Skip to content Skip to footer

BILETA 23 abstracts

Overview of the accepted abstracts (with links to the actual abstract)

  1. Alessa, Hibah (University of Leeds) and Basu, Subhajit (University of Leeds). Technology and Procedure in Dispute Resolution: A Procedural Model of Reform for Saudi Arabia’s Commercial Courts or Top-Down Transformation?
  2. Aridor Hershkovitz, Rachel (Israel Democracy Institute) and Shwartz Altshuler, Tehilla (Israel Democracy Institute). Cybersecurity Regulations – A Comparative Study
  3. Ashok, Pratiksha (UC Louvain). A Tryst with Digital Destiny – Comparative Analysis on the Regulation of Large Platforms between the European