Top trend: Cyber in high politics
Each month we analyse hundreds of unfolding developments to identify key trends and underlying issues which impact the work of policy practitioners working in these fields. In June, there was one main trend which trumped the rest.
US National Security Advisor Jake Sullivan’s prediction that President Joe Biden was about to meet Russian President Vladimir Putin ‘with the wind at his back’ was correct. Biden’s meeting with Putin was planned to take place after a string of summits with European leaders. It was a cleverly crafted schedule.
Embraces replace impasse
The Biden-Putin summit, held in Geneva on 16 June, came after three major summits in which embrace replaced impasse. In all three summits, cyber issues were high on the agendas, not least because of the spate of ransomware attacks that crippled some of the world’s critical infrastructures.
The USA needs a close relationship with Europe for several reasons. Stronger cooperation in cybersecurity can help make critical infrastructures and supply chains more resilient to malicious cyber activity. Both sides can deliver a firmer common message to malicious actors and those who harbour them.
In other areas of digital politics, a stronger US-EU alliance can offer resistance to China’s growing power and influence. It can help balance China’s growth in the 5G sector, and its increasing involvement in international standard-setting. While fully-fledged home-grown semiconductor industries in the USA and Europe are a far cry from becoming a reality, a US–EU alliance can help pool resources and boost capabilities.
At the G7 summit held in the UK on 11–13 June 2021, leaders expressed support for the policy priorities outlined by the Digital and Technology Ministers’ meeting in April 2021. These include collaborating on digital standards-setting, free flow of data, internet safety principles, and securing infrastructure supply chains. They also endorsed the commitment to a global tax system made by G7 finance ministers earlier in June, which will soon see a global minimum tax of at least 15% on multinational corporations, and a more equitable solution to the allocation of taxing rights among countries.
The leaders also said they would be furthering their work on how to apply international law to cyberspace, building on the work of the UN GGE, the OEWG, and the G7’s own work in cyber governance.
At the NATO summit held in Brussels on 14 June 2021, NATO Allies criticised both China and Russia for their aggressive actions. They also agreed that significant malicious cumulative cyber activities could be considered an armed attack, triggering Article 5 on collective self-defence.
At the EU-US summit a day later, Biden and the European Commission and European Council chiefs, Ursula von der Leyen and Charles Michel, announced the formation of a new high-level EU-US Trade and Technology Council. While the modus operandi still needs to be ironed out, the leaders reiterated their cooperation on standards, security, trade, and data governance.
By the end of the three summits, it became clear that the USA made a comeback in multilateral diplomacy, after a weakened period during former President Donald Trump’s tenure. Although time will tell whether Europe is truly convinced, the partners have been rallied.
Cyber detente replaces cyber tensions
A bigger test, however, is whether Biden and Putin’s reciprocal cyber commitments will materialise.
Biden’s main item of the agenda was to hammer the idea that Russia was expected to take steps against Russian-based cyber criminals involved in recent ransomware attacks. After the meeting, Putin confirmed that the two sides agreed to help each other determine where the cyberattacks are originating, and how to deal with them. (The White House was already working with the Russian government in investigating the attack on meat supplier JBS, and Russia had already declared it will extradite cybercriminals on a reciprocal basis.)
Referring to the list of 16 critical infrastructure sectors which Biden said were off-limits, the US President also confirmed after the meeting that experts from both sides will ‘work on specific understandings about what’s off limits’.
According to Russian Security Council official Sergey Boiko, ‘the ball is in the US’ court’. Speaking a week after the summit, the official said that ‘contacts are planned, we have put forward our proposals on this issue, President [Vladimir Putin] voiced our readiness, and now we are waiting for counter-proposals from our partners’.
The summits, which came right in the middle of the year, opened several windows of opportunity in digital issues. The next six months will determine their fate.
Sign up for more updates on cyber detente between the USA and Russia, via our dedicated space on the Digital Watch observatory.
Digital policy developments that made headlines in June
The digital policy landscape changes on a daily basis. Our aim is to save practitioners time: We decode, contextualise, and analyse ongoing developments, offering a bite-sized authoritative update. There’s more detail in each update on the Digital Watch observatory.
Global IG architecture
The G7 Summit, the NATO Summit, and the EU-US Summit featured discussions on digital policy issues such as taxation, standards, data flows, and infrastructure security. The Biden-Putin Summit saw the start of bilateral talks on cyber issues.
