Showing 9 of 184 Publications in Data Security & Privacy

Issue Brief: The EU Artificial Intelligence Act

ICLE Issue Brief As currently drafted, the text of the EU's proposed Artificial Intelligence Act would define virtually all software as AI.

INTRODUCTION

European Union (EU) legislators are considering legislation—the Artificial Intelligence Act (AIA), the original draft of which was published by the European Commission in April 2021[1]—that aims to ensure the safety of AI systems in uses designated as “high risk”. As originally drafted, however, the AIA’s scope was not at all limited to AI; it would instead cover virtually all software. EU governments seem to have realized this problem and are trying to fix the proposal, while some pressure groups have pushed to move the draft in the opposite direction.

The AIA proposal is currently under consideration by specialized committees of the European Parliament. The parliamentary stage began with a long disagreement among the various committees regarding who should have decisive influence over the Parliament’s position on the bill. With that disagreement now resolved, discussions on the legislation’s merits are ongoing.

The purpose of this brief is to inform debate on the proposal’s fundamental features: its scope and the key provisions setting out prohibited AI practices (related to so-called “subliminal techniques” and “social scoring”).

Read the full issue brief here.

[1] Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts, European Commission, (Apr. 21, 2021), available at https://perma.cc/RWT9-9D97.


Guiding Principles and a Legislative Checklist for Consumer Privacy Regulation

ICLE Issue Brief

State legislatures are now tackling consumers’ digital privacy. Given the Internet’s inherently international character, a federal bill setting a national standard for digital privacy would be ideal. Yet, in the absence of federal legislation, state governments are seeking to address consumer privacy. Unfortunately, overly broad and burdensome regulatory obligations pose a real and immediate risk to digital innovation. Ensuring a globally robust market requires balancing consumer privacy and legitimate information exchange between consumers and digital-services companies.

The attached guiding principles and legislative checklist from the Reason Foundation and the International Center for Law & Economics seek to help legislators and stakeholders narrowly tailor state consumer-privacy policy to address concrete consumer harms while preventing disproportionately punitive responses that obstruct market performance.

Read the full checklist here.


The Digital Markets Act is a security nightmare

Popular Media

In their zeal to curb big tech through the Digital Markets Act, the European legislators are risking the privacy and security of all Europeans. It is time to accept the reality that the measures meant to force big platforms to be more open will force them to lower their defences and to open the data of Europeans to bad actors. No amount of wishful thinking will change the fact that forced openness is in a tug of war with security. The DMA’s privacy and security provisions do not come close to taking the problem seriously and unreasonably expect the tech companies to solve a new class of risks that the DMA will create.

Read the full piece here.


EU’s Compromise AI Legislation Remains Fundamentally Flawed

TOTM

European Union (EU) legislators are now considering an Artificial Intelligence Act (AIA)—the original draft of which was published by the European Commission in April 2021—that aims to ensure AI systems are safe in a number of uses designated as “high risk.” One of the big problems with the AIA is that, as originally drafted, it is not at all limited to AI, but would be sweeping legislation covering virtually all software. The EU governments seem to have realized this and are trying to fix the proposal. However, some pressure groups are pushing in the opposite direction.

Read the full piece here.


In Harm’s Way: Why Online Safety Regulation Needs an Independent Reviewer

Scholarship

The attached was originally published by the Institute of Economic Affairs.

Summary

  • The draft Online Safety Bill presents a significant threat to freedom of speech, privacy, and innovation. “Safety” has been prioritized over freedom. The bill’s proponents wrongly assume it is possible to remove “bad” content without negatively impacting on the “good” and that platforms, not users, are responsible for “harms.”
  • The bill’s inclusion of “legal but harmful” speech–along with defining unlawful speech as any content that the platform merely has “reasonable grounds to believe” is unlawful–risks state-mandated automated censorship of lawful online speech. The duties to “have regard” to freedom of expression and privacy are far weaker than the “safety” duties.
  • The bill threatens innovation and competition within the U.K. economy by imposing byzantine duties that will inevitably be harder and more costly for start-ups and smaller companies to comply with, while discouraging companies from operating in the United Kingdom, limiting access to online services.
  • The bill provides extraordinary discretion to the Secretary of State and Ofcom to design “codes of conduct” that will define “legal but harmful” content. They will also have the power to impose additional requirements such as age verification and undermine end-to-end encryption. The regulator will also have significant leeway about what types of content and which platforms to target.
  • If the Government is unwilling to fundamentally rewrite the bill, there is a clear need for serious, independent scrutiny mechanisms to prevent regulatory and ministerial overreach.
  • An Independent Reviewer of Online Safety Legislation, modelled partly on the Independent Reviewer of Terrorism Legislation, could provide some accountability.
  • The Independent Reviewer would need to be properly resourced and empowered to scrutinize the activities of the Secretary of State and Ofcom and communicate findings to policymakers and the general public.
  • An Independent Reviewer, properly empowered and resourced, could stand up for freedom of expression, privacy and innovation while being a bulwark against future authoritarian demands.

