Technology and Regulation

Meta introduced its ‘pay-or-okay’ model to respond to heightened requirements as to the way it collects users’ personal data for targeted advertising. This model entails giving users two options: paying for a tracking-free service or giving consent to personal data processing including targeted ads. While this resulted from the Meta ruling, in which the CJEU set out the requirements for freely given consent, this solution has caused a new wave of criticism, questioning whether it complies with EU law. More specifically, it raises potential concerns under data protection, consumer law, competition law and the Digital Markets Act. This paper analyses what issues this conduct creates under these areas of EU law and assesses the overall legality of the pay-or-okay model.

Data protection by design is one of the cornerstones of the reform that led to the adoption of the GDPR. Yet, the very nature of that obligation, coupled with the broad wording used by the EU legislator, makes substantiating data protection by design particularly complex. This paper is the second part a two-paper series that explores the intricacies of Article 25(1) GDPR. While the first entry delved into the history and role of data protection by design, this paper aims to clarify the material scope of that provision. It does so by analysing the three core components of Article 25(1) GDPR in light of the findings of a case law review spanning 177 administrative and judicial decisions issued by 26 supervisory authorities in 24 countries between the entry into force of the GDPR and 31 December 2023. That process exposed the role of data protection by design as a proxy to Fundamental Rights Impact Assessments and shed light on its added value in guaranteeing the flexibility and future-proofness of the Regulation.

This paper discusses how a right to an explanation can enable litigants to contest judicial profiling systems used in the administration of justice. Providing such explanations can, however, be hindered by the technical opacity of these systems, the presence of integrity concerns, or external private rights and interests. To overcome these obstacles, this paper argues that the exercise of the right to an explanation relies on technical and organizational obligations that require developers to make profiling systems contestable by design. Based on this conceptual framework, this paper critically interprets EU Data Protection Law, the right to a fair trial, and the new AI-Act. It shows how these laws can (partially) protect contestation, as well as their limitations and loopholes.

Articles 45-47 of the Digital Services Act provide for codes of conduct to ‘contribute to the proper application’ of the Act. Codes could therefore significantly shape the DSA’s implementation and its effectiveness. This article provides the most detailed analysis to date of the role of codes in the DSA, making three key contributions. First, it maps the functions and legal status of DSA codes, showing that they create de facto legal obligations for the largest platforms. This underlines the need to consider how they will shape the DSA’s interpretation. Second, the article argues that codes could significantly strengthen platform companies’ accountability by providing more detailed standards, mandating risk mitigation measures in under-addressed areas, and broadening stakeholder participation. Third, however, it identifies potential disadvantages such as capacity limitations, corporate capture, and legitimacy and accountability issues.

Two notable trends emerge in the theoretical treatment of regulation by design (RBD). Essentialists treat RBD as the product of policy enactments on the part of public bodies. Functionalists cast regulation as an overarching practice that subsumes design, which they relegate to the status of a mere instrument. The essentialist view neglects the complexity of regulatory environments, while the functionalist one neglects the complexity of regulatory practices. This article reconceptualises the relationship between design and regulation so as to account for the multifaceted nature of the latter without neglecting the autonomy of the former. Diverging from both the essentialist view of regulation as a set of rules and the functionalist view of regulation as a practice, the article advances a pragmatist view of regulation as a rule-making activity, that is, regulativity, which is performed through social practices. Thus, RBD is redefined as the regulative activity of design.

On 28 September 2022, the European Commission released its long-awaited proposal for an Artificial Intelligence Liability Directive (AILD). In contrast to the high expectations on providing a harmonised liability framework for the damage caused by AI systems, the proposed AILD only proposes minimum harmonised procedural rules to facilitate evidence disclosure and alleviate the burden of proof undertaken by claimants. This article provides a comprehensive analysis of the proposed AILD and points out the problems when implementing the proposed rules. This article argues that the AILD may never reach its full potential as its name indicates. The fragmentation among Member States regarding the substantive matters may preclude the AILD from moving a step further for harmonising substantial issues. While a comprehensive risk regulation (the EU AI Act) must be followed by an effective remedy mechanism, the proposed AILD will not fill this gap in the short run.

Business models adopted by online platforms have enabled the proliferation of online hate speech. Platforms providing end-to-end encrypted (E2EE) services have been under increased scrutiny for hosting hate mongers. Legislators struggle to conceptualise the responsibilities of E2EE services to not host hate speech without infringing the users’ rights to freedom of expression, association, privacy, or data protection. This interdisciplinary article proposes a new legal minimum standard expanding corporate human rights responsibilities of E2EE services to mitigate a category of criminal hate speech - incitement to violence. We explore the regulation and application of metadata, hashing, and homomorphic encryption to disrupt incitement to violence in large groups on E2EE services in compliance with human rights.

