Interview with Rotem Medzini

In a few words, can you tell us about yourself and how you found your way to the academic field?

My name is Rotem Medzini. I am currently working on my Ph.D. at the Federmann School of Public Policy and Government, and I’m a research fellow at the Cyber Law program, both at HUJI. Before arriving at HUJI, I completed my LL.B. and LL.M. in Law and Technology from the University of Haifa, and graduated from the Stanford Program for International Legal Studies (SPILS) after writing my thesis (with honors) on “How does the Regulatory System Affect the Information Collection Practices of Social Networks?” Beside my academic background, my professional experience includes clerking for the Israeli Law, Information, and Technology Authority at the Israeli Justice Department, and volunteering for several years as the Project Lead for the Israeli Chapter of Creative Commons.

What is the main core of your research? Can you give an example or two? How is it related to cyber security?
My current research project discusses regulatory intermediation in internet policy. Regulatory intermediaries are a remarkable phenomenon in regulation theory as they act as a go-between for regulators, regulatees, and sometimes also the beneficiaries of the regulation. Regulatory intermediaries are vital to understanding how to affect the regulatees’ behaviors in online contexts. I am currently investigating one particularly fascinating group of regulatory intermediaries – data protection officers (DPOs) in the European data protection regime. DPOs offer a unique case of regulatory intermediation in internet policy as they originated in 1977 Germany, a time when the internet was not yet conceptualized as it is today. More recently, however, the DPOs have been incorporated into the new European data protection regime, mainly centered around the General Data Protection Regulation. Within this new regime, the European policymakers provide DPOs predefined roles within organizations and grant them with job entitlements to ensure they would do their job of monitoring compliance and raising awareness without interruptions. Additionally, DPOs need to have qualifications of both legal, regulatory, and technological skill-sets. This combination of predefined roles, job entitlements, and skill-set makes for a very interesting regulatory intermediation.

Why did you choose this area over all others? Did your personal or professional background lead you to it?
What truly cemented my interest in internet policy and regulation was clerking at ILITA and volunteering in Creative Commons. While the academic legal debate was interesting, I found that policy on the ground was a very different matter. When you continuously work with lawyers and policy analysts of corporations and civil society, you get to see a different side of policymaking. The decision to shift from law to social sciences and public policy came from a personal interest to associate internet policy with other social phenomena and to find explanations for the phenomena I observe.

Do you think that in this cyber age these issues are even more complex compared to other times in history? If so – in what ways?
Interestingly, data protection legislation, for example, started in the 1970s. Back then the challenge was that of early mainframe computers meeting the welfare state. Nowadays the challenges are different. For instance, our freedom of expression is a vital part of online social media, but what are the right limits when faced with hate speech on social media? What about the right to equal protection when algorithms discriminate? Diverse information and communication technologies constantly challenge our fundamental human rights, yet the difference is that while regulation is always thought of as arriving from public regulators increasingly it also originating from private regulation. We see more internet regulatory capitalism, meaning there is a new division of labor between public and private actors in which you can identify delegation of responsibilities, the growth in the influence of experts, new technologies of regulation, and self-regulation.

After explaining the main core of your research, what do you think is the solution? What is the proper model for that? Is it applicable?
Around the globe, we see the difference between internet regimes. Data protection, for instance, is protected differently around the globe. Practices and technologies are being harmonized on a global scale, but there are still differences across states due to politics. And countries in many cases need to protect their interests and not completely align themselves to the interests of the bigger states or multinational corporations. Israel is no different. Israel, for instance, needs to adopt many of the regulatory instruments and technologies offered by the General Data Protection Regulation. It must do so as it is committed to complying with the European Commission adequacy decision for Israel. This decision in turn will to enable Israeli companies to work in the global market while lowering their compliance costs. Implementing Privacy by Design, conducting data protection impact assessments, and appointing data protection officers are only some examples. However, Israel should also ensure that practices adopted here by regulated actors are recognized by and equivalent to the global standards. Let’s return to the example of data protection impact assessments: if a company makes a data protection impact assessment and approves it with the Israel data protection authority, that action needs to be recognized by European data protection authorities. Maintaining the high standard offered by the GDPR will not be an easy task, but Israel must both maintain its high standards while proving its data protection authority is every bit powerful and relevant as its European counterparts.

What is the next phase in your professional life?
My current professional goal is to complete my Ph.D. After I graduate from the Hebrew University, I want to continue to a post-doc abroad.

What is your message to the public?
There is constant discussion about the surveillance state and society, and debates about how powerful specific IT companies are. The answer to how to regulate them is not by merely stating “we need to regulate.” The answer lies in understanding who is governing, how regulation evolved, what form it takes, and why.