By Lisa Quest and Anthony Charrie.
This article first appeared in MIT Sloan Management Review on September 19, 2019.
Today’s patchwork of privacy laws and industry self-regulation lack transparency and coherence and don’t go far enough to protect customers and competition.
Over the past decade, tech giants have risen to become the biggest companies in the world, all while operating with little formal, structured government oversight. But this lack of oversight has come at a cost. Today’s patchwork of privacy laws and industry self-regulation lack transparency and coherence: The combination drives up the cost of innovation and doesn’t go far enough to encourage healthy competition or to protect the billions of people worldwide who now rely on the products and services tech companies produce.
A growing chorus of businesses, lawmakers, and regulators are now calling for big tech companies to be broken up, while tech executives are asking for closer government regulation.
So, what is the right way to regulate the tech industry?
One way that governments can put tech companies on a level playing field, both with each other and with competitors in regulated industries, would be to introduce a regulator for the tech industry in their country. Having a regulatory regime with nationwide statutes and clearly defined rules of engagement would also cut the cost of innovation while holding companies accountable for mitigating abuses of their inventions, ranging from criminal acts like recruitment of terrorists and child pornography to socially harmful acts like sharing user data and facilitating the spread of fake news.
For a national tech regulator to be effective, it would need to adopt regulations and new supervision methods capable of staying ahead of the potential threats posed by accelerating technological change.
The first country to figure out the best way to regulate the broader tech industry could become the focal point for the next chapter of the world’s digital revolution. Drawing on lessons from other regulated industries, we propose several ideas for how to accomplish this with big tech.
Create an overarching regulatory structure. To regulate tech, governments first need to determine the appropriate regulatory scope for the industry. Defining what is within the regulated perimeter, what is outside, and how new companies and their activities are brought in is crucial in establishing how to engage with both regulated and unregulated areas. It provides clarity for both individuals and companies on what is protected and what is not.
Focus on three overarching objectives. Tackle the most pressing issues facing the industry: safeguarding individuals and society from maltreatment; promoting responsible innovation and robust competition; and establishing understandable and consistent parameters for data privacy and monetization.
These regulatory goals need to be reinforced by metrics that will enable an agency to judge if tech companies are complying with national statutes. If they are not in compliance, the agency should be empowered to carry out a specific range of disciplinary measures to encourage appropriate behaviors such as cease-and-desist orders, comply-or-explain requirements, fines, or legal sanctions.
Develop standards-based regulations. Innovations coming out of tech companies and the risks that accompany them are evolving so rapidly that it’s easy for regulators to fall behind. Standards-based regulatory regimes capable of adapting to technological and social change can help regulators get out in front and stay there.
Standards can be reworked for new risks, but changes to regulations and laws require extensive public consultation. With a standards-based approach, regulators can introduce new guidelines to encourage sensible innovation or, conversely, swiftly hold tech companies accountable when unforeseen risks arise.
Similar to conduct standards in the financial services and energy industries, standards-based regulatory regimes can nimbly adjust to gray areas of regulatory compliance. This is most important in the area of artificial intelligence ethics.
Having a standing body to facilitate engagement that is permanently staffed and capable of doing research and analysis ensures that information is shared and new threats are addressed.
Prioritize activity based on risk. Tech companies constantly introduce new apps, other software, and hardware globally, and there’s a real chance that even if cash-strapped governments implement new regulations, they won’t be able to afford adequate staffing to properly enforce them. So regulators should use a risk-based approach to prioritize the companies and activities that put the most people at risk and rank the spectrum of potential threats.
The degree of supervisory intrusiveness should be commensurate with the size of the potential risks that companies pose. Big companies may require dedicated in-house supervisory teams, while much smaller teams can oversee primarily automated data-driven reports from startups. This ensures startups are not unfairly disadvantaged due to the high costs of regulatory compliance.
Make supervision digital by default. Machine-executable regulations, integrated data platforms, and application programming interfaces for reporting should be part of the standard operating model from day one to reduce the cost of compliance for companies while increasing the efficacy of risk management. By replacing quarterly reports with technology platforms that permit regulators to pull information related to key risk indicators from companies’ systems directly, regulators will be able to monitor companies more proficiently.
These techniques are being piloted in major financial services markets, including the United States, Singapore, and the United Kingdom. There are early signs that automated supervisory technologies are reducing the cost of compliance for tech companies and the cost of supervision for regulators. They are also increasing the effectiveness of risk management by reducing human data entry errors. Initiatives like the Global Financial Innovation Network of regulatory agencies worldwide, which allows companies to test new supervisory technologies and services in the financial services sector across jurisdictions, should be replicated for the tech industry globally.
Collaborate with the private sector. Regulators can play a key role in preventing risks from materializing by forming structured partnerships to work with tech companies to identify and address newly emerging risks with new regulations as quickly and efficiently as possible.
Having a standing body to facilitate engagement that is permanently staffed and capable of doing research and analysis ensures that information is shared and new threats are addressed. Such partnerships already exist in other industries. For example, the Joint Money Laundering Intelligence Taskforce formed by banks, regulators, and the government in the United Kingdom exchanges and analyzes information related to money laundering and wider economic threats.
The actions tech giants take today spur not only global growth but also potential threats. Governments should assist in rebuilding public trust in tech companies by establishing national regulators that can prevent abuses while permitting technological advances, because these companies’ technologies influence the very essence of our lives, and practical action could make a real difference to billions of people. This will require well-organized, national regulatory regimes that can hold tech companies accountable while encouraging innovation and healthier competition.