Towards a global approach to digital platform regulation

Preserving openness amid the push for internet sovereignty

Research paper Updated 23 February 2024 ISBN: 978 1 78413 593 5 DOI: 10.55317/9781784135935

A man stands holding his mobile phone, in front of a mural drawn in black and white of people walking and using mobile devices.

Yasmin Afina

Former Research Fellow, Digital Society Initiative

Marjorie Buchser

Consulting Fellow, Digital Society Programme

Alex Krasodomski

Programme Director, Digital Society Programme

Jacqueline Rowe

Policy lead at Global Partners Digital

Email Jacqueline

Nikki Sun

Academy Associate, Digital Society Programme

Rowan Wilkinson

Research Analyst, Digital Society Programme

Email Rowan

After decades of reluctance, governments around the world are moving to regulate, and more actively direct, digital platforms in an effort to tackle perceived harms and to strengthen state oversight and control. Digital sovereignty is emerging as a critical goal of government policy, but the agenda is complicated by national security considerations, the influence of tech companies and domestic politics.

There is significant diversity among countries in their approaches to platform regulation, with no clearly established norms or best practice. Multilateral organizations are not providing sufficient leadership at the international level. The major digital centres of power – Brussels, Beijing, London and Washington – are pursuing vastly different regulatory models. In the absence of new approaches to global governance, a jurisdictional, fragmented ‘Venn diagram’ of national internets could emerge, undermining the promise and benefits of openness.

This research paper is produced in partnership by Chatham House and Global Partners Digital, a social purpose company working at the intersection of human rights and digital technologies, including platform regulation. The paper defines and details a set of current trends in platform regulation, outlines possible pathways for the future, and shows how, despite being overlooked by some in the tech industry, human rights provide a well-established and compelling framework that could contribute to a global regulatory approach. It concludes with recommendations on how policymakers can make progress towards alignment and preserve an open, global internet.

02 Global regulatory trends

There is some international consensus around the idea that action is required to tackle the power of large digital platforms. But the diversity of approaches adopted so far threatens the future of the open, global internet.

There is no average regulatory regime. Countries cannot be easily grouped together according to other characteristics. For example, regional and linguistic groupings may obscure as much as they reveal, with significant differences in approach between groups or countries that share borders and languages. Despite this, there are some overarching trends and commonalities. Given digital platforms’ global reach over multiple jurisdictions with competing or conflicting requirements, this chapter attempts to identify those trends and common features across a global dataset (compiled by Chatham House researchers) and to place them within a set of defined approaches. It then explores how these approaches diverge and interact.

Common requirements

Across the dataset, the most common features in regulations were enforcement through imposing fines on platforms (71 per cent) or threatening them with blocking of their services or blocking platforms altogether (51 per cent). In general, platforms were held accountable primarily for content classed as illegal (75 per cent) once they had been notified of its existence (76 per cent). There were also provisions for content that is not illegal but is seen, in some way, as harmful – such content ranges from disinformation to abuse online (51 per cent).

Table 1. Categorized survey questions gauging legislative approaches to platform regulation, per cent

	% yes	% no
Scope and governance
Does the regulation require a multi-stakeholder approach to platform governance?	33	67
Does the regulation differentiate between types of digital platforms? (For example, between video streaming services and social network platforms?)	29	71
Is the regulation enforced by an independent authority?	29	71
Does the regulation differentiate between sizes of digital platforms? (For example, as measured by annual revenue or number of users or employees?)	27	73
Penalties and sanctions
Does the regulation impose fines?	71	29
Does the regulation threaten platforms with restrictions or blocking for non-compliance?	51	49
Does the regulation threaten prison sentences for platform employees for non-compliance with content moderation requirements?	22	78
Content-based duties
Does the regulation require platforms to remove prohibited content whenever it is notified of such content?	76	24
Does the regulation tackle content which is already designated as illegal under other legislation?	75	25
Does the regulation require platforms to remove or deal with content that is not illegal?	51	49
Does the regulation require platforms to remove prohibited content within a specific timeframe?	46	54
Does the regulation require platforms to proactively monitor for prohibited content?	27	73
Does the regulation require platforms to remove prohibited content when ordered to do so by a court?	22	78
Does the regulation designate new types of content as illegal?	20	80
Business-based duties
Does the regulation require platforms to establish a local office or local contact?	51	49
Does the regulation require platforms to report regularly on the performance of their content moderation systems?	40	60
Does the regulation require platforms to register its services with authorities?	26	74
Does the regulation require platforms to carry out human rights risk assessments?	20	80
Does the regulation require platforms to submit to independent audit?	16	84
Does the regulation require platforms to store data locally?	7	93
Does the regulation require platforms to report regularly on advertising revenue?	4	96
Considerations for freedom of expression
Does the regulation explicitly mention freedom of expression?	38	62
Are there limitations on the powers of regulators in line with freedom of expression safeguards?	31	69
Does the regulation reference platforms’ responsibility to consider freedom of expression in their operations?	27	73
Are there regulatory exemptions for journalistic, scientific or public interest content?	20	80
Considerations for user capacities
Does the regulation require platforms to implement complaints mechanisms?	49	51
Does the regulation require platforms to publish terms of service?	40	60
Does the regulation require platforms to notify users of ongoing complaints or appeals?	33	67
Does the regulation require platforms to implement appeals mechanisms?	27	73

