It is safe to say that the ‘techlash’ has well and truly arrived. It seems that barely a week passes without a new headline warning of the risks and perils of ‘big tech’ and the misuse of data.
We are arguably at an inflection point — a recognition that the impact of technology on society is not confined to one sector or industry, but has become truly embedded in (and disrupted) all aspects of daily life. It has never been more important to ensure public trust in technology and its providers, and it has never been clearer that such trust is built on shaky foundations. It is no wonder that calls for regulatory action are increasingly being met with governmental responses.
Although the current approach is complex and fragmented (both globally and, often, by subject matter), there is no time to wait for global consensus to emerge. Businesses in every sector will need to monitor and approach compliance comprehensively, holistically, and with an eye towards driving standardisation over time in order to remain ready to respond to the digital age.
From a policy perspective, today’s US-based technology industry was born and evolved in an era of comparatively ‘permissionless innovation’. In this vision, the internet itself was a global, borderless playground where anything was possible, and anyone could invent the ‘next big thing’ with minimal barriers to entry and without the need to navigate a complex web of local and overseas laws. Seeking to control or place limits on the industry, and indeed the internet itself, could thus stifle the atmosphere of innovation that gave rise to today’s tech giants. In technology parlance, the relative under-regulation of the industry and the companies operating within it was seen as a feature and not a bug.
The first clear indication that this state of affairs could not continue was seen in 2013, with the publication of documents leaked by former NSA contractor Edward Snowden. These documents detailed the extent of mass surveillance conducted by the US government, allegedly with the involvement, knowingly or otherwise, of US-based technology companies. This prompted an intense mistrust of US technology companies and the fear that such companies may no longer be capable of ensuring the privacy of personal data, particularly from government surveillance.
Then, in 2016, consulting firm Cambridge Analytica acquired and used the personal data of millions of Facebook users with the intention of (invisibly) influencing the political process. This scandal revealed more about how data and technology can be misused in ways that consumers might never have anticipated.
These revelations, and those that followed it, have clearly and significantly damaged trust in the technology industry, and have led to a fundamental rethink of the formerly ‘light-touch’ approach to its regulation. Regulation specific to, or targeted at, the industry and its participants is quickly proliferating, including regulations targeted at online harmful content, encryption and the use of algorithms and other data-driven technologies.
In general, the role of regulation in society is multi-faceted. It is often viewed as a way to monitor and regulate behaviour and prevent harm, whether to individuals, companies, states or society more broadly. This perspective applies equally to recent technology regulation, which often seeks to:
- in the case of the EU General Data Protection Regulation and regulatory action taken by consumer protection regulators against technology companies, protect individuals in respect of the misuse of their data by others;
- in the case of regulation addressing online harmful content, protect society from the detrimental impacts of the wider proliferation of this content;
- in the case of regulation addressing critical national infrastructure, protect these key industries and infrastructure from hacking and security risks; and
- in the case of regulation addressing foreign direct investment, protect states from the perceived security risks of allowing such investment to proceed unchecked.
- However, this narrower lens ignores the critical role that regulation can play in building trust. If implemented in a way that drives toward a coherent and holistic global standard, regulation can help industry participants to establish or maintain a social licence to operate, and accordingly create an environment for their activities to flourish.
For example, the nascent aviation industry could easily have been stalled due to consumer suspicion about safety and performance. Instead, the establishment of a clear and coherent regulatory environment (national and international, and supported through industry stakeholder participation, co-regulation, and co-operation) helped the industry to establish consumer trust and consequently, achieve widespread acceptance.
It is not difficult to envisage a similar role for technology regulation, and one that is sorely needed. The current technology regulatory landscape is changing rapidly, often in a way that responds reactively with the aim of regulating behaviour in response to specific events or concerns. This does not lessen the imperative for businesses to understand and comply with these regulations now. However, it does mean that all stakeholders have a role to play in driving global standardisation of technology regulation, in order to (re)build trust in the technology industry and the digital economy more broadly.
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2021