Opinion, advice, and analysis by the TNW community

EU lawmakers need to look beyond the ‘top layer’ when regulating the internet

It's time for evidence-based policy making that is laser-targeted.

Untitled design(68)
Caroline Greer
Story by
Caroline Greer

Head of European Public Policy, CloudflareCaroline is the Head of European Policy, leading Cloudflare's public policy and advocacy initiatives, addressing a wide range of digital policy goals. Caroline focuses in particular on privacy and dat… (show all) Caroline is the Head of European Policy, leading Cloudflare's public policy and advocacy initiatives, addressing a wide range of digital policy goals. Caroline focuses in particular on privacy and data protection, content moderation and intermediary liability, cybercrime, cybersecurity and digital rights issues.

Brussels policy makers could be forgiven for wanting to move quickly to regulate ‘the internet.’ Assailed by an avalanche of public opinion and a ‘techlash’ against many of the tech giants, politicians and legislators have quickly sought to target those that loom large. Unsurprisingly, this has meant a disproportionate focus on the well-known consumer facing technology platforms.

Outwardly, this may seem like a sensible move. But problems occur when policy makers see these large tech platforms as ‘the internet,’ when in fact they are nothing more than the ‘top layer’ — the proverbial tip of the iceberg. Policy ideas and initiatives that underestimate the complexity of the internet ecosystem, with all its different parts, players, and business models, are dangerous and can ultimately lead to unintended consequences.

Many of the social concerns of today are clearly amplified at that top application layer of the internet, however, policy makers need to take a more nuanced approach in their regulatory efforts and reflect on the intricacy of the internet.

Take an internet giant like Google, for example, which many know for its search engine or video platform service YouTube. Besides these very visible consumer-facing services, Google also runs myriad other services at deeper layers of the internet stack. The same holds true for many internet companies.

Lazy, broad-stroke attempts at internet legislation risk having far more of an impact on internet infrastructure services than is commonly understood, many of which have little or nothing to do with the subject of the legislation they end up being targeted by. More broadly, this type of policy making is also having a chilling effect on innovation and indeed the decisions of smaller companies to enter the European market.

There has been a worrying trend under the current political mandate to apply blunt regulatory tools across a broad spectrum of internet services. The most recent EU legislative example is the draft Copyright Directive and its firehose aim at “online content sharing service providers.”

There are, in fact, many services which would be caught by this clumsy definition and the lack of precision in the text, and this is despite some of the carve-outs thrown in at a relatively late stage of the legislative process. As widely reported, the stakes are extremely high, with the pressure on all companies to filter and remove content which may in fact involve a perfectly legal use.

The current EU legislative proposal to address the removal of terrorist content online is another good example of noble intentions let down in parts by a fundamental misunderstanding of how the internet works.

Not only could this regulation actually be dangerous, as it fails to address due process concerns and respect fundamental freedoms and rights (as well described recently by a number of UN Special Rapporteurs) but once again, the proposal may pull in a wide range of companies and organizations which provide a hosting service function even if the service is not itself at risk.

Ultimately, the end result is that efforts to target a few come at the expense of other players who typically have little or no part in fueling online harms.

At the other end of the spectrum, the incredible complexity of legal text and service definitions involved in the current draft of the ePrivacy Regulation and the now approved EU Electronic Communications Code has resulted in confused looks and “it depends” reactions when presented to expert in-house engineers.

Such complex legal drafting frequently arises when policy makers grab at brand examples or try to take a crystal ball view of internet networks and services, all while attempting to strike compromises. The result is convoluted text which internet companies are then left to try to interpret and put into action, including those companies who had no reason to be included in the first place.

There is no easy solution, of course, other than to take time and considerable care when drafting. The desire to harmonize legislation at EU level — which is of benefit to internet companies that operate across borders, and correctly reflects the global nature of internet services today — is high, and damage can also be done when member states are left to their own devices in deciding which internet services are in scope, leaving companies to juggle this uncertainty (NIS Directive anyone?).

The internet has become deeply and irrevocably complex. There is a general lack of understanding that not all internet businesses involve the analysis, control or promotion of content, or even touch content in any meaningful way. The complexity of hosting services in particular needs to be better understood, and services making up the technical infrastructure layers of the internet should be isolated from content regulatory efforts.

We do, however, have a window of opportunity for self-correction. The new European Commission mandate is a chance to take a fresh and more effective approach to internet policy making and legislation. I hope that after such a rush of legislative efforts in recent years, time is taken to assess the impacts and to understand the inner workings of the internet.

My colleague and I at Cloudflare want to see evidence-based policy making that is laser-targeted. Regulation should be as narrow as possible in its focus, to reduce any negative impacts at the core infrastructure layers and to ensure that the internet continues to deliver on efficiency, speed, resilience, and security for European consumers.

Policy makers should engage with companies across all layers of the internet stack to improve their knowledge of how the internet actually functions beyond those services that are most visible to the eye or those that grab the headlines. We can and should do better.

Published June 18, 2019 — 14:00 UTC