Global approaches show greater coherence around identifying and dealing with sanctioned content than around tackling systems that might prevent or mitigate the spread of such content. On questions of transparency, risk assessments and audit, a few pieces of legislation tackle business practices and processes in the context of content moderation, though more holistic approaches such as the EU Digital Services Act (DSA) are buttressed by regulatory approaches to business practices, data privacy and antitrust that go beyond questions of content.2 Nevertheless, sophisticated approaches to platform content regulation, like transparency reporting on advertising revenue – which is one of the critical drivers of the design and functioning of online spaces – have rarely been called for. Similarly, the absence of multi-stakeholder participation in regulatory consultation in two-thirds of the regulatory regimes in the dataset is a concern, and core questions remain about who to include and when, where to fold inclusion into policy processes, and how to organize these efforts with a balance of flexibility and fairness.3

Regulatory approaches

Grouping regulatory regimes simply by language or region fails to capture similarities between regulations in different parts of the world. For instance, national approaches to platform regulations in Europe vary widely from Belarus to France, or in South Asia from Bangladesh to Pakistan. Characterizing regulation by similarities in approach provides an alternative window.

By clustering regulations into five approaches based on similarities and differences across 29 analytical metrics (see Appendix 1), researchers were able to identify and explore core features or characteristics that define certain different regulatory approaches taken to platform regulations around the world. While these categories are informed by legal and data analysis, they are designed to be narrative and descriptive rather than exhaustive; and to be starting points for discussion about convergence and divergence.

Some regulatory landscapes can be seen as representing more than one of the five broad approaches identified, particularly when geographies have passed or proposed multiple regulatory regimes for online platforms. For example, Australia’s Online Safety Act (and Basic Online Safety Expectations Determination) 2021 focuses on business and content duties, while its Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019 centres on criminal charges for illegal content. Similarly, the EU’s wide-ranging DSA and the UK’s Online Safety Act 2023 meet the threshold for representation in both the independent regulation and user rights and capacities groups.

A summary of the five approaches and their main features is shown in Table 2.

Table 2. Approaches to platform regulation and main characteristics

Approach		Features
1	Strict custody	Prison sentences for non-compliance; legal but harmful content in scope; little proportional regulation
2	Independent regulation	Independent oversight; stronger emphasis on freedom of expression considerations
3	User rights and capacities	Transparency, redress and appeals processes mandated; few proactive monitoring requirements
4	Extensive platform monitoring	Extensive proactive monitoring requirements; legal but harmful content in scope
5	Data localization as part of content moderation regulation	Data localization requirements; powers to block access to platforms; no independent oversight

Approach 1: Strict custody

Figure 1. Cluster depicting countries following a strict custody approach

Of the 55 global regulations examined, 10 regimes exemplified the strict custody approach:

Bangladesh’s Draft Regulation for Digital, Social Media and OTT Platforms (2021);
Malawi’s Electronic Transactions and Cyber Security Act (2017);
Mali’s Law No. 2019-056 on the Suppression of Cybercrime (2019);
New Zealand’s Harmful Digital Communications Act (2015);
Nigeria’s Protection from Internet Falsehood and Manipulation Bill (2019) and Draft Code of Practice for Internet Intermediaries (2022);
The Philippines’ Anti-False Content Bill (2019);
Singapore’s Foreign Interference (Counter-measures) Act (2021);
South Korea’s Act No. 14080 on Promotion of Information and Communications Network Utilization and Information Protection (2016);
Syria’s Law on Cybercrime (2022); and
Tanzania’s Electronic and Postal Communications (Online Content) Regulations (2020).

Regulations in this group were categorized by:

Prison sentences for platform employees for non-compliance with content moderation requirements or orders (10/10 regimes);
Platforms being required to remove or deal with content that is not illegal (8/10 regimes);
No distinction in the regulation between types of online platform (10/10 regimes); and
No requirements on platforms to report on advertising revenue, submit to independent audit, localize data or implement appeals mechanisms (10/10 regimes).

Regulations in this group diverge from global trends by imposing potential custodial sentences for platform employees as a result of content moderation failings. Malian regulations, for instance, threaten local employees of non-compliant service providers with up to two years in prison, while the Singaporean Foreign Interference (Counter-Measures) Act threatens prison sentences of up to four years.4,5 Incarceration of individual employees for platform shortcomings threatens in-country platform operations, and regulations of this kind are unpopular with companies.

Eight of the 10 regulations in this group require platforms to remove or otherwise address content that is not necessarily illegal, but is defined as, in some way, harmful. This broad category is difficult to define and varies across jurisdictions depending on a government’s policy goals. Content deemed to be harmful can range from pornography or violence to misinformation or anti-government messages. The Nigerian Draft Code of Practice for Internet Intermediaries, for instance, aims to prevent the transmission of ‘false statements/declaration of facts’. South Korean regulations prohibit ’information that infringes on the rights of others’, while Tanzanian law prohibits the ‘ridicule, abuse or harming the reputation’ of the country or its flag.6,7,8

Prohibitions of ‘legal but harmful’ content are controversial. Without clear legal guidelines or definitions, they present challenges to users and industry in deciding whether content or behaviour falls foul of the regulation. By incentivizing and/or requiring platforms to remove legal content, states risk implementing restrictions on freedom of expression that do not satisfy the ‘tripartite test’ of legality, legitimacy, and necessity and proportionality (see chapter 4) under international human rights law (IHRL) and guidance.

