In the last 25 years, many lawyers have been very excited
about the global communications network connected by the Internet Protocol,
which has transformed the consumer/prosumer and small business experience of
electronic communication. Now that broadband Internet is ubiquitous, mobile and
relatively reliable in urban and suburban areas, it is being regulated as all
mass media before it. The Internet is no longer a lawless, special unregulated
zone; in fact, it never was, as seen in the wonderfully obscure case of Shetland
Times v Shetland News.[1] The major gatekeepers
are regulated for the public good and public interest to some extent, whether
that be access providers through infrastructure sharing, electronic privacy,
cybersecurity and network neutrality regulation, or the social media,
e-commerce and search giants through various duties of care including those for
notice and rapid action – in many cases requiring takedown of allegedly illegal
material in a day or even an hour,[2] and notification of
breach of security and privacy to the customer.
This short article is both a retrospective, and even
requiem, for the ‘unregulation’ argument in Internet law in that 25 years, and
a prospective on the next 25 years of computer law, in which many of the expert
treatises of the 1970s to early 1990s need to be dusted down and re-absorbed.[3] Publishing this
article in Computers & Law in 2018 is especially appropriate – the SCL
itself is 40 years old and the Society’s history far predates the commercial
Internet, with foci ‘SCL’s interests – the use of technology in the law, and
the law as it impacts on technology’.[4] Machine Learning,
smart contracts, distributed ledgers and algorithmic regulation have very long
histories and we would do well to remember those, especially given the prism of
the normalisation of the Internet as a mass medium.[5]
A Very Short Internet Legal History
Internet law was a subject of much practical and academic
interest in the 1990s in the USA, and some specialist interest in the UK and
elewhere in Europe. These foundational rules for the adaptation of liability
online focussed on absolving faultless (and low-fault, the line is shifting)
intermediaries of liability for end-user posted content. Twenty-one years after
ACLU v Reno, and 25 years since the ‘Information Superhighway’ metaphor of Al
Gore and Bill Clinton’s first administration, is as useful a time as any to
look back to the future. Settled policies were arrived at as a result of expert
testimony and exhaustive hearings, on liability, privacy, trust, encryption,
open Internet policies against filtering. Changing those policies in 2018 may
result in potentially catastrophic untying of the Gordian knots of intermediary
safe harbour/harbor, privacy, copyright enforcement, and open Internet European
regulations.
In the USA, the early legislative milestones were the
Communications Decency Act 1996, s 230 (which established no liability for
intermediaries without actual knowledge of infringement),[6]
the Digital Millenium Copyright Act 1998, s 512 (which laid out detailed rules
for copyright infringement and the action required of intermediaries when
notice of infringement was sent). These have been developed over time, and
maintain a significant degree of difference from the gradually less permissive
intermediary regime now permitted in the EU.[7] Note that the term
‘Internet Service provider’ is not used in these statutes – the terms ‘online’
or ‘interactive’ are used instead.[8] Yet we still blithely
use the legally meaningless term ‘ISP’ in all our interactions with clients!
In Europe, the milestones begin in 1996 with the
‘Convergence Green Paper’ and its responses, which explain why we refer to
Information Society services, rather than Internet services.[9] They continued with
debates over the 1997 audiovisual media law, revising Directive 89/552/EEC
(known to UK lawyers as ‘satellite TV without frontiers’) as Directive 97/36/EC
then Directive 2007/65/EC, soon to be further revised in 2018.[10] It is worth noting that European consumer
Internet use roughly dates to 1998, with the opening of the Telecoms Single
Market and broadband to 2000, with the Local Loop Unbundling Regulation. In the
1997 Teleservices Act and 1998 Bavaria v Felix Somm (Compuserv) case, Germany
showed that it wished to see a similar limited liablity regime to that in the
USA. This led, with British support, to adoption of the E-Commerce Directive
(2000/31/EC) creating the Internal Market in e-commerce. Largely drafted in
1998/9, this was incomplete as compared to the US statute, with for instance no
‘put back’ provision, and no academic/research exception to copyright rules.
Most critically, it contained no rules for how notice was to be given, leaving
these details to national implementation from 2002, and led to the large body
of case law generated by the European courts in the 15 years since. The
Copyright Enforcement Directive 2001/29/EC somewhat clarified the earlier
Directive.
