
A Path Forward for Section 230 Reform

TL;DR

Background…

The liability protections granted to intermediaries under Section 230(c)(1) of the Communications Decency Act of 1996 can and should be conditioned on platforms taking reasonable steps to curb harmful conduct. Online platforms should operate under a duty of care obligating them to adopt reasonable content-moderation practices regarding illegal or tortious third-party content.

But…

Platforms should not bear excessive costs for conduct that does not and should not give rise to liability, while they should internalize the costs of responding to actual harms and meritorious litigation. This will require reforms to civil procedure, a regulatory agency to oversee creation of a duty of care, and implementation of a “safe harbor” or presumption of reasonableness.

Read the full explainer here.

Innovation & the New Economy

Transatlantic Data Flows Are Crucial to Global Financial Services

TL;DR

Background…

Data is one of the pillars of the modern digital economy, but its value is contingent on its ability to flow around the globe in real time, permitting individuals and firms to develop new and novel insights and to operate at higher levels of efficiency and safety.

But…

Those data flows increasingly run into barriers when they seek to cross national borders. These often take the form of “data-localization” requirements to locate, store, and/or process data within national boundaries.

However…

Data-localization policies are often framed as necessary to protect critical digital infrastructure and national-security interests, but they serve instead as trade barriers that hurt consumers more than they help. An examination of the impact on the financial services industry helps to illustrate the problem.

Read the full explainer here.

Financial Regulation & Corporate Governance

Offline Antecedents for Platform Liability

TL;DR

Background…

Legal history offers examples of areas where attempting to apply liability directly to bad actors is likely to be ineffective, but where certain related parties might be able to either control the bad actors or mitigate the damage they cause. In such cases, the common law has long embraced indirect or vicarious liability, holding one party liable for wrongs committed by another. The purpose of this kind of indirect liability is to align incentives where they can be most useful by placing responsibility on the least-cost avoider.

But…

The immunity from liability granted to online platforms by Section 230 of the Communications Decency Act is a departure from normal rules governing intermediary behavior. It is impossible to know exactly how a robust common law of online intermediary liability would have developed in a world where Section 230 immunity never existed.

However…

Lessons can be drawn from how the offline world has dealt with third-party liability, especially when an intermediary operates under a duty of care. The common law offers several examples of duties that business owners owe to their customers or, sometimes, to the outside world. Central among these is the legal obligation to take reasonable steps to curb harm from the use of a business’ goods and services. If the business has created a situation or environment that puts people at risk, it has an obligation to mitigate that risk. It also can have obligations to prevent risk of harm to customers or others with whom it has entered into a relationship, even if the business did not directly create the risk.  

Read the full explainer here.

Innovation & the New Economy

The Law & Economics of Online Intermediary Liability

TL;DR

Background…

The Communications Decency Act of 1996’s Section 230 holds that the law will not treat online service providers as speakers or publishers of third-party content, and that actions the providers take to moderate content hosted by their services will not trigger liability. A quarter-century later, a growing number of lawmakers seek reforms to Section 230. In the 116th Congress alone, 26 bills were introduced to modify the law’s scope or to repeal it altogether.

But…

While the current debate popularly centers on whether platforms should be forced to host certain content or when they should be forced to remove other content, such reforms are virtually certain to harm, not improve, social welfare: As frustrating as imperfect content moderation may be, state-directed speech codes are much worse.

However… 

The real gains to social welfare will materialize from reforms that better align the incentives of online platforms with the social goal of deterring or mitigating illegal or tortious conduct. To the extent that the current legal regime permits social harms online that exceed concomitant benefits, it should be reformed to deter those harms if such reform can be accomplished at sufficiently low cost.

Read the full explainer here.

Innovation & the New Economy

Comments on the Advanced Notice Of Proposed Rulemaking, Re: Executive Order 13984, ‘Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities’

Regulatory Comments

Intro and summary

As one of his final acts in office, former President Donald Trump signed Executive Order 13984 (the EO), “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities.” The EO directed the Secretary of Commerce to “propose for notice and comment regulations that require United States IaaS providers to verify the identity of a foreign person that obtains an Account.”

