4 May 2019

Can the EU Save the Internet?

BY WILLIAM FISHER

Instead of breaking news, op-eds, and sports results, Europeans visiting the website of the venerable Chicago Tribune are seeing what has become an all-too-familiar notification: “Unfortunately, our website is currently unavailable in most European countries.”

At last count, over 1,000 U.S. newspapers have voluntarily blocked access from Europe since the General Data Protection Regulation (GDPR)—the law intended to protect the privacy and data of individuals within the European Union—came into force in 2018. These U.S. publishers have simply deemed compliance too cumbersome and costly, opting instead to abandon their European readership and forgo online revenues from the EU market altogether.

GDPR is not the only online legal initiative taken by the European commissioners. This April, the EU approved a new directive on copyright. Article 13 of that directive makes operators like Facebook and YouTube legally liable for any content uploaded to their platforms that is in breach of copyright. Article 11 (dubbed the “Link Tax” by critics) allows publishers to charge platforms like Apple News and Google for displaying even snippets of their content. These measures have sent shockwaves throughout the online ecosystem and placed the EU at the forefront of internet regulation.


Yet for all the disruption and discord, these initiatives represent the boldest and potentially most consequential attempt to shape the future of the internet in two decades. EU commissioners are officially overwriting the law of the jungle that has determined how data is used and how content is shared online. If all goes according to Brussels’s plan, the biggest beneficiaries stand to be publishers, media outlets, and European consumers.

That message hasn’t reached much of the European public yet. GDPR is broadly popular, but the adoption of Article 13 is an altogether different story. While copyright is largely an arcane legal matter, the adoption of Article 13 was controversial enough to drive an estimated 200,000 protesters in dozens of German cities to the streets. More than 5 million people have signed an online petition in protest against it. Prominent critics such as the German politician Julia Reda argue that the strict enforcement of copyright online will have a chilling effect on speech, discouraging certain kinds of content creation such as remixes, mashups, and memes—although the directive does protect parodies. Meanwhile, the tech community and platforms such as Facebook, YouTube, Reddit, and Twitter are bracing for the wave of claims that will no doubt be brought by artists, publishers, and music producers seeking payment under Article 13 when it becomes law in two years’ time.

To appreciate the significance of the EU’s regulatory agenda, it is necessary to understand how the current online ecosystem evolved. In fact, European protesters are defending a legal framework that emerged from the United States and, inadvertently, became the global norm for the consumer internet. The two landmarks of critical legislation are the 1998 Digital Millennium Copyright Act (DMCA) and the Telecommunications Act of 1996.

These acts of Congress came into law at a time of widespread libertarian enthusiasm for a free internet driven by private investment, unhampered by government interference, and governed—if at all—by its own users. The Telecommunications Act was the first piece of federal legislation to reference the internet and the first overhaul of U.S. telecoms law since 1934. It intended to provide “a pro-competitive, de-regulatory national policy framework designed to accelerate rapidly private sector deployment of advanced telecommunications and information technologies.” It also sought to safeguard the primacy of free speech.

In what one commentator called the 26 words that created the internet, Title V of the act states that “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” This distinction between platform and publisher—the former merely a conduit for content that is posted by others and therefore not liable for that content—became the bedrock on which the business model of Facebook and Google (the so-called Digital Duopoly) would be built.

Two years later, in 1998, the DMCA took the freewheeling spirit of the Telecommunications Act further still, explicitly creating a safe harbor for online service providers and shifting the burden of policing copyright infringement squarely onto the copyright holders themselves. Under the DMCA, it became incumbent on copyright holders to notify platforms of infringement and to substantiate their claim; only then would the platform be required to remove the offending content. The DMCA’s light-touch guidance for platforms was embraced by the EU a year later in its own Electronic Commerce Directive of 2000, which likewise adopted the liability exemption for online service providers.

