Chapter 2. Policy and regulation1

New players are offering audiovisual content delivery, spurring convergence in the telecommunication and broadcasting sectors

New services have blurred the contours of the telecommunication and broadcasting sectors, which were previously distinct. In turn, this has tested existing (legacy) regulatory and policy settings and encouraged a reconsideration of these frameworks. The emergence of OTT video service providers and the popularisation of triple- or quadruple-play service bundles, for example, have made decisions on issues such as must-carry/must-offer obligations and copyright and retransmission harder to allocate between formerly distinct regulatory realms.

There is an increasing diversity of distribution channels for audiovisual content in OECD countries. Most countries now have offers from public and commercial television broadcasters that include the option to watch broadcast content via the Internet, both in real time (linear online streaming) and in an on-demand, non-linear fashion (e.g. catch-up television). Offers vary in nature. While some provide real-time streaming only for subscribers, many offer linear streaming to the general public over the Internet (although these are often geo-restricted to the country or region of origin for copyright-related reasons). On-demand broadcast content is usually available for a limited time only and some providers require users to have a subscription for access.

Non-traditional players are also offering audiovisual content, especially through on-demand Internet platforms. However, as most OECD countries either do not regulate these services at all or regulate them very lightly,3 most regulators have not systematically collected data on these services and rely mostly on data from private sources. Intellectual property is another evolving factor for audiovisual content. Historically, content developers have tried to segment these rights to different delivery platforms or performance windows. Acquisition of content by platforms (via recent or planned mergers or through deeper distribution agreements) may result in more innovative and flexible modes for consumers to enjoy content.

In Europe, as part of the Digital Single Market Strategy (EC, 2015), the European Commission adopted an amendment to the European Audio-visual and Media Services Directive in May 2016 and in September 2016 submitted a legislative proposal for a European Electronic Communications Code. That proposal would revise the five European directives4 and two European Commission regulations and make them one single instrument. The revised European Audio-visual and Media Services Directive sets a new approach to online platforms (including those without editorial responsibility for content, such as video-sharing platforms) by prohibiting hate speech, protecting minors, promoting European works across all content platforms and proposing rules for more responsible video-sharing platforms (EC, 2016a). It further proposes subjecting OTTs to regulation only if they use numbering or are connected to the public switched telephone network, congruent with BEREC’s taxonomy (BEREC, 2015). Regulators in EU member states would also be able to request information from OTTs.

Currently, most OECD countries have very few regulations concerning audiovisual content provision by OTTs (which do not provide a licensed or authorised audiovisual service). Definitions of video-on-demand (VoD) services within legal frameworks in the OECD usually encompass services provided to consumers via a licensed broadcasting undertaking. In Canada, for example, VoD licensees are required to adhere to various programming codes that also apply to broadcasters and there are provisions preventing vertically integrated broadcasters from making television programming available on an exclusive or otherwise preferential basis. In Europe, consistent with the current European Audio-visual and Media Services Directive,5 notification from VoD providers can also be required, as in Hungary and the United Kingdom, which maintain national directories of all notified VoD service offerings.6 , 7

Convergence in the telecommunication and broadcasting sectors is a driver for mergers and acquisitions

This convergence between previously distinct parts of the communication industry is the main driver for mergers and acquisitions (M&As) in OECD countries. Between 2014 and 2016, mergers or acquisitions between cable network operators and mobile network operators (MNOs) featured prominently among the transactions with a market value of around USD 500 million or above (Annex 2.A1). However, as the case of Spain indicates, the trend towards convergence makes it harder for policy makers and regulators to assess outcomes (Box 2.1). Operators such as Vodafone purchased a number of fixed network operators while operators such as BT and Liberty Global purchased MNOs. In most cases the firms aim to offer a bundle of services, to benefit from the complimentary nature of the networks and to compete more effectively against rivals.

In October 2016, AT&T announced its intention to buy Time Warner for USD 85 billion. If approved by authorities, this will be one of the biggest upcoming M&As. Cable networks continue to merge with regional operators in countries such as Germany and the United States, while MNOs competing in the same market merged in Germany, Ireland and Italy. Meanwhile, in 2016, MNO mergers did not proceed in Denmark and the United Kingdom, where new entrants did not emerge from remedy negotiations.

Regulatory authorities have applied remedies or required conditions on many of these mergers. Sometimes approvals were subject to a divestment of part of the newly merged entity, such as in Belgium for the Liberty Global and Base case. In other cases, such as the one in Canada involving Shaw Communications, the fact that Shaw did not previously own a mobile network meant that authorities assessed there was no need to oppose the transaction. It was also noted that approval would not result in any change in spectrum concentration and accordingly no remedies were applied to this transaction.

In approving MNO mergers, authorities impose a number of conditions, including the divestment of spectrum or facilities (e.g. towers) to open possibilities for new MNOs or an undertaking from the merged player to offer wholesale access to mobile virtual network operators (MVNOs) and so forth. In OECD countries, remedies applied in more recent mergers appear to be more pro-competitive in terms of their goals than the remedies applied in earlier cases. This may indicate that remedies applied in earlier cases did not meet initial expectations in terms of emergence of MVNOs in merged markets, or of developments in prices and investment.

In the area of fixed networks, regulatory authorities also applied a number of conditions before approving mergers. In Portugal, authorities required divestment of network operators. In the United States, as a condition of approving the AT&T and DirecTV merger, the new entity was required by the Federal Communications Commission (FCC) to deploy fibre to the premises network facilities to 12.5 million mass market locations within four years of the merger’s closing date.

Following a merger or acquisition approval, OECD countries take a number of different approaches to assessing or monitoring market developments. When specific conditions are imposed, the merged entity will generally have to report on fulfilling those remedies. While not all authorities conduct specific post-merger reviews, they are common in a number of countries. For example, Austria’s Federal Competition Authority and the Austrian Regulatory Authority for Broadcasting and Telecommunications published two reports assessing the effects of the merger between Hutchison 3G Austria and Orange Austria that took place in 2012.

One question that arises in a post-merger case or in general monitoring of market developments is whether regulatory authorities have the information they need to assess outcomes. Assessing compliance with a precise remedy may be less challenging than assessing general outcomes such as effects on prices and investment, even though proponents of mergers often hold out more effective competition and incentives for investment as a reason for requesting approval. A further consideration for assessments is the increasing use of shared network facilities between MNOs and its potential influence on investment, particularly when this is combined with MNO mergers.

Several countries are undertaking convergence reviews to reform regulatory frameworks in light of the changing market

As communication services continue to evolve and the use of OTT services grows, a number of governments have been carrying out convergence reviews to evaluate whether different services should be brought under the same framework. In some cases, specific units have been created to ensure that policy makers have the necessary information to take informed decisions. In Australia, the government created a Bureau of Communications Research, a unit of the Department of Communications responsible for assessing new convergence trends in the communication sector. In October 2016, the bureau released a report analysing recent communication trends in that country, such as the increased demand for faster Internet services, the disruption of traditional broadcasting business models by increased demand for OTT services and local content costs, and a growth in content produced in Australia due to new entrants and platforms. The Australian Competition and Consumer Commission also announced a study on the communications market in Australia, which will examine network capacity, access to dark (unused) fibre and OTT services development. The results will be issued in 2017.

In Spain, the competition authority (Comisión Nacional de los Mercados y la Competencia [CNMC]) released a report in 2015 on the use of OTT services, which found that the main exceptions were more frequent use of messaging applications on mobile connexions (76% use in mobile against 43% in fixed) and for downloading of audiovisual content (38% of those using fixed connexions and 21% using mobile) (CNMC, 2015). Similarly, the Danish Agency for Culture published a Media Development Report in 2015 with data and analysis on the use of media on different platforms over time in that country (Danish Agency for Culture and Palaces, 2015). In 2015, New Zealand commenced the implementation of a cross-government work programme on convergence. The programme entailed an exercise to increase the understanding of issues such as content standards, taxation and the development of creative industries (MBIE and MCH, 2015). As a result of the exercise, certain programmes were designed, some of which are part of New Zealand’s Business Growth Agenda (MBIE, 2015). In the United Kingdom, Ofcom is conducting a Digital Convergence Review, which led to an interim report in February 2016 that set out the focus of the United Kingdom’s future convergence strategy and defined the process of deregulation in some cases (Ofcom, 2016).

In some countries, proposals for upcoming work on the issues around convergence are set out in the work programmes of relevant agencies. For example, the Canadian Radio-television and Telecommunications Commission’s (CRTC) strategic plan for 2016-19 revolves around the main pillars of connecting Canada with accessible, innovative and quality communication services, creating more local content and protecting users (CRTC, 2016). Korea is undergoing a similar process through the development of its Communications Commission’s overall plan for 2017-19.

Some countries have created converged regulators who have responsibility for both the telecommunication and broadcasting sectors

To encourage a more coherent regulatory approach, an increasing number of countries have reformed their communication authorities and adopted a converged structure that integrates both the telecommunication and audiovisual sectors.

Some of the benefits of establishing a converged regulator have included:

• a one-stop shop for the industry and consumers

• better enforcement and coherence among the different regulatory areas (e.g. audiovisual services, networks, communication services)

• the ability to examine the full value chain from networks to content, undertake comprehensive competition analysis, identify possible leverage of market power in neighbouring markets (bundling issues) and evaluate concerns from content standards to exclusive dealing, whereby upstream providers foreclose competing companies downstream

• cost savings, with the caveat that actual savings are dependent on the resulting structure and functioning of a converged regulator.

Most recently, in 2013, Mexico, Slovenia and Spain reformed their communication regulatory authorities to introduce a converged structure. These countries add to the list of those that had already adopted some features of a converged structure, such as Australia, Austria, Canada, Estonia, Finland, Hungary, Italy, Korea, Switzerland, the United Kingdom and the United States. The so-called “converged regulators”, which vary substantially in their structure and capacity, now total 13 among OECD countries (see Annex 2.A2).

Termination rates have declined in recent years, with some exceptions

Interconnection rates such as mobile termination rates and fixed termination rates apply to telecommunication operators providing telephony service. In OECD countries, mobile termination rates for all mobile operators (MNOs and MVNOs) generally apply. In the case of fixed operators, mobile termination rates can apply to all of them, as in Finland, Germany and Spain, or only to operators holding significant market power, as in Belgium, Denmark and Ireland.

The interconnection rates and the methodology used to update termination rates are dependent on the regulatory authority. In the United States, interstate and intrastate intercarrier charges for exchanged traffic can vary by carrier, although most rates were capped in 2011 and many terminating rates either have been or are being transitioned to bill-and-keep. In Europe, some countries use a market analysis and national consultation to elaborate a proposal for changes in the termination rates. For EU member states, such proposals must be submitted to the European Commission. In Colombia, interconnection rates are negotiated by operators in their contracts but need prior approval of an initial reference offer by the regulator (Comisión de Regulación de Comunicaciones [CRC]).

Outside the OECD area, international termination rates continue to be a concern in countries where the government establishes a cartel and applies a uniform surcharge on incoming telephone calls (OECD, 2014a). International termination rates have also drawn attention among OECD countries, with some concerned that the rates do not reflect a cost-oriented approach. In the European Union, since 1 January 2016, some regulators have begun to allow mobile operators to treat the international termination rate differently from the national termination one. Subsequently, prices change frequently (e.g. almost on a monthly basis), leading to tensions between European mobile operators and their counterparts. As Swiss operators, for example, are no longer offered the “European tariff”, this has been said to have undermined relations between MNOs.

Outside of Europe these developments have drawn the attention of the Office of the United States Trade Representative (USTR). According to the USTR, several operators within the European Union are charging higher rates for the termination of international traffic originating from outside that area than they are for traffic that originates within member states. This creates a two-tiered approach for termination, which the USTR says does not appear to reflect incremental costs for termination of such traffic.

The questions raised by the USTR were familiar ones between OECD countries in the days when the international accounting rate system was used between operators in different countries, most of which had monopolies. This system was largely superseded once telecommunication markets were liberalised and competition was able to drive rates closer to cost. Nonetheless, as regulators around the world recognise, every network operator potentially has a degree of monopoly power in terminating traffic to their own customers and, as such, the same vigilance applied to domestic rates should also apply to international rates.

