1. Introduction

During the last quarter of a century, information technology (IT) has permeated most aspects of our daily lives. At the beginning of that period possession of a computer was still a rarity¹; today almost all businesses and the majority of UK homes² make extensive use of IT. The processing and communication of digital information is now so deeply entrenched in modern life that many of the things on which we rely, such as telecommunications and finance, would cease to operate without it.

As a consequence of this quiet revolution, legislators and regulators have made IT-specific provision in their laws and regulations.³ This is both sensible and understandable. IT is now as fundamental to both commercial and non-commercial activity as, say, motor transport, and one need only imagine the chaos which would ensue if the uses of motoring technology were completely unregulated.

However, the experience of those who work with IT regulation on a daily basis is that it is often unsatisfactory in a number of respects. First, in spite of the best efforts of regulators, IT regulation has consistently failed to cope with the rapid changes in the technology and its uses which we have seen over that period. Second, sometimes as a consequence of technology change but on occasion from the outset, IT regulation has produced effects which were very different from those intended by the regulator, leading to a number of undesirable and unintended consequences.⁴

This article attempts to identify the structural defects in IT regulation which have produced these unintended consequences, and discusses how those defects might be remedied in future regulation. It concentrates on IT regulation at the European Union level, both because that regulation has wide geographical application and because it often serves as a model for other countries’ regulation. It should be noted that the structural defects identified are not unique to EU regulation, and some examples from other jurisdictions are given to demonstrate this.

2. Futureproofing – technology-neutral regulation

Regulators have not been blind to the danger that rapid and unforeseeable advances in IT will render regulation unsuitable or ineffective, and have sought to prevent this occurring. Their primary tool for achieving this end has been to produce “technology-neutral” regulation, or at least to aim to do so.

Technological neutrality means that legislation should define the objectives to be achieved and should neither impose, nor discriminate in favour of, the use of a particular type of technology to achieve those objectives.⁵

The danger which technology-neutral regulation attempts to avoid is the embedding in the regulation of a particular model of how the technology works. Because IT changes so rapidly, any regulation which is specific to a particular implementation of IT will inevitably fail to cope adequately with the technology which replaces it.⁶

The EU’s Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, Towards a new Framework for Electronic Communications Infrastructure and Associated Services: the 1999 Communications Review⁷ sets out five principles with which IT regulation should comply. Such regulation should:

Be based on clearly defined policy objectives;

Be the minimum necessary to meet those objectives;

Further enhance legal certainty in a dynamic market;

Aim to be technologically neutral, and;

Be enforced as closely as possible to the activities being regulated.

This is not the earliest use of the term “ technology-neutral” in EU legislative documents.⁸ It first appears in July 1998 in relation to the protection of minors from undesirable online content⁹ and again in October in relation to e-money regulation¹⁰, and has been used in almost all proposals to regulate IT since then.¹¹ The concept may have been applied as early as 1990 when the Directive on data protection was first proposed¹², as the European Commission’s First report on the implementation of the Data Protection Directive (95/46/EC) in 2003¹³ states:

Despite the doubts raised during the negotiation of the Directive, Member States have thus reached the conclusion that the Directive's ambition to be technology-neutral is achieved, at least as regards the processing of sound and image data.

However, the concept of technology neutrality does not appear in the 1990 proposal, and the companion proposal for a Directive on telecommunications privacy¹⁴ contains a number of provisions which are quite technology-specific.

It appears that the EU has been generally successful in achieving technology-neutral IT regulation in its most significant legal instruments in that area.¹⁵ We can illustrate this by examining four legislative instruments which are representative of that body of regulation: Directive 95/46/EC on data protection¹⁶ (the Data Protection Directive); Directive 96/9 on the legal protection of databases¹⁷ (the Databases Directive); Directive 1999/93 on electronic signatures¹⁸ (the e-Signatures Directive); and Directive 200/46/EC on electronic money¹⁹ (the e-Money Directive).

The field of application of the Data Protection Directive is explained in art. 3(1), which provides:

This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.

It is immediately apparent that all technologies which might be used to process data automatically, most obviously computers but extending to older technologies such as punched card readers²⁰ and new technologies not yet invented, are covered by this drafting. Similarly, the key terms used in the Directive are either defined in technology-neutral language²¹ or are left undefined.²² The obligations imposed upon controllers and processors are non-technological and focus on behaviours such as fair and lawful processing²³, taking reasonable security precautions²⁴, providing information to data subjects²⁵ and the like. Overall, it is not possible to identify any provision of the Directive which does not apply to current technologies for processing personal data, or which would not apply to any such technology whose future development can currently be envisaged.

The Databases Directive deals with the commercial aspects of data, harmonising copyright protection for databases within the EU and introducing an unauthorised extraction right to protect some aspects of databases which are not subject to copyright. Its core subject matter is defined in apparently technology-neutral terms:

“Database” shall mean a collection of independent works, data or other materials arranged in a systematic or methodical way and capable of being individually accessed by electronic or other means.²⁶

Initially this definition was criticised for restricting protection to databases which were arranged systematically or methodically, on the ground that it would exclude those technologies which used advanced software to make unstructured data accessible.²⁷ However, it seems probable that completely unstructured databases are unlikely to be commercially exploitable²⁸ and that the definition is thus, in practice, technology-neutral.

The owner of rights in a database is granted legal protection against infringing copying of those elements protected by copyright, and against extraction or re-utilisation of a substantial part of the non-copyright protected elements.²⁹ “Extraction” is “the permanent or temporary transfer of all or a substantial part of the contents of a database to another medium by any means or in any form”, and “re-utilisation” occurs by “any form of making available to the public all or a substantial part of the contents of a database”.³⁰All of these are technology-neutral concepts.

