Digital Law Basics
Digital law encompasses a wide array of legal issues concerning the digital and online world. As technology has proliferated into the fabric of our daily lives, so have the legal implications of these advances. Digital law covers online privacy and reputation management, e-commerce and consumer protection, social media and advertising, cyber fraud, data breaches, cybersecurity, and intellectual property in the digital space. In recent years, as technology has evolved, so have the ways in which companies and individuals have chosen to interact and transact online. Legal frameworks have struggled to keep up with the new technology, old law v. new technology. As a result, some digital laws have significant gaps and limitations, while others have restricted commerce , innovation, and individual freedoms. A key area of digital law are those pertaining to the scope of freedom online. These include the rules that apply to expression and activity online and by extension the limits of freedom that may be imposed on such expression and activity. Areas include restrictions on freedom of expression and censorship in specific regions and by specific entities; laws concerning the right to remain anonymous online; laws that impact upon the territory scope of freedom of expression; the use of private online platforms for speech and expression and the rules that govern how and when terms of service can be enforced against users; and who can and cannot be legally restricted from engaging in certain speech or activity online.
Data Protection and Privacy in the Digital Era
The growing digitization of business has had many benefits, but the scope for companies to accumulate and use vast amounts of personal data has raised serious privacy and data protection concerns. While some data collection is essential to a company’s operations, businesses face various risks and compliance challenges, and individuals are increasingly vigilant about how their data is treated.
Across Europe, the General Data Protection Regulation (GDPR) has had a major impact since it was implemented in 2018 and has become a dominant force in EU-wide data protection. The GDPR is designed to provide more control to EU citizens over their data, giving them greater rights to request information on how data is used, how it is processed, and to demand it be erased under certain conditions. Business have faced high-profile fines as a result of this legislation, which can be up to four percent of global annual turnover. Many other privacy laws exist around the world, including the California Consumer Privacy Act (CCPA), which became effective on January 1, 2020. California’s new privacy regulation is similar to the GDPR in many respects, providing California residents more information and control over their data. As companies have struggled to implement GDPR-compliant systems and processes, the debate has centered around whether the new rules should be adopted in other US states and whether a national framework for data protection in the US would be required.
Privacy and data protection legislation also aims to bolster trust in the way that companies use personal data. The COVID-19 pandemic has raised many questions over the use of personal data in recent months, with the potential for governments and health authorities to access a greater volume of sensitive data and to track the movement of individuals through contact tracing programs.
Digital IP Issues
The question of intellectual property rights in cyberspace is arguably one of the most significant practical challenges and pressing legal concerns facing the Internet today. Internet intermediaries have taken the position that instantaneous access to and widespread distribution of material through their services is not infringements of the copyrights and other rights of authors and creators. However, in recent years, an increasing amount of litigation has challenged these positions. For example, many Internet users are still uncertain as to when linking to online materials constitutes copyright infringement, and whether hiding refracted links within web pages or syndicated feeds constitutes contributory infringement. Similarly, digital rights management and digital payment systems remain hotly contested areas of the law.
There have been a number of recent developments in international treaties concerning the Internet and intellectual property that directly affect several of these issues. In October 1996, the World Intellectual Property Organization (‘WIPO’) convened the Internet Copyright Conference in Geneva to negotiate a new copyright treaty, leading to the adoption of the WIPO Copyright Treaty. This treaty was designed to ‘address problems of technological management systems . . . that have arisen in the digital network environment’ and to provide ‘a coherent framework of rules, consistent with existing international copyright and related rights treaties, including the Berne Convention for the Protection of Literary and Artistic Works’. The Council of Europe followed suit in 1997, replacing the provisions of the 1950 European Convention on Human Rights as well as articles of the Berne Copyright Convention with the European Copyright Treaty.
The key principles of these treaties relevant to the above discussion are: Exemptions have also been codified in the EU Electronic Commerce Directive (Directive 2000/31/EC). In the United States, the Digital Millennium Copyright Act (‘DMCA,’ Pub.L.106-160) comprises two new statutory claims for infringement, a new safe-harbour provision for Internet Service Providers (‘ISPs’), enhanced statutory damages for copyright infringement on the Internet, and anti-circumvention provisions prohibiting unauthorized circumvention of digital locks, such as web page registration and payroll protection. DMCA Title II, §102, 17 U.S.C. §512 contains a limitation on liability for infringing acts carried out by third parties in the U.S. district courts. Section 513 establishes the statutory regime for suits brought against a party seeking redress under the DMCA for infringing activities carried out by a §512(c) service provider.
The Achilles’ heel of these ‘safe harbour’ exemptions are their vague legislative and regulatory definitions. Mid-level players like ISPs and hosting companies are simply not equipped to make a reasoned evaluation of whether a particular activity is infringing or not, and yet they worry about exposing themselves to potential damages in any section 512(c) lawsuit. For this reason, a grey market has taken off for liability insurance offerings to covering such activities, and both the U.S. Federal Trade Commission and the EU have been attempting to draft a new definition of the safe harbours, in order to provide a clearer framework for applications.
