
2 – de legibus

An increasingly common refrain when talking of the internet and regulation is that “something must be done”. I don’t disagree with that premise given how important internet services can be in our daily lives. Indeed it would be bizarre if those charged with governing our societies did not concern themselves with such a socially impactful technology.

What is much less clear is what precisely should be done. There is always scope for political disagreements over regulation with people’s identities often defined by whether they favour more or less regulation. But in this case even where there is political consensus there remain considerable practical challenges to doing anything. This note describes those challenges as a framework for the individual areas I will cover later.

This is not intended to be a counsel of despair – that classic cry of the tech sector that ‘regulation cannot work in this brave new world so please leave it all to us’. It is rather intended to map out the landscape within which regulation will have to work so that it can be effective.

A handy alliterative summary of the three areas I am going to describe is ‘scope, scale and speed’.

The first challenge is that of geographical scope.

Regulation is generally created and applied at a national level. There are some supra-national bodies that create and enforce sets of rules for multiple countries. In the case of the EU, this is formal legislation that is binding on all member states.

In most other cases, countries can choose whether or not to be signatories to instruments drawn up by international bodies. And there is a continual tension around how much responsibility should be given to international rule-making bodies, such as the International Telecommunications Union (ITU).

Many countries are happy to delegate technical matters to international bodies but are much less keen to sign up to anything that touches sensitive political matters.

Previous generations of information and communications technology were largely organised at the national level so services and legislation could be coterminous.

In the case of television and radio, signals could be received outside the country but the core market would generally be within a particular country or group of countries where a service held licenses. (An exception to this would be ‘propaganda’ services that were deliberately beamed into third countries but these would usually be under direct control of governments rather than regular business entities.)

Telecommunication networks were built using infrastructure that was physically within a country and the providers would normally have to obtain a license from the government. Where traffic was routed outside the country there would be an explicit hand-off and usually some form of payment would be made. A small number of entities would buy international data capacity but this was an expensive commodity that was carefully used and accounted for.

So the default scope for media and telecoms services was national while international connections were atypical and generally depended on a deliberate action by an operator.

The world of the internet flips the default on its head. Once you connect a device using the internet protocols then it is able to communicate with every other device in the world using the same protocols. This universal connectivity was the deliberate design goal of the protocols and it works remarkably well.

Rather than having to seek explicit permission to cross national borders, owners of internet infrastructure have to impose additional technical measures if they wish to prevent cross-border traffic. We have shifted from default national to default global.

Most policy makers work at the national level and are primarily concerned with issues that affect their constituents. They may have a broader interest in global welfare but this will usually be a much weaker consideration than how they see their national interest.

When concerned about what is happening over the internet we can see policy makers swinging between despair and determination.

They may be told they have no ability to fix something that matters to them because the entities concerned are outside their jurisdiction. They may unhappily hold back for a while. But if the issue is not resolved and remains truly important then they can legislate at the national level anyway and trust the courts to help them make the foreign entities comply.

The question of the power balance between the tech providers and the policy makers is very important when they do decide to act. I will look at these questions of jurisdiction and how the law can be enforced in another post.

Second, we need to consider scale.

Most industrial regulation has been built around the idea of regulating a relatively small number of entities. If we look at the traditional media and telecoms sectors we will usually see that they consist of a few hundred entities in each country. We would normally think of the mass population in a country as being subject to the criminal law but not as being ‘regulated’.

If you do not like the output of a television station and believe it to be breaching its obligations you can go to a regulator who will investigate and may sanction the station using its regulatory powers. If you do not like what another citizen says then you might go to the Police and ask them to investigate and prosecute for a breach of the criminal law.

The television station would be expected to have a compliance department with lawyers checking its output before transmission. We hope that private citizens will obey the law but our expectations of due diligence are very different than for the television station.

When we think about the tech sector, we bring a much bigger pool of entities into scope as service providers, and for some issues, especially those related to user-generated content, we may bring the entire population into scope.

A regulator which has been established to manage thousands of complaints about programming on perhaps a few hundred TV channels is unlikely to have the systems to deal with millions of complaints about hundreds of millions of internet properties. Novel mechanisms are needed to work at this scale.

The gearing of entity size to user base may also be of a different order of magnitude in the new tech world.

A telecoms provider or broadcaster with an audience of millions will typically be a large entity with a large regulatory department. An internet service can gain a global audience of millions while still having fewer than a hundred staff of whom few or none may be compliance lawyers.

There will be a process of catch-up as tech entities build their regulatory knowledge and legal departments as they grow but there may be a significant period of lag. Some may argue that it is irresponsible for tech entities to scale their users unless and until they are also able to scale their regulatory compliance capacity. Others will feel strongly that we should not hold back innovation.