Electronic signatures are by definition a creature of computing technology, and it might therefore be expected that their regulation could not be technology-neutral. However, the UK’s law relating to signatures has always been based on their evidential functions rather than the means used to effect a signature³¹, and the trend in e-signature regulation world-wide is to adopt a functional rather than a formal approach.³²

The e-Signatures Directive is, of course, not completely technology-neutral because it applies only to electronic signatures. However, within that limitation the Directive is remarkably successful in not mandating or excluding any particular e-signature technology.

Electronic signatures are defined by art 2 of the Directive as follows:

1. “electronic signature” means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication;

2. “advanced electronic signature” means an electronic signature which meets the following requirements:

(a) it is uniquely linked to the signatory;

(b) it is capable of identifying the signatory;

(c) it is created using means that the signatory can maintain under his sole control; and

(d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.

This produces two types of electronic signature.

The second is advanced electronic signatures where the identity of the signatory is confirmed by a certificate issued by an appropriate third party³⁵ and complying with other provisions of the Directive (a qualified certificate)³⁶ and the certificate is created by means of a secure-signature-creation device.³⁷ The Directive provides that advanced signatures of this type will satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a hand-written signature satisfies those requirements in relation to paper-based data, and are admissible as evidence in legal proceedings.³⁸ The characteristics of qualified certificates and secure-signature-creation devices are set out in functional, rather than technological terms: as examples, a qualified certificate must identify the issuing certification-service-provider³⁹, who must “use trustworthy systems and products which are protected against modification and ensure the technical and cryptographic security of the process”⁴⁰, and secure-signature-creation devices must use “appropriate technical and procedural means” to ensure the uniqueness and unalterability of the signature.⁴¹ Thus although the predominate technology for creating such advanced e-signatures is via public-private key encryption⁴², it is equally feasible to implement other e-signature technologies, such as biometrics⁴³, so as to comply with the Directive.⁴⁴

The e-Money Directive regulates the issuance⁴⁵ of electronic money, defined as:

monetary value as represented by a claim on the issuer which is:

(i) stored on an electronic device;

(ii) issued on receipt of funds of an amount not less in value than the monetary value issued;

(iii) accepted as means of payment by undertakings other than the issuer.⁴⁶

The only technological element of this definition is the requirement for storage on an electronic device. The Directive makes provision for authorisation of issuers, the financial requirements for authorisation and operation, redeemability of e-money, and the sound and prudent operation of the issuer. It is possible for the national supervisor of an electronic money institution to impose technology-specific rules, but the general practice in financial supervision is for these regulations to be technology-neutral as well.⁴⁷

If, then, the EU’s regulation of IT has to a large extent succeeded in its aim of technological neutrality, we must look elsewhere for the reasons why it has failed to cope with technological change and has produced unintended consequences. Is there some other aspect of futureproofing which is not addressed by technology-neutral regulation?

3. Embedded business models

Although it is common to talk of IT regulation, this is of course no more than a shorthand expression. It would be nonsensical to speak of a computer itself as being in breach of some regulation. What we mean by IT regulation is regulation of the users of IT and the uses they make of the technology; in other words, regulation of human behaviour in relation to IT use.

Regulators cannot undertake this task purely in the abstract. They need to develop an understanding of how IT is actually being used, or how it is expected to be used, in order to identify the behaviours which the regulation should attempt to influence. Thus IT regulation will always be based on some model of technology use, a business model. “Business” is used here in the wider sense of activity⁴⁸, rather than as a limitation to commercial uses of IT, though of course the majority of IT regulation is found in the commercial sphere and applies predominantly to commercial actors.

Are these business models relevant to the problem of futureproofing? The answer must surely be, “yes”. If the business model is used not merely to identify the behaviours which should be regulated but is in addition embedded in the regulation, then the regulation will often mandate IT users to adopt that business model. It is well-known that business models in the IT arena change almost as fast as the technology itself changes, particularly where there is some element of online activity, and that predictions of the ultimate business model or models which will be adopted are rarely accurate. Thus regulation which contains an embedded business model is at risk of exhibiting the same defects, so far as futureproofing is concerned, as regulation which embeds a particular technology and is thus not technology-neutral.

Outside the field of IT regulation it is common to find business models embedded in regulation. Thus, for example, the UK Partnership Act 1890 s. 1(1) provides:

Partnership is the relation which subsists between persons carrying on a business in common with a view of profit.

and the remainder of the Act sets out the consequences of establishing such a relationship, as between the partners themselves⁴⁹ and in relation to persons dealing with the partnership. The modern shape of UK companies regulation, which was established in the second half of the nineteenth century⁵⁰, is based on an embedded business model under which the company has a discrete legal identity, is owned by its shareholders and is controlled in its day-to-day operations by its directors.

However, these are both examples are of regulation which was devised long after their respective business models became established by use. By the time the regulation was enacted the evolution of these business models had stabilised to such an extent that embedding them in the regulation did not cause major difficulties. It is instructive that the pre-1862 companies legislation, which was largely reactive to the problems which emerged as new uses of the corporate structure and new structures themselves were adopted, was amended constantly without much real success in achieving an effective system for their regulation.⁵¹

In the IT field it has been commonplace to regulate as soon as the potential implications of a new technology are noticed, and well before the business models under which that technology will be used are established. Such attempts to regulate a future which, it is clear, will contain a substantial degree of change can only be successful if the regulation is both technology-neutral and is capable of regulating the new business models which will inevitably emerge. Unfortunately, none of the regulation examined in part 2 above has succeeded in achieving this second requirement; in each case because elements of an inappropriate business model are unconsciously embedded in the regulation.⁵²

3.1 EU IT regulation

It is perhaps unsurprising to find this defect in the Data Protection Directive, given the historical origins of data protection law. The Directive is based on the 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data⁵³, which itself has its origins in the Swedish Data Act of 1973⁵⁴ and the German Lande of Hesse’s Data Protection Act 1970.⁵⁵ At that time, computers were rarely found outside universities, central and local government departments and large corporations. Although there were signs that the use of computing technology might become more widespread⁵⁶, the business model on which these early laws were based was dictated by the limitations of the current technology.⁵⁷ Thus these laws assumed an organisation which:

Operated a limited number of computers, usually only one, which had limited or no connectivity to other computers;

Held each of its working⁵⁸ datasets in a single physical location and in most cases as a single set of punched cards or magnetic tapes or disks; and

Allowed direct access to the computer and datasets only to a small core of technical staff.