The framework created by these laws has been unequivocally successful in fostering investment in broadband internet and the proliferation of digital services. It gave rise to a virtuous circle of technology development and value creation. But it did so at the literal expense of copyright holders and their content. DMCA advocates and critics alike acknowledge that the resulting regime has been a gift to tech platforms.

The Telecommunications Act and the DMCA discarded the business model that had previously dominated the media world, which was founded on the requirement that exhibitors of copyrighted content first secure permission from its owners: No broadcaster or print publisher would air a TV program or republish a short story without first licensing the rights from the copyright holder. By exempting online platforms from that requirement, these laws served to turn copyright holders’ revenue streams of “analog dollars” into “digital pennies”—to use one media executive’s famous formulation. The recorded music industry, for example, saw its revenues shrink from $25.2 billion to $16.9 billion in the decade following the DMCA.

At the same time, platforms were able to fund their businesses by selling ads around content they neither owned nor paid for. The fundamental business model of the Facebook and Google duopoly is built on two products: content and audiences. The platforms use content created by others to aggregate an audience; they then track that audience’s behavior online, segment the audience demographically by parsing the data, and sell those neatly targeted audience subsets to advertisers. The only guardrails guiding the use of this information are whatever protections are set forth in the private contract between the platform and its users—i.e., the terms of use—written unilaterally by each platform.

Notably, the United States has never developed a single federal data protection law, relying instead on an ad hoc patchwork of private sector self-regulation and state laws to govern information privacy, many of them predating the internet. The safe harbor provision of the DMCA provided the platforms with free content to build their audience, and the lack of oversight on consumers’ data has granted them an almost unfettered ability to monetize it through targeted advertising. The platforms have done this through their own use of that data and, often, by providing it to third parties through various commercial arrangements. The regulators’ hands-off approach to technology, combined with the network effects inherent to the internet, created a near laboratory-perfect setting for abuse—and for the rapid growth of and business dominance by the leading online platforms.

So far, the visible impact of EU regulation for consumers has been slight. Online users in the EU have certainly seen more popups displaying privacy policies and requesting consent to gather data—or blocking them entirely from U.S.-based sites that have not yet found a way to comply. At the industry level, however, GDPR has been a game-changer.

In the first four months after GDPR went into effect alone, the European Data Protection Board reported that more than 42,000 data complaints were filed across Europe. The stakes in these cases are high. Violations can draw fines of up to 20 million euros (about $22 million) or 4 percent of a company’s global turnover, whichever is higher. For Apple, that could represent more than 8 billion euros, for Amazon more than 6 billion euros, for YouTube nearly 4 billion euros. The economic risk has challenged online businesses to rethink how they engage with consumers across all customer touch points: websites, email, mobile apps, customer portals, and voice assistants. These challenges have laid bare how fundamentally unstable many of the business models and practices underpinning the consumer internet actually are, revealing the extent to which they rely on the absence of consumer protection laws to make money.

Take the business of digital marketing. In a ruling in Poland, one company was obliged to pay a €220,000 fine, about $250,000, and contact nearly 6 million people to alert them that the company had gathered—or “scraped”—their data from online public sources without their knowledge. The company estimated it would cost nearly $9 million in postage alone to comply. If, subsequently, that company were to share or sell the data, it would have to contact those individuals once again.

GDPR puts the underlying business model of this sort of digital intelligence-gathering in jeopardy. The bad news for marketers is that they will have smaller data sets to work with in the future. The good news for consumers is that there will be less spam and privacy abuse. Recall that Cambridge Analytica gathered the data it used in its 2016 Brexit and U.S. electoral social media campaigns by scraping Facebook.

