Law and Information

My colleague Daniel Haeusermann and I just released a new paper entitled “E-Compliance: Towards a Roadmap for Effective Risk Management.” In the article, which is largely based on consulting work we’ve been doing, we argue that the widespread use of digital communication technology on the part of business organizations leads to new types of challenges when it comes to the management of risks at the intersection of law, technology, and the marketplace. In order to effectively manage these challenges and associated risks in diverse areas such as security, privacy, consumer protection, IP, and content governance, we call for an integrated and comprehensive compliance concept in response to the structural and substantive peculiarities of the digital environment in which corporations – both in and outside the dot-com industry – operate today. See also this post. The conclusion section of the paper reads as follows:

Through significant efforts, the legal system has adjusted to the changes in the information and communications technology of daily corporate life—changes at the intersection of the market, technology, and law. Organizations must make adjustments on their part as well in order to deal with the consequences resulting from these changes in the legal system. The observation that led to this essay was that these adjustments represent a greater challenge than the already decreasing entropy surrounding concepts such as “e-commerce law” or “cyberlaw” would suggest. Our initial foray into the concept, characteristics, responsibilities and organizational guiding principles of e-Compliance confirms this observation.

E-Compliance, as discussed in this article, is confronted with the phenomenon of a close interconnection between law and technology, a prominent dynamization of the law, massive internationalization of issues and legal problems, as well as a strong increase in the significance of soft law. These characteristics, which in part may also apply to traditional areas of compliance such as financial market regulation, call in their interplay for the further development of compliance concepts as well as adaptation of the affected aspects of corporate organization. Due to the increasing amalgamation of corporate organizational nexus and ICT, the symbiotic relations between traditional compliance and e-Compliance will be increasingly amplified. The view that e-Compliance represents merely a single risk area among the many of compliance is therefore outdated in our opinion. E-Compliance is actually a multidimensional and multidisciplinary task, although there are certainly areas of law that are particularly affected by digitization (or also which particularly impact digitization) and therefore are of particular importance for the field of e-Compliance.

Thus, in conclusion, the authors do not posit a special “e-Sphere” within or without existing compliance departments. Rather, we argue for an integrated and comprehensive compliance concept that appropriately makes allowance for the structural and substantive peculiarities of e-Compliance as outlined in this essay and stays abreast with the pace of digitization.

Please contact Daniel or me if you have comments.

Earlier today, I attended a conference organized by Oliver Arter and Florian S. Joerg on Internet and e-Commerce Law in Zurich. I was invited to speak about e-Compliance in general and the implications of e-Business on compliance and corporate organization in particular. E-Compliance can be understood as a set of institutional arrangements and processes aimed at managing the legal and regulatory risks resulting from the transition from an offline/analog to an online/digital corporate information environment. My colleague Daniel Haeusermann and I have come up with the following theses – intended as discussion points and “food for thought.”

The main thesis is that e-Compliance, in important regards, is qualitatively distinct from traditional compliance. We argue that four trends support this key thesis.

Law and digital technology are closely intertwined. The compliance-relevant interactions are hereby bi-directional. Digital technology leads to legal problems that have not emerged in the paper world. Consider, for example, the use of email in a corporation as a partial replacement of oral communications and the set of legal problems associated with email usage and storage (ranging from data privacy/monitoring issues to e-Discovery exposure.) However, digital technology can also help to ensure a company’s compliance with the law. Software that can be used to enforce a “litigation hold” might be a good example in this context. At the organizational level, the suggested interplay between law and technology calls for a close collaboration between lawyers and IT-staff.

