AI regulation: Competition, arbitrage and regulatory capture

1 Step 1: Regulating a Local Jurisdiction

Imagine that a given government must decide whether to regulate a new technology, reflecting its citizens’ beliefs about the potential benefits and harms posed by that technology. This government may decide that the new technology does not pose significant risks or that any intervention will be more harmful than the status quo, and therefore choose not to regulate it. If it decides to regulate, it must design the scope of the regulatory response.

In a normal first step, such a government would create a regulatory regime targeting behavior that takes place within their jurisdiction, aiming to modify the local impact of that new technology. For example, most environmental regulations are country-specific (tackling the sources of local air pollutant emissions in a given country), ^[5] and so are most criminal laws, labor laws, intellectual property regimes, or laws impacting freedom of expression. With some exceptions, the coverage of such regulations ends where a country’s borders end.

There are many reasons why a locally targeted approach is an optimal starting point for regulatory design:

1. Governments have a primary duty to protect their own citizens;

2. The enforcement costs of country-specific regulations are typically lower, as governments have a monopoly over the use of force in their own jurisdiction, as well as local agencies, staff, and other resources to effectively produce and process information on what is happening on the ground. Violations are therefore easier to detect and prosecute;

3. Most conduct can be effectively regulated at the domestic level without much loss to the effectiveness of the regulation; and

4. Extraterritorial application and enforcement of laws can be costly.

To understand these latter two points, we need to understand companies’ potential reactions—step 2 of this framework.

2 Step 2: Companies React: Compliance, Withdrawal, or Evasion

By definition, governmental regulations that impose local limits on the deployment of a new technology should require changes in how target companies conduct their businesses in that country, with a potential negative impact on such companies’ profits. In response, companies must decide whether to comply with or evade the new obligations resulting from these regulations (or a mix of both). ^[6] Evasion is defined here as the act of moving company activities to another jurisdiction with less onerous regulations for that given activity, still with the hope of supplying the product to customers in the original country. ^[7]

For now, let us assume the existence of a foreign country in the global environment with less onerous regulations. The corporate decision to comply with the new regulations imposed by country A, or to evade them by moving operations to country B, should be a function of how onerous the new regulation is to the company’s operations given the available evasion alternatives. Holding the onerous nature of the regulation constant, the costs for a company to evade regulation can depend on the production structure of a given good, including the costs of adapting the product to meet the new regulatory needs. ^[8] It also depends on how a product is delivered.

The costs of evasion may be higher, or even insurmountable, for companies providing goods or services that rely on large physical, indivisible assets located within a given country’s jurisdiction. That is because this physical presence increases companies’ exposure to the state’s police powers and potential forfeiture of the asset: some companies supplying physical goods might be able to move production elsewhere, but that would still require local imports. As governments can seize assets at ports or borders, evasion becomes mostly a function of the capacity of governments to identify and seize these physical goods. In this context, evasion may be profitable for small, easily disguised, and highly profitable goods such as drugs, but more difficult for bulkier, easily identifiable goods such as cars or construction materials. ^[9]

The costs of evasion, however, are much lower for the growing class of intangible goods and services characterized by low marginal reproduction costs and nonrival use. ^[10] These digital products or services can rely on the decentralized, difficult-to-control nature of the Internet to be supplied at a distance, facilitating decisions to engage in evasion. ^[11] There are multiple examples of this type of arbitrage. Companies have long offered gambling services online, even in jurisdictions where the practice is illegal—and while blocking these websites is not impossible, ^[12] it is difficult to implement and may have side effects (such as a need to centralize Internet provision to enable such blocking). ^[13] Google Books is another interesting example: when launching the product, Google ensured that the scanning of the books takes place in the U.S. so that Google could rely on the fair-use defense that U.S. copyright law provides against claims of copyright infringements. This strategy proved successful. The company successfully defended Google Books against copyright infringement claims in the U.S. under the fair-use doctrine, ^[14] while evading copyright liability in the EU: as the potentially copyright-infringing acts did not take place in the European Union, Google avoided EU copyright liability due to copyright’s territoriality principle. ^[15] While the service itself—Google Books—was accessible from the EU, it was only the “training” of the service (here: book scanning), not the deployment of the service (here: display of book snippets), that could have triggered EU copyright liability. Google arguably managed to evade that liability by engaging in product development location arbitrage. ^[16]

Sometimes regulations are so onerous and the costs of evasion so high that companies withdraw from a market. We explore this reaction in more detail in Part I.B below.

All in all, companies have differing economic incentives to engage in evasion when a new regulation significantly impacts their business. However, evasion seems to be a relatively rare scenario: firms—even those that deliver digital goods—do not always shift production to different jurisdictions whenever a new regulation is passed. As step 3 outlines, that is partially because firms understand that governments have powerful tools at their disposal that can make such evasion strategies even costlier.

3 Step 3: Regulators React to Evasion, Including by Adopting Extraterritorial Regulations

If companies choose to evade regulation, governments must then subsequently choose whether to tolerate this evasion or respond in kind by ramping up the regulatory regime. ^[17]

Detecting and addressing evasion at the local level may itself be costly. Building on the above example, identifying illegally imported drugs can be a difficult task that requires scanning the millions of products entering national ports (among others), making enforcement expensive. Technology can sometimes make it easier for authorities to detect violations—for example, AirBnB is prohibited from operating in some jurisdictions, and because its business model requires disclosing the locations of the rental homes it offers, regulators can rely on automated tools to detect and thwart evasion. But often there is no technological silver bullet to ensure appropriate enforcement.

An alternative (or complement) can be to expand the scope of the legal regime: governments—especially those of large countries ^[18]—may discourage entities from moving their operations abroad by establishing that their regulations also cover activities taking place outside of their direct jurisdiction. This cross-border shift helps close some simple loopholes, as companies can no longer escape regulation by simply moving certain activities to a different geographic location (as in the Google Books example).

Antitrust laws and the U.S. Cloud Act exemplify how corporate evasion can justify an extraterritorial shift. Antitrust laws began by covering solely violations that took place within a given country’s jurisdiction. The growth of international commerce and international cartels, however, led authorities in the U.S. and the EU to move towards an extraterritorial application of their laws, which they called an “effects-based approach.” ^[19] This new system allowed jurisdictions to prosecute cartel agreements whenever the net result of such agreements was an increase in domestic prices, no matter where the actual violation of the law (in this case, the agreement to raise prices) took place. Similarly, the U.S. CLOUD Act requires U.S.-based companies to provide American law enforcement agencies with any data they have stored in their servers—if so requested by a warrant or subpoena—no matter where the data/server is geographically located. ^[20] Congress passed the CLOUD Act in 2018 as an explicit anti-evasion measure, motivated by a 2^nd Circuit court ruling that Microsoft was not required to provide the FBI with emails that were stored in data centers in Europe.

Figure I

The Different Steps of the Local Regulatory Game

1 Step 1: Governments Again Start with Local Regulations

Regulators still decide whether to regulate a new technology based on their perceptions of whether or not the new product is harmful. The incentives here are largely the same: countries start by regulating local conduct through local laws, because if such local regulation is successful, they can receive the benefits of the regulatory regime without incurring the costs of having to police evasion.

However, regulators must also consider that other jurisdictions are simultaneously making the same determinations.

2 Step 2: Companies Comply or Evade. Regulatory Capture Influences Decisions

As in the local regulatory game presented in Part I.A, companies are now faced with the choice of compliance or evasion. However, international competition between countries allows companies to influence the regulatory rules of other jurisdictions by sharing part of the arbitrage rents these companies gain when they move their operations to other “low-regulation” jurisdictions. This is a form of regulatory capture, ^[21] but one that allows low-regulation countries to generate negative externalities to other countries, as they appropriate part of the evasion gains. Ireland, for example, has historically pitched itself as a low-tax, low-regulation jurisdiction within the EU. As more tech companies settled there—employing locals at high salaries and increasing Irish exports—Ireland was increasingly encouraged to cater to the local industry by further lowering taxes and regulatory requirements while externalizing the costs to other EU countries. ^[22] This has prompted other countries, such as Luxembourg and The Netherlands, to match incentives. ^[23]

The relative positions between countries start mattering more. As a result, the possibility of capture increases the likelihood of arbitrage, as companies can now directly induce the formation of low-regulation regimes around the world from where they can base their operations.

3 Step 3: Governments React: Extraterritorial Regulations, Harmonization, or Increased Fragmentation

The fact that capture is a possibility does not mean that it always happens. ^[24] Governments continue to have the ability to resist capture or arbitrage by increasing enforcement against companies that do not comply with their laws or by adopting extraterritorial regulations.

In other words, in the regulatory game we outline, regulators also behave strategically in at least two ways. First, they can continue to transition to an extraterritorial regime that diminishes the incentives for companies to move their operations abroad—the gains from arbitrage have to be very large for the evasion to be profitable. Second, capture can also lead to an inverse result, ^[25] that is, regulators shift their local laws to drive fragmentation, hindering international imports and favoring local industries.

To understand these dynamics better, one needs to consider the importance of scale for a given industry. If multiple countries employ extraterritorial regulations, a product or service relying on this technology might be subject to multiple (and often conflicting) overlapping obligations that companies cannot evade by moving the location of their operations.

This conflict of laws creates costs for companies in at least three different ways: (i) companies must spend resources and time to simply understand the different legal requirements (transaction costs); (ii) companies may be forced to adapt their product/service offerings to the requirements of the different jurisdictions, losing economies of scale typically associated with the supply of a homogenous good; and (iii) companies may lose benefits from network externalities, as overlapping regulations may force them to create regional versions of their services. For simplicity, we will refer to those costs as the loss of economies of scale, and we assume that losing economies of scale will make the underlying products that are regulated worse in quality and/or more expensive to supply. The more divergent the regulations across countries, the less scale a given company can achieve.

As discussed in Part I.A, different business models are differently impacted by losses in economies of scale. For the purposes of the regulatory game, what matters is the interaction between the business model and the level of regulatory divergence. Sometimes, regulatory divergences are small and scale is not important for the delivery of the underlying product, so the overall “tax” on a given company that tries to offer products in both jurisdictions is small. The U.S. and Europe, for example, have different consumer protection rules, ^[26] but many similar products are still sold across borders with changes in warranties and disclosures.

At other times, regulations differ significantly, forcing major product restructurings—multinationals engaged in international mergers are regularly required to divest specific assets in specific jurisdictions to appease local requirements from antitrust authorities. ^[27] Ultimately, extreme divergences in regulations may induce companies to exit a jurisdiction altogether—Google and Meta, for example, left China because they did not want to comply with some of the regulatory requirements imposed by the Chinese government. ^[28]

Importantly, the opposite dynamics can also happen. That is, if scale is very important to business models, large companies may voluntarily adopt strict standards or lobby countries to harmonize their regulatory regimes through international agreements. ^[29] We further explore these outcomes below.

As governments decide whether to adopt extraterritorial or local laws, they balance these considerations, and their perceptions reflect the different forms of lobbying they are subject to.

Figure 2 depicts the different steps of this game.

Figure 2

The Steps of the International Multiplayer Regulatory Game

4 Four Potential End-States

The ultimate result of the global regulatory game we have outlined depends on how much countries diverge in their initial policy preferences and how important scale economies are for companies’ operations. Figure 3 depicts the four most likely outcomes, mapping them on more traditional international governance arrangements: (i) the prevalence of multiple local regimes; (ii) international harmonization; (iii) unilateral dominance; and (iv) global fragmentation.

Which of these outcomes emerges for a particular case of technology regulation will depend on the relative benefits and costs to governments that stem from regulating the technology locally or globally, and to companies from abiding by or evading these regulations. These governance arrangements also have potentially different welfare outcomes.

Figure 3

Four Governance Outcomes

More specifically:

1. Multiple local regimes are the good version of a multipolar world. In this equilibrium, multiple local regimes coexist because (i) countries accept some levels of arbitrage to avoid a tit-for-tat war, and (ii) the costs of adapting products to local requirements are not high enough for businesses to voluntarily export stricter standards.

This system preserves sovereignty and potentially high levels of welfare, as it enables some differentiation according to national preferences without significant losses as to scale. Consumer protection rules are good examples of multiple local regimes coexisting. ^[30]

2. International harmonization occurs when countries and companies recognize that fragmentation is costly, pushing societies to bridge differences in regulatory preferences to safeguard economies of scale. The likelihood of harmonization is a function of how costly the fragmentation is vis-à-vis how different countries perceive the best mitigation strategies for the harms generated by the new technology.

Assuming that harmonization decisions are voluntary and well-informed, this should be a mostly welfare-enhancing outcome, as it preserves national sovereignty and scale. One example of this process is the evolution of antitrust policy. The rise of antitrust regimes around the world after the fall of the Soviet Union led to increasing conflict between different jurisdictions. These conflicts became increasingly costly—in particular in merger review. As a solution, countries like the U.S. started sponsoring the expansion of international bodies focused on coordinating antitrust policy, such as the International Competition Network and the OECD Committee on Antitrust Policy. ^[31] These were attempts by a leading jurisdiction to foster international harmonization by “educating” developed and developing jurisdictions on what a sound antitrust policy was supposed to look like. ^[32] Similar beliefs that harmonization would be more beneficial than a tit-for-tat war led to the expansion of the World Trade Organization and the lowering of trade barriers. ^[33] In related fashion, the EU actively uses bilateral and multilateral trade agreements to extend its regulations to other jurisdictions. ^[34]

3. Unilateral imposition of a regulatory regime (Brussels effect): In some cases, policy divergences prevent international harmonization through governmental cooperation. An alternative outcome, then, is for companies to sponsor this harmonization by adopting a single product/service in all the jurisdictions where they do business, regardless of the local requirements. This is the so-called “Brussels effect,” which takes place when a large country with significant regulatory capacity adopts a strict regulatory regime that governs a mostly inelastic and indivisible asset. ^[35] Companies, then, decide that economies of scale are more important than regulatory fragmentation and voluntarily adopt the stricter regulation in a way that leads to a de facto leader in international regulation. The divergence in policy preferences, however, is not so high that other countries force companies to adhere to their own laxer national regulatory standards. One example of the “Brussels effect” in action is Apple’s voluntary worldwide adoption of USB-C type connectors for all its iPhones from model 15 onwards, which took place after the EU imposed the use of such chargers inside the bloc. Apple could have maintained its Lightning chargers elsewhere but voluntarily decided not to. ^[36] As other countries did not express a strong preference for the Lightning charger, the EU standard became the de facto global standard.

The welfare impacts of this process are ambiguous. If economies of scale trump the losses generated by the lack of regulatory divergence, then welfare goes up, while the opposite can also be true.

4. Fragmentation (Splinternet): A final potential outcome is pure fragmentation, with countries insisting that their rules must apply to their own jurisdiction no matter the losses to economies of scale that are generated by global convergence. ^[37]

For this outcome, welfare implications are again ambiguous. There are many good reasons why countries may determine that certain goods must be produced within the country and require that they comply with local laws, regardless of the costs to businesses. Companies, however, may lose so much scale by having to adapt their products to local requirements that they may end up pulling out of the market altogether. This can lead to higher prices and/ or lower quality. The welfare outcomes will depend on whether the gains from the imposition of the national law trump the losses in scale caused by the regulatory fragmentation. Content moderation laws (broadly defined) provide a good example of these dynamics. Google and Meta, for example, have pulled their services out of jurisdictions such as Russia, China, Spain, Australia, and even Canada rather than comply with local regulatory requirements. ^[38] Meta is also being forced to change part of its business model in Europe, adopting a subscription model in response to local regulatory requirements regarding privacy. ^[39]

It is worth noting that these four “outcomes” are not categorical or permanent—they are a stylized representation that should help us better understand the dynamics that may arise as a result of an iterative process of regulatory competition and evasion. Many regulatory regimes in the real world will be mixed: a certain level of harmonization combined with a certain level of fragmentation. It is also possible that the increasingly costly nature of fragmentation will push countries to harmonize certain aspects of their regulatory regime or accept some levels of unilateral imposition, among others. For our framework, this increasingly costly nature of fragmentation over time can be understood as either countries or companies acquiring better information on the costs and benefits of their positions, or as an external shock that disrupts the equilibrium and induces players to rearrange their positions (like the adoption of a new technology that resets the original game).

1 Complex and Fluid Multi-Agent Game

The regulation of AI is a fast-moving field, and one where countries and companies participate in a dynamic game that can be partially rationalized by the “model” outlined above. Governments use a combination of regulatory regimes and subsidies to ensure control over the different layers that make up the AI supply chain (in particular compute capacity and data). Companies try to pit governments against one another to gain additional leverage in international negotiations and to weaken restrictions that they see as detrimental to their business models. This complex game, which is also influenced by government notions of “strategic autonomy,” is shaping the current evolution of AI regulations and technologies. ^[53]

Let us start with the governmental side of the game. Anu Bradford’s work has detailed the geopolitical competition between the U.S., the EU, and China to impose their different visions for digital regulation. ^[54] This competition manifests itself in measures such as the U.S. working with the EU to restrict China’s access to high-end GPUs and other advanced AI chips, ^[55] or the U.S., the EU, and China entering into an international competition—and potentially a zero-sum game—to provide subsidies for companies willing to move the production of such high-end chips to their own jurisdictions. ^[56]

A similar dynamic has begun to emerge in data access. China has long recognized the key role of data in the training of AI models, and has restricted access to certain data of Chinese citizens to companies aligned with the Chinese government’s view of the world. ^[57] While the Western world has not gone that far, it is worth noting the rapid decline of open-access data that has been previously used to train AI models. ^[58] This decline is triggered by companies trying to better monetize their valuable data through the imposition of technical and legal restrictions that prevent the scraping of their websites, combined with selected licensing agreements that grant access to a database in exchange for monetary payments. ^[59] This blocking of data access for commercial purposes, however, also creates the infrastructure that Western governments may need to provide selective access to their own databases, and it is no surprise that controlling and enabling access to data is at the center of the AI industrial policy of the EU through the Data Act, the AI Act, and others. ^[60] Military experts in the U.S. are already talking about restricting Chinese access to American-controlled data, ^[61] and the U.S. government is starting to take steps in this direction (even if AI is not the main focus). ^[62]

Companies understand that this level of international competition for relative and absolute supremacy in AI technologies provides them with an opening to shape regulation to their advantage. For example, European companies have used this international competition to shape the drafting of the EU’s AI Act to make it more EU-company-friendly, and a coalition of companies is using this international competition to push for the reforms of other EU regulations that they dislike—such as data privacy laws. ^[63] Governments are increasingly responsive to these pleas—a 2024 high-level expert report commissioned by the President of the European Commission to shape the evolution of European competitiveness denounced the GDPR and the AI Act as overly complex and restrictive of AI advancements, calling for their reform to safeguard Europe’s position in the “global AI competition” shaped by “winner takes most dynamics.” ^[64] In the U.S., tech companies have also used the innovation race to successfully pressure California’s governor to veto a 2024 bill that would have imposed restrictions and safeguards on the development of AI models in the state. ^[65]

This dynamic game is prompting some countries to impose their will over other countries, and some companies to shape the evolution of the regulatory systems. The game also shapes the way laws are drafted and how companies react to these laws. For example, it is interesting to note that the EU AI Act is a cross-jurisdictional regulatory regime where providers of AI systems may be subject to its rules as long as there is an impact on the EU market, independent of where they are physically located. ^[66] This decision can be seen as both a push to eliminate opportunities for regulatory arbitrage and an attempt by the EU to emerge as the leader in the international debate on AI regulation. The EU is trying to rely on a “Brussels effect,” de facto exporting its rules through voluntary adoption by technology companies. ^[67] Companies, however, are actively pushing back through the use of mechanisms described above. This may not only include lobbying complemented by unilateral threats—both Apple ^[68] and Meta ^[69] have opted not to release their latest AI models in Europe “due to the unpredictable nature of the European regulatory environment.” It may also include the exploration of legal uncertainty under the AI Act. While the AI Act, for example, requires providers of general-purpose AI models to “put in place a policy to comply with Union law on copyright and related rights” (Article 53 (1)(c) AI Act), it is an open question whether EU copyright law actually covers machine-learning training activities that take place outside the EU. As copyright’s territoriality principle may put a limit to the AI Act’s extraterritorial reach, companies may at least have an incentive to move any training activities outside the European Union, thereby still engaging in regulatory arbitrage. ^[70]

2 The Likely Outcome: Fragmentation with Occasional Pushes for Harmonization

As the simple model we developed in Part I outlines, the final outcomes of the regulatory AI game between a country and companies depends on how a government perceives the relative costs and benefits of local versus extraterritorial regimes, and on how companies perceive their ability to comply with or evade such regulations. These decisions are partially shaped by a government’s differing preferences on how important it is to obtain relative or absolute superiority vis-à-vis international competitors. Once one introduces international competition between countries, whether a government will push for international harmonization or fragmentation of rules or whether it will try to expand the reach of its own regime through extraterritorial application will again depend on its preferences vis-à-vis the technology it is attempting to regulate.

While this regulatory game can lead to various equilibria—ranging from the dominance of one regime over fragmented national regimes to a harmonized global regime—we stipulate that for AI technologies, neither a Brussels effect nor global harmonization is likely to emerge. ^[71] Current actions by different players increasingly indicate that being a technology leader in AI systems is of such vital importance that governments are willing to use a combination of regulation and their physical control over infrastructure as a lever to shape AI governance in their favor. When European AI regulation can be understood in terms of achieving “AI sovereignty,” other countries will consider how this technology and its regulation impacts their own sovereignty as well. ^[72] The more the regulation of AI technologies and the fencing off of foreign influence over these technologies become matters of national security, the more likely we are to end up in a world of policy fragmentation. ^[73] In our model, this means that governments’ strong policy preferences outweigh considerations for the global availability of AI technologies.

For some technologies—in particular technologies that are subject to strong economies of scale and network effects—fragmented regulations impose a significant cost. If different countries regulate social media in different ways and prevent the exchange between users of different social media in different regions of the world, this hampers the potential these media have for global connectivity. As the consumption of AI systems is much less subject to externalities in consumption, fragmented AI regulations may appear less worrisome than fragmented social media regulations at first sight. However, a world of AI fragmentation will not come without costs—and these may be significant. As outlined in Part II.A, current AI models require significant scale to operate efficiently. As these costs grow and lead to lower-quality models, industry players and even governments themselves may push for certain levels of harmonization that can enable gains in economies of scale. This will be contrasted against the level of policy divergence between different countries. Ultimately, the less likely an initial policy divergence between the agents, the more likely that some form of harmonization will take place. In practical terms, this may mean, for example, that the United States and European countries will achieve a certain level of harmonization as a way to facilitate cooperation between their agents, thereby increasing the costs of the isolation imposed on more important adversaries such as China. ^[74]

If this is the case, what we may ultimately witness is a dynamic game marked by bursts of fragmentation in certain areas where autonomy trumps scale (e.g., chip production or even privacy regulation), ^[75] with the formation of certain and restricted regulatory blocs that enable countries to tap into economies of scale that are key for certain applications. One risk here is that companies may successfully pit governments against each other in a race to the bottom that ultimately weakens the nascent regulatory system for AI—a process we are starting to witness in the push against privacy protection in AI systems and against AI safety laws.

As our discussion indicates, we are skeptical that a more cooperative equilibrium such as a broad system of international harmonization will emerge in the area of AI regulation. This would require changes in the policy divergences between countries—say, for example, a growing international consensus that AI models are indeed a threat to mankind that justifies the adoption of international safeguards similar to those imposed on nuclear weapons. It seems that, at least for now, mankind has not arrived at any such agreement.