Nearly every online business is profoundly and fundamentally affected by GDPR. Certain online video games, for example, rely on concealing how much players spend in-game. They also sell that data to other companies that are seeking big online spenders. One gamer issued a GDPR request to Electronic Arts, the makers of FIFA Ultimate Team, for a record of his spending history on “loot boxes”—virtual stashes containing randomized content purchased in the game with real money. Loot boxes represent a monetization opportunity for game designers. But since their contents are hidden from the purchaser, their mechanics verge on gambling. Further, some games provide a more favorable outcome to players who purchase loot boxes, introducing a pay-to-win element in what is supposed to be a game of skill.

Upon receiving his data from FIFA Ultimate Team, the gamer was shocked to learn that he had spent over $10,000 on loot boxes over a two-year period. He then sought to peel back further layers of data to better understand how items he had received in loot boxes were assigned to him. Were they randomized, or had the game developer strategically withheld the most valuable items to encourage further purchases? Peel back too many layers and the business models that guide life online, whether in sharing pictures or playing games, can start to look distinctly nefarious.

As online privacy takes center stage, other jurisdictions are modeling their own consumer data protection measures on GDPR. California’s Consumer Privacy Act, passed into law in 2018, goes into effect in 2020. With Apple, Facebook, and Google now advocating legislation at a federal level, it seems inevitable that the United States will follow the EU’s lead in safeguarding data privacy and harmonizing laws across state lines. And thus GDPR is setting a new global standard for consumer data protection: In the face of inevitable regulation, online service providers recognize the efficiency of ensuring a one-size-fits-all regime. If a company is going to make the requisite investment to comply with EU law, why not make GDPR’s simple, if stringent, guidance the baseline for consumer data protection around the world?

Likewise, the provisions of Articles 11 and 13 set a much higher bar for the practice of sharing or displaying copyrighted content online. No matter where they are domiciled, online service providers that wish to operate in the EU will be compelled to abide by these provisions once the new copyright directive goes into effect. As with data privacy, it is likely the platforms will ultimately advocate for a single unified solution for treating copyrighted content across all the markets in which they are present. This could end up giving global content creators and copyright holders the same protection as their EU counterparts.

Critics of the EU copyright directive argue that Articles 11 and 13 will result in a distribution patchwork where only licensed content will be available online, further balkanizing an internet that’s already fragmenting under pressure from the walled garden internet models of China and Russia. They contend that platforms will respond by creating automated tools to scan uploaded content for copyrighted material and preemptively remove it (the hypothetical “upload filter”). Although copyright holders will be entitled to compensation for links to their work under the so-called Link Tax, these critics assert that copyrighted content will simply be filtered out, pointing to what happened previously with similar initiatives in Germany and Spain.

EU regulators have sought to be responsive to these critics by creating a more flexible framework. To ensure that individual content creators’ voices won’t be stifled, the final text of Article 11 exempts “private or non-commercial uses of press publications by individual users.” Rather than setting a draconian standard for implementation, the enforcement of Article 13 depends upon platforms’ “best efforts” to police copyright infringement.

Most importantly, this time around, public opinion no longer favors Big Tech. Online businesses are now seen to have enjoyed a free ride by monetizing consumer attention and data through targeted advertising: Facebook and Google have effectively been running a restaurant without paying for the food. As the platforms’ dominance has grown, the reading public and TV audiences have watched local news coverage and print publications shrink. The public has begun to understand that publishers and broadcasters must get a bigger piece of the online pie in order to survive.

Recent headlines and congressional hearings about high-profile data abuse by technology companies merely put a match to the powder keg. The current backlash is a reaction against two decades of dubious business practices. Last week it was revealed that Facebook expects to pay a fine of between $3 billion and $5 billion to the Federal Trade Commission for violating terms of a 2011 agreement with the agency to protect users’ privacy. That may be relatively small for the company—but much more could be coming down the pipeline.

A regulatory revolution is now shaking the online world to its core, forcing all stakeholders to rethink their conduct, their businesses, and, in the case of consumers, their rights. Though unlikely revolutionaries, the EU commissioners understood that the time was right to rise in rebellion against our tech overlords. After all, the internet has always favored disruptors.