In 2000, the Europeans and US published the ‘Safe Harbor’
for Privacy. Negotiated from 1998, it was always legal nonsense if sound
policy, and was struck down in Case C-362/14 Schrems. Its replacement, the
‘Privacy Shield’, is equally a sticking plaster over trans-Atlantic
differences, and may also be struck down in 2019. While this article will not
describe any of the data protection law developments over the last 25 years, it
is noteworthy that the Data Protection Directive (95/46/EC) was continually
attacked as unsuitable for the Internet that it was not expressly designed to
regulate (for which see Directive 2002/58/EC), so the new General Data
Protection Regulation is already subject to much attack for its failure to regulate
AIe and robotics, yet again technologies for which it was not expressly
designed…but may be adapted.[11]
We also saw in 2000 the landmark French criminal case ofYahoo
v LICRA, confirming that US multinationals must conform to national criminal
law on hate speech. In 2001, the Council of Europe released the Budapest
Convention on Cybercrime (in force 2004) with the Protocol of 2003 on hate
speech (entering into force in 2006), which was not signed by signatories to
the main convention including UK, Ireland and the USA.
So what is this ‘cyberlaw’ that law students are taught?
Lessig famously debated the ‘law of the horse’ with Easterbrook in 1996,
concluding that Internet law helps us understand the complexities and
multifaceted techniques of control that our environment places on us – it’s an
advanced survey course in undertsanding the Theory of Everything as applied to
the law.[12] Some of the more
interesting Internet law academic literature from the 1990s (and early
noughties) has also stood the test of time,[13]
for instance on network effects,[14] cyberlaw and control
by code or Lex Informatica,[15] free and open source
software and control of the online environment,[16]
network neutrality and the regulation of intermediaries by their networked
environment[17] and the creation of
monopoly gatekeepers resisting yet also predicting the dominance of Google,
Amazon, Facebook and Apple (GAFA).[18]
Too much specialism may be a boost for career prospects –
client ignorance is bliss or at least creates more billable hours – but
Guadamuz argued as far back as 2004 that the ‘Attack of the Killer Acronym’ was
preventing accessibility to Internet law for the wider legal profession,
clients (and faculty).[19] That
over-specialised argument was extended
by Larouche in 2008, who predicted the end of Internet law as a subject and the
abstraction of information law to move away from a specific technology (except
telecoms, media law).[20] That has happened to
some extent, with e-commerce part of standard contract law, platform dominance
in competition law, digital copyright (and patent) law, cybercrime in criminal
law, and so on, as Murray described.[21]
The law syllabus is being digitized, quite literally (e-books, e-syllabi, e-libraries).
It is not only the European institutions who are becoming
excited about more Internet regulation, driven in part by self-preservation and
the rise of disinformation (fake news – sic). These seem to be exciting times
to be an information lawyer. Law students
are no longer demanding Internet law classes, but AI or (heaven help us)
Blockchains and the Law…electronic signatures plus Merkle Trees have developed
in 25 years.[22] In 2018/19 the
cyberlaw past has arrived in the Law School: empirical textual analysis, tools
of information retrieval, and a ‘scientific legal approach’ are beginning to
once again dominate information law analysis as they did in the 1980s. It is
worth asking when students (or trainee solicitors) last visited a Law Library!
Reed and others question how we regulate Artificial Intelligence[23] (not with ethics!)
and dominance of the ‘surveillance-industrial’ state in these
post-Snowden/Schrems/GDPR times, pushing digital law into even constitutional
studies.[24] Most law students
(and most young lawyers) understand most legal issues better if it comes with
an app as an example…
The Future: OffData, a regulator for the ubiquitous computer
era
Just as Internet lawyers are widening their horizons and
returning to the broader notion of being information lawyers whose interests
extend beyond a public IP network, the end of the special place for Internet
law, and its absorption into media law, was prematurely announced. Government
in a rumoured White Paper,[25] Opposition,[26] and Ofcom in
September 2018 all called for more regulation, and potentially a new regulator,
of the Internet.[27] To put a damp squib on too much recurrent
techno-optimism or cynicism, I argue that most arguments for regulating the
Internet and cyber technologies in 2018 remain old wine in new bottles.[28]
We have lots of legal regulators of information, even if
none of those is entirely shiny, new and ‘cyber’. There is the Information
Commissioner in ‘faraway from Whitehall’ Wilmslow, the Electoral Commission,
Ofcom itself, the Advertising Standards Authority, and others. There are
technical support institutions such as the National Cyber Security Centre,[29] the Turing Institute,
and a variety of non-governmental organisations such as the new Nuffield
Foundation-supported Ada Lovelace Foundation and the venerable Foundation for
Information Policy Research (20 years young in 2018).[30]
We need to recall what is known about sectoral regulation.