E-Compliance is risk management in a quicksilver environment and under conditions of legal uncertainty. The speed of ICT innovation has put the legal system under enormous pressure. The legal system’s answer, essentially, is either the application of existing rules (“old law”) to the new phenomena, or legal innovation (e.g. by formulating new rules or introducing new doctrines.) Typically, both processes create uncertainty, because the legal system is forced to synchronize its relatively slow adaptation processes with the speed of technological change. A nice illustration of the increased pace of change in law that creates uncertainty are legal regimes that govern online intermediaries such as access providers, search engines, and hosting providers. Up to the year 2000 legislators around the world have enacted laws (such as the CDA or the E-Commerce Directive) to limit the liability of online intermediaries, or to “immunize” them entirely. Only few years later we now face a global trend towards stronger regulation of online intermediaries, including a reconsideration of the respective liability regimes. From an organizational perspective, this increased speed of change requires that companies in the IT-business (this includes, e.g., banks) establish “early warning systems” – for example in collaboration with academic partners – aimed at tracking trends and developments at the intersection of law, ICT, and markets.

Digitization in tandem with the emergence of electronic communication networks has internationalized (old and new) legal problems in an unprecedented way. The first driver of internationalization of e-Compliance is straightforward: it’s the global medium “Internet” itself. The second source is related to the first one, but less obvious: In our view, the digitally networked environment creates a notion of proximity that leads to an increased relevance of foreign national law for corporations being incorporated and/or operating in another jurisdiction. Good examples are cross-border e-Discoveries, where U.S. plaintiffs seek to use American procedure and evidence laws to access information stored in different jurisdictions, e.g. in Europe, usually without following the procedures set forth in respective international treaties such as the Hague Convention on Evidence. It follows from this trend that it is a necessity for successful e-Compliance to apply a global perspective. In the case of multinational enterprises this requires, for instance, that the legal and compliance departments of the entities located in different countries collaborate closely on e-Compliance issues.

The rapid evolution of digital technologies on the one hand and the increased legal uncertainty with regard to the interpretation of old and new laws on the other hand further increase the relevance of industry self-regulation, for instance in form of codes of conducts or best practice models. Again, the regulation of online intermediaries is illustrative for this trend. In Germany, for example, content regulation of online intermediaries such as search engines is largely based upon a self-regulatory approach. In the light of this development, sustainable e-Compliance increasingly includes involvement in standard-setting bodies and industry best practice-groups – both as an expression of “good corporate citizenship” and based on the acknowledgment that “soft law”, in turn, can improve a company’s e-Compliance with the increasingly complex network of legal, quasi-legal, pre-legal and ethical obligations.

With the usual time-lag, the debate about Internet censorship in repressive countries such as China and the role of Internet intermediaries such as Google, Microsoft and Yahoo! has now arrived in Europe. The EU Parliament now confirms what many of us have argued for months, i.e., that the problem of online censorship is not exclusively a problem of U.S.-based companies and is not only about China.

The recent resolution on freedom of expression on the Internet by the European Parliament starts with references to previous resolutions on human rights and freedom of the press, including the WSIS principles, as well as international law (Universal Declaration of Human Rights) and opens with the European-style statement that restrictions on online speech “should only exist in cases of using the Internet for illegal activities, such as incitement to hatred, violence and racism, totalitarian propaganda and children’s access to pornography or their sexual exploitation.”

Later, the resolution lists some of the speech-repressive regimes, including China, Belarus, Burma, Cuba, Iran, Libya, Maldives, Nepal, North Korea, Uzbekistan, Saudi Arabia, Syria, Tunisia, Turkmenistan and Vietnam. The resolution then makes explicit references to U.S.-based companies by recognizing that the “…Chinese government has successfully persuaded companies such as Yahoo, Google and Microsoft to facilitate the censorship of their services in the Chinese internet market” and “notes that other governments have required means for censorship from other companies.” European companies come into play with regard to the sale of equipment to repressive governments, stating that

“… equipment and technologies supplied by Western companies such as CISCO Systems, Telecom Italia, Wanadoo, a subsidiary of France Telecom have been used by governments for the purpose of censoring the Internet preventing freedom of expression.” (emphasis added.)

The resolution, declaratory in nature, in one of its probably most significant parts calls on the European Commission and the Council “to draw up a voluntary code of conduct that would put limits on the activities of companies in repressive countries.” The policy document also stresses the broader responsibility of companies providing Internet services such as search, chat, or publishing to ensure that users’ rights are respected. Hopefully, the Commission and the Council will recognize that several initiatives aimed at drafting such code of conducts are underway on both sides of the Atlantic (I have myself been involved in some of these processes, including this one), and will engage in conversations with the various groups involved in these processes. In any event, it will be interesting to see how the Commission and the Council approach this tricky issue, and as to what extent, for instance, they will include privacy statements in such a set of principles – a crucial aspect that, interestingly enough, has not been explicitly addressed in the Parliament’s resolution.

The resolution also calls on the Council and Commission “when considering its assistance programmes to third countries to take into account the need for unrestricted access by their citizens.” Further coverage here.

Update: On the “European Union’s schizophenric approach to freedom of expression”, read here (thanks, Ian.)

I’ve spent the past two days here in Berlin, attending an expert workshop on the rising power of search engines organized by Professor Marcel Machill and hosted by the Friedrich Ebert Stiftung, and a public conference on the same topic.

I much enjoyed yesterday’s presentations by a terrific group of scholars and practitioners from various countries and with different backgrounds, ranging from informatics, journalism, economics, and education to law and policy. The extended abstracts of the presentations are available here. I presented my recent paper on search engine law and policy. Among the workshop’s highlights (small selection only):

* Wolfgang Schulz and Thomas Held (Hans Bredow Institute, Univ. of Hamburg) discussed the differences between search-based filtering in China versus search engine content regulation in Germany. In essence, Schulz and Held argued that procedural safeguards (including independent review), transparency, and the requirement that legal filtering presupposes that the respective piece of content is “immediately and directly harmful” make the German system radically different from the Chinese censorship regime.

* Dag Elgesem (Univ. of Bergen, Department of information science) made an interesting argument with regard to the question how we (as scholars) perceive users as online searchers. While the shift from passive consumers to active users has been debated in the context of the creation/production of information, knowledge, and entertainment (one of my favorite topics, as many of you know), Dag argues that online searchers, too, have become “active users” in Benkler’s sense. In contrast, so Dag’s argument, much of our search engine policy discussion has assumed a rather passive user who just types in a search term and uses what he gets in response to the query. Evidently, the question of the underlying conception of users in their role as online searchers is important because it impacts the analysis whether regulatory interventions are necessary or not (e.g. with regard to transparency, market power, and “Meinungsmacht” of search engines.)

* Boris Rotenberg (DG Joint Research Center, European Commission, Sevilla) linked in an interesting way the question of the search engine user’s privacy – as expression of informational autonomy – with the user’s freedom of expression and information. He argues, in essence, that the increased use of personal data by search engine operators in the course of their attempts to personalize search might have a negative impact on freedom of information in at least three regards. First, extensive use of personal data may lead to user-side filtering (Republic.com scenario). Second, it might produce chilling effects by restricting “curious searches”. Third, personalization tends to create strong ties to a particular (personalized) search engine, hindering the user to use alternative engines (“stickiness”-argument).

* Benjamin Peters (Columbia University) used the Mohammed cartoon controversy to explore three questions: (1) As to what extent do search engines eliminate the role of traditional editors? (2) Do algorithms have any sort of in-built ethics? (Benjamin’s answer, based on David Weinberger’s notion of links as acts of generosity: yes, they have). (3) What are the elements of a “search engine democracy”?

* Dirk Lewandowski (Department of information science, Heinrich-Heine Univ.) provided a framework for assessing a search engine’s quality. He argues that the traditional measurement “precision” – as part of retrieval quality – is not a particularly useful criterion to evaluate and compare search engines’ quality, because the major search engines produce almost the same score on the precision scale (as Dirk empirically demonstrated.) Dirk’s current empirical research focuses on the search engine’s index quality, incl. elements such as reach (e.g. geographic reach), size of the index, and actuality/frequency of updates.

