Digital policy trends in October
1. Courts to revisit privacy cases
This month, courts have been asked to revisit two privacy-related issues. The first is the applicability of search warrants over servers in other jurisdictions, in the so-called Microsoft search warrant case. Last year, a US Court of Appeals ruled that the US government could not use a search warrant to force Microsoft to turn over e-mails stored in a data centre in Dublin. This month, the US Supreme Court decided to review the case again, re-opening the jurisdiction issue.
In the second case, the Irish Court will ask the Court of Justice of the European Union (CJEU) to determine whether certain clauses in the EU-US Privacy Shield provide enough protection for European users’ private data.
The final rulings in both cases will have widespread implications. If the US Supreme Court finds that search warrants are enough to request overseas data, this will endanger privacy protection and will expose Internet companies to requests by other countries, a concern which Microsoft has already expressed. As for the Privacy Shield, a lack of adequate protection would re-open delicate negotiations between the EU and the USA over westward data transfers.
Once again, the fact that the courts have been asked to rule on privacy aspects confirms their de facto status as rule-makers in digital policy.
2. Robots: To be or not to be?
Developments in artificial intelligence (AI) picked up pace throughout the year, with governments earmarking substantial funds for research and development (and appointing high-level officials, such as the new Minister for AI in the UAE), and the private sector making big strides in machine learning, robotics, and wider applications of AI. As innovation moves forward, so do the regulatory requirements. Whether it is a driverless car, a drone, or an automated delivery system, governments will need to ensure there are rules in place that consider security, liability, ethics, and the impact on the economy and society. Eventually, they will need to tackle the legal status of robots.
Estonia ‒ a country well-known for its forward-thinking approach to technology ‒ has announced it is working on legislation to address the legal status of AI.
One proposal under consideration, Bloomberg reports, is to create the concept of a ‘robot-agent’, which falls between a separate legal personality and an object that is someone else’s property. This would entail giving robots some form of rights and responsibilities.
Earlier this year, the European Parliament called on the Commission to consider creating a specific legal status for robots. In particular, MEPs suggested that through the status of electronic persons, sophisticated robots could be held liable for damages.
Just as the concept of legal status is important in many areas (such as corporate, competition, and tort law), the question of the legal status of robots may soon become an important area for policymakers and the legal sector.
3. Automation to affect 30% of jobs in OECD countries
Among other sectors, the work of hairdressers, barbers, and personal care professionals is less likely to be automated, while financial professionals are more likely to be replaced by computers.
As predicted in January, jobs and employment are high on political agendas this year, since they are directly affected by the digital economy. Automation has been rendering millions of jobs in traditional industries obsolete.
This month, a PricewaterhouseCoopers (PwC) report has predicted that 30% of jobs in Organisation for Economic Co-operation and Development (OECD) countries are at risk due to automation.
The Young Workers Index 2017 report, which compares the level of participation in employment, education, and training of young people across 34 OECD countries, states that the risk of automation varies considerably across industries, with transport, manufacturing, and retail facing some of the largest risks, while health and social work, arts and entertainment, and education face the lowest risks.
Similar predictions were made by the World Bank in its 2016 World Development Report, which noted that jobs in hotels, restaurants, and hairdressing salons are less likely to be automated, compared to jobs in agriculture and the financial sector.
The PwC report also outlines several recommendations on how governments and the private sector can support workers in the automated world. Most of these recommendations focus on education, and include broadening education and training options for young people during school; focusing vocational training on science, technology, engineering, and mathematics (STEM) areas, as these jobs tend to be less at risk from automation; and engaging employers in training strategies.
Pressure will be on governments to support the creation of new jobs that replace those made obsolete, and on the private sector as the main beneficiaries of the digital economy. The Future of Work is a central theme of a series of events organised in preparation for the 2019 centennial anniversary of the International Labour Organization (ILO).
IG Barometer for October
The monthly Internet Governance Barometer of Trends tracks specific Internet governance issues in the public policy debate, and reveals focal trends by comparing the issues every month. The barometer determines the presence of specific IG issues in comparison to the previous month.
Global IG architecture
Countering terrorist content was a special focus of the G7 Interior Ministers’ meeting (Ischia, Italy, 19‒20 October). The ministers discussed the issue with representatives of Facebook, Google, Microsoft, and Twitter, and agreed that the private sector should find solutions for removing content within 1‒2 hours. The G7 also committed to 'explore the design and implementation of a global law enforcement platform, hosted by Interpol' to investigate terrorist content. This was the first time that the Internet industry was invited to a G7 meeting.
In a joint meeting of the Economic and Social Council (ECOSOC) and Second Committee of the UN General Assembly, the UN Deputy Secretary-General warned that despite profound potential for accelerating progress on the SDGs, technology risks exacerbating existing inequalities if technological progress is not managed well.
