regulatory data protection Archives - IPOsgoode

Breaking Up With Big Tech?
Mon, 09 Apr 2018 15:52:11 +0000

This week, Facebook co-founder Mark Zuckerberg will make a long-awaited appearance on Capitol Hill. With Facebook under new and increased scrutiny in the United States (US) and United Kingdom (UK) following the Cambridge Analytica data breach, Facebook’s Chairman and Chief Executive Officer is set to be grilled by representatives of both the Senate and the. The fallout from the Cambridge Analytica affair has spooked as well as , igniting a #deleteFacebook campaign and sending the company’s stock price . Questions from US lawmakers are likely to focus on fundamental issues surrounding how Facebook collects, protects, and commercializes user data on its platform. These matters strike at the heart of Facebook’s advertising revenue model, meaning that Zuckerberg’s congressional moment may potentially become an to his company’s operations as well as the data-driven operations of his peers in the technology industry.

Companies like Facebook, Google (Alphabet), Amazon, and Uber have long presented themselves as creative pioneers who collect and analyze massive amounts of user data to improve the human condition. Savvy marketing and personal acts of altruism have combined to create a calculated image of these companies as rebels and outsiders, doing no evil, working to leverage data analytics to disrupt tired and unimaginative incumbents in order to connect and empower the world. The tech community’s first major crisis occurred via the unbridled economic hype and enthusiasm presaging the , and current big tech companies may be similarly humbled by ongoing pricks to the veneer covering the structural deficiencies of their data-driven business practices. Recently, French President Emmanuel Macron has about the need to “dismantle […] these big giants” as a competition issue, and, here in Canada, there is a growing call for a that prioritizes domestic interests.

Facebook’s current time in the spotlight is just the most recent instance of big tech’s proclivity for moving fast and, unintentionally, breaking the wrong things. Zuckerberg may have inadvertently said as much himself in the immediate wake of the Cambridge Analytica revelations. In an interview with the New York Times, he , “If you had asked me, when I got started with Facebook, if one of the central things I’d need to work on now is preventing governments from interfering in each other’s elections, there’s no way I thought that’s what I’d be doing, if we talked in 2004 in my dorm room.”

Such a revelation may be an instructive lesson for a fresh-faced undergraduate student thinking through the implications of disruptive technologies for the first time. However, they are worrisome when the head of a global technology behemoth who has run the company for over a decade and has utters them.

But they’re not terribly shocking. Since the early 1990s, lawmakers and technologists have advanced the idea of increased connectivity through information and communication technologies (ICTs) as, what then-Secretary of State Hillary Clinton would call them some 20 years later, the . In with the New York Times, Zuckerberg echoed a similar sentiment to defend Facebook’s revenue model: “The thing about the ad model that is really important that aligns with our mission is that — our mission is to build a community for everyone in the world and to bring the world closer together. And a really important part of that is making a service that people can afford. […]Therefore, having it be free and have a business model that is ad-supported ends up being really important and aligned.” However, a from Facebook Vice President Andrew Bosworth that seemingly downplays “the ugly” side of Facebook’s activities effectively punctures this grandiose narrative. Today’s big tech firms have come of light-touch regulation from lawmakers and responded by giving normative and ethical concerns a back seat to connectivity and disruption.

More recently, though, legislators on both sides of the Atlantic have begun to rethink this arrangement. In the European Union (EU), next month’s enforcement date for the new will introduce heavy fines for companies that do not comply with harmonized data privacy regulations. And at a into Russian online disinformation activities during the 2016 Presidential election campaign, Senator Dianne Feinstein from Facebook, Twitter, and Google that “You created these platforms, and now they’re being misused. And you have to be the ones who do something about it—or we will.” Depending on the outcome of Zuckerberg’s appearances this week, the US Congress may begin to make good on Sen. Feinstein’s threat.

Regulating or, in the words of Macron, dismantling big tech will be no easy task. These companies have amassed large stores of data about our innermost feelings and have developed technologies that . These companies have also entranced governments with the promise of jobs and economic prosperity . It is imperative that any attempts to harness big tech for the public good are not done in a knee-jerk or . The challenges these companies and new emerging technologies pose require long-term and strategic thinking around the social, economic, ethical, and democratic impacts of our increasingly data-driven society.

 

Joseph F. Turcotte is a Senior Editor with the IPilogue and the Coordinator. He holds a PhD from the Joint Graduate Program in Communication & Culture (Politics & Policy) at York University and Ryerson University (Toronto, Canada).

