Consensus, driven by stakeholders, used to be the default method of internet governance both in the United States and by its allies in Europe and elsewhere. Under this approach, instead of imposing government rules on digital companies, national governments largely deferred to the decisions of groups composed of industry representatives, academics, technical experts and civil society members. China never accepted this model, arguing instead for “internet sovereignty,” whereby the online world would fall under the jurisdiction of national governments. Many other governments have followed this approach.
Indeed, without quite saying so, many governments around the world have quietly abandoned multi-stakeholderism. It turned out that, without legally enforceable requirements, this model proved ineffective at digital governance. Centralized online regulations have been adopted or are pending in Australia, Canada, the European Union, Germany, Ireland, the United Kingdom and the United States.
But multi-stakeholder groups should have a new role to play in a world in which national governments set the rules for digital industries. Technical and industry experts, as well as independent civil society organizations knowledgeable in this space and representing marginalized, underserved voices, can and should provide vital guidance to regulatory agencies seeking to implement new digital rules and laws.
Susan Ness, a former commissioner of the US Federal Communications Commission and now a distinguished fellow with the Annenberg Public Policy Center (APPC) at the University of Pennsylvania, and Chris Riley, former lead of the US State Department Internet Freedom program and now the principal of Cedar Road Consulting and a distinguished research fellow at the APPC, have called for a modular approach to implementing digital legislation. “Working with civil society and the tech industry,” they argue, “transatlantic governments would recognize common ‘modules’ — discrete standards, protocols, codes of conduct, or oversight systems — as satisfying the requirements of their separate regulatory regimes.”
This is a promising approach. Legislation cannot determine all details of a new digital regulatory regime. Typically, legislatures authorize a regulatory agency to make key implementation and extension decisions. Australia has established a new agency, the eSafety Commissioner (eSafety), for this purpose, and Canada appears likely to follow this model. The United Kingdom and Ireland would assign this role to their traditional media regulator. A directorate of the European Commission would implement and enforce the European Union’s new Digital Services Act. In the United States, most proposals call for its consumer protection agency, the Federal Trade Commission, to be the digital regulator.
Multi-stakeholder groups can help by developing specific approaches to implementing legislative requirements. Ness and Riley think these groups can help develop “systems for vetting researchers and approving their access to platform data” and “vetting procedures, minimum standards and oversight of independent auditors seeking to conduct risk assessments and algorithm impact audits.” Indeed, such tasks could especially benefit from the broad perspective, expertise and legitimacy these groups bring to the table.
They might, for instance, produce a creative compromise concerning the vexing policy challenge of balancing user privacy with the needs of researchers and auditors. Some successes in this regard could help provide proof of concept that would encourage agencies to adopt this approach.
This approach also holds out the attractive possibility of jurisdictional interoperability. For Ness and Riley, this is the principal rationale for multi-stakeholder implementation. If the multi-stakeholder recommendations are good enough to satisfy legislative requirements in one jurisdiction, the same implementation approach might work in others, even if the underlying laws differ. This uniform approach across jurisdictions would benefit industry, regulators and users alike.
There are ways forward, other than ceding public authority to private entities, that can give stakeholders a recognized and invaluable implementation role.
Pending legislation should explicitly allow for multi-stakeholder implementation. One model, which Ness and Riley do not endorse, comes from the United States, where securities laws authorize the Securities and Exchange Commission (SEC) to set financial accounting standards for public companies and to recognize standards established by an appropriate and independent private sector standard-setting organization. In 1973 and again in 2003, the SEC has recognized standards adopted by the Financial Accounting Standards Board (FASB) as authoritative, in the absence of any contrary determination by the agency. The FASB is a seven-person private, independent, non-profit body consisting of former accounting-firm officials, academics and accounting-standards users. SEC recognition means that current, revised and future FASB standards become binding on public firms operating in the United States without further SEC action. Firms violating FASB standards are sanctioned through SEC enforcement actions.
With eSafety’s new law, the Online Safety Act 2021, Australia takes a similar approach, calling for digital industry groups to set up codes of conduct. Measures in other jurisdictions, such as the UK Online Safety Act and the EU Digital Services Act, also allow for implementation through industry codes of conduct.
But multi-stakeholder implementation must be wider than codes developed solely by industry groups. Ness and Riley think the process should include “legislators” as well as “academics and industry experts.” Civil society has a key role to play as well. This broader representation would allow government officials to have their say as part of a developing stakeholder consensus.
However, it is not clear that the best multi-stakeholder model is to cede authority to an independent private sector standard-setting organization, even one with broader representation. In many, if not most, cases, implementation decisions are not mere technical details, to be resolved by specialists; they will embody often controversial policy compromises. In such situations, a digital agency’s wholesale adoption of a private sector organization’s standards as authoritative and its blanket recognition of all future rules adopted by the group, as the SEC does with standards adopted by the FASB, would give away too much public power to an essentially private institution.
My own initial take is that, as a general matter, administrative agencies should not simply outsource digital implementation to multi-stakeholder groups. Final decisions about whether to accept certain practices, standards or protocols as satisfying new digital legislative requirements should be affirmatively made by the agencies tasked by legislatures to implement the law. In addition, due process rules, such as the Administrative Procedure Act in the United States, might need to apply in certain circumstances to ensure openness, transparency and public participation in agency determinations.
There are ways forward, other than ceding public authority to private entities, that can give stakeholders a recognized and invaluable implementation role. Ness and Riley are considering a range of structures for stakeholder engagement with government, depending on the nature of the implementation issue. One idea, contained in proposed digital competition laws in the United States, would require the implementing agency, the Federal Trade Commission, to set up a committee consisting of industry, technical experts and civil society representatives to assist the agency with “considerations relating to implementation and technical aspects” of the law’s requirements.
The committee is to be advisory and will have no implementation or enforcement role, but the agency will be required to give “strong consideration” to the committee’s recommendations in making its final implementation decisions. This is an attractive legislative template that leaves ultimate authority with the administrative agency but ensures full consideration of vital stakeholder perspectives. Requiring the agency to obtain the recommendations of a multi-stakeholder committee makes it more likely that final agency action will comport with industry realities and the needs of a diverse range of stakeholders.
Multi-stakeholder groups might prefer a more privileged role — a restoration of the deference governments granted to them under the older approach. But governments have rightly moved away from that model. They will and should retain full sovereignty over the digital world in the new regulatory regime. Multi-stakeholder groups should be granted a new role — that of working with regulatory agencies to ensure that the expertise and perspectives of academia, industry representatives, technical experts and civil society are front and centre in regulatory decisions about the digital world.