Visual Legal Analytica

Discover Legal & Policy Ideas, in the Language of Graphics

Regulating the Big Tech: Legal Workability & Dysfunction in Oversight Measures

Digital technologies for sure are disruptive, and their potential to bring these unending changes, to be called as "disruptions" happen in threads. This means that even minute and subtle changes into any sub-segment of a class of technology's subset, can affect global markets at a considerable rate. Some disruptions may be considered natural and gradual, while some might be orchestrated to affect multiple sectors. Let us take a simple example. People may be aware of various kinds of IoT-based devices, which include sensors. Take an electric toothbrush. What are the factors or considerations that may surround the purpose of such a product? So, a commonsensical understanding says that the product is portable, the tracking system within the product provides a lot of data about the consumers who are using the toothbrush. If the toothbrush has some components that can also assess the condition of the teeth and the gums, then even that can be monetised and reduced into data. The understanding is this: when digital technologies cause disruption, it is obvious that the multi-sector, multi-circumstantial impact the disruption brings resembles interconnectedness. This is interesting because lawyers and policy thinkers rarely focus on the interconnectedness of technologies. Now, in the same case of the electric toothbrush, let us suppose you get the data and use algorithms to analyse the patterns, then the whole "responsible AI" paradigm comes in where you have to be compliant with some self-regulatory standards or a regulatory sandbox to assess the effectiveness of the algorithms. Then, the explainability of the algorithms also has to be checked because that determines the business model behind selling and manufacturing the electric toothbrushes beyond consumer law issues.


Since, many technology companies who use AI technologies have to address such peculiar and interesting issues, oversight and regulation has become the buzzword. It depends how you use materialise either of them. You can involve the government to act as a regulator or create one, or you may have associations and bodies that can bring the bargain of multiple players on the table for consultation. Auditing and sandbox measures also can be used wisely. Alternatively, companies within their structure or a group of companies among themselves may create consultative or enforcing panels which can act in a "regulatory" fashion to conduct oversight. Recently, some trends have emerged among Twitter, TikTok, Meta and other technology companies, which affect the regulatory landscape in India, Europe and the United States.


Taking a dive into the regulatory systems of the EU, China, the US and India, this article analyses the legal workability and fungibility of technology oversight and regulation within the big tech companies and the "Red Tech" (technology companies which are Chinese entities considering aspects of ownership).

 

Regulatory Sovereignty: Recalibrations in the Global North & Reinventing Norms in the Global South


Now, there is no generic dichotomy among major countries on this assertion that governments cannot leave technology companies, especially MNCs like Meta, Bytedance and others astray, and some regulatory systems need to be built and enforced, in the fashion that governments and stakeholders would be comfortable with. India is a special case where the government and the stakeholders are proposing unique technology governance models as we see the upcoming G20 Presidency in 2023. The European Union is building sophisticated regulatory frameworks beyond the GDPR already, while the Digital Markets Act is already in force. Anu Bradford has argued the rationale behind the EU's stringent approach to digital governance regulations and legal instruments (such as GDPR, for example) in The Brussels Effect: How the European Union Rules the World (p.140-41):

While these internal motivations to integrate the European market provided the initial impetus for regulating data privacy, the EU’s current regulatory pursuits are also shaped by external motivations. Given the global nature of data processing and the importance of cross-border transfer of data—not just within the EU but across global markets—the EU has recognized the importance of promoting international standards for the protection of personal data. With the GDPR, the EU is thus also seeking to contribute to set the global standard on data privacy with other like-minded countries, cognizant that “if we do not shape standards now, others do,” emphasizing also that those alternative global standards that may emerge may be less desirable in requiring data localization, or leveraging data protection for censorship and state surveillance. [...] Foreign governments, companies, and business groups engaged in active lobbying to mitigate the costs of GDPR on their businesses. The US government was particularly active, opposing the regulation on the grounds that it would kill innovation and research, in addition to hindering national security cooperation. [...] Marketplace discourse is amenable to the idea that an individual consumer can trade his or her commodity—personal data—without strict oversight by public institutions. In contrast, EU institutions assume a strong role in the rights discourse where they have a central role in safeguarding the fundamental rights of its citizens. Alex Turk has described the distinctions between the United States and EU in a similar vein, noting how personal data is viewed as “tradable commodity” in the United States while considered “attributes of our personalities” in the EU.

