants including Wikileaks. The complaint claims that Russian intelligence services hacked into the DNC’s computers and extracted thousands of emails, documents, and voicemail messages, all with the purpose of influencing the U.S. election in support of Donald Trump’s campaign. It alleges violations of six federal statutes and of multiple Washington, D.C. and Virginia laws.
Typically, foreign sovereign nations are immune from suit in the United States under the Foreign Sovereign Immunities Act (FSIA). But are Russia, the GRU, and the GRU operatives entitled to that immunity? The case has the potential to generate a wide-ranging, blockbuster immunity decision with implications for various interpretive questions under the FSIA—especially for the commercial activity and non-commercial tort exceptions—and several questions not addressed by the statute, including the scope of immunity-related discovery and the immunity of individual officials. It also raises important questions of international law, some of which I note in the brief overview that follows.
Of course, these questions will only arise if Russia and the state-related defendants are properly served and if they decide to litigate rather than default. Default is especially likely for Guccifer 2.0, whose identity is unknown and who may have less to fear from a default judgment. Even for the other defendants, however, execution of a judgment in the case may be difficult due to execution-related immunity and for other reasons such as the location of assets. If the case does goes forward against any of these defendants, immunity from adjudication is a threshold issue that will be litigated at the outset. Both statutory and common law immunity provide a jurisdictional (not a substantive) defense, and the appropriate scope of jurisdictional discovery may become an important issue after the complaint is served.
Individual Immunity Issues
The complaint alleges that a Russian intelligence operative who used the online pseudonym Guccifer 2.0 and who worked out of Moscow (along with other John Doe defendants), violated a host of federal statutes by hacking into DNC computers located in D.C. and Virginia, extracting confidential documents and emails, and distributing stolen information online in order to influence the election. The Supreme Court has held that individual immunity is governed by common law, not by the FSIA, but the common law is not especially well developed. U.S. common law (and international law) afford immunity ratione materiae, also called functional or conduct-based immunity, to current and former foreign government officials. This kind of immunity covers official, but not private, conduct.
Could the president dictate the immunity of Guccifer 2.0 in U.S. courts? The U.S. government has repeatedly maintained that the executive branch has the authority to determine which sitting and former government officials are immune from suit in U.S. courts—but there are reasons to doubt this argument. In 2011, long before Trump became president, I argued that the president and the State Department lack the statutory or constitutional authority to control immunity determinations in U.S. courts. The facts of the DNC case only underscore the political risks involved in vesting such authority in the executive branch of the U.S. government. I explored those risks previously in a post about head of state immunity; many of the same arguments apply here as well.
The DNC case could also raise the issue of whether an individual may invoke immunity on his or her behalf, or whether the immunity is really that of the state (here Russia), which must invoke it. The better view is that immunity reatione materiae protects that state itself and that the state (not the individual) must invoke it. That position is not universally accepted, but it supported by U.S. cases and by international law, as discussed here. Because Russia has disavowed the cyberattacks, Russia is unlikely to admit that the alleged conduct of Guccifer 2.0 is attributable to it, potentially limiting its ability to assert that Guccifer’s conduct was that of the state itself and potentially barring it from asserting any immunity on the part of Guccifer 2.0. Note also that the complaint alleges in paragraph 35 that Guccifer 2.0 is a “Russian intelligence operative(s)”, but asserts that Guccifer 2.0 is a government official only “upon information and belief.” If Guccifer 2.0 is a private person acting at the request or direction of GFU, an immunity defense is less likely to be successful, but it could also mean that Guccifer 2.0’s actions are more difficult to attributable to the GFU or to Russia for purposes of holding that they lack immunity. Attribution standards are somewhat unsettled, as the opinions in en banc 9th Circuit decision in Sachs v. OBB Personenverkehr make clear; the Supreme Court reversed the decision without reaching the attribution issue.
Immunity of Russia and the GRU
Though individual immunity is governed by common law within the United States, the FSIA governs the immunity of Russia and of the GRU. The GRU may be considered as Russia itself or as an agency or instrumentality of Russia, depending upon the relationship between the two. The distinction matters for service of process, for the enforcement of judgments, and in certain other places under the statute. It may also matter under international law, which arguably provides less protection to some agencies or instrumentalities then to foreign states themselves.
Under the FSIA, the GRU and Russia are immune from suit unless an exception applies. The DNC complaint suggests that the plaintiffs will rely on the non-commercial tort and the commercial activity exceptions (28 U.S.C. 1605(a)(5) and (a)(2)).
Paragraph 29 of the complaint alleges:
Russia is not entitled to sovereign immunity because the DNC’s claims arise out of Russia’s trespass onto the DNC’s private servers—a tortious act committed in the United States. In addition, Russia committed the trespass in order to steal trade secrets and commit economic espionage, two forms of commercial activity undertaken in and directly affecting the United States.
Application of the non-commercial tort exception in this case merits its own lengthy post. Briefly, however, the issues involved include: the “entire tort” doctrine, the “discretionary function” doctrine, and the application of the exception to causes of action that may not be readily classified as torts. I’ll discuss the first issue here. The “entire tort” doctrine generally provides that both the injury and the tortious conduct causing the injury must occur in the United States for the (a)(5) exception to apply. The entire tort test has been widely accepted (see Restatement (Fourth) Foreign Relations Law of the United States § 457, R.N. 1 (forthcoming 2018)). At a minimum, the exception does not apply to people who are harmed outside of the United States by conduct outside the United States but who continue to suffer harm or injury in the United States.
The U.S. Court of Appeals for the D.C. Circuit recently applied the “entire tort” test in Doe v. Ethiopia to find Ethiopia immune in a case alleging that the Ethiopian government had spied on a person located in Maryland after he was tricked into downloading malware. The court reasoned in part that:
Without the software’s initial dispatch or an intent to spy— integral aspects of the final tort which lay solely abroad— Ethiopia could not have intruded upon Kidane’s seclusion under Maryland law. Kidane’s Wiretap Act claim is similarly deficient. The Wiretap Act in pertinent part proscribes “intentional intercept[ions]” of “wire, oral, or electronic communication[s].” 18 U.S.C. § 2511(1)(a). But, again, the “intent,” id., and FinSpy’s initial deployment occurred outside the United States. The tort Kidane alleges thus did not occur “entire[ly]” in the United States, Jerez, 775 F.3d at 24 (internal quotation marks omitted); it is a transnational tort over which we lack subject matter jurisdiction.
The same basic analysis could apply to the DNC complaint. Indeed, that analysis might be stronger here, because in the DNC case the defendants may have performed more of the relevant conduct outside the United States—including the transfer of larger amounts of data outside the U.S. and the more extensive processing and publication of information abroad. The relevance of such conduct will vary based on the actual elements of the different causes of action in the twelve counts of the complaint.
But Doe v. Ethiopia does not necessarily get the analysis very far. To begin with, the case is arguably wrongly decided under the “entire tort” doctrine. And In any event, the “entire tort” test is not in the statute itself; it is merely an interpretation of the statutory language: “…personal injury or death, or damage to or loss of property, occurring in the United States and caused by the tortious act or omission of [a] foreign state…”.
The “entire tort” doctrine is also in some tension with “gravamen” test the Supreme Court adopted in Sachs v. OBB Personenverkehr, a case involving the commercial activity exception. The Court reasoned that an action is not “based upon a commercial activity carried on in the United States” merely because conduct comprising only “one element” of the cause of action takes place in the United States. Instead, the Court held—following the views of the U.S. government in its amicus brief—that an action is based upon the conduct that constitutes the “gravamen” of the suit. If a similar test were applied in the tort context, the gravamen of the DNC suit would likely be the United States.
Analysis of the commercial activity exception also varies depending upon the cause of action. RICO claims poses specific hurdles, for example, because foreign states are arguably immune from suit in criminal cases, making it difficult to satisfy the predicate act requirement. But regardless of the specific cause of action, the broader issue is whether the conduct alleged constitutes “commercial activity” under the FSIA. It is the nature of the conduct, not the purpose or intent of the government, that is dispositive under 28 U.S.C. § 1603 (d). In general, courts ask whether the private parties could engage in kind of conduct at issue in the course of business or trade, or whether it is conduct limited to sovereigns or the exercise of government authority. Criminal acts can be commercial under the statute, including actions such as bribery, forgery, and mail fraud.
The DNC complaint alleges hacking and leaking—conduct that could generally be engaged in by private parties. To that extent, the exception could apply, although the framework in which the hacking occurred is not typically associated with the term “commercial.”
If the immunity issues are litigated, jurisdictional discovery could become important. Potentially relevant issues would include the factual and legal relationships among Russia, GRU, and Guccifer 2.0 and the location from which the alleged cyberoperations originated. As the Supreme Court held in NML Capital v. Argentina, immunity issues governed by the FSIA are generally not subject to special discovery rules under the FSIA (except for terrorism- related cases), though the court did say in footnote 6 that “other sources of law” including “comity interests” might limit the district court judge’s discretion in ordering discovery. It’s unclear, however, how comity would apply in a suit alleging that the foreign state undermined our very system of government—just another interesting question raised by the DNC case.