As the EU is gearing up for a major reform of key Internet regulation, we are introducing the principles that will guide our policy work surrounding the Digital Services Act. In this post, we take a closer look at what we mean when we talk about interoperability obligations, and at some of the principles that should guide interoperability measures to make sure they serve users, not corporations.
New Rules for Online Platforms
The next years will be decisive for Internet regulation in the EU and beyond as Europe is considering the most significant update to its regulatory framework for Internet platforms in two decades. In its political guidelines and a recent communication, the European Commission has pledged to overhaul the e-Commerce Directive, the backbone of the EU’s Internet regulation. A new legal act—the Digital Services Act—is supposed to update the legal responsibilities of online platforms. New competition-friendly rules that tackle unfair behavior of dominant platforms are another objective of the upcoming reform.
EFF will work with EU institutions to advocate that users are put back in control of their online experiences through transparency and anonymity measures whilst preserving the backbone of innovation-focused Internet bills: immunity for online platforms from liability for user content and banning filtering and monitoring obligations.
The reform of the e-Commerce Directive bears the risk that the EU could follow in the footsteps of Internet-hostile regulations that foster the privatization of enforcement, such as the Copyright Directive, the German NetzDG, or the French Avia Bill. On the other hand, it is also an opportunity to break open the walled gardens that many large platforms have become, and to put users’ rights to informational self-determination front and center.
We believe that interoperability obligations are an important tool to achieve these goals. Today, most elements of our online experiences are designed and regulated by large platform companies that hold significant market power. Many platforms take it upon themselves (or are required) to police expression and to arbitrate access to content, knowledge, and goods and services. They act as gatekeepers to most of our social, economic, and political interactions online. Platforms are powerful, and their power stems from many sources: most of today’s big tech players have a history of stifling competitors through technical measures, strategic lawsuits, and acquiring competitors. Over time, big platforms have become entrenched thanks to network effects, their sheer size, and the significant resources at their disposal. This is reinforced by regulation that has often become too difficult or expensive to implement for smaller competitors. The result: users become hostages, locked in a labyrinth of walled gardens.
The solution to this situation is not to reinvent the wheel, but to take inspiration from what the Internet’s early days looked like. Many of today’s significant players’ ascent was aided by interoperability—the ability to make a new product or service work with an existing product or service. Today’s incumbents made their fortunes by building their new ideas onto existing products or structures, thereby creating adversarial interoperability, often against the then-incumbents' will. In these early days of the Internet, not only did start-ups and new market entrants flourished, but also users had much more choice and control over the services and products that created their experiences online.
Principle 1: General Interoperability Obligations
EFF’s vision is a legal regime that fosters innovation and puts users back in control of their data, privacy, and online experiences. We believe that interoperability has a major role to play to make this vision of a Public Interest Internet come to life, which is why we propose interoperability obligations for platforms with significant market power. What we mean by that is simple: platforms that control significant shares of a market, and act as gatekeepers to that market, must offer possibilities for competing, not-incumbent platforms to interoperate with their key features.
While Europeans already have a right to data portability under the GDPR, this right comes with limits. It is not encompassing (users cannot port all personal data), it is conditional (only possible where "technically feasible"), and it is not clear where users should port their data to. Interoperability is the missing piece to breathe life into the right to portability. Interoperability through technical interfaces would enable users to communicate with friends across platform boundaries, or to be able to follow their favorite content across different platforms without having to create several accounts. Users would no longer be forced to stay on a platform that disregards their privacy, covertly collects their data, or jeopardizes their security, for fear of losing their social network. Instead, users would have the chance to make real and informed choices.
Principle 2: Delegability
But it doesn’t end here. Interoperability should also happen at the level of user interfaces, and should allow for as much flexibility and diversity as users want. Therefore, platforms with significant market power should also make it possible for competing third parties to act on users’ behalf. If users want to, they should be able to delegate elements of their online experience to different competent actors. For example, if you don’t like Facebook content moderation practices, you should be able to delegate that task to another organization, like a non-profit specializing in community based content moderation.
Principle 3: Limit Commercial Use of Data
To avoid the exploitation of interoperability, any data made available through interoperability should not be available for general commercial use. Most major platforms are built on business models that rely on the (often coveted) collection and sale of users’ data, thereby monetizing users’ attention and exploiting their personal data. Therefore, any data made available for the purpose of interoperability should only be used for maintaining interoperability, safeguarding users’ privacy, or ensuring data security. By prohibiting the commercial use of data used for implementing or maintaining interoperability, we also want to positively incentivize competitors with innovative, responsible, and privacy-protective business models.
Principle 4: Privacy
It is crucial to empower users to take control of how, when, why, and with whom their data is being shared. This means that key principles underpinning the GDPR and other applicable legislation—such as data minimization, privacy by design, and privacy by default—must be respected. This should also include easy-to-use interfaces through which users can give their explicit consent regarding any use of their data (as well as revoke that consent at any time).
Principle 5: Security
But users’ data and communications should not only be kept private, but also safe. Interoperability measures should always center on users’ security and should never be construed as a reason that prevents platforms from taking efforts to keep users safe. However, if intermediaries do have to suspend interoperability to fix security issues, they should not exploit such situations to break interoperability but rather communicate transparently, resolve the problem, and reinstate interoperability interfaces within a reasonable and clearly defined timeframe.
Principle 6: Documentation and Non-Discrimination
Finally, it is crucial to make sure that interoperability does not become a tool for powerful incumbents to act as gatekeepers and to further enshrine their dominant position. Our goal of user empowerment is served best when diversity and plurality are strongest, so interoperability should benefit as many competitors as possible, rather than just a few favored parties. To offer users more choice, access to interoperability interfaces should not discriminate between different competitors and should not come with strenuous obligations or content restrictions. Interoperability interfaces, such as APIs, must also be easy to find, well-documented, and transparent.
Requiring platforms with significant market power to allow interoperability with their services is an important first step to empower users to decide how they want to shape their online experiences. Data portability, interoperability, and delegability will allow users to make real choices regarding the people they want to interact with, the moderation of content they encounter, and the use of their data. Interoperability mandates, however, are not an easy or quick fix to the problems underlying the current landscape of dominant platforms. We must take a holistic view of digital policy, and take care that policymakers do not inadvertently give incumbents excuses to block their competitors from entering a market.