The General Data Protection Regulation has been seen as an omnibus law which potentially addresses all Internet-related problems. Yet, concerns have been raised about the broad scope of the GDPR that might be overreaching its capacity. Calls have been made to create a scalable and more targeted system of legal protection against digital wrongs. General principles governing the design and use of software should be at the foundation of such a scalable system. While automation via code is often an aspect of existing societal problems, software affordances amplify non-technology-specific problems in a unique way.

In the introduction to this special issue, we propose a decolonial take on data law and governance across three aspects through the dismantling of hegemonic structures, the embracing of pluriversality and finally the decentering of data and technology. The special issue covers papers that discuss a) what decolonisation means in relation to data law and governance for the digital economy, b) what kinds of methods should be employed to develop data governance frameworks that account for different infrastructural, social, and political contexts, and c) vocabularies and imaginations for how to regulate data, from the majority world. The papers are written from different disciplinary backgrounds of law, science, and technology studies, governance and policy, as well as media studies and present different points of view, and different entry points into the debate. In this piece, we explore ways to place them in dialogue as a plural whole.

EU Regulation 2016/679 (GDPR), like the pied piper of Hamelin, has and continues to lure third countries into approximating the EU data protection framework.  Some scholars believe the approximation of the EU framework, mostly done in a one-size-fits-all fashion, may not be appropriate in non-EU contexts mainly because (some) values advanced by the EU data protection framework may vary from or be incompatible with legal cultures and/or social norms of the recipient country/region. This paper looks into data protection in Africa and Latin America and the Caribbean (hereinafter LAC). The focus is on the evolution, influence and role of the EU in the development of data protection laws in Africa and LAC. The purpose is to ascertain whether and to what extent those laws are a result of the Brussels effect

Data governance is being explored across all possible avenues, ranging from domestic laws, private standards to international treaties. Amidst this din, there are also constitutional contributions at different points of time with the potential to lay down the first principles for future adjudication and law making. This article analyses the legal histories of constitutions and landmark decisions related to public biometric use in India and South Africa to identify decolonial specificities. Global governance of data has the potential to spiral into international law making with states as the unit, without acknowledging the power differentials that exist within a state. It is time that the plurality of interests within nations are accommodated in the development of technology, as the architecture of the future. For the same, the article identifies global constitutionalism as the means through which any discussion of a global data law should be approached, taking into account the decolonial consensus in post-colonial states and its contemporary use in technological debates.

Ethical principles, such as privacy, autonomy, and human rights, have been published to govern ethical data extraction and mining. These principles aim to protect individuals from unlawful data extraction for research, development, and other purposes. While these principles are necessary to protect individuals against unlawful data extraction and mining, I argue that they do not, in practice, provide solid foundations for a human-centred approach to data extraction, given the exponential growth of surveillance capitalism and data colonialism. I contend that it is best to reorient data-driven corporations to approach data extraction from a human-centred perspective, guided by collectivist principles, such as care, human dignity, and beneficence, which I develop from Ubuntu-centred African relational moral theory. I show how these principles can contest current principles, such as respect for autonomy, privacy, and human rights, to guide a human-centred approach to data extraction.

Much of the conversations and practices of data governance emanate from technocratic and/or managerial lenses. This suggests a double bias towards (a) a linear teleological model of progress, (b) propelled by claims of objectivity and pristine scientific rationality inherent to Data. This paper seeks to move away from such approaches, to draw on the offerings of Critical Theory, to develop Critical Data Governance (CDG) as an approach that eschews objectivist, instrumentalist, and universalising tendencies. This, it does, by bringing to conversation the bodies of work on Critical Policy Studies and Critical Data Studies, in order to bring to the fore a multiplicity of policy actors, norms and values, interests and interactions, venues and deliberative sites, to the study of data governance and policymaking. Towards this, the paper showcases some examples from the South(s), and then moves on to present a provocation for CDG as a Southern Standpoint for Data, overcoming the inadequacies of Critical Theory and catering to anti-/de-colonial and anti-caste aspirations of peoples.