In its related advanced notice of proposed rulemaking (ANPRM), the U.S. Commerce Department notes that:

…foreign persons obtain or offer for resale IaaS accounts (Accounts) with U.S. IaaS providers, and then use these Accounts to conduct malicious cyber-enabled activities against U.S. interests. Malicious actors then destroy evidence of their prior activities and transition to other services.

This pattern makes it extremely difficult to track and obtain information on foreign malicious cyber actors and their activities in a timely manner, especially if U.S. IaaS providers do not maintain updated information and records of their customers or the lessees and sub-lessees of those customers.

The rule of law is frustrated when courts and law enforcement are unable to locate those who commit illegal acts. Other legal frictions may arise when the law fails to deter illegal behavior or to offer incentives for firms to adopt socially optimal business practices. These concerns are particularly acute online, because the Internet hosts a large volume of activity from anonymous or otherwise difficult-to-locate users.

The Internet’s ability to facilitate anonymous or pseudonymous communications, of course, also continues a long tradition of anonymous speech being protected under U.S. constitutional law. The ANPRM acknowledged this tension when it asked “[c]an the Department implement the requirement to verify a foreign person’s identity… while minimizing the impact on U.S. persons’ opening or using such Accounts, or will the application of the requirements to foreign persons in practice necessitate the application of that requirement across all customers?” But anonymity is just one value among many that must be weighed when crafting regulatory policy—particularly with respect to enforcing criminal law and upholding national security. Thus, even if the EO has some effect on U.S. business customers, that alone ought not foreclose implementation of effective identity-verification requirements.

Further, it is important to consider how the incentives service providers face align with optimal social policy. In particular, Infrastructure as a Service (IaaS) providers may not adequately internalize the social costs that stem from their making anonymous or pseudonymous accounts available to the public. Public policy may be necessary to correct such misalignment. While the EO focuses narrowly on the use of IaaS by foreign actors, there are broader problems associated with the anonymous use of Internet-connected services. As such, the Administration, the U.S. Commerce Department, and Congress should consider broader “know your business customer” (KYBC) requirements.

But while IaaS providers’ potential misalignment of incentives is a proper subject for regulatory and legislative action, policy should be carefully calibrated to encourage compliance with broader criminal and national-security goals, while still permitting the vibrant IaaS industry to continue to thrive. The law must shape incentives such that responsibility to deal with illicit activity is placed where it is appropriate. Overly broad regulatory requirements can become burdensome, accrue more costs than benefits, and ultimately chill entry of new firms.

Thus, as described in more detail below, the EO is correct to require basic identity verification by IaaS providers, subject to some caveats. The goal of these regulations should be to collect the optimal amount of information about bad actors with the least interference in the operations of firms subject to the requirements. Thus, the Department must weigh how much benefit it realistically expects to obtain from any given level of compliance. Notably, the overwhelming number of IaaS accounts will be law-abiding users. The process is thus largely about identifying outliers, and regulatory intervention must be tempered in recognition that IaaS firms are constrained in the degree to which they can assist in furthering legitimate law-enforcement ends.

The requirements ought to be designed to obtain the optimal level of information that law enforcement and courts would need in most, but not all, cases. A minimal set of initial verification requirements, paired with an ongoing obligation to re-verify user identities, ought to resolve most problems associated with anonymous users.

Moreover, it would be highly inadvisable to prescribe specific technological measures that providers must use. Providers should be free to implement what they consider to be appropriate identity-verification systems, so long as those systems elicit the needed information. Relatedly, IaaS providers are bound by the requirements of laws like the EU’s General Data Protection Regulation (GDPR) and therefore need the flexibility to design their systems to comply both with the Department’s final rules as well as various privacy regimes to which they are subject.

Read the full comments here.