* Nadine Schmidt-Maenz (Univ. of Karlsruhe, Institute for Decision Theory and Management Science) presented the tentative results of an empirical long-term study on search queries. Nadine and her team have automatically observed and analyzed the live tickers of three different search engines and clustered over 29 million search terms. The results are fascinating and the idea of topic detection, tracking, and – even more interestingly – topic prediction (!) highly relevant for the search engine industry, both from a technological and business perspective. From a different angle, we also discussed the potential impact of reliable topic forecasting on agenda-setting and journalism.

* Ben Edelman (Department of Economics, Harvard Univ.) empirically demonstrated that search engines are at least in part responsible for the wide spread of spyware, viruses, pop-up ads, and spam, but that they have taken only limited steps to avoid sending users to hostile websites. He also offered potential solutions to the problems, including safety labeling of the individual search results by the search engine providers, and changes in the legal framework (liability rules) to create the right incentive structure for search engine operators to contribute to overall web safety.

Lot’s of food for thought. What I’d like to explore in greater detail is Dag’s argument that users as online searchers, too, have become highly (inter-)active, probably not only in the sense of active information retrievers, but increasingly also as active producers of information while being engaged in search activities (e.g. by reporting about search experiences, contributing to social search networks, etc.)

The Yale Journal of Law and Technology just published my article on search engine regulation. Here’s the extended abstract:

The use of search engines has become almost as important as e-mail as a primary online activity. Arguably, search engines are among the most important gatekeepers in today’s digitally networked environment. Thus, it does not come as a surprise that the evolution of search technology and the diffusion of search engines have been accompanied by a series of conflicts among stakeholders such as search operators, content creators, consumers/users, activists, and governments. This paper outlines the history of the technological evolution of search engines and explores the responses of the U.S. legal system to the search engine phenomenon in terms of both litigation and legislative action. The analysis reveals an emerging “law of search engines.” As the various conflicts over online search intensify, heterogeneous policy debates have arisen concerning what forms this emerging law should ultimately take. This paper offers a typology of the respective policy debates, sets out a number of challenges facing policy-makers in formulating search engine regulation, and concludes by offering a series of normative principles which should guide policy-makers in this endeavor.

As always, comments are welcome.

In the same volume, see also Eric Goldman‘s Search Engine Bias and the Demise of Search Engine Utopianism.

I’ve just read Rep. Chris Smith’s discussion draft of a “Global Online Freedom Act of 2006,” which has been made available online on Rebecca MacKinnon’s blog. Rebecca nicely summarizes the key points of the draft. From the legal scholar’s rather then the activist’s viewpoint, however, some of the draft bill’s nitty-gritty details are equally interesting. Among the important definitions is certainly the term “legitimate foreign law enforcement purposes,” which appears, for instance, in the definition of substantial restrictions on Internet freedom, and in sec. 206 on the integrity of user identifying information. According to the draft bill, the term ”legitimate foreign law enforcement purposes” means

And the next paragraph clarifies that

While the first part of the definition makes a lot of sense, the second part is more problematic to the extent that it suggests, at least at a glance, a de facto export of U.S. free speech standards to the rest of the world. Although recent Internet rulings by U.S. courts have suggested an expansion of the standard under which U.S. courts will assert jurisdictions over free speech disputes that arise in foreign jurisdiction, it has been my and others impression that U.S. courts are (still?) reluctant to globally export free speech protections (see, e.g. the 9th Circuit Court of Appeal’s recent Yahoo! ruling.)

Indeed, it would be interesting to see how the above-mentioned definition would relate to French legislation prohibiting certain forms of hatred speech, or German regulations banning certain forms of expression—black lists, by the way, which are also incorporated by European subsidiaries of U.S. based search engines and content hosting services.