This business model explains why the 1981 Council of Europe Convention concentrates its provisions primarily on the “ automated data file” and the “controller of the file”.⁵⁹ Article 3, which sets out the scope of the Convention, contains seven references to files and only one reference to the processing of personal data. The data security obligations of art. 7 apply only to the file, and the subject access provisions of art. 8(a) and (b) similarly apply only to files. It is clear that the drafters of the Convention had the business model set out above very much in mind, and to some extent embedded that model implicitly in the Convention.

By 1995 when the Data Protection Directive was enacted, it was clear that the processing of personal data was being undertaken very differently from the 1970s model. Many businesses were operating networks of personal computers, allowing staff to store data locally as well as to access central data files, and a rapidly increasing proportion of the population had access to a personal computer at home.⁶⁰ This was also the year when the internet is thought to have entered the consciousness of the general public⁶¹, but although this development must have been known to the European Commission it was too late for the Directive to be amended to take account of the new possibilities for processing personal data online.

The legislative history of the Directive shows a recognition that the underlying business model for personal data processing was changing. The original 1990 proposal followed the Council of Europe Convention by drafting in terms of the file⁶², but the importance of this concept was reduced in the Commission’s modified proposal of 1992⁶³ and eliminated in the final text.⁶⁴ In spite of these amendments, however, three elements of the 1970s business model remain embedded in the Directive:

The concept that an organisation, rather than its individual staff, determines whether personal data will be collected and for what purposes. This is seen most clearly in the notification provisions of arts. 18 and 19, which require a controller to notify the relevant national authority of a number of matters, including types of data to be collected and the purposes for which they will be processed, and not to commence processing prior to such notification. In the modern, distributed processing model these matters can be initiated by individual staff, and it is not feasible for an organisation to prevent decisions to collect and process data being made, or to require them to be reported so that notification can be made. In practice this problem is largely overcome by notifying very wide and general categories of data and processing, but it is almost certain that every large organisation is still in breach of these articles because of the activities of some of its staff.

The concept of controller itself is also an echo of the 1970s, containing an implicit assumption that there is central control of personal data processing and that the organisation’s staff merely undertake that processing in accordance with central instructions. Under art. 2(d) the controller is defined as “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data”. If this were applied strictly to, say, a modern university, it is clear that almost every member of academic staff, and a large proportion of non-academic staff, will be controllers because they act autonomously in determining the purposes and means of processing personal data.⁶⁵ This would mean that each of these staff would have obligations to notify, to provide information to data subjects, to receive and act on subject access requests etc.

The assumption that data can only be accessed via possession of a physical copy of the dataset is implicit in art. 25, which provides:

… the transfer⁶⁶ to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if … the third country in question ensures an adequate level of protection.

It is clear that if a copy of a dataset⁶⁷ containing personal data is given to a person in a third country, a transfer will have taken place. However, it was only in 2003 in the case of Lindqvist⁶⁸that the ECJ determined whether permitting remote access from a third country to personal data held on a server in the controller’s country would infringe art. 25. The court decided that including personal data in a web page amounted to “processing”, but that its availability world-wide via the internet was not a transfer of that data to persons accessing the website. Unfortunately the court did not give reasons for this decision, which nonetheless appears to confirm that art. 25 is not applicable to remote access to data and thus that the 1970s business model is firmly embedded in this part of the Directive.

The Databases Directive was enacted only a year after the Data Protection Directive, but even by the date of its original proposal in 1992⁶⁹ database technology was comparatively well-advanced and, in particular, the commercial methods of exploiting databases had largely ceased to evolve. Databases were then, and still are, exploited in one of two ways: by providing online access on a subscription basis (usually via dial-up in 1996 rather than online, as today); or by supplying a copy of the database to be installed on the user’s computing equipment in return for a licence fee. Although the business models were stable, however, the Databases Directive unintentionally embedded in its drafting the concept that the business of database makers was to seek out and make available third party data, rather than exploiting their own data.

Under art. 7(1) the Directive grants a sui generis right to prevent unauthorised extraction and/or reutilisation to:

… the maker of a database which shows that there has been qualitatively and/or quantitatively a substantial investment in either the obtaining, verification or presentation of the contents …

Until 2004, the general consensus was that these words covered databases both of content originating from third parties, and content originating from the maker of the database.⁷⁰ Organisations which generate data, such as stock exchanges and market research companies, spend large amounts of money and effort in collecting, checking and storing their data, and there seemed no doubt that this would amount to a “substantial investment” for the purposes of art. 7(1). In that year, however, the ECJ decided the case of British Horseracing Board Ltd and Others v William Hill Organization Ltd.⁷¹The claimant (BHB) maintained a large database of information relating to horse racing, and the defendant had copied parts of it indirectly from sources published under licence from BHB, for use in the defendant’s betting business. Initially in the UK the case proceeded on the assumption that the BHB database was protected by the sui generis right⁷², and concentrated on whether William Hill’s use infringed that right. Various questions about the proper interpretation of the Directive were referred to the European Court of Justice⁷³, including two which asked for a ruling on the proper interpretation of “obtaining” and “ verification” in art. 7(1). In its judgment, the ECJ concentrated on these two questions. It made a distinction between creating and obtaining data, and held that any investment in the creation of data should not be taken into account in deciding whether the investment in making a database was substantial. When the UK Court of Appeal applied this ruling to the facts⁷⁴, the outcome was that the investment in the BHB database was almost all in its creation, and that therefore the database received no protection via the sui generis right.⁷⁵

The effect of this decision is that most databases which consist of data generated by their maker will fall entirely outside the Directive’s sui generis protection. The implicit and clearly unintended⁷⁶ assumption of the drafters, that the database industry’s role was to collect and make available third party data rather than to generate such data itself, was found by the ECJ to be reflected in the language of art. 7(1) and the recitals, and thus to limit the scope of the sui generis right.