Ofcom was set up almost 20 years ago as a result of technological convergence
between broadcasting and telephony,[31]
but deliberately constructed not to regulate Internet content. It is now
required to so do. This is not a moment for unique solution peddling or an
ahistorical view of the need to extend competences beyond a privacy, a
security, a sectoral competition and a communications regulator. In
constructing what I call ‘OffData’, a regulator of electornic communications
and content,[32] we need to learn the
lessons of previous regulatory mergers both inside (OfCom) and outside (OfGem)
communications.
While information law is maturing, and the old ‘Internet
law’/‘cyberlaw’ nomenclature may be fading, what we do as lawyers dealing with
computers and their impact on society is growing more important. Some of the
new ideas about regulating the Internet and AI betray a worryingly ingenue view
of technology and law. It is now our job as somewhat grizzled, experienced
information lawyers to help policy makers understand that we have a great deal
of experience in making laws for cyberspace.
Chris Marsden is Professor of Internet Law at the University
of Sussex, author of a number of works on Internet law (most recently Network
Neutrality: From Policy to Law to Regulation (2017)) and a member of the SCL
Advisory Board.
[1]
See Athanasekou, P. E., ‘Internet and Copyright: An Introduction to Caching,
Linking and Framing’, Work in Progress, 1998 (2) The Journal of Information,
Law and Technology (JILT). Also, Opinion of Lord Hamilton in the case of The Shetland Times Ltd v. Dr Jonathan Wills
and Zetnews Ltd. Court of Session, Edinburgh 24 October 1996, at http://www.linksandlaw.com/decisions-87.htm
[2]
European Commission (2017) Communication on Tackling Illegal Content Online:
Towards an enhanced responsibility of online platforms; European Commission
(2018) Recommendation on Measures to Effectively Tackle Illegal Content Online,
published 1 March.
[3]
An extremely good place to start is Reed, Chris (2010) Making Laws for
Cyberspace, Oxford University Press, especially at pp. 29-47.
[4]
Eastham, Laurence (2011) Interview with SCL’s New President, Richard Susskind,
Society for Computers and Law, 23 August at https://www.scl.org/articles/2191-interview-with-scl-s-new-president-richard-susskind
See also Susskind, Richard (2018) Sir Henry Brooke – A Tribute, Society for
Computers and Law, at https://www.scl.org/articles/10221-sir-henry-brooke-a-tribute
[5]
See Paliwala, Abdul [ed] A History of Legal Informatics, Prensas Universitarias
de Zaragosa, Spain 2010
[6]
Communications Decency Act 1996 was Part V of the Telecommunications
Deregulation Act 1996, in which S.222
deals with privacy and transparency. In 1997, ACLU v Reno 521 U.S. 844 overturned s.223 Part V.
[7]
Guadamuz, Andres (2018) Chapter 1: Internet Regulation pp.3-20 in Edwards, L.
ed Law, Policy and the Internet Hart/Bloomsbury Publishing: Oxford.
[8]
Marsden, C. [2018] ‘Regulating Intermediary Liability and Network Neutrality’
Chapter 15 pp.733-788 in I. Walden ed. Telecommunications Law and Regulation,
Oxford, 5th edition.
[9]
Whitehead, Phillip (1997) Draft Report on the Commission Green Paper on The
Protection of Minors and Human Dignity in Audiovisual and Information Services
(COM[96]0483 – C4-0621/96) PE 221.804 of 24 April 1997.
[10]
COM (2016) 287: Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE
COUNCIL amending Directive 2010/13/EU on the coordination of certain provisions
laid down by law, regulation or administrative action in Member States
concerning the provision of audiovisual media services in view of changing
market realities Procedure 2016/0151/COD. The Parliament common position on the
Directive’s revision is expected to be adopted in October 2018. See European
Parliament (2017) Audio Visual Services Directive, May 2017 –
www.europarl.europa.eu/RegData/etudes/PERI/…/IPOL_PERI(2017)600421_EN.pdf
[11]
Regulation EU 2016/679 of the European Parliament and of the Council of 27
April 2016 on the protection of natural persons with regard to the processing
of personal data and on the free movement of such data, and repealing Directive
95/46/EC (General Data Protection Regulation) OJ L119.
See Veale, Michael and Edwards, Lilian (2018) Clarity,
Surprises, and Further Questions in the Article 29 Working Party Draft Guidance
on Automated Decision-Making and Profiling, Computer Law & Security Review
34(2) pp 398-404, at http://dx.doi.org/10.2139/ssrn.3071679.
