Web3 constitutes the first qualitative revolution of the Internet. The technology in Web2 has been neutral, while with the blockchain, it becomes a field of competition. Digital platforms (Web2) remained up to this year unregulated. In 2022 the European Union started to regulate them from a premise: technology is neutral. This premise doesn’t apply to Web3: EU rules change according to the technology used. Hence, EU rules for Web2 and Web3 are mutually incompatible. However, since the transition from Web2 to Web3 will still last years, it is necessary to find a convergence of the rules or their implementation. This article suggests a convergence on the regulatory level, defined as “participatory regulation.”

By Fabio Bassan[1]

 

I. WEB IN TRANSITION

Web1 (1990/2000) refers to the first stage of World Wide Web evolution, characterized by static web pages hosted on ISP-run web servers or free web hosting services, few content creators, no advertisements, and, importantly, reliance on a content delivery network (“CDN”) that was decentralized and used open protocols.

Web2 (2000-2020) refers to websites characterized by user-generated content, featuring usability, interoperability for end users (the birth of the “social era”). It also involved the centralization of the business model by which user data are captured, aggregated, and resold. Applications were developed, delivered, and monetized in a proprietary way. All decisions related to their functionality and governance were concentrated, and revenues were distributed to managers and shareholders.

Web1 and Web2 were not separated by a technological disruption: technology stayed the same. Only the way operators used such technology changed.

Conversely, Web3 (2020 –) refers to a qualitative technological change. The Web is transformed into a database, integrated by a Distributed Ledger Technology (“DLT”) and its implementations; the blockchain is the most relevant one, due both to the business model it implies (partially or fully decentralized) and to the relevance of the applications it makes possible. Web3 applications once again use open standards and protocols; platforms decentralize control; self-executing smart contracts automate the implementation of activities and transactions; governance is shared by the community; revenues are given back to creators and users.

Furthermore, Web3 creates a platform (the blockchain) on top of the basic infrastructure (the Internet). This involves a radical change, the most significant since the birth of the internet, on a conceptual but also a practical level. As for the former: the Internet was a neutral technology and so was the cloud, a platform that had developed on the Internet. The competition operated on the services that the operators provided on the technological platform, which was the same for everyone. With the blockchain, everything changes. The choice of the blockchain involves a technological choice. There are good technologies and bad technologies, not just bad uses of technology. Therefore, blockchain technology is not neutral.

As for the practical changes, Web3 marks a paradigm shift by overcoming the intermediations for data, functionality, and value.

A. Web Regulation in Transition

When it comes to regulation, Web1 (decentralized) was regulated by principles, not rules (i.e. ICANN).[2] Web2 has not been regulated, despite having a centralized business model (grounded on partially or fully closed networks).[3] ISPs provided access to a still primordial internet, and both in the U.S. and in Europe it was decided to let the market grow without intervening. However, when the Internet became a commodity, the relevant access was no longer to the Internet but to the networks that had developed on the Internet (i.e. digital platforms). Hence, it was no longer time for regulation, since digital platforms were “too big to care.”[4] The late (2022) regulation of the European Union will prove inadequate, for reasons that will be explained later in this paper. 

Web3 calls for regulation. Nevertheless, the Web3 regulation cannot be incompatible nor inconsistent with the current Web2 regulation. There will not be a switch-off: the transition will last years and with it the coexistence between Web2 and Web3. The Web2 and Web3 regulatory models and tools must therefore be, if not identical, at least consistent with each other.

Achieving this is impossible. In the area where the regulation is more advanced (the European Union) the regulation of Web2 follows old logic and dynamics, taken from the regulation of electronic communications of the 1990s. The regulation of Web3 is instead based on new models. And yet, it too has a flaw, because it assumes the convergence between the real world and the regulatory matrix built over time by the European Union, which is no longer effective.

It is, therefore, necessary to apply the regulation of Web3, which is now forming, and which uses useful and coherent tools, from the regulatory Web2 base of reference. And then verify if this regulatory model is also applicable to Web2, rebus sic stantibus.

B. The European Regulatory Matrix

The evolution of the regulation of digital markets must be inserted into an overall regulatory context that I have defined in other writings as the “regulatory matrix.”[5] Regulated markets constitute a “matrix,” composed of vertical silos (banking, insurance, financial markets, energy, transport, etc.) each subject to specific regulations and regulated and/or supervised by an independent authority, and horizontal, transversal silos, applicable to all sectors (competition, personal data protection, consumer protection). In the matrix, each box (i.e. applicable law) corresponds to an interconnection point between vertical (sectorial) and horizontal (general) rules, regulations, and standards.

1. The Implosion of the Matrix

The Matrix regulation, which has worked satisfactorily up to now, is, however, imploding under the pressure of digital evolution. Vertical silos are no longer parallel: they converge or spread apart according to contingent urgencies and needs.[6]

Similarly, horizontal silos (competition, protection of personal data, and consumer protection) are overcoming the historical constraints that have now become unbearable: territoriality for data protection (Schrems I and II),[7] the economic and turnover thresholds for competition law (“modernization”),[8] and the definition of the consumer as the beneficiary of the protection.[9]

2. Regulation by Product

By implementing the matrix framework, we shifted from regulation by subjects to regulation by activity, and then to regulation by product, an evolution that often involves a combination of the two approaches, if not all three of them (subject, activity, product), and which sometimes overcomes the conflict with the principle of prevalence, sometimes with cross-regulation.[10] The aim, as is often the case with legislative instruments, is to fill regulatory gaps and allow the market to manage sound risks. The instruments are chosen by the markets themselves: the legislator only makes them mandatory, following the wake of the market, according to the regulatory circle approach.[11] Therefore, recent EU legislative acts, if not contradictory, are at least not homogeneous with one another: each follows in the footsteps of the market, which are often divergent.

3. The Current European Regulatory Playing Field

Two extremes of the current regulation of digital markets in the European Union can be identified, within which all intermediate regulatory solutions can be placed. At one extreme we find Web2 regulation, based on the old paradigm of electronic communications. At the opposite extreme, we find the more modern Web3 regulation, which provides for sandboxes and pilots, but remains anchored to the regulatory matrix, which no longer corresponds to the reality of the markets.

On the one hand – at one regulatory extreme – even in digital markets the legislator looks backward, applying a typical “regulation by subject.” This is the case with the Digital Markets Act (“DMA”) and the Digital Services Act (“DSA”).[12] In both regulations, the European Union adopts a framework that seems new but is old and, as we already know, not very effective. It reproduces in new ways the regulatory tools adopted 30 years ago – with very mixed fortunes – against the former monopolists in telecommunications. The principle, based on regulation by subject, is simple: those who enjoy great powers (incumbents yesterday, gatekeepers today) bear greater responsibilities, so they can be the addressees of behavioral or structural obligations (under the proportionality principle). But if we leave this kind of “Superhero Ethics” and go to the market, the reality is different. The challenge lies, today as it did then, in the ability to verify compliance with regulatory obligations, which, according to the European model, is ex post and pays the price of information asymmetry, technological deficit, industrial property rights, long-standing investigations by the Commission, and trials before the Court of Justice.[13] We can say that the DMA is already old because it focuses on a world that is not there anymore, and, conversely, it doesn’t face the true challenge, i.e. imagining a future based on technological development and bringing the market to this objective, supporting it with a regulatory framework that prevents – and allows for effective sanctions against – any incorrect risk management.

On the other hand, on the opposite regulatory extreme, the European legislator takes a courageous step by overcoming regulation by subject, by activity, and by product, and directly implementing a kind of regulation by technology. The (Web3) blockchain environment is the new outpost of this regulatory frontier. The EU DLT Pilot Regulation is a typical example of this evolution,[14] as it lists the minimum requirements that technology must have and guarantee.[15]

DLT and Blockchain regulation are at the frontier of this evolution. Nevertheless, even in the new EU regulation of blockchain and cryptocurrencies (MICA, DORA, DLT Pilot) already enacted or about to be published, based on a “regulation by technology approach” – understood as the approach that legitimizes the use only of technologies that provide certain guarantees – the old regulatory matrix featuring the vertical and horizontal silos of the analog universe is reproduced. As the regulatory matrix has already been disrupted, the vertical rules that were no longer effective in the analog world are not becoming “magically” effective in the digital one, let alone the blockchain. In essence, the approach is right, but the regulatory framework that the European lawmaker applies is old and no longer relevant.

 

II. REGULATION BY TECHNOLOGY

If the rules are incorporated into the technology, regulatory or supervisory authorities should participate from the outset with the operators who hold the technology, to make it evolve towards a path consistent with the rights and protections that according to each Nation’s culture deserve to be guaranteed. I call it “participatory regulation,”[16] to underline the distance from what others call “participative regulation,”[17] which is just a kind of “regulated competition.”[18] Conversely, participatory regulation, “agreed” between the market and the supervisory or regulatory authorities, formally and informally, turns the market’s best practices into benchmarks and then standards, according to the dynamics of the “regulatory circle.” The revolution, here, is in the fact that the European supervisory and regulatory authorities, also cooperating and moving within their respective regulatory frameworks, participate in the development of the market rules.[19]

A. Participatory Regulation by Technology

The question is: may “regulation by technology,” applied according to the model of “participatory regulation” – what we can briefly define as “participatory regulation by technology” – be effective (and if so, to what extent) both in the digital platform (Web 2) and in the blockchain (Web3) ecosystems?

1. From Ecosystems to Sets. The Set Theory, Applied

The relevance of a consistent regulatory approach, on the implementation level, is critical for the development of the markets. Digital platforms, blockchains, and artificial intelligence as well, are not only ecosystems, as economists have already extensively theorized: they are real sets. If we apply the set theory, the pattern becomes clear: we have different sets of norms (digital platforms, blockchain, artificial intelligence), which in part intersect. The intersection is the “heart” of regulation: it is when a social network uses artificial intelligence or the blockchain, or when communities are created on the blockchain, or when the blockchain uses artificial intelligence, that the consistency of the regulations of the different sets is measured. Regulatory approaches that are inconsistent with each other and differ in terms of subjects, activities, and products create dangerous “regulatory escape routes” and allow operators to carry out “regulatory shopping” or even access non-regulated territories.

Consistency is sufficient, identity of the rules is not necessary: harmonizing them is the task of the authorities that apply the rules implementing the “regulatory circle” approach. Therefore, “participatory regulation,” that applies in the execution process, becomes decisive.

2. Participatory Regulation as a Tool Consistent with Web2 and Web3

Web2 and Web3 apply diametrically different business models, propose opposite visions of technological evolution, and use very different tools to achieve them. Nevertheless, participatory regulation is necessary for the regulation of digital platforms and blockchains because in both markets the rules are embedded in the technology. Technology, in the blockchain, is one of the main market drivers: it is a characterizing element and a competitive tool. Thus, it becomes critical for the regulator, who defines standards and guidelines, to look at the market’s best practices and regulate accordingly. This is precisely participatory regulation by technology, applied via the regulatory circle.

Participatory regulation by technology is compatible with both the “blockchain set” (Web3) and the digital platforms’ set (Web2). With the former, it is compliant by design because Web3 technology is the main driver of the market and competition. It is also compliant with digital platforms – most of which are already moving to Web3 – as long as we are aware of the transformation of digital platforms into legal orders, which makes participatory regulation by technology the “diplomatic channel” between the public (state) and private systems.[20]

3. Participatory Regulation and Regulatory Neutrality

Participatory regulation by technology changes the way we implement the principle of regulatory neutrality, which up to now has shaped the entire action of European legislation and European and national regulators.[21] If regulation is by technology, regulatory action cannot be neutral concerning technology: it naturally pushes towards the best technology, understood as one that guarantees more than others the rights and protections underlying EU welfare. It does so by applying the regulatory circle, taking the best practices from the market, and transforming them into standards.

 

III. PARTICIPATORY REGULATION AND REGULATORY TRANSITION

Participatory regulation, by linking Web2 and Web3, makes it possible to verify and overcome, in the detail of application contents (according to the regulatory circle) and not in the abstract, the dominant narrative that represents Web3 as a harbinger of new possibilities but also of challenges, obstacles and risks for both consumers and institutional participants. In fact, according to the master narrative, there is a trade-off between the fundamental rights and protections consumers and users are forced to give up in Web3 and the opportunities it offers.

Web3 would not have privacy, security, or enforceability, and in exchange would offer certainty of exchanges, and immediacy of transactions. In truth, neither is true in the abstract. As for the presumed limits of Web3, know-your-customer and anti-money laundering procedures are about to become Web3 standards, thanks to legislators’ and regulators’ work via “participatory regulation.” Privacy can be ensured directly by the blockchain or through tools that operate on it. Smart contracts’ legal enforceability is guaranteed on a regulatory level in many countries and is now also ensured on an application level, via the “regulatory circle.” As for the opportunities offered by the tools on Web3, only some of the blockchains guarantee security, transparency, decentralization, the immediacy of the transaction, and the contextuality of performance and payment.

These comparisons cannot be made in the abstract; it is necessary to always classify and separate. This job cannot be done by the legislator: it is up to the regulators. For this reason, “participatory regulation” becomes the main tool for linking Web2 and Web3 regulation, which, as mentioned, will coexist for a few years and must be consistent with each other.


[1] Professor of International Law, Roma Tre University.

[2] For the difference between rules-based and principles-based regulation see: Louis Kaplow, Rules Versus Standards: An Economic Analysis, 42 Duke Law Journal, 557-629, at 577 (1992); Carlos Conceicao – Rosalind Gray, Principles-Based Regulation – Problems of Uncertainty, 26 International Financial Law Review, (2007).  

[3] Both in the USA (with the Decency Act and the Telecommunications Act, both of 1996) and the European Union (with the directive on electronic commerce of 2001) the choice of the legislators was that of not regulating a newborn market until it adequately developed. For a commentary and a review of the literature of the time, see FABIO BASSAN, COMPETITION AND REGULATION IN COMMUNITY LAW OF ELECTRONIC COMMUNICATIONS, GIAPPICHELLI (2002).

[4] This was the expression used by EU Commissioner Thierry Breton referring to some big platforms.

[5] FABIO BASSAN, POTERE DELL’ALGORITMO E RESISTENZA DEI MERCATI IN ITALIA: LA SOVRANITA’ PERDUTA SUI SERVIZI, RUBETTINO, (2019); FABIO BASSAN, DIGITAL PLATFORMS AND GLOBAL LAW, EE PUBLISHING, (2021).

[6] The first example is related to a vertical silo: banks sell insurance, financial and mixed products, and the regulatory issue is raised here again in terms of prevalence or cross-regulation (banks, insurance, financial markets). A second example may be the prehistoric convergence between telecommunications and television. The frontier has shifted to the audiovisual content of digital platforms, which grew in their ante litteram sandbox and are now too big to care.

[7] In Schrems I (CJEU, 6 October 2015, Case C-362/14, Max Schrems v. Data Protection Commissioner – “Safe Harbour”), the CJEU ruled that national data protection authorities have the right to investigate individual complaints related to EC decisions and legal instruments based on these decisions, but also made very clear that only the CJEU is authorized to declare such a decision or instrument invalid. The CJEU also declared the Safe Harbour agreement invalid. The main reason for this ruling appeared to be the fact that the CJEU found that in adopting Article 3 of the Safe Harbour agreement, the EC exceeded its powers by making a shortcut to the adequacy procedure that should be followed according to Directive 95/46/EC. Following the invalidity of the Safe Harbour agreement, the EU–US Data Protection Shield (“Privacy Shield”) mechanism was implemented to replace the Safe Harbour agreement and to function as an instrument for EU/US data transfer.

In Schrems II (CJEU, 16 July 2020, Case C-311/18 Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems), while the Court of Justice invalidated Decision 2016/1250 on the adequacy of the protection provided by the Privacy Shield, Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries was deemed valid.

[8] In 2019, the French, German, and Polish governments jointly proposed options for modernizing EU competition policy. It follows the German 2030 industrial strategy proposals of 5 February 2019 and the Franco-German Manifesto for a European industrial policy fit for the 21st Century, of 19 February 2019. The European Commission Proposal for a Digital Market Act of December 2020 originates from here.

[9] Communication from the Commission to the European Parliament and the Council, New Consumer Agenda Strengthening consumer resilience for sustainable recovery, COM(2020) 696 final.