In its efforts to achieve technology-neutrality, the e-Signatures Directive managed also to avoid embedding most aspects of the various e-signature business models which were then under development. However, its aim of legislating for a type of e-signature⁷⁷ which would be accepted in all Member States and beyond required it to include provisions relating to the liability of the entity (the certification-service-provider) which certifies the signatory’s identity and other attributes.⁷⁸ By issuing such a certificate, the certification-service-provider is subject to negligence-based liability to any person who relies on the following matters:

The accuracy of the certificate’s contents⁷⁹;

That the person named in the certificate controlled the technology used to create the signature⁸⁰; and

That the certification-service-provider’s register of revoked certificates is accurate.⁸¹

These liability provisions contain an implicit assumption that these matters are under the certification-service-provider’s control, i.e. that it performs identity and attribute checks before issuing the certificate, verifies that the signatory controls the technology and operates the register of revoked certificates. These liability provisions derive from the ANSI X.509 standard⁸², which assumed an open rather than a closed PKI model⁸³, and thus that the applicant for a certificate would provide proof of identity direct to a Certification Authority (a certification-service-provider in the Directive’s terms). This assumption was based on an operational business model described in RFC 2527⁸⁴ which assumed that a signatory would purchase a single signature certificate from an independent Certification Authority and would use that certificate to validate all his e-signatures.

As e-signature schemes have been developed in recent years it has become clear that this model is not commercially viable. What happens in practice is that third parties, such as corporations or trade associations, identify a need for their employees or members to use electronic signature technology. In that case the third party enters into an agreement with a Certification Authority under which the third party will act as a Registration Authority. The Registration Authority, which already has a relationship with potential signatories, then identifies individuals and their attributes and provides the necessary identification information to the Certification Authority, using technology provided by the Certification Authority. The signature certificate issued by the Certification Authority thus certifies that the signatory has identified himself to the Registration Authority, and not directly to the Certification Authority.

This modern business model does not map accurately to the liability provisions of X.509-based legislation such as the Directive. As explained above, those laws place liability for inaccurate information in the certificate on the Certification Authority, whereas the body which has failed to take proper identification evidence is the Registration Authority. The consequences of this mismatch will be explored in part 4 below.

The Directive also provides in art. 6(3) and (4) that a certification-service-provider may establish use limitations and transaction limits⁸⁵ in the certificate. However, it does not explain the legal basis on which such limitations will be binding on the relying party, or even provide that they will be binding at all. This is also based on RFC 2527, whose description of the liability of Certification Authorities to relying parties assumes that limitations contained in a published certificate policy⁸⁶ will be binding, either in contract or tort.⁸⁷ It is far from certain that this is a correct statement of the law, because it assumes that relying parties will receive from their software, or will seek out, information about these matters before relying on a certificate. Given that the appropriateness of the scheme of liability allocation in the Directive is based on the enforceability of these limitations, it is surprising that the UK implementing legislation⁸⁸ does not deal at all with the issue of use limitations and reliance limits, apparently sharing RFC 2527’s presumption that these will be binding in contract or tort.

In the case of the e-Money Directive, there are two elements of embedded business model, one accidental, based on the anticipated way in which the technology would be used, and the other deliberate. The first element is the assumption that e-money would be used in a similar way to cash, and would therefore consist of an electronic equivalent of notes and coins which would be held in the possession of the customer, rather than merely recorded as accounting data as is the case for value held in bank accounts.⁸⁹ Thus recital 3 of the Directive states, “electronic money can be considered an electronic surrogate for coins and banknotes, which is stored on an electronic device such as a chip card or computer memory and which is generally intended for the purpose of effecting electronic payments of limited amounts”, and the definition of electronic money in art. 1(3)(b) is:

monetary value as represented by a claim on the issuer which is:

(i) stored on an electronic device;

(ii) issued on receipt of funds of an amount not less in value than the monetary value issued;

(iii) accepted as means of payment by undertakings other than the issuer.

The rapid spread of internet access to consumers has meant that much simpler e-payment technologies have become workable – for example, the world’s largest non-bank payment service, PayPal, holds funds on its internal accounting system and effects payments by simple book transfers. Only in the last two or three years have stored value e-money systems, the primary technology envisaged by the Directive, begun to achieve commercial significance.⁹⁰

The deliberately embedded element was that issuers of e-money should be regulated as financial institutions, adopting the regulatory mechanisms which had been devised to ensure that custodians of financial assets would not put the value of those assets unreasonably at risk. Without considering whether this was the most appropriate way of regulating a pure payment technology with almost no custodianship element and which, at the time, had not been put into commercial operation to any appreciable extent⁹¹, the Commission proposed a text under which e-money would be authorised and supervised by a national financial supervisor⁹², meet minimum capital and liquidity requirements⁹³, limit investment of the float to specified, low-risk vehicles⁹⁴, and engage only in “ the provision of closely related financial and non-financial services”.⁹⁵

The justification for these restrictions (most importantly the last, as we shall see in part 4 below) is to some extent for the protection of consumer holders of e-money, but primarily to “preserve a level playing field between electronic money institutions and other credit institutions issuing electronic money”⁹⁶ by limiting the ability of e-money issuers to compete with established financial institutions. For these policy reasons, therefore, the Directive embeds a business model under which e-money issuers are require to be regulated institutions, engaging solely⁹⁷ in the business of issuing and redeeming e-money. As explained below, recent developments in technology have led other types of business entity into the field of payment services, with the consequence that the Directive’s provisions do not fit appropriately with their business practices.

