We need binding technology neutral legislation, and this is why.
A poll on Social Media to find out who people believe is responsible for the usage of technology gave some very interesting results. (See also Sustainability and the ethics of technology https://link.medium.com/ccJklVGbd6)
There are some interesting observations to be made from these results. Although there is no absolute majority for either of the options, the collective majority does believe that the creators and users of technology at least own the responsibility over the usage, either joined or individually. It is also interesting to see that the minority feels that governments and regulators carry this responsibility.
Regardless of who is responsible for the usage of technology, and whether or not this is matter of a case-by-case decision, or if there should be some common framework for responsibility, the main question is who should enforce (and when needed penalize) the responsibility. The answer to that is of course straightforward. Governments, multilateral / international treaties and bodies like the European Union and the United Nations.
The solution is however less straightforward. Aligning local legislation with multilateral frameworks is a complicated and time consuming process. Different concepts and legal definitions of liability, and especially restrictions on liability and their effect on third parties, complicate the matter even further.
GDPR demonstrates however, despite its limitations which will be addressed later on, that it is possible to create such frameworks, which clearly define the rights for all its citizens, including the responsibility and liability for execution, regardless of the location of the other party. The common pre-GDPR privacy abuse, which unfortunately still goes on in too many companies, also demonstrates that we need more, much more multilateral frameworks to regulate the creation and usage of technology.
We have been able to learn how some companies and organizations respond to regulations and responsibilities in the recent years. The recurring data leaks and infringements of privacy regulations by Facebook for example, show us that companies are not only willing to break the rules for profit, but that they are even willing and able to continue doing so when there are no serious consequences.
The Panama-Files have showed us that companies and individuals are more than willing to find the loopholes in regulations to protect their profits, and the ruling is still open if all of it was fully legal. For now we know that at least some of it wasn’t.
And then there was, or still is, the Diesel-Gate scandal in which a significant part of the German auto industry demonstrated their willingness to cheat and commit fraud at the costs of their customers and the environment, to further increase their already good profitability…
These are only examples, and although I am fully aware that many companies will not follow these cases in point, these examples do demonstrate that the strive to increase profit will lead to criminal behavior by (some) decision makers. All the way up to the boards, as some Diesel-Gate revelations has shown. If there is anything we can learn from these discoveries in the recent years, it is that self-regulation is not an option!
On the other hand, purpose specific legislation is also not an option for several very clear reasons. First of all, technology is developing extremely fast and the pace of innovation will continue to increase. Developing legislation up till the point that these are executed by countries takes several years, especially when we look at international communities and multinational corporations. Purpose specific legislation would only lead to an ever growing gap between technology and the legal frameworks that should manage and control them.
In addition, purpose specific legislation has by its definition an enormous weakness which is even over amplified against the current setting of rapidly developing technology. The purpose will take a definition, and with the current pace of developments that definition will already be outdated before the draft legislation passes parliament.
A clear example of this is GDRP, which concepts originates from 2012. By the time it was implemented and became binding throughout the European Union in 2018, several principles were already overrun by new and unforeseen technologies, like e.g. blockchain and cryptocurrencies. The purpose specific definitions of data in GDPR assume that there is an owner of the data which is responsible and liable for the execution of GDPR compliance in its full extend. In a blockchain driven environment, there is no ownership of the data, nor is there a centralized institution which is responsible for GDPR compliance. Not to mention the challenges with the right to be forgotten once the distributed ledger technology has done what it is designed to do.
How long does it take until corporations will find ways to outrun purpose specific regulations and controls?
But let us not connect the challenges of purpose specific legislation to just blockchain, to avoid that this becomes a blockchain specific discussion. Digital Twins for example were also not a big thing in 2012, and most people are not aware that they already have a Digital Twin with for example credit score agencies. And every time a person shops online, there is a good chance that data about that person is exchanged with one or more credit score agencies. In some cases even before the person does the actual purchase, and definitely when that person selects one of the comfortable flexible payment options like instalment.
2 years ago I raised the question “does GDPR apply to the data stored in hashed digital twins?” in a panel of GDPR specialists, mainly lawyers, legislators, and consultants. Although there was a clear commitment to get back to me with an answer in a few days, that answer is still pending. What I did receive however are multiple requests from several members and participants to please explain once more what a digital twin is. Digital Twins form a bigger GDPR and privacy challenge than Blockchain!
All new EU-legislation should be guided by the ‘innovation principle’. This means that the potential effect of legislation on innovation should be investigated during the impact assessment phase of the legislative process. Technology neutrality in every level of legislation should be a core element of this.
Technology Neutrality will encourage innovation by creating transparency about the legal framework, just as much as it will encourage rapid adoption of new technology by creating transparency about usage, conditions and controls. By doing so, it will solve an innovation hindering circumstance which slows down most initiatives for developing and implementing new technologies, being the uncertainty about the legal framework.
As proud citizen of the European Union, I not only fully support this definition. I also hope that the EU will take the lead in implementing technology neutrality in all fields, including liability and controls.