Now, compare this with India's vision of technology and data governance, in the realm of "good" digital public infrastructure (DPI). The larger focus of the Government of India is to build centralised initiatives and systems to safeguard and utilise citizen identity in the digital realm for their welfare and accessibility. Considering the classification of India 1, India 2 and India 3 made in the case of consumers across the country, it is clear that for this decade, the Government is doubling down on accessibility and inclusion in the digital realm, through simplified digital governance measures and promoting technology companies & start-ups (with its own bureaucracy-level features and pitfalls, which are natural when risks are undertaken for good). An article published on DPI by Observer Research Foundation entitled Creating ‘Good’ Digital Public Infrastructure explains this core aspect of Indian technology governance:

DPI set up in areas critical to the functioning of an economy must be able to accommodate any unexpected increase in demand in the number of transactions or users, and also be able to respond to the evolving needs of a large and diverse set of users. Promoting and mainstreaming the use of open technologies—such as open-source software, and application programming interfaces and protocols, where anyone is free to access, use and share code—can be useful as they encourage collaboration and distribute the ability to solve population-scale challenges. [...] The technological and legal features of open technologies help governments avoid vendor lock-ins and, consequently, lower the costs of switching between vendors of proprietary software. The adaptability of open technologies is also useful in creating customised solutions tailored to local contexts. In other words, open technologies are a key enabler of citizen-centric innovation.

If we take India and the European Union into perspective, it is determinant that both the actors have a citizen-sensitive and conscious ethic behind building facets of digital governance. The difference lies in this: Europe will focus on sophisticated regulations (which even India would need sooner than later) while India would embrace building optimal systems which redefine many aspects of digital inclusion, especially for countries in the Global South. When we analyse the recent orders passed by the Competition Commission of India against Google on OEMs and online payments, it seems apparent that the Government intends to reshape certain first principle points and methods towards shaping digital governance before they develop sophisticated regulations at a statutory level. The approach is rational because in general, India's rule of law and natural justice paradigms are not interpreted nor enforced with a proper sense at the district level. For example, the Section 66A of the Information Technology Act, 2000, which was struck down by the Supreme Court of India in the infamous Shreya Singhal case, was still used to prosecute individuals at the state level.


Now, let us compare the US with the EU here for some perspective. When the Digital Markets Act came into being, the US Chamber of Commerce (USCC) expressed displeasure with the Biden Administration providing specific points of disagreement over the enforcing potential of the EU legislation. Sean Hather, the Senior Vice President of USCC explains the same in an article, whose excerpt has been provided therein:

In reality, some of the concerns raised by the Biden Administration on the DMA are sensible. This also shows that sophisticated tendencies over technology regulation, could be expressly stringent, and their practicality may be affected. The European Union has to be sensitive and adaptive with a sector-to-sector approach to shape the paradigms of technology regulation. This is where the maximalist scope and tendency of regulatory systems must be rationed for good. This also shows that leaving countries like India, Singapore, Japan, Israel, the United Arab Emirates, Saudi Arabia and related countries, regulatory tendencies are acting in a maximalist fashion, which may yield some results. However, Europe's approach creates some dysfunction in their regulatory capacity, which could indirectly affect markets in the United States and even India. This comes in when big technology companies based out of the United States and China are found responsible for anti-competitive practices. When the expectations of a regulator are maximalist or impractical, it is apparent that major corporate players may hedge the turmoil and impossibility that comes with those expectations to shape their ways. In the next section, it is discussed how certain major big technology companies are shaping regulation and oversight paradigms.


The Big Tech & the Red Tech


Let us form some proper context here. The term Big Tech refers to technology companies in the West, including the FAAMG companies. The term Red Tech refers to several Chinese technology companies or technology companies owned by Chinese entities, public and private. When technology companies of the Global North are taken into perspective, we understand that at least despite their intervening and curbing tendency, at least there is a passive case to develop consultative and dispute resolution measures to resolve better sophisticated global legal norms and compliance methods. In the case of Red Tech, the paradigm is dissimulated and uncertain, due to the techno-economic relations among the US and Chinese business communities. Similar may be said when it comes to Indian and Chinese business communities, be it investors, technology companies, facilitators etc. From a legal perspective, the United States is different from China in adopting regulatory oversight wherein their regulatory landscape is still flexible and consultative. In the case of China, the approach is becoming protectionist, thereby an effort to decouple the impact of technology and finance ecosystems in the United States. For sure, China can do that in stealth mode to avoid risks easily and build economic resilience. However, the legal purpose of their regulatory visions is blurring day by day. A certain set of provisions in the Cybersecurity Law of China reflect the same tendency:

Article 28: Network operators shall provide technical support and assistance to public security organs and national security organs that are safeguarding national security and investigating criminal activities in accordance with the law.
Article 37: Critical information infrastructure operators that gather or produce personal information or important data during operations within the mainland territory of the People’s Republic of China, shall store it within mainland China. Where due to business requirements it is truly necessary to provide it outside the mainland, they shall follow the measures jointly formulated by the State cybersecurity and informatization departments and the relevant departments of the State Council to conduct a security assessment; where laws and administrative regulations provide otherwise, follow those provisions.

