Friday, April 07, 2023

27th Annual BTLJ-BCLT Symposium: From the DMCA to the DSA: Panel 4: Industry Perspectives

Moderator: Daphne Keller, Stanford Cyber Policy Center   

DSA represents a shift to operational mandates compared to DMCA, Art. 17—thoughts?

Sabrina Perelman, Pinterest: Important to remember what DSA is and isn’t. We’ve preserved the safe harbor, prohibition against general monitoring. Good Samaritan provision still exists. What drastically changed is what we have to do around content and what we have to be transparent about—operational and technical concerns. You can understand the reasons for transparency and user efficiency, but putting it into practice is another matter. How do you navigate sending 100s of millions of statements about actions per week? How do you avoid giving away the store to bad actors/give away competitively sensitive information about user safety when giving your explanations? Could be good for consistency: there may be some things we’ll have to do for DSA that we’ll choose to do more broadly. But there are EU inconsistencies: Prevailing interpretations of local laws may stick around—not clear that Germany will repeal NetzDG/change interpretation of law.

Canek Acosta, Microsoft: DMCA goes further in some ways/losing conditional immunity, DMA goes further in others/transparency, Art. 17 goes further in staydown. Scale is important: the content moderation team’s job is mostly to keep stuff up, which represents the balance of fundamental rights/free expression—but if you get 4 million requests in 6 months that’s very challenging.

Chris Riley, Data Transfer Initiative: It could have been very different—we weren’t far away from a world where the EU passed a law saying “don’t let illegal content up or you’ll be liable”—magic filter demand was with us for a while. We’re better off than that! We’re not out of the woods on magic filter demands, so have some perspective.

Remy Chavannes, Brinkhof: theory of harmonization is great; platforms will have to stick their necks out and challenge bad laws because nations will resist getting rid of old laws or their courts will insist that EU directives are just the preexisting law of the member state.

Keller: does DMCA have lessons?

Holly Hogan, Automattic: it’s very different in being about liability instead of accountability. But checks and balances between complainants and users is a core value of DSA as well. Experience of DMCA is that it can be efficient for legit complaints, it’s also something that can be abused by people w/an interest in silencing speech. We reject 75% of notices we get for being incomplete or not actionable. Good chunk, 10%, are flatly abusive—addressing uncopyrightable subject matter, attacking clear fair use/permissible exceptions, or just fraudulent—a scam run by an international charitable org trying to remove anything critiquing it. Users are scared by notices and so we have to create a system that protects them as best we can.

Rob Arcamona, Meta: We can’t expect any one stakeholder to do any of this alone. If there are going to be answers to these questions we’ve talked about, they can only come by understanding the different pressures, tradeoffs, and intentions that each party has. Discussing how there are ambiguities and how things operate in practice is the only way forward.

Keller: DSA creates complex ecosystem with multiple roles, some funded and some less so—that may be a positive development where there are recognized roles for stakeholders.

Arcamona: you have to understand others’ roles, not just your own role.

Clemens Molle, Bird & Bird: DSA’s stringency is hard to evaluate: clients ask for the most stringent approach so we can determine whether we will follow it, but that’s not so simple/possible.

Keller: what about operating under all 3 regimes, DSA, DMCA, Art. 17—what are the complexities?

Arcamona: Concerns about stacking/different components of service may be subject to different regimes. Individual member states that have legislated particular actions beyond Art. 17 under its guides: in Germany, user associations can file against overblocking; Sweden has an individual right to sue; Italy: can issue rules about how appeals can go, including staydown appeals, in contrast to Germany where content is supposed to stay up as long as possible. Preflagging in Germany/Austria differs in some respects. Spain=maximalist for ©. All these differ from Art. 17. Are any of these valid? Did the DSA overtake the extra bits over the top of Art. 17?

Chavannes: platforms will have to litigate; no opinion is valid until the CJEU gives an answer in 5-10 years, if you know that a particular service is under Art. 17—and if you aren’t, you have entirely different regime under the YT case. The definitions are a mess, overlapping in uncertain ways, and there’s no way to find out whether if you’re in scope before lawsuit. You have to make up your mind whether you’re going to challenge national regulators; platforms have complex incentives and internal stakeholders not keen to litigate.

Annemarie Bridy, Google: You have to build for compliance while you’re deciding—there are workflows that need to be created or rejiggered. What if a service adds features or grows into scope?

Keller: what are people most/least prepared for?

Perelman: we’re ok on statements of reasons, terms & conditions disclosure, etc., stuff on our side. Not clear: how many appeals will we be getting? What is transparency reporting really meant to cover?