The General Data Protection Regulation: From Promises to Reality
Wed, 27 Jan 2016 22:29:51 +0000

The re-posting of this comment is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective.

In December 2012, the Commission put forward its proposal for a General Data Protection Regulation (“GDPR”). According to the Commission’s own words, “The Regulation is an essential step to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market. A single law will also do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year.”

After almost four years, at the end of the so-called trialogue, the Commission, the Council and the EU Parliament have reached agreement on a proposed text, which needs the final vote of the Parliament and the agreement of both the Council and the Commission. It is likely, indeed it is expected, that by the end of February the Regulation will have been finally approved. The purpose of this comment is not to analyze the text and the wording of the GDPR; I will rather concentrate my analysis on two points:

1. When the Regulation was first presented on 25 January 2012, the premise, indeed the very basis to move from the Directive to the GDPR was (and still is) to have only one law applicable in all of the EU: is it really the case? Will Europe finally have a uniform law, applicable across all 27 Member States?

2. Technology is moving ahead at a pace never experienced before. In addition, the widespread use of mobile devices has created a whole new market of products; finally, robots are entering our world in force (and in some areas they have been used for decades already). Is the GDPR what we need to tackle the issues raised by new, ever-changing technology?

1. One single law.

According to the words of Commissioner Viviane Reding, when the GDPR shall be effective we shall have a single privacy law in all 27 countries. According to the words used by the Commission in January 2012, the GDPR would have delivered “a single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year”[1]. Four years later, more or less the same triumphant words have been used in the press release issued at the time the European Institutions reached agreement: “a single law will also do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year”[2].

The truth of the matter is quite different. Section 88 of the GDPR repeals Directive 95/46/EC, but not Directive 2002/58/EC, the so-called ePrivacy directive (amended with Directive 2009/136/EC), better known to most practitioners as the “Cookies Directive”. The fact that there would not be a uniform regime was well known to everyone under the sun (including the Commission, one hopes). Indeed, the Commission itself, one and a half years after pounding the drums of a uniform legislative scenario, issued a request for proposal under which the chosen contractor was required to evaluate (among other things) the potential problems deriving from having two different legal instruments[3] in force at the same time. One and a half years after stating “one Europe, one law”, the Commission itself was looking for someone to tell them what would be the potential consequence of a dual-system legal environment. Hard to believe, but the highest authority in Europe did not know itself what the consequences of its own acts would be, and asked someone else to assess them! There are two possible scenarios to justify this mess: under the first scenario, someone within the Commission made a gross mistake: he/she did not know of the existence of Directive 2002/58/EC. The second scenario is that the future co-existence of the GDPR with the ePrivacy Directive was well known (one would be very hard pressed to believe that the Commission ignored it), but if this is the case the words of Ms. Reding sound very odd indeed.

So much for what happened in 2012. But if it is hard to believe that at that time Ms. Reding may have been misled by some functionary, it is just as difficult to accept the same statement and the same words being used today[4]. To top this mess off, when one reads the entire press release, it states that the Juncker Commission has delivered a comprehensive Data Protection reform, which included the GDPR as well as the new Data Protection Directive for the police and criminal justice sector. “The Directive for the police and criminal justice sector protects citizens’ fundamental right to data protection whenever personal data is used by criminal law enforcement authorities. It will in particular ensure that the personal data of victims, witnesses, and suspects of crime are duly protected and will facilitate cross-border cooperation in the fight against crime and terrorism”[5].

Which means that Europeans shall cope with three legal instruments on the same subject: one Regulation and two Directives. So long to the “single law” approach.

Now, some may say that the two Directives have a different scope as compared to the Regulation; nevertheless, the reality shall be that Europe shall continue to have different rules on different aspects of Data Protection in each Member State.

But on this topic there is more to be said, much more.

The real problem lies in the following fact. Since the implementation of Directive 95/46/EC, each of the Data Protection Authorities (“DPAs”) of the Member States has approved specific regulations on several items. Just to stay with Italy, the Italian DPA has issued regulations on matters like video-surveillance, fidelity cards, system administrators, clinical trials, mobile payments, etc. The list could go on for a couple of pages. The same has happened in other countries. Now, all this secondary legislation is not going to be impacted by the GDPR. In fact, Whereas n. 8 states the following:

“This regulation does not exclude Member States law that defines the circumstances of specific processing situations, including determining more precisely the conditions under which processing of personal data is lawful”.

And Whereas n. 134 is more explicit on the point: “Commission decisions adopted and authorization by supervisory authorities based on Directive 95/46/EC remain in force”.

