The Amsterdam Law & Technology Institute’s team is inviting external faculty members to publish guest articles in the ALTI Forum. Here is a contribution authored by Catalina Goanta (Utrecht University) & Jerry Spanakis (Maastricht University) exploring when legal compliance came for the Internet.
The dawn of the Internet saw a fictitious separation of human spaces: the offline versus the online world. The first had geographical boundaries that turned imaginary legal systemsinto material realities, crystalized through centuries of experiences with (more or less optimal, efficient or effective) processes and procedures ensuring that individuals abide by the laws of the state. The latter was a new Wild West, initially populated by dedicated groups who saw in the Internet a new technology that had the potential to redefine societal interactions. And just like with any terra nullius, this Wild West had no preset governor, no laws, and therefore no higher force that would coerce any form of compliance.
‘You have no sovereignty where we gather’
The resulting perceived lawlessness of cyberspace resulted in different visions relating to how oversight based on human decisions could be replaced by technological infrastructure.The most prominent group of self-entitled troublemakers to shape a techno-social agenda along these lines were the cypherpunks, who used cryptography to stimulate rage against the state machine. ‘Cypherpunks write code’, as Bartlett reminded us. Tim May, one of the most prominent cypherpunks, wrote a credo for the movement in the form of the Crypto Anarchist Manifesto, shared on Cypherpunk mailing list in 1992. His libertarian ideals revealed a vision of a world free from any form of surveillance, including that resulting out of the enforcement of the law:
Just as the technology of printing altered and reduced the power of medieval guilds and the social power structure, so too will cryptologic methods fundamentally alter the nature of corporations and of government interference in economic transactions. Combined with emerging information markets, crypto anarchy will create a liquid market for any and all material which can be put into words and pictures. And just as a seemingly minor invention like barbed wire made possible the fencing-off of vast ranches and farms, thus altering forever the concepts of land and property rights in the frontier West, so too will the seemingly minor discovery out of an arcane branch of mathematics come to be the wire clippers which dismantle the barbed wire around intellectual property.
Echoes of the same desire for freedom from the state can also be traced in John Perry Barlow’s Declaration of Independence of Cyberspace.
Governments derive their just powers from the consent of the governed. You have neither solicited nor received ours. We did not invite you. You do not know us, nor do you know our world. Cyberspace does not lie within your borders. Do not think that you can build it, as though it were a public construction project. You cannot. It is an act of nature and it grows itself through our collective actions.
Whatever complex motivations lied in the background of such revolutionary techno-political movements, a palpable theme stands out: reinventing cyberspace outside of the reach of the state.
Legal compliance and content moderation
In the following decades, the centralization of infrastructure and power by big companies such as Google and Facebook facilitated just that: an enforcement world running at two speeds: the traditional offline world, well known to the state; and the online space where the private sector has been exponentially developing technologies that continue to be opaque and often incomprehensive for industry outsiders, and that reflect resources which very few national or supranational authorities can match.
Content moderation is a good example of how this divideaffected what we see online, particularly on social media networks. A quick look at the content reported on platforms such as Facebook, Twitch, Twitter and TikTok shows how social media platforms are primarily concerned with policingcriminal content (e.g. terrorism, child pornography), as well as intellectual property violations. At least in Europe, this reflects the focus of the early e-Commerce Directive (Preamble Recital 8 on criminal law harmonization; Recital 50 on copyright) in determining intermediary liability. This focus, often balanced against fundamental rights such as freedom of expression, has created an incomplete narrative around what legal compliance ought to look like on the Internet. Consumer protection, media, tax, public health, product liability, are only a few examples of specific areas of regulation applying to social media content. In the European Union, a lot of the afore-mentioned areas have led to considerable volumes of mandatory rules from which private parties may not deviate (e.g. consumer rights). For instance, platforms may not impose arbitration clauses in consumer contracts, given that such clauses have been deemed to be unfair in the light of the Unfair Contract Terms Directive.
