There was the usual discussion about the pros and cons of light-touch and self-regulatory approaches, in keeping with the conditions that fostered innovation and investment in the Internet.
However, the world has moved on since the late-90s; it is worth spending time to reflect on today's conditions and what new approaches are warranted. And, to what extent will US agencies set the future direction?
The Internet is deeply integrated in our everyday lives. And, the proliferation of IoT sensors and devices will only increase this level of integration and dependency. The security guru, Bruce Schneier, has pointed out that IoT security is too important an issue to be left to market forces and that the necessary precautions will only be met by a regulatory approach [1]. His might not be a lone voice. In the case of the much younger Bitcoin technology, for example, it is interesting to note the desire for private-sector players to call for regulation as a necessary condition for establishing a nascent market [2].
Going down the regulatory path, the issue then becomes one of who sets the regulatory rules. With the IoT being a global phenomenon, there is no guarantee of US leadership. Discussions in Washington D.C. might placate local firms. They risk missing the bigger picture of what is happening on the international playing field. Consider how the market for personal data is changing as firms adjust to the EU's GDPR initiative. GDPR (the General Data Protection Regulation) gives individuals significant new rights over how their personal data is collected.
In an innovative twist, GDPR applies to individuals (data-subjects) in the EU; it applies to any service provider and not just those domiciled in the EU. In the industry, it is not uncommon to hear of it referred to as the Global Data Protection Regulation. For evidence of GDPR's global impact, take a look at PayPal's recent disclosure of how it shares personal data with its network of 600 business partners [3]. Here is the same data in a more easily digestible format [4].
Having in effect set the global agenda for personal data, the EU's next step will most likely progress to rules for IoT and mixed-data assets.
In another example and at a local level, Uber is succumbing to regulatory pressure in the UK. In order to demonstrate its fitness to operate, Uber is offering to release proprietary data to help with transportation infrastructure planning. Through this gesture, Uber wants to show that it can be a better partner to the City of London [5].
These developments show that regulatory institutions can and will play a greater part in the IoT and new Internet-enabled service sectors. Innovators and investors in emerging sectors such as autonomous vehicles and data brokering, to pick two examples, should factor a pro-regulatory element into their strategies. This means engaging with the appropriate institutions and designing products/services with suitable monitoring and audit-reporting capabilities.
Strategically, it is no longer tenable to tell government, for example, to get out of the way and stop interfering with innovation.
[1] Security and the Internet of Things - https://www.schneier.com/blog/archives/2017/02/security_and_th.html
[2] Winklevoss twins pitch plan to regulate digital money http://www.businesstimes.com.sg/banking-finance/winklevoss-twins-pitch-plan-to-regulate-digital-money
[3] List of Third Parties (other than PayPal Customers) with Whom Personal Information May be Shared https://www.paypal.com/ie/webapps/mpp/ua/third-parties-list
[4] How PayPal shares your data - https://rebecca-ricks.com/paypal-data/
[5] Uber offers to share journey data with London city planners -https://www.theguardian.com/technology/2018/mar/15/uber-offers-to-share-journey-data-with-london-city-planners
IMAGE CREDITS: Victoria Heath via unsplash.com
15 May 2018 update
ReplyDeleteETSI Summit round up on Data Protection and Privacy - see links for presentations.
http://www.etsi.org/news-events/news/1299-2018-04-news-etsi-etsi-summit-round-up-on-data-protection-and-privacy
29 June 2018
ReplyDelete"Unless America steps up with its own rules, GDPR will become the global norm", says Suzan Delbene, Democratic member of the US House of Representatives
https://www.ft.com/content/d8a70f22-7a12-11e8-af48-190d103e32a4
29 July 2018 update
ReplyDeleteStandardisation of blockchain technologies and distributed ledger technologies.
https://www.iso.org/committee/6266604.html
3 Sep 2018 update
ReplyDeleteUK media and telco industries demand more red tape for social media content
http://telecoms.com/491891/uk-media-and-telco-industries-demand-more-red-tape-for-social-media-content/
24 October 2018 update
ReplyDeleteApple and Facebook call for EU-style privacy laws in US
One interesting question is whether it will be a copy-and-paste approach.
https://www.ft.com/content/0ca8466c-d768-11e8-ab8e-6be0dcf18713
20 Nov 2018 update
ReplyDeleteFood companies fail to agree on new nutrition label in Europe
Please use the sharing tools found via the share button at the top or side of articles. Copying articles to share with others is a breach of FT.com T&Cs and Copyright Policy. Email licensing@ft.com to buy additional rights. Subscribers may share up to 10 or 20 articles per month using the gift article service. More information can be found at https://www.ft.com/tour.
https://www.ft.com/content/8005ec16-eca5-11e8-8180-9cf212677a57
But after trials in several countries and consultation with academics and consumer groups, the companies could not gain consensus around the new portion-based, colour-based scheme, said Bart Vandewaetere, a Nestlé government affairs executive.