Peering and transit between Internet service providers is largely self-regulated by the market

The interconnection of ISPs and the terms in which traffic is exchanged among them is an area largely self-regulated by market players. Recent market developments, in particular peering and transit disputes between market players, such as the Netflix-Comcast cases in the United States, have led to the debates becoming a matter of public record. In 2015, the regulatory agency in the Netherlands analysed seven prominent international disputes and concluded that in all cases except one some form of actual restrictive interconnection behaviour caused the dispute to arise, though it did not generally find actions it would describe as “anticompetitive” (ACM, 2015). It further noted that consumer harm would only arise in a situation where there was not enough interconnection capacity between the parties involved, something it had not identified in the Netherlands. The Autorité de régulation des communications électroniques et des postes (ARCEP), the communication regulatory agency of France, has also begun an administrative inquiry to clarify technical and financial conditions of interconnection between ISPs and content providers as well as between operators.

Communication regulators do not generally collect information on IP interconnection agreements because they are not subject to direct regulation. In most countries, the operator’s decision on whether and how to connect is driven by competitive market forces rather than by government regulation. However, national regulators have, by law, the authority to request such information in most cases. Some countries have specific requirements to send interconnection agreements to the relevant ministry or regulator, as in the Czech Republic and Korea. In March 2012, ARCEP decided to collect information on technical and pricing conditions for interconnection and data routing. The analysis of these interconnection data collected regularly for the period 2012-2016 was published for the first time in the report of 30 May 2017 on the state of the Internet in France (ARCEP, 2017).

Recent developments related to M&A have highlighted the importance given by regulators to interconnection. In the Charter Communications acquisition of Time Warner Cable and Bright House Network in the United States, the FCC imposed an obligation on the resulting operator to make interconnection available on a non-discriminatory, settlement-free basis to companies that meet basic criteria, something other commercial players say is consistent with both companies’ previous practices. Other conditions include addressing data caps, usage-based pricing for residential broadband, residential broadband build-out and more. In the same case, the Justice Department also examined whether the merger would allow the resulting company to become an unavoidable gatekeeper for Internet-based services, including online video distribution, that rely on a broadband connection to reach consumers.

Technological innovations are emerging as partial substitutes to regular international mobile roaming services, but competition is driving the greatest change

The IMR market continues to be transformed in OECD countries. Key factors driving this trend include technological change, commercial responses to increased demand and regulation (where competition has been determined to be insufficient). Furthermore, there is an ever-increasing range of technologies that allow consumers to bypass traditional IMR if they are willing to accept a degree of imperfect substitution. These technological paths, in one way or another, substitute the services of a home country provider, such as the complete substitution of an operator-specific SIM by one from an intermediary, such as Apple (Bourassa et al., 2016).

Over time, some of the technological alternatives to the use of conventional IMR services are overcoming aspects of imperfect substitution. An example is the Interphone sticker, which was introduced in September 2016. It enables the use of virtual SIMs from operators in participating countries, but critically enables the retention of a home country mobile number for incoming calls.8 That being said, while the rates in such an approach may be far lower than regular roaming, they tend to be much higher than obtaining a local SIM. On the other hand, if a user is willing to forego his or her mobile number and rely on data-only services, the emerging options are more propitious. Users of the Apple SIM on an iPad, for example, can select and pay local rates from two or more operators when visiting countries such as Japan and the United States without the need to insert a local SIM from the country. At the end of the day, however, all substitutes for SIMs from either the origin or the destination country rely on competitive markets. In other words, SIMs need to be unlocked for foreign use and there need to be participating operators in the visited country (i.e. without direct access to local rates, charges are higher than local rates via intermediaries).

The most widely used technological substitution for regular IMR services is Wi-Fi. In the past, while this option enabled access to data services and use of OTT telephony, it still had limitations in terms of the use of a regular mobile number. This is also changing; in March 2016, AT&T began to allow customers to use Wi-Fi when calling from abroad. These calls do not incur IMR charges, but rather the charges associated with the customers’ regular service plans. Offers called RLAH, appearing in an increasing number of countries, go a step farther. RLAH offers have become increasingly commonplace in countries such as France, Israel, Mexico, the United Kingdom and the United States and became mandatory within European Economic Area (EEA) countries from 15 June 2017, though they are conspicuously absent in many countries (see Annex 2.A3).

Regulation is emerging to ensure competition in international mobile roaming and affordable prices to the end user

The other substantial developments in IMR have been in the area of regulation. In Mexico, for example, the emergence of RLAH offers coincided with new market entry enabled by the lifting of foreign investment barriers. A further notable feature of the Mexican market, though believed to be nascent in its potential use, has been the introduction of MVNOs and the ability of those players to directly negotiate their own direct international roaming agreements. In many countries MVNOs do not have this ability and action to overcome such barriers could provide an additional option for countries that find that insufficient competition is developing in the IMR market.

The highest profile regulatory changes have undoubtedly been those in the European Union. In November 2015, the European Parliament and Council reached agreement on the Telecoms Single Market (TSM) (Regulation EU 2015/2120; European Parliament and European Council [2015]), which set out a timetable for further reductions in intra-EU retail roaming caps in April 2016 (to EUR 0.05 per minute for outgoing calls, EUR 0.02 per SMS and EUR 0.05 per megabyte of data). It also required RLAH to be subject to fair use criteria (to ensure that only periodic roaming would have to be covered) and sustainability criteria (to allow, in exceptional cases, a derogation from RLAH if roaming costs were not covered). The European Union approved a Fair Use Policy in December 2016, which details regulations to ensure the effective application of RLAH offers and to make certain that the most competitive domestic offers remain competitive (EC, 2016b). In January 2017, the European Union agreed upon a set of wholesale roaming rules defining the rates which EU operators can charge one another for use of their respective networks abroad, a final step to ensure the introduction of RLAH for periodic roaming by 15 June 2017 (EC, 2016c).

The TSM regulation followed three years after the previous roaming regulation (Roaming III), which came into force on 1 July 2012. In summary, that regulation had extended anti-bill shock and transparency mechanisms (including the EUR 50 data cap) to EU roamers travelling beyond the European Union’s borders and introduced retail caps for data for the first time, as in other countries like Canada. In Canada, the CRTC’s 2013 Wireless Code placed an automatic cap on international data roaming charges at USD 76 within a single billing cycle unless the customer explicitly agreed to pay additional charges. The TSM also established a mechanism for introducing structural solutions to decouple regulated mobile roaming services from domestic services, which were set out in European Union implementing acts following a consultation of BEREC and also provided for BEREC guidelines on wholesale access.

The European Union’s regulatory initiatives in the IMR market have provided a benchmark for many countries and have shown the role that regional bodies can play in significantly reducing prices and creating competition in IMR services. Israel, for example, used the European Union prices for bilateral agreements with Poland and the Russian Federation. Regional regulatory bodies are also active in this area, though they generally do not have the powers available to the European Union.

In the future, bilateral agreements should lead to price reductions and provide a paradigm for other countries to follow suit where there is insufficient competition (Bourassa et al., 2016). Some of these bilateral agreements have been undertaken between countries with free-trade agreements (FTAs) and could provide a framework to follow for other regions with FTAs. They could also help alleviate some concerns that bilateral or regional agreements may have to be opened up to third parties as part of most-favoured-nation obligations. Australia and Singapore updated and signed their FTA in October 2016.9 A key element of this agreement deals with IMR between the two countries. Notably, the agreement provides that either country, if it sees fit, may regulate wholesale rates and make these rates available to mobile operators from the other country. That being said, both countries subsequently had spectrum auctions that will lead to the introduction of a fourth MNO in each of their respective markets. Moreover, the same company (TPG) won the auctions to provide the new MNO in both countries. As such, the new entrant, looking to attract customers, is well placed to differentiate its services by offering improved roaming between these markets. If it does so, the tools available via the FTA may not be required. On the other hand, if competition does not address the high IMR rates between the two countries, authorities now have a regulatory mechanism to address this issue.

The most commonly used policies are government-funded innovation measures and training programmes

All countries surveyed for this edition of the DEO have policies to support the growth of the ICT sector. Most target innovation, investment or exports. Thirty-five of the 38 countries10 that responded to the ICT sector development section of the 2016 OECD DEO Policy Questionnaire reported having at least one policy that specifically supports innovation, compared to 24 with measures directed at expanding firm exports, 22 with policies that promote ICT sector investment and 15 with policies related to other ICT sector development (Figure 2.1). Comparatively, innovation policies seem to hold greater importance, as countries had 95 distinct policies to promote innovation in the ICT sector, as opposed to investment and exports, which had 54 and 48 policies, respectively.11

Figure 2.1. Policies to support ICT sector growth

Note: The total number of respondents for this question is 38. See note 9 at the end of the chapter for the list of countries.

 https://doi.org/10.1787/888933584507

This support is delivered through a variety of conduits, including tax incentives, loans, research and development (R&D) subsidies, export subsidies, block grants, and educational training programmes. Of all the policies reported by countries in the survey, 35% targeted SMEs and start-ups, while 22% were focused on companies in the ICT sector, 17% were open to all companies and the remaining 26% had other firm requirements.

The most prevalent governmental policy measure to strengthen the ICT sector is funding, which may include subsidies for companies to undertake further investment in infrastructure or R&D, or to encourage exports (Figure 2.2). Governmental funding programmes support ICT sector growth in 95% (36 out of 38) of the surveyed countries. As an example, Austria’s ICT of the Future programme provides financial support to companies that explore new ICT research topics and possible associated applications, and to encourage development based on these topics.12 Mexico and Turkey also offer subsidies to specific industries to encourage exports. Another form of governmental funding is through a venture capital (VC) fund, as is seen in the Czech Republic and Estonia.13

Figure 2.2. Policy initiatives to support ICT sector growth

 https://doi.org/10.1787/888933584526

Government-sponsored training programmes are also commonly seen as a way to develop expertise in ICT and thereby to promote innovation. These projects may be aimed at developing knowledge, sharing experiences and creating best practices, or providing expertise on a subject so that local firms can better compete in the market. For instance, the United Kingdom offers education materials on social media sales to businesses to improve their social commerce skills, while the Switzerland Global Enterprise and Spain’s Tech Center both advise companies on export promotion. The People’s Republic of China (hereafter “China”), Colombia and Finland are other countries which have implemented training programmes directed to the development of the ICT sector. Seventeen countries in the survey had some form of training programme, making it the second most common ICT policy after funding. Additionally, 14 countries offer a mixed policy approach, which often includes a training component in conjunction with other types mentioned above, like grants, subsidies, loans or tax exemptions.

Incubators and accelerators are popular tools to promote innovation in ICT start-ups and small and medium-sized enterprises

Several governments, in an effort to promote innovation, have launched initiatives aimed at helping start-ups or young SMEs through accelerators or incubators. Fifteen of the 38 respondent countries have such initiatives, making it the third most common ICT policy. While both accelerators and incubators share the same aim – to help starting businesses grow – their methods differ. Both types of institutions rely on a network of entrepreneurs to promote synergies and learning from other members, as well as some sort of mentorship, but accelerators also provide intensive education along with seed funding for the selected businesses in exchange for taking ownership of a share of the business. Given this initial investment, the competition is fierce for a spot in an accelerator’s portfolio, and the intensive period of education and mentorship usually culminates in a “Demo Day” after a few months (Hathaway, 2016). Among the governments that have taken this approach, for instance, the United Kingdom has set up the HutZero programme, which is an early-stage accelerator focused on cybersecurity. The programme offers an intensive period of business education and mentorship.14 Another example is Luxembourg’s Fit4Start programme, which accepts start-ups to make up a cohort two times per year with the winning start-ups having access to EUR 50 000 in funding in addition to “lean start-up” training and coaching to prepare the cohort for a final pitch at the end of four months.15 Brazil, France and Israel have similar programmes for start-ups and early-stage SMEs.

Other governments have adopted the approach of hosting an incubator in their country. An incubator usually charges its members a fee for access to shared office space, educational services and mentorship opportunities. The duration of the membership, from one to five years, is often longer than with an accelerator and the selection process is much less competitive (Table 2.1). In Denmark, the Danish Agency for Science, Technology and Innovation, together with the Ministry of Higher Education and Science, has launched the Innovation Incubator Scheme to help encourage start-ups early in their business development.16 Hungary, Latvia and Portugal have similar projects. Some governments, like Israel17 and Singapore, have recognised the value of these organisations for start-ups and have offered support. The Singaporean government’s Incubator Development Programme provides grant support of up to 70% of costs to enhance the capabilities of incubators and venture accelerators to assist and grow innovative start-ups in the country. However, the “business models” of these government-sponsored initiatives differ from their private sector counterparts. For instance, a government’s seed investment often does not result in partial ownership in the company once it has “graduated”, nor do chosen companies usually have to pay membership fees to partake in the incubator scheme.

Canada encourages both accelerators and incubators through the Canada Accelerator and Incubator Program (CAIP). In 2013-15, CAIP provided approximately USD 80 million over five years to outstanding business accelerators and business incubators. The funds are non-repayable. The Industrial Research Assistance Program collects data annually and will evaluate CAIP’s outcome after its completion in 2019-20. Other governments, such as Lithuania and Norway, have programmes where the government acts as a guarantor for start-up companies or SMEs to facilitate access to finance in their early development stages. For example, the Czech Republic, France, Italy, Latvia and Mexico offer governmental loans, some of which have preferential grace periods and interest rates, to companies.

Tax incentives are another tool used by policy makers from 15 of the countries surveyed. Brazil, for instance, offers tax breaks to investors who have bought debt issued by telecommunication operators to finance broadband infrastructure projects, as well as to the operators themselves who have investment projects to expand or modernise telecommunication networks. Other countries allow companies to depreciate the value of goods above the normal rate of depreciation; in Italy, for example, companies can depreciate new capital goods at a rate of 140% and high-tech purchases such as nanotechnologies, big data and smart materials up to a rate of 250%. Costa Rica, Lithuania, Sweden and Turkey also offer various forms of tax exemptions. Finally, many governments establish high-level strategies as a way to support ICT development at a broader scale, for instance in digital or innovation strategies.

Governments are offering their services online and focusing on becoming more efficient through the use of ICT tools

Policies to promote the adoption of ICTs by public administrations can be split broadly into three categories: the first involves creating or promoting e-government services for individuals; the second involves creating or promoting e-government services for firms; and the third is focused on improving the internal functioning of governments themselves and making them more transparent through the public availability of information. Each of these categories is given roughly equal priority in terms of the number of policies (Figure 2.4).

Figure 2.4. Policies to promote ICT adoption by public administrations

Notes: The total number of respondents for this question is 38. See note 17 at the end of the chapter for the list of countries. ICT = information and communication technology.

 https://doi.org/10.1787/888933584564

Policies to develop or promote e-government services for individuals and households are aimed overall at bringing governmental services for citizens online. This includes allowing citizens to pay their taxes, submit various forms and update their personal information online. Eighty-seven per cent of the countries surveyed have a policy of this type. By way of example, Colombia has several initiatives to migrate paper-based forms online; these include having a digital registry to track and update civil registration, medical records, and electronic documentation of education and military service. Colombia has also made some consular services available online, including for the issuance and renewal of passports. Switzerland has implemented an electronic voting system for voters abroad, and a few cantons have recently begun to offer this option for Swiss residents. Austria, Israel, Korea and Portugal are other examples of countries which offer various e-services for citizens. Along the same line of making governmental services more efficient by going digital, many governments have converted to solely digital media to communicate with citizens. Norway has adopted a “digital-by-default” approach, forcing citizens to actively choose to receive paper mail in lieu of receiving communication digitally via a secure digital mailbox. Austria and Lithuania have similar programmes for digital communication.

Given that many of these e-services include the transfer of personal data, some countries (slightly less than a quarter of those surveyed) have developed e-ID and e-authentication services to make these online services more secure. Policies specifically related to digital security and privacy are discussed in more detail later in this chapter, as well as in OECD (2016a). Therefore, the policies represented here may not be fully representative of all the security initiatives that countries have put in place.

Over half of the countries that responded to the survey have created a website to communicate relevant information related to the e-services provided by the government. Information dissemination and awareness of available e-tools is integral to stimulate further use of e-government services among citizens. It is also important that the site be easily navigable and that users can find related information on services. Several countries have “one-stop” websites, and some, such as Korea and Slovenia, even offer their websites in multiple languages to be accessible to foreigners living in the country.

Similar policies are directed towards firms. For instance, web portals for a “one-stop” point for e-government information and online submission of forms are also offered for businesses. Given that they often reduce the governmental administration burden both for firms and governments, it is no surprise that these services are also available to businesses. Online submission of forms, including online tax services, is by far the most common policy directed towards businesses, with 31 of the 38 countries having such a policy. Many countries allow all paperwork to be completed electronically for official registration as a legal entity (Latvia, the Russian Federation, Spain and Switzerland). Other examples of e-forms specifically for firms include e-invoicing for government suppliers (Belgium, Colombia, Norway and Switzerland); online licensing systems (the Czech Republic and Singapore); and online tax declaration, including value-added tax (VAT) and customs declaration (Israel, Korea, Mexico and Switzerland, among others). One-third of the countries surveyed have “one-stop” portals directed towards business users which contain more specialised information related to the establishment and registration of a legal business entity and provide links to access the required online forms. Austria, Denmark, Finland, Portugal and Spain are among the countries that offer such online business portals.

Unique to e-services for businesses is the large number of governmental processes directed towards a single online platform for public procurement. Such portals integrate all of a government’s buying and selling across governmental entities in one place. By making all government procurement specifications available via the Internet, companies have equal access to information, making the public procurement system more transparent. Japan’s “Government Electronic Procurement System” provides a good example of the various digital procedures incorporated within the e-public procurement process, including the public notice of specification, bid, open bill, conclusion of contract, performance evaluation on contract and payment. Just under half of the countries surveyed have such public procurement processes online, including many EU countries, Costa Rica, Korea, Singapore, Switzerland and Turkey.

Approximately one-third of governments are also reviewing the e-services available to firms in an effort to make internal processing of business administration more efficient and to reduce the regulatory burden where possible. This often entails sharing information among governmental offices more seamlessly, offering integrated services for business, and allowing firms to comment and file complaints with governmental services as a feedback loop to drive further improvements. Slovenia has established a Single Business Point, which aims to reduce the number and volume of data required of firms for reporting purposes and is in the process of a review to further reduce administrative burdens and simplify regulatory procedures. Canada has a number of initiatives to make internal processing more efficient for businesses. The Canada Revenue Agency is establishing a standard identifier for businesses to be recognised across the government. It is also implementing several service transformation initiatives such as single sign-on, real-time status updates and e-payments. In addition, to facilitate digital transformation, Innovation, Science and Economic Development Canada (ISED) is implementing a department-wide strategy to deliver innovative, integrated client-centric digital services to improve the ways in which businesses can access government services. Through this initiative, ISED aims to work closely with the Federal, Provincial, Territorial and Municipal partners to better engage clients. Brazil, the Netherlands and Singapore are additional examples of countries that are reforming their internal processes.

Open data portals and legislation for access to public sector information aim to improve transparency

The theme of governments “going digital” is central to policies aimed at improving internal governmental functioning, with over 80% of respondents reporting at least one policy to support the digitalisation of governmental functions. While related to the digitalisation efforts highlighted in the paragraphs above, these policies are more focused on bringing governmental documents and registries online, keeping them up to date and easy to find and access, and promoting zero paper policies through digital communication. Some examples of such processes include the Czech Republic’s electronic legislative library, which enables tracking of legislative documents, monitoring of comments and the secure storage of all versions. China and Costa Rica have implemented zero paper policies, while Canada, Japan and Poland have put in place electronic documentation management for the exchange, update and version control of electronic documents, as well as the disposal of obsolete documents within the public administration.

Sharing information between ministries is also a common theme. Approximately 60% of governments have policies to increase internal information sharing and collaboration, which includes ensuring interoperability between governmental platforms. By way of example, Colombia’s Interoperability Framework is an effort to help the state function as a single institution, and establishes a common interoperable platform for the seamless exchange of information. The Information Management Framework in Norway defines the data responsibilities of each agency, and is establishing a common framework to integrate the data from various agencies to create a common data directory. Finland, Israel, Luxembourg and the Russian Federation have similar policies in place.

Thirty-one of the 38 governments surveyed reported having at least one policy in place to increase public access to governmental information. These open data programmes have a dual aim: the first is to promote transparency and accountability within the government by making information available to the public. Chile offers an example of an open data initiative with such an aim, as it allows access to the public sector budget through its “Open Budget” platform. Brazil publishes all governmental expenditures online on its Transparency Portal. Both of these programmes are a step towards transparent governments. The second aim of open data initiatives is to promote access to and effective reuse of data, so that the data may be used for research or innovation towards the benefit of society. The objectives of the open data campaigns in Canada and Israel are indeed to increase public access to information to encourage innovation in the public sector and the society more broadly. However, that is not to say that open data initiatives cannot accomplish both aims; they can simultaneously encourage the effective reuse of data and increase the transparency of the public administration.

About 58% of the governments surveyed have legislation establishing public access to information and defining parameters on which information is publicly shared. The EU Directive on the reuse of PSI provides a common legal framework for public access to government-held data (EC, 2017a). The directive aims to promote transparency and competition in the market and focuses on the economic benefits of the reuse of information. EU member states were obliged to transpose the directive into national law by 2015, which all EU respondents to the survey had done at the time of writing. Brazil, Costa Rica, Japan and Mexico also have such legislation defining the PSI to which the public should have access.

Training programmes and subsidies are the most common types of policy to encourage the use of ICTs by individuals and households

A number of different policy configurations, both financial and non-financial, encourage individuals and households to use ICTs in their daily lives, with non-financial programmes being slightly more prevalent. Training in the use of ICTs is the most common non-financial policy, with over half of the countries reporting a policy of this type. Of these, 44% have policies that target specific disadvantaged groups who may lack basic ICT skills due to the digital divide resulting from income disparity, disability or age. Norway and Singapore have digital literacy programmes for seniors, while China targets rural communities, and Brazil and Israel target low-income households and individuals. Canada and Latvia both have training programmes to give jobseekers the skills needed in the current market; Latvia has allocated over EUR 100 million to training programmes under its NDS, to be disbursed from 2014 to 2020. Among the countries that responded to the questionnaire, Hungary, Latvia and Poland reported the highest budgets for training programmes. The “Enable IT” programme in Singapore aims to train persons with a disability to use assistive technology to better meet the demands of their daily lives, both personally and professionally. Several countries have programmes to “train the teachers” as a more effective way of disseminating ICT skills; China, Estonia and Poland have adopted this approach.

In addition to training programmes, governments also frequently conduct communication campaigns to promote digital technologies, e-services and ICT tools. These campaigns are generally directed towards a broad audience, with only around one-quarter being targeted to a specific group. Most of the campaigns, which are largely sponsored by governments in European countries, have the goal of promoting the safe use of the Internet. Finally, a smaller proportion of countries have projects to build telecommunication infrastructure to increase broadband access to previously underserved areas. Hungary, Lithuania, Luxembourg, Poland and Slovenia have projects of this sort, often incorporated within their respective NDSs. As these countries are all members of the European Union, these initiatives are likely related to meeting the European Union’s broadband targets of enabling access to all households at a speed of at least 30 Megabits per second (Mbps), and to half of all households at 100 Mbps by 2020 (EC, 2015). Costa Rica and Turkey both have similar initiatives, although these have more varied aims, like establishing public Wi-Fi access points or mobile telecommunication infrastructure.

Over two-thirds of policies that use financial incentives to support usage are specifically directed at disadvantaged groups who historically have had less access to ICT equipment or training, such as senior citizens, people in rural and remote areas without access to the Internet, or people from disadvantaged, low-income areas. Roughly 70% of financial-based policies come in the form of a grant or stipend to either purchase ICT equipment or services, like establishing broadband and paying for the service, or to be used towards classes in ICT skills. Israel offers a subsidy for low-income households to purchase personal computers as well as a three-year warranty on ICT equipment and optional ICT training. Other countries offering similar programmes are Austria, Canada, China, Colombia, Costa Rica, Hungary and Singapore. One-fifth also offer a tax incentive for an ICT purchase, as in Brazil, which grants an exemption on the purchase of smartphones, or in Denmark and Poland, which offer tax advantages for the installation of a broadband connection.