Platform regulations in the dataset that follow a strict custody approach do not differentiate between types of online platforms and services. This lack of differentiation hampers proportional regulation, and likely favours larger platforms with the resources to comply. Absence of independent auditing and appeals processes suggests that these regimes prioritize state control over online spaces.

It is notable that this regulatory approach did not correlate with requirements mandating data localization, pointing to states looking to boost their legal leverage over online platforms without resorting to expensive and skill-intensive technical leverage built on accessing local data.

Overall, business conditions for platforms under strict custody regimes are restrictive. For example, the risk of harsh punishments for individual employees tends to be viewed by businesses as regulatory overreach, and threats to individuals working at technology companies have even been described as ‘hostage-taking laws’, following controversy over their use in Brazil, India and Russia over the past decade.9

Industry groups have also raised the risks of directorial criminal liability for failure to comply with content moderation requirements. Civil society organizations, meanwhile, warn that these types of sanctions could lead to overzealous removal of content by risk-averse decision-makers.10 This risk is further exacerbated by requirements to remove content that is legal where that content might be deemed harmful in the local context.

Strict custody regimes are geared towards strengthening state or judicial power over online platforms.

Regulations assigned to the strict custody regimes group tend to put less emphasis on systemic change at a platform level, and tend not to build in significant user protections or routes towards additional platform oversight. For the most part, the regulations implement neither independent audits of platforms nor appeals or transparency mechanisms for users. There is some variation: regulations in Bangladesh, Nigeria and South Korea do call for transparency in terms of service and around platform decisions, while regulations in The Philippines, Singapore and Syria make no mention of protections for users or systemic platform change.

Strict custody regimes are geared towards strengthening state or judicial power over online platforms. Civil society and individual experiences of platforms under strict custody regimes should be expected to reflect this emphasis, with reduced freedom to challenge state-aligned narratives, and reduced access to material deemed by the national government to threaten social order.

Approach 2: Independent regulation

Figure 2. Cluster depicting countries following an independent regulation approach

Of the 55 global regulations examined, nine regimes exemplified the independent regulation approach:

Australia’s Online Safety Act (2021); Online Safety (Basic Online Safety Expectations) Determination (2022); and Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act (2019);
Canada’s Proposed Approach to Online Safety (Discussion Guide and Technical Paper) (2021);
The EU’s Proposal for a regulation of the European parliament and of the council for laying down rules to prevent and combat child sexual abuse (2022); Digital Services Act (2022); and Directive 2018/1808 of the European Parliament and of the Council of 14 November 2018 amending Directive 2010/13/EU (Audiovisual Media Services Directive);
Ireland’s Online Safety and Media Regulation Bill (2022);
New Zealand’s Harmful Digital Communications Act (2015); and
The UK’s Online Safety Bill (now the Online Safety Act; 2023).

Regulations in this approach were categorized by:

Regulation enforced by an independent regulatory authority (9/9 regimes);11
Explicit mention of freedom of expression (8/9 regimes) and limitations on regulators’ enforcement powers in line with freedom of expression safeguards (9/9 regimes);
Proportional or differing regulation between types of online platform (7/9 regimes) backed by fines (8/9 regimes);
Multi-stakeholder input into the regulatory process (6/9 regimes); and
Legal content that could be damaging to social order being in scope (6/9 regimes), but including neither proactive monitoring requirements (2/9 regimes) nor data localization requirements (0/9 regimes).

Regulatory regimes following this approach were marked by distance placed between the government and private interests and the regulator, and by limits to the power of the regulator on the grounds of freedom of expression. Provisions for independent regulators are mainly concentrated among liberal democracies – for example, Austria, France and the UK all propose an independent regulator – although the approach of separating regulatory supervision of platforms from government has also been followed by countries taking a different approach to regulation like Kenya, Malawi and Tanzania.

Provisions that limit regulatory enforcement in line with freedom of expression safeguards are often written into these types of regulation. For example, the Australian eSafety Commissioner’s powers are limited if their enforcement ‘would infringe any constitutional doctrine of implied freedom of political communication’.12 Ireland’s Online Safety and Media Regulation Bill includes provisions for platforms to notify the regulator if, in their view, a regulation excessively infringes on their users’ freedom of expression.13

The commitment to multi-stakeholder input further strengthens the levels of societal, industrial and third-sector input into regulatory decision-making. For instance, the inclusion of multi-stakeholder consultations in the policy development process likely makes the DSA function on a measured and compromise-based approach, boosting regulatory innovation and reducing ecosystem disruption.14 At a national level, French law calls for collaboration between platforms and news agencies, publishers and journalists to tackle disinformation.15

Under an independent regulation approach, powers and regulations tend to differentiate between different types of platform – i.e. a social media platform will carry different responsibilities to those of a search engine.16

Regulations assigned to the independent regulation approach tend to be those proposed by liberal democracies. Such regulatory regimes try to achieve a balance between increased state authority over platforms and a reduction in harmful content on the one hand, and commitments to preserving liberties on the other.17

Regulations assigned to the independent regulation approach try to achieve a balance between increased state authority over platforms and a reduction in harmful content on the one hand, and commitments to preserving liberties on the other.