“Colour coding of food labels is very controversial in continental Europe,” said Mr Vandewaetere. “We need leadership from the European Commission to come up with a common approach.”
https://www.ft.com/content/8005ec16-eca5-11e8-8180-9cf212677a57
31 Dec 2018 update
ReplyDeleteThe data economy is global, and EU legislation should provide a regulatory environment that enables European operators to harness the full potential of data to compete globally.
https://www.computerweekly.com/opinion/Beyond-GDPR-Why-ePrivacy-could-have-an-even-greater-impact-on-Europe
1 April 2019 update, not an April's Fool joke
ReplyDeleteFacebook founder and CEO Mark Zuckerberg has governments and regulators to play a more active role in developing new rules for the internet.
http://telecoms.com/496675/facebook-calls-on-governments-to-help-control-content-on-the-internet/
2 April 2019 update
ReplyDeleteThe extract below illustrates the importance of an open governance framework.
In selecting James, Google is making clear that its version of “ethics” values proximity to power over the wellbeing of trans people, other LGBTQ people, and immigrants. Such a position directly contravenes Google’s stated values.
https://medium.com/@against.transphobia/googlers-against-transphobia-and-hate-b1b0a5dbf76
24 April 2019 update
ReplyDeleteSpeaking at an event organised by Time magazine, Cook said “We all have to be intellectually honest, and we have to admit that what we’re doing isn’t working. Technology needs to be regulated. There are now too many examples where the no rails have resulted in a great damage to society.”
http://telecoms.com/497015/apple-boss-wants-more-state-intervention-in-tech-business/
25 September 2019 update
ReplyDeletevia Benedict Evans
"there is a tendency to frame this conversation in terms of the Chinese government and the US constitution. But no-one outside the USA knows or cares what the US constitution says, and Megvii already provides its ‘smart city IoT’ products to customers in 15 countries outside China. The really interesting question here, which I think goes far beyond face recognition to many other parts of the internet, is the degree to which on one hand what one might call the ‘EU Model’ of privacy and regulation of tech spreads, and indeed (as with GDPR) is imposed on US companies, and on the other the degree to which the Chinese model spreads to places that find it more appealing than either the EU or the US models."
https://www.ben-evans.com/benedictevans/2019/9/6/face-recognition
13 Aug 2020 update
ReplyDeleteInternet of Things: How the U.K.’s Regulatory Plans Could Raise Compliance Standards
The U.K. government is concerned that despite the introduction of a self-regulatory Code of Practice in October 2018 (COP), there are still significant security flaws in many products on the market. The U.K. proposals seek to expand on the COP, which covers 13 areas (or outcome-focused guidelines) that are widely considered good practice, including requirements that all IOT device passwords are unique, all software is securely updatable, and users have clear transparency and control over the use of their data. The code is expected to be revised by the U.K. government at least every two years.
https://www.natlawreview.com/article/internet-things-how-uk-s-regulatory-plans-could-raise-compliance-standards
24 March 2021 update
ReplyDeleteRegulators are your friend
Lopokoiyit wants fintech companies and innovative start-ups to embrace engagement with regulators in their jurisdictions. “We work with them every single time. There is no product and service that we launch without the regulator. We actually have discovered it is better to, even on a concept stage, to engage the regulator.
https://www.howwemadeitinafrica.com/m-pesa-ceo-savings-wealth-management-and-insurance-the-next-big-opportunities-for-fintech-in-africa/
11 June 2021 update
ReplyDeletePublic consultation on the draft OECD Recommendation on Agile Regulatory Governance to Harness Innovation
The COVID-19 crisis has magnified the above-mentioned challenges and forced governments to rethink their approach to rulemaking. The social and economic disruption that the pandemic has wrought further highlights the strategic importance of developing more agile and co-ordinated regulatory approaches to increase responsiveness and resilience in changing environments, harness the opportunities provided by innovation and protect the public interest. As governments rebuild afresh, they must ensure that the innovation that will power economic growth and solve the world’s most pressing social and environmental challenges is not held back by regulations designed for the past.
https://www.oecd.org/gov/regulatory-policy/public-consultation-on-the-draft-recommendation-for-agile-regulatory-governance-to-harness-innovation.htm
8 March 2023 update
ReplyDeleteWhat Washington Gets Wrong About China and Technical Standards
Over the past four years, Washington’s foreign policy establishment has stumbled on a new arena for competition with China: international technical standards. During that time, standards have been the focus of news stories, think tank reports, and even several pieces of federal legislation. Across these, the master narrative is largely the same: technical standards are a key part of technology competition, China is taking over international standards bodies, and it is successfully manipulating those standards as part of its quest for global tech domination.
Parts of that narrative ring true. Technical standards are a critical part of the global technology ecosystem because they facilitate trade, can give first-movers a competitive advantage, and can generate significant revenue for companies with large patent portfolios. The Chinese government has a track record of trying to manipulate international organizations, and Chinese participation at international standards bodies is increasing.
