Cybersecurity & Tech

A Vision for Regulatory Harmonization to Spur International Research

Anna Lenhart
Wednesday, May 3, 2023, 8:30 AM
Multilateral agreements aimed at regulatory harmonization would allow for thoughtful international research on the information environment that considers user data rights.
Federal Trade Commission headquarters in Washington, D.C. (Victoria Pickering,; CC BY-NC-ND 2.0,

Published by The Lawfare Institute
in Cooperation With

On May 1, Reps. Lori Trahan (D-Mass.) and Jay Obernolte (R-Calif.) sent a letter asking the Biden administration to “initiate a multilateral negotiation to establish an international research center to facilitate cross platform research on the information environment.” The lawmakers asked the administration to consult with key stakeholders from partnered and allied nations to “outline the purposes, functions, and related administrative provisions of the research center” including “to facilitate secure information sharing between online platforms and researchers” and to “ensure access to the information by the research center does not infringe upon reasonable expectations of personal privacy of users of online platforms.”

The lawmakers are pushing the administration to address a limitation present in existing legislative proposals that facilitate researcher access to social media data. For example, bills such as the Digital Services Oversight and Safety Act and the Platform Accountability and Transparency Act task the Federal Trade Commission (FTC) with determining the confines of what data must be made available and the level of data protection required. The global nature of the information environment means that these proposals are limited by the FTC’s jurisdiction, described as protecting against “deceptive and anticompetitive business practices that affect U.S. consumers,” which presumably does not include mandating access to personal information belonging to consumers outside of the United States. But there are research questions critical to lawmakers that span beyond the jurisdiction that covers U.S. consumers, such as: How is Russian propaganda spreading through Ukraine? What are the most effective counternarratives? How does the speed at which a platform removes illegal content affect the spread of that information across countries and media outlets? 

Additionally, there are technical challenges associated with separating application programming interfaces (APIs) containing anything from ad targeting data to newsfeed posts by the data subject’s residence. For example, which country’s researchers get access to a post that includes friends who live in different countries? Or a meeting between U.S. activists and a foreign diplomat? How do researchers study an organized extremist group that has members across continents? 

Europe is actively determining how to implement a regulation related to this issue. Article 40 of the Digital Services Act (DSA), an online safety regulation that recently entered into force, gives digital services coordinators, digital regulators within each EU member state, the ability to mandate that platforms share data with researchers “who use the data solely for performing research that contributes to the detection, identification and understanding of systemic risks in the [European] Union.” Regulators throughout the EU are grappling with a set of jurisdictional questions similar to those of U.S. legislators and other partners or allies considering transparency into online platforms. As platforms look to comply with the DSA, they lack clarity regarding whether their researcher access programs and APIs can be extended to other nations and how best to handle data pertaining to residents outside of Europe. Meanwhile, the same uncertainty about international data transfers that has been hampering important collaborative health research is poised to impact scholarship that could truly protect consumers.

Multilateral agreements aimed at regulatory harmonization—clarifying areas of legal conflict and drafting compromise approaches or necessary safe harbors—would open the door for a world-class research center that facilitates cross-border and cross-platform studies unencumbered by potentially endless court battles. 

There are a few policy areas that necessitate harmonization for a smooth and thoughtful approach to international research on the information environment that considers user data rights.

Data Protection Laws

Nations throughout the democratic world have laws regarding how data belonging to consumers can be collected and processed. These laws impact a platform’s ability to provide data to researchers (even voluntarily). Privacy laws play a role in clarifying what personal data is considered public while also outlining the acceptable use of personal data for research. 

For example, Europe’s General Data Protection Regulation (GDPR) includes obligations related to the processing of the personal data of EU residents and includes carve-outs for researchers in certain circumstances where appropriate safeguards are met. The U.S. has the FTC Act Section 5, which can hold companies accountable for unfair or deceptive acts or practices, and the Common Rule, which outlines when identifiable private information can be used for research. 

Within these two contexts—the U.S. and the EU—there are differences that leave platforms looking to provide comprehensive transatlantic data sets uncertain how to proceed. The U.S. FTC Act does not include well-defined provisions for protecting consumer data or sharing data for research purposes, but it can and has been used to regulate data access agreements deemed deceptive, most notably In the Matter of Cambridge Analytica, LLC. Researcher access programs in the U.S. operate mostly under the Common Rule, which states that public information (regardless of whether it includes personal or sensitive data) is not considered human subjects research and can be made widely available. In the EU, however, the GDPR covers all personal data regardless of whether it is shared publicly and includes carve-outs for research. Many of the details for internet research have been clarified by the European Digital Media Observatory (EDMO) working group, which has drafted a Code of Conduct under Article 40 of the GDPR. The code would require researchers and platforms to consider contextual factors, such as the potential impact on rights and freedoms and reasonable expectations of data subjects, when assessing the appropriate safeguards to put in place for data sharing and research activities.