While the intention of the draft bill is certainly a legitimate one and while some of the draft provisions (e.g. on international fora, code of conduct, etc.) deserve support, the evil—as usual—is in the details. Given its vague definitions, the draft bill (may it become law) may well produce spillover-effects by restricting business practices of U.S. Internet intermediaries even in democratic countries that happen (for legitimate, often historic reasons) not to share the U.S.’ extensive free speech values.

Addendum: Some comments on the draft bill from the investor’s perspective here. Note, however, that the draft bill also includes foreign subsidiaries of U.S businesses to the extent that the latter control the voting shares or other equities of the foreign subsidiary or authorize, direct, control, or participate in acts carried out by the sbusidiary that are prohibited by the Act.

Today, the US House of Representatives’ IR Subcommittee on Africa, Global Human Rights and International Operations, and the Subcommittee on Asia and the Pacific are holding an open hearing on the question whether the Internet in China is a Tool for Freedom or Suppression. My colleague Professor John Palfrey, among the foremost Internet law & policy experts, has prepared an excellent written testimony. In his testimony, John summarizes the basic ethical dilemmas for U.S. corporations such as Google, Microsoft, Yahoo and others who have decided to do business in countries like China with extensive filtering and surveillance regimes. John also raises the question as to what extent a code of conduct for Internet intermediaries could guide these businesses and give them a base of support for resisting abusive surveillance and filtering requests and the role academia could play in developing such a set of principles.

I’m delighted that our Research Center at the University of St. Gallen in Switzerland is part of the research initiative mentioned in John’s testimony that is aimed at contributing to the development of ethical standards for Internet intermediaries. Over the past few years, a team of our researchers has explored the emergence, functionality, and enforcement of standards that seek to regulate the behavior of information intermediaries. It is my hope that this research, in one way or another, can contribute to the initiative announced today. Although the ethical issues in cyberspace are in several regards structurally different from those emerging in offline settings, I argue that we can benefit from prior experiences with and research on ethics for international businesses in general and information ethics in particular.

So far, the heated debate about the ethics of globally operating Internet intermediaries has been a debate about the practices of large and influential U.S. companies. On this side of the Atlantic, however, we should not make the mistake to think that the hard questions Palfrey and other experts will be discussing today before the above-menioned Committees are “U.S.-made” problems. Rather, the concern, challenge, and project – designing business activities that respect and foster human rights in a globalized economy with local laws and policies, including restrictive or even repressive regulatory regimes – are truly international in nature, especially in today’s information society. Viewed from that angle, it is almost surprising that we haven’t seen more constructive European contributions to this discourse. We should not forget that European Internet & IT companies, too, face tough ethical challenges in countries such as China. In that sense, the difficult, but open and transparent conversations in the U.S. are in my view an excellent model for Europe with its long-standing human rights tradition.

Update: Rebecca MacKinnon does a great, fast-speed job summarizing the written and oral testimonies. See especially her summary of and comments on the statements by Cisco, Yahoo!, Google, and Microsoft.

Late, very late, but hopefully not too late — finally online available some thoughts on Grokster by Harvard Law School Clinical Professor John G. Palfrey, Jr. and me. It’s a piece written for a non-U.S., non-IP-law-audience with a general interest in the topic. Here’s the abstract:

Here is my second position paper (find the first one here) in preparation of the upcoming Regulating Search? conference at ISP Yale. It provides a rough arc of a paper I will write together with my friend and colleague Ivan Reidel. The Yale conference on search has led to great discussions on this side of the Atlantic. Thanks to the FIR team, esp. Herbert Burkert and James Thurman, Mike McGuire, and to Sacha Wunsch-Vincent for continuing debate.

Regulating Search? Call for a Second Look

1. The use of search engines has become almost as important as email as a primary online activity on any given day, according to a recent PEW survey. According to an another survey, 87% of search engine users state that they have successful search experiences most of the time, while 68% of users say that search engines are a fair and unbiased source of information. This data combined with the fact that the Internet, among very experienced users, ranks even higher than TV, radio and newspapers as an important source of information, illustrates the enormous importance of search engines from a demand-side perspective, both in terms of actual information practices as well as with regard to users’ psychological acceptance.

