Cyberlaw deals with the legalities of our interactions with technologies and one another in cyberspace. It is an umbrella term that encompasses matters as diverse as cybersecurity, data privacy, social media, artificial intelligence, autonomous weapons, and cryptocurrency.
New products, platforms, capabilities, and threats are constantly emerging. It is the job of lawmakers to determine how they fit into existing legal frameworks, and to create new legislation when they do n0t. However, establishing agreements has proven challenging at the country level and internationally alike, and it is an area of law that is increasingly impacted by geopolitics.
Here, we look at some existing and upcoming cyber legislation and lay out what remains up for discussion and debate.
Leading the way: data privacy, cybersecurity
One of the most developed areas of cyberlaw pertains to data and privacy. In 2018, the European Union (EU) passed the General Data Protection Regulation (GDPR) to regulate data use, processing, and privacy across the EU and the European Economic Area (EEA). The GDPR builds on the Council of Europe's 1981 legally binding Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, or Convention 108.
Today, around 120 countries have adopted data protection and privacy legislation and many have introduced new laws or amended existing ones to apply to cyberspace, often modelling them on the GDPR. They include South Korea's Personal Information Protection Act (PIPA), Japan's Act on the Protection of Personal Information (APPI), Brazil's General Data Protection Law, and South Africa's Protection of Personal Information Act (POPI).
In the U.S., the American Data Privacy and Protection Act was introduced in the House in June 2022 and is currently pending. According to Scott J. Shackelford, an expert in business law at Indiana University and executive director of the university's Center for Applied Cybersecurity Research, the U.S. has adopted a more "freewheeling model" than other countries, including "a lighter-touch regulatory, both for privacy and cybersecurity."
Individual U.S. states, however, have adopted tougher measures, such as the California Consumer Privacy Act of 2018 and its 2020 amendment, the California Consumer Privacy Act (CCPA), or Proposition 24.
For the most part, there is "a little bit of a transatlantic divide" on privacy, said Shackelford, but he sees some convergence on cybersecurity, due in part to initiatives like the United Nations' norms for Responsible State Behavior in Cyberspace, and the National Institute for Standards and Technology's Cybersecurity Framework.
Cybersecurity laws within the U.S. often vary by state. However, in March 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law. This federal legislation requires critical infrastructure companies to report cybersecurity incidents, including ransomware attacks, to the Cybersecurity and Infrastructure Security Agency (CISA).
"For the longest time, we've had these 50 different versions of data breach notification laws. It really depended on where you lived in terms of when you got notified what rights you had," said Shackelford.
Cyberlaw meets geopolitics
According to Talita Dias, an expert in law and new technology at Oxford University in the U.K., the concept of cyberspace itself muddies legal discussions. Viewing cyberspace as a new 'space' — rather than a new set of technologies or social human phenomenon — is misleading.
However, in the absence of a specific treaty or a set of rules for this new phenomenon, "A majority of legal scholars and a significant majority of states, within the UN, for example, have accepted that international law applies," Dias explained.
The current reality is a legal landscape fraught with challenges: from conflicting political motivations to disagreements on how to interpret existing laws, on the scope (or limits) of state interventions and sovereignty, and on the application of humanitarian law.
Multi-stakeholder discussions of artificial intelligence (AI), for example, face numerous barriers, according to Shackleford. These include the war in Ukraine and uncertainty around the technology sector in China, which make it "harder for companies and civil society across these different regions to collaborate," he said.
Nevertheless, a proposal for the first major regulation of AI was published by the European Commission in April 2021; it is expected to pass into law next year or in 2024. The Artificial Intelligence (AI) Act aims to align AI with EU values and fundamental rights using a risk-based approach; it assigns four risk categories to applications of AI (unacceptable, high, limited, and minimal or no risk).
Conflicts of rights
Social media is perhaps the area where legislation intersects most colorfully with public engagement. Legal debates rage around subjects such as mis- and disinformation, hate speech, and free speech—the latter topic made more contentious with Elon Musk's recent acquisition of Twitter.
Dias explained the key legal regime currently regulating social media is the UN International Covenant on Civil and Political Rights, which includes articles that protect freedom of expression and the right to information, and prohibits propaganda for war and some forms of incitement to violence and discrimination.
The challenge is balancing protections like freedom of expression against an individual's right against harms, such as discrimination. As Dias explained, "You have conflicts of rights that have taken place offline, but are now given a new dimension online because of the scale, the speed of the problem."
Some tech companies, including Facebook's Oversight Board, cite provisions of the International Covenant on Civil and Political Rights in their decisions; however, content moderation remains a challenge. For Dias, the "heart of the problem" is recommendation algorithms, as they tend to promote sensationalist content, including disinformation conspiracy theories and hate speech, that goes viral.
Efforts to legislate are, however, underway. The European Commission's Digital Services Act (DSA) is set to be applied across the EU by the end of next year, and in the U.K., the Online Safety Bill is currently making its way through Parliament. Both place a duty of care on service providers—such as social media platforms— to protect users from illegal and harmful content.
Dias welcomes the provisions as "solid," but flags issues around defining harmful and illegal content (which varies by country, in the case of the DSA) as potentially challenging.
Existing laws, such as the Digital Millennium Copyright Act and the Communications Decency Act, impact social media in the U.S. However, the First Amendment (which protects freedom of speech and of the press, among other things) makes passing bills like those seen in the E.U. or the U.K. unlikely. "Even if they passed the two houses of Congress, they're going to be struck down by the Supreme Court," Dias said.
Looking forward, Shackleford points to areas such as the metaverse, blockchain, and cryptography as likely to come under the legal spotlight. However, he anticipates future cyberlaws are likely to converge with areas like climate risk and become more focused on "bigger ideas," such as resilience. "There's a lot of cross-pollination going on between sustainable development and cybersecurity right now," he said.
As the lines between our online and offline lives become increasing blurred, the notion of cyberlaw as a distinct legal area may dissolve. For now, however, it remains a complex and ever-changing picture.
Karen Emslie is a location-independent freelance journalist and essayist.