Finally, we see speed come into play.

As an example, we can look at the timetable for the recent update to data protection legislation in the European Union. The draft proposals for a new instrument to replace the 1995 Directive were published in January 2012. They were finalised in April 2016 and came into force in May 2018. This gives us over 4 years from proposal to final text and over 6 years from proposal to implementation. These were years in which the landscape of the tech sector changed considerably.

Even with the best processes, it may be unrealistic to shorten legislative timetables below 18 months for serious sectoral regulation in one country. If more countries are brought into a framework, as happens in the EU, then this may extend further.

We are then facing a reality where the issues that are top of mind as a legislative process kicks off are likely to have changed considerably by the time the ink dries on the final instrument.

This is again not exclusively a tech issue but is more acute especially at the software end of the sector. Mobile phone networks have been evolving with a new generation of standards every 10 years or so. There is a need to deploy networks physically that makes it hard to have a more frequent upgrade cycle. But where upgrades can be made in software then this can happen on a much more frequent basis, so Android has gone from ‘1G’ to ‘10G’ in approximately the time that mobile networks have gone from ‘3G’ to ‘4G’.


After describing the challenges, I want to talk about how regulation can be crafted to be effective if we assume that the overall landscape is going to remain one of fast moving services being offered at scale to a global user base.

Looking at the first challenge of geographical scope, I would suggest that we aim to have regulation that is ‘interoperable’. Laws do not have to be identical in each country but national legislators can control for the extent to which there are cross-jurisdictional conflicts if they see this as a priority.

Legislators might take a position that they simply do not care what other countries are doing, or even take pride in the fact that their regulation is very different from everywhere else as they see this as conferring a national advantage. This would be unlikely to harm them politically as long as they were legislating in line with the concerns of their constituents.

At the other end of the spectrum, national legislators could decide to create common instruments with other countries as they believe this is the best way to address concerns and would work best for their own tech sector. This is the underlying rationale for the European Union’s approach to creating a ‘digital single market’. It is also there more weakly in international instruments like the Budapest Convention on Cybercrime.

These questions of national sovereignty are highly political and not limited to the tech field but the particular qualities of tech that I describe in this post mean that it may be more affected by disparate national responses than other sectors.

Questions of wider global impact are unlikely ever to trump national concerns but should be given enough weight. Very concretely, where there is a choice of methods for achieving a goal that may each be effective then one that is more ‘standard’ might be preferred over one that would require significant local variation.

This is what I mean when suggesting policy makers have regulatory interoperability as one of their goals.

The second challenge of scale can be addressed in two ways.

First, we need to consider ways in which obligations should be scaled for different sizes of entity. This will in turn depend on how policy makers balance the interest in supporting innovation with the other interests they are trying to address in regulation.

At one end of the spectrum, they could place onerous obligations with strict liability on all operators of particular kinds of service. This would force companies to staff up for compliance purposes very early or risk being shut down because of the consequences of any mistakes.

At the other end of the spectrum, obligations can be reduced for all tech entities to maximise the growth of the sector. A number of early tech legal measures followed just this approach, eg exemptions from sales tax for digital products or from full legal liability for user-generated content.

As tech companies have become bigger and more capable, there are more people looking to challenge these broad exemptions. It is now less common to see proposals that grant general exemptions for the whole sector but there may be exemptions for some types of entity.

Criteria may be designed to include only the largest companies, typically Silicon Valley giants, as we see with the German Network Enforcement Act that applies to companies with more than 2 million users in Germany. Or regulation may apply more broadly but have some form of small business exemption to help entities only while they remain very small.

A more complex but I think more effective approach is to have tiered obligations. These would include some reasonable baseline obligations that are placed on all entities offering a relevant service. There would then be additional obligations that kick in as entities reach different sizes. A paper from the French government sets out this kind of model where the criteria for each tier are based on the percentage of the French population that a service reaches.

Second, we can look at regulation that uses the scaled capacity of tech platforms themselves. For example, when it comes to complaints about content, these may be directed to the platform in the first instance with thresholds for when a regulator may get involved.

There are examples of this in existing regulation where people are expected to use company remedies before approaching a regulator. But this may be further complicated in the tech world if the entity operates from another country. The national regulator can end up overseeing scaled company processes that may be global or at least not fully determined within the regulator’s jurisdiction.

The third challenge of speed creates a real dilemma for policy makers.

It is normally preferable to have as much detail as possible agreed in primary legislative instruments rather than leaving this to third parties to make up as they go along. But there is limited capacity in most countries for legislators to keep revisiting a subject so they have developed lighter weight methods such as secondary legislative instruments within an overall primary legislative framework.