Read the full paper here.


Privacy and Security Risks of Interoperability and Sideloading Mandates

TOTM

There has been a wave of legislative proposals on both sides of the Atlantic that purport to improve consumer choice and the competitiveness of digital markets. In a new working paper published by the Stanford-Vienna Transatlantic Technology Law Forum, I analyzed five such bills: the EU Digital Services Act, the EU Digital Markets Act, and U.S. bills sponsored by Rep. David Cicilline (D-R.I.), Rep. Mary Gay Scanlon (D-Pa.), Sen. Amy Klobuchar (D-Minn.) and Sen. Richard Blumenthal (D-Conn.). I concluded that all those bills would have negative and unaddressed consequences in terms of information privacy and security.

Read the full piece here.


Privacy and Security Implications of Regulation of Digital Services in the EU and in the US

Scholarship Written for the Transatlantic Technology Law Forum (TTLF) Working Paper Series, ICLE Senior Scholar Mikołaj Barczentewicz assesses privacy and security risks raised by U.S. and EU legislative proposals to regulate digital platforms.

The attached is a part of the Transatlantic Technology Law Forum’s (TTLF) Working Paper Series, which presents original research on technology- and business-related law and policy issues of the European Union and the United States. TTLF is a joint initiative of Stanford Law School and the University of Vienna School of Law.

Abstract

The goal of this project is to assess the data privacy and security implications of the “new wave” of legislation on digital services—both in the United States and in the EU. In the European Union, the proposals for the Digital Services Act and the Digital Markets Act include provisions that have potentially significant security and privacy implications, like interoperability obligations for online platforms or provisions for data access for researchers. Similar provisions, e.g., on interoperability, are included in bills currently being considered by the U.S. Congress (e.g., in Rep. David Cicilline’s American Choice and Innovation Online Act and in Sen. Amy Klobuchar’s American Innovation and Choice Online Act). Some stakeholders are advocating that the EU and U.S. legislatures go even further than currently contemplated in a direction that could potentially have negative security and privacy consequences—especially on interoperability. I aim to assess whether the legislative proposals in their current form adequately address potential privacy and security risks, and what changes in the proposed legislation might help to alleviate the risks.

Introduction

Increasing information privacy and security through the law is notoriously difficult, even if that is the explicit goal of legislation. Thus, perhaps we should instead expect the law at least not to unintentionally decrease the level of privacy and security. Unfortunately, pursuing even seemingly unrelated policy aims through legislation may have that negative effect. In this paper, I analyze several legislative proposals from the EU and from the United States belonging to the new “techlash” wave. All those bills purport to improve the situation of consumers or competitiveness of digital markets. However, as I argue, they would all have negative and unaddressed consequences in terms of information privacy and security.

On the EU side, I consider the Digital Services Act (DSA) and the Digital Markets Act (DMA) proposals. The DSA and the DMA have been proceeding through the EU legislative process with unexpected speed and, given what looks like significant political momentum, it is possible that they will become law. On the U.S. side, I look at Rep. David Cicilline’s (D-R.I.) American Choice and Innovation Online Act, Rep. Mary Gay Scanlon’s (D-Pa.) Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, Sen. Amy Klobuchar’s (D-Minn.) American Innovation and Choice Online Act, and Sen. Richard Blumenthal’s (D-Conn.) Open App Markets Act.

I chose to focus on three regulatory solutions: (1) mandating interoperability, (2) mandating device neutrality (a possibility of sideloading applications), and (3) compulsory data access (by vetted researchers or by authorities). The first two models are shared by most of the discussed legislative proposals, other than the DSA. The last one is only included in the DSA.

Read the full paper here.


The FTC’s Privacy Report Fails to Justify Asymmetric Regulation of ISPs

TOTM

Others already have noted that the Federal Trade Commission’s (FTC) recently released 6(b) report on the privacy practices of Internet service providers (ISPs) fails to comprehend that widespread adoption of privacy-enabling technology—in particular, Hypertext Transfer Protocol Secure (HTTPS) and DNS over HTTPS (DoH), but also the use of virtual private networks (VPNs)—largely precludes ISPs from seeing what their customers do online.

Read the full piece here.


Will the EU Lose Access to U.S. Data Flows and Software?

Popular Media

Some EU decision-makers have adopted a radical and unreasonable interpretation of EU data protection law that lacks a limiting principle. The ultimate result may be that EU customers lose access not only to cloud services offered by U.S. providers but also to almost any software from the United States. One can only hope that the EU Court of Justice rejects this interpretation and adopts the more pragmatic view shared by the European Commission and many EU governments.

Read the full piece here.