Riley: easier ability to prepare for what’s in control of company—you can build a capacity to issue a transparency report, but things that are interactive/dependent on further assessments and guidance like audit reports are very hard to figure out—no shared knowledge base.

Hogan: core concepts like transparency and reasons for decisions are already part of our company, so that’s the clearest path. Challenge: figuring out who’s a good faith actor or a bad faith actor—mistakenly posted © content or running up against mature content—French Vogue is ok but maybe something else isn’t. The spam exception exists but who else deserves more attention is not clear.

Chavannes: How to cope with the uncertainty? US lawyers may find the uncertainty offensive with all the different definitions and lack of clarity over simple things like which bits of which services fall under which rules—even something as basic as territorial application: does an American complainant complaining about Italian user get coverage, and vice versa? Need to avoid panic and paralysis.

Bridy: questions about ADR and how it doesn’t recognize that © is different from TOS violation. The real parties in interest in an ordinary demotion are platform and user—the real parties in interest. For © it’s different—the real parties in interest are rightholders and users, and the platform is an intermediary, which the DMCA lets get out of the way so the real parties in interest can litigate if they want to. Should © disputes go to the same process with the same parties?

Arcamona: Amount of focus and attention is high, but we’re least prepared for deharmonization of © regimes across Europe. Digital Single Market was supposed to harmonize rules. However, if small nuances continue in member state implementation continue to require big operational differences, you’ll end up with different types of services and access to content in one part of EU than in others.

Acosta: Transparency reporting is already happening; we have to collect additional data and format it right, but that will be fairly straightforward. Risk assessment is thorny—there’s not a lot of specificity, even w/examples. How do you measure the risk of freedom of expression v. copyright takedowns? Now that generative AI is built into our products, is it UGC? Where does it fall and how does the DSA affect it?

Keller: people are more prepared for the things w/the soonest deadlines. Researcher access to data can’t come into effect until all the national coordinators exist, so that has a longer timeline. Non-VLOPs who may not be paying attention to Europe and aren’t obligated until 2024: don’t know how many of them are thinking about this.

Arcamona: Rule that became Art. 17 was supposed to be 2018; we started implementation then and hoped to interact w/member states about implementation. Compliance starts far earlier than you anticipate b/c of operational and engineering runup time.

Keller: what to be grateful for?

Perelman: we dodged staydown.

Chavannes: democratic mandate: plaintiffs said this was 20 years old, and judges were sympathetic: should they really be interpreting the rules this way and preserving safe harbors? That’s really important.

Keller: lawful but awful, which UK wants as a whole new category—de facto illegal online but liability falls on platform rather than speaker. Many other parts of the world are in paroxysms about age verification. But maybe it would have been better to get a Brussels standard.

Chavannes: no bullet is ever fully dodged in Europe—all these things are coming again: must pay/must carry; bans on advertising; these things never really die.

Keller: how will audits work?

Riley: not clear. Financial accounting has established procedures and bodies. Chicken and egg: there’s no agreed upon thing to measure qualifications against. This is an opportunity and a challenge—reaching out to different stakeholders and there’s a way to create a knowledge playbook from social scientists and others to find questions to be asked.

Keller: ADR?

Hogan: Intent is for when a mistake was made—to reach the light of day/deter bad decisions. But the other clear bad outcome use is trolls that harass you b/c you won’t host their content any more. Folks who feel most entitled to do this can be very abusive and leverage that system to their advantage for a while. But Bridy also points to different types of disputes, not really about TOS. We see real attempts to remove critical content. In GDPR, we have a number of complaints to data protection regulators captioned as privacy/right to be forgotten/sprinkling in © where there’s a headshot, but it’s really a defamation case. We’re stuck in this gobetween role; users are often scared and there’s a powerful player on the other side. What do we do in that case? We have a user-absent case in front of a data regulator where we say “we’re just a processor, but this is an accusation of corruption against a public official, so this really isn’t a right to be forgotten case.” There are also disputes over what should be allowed—© cases around permissible use. Does that end up in ADR—is that efficient/providing access to justice? But do we build up a body of law behind closed doors that has a large impact on the internet? Users and platforms might not know what’s allowed w/o published caselaw.

Chavannes: how much work will platforms put into these cases? Search engines have litigated some RTBF cases, but sometimes they just withdraw into the bushes. Do you invest in defending interpretations of policies? Potentially unlimited number of institutes in member states incentivized by cost structure to let users win—if that’s the case, what’s the benefit of defending free expression, when users can just pick a provider that will let them win?

Keller: can you opt out of targeted ads since you’re supposed to be able to opt out of recommendations?

