pith. sign in

arxiv: 2604.17806 · v1 · submitted 2026-04-20 · 💻 cs.CY · cs.AI· cs.CR

Party Autonomy in Determining the Law Applicable to Non-contractual Obligations concerning Cross-Border Data Transfers

Pith reviewed 2026-05-10 04:02 UTC · model grok-4.3

classification 💻 cs.CY cs.AIcs.CR
keywords party autonomynon-contractual obligationscross-border data transfersprivate international lawcloud computingprivate orderingdata protection liability
0
0 comments X

The pith

In cloud data transfer disputes, parties can extend their chosen contract law to govern non-contractual obligations like data leaks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper addresses how cross-border data transfers in cloud computing create liability issues when data fragments are spread across jurisdictions, making it hard to identify a single physical location for applying traditional private international law rules. It focuses on common scenarios where a data subject sues a SaaS provider, which then seeks recourse from an IaaS or PaaS provider, creating overlapping contractual and non-contractual claims. The central proposal is that parties can use autonomy to select the law for contracts and align non-contractual obligations with it, an approach called private ordering. This would make outcomes more foreseeable without relying on location-based rules. A reader would care because it offers a practical way to handle liability in global AI and cloud environments where data has no fixed place.

Core claim

The paper claims that where contractual and non-contractual obligations concur in data transfer cases, the law governing the contractual obligation as selected by the parties can also determine the law for non-contractual obligations, termed private ordering. This overcomes the inadequacy of traditional measures that depend on identifying a physical location for distributed data fragments, such as in secret sharing technology, and enhances foreseeability for the parties involved in SaaS, IaaS, and PaaS relationships.

What carries the argument

Private ordering, the extension of party-chosen law from contractual obligations to concurrent non-contractual obligations in the same data transfer relationship.

If this is right

  • The applicable law for non-contractual claims can be set without needing to locate data physically.
  • Foreseeability increases for parties in international SaaS-IaaS-PaaS chains.
  • Traditional private international law rules based on physical location become unnecessary for these concurrent obligation cases.
  • Secret sharing and similar distributed technologies no longer create insurmountable choice-of-law problems.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Contract drafters in cloud services might routinely include clauses that explicitly cover tort and data protection claims under the chosen law.
  • This approach could reduce uncertainty in cross-border AI training data disputes by prioritizing agreed law over territorial rules.
  • Courts in multiple jurisdictions could test the method by applying it to specific breach cases involving global data distribution.
  • It raises questions about limits when the chosen law conflicts with mandatory data protection rules in the data subject's home country.

Load-bearing premise

Courts will accept extending a contract's chosen law to cover non-contractual obligations even when data is distributed without a single physical location.

What would settle it

A court ruling that refuses to apply the contractually selected law to a non-contractual data breach claim involving multi-jurisdictional cloud data, or empirical evidence showing data location rules consistently produce different outcomes than contract choices.

Figures

Figures reproduced from arXiv: 2604.17806 by Kumiko Kameishi, Makiko Aoyagi, Miho Ikeda, Oliver Posani, Ren Yatsunami, Soma Araoka, Yuki Okamura.

Figure 3
Figure 3. Figure 3: Replication Type System vs. Secret Sharing Type System: Contrasting Features 17 Adi Shamir, 'How to Share a Secret' (1979) 22(11) Communications of the ACM 612. 18 See Shamir (n 17) [PITH_FULL_IMAGE:figures/full_fig_p014_3.png] view at source ↗
read the original abstract

(1)Cross-border data transfers have become a matter of daily occurrence against the backdrop of the development of cloud computing and artificial intelligence. Consequently, where a data leak gives rise to civil liability, the determination of that liability inevitably assumes an international dimension involving foreign elements. (2)As is starkly demonstrated by secret sharing technology in cloud computing, fragments of data may be presumed to be distributed across multiple jurisdictions on a global scale. This renders traditional private international law measures -- predicated on the identification of a physical location -- inadequate for the purposes of determining the applicable law, a difficulty that is particularly acute in relation to non-contractual obligations. (3)Bearing in mind the typical scenario encountered in practice -- in which a Data Subject brings a claim for damages against a SaaS (Software as a Service) provider, which in turn seeks recourse against an IaaS (Infrastructure as a Service) or PaaS (Platform as a Service) provider -- a characteristic feature of such cases is the concurrence of contractual and non-contractual obligations. Taking this feature into account, it is possible to determine the applicable law governing non-contractual obligations through party autonomy -- by aligning it with the law governing the contractual obligation as selected by the parties, an approach that may be termed private ordering. This serves to overcome the difficulties associated with the identification of a physical location and, at the same time, contributes to ensuring the foreseeability of the parties.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript proposes that in cross-border data transfer disputes involving cloud services, where data fragments are distributed across multiple jurisdictions rendering physical location identification impractical for determining applicable law to non-contractual obligations, parties can use autonomy to align the law for non-contractual claims with their chosen contractual law. This 'private ordering' approach is suggested for typical scenarios involving data subjects claiming against SaaS providers who then seek recourse from IaaS/PaaS providers, thereby enhancing foreseeability.

Significance. If the proposal holds, it offers a practical normative framework for resolving choice-of-law issues in data liability cases arising from distributed cloud computing, potentially improving legal certainty in international data protection and AI contexts. The approach leverages the concurrence of contractual and non-contractual obligations, a feature common in SaaS/IaaS chains, and draws on established private international law doctrines without introducing new parameters or circular reasoning.

major comments (2)
  1. Abstract paragraph (3): The central claim that party autonomy can validly extend to non-contractual obligations (e.g., damages for data leaks) by alignment with the parties' contractual choice of law is load-bearing for the entire proposal but is asserted without citation or analysis of the specific legal basis or limitations; instruments such as Rome II Regulation Article 14 permit limited party autonomy in torts only under strict conditions (e.g., after the event, not prejudicing third parties or mandatory rules), and the manuscript does not examine whether data-subject claims against SaaS providers fall within these bounds or how privity issues with upstream IaaS contracts would be resolved.
  2. Abstract paragraph (2): The assertion that secret-sharing technology and distributed data make traditional location-based private international law rules 'inadequate' is presented as self-evident, but lacks concrete case-law examples or doctrinal analysis showing actual failures in practice (e.g., under Rome II Article 4 or equivalent rules on lex loci delicti), which is necessary to justify bypassing them entirely via private ordering.
minor comments (2)
  1. The abstract is concise and logically structured, but the manuscript would benefit from an explicit roadmap of sections (e.g., doctrinal background, comparative analysis, limitations) to aid readers.
  2. Consider adding a dedicated section discussing potential conflicts with mandatory data-protection rules (such as GDPR Article 3 or equivalent) that might override chosen law even if party autonomy is extended.

Simulated Author's Rebuttal

2 responses · 0 unresolved

Thank you for the referee's thoughtful review and recommendations. We address the major comments point by point below, indicating the revisions we plan to make to the manuscript.

read point-by-point responses
  1. Referee: Abstract paragraph (3): The central claim that party autonomy can validly extend to non-contractual obligations (e.g., damages for data leaks) by alignment with the parties' contractual choice of law is load-bearing for the entire proposal but is asserted without citation or analysis of the specific legal basis or limitations; instruments such as Rome II Regulation Article 14 permit limited party autonomy in torts only under strict conditions (e.g., after the event, not prejudicing third parties or mandatory rules), and the manuscript does not examine whether data-subject claims against SaaS providers fall within these bounds or how privity issues with upstream IaaS contracts would be resolved.

    Authors: We thank the referee for highlighting this important point. The full manuscript elaborates on the typical scenario involving concurrence of contractual and non-contractual obligations in the data transfer chain. However, we agree that the abstract's brevity leaves the legal basis underexplored. In revision, we will expand the relevant sections to provide citations and analysis of Rome II Regulation Article 14, discussing the conditions for party autonomy in torts, including post-event agreements and protections for third parties and mandatory rules. We will also clarify the scope: the proposed alignment primarily addresses the recourse claims between SaaS and IaaS/PaaS providers, where privity exists, and discuss how this enhances foreseeability for the overall liability chain without directly binding data subjects who are not parties to the upstream contracts. This addresses potential privity concerns. revision: partial

  2. Referee: Abstract paragraph (2): The assertion that secret-sharing technology and distributed data make traditional location-based private international law rules 'inadequate' is presented as self-evident, but lacks concrete case-law examples or doctrinal analysis showing actual failures in practice (e.g., under Rome II Article 4 or equivalent rules on lex loci delicti), which is necessary to justify bypassing them entirely via private ordering.