Data Security & Privacy

Kristian Stout on GDPR

Presentations & Interviews

ICLE Director of Innovation Policy Kristian Stout took part in a virtual panel hosted by the Center for Data Innovation about whether the “automated decision opt-out” features of the EU’s General Data Protection Regulation (GDPR) could be improved without harming users.

Data Security & Privacy

Issue Brief: The Great Transatlantic Data Disruption

ICLE Issue Brief

A new issue brief published jointly by ICLE and the Progressive Policy Institute looks at looming threats to transatlantic data flows between the U.S. and EU that power an estimated $333 billion in annual trade of digitally enabled services.

(This issue brief is a joint publication of the International Center for Law & Economics and the Progressive Policy Institute)

Executive Summary

Data is, logically enough, one of the pillars supporting the modern digital economy. It is, however, not terribly useful on its own. Only once it has been collected, analyzed, combined, and deployed in novel ways does data obtain its highest utility. This is to say, a large part of the value of data is its ability to flow throughout the global connected economy in real time, permitting individuals and firms to develop novel insights that would not otherwise be possible, and to operate at a higher level of efficiency and safety.

Although the global transmission of data is critical to every industry and scientific endeavor, those data flows increasingly run into barriers of various sorts when they seek to cross national borders. Most typically, these barriers take the form of data-localization requirements.

Data localization is an umbrella term that refers to a variety of requirements that nations set to govern how data is created, stored, and transmitted within their jurisdiction. The aim of data-localization policies is to restrict the flow of data across a nation’s borders, often justified on grounds of protecting national security interests and/or sensitive information about citizens.

Data-localization requirements have in recent years been at the center of a series of legal disputes between the United States and the European Union (EU) that potentially threaten the future of transatlantic data flows. In October 2015, in a decision known as Schrems I, the Court of Justice of the European Union (CJEU) overturned the International Safe Harbor Privacy Principles, which had for the prior 15 years governed customer data transmitted between the United States and the EU. The principles were replaced in February 2016 by a new framework agreement known as the EU–US Privacy Shield, until the CJEU declared that, too, to be invalid in a July 2020 decision known as Schrems II. (Both complaints were brought by Austrian privacy advocate Max Schrems.)

The current threatened disruption to transatlantic data flows highlights the size of the problem caused by data-localization policies. According to one estimate, transatlantic trade generates upward of $5.6 trillion in annual commercial sales, of which at least $333 billion is related to digitally enabled services.[3] Some estimates suggest that moderate increases in data-localization requirements would result in a €116 billion reduction in exports from the EU.

One difficulty in precisely quantifying the full impact of strict data-localization practices is that the list of industries engaged in digitally enabled trade extends well beyond those that explicitly trade in data. This is because “it is increasingly difficult to separate services and goods with the rise of the ‘Internet of Things’ and the greater bundling of goods and services. At the same time, goods are being substituted by services … further shifting the regulatory boundaries between what is treated as goods and services.” Thus, there is reason to believe that the true value of digitally enabled trade to the global economy is underestimated.

Moreover, as we discuss infra, there is reason to suspect that data flows and digitally enabled trade have contributed a good deal of unmeasured economic activity that partially offsets the lower-than-expected measured productivity growth seen in both the European Union and the United States over the last decade and a half. In particular, heavy investment in research and development by firms globally has facilitated substituting the relatively more efficient work of employees at firms for unpaid labor by individuals. And global data flows have facilitated the creation of larger, more efficient worldwide networks that optimize time use by firms and individuals, and the development of resilient networks that can withstand shocks to the system like the COVID-19 pandemic.

In the Schrems II decision, the court found that provisions of U.S. national security law and the surveillance powers it grants to intelligence agencies do not protect the data of EU citizens sufficiently to justify deeming U.S. laws as providing adequate protection (known as an “adequacy” decision). In addition to a national “adequacy” decision, the EU General Data Protection Regulation (GDPR) also permits firms that wish to transfer data to the United States to rely on “standard contractual clauses” (SCC) that guarantee protection of citizen data. However, a prominent view in European policy circles—voiced, for example, by the European Parliament—is that, after Schrems II, no SCC can provide a lawful basis for data transfers to the United States.

