The World Conference on International Telecommunications (WCIT) last December focussed popular attention on Internet governance. In reality, the WCIT was only the latest step in a gradual increase in policy attention to Internet-related issues. Executive and legislative branches of governments are joining a variety of actors involved in governing the Internet: international organizations like the International Telecommunication Union; and non-profit entities, associations and networks, including the Internet Corporation for Assigned Names and Numbers (ICANN), the World Wide Web Consortium (W3C), the Internet Engineering Task Force (IETF) and the Institute of Electrical and Electronics Engineers (IEEE).
National courts are also playing a critical, and generally unappreciated, governance role. In one recent decision, an American federal court issued a ruling limiting the ability of rights-holders to place intellectual property encumbrances on patents related to critical technical standards, protocols and software.[i] This is important to ensuring both innovation and global interoperability online. It is also in the interest of technology manufacturers, who have increasingly had to devote vast resources to a patent arms race.
American courts have also issued critical decisions on privacy,[ii] civil liberties[iii] and the functioning of law enforcement and security agencies in a digital age.[iv] These decisions are globally significant by virtue of the fact that dominant network operators, content producers and intermediaries are incorporated in the United States. They also matter because a great deal of global Internet traffic flows through the United States.
Courts from other countries are equally engaged in ruling on Internet-related cases. Thus far, most of these decisions have been made by courts in advanced industrial democracies, such as Canada[v] and the European Union (EU) and its member states.[vi]
It is appropriate, and also of immense practical importance, that domestic courts remain involved. They are crucial in interpreting and applying general rules to particular cases. They also serve as laboratories for governance innovation — even if some initial rulings are overturned by higher courts or revisited by legislative bodies.
There are, however, two critical sets of potential costs that arise from the current situation of uncoordinated governance from the bench.
First, the proliferation of rulings creates a great deal of complexity, and thus cost, for a range of actors in monitoring relevant outcomes. This is most evident in the case of businesses that operate in a large number of legal jurisdictions. It is also relevant for governments, which, for example, increasingly subcontract data hosting and management to third-party commercial cloud services that may operate in a variety of legal jurisdictions. This may create security and privacy concerns. These transaction costs are also relevant for non-profit organizations, many of which are engaged in capacity building and delivery of goods and services in a range of countries. These activities often involve the collection and electronic storage of a range of data, as well as sensitive international electronic communication. Non-profit organizations and governments in low-income countries will be particularly vulnerable to these kinds of transaction costs.
Google, Apple, Cisco, Samsung and other global technology companies operate in several dozen distinct legal jurisdictions. Doing so requires monitoring legal regimes in each jurisdiction and taking them into account when designing products and services delivered online. It requires performing these legal practices with respect to several distinct and complex areas of law, including privacy, intellectual property and others.
Second, to the extent that courts take different approaches to dealing with these issues, there will be both significant international coordination problems for governments and challenges for companies and non-profits in ensuring their business models and practices are consistent and compliant with multiple (potentially conflicting) legal regimes.
Corporations and non-profits face the prospect of significantly increased compliance costs. For example, varying privacy laws pertaining to the collection and retention of data about individuals could conceivably require the ability to identify a user’s location via Internet Protocol address, multiple web forms for users subject to different jurisdictions and even the maintenance of data storage in different physical locations with different levels of security. Failure to handle such data properly could create civil and even criminal liability.
In some cases, simultaneously complying with all relevant legal regimes may become impossible and necessitate withdrawal from some national markets. Such a situation could arise, for example, if more stringent EU privacy rules impose major restrictions on the business models of technology companies that monetize user information gained via consent provided in terms of service agreements. It could also originate in EU anti-trust rules that might require fundamental changes to corporate structures as a condition of their operation in EU jurisdiction.
States can also expect to bear costs arising from increased legal complexity. International legal cooperation is often conducted via mutual legal assistance treaties (MLATs). MLATs typically allow cooperation to be refused in the event that states’ legal regimes differ with respect to the treatment of the conduct in question, as well as on political and security grounds. Diverging legal regimes on Internet issues could imperil legal cooperation across a whole host of issues that are becoming increasingly Internet-related, such as financial transfers and tax evasion, organized crime and counterterrorism. If states respond to such frustrations by seeking leverage via linkage politics, the potential exists for damaging spirals and the escalation of disputes.