In other words, if yesterday Italy, Spain, Sweden and (or, if you wish) the UK had a specific regulation on any one of these items, the situation shall remain the same and businesses will continue to cope with different regulations for the same processing in different countries[6]. On one hand, this is logical: if all these regulations were repealed, there would be an enormous legislative vacuum and personal data would not be protected. But different regulations on the same subject shall still be in place all over Europe.

Finally, according to Whereas n. 119, “Member States may lay down the rules on criminal sanctions for infringements of this Regulation”. Again, this is going to create differences between the laws of Member states and set the condition for a round of forum shopping, just as it happened with Directive 95/46/EC.

The sad conclusion is that no, there is not going to be one single law in all 27 Member states. This is what we were told, but this is not going to be the case. It is extremely disappointing, since I believe Europe has a duty to tell the Europeans the real story. It has not been the case with the GDPR.

2. The state of the art and the GDPR

“Rapid technological developments and globalization have brought new challenges for the protection of personal data. The scale of data sharing and collecting has increased spectacularly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale…Technology has transformed both the economy and social life”[7].

“These developments require a strong and more coherent data protection framework”[8].

Yes, technology has changed our lives, and shall continue to do so, in a way and at a pace we can hardly imagine. I have always made the point that if one compares the IT industry to the automotive industry, we’re about at the time of the Ford Model T (whose production started in 1908). The Model T looked pretty much like Grandma Duck’s old car. If one compares the timeframe, considering that widespread use of the net and of IT technology has started in the last decade of the past century, that’s where we are. In other words, what we see and what we know today is only the beginning. Industrial robots have been used in manufacturing for more than two decades now; medical robots are used in complex and non-invasive surgery, many of them are operated via network, so that the surgeon is not present in the location where the surgery is being performed, but outside the hospital, and in some cases in another country. Robots are starting to be used in households. Drones are one of the hottest items in the marketplace: Amazon is said to be using them to deliver its parcels. Computing power and storage capacity is getting faster, cheaper and more easily available at ever decreasing cost. Telecommunication technology is moving ahead with unprecedented speed. Users and consumers are linked 24 hours a day, seven days a week; they buy goods online, participate in auctions, post comments on restaurants and on any commercial item available under the sun. Big data is getting bigger and bigger, fostered by a surge in availability of different means of connection (gaming consoles, smartphones, tablets); cloud computing is now used by medium and small business thanks to IT giants like Microsoft, Google, Amazon, etc. The Internet of Things shall open more potential for new and creative use of old household objects: lights, heating systems, TV sets, fridges, etc.

Without a doubt, the biggest change (and the most touted one) shall be in the automotive industry, which for the first time in its history is opening up to the use of a technology other than engine technology. In this industry many examples of automation or digitalization are already a mature technology (to name one: GPS or similar technology is available on almost every car), and the declared goal of the Googles and Apples of this world is the autonomous car. This will change even more the way we live.

This dramatic and continuous change seems to have been missed by European Legislators. The GDPR is still based on the same principles and logic of Directive 95/46/EC, with some changes here and there, but the basic structure is the same. On its part, the Directive is based on the principles of the Strasbourg Convention[9], which dates back to 1981. The question is: does someone really believe that the complexities and the technologies of this century can be regulated by a set of rules that were established 35 years ago?

Does someone really believe that the information-consent process, in the way it is conceived today (and shall remain, with the new GDPR), is the answer to the advancements of technology?

I do not believe, as some famous law scholar does, that technology is the law and that we should therefore cave in to any and all new development of science and IT. That’s not my position.

On the other hand, using a standard that was devised at a time when the computing model was the old IBM mainframe is unacceptable. With this standard, it shall become more and more difficult to comply with the law, to apply it to new devices and usages, to the creative new products and little things that we are starting to get used to, and that shall be the norm in the future.

No, in my opinion the GDPR is not a step forward, but a meaningless repetition of an old cliché, another painful piece of evidence that law cannot keep pace with technology.

 

3. A final point

The GDPR is, beyond any doubt, one of the most complex statutes ever enacted by the EU. Including the lengthy whereas clauses, the Regulation is some 200 pages long, with many (too many) sections interconnected among them; several of the key sections of the law have cross references to other sections; complex wording leaves ample room for dubious interpretation. In short, the GDPR is one of the most complex pieces of legislation ever. The cost of education on this Regulation is going to be very, very significant. The press release of the EU maintains that with the GDPR there shall be savings of 2.3 billion for business. I do not know who arrived at this figure, but what I know is that the GDPR shall require a significant shift in the way companies carry out their business: a large number of companies shall hire a Privacy Officer; all businesses are now required to maintain a record of all processing activities (whatever that means)[10], to carry out a security assessment, to implement prior consultation with the DPA (in certain cases) etc.

