Unticking the Boxes – should IT laws comply with a post-crunch ethos?

February 1, 2010

The core question posed in the SCL’s introduction to the Policy Forum was: will we see more emphasis on social responsibility and a slide away from the focus on profit and expansion?
That is a loaded question, with its implicit suggestion that the pursuit of profit is not socially responsible. At the Forum that translated into a contrast between profit and probity. But the probity of pursuing profit is down to how you go about it. Rob, defraud, bribe, set up Ponzi schemes, persuade the State to prevent others entering your market, lobby the legislature to secure profitable privileges for yourself, backed up by the coercive power of the State – these are hardly moral activities. But strip away the pernicious influence and temptations of State power, put fraud on one side and you are left with profit-seeking by engaging in voluntary exchange of goods, services and money, within a framework of enforceable contracts and the rule of law – a consensual and thoroughly moral activity. So juxtaposing profit and probity didn’t get us very far.

What about the background of the credit crunch? The politicians are currently laying the blame for the credit crunch entirely at the door of greedy, unscrupulous and occasionally dishonest bankers and the like. Those people certainly take their share of the blame for their misjudgements and recklessness, but any serious evaluation of the causes of the credit crunch has to stand back from the clamour of politicians and examine the institutions and actions of government that created conditions in which it was rational for banks to lend to hopelessly bad risk borrowers.

When the full history of the credit crunch comes to be written, it may come to be realised that much of the behaviour that has rightly been vilified was also a rational response to artificial conditions created by State-backed incentives and guarantees. There is something extremely unedifying, if not exactly immoral, about politicians who, in pursuit of voter-friendly social welfare ideals, deliberately create conditions in which it is rational to behave badly, then castigate those who do so.

Nor does it lie in the legislator’s mouth to complain that he expected individuals to serve his lofty public policy goals by complying with the legislation in some other way that he would have preferred. If legislators were subject to the same laws of intention as the rest of us, namely that they are taken to intend the natural and probable consequences of their actions, many of these supposedly unintended consequences would be regarded as wholly intended.

Whether tinkering with financial services regulation is the appropriate response to the credit crunch, I do not know. But nothing that I heard in the discussion at the Policy Forum convinced me that if changes in approach to technology legislation do occur, they will have had anything to do with any rethinking of financial regulation brought about by sub-prime mortgages, collateralised debt obligations, Bernie Madoff or the banking collapse.

It is certainly true that in the technology area, as elsewhere, the policy and legislative process could do with an injection of morality, leading to a more principled approach to lawmaking less influenced by predicted voter perceptions, concentrated interests and lobbying. However, public choice economists teach us that, since legislators and policymakers, like anyone else, act rationally in their own interests, that is little more than a pious hope.

One change suggested by Professor Chris Reed was that law-makers should identify specific desired results and spell them out in legislation. This was in contradistinction to the ‘tick-box’ compliance approach which he suggested had been inspired by quantitative economics and which represented an approach of ‘leaving it to the market’.

In considering this proposal we should distinguish between two different types of legislation: legislation setting out a general rule of civil or criminal liability and legislation creating and empowering a regulatory agency armed with discretionary powers. In general legislation it is normally unnecessary to set out an intended result. There is little point in spelling out in the Theft Act that it is the purpose of the Act to deter and punish theft. General legislation, as F. A. Hayek explained, does not further a particular purpose but the countless different purposes of different individuals. For such legislation, which is ‘merely the condition for the successful pursuit of most purposes’ (Law, Legislation and Liberty, vol 1, p 113), defining an intended result is impossible since, by its very nature, the legislation does not set out to achieve a defined regulatory objective. Rather the purpose of such legislation is to define the boundaries of a field in which an unknowable number and variety of flowers may bloom.

General legislation does not, it should be noted, connote vagueness. Hayek was a critic of vague legislation. Hayek was, however, no supporter of interventionist, concrete legislation aimed at achieving specific economic results. He favoured general rules that leave as much as possible to individual choice and to the discovery process of the market. Hayek’s version of ‘leaving it to the market’ is the antithesis of detailed ‘tick-box compliance’ rules that have characterised much financial services regulation, and which Professor Reed suggested had found their way into the computer and telecommunications fields.

Professor Diane Rowland rightly pointed out in her comments at the SCL Forum that the targets of discretionary regulation in any field commonly demand legal certainty from their regulators, and that this is likely to take the form of a demand for objective checklists. This relationship between a regulatory agency and its industry clientele can be likened to this exchange from Monty Python’s Life of Brian:
 ‘Brian: Now, f*** off!
 Follower: How shall we f*** off, Oh Lord?’

Economists will say that it is no surprise at all to find a regulatory agency acting to fulfil a demand from its industry clientele as it speeds along the road to regulatory capture.