Policies supporting ICT usage in firms overlap with policies to develop the ICT sector overall

Encouraging the use of ICT tools in businesses can be done through both financial and non-financial means. Financial-based schemes are slightly more common, with 24 countries reporting 55 distinct financial policies, compared to 20 countries answering that they have 50 non-financial initiatives. Of the policies based on financial schemes, monetary support for the purchase of ICT equipment or towards ICT development is the most common, with 16 countries out of 24 using this method. Spain and Turkey both have programmes to encourage SMEs to adopt cloud computing solutions, while Singapore’s iSPRINT Programme enables SMEs to use smart technology as a way to boost productivity and growth. Other countries such as Belgium, Estonia, Hungary and Poland support investment in R&D infrastructure and the integration of ICT and e-business tools for the optimisation of business operation and management. France, Japan and Mexico have similar policies.

Roughly a quarter of the respondents reported having a tax incentive for ICT purchases or for R&D. However, other OECD work shows that 29 of the 35 OECD countries have an R&D tax credit (OECD and EC, 2017: 4). For example, Canada offers a tax incentive to any Canadian business conducting R&D and Japan offers various tax incentives for companies to increase investment in digitalisation and in facilities designed to increase productivity. Meanwhile, Singapore’s productivity and tax credit allows eligible businesses to deduct up to 400% on expenditures incurred on prescribed activities that promote innovation and productivity, and China offers a VAT exemption and income tax reductions for SMEs.

Policies that are not directly financial are more concerned with increasing the use of ICTs by business by offering targeted training. Training accounts for over half of the individual policies reported by countries, with 10 of the 20 countries having at least one such training programme. The training itself is mostly focused on the digitalisation of business services, e-commerce or on the effective use of digital media. Germany’s “Trusted Cloud” training programme helps SMEs gain an understanding of cloud computing and its possible applications within their business. Australia and Switzerland offer training courses and information related to effective digital business management: Australia’s “Digital business kits” offer tailored tips for operating online, as well as case studies and support to businesses. Meanwhile Switzerland provides information on information technology (IT) infrastructure, IT security, and e-commerce and advises SMEs on the potential steps to make businesses more digital on its digital.swiss and SME portals.

The policies listed here, both for financial and non-financial initiatives, strongly overlap with policies directed at the overall development of the ICT sector. This is perhaps unsurprising, as increasing firms’ use of ICT and incentivising them to purchase ICT goods and conduct R&D is linked to increasing ICT sector development overall. However, only policies aimed at increasing ICT use in firms were used for this discussion; others related to supporting the overall development of ICT businesses through innovation and support of ICT industries, start-ups and SMEs were not included in the analysis as they have already been discussed. For a more detailed description of the policies to encourage overall ICT sector development, please see the end of the section on “Access and connectivity”.

Computing devices and Internet connections dominate public expenditures on ICT goods and services for schools

Questionnaire results indicate that the two most common types of government ICT expenditure policies involve financial support for either ICT equipment or Internet connections for public schools. Each of these types of policies has been implemented in about half of the respondent countries. A quarter of the countries also mentioned having policies for buying or developing digital learning materials, such as e-textbooks.

Several countries have implemented policies designed to help poor and/or disabled students to gain or improve access to ICTs. For example, Chile’s Digital Empowerment of Persons with Disabilities policy aims to improve access, participation, retention and learning for students with a disability or disease through the use of ICT. The programme delivers technologies and digital resources, including teaching training for the efficient use of those resources. Its purpose is to improve their pedagogical practices to give students a more inclusive and sustainable education. Costa Rica’s “Tecno@prender” programme is aimed partially at educational institutions in zones that have shown lower economic development. It supports curriculum development and the promotion of a meaningful learning process for students by providing ICT infrastructure and equipment as well as connectivity in educational institutions. Estonia has a needs-based support system for students who cannot afford digital devices or who have specialised digital device needs due to a disability. Israel provides assistance to 2 400 schools for buying ICT equipment, acquiring Internet access and supporting teachers in the use of ICTs, depending on the socio-economic level of their students.

A number of other innovative programmes were described in the questionnaire responses. Among these is Brazil’s policy for bringing broadband to rural public schools: to obtain spectrum for commercial operation of mobile 4G services, companies must provide free broadband Internet access (wired, wireless or via satellite) to rural schools. Colombia’s Democratizing Innovation in the Americas programme connects vulnerable young people (aged 15-25) from low-income backgrounds with ICT-related economic opportunities in their region. Luxembourg’s MathemaTIC is an interactive learning application (app) introduced by the Ministry for Education in all primary classes for 10-12 year-old students. They can access MathemaTIC 24/7 on any connected device, at school, home or elsewhere. Parents and teachers can use the app to track students’ learning progress. The app is also available in several languages. Mexico’s Digital Inclusion programme is notable for its breadth as well as the fact that it aims to prepare students for the 21st century by focusing more on creating information than consuming it. The programme provides connectivity and digital devices; training to promote teachers’ ICT skills and their ability to apply them in pedagogic activities; digital educational resources that will be curated and evaluated to ensure their quality and impact; initiatives that promote creativity and research for solving today’s social problems through ICT; and ongoing monitoring and evaluation that will allow the programme managers to find ways to improve it. About 2 million students and teachers are expected to benefit from this policy. Finally, through policies such as E-school bag, Slovenia has developed 30 interactive e-textbooks covering mathematics, sciences, languages, history, etc.

Some policies for developing students’ ICT skills are being implemented at very substantial scales. China, for instance, has a long-term policy that aims to give all primary and secondary schools full network coverage, including fixed broadband and Wi-Fi. So far, 87% of Chinese schools are fully covered. Poland aims to create a network connecting all of its approximately 30 000 schools via broadband Internet access by 2018. Turkey’s FATIH project will invest about USD 1.3 billion to equip all schools with broadband Internet connections and smartboards and to distribute tablets to 8 million students.

ICT literacy objectives in school curricula are expanding beyond proficiency in productivity software and coding

With respect to ICT literacy in state and national school curricula, objectives have branched out beyond teaching competency in coding and the use of productivity software such as word processing and spreadsheets. Several countries have recognised the need to provide students with the means to use ICTs safely and responsibly, as well. For example, Japan not only encourages its schools to familiarise pupils with computers and information and communications networks and to teach basic operation skills, but to provide instruction on information ethics and how to use information devices appropriately. Similarly, Portugal’s Seguranet Project promotes safe Internet and mobile device usage in the educational community. In addition to basic computer and programming skills and the use of software, Latvia’s school curriculum includes digital security.

Other countries’ ICT curricula include such topics as teaching students how to critically assess what they see online and encouraging them to take advantage of e-government resources. Singapore’s Media and Digital Literacy programmes, for example, aim to nurture discerning citizens who have the ability to evaluate media content effectively and to use, create and share content safely and responsibly. The Digital Poland programme, meanwhile, aims to enhance students’ ability to use the Internet and specifically includes the use of e-public services.

Of course, countries also continue to support educational opportunities for coding and general digital skills development, as well. Canada’s CanCode programme is an example of such efforts. CanCode will invest approximately USD 40 million over two years, starting in 2017-18, to support initiatives providing educational opportunities for coding and digital skills development to Canadian youth from kindergarten through high school.21

Policies in support of vocational training and higher education in ICT are common, may involve partnerships with the private sector, and sometimes aim to assist specific groups, such as the unemployed, women and the elderly

A large majority of respondents have policies in place to support vocational training and higher education in ICT. Frequently, but not always, these involve programmes that lead to a university degree or a vocational certification. They are also often funded entirely by the public sector.

However, several countries have formed partnerships with corporations, professional associations and other groups to fund and design programmes that produce trained personnel with ICT skills that match available jobs. Estonia’s Ministry of Education and Research, for example, co-operates with private sector partners and universities to support the IT Academy initiative. It promotes the further development of IT higher education through scholarships, summer schools, in-service training and IT curricula development, among other things. The United Kingdom has begun to offer digital degree apprenticeships, which are the product of a government-backed collaboration between employers and higher education institutions. These apprenticeships help employers to tailor graduate-level candidates to their business needs through on-the-job and academic training, while young people are given opportunities to study for an honours degree while they work.

Many policies are aimed at helping specific groups of people rather than students in general. Most common among these are programmes designed specifically for training unemployed people to begin new careers in ICT-related fields. The Czech Republic’s Ministry of Labour and Social Affairs, for example, has a nearly USD 100 million strategy to increase digital literacy and e-skills development among job seekers, including displaced workers. Turkey offers hundreds of vocational training courses to the unemployed to help prepare them for ICT-related occupations. The Netherlands has a programme called Make IT Work that is for highly educated but unemployed people who are looking for a new career in ICT. It retrains them for jobs such as software engineering, business analysis, ICT project management and ICT consulting. Israel’s Welfare and Social Services Ministry offers training and job placement in ICT specifically for disadvantaged populations. An innovative feature of that programme is that it includes grants to employers who give jobs to trainees. All of these programmes should help to soften some of the job displacement effects that are part of the digitalisation process.

The unemployed are not the only group that policy makers are aiming to assist with ICT training, though. In Australia, where only one in four IT graduates are women, the National Innovation and Science Agenda supports the improvement of gender equity and diversity in STEM (science, technology, engineering and mathematics) fields, including ICT, by increasing opportunities for women. Among the initiatives is a new grant programme designed to foster interest in STEM among women and girls. Luxembourg supports a programme with similar objectives called Rails Girls, an idea that began in Finland but is now a global, non-profit volunteer community. It promotes women-only coding classes such as app programming. Another group, the elderly, is the focus of an Austrian policy that supports a training course leading to a further qualification for ICT teachers and trainers who work with older citizens. In addition, a Colombian Ministry of Information and Communications Technology’s initiative called Apps.co has so far trained more than 65 000 budding entrepreneurs to develop their ideas into sustainable digital businesses.

A number of countries have implemented forward-looking programmes that strive to match current ICT training priorities with expected skills needs in various industrial sectors

In Belgium, for example, the Employment Agency of Wallonia carries out prospective studies on the expected impact of the digital transformation on occupations and skills in a wide variety of fields. The resulting catalogue of emerging and future jobs is then used to select training courses to be reinforced. Finland’s Ministry of Transport and Communications carried out such a study in 2016 specifically to find out what types of skills are needed by companies with respect to data use and intelligent robotics and automation. Spain’s Ministry of Energy, Tourism and the Digital Agenda has developed a white paper for the design of university degrees taking into account the differences in supply and demand of profiles related to the digital economy. To sum up, it is an effort for an early alignment between industry and the educational system within the digital economy. Meanwhile, the Latvian Ministry of Economics has made medium- and long-term forecasts every year since 2008 that enable the higher education system to better match the supply of IT specialists to the labour market’s demand for them.

Some countries have adopted a comprehensive strategy for ICT skills development targeting all segments of the population and all levels of specialisation, from general basic skills to research-level training in emerging technologies

For example, the recently launched Portugal INCoDE.2030 initiative on digital skills involves several measures organised around five priority lines of action – inclusion, education, qualification, specialisation and research – that respond to three challenges – citizenship, employment and knowledge. The initiative is a co-operative effort between government, business and other stakeholders. It includes measures designed to improve digital inclusion and literacy, the physical and cognitive access of the whole population to digital services, ICT programmes at all education levels, teacher training, analytic skills for a data-driven economy and society, production and diffusion of information, privacy and security, training for high value-added jobs, lifelong ICT learning, R&D for the production of new knowledge and advanced forms of ICT applications (including: big data, the IoT, and blockchain; information and intelligent systems involving artificial intelligence (AI) and human-centred computing; and computing and communication foundations involving quantum computing and other areas). The initiative has a co-ordination structure across all government sectors and involves tailored partnerships that pull together primary and secondary schools, higher education, vocational schools and universities, research organisations, businesses, civil society, and public administration agencies.

Many digital innovation policies involve support for innovation networks and better access to financing

Most of the policies for improving the conditions for digital innovation described by the respondents involve creating better access to financing or supporting innovation networks. With respect to financing, Brazil’s Ministry of Science, Technology, Innovation and Communications has a noteworthy programme called Project Inova Empresa. It provides businesses and R&D institutes with lines of credit and other financial support to promote innovation, including digital innovation. Initiated in 2013, Inova Empresa has a budget of up to USD 11 billion and has helped approximately 400 businesses and 140 R&D institutes in the ICT sector alone.

Germany has taken a multi-pronged approach to financing digital innovation. The Federal Ministry for Economic Affairs and Energy, sometimes in co-operation with the European Investment Fund, has developed a suite of five funds25 that provide different kinds of financing to innovative companies at various stages of development. For example, one fund provides equity to business angels for financing innovative companies in their early phases, while another is designed specifically to finance fast-growing but underfunded companies. Another fund teams up with investors from the private sector to provide VC to innovative start-ups and young technology companies, while another provides VC to innovative technology companies in the seed phase. Some of those funds have existed for more than ten years while others started in 2016. Altogether, they have a budget of approximately USD 4 billion.

Regarding innovation networks, Denmark’s Ministry of Higher Education and Science and the Danish Agency for Science, Technology and Innovation have helped to build 22 such networks. These networks offer companies access to the latest research and innovation trends within their respective fields of expertise. The networks also help companies to find collaboration partners on small- or large-scale research and innovation projects by connecting private companies, researchers, the public sector, technological service providers and other partners, both in Denmark and abroad. Each network receives a main grant of approximately USD 2 million from the agency for science, technology and innovation, but they also attract funding from other public and private sources. In all, 7 522 companies have participated in these networks and 5 348 of them have fewer than 50 employees.

In 2017, Switzerland’s Commission for Technology and Innovation will promote R&D projects concerning ICT with a minimum of USD 30 million. More than 40% of all start-ups coached by the commission will come from the ICT sector. Additionally, the Commission for Technology and Innovation has set up several theme-based national innovation networks that work on issues such as additive manufacturing, Industry 4.0, the digital economy, and interactive and imaging technologies. These networks will receive an annual payment from the government that ranges from approximately USD 200 000 to USD 400 000.

One programme that does not fit into either the funding or innovation network categories is a partnership between the UK Treasury and the Bank of England. Its purpose is to broaden access to payment systems for non-bank payment institutions. The objective is to allow FinTech payment firms to access payment systems directly. Currently, these firms must access payment systems via a bank (indirect access), which comes at a cost. Direct access is expected to boost competition starting in 2018, when the arrangement will go live.26

Finally, the questionnaire results show that 5 of the 18 countries that mentioned having at least one policy for improving digital innovation conditions specifically aimed their policy (or policies) at SMEs, while another 5 aimed their policy at start-ups. One might have expected a sharper focus on start-ups, or at least on young firms generally. As mentioned earlier, OECD research has shown that more than half of SMEs are older businesses, but it is young SMEs (less than five years old) that play a central role in enhancing innovation, growth and job creation (OECD, 2014b).

Another topic that received little attention in the questionnaire responses was efforts to build a regulatory environment in which businesses can thrive and fail. By reducing the cost and administrative burden of starting up a new company, governments can increase incentives to innovate. This includes implementing bankruptcy regulations that reduce the costs of failure and ease the legal procedures for restarting a business, which would better recognise the fact that innovation is risky and occurs through “trial and error” (Adalet McGowan and Andrews, 2015). Figure 5.5 in Chapter 5 provides a comparative view of the level of administrative burdens that start-ups face in various countries.

Inadequate or outdated regulation may also limit the returns that firms can achieve from their investments in digital technologies, as it can hold them back from entering new markets or developing new products or business models. For example, recent OECD work finds that product market regulation, employment protection legislation and ICT regulation have significant effects on the uptake of ICT hardware (DeStefano, De Backer and Moussiegt, 2017).

Few countries reported policies that boost investment specifically in ICTs or knowledge-based capital for the purpose of fostering innovation

While questionnaire results mentioned earlier show substantial policy activity with respect to stimulating both ICT usage by firms and ICT sector development generally, only 3 of the 35 countries that responded to the digital innovation section of the questionnaire mentioned a policy tailored specifically to increase investment in ICTs or KBC for the purpose of increasing innovation. Those policies were varied and included Colombia’s training programme to help IT and digital content businesses access foreign investment, Lithuania’s general financial support to SMEs that introduces e-business solutions for optimising business processes, and Mexico’s telecommunication sector reform that removed a cap on foreign ownership.

These results seem to indicate some limitations concerning the questionnaire, though, as they do not necessarily conform to findings in other studies. For example, the OECD has published lengthy reports on KBC and the many policies that countries use to stimulate investment in it (OECD, 2013a; 2015d). In the case of ICT-specific investment promotion instruments, one reason for their scarcity in the questionnaire responses may be that government measures overall have shifted from investment support to supporting R&D and innovation expenses, although they are increasingly counted as investment. Another reason may be that ICTs are considered to be a self-evident component embedded in any kind of investment and might therefore not be categorised separately or limited only to ICTs.

Ten countries listed at least one policy that may augment ICT or KBC investment, but those policies are more general measures, such as tax credits for all types of R&D or grants for investments in companies that are considered to be innovative.

The attention and resources devoted to policies for creating data analytics capacity is surprisingly low

As explained in Chapter 5, DDI holds great potential to create economic benefits and has already begun to deliver on its promise in many sectors. Overall, however, policy makers seem to be paying relatively little attention to their countries’ data analytics capacities.

That is not to say that nothing is being done. Some respondents mentioned formidable programmes. These include efforts such as setting up big data research centres and designing postgraduate degree programmes. One country, Colombia, has a national Big Data Strategy for its public sector, entailing a contract with the Massachusetts Institute of Technology that will result in a general architecture and pilot projects to showcase the use and benefits that big data analytics can bring to the public sector.

But in all, only eight countries described policies that were specifically about data analytics, and many of those were comparatively small steps, such as holding big data contests and conducting assessment studies. There was nothing in this area that approached the billions of dollars that are being spent on the other types of digital economy policies mentioned earlier.

New and proposed regulations for markets where digital technologies are changing market dynamics suggest that policy makers are focusing on online platform markets

Reflecting the potentially disruptive impact that online platforms such as Uber and AirBnb are having on existing industries, respondents mentioned the road transportation and accommodation sectors more than any others when asked to describe new or contemplated regulations for markets in which digital technologies are raising competition challenges. (Among the 18 respondents that reported such regulations, 8 listed transportation measures and 5 listed accommodation measures.)

The responses that provided information about the specific nature of the regulations, however, were split almost evenly between those that described measures to increase government control over digital technologies (7) and those that described granting greater freedom to or otherwise assisting digital technologies (9). In a few cases the measures contained both types of elements.

At first glance, the split may appear to indicate a difference of opinion among the surveyed countries about whether competition from disruptive digital technologies is to be welcomed or feared. The nature of the restrictive measures that are mentioned in the questionnaire responses, though, mainly reveals concerns for consumers and tax collection rather than worries about protecting incumbent firms. France’s recent Law for a Digital Republic, for example, imposed new rules for online platform operators, but they are largely aimed at protecting consumers’ personal data.27 Meanwhile, in the other category, new or proposed regulations reflect a desire to promote digital technologies. For example, Finland’s new Transport Code, adopted in May 2017, deregulates market access in the transport sector, including in the taxi market. The objective is to enable digitalisation of the whole transport sector primarily by removing regulatory obstacles to digitalisation and innovation, by being technology-neutral, and by introducing new rules on access to essential information of transport services through open APIs. In the second phase of the reform, Finland is considering applying the MyData model28 to further promote the adoption of the Mobility as a Service29 concept.

Countries’ policies for fostering digital content creation and diffusion do not follow a distinct pattern

Countries’ responses about digital content creation and diffusion reveal widely varying policies rather than a consistent pattern. The most frequently mentioned policy measure, digitising cultural resources and making them available online, showed up in only five countries’ responses. Some of the other notable policies include:

• Belgium’s “Infotelligence”, which allows francophone daily newspaper publishers to share the collection, processing, use and presentation of their information on an independent digital platform. Using big data and AI, it will allow publishers to better understand the behaviour and needs of their readers and to customise the supply of information. Consequently, the platform will offer readers better organised, more relevant content. An express aim of the project is to lead the sector away from international online giants such as Google, Apple, Facebook and Instagram.

• Colombia’s Apps.co initiative, mentioned earlier, helps to transform ideas for applications (apps) into sustainable businesses – including games, apps for the disabled and apps for the government. So far it has funded 84 projects at a cost of approximately USD 3.5 million.

• Israel’s “Campus” is an open, edX-based, national online education platform for high school students, underprivileged populations and government employees. It is projected to benefit between 100 000 and 200 000 people in 2017, rising to 1.5 million in 2019.

• Portugal has a somewhat different education-related programme called B-on (Biblioteca do Conhecimento Online), which is an online knowledge library that provides unlimited and permanent access for research and higher education institutions to full texts of scientific periodicals and e-books through nationally negotiated contracts.

A small number of countries have addressed the need for interoperable Internet of Things standards, but most have not

Only Germany, Japan, the Netherlands and Spain mentioned having efforts underway to promote the development and application of interoperable standards for the IoT.

This is an area where more policy makers could make important strides: recent surveys of potential cloud users have highlighted a lack of standards – specifically open standards – as one of the biggest barriers to their use of advanced ICTs such as the IoT (OECD, 2016a: 33). As an example, an executive survey by the World Economic Forum (WEF, 2015) indicates that lack of interoperability ranks behind security concerns, but before uncertain return on investments, among the top three barriers to IoT adoption. Fear of potential vendor lock-in is often the culprit, as users know they can become extremely vulnerable to price increases if they cannot practicably migrate to another vendor.

Policies for facilitating data (re)use across organisations and sectors are popular and take many forms

Policies for encouraging and facilitating data use and reuse across organisations are common among the respondents, with 28 of the 35 countries indicating that such policies are in place. Motivations generally revolve around a desire to encourage innovation in both the private and public sectors, improve public services, improve efficiency within government agencies, and promote open government.

About two-thirds of the data use and reuse policies focus on making government data available (or more available) in open formats. One popular measure is to create a national open data portal where the public can access a wide variety of open datasets. Alternatively, Chile holds an annual public hackathon, in which participants compete to develop the best applications using open public datasets. Since 2012, Portugal has had a National Digital Interoperability Regulation, which specifies a series of open formats and essentially states that the government must always provide information in open formats rather than in proprietary ones. Slovenia’s Act on Access to Public Sector Information similarly promotes open formats, as does Spain’s National Interoperability Framework, which includes a set of technical standards that cover all aspects of the digitalisation of public services. The Japanese government has taken many steps to improve the use of data (see Box 2.2 for details on some of them).

Other measures adopted by several countries, including Canada, Estonia, Israel, Latvia, Luxembourg and Spain, are based on the “once-only principle”. That principle holds that public agencies are allowed to collect data only if they are not already in another public sector database. In other words, if a company or an individual has already submitted data to the public sector, then that company or individual should not have to submit it again, but rather the public sector itself should cross-use data. That clearly motivates government agencies to adopt common formats and share data across organisational boundaries, though it may also raise data protection concerns.

One measure unlike any others mentioned in the survey has been implemented in the United Kingdom, where a working group consisting of industry experts from the banking, data, consumer and business communities developed an open banking standard in 2016. The standard offers guidance on how banking data should be created, shared and used by its owners and those who access it, so as to help people transact, save, borrow, lend and invest their money. The underlying idea was that enabling the sharing of data that banks have historically held will improve people’s banking experience. When securely shared or published openly using open application programming interfaces, the data can be used to build useful applications and resources to help people find what they need. For example, customers can look for a mortgage more easily, banks can find customers whose needs match up well with a new product, and businesses can share data with their accountants. That, in turn, will improve competition, and efficiency and stimulate innovation in the banking sector.30

E-health policy measures range from small steps to ambitious undertakings and tend to involve research funding, health data platforms or telemedicine

One example of funded research is the German Federal Ministry of Education and Research’s R&D programme for medical technology, which aims to stimulate patient-centred innovation, support high-potential SMEs and promote digitalisation in healthcare generally. Ministries in several other countries, such as Norway and the United Kingdom, have issued papers about how the health and care system could use technology, including e-health, to improve outcomes for patients and citizens.

Seven countries mentioned having policy measures to create platforms, standardise health records, and link healthcare procedures and services to the people who received them, the health professionals who provided them and the facilities where they were performed. Some of these systems, such as Brazil’s Unified Health System National Card (which operates through an electronic registry), have existed for years. Others, like Costa Rica’s Single Digital Health Record system, a platform to be used by primary healthcare centres of the Costa Rican Social Security Fund, are currently under development.

Finally, China, Colombia and Germany noted that they have telemedicine policies in place. The main purpose of these programmes is to extend healthcare to more places in a cost-effective manner. One telemedicine centre in China, for instance, is connected to more than 700 two-way satellite sites and more than 60 remote vehicle satellite mobile terminals that cover more than 1 300 locations across the country, facilitating remote diagnosis and treatment. Germany currently has more than 200 regional telemedicine projects underway.31

Overall, countries’ policy measures on e-health range from rather modest to immense. On the more modest end of the spectrum are projects such as building web-based medical appointment and cancellation systems. Towards the other end are efforts such as Germany’s R&D funding programme for medical technology, mentioned earlier, which has a ten-year budget of well over USD 500 million. China’s effort to develop big data for health and medical applications, meanwhile, involves building 100 regional clinical medicine data centres to give urban and rural residents standardised electronic health records and fully functional health cards. In 2016, the national population and health science data-sharing platform released data sets that included biomedical, basic medical, clinical, public health, Chinese medicine, pharmacy, population and reproductive health information. The total data volume was 49.1 terabytes, equivalent to about 20 billion single-spaced typewritten pages of data.

Countries have undertaken, or are contemplating undertaking, a wide variety of reforms and reviews of their regulatory frameworks in light of the digital transformation, many of which concern labour laws or sector-specific employment rules

Measures related to the digital transformation of jobs fall into two broad categories: those that have already been implemented and those that are about considering the possibility of regulatory reforms. In the former group are efforts that include:

• statutorily defining telework (Slovenia) and regulating the relationship between companies and teleworkers (Colombia)

• conducting ex ante and ex post reviews of the administrative burdens imposed by regulations, with digitalisation being an increasingly important factor (Switzerland)

• digitalisation and deregulation of transport and enabling the Mobility as a Service concept with data-related rules (Finland) and FinTech (Switzerland) sectors to remove barriers to the development of new services

• a comprehensive reform of labour law in light of the rapid development and progress of technologies (Lithuania; see the next subsection for more details on the new law).

The measures that involve ongoing considerations of regulatory reform in light of digital transformation include:

• possible changes to on-call time regulations for workers in the ICT sector (Estonia)

• deliberations on labour market regulations that are being challenged by the online platform economy (Norway)

• the design of a digital test concept for evaluating the suitability of all current regulations for meeting the challenges brought by digitalisation (Switzerland)

• a public, multi-stakeholder dialogue process on the future of work (Germany).

Germany’s dialogue process is a major effort. Entitled Work 4.0, it is part of a comprehensive review of labour market and social policies. In 2015, the Federal Ministry of Labour and Social Affairs initiated the process by publishing a green paper for discussion.32 The paper outlined the main trends, important areas for action and key social issues concerning the world of work in the future. It also contained a set of fundamental questions that initiated a broad dialogue about how society will work in the future. The questions were addressed with the help of experts from the fields of research and operational practice, social partners and associations, including trade unions helmed by the German Trade Union Federation. The Federal Ministry of Labour and Social Affairs published a white paper detailing policy proposals in late 2016.33

Norway’s deliberations on labour market reforms are also extensive. A committee is assessing the opportunities and challenges that arise from the sharing economy. Its work emphasises the potential for the more efficient use of resources. The committee is also focused on identifying regulations that are being challenged by the sharing economy, including labour market regulations. Its mandate includes:

• evaluating whether regulations should be adjusted to achieve a greater degree of symmetry between the sharing economy and traditional activities, and evaluating whether there are regulations from which certain players should be exempted

• assessing the potential effects of the sharing economy on labour, including employees and contractors; in this regard, the committee will also consider the consequences of more people being able to be self-employed and the need for changes in the rules that apply to this group

• examining regulations in individual markets where sharing economy actors are especially prominent, and considering whether it is necessary to change the regulations as a result of new technology or new business models.

Few countries have enacted entirely revised labour laws in light of the new forms of work enabled by digital technologies, but several have added new provisions and regulations to recognise developments such as teleworking and informal work contracts

Seventeen of the 35 countries that responded to this section of the questionnaire listed new labour laws, regulations or social partners’ agreements related to new forms of work enabled by digital technologies that they have developed or are currently developing. Among the specific new measures implemented or under discussion in those countries, new types of workers’ status and contracts were mentioned the most frequently.

For example, Austria’s Ministry of Labour, Social Affairs and Consumer Protection is currently observing and discussing trends on workers’ status so that it can be in a position to implement informed, appropriate measures to address the transformation of work and ensure employee protection. The ministry has its eye on phenomena such as crowd working, recruitment via Internet platforms and comparable new forms of work. It is particularly concerned about the risk that these phenomena could cause job insecurity and replace regular forms of work. Depending on the relevance of these concerns in the future, the ministry may have to develop instruments to maintain proper working and remuneration conditions. Linked to this example, Austria’s Industry 4.0 platform34 includes both social partners. Affiliates of the Austrian Trade Union Federation (Österreichischer Gewerkschaftsbund [ÖGB]) are taking part in the general discussions and various working groups.

In the Czech Republic, an amendment to the Labour Code is currently working its way through the legislative process. The amendment will change, among other things, provisions that concern work performed outside the employer’s site, such as telework. The new approach is that whenever electronic communications networks are used for off-site work: 1) the employer must provide the hardware and software necessary for the performance of the work, except when the employee performs the work using his/her own equipment, and to ensure, particularly in terms of software, data protection in case of their transfer; and 2) the employee must act so as to protect the data and information related to the performance of the work.

Similarly, Lithuania has just completed a full revision of its Labour Code, which now includes principles regarding the protection of employees’ personal data and the privacy of their personal lives. The code now provides that the exercise of the right of ownership to the ICTs used in the workplace must not infringe the inviolability of employees’ communications. Lithuania’s new Labour Code also introduced several new types of employment contracts: for apprenticeships, project work, workplace sharing and multiple-employer contracts.

Colombia is one of several countries that have set certain mandatory terms for contracts involving telework. Among the key issues that telecommuting contracts must specify are:

• the technology and required environment, and how to perform the work in terms of time and if possible space

• the days and times that the teleworker will carry out his or her activities for the purpose of defining liability in case of an accident and preventing ignorance of the legal maximum working week

• the responsibilities regarding custody of work items and the method of delivery by the teleworker when finalising the telework

• the security measures that the teleworker must know and comply with.

The international legal framework for trade in a digital world

International trading relationships are governed by bilateral, regional, and multilateral trade and investment agreements, which play an essential complementary role to domestic structural reforms. Multilateral action is of particular importance in promoting the mutual interests of countries in terms of trade liberalisation, locking-in domestic reform and building confidence between firms and the societies in which they operate.

Trade-related aspects of the digital transformation are covered under multilateral agreements and plurilateral agreements forged at the World Trade Organization (WTO). WTO agreements are technologically neutral, so disciplines pertaining to trade in goods under the General Agreement on Tariffs and Trade (GATT), or trade in services under the General Agreement on Trade in Services (GATS), apply equally in the online and offline worlds. Hence a wide range of WTO agreements are considered relevant to trade in a digital world, including the Agreement on Trade-Related Aspects of Intellectual Property Rights, the Agreement on Technical Barriers to Trade, the Information Technology Agreement and its recently concluded expansion, and the Trade Facilitation Agreement. Yet with rapid changes in technology, there is a discussion among WTO members about whether there is a need to update or clarify existing rules and commitments.

Already in 1998, in recognition of the growth of e-commerce and the opportunities it presented for trade, WTO members agreed to establish a work programme to examine trade-related issues concerning e-commerce (WTO, 1998). They also agreed not to impose customs duties on electronic transmissions. While the agreement not to impose customs duties on electronic transmissions has been extended at every WTO Ministerial since the initial agreement, the work programme has varied over the years.

As the digital transformation has progressively deepened, countries have also begun to include issues specifically related to trade in a digital world in bilateral and regional trade agreements. In addition to specifying that general provisions of the agreement also apply in the online world, some bilateral and regional trade agreements include specific chapters on digital services, e-commerce and telecommunication. While agreements vary, these chapters sometimes include:

• measures that prohibit the imposition of customs duties

• measures aimed at non-discriminatory treatment of digital products

• measures that promote paperless trading

• measures that prevent the imposition of localisation requirements for computing facilities

• measures protecting the movement of cross-border data flows

• measures regarding privacy online

• measures on data protection

• measures ensuring enforceable consumer protection for online transactions

• restrictions on certain types of Internet content (e.g. routing traffic to domestically owned firms, blocking particular sites)

• measures to restrict the imposition of mandatory requirements to transfer or provide access to a software’s source code

• measures concerning unsolicited commercial electronic messages (i.e. to advocate for the effective regulation of unsolicited spam and telemarketing)

• measures promoting strong and balanced copyright protection and enforcement.

In this respect, current and future negotiations of bilateral and regional trade agreements, which increasingly touch upon some of the emerging and complicated trade issues, as well as discussions within the WTO context, will most likely pave the way to further developing the trade-related aspects of the digital transformation.

Nearly half of the countries surveyed have included trade-related aspects of the digital transformation in their bilateral or regional trade agreements

Eighteen of the 35 countries that responded to the digital transformation section of the questionnaire indicated that issues related to trade in a digital world have been included in their bilateral or regional trade agreements. Within such agreements, five of the topics in the list above appeared with roughly equal frequency: 1) privacy on line; 2) cross-border data flows; 3) consumer protection for online transactions; 4) restrictions on certain types of Internet content; and 5) prohibitions on the imposition of customs duties.

Chile provided an extensive response and has provisions of nearly all the types mentioned above within its trade agreements. See Box 2.3 for more information on those provisions, most of which were mentioned by other respondents, as well.

Capacity building focusses on education and skills development

Demand for cybersecurity specialists has increased significantly in recent years but supply has remained low. Increasing the current pool of skilled digital security and risk management professionals is a policy objective for 31 of the 33 countries that responded to this section of the questionnaire. According to Burning Glass, in the United States, online job postings for digital security professionals took approximately 14% longer to fill than the average for all IT jobs. Digital security talent shortages are reported by all countries.

Among the main barriers to attracting more individuals to digital security professions, countries mentioned low awareness of career opportunities, which is compounded by the limited statistics on job offerings and absence of a standard higher education curriculum. Today, digital security is part of specialised postgraduate programmes, certifications or professional trainings, whereas what is needed is a system in which digital security skills are honed from primary to secondary education, university as well as work-based training.

Countries are introducing a wide range of policy measures and initiatives aimed at addressing the digital security skills gap. In the United States, the National Initiative for Cybersecurity Education is a partnership between government, academia and the private sector focused on cybersecurity education, training and workforce development. In 2017 Luxembourg created the Cyber Security Competence Centre, based on a PPP with the objective of delivering cybersecurity services and training. In the United Kingdom, the National Cyber Security Centre established in 2016 aims to work with industry, government and academia to support the next generation of researchers, students and innovation. In France, the National Digital Security Agency has recently launched a number of training and professional certification initiatives (e.g. CyberEdu, SecNumedu) in collaboration with universities and the private sector. Korea’s MSIP/KISA provides scholarships for digital security college students, including budget support for universities.

Steps are being taken to promote digital security risk awareness and to foster good practice in small and medium-sized enterprises

When asked about the three most pressing digital security challenges affecting economic and social activities, most countries responding to the survey mentioned cyberattacks against small firms or cyberattacks that disrupted or prevented economic and social activities and cybercrime/cyberespionage that involved the theft of digital intellectual property and assets.

SMEs, and early-stage start-ups in particular, are critical to economic growth; they drive competition and innovation, and contribute to job creation. They also face distinct challenges in managing digital security and privacy risk. A digital security incident that can result in a loss of consumer trust, damage to reputation or a drop in revenue may be more damaging for an SME than for a larger company because they are more likely to find it difficult to weather a temporary loss of customers or revenue. As well, SMEs may not have the resources or expertise to effectively assess and manage risk. On the positive side, SMEs that are aware of the risk and can demonstrate they have robust digital security and privacy practices may have a competitive advantage when seeking partnership opportunities with larger organisations.

Promoting digital security risk awareness by SMEs was a specific objective of 82% of countries. However, only 46% of countries who responded have developed specific incentives (rewards and/or sanctions) for business to promote digital security risk management. Japan and Korea provide tax incentives for companies that invest in digital security products.

The United Kingdom also requires that “only companies that have a valid Cyber Essentials certification can supply central government with any services that require the processing of personal data”. The Cyber Essentials scheme identifies some fundamental technical security controls that an organisation needs to have in place to help defend against Internet-borne threats.

