The tension between innovation and regulation is well known, but a relatively new term has gained prominence in recent years – permissionless innovation.
While it remains uncertain who originally coined the term, it has been adopted by those who consider it “the most important concept in political economy”. Vint Cerf, one of the “parents” of the internet, says that permissionless innovation “underlies extraordinary internet-based economic growth.” The best-articulated exposition of this approach can be found in Adam Thierer’s book Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom.
The permission question, as Thierer defines it, is: “Must the creators of new technologies seek the blessing of public officials before they develop and deploy their innovations?” He argues that there are two possible approaches to this question – the “precautionary principle” and that of “permissionless innovation”. The precautionary principle holds that -
New innovations should be curtailed or disallowed until their developers can prove that they will not cause any harm to individuals, groups, specific entities, cultural norms, or various existing laws, norms, or traditions.
The permissionless innovation approach, as Thierer defines it, is the
"Notion that experimentation with new technologies and business models should generally be permitted by default. Unless a compelling case can be made that a new invention will bring serious harm to society, innovation should be allowed to continue unabated and problems, if any develop, can be addressed later."
In other words, the idea is that public regulations stifle technological progress and innovation and should a-priori be removed, unless it is compellingly proven that a certain innovation will cause serious harm.
The permissionless innovation approach ignores an important issue, namely the fact that technological innovations are being produced at an ever-increasing pace. Since drafting, approval, and implementation are not speedy processes, regulation becomes a rearguard action. Furthermore, advocates of permissionless innovation neglect to mention that the implications of new technologies are not always immediately apparent, and that it takes time to evaluate them. While the pace of technological innovation in the past allowed for a certain amount of time between innovations, so that there was more opportunity to study their implications (and then decide whether or how to regulate them), at the current rate of advancement this is virtually impossible.
To take but one example of the problematics of permissionless innovation, let us briefly mention the issue of informational privacy. Perhaps more so than in other fields, innovation in technologies that collect and process data about users online is advancing much more quickly than the smaller, slower steps of the regulators chasing after these advances. The average user is being tracked and her information processed and analyzed countless times each day, in every action she does online, by an entire army of different technologies, with different intents – almost all unknown to her. Sometimes, even the commissioners of such tracking do not really know what is being done with the data. To say that such data collection and processing may lead to economic growth is one thing, but to say that it will lead to a better, happier, and more flourishing life is quite another.
Obviously, Thierer is aware of the fact that challenges related to issues such as privacy and security can be raised against permissionless innovation. However, he attempts to assure us by claiming that “a world of permissionless innovation will make us healthier, happier, and more prosperous—if we let it.”
I beg to differ. It seems to me that a crucial issue is missing from the debate: the question of purpose. What is the purpose of innovation? Is there some intrinsic value to innovation itself? Is innovation a means or an end?
If any scholar of religion were to follow the inhabitants of Silicon Valley, they might think that a new religion has sprung up in the area, gaining worshippers all over the world since the end of the last century. This religion worships one thing – technological progress; its axiom is innovation = good.
What we have here, I would argue, is a confusion of means and ends. Despite the fact that the discussion regarding innovation can often lead to the assumption that advocates of permissionless innovation see innovation as an end in itself, Thierer himself does not make this claim. He appears to hold the view that innovation may be considered a means to a greater good – material progress. Thierer claims that “Technological innovation is the single most important determinant of long-term economic growth and improvements in living standards. This is the consensus opinion among economists, political scientists, and economic historians.”
Thus, even the leading proponents of permissionless innovation themselves do not argue that innovation is an end in itself, but a means to an end – “economic growth and improvements in living standards”. However, the question they neglect to ask is whether economic growth or living standards (“The degree of wealth and material comfort available to a person or community.”), are ends in themselves. I would argue that innovation, and even economic growth, are not an end in themselves, but only a means to a greater good – that of happiness and a flourishing life. The idea that material progress is always a good thing should not be accepted as a guiding principle for society. Innovation might have brought about many good things, but it has also brought many other far less positive developments. Even improvements in health – and the question one always encounters when raising such precautions is would you rather live in a cave? Or be treated by a medieval doctor? – can sometimes be a negative thing, if physical health is the sole criterion at the expense of mental health.
As Thierer notes, there are indeed many problems with the current state of affairs and perhaps also with the methods of regulation. However, this does not mean that regulation should be removed by default and innovation given free, unrestrained reign.
Regulation, for all its many flaws, is an absolute necessity in this day and age. I would even venture to argue that it is needed now more than ever before – even at the cost of slowing down innovation. If this is the price we need to pay so that our decisions are more calculated, better informed, and hopefully show more consideration for their long-term implications, then so be it.
Although the ruling in the Watson case does not entail any practical changes in British law, it may offer some indication of the future of the IPA, which regulates British law on the subject of digital surveillance. The ruling should also be seen as a reminder of the partial regulation of digital surveillance in Israeli law and a call to reexamine the proportionality of the existing arrangements.
On 30 January 2018, the Court of Appeal in London published its ruling in Tom Watson MP v. Secretary of State for the Home Department (hereinafter: “Watson.”) The ruling discusses an appeal by the state against the ruling of the High Court from July 2015, which nullified some of the provisions of the British Data Retention and Investigatory Powers Act 2014 (hereinafter: DRIPA). In Watson, the court granted declarative relief, announcing that the provisions of DRIPA are inconsistent with European law. Some British media outlets rushed to describe the ruling as a judicial declaration nullifying the British digital surveillance regime, although it would not seem to be accurate to view the ruling as a full-fledged revolution.
The issue of data retention relates to the scope of the obligation imposed on database owners, and communications services providers in particular, to retain communication data and content so that this information will later be available to investigative bodies acting in accordance with a court order or any other demand. The wider the powers granted by law to the investigative bodies to intercept communication on a real-time basis, the less the need for these bodies to rely on prior information in accordance with the data retention obligation of communications providers (since they are authorized to intercept these data on a real-time basis). Conversely, the more restrictions the law imposes on the ability of these bodies to intercept communication directly, the more dependent they are on the use of data supplied by the communications providers.
In British law, DRIPA served until recently as the source of authority of the secretary of state when ordering data preservation. The secretary was empowered to instruct communications providers to retain metadata (data that does not relate to the actual content of the communication), if he believed that such retention was necessary and proportionate in the context of a wide range of purposes, including national security, prevention of crime and rioting, public security, protection of public health, collection or estimation of taxes, saving life, and preventing damage to person and property during an emergency.
In the July 2015 ruling, the High Court restricted the substantive application of DRIPA and narrowed the purposes for which it will be permitted to access and use communications data stored under the terms of an order issued by virtue of the act. The High Court determined that, as of March 2016, the provisions of DRIPA would be nullified concerning access and use of communications retained fro goals other than the prevention or identification of serious crimes, or for the goals of pursuing related legal claims. It was also established that it is not possible to permit access and use of communications data unless this is subject to judicial review ensuring the presence of strict necessity therefore. The state appealed against the decision of the High Court, which argued that the questions before it related to European law, and accordingly referred two questions to the European Court, where the questions were clarified in Tele2 Sverige AB.
The European Court ruled in Tele2 Sverige AB that, under EU law, the national regulation of data retention, cannot be general and indiscriminate. Obliging data providers to retain data will be possible when there is strict necessity to do so, and within the framework of the state regulation of the retention of communications data. Such regulation must include appropriate restrictions and controls regarding the retained data categories, the communications means from which data are collected, the scope of the objects of information regarding which data are retained, and the period of retention. Such legislation is required to define substantive and procedural conditions in which communications service providers will grant access to these data to the empowered authorities. The data concerned must be related to a person who committed a “serious crime,” as distinct from crimes on levels equivalent to felony. Judicial review (or review by an independent authority) is required of applications for these data.
However, while the European Court of Justice grappled with the Tele2 Sverige AB case, the Investigatory Powers Act 2016 (hereinafter: “IPA”) came into force in Britain. The IPA constituted a comprehensive reform of digital surveillance laws. Among other changes, it nullified the arrangements in DRIPA. This explains why the Appeals Court in Watson could only grant declarative relief regarding a law that is no longer in forced. Against the background of the ruling of the European Court of Justice in Tele2 Sverige AB, the Court of Appeal in Watson ruled that DRIPA is inconsistent with European law, insofar as its provisions permit, for the purposes of law enforcement, access to retained data not intended for the prevention of a serious crime, or insofar as it permits access to retained data without judicial review or review by another independent administrative authority.
This declarative relief undoubtedly provides moral encouragement for the opponents of the IPA, which even during its process of enactment became known as “the UK Snooper’s Charter.” The IPA regulates diverse digital surveillance practices, including various techniques for bulk collection, as well as data retention. In June 2017, the High Court granted permission to the human rights organization Liberty to instigate legal proceedings attacking the IPA.
In addition, the uncertainty regarding the arrangements for the transfer of information between the EU and the UK in the post-Brexit era may also tend to restrain the broad authorities of the IPA, whose computability with European law is doubtful. Indeed, before the granting of the ruling in Watson, the British government circulated a legislative memorandum for the proposed amendment of the IPA for public comment. Among other changes, the proposal sought to change the purposes for which the secretary may order the preservation of communications data and bring some of the powers to secure communications data under quasi-judicial review.
A comparison between the developments in the UK and the remainder of Europe and the Israeli law concerning data perseveration yields some fairly unflattering results from Israel’s perspective. The issue of data preservation is not regulated in detail. The Protection of Privacy Law and the regulations enacted by virtue thereof do not include general provisions concerning the period of retention of data in the database, the content of data that may be retained, the maximum period of holding of the data, or any other aspect of data retention. Israeli law does not include any prohibition against the preservation of sensitive information, nor any restrictions applying to the period of preservation of sensitive information by cellular communications companies. Some observers argue that the enactment of the Communications Data Law created a possible obligation of data retention.However, the GSS Law empowers the prime minister to establish by way of secret rules provisions determining the manner in which the holder of the telecommunications license must preserve information, the period of preservation, and modalities for the transfer of the information to the GSS. This obligation applies to the preservation of non-content data.
In any case, when it comes to Israel, there are more questions than answers. The scope of data retention undertaken by the communications companies remains unclear. Do the GSS rules order indiscriminate data preservation, or solely for the purpose of specific intelligence goals? Are data preserved for security purposes in accordance with the GSS rules also used by other authorities for non-security-related purposes (such as in the framework of an order by virtue of the Communications Data Law)? Does the police rely on voluntary data preservation on the part of holders of telecommunications licenses?
It is apparent that the existing Israeli law is inconsistent with the European standard as applied by the British court in Watson. The Communications Data Law allows the police to ask the court to grant an order for receipt of communications data, among other reasons for the goals of the discovery, investigation or prevention of misdemeanors, a category that includes a wide range of offenses, some of which are not necessarily of sufficient severity to justify the violation of privacy inherent in the law. Moreover, in urgent cases the Communications Data Law permits the receipt of communications data without judicial review(though not for the purpose of discovering or preventing misdemeanor-type offenses). In Association for Civil Rights in Israel v. Israel Police, which attacked the Communications Data Law, the application of the arrangement to misdemeanor-type offenses was found to the proportionate, in light of the judicial criticism of the granting of a communications data order for these purposes. The arrangement permitting the receipt of communications data without a court order in urgent cases was also found to be proportionate, subject to the interpretation requiring the exercising of strict administrative discretion.
Lastly, it is also important to note the privacy reform in the European Union. In May 2018, the General Data Protection Regulation (GDPR) will come into effect. The data protection principles embodied in the GDPR include the principle of storage limitation, which proposes that personal information will be retained in a manner permitting the identification of the object of the information for a period not exceeding that required for the goals for which it is processed. Europe has recognized Israel as having a proper level of protection of private information. However, in light of the new threshold set by the GDPR, as well as European case law over recent years, it is impossible to know whether, in the absence of the regulation of digital surveillance laws, including regarding the issue of the retention of and access to communications data, this decision (which has significant economic ramifications) will remain intact.
 Tom Watson MP v. Secretary of State for the Home Department, EWCA  Civ 70.
 HCJ 3809/08 Association for Civil Rights in Israel v. Israel Police (published in Nevo, 28 May 2012).
 Ibid., paras. 18-19 of President Beinish’s ruling.
 Ibid., paras. 26-27 of President Beinish’s ruling.
 Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1 (EU) (hereinafter: “GDPR.”)
 24. Article 29 Data Protection Working Party, Opinion 2009/6 on the level of protection of personal data in Israel (1 Dec. 2009).
 In addition to Tele2 Sverige AB, it is also worth mentioning: CJEU, Joined cases C-293/12 and C-594/12 (Digital Rights Ireland v Minister for Communications, Marine and Natural Resources, Seitlinger and Others), (18 Apr. 2014) , as well as the court decision in CJEU, C-362/14 (Maximillian Schrems v Data Protection Commissioner), 6 Oct. 2015, which discusses the impact of mass surveillance on data transfer to private American companies. The decision may indicate the current mood in Europe concerning the level of privacy required for the transfer of information about European objects of information to third party countries.