Here is an excerpt from the Regulations on the Management of Security Vulnerabilities of Network Products approved by the Ministry of Industry and Information Technology in China, giving a clearly dissimulated outlook towards regulation and oversight.

This is where the Chinese model could get counterproductive when their regulatory landscape is dissimulated enough to become complicated. The US and Europe are stuck with the economic risks attached to the technology companies, while the Chinese have over-stringent regulations with steering some efforts towards building an economy of innovation (with Chinese characteristics). India's role becomes prone towards promoting technology for socio-economic development, which is reasonable for the global economy to promote entrepreneurship and better economic practices. Let us now estimate how certain technology companies have achieved or addressed the legal avenues of regulation and oversight.


TikTok's Issues on Surveillance and Auditing

Tiktok has been contentious due to its data and company ownership issues for long. However, the potential of a low-attention spanning app to surveil populations was not properly understood by several governments in the North Atlantic region. In 2020, India had banned the App among many of Chinese origin or ownership due to these subtle privacy and security issues. The justification of the Government of India was backed by two concerns, data privacy-security issues and international trade law applied on national security considerations, taking into reference that there were border clashes at Galwan in June 2020. Recently, the United States has raised concerns on Tiktok's surveillance features. Emily Baker-White explains this in an article for Forbes:

But an important factor distinguishes ByteDance’s planned collection of private users’ information from those cases: TikTok recently told lawmakers that access to certain U.S. user data — likely including location — will be “limited only to authorized personnel, pursuant to protocols being developed with the U.S. Government.” TikTok and ByteDance did not answer questions about whether Internal Audit executive Song Ye or other members of the department are “authorized personnel” for the purposes of these protocols. These promises are part of Project Texas, TikTok’s massive effort to rebuild its internal systems so that China-based employees will not be able to access a swath of “protected” identifying user data about U.S. TikTok users, including their phone numbers, birthdays and draft videos. This effort is central to the company’s national security negotiations with CFIUS. [...] Oracle spokesperson Ken Glueck said that while TikTok does currently use Oracle’s cloud services, “we have absolutely no insight one way or the other” into who can access TikTok user data. “Today, TikTok is running in the Oracle cloud, but just like Bank of America, General Motors, and a million other customers, they have full control of everything they're doing,” he said.

It is also clear that to express considerations to promote "transparency", Tiktok has made some express disclosures on privacy policies for European users. Here is an excerpt from the report:

TikTok updated its privacy policies for European users on Tuesday, adding explicit disclosures that personal data from the app may be viewed by employees in China. [...] In addition to China, TikTok data may be handled by employees in countries including Brazil, Canada, Israel, Japan, Malaysia, the Philippines, Singapore, South Korea and the US, the company said. Access to European user data, TikTok added, is allowed for “certain employees within our corporate group” and is “based on a demonstrated need to do their job.”

Observing this clearly shows that governments in the North Atlantic region are not developing clearer self-regulatory measures, considering the fact that Chinese entities can bear legal justifications for any dissimulated measures to create confusion and uncertainty over their compliance ethics in practice. Outright ban may be possible but the problem with oversight and regulatory ethics is not limited to jurisprudence in a top-down fashion. Restrictive laws can be made, but regulations work when the economic and political coordinates that affect how such regulations and measures may work, are understood. Economic uncertainty looms in due to the interpenetrated relations among Western and Chinese business community people and the directed usage of the technologies among people, not just from an angle of purpose, but also precision. Political uncertainty has less to do with the need to regulate. All regulatory and oversight bodies of any hierarchy are created to develop political consensus within a legal and administrative polity to involve stakeholders. Governments in the North Atlantic region have to develop practical interests to shape their regulatory landscape. For example, the concerns raised by the US Chamber of Commerce on the EU's Digital Markets Act (DMA) may be genuine. However, even some generic implementation of the GDPR (which also is a stringent regulation) was made possible. The European Commission may not conflate GDPR violations with antitrust issues directly, but they can use the sophisticated nature of GDPR and even the DMA to enable some interconnected impact of their regulatory strength. Some hedging has to happen because it is inevitable that maximalist positions (if based on first principles, which is the case with DMA and GDPR to some extent) can be diversified by several countries. In short, territorially, the EU is the epicentre of regulation-related disruptions, which even China intends to be. The problem is this: on data and antitrust, many markets including India are already critical of China. That is not the case with Europe. Of course, the situation with Tiktok shows that dissimulated and protectionist conduct in tech regulation may yield some hedged results, but cannot be pushed further in the long-term aspect.