3.2 Embedded business models in non-EU regulation

This examination of EU examples of IT regulation merely illustrates a phenomenon which can be observed world-wide. Business models are embedded in much of the world’s IT regulation, perhaps to an even greater extent than that of the EU.⁹⁸ This is seen particularly clearly in the field of e-signatures, where early legislation was usually inspired by the ANSI X.509 business model and thus embedded many features of that model.⁹⁹

One of the most troublesome business models which often attracts the attention of regulators is that of the offline publishing industry, in which those who make information available to the public, publishers, undertake a process of selecting the material which they will make available and exercise editorial control over its contents to ensure, amongst other things, that the published information complies with national controls on content such as defamation and indecency laws. Regulators have consistently failed to resist the temptation to apply this model to online intermediaries such as ISPs, based on the only similarity with publishers that each makes information accessible. Perhaps the most interesting examples of this phenomenon are the US Communications Decency Act 1996¹⁰⁰ and the Australian Broadcasting Services Amendment (Online Services) Act 1999.

The intention of the Communications Decency Act was to introduce new criminal offences of knowingly creating, sending, transmitting or displaying obscene or indecent materials to minors, or knowingly permitting the use of telecommunications systems for these purposes. As a counterbalancing element, the legislation provided protection for “Good Samaritan” activities on the part of ISPs. The aim was to overrule Stratton Oakmont Inc v Prodigy Services Co¹⁰¹ and thus permit ISPs to introduce blocking or filtering technology without assuming the role of editor or publisher, which would otherwise make them responsible for the third party content.¹⁰² However, the new criminal offences were struck down in ACLU v Reno¹⁰³ as infringing the First Amendment protection for freedom of speech, leaving the immunity provisions of § 230(c) to stand alone. The relevant part is sub-section (1) which provides, “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” The effect of this, discussed further in part 4 below, is to give a broad immunity from civil liability to ISPs and other intermediaries.

Australia’s attempt to apply the publishing business model to ISPs took a different approach, trying to impose the same censorship regime as for films. The Broadcasting Services Amendment (Online Services) Act 1999 inserted a new Schedule 5 into the Broadcasting Services Act 1992, s. 10 of which defines “ prohibited content”¹⁰⁴ which ISPs must not host. Content which has not yet been classified, including content hosted outside Australia, is “potential prohibited content”. ¹⁰⁵ On request from any person this must be classified by the Australian Broadcasting Authority (the ABA), using the same tests as for films and video games.¹⁰⁶ If a complaint is made that potentially prohibited content is being hosted in Australia or is accessible via an Australian ISP, and it is classified as prohibited content by the ABA, then the ABA can issue a take-down notice to the ISP¹⁰⁷ or, in the case of content hosted outside Australia, give notice requiring the ISP to prevent access to that content.¹⁰⁸ Failure to comply with such a notice by the end of the next business day is a criminal offence.

Both these laws were enacted on the assumption that, like offline publishers and film distributors, an ISP is capable of examining the content it makes available, accessing its compliance with legal standards and making the editorial decision whether to make that content available. This is so far from reality that it is unsurprising that neither law achieved its legislative aims.

3.3 Consequences of embedding

It would seem obvious that the presence of embedded business models will have the consequence that IT regulation is less futureproof than it might be. As new business models develop, compliance with regulation will inevitably become more difficult.

More serious, however, is the effect that these embedded business models have on the behaviour of those who are subject to the regulation. The next part of this article argues that the consequences of embedding have been largely unforeseen, and have been so different from what was expected by the regulators that, in some instances, the regulation produces effects which are very far from the original intention of its promoters.

4. Unintended consequences of embedded business models

Regulation aims to influence and control human behaviour, and the vast majority of businesses and private individuals want to act lawfully. It is therefore no surprise that IT users adopt behaviours which they believe will enable them to comply with IT regulation. If, though, we examine the behaviours which they have been constrained to adopt, it is often the case that these are very different from what the regulator originally intended. In many instances these unintended consequences of regulation are caused by those features which embed outdated or unworkable business models.

Part 3.1 above identified three embedded business model elements in the Data Protection Directive: that an organisation rather than its staff as individuals would determine the processing of personal data; that individuals would not exercise sufficient autonomous control over these matters to be data controllers themselves; and that access to and use of personal data required possession of a physical copy of the dataset. The consequences of the mismatch between this model and reality, where possession and control of data is widely distributed and online access is, for most purposes, indistinguishable from use of a local copy of a dataset, has three main consequences.

First, the requirement to notify to a controller’s national authority the types of personal data which will be held and the purposes for which they will be processed has become almost meaningless. Organisations no longer have detailed knowledge of the personal data processing undertaken by their staff, and in some cases even their “big picture” understanding of that processing may be inaccurate. In order to permit theoretical compliance with the Directive notification is made using broad, uninformative categorisations of data types and processing purposes¹⁰⁹, which fail to achieve the Directive’s aim that data subjects should easily be able to discover what kinds of data an organisation might hold about them and how the organisation intends to use that data.¹¹⁰ Notification has become a purely internal compliance function, undertaken for its own sake rather than for any useful end.