Chavannes: it would be very odd for recommender systems rules to apply to ads; there was a legislative debate over banning targeted advertising that was resolved against doing so, so it would be antidemocratic to say otherwise. That being said, it’s not clear enough to absolutely prevent a nation from saying it’s so. Ask in 10 years. Dealing w/uncertainty: take the message certainly—a US lawyer is trained to read black letter law, but that’s the worst way to think about DSA compliance. Work towards improving user communication/transparency; that buys you the right to have discussions around the edges around compliance. Clever lawyering is a bad way to deal with it; avoid fines by trying to comply.

Riley: European process is designed to give power to regulator to penalize behavior according to sense of direction they’re trying to establish; this is very hard in the US common law system. Three phrases help the point: coping with uncertainty; building for compliance; operational balance.

Keller: legal and public policy teams should be talking to one another. People in Brussels continue to matter as enforcers in a way that they might not with other directives.

Fred von Lohmann: Implicit story about the competitive arena: go with the spirit of the thing and don’t be a rules lawyer and try to find the edge. That’s a fine thing if there are only a few big players. But if you’re in a highly competitive environment, you can’t wait for an edgy competitor to be fined out of existence—you’ll be out of business first. What I’ve heard in these days is worry of trollification of DSA process—white supremacists crowdsourcing 50,000 complaints and 50,000 appeals, each of which requires human review. The DSA is supposed to deter that with trusted flaggers, but the trolls won’t come in that way; the other way is that you can temporarily suspend their accounts after a period of notification. His experience is that they don’t care b/c they generate 50,000 new accounts the next day. How do people feel about this trollification, not just about ©? Is there enough in the DSA to protect against it?

Hogan: worries about that. Even under DMCA, we’ve sued abusers and never got a penny. There’s no real downside to trolling. They just come back. We’ve experienced at high volumes a pernicious organization on behalf of rightsholders, flooding our system w/1000s of junk notices taking up ½ of our queue, blocking legitimate claims. But if they have 10 claims that are good in there, hard to ignore them. Worry about amplification of trolls, as well as the 80 year old blogger who is targeted for abuse—hard to create downsides for that. Requires a big T&S team and investment of resources.

Perelman: we’ve been lucky so far and able to review everything.

Chavannes: under the good guy theory, you should want to be in that situation—don’t do the responses and then litigate to get a narrow interpretation of the provisions from the CJEU.

Keller: Chavannes is a firm lawyer whose solution is to litigate early and often.

Chavannes: cheaper than 50,000 responses!

Molle: you can use automated means to do this as long as there’s human supervision—you could structure procedures in a way to take some of the blows that way.

Keller: are spammers going to bother to sue?

Q: on cost benefit analysis—it’s one thing to have some practices in place, but how should a US startup think about this? Should they block the EU and wait to grow? Or should they try to comply early on?

Arcamona: Posting on blogs as way to influence policymakers: we read them too! Cloud hosting in Chechnaya, shut down for fear they couldn’t comply. That’s important.

Keller: comply a little, hope it looks ok, hope you don’t get any attention?

Hogan: it depends on your userbase and economic value of EU; if you know about the DSA, which you might not if you’re a 5 person startup. We’ve seen publishers decide not to continue in EU under GDPR—it could happen.

Chavannes: is the US such a safe space for a fledgling online platform these days? [I mean … still yes?]

Riley: Yeah, Texas and Florida are worrisome. But it depends on how worried your lawyers are; are you really going to get noticed by the regulators if you’re small?

Keller: you don’t just have to worry if you’re in Texas—any of your users can bring a case.

Acosta: it’s common to pilot a feature in one jurisdiction for a while to test it. It’s possible that they’ll stay out for a while but it’s a big market so it will stay attractive.

Q: all of you are VLOPs. To what extent are you considering core functionality and product changes until the dust settles? I would advise going in general direction but abstain from significant changes you’re not evidently required to do.

Hogan: not a VLOP!

Perelman: we are a very small VLOP; have to grapple with that but with far fewer resources, including $ and tech, than others. That has required creative lawyering—talk about what we have to do, what we should do. Some product changes, but maybe there are some requirements that you do find the bare minimum and see where the dust settles.

Samuelson: 6% of global turnover is big and other countries will be attracted to it.

Arcamona: for Art. 17, we had to ramp up before it came into effect. DSA adds some pressure to that. So you have to keep having dialogues about tradeoffs. When the lawsuits come they will be fast and furious so advance planning is the key.

Chavannes: the fine changes the tone of the conversation w/regulators—amazed if it happens in first 5 years. The regulator can afford to sit back and say “you have to do this” b/c you know that they have that option.

No comments: