On 23 June 2026, the United States Supreme Court issued its ruling in Cisco Systems, Inc. et al. v. Doe et al. (No. 24-856), bringing to a close fifteen years of litigation over whether an American technology company could be held liable under U.S. federal law for designing surveillance infrastructure that, according to the claimants, was used to persecute a religious minority in China. The Court did not rule on the merits. It ruled on the legal avenue used, holding that federal courts may not create new causes of action under the Alien Tort Statute (1789) — ATS — and that the Torture Victim Protection Act (1991) — TVPA — does not extend to aiding-and-abetting liability. The ruling significantly narrows the procedural space available in the United States for corporate accountability in human rights. It does not, however, eliminate the underlying problem: companies operating in repressive contexts continue to face growing legal, reputational and regulatory exposure — and the centre of gravity of that exposure is shifting towards Europe.

The Case and Its Context: Fifteen Years of Transnational Litigation

The lawsuit was filed in 2011 by the Human Rights Law Foundation, a Washington-based non-profit organisation, on behalf of a group of Falun Gong practitioners — a Chinese spiritual movement founded in 1992 and banned by the Chinese Communist Party in 1999 following a silent protest by thousands of followers near the Party's central leadership compound in Beijing. What followed, according to the complaint, was a systematic campaign of state persecution: arbitrary detention, torture, forced labour and coercive religious conversion.

The central allegation was not that Cisco had sold standard networking equipment to China. It was that Cisco executives, including its CEO, personally met with Chinese authorities to "explicitly" endorse the objectives of the so-called "Golden Shield"1 — including what the Party internally called douzheng, a term designating violent political repression. Internal Cisco documents, cited extensively by Justice Sotomayor in her dissenting opinion — though the company has disputed their content and interpretation — showed, according to the dissent, the company pledging to tailor the system to the Party's repressive goals, characterising Falun Gong practitioners using the same dehumanising terminology employed by the Communist Party, and marketing its services at Chinese trade fairs using materials that explicitly described their utility for the douzheng of the group.

It is important to note that, although these facts appear explicitly in the text of the ruling — specifically in the dissenting opinion — the majority of justices who agreed on the final decision did not pronounce on the truth of these allegations, as their reasoning focused exclusively on the absence of federal court jurisdiction to hear such claims under the ATS.

A federal district court dismissed the complaint in 2014 for insufficient domestic nexus with the United States. The Ninth Circuit Court of Appeals reversed that decision in 2023, allowing the aiding-and-abetting claims under both the ATS and the TVPA to proceed. The Supreme Court granted certiorari in early 2026 and issued its ruling on 23 June 2026.

Normative Framework: The ATS and the TVPA

The Alien Tort Statute (ATS), enacted in 1789 and codified at 28 U.S.C. § 1350, grants U.S. federal courts jurisdiction over certain civil claims brought by foreign nationals for torts committed in violation of international law or a U.S. treaty. In Sosa v. Alvarez-Machain (2004), the Supreme Court held that the ATS does not create a broad cause of action, but permits, in very limited circumstances, claims for certain clearly defined violations of international law.

The Torture Victim Protection Act (TVPA) of 1991 expressly creates a civil action for victims of torture and extrajudicial killing committed under colour of foreign law. In Mohamad v. Palestinian Authority (2012), the Supreme Court clarified that the TVPA only permits suits against natural persons, not organisations.

The Ruling: Holdings and Legal Architecture

Holding I

The ATS does not authorise courts to create new causes of action for violations of international law, decisively restricting claims against companies for aiding and abetting human rights abuses committed abroad.

Holding II

The TVPA does not expressly establish aiding-and-abetting liability. Congressional silence on this form of liability is dispositive.

The majority's reasoning rests on two pillars. The first is institutional: the ATS does not authorise federal courts to create new causes of action for violations of international law, so that any expansion of liability for aiding and abetting human rights abuses committed abroad rests with Congress, not the judiciary, absent express legislative authorisation. The second is structural: ATS cases, by their very nature, implicate foreign policy. The mere fact that a case affects foreign relations — inevitable in ATS litigation — is the legal ground sufficient to close the proceedings definitively, without reaching the merits.