Different national laws pertaining to law enforcement access to Internet user information could lead to international friction in efforts to investigate cross-border computer network exploitation or computer network attacks. What one state regards as protecting the legitimate privacy of its citizens and their right to legal due process may be seen by another state as effectively harbouring criminals or terrorists.
While these problems cannot be eliminated without the complete harmonization of legal systems, they can be ameliorated. Codes of best practices on particular issues can be developed and promulgated. Although these instruments do not have legal force, they can play important coordinating roles by setting expectations and creating focal points. Such standard-setting processes are indeed the foundation of the legacy system of Internet governance. ICANN, IETF, W3C, IEEE and other bodies all engage in standard setting.
The problem is that these processes have been driven primarily by technologists; as a result, they are obscure, opaque and lack inherent legitimacy within policy-making and legal circles. Courts are, therefore, often in the position of reinventing the wheel when faced with Internet-related issues, duplicating discussions that have taken place in other settings and even fundamentally misunderstanding aspects of the underlying technology. Technical standards bodies may also miss important considerations related to the broader public interest. Legal and policy experts can add value to these technical groups and networks.
What is needed is a structured process ensuring genuine two-way communication between technical standards bodies and the legal community. In the long term, this should entail collaboration between law schools and professional legal associations, on the one hand, and the Internet-related technical community on the other. This effort must also be genuinely transnational, including both legal and policy experts from a variety of countries, if it is to achieve the goal of minimizing monitoring and compliance costs.
Such dialogue could take a number of forms, including: enhanced focus on the nature and social implications of Internet technologies both in law school curricula and in professional continuing education; training seminars on legal and public policy issues for technologists involved in standard-setting processes; and liaison arrangements institutionalizing opportunities for two-way consultation between the judiciary and the technology community on issues of mutual concern. These efforts could be fostered and facilitated by a range of international actors (independently or in collaboration), including the Organisation for Economic Co-operation and Development, the International Law Commission and the United Nations Educational, Scientific and Cultural Organization.
The author thanks Aaron Shull for his assistance in conducting legal research for this commentary.
[ii] Privacy protection in the digital world is in a period of legal flux in the United States. In a recent example, the Supreme Court declined to hear an appeal in Jennings v. Broome, WL 81229 (2013), a case that sought to clarify the application of the federal privacy law over email and digital communications. As a consequence, there are presently conflicting judicial opinions on the issue.
[iii] Concerns over the ability of children to access pornography or other obscene material on the Internet resulted in the passage of the Communications Decency Act, 47 U.S.C.A. § 223, (1996). The Act created liability for information service providers who acted as a conduit for the dissemination of the subject material to minors. However, two separate federal courts have held the statute unconstitutional. See Shea v. Reno, 930 F. Supp. 916 (S.D.N.Y. 1996), aff'd, 117 S. Ct. 2501 (1997); ACLU v. Reno, 929 F. Supp. 824 (E.D. Pa. 1996), aff'd, 117 S. Ct. 2329 (1997). The Supreme Court has affirmed that the indecency section of the statute violates the First Amendment (Reno v. ACLU, 117 S. Ct. 2329, 2347).
[iv] See the Computer Fraud and Abuse Act, enacted by Congress in 1986, which amended 18 U.S.C. § 1030; see also United States v. Drew, 259 F.R.D. 449, 457 (C.D. Cal. 2009) (“[T]he latter two elements of the section 1030(a)(2)(C) crime [obtaining information from a protected computer] will always be met when an individual using a computer contacts or communicates with an Internet website.”).
[v] See Society of Composers, Authors and Music Publishers of Canada v. Canadian Assn. of Internet Providers 2 S.C.R. 427 (addressing ISP liability for copyright infringement); see also R. v. TELUS Communications Co., 2013 SCC 16 (addressing the application of general warrant powers in the Criminal Code to text messages stored on corporate servers).
[vi] See generally, Tapio Puurunen, The Judicial Jurisdiction of States Over International Business-to-Consumer Electronic Commerce from the Perspective of Legal Certainty, 8 U.C. Davis J. Int'l L. & Pol'y 133.