Regulatory regimes under this approach are not absolute: they are limited in autonomy, power and scope. Although the fines proposed by these regimes are significant – the DSA alone can fine a platform up to 6 per cent of global revenue – independent regulation regimes do not go as far as demanding costly compliance requirements, such as the proactive monitoring of speech or user data localization.18

Nevertheless, they are given a significant remit. Most go beyond sanctioning only illegal content and demand platforms tackle a diverse range of harmful material or behaviour, with greater platform latitude around how precisely that content or behaviour will be tackled.

For businesses, this may prove a compliance challenge. For the most part, industry actors will feel listened to under independent regulation regimes and protected from heavily prescriptive regulation on the grounds of freedom of expression. Co-regulatory models recognize the evolving nature of digital ecosystems and the complex responsibilities of the companies concerned.19

However, the issue of ‘legal but harmful’ content or behaviour has dogged the debate on digital regulation, despite repeated international guidance – including interventions from the UN Special Rapporteur on the Protection and Promotion of Freedom of Expression and the UN Human Rights Committee – that states should not force companies to remove speech that is not explicitly illegal.20,21 Some regulators have now dropped such requirements, but those persisting will require clarity on a regulator’s expectations to avoid a significant burden to platforms in scope.22

Approach 3: User rights and capacities

Figure 3. Cluster depicting countries following a user rights and capacities approach

The most common approach, user rights and capacities, contained 17 of the 55 regulatory regimes:

Austria’s Communication Platforms Act (2020);
Bangladesh’s Draft Regulation for Digital, Social Media and OTT Platforms (2021);
Brazil’s Draft Bill 2630 on Freedom, Responsibility and Transparency on the Internet (‘The Fake News Law’) (2020);
Canada’s Proposed Approach to Online Safety (Discussion Guide and Technical Paper) (2021);
The EU’s Digital Services Act (2022); Proposal for a regulation of the European parliament and of the council for laying down rules to prevent and combat child sexual abuse (2022); and Regulation 2021/784 on addressing the dissemination of terrorist content online (2021);
France’s Law n° 2021-1109 consolidating respect for the principles of the Republic (2019);
Germany’s Network Enforcement Act (NetzDG) (2017);
India’s Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules (‘IT Rules’) (2021);
Indonesia’s Minister of Communication and Informatics Regulation No. 5 of 2020 on Private Electronic System Operators (2020);
Israel’s Social Networks Bill (2021);
Nigeria’s Draft Code of Practice for Internet Intermediaries (2022);
Poland’s Law on the Protection of Freedom of Speech on Social Networking Sites (2021);
Russia’s Federal Law No. 149-FZ on Information, Information Technologies and Protection of Information (2006);
Taiwan’s Draft Digital Communication Law (2022); and
The UK’s Online Safety Bill (now Online Safety Act; 2023).

Regulations in this group were broadly categorized by:

A focus on empowering platform users, with mandates on transparency, redress and appeals (at least three processes mandated; 17/17 regimes);
Provisions for illegal content to be removed on notification (15/17 regimes), rather than requirements for proactive monitoring (5/17 regimes);
Sanctions limited to fines for platforms (16/17 regimes) over prison sentences (1/17 regimes); and
Requirements for local contacts (13/17 regimes), rather than data localization (1/17).

This category covers a diverse set of regulatory approaches brought together by their mandating processes and mechanisms aimed at strengthening the tools available to users and civil society when interacting with platforms.

The study checked legislation for four commonly used tools: appeals mechanisms, transparency reporting, complaints procedures and terms of service. A requirement for platforms to implement a complaints mechanism was most common among the regimes analysed, with one-half of the regimes mandating this. Germany’s NetzDG, for instance, requires platforms to implement a means for users to report illegal content. French regulation mandates the same, noting the importance of users being able to report content promoted on behalf of a third party.

Other requirements included publishing terms of service (42 per cent of regimes), and providing appeals mechanisms to allow users to challenge platform removals (27 per cent) and be kept up to date on those challenges and other complaints (33 per cent).

Content monitoring requirements under user rights and capacities regimes are usually lighter than under the other approaches identified. The focus is on illegal content and its removal by platforms after notification, usually referred to as ‘notice and takedown’ regimes. Only a minority of such regimes demand proactive monitoring by platforms. Infractions are punishable by fines, with limited liability for individual employees.

A user rights and capacities approach puts the onus on the platform to improve, while being comparatively less prescriptive about how those improvements are made.

User rights and capacities regimes further impose a number of business duties. Transparency reporting, for instance, is a requirement in 88 per cent of such regimes (compared with 40 per cent across all the regimes reviewed for this study). A local office or point of contact also tends to be mandated.

In many respects, user rights and capacities regulation is rooted in a tradition of encouraging self-regulation, through setting targets but leaving execution to platforms outside of a handful of serious offences. Over time, legislatures have increasingly viewed platform improvements as necessary but not sufficient. This has contributed to the rise of independent regulation and stricter regulation of sanctioned content, but alongside these laws, regimes continue to mandate changes to platform design and function. In short, a user rights and capacities approach puts the onus on the platform to improve, while being comparatively less prescriptive about how those improvements are made.