On the TVPA, the majority reasoned by analogy with Central Bank of Denver v. First Interstate Bank (1994): since Congress knows how to impose aiding-and-abetting liability expressly and chose not to do so in the TVPA, its absence is dispositive. The verb "subjects" was interpreted narrowly, as requiring a direct causal connection between the defendant and the victim's suffering — a connection that aiding-and-abetting liability, which reaches those one or more steps removed from the principal, exceeds.

The Dissent: An Alternative Institutional Vision

Justice Sotomayor filed a dissenting opinion, joined in part by Justices Kagan and Jackson, arguing that the ruling departs from prior precedent and that any exclusion of corporate liability should have been decided expressly by Congress. She argued that the majority, in practice, overruled Sosa v. Alvarez-Machain without acknowledging it — a critique of precedent treatment that echoes the pattern of other recent decisions by the Court.

On the foreign policy question, the dissent noted that both political branches of the U.S. Government had publicly and repeatedly condemned the Chinese government's persecution of Falun Gong practitioners, and that China itself had filed no brief in the proceedings opposing jurisdiction — undermining the majority's assumption that proceeding would necessarily harm bilateral relations.

"Like the pirates of the eighteenth century, whose conduct troubled Blackstone and the First Congress, today's torturers, slave traders and perpetrators of genocide are hostis humani generis, enemies of all mankind."

Justice Sotomayor, Dissenting Opinion, Cisco Systems v. Doe (2026)

The dissent's conceptual framework — independent corporate responsibility for contributing to human rights harm, even where the proximate perpetrator is a State — remains the prevailing international standard. The Supreme Court has decided that this framework cannot be made operative through U.S. federal courts. It has not decided that the framework is wrong.

What the Ruling Says — and What It Does Not

Three interpretive clarifications are necessary before drawing practical conclusions from this decision.

Practical Lessons for Companies: Ten Criteria for Action

Lesson 01 Coherence between public commitments and operational reality is a legal and reputational imperative

Cisco publicly proclaimed its commitment to "the power of a free and open internet." The internal documents cited in the litigation told, according to the claimants, a different story. The gap between public positioning and operational conduct in repressive markets is not merely an ethical problem: it is evidentiary material in legal proceedings, a signal to investors and insurers, and the substrate of reputational damage that outlasts the legal process. Companies must conduct honest internal audits of whether their stated human rights policies are reflected in their commercial decisions, contractual terms and country-specific deployments.

Lesson 02 Human Rights Impact Assessments for dual-use technologies must precede — not follow — contract execution

Technologies with surveillance, monitoring, facial recognition or behavioural analytics capabilities carry inherent dual-use risk. Setting aside considerations arising from international sanctions and export controls, the UN Guiding Principles (Principle 17) require that human rights due diligence be proportionate to the severity of potential impact and conducted before business decisions are taken. A Human Rights Impact Assessment carried out after a contract is signed serves as governance documentation; it does not constitute due diligence.

Lesson 03 Executive conduct in commercial negotiations is a source of legal exposure

The most damaging allegations in the complaint did not concern software architecture. They concerned what executives allegedly said in meetings, what they promised in presentations, and what internal communications revealed about their knowledge and intentions. Companies must implement protocols ensuring that those who interact with government counterparts in high-risk jurisdictions do so within a documented human rights framework, with legal counsel present or briefed, and without making commitments — formal or informal — that endorse objectives contrary to international standards.

Lesson 04 End-use clauses are not optional in high-risk technology contracts

Contracts for technology susceptible to being used to monitor, identify or facilitate action against individuals or groups must include enforceable end-use restrictions. These clauses should explicitly prohibit use of the technology for persecution, discrimination or suppression of protected activities; require the counterparty to notify any government demand to expand or repurpose the system; and include termination rights triggered by documented human rights violations.