See also O’Conor M. (2018) ‘GDPR is for life not just 25th of May’, SCL, 18
April, https://www.scl.org/blog/10192-gdpr-is-for-life-not-just-the-25th-of-may
[12]
Lessig, L. (1999) The Law of the Horse: Or What Cyberspace Might Teach, Harvard
Law Review Volume 113, pp 501-546, his final response to Easterbrook’s
provocation https://www.law.upenn.edu/fac/pwagner/law619/f2001/week15/easterbrook.pdf
[13]
See for instance Marsden [2012] Oxford Bibliography of Internet Law, OUP, NY,
NY.
[14] Lemley,
M. and McGowan D. (1998), Legal Implications of Network Economic Effects 86
Cal. L. Rev. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=32212
[15]
Lessig, L. (1999) Code and Other Laws of Cyberspace, Basic Books.
[16]
Benkler, Y. (2002)Coase’s Penguin, or Linux and the Nature of the Firm, 112
Yale L.J. http://www.benkler.org/CoasesPenguin.html
[17]
Wu, T. (2003) When Code Isn’t Law, Virginia Law Review, Vol. 89, at
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=413201
[18]
Zittrain, J. (2006) The Generative Internet, Harvard Law Review, Vol. 119, at
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=847124
[19]
Guadamuz, Andrés, (2004) Attack of the Killer Acronyms: The Future of IT Law.
International Review of Law, Computers & Technology, Vol. 18, No. 3, pp.
411-424, available at: http://ssrn.com/abstract=726164
[20]
Larouche, Pierre (2008) On the Future of Information Law as a Specific Field of
Law TILEC Discussion Paper No. 2008-020 at SSRN: https://ssrn.com/abstract=1140162
or http://dx.doi.org/10.2139/ssrn.1140162
[21]
Murray, A. (2013) Looking Back at the Law of the Horse: Why Cyberlaw and the
Rule of Law are Important, 10:3 SCRIPTed 310 http://script-ed.org/?p=1157
[22]
See two extremely important new books that critically analyze this phenomenon:
Werbach, K. (2018) The Blockchain and the New Architecture of Trust, MIT Press,
and Finch, M. (2018) Blockchain Regulation and Governance in Europe, Cambridge
University Press.
[23]
Reed, Chris (2018) How should we regulate artificial intelligence? Phil. Trans.
R. Soc. A 2018 376 20170360; DOI: 10.1098/rsta.2017.0360.
[24]
See for instance Frischmann , Brett M., An Economic Theory of Infrastructure
and Commons Management. Minnesota Law Review, Vol. 89, pp. 917-1030, 2005 https://ssrn.com/abstract=588424
all cited and discussed in Marsden (2018) supra n.20.
[25]
https://www.buzzfeed.com/alexwickham/uk-government-regulator-internet
[26]
https://liambyrne.co.uk/press-release-labour-proposes-new-duty-of-care-for-social-media-firms-to-protect-children-online/
[27]
White, Sharon (2018) Tackling online harm – a regulator’s perspective: Speech
by Sharon White to the Royal Television Society 18 September at
https://www.ofcom.org.uk/about-ofcom/latest/media/speeches/2018/tackling-online-harm
[28]
Marsden, C. (2018) 24 April Oral Evidence to
Lords Communications Committee, ‘The internet: to regulate or not to
regulate?’ Parliamentlive.tv
https://parliamentlive.tv/Event/Index/4fac3ac3-3408-4d3b-9347-52d567e3bf62)
[29]
Merging CESG (the information security arm of GCHQ), the Centre for Cyber
Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and the
cyber-related responsibilities of the Centre for the Protection of National
Infrastructure (CPNI)
[31]
Oftel (1995) Beyond the Telephone, the TV and the PC: Consultation Document.
Note two further consultations were released, the last in 1998 – seen as a
forerunner to the agenda on convergent communications for government and
eventually Ofcom. See Barnes, Fod (2000) ‘Commentary: when to regulate in the
GIS? A public policy perspective’, Chapter 7, pp.117-124 in Marsden, C. ed.
(2000) Regulating the Global Information Society, Routledge, New York. In the
USA literature, see Werbach, K. (1997) Digital Tornado: The Internet and
Telecommunications Policy. Federal Communications Commission Office of Plans
and Policies Working Paper 29. Washington. FCC
[32]
Marsden, C. (2018) ‘Prosumer Law and Network
Platform Regulation: The Long View Towards Creating Offdata’, 2
Georgetown Tech. L.R. 2, pp 376-398
