Too Slow to Deliver
Can governments regulate the networked world?
By Ansgar Baums
Being a regulator for the digital economy is like being soccer referee: no matter what you do, you always get yelled at. Rarely will you receive recognition; and complaints about bad “digital regulation” seem to be as old as the Internet. Your critics come from two very different directions: On the one hand, governments are supposedly too slow and inept to understand digital transformation. The outcome is badly drafted laws that come too late, adding costs and few benefits—often leading to the conclusion that no regulation is better than bad regulation. On the other hand, digital regulation is supposed to be too timid (“beyond pathetic,” as the Guardian’s Simon Jenkins put it recently), failing to curb the power of digital corporations or mediate the impact of digital disruption. The conclusion: a stronger stance is desperately needed. Pleasing both parties is impossible.
What does “regulation of the Internet” mean, anyway?
“Regulating the Internet” is a fuzzy term. Narrowly interpreted, it could mean all regulation directed at the Internet infrastructure as such, e.g. who’s managing the DNS; who will define the rules of the IP protocol? Such a narrow definition has its merits, but it misses the main point for political decision-makers: Digital technologies change almost every aspect of our society—so it is much more about managing the societal fall-out of digital disruption than merely its underlying code.
The list of regulatory tasks is long, so here are just four topics with significant impact that are high on the agenda today:
Infrastructure regulation: Despite all innovation, we have not found a better solution to deal with natural monopolies than regulation. How we regulate the physical infrastructures of the digital world matters a lot. Some key economies like Germany fall badly behind in benchmarks on broadband access, mainly due to a misguided strategy incentivizing to update copper rather than leapfrogging to fiber infrastructures. The heated debate about net neutrality is basically about the question to what extent infrastructure companies are allowed to monetize access to the Internet, not only by charging the customer but also by discriminating on the content or services side. There is no end in sight to a heated debate around the question how much profit is an infrastructure company allowed to make—especially in the context of European politicians viewing telecommunications incumbents as one of the few players that could compete with dominant US Internet companies.
Competition law: Since the rise of big digital platforms (“GAFA”—Google, Apple, Facebook, and Amazon, the villains often called out), regulators have been struggling with the questions of when and how to regulate these platforms. Several problems occur: (1) If a platform’s dominance cannot be measured by revenue, should we measure its “data power” instead? (2) What actually is a market? Do Google and Amazon compete as search engines, or are they operating in different markets? The answer to this question would significantly influence and market power analysis. Assuredly, the big players like to highlight just how stiff the competition in the Internet economy as a whole really is; their challengers would highlight the fact that Google dominates plenty of small market segments. (3) What are the best means to regulate big platforms? The nuclear option to regulate digital platforms would require defining digital platforms as de facto infrastructures—and then applying the torture tools of natural monopoly regulation to full the extent. The legal vehicle to do this is the so-called bottleneck doctrine.
Cybersecurity regulation: We are about to connect a myriad of “things” to the Internet. No one really knows what this will mean for cybersecurity. Experts are rather pessimistic: Most of these IoT devices lack even basic cybersecurity features. From a regulatory point of view, cybersecurity looks a lot like negative externalities stemming from a huge market failure to incorporate the price of cybersecurity. The classical regulatory answer to negative externalities is to find a way to put a price tag on it. This might happen by increasing the liability for products. Consequentially, the EU has just started a consultation on defective products; several political parties in Germany have issued statements supportive of increased liability for IoT products. The main problem with these proposals is that effective liability regulation functions as an incentive structure, not as a punishment. The incentive structure would depend on a way out of increased liability—e.g. by allowing companies to refer to certain publicly acknowledged certificates, which define “good security standards” and limit liability accordingly. Unfortunately, such a class of certificates does not exist today. Without fixing this issue, any increased liability would not achieve much except for increased costs of doing business.
Labor regulation: Digital platforms that specialize in contracting work on an ad-hoc basis implicitly establish a contractual relationship between the contractors, based on commercial law. Commercial law usually assumes a relationship between equals. In contrast, classical labor law is founded on the assumption that the relationship between employer and employee is asymmetrical—favoring the employer. Labor law is therefore in its essence protective regulation. Due to the ongoing shift from labor law- to commercial law-regulated working relationships, the main question here is: Which parts of the protective regulation of labor law should be transferred into the new world of digital labor-platforms—and which not?
Why no regulation is also regulation
One conclusion from the complexity of regulating the digital world is that it is to better do nothing than to mess things up. The antiregulatory narrative stresses the nerd culture leading to institutions such as ICANN, in which governments were in a passive, observatory role rather than in a role that determined the agenda. In geographical terms, the Internet was born and governed in Silicon Valley rather than in Washington, DC.