At a practical level, stating a legislative purpose in general legislation can be positively unhelpful. In UK domestic legislation the closest we come to it is the Long Title. So the Computer Misuse Act 1990 is ‘An Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes’. To go further would simply provide the lawyers with more to argue about: the Long Title is ‘an unreliable guide to interpretation, but should not be ignored.’ (Bennion on Statutory Interpretation, p 730.)

The perils of spelling out purposes, or regulatory objectives, in general legislation can be seen in the EU approach to legislative drafting, where context and objectives appear in the recitals to the Directive or Regulation. Often there are more Recitals than operative clauses. The Electronic Commerce Directive has 65 Recitals and only 24 Articles. The Copyright in the Information Society Directive has 61 Recitals and 15 Articles.

However, the recitals are often contradictory – hardly surprising given that in reality they are a series of nods in the direction of every industry, political or national governmental interest that has achieved a measure of lobbying success during the legislative process – an outcome to be deprecated, but which public choice economists are well placed to illuminate and explain.

In legislation enacting general law, all that is required is to draft clearly. However, that is an aspirational aim, not something necessarily to be expected. The prospects of achieving it are intimately related to the nature of the legislative institutions and processes that bring forth the legislation.

By contrast with general legislation, legislation constituting a regulatory agency invariably does spell out regulatory objectives. Where legislation creates and empowers a regulatory agency with broad discretion in the use of its powers, it is necessary, in order to limit the powers of the agency, to define the purposes (or regulatory objectives) for which those powers are to be used.

The regulatory objectives in the Financial Services and Markets Act 2000 are contained in the clause setting out the general duties of the FSA, which are defined by reference to the regulatory objectives. In the computer and communications field, one can point to further examples:
– Communications Act 2003, s 3 (general duties of OFCOM, defined by reference to a list of specified broad objectives).
– Data Protection Act 1998, s 51 (general duties of Information Commissioner) – including to promote the observance by data controllers of, inter alia, the Data Protection Principles, which are, to my mind, regulatory objectives.

To the extent that a tick-box compliance approach may exist in the computer and telecommunications areas, it seems to me most likely to have been the result of factors peculiar to those industries and technologies. To take the example of the Electronic Signatures Directive, such factors could include:
– the overly technocratic and technology-specific approach that seems to afflict legislators and lawyers when faced with new technology;
– the fact that those most familiar with a new technology are likely to be those who have a commercial interest in securing an advantage for that technology by encouraging technology-specific legislation;
– gaps in understanding between lawyers and information technologists – in the case of electronic signatures the gross overestimation by the IT community of the importance of a signature’s ability reliably to identify the signatory, and the apparent inability of lawyers to convince them otherwise;
– the perceived need to accommodate Member States with legal systems that traditionally imposed strict requirements of form.

The ePayments Directive is probably best regarded as an example of financial services regulation. The Data Protection Act 1998 is an arcane combination of broad principles, obscurely defined constructs such as data controllers and data processors, detailed exceptions, individual rights, public law sanctions, tribunals, courts and a regulatory agency (the Information Commissioner).

The Data Protection Act sets out broad, indeed vague, regulatory objectives (the eight principles) and also suffers from obscurity. It has the worst of all worlds. While it may have objective elements such as notification and consent, those smack more of a bureaucratic approach or specific policy decision than of any provenance in economics-inspired financial services regulation.

In numerous areas, such as employment, CCTV, education and health, the Information Commissioner’s Office has issued specific guides. To the extent that these strive for a tick-box compliance approach, the most likely explanation is that this is the behaviour of a regulatory agency seeking to satisfy industry demand for objective criteria.

I remain unconvinced that there is a single legislative approach that has found its way into computers and telecommunications, at least not one inspired by quantitative economics or that can be characterised as ‘leaving things to the market’. At the very least, one has to differentiate between the legislation setting up discretionary regulatory agencies on the one hand, and the behaviour of those agencies on the other. The institutions and processes that produce these legislative rules are very different from each other, and are likely to produce different types of rules. The tick-box compliance approach is much more typical of the activities of discretionary regulators, responding to the demands of the industries that they regulate. One also has to distinguish between legislation establishing general liability rules on the one hand, and legislation creating discretionary regulatory agencies on the other, which are bound to have inherently different characteristics.

We could certainly do with better legislation in the computer and telecommunications fields: more principled, more general, more certain, less prescriptive, less discretionary. However, while legislatures remain convinced that their role is to harness businesses and citizens to specific policy objectives rather than leaving them to pursue their own ends, and since legislators can be expected to continue in thrall to opinion polls and interest groups, that is unlikely to happen any time soon.

Graham Smith is a Partner at Bird & Bird LLP: graham.smith@twobirds.com