To say that the reality of legal compliance in the case of content moderation is messy would be an understatement. National and supranational rules are fragmented across numerous regulatory and policy areas, complemented by self-regulation, and interpreted with more or less legal certainty. A video posted on YouTube showing a treasure hunter digging for buried archaeological relics may be subject to municipal and national legislation regarding the legality of handling cultural heritage objects privately. An Instagram page dedicated to cryptocurrency investments may be subject to regulations relating to financial services. The web of applicable legal rules is often difficult to map even for experts in the legal field, given the increasing complexity of the regulatory puzzle. Not abiding by such rules means that platforms would not be legally compliant, thus leading to violations of potentially mandatory legal frameworks – this is reflected in the current definition of illegal content embedded in the upcoming Digital Services Act Art. 2 (1)(g):
‘illegal content’ means any information of activity, including the sale of products or provision of services which is not in compliance with Union law or the law of a Member State, irrespective of the precise subject matter or nature of that law.
The future of digital legal compliance
In practice, although they may mandate conduct from all members of society, laws are often not written to be applied to every single citizen in a legal system. Their enforcement always relies on how enforcement agencies prioritize the finite resources they are granted. Yet with current exponential development of technology, regulators and public authorities can finally design rules and procedures to optimize resource allocation in ways unseen before. Leading the way in the infrastructural understanding of digital markets is the UK’s Competition and Markets Authority. It has set up a state of the art Data, Technology and Analytics Unit, including a Behavioural Hub, where data scientists with practical and academic experience join forces with enforcement agents to bring together law, consumer behaviour and computer science insights. The depth and multidisciplinary nature of their work is reflected in reports such as the Online Choice Architecture discussion paper released in April 2022, focusing on dark patterns in digital markets.
The World Economic Forum calls this type of enforcement regulatory technology. Beforehand, Harvard’s Bruce Schneierwas calling for ‘technologists who work in the public interest’, leading to the concept of public interest technology, which has a broader connotation but certainly includes the approach of government hiring technologists to pursue regulatory objectives. From a more procedural perspective, we can speak about digital (forensic) investigations and enforcement.
While it may be the only option ahead, checking legal compliance on digital markets does not come without concerns. Two issues which should be considered essential to the further development of this field deal with the outsourcing of technology solutions, as well as the procedural cannibalization of enforcement. The first problem reflects situations where, unlike the case of the CMA described above, authorities do not have internal capacity to design and develop their own investigation and enforcement architectures. Depending on the mandate of given authorities, this may entail very basic needs such as writing and deploying web scrapers to collect data for investigations, but also more complex machine learning approaches (e.g. to detect fake reviews using logistic regression). If authorities do not have a vision, a strategy and sufficient funding to build the capacity necessary to support this architecture, a potential solution is outsourcing. Yet if authorities do not have the capacity to develop machine learning frameworks, they most certainly will not have the ability to understand whether the opaque solutions of a private company are sufficiently accurate, privacy-preserving and secure. This is why it is important that administrative evaluation processes (especially in the light of the upcoming AI Act) are developed and streamlined to capture the most essential pitfalls of having to purchase such technology from the market.
The second problem is that of coordination. If all public authorities tasked with the checking of legal compliance in various domains develop data units over night, questions about the legitimacy and mandates of overlapping investigations and enforcement actions immediately appear (overlapping investigations are already a reality, but digital evidence collection will only worsen the coordination issue). This was visible in the Cambridge Analytica investigation, where the Italian Competition Authority fined Facebook on the basis of violating unfair practice law, whereas the same incident was investigated in the UK by the data protection authorities. With the creation of more and more enforcement authorities (e.g. digital service coordinators), it is imperative that future regulation harmonizes cooperation across domains, countries, levels of governance, etc., for an optimal use of resources, as well as for a cohesive approach to law enforcement.
Obviously, these are not the only issues with legal compliance becoming more datafied and automated. There are fundamental concerns against increased surveillance, as well as needs for clear rules on accountability, or on the limits of procedural discretion. However, digital enforcement will have to be tailored according to these needs, because it is a necessary reality of our increasingly digitized societies. It is happening as we speak, and in the next decade, it will most likely be one of the most important regulatory trends dealing with digital markets. And we need to talk about it much more than we currently do.
Catalina Goanta & Jerry Spanakis
Citation: Catalina Goanta & Jerry Spanakis, When legal compliance came for the Internet, ALTI Forum, April 22, 2022.
Invited by Thibault Schrepel