This is a misleading argument, first and foremost because the Internet as such has always been shaped by conscious regulatory decision, even if it was a decision of restraint. In fact, the Cambrian explosion of the Internet—at its core, the incredibly fast growth of e-commerce—would not have been possible if it weren’t for one particular regulatory approach of restraint, developed by a Republican from California (Chris Cox) and a Democrat from Oregon (Ron Wyden) in a backroom in Washington DC in 1995: the limited liability of digital platforms (often referred to as “safe harbors”—not to be mistaken as the EU Safe Harbor privacy regulation). It became law in 1996, hidden in the Communications Decency Act, section 230:
“No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”
The core idea is simple: digital platforms are intermediaries. “To sue an online platform over an obscene blog post would be like suing the New York Public Library for carrying a copy of Lolita,” as Wired put it.
Imagine eBay would be held liable for all products offered, or Amazon would be held accountable for every product review. If digital platforms would have been held liable for everything third parties would offer or do on their platforms, their business model would never have worked. In an astonishingly audacious act, government acknowledged the benefits of these digital platforms and created room to grow. The limited-liability rule has since been copied in almost every major economy, covering not only e-commerce, but also the responsibilities of platforms in publishing or regarding product liability. Given the importance of this bold regulatory act, one might question the widely held opinion that regulation always lags behind technological development. In this case, regulation actually accelerated technological innovation considerably.
It is tempting to compare the impact of this foundational regulatory act of the Internet economy with the invention of the limited liability corporation in the seventeenth century. The LLC unlocked financial investments in long-distance trade (beginning with the British East-India Company, kickstarting the first phase of globalization.) If you would ask for the invention with the biggest impact on the global economy, regulatory inventions like the LLC or Safe Harbors would make the Top 10 list.
Still, Silicon Valley struggles to acknowledge the fact that an exemption from hard regulation actually is a regulatory decision. Some of the current fights over digital policymaking seem to be rooted in this fundamental misinterpretation of the regulatory history of the Internet. While digital technology opens up new market segments that could not have been addressed before, governments license these markets. One might ask the question of why successive generations of Silicon Valley companies first hit a regulatory brick wall before acknowledging how important regulation really is.
The regulatory paradigm of platform liability is not a law of nature. It is now under scrutiny. There is a certain logic to it: Back in 1995, digital platforms were fragile but offered huge benefits for customers regarding transparency and price competition, so politicians helped out. Today, the same digital platforms loom large over many market segments and are often perceived as threats to fair competition. Little surprise that the liability exemption is questioned—e.g. the current EU Single Digital Market review.
However, there is a problem with this approach.
Why failed regulation benefits the big, and hurts the small
The reason is the paradox of platform regulation: Enforcing a stronger responsibility of digital companies for the impact of their technologies on society might benefit the big, and hurt the newcomers—and therefore contradict one of the most prolific policy goals in many countries: creating a new generation of start-ups challenging the status quo of “GAFA.” Any measures to increase liability of platforms might actually benefit the existing, dominant ones. Established players might implement costly solutions to patrol their platform for illegal content—start-ups would simply not be in a position to do it. If we trust that the Internet economy is still developing and might challenge the fat cats of today with new ideas and innovations, it would be foolish to implement regulation that basically freezes the status quo of the Internet economy.
Furthermore, digital platforms exist in a highly volatile environment. A shining star of today might be gone tomorrow, or technology simply moves on and envelopes a platform that once might have been strategically important. Remember the “browser wars.” Who would have guessed that mobile phones (different browsers!) and apps (no browser at all)—and next maybe chatbots—would dominate the access to the Internet? The technological landscape has changed beyond recognition in under a decade. The EU spent considerable political capital in regulating those browsers; but when regulation was finally enforced, the stationary browser had already lost its strategic importance. Sometimes innovation is regulator’s best friend, exactly when it makes laws redundant.
A second kind of problem stems from the fact that regulation is relying too much on making laws. Admittedly, this is what regulation was solely about for centuries. But in a highly globalized world, where “Code is Law,” the limits of national lawmaking are all too apparent. Surprisingly, there is no empirical study of the question asking if laws addressing digital markets actually achieve what they were aiming for. Anecdotal evidence points towards a growing gap between intention and outcome.
Third, sometimes digital-business models are badly affected by legacy, decidedly non-digital, regulation. Take the Uber case. You could argue that the rise of Uber is a reflection of a severe regulatory failure in the very old, traditional personal transportation market. Regionally licensed monopolies and caps on the number of licenses issued basically set incentives not to innovate at all. With a well-oiled lobbying machine in place, cab companies fought off any attempts to upgrade the market regulation over decades. Regulatory failure? Indeed. But is it a digital problem? Not really.