Mandating the creation and maintenance of tools that improve platform users’ experience of a platform contributes to industry innovation in meeting regulatory requirements. This kind of principle-based approach – provided it can be shown to be effective in meeting regulatory objectives – reduces burdens on both the regulator and the regulated platforms. These tools – often referred to as ‘middleware’ – could sit independently of major platforms.23

A risk with non-prescriptive regulation comes in delegating definitions around the design of critical compliance tools to the regulated platforms. An advertising transparency database, or a platform application programming interface (API) – to give two examples – should be designed to standards agreed on by a wider range of stakeholders than just the platforms themselves. Provision of routes to input by a multi-stakeholder audience is critical, and platforms and regulators must be open to working with the third sector and academics on assessing and establishing best practice. There is an added risk that best practice comes to be defined by the biggest platforms, whose resources to develop and deploy solutions cannot be matched by smaller competitors. In the absence of an open solution and increased platform collaboration, smaller platforms may find themselves forced out of the market. Tackling this power imbalance through government software cooperation may be a viable path forward.24

Although rarely explicit in the legislation, a focus on processes and tools that allow users, communities and platforms to wield power and balance rights against one another is the approach truest to a human-rights based framework. Empowering individual users through dedicated processes and tooling is therefore likely the closest analogue to a human-rights based approach to platform regulation (see chapter 4).

Approach 4: Extensive platform monitoring

Figure 4. Cluster depicting countries following an extensive platform monitoring approach

Five regimes from four countries exemplified an approach to content moderation emphasizing enhanced monitoring by platforms:

Belarus’ Law of the Republic of Belarus No. 128-Z on amendments and additions to some laws of the Republic of Belarus (2018);
China’s Provisions on the Governance of the Online Information Content Ecosystem (2019) and Draft Regulations on the Protection of Minors on the Internet (2022);
Nigeria’s Draft Code of Practice for Internet Intermediaries (2022); and
Russia’s Federal Law No. 149-FZ on Information, Information Technologies and Protection of Information (2006).

Regulations in this group were categorized by:

Requiring proactive content moderation (5/5 regimes);
Mandating regular reports on content moderation systems (4/5 regimes);
The inclusion in scope of legal content that could be damaging to social order (5/5 regimes); and
Sanctions including blocking and restricting access to content or platforms (4/5 regimes), but not extending to prison sentences (1/5 regimes).

Regulations grouped under platform monitoring were defined by looser definitions of sanctioned content (for instance, legal content that could be damaging to social order). Belarusian law, for instance, sanctions the sharing of ‘materials containing obscene words and expressions’ in addition to illegal content.25 Nigerian laws concerning the use of automated accounts, meanwhile, sanctioned content that may ‘be prejudicial to public health, public safety, public tranquillity or public finances’ or ‘diminish public confidence in the performance of any duty or function of, or in the exercise of power by the Government’.26 Such definitions reduce clarity to end users and platforms as to the limits of acceptable content.

Nevertheless, these looser definitions are backed by stricter monitoring requirements and punishments for offending organizations. Most notably, all five regimes mandate proactive content moderation, rather than liability only after notification of behaviour or content that is in breach of the regulations.27 Proactive content moderation places expectations on platforms to remove sanctioned content as soon as, or before, it is posted. Most regulatory regimes have clauses for proactive content moderation, but these clauses are largely restricted to illegal content such as that related to child sexual abuse material (CSAM), terrorism and copyrighted materials. Such requirements are inconsistent with IHRL, even when only applied to CSAM or terrorism-related content.28

This approach is further characterized by comparatively far-reaching punishments for platforms failing to comply. For instance, Russian law provides for administrative, civil or criminal liability.29 In four of the five regimes surveyed, regulators are further empowered to block offending platforms and providers.

The combination of penalties for legal content deemed harmful to individuals or to social order and platform liability beginning with when content is posted, rather than when a platform is notified of it, makes platform monitoring regimes troubling from both a regulatory compliance standpoint and from a civil liberties perspective. Vague categories of prohibited content contradict international standards on freedom of expression, under which any restrictions on speech must be clearly provided for in law, in pursuit of a legitimate aim, and proportionate and necessary to the achievement of the stated aim. Such categories make it difficult for technology companies to arbitrate the types of speech allowed and prohibited, and translate poorly to automated content identification systems. Moreover, broad criminal provisions are routinely cited as tools used to suppress freedom of expression.30

With sanctions extending to the blocking of access to platforms, user experience under platform monitoring regimes is characterized by opacity.

Extending requirements to the more diffuse category of ‘legal but harmful’ content creates a heavy technological burden on platforms as automated techniques centring on language and image recognition become required. The lines around permissible content are blurred, as these automated technologies can struggle to identify this kind of content accurately. Coupled with risk-averse enforcement, large-scale removal of speech that should be legitimate under IHRL and guidance on freedom of expression becomes more likely. Such regimes incentivize the platform to remove in case of doubt, rather than run the risk of violating regulation, particularly when regulation mandates individual employee liability.

With sanctions extending to the blocking of access to platforms, user experience under platform monitoring regimes is characterized by opacity. Decisions made at both state and platform level are unlikely to be clearly explained to a user, particularly those around the removal of content or the suspension of user access. Only one of the regulations in this group – China’s Draft Guidelines for Implementing Subject Responsibilities on Internet Platforms – mandates independent audits for ‘super-large’ platforms.31

Approach 5: Data localization as part of content moderation regulation

Figure 5. Cluster depicting countries following a data localization as part of content moderation regulation approach

Five regimes from four countries were distinguished by explicitly referring to data localization as part of their approach to content moderation:

Pakistan’s Removal and Blocking of Unlawful Online Content (Procedure, Oversight and Safeguards) Rules (2021);
Russia’s Federal Law No. 149-FZ on Information, Information Technologies and Protection of Information (2006);
Turkey’s Law on the Regulation of Publications Made in the Internet Environment and Combating Crimes Committed through these Publications (2007);
Vietnam’s Decree No. 72/2013/ND-CP on the management, provision and use of Internet services and online information (2013); and
Vietnam’s Law on Cybersecurity (2018; including Decree 53/2022 Elaborating a Number of Articles of the Law on Cybersecurity of Vietnam).