There are no doubts in my mind that the protection of privacy is a fundamental human right[11] and that “Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual what Judge Cooley calls ‘the right to be left alone’”[12].

If Europe wants to be serious in protecting the right to be left alone, adequate legal instruments have to be put in place: they have to be simple, easy to understand and easy to implement, otherwise they shall fail.

 


 

[3] “ePrivacy Directive: Assessment of transposition, effectiveness and compatibility with proposed Data Protection regulation, SMART 2013/0071B1. Sec. B.1- Analysing the legal consequences resulting from the co-existence of the ePrivacy Directive and a data protection Regulation”.

See footnote 1.

[6] In addition, on several items the Regulation leaves room to the member states to implement their own regulations and statutes: see whereas 125 a on scientific research, whereas 127 on access to personal data by the Supervisory Authority.

[7] GDPR, Whereas # 5

[8] GDPR, Whereas # 6

[9] Strasbourg Convention of January 28, 1981, n. 108

[10] Sec. 28 of the GDPR: the list of items to be included in this list is quite comprehensive.

[11] GDPR, whereas 1: “The protection of natural persons in relation to the processing of personal data is a fundamental right”.

[12] Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193 (1890).

Protecting Regulatory Data in the Agricultural Industry
Wed, 14 Oct 2009 01:10:46 +0000

George Nathanael is a JD candidate at Osgoode Hall Law School.

In an article on Intellectual Property Watch, Javier Fernandez, a lawyer for CropLife Latin America, argues that better protection of regulatory data is necessary in order to foster innovation in the agricultural industry. In consideration of projections of an exploding global population, a decreasing amount of natural resources, and the greater reliance of farmers (especially in developing countries) on efficient technologies to remain profitable so that they can continue to produce, proper stimulation of the agricultural industry may be vital. Intellectual property law has historically been used as a means of shaping a variety of industries, but the standard protection of the final invention is sometimes not enough of an economic incentive for companies to continue productive research. By protecting the large amounts of useful data that innovative companies have discovered while developing a new product, and which they must release to regulatory bodies to judge safety and efficacy, these companies are more likely to continue investing in such costly research.

Mr. Fernandez believes that there are two main ‘prongs’ of regulatory data protection, which he calls ‘data protection’ and ‘data confidentiality’. The first prong has to do with implementing an exclusivity period in which “third parties are precluded from relying on the originator’s proprietary test data to obtain their crop protection product marketing approvals”. The second prong requires regulatory bodies to maintain high standards with the information that they collect. Despite legitimate reasons for release to the public of this data (such as for public safety, non-commercial research, education, etc.) the release of this information should be strictly controlled, keeping in mind the interests of the company that originally produced it.

This additional layer of protection on top of standard patent protection can be said to be needed because the data must be released in order to get approval for the originator’s product from a regulatory agency and so it can be used by another company to get approval for a similar product that may not infringe on the originator’s patent. (TRIPS) agreement provides that member states “shall protect [test and other] data against unfair commercial use ... [and] against disclosure”. As an example of the rationale underlying such a provision, the Pest Management Regulatory Agency of Health Canada uses the following as one of its objectives in its :

A policy that provides fair protection of the proprietary interests in data to encourage the introduction of new and reduced-risk pest control products while providing a predictable, timely process for the introduction of competing generic pesticide products to the Canadian market.

A separate argument for greater protection of regulatory data that is made in the article is that “[i]mproper reliance on originators’ proprietary data increases the possibility of substandard, copycat products reaching the marketplace that can pose unacceptable risks to health and the environment”. This seems quite sensible, but if safety is an actual concern, then it should follow that such an exclusivity period ought to be infinite, meaning that third parties should never be allowed to use another company’s regulatory data to get approval for a separate product. Understandably, this argument can be viewed outside of the sphere of intellectual property, but one of the ideas simultaneously brought up by Mr. Fernandez is that third parties can obtain licences to use the originator’s information, and this does not seem to mesh with the idea of maintaining high safety standards.

The substance of this topic is very applicable to other industries as well. This past summer, for example, there were many in the U.S. over legislation that touched on the exclusivity period for biologics companies. The economic bases that underlie these sorts of debates obviously vary by sector, and so research is always necessary to determine the likely market consequences that would follow with any amendment to the law. Within the agricultural industry specifically, given the wide social implications mentioned earlier, it is crucial that a correct balance is struck in order to benefit all interests at stake.