Lithuania can apply “economic sanctions” against companies that do not meet legal obligations regarding digital security.

Countries use a wide range of other policy measures and actions to promote digital security risk management as a business priority. These include:

• toolkits and good practice guidelines

• training courses for entrepreneurs and employees

• guidance on effective de-identification/anonymisation/pseudonymisation practices

• updating and maintaining privacy-enhancing measures (such as encryption)

• audit controls

• risk assessments (privacy impact assessments and threat risk assessments)

• up-to-date and revised information-sharing agreements.

Nineteen out of 33 countries reported that there was interest in digital risk insurance (cyberinsurance) as a market-based approach to manage business risk. Insurance coverage for digital security risk is viewed by these countries as a means for companies and individuals to transfer a portion of their financial exposure to insurance markets. Insurance companies can also potentially contribute to the management of digital security risk by promoting awareness, encouraging measurement and providing incentives for good practice. Those same countries generally have considered measures to encourage businesses to adopt digital security risk insurance. The digital security risk insurance market is still developing, however, and countries that did respond reported that they were just looking at how policy in this area could be applied. Canada, for example, reported that it is in the early stages of assessing this issue as part of its cyber review.

These opinions are reflected countries’ responses when they were asked to rank, in order of relevance, eight main obstacles to the adoption of risk insurance in their countries (Table 2.2).

The top two obstacles for most countries were:

1. Lack of actuarial models: More comprehensive data on the frequency and impact of digital security incidents (and the related claims payments) is needed for the development of actuarial models and to provide more confidence in the underwriting of insurance coverage for digital security risk.

2. Cost of insurance premiums: The premiums for digital security insurance per million in coverage has been estimated to be three times more expensive (for the same amount of coverage) than general liability coverage and six times more expensive than property coverage.

International co-operation enables progress on information sharing and at the technical level

Facilitating international co-operation on cross-border digital security issues is a priority for all responding countries. Countries mentioned a large number of initiatives aimed at improving international collaboration particularly to promote greater information sharing and exchange on digital security incidents.

The European Directive on Security of Networks and Information Systems (NIS Directive) adopted in 2016 represents a very significant step in this direction. The directive requires EU member states to increase their preparedness by establishing a Computer Security Incident Response Team (CSIRT) and a competent national authority in charge of digital security, and to improve strategic co-operation and exchange of information with each other. Additionally it requires EU member states to adopt appropriate measures to promote of a culture of digital security risk management. Member states are also asked to “ensure that the competent authorities have the necessary powers and means to assess the compliance of operators of essential services with their obligations”, which includes an obligation to notify incidents having a significant impact on the continuity of the essential services they provide.36

The NIS Directive’s aim is to create a collaboration framework, within which member states and the European Commission can share early warnings on risks and incidents. Co-operation is facilitated by the creation of a single point of contact in each country; the establishment of a “Co-operation Group” with representatives of the member states, the European Commission and the European Network and Information Security Agency; and by the creation of a CSIRT Network. EU members have until May 2018 to adopt appropriate laws and regulations to comply with the directive; some countries such as France37 and Germany38 have already adopted legislative and regulatory measures in this area.

In accordance with its International Strategy for Cyberspace, the policy priorities of the United States are to promote innovative open markets; enhance security, reliability and resilience of global networks; and extend law enforcement collaboration. There are many venues and forums in which the United States promotes information sharing. A key area of focus is information sharing between CSIRTs with national responsibility. Accordingly, the US government works closely with foreign authorities, as well as through international and regional organisations focused on cybersecurity information sharing. Similarly, Australia partners with international law enforcement, intelligence agencies and other computer emergency response teams. The country is planning to appoint a Cybersecurity Ambassador who will identify opportunities for practical international co-operation and ensure Australia has a co-ordinated, consistent and influential voice on international cybersecurity issues.

Canada’s Computer Emergency Response Team (CERT) works with the international CERT community in an effort to address and co-ordinate responses to serious cybersecurity incidents. In Colombia, the “National Digital Security Police of Colombia, through the Police Cyber Center, is part of international agreements and alliances in order to report incidents.” Latvia has a memorandum of understanding (MOU) in place for co-operation in cybersecurity with Estonia and Lithuania. Separate MOUs cover agreements with Azerbaijan and Kazakhstan and Georgia. Spain highlighted the role of the international Forum of Incident Response and Security Teams (FIRST)39 in co-ordinating incident reporting. France is actively promoting its approach for the protection of critical infrastructure to other countries. It will also be part of formal collaborations in Europe as a result of the implementation of the NIS Directive including the “European network of CSIRTs”. France is also participating in CERT-level co-operation groups (TF CSIRTs, FIRST, NatCSIRT, AfricaCERT), bringing together CSIRTs around the world. Finally, 24 OECD countries, 13 partner economies, 8 international organisations and 11 companies have joined the Global Forum for Cyber Expertise launched in 2015 in the context of the Global Conference on Cyber Space. The objective of the Global Forum for Cyber Expertise is to exchange best practices and expertise on cyber capacity building. The aim is to identify successful policies, practices and ideas and multiply these on a global level.

Awareness, skills and empowerment are the most frequent policy levers used by governments to promote privacy protection

To better protect privacy, it is necessary to be both aware and well informed about all potential privacy risks. Policy makers and privacy enforcers recognise raising the level of awareness, skills and empowerment as a key lever to better address privacy risks (OECD, 2016g). In fact, enhancing privacy awareness and education is the most frequently adopted policy measure, in particular by privacy-enforcement agencies. Most agencies do so by providing guides and good practices, including offline or online publications; online publications are usually available through dedicated websites. Some agencies provide templates to help organisations develop privacy notices or privacy management plans such as in the case of the Office of the Australian Information Commissioner (OAIC). The OAIC developed a specific privacy management plan template for public sector agencies.42 The EU GDPR requires data protection supervisory authorities to carry out awareness-raising activities addressed to data controllers and processors, as well as to individuals, in particular in the educational context.

Many government agencies are reaching out to the public through events such as conferences, consultations and workshops. While some of these events aim to provide the public with basic knowledge and a better understanding of privacy (see, for example, regular roadshows and talks organised by Singapore’s Personal Data Protection Commission [PDPC] to educate the public on the importance of protecting their personal data), others are dedicated to more specific and advanced privacy issues. Examples of the latter include public workshops organised by the US Federal Trade Commission (FTC) to examine the privacy and security implications of emerging technologies, including smart TVs, drones and ransomware, and to discuss what impact those changes will have on the marketplace, or a series of public debates on the ethical questions raised by algorithmic decision making initiated in January 2017 by the CNIL in accordance with its new mission of looking at the ethical and societal issues raised by digital technologies. Several agencies are also using media, including in some cases serious games, to raise awareness about privacy issues. The Israeli Law Information and Technology Authority, for instance, initiated a comprehensive plan for media appearances in television, radio, newspapers and on the Internet with regards to the importance of the right to privacy, data protection and the related risks. The CNIL, as another example, has organised a web campaign based around a serious game called “Fred et le chat démoniaque” to illustrate privacy risks associated with the dissemination of digital content.

Education and training programmes also rank highly among the measures adopted by governments to promote privacy. While most of these measures target students and teachers (mainly in primary and secondary education institutions), others focus on adults working in the public sector. In 2015, for example, Canada’s Office for the Privacy Commissioner created and distributed a classroom activity to schools across Canada to help teachers familiarise students with privacy policies and issues related to the collection of personal information online. In Norway, the Center for ICT in Education together with the Data Protection Authority put in place an initiative, DuBestemmer (YouDecide), to disseminate teaching resources about privacy and digital responsibility for children and young adults aged 9-18. Focusing on government officials, the Japanese Ministry of Internal Affairs and Communications developed a course about the implications of privacy within the government. There are also some notable education programmes aimed at the private sector, such as the “Start with Security” initiative by the FTC (2015), which highlights the key data security principles for businesses of all sizes and in all sectors.

In terms of mechanisms for enhancing empowerment, most governments have measures to simplify privacy complaint procedures, such as introducing digital services,43 and in some cases emphasising the introduction and/or simplification of compensation claim procedures.44 A recent development is the implementation of mechanisms to enhance individuals’ access to their own personal data, such as the provision on the “right of data portability” included in the EU GDPR. Other countries have also implemented or are considering implementing similar rights. For example, the Blue Button initiative of the US Department of Health and Human Services allows patients to download their health records quickly and securely. The Israeli Law Information and Technology Authority, as another, published draft guidelines for public consultation according to which service providers must transfer consumers’ electronic transcripts of phone conversations or chats upon their request. All these mechanisms are in line with the Individual Participation Principle of the OECD Privacy Guidelines: In the world of big data, data portability seems the only reasonable means to provide data “in a form that is readily intelligible to [the individual]”. This is because data portability enables the individual to apply data analytics and related services to his or her own personal data to gain the knowledge needed to “challenge data relating to him”. However, questions on how best to implement data portability remain unanswered.

Fostering privacy as a business priority and supporting related innovation rank high among government policies

While regulatory developments are ongoing, there is increasing understanding that regulation is only one element in strengthening privacy protection. A recent development, for example, is the promotion of privacy as a business opportunity. Governments have adopted different types of approaches to achieve this objective. A large majority of governments rely on awareness-raising campaigns as discussed above. The Finnish Ministry of Transport and Communications, for instance, organises the Digital Business Forum on Data Protection two to three times a year with the goal not only to help companies prepare for GDPR implementation, but also to see data protection as a business opportunity. Similarly, the Israeli Law Information and Technology Authority has highlighted in its Vademecum for Business45 ten best practices that can improve not only a firm’s corporate social responsibility image, but also business performance, essentially by increasing consumers’ trust.

Many governments are also implementing certification schemes to increase business’ incentives to implement effective privacy-enhancing processes. In Korea, for instance, the Korea Communications Commission incentivises businesses to obtain the Privacy Certification by reducing fines or postponing sanctions when a certified business faces a privacy violation investigation due to a personal data breach. Similarly, in the United Kingdom, the Information Commissioner’s Office is currently planning a privacy seals programme that could act as a “stamp of approval” demonstrating good privacy practice and high data protection compliance standards. In some other cases, governments are promoting privacy as a business priority by emphasising the link between digital security and privacy protection. For instance, this is the case in Mexico, where the Federal Institute for Access to Public Information and Data Protection provides a table of functional equivalence between digital security standards and in collaboration with the Spanish National Cybersecurity Institute has developed a strategic plan to help organisations improve their digital security when processing personal data. Last but not least, the EU GDPR creates the possibility to implement certification schemes that will help data controllers to demonstrate compliance and individuals to assess the level of data protection afforded by products and services. These certification schemes might be used both to demonstrate compliance with the new rules for processing operations at the EU level and to provide adequate safeguards for international data transfers.

R&D is being increasingly promoted by governments to address privacy issues arising from emerging technologies such as the IoT. Governments are also promoting R&D in privacy-enhancing technologies (PETs), including anonymisation and cryptography technologies and techniques, as well as their adoption across organisations. While it is true that most countries have policy measures that aim directly or indirectly at the promotion of (academic) research (the “R” of R&D), policy measures promoting the development of business-relevant technologies and applications (the “D” of R&D) as well as new business models remain rather rare. Very few countries have established funding schemes to directly support privacy-related R&D and innovation. But there are positive exceptions: France’s Investments Programme for the Future (Programme d’investissements d’avenir) supports the development of PETs. In October 2015, a call for projects was launched within the programme to mobilise up to EUR 10 million for innovative companies in three areas: 1) the anonymisation of personal data; 2) the protection of privacy in the context of the IoT; and 3) innovative privacy architectures, such as distributed architectures. The objective of this call for projects is to encourage good practices in PETs and to support companies in developing commercial solutions. Another example is SPRING Singapore, an agency under the Ministry of Trade and Industry that developed a funding scheme (the Capability Development Grant) to promote the adoption privacy-enhancing processes in SMEs. Up to 70% of the project cost of an SME for enhancing its privacy measures are covered by the grant.