The Internet Governance Forum (IGF) held the second Open Consultations in the IGF 2021 cycle.
The International Committee of the Red Cross launched a Global Advisory Board on cyber threats during conflicts.
US President Biden revoked the bans on TikTok and WeChat and directed the Secretary of Commerce to investigate apps that may pose a risk to privacy or national security. Biden also expanded the list of Chinese companies barred from US investments.
E-commerce and Internet economy
The US House Judiciary Committee approved six bills aimed at curbing the dominance of large tech companies.
The European Commission and the UK launched antitrust investigations into Facebook. Germany started an investigation into Apple’s market position. The European Commission opened an antitrust inquiry into Google’s advertising services. France fined Google €220 million for abusing its dominant position in the online advertising market.
G7 leaders committed to cooperate on a global digital tax system.
El Salvador started accepting bitcoin as legal currency.
The US Supreme Court ruled in favour of a student’s freedom of expression in a case involving a Snapchat post filmed outside of school hours.
The European Commission adopted new standard contractual clauses for personal data exchanges.
The Council of Europe's Conference of ministers responsible for media and information society adopted a declaration and several resolutions on digital technologies and human rights.
Jurisdiction and legal issues
The Court of Justice of the EU ruled that a national DPA may bring any alleged GDPR infringement before a court of an EU member state even if it is not the lead authority. The Court also ruled that online platforms are exempt from liability for copyright infringing content unless they contribute to making it available.
The European Court of Human Rights confirmed the right to be forgotten.
The Court of Justice of the Economic Community of West African States ordered Nigeria to refrain from prosecuting Twitter, other social media service providers, and Twitter users without a court order.
Russia requires tech giants to open local offices.
New technologies (IoT, AI, etc.)
EU data protection bodies called for a ban on the use of AI for automated recognition of human features, including biometrics, in public spaces.
Canadian privacy regulators concluded that the police use of Clearview AI technology violated privacy rules. The UK Information Commissioner issued an opinion on the privacy implications of live FRT in public spaces.
After failing to agree on a final report in 2017, the UN GGE’s final report adopted in June was good news for multilateral diplomacy. Countries agreed on aspects related to existing and emerging threats; norms, rules and principles of state behaviour in cyberspace; and the application of international law, among others. Read our analysis.
Antitrust: Seven bills and a hearing
The appetite for tackling the market practices of the four Big Tech platforms – Google, Apple, Facebook, and Amazon – has long been felt in Washington. The House Judiciary Antitrust Subcommittee is at the forefront of the battle. The Senate’s own subcommittee is pitching in.
Led by Chair David Cicilline, the House Judiciary Antitrust Subcommittee has been going to great lengths to build a strong legal arsenal. Last year it conducted seven high-profile hearings with CEOs (including one with all four CEOs testifying), and gathered 1.3 million documents as evidence on antitrust practices. The investigations culminated in the publication of a 450-page report in October 2020, which harshly criticised GAFA’s behaviour, and recommended new laws and more vigorous enforcement.
In June, the subcommittee ramped up the fight with the introduction of a six-bill legislative package to tackle various harmful practices (and in some instances, companion bills in the Senate).
Two of them are of a more procedural nature: The State Antitrust Enforcement Venue Act would ensure that cases remain in the courts selected by state attorneys-general (AGs), rather than moved to a court which the companies prefer; the Merger Filing Fee Modernization Act increases fees in order to give authorities a financial injection to beef up their resources.
The other four bills, however, can cause serious damage to GAFA’s structures, business models, and services they offer (assuming the bills get through unscathed).
|The bill||Which practices does the bill intend to prohibit?||Which companies could be targeted by the bill and why?|
This bill is the most comprehensive, as it aims to prohibit a long list of harmful market practices.
Anticompetitive practices which the bill aims to prohibit include:
Google: The House Antitrust Subcommittee found evidence that Google leveraged its search dominance by ‘demanding that third parties permit Google to take their content, or else be removed from Google’s search results entirely’.
There’s also evidence that ‘Google required smartphone manufacturers to pre-install and give default status to Google’s own apps’.
When it comes to market intelligence, the company ‘covertly set up programs to more closely track its potential and actual competitors, including through projects like Android Lockbox’.