Regulations in this group were categorized by:

Data localization requirements (5/5 regimes);32
Requirements to remove illegal content on notification (4/5 regimes), rather than requirements for proactive monitoring (1/5 regimes);
Few (5/5 regimes) or no (3/5 regimes) considerations of freedom of expression;
Sanctions including blocking and restricting access to content or platforms (4/5 regimes), but not extending to prison sentences (0/5 regimes); and
An absence of independent regulator or audit requirements (0/5 regimes).

The relatively small number of countries referring to data localization in their content moderation regulation may be misleading, as many others are beginning to mandate data localization in wider reforms and legislation targeting the digital economy. These countries include Brazil, China, Nigeria and Russia.33,34 Although it does not mandate data localization, the EU’s data protection legislation places certain restrictions and conditions on the transfer of data, while other countries have mandated data localization for certain types of data, including financial or medical.35

This approach to content regulation generally requires platforms to store, and likely provide access to, data on territory over which a state has legislative authority.36 For example, an October 2020 amendment to Turkey’s Regulation of Internet Broadcasts and Prevention of Crimes Committed through Such Broadcasts (Law No. 5651) requires domestic or foreign social network providers to store user data in Turkey.37

Over the past decade, platforms – most of them based in the US – have had significant discretion in managing government data-access requests. For countries looking to manage speech or behaviour more closely, US-based data storage impedes their attempts to identify users responsible for infringements.

The five regimes demanding data localization in the context of content regulation provide few protections for freedom of expression in their legislation, and have been proposed by countries where protections for speech and other human rights are limited. The legislation often coincides with requirements for companies to hand over user data or identify users to state authorities on request. Taken together, the proposed regulations may represent an attempt by a state to significantly increase control over the internet inside its borders. Notably, none of the regimes grouped under this approach provide for an independent regulator, with the government taking responsibility for enforcement.

Governments may choose to adopt and enforce data localization requirements for several reasons. The main reason is to enable ‘easy’ access to data by national law enforcement and/or security agencies. When government agencies require access to data that may be hosted in another country outside of their jurisdiction, not only do they require cooperation from the company hosting the data, but also from the government of the territory where that data is hosted. From a law enforcement viewpoint, data localization measures help circumvent such obstacles by ensuring that data (or at least, a copy of the data) is in a certain territory/jurisdiction.38

This approach to content regulation generally requires platforms to store, and likely provide access to, data on territory over which a state has legislative authority.

Beyond the issue of access, data stored within a given country’s territory would, in principle, be subject to that country’s jurisdiction, and thus, laws, regulations and policies. Depending on the processes in place in that country’s jurisdiction and the overall legal landscape surrounding data access, the government would be in a better position to apply measures over any data located in its territory.

Yet data localization requirements have implications and give rise to concerns. Mandating the installation or use of hardware inside a country’s borders may prove a step too far for all but the largest digital platforms or services in light of the financial and operational implications.39 When faced with demands for compliance, it is probable that smaller platforms will seek to end their operations and provision of services to users in that territory. If fully enforced, users may see a reduction in service availability and find online services dominated by platforms capable of meeting these regulatory requirements, occasionally punctuated by other platforms and services too small to catch the regulators’ attention. These trends combined would likely mean that users are significantly limited in their experience of the open, global internet.40

In addition, data localization requirements would mandate companies to store data in physical systems geographically located in the territory of countries putting in place such measures; hence, instead of centralizing all data in a single location, they will have to acquire (or rent) and ‘maintain servers in each of these countries in which they do business’.41 Proliferation of data centres would have a considerable environmental impact, due to the compute powers required and subsequent energy consumption, as well as their greenhouse gas emissions and waste.42

Data localization carries further risks. Centralizing digital infrastructure inside a country’s borders puts that infrastructure at risk should that country come under attack. ‘Data embassies’ located abroad, such as those employed by Estonia,43 highlight the advantages of securing a country’s data beyond its own physical borders. Localization also presents a risk for users dependent on platforms to act as a buffer against state authority. In dealing with some states around the world, US-based platforms have been reluctant to abide by national laws, up to and including challenging requests for data or information about users in court, frequently on the grounds that data is not held in that particular country. A lack of regulatory safeguards in the data localization as part of content moderation regulation group will not reassure platforms, while data localization weakens a company’s ability to protect its local users’ privacy or freedoms.

Data localization debates can cut both ways. Pressure on ByteDance from the US government to use local US data storage for US users of its app, TikTok, highlights the growing international concern about the security implications of unrestricted data flows.44

In a way, it would not be realistic to expect a ‘one-size-fits-all’, harmonized approach to data localization that would be universally adopted and operationalized. While cooperation agreements are in place to, for example, facilitate cross-border data transfers, data localization measures inherently rest on the concept of data sovereignty and, thus, countries’ exercise of prerogatives and control in line with their respective national priorities. Yet stricter approaches to data localization, and the subsequent power authoritarian governments hold over their populations, raise questions regarding implications for human rights. For example, Russia’s data localization requirements and strict monitoring and enforcement are seemingly motivated by government concern over the use of social media in anti-government protests. This apparent focus jeopardizes the users’ (and, more generally, the population’s) right to the freedom of expression, right to protest and enjoyment of broader civil and political rights.45

Democratic context

Legislation is inseparable from the context in which it is enforced. A full examination of the regulatory approach to platforms and the democratic integrity of each government is beyond the scope of this paper, but a partial picture can be discerned.