Lesson 05 Internal communication practices must be consistent with stated human rights policies

Internal materials that characterise a client's repressive campaign targets using dehumanising language — as was alleged in this case — represent a corporate governance failure of the first order. Such materials do not only create legal exposure: they reveal the actual cultural norms operating within the organisation, regardless of what the code of ethics states. Companies must establish clear protocols for internal communications relating to government clients in sensitive markets, including review by legal and compliance functions before materials describing the client's objectives are produced or circulated.

Lesson 06 A judicial victory in one jurisdiction does not eliminate exposure in others

The U.S. Supreme Court ruling governs U.S. federal courts. A company whose conduct has been described — in a published Supreme Court opinion — as potentially facilitating a state campaign of torture, arbitrary detention and forced religious conversion retains reputational and regulatory exposure in every jurisdiction where accountability frameworks are operative. Multinational legal strategy must be designed with full awareness of this multi-jurisdictional reality from the outset.

Lesson 07 Remediation must be person-centred and operationally genuine

The UN Guiding Principles (Principles 22 and 29–31) require that companies that have caused or contributed to adverse human rights impacts provide or cooperate in their remediation. This is not satisfied by policy updates, public statements or procedural improvements to due diligence processes. Effective remediation requires engagement with affected individuals or their representatives, assessment of the actual harm suffered, and appropriate redress. Companies whose technology has been used in ways that violated human rights should engage proactively with independent experts and affected communities, rather than waiting for litigation to compel them to do so.

Lesson 08 Compliance functions must have structural authority over high-risk commercial decisions

The pattern this case exemplifies — in which commercial pressures prevailed over human rights considerations — reflects a corporate governance architecture in which compliance functions lack effective authority over strategic business decisions. Best practice requires that General Counsel and Chief Compliance Officer functions have both access and authority at the executive and board levels when contracts involving dual-use technology, high-risk government clients or repressive-context deployments are under consideration.

Lesson 09 Companies should begin aligning with the CS3D now, rather than waiting for national transposition or application deadlines

The directive applies to very large EU companies and very large non-EU companies with significant EU turnover.2 Companies that start building their due diligence, supplier engagement, and remediation processes now will be better positioned to demonstrate genuine compliance and reduce the risk of regulatory scrutiny or litigation.

Lesson 10 Reputation is built on conduct, not on judicial outcomes

Perhaps the most enduring lesson of the Cisco litigation is that legal outcomes and reputational outcomes are separate, though related, phenomena. Cisco obtained a procedural victory in every forum that ultimately decided the case. The litigation nonetheless produced a public record — internal documents, executive commitments, engineering decisions and judicial opinions describing them in detail — that will remain available to researchers, journalists, investors, civil society organisations and regulators for decades. The question is not only whether a court will find liability; it is whether the company, subjected to full public scrutiny of its decisions, would be able to stand behind them with integrity.

Conclusion: A Closed Door and an Open Question

The U.S. Supreme Court's ruling in Cisco Systems v. Doe represents, in doctrinal terms, a significant contraction of the space available for corporate accountability in human rights before U.S. courts. The ATS has been definitively stripped of its capacity to generate new judicially created causes of action. Combined with the exclusion of aiding-and-abetting liability under the TVPA, the ruling effectively removes U.S. federal courts as a meaningful forum for claims of the type at issue in this case.

What remains is a genuinely open question about where accountability norms will develop and how they will be enforced. Justice Sotomayor's vision — in which American courts would serve as a forum of last resort for victims of international law violations — has been foreclosed for the foreseeable future. But the underlying normative commitments have not been abandoned: they are being institutionalised through a different mechanism and a different geography. European mandatory human rights due diligence frameworks, the updated OECD Guidelines for Multinational Enterprises, and the ongoing normative work of the UN B-Tech Project and the Office of the High Commissioner for Human Rights collectively represent a regulatory ecosystem that is more demanding, more operationally specific and geographically far-reaching than the ATS ever was.