Cybersecurity Issues
Cybersecurity and digital legal compliance continue to be leading issues for businesses all over the world, and are no longer a question of "if" they will be targeted by an attack but rather "when." This world is still playing catch-up when it comes to dealing with cyberattacks. The United States states can rely on the FTC, SEC, FDIC, and other regulatory agencies to bring enforcement actions against companies that fail to protect their data. Enforcement action often plays out to a civil monetary penalty and a settlement agreement outlining the steps companies must follow to come under federal compliance. Over recent years, we’ve also seen the introduction of stricter state laws like the California Consumer Privacy Act (CCPA), the New York Stop Hacks and Improve Electronic Data Security ("SHIELD") Act, and the New York Department of Financial Services Cybersecurity Regulation (NYDFS Regulation 23 NYCRR Part 500) set to take effect in March 2019.
Companies in new industries are having difficulties finding the right path for handling data… Cybersecurity is a hot topic and they need to understand their risks, threats and obligations. When a company first discovers the need for cybersecurity legal counsel, it may be too late. Cybersecurity issues are almost always treated the same as normal breaches… it is a problem that needs to be fixed. The fact that you don’t know there is a problem is not typically a valid excuse for not addressing the breach. If you don’t find a way to take care of these issues, then you need to expect a lot of headaches .
For many larger firms, cybersecurity compliance is already on its radar. The problem, though, is that there are not enough cybersecurity experts to go around. The spaces where security and regulation cross over are so small that it is hard to find someone who understands both sides. Another problem larger firms face is federal enforcement. The government is cracking down on companies with lax cybersecurity measures, and larger fintechs are being hit by multiple regulators. In practice, it can feel like you are dealing with five different divisions of the same government trying to reach the same outcome. When regulators come in with different expectations, it can be difficult to manage.
One of the challenges in this area is that many companies are reluctant to disclose when they are breached. It is not uncommon for companies to handle their issues internally and not report to anybody other than the customers but not the government. There are cases when they get caught and the potential penalties can be devastating. For example, when Secured Mail Solutions was breached, the DOJ came in and asserted that Secured Mail was a business engaged in interstate commerce and subject to the PPAP privacy standards. Secured Mail was using encryption to protect PHI, but not all of its data was password protected. As a result, each time a patient’s information was stolen, it had been willfully failed to follow PPAP privacy standards. The company was charged with 1,000 counts of violation of HIPAA and HITECH. Subsequently, the DOJ negotiated a settlement of $4.8 million.
Digital Contract Law and E-signatures
As long ago as 1976, the Uniform Commercial Code was amended to recognize digital signatures (i.e. "a symbol, sound, or process attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the record"), and the UCC has been periodically further amended to recognize additional developments in the digital contract space.
The Uniform Law Commission ("ULC") has developed the Uniform Electronic Transactions Act ("UETA"), which authorizes the use of electronic records in all transactions, including signatures on paper documents, contracts, and acknowledgments.
As the ULC notes, UETA does not require that transactions in the U.S. occur electronically, nor does it replace existing law governing contracts, agency, or commercial transactions; it simply makes electronic records and signatures the legal equivalent of their handwritten counterparts. As of June 2017, 47 U.S. states have enacted some version of UETA or the Electronic Signatures in Global and National Commerce Act ("ESIGN") into law.
Under ESIGN, electronic contracts, electronic documents, and electronic signatures have the same legal standing as written contracts, documents, and handwritten signatures. Electronic signatures cannot be deemed to be, or given greater legal effect than, a signature required under any Federal law regulating interstate or foreign commerce (e.g. the UCC). ESIGN does not apply to the documents and categories of transactions excluded by UCC Section 1-107, i.e. those related to wills, trusts, divorces, court filings or proceedings, mortgages and foreclosures, and foreclosures.
Emerging Trends in Digital Law
While digital law is still a relatively nascent field, recent innovations in technology are certain to impact the direction that this area of law takes in the future. One of the biggest influences is likely to be Artificial Intelligence (AI). As machines become better trained to analyze data and detect weak signals, more and more cybersecurity breaches will be detected before they impact critical systems, which will put downward pressure on cybersecurity investment, particularly as it becomes easier to demonstrate that additional protections are not necessary. Blockchain is also likely to be relevant far beyond the cryptocurrency space, as its integrity provides forensic insight to a diverse range of activity. Digital identities will become more widely utilized, which offers the potential for global identity recognition and validation, while creating serious privacy concerns related to consent and tracking. The judiciaries of de minimis jurisdictions will have no choice but to catch up with the courts of countries like Gibraltar and Bermuda, as courts become increasingly comfortable with cross-border dispassionate dispute resolution in areas like cryptocurrencies and smart contracts . Increasingly complex smart contracts will lead to demand for smart contract lawyers who can draft contracts that live outside plug-and-play programming frameworks. Gaming law is also likely to experience an uptick in interest, as governments continue to struggle with existing regulations and game publishers become aware of US accessibility concerns. As the focus turns from piracy (and other piracy risks) to live streaming, enforcement schemes will need to become more sophisticated to continue to obtain cooperation from technology companies. Gaining access to sites like Twitch and YouTube will be essential, but media will also be required to develop more educational campaigns to encourage consumers to obtain content legally. Cloud computing will also continue to evolve as the costs of basic infrastructure like storage and authentication become cheaper, while demands for cybersecurity systems still increase. This will lead to a demand for greater transparency regarding the use of technical and management controls. As data becomes ever more valuable, clear regulation will continue to diffuse throughout the globe, as countries seek to attract greater inward investment.