Within the groups identified in this paper, and even globally, there are noticeable outliers. Examples include requirements for human rights due diligence reporting in countries that do not otherwise recognize human rights, and protections for freedom of expression in countries known to habitually suppress anti-government speech.

These outliers, however, tend to be anomalies. Taking the 2021 Freedom House Global Freedom Index as an indicator of the strengths of protection for political rights and civil liberties in a given country, it is clear that stricter regulations tended to be concentrated in countries with lower ‘freedom scores’. Countries with strong democratic traditions, meanwhile, tend to support multi-stakeholder, independent regulations, with caveats in line with protections for individual liberties and rights.

Similarly, there is a strong correlation between national regimes that task independent regulators with platform regulation and countries scoring highly on the Freedom House index, while requirements around surveillance and data localization are largely found in countries with lower scores.

Figure 6. Regulatory groups and countries, measured against their Freedom House ranking

— Source: Freedom House (2021), Freedom in the World 2021: Democracy Under Siege, report, Washington, DC: Freedom House, https://freedomhouse.org/report/freedom-world/2021/democracy-under-siege.

See the EU Digital Markets and European AI Acts.

Chatham House Director’s Office and International Law Programme (2021), Reflections on building more inclusive global governance: Ten insights into emerging practice, Synthesis Paper, London: Royal Institute of International Affairs, https://www.chathamhouse.org/2021/04/reflections-building-more-inclusive-global-governance/03-ten-insights-reflections-building.

Law No 2019-056 on the Suppression of Cybercrime, 24–27.

Foreign Interference (Counter-measures) Act (FICA), 45 (3a, 4a).

The Protection from Internet Falsehood and Manipulation Bill 2019, 1, 16(a).

Act on Promotion of Information and Communications Network Utilisation and Information Protection (Act No. 14080, Mar. 22, 2016), 44(1).

Tanzanian Electronic and Postal Communications (Online Content) Regulations, 2020, and their Amendment Regulations 2022, Third schedule (under reg 16).

Elliot, V. (2021), ‘New laws requiring social media platforms to hire local staff could endanger employees’, Rest of World, 14 May 2021, https://restofworld.org/2021/social-media-laws-twitter-facebook.

Burns, H. (2021), ‘Online abuse: Why management liability isn’t the answer’, Open Rights Group, 5 May 2021, https://www.openrightsgroup.org/blog/online-abuse-why-management-liability-isnt-the-answer; Keller, D. (2021), ‘Empirical Evidence of Over-Removal By Internet Companies Under Intermediary Liability Laws: An Updated List’, Stanford Law School Center for Internet and Society, 8 February 2021, https://cyberlaw.stanford.edu/blog/2021/02/empirical-evidence-over-removal-internet-companies-under-intermediary-liability-laws.

OECD (2019), ‘Independent sector regulators and competition’, 2 December 2019, https://www.oecd.org/daf/competition/independent-sector-regulators.htm.

16/233 and 474.38, Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019.

Online Safety and Media Regulation Bill, Part 12 (46: *139ZO(3, 4), 139ZU).

Morar, D. and Santos, B. (2022), ‘Is the DSA a New Dawn of Legislating Platform Governance Globally?’, Lawfare, 30 November 2022, https://www.lawfareblog.com/dsa-new-dawn-legislating-platform-governance-globally.

Law n° 2018-1202 of 22 December 2018 relating to the fight against the manipulation of information, §14.

Online Safety Bill, 183-186, Sched. 1, 11.

Reisman, R. (2023), ‘From Freedom of Speech and Reach to Freedom of Expression and Impression’, Tech Policy Press, 14 February 2023, https://techpolicy.press/from-freedom-of-speech-and-reach-to-freedom-of-expression-and-impression.

EU Digital Services Act, articles 42, 59 and 60.

Buchser, M. and Moynihan, H. (2021), ‘Can global technology governance anticipate the future?’, Chatham House Expert Comment, 27 April 2021, https://www.chathamhouse.org/2021/04/can-global-technology-governance-anticipate-future.

UN Office of the High Commissioner for Human Rights (2018), Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, 6 April 2018, https://ap.ohchr.org/documents/dpage_e.aspx?si=A/HRC/38/35.

UN International Covenant on Civil and Political Rights Human Rights Committee (2011), General comment No. 34: Article 19: Freedoms of opinion and expression, 12 September 2011, https://www2.ohchr.org/english/bodies/hrc/docs/gc34.pdf.

MacCarthy, M. (2022), ‘U.K. government purges “legal but harmful” provisions from its revised Online Safety Bill’, blog, Brookings Institution, https://www.brookings.edu/blog/techtank/2022/12/21/u-k-government-purges-legal-but-harmful-provisions-from-its-revised-online-safety-bill.

Fukuyama, F. et al. (undated), Middleware for Dominant Digital Platforms, A Technological Solution to a Threat to Democracy, Stanford, CA: Stanford University Cyber Policy Center, https://fsi-live.s3.us-west-1.amazonaws.com/s3fs-public/cpc-middleware_ff_v2.pdf (accessed 19 May 2023).