[10] Filippo Annunziata, MiFID II as a template. Towards a general charter for the protection of investors and consumers of financial products and services, EU financial law private and public enforcement of EU investor protection regulation, in QUADERNI DI RICERCA GIURIDICA DELLA CONSULENZA LEGALE, BANK OF ITALY 90 (Raffaele D’Ambrosio, Stefano Montemaggi, et al. eds., 2020); Raffaele D’Ambrosio, The liability regimes within the SSM and the SRM, law, and practice of the Banking Union and of its governing institutions, in QUADERNI DI RICERCA GIURIDICA DELLA CONSULENZA LEGALE, BANK OF ITALY, 88, (Raffaele D’Ambrosio ed. 2020); Veerle Colaert, Product Governance: Paternalism Outsourced to Financial Institutions?, European Business Law Review, Volume 31, Issue 6, 977-1000 (2020); Veerle Colaert, The MiFIR and PRIIPs Product Intervention Regime: In Need of Intervention?, European Company and Financial Law Review, Volume 17, Issue 1, 99-124, (2020); VEERLE COLAERT, DANNY BUSCH, THOMAS INCALZA, EUROPEAN FINANCIAL REGULATION: LEVELLING THE CROSS-SECTORAL PLAYING FIELD, BLOOMSBURY PUBLISHING, 384 (2019); Veerle Colaert, The Regulation of PRIIPs: Great Ambitions, Insurmountable Challenges?, Journal of Financial Regulation, 203-224 (2016); Antonio Marcacci, European regulatory private law going global? The case of product governance, European Business Organization Law Review, Volume 18, Issue 2, 305–332 (2017); Danny Busch, Product governance and product intervention under MiFID II/MiFIR, in Regulation of the EU Financial Markets: MiFID II and MiFIR, (Danny Busch, Guido Ferrarini eds., 2016); Rik Mellenbergh, MiFID II: New governance rules in relation to investment firms, European Company Law, Volume 11, Issue 3, 172–177 (2014).

[11] FABIO BASSAN, DIGITAL PLATFORMS AND GLOBAL LAW, EDWARD ELGAR PUBLISHING, 16 (2021). According to the “regulatory circle,” the rules arise from the market, and they become benchmarks that the national supervisory and regulatory authorities transform into standards, which they share in the network of European authorities and, if necessary, send to the European Commission, which adopts executive acts or, if appropriate, proposes legislative acts, which fall back on the market, closing the circle. The advantage of the “regulatory circle” is that the best practices are binding (self-binding for the companies that adopt them) immediately, or as soon as the national and European authorities propose them as standards or guidelines.

[12] Regulation 2022/1925 of the European Parliament and of the Council on Contestable and Fair Markets in the digital sector (Digital Markets Act); Regulation 2022/2065 of the European Parliament and of the Council on a Single Market for Digital Services and Amending Directive 2000/31/EC (Digital Services Act).

[13] In the current regulation, there is an additional aggravating factor: centralization. The European supervisor is the Commission. Centralization, and control as the only means, are unreasonable and unhistorical solutions.

[14] The DLT Pilot Regulation (Regulation 2022/858 of the European Parliament and of the Council on a pilot regime for market infrastructures based on distributed ledger technology, and amending Regulations (EU) No 600/2014 and (EU) No 909/2014 and Directive 2014/65/EU), approved on May 30, 2022, and which will apply from March 23, 2023, allows the launch of experimental projects for the inclusion of DLT and blockchain in the financial markets. Since the current EU legislation on financial services is not perfectly suited to crypto assets, the Regulation introduces three new “statuses” (MTF DLT; SS DLT; TSS DLT). It does not introduce new categories of subjects but refers to the National Regulatory Authorities (“NRAs”) the task of determining the use of these new technologies, indicating the requirements of the subjects who can operate, as well as any cases of exemption. Operators are responsible for guaranteeing the correct execution of the operations. ESMA plays the role of guidance (through non-binding opinions and standard forms), as well as coordination with the NRAs.

[15] Between the two regulatory ends, we find intermediate solutions, such as EU MICA and DORA Regulations. MICA (Proposal of a Regulation on markets in crypto-assets) entrusts the NRAs with the task of indicating the scope of action of operators by verifying the correctness of the offer to the public of crypto assets (through the supervision of the White Papers that must be drafted, notified, and published by the operators) and the requirements for providers of crypto-currency services provided by the European legislator (via authorization). The EBA and ESMA must adopt rules and technical standards, as well as carry out a further check on the markets (non-binding) if requested by the NRAs.

