Silicon Valley’s Regulatory Lament
I read with great interest Paul’s recent post, relaying the thoughts of his friend, a longtime government lawyer now working on cyber issues in the private sector. The post includes lots of thoughtful commentary on US-EU regulations, and I recommend it to readers interested in these issues. But what struck me was a sentiment in the post – really a lament – that is widely shared in Silicon Valley.
Published by The Lawfare Institute
in Cooperation With
I read with great interest Paul’s recent post, relaying the thoughts of his friend, a longtime government lawyer now working on cyber issues in the private sector. The post includes lots of thoughtful commentary on US-EU regulations, and I recommend it to readers interested in these issues. But what struck me was a sentiment in the post – really a lament – that is widely shared in Silicon Valley. The lament is that the current state of Internet regulations around the world places Internet firms in a uniquely precarious position.
Nearly everyone who follows these issues agrees that the current set of global Internet regulations is suboptimal: states are posturing on privacy, surveillance, and internet sovereignty and the result is that Internet companies are often caught in the crosshairs of overlapping and conflicting laws. This is a problem I’ve spent some time looking into, and I am deeply sympathetic these concerns.
But I still find myself shifting in my seat when I hear friends complain that the regulatory challenges faced by today’s internet firms are “unbelievable” or “unprecedented” or even “unsustainable.”
Because while the current state of affairs is painful, to be sure, it is neither unprecedented nor unbelievable – and in fact it is to be expected.
For as long as global commerce has existed, incompatible and overlapping national laws have made life difficult for international firms. And even when countries don’t already have overlapping or competing laws, they sometimes get them quick when foreign companies show up on their shores seeking to compete with local businesses. (If you have any doubt about whether conflicts of laws are a new problem for global firms, call the general counsel’s office at General Electric or Exxon or Costco.)
So these problems are not new. But they’re uniquely bad for Internet companies, right? I’m not so sure. One thing that makes Internet companies different from their bricks-and-mortar counterparts is the ability to ship their product faster than they can grow their legal compliance teams. A coder in a garage can put her business online and enter a hundred different markets overnight. As a contrast, when Coca-Cola entered new markets it developed distributors, manufacturers, and compliance teams. The whole operation grew at a pace that matched, more or less, the scale of its expansion. Not so for internet companies. This means – as Paul’s friend rightly points out – that the smallest Internet companies are at a greater risk of being unable to cope with regulatory conflicts.
That seems right. Fortunately, there are a few pieces of good news on this front. First, these small firms are often judgment proof for precisely the same reason that allows them to be in a hundred markets overnight: they have no physical assets in the country in question. Because the coder in the garage has no assets in France or Brazil, she has nothing that could be seized there. Of course, her website can be slowed or shuttered, but these are rather extreme measures that most states are only willing to do as a last-resort.
Second, and perhaps more importantly, the small Internet startup can deal with compliance the same way it deals with every other aspect of its business, from data storage, to payments, to marketing: by outsourcing it. Indeed, there are a number of legal teams that specialize in helping startups handle regulatory hurdles in new markets. So it is true that startups are at a disadvantage vis-à-vis large firms when it comes to handling regulatory compliance in a big scary world, but this problem is not unique to compliance. Large firms are better at compliance, but they are also better at managing data storage, electronic payments, and customer service.
The other piece of good news for smaller firms is that when states get jealous of their territory and lash out at (typically foreign) Internet firms, they are most likely to pick on large firms, not the little guys. For example, when Brazil recently upset about law enforcement access to encrypted messages, they did not shut down the dozens of small-scale communications platforms in Brazil; they shut down WhatsApp.
None of which is to say that the the pressure felt by today’s most innovative companies is lessening; if anything, the trend is moving in the wrong direction. But let’s not pretend that the regulatory challenges are novel or unprecedented, just because the technology is.