Year in review: The digital policy developments that defined 2021

For most countries, 2021 was a continuation of pandemic woes. As people swapped contact tracing apps for vaccine passports, the wave of misinformation on COVID-19 vaccines spread even faster. 

Beyond COVID-19, the biggest themes of the year were: the geopolitical race for supremacy; restrictions on tech platforms’ market practices (notably in the USA and EU, and even more notably in China); antitrust investigations (too many to mention) and legislative proposals (including the US House and Senate bill packages); the effects of the global semiconductor shortage on the consumer tech sector; internet and social media shutdowns; issues linked to facial recognition technology; and mounting pressure to curb hate speech and disinformation, and to protect children online. Ah, and Elon Musk’s tweets on cryptocurrencies.

A month-by-month run-down of the digital policy developments that defined 2021

The first half of January was dominated by tech company reactions to the storming of the US Capitol. The internet’s role in this crisis and the resulting suspension of former USA President Trump’s social media accounts highlighted not only tech companies’ position as (unhappy) gatekeepers of content, but also the responsibility they are expected to shoulder in preventing the spread of harmful and unlawful content. 

In Facebook’s case, its decision to deplatform the former President came under scrutiny from its Oversight Board. Five months after the Capitol incident, the board ruled that the company was justified in its decision, but needed to apply a defined penalty. The new penalty? A two-year suspension.

February kicked off with a fallout between the Australian government, and Google and Facebook, which threatened to pull out of Australia over the country’s plans to enact a new Media Bargaining Code. Facebook’s daring decision to block news sharing angered several countries. Microsoft chipped in, and urged the USA to copy, rather than object to the media code. 

In the end, Australia held its ground, Facebook restored news sharing, and Google reached a deal with news companies.

March’s highlight was a milestone in multilateralism. The security-focused Open-ended Working Group (OEWG), whose members included, among other countries, the USA, China, and Russia, agreed on a set of ‘rules of the road’ on how states should behave in cyberspace. It was a much-welcome outcome, considering that the talks had failed during the previous round of discussions in 2019. 

Amb. Jürg Lauber, chair of the OEWG, at the end of the group’s third and final meeting, in which the UN member states adopted the final report and chair’s summary.

Data breaches were the talk of the month in April, after the data of 533 million Facebook users was leaked to an online hacking forum, and that of over 500 million LinkedIn users was leaked online and sold to hackers.

By the second half of April, the tensions between the USA and Russia escalated quickly after the USA attributed the SolarWinds cyberattack to Russia. Within hours, the EU, NATO, the UK, and Australia came out in support of the USA. The USA issued sanctions; Russia expelled diplomats. 

As tensions continued to brew, we turned our attention to the European Commission’s draft rules for regulating artificial intelligence (AI) systems, launched at the end of April, which were dubbed the most ambitious AI regulations seen globally to date. 

Credit: European Commission

Cybercrime reared its ugly head again in May. Colonial Pipeline, which services almost half of the east coast of the USA, from Texas to New York, was forced to close down its operations after a ransomware attack by the criminal group DarkSide. For operations to resume, the company had to pay the hackers around $5 million (75 Bitcoin) in cryptocurrency. 

A few days later, Ireland’s health network was forced to shut down its networks after a ransomware attack infected its computers with malicious software that locked users out of the system. The Irish government said it refused to pay the ransom. 

June was a time for talks. Biden’s European itinerary was carefully crafted to show (Russian President Vladimir Putin) that ‘Europe and the United States are tight’. The three-day G7 summit was followed by NATO and EU-US summits in Brussels. The much-anticipated meeting between Biden and Putin took place on 16 June in Geneva. The two superpowers had reached a cyber detente (so much so, that in October, Russia and the USA tabled a joint draft resolution on cybersecurity, co-sponsored by 50 other countries, on state behaviour in cyberspace).

Discussions on a global digital tax reached a climax on 1 July, when the OECD announced that 130 countries agreed to support a new two-pillar global tax solution. This agreement opened the door for more political and technical negotiations. Fast-forward to October: The number of countries on board rose to 140, and included Ireland and Estonia, who had previously held out. By this time, a fleshed-out deal, as well as a detailed implementation plan, was agreed to.

The end of July brought with it the disquieting revelation that more than 50,000 people – including politicians, journalists, human rights activists – were potential targets of the malware Pegasus. The technology used to infect their mobile phones was both invasive and evasive.