Making digital regulation work
The relationship between the Internet economy and regulators has gone from honeymoon (the 1990s) to frenemy. Internet companies need to understand that their success ultimately depends on governments who license markets. They also need to acknowledge that disruption caused by digital transformation is a serious matter to political decision-makers. Some empathy instead of insisting on the “the nation state will not help us” narrative might be in place.
On the other side, we urgently need a review of how we regulate. Today, laws often simply do not achieve what they are aiming to achieve. Realigning purpose, means, and outcomes will require some serious re-engineering of the regulatory machine. Fans of martial arts might call it a “jujutsu” approach: using the dynamics of modern technology to regulate it rather than fighting it with traditional means.
To start with, a healthy dose of pragmatism helps. Take the AirBnB case: The problem of large-scale commercial operations turning a private homestay platform into something else has bothered politicians in cities around the globe, often triggered by resistance from citizens who see their neighborhood changing dramatically. How to respond to it? Let it happen? Or succumb to the pressure of the hotel lobby and outlaw it all? The only viable option seems to be a very pragmatic—and to certain extend arbitrary— threshold regulation: Allow x numbers of rent-outs per year, everything beyond would require a business license. It took regulators a long time to appreciate the pragmatism of thresholds over dogmatic black-and-white regulation.
There are other instruments to consider:
“Nudging” is a soft approach: trying to leverage the fact that decision points can be designed with a (regulatory) purpose in mind. The US and British government are experimenting with nudging, the German government cautiously explores its benefits. Information asymmetries between companies and consumers are a perfect use-case for nudging, as we should assume that consumers would stick to default set-ups (be it cookies or security-related).
Self-regulation is often not well understood or systematically developed. It can work very well and offer pragmatic solutions for fast-moving industries—e.g. age control for access to digital content; take-back systems for devices (WEEE); or the Voluntary Agreement of the printing industry. Self-regulation can also fail spectacularly if the incentives set by the regulator are promoting extreme positions in negotiations (the “second basket” of copyright laws in Germany comes to mind). Given the importance of self-regulation for fast-moving industries, the lack of systematic review remains a mystery.
Setting up markets to solve market issues is also underutilized. Take the example of information asymmetries affecting negatively the level of privacy. In the financial sector, governments have proactively supported the rise of a broker intermediate, who translates extremely complex investments into more digestible portfolios. A privacy broker, who would align privacy preferences with the choice of apps running on a mobile phone, would be an interesting innovation to solve the information asymmetry problem.
Regulation is not yet data-driven or experimental in a systematic way. “Evidence-based public policy”—developed as concept in the 1990s, when Big Data was a vision and not yet reality—is still not the norm but rather the exemption. Smart infrastructures will provide us plenty of data on “what’s really happening,” and an option to track the impact of regulation. Do we make use of it? And do we actually have built-in processes of assessing the impact of regulation? Why don’t we try to test the impact of regulation in controlled field tests—tweaking the regulation in each case a little bit and measure which tweak was most successful? It would require a serious change in how we craft laws to harness the power of empirical data.
Digital technology is a key driver of economic growth, and it still provides solutions that could address some of the planet’s most urgent issues. We just need to figure out how the Internet economy and regulators work together rather than make each other’s lives miserable.
Soccer might again offer a lesson here: When Pierluigi Collina retired as a referee, in 2005, after 460 matches, the soccer world bowed to a man who earned the respect of all players, including the circa 130 players he sent of the field with a red card. Why? Because everyone knew that, in his heart, Collina was the greatest soccer fan of all. Maybe he’s the right role model for digital policymakers, after all.
Ansgar Baums is Head of Government Relations Europe | Middle East | Africa and head of HP’s Berlin Office. Baums is member of HP’s Cybersecurity Management Review Council, the EMEA leadership team, and leads the Government Relations support plan for 3D Printing. He publishes regularly on digital policy issues, e.g. Kompendium Industry 4.0 in 2015 on the role of digital platforms. Prior to HP, Baums was director of government Relations at SAP, and, prior, spent four years for Germany’s Federal IT Association BITKOM with focus on Economic and Innovation Policy. Baums started his professional career as an analyst at German Intelligence Service. He holds a degree in political science from Free University in Berlin, and a Master’s of Science in International Strategy and Economics from University of St. Andrews. He was a German Marshall Fund Memorial Fellow in 2017.
 An excellent account of the LLC is John Micklethwait’s The Company: A Short History of a Revolutionary Idea (Modern Library, 2003)
 https://ec.europa.eu/digital-single-market/en/news/digital-single-market-mid-term-review Cf. Niko Härting (2015): Haftungsverschärfung und Rechtsunsicherheit. IN: Ansgar Baums | Ben Scott | Martin Schössler (Ed): Kompendium Industrie 4.0 http://plattform-maerkte.de/haftung/
 Cf. Richard Thaler and Case Sunstein, Nudge. Improving Decisions About Health, Wealth, and Happiness (Yale, 2009)