A fast-moving sector like tech cries out for much of the detail to be set out in these secondary instruments so that rules can keep up with fast-moving technological developments.

For example, legislation may have required entities to publish an ‘email address’ (or even a ‘fax number’) so users can contact them. If standard practice has moved on so that contact forms are a better option than open email addresses that fill up with spam, or if entities prefer to use messaging service channels and these are effective then the regulation should be updated to allow for this. And it should not require primary legislative time to make such a change.

One way to make regulation effective is to specify the purpose in the primary instrument without mandating the use of particular technologies. For the contact requirement, the law might order entities to ‘maintain easy-to-use contact methods for their users…’ without listing technologies unless as a non-exhaustive list of exemplars, eg ‘… such as email, online messaging or other effective methods’.

This kind of formulation opens up the scope for legal argument over whether specific methods are in fact ‘easy-to-use’ and ‘effective’. Refining definitions through case law fits more easily into some legal traditions than others but on balance I think it is preferable for the intent of the law to be clear, and for this to be applied considering all relevant factors, than for the law to be a check box exercise.

At one level it may be convenient for entities to know they can definitely mitigate a legal risk by maintaining a fax number as that is what the legislation requires even when nobody uses faxes any more. But this does not feel like effective regulation when entities are told to do something that does not make sense.

Example 2 – ePrivacy Directive 2009

A Directive created by the EU in 2009 is an instructive illustration of how these challenges can play out. The main purpose of the ePrivacy Directive is to support the privacy and security of communications over telecoms networks. It was originally drafted in 2002 and was then updated in 2009. As I write this in early 2020, there is an open process to produce another revision of the Directive, converting it into a Regulation.

A key amendment made in 2009 was a requirement to seek consent for the use of cookies. This is set out in the technical language of section 5.3 :-

5.3. Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

Text of ePrivacy Directive 2009

An entire industry has developed around the provision of pop-up banners that are deemed necessary to be in compliance with this section of the Directive. The Daily Mash website provides a good example of what this looks like :-

[Image: cookie banner from the Daily Mash website, shown when visiting the site in a new browser.]

This legislation hits up against all the challenges I have described above.

In terms of Scope, the legislation is concerned with the placing of cookies on devices that are physically located within the EU. This means that any website run from anywhere in the world should be taking steps to comply for anyone who accesses their site from within the EU. Given the default global nature of the web, this brings masses of sites into scope as they are unlikely to have expressly tried to exclude EU users.

In terms of Scale, the 2009 legislation was passed at a time when cookies had become common, hence the policy maker interest, but were not at the scale they are today. This technology has proved useful for a host of purposes such that it is now common for websites to trigger the reading and writing of dozens of cookies when they are loaded. The trend towards rich websites that include content from multiple sources has driven this in large part so sites use maps, videos and social media functionality from third parties. It also stems from the increasing sophistication of the online advertising market which now uses a network of providers to decide who gets to show their ad in a particular space and to measure the effectiveness of campaigns.

It feels like the legislation was conceived at a time when cookies were seen to be an optional extra as a departure from the ‘purity’ of a single owner run website that you interacted with anonymously. But the web was becoming richer and business models were evolving in the Commerce layer that depended on cookies at the Data layer.

Looking at Speed, we have not only seen the developments in cookie use but also a rapid shift to using mobile devices since 2009. There are some quite fundamental shifts happening in the way that people access services, especially as they move from websites to apps with integrated 3rd party code. And you can be sure that this will shift again over the lifetime of any legal instrument on a 10-year long update cycle.

So how could policy makers have done this better?

There was a proposal during the debate over the ePrivacy Directive to focus on cookie controls in the browser. This was eventually rejected as policy makers felt it was too weak and put the onus on the user rather than the website owner. As a practical solution though it has significant advantages over the version eventually agreed. Web browsers and mobile phone operating systems are really powerful points of control. If the goal was to give people power to decide what sites can do on their devices, control at the device level is likely to be more effective than relying on millions of sites all around the world to do this.

It might also have been better to dig more into what the real goals were before legislating. If the intent of the Directive was to make the collection of data for targeted advertising purposes harder, as I think it was for most of the policy makers who supported it, then this could have been made explicit. The focus would then have been placed on regulating online advertising companies, whichever technologies they use today or tomorrow, rather than on a particular technology du jour.

Summary :- There are some important qualities inherent in the tech landscape that make it different from most other sectors and present policy makers with novel challenges. I describe these as scope, scale and speed. There are ways to regulate the sector if we work with the challenges rather than wishing them away. This requires national regulation to be cognisant of what is happening in other countries, for it to be realistic for large numbers of entities of very different sizes and with vast user communities, and for it to be capable of update more quickly than the cycle of traditional primary legislation.