A new ransomware, Bad Rabbit, spread around the globe with the help of a leaked NSA exploit exposed by a hacking group, security researchers confirmed.
A new report has said that 'basic IT security' could have prevented British hospitals from being attacked by the WannaCry ransomware outbreak in May. Meanwhile, the British security minister said that ‘it was widely believed in the community and across a number of countries’ that North Korea was behind WannaCry.
Yahoo! has confirmed that all 3 billion accounts were hacked in 2013. Last December, the company had said that data from over 1 billion accounts were compromised back then; this month’s confirmation triples the number of the largest breach in history.
The security protocol used to protect the majority of Wi-Fi connections around the world ‒ known as the WPA2 protocol ‒ has been broken.
E-commerce and Internet economy
Several countries have tabled a number of papers in preparation for the 11th Ministerial Conference (MC11) of the WTO, taking place in December, in Buenos Aires. Read our analysis on page 7.
Russia is proposing a regulatory framework for cryptocurrency. Concerns with money laundering and tax evasion are the main reasons for the proposed regulation, which is expected to be introduced by the end of the year. In Ukraine, a new proposal aims to legalise all cryptocurrency transactions in the country.
At a meeting of the European Council, EU leaders agreed that companies needed to pay their fair share of taxes, and referred to the need for a global level playing field ‘in line with the work currently underway at the OECD’. This is considered a setback for the French President, who is planning to secure an EU agreement on revenue tax, independent of the OECD. Meanwhile, the OECD has received public comments on new international tax rules. The comments will contribute to an interim report, to be launched in April 2018 at the G20 Finance Ministers' meeting.
The European Commission has found that Luxembourg provided illegal tax benefits to Amazon of around €250 million. The company needs to repay the sum as back taxes. It is expected to appeal.
Following a decision by Transport for London not to renew Uber’s licence in the UK capital, the company has filed an appeal, which is expected to take months to be decided. In Norway, Uber decided to suspend its unlicensed service UberPOP in Oslo, to give time for new regulations to be introduced in the country.
The pan-European data regulator, the Article 29 Working Party (WP29), has set up a taskforce to tackle concerns over user data sharing by Facebook and WhatsApp. Meanwhile, the regulator issued new guidelines on personal data breach notification under the GDPR.
The Dutch registries for .amsterdam and .frl gTLDs have decided not to provide public access to Whois records containing information about the registrants of domain names, as this would go against Dutch privacy law.
Cameroon faced another Internet shutdown amid renewed protests in its Anglophone regions.
Jurisdiction and legal issues
The US Supreme Court has decided to review Microsoft’s search warrant case, while Ireland's High Court announced it would ask the CJEU to determine whether the Standard Contractual Clauses introduced in the EU-US Privacy Shield provided enough data protection to European users.
In Australia, Google lost its appeal of an Australian court decision which held that Google had defamed a user by 'publishing defamatory material about her in its search results'. Once Google was notified with a request to remove the defamatory material from its search results, it was duty-bound to act within a reasonable time.
London is planning a new cyber court to tackle cybercrime and fraud in the financial sector.
North Korea established a new Internet connection via the Russian TransTeleCom’s network, which now handles around 60% of North Korea’s traffic. Until now, the country was connected to the global Internet solely through China Unicom.
The ICANN Board has issued a new resolution on .amazon, asking the Governmental Advisory Committee whether it has any new or additional information regarding its previous advice that the applications for .amazon should not proceed.
The Body of European Regulators for Electronic Communications (BEREC) has announced new initiatives on net neutrality. It decided to develop a net neutrality opt-in measurement tool, to be used by national regulatory authorities (NRAs) and end-users to measure the quality of Internet access services. It also adopted a net neutrality regulatory assessment methodology, aimed to assist NRAs in monitoring and supervising the implementation of the Open Internet Regulation.
The Federal Network Agency in Germany decided that Deutsche Telekom’s StreamOn service partially violates net neutrality rules, since the company does not treat video and audio services equally in consumers’ mobile phone tariffs.
New technologies (IoT, AI, etc.)
Estonia is working on legislation aimed to address the legal status of AI systems.
An independent report commissioned by the UK government outlines recommendations to transform the UK into ‘the best place in the world for businesses developing and deploying AI to start, grow, and thrive’.
The United Arab Emirates has launched an AI strategy and appointed a State Minister for Artificial Intelligence. In its second annual report, the AI Now Institute at New York University has called for more accountability in AI systems.
In its Policy Principles on AI, the Information Technology Industry Council advises governments to ‘use caution before adopting new laws, regulations, or taxes that may inadvertently or unnecessarily impede the responsible development and use of AI’.
Geneva digital developments
Many policy discussions take place in Geneva every month. The following updates cover the main events of the month. For event reports, visit the Past Events section on the GIP Digital Watch observatory.