Apple: The same report said that Apple leveraged ‘its control of iOS and the App Store to create and enforce barriers to competition and discriminate against and exclude rivals while preferencing its own offerings’.
Facebook: Internal emails disclosed during the House Antitrust Subcommittee’s hearing on 29 July 2020 confirmed that the company used data to identify competitors and then ‘acquire, copy, or kill these firms’.
This bill is the most far-reaching, as it could force companies to break up into smaller entities.
The bill aims to prohibit Big Tech from having a dual role as an owner of a platform, and a seller on the same platform, saying this would amount to a conflict of interest.
Amazon: The bill, dubbed the ‘Amazon bill’, could potentially separate Amazon’s marketplace business from its seller business. The House Antitrust Subcommittee said that Amazon’s ongoing practice created ‘an inherent conflict of interest’, and incentivised the company ‘to exploit its access to competing sellers’ data and information’.
Google: The same can be said for Google, which owns its Play Store, and sells its own products.
The bill prohibits dominant platforms from acquiring other companies to expand their own market power, including smaller rivals.
Facebook: According to a Facebook senior executive, the company’s acquisition strategy is ‘a “land grab” to “shore up” Facebook’s position’. A former Instagram employee revealed that Facebook’s growth strategy was a matter of how to ‘position Facebook and Instagram to not compete with each other’.
Dubbed the ‘interoperability bill’, ACCESS aims to lower barriers to entry for other businesses by facilitating interoperability, and by making it easier for consumers to take their data elsewhere.
Apple: The company has been accused of sustaining high switching costs in the mobile operating system market. Such a bill could therefore force Apple to introduce new interoperable standards.
It will be a tough ask, as Apple has so far resisted changing its policies. In its legal battle with Epic Games (the developer of the popular game Fortnite), Apple insisted that its App Store restrictions are there to protect users’ privacy.
A seventh bill, the Tougher Enforcement Against Monopolies (TEAM) Act, was introduced in the Senate, with a whole other set of provisions for curbing anticompetitive practices. That’s just in June. Two other bills, the Klobuchar Bill (Amy Klobuchar is the subcommittee’s chair) and the Hawley Bill, were introduced in the Senate earlier this year.
The TEAM Act proposes a significant procedural change: all antitrust enforcement would be consolidated into the Department of Justice’s Antitrust Division. When it comes to market practices, the bill creates the rebuttable presumption (partly by relying on market share percentages) that mergers will harm competition, and it is up to the company to prove otherwise. (If the recent US District judgment in FTC vs Facebook has taught anyone a lesson, it's that percentages used in measuring the market share need to be backed by clear metrics and based on solid methodologies to avoid being dismissed as vague or speculative.)
Aside from the legislative push, the next major race in Big Tech is in the market for voice assistants. While everyone’s eyes were on Biden’s European summits, the Senate’s antitrust subcommittee’s hearing on 15 June was about Google and Amazon’s practices in this niche market.
Google and Amazon have already made headway, mostly by keeping the selling prices for their devices lower than it costs to manufacture them. The giant tech companies won’t bat an eyelid if they sell devices at a loss if it means expanding their business – they will simply subsidise the loss from other business lines. But for competitors, as the subcommittee heard from rival company Sonos’ senior executive, this is problematic.
The solution is not for challengers to copy the use of predatory pricing, even if they’re able to cushion the loss. Two wrongs don’t make a right. Rather, as the House subcommittee proposed, stronger legislation to restrain the practice with tighter enforcement is urgently required. Let the debates begin.
Sharing the pie: Countries agree on how to tax giant companies
Companies have long admitted that they need to pay their share of taxes. But there’s been one issue which countries were unable to agree on, and that’s how to share the pie, without being underhanded. A group of 131 countries have now found a solution: Tax companies where their users are based.
The new taxation rules, a result of years of negotiations overseen by the OECD, are concerned with the amount of tax which companies pay in the countries in which they operate. They are not specific to digital companies, but they will certainly affect them. There are two batches of tax rules under this new agreement (called Pillar One rules and Pillar Two rules).
The rules determine where multinational companies should pay their taxes in a fairer way than what the current system provides, and establish a minimum global tax rate of at least 15%. This minimum rate is one of the most important changes from the previous draft version of these rules, negotiated in October 2020.
Why are the new rules needed?