The second consequence is that compliance with the letter of the Directive is in many respects impossible in practice for any but the smallest organisation. To take just two examples:

Article 11 requires a controller who obtains personal data from a source other than the subject to inform the subject of various matters at the time of recording the data or disclosing it to a third party. In, say, a university it is highly likely that some academics will have produced their own databases of information about their students’ academic progress. Whether those students are informed about this will depend entirely on that academic’s knowledge of data protection law. It is not feasible to devise central systems or processes to ensure that the university as a whole complies with art. 11. All large organisations experience similar compliance problems.

A subject access request under art. 12 will be met by disclosure of the relevant records from an organisation’s central computer systems, but it is unlikely that the organisation will be able to identify whether individual members of staff hold further information on their own computers or, even if this is discoverable, to devise an effective system for disclosing that information. It is fortunate that in practice most data subjects are satisfied with disclosure of central records only.

This situation is not unworkable because organisations and their staff normally comply with the spirit of the law, to the extent that they are aware of it. However, a system of regulation with which full compliance is impossible is clearly undesirable.¹¹¹

Thirdly, the concept of protecting data subjects against the transfer of their personal information to “data havens”, based on controlling the possession of datasets, has become meaningless in the online age. Lindqvist¹¹², if it is correctly decided and not reversed by future legislation, means that the complex legal structures which have been developed to make offshore outsourcing possible¹¹³ will no longer be required if the dataset can be stored within the EU and simply accessed remotely by the outsourcing service provider. The aim of art. 25, that personal data held in the EU should not be processed in another country which does not provide an adequate level of protection for that data, has been defeated by a change in business model.

The Databases Directive embeds a simple business model concept, that databases are made by intermediaries who collect third party data and make it available rather than by those who collect or generate data themselves directly. The effect of art. 7(1), as explained in British Horseracing Board Ltd and Others v William Hill Organization Ltd¹¹⁴, is to prevent most databases whose content was generated by their maker from benefiting from the sui generis right. This is exactly the opposite of the original intention of the legislator.¹¹⁵

It is not possible for the maker of an unprotected database to prevent indirect extraction or re-utilisation by limiting access to online customers and imposing contractual restrictions on them, as art. 8(1) provides:

The maker of a database which is made available to the public in whatever manner may not prevent a lawful user of the database from extracting and/or re-utilizing insubstantial parts of its contents, evaluated qualitatively and/or quantitatively, for any purposes whatsoever.

The only option remaining is to create a special-purpose corporate vehicle, to which the data is licensed for a fee and which itself compiles the data into a database. Provided such a vehicle makes the database, rather than merely receiving a ready-made copy from the data creator, the licence fees will amount to a substantial investment in obtaining the data and should thus qualify the database for sui generis right under art. 7(1). Such a corporate vehicle serves no commercial purpose other than overcoming the defects in the Directive caused by the embedded business model.

The liability provisions of the e-Signatures Directive embed a certification model under which the certification-service-provider itself performs checks on the identity and other attributes of the signatory and also confirms that the signatory possesses the signature-creation key. The effect of this is that the person who actually performs these functions, the Registration Authority, has no direct liability to a relying party.¹¹⁶ This mismatch of business models creates real uncertainty as to the certification-service-provider’s liability. There are two possibilities:

Because liability under the Directive is negligence-based¹¹⁷, a certification-service-provider might be held to have no liability at all to a relying party. Both UK¹¹⁸ and US¹¹⁹ negligence cases have held that where a function is properly delegated to a third party it will not be negligent for the delegator to rely on the performance of that third party unless there are reasons to suspect improper performance. This interpretation, if correct, would mean that the Directive has in practice failed to achieve its aims so far as liability is concerned.

If, however, the negligence liability imposed on certification-service-providers by the Directive is a non-delegable duty¹²⁰ then liability can be reallocated from the certification-service-provider to the Registration Authority by means of indemnity provisions in the contract between them. These will normally extend beyond relying party losses and encompass some of the certification-service-provider’s own risks. To counterbalance the extra risks which a Registration Authority thereby accepts, it is likely to insist on use limitations which prevent the certificates being used outside the confines of the closed PKI for which the contract was negotiated. This need to allocate liability risks through contract, rather than imposing them by law on the party who can obviate the risks, makes it less likely that existing closed PKIs will be extended to create the form of open PKI for Europe envisaged in the Directive.

It is worth noting that the uncertainties as to the liability position are made worse by the Directive’s failure to specify clearly whether, and on what legal basis, any use limitations and transaction limits are binding on relying parties. This failure derives from assumptions about the way in which certification-service-providers and relying parties will communicate during the signature verification process, and thus how the law of contract and tort will view these limitations, and is a further consequence of implicit business model embedding.

The two embedded business model features found in the e-Money Directive, that e-money would be held in the possession of the user and that issuers should be authorised financial institutions only, have combined to produce real uncertainty as to which electronic payment technologies fall under the Directive. The wording of art. 1(3)(b)(i) requires e-money to be a claim on the issuer which is “stored on an electronic device”, and it is strongly arguable that online payment systems which operate by transferring account balances held with the service provider (accounted e-payments) do not fall within this definition. What is stored on the provider’s accounting systems is not the value itself but instead a record of the provider’s indebtedness to each customer.¹²¹

To avoid the risk of acting unlawfully, accounted payment services such as PayPal and Neteller have obtained UK authorisation as electronic money institutions. However, a number of other businesses which are already in possession of customer funds have recognised the value of providing a payment service as part of their business model. The most important of these are the mobile telephone companies whose customers pre-pay for airtime. From those prepayments the companies can offer the service of making payment to selected merchants by simple internal accounting transfers. This accounted e-payments business model does not map easily on to the regulatory regime of the Directive, and the UK FSA’? s attempt to treat such services as e-money¹²² has foundered because, apparently unnoticed by the FSA, requiring mobile telephone companies to become authorised as electronic money institutions would prevent them from continuing to provide telecommunications services. It remains to be established whether such payment services will be treated as e-money or will fall under the far less onerous provisions of the proposed Payment Services Directive.¹²³

It may also be worth noting here that the supervisory model for e-money issuers, based on the assumption that they act as custodians of assets, means that acting as an authorised e-money issuer can only be a low-margin activity, and is only likely to be profitable for large issuers. This is a substantial entry barrier to potential new e-money services. As pointed out in part 3.1, however, the embedding of this business model was intentional, and may thus in part have been designed to preserve existing financial institutions from competition in the payment services market.