This article presents that decolonizing cannot happen without acknowledging the role of land relations in constituting data and radically reconstituting what we are governing when we claim to govern ‘data.’ To this end, it reflects upon how the juxtaposition of the ‘data colonialism’ and the ‘Anthropocene’ discourses can be productive by highlighting their common settler colonial impulses in understanding the categories of the ‘material’ and the ‘epistemological’ as distinctive. Next, the article draws upon the Place-Thought framework proposed by Anishinaabe-Haudenosaunee scholar Vanessa Watts and others to argue that in addition to being a demand for giving land titles to Indigenous peoples, #LandBack movements should be understood as a decolonizing call for realizing the seamless coherence of the material-epistemological, both outside and within Europe. The last section proposes earthy data as decolonizing tactics against the settler understandings of data.

Digitalisation of public service provision has been and remains a pillar of the Kenyan government’s approach to development. Kenya has explicitly linked digitalisation to its ambitions for development – an approach that is echoed in the political campaign materials produced and distributed by all major political parties in the country. Yet the country’s digital policy continues to be developed primarily in English, as the countries continues to build and also receive digital technologies built elsewhere, primarily in English. This paper argues that in the context of postcolonial societies like Kenya and Tanzania, this has a distinct impact of deepening power differentials within the society that are rooted in ‘coloniality’ as defined by Grosfoguel. The use of colonial languages in the creation and dissemination of digital policy is an obstacle to decolonising the internet in postcolonial societies.
Building from Ngugi’s work on indigenous languages in public life, the paper argues that to properly map the terrain of decolonial praxis in technology, we must engage with the power differentials embedded in how languages are perceived and experienced in postcolonial societies. Languages, the paper argues, are not only a key component of colonial violence as Ngugi argued, but they also perpetuate the power disparities of incomplete decolonisation, including for example the perception of those who speak indigenous languages as their index language as being lower class and therefore more abstract to power. The paper then summarises a project developed by the author to create a lexicon for digital rights in Kiswahili as an example of some of the decolonial praxis that is necessary to addressing these power disparities in countries like Kenya and Tanzania. In this way, the paper not only proposes a theoretical argument for decolonisation but also offers a practical example of what meaningful decolonial praxis of digital technologies can look like. Overall, the paper argues that decolonisation of digital technologies is imperative to addressing the coloniality embedded in digitalisation policy in Kenya.

This essay discusses how critical social theory in Brazil can contribute to a revision of dominant approaches to AI regulation and a regulatory strategy focused on innovation, legal certainty, and economic development in Brazil. We explain the origins of the Brazilian Draft Bill on Artificial Intelligence Regulation and the main critiques during the discussions at the legislative houses in 2022. We argue that critical social theory can enlarge the discussion about which should be the regulatory goals of such legislation. Critical theory helps envision new principles that are connected to the structural problems of post-colonial societies. We intend to advance the project of enlarging the epistemologies of the South and expanding the view of Global Data Justice that relates to the social theory developed in the South.

The increasing value of data is rendering data extraction ubiquitous. Looking at recent research, I argue that work critical of extractive dynamics can give rise to a ‘double-helix of data extraction’ that exacerbates existing asymmetries by appropriating the means of critique of affected populations. I show how this dynamic might play out in practice by turning to my research on astronomy data in Chile, which adopted a decolonial lens and involved Indigenous activists. Finally, a radical embracement of reflexivity attentive to both positionality and political economy is advocated as a condition for conducting properly critical data studies (CDS), especially in the case of research relying on decolonial approaches. Although reflexivity cannot solve the double helix, it can expose the conditions underpinning research and acknowledge the limitations of research on its own.

The Indian state has tried to project an image of data sovereignty, seeing data in terms of a national asset that needs to be protected against the data colonialism of Western Big Tech through various policy documents and rhetoric. In this paper, I have tried to analyse this claim and tried to unravel how it sees data and defines data colonialism, unravelling the role which the Indian private sector plays in supporting that vision. I have then compared it with the work of decolonial scholars who have critically examined the impact of Big Data from the lens of data colonialism to argue how it fails to challenge the epistemological basis of data colonialism even as it projects to fight it.

The Chilean constitution making-process appears to be one of the most interesting democratic exercises of recent times within the context of a connected society and the increased interest in constitutionalism as a way of shaping and countering digital colonialism and digital constitutionalism, respectively.

Consequently, this paper explores how the Chilean constitution-making experience contributes to framing and re-imaging the rise of digital constitutionalism by addressing the challenges of digital colonialism within a constitutional framework.

The primary goal of this article is to analyse the path and the digital regulatory provisions of the Chilean Constitutional Convention to explore how both processes seek to offer a new approach to defining digital space through a constitutional lens. The included fundamental rights and principles should at least open the debate on the urgency to rethink how we respond to digital colonialism through a constitutional approach.