The United Nations Conference on Trade and Development (UNCTAD) launched its Information Economy Report 2017: Digitalization, Trade and Development, at the Palais des Nations, in Geneva, on 3 October, 2017. The report looks at the trends in digitalisation and examines how information and communication technologies (ICTs) are impacting global trade and development. In addition, by providing data and statistics, the report aims to encourage policymakers to engage in evidence-based discussions on this topic, and to adopt legal frameworks adapted to changes in digitalisation. The report’s measurements of the digital economy point to its fast growth, especially within developing countries, but there are still major digital divides that need to be factored in. As such, it was noted during the event that, to tackle trade, development, and digitalisation issues, the dialogue between trade and Internet governance communities needs to be strengthened, and coordination needs to be improved across stakeholders.
The group’s first meeting took place from 4 to 6 October, in Geneva. In a context in which the digitalisation of economic activities and trade becomes increasingly relevant to achieving the sustainable development goals (SDGs), UNCTAD brought together governments and experts from international organisations and the non-government sector to discuss how developing countries can harness the benefits of e-commerce. The meeting also touched on the importance of strengthening physical and technology infrastructure in developing regions and of developing partnerships between developed and developing countries. Warnings about the disruptive potential of platforms on the economy and on labour standards were also advanced by some experts.
The lecture, delivered by economist Jacques Attali at the closing of the 2017 Latsis Universitaires Prizes ceremony, focused on whether and how humanity can put AI at its service. Attali identified several shortcomings of AI, some of which not only stand as future pitfalls, but can already be observed (such as the impact of AI on the labour market). Maintaining that AI should be put ‘at the service of humanity’, Attali then enumerated the many ways in which this could be done in areas such as medicine, security, and even policymaking. He finished with a warning: despite the benefits of AI, humanity should not forego the task of developing its own intelligence, individually and collectively.
Held on 17–19 October, the first meeting of this group set up by the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) was dedicated to identifying and analysing distributed ledger technology-based applications and services; drawing up best practices and guidance which support the implementation of those applications and services on a global scale; and proposing a way forward for related standardisation work in the ITU-T study groups. The contributions focused on horizontal relevance use cases (data access control, security, and identity management) and vertical, industry-specific environments such as telecoms, fintech, energy, and supply chain management as high-priority. Four working groups were established: (1) State of the art: ecosystem, terminology & definitions, concepts; (2) Applications & services; (3) Technology reference framework; (4) Policy reference framework.
Geneva Digital Talks tackling technology, jurisdiction, and cybersecurity
Digital governance solutions for cybersecurity, and overcoming policy silos are among the aims of the newly launched Geneva Digital Talks, an initiative of the Canton of Geneva, digitalswitzerland, and the Geneva Internet Platform. They were launched on 12 October, with a panel discussion on the benefits of a multidisciplinary approach to cybersecurity.
The talks will contribute towards finding inclusive and sustainable digital governance solutions by encouraging the participation of Geneva-based organisations in global cyber discussions. Events discussing technology, policy, prevention, and jurisdiction in relation to cybersecurity are coming up in November:
- 1 November – Tweetup: Current Internet governance challenges
- 3 November – How can technological solutions advance cybersecurity?
- 9 November – Preventing cyber conflicts: Do we need a cyber treaty?
- 9 November – Current Internet governance challenges: What's next?
- 28 November – Where to protect my legal interest in digital disputes?
GDPR: Integrating human rights into business practices
The EU General Data Protection Regulation (GDPR) is now only months away from entering into force (May 2018). There have been numerous debates as to how it will change the landscape of data protection in the EU and beyond. But looking at the broader picture, the GDPR brings an important aspect into sharper focus: the integration of human rights into business practices.
Under the magnifying glass: rights and obligations
Most of the discussions surrounding the GDPR are related to the strict terms it will introduce when it comes to the protection of personal data, the rights that users will have, and how these will be ensured. In this regard, the new law introduces several obligations for data controllers (those who decide which data should be collected and how it should be processed) and data processors (those who hold or process the data).
They are, for example, asked to put in place appropriate technical and organisational measures to ensure the security of the personal data they process. If, despite such measures, personal data breaches occur, controllers need to notify the data protection authority, and in some cases, the affected individuals, when the breach risks affecting their rights and freedoms. Implementing these provisions can be a difficult task, and this is why, earlier this month, the Article 29 Working Party published a set of draft Guidelines on personal data breach notification (under public consultation until 28 November).
The broader picture: human rights and business practices
From a broader perspective, the GDPR is one of the first legal acts to firmly introduce the notion that digital rights need to be integrated into the business operations and strategies of companies.
