The Internet is not an ethereal or otherworldly thing, and existing laws in the offline world are applicable to “cyberspace”. The Internet is for all intents and purposes a tool for making data available and for accessing it. But unfortunately, it is a tool that can be used by individuals and groups to conduct illegal activities. Similar to the offline world, governments have a social responsibility to develop laws that address criminal and illegal behaviors online. Hence, ensuring that an adequate and effective legal framework exists is an important role for governments.
Data protection and privacy
Data protection and privacy are high on top of the list of important legal issues, especially given that people are increasingly storing more of their data online and large amounts of data are collected, searched and manipulated electronically. In the EU, the Data Protection Directive 95/46/EC was established to provide a regulatory framework to guarantee secure and free movement of personal data across the national borders of the EU member countries, in addition to setting a baseline of security around personal information wherever it is stored, transmitted or processed. However, although these laws conform to the Directive in terms of basic concepts and principles, they tend to be slightly different in many relevant details. The differences in the way that each Member State implemented the law have led to inconsistencies, which create complexity, legal uncertainty and administrative costs. This affects the trust and confidence of individuals and the competitiveness of the EU economy.
In January 2012, the European Commission (“the Commission”) presented a proposal for a General Data Protection Regulation (GDPR) to replace Directive 95/46/EC. On 21 December 2015, the European Parliament and Council reached agreement on the data protection reform proposed by the Commission. The Regulation updates and modernizes the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights. It focuses on reinforcing individuals’ rights, strengthening the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards.
Responses to the reforms haven’t been all positive. Bird & Bird lawyer Gabriel Voisin strongly maintained that, “The text adopted at today’s plenary session of the European Parliament is over-prescriptive. It will hamper Europe’s ability to take advantage of new ways of using data. This will put Europe at a disadvantage to other parts of the world that are embracing the new technologies”. Christian Toon, Head of Information Risk at Iron Mountain, told SCMagazineUK.com that,“While consumers will welcome the fact that the European Parliament has voted through the EU’s first major overhaul of data protection legislation since 1995, many European businesses will be feeling nervous… The reality is that many remain underprepared… Businesses that fail to address the issue now not only run the risk of significant financial penalties in the near future, but may also risk serious reputational damage that will make customer retention more complicated.”A number of other subject matter experts had similar comments.
Whether these criticisms are real or perceived, they represent a failed attempt at consensus between the European political establishment and its stakeholders. This has happened due to the fact that the GDPR was agreed to without adequate consideration of the 4000 amendments tabled by stakeholders, and the lack of political agreement among Member States in the European Council. Consensus building is a critical aspect of Internet governance. The input of committed and informed stakeholders in decision-making processes, in their substantive roles and responsibilities, is imperative to verifying that outcomes are both effective and accepted. It also guarantees that diverse stakeholders can directly contribute to activities and are privy to their results. Consensus essentially facilitates solutions that meet the diverse needs of the Internet ecosystem, and moves the governance structure from top down to bottom up.
The Internet is a cross-border platform and many of its legal and enforcement mechanisms necessitate international cooperation. The specific challenge posed by the cross-border aspect of the Internet is that activities that are legal in one country maybe illegal in another. Governments need to promote bilateral and inter-governmental agreements that support enforcement of the law. However, this is also the case in the offline world, where law enforcement can be bolstered through international cooperation between agencies. Governments have a responsibility to its citizens to cooperatively work together through international organizations such as the WTO, WIPO, Interpol and others in order to successfully combat illegal activity online.
A significant amount of international efforts have gone into the development of model laws for international cooperation and harmonization of cyber crime legislation. One example is the Council of Europe’s Convention on Cyber Crime. The first of its kind, and the only effective global treaty on cybercrime, it was developed to address Internet and computer crime by harmonizing national laws, improving investigative techniques, and fostering international cooperation among nations. It tackles broad subject matter, dealing with infringements of copyright, computer-related fraud, child pornography and violations of network security. It also contains a series of powers and procedures, such as the search of computer networks and interception. There have been other attempts at creating model laws such as the Commonwealth Model Law on Cyber Crime and the Three ITU Model Laws – HIPCAR (Caribbean), ICB4PAC (Pacific Islands), and HIPSSA (Sub-Sahara Africa). The Commonwealth Model Law was not widely adopted by many States, but the fact that much of its framework has been integrated into the ITU model laws has subsequently resulted in many of its requirements being applied to legislation in African, Caribbean, and Pacific (ACP) states.
Attempts at international harmonization of laws can be rife with challenges. In several instances, the omission of necessary provisions, defective language, fragmented drafting, integration of obscure and unsafe offenses and their variance away from and contradiction with established best practices inflict great damage to the objective of enhancing international cooperation against cyber crime. In many developing countries, the main challenge has been the unavailability of subject matter expertise in drafting legislation and regulations on cybercrime and electronic evidence. To solve this, government should look at broadening the communities with which they engage. Inviting the private sector and academia to participate in developing model laws can drastically improve the quality of legislative outputs. Additionally, seeking technical assistance from international organizations can also yield substantial benefits.
Internet governance, and the multistakeholder model it employs, is a reflection of the open and inclusive nature of the global Internet and has been an integral reason behind its amazing growth and success. Many governments have realized that deeper stakeholder engagement — including governments, businesses, civil society, the technical community and academic institutions — is the optimal approach to sharing knowledge, experience, competences and best practices when developing policies to address new opportunities and respond to emerging challenges.
Traditional models of governance that would institutionalize control over the Internet by governments and inter-governmental bodies cannot achieve these goals. Such rigid decision-making processes are unable to maintain pace with rapidly changing technological advancements that characterize the Internet, and the ever-evolving requirements of Internet users. Any attempts to superimpose traditional models would dampen innovation and constrain realization of the limitless benefits of an open Internet. It would risk stifling the dynamism that has allowed the Internet to deliver so many benefits and opportunities for economic growth and social welfare.
A revisionist approach to governments’ involvement in Internet governance should focus on overhauling the rules of engagement. These new rules would allow government officials to participate in architecting a new ‘distributed global governance framework’, with defined restrictions and in their macro-level role as public policymakers for Internet-specific matters. Notably, this function should not undermine the globally accepted norms and principles of Internet governance. Within a multistakeholder environment, all concerned parties could contribute to building a platform for further public policy elaboration. This could set the stage for the transformation of Internet governance into a truly international policy-making process. But in order for that to occur, we need visionary leaders, a change in mindset from control to collaboration, and strong political will.