Shortly after the Schrems II decision, the Irish Data Protection Commission (IDPC) issued a preliminary draft decision against Facebook that proposed to invalidate the company’s SCCs, largely on the same grounds that the CJEU used when invalidating the Privacy Shield. This matter is still pending, but a decision from the IDPC is expected imminently, with the worst-case result being an order that Facebook suspend all transatlantic data transfers that depend upon SCCs. Narrowly speaking, the IDPC decision only immediately affects Facebook. However, if the draft decision is finalized, the SCCs of every other firm that transfers data across the Atlantic may be subject to invalidation under the same legal reasoning.

Although this increasingly restrictive legal environment for data flows has been building for years, the recent problems are increasingly breaking into public view, as national DPAs grapple with the language of the GDPR and the Schrems decisions. The Hamburg DPA recently issued a public warning that the use of the popular video-conference application Zoom violates GDPR. The Portuguese DPA issued a resolution forbidding its National Institute of Statistics from transferring census data to the U.S.-based Cloudflare, because the SCCs in the contract between the two entities were deemed insufficient in light of Schrems II.

The European Data Protection Supervisor has initiated a program to “monitor compliance of European institutions, bodies, offices and agencies (EUIs) with the ‘Schrems II’ Judgement.” As part of this program, it opened an investigation into Amazon and Microsoft in order to determine if Microsoft’s Office 365 and the cloud-hosting services offered by both Amazon and Microsoft are compatible with GDPR post-Schrems II. Max Schrems, who brought the original complaint against Facebook, has through his privacy-activist group submitted at least 100 complaints as of August 2020 alone, which will undoubtedly result in scores of cases across multiple industries.

The United States and European Union are currently negotiating a replacement for the Privacy Shield agreement that would allow data flows between the two economic regions to continue. But EU representatives have warned that, in order to comply with GDPR, there will likely be nontrivial legislative changes necessary in the United States, particularly in the sensitive area of national-security monitoring. In effect, the European Union and the United States are being forced to rethink the boundaries of national law in the context of a digital global economy.

This issue brief first reviews the relevant literature on the importance of digital trade, as well as the difficulties in adequately measuring it. One implication of these measurement difficulties is that the impact of disruptions to data flows and digital trade are likely to be far greater than even the large effects discovered through traditional measurement suggest.

We then discuss the importance of network resilience, and the productivity or quasi-productivity gains that digital networks and data flows provide. After a review of the current policy and legal challenges facing digital trade and data flows, we finally urge the U.S. and EU negotiating parties to consider longer-term trade and policy changes that take seriously the role of data flows in the world economy.

Read the full issue brief here.

Innovation & the New Economy

The Biden Executive Order’s Restraint on Freedom of Contract: Regulation by Anecdote May Lead to Unintended Consequences

Popular Media

Capping months of anticipation, President Joe Biden on July 9 unveiled his Executive Order on Promoting Competition in the American Economy, which he argues will “lower prices for families, increase wages for workers, and promote innovation and even faster economic growth.” To achieve these lofty goals, the order prescribes regulatory interventions that interfere with property and contract rights in industry after industry.

Read the full piece here.

Intellectual Property & Licensing

Encouraging Broadband Deployment: Removing Regulatory Barriers

TL;DR

Background…

As part of its ongoing debate over infrastructure spending, Congress should consider how to best encourage broadband deployment. Lawmakers have been considering ways to fund deployment, particularly through subsidies to users or providers.

But…

As important as it is to get subsidies right, the lowest-hanging fruit to facilitate deployment and adoption of broadband is to reform policies that needlessly impede the construction and efficient operation of broadband services. Chief among those are rules governing pole attachments and eligible telecommunications carrier (ETC) requirements.

Read the full explainer here.

Telecommunications & Regulated Utilities