While most governments engage in international collaboration, many still lag in co-ordinating their own domestic privacy policies

International co-operation remains and will continue to be an important policy area for privacy protection as the volume of cross-border data flows increases. Governments ranked the potential incompatibilities of legal regimes as a key rationale in favour of international co-operation, above the lack of resources to address international privacy issues and existing restrictions on international data sharing, including the current practices of law enforcement and intelligence agencies to collect or exchange personal data internationally. Of the 34 countries responding to this section of the questionnaire, 26 could name at least one initiative through which they co-operate internationally. Participation in the Global Privacy Enforcement Network was most frequently cited as a key arrangement for privacy co-operation, beside the Article 29 Working Party (in the case of EU member states) and the Asia-Pacific Economic Cooperation (APEC) Cross-border Privacy Enforcement Arrangement (in the case of APEC countries). Furthermore, the APEC Cross-border Privacy Rules System (CBPRs) (APEC, n.d.), a third-party certification mechanism of an organisation’s privacy protection policies and practices, which is based on the OECD Privacy Guidelines, is growing steadily. As of June 2017, Canada, Japan, Mexico and the United States had joined the CBPRs. Korea had applied and the Philippines, Singapore and Chinese Taipei were considering participation. In Japan, the CBPRs is considered a requirement for cross-border personal information transfer. APEC and the EU are discussing ways to promote interoperability between binding corporate rules under the EU Directive and APEC/CBPRs regarding both the applicable standards and the application process under each system. In addition, for the European Union and the United States, an important development has been the establishment of the EU-US Privacy Shield Framework, which ensures the free flow of data from controllers/processors in the European Union to Privacy Shield-certified US companies while guaranteeing a high level of data protection.46 Also worth mentioning are the new provisions on international co-operation for the protection of personal data in the EU GDPR that are focused on facilitating effective enforcement co-operation, providing international mutual assistance, and promoting discussion and the exchange of best practices with third-country authorities.

Privacy policy making and regulation involves multiple government agencies, including but not limited to privacy-enforcement agencies and ministries in charge of justice or legal affairs and the digital economy. But it also involves government agencies in charge of specific sectors such as healthcare, finance and transportation, to name just a few. This means that privacy policy making and regulation requires ongoing mechanisms or processes to ensure co-ordination and coherence of policy and regulatory developments and implementation. However, while most governments engage in international collaboration, in particular through their privacy-enforcement agencies, domestic co-ordination of national privacy policy and regulatory development remains poor in a number of countries. According to the responses to the 2016 OECD DEO Policy Questionnaire, a third of all responding countries do not have an ongoing mechanism or process in place to ensure co-ordination and coherence of their privacy policies and regulations at the national level, and where countries report having such mechanisms in place, the extent to which these are effective remains uncertain.

In many countries privacy policy co-ordination is achieved at different levels during policy development. This can involve cross-governmental working groups, national consultation procedures and PPPs. In other countries, a dedicated co-ordination body exists – in some cases attached to highest level of government (e.g. the Prime Minister’s Office) – to ensure co-ordination and coherence of policies and regulations across government agencies. This is the case in Israel, for example, where a central unit in the Prime Minister’s Office is evaluating the efficiency of Israeli regulations, including privacy regulations. In some countries, the introduction of a co-ordination mechanism was established in the context of the development and/or implementation of their national digital economy strategy (see Chapter 1). In the process of the 2015 launch of Digital Roadmap Austria, for instance, a co-ordination team was formed and more than 100 experts from all federal ministries as well as a number of local authorities and associations, social partners, unions and employers’ associations, and other organisations were involved. Subsequently, hundreds of citizens took part in an online consultation process. The resulting consultation paper was the basis for the present Roadmap. In other cases, the negotiation of the GDPR has been a driver to establish or enhance domestic co-ordination mechanisms in a number of EU member states. In Belgium, for instance, processes have been put in place to co-ordinate between the different public authorities, as well as to engage with the private sector during the negotiation of the GDPR. To what extent these co-ordination processes and mechanisms are still used and effective to ensure the continuous co-ordination and coherence of privacy policy and regulation remains to be seen. At the EU level, the new data protection legal framework provides for mechanisms to ensure co-ordination across member states. The consistency mechanism foreseen in the GDPR will help to ensure consistent application of the rules, in particular when a supervisory authority intends to adopt measures that may affect a significant number of individuals in different member states. Dispute resolution mechanisms and new ways of exchanging relevant information between authorities will also support co-ordination at the EU level.

The development of national privacy strategies promises to enhance a whole-of-government approach to privacy

Legislation continues to be the primary response to addressing personal data protection. Rather than being directed at all stakeholders, these laws typically impose obligations on organisations subject to the law and require them to grant individuals specific rights. As highlighted in the previous sections, there are a wide range of complementary measures such as education and awareness raising, which are often left to privacy-enforcement authorities or civil society bodies. While protection by the law is essential, privacy in an increasingly data-driven economy would thus benefit from a multifaceted strategy, reflecting a whole-of-society vision supported at the highest levels of government, as called for in the OECD Privacy Guidelines (Part 5) and more generally in Chapter 1 of the current report, in the section entitled “The current state of national digital strategies”.

The OECD Privacy Guidelines recommend that governments “develop national privacy strategies that reflect a co-ordinated approach across governmental bodies”. Along the model of “digital security strategies”, such multifaceted privacy strategies would help create the conditions for privacy protection to become a differentiator in the marketplace while providing the flexibility needed to capitalise on emerging technologies. They could also encourage R&D and innovation with respect to privacy by design approaches and help focus efforts by privacy-enforcement authorities and other actors. Co-ordinated privacy strategies at the national level would help foster co-operation among all stakeholders and lessen uncertainty in data flows.

While many countries have adopted national digital security strategies, very few have adopted equivalent privacy policy strategies, despite the need to introduce, or improve existing, co-ordination mechanisms as highlighted above. According to the responses to the 2016 OECD DEO Policy Questionnaire, more than half of the countries (18 out of 34) clearly indicated that they did not have a national privacy strategy. For most countries, including those that report having a national privacy strategy, the concept is either misunderstood or remains unclear.

Policy makers are beginning to grapple with the challenge of applying consumer protection frameworks to online platform markets

Online platform markets have steered debates in many OECD countries over how to regulate economic activity. In this area, regulators must balance competing considerations: appropriate regulatory measures can protect consumers but unnecessary or excessive regulation can impact the disruptive innovation associated with these platforms, thus reducing the benefits for consumers. When access to an online platform is a service in itself, the OECD Recommendation of the Council on Consumer Protection in E-commerce highlights that consumer laws should apply. Less obvious is whether and how responsibilities can be imposed on platforms for users’ actions (OECD, 2016c). In June 2016, the European Commission issued its “European agenda for the collaborative economy”, which is part of the Single Market Strategy. It provides non-binding guidance on how existing EU law should apply to the collaborative economy, including peer-to-peer markets, and clarifies key issues facing market operators and public authorities, such as consumer protection, market access requirements, liability if a problem arises, labour law and tax (EC, 2016d). In 2017, the Commission concluded a review of EU consumer protection laws, suggesting that enhanced transparency of online platforms could be one area for possible change (EC, 2017c).

A number of countries have recently looked into issues related to the development of online platform markets, along with appropriate policy responses, by conducting studies or organising events. In 2015, the US FTC held a public workshop entitled the “Sharing” Economy: Issues Facing Platforms, Participants, and Regulators” to examine competition, consumer protection and economic issues arising from the activity of the online platform markets. A staff report drawing on the workshop’s discussions and more than 2 000 public comments examines regulatory approaches to protect consumers and the public. One observation made by participants was that regulatory issues in these platforms may diverge from those posed by traditional suppliers. Moreover, online platforms are innovating at a rapid pace, which will likely require adjusting regulation as these platforms develop, thus requiring flexibility in regulatory approaches and avoidance of pre-emptive regulation (FTC, 2016).

In 2015, the Competition Bureau of Canada undertook a comprehensive study of the taxi industry in light of the rapid expansion and proliferation of ride-sharing services such as Uber. The aim of the study was to explore how existing regulations for taxi and limousine services could be adapted to govern ride-sharing services. The bureau concluded that regulators should both ensure that new regulations on ride-sharing services were no broader than necessary to achieve policy goals while also relaxing existing regulations on traditional taxis, with the aim of creating a level playing field. That way, consumers can benefit from lower prices, reduced waiting times and higher quality service. Ultimately, competition can ensure that consumers have the broadest range of products and services at the best possible prices (Competition Bureau of Canada, 2015).

Self-regulation initiatives such as codes of conduct, accountability measures and enforcement mechanisms interface with other policy initiatives and existing consumer laws. Sharing Economy UK in partnership with Oxford University and SAID business school recently developed the TrustSeal, the first trust mark for the sharing economy. It sets out minimum standards for businesses to ensure certain standards of business conduct. Trust mechanisms such as reviews and endorsements have sometimes been associated with a form of self-regulation, although it is difficult to assess the extent to which such mechanisms protect consumers.

Mechanisms for cross-border enforcement co-operation should be strengthened to protect consumers in e-commerce

The issue of cross-border barriers to e-commerce growth is discussed in Chapter 6. These barriers are affecting consumer trust in e-commerce as consumers may find it difficult to understand which rules apply to their transactions and what rights and responsibilities apply in case of a problem. The 2016 OECD Recommendation of the Council on Consumer Protection in E-commerce (OECD, 2016c) encourages countries to improve the ability of their consumer protection enforcement authorities to co-operate and co-ordinate with each other with a view to provide for effective consumer protection enforcement co-operation in the context of global e-commerce. One example at national level is the US SAFE WEB Act, passed in 2006 and reauthorised in 2012, which gives the FTC enhanced abilities to combat cross-border fraud, including through enhanced information sharing and investigative assistance powers that allow the FTC to co-operate with foreign counterparts. At the international level, the Econsumer.gov website, a project of more than 35 countries under the umbrella of the International Consumer Protection and Enforcement Network, helps consumer protection and law enforcement authorities gather and share cross-border consumer complaints that can be used to investigate and take action against international scams.

Within the context of its Digital Single Market Strategy, the European Commission is looking at different measures to reduce barriers to cross-border e-commerce, notably by removing key differences between domestic and global e-commerce marketplaces. In May 2016, the Commission put forward a proposal for the reform of the Consumer Protection Co-operation, with the aim of equipping EU enforcement authorities with the powers they need to better co-operate in cross-border investigations. It also made a proposal for a regulation on geo-blocking, a form of discrimination based on the place of residence. To improve and facilitate dispute resolution in cross-border online disputes, in 2013 the European Union adopted its Directive on Consumer Alternative Dispute Resolution and its Regulation on Online Dispute Resolution, which were followed in 2016 by an Online Dispute Resolution platform. This platform, available in 23 languages, assists consumers in finding access to bodies that offer online dispute resolution.

Some countries have engaged in bilateral agreements that facilitate cross-border co-operation on e-commerce issues. For instance, the Korea Consumer Agency has signed MOUs with the National Consumer Affairs Center of Japan, the Better Business Bureau and the Office of the Consumer Protection Board of Thailand, which sets out procedures for cross-border dispute resolution.

The complexities of global e-commerce supply chains highlight the need for greater co-operation to detect and deter the sale of unsafe products to consumers

The 2016 OECD Recommendation of the Council on Consumer Protection in E-commerce recognises that consumer product safety issues have become more challenging as global e-commerce supply chains become more complex. It calls for online businesses to not offer, advertise or market unsafe goods or services. It also encourages businesses to co-operate with the competent authorities when a good or a service on offer is identified as presenting a risk to the health or safety of consumers (OECD, 2016c).

In recent years, a number of market surveillance activities and enforcement actions have been undertaken by consumer product safety authorities in order to detect and deter unsafe products made available through e-commerce. This includes having in place organisations dedicated to e-commerce market surveillance, such as the “Control of e-commerce of Food, Feed, Cosmetics, Commodities and Tobacco” in Germany or the Electronic Commerce Surveillance Centre in France, and developing specific guidelines and strategies on market surveillance (OECD, 2016e). The 2016 National Market Surveillance Programme in Turkey includes market surveillance activities and procedures for detecting unsafe products (Turkish Government, 2016).

Co-operation between market surveillance and custom authorities as well as international co-operation between authorities is essential considering the important cross-border element of product safety issues. In the European Union, the RAPEX-China system enables information sharing on unsafe products between the EC and Chinese authorities. The Cooperative Engagement Framework between Canada, Mexico and the United States provides a framework for sustained and increased co-operation on consumer product safety in North America. Online sweeps, such as the OECD online product safety sweep conducted in 2015 in 25 jurisdictions, are also seen as an effective way of enhancing international co-operation (OECD, 2016e).