But Washington’s master narrative around technical standards is wrong. It’s not wrong because the Chinese Communist Party is a trustworthy actor in these arenas—it isn’t. The narrative is wrong because it fundamentally misunderstands what international technical standards do and how standards development organizations (SDOs) operate. There are real concerns when it comes to China and technical standards, and those concerns require targeted actions. But to make the right prescription, the U.S. policy community must first correctly diagnose the problem.
https://carnegieendowment.org/2023/02/27/what-washington-gets-wrong-about-china-and-technical-standards-pub-89110
16 November 2023 update
ReplyDeleteChina Gains as U.S. Abandons Digital Policy Negotiations
The future of U.S. global digital policy hangs in the balance following a shock decision by the office of the United States Trade Representative (USTR) that the United States no longer supports provisions that protect cross-border data flows, prohibit forced data localization, safeguard source code, and prohibit countries from discriminating against digital products in the World Trade Organization (WTO). The USTR’s previous position allows data to flow freely, with restrictions as the exception, in contrast to China’s position that seeks stricter control and oversight based on local law and regulation before allowing data to flow. While the difference between the two positions may have seemed rather technical, it served as the foundation for U.S. government support for an open Internet and digital economy. That foundation is now gone.
As Nigel Cory and Samm Sacks write in Lawfare, without U.S. support for trade commitments against data localization, U.S. policymakers and companies will have a harder time pushing back on localization requirements in countries where U.S. and Chinese firms are in fierce competition for market share.
The USTR’s decision has far-reaching implications for the future of governing the internet and data that will reverberate beyond the WTO and IPEF. The absence of U.S. advocacy for data flows sends the message to other countries that they can enact restrictions that will discriminate against U.S. firms—which undermines the U.S. economy and leadership in governing digital technologies.
https://itif.org/publications/2023/11/16/china-gains-as-us-abandons-digital-policy-negotiations/
https://www.lawfaremedia.org/article/china-gains-as-u.s.-abandons-digital-policy-negotiations
12 Jan 2024 update
ReplyDeleteOn the theme of single-provider business models
US regulator considers stripping inspection authority from Boeing employees
Mid-air blowout of 737 Max 9 prompts review of system where company staff certify aircraft
Please use the sharing tools found via the share button at the top or side of articles. Copying articles to share with others is a breach of FT.com T&Cs and Copyright Policy. Email licensing@ft.com to buy additional rights. Subscribers may share up to 10 or 20 articles per month using the gift article service. More information can be found at https://www.ft.com/tour.
https://www.ft.com/content/1588974e-db75-4a02-9aff-deb0b75ed379
The move to review the oversight programme, where Boeing’s own employees certify aircraft safety on behalf of the Federal Aviation Administration, was prompted by the grounding of some 737 Max 9s following the mid-air incident over Oregon last Friday. The so-called “organisation designation authorisation” earlier came under scrutiny when two Boeing 737 Max 8s crashed in 2018 and 2019.
Mike Whitaker, FAA administrator, said the agency was “exploring” its options for using an independent third-party to oversee inspections of Boeing’s aircraft and its quality controls.
https://www.ft.com/content/1588974e-db75-4a02-9aff-deb0b75ed379
12 September 2024
ReplyDeleteIoT update: Implementing the EU Data Act
The date of application of the EU Data Act is slowly approaching. By 12 September 2025 all IoT providers / manufacturers will need to implement the Data Act.
The Data Act will affect IoT providers that commercialize IoT products due to the new obligation to share the data obtained through IoT with the user of the IoT product (or related services) and with third parties at the request of the user. This means that data (personal and non-personal) that was only at the disposal of the IoT provider / manufacturer from 12 September 2025 will need to be shared upon request. The scenarios of application of the Data Act are quite broad: smart cars, medical devices, smart watches, smart TVs, planes, all kind of wearables, industrial machinery… Basically, any “smart” or “IoT” product can potentially trigger the sharing obligation.
However, there are limitations, requirements and not all types of data collected through IoT devices are in-scope of the sharing obligation. In addition there are potential defences to reduce the impact of the Data Act (e.g. contractual limitations, privacy considerations, competition restrictions…).
In addition (albeit further away), by 12 September 2026, IoT products shall be designed and manufactured in such a manner that IoT data, including the relevant metadata necessary to interpret and use those data, are, by default, easily, securely, free of charge, etc. directly accessible to the users.
https://www.lexology.com/library/detail.aspx?g=c6301f0b-aaed-469f-a3a8-72830e8de44c
2 April 2025 update
ReplyDeleteWhich IoT Regulator Will the Rest of the World Follow?
The EU effect: Setting tomorrow’s standards
For a hint of where things are going, it is worth looking at how different markets tackled a similar technology problem and regulatory solution in data privacy. Once again, Europe led the way in 2016 with the General Data Protection Regulation (GDPR). On the other hand, The United States decided against federal thresholds.
The result? Major tech companies applied GDPR globally and countries from Brazil to India modeled their privacy laws after the framework.
Europe’s reputation for leading security and privacy regulation makes it the natural template for emerging markets. So, do not be surprised to see local versions of the Cyber Resilience Act. As devices handle increasingly critical societal functions, countries will likely favor legislation that guarantees stronger safeguards rather than optional baselines.
https://www.eetimes.com/which-iot-regulator-will-the-rest-of-the-world-follow/