    Authors: We accept that additional support for this assertion would strengthen the argument. The manuscript posits that the distributed nature of data fragments under secret-sharing technology makes pinpointing a single 'place where the harmful event occurred' under traditional rules like Rome II Article 4 impractical. In the revised version, we will incorporate doctrinal analysis from private international law literature on the challenges of applying lex loci delicti to digital and cloud-based torts, and include references to any relevant judicial decisions or hypothetical scenarios illustrating these difficulties. This will better ground the justification for exploring private ordering as a complementary approach. revision: yes

Circularity Check

0 steps flagged

No circularity: normative legal proposal with no self-referential reduction

full rationale

The paper presents a normative argument proposing that party autonomy can align non-contractual obligations with chosen contractual law in cross-border data cases, termed 'private ordering.' This rests on the observed concurrence of contractual and non-contractual claims in SaaS/IaaS scenarios and standard private international law concepts, without equations, fitted parameters, self-definitional loops, or load-bearing self-citations. The claim does not reduce to its own inputs by construction; it is a policy suggestion open to external legal validation or critique.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central claim rests on standard principles of private international law allowing party autonomy in contracts and the factual premise of data distribution in cloud systems; no free parameters or new entities are introduced.

axioms (2)
  • domain assumption Private international law permits parties to select the governing law for contractual obligations.
    This is invoked as the basis for extending the same selection to non-contractual obligations.
  • domain assumption Data in cloud computing and secret sharing can be distributed across multiple jurisdictions without a determinable single physical location.
    This underpins the claim that traditional location-based rules are inadequate.

pith-pipeline@v0.9.0 · 5589 in / 1451 out tokens · 35662 ms · 2026-05-10T04:02:39.842116+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

7 extracted references · 7 canonical work pages · 1 internal anchor

  1. [1]

    Scaling Laws for Neural Language Models

    Introduction This paper examines, through a comparative legal study of EU law and Japanese law, whether party autonomy can influence the choice of law applicable to non -contractual obligations, with particular reference to cross-border data transfer. Two technological developments have particularly accelerated cross -border data transfers in recent years...

  2. [2]

    Brussels Effect

    <https://doi.org/10.6028/NIST.SP.800-145> accessed 5 March 2026. 3 regulatory authorities and business operators, particularly administrative fines such as those under Article 83 of the GDPR 56 . Such research has addressed, in particular, regulations governing the provision of personal data to third parties in foreign jurisdictions such as Articles 44 to...

  3. [3]

    Data Subject

    A Typology of Data Flows Grounded in Prevailing Practice 2-1. Purpose and Scope of This Chapter This chapter develops a typology of how data flows are structured in practice. Although t his paper examines how to determine the law that should govern private -law disputes arising from cross -border data transfers, the assumed fact pattern is consequential i...

  4. [4]

    lex loci damni

    Choice-of-Law Issues in the context of Cross-Border Data Transfer: Cloud Computing as a Challenge to the Principles of lex loci damni and lex loci delicti commissi 3-1. Introductory Remarks The classification of data flows from a technical perspective, as shown in the previous section, suggests that there will be an increase in cases that are difficult to...

  5. [5]

    Basis of Liability

    Potential of Party Autonomy as a Means of Determining the Governing Law of Non - Contractual Obligations 4-1 Introductory Remarks The question then arises as to what method would be appropriate for determining the governing law applicable to claims based on such non-contractual obligations. In order to undertake this examination, it is useful to recall Ta...

  6. [6]

    49 Jun Yokoyama, Private International Law in Japan (Wolters Kluwer, 2019) 78

    124–125. 49 Jun Yokoyama, Private International Law in Japan (Wolters Kluwer, 2019) 78 . 50 Ibid. 51 See Tokyo District Court Judgement, 15 October 2024, as an example of a case where it would have been desirable to rely on AGRALJ Article 20 in order to determine the applicable law for defamation. However, in this judgment, the court failed to clearly ref...

  7. [7]

    Conclusion This paper has proposed a typological classification of cross-border data transfers as they occur in the actual economy, and has advanced a legal analysis focusing on the basis of liability — whether contractual, non-contractual, or concurrent — as well as on the presence 26 of foreign elements, with a view to examining the appropriate framewor...