The intersection between business and human rights is not a new concept. The UN has already made progress in this area, through, for example, the UN Guiding Principles on Business and Human Rights. The importance of creating businesses that are built on respect for human rights has been mostly related to their traditional, 'offline' practices. When it comes to rights that affect their online conduct, such as privacy and freedom of expression, their integration into business has been less straightforward. In this context, the GDPR stands out as one of the first instruments that provides a concrete answer on how to practically incorporate human rights – in this case the right to privacy and data protection – into businesses’ online operations.
To start with, the GDPR is imposing a set of specific rules and requirements for handling personal data. The implementation of these requirements has a significant impact on how business operations are designed. This is illustrated, for example, by the privacy-by-design concept which requires businesses to implement human rights standards from the very beginning of the production process. The privacy impact assessment, which becomes mandatory, is another illustration. The right to privacy and data protection will therefore become a paramount factor when developing new business plans and strategies.
Another important aspect of the GDPR relates to penalties and sanctions. The biggest concern of many Internet companies operating in the EU has traditionally been the consequences of non-compliance with competition law and other areas that are related to trade and relations in the internal market, due to high penalties and strict sanctions. The well-known penalty of 10% on worldwide turnover for undertakings in breach of EU competition law is one of the most severe, and indicates the importance of competition law for the EU and its member states.
Interestingly, the GDPR introduces similar sanctions, which are not so common in the human rights area. The maximum fine of €20 million, or 4% of a company’s annual global turnover (whichever is higher), for not complying with certain GDPR provisions, highlights the significance that the EU also places on data protection. In addition, the fact that the EU has opted for a Regulation for privacy and data protection (which is directly applicable to member states), puts more emphasis on human rights and related responsibilities for businesses.
There are different arguments that seek to explain why the EU has chosen this approach, given that data protection has become a business issue with serious implications for the internal market, and that data has become a main trade unit. The reality is that the GDPR’s overarching aim is the protection of the rights of individuals where it concerns the handling of their personal data. Therefore, the core of the GDPR lies indisputably in the area of human rights, regardless of its implications in other fields. The biggest contribution that the GDPR brings to the human rights area, therefore, is the strong link it creates between human rights and business practices.
WTO Ministerial: Towards a compromise on E-commerce
E-commerce will be one of the main topics on the table during the WTO’s 11th Ministerial Conference (MC11) in December, in Buenos Aires. The backdrop for this discussion is the growing relevance of e-commerce for the modern economy and the applicability of the existing WTO e-commerce framework, which has been in place since 1998.
Digital policy issues, such as data localisation, interoperability of standards, or access to the source code, are increasingly framed as trade-related issues. Should the WTO negotiate new e-commerce rules? Some are in favour, some are against. Others are proposing a compromise between the camps, by focusing either on the process, or on specific issues. Among the proposals is the creation of a working group (WG) or a working party (WP) on e-commerce, with differing views on its potential mandate. The following highlights the main proposals made in October.
With the clock ticking fast and with polarised views on the table, it seems unlikely that a negotiating mandate on e-commerce will be approved at MC11. However, there could be room to identify a zone of possible agreement on priorities and frameworks. The possibility of starting plurilateral discussions under the WTO has not been ruled out either. At the present stage, perhaps the journey is more important than the destination: e-commerce discussions have given member states the opportunity to reach a better understanding of each other’s positions and frustrations, and to question the remit of international organisations in the increasingly interlinked digital and trade policy spaces.
5 Steps to Help You Get Ready for the IGF
The 12th Internet Governance Forum (IGF) meeting is around the corner. With less than two months left before the meeting on 18–21 December, it is time to start prepping.
What can we expect?
‘Shaping your digital future’ is the theme of the 12th IGF, which will take place at the United Nations Office in Geneva. The meeting will feature more than 200 sessions, including high-level sessions and main sessions, workshops, open forums, dynamic coalition meetings, and sessions organised by national and regional IGF initiatives.
All these will focus on a wide range of Internet governance and digital policy topics, from digital rights to cybersecurity and cybercrime, from sustainable development and the digital economy, to the digital divide, the IoT and AI.
Newcomers to the IGF will have a dedicated track, aimed at integrating them more easily into the meeting. There will also be the traditional IGF Village, where more than 40 organisations active in the field of Internet governance will promote their work, and an Art@IGF project, which connects digital policy with art in an interdisciplinary exhibition of today’s digital issues.
So, what can you do to prepare for the meeting?
Issue no. 25 of the Geneva Digital Watch newsletter, published on 31 October 2017, by the Geneva Internet Platform (GIP) and DiploFoundation. Contributors: Stephanie Borg Psaila, Guilherme Cooper Vicente, Jovan Kurbalija, Virginia Paque, Marilia Maciel, Adriana Minović, Roxana Radu, Vladimir Radunović, Barbara Rosen Jacobson, Sorina Teleanu | Design by Viktor Mijatović, layout by Aleksandar Nedeljkov, Diplo’s CreativeLab