Where regulation has been based on the liability model for offline publishers and broadcasters, as discussed in part 3.2 above, the unintended consequences have been far more striking. Because parts of the original US Communications Decency Act were unconstitutional, these were struck out by the Supreme Court leaving only the provisions granting immunity from civil suit. In subsequent litigation it has been held that the Act provides a complete immunity from civil actions for defamation,¹²⁴ even where the ISP pays the author for the right to provide access to the defamatory material,¹²⁵ and even from a civil action alleging negligence in failing to prevent continued solicitations to purchase child pornography made via the ISP’s system.¹²⁶ The aim of the legislation was to make ISPs police the internet and reduce the volume of indecent material available; the outcome has been exactly the opposite, and ISPs do no policing at all.¹²⁷ Similarly, the Australian Broadcasting Services Amendment Act had been intended to apply cinema censorship rules to online content. However, ISPs have no obligation in respect of prohibited content if they operate a “ restricted access system”¹²⁸, and have therefore universally adopted the simplest method of achieving this by supplying filtering software to their customers. Filtering software is notoriously ineffective, particularly as its filtering parameters can be adjusted by technically knowledgeable users such as children. So far as an outside observer can ascertain little or no censorship of online content occurs in Australia, but providers of filtering software have found an important and continuing market.

5. Business model-neutral regulation

If, then, embedding business models in IT regulation produces structural defects which have unintended and unfavourable consequences, it would seem obvious that we should aim to regulate IT in a way which is not only technology-neutral, but business model-neutral as well. Achieving this aim is, however, more difficult than stating it.

A counsel of perfection would be to abstain from regulation until the business models adopted for a new field of IT activity have become established, thus reducing substantially the danger of unintentionally embedding features of an incompatible business model. Such a policy of masterly inactivity¹²⁹ is difficult to sustain, however, in the face of the pressures on IT regulators. All the EU Directives discussed above were enacted to resolve the situation of differing and incompatible national laws, as was the US E-Sign Act. Masterly inactivity can be effective if these pressures are absent; the US took a policy decision in 1996 not to regulate e-money until it became a significant factor in the payment services market¹³⁰, and this has proved a wise decision as the current e-money business models are very different from those envisaged in 1996.

5.1 A three-step approach

It is unusual to find a business model embedded in regulation intentionally – the only example identified above is the restriction of e-money issuance to authorised institutions. More commonly the embedding is both implicit and unconscious. The first step towards business model-neutral regulation must therefore be for the regulator to articulate the business model which has inspired that regulation.

This will enable two important checks to be made:

The business model can be compared with current uses of the technology to identify errors and omissions. As an example, although the internet had not entered the public consciousness during the period 1990-1995 when the Data Protection Directive was under discussion, it was well-known that organisations were sharing data cross-border via proprietary networks rather than transferring datasets between those countries. Articulating this fact would have raised the question whether such sharing amounted to a “transfer” of data, and thus avoided embedding in the Directive the assumption that physically transferring copies of datasets were the only way in which cross-border use would be undertaken.

Predicted changes in the technology and its use can then be researched, and their effects on the underlying business model analysed. In relation to e-signatures the concept of involving a Registration Authority in the certification process had been identified by 1999¹³¹, and even before that date experts were arguing that the closed PKI model would be more commercially successful than the open model.¹³² Identifying this as a potential development in the e-signatures business model would have raised the question of what liability the e-Signatures Directive should impose on Registration Authorities. Similarly, the e-Money Directive’s embedding of the stored value business model for e-money was based on the predominate technologies of the time, but accounted e-payment systems were already in operation¹³³ and the mass penetration of the internet to private users was clearly predictable.¹³⁴ This should have alerted the regulators to the possibility that the accounted e-payment model might soon become viable, and thus led them to consider whether such payment services should be encompassed by the Directive.

The second step is to avoid the temptations of analogy. The fact that an existing sphere of activity operates successfully under its current regulation does not mean that a new activity, whose anticipated business model has common features with that of the existing activity, can successfully be regulated in the same way. The US Communications Decency Act and the Australian Broadcasting Services Amendment Act provide striking examples of how spectacularly this approach can fail. The danger of regulating by analogy will be much reduced if the business model of the new activity is properly articulated, as suggested in step one, because if this is done the differences between the two business models should become apparent.

The final step which regulators need to take, once they have a clear (and ideally reasonably mature) business model in mind, is to ensure so far as is possible that the regulation does not either (a) mandate those subject to the regulation to adopt the particular business model, or (b) favour that model over alternative models which might later be developed. This is a similar approach to that which has been largely successful in achieving technology-neutral regulation¹³⁵, and is examined in detail in the next part.

5.2 Achieving business model-neutrality

Once a clear and accurate business model for the activity to be regulated has been developed, regulators will have sufficient information about that activity to attempt to draft it in business model-neutral terms. There are a number of techniques which would assist this process.

First, it is essential to identify and enunciate the regulatory objectives. It is surprising how seldom this is done in any depth, and how easy it is to assume that controlling some aspect of the business model will achieve the intended result without questioning that assumption. Two examples from the EU IT regulation discussed above illustrate this particularly clearly.

