The UK and EU establish positions as regulatory first movers while the US watches

British Union Jack and EU flags are pictured before the meeting with Britain's Brexit Secretary Stephen Barclay and European Union's chief Brexit negotiator Michel Barnier at the EU Commission headquarters in Brussels, Belgium, September 20, 2019.   Kenzo Tribouillard/Pool via REUTERS - RC11CD6EA940

The first mover advantage is well established in the commercial marketplace. The same concept works in the regulatory marketplace: Whoever gets there first has the upper hand to define what follows.

Unfortunately, while other liberal democracies race to define the digital future, the United States is AWOL. The nation whose governmental support helped establish American technological leadership now stands immobile when it comes to national governance and public interest oversight of that technology. When the Congress finally does get around to online oversight, the odds are high that since the policies already implemented in the European Union (EU) and United Kingdom (U.K.) will be the international standards the U.S. will have to follow.

I recently met with senior officials of the multiple British regulators that, under new legislation, will be charged with overseeing the activities of the major online platforms. I walked away with the conclusion that while the U.K. government’s long-promised, but undelivered legislation lags the EU, the U.K. is ahead in the preparation to implement digital oversight—even though Parliament has yet to enact the necessary legislation.

London and Brussels step to the front

The EU has enacted the Digital Markets Act (DMA), dealing with competitive issues, and the Digital Services Act (DSA), dealing with online content. The acts are now law and being implemented on a phase-in basis by the European Commission (EC), the EU’s administrative body.

Heretofore, the Commission has fulfilled the role of administrative technocrats to keep the machinery of the 27-member EU running. Now, the EC must develop the DNA of a regulator as well. Reportedly, the Commission is building a 150-200 person staff to focus on the new competition and content authorities.

In the U.K., Parliament has yet to pass the British equivalent of the DMA, the Digital Markets, Competition, and Consumer Bill, or the DSA equivalent, the Online Safety Bill. The government also has been unclear as to when lawmakers will act, other than to say both measures will be acted upon in this session of Parliament. Such legislative inertia has not stopped the relevant agencies, however.

While, in Brussels, the EC is developing its regulatory skills, the Digital Markets Unit (DMU) that will oversee the U.K. Digital Markets Bill has been stood up for over a year as a part of the Competition & Markets Authority (CMA). The DMU staff, currently around 40, will ultimately reach 150 to 200 focused experts. Ofcom, the U.K.’s equivalent of the Federal Communications Commission (FCC) will be responsible for the Online Safety Bill. Already, it has 350 employees working on content-related issues. Both the DMU and Ofcom have begun market studies and consultations that will define their ultimate actions.

“Because there is a belief digital platform companies have failed to sufficiently exercise their Duty of Care, however, the governments are stepping in.”

Duty of Care and risk-based regulation

Both the U.K. and EU initiatives are grounded in the common law, “Duty of Care” that holds providers of goods and services have the responsibility to anticipate the adverse effects of their offerings and take steps to mitigate those effects. The tort of negligence is rooted in the Duty of Care.

Because there is a belief digital platform companies have failed to sufficiently exercise their Duty of Care, however, the governments are stepping in. Both the EU and U.K. initiatives are based on the identification of the risks created by the platforms and how those risks can be mitigated.

“What is happening in London and Brussels is the creation of a de facto global digital risk management standard.”

Such risk-based systems are different from old industrial era regulatory micromanagement. Rather than top-down, “this is how you will run your business” regulation, risk-based oversight involves government making the effort to work with companies to identify harms and mitigation strategies. Companies’ failure to voluntarily do this is what has triggered government intervention.

Different processes, hopefully compatible results

While the goal of risk identification and mitigation may be similar, the U.K. and EU have dissimilar processes to reach such results.

The EU approach is a legislator-driven model. The DMA, for instance, identifies companies as “gatekeepers” based on their size. Once so designated, the companies must comply with legislated behavioral expectations. The U.K. has begun its oversight with more regulatory discretion to determine if a company has “strategic market status” and, if so, tailor specific remedies to the company.

The risk of such different approaches is that they could produce different outcomes. This is particularly worrisome in the interconnected world where, if the outcome of such different processes were to yield different requirements, incompatible results would be highly disruptive to both consumers and companies. There appears to be a heightened awareness that it does not serve anyone to have major substantive differences between the EU and U.K. policies. As one U.K. official told me, “When faced with the same evidence as the EU sees, it is not unreasonable to expect similar solutions.” Similarly, he observed, the U.K. and EU are not operating unaware of each other, and there is an expectation of significant amounts of cross-fertilization.

Participatory regulation

In the U.K., both Ofcom and the DMU plan to pursue what they describe as “participatory regulation.” This means that regulators will work one-on-one with target companies to develop behavioral expectations that can be regulatorily enforced.

In the case of Ofcom’s content moderation oversight, the companies will be expected to conduct their own Duty of Care analysis and share the conclusions with the regulator. The agency then will provide guidance on the validity of the assessment. Once a risk is identified, the parties work together to develop a behavioral code.

One of the first issues to be tackled, probably in 2024, is online content and children. Because of the sensitivity of free speech issues, Ofcom is looking to eschew choosing among various pieces of content in favor of behavioral codes. For instance, the code could require the platforms to use facial recognition software to identify the age of the user and deny access to certain material to anyone under 18.

The Digital Markets Unit plans a similar participatory process to develop a code for issues that can affect marketplace competition. Studies are already under way to determine which companies have substantial and entrenched market power in a specific area. Once that determination is made, the process will begin—with public input—to determine an enforceable behavioral code for the target company.

The creation of the DMU is a reflection that participatory regulation can be more efficient than antitrust litigation. The DMU code is not a substitute for the enforcement of competition laws by the parent Competition & Markets Authority; rather, it is intended to encourage through bespoke enforceable behavioral codes a flourishing and competitive marketplace.

“The creation of the DMU is a reflection that participatory regulation can be more efficient than antitrust litigation.”

Many of those I spoke to believe that the platform companies prefer the U.K.’s approach because of its tailor-made oversight rather than the EU’s more generic requirements. There is also a belief that it will benefit consumers more because, unlike when an appeal of an EU rule can shut down the rule as it affects all companies, an appeal in the U.K. affects the implementation of only one company’s rule.

Oscar Wilde was right

The U.S. is a passive observer of activities in the U.K. and EU. Congress has failed to pass either privacy or competition protection legislation. The Federal Trade Commission (FTC) is looked to for regulatory intervention but is under-resourced, under-empowered, and overstretched with responsibilities extending across the entire economy. The FTC made headlines when it recently added a dozen people to its new Office of Technology, but that workforce pales in comparison to the hundreds of specialists being mobilized in the EU and U.K.

Oscar Wilde warned of life’s two great tragedies: “One is not getting what one wants and the other is getting it.” The major digital platforms are American companies that have successfully used their economic and political power to keep Congress from acting. Having achieved what they wanted; they now face the reality that nations where they are not national assets will be making the rules for the interconnected world.

What is happening in London and Brussels is the creation of a de facto global digital risk management standard. The U.S. will have a difficult time participating in development of such a global standard if it has no policy of its own. As a result, the American platform companies may be looking at a future in which others define the rules and then the U.S. government, late to the matter, decides, “Well, you do it over there, let’s set that as the standard for American markets as well.”