Most of the ways that we protect people, especially with law, hinge on enforcement by a sovereign country. And, when the protection is against abuse in commercial spaces, most law is aimed at punishing individual companies. Regulating digital markets effectively, given their tendency to globalize and unbundle companies, will require more focus on international harmonization and supply chain accountability.
There’s a concept in technology design called service-oriented architecture, where each core function of a system is separated into a dedicated, standalone unit. All of the components of that system are then connected through an application programming interface (API). So, service-oriented architecture, as an approach, has designers finding or building the individual components of each core system function, and then connecting them using APIs. By focusing each component on its core function, designers can optimize their code without the dependencies or vulnerabilities that often come from highly connected systems. The risk, of course, is that when taken to scale, focusing on core functions externalizes the costs of maintenance. So, for example, every time you update one component, every component that connects to it has to adapt, often with very little project management, notification or support. Essentially, service-oriented architecture unbundles what would be a larger system into lots of component pieces, which optimizes each unit but can cause lots of side effects as it scales.
Technology companies are increasingly deploying the service-oriented architecture approach, not just to their tools, but to the way they structure their companies. As sovereigns begin to legislate around data rights, market regulations and security authorities, companies are beginning to rethink their own corporate architecture. Increasingly, companies are disaggregating individual components of a company in order to optimize for beneficial regulations; one might call this service-oriented incorporation.
The earliest and most obvious example of this dynamic comes from taxation. Companies often choose where to incorporate their business, based on a country’s law and whether or not it is beneficial. As companies expand, that often means restructuring their corporate structure in order to minimize the company's global tax liability. For example, Ireland gave technology companies tax rates so favourable that the European Union . A significant number of technology companies moved their European headquarters to Ireland to take advantage of the rates. But taxes are just the tip of the iceberg — nearly every type of market regulation creates an opportunity for service-oriented incorporation. And, while Europe has inarguably led the globe in harmonization with its “one-stop shop” for digital regulation — the General Data Protection Regulation — even that agreement is starting to fray as data protection authorities diverge on approach.
The counterargument to consumer protection — at least in digital regulation — is surveillance and sovereign security powers. Australia, for example, recently passed a law that enables them to compel companies to give them a back door to their end-to-end encryption, functionally introducing a huge security vulnerability. This is different from what’s being done in countries actively banning end-to-end encryption, like China, Russia and Turkey — the law doesn’t ban encrypted services, but it gives the Government of Australia the power to force the creation of a vulnerability. As a result, a number of privacy and security-oriented firms are threatening to leave Australia, or trying to rearchitect themselves in order to limit their exposure to Australian authority.
The most prominent corporate example of service-oriented incorporation, of course, is Alphabet, Google’s parent company. Google created Alphabet to avoid antitrust scrutiny. Google had learned its lesson from United States v. Microsoft Corp. and the ensuing decades of anti-competitive regulatory scrutiny. In 2001, the United States had brought an antitrust case against Microsoft, claiming that Microsoft’s Windows was a monopoly, and that bundling its browser, Internet Explorer, into the operating system constituted anti-competitive practice. In the end, the parties settled — but that settlement required Microsoft to expose its APIs to third-party developers and to appoint an independent oversight body, with full access to the company’s records, systems and code.
Google, similar to Microsoft’s dominance in operating systems, had achieved comparable dominance in search — and a growing breadth of acquisitions in everything from health care to infrastructure. Google’s creation of Alphabet, and its subsequent corporate spin-out of a range of companies, was a direct attempt to manage its regulatory threat surface: it didn’t functionally partition its backend or dispossess common investors, all of which raises significant questions about whether the reorganization had any real effect on its competition practices. Google’s transition to Alphabet wasn’t a win for consumer protection or antitrust, but it was a clear example of companies reorganizing their corporate infrastructure to adapt to new regulatory threats.
Whether for necessity or profit-maximization — if they can be separated — technology companies are taking service-oriented incorporation approaches to limit the impact of the regulation of digital spaces. While Alphabet’s creation is perhaps the largest attempt at service-oriented incorporation, the same tactics are often used to limit corporate accountability. From Cambridge Analytica to Blackwater, there’s plenty of evidence that it’s easier to register a new company than to reinvent a market.
While it’s easy to ascribe this trend to optimization or greed, it’s also worth recognizing that many companies are simply trying to manage the liability inherent in a rapidly changing, poorly harmonized global regulatory context. Sovereigns are taking a clearly self-interested approach, often unilaterally passing unharmonized laws that have transformative impacts on operations, product design and employee safety. The lack of global agreement on basic regulatory principles makes the stakes high enough that even company CEOs are calling for regulation.
The global policy dialogue seems to be waking up. The Group of Twenty’s meeting this summer will focus on, in part, global rules for data governance. Existing governance mechanisms are not up to the task of governing data; new institutions are needed as much as, if not more than, new rules.
In the meantime, digital governance policy itself should refocus in two key ways: it needs to shift from national legislation to building international harmonization, and it needs to find ways to embed public interest accountability into supply chains and global markets. As it stands, the global policy landscape isn’t designed for the dynamism of digital spaces or the kind of nuance that data governance requires. As a result, most decisions about public data governance are made by sovereigns, in regulations or bilateral treaties, without any participation from or exposure to the range of perspectives and interests affected.
Similarly, the majority of data governance decisions are made through private relationships and sealed in opaque contracts, whether the parties are individuals, companies, non-profits or governments. The most meaningful and fastest way to begin addressing the failures of data governance is not for public bodies to declare top-down rules, but to give individuals and markets the tools they can use to hold companies responsible themselves.
In many ways, we’re still in the early stages of data governance and its attendant policies. We’re far enough along in corporate governance and regulation, though, to know how regulatory disagreements between companies and countries can escalate into world-changing abuse. If we’re serious about building data governance, we’ll need to make sure that it works the way technology does — through global, unbundled supply chains.