Introduction
In 1997, the European Commission forecasted that “the expansion of electronic commerce will be market-driven”. It was not wrong. In fact, today a handful of big companies control most of what we do online, from the way we find information, talk to each other, and now even how we interact with public authorities: in July, the Dutch Prime Minister shared a message on Twitter, drawing attention to an update on Coronavirus policy that he initially shared not on the official website of the Dutch government, but on … Facebook.
Of course, the Commission’s statement in the early days of the World Wide Web was not so much prophetic as it was self-fulfilling. Since the late 1990s, it has opted for self-regulation by industry, following the example of the US. With the adoption of the E-Commerce Directive in 2000, online platforms were mostly shielded from liability for the content they hosted from users. And since then, the Commission has continued to focus on breaking down barriers to e-commerce so as to create European tech firms that could compete with the US giants. But while the Commission was fretting about the lack of successful European tech start-ups, it failed to realise that the Internet was becoming much more than an online marketplace. As a result, it did not do enough to propose or enforce policies to safeguard and promote essential public values, such as democracy and transparency.
Unfortunately, power abhors a vacuum, as they say. And as Prof. Lessig noted years ago (1) , there is nothing inherently democratic about digital technology. He predicted that if communities would not decide democratically how to shape the online environment, others would do so, and moreover in line with their own interests. And this is what has happened. It is not that the ‘Internet’ (2) is unregulated, and that this is why it is so innovative. In fact, it is highly regulated, but the rules are created and enforced by a handful of tech firms. Europe now has to contend with an ecosystem in which a few highly integrated businesses together control around 70 key infrastructural online platforms: from payments, social media and app stores, to advertisement, marketplaces, cloud services, and more (Van Dijck 2020) (3). They have created a digital infrastructure that collects as much data from citizens as possible in order to predict their behaviour, and then manipulate it. For a profit.
While this level of online surveillance and opacity would have been unacceptable and illegal in any other setting, it has come to be a fact of life for practically everyone that connects to the net. You want to offer a channel on broadcast TV? Then you need to obtain a license, regularly air public interest messages, and respect limits on advertising to protect consumers, children in particular. You want to operate a video-sharing platform online, targeting hundreds of millions of citizens on a daily basis? For the past decades, you could run it pretty much any way you wanted to. The few legal restrictions that existed were hardly enforced in practice. The resulting pollution of our information ecosystem was entirely predictable.
As the EU races into the fourth decade of the World Wide Web, this approach is no longer tenable. It is high time that it articulated a collective vision for the Internet. This does not need to be defined in exclusionary terms; after all, there are plenty of other countries that share an interest in protecting human rights, and that oppose surveillance and manipulation of citizens, be it from the government or the private sector. It is also necessary to reach out to other countries if the EU wants to keep some of the benefits of the Internet as a global network. But this will require the EU to push back against the visions for online communications that are now prevalent in China and the US. The EU should not be as accepting of huge concentrations of power and surveillance, be it in the interest of the state or in the name of an abstract notion of innovation that is disconnected from people’s well-being.
Institutional inertia
There are some signs that the Commission is waking up to the idea that digital policy cannot be reduced to the creation of an internal market. That what is at stake are the protection of fundamental rights and a functioning public sphere and democracy.
But it is doing so reluctantly. Since the momentous founding compromise on agricultural policy, the EU has functioned mainly by breaking down national barriers to the free flow of goods, services, labour and capital. And the way it prefers to achieve this is by relatively depoliticised processes: lengthy negotiations that culminate in the adoption of regulations and directives, delegated and implementing acts, the effects of which will be felt years after the compromises have been reached. True to form, in the past years the EU has proposed measures in a wide range of policy areas that affect the digital economy and society; from audiovisual media services, copyright, platform-to-business relations, terrorist content, e-commerce, telecoms, cybersecurity, consumer protection and more. But it has resembled a complicated game of whack-a-mole that is unlikely to bring about a more democratic and sane online environment.