The above represents a simple and incredibly high-level comparison on two regions. Just imagine the potential complexity of including laws from other partner nations, U.S. states, or sector-specific data protection laws such as those for health information or even financial data (sometimes captured by social media platforms).

To be clear, the multilateral agreements suggested in this article should aim to facilitate international research collaboration on the information environment—not to facilitate data flow for all of digital commerce. Given Europe’s leadership with the GDPR, some of these necessary conversations have already begun under adequacy decisions. However, even as the U.S. and others struggle to reach adequacy, researcher access, which can and should be structured to generally exclude access for law enforcement purposes, may have a simpler path forward. Additionally, the GDPR’s adequacy decisions work in only one direction: They ensure that European data is protected overseas, but a researcher access agreement must consider the data rights of individuals in all involved nations.

Research Ethics Frameworks

Beyond the specifics of when data can be made available to researchers, nations vary in their considerations regarding what constitutes ethical research. Most notably, the European and Scandinavian view of research ethics is often described as deontological, emphasizing human rights and autonomy, whereas the U.S. view of research ethics is often described as utilitarian, allowing some risk to subjects if it is assessed in relation to anticipated benefits. Additionally, countries vary in the requirements for oversight bodies, such as institutional review boards or ethics committees. Fortunately, most research ethics rely on frameworks that leave flexibility for international collaboration. Organizations such as the Association of Internet Researchers and the International Society for Ethics and Information Technology have been grappling with these questions for decades, and researchers have navigated these differences on a project-by-project basis. Multilateral agreements will need to consider the ways international research collaboration agreements have been structured in the past in order to create a cohesive agreement that can work for most internet research.

Competition Laws

Platforms and regulators alike frequently cite impact on competition as a way to avoid data sharing. Experts on the information environment, however, suggest that the capability to study information flows across platforms is crucial. Therefore, the ability (via data standards and underlying infrastructure) for data from a mix of platforms to be combined must be considered. There is a large gulf between platform data being combined to answer questions about the spread of conspiracy theories and platform data being combined to set prices or entrench the power of monopolies. Countries involved in an international research effort should consider any difference in views and laws regarding collusion and corporate spying. The multilateral agreement should provide clarity on where these lines fall, carefully consider who is granted researcher access, and place limits on commercial use to ensure healthy competition in the digital markets, while avoiding the impulse to assume that all data access presents a risk to such competition. 

Possession of Illegal Content

Scholars who study content moderation practices pertaining to illegal content, censorship, and human rights abuses have requested access to data sets of removed or actioned content. Some laws, however, stipulate that individuals (researchers included) cannot possess content such as child sexual abuse material. Therefore, these multilateral agreements need to consider how variations in rules regarding possession of illegal content could impact these data sets. 
What constitutes illegal child sexual abuse material varies among democratic nations. For example, there are variations in the age of sexual consent and what constitutes child pornography, with the depiction of fictional characters being particularly consequential. For example, in the U.S. “fictional child pornography” is protected under the First Amendment (unless it is considered obscene according to legal precedent), whereas in Canada it is illegal to be in possession of child pornography depicting fictional characters. This issue is particularly challenging for researchers looking at “borderline” content (for example, child nudity depicted with regard to a historical event) or content created by generative artificial intelligence tools.

Where Do We Go From Here?

Trahan and Obernolte’s letter highlights existing efforts for international cooperation on social media research, such as the EDMO’s work to establish an independent intermediary body that could help facilitate researcher data access provisions under various European regulatory frameworks, Princeton University’s Empirical Studies of Conflict Project, and the Carnegie Endowment for International Peace’s Institute for Research on the Information Environment. These efforts have garnered participation from popular platforms and funders but will struggle to realize the vision for a large-scale, cross-platform, transnational research center on the information environment unless a multilateral framework is achieved.

When nations have come together to draft clear multilateral agreements to foster international research—from the international fusion research center, ITER, to the European organization for nuclear research, CERN, to the Antarctic Treaty System—tremendous progress has been made. An international center for research on the information environment would certainly come with its own challenges as unique as the internet itself. But both technological and regulatory developments are moving forward rapidly—with significant consequences for democratic societies—and stakeholders across sectors and jurisdictions have the opportunity to join forces to better understand the information environment and uphold democratic values.

Anna Lenhart is a Policy Fellow at the Institute for Data Democracy and Politics at The George Washington University. Most recently she served as a Technology Policy Advisor in the US House of Representatives.

Subscribe to Lawfare