The attached was originally published by the Institute of Economic Affairs.

Summary

• The draft Online Safety Bill presents a significant threat to freedom of speech, privacy, and innovation. “Safety” has been prioritized over freedom. The bill’s proponents wrongly assume it is possible to remove “bad” content without negatively impacting on the “good” and that platforms, not users, are responsible for “harms.”
• The bill’s inclusion of “legal but harmful” speech–along with defining unlawful speech as any content that the platform merely has “reasonable grounds to believe” is unlawful–risks state-mandated automated censorship of lawful online speech. The duties to “have regard” to freedom of expression and privacy are far weaker than the “safety” duties.
• The bill threatens innovation and competition within the U.K. economy by imposing byzantine duties that will inevitably be harder and more costly for start-ups and smaller companies to comply with, while discouraging companies from operating in the United Kingdom, limiting access to online services.
• The bill provides extraordinary discretion to the Secretary of State and Ofcom to design “codes of conduct” that will define “legal but harmful” content. They will also have the power to impose additional requirements such as age verification and undermine end-to-end encryption. The regulator will also have significant leeway about what types of content and which platforms to target.
• If the Government is unwilling to fundamentally rewrite the bill, there is a clear need for serious, independent scrutiny mechanisms to prevent regulatory and ministerial overreach.
• An Independent Reviewer of Online Safety Legislation, modelled partly on the Independent Reviewer of Terrorism Legislation, could provide some accountability.
• The Independent Reviewer would need to be properly resourced and empowered to scrutinize the activities of the Secretary of State and Ofcom and communicate findings to policymakers and the general public.
• An Independent Reviewer, properly empowered and resourced, could stand up for freedom of expression, privacy and innovation while being a bulwark against future authoritarian demands.

Read the full paper here.

There has been a wave of legislative proposals on both sides of the Atlantic that purport to improve consumer choice and the competitiveness of digital markets. In a new working paper published by the Stanford-Vienna Transatlantic Technology Law Forum, I analyzed five such bills: the EU Digital Services Act, the EU Digital Markets Act, and U.S. bills sponsored by Rep. David Cicilline (D-R.I.), Rep. Mary Gay Scanlon (D-Pa.), Sen. Amy Klobuchar (D-Minn.) and Sen. Richard Blumenthal (D-Conn.). I concluded that all those bills would have negative and unaddressed consequences in terms of information privacy and security.

Read the full piece here.

The attached is a part of the Transatlantic Technology Law Forum’s (TTLF) Working Paper Series, which presents original research on technology, and business-related law and policy issues of the European Union and the United States. TTLF is a joint initiative of Stanford Law School and the University of Vienna School of Law.

Abstract

The goal of this project is to assess the data privacy and security implications of the “new wave” of legislation on digital services—both in the United States and in the EU. In the European Union, the proposals for the Digital Services Act and the Digital Markets Act include provisions that have potentially significant security and privacy implications, like interoperability obligations for online platforms or provisions for data access for researchers. Similar provisions, e.g., on interoperability, are included in bills currently being considered by the U.S .Congress (e.g., in Rep. David Cicilline’s American Choice and Innovation Online Act and in Sen. Amy Klobuchar’s American Innovation and Choice Online Act). Some stakeholders are advocating that the EU and U.S. legislatures go even further than currently contemplated in a direction that could potentially have negative security and privacy consequences—especially on interoperability. I aim to assess whether the legislative proposals in their current form adequately addresses potential privacy and security risks, and what changes in the proposed legislation might help to alleviate the risks.

Introduction

Increasing information privacy and security through the law is notoriously difficult, even if that is the explicit goal of legislation. Thus, perhaps we should instead expect the law at least not to unintentionally decrease the level of privacy and security. Unfortunately, pursuing even seemingly unrelated policy aims through legislation may have that negative effect. In this paper, I analyze several legislative proposals from the EU and from the United States belonging to the new “techlash” wave. All those bills purport to improve the situation of consumers or competitiveness of digital markets. However, as I argue, they would all have
negative and unaddressed consequences in terms of information privacy and security.

On the EU side, I consider the Digital Services Act (DSA) and the Digital Markets Act (DMA) proposals. The DSA and the DMA have been proceeding through the EU legislative process with unexpected speed and given what looks like significant political momentum, it is possible that they will become law. On the U.S. side, I look at Rep. David Cicilline’s (D-R.I.) American Choice and Innovation Online Act, Rep. Mary Gay Scanlon’s (D-Pa.) Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, Sen. Amy Klobuchar’s (D-Minn.) American Innovation and Choice Online Act, and Sen. Richard Blumenthal’s (D-Conn.) Open App Markets Act.

I chose to focus on three regulatory solutions: (1) mandating interoperability, (2) mandating device neutrality (a possibility of sideloading applications), and (3) compulsory data access (by vetted researchers or by authorities). The first two models are shared by most of the discussed legislative proposals, other than the DSA. The last one is only included in the DSA.

Read the full paper here.

Some EU decision-makers have adopted a radical and unreasonable interpretation of EU data protection law that lacks a limiting principle. The ultimate result may be that EU customers lose access not only to cloud services offered by U.S. providers but also to almost any software from the United States. One can only hope that the EU Court of Justice rejects this interpretation and adopts the more pragmatic view shared by the European Commission and many EU governments.

Read the full piece here.