Regulation 2022/2554 (DORA) creates a regulatory perimeter within which companies can cope with all types of malfunctions and threats related to information and communication technology (“ICT”). The management of ICT risk is entrusted directly to companies, which identify the sources of ICT risks, adopt suitable tools and personnel to collect information, and carry out periodic tests to identify weaknesses, deficiencies, and gaps. DORA entrusts the NRAs with the task of providing feedback to the companies from which they receive the reports. The European Agencies (“ESAs”) define technical standards, and regulations, adopt annual reports on accidents that have occurred (to process statistics) and monitor the risks due to the companies’ dependence on third-party suppliers.

[16] Fabio Bassan, Digital Platforms and Blockchains: The Era of Participatory Regulation, in European Business Law Review, forthcoming, (2023).

[17] Participative regulation can be seen both as a practice where regulatory agencies invite companies and consumers to participate in their decision-making, and as a dialogue between regulators and gatekeepers to craft suitable obligations (according to the Digital Markets Act). See Vikas Kathuria, The Rise of Participative Regulation in Digital Markets, Journal of European Competition Law & Practice (forthcoming). In the first case, participative regulation is achieved through consultations on draft decisions, on which operators and consumers provide information. It is a tool that relies on competition between operators to overcome information asymmetries, and is therefore on the one hand too narrow, on the other risky, particularly in the cases (at the two extremes) of markets in the first phase of growth or of consolidated, oligopolistic markets.

The second case concerns a specific regulation that imposes limits on the conduct of firms that hold particular market positions. In the past, these commitments, anticipating any abusive behavior on the market since they are aimed at preventing them, were imposed on the incumbent telecommunications operators. Today, the same methodology (but with different commitments) is envisaged for the most relevant digital platforms, which meet the requirements of gatekeepers. In other writings, I have defined these procedures as part of a “regulated competition.” It is a methodology that originates from competition law, and whose purpose is typically pro-competitive. It should not be confused with participatory regulation, a regulatory method according to which regulatory and supervisory authorities cooperate with operators from the initial stage of product development, to allow its evolution consistent with the protections and rights that regulators want to guarantee to consumers and the market.

[18] Bassan supra n. 2.

[19] See the Communication by the Bank of Italy on Decentralized Technology in Finance and Crypto-assets (June 2022). It is exactly the participatory regulation that the Bank of Italy applies.

[20] Bassan supra n. 10. In a recent book, I theorized the transformation of digital platforms (especially “closed” ones, such as social networks), into private legal systems. This observation requires a radical change in the way digital platforms are to be considered and in the regulation that can be applied to them.

[21] Regulation and laws are never neutral: Brad A. Greenberg, Rethinking technology neutrality, Minnesota Law Review, Volume 100, 1495-1562 (2015); Mireille Hildebrandt, Laura Tielemans, Data Protection By Design and Technology Neutral Law, Computer Law & Security Review, Volume 29, Issue 5, 509-521 (2013); Wolfgang Briglauer, Volker Stocker, Jason Whalley, Public Policy Targets in EU Broadband Markets: The Role of Technological Neutrality, Telecommunications Policy, Volume 44, Issue 5, 1-15 (2020); Carys Craig, Technological Neutrality: Recalibrating Copyright in the Information Age, Osgoode Legal Studies Research Paper (2016); Janja Hojnik, Technology Neutral EU Law: Digital Goods Within the Traditional Goods/Services Distinction, International Journal of Law and Information Technology, Volume 25, Issue 1, 63-84 (2017); Renato Mangano, Blockchain Securities, Insolvency Law and the Sandbox Approach, European Business Organization Law Review, Volume 19, Issue 4, 715-735 (2018); Anne Veerpalu, Functional Equivalence: An Exploration Through Shortcomings to Solutions, Baltic Journal of Law & Politics, Volume 12, Issue 2, 134-162 (2019); Edgar A. Whitley, for E-Identity: a Critical Reflection Based on UK Identity Policy, Journal of International Commercial Law and Technology, Volume 8, Issue 2, 134 (2013).