Riley, C. and Ness, S. (2022), ‘Modularity for International Internet Governance’, Lawfare, 19 July 2022, https://www.lawfareblog.com/modularity-international-internet-governance.

Law of 17 July 2018 No. 128-Z, 30-1(2.2).

The Protection from Internet Falsehood and Manipulation Bill 2019, C770, ii, vi.

Multiple Chinese laws require proactive content moderation. These include Provisions on the Governance of the Online Information Content Ecosystem, 10; and Draft regulations on the Protection of Minors on the Internet, 20(5), 26, 30.

UN Office of the High Commissioner for Human Rights (2018), Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression.

Federal Law of 27 July 2006 No. 149-FZ ‘On Information, Information Technologies and Protection of Information’, 10.4(13), 10.5(17).

See, for example, Amnesty International (undated), ‘Freedom of Expression’, https://www.amnesty.org/en/what-we-do/freedom-of-expression.

cqn.com.cn (2021), ‘Guidelines for implementing subject responsibilities on internet platforms (Draft for comments)’, 29 October 2021, https://www.cqn.com.cn/zj/content/2021-10/29/content_8747098.htm.

Note that this is not an exhaustive list of laws including data localization requirements, which includes a range of other laws such as cybersecurity and data protection laws that are not included in the database and this paper because they do not also include content moderation requirements. In these five specific cases, the pairing of data localizations requirements with content moderation requirements is particularly of interest, given the opportunities for enforcement of content regulations and forcing platforms to hand over data of non-compliant users.

Federal Law No 242-FZ, part 5, article 18.

Article 37, Cybersecurity Law of the Peoples’ Republic of China, 2017.

Pfeifele, S. (2017), ‘Is the GDPR a data localization law?’, IAPP, 29 September 2017, https://iapp.org/news/ a/is-the-gdpr-a-data-localization-law.

While there is no universally accepted definition of what data localization means, as well as on its scope and overall legal and administrative force, the EU has attempted to provide a definition. See Article 3(5), EU Regulation 2018/1807: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018R1807. For another approach, see also Svantesson, D. (2020), ‘Data localisation trends and challenges: Considerations for the review of the Privacy Guidelines’, OECD Digital Economy Papers, 22 December 2020, https://doi.org/10.1787/20716826.

Law on the Regulation of Broadcasts via Internet and Prevention of Crimes Committed through Such Broadcasts, 4 (6).

Cory, N. and Dascoli, L. (2019), ‘How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address Them’, Information Technology & Innovation Foundation, 19 July 2019, https://itif.org/publications/2021/07/19/how-barriers-cross-border-data-flows-are-spreading-globally-what- they-cost.

Ibid.

Internet Society (2020), ‘Internet Way of Networking Use Case: Data Localization: How mandatory data localization impacts the Internet Way of Networking’, 30 September 2020, https://www.internetsociety.org/resources/doc/2020/internet-impact-assessment-toolkit/use-case-data-localization.

Komaitis, K. (2017), ‘The ‘wicked problem’ of data localisation’, Journal of Cyber Policy, 2(3), pp. 355–65, https://doi.org/10.1080/23738871.2017.1402942.

Gonzalez Monserrate, S. (2022), ‘The Staggering Ecological Impacts of Computation and the Cloud’, The MIT Press Reader, 14 February 2022, https://thereader.mitpress.mit.edu/the-staggering-ecological-impacts-of-computation-and-the-cloud.

e-Estonia (undated), ‘Data Embassy’, https://e-estonia.com/solutions/e-governance/data-embassy.

Calamug, A. (2022), ‘Delivering on our US data governance’, Tiktok, 17 June 2022, https://newsroom.tiktok.com/en-us/delivering-on-our-us-data-governance.

Newton, M. (2018), ‘Russian Data Localization Laws: Enriching “Security” & the Economy’, The Henry M. Jackson School of International Studies, 28 February 2018, https://jsis.washington.edu/news/russian-data-localization-enriching-security-economy.

Previous chapter Next chapter

Towards a global approach to digital platform regulation

Show authors

02 Global regulatory trends

Common requirements

Table 1. Categorized survey questions gauging legislative approaches to platform regulation, per cent

Regulatory approaches

Table 2. Approaches to platform regulation and main characteristics

Approach 1: Strict custody

Figure 1. Cluster depicting countries following a strict custody approach

Figure 1. Cluster depicting countries following a strict custody approach

Approach 2: Independent regulation

Figure 2. Cluster depicting countries following an independent regulation approach

Figure 2. Cluster depicting countries following an independent regulation approach

Approach 3: User rights and capacities

Figure 3. Cluster depicting countries following a user rights and capacities approach

Figure 3. Cluster depicting countries following a user rights and capacities approach

Approach 4: Extensive platform monitoring

Figure 4. Cluster depicting countries following an extensive platform monitoring approach

Figure 4. Cluster depicting countries following an extensive platform monitoring approach

Approach 5: Data localization as part of content moderation regulation

Figure 5. Cluster depicting countries following a data localization as part of content moderation regulation approach

Figure 5. Cluster depicting countries following a data localization as part of content moderation regulation approach

Democratic context

Figure 6. Regulatory groups and countries, measured against their Freedom House ranking

Figure 6. Regulatory groups and countries, measured against their Freedom House ranking