First, existing rules are based on a very old system where tax accrues in the country in which a company is headquartered. This doesn’t make much sense in the digital age, when these giant companies deal with users in practically every country around the world. Tech companies will therefore fall under these rules, regardless of where they are headquartered.
Second, companies have been able to employ some very creative practices – most of which are perfectly legal (tax avoidance is legal – evasion is illegal). A typical practice used by many giant US tech companies involved using the company’s intangible intellectual property to relocate profits to a tax haven, utilising subsidiaries in countries like Ireland and the Netherlands as conduits. Such schemes were given creative names too: from the Double Irish and the Dutch Sandwich, to the Single Malt avoidance strategies.
Which countries have agreed to the new rules – and who’s missing?
Negotiations at the OECD, with the involvement of 139 countries (called the OECD Inclusive Framework) have been going on for years. Of these, 131 countries have reached consensus on the new rules. These include all of the G20 countries.
The missing eight countries include three EU member states: Ireland, Estonia, and Hungary. A fourth EU country – Cyprus – was not even among the original group of 139. Ireland has been staunchly opposed to the rules: Its low-tax approach has been attracting companies; if it increases the rate, it could lose a tonne of business, and put at stake lots of jobs.
Yet, the OECD’s aim is to get everyone on board. Having 131 countries agree to the rules is already a big achievement, as that covers 90% of the world’s economic wealth. The remaining countries – and that includes the non-EU jurisdictions of Barbados, Kenya, Nigeria, Saint Vincent and the Grenadines, and Sri Lanka – will face considerable pressure to get on board, which if they do not, could end up in disputes with other countries.
The EU countries who are not yet on board will also face pressure from the EU. One of the EU’s main aims is to have a stronger Single Market. Such a market cannot really evolve if companies have to deal with 27 different EU tax frameworks. Plus, there’s a long list of other tax avoidance issues, described below, which the EU is also unhappy about.
For the USA, the new tax rules are the culmination of a different ball game. At the end of this process, the USA will have succeeded in establishing rules for large companies across every sector, rather than affecting only the giant companies in the tech industry, most of which are US-based.
What do the new tax rules mean for tech companies (and tax havens)?
Very large companies which generate more than €20 billion in revenues (the likes of Google, Amazon, Facebook, Apple, and Microsoft) will have to pay taxes on whatever profit they make above a 10% threshold. More importantly, they will have to pay these taxes in countries where their users or customers are based. This means that under this first batch of rules, described as Pillar One, tax havens’ days are numbered.
A second group of rules, described as Pillar Two, will apply to companies earning €750 million, or more, in revenues. There will be many more companies which will fall under this definition. The rules mean that even if companies shift their profits to lower-tax jurisdictions, there will still be a minimum 15% tax imposed everywhere (or almost everywhere).
What comes next?
The G20 finance ministers are expected to endorse this new agreement when they meet on July 9–10. This will mark the next step in sealing the deal.
Meanwhile, a lot of technical discussions will be needed to draft an implementation plan by October, which is the ambitious deadline set by the OECD. By the time the new taxes take effect in 2023, existing unilateral tax measures introduced by a handful of countries will be retired. The years-long negotiations are finally paying off.
CJEU rules on platform liability for copyright infringement
If users of video or file sharing platforms post content that violates copyright, are the platforms liable for the copyright infringement? Or are they exempt from liability? The CJEU provided answers to these questions in a recent ruling.
The latest ruling by the Court of Justice of the EU tackles two questions brought up by the German Federal Court of Justice on the responsibility of online platforms in these cases.
1. Are operators of online platforms infringing copyright rules if they simply host copyrighted content on their platforms?
In the context of article 3(1) of Directive 2001/29, the Court ruled that operators cannot be considered to ‘communicate’ such content, unless they actively contribute to the wrong-doing beyond merely providing access to their platforms.
Such a situation would arise if the operator:
- knows that the protected content is available illegally on the platform and does not take measures to delete or block it;
- does not put in place appropriate technological measures to effectively and credibly counter copyright infringement, although it knows or should know that users distribute content illegally via the platform;
- participates in selecting protected content illegally communicated to the public;
- provides tools on its platform specifically intended for the illegal sharing of such content or knowingly promotes such sharing.
2. Can online platforms be exempted from liability for the content they host?
In line with Article 14(1) of Directive 2000/31, the Court ruled that an operator can be exempted from liability if it simply performs a technical, automatic and passive role, and has no knowledge or awareness of specific illegal acts committed by its users relating to protected content uploaded to its platforms.