Admittedly, it is difficult to take bold collective action in an EU of 27 Member States, but it does happen in time of crisis. The EU realised that the Eurozone cannot be managed with mere accounting rules, but only following the financial crisis in 2008, and the ensuing (perceived) problems of sovereign debt. In the wake of the migration crisis in 2015, the EU learned that it cannot deal with human lives in the same way it sets annual fishing quotas. In 2013, Edward Snowden revealed the existence of a global mass surveillance infrastructure, and this provided the conditions to successfully conclude negotiations on the General Data Protection Regulation, which became applicable in May 2018. It was a major first step toward encoding a democratic vision of the ‘Internet’ by providing a set of binding principles that everyone has to respect when handling personal data.
And yet, this alone will not be sufficient. It is predicated on the idea that granting individuals rights to protect themselves is an effective check on power. This is a tenuous proposition in view of the power of some of the big tech firms, but it becomes untenable when there is no backing from strong regulators with the resources and willingness to aggressively enforce the rules. Of course, since the Snowden revelations, there has been no shortage of events that could – and should – create the political conditions for more collective action to shape the net. From the ‘WannaCry’ ransomware attacks in 2017 that grinded the UK’s National Health Service to a halt, to the Facebook – Cambridge Analytica scandal in 2018, which involved the illegal use of millions of citizens’ data for the purpose of political advertising. It would appear that the Corona crisis will accelerate politicisation of the ‘Internet’, as it is both highlighting and further increasing our dependency on digital infrastructure, which citizens and their representative institutions neither control nor understand.
The way forward
After the first year of the von der Leyen Commission, there is room for cautious optimism. The EU is preparing new rules to govern the design and use of automated decision-making systems (‘AI’), the governance of online platforms, as well as rules to increase availability and use of data that does not relate to individuals. There is potential for the rules to address the concentration of power in the digital economy head on. But the proof of the pudding is in the eating, and much of the success will hinge on arrangements to ensure effective enforcement. Will the new rules have the same institutional flaws as the enforcement mechanism created for the General Data Protection Regulation? Or will institutions be created that can effectively hold to account companies that operate across the EU, in a range of different markets, and that possess nearly unlimited resources?
In the longer term, the EU needs to work towards a vision for the Internet that it wants for its citizens. Is it to be more decentralised, with smaller and more specialised social media that do a better job of community moderation of content? There are existing examples for this, such as Mastodon, from which it can learn. Is it to be a space where public authorities have more control over some of the fundamental digital infrastructure on which European hospitals, energy grids and universities are run? There are useful initiatives here, such as the Franco-German project to create a non-profit European cloud – Gaia-X. Is it to be a space where individuals retain much more control over their personal data? Both the German Presidency of the Council of the EU and the Commission are looking into a public infrastructure for online identification and authentication. If realised, it could allow citizens to only share minimum aspects of their identity when using a service, instead of handing over troves of personal data each time they register for a new app.
To make it all happen will require regulation, but it will also require much more. Apart from setting new rules, the EU should invest in the types of innovation it wants to see. The Corona recovery funds that are now being released offer a real opportunity. And, crucially, public authorities can decide how to spend their budgets, which has a significant effect on the way markets develop. What if all public authorities would only purchase goods and services, which accounts for roughly 14% of EU GDP, from companies that respect fundamental rights, such as the right to privacy, and observe minimum standards of transparency? That would be a far cry from the present, where governments rely on social media for their official communications, no matter how many times the latter break the law.
_______
1) L. Lessig, Code and Other Laws of Cyberspace, Version 2.0 (Basic Books, 2006).
2) As E. Morozov pointed out in To Save Everything, Click Here (2013), the Internet as such does not exist. It is shorthand for a range of different technologies, from physical infrastructure such as fibre-optic cables to protocols that allow you to send and receive emails. For brevity’s sake, I will continue to use the term.
3) J. Van Dijck, “Governing Digital Societies. Private platforms, public values”, Computer Law & Security Review 36 (2020).