2. The data also suggests that the transition from an analog/offline to a digital/online information environment has been accompanied by the emergence of new intermediaries. While traditional intermediaries between senders and receivers of information—most of them related to the production and dissemination of information (e.g. editorial boards, TV production centers, etc.)—have diminished, new ones such as search engines have entered the arena. Arguably, search engines have become the primary gatekeepers in the digitally networked environment. In fact, they can effectively control access to information by deciding about the listing of any given website in search results. But search engines not only shape the flow of digital information by controlling access; rather, search engines at least indirectly engage in the construction of the messages or meaning by shaping the categories and concepts users’ use to search the Internet. In other words, search engines have the power to influence agenda setting.

3. The power of search engines in the digitally networked environment with corresponding misuse scenarios is likely to increasingly attract policy- and lawmakers attention. However, it is important to note that search engines are not unregulated under the current regime. Markets for search engines regulate their behavior, although the regulatory effects of competition might be relatively weak because the search engine market is rather concentrated and centralized; a recent global user survey suggests that Google’s global usage share has reached 57.2%. In addition, not all search engines use their own technology. Instead, they rely on other search providers for listings. However, search engines are also regulated by existing law and regulations, including consumer protection laws, copyright law, unfair competition laws, and—at the intersection of market-based regulation and law-based regulation—antitrust law or (in the European terminology) competition law.

4. Against this backdrop, the initial question for policymakers then must concern the extent to which existing laws and regulations may feasibly address potential regulatory problems that emerge from search engines in the online environment. Only where existing legislation and regulation fails due to inadequacy, enforcement issues, or the like, the question of new, specific and narrowly tailored regulation should be considered. In order to analyze existing laws and regulation with regard to their ability to manage problems associated with search engines, one might be well-advised to take a case-by-case approach, looking at each concrete problem or emerging regulatory issue (“scenario”) on the one hand and discussion relevant to incumbent legal/regulatory mechanisms aimed at addressing conflicts of that sort on the other hand.

5. Antitrust law might serve as an illustration of such an approach. While the case law on unilateral refusals to deal is still one of the most problematic and contested areas in current antritrust analysis, the emergence of litigation applying this analytical framework to search engines seems very likely. Although most firms’ unilateral refusals to deal with other firms are generally regarded as legal, a firm’s refusal to deal with competitors can give rise to anti-trust liability if such firm possesses monopoly power and the refusal is part of a scheme designed to maintain or achieve further monopoly power. In the past, successful competitors like Aspen Skiing Co. and more recently Microsoft have been forced to collaborate with competitors and punished for actions that smaller companies could have probably gotten away with. In this sense, search engines might be the next arena where antitrust laws with regard to unilateral refusals to deal are tested. In addition to the scenario just described, the question arises as to whether search engines could be held liable for refusal to include particular businesses in their listings. Where a market giant such as Google has a “don’t be evil” policy and declines from featuring certain sites in its PageRank results because it deems these sites to be “evil,” there is an issue of whether Google is essentially shutting that site provider out of the online market through the exercise of its own position in the market for information. Likewise, the refusal to include certain books in the Google Print project would present troubling censorship-like issues. It is also important to note that Google’s editorial discretion with regard to its PageRank results was deemed to be protected by the First Amendment in the SearchKing case.

6. In conclusion, this paper suggests a cautious approach to rapid legislation and regulation of search engines. It is one of the lessons learned that one should not overestimate the need for new law to deal with apparently new phenomena emerging from new technologies. Rather, policy- and lawmakers would be well-advised to carefully evaluate the extent to which general and existing laws may address regulatory problems related to search and which issues exactly call for additional, specific legislation.