The Data Protection Directive does not explain what it aims to achieve by the prohibition in art. 25 on transferring personal data outside the EU. Is it the transfer itself which is the problem, or is the aim to ensure that personal data originating within the EU does not lose the privacy protections set out in the Directive when it is processed in a third country?¹³⁶ Assuming the latter to have been the regulatory aim, then if this had been expressed it would have been clear that data whose storage remained within the EU, but was processed outside, presented a potential problem. The difficulty could have been resolved either by defining “transfer” to include such remote processing or by imposing an obligation on the controller to ensure that any processing outside the EU did not deprive the data of those protections unless the place of processing also provided adequate protection. The latter would have been preferable because it addresses the aim more directly, and should thus work for future technologies or business models which might fall outside a revised definition of “transfer”.

The regulatory objective of the liability regime set out in the e-Signatures Directive¹³⁷ appears to have been to give a remedy to a relying party who suffers loss as a consequence of inaccurate information in a signature certificate. However, this is not stated anywhere in the legislative history of the Directive, which simply and without comment sets out a minimum level of liability for certification-service-providers. Had the regulatory aim been enunciated, it should have alerted the legislators to the possibility that this information might in practice be verified by persons other than the certification-service-providers and a consequent recognition that the verifying person might more appropriately bear the liability. This would have been a more nearly optimum solution because (a) it is the person who verified the information who was negligent and is therefore responsible for the loss, and (b) this approach regulates the behaviour of the verifier rather than the person who merely has the status of certification-service-provider, the quality of whose processes may play no role in determining whether the verification is accurate.

This leads us to the second technique, which is for the regulation to address human behaviour directly, rather than indirectly by regulating institutions, structures or status. The latter approach contains an implicit assumption that the institution, structure or person of that status actually undertakes the behaviour in question, and thus embeds part of the underlying business model. As we have seen, this assumption is often falsified by changes in business model: Registration Authorities take over functions which in the e-signatures model were performed by certification-service-providers, individual staff members take decisions about personal data processing which the data protection model presumed would be the preserve of the employer, non-financial institutions identify a business case for providing ancillary e-payment services, and so on. Even when business models change the behaviours usually continue, and thus regulating behaviour alone tends towards business model-neutrality.

The third requires regulators to recognise that the behaviours addressed by the regulation may not always be carried out in the manner anticipated in their original business models. A failure to notice this can lead to the unintentional embedding of a business model by limiting the scope of the regulation to those behaviours envisaged in the model. The drafters of the Databases Directive defined “making” a database in terms of “obtaining, verification or presentation”¹³⁸ of its contents, and therefore granted sui generis protection where there had been a substantial investment in those activities. Had they resisted the temptation to explain “making” and merely required there to have been a substantial investment in that making, British Horseracing Board Ltd and Others v William Hill Organization Ltd¹³⁹would have been decided differently and the original intention of the Directive would have been preserved.¹⁴⁰

Finally, IT regulation should be undertaken at the most general level which is likely to achieve its objectives. The more detail included in regulation about the precise behaviours which are to be regulated, the more likely the regulation is to become outdated. For the same reasons, there is likely to be an inverse relationship between the volume of detail and the regulation’s business model-neutrality. It is instructive to compare IT regulation with the regulation of banks and financial services; the latter has proved far more robust in coping with technology and business model change. The reason for this seems to be the de-centred regulatory system adopted for the financial industries¹⁴¹, under which legislation sets out general principles¹⁴², softer regulation is produced by an industry supervisor to explain these general principles in more detail and can be changed rapidly in response to new developments¹⁴³, and codes of practice are developed by the industry itself at the most detailed level.¹⁴⁴ This regulatory system permits, for example, primary legislation to impose obligations to act reasonably or fairly while leaving the detail of what is reasonable or fair to be determined at a lower regulatory level.¹⁴⁵

6. The law of unintended consequences

Legislators have a touching faith that passing laws is an effective way to ensure that what they intend to happen will in fact happen. They therefore have a natural tendency, when devising legislation, to concentrate on their intended consequences. Unfortunately, these do not always come to pass.

The Databases Directive aimed to correct the “… very great imbalance in the level of investment in the database sector both as between the Member States and between the Community and the world's largest database-producing third countries …”< sup>¹⁴⁶ by creating a uniform protection regime for databases in the EU, but the level of EU database production has not increased over the pre-Directive level.¹⁴⁷ The e-Signatures Directive states confidently that “a clear Community framework regarding the conditions applying to electronic signatures will strengthen confidence in, and general acceptance of, the new technologies”¹⁴⁸, but at the time of writing there is little or no use of e-signatures outside closed PKIs, and no sign of cross-border use within the EU. The e-Money Directive aimed “to provide a regulatory framework that assists electronic money in delivering its full potential benefits and that avoids hampering technological innovation in particular”¹⁴⁹, but the result has been that only a handful of electronic money institutions are authorised in the EU and e-money represents a tiny proportion of payment transactions.¹⁵⁰

This tendency to concentrate on the intended consequences of regulation often means that its potential to produce unintended consequences is overlooked. As this article has explained, these unintended consequences are usually quite different from what was originally intended, and in some cases produce almost diametrically opposite effects.

One of the most important reasons why regulation has unintended consequences is that it embeds a business model in the regulation, usually unintentionally. IT users who operate under other business models need to modify their behaviours to become compliant with the regulation, and the mismatch between business models often results in those behaviours being very different from the regulator’s expectations.

Embedded business models can be avoided by producing regulation which is both technology and business model-neutral. Business model-neutrality is a new concept for regulators¹⁵¹, and it is suggested that it might be achieved via the three-step process outlined in part 5 of this article.

The alternative to business model-neutrality is that we will continue to see IT regulation which fails to achieve its aims and produces unintended consequences. That this provides much-needed work for both academic and practising lawyers is an additional unintended consequence; how far it is also undesirable must be left for the reader to judge.