Elon Musk's Ever-dynamic Approach for Twitter

There is no doubt that Elon Musk has a special ambition for Twitter. Most of the measures regarding content moderation have not changed. A decision has been made to form a content moderation council for managing Twitter. Much cannot be stated from a legal perspective except some trends regarding the App's moderation and advertising avenues. To keep Twitter paid or not as a whole or in different segments of use is not a legal issue, but to ensure compatible moderation standards and avoid clickbait advertising and hateful & deceitful conduct on the App could be intriguing. Making Twitter a private company has also to do with the lack of clarity the algorithms have as they process user tweets and encourage users to engage, which could become a legal dilemma if free speech is manipulated by algorithms to keep encouraging users to give reactive and overtly contrarian opinions on the platform. Additionally, Twitter has to address the role of technology regulation bodies across the world, including those in India, especially under the IT Rules of 2021. Musk had tweeted once that Twitter has to abide the laws and rules of the countries across the world and free speech laws of those countries are the prerogative of their system and people. Twitter also causes antitrust issues by making US stock markets volatile by mere tweeting on cryptocurrencies and company shares, which also can be addressed if possible. From a competition and data law perspective, Twitter may create a better example of technology regulation and effective business models if the flaws are addressed properly.


Apple's Security-Privacy Dynamic

Apple's business angle on their guarantees on Privacy against advertisements and the dispute with Facebook explains their security-privacy dynamic. For sure, Apple's products offer security options and convert their privacy-security options into business considerations. There are some genuine concerns shared by Spotify, Meta, Google and others on the 30% commission for hosting on the App Store. Interestingly, the case of antitrust breaches by Apple in India filed by Tinder is unique. Here is an excerpt which explains the reasons why had Tinder filed the same:

Match argues in its India filing that users in other countries often prefer to use payment methods which Apple does not permit, and in India a state-backed online transfer system was preferred. "Apple is therefore leveraging its dominant position in the iOS App Store market, to promote the exclusive use of its own payment solution," Mark Buse, head of global government relations for Match, said in the filing.

Even when the Competition Commission of India had imposed penalties on Google on the OEMs and the Android Device Ecosystem, their explanation on the non-substitutability of the Play Store and the App Store is intriguing:

Apple’s business is primarily based on a vertically integrated smart device ecosystem which focuses on sale of high-end smart devices with state of the art software components. Whereas Google’s business was found to be driven by the ultimate intent of increasing users on its platforms so that they interact with its revenue earning service i.e., online search which directly affects sale of online advertising services by Google. [...] The Commission examined the substitutability between Google’s Play Store for Android OS and Apple’s App Store for iOS from the perspective of all three demand constituents and found that there is that no substitutability between Google’s Play Store and Apple’s App Store. The CCI further noted that there might be some degree of competition between the two mobile ecosystems i.e., Android and Apple, however, that too is also limited at the time of deciding as to which device to buy. At that stage also, the CCI was of the considered view that the primary and the most significant factor in the mind of an end user is the hardware specification and the device price.

While antitrust is a genuine area where Apple could be affected in the North Atlantic region, another issue which Apple has to resolve is their impact on small businesses and the algorithmic dragnet which affects several users. Ben Thompson explains the impact of Apple's App Tracking Transparency (ATT) policy in Stratechery:

One of the interesting aspects of the company’s App Tracking Transparency (ATT) policy is that it very much touches on property rights. Most of the headlines (and, frankly, impact on advertising earnings) are about the unique Identifier for Advertisers (IDFA); post-ATT you only get the IDFA from end users if they agree to Apple’s prompt about tracking (which, it’s worth repeating, is much scarier than Apple’s own prompt). Apple can enforce this on a technical level: if you don’t agree to the prompt, then iOS simply doesn’t give you a valid IDFA. [...] However, ATT goes much further than this: it also decrees that you cannot “track” users using any other method; for example, a merchant as part of a sale almost certainly captures a user’s email address. However, that merchant cannot share that email address with Facebook, which would allow Facebook to match that purchase to an ad shown to a user with the same email address. Apple is not blocking this technically — all of this communication would happen on a server-to-server basis, not via the user’s iPhone — but they are blocking it legislatively, with the threat of App Review blocking the Facebook app.

Conclusion

Dysfunction is a real threat to self-regulation and owning the sophisticated and dissimulated form of operations that technology companies aspire for. There is some public discussion in place about the need to have public utility declared over platforms like Facebook, Twitter and others, by governments, in the US, India and other places. The problem yet remains unresolved even if that is being thought of: tech companies do not disclose enough and governments still fail to understand how the element of technology as a realm can be adjusted with the human element of accountability, privacy, foresight and explainability. There are genuine issues with political clarity but consultative engagement, for sure would legitimise the oversight and regulation bodies. Legal workability is the key to shape soft law principles which can be helpful.