For companies, the appropriate response to this ruling is not to conclude that the risk of accountability for human rights harm has diminished. It is to recognise that the centre of gravity of that accountability is shifting — from retrospective litigation to prospective regulation — and to prepare accordingly. The standards that will be applied are not new; they are the UN Guiding Principles, operationalised through binding law. The time to align with them is now.

Resources and References

Primary sources — case law

  • Cisco Systems, Inc. v. Doe I, No. 24-856, 609 U.S. _ (23 June 2026) [Opinion of Barrett, J.; dissent of Sotomayor, J.; opinion concurring in part and dissenting in part of Jackson, J.].
  • Sosa v. Alvarez-Machain, 542 U.S. 692 (2004).
  • Kiobel v. Royal Dutch Petroleum Co., 569 U.S. 108 (2013).
  • Jesner v. Arab Bank, PLC, 584 U.S. 241 (2018).
  • Nestlé USA, Inc. v. Doe, 593 U.S. 628 (2021).
  • Mohamad v. Palestinian Authority, 566 U.S. 449 (2012).
  • Central Bank of Denver, N.A. v. First Interstate Bank of Denver, N.A., 511 U.S. 164 (1994).

International and European regulatory frameworks

  • United Nations. Guiding Principles on Business and Human Rights (Ruggie Framework). UN Doc. A/HRC/17/31 (2011).
  • European Union. Directive (EU) 2024/1760 on Corporate Sustainability Due Diligence (CS3D), OJ L, 5 June 2024.
  • European Union. Directive (EU) 2026/470 ("Omnibus I") amending the CSRD and the CS3D, OJ L, 26 February 2026.
  • OECD. Guidelines for Multinational Enterprises on Responsible Business Conduct (2023 edition). OECD Publishing, Paris.
  • Alien Tort Statute, 28 U.S.C. § 1350 (1789).
  • Torture Victim Protection Act of 1991, 106 Stat. 73, note following 28 U.S.C. § 1350.

Media coverage and investigative journalism

  • Reuters / Jan Wolfe. "US Supreme Court ends suit alleging Cisco helped China pursue Falun Gong." 23 June 2026.
  • Bloomberg Law / David Foster & Danielle Deaulniers Stempel. "What Companies Need to Know About the Cisco Human Rights Case." 24 June 2026.
  • Associated Press / Mark Sherman. "Supreme Court will take up Cisco's bid to shut down lawsuit by Falun Gong." 9 January 2026.
  • The Guardian. "US supreme court ends lawsuit alleging Cisco helped China pursue Falun Gong." 23 June 2026.
  • KQED / Nisa Khan. "Supreme Court Sides With Cisco in International Human Rights Case." 24 June 2026.
  • Associated Press / Dake Kang & Yael Grauer. "Silicon Valley enabled brutal mass detention and surveillance in China, internal documents show." 9 September 2025.
  • Cisco / Dev Stahlkopf. "The Power and Importance of a Free and Open Internet." Cisco News Blog, 21 August 2023.

Academic scholarship

  • Ewell, C., Hathaway, O. & Nohle, E. "Has the Alien Tort Statute Made a Difference? A Historical, Empirical, and Normative Assessment." Cornell Law Review, vol. 107, p. 1205 (2022).

1 The "Golden Shield" is the Chinese government's internet surveillance and censorship system, colloquially known as the Great Firewall. It operates as a nationwide control network that blocks access to foreign websites, restricts information and monitors web traffic to ensure state control.

2 The Omnibus I Directive (EU) 2026/470, published on 26 February 2026 and in force since 18 March 2026, substantially reduced the personal scope of the CS3D relative to the original 2024 text. Following the reform, the Directive applies only to EU companies with more than 5,000 employees and worldwide net turnover exceeding €1.5 billion, and to non-EU companies with EU net turnover exceeding €1.5 billion. National transposition has been postponed to 26 July 2028, with effective application from July 2029.