What’s the relevance and reach of this ruling?
The Court clarified that this ruling does not concern the Copyright Directive, which brings into play a new liability regime for copyright in the case of online content-sharing service providers, and which still needs to be transposed into national legislation by several EU states, despite the June deadline. One of the controversies in this new directive is about article 17, which says that providers ‘carry out an act of communication to the public’ whenever they provide access to copyright-protected content uploaded by their users, and, therefore, need to obtain an authorisation from the right holders.
But the CJEU ruling still carries relevance in the current legal context. On the one hand, online platforms not covered by the new directive (for instance, a not-for-profit online encyclopedia like Wikipedia) are still bound by the legal framework as interpreted by the CJEU.
On the other hand, the new liability regime is being challenged at the CJEU by Poland, and it remains to be seen whether and how the Court will interpret it.
Moreover, the CJEU judgment could also have implications for the proposed Digital Services Act (DSA). For instance, the DSA assumes that a provider has knowledge or awareness of illegal content (and thus become liable for it unless it acts to remove it or disable access to it) if it simply receives a notification from an individual or an entity that considers the content to be illegal.
In contrast, the CJEU ruled that actual knowledge refers to specific illegal acts, so liability would intervene only when providers do not take action on notified content for which it has been established that it infringes copyright. As such, commentators argue that the DSA would have to be amended in light of the court ruling.
Policy updates from International Geneva
Many policy discussions take place in Geneva every month. In this space, we update you with all that’s been happening in April. For other event reports, visit the Past Events section.
This event, organised by the Core Group on new technologies (Republic of Korea, Austria, Brazil, Denmark, Morocco, Singapore) and the Office of the UN High Commissioner for Human Rights, discussed the impact, opportunities and challenges of new and emerging digital tech. It focussed on the promotion and protection of human rights, paying close attention to challenges and issues that the Human Rights Council (HRC) should address in its work. The discussion also served to raise awareness of the HRC’s work.
Can better data contribute to making peace with nature? – 22 June 2021
The event, part of the 2030 Digital Fasttrack Studios series, was organised by the Graduate Institute and the Center for Trade and Economic Integration. The discussion tackled the collection and analysis of quality data in relation to the ocean, climate, and biodiversity.
Organised as part of the World Trade Organization's Simply Services seminar series, the event discussed issues related to connectivity, competition and collaboration in digital trade, and the impact of COVID-19 on online services. The issues were tackled in the light of the current e-commerce discussions taking place at the WTO.
Book launch: Internet Governance at the Point of No Return – 23 June 2021
Prof. Rolf H. Weber, the author of the book Internet Governance at the Point of No Return provided an overview of the most relevant legal principles that play a substantive role in internet governance. The author elaborated on the concepts of legitimacy, participation, transparency, and accountability.
12 Tours to Navigate Digital Geneva: Data Tour – 24 June 2021
The roundtable discussion, organised by the Geneva Internet Platform as part of the 12 Tours to Navigate Digital Geneva series, debated ongoing and further collaboration on data and digital issues among Geneva-based International Organisations.
Data Disrupts Trade: Exploring Innovative Solutions – 24 June 2021
Organised by the Graduate Institute and the Center for Trade and Economic Integration, this discussion addressed data flows in trade and the inclusion of data-related clauses in Free Trade Agreements. Close attention was paid to the divergences in addressing data flows by different stakeholders, especially in the context of WTO negotiations.
Organised a week after the Biden-Putin Summit took place in Geneva, this discussion took stock of the outcome of the summit, and what this meant for digital issues. Panelists discussed the impact of the new cyber detente on other global policy processes, and what to expect from the bilateral expert dialogue between the USA and Russia.
Upcoming global policy events: Are you tuned in?
Learn more about upcoming digital policy events around the world.
Issue 61 of the Digital Watch newsletter, published on 8 July 2021 by the Geneva Internet Platform and DiploFoundation | Contributors: Stephanie Borg Psaila (editor), Andrijana Gavrilović, Marco Lotti, Virginia (Ginger) Paque, and Sorina Teleanu | Editing and design: Aleksandar Nedeljkov, Viktor Mijatović, and Mina Mudrić | On the cover: Cyber in high politics. Credit: Vladimir Veljašević | Get in touch: email@example.com