When do digital issues need to be considered on a national vs global scale? At what level should regulations and decisions be made? A lot of the ideas I’ve been exploring recently and that are cropping up on the global stage are forcing us to explore the line between national and global digital space in more depth. These are opening the stage for us to start collaborating more internationally – perhaps even adopting the same regulation around new digital topics across multiple countries. I’ve picked a sample of cases to look at what this could look like and what the impact is.
Case #1: GDPR
I think you’ve realized by now that I think this is a very important piece of legislation, partly because it is one of the most active and most expansive legislations in this space. It also brought the issue of privacy into a global discussion. It has an immense scope, by applying to companies doing any business in the EU to those reaching EU citizens, and is broad enough to get the attention of global companies. By creating the first widespread rules about modern privacy, it guaranteed that any attempts by other countries to adopt privacy regulation will face a dilemma that largely impacts businesses. The dilemma is whether or not to have the same rules as GDPR.
If each country adopts different regulation, companies will quickly become burdened with high overhead costs of complying with the different regulations for each country they operate in. It could also inadvertently bring a reduction in privacy as companies will need to better track country of operation or citizenship for each user, to make sure each person is offered the version of the product that follows the laws specific to them. This becomes even more complex if someone is protected by two different sets of differing laws – such as an EU citizen in the US if (for example) the US had rules that required a different type of output for the same set of GDPR operations. Which set of rules would dominate?
If countries instead collaborated to create comprehensive technology privacy laws that match GDPR and/or GDPR is adjusted to a version that more countries sign off on, we can start to create better global norms and protect consumers without unduly burdening companies.
Privacy regulation is one clear area where governments need to collaborate in order to protect interests of both consumers and businesses.
Case #2: Apple’s Refusal to Decrypt a Phone
Next look at the case of the FBI trying to unlock the San Bernadino shooter’s iPhone. They asked Apple to decrypt the phone, but Apple refused on the grounds that creating a workaround would reduce iPhone security dangerously (learn more). Eventually, the FBI got the phone unlocked through a third-party company. But this has re-prompted a discussion around the rights of governments in the digital space – should they have a way to get into phones that are encrypted, and more broadly, to intercept encrypted data?
There are a couple ways to make this happen that rise to the front of conversations, but underlying are two international-oriented questions. Which governments get access? How do you control for that?
In this case, Apple is an American company and it could be said that they have a responsibility to the US government and thus the US government gets access. What if US allies then ask for access as well? And then their allies make the same request? Who determines whether the tool is being used responsibly and who gets access? What happens if a stable and approved government is replaced by one that wouldn’t be approved? The acess then creates a risk for creating a means of suppressing people and violating rights, such as by stifling speech. If something like this was created, there needs to be a global discussion on how permission is granted, and most likely there would need to be a new committee that oversees requests to determine whether the request will maintain global values.
Even if we agree who gets access and who doesn’t, how is that enforced? Once others know that there is a secret way to intercept encrypted data, they will try to find this. These adversaries could be nations that were not granted permission, or even just other hackers. Once the tool exists, it will be hard to make sure it is only available to authorized parties, and thus creates a risk for everyone.
The moral of this example is that governments need to be careful when unilaterally requesting this type of access, because it has global implications and could create privacy and security risks for everyone. If they do move ahead with this type of tool, some of the conversation around future use may benefit from considering global implications from the start.
Case #3: Cybercrime Prosecutions
This is a case that I’ll need to come back to in more depth later, but it’s worth mentioning here. In many cases in which cybercriminals are identified, the legal track hits a roadblock because the criminal and the victim are in different jurisdictions – so it can be hard to get the arrest or to determine who gets jurisdiction. Some even say this that jurisdiction conflicts are the #1 challenge to prosecuting cyber criminals.
Global cooperation will need to improve to make it easier to prosecute cyber criminals, something that will also help protect individuals since it adds a disincentive for the criminals. By coordinating on both definitions of cybercrime and how to determine jurisdiction, we can improve the cybercrime judicial process.
These are just 3 scenarios that show how the decisions we are making around technology and policy need to shift towards a global perspective. Perhaps we will begin to see more regulation in digital space that is supported by many countries together.
TechLawLogy: The Art and Science of Technology Policy 