August was a month for data protection fines. Luxembourg’s data protection watchdog fined Amazon a record €746 million for processing personal data in breach of the EU’s GDPR. The Irish data protection watchdog fined WhatsApp €225 million for failing to be transparent about how it uses data collected from people across other partner services such as Facebook and Instagram. 

Privacy activists and policymakers from other European countries were not impressed…

Towards the end of August, as the Taliban took over control of Afghanistan, social media companies struggled to respond to the Taliban’s increased presence on online platforms.

In parallel, Apple’s new measures to help enhance child safety online and limit the spread of child sexual abuse material (CSAM) were met with a volley of protests, and placed on hold. China took a more unstintly approach to protecting young adults from online addiction: No online video games between Monday and Thursday, and only one hour a day – from 8pm to 9pm – on Fridays, Saturdays, and Sundays, and on public holidays.

Also in parallel, China released a five-year blueprint to strengthen regulation across the tech industry, among other sectors. This reconfirmed what The Economist has just described as the subject that overshadowed all others: Xi Jinping’s attempts to assert control over China, especially its consumer-technology firms.

In September, the much-awaited Epic Games v. Apple judgement saw the latter emerge largely unscathed, with one exception. The court ruled that Apple must change its anti-steering rules, which had so far prohibited developers from ‘steering’ users to alternative in-app payment systems. Apple’s request to delay implementing this order was denied by the court.

Towards the end of the month, all eyes were on the general debate of the UN General Assembly’s 76th session. Addressing the opening of the debate, UN Secretary-General António Guterres did not mince words: ‘We face the greatest cascade of crises in our lifetimes… we are on a dead end to destruction.’ His firm words came a few days after another impassioned plea as part of the report on Our Common Agenda. 

UN Secretary-General António Guterres addresses the opening of the general debate of the General Assembly’s 76th session. Credit: UN Photo/Mark Garten

The US-EU Trade and Technology Council, which took off at the end of September, set the stage for transatlantic cooperation on a range of aspects (a post-Schrems II data protection agreement is not one of them). 

October ushered in a new headache for Facebook: How to respond to criticisms about the social media platform’s (not-so-good) effect on young users. This came after the Wall Street Journal revealed that Facebook was aware that its photo-sharing platform Instagram harmed the mental health of young users, especially teenage girls. Plus, a former employee-turned-whistleblower testified in a US Senate hearing about the company’s damaging products and practices. Due to pressure, Facebook ended up putting on hold its plans for a new Instagram app for young users. Lawmakers also quizzed YouTube, TikTok, and Snapchat.

We’ve been calling it Facebook until now. Towards the end of October, the company announced it was rebranding to Meta, and focusing on the metaverse, described as the successor to the internet we know today. In a matter of weeks, not only did the metaverse become the new tech hype, but many other developments were ushered in (new technology, new geopolitical race, and new policy issues).

Back to artificial intelligence, UNESCO adopted the first-ever global framework for ensuring that AI-driven digital transformations promote human rights and contribute to the achievement of the sustainable development goals. 

In November, the UK’s Competition and Markets Authority ordered Meta (formerly Facebook) to sell image platform Giphy, which it acquired last year for US$400 million (€354 million). It’s one thing for an authority to look into a merger; it’s quite another for a company to be ordered to sell an acquisition. The EU’s economy ministers were in a similar mood when it green-lighted the draft texts for the Digital Markets Act (DMA) and the Digital Services Act (DSA), on competition and content moderation, which policymakers are keen to see adopted in the coming year(s). 

Gig platform workers around the world were handed several wins as they wrangled for better working conditions. Among the most important are a new draft set of rules, proposed by the European Commission in December, which would presume that gig workers are considered and treated as employees, regardless of what their contracts state. 

It’s also worth mentioning a US court ruling, in August, which declared California’s Proposition 22 unconstitutional. (The voter-approved ballot measure, passed in November 2020, allowed companies to classify their drivers and couriers as independent contractors rather than employees, which meant that workers could only benefit from a slice of the protections which employees are entitled to). 

Earlier this year, the UK’s Supreme Court ruled that Uber drivers are workers, and not self-employed. In Spain, food delivery apps operating in Spain were ordered to regularise their delivery riders as employees, according to a new law.  

There was no slowing down for digital policy events at the end of the year. The annual gathering of the Internet Governance Forum was heavily focused on development aspects, while the first substantive session of the UN Open-ended Working Group (2021–2025) laid bare the open issues.

This article was originally published in the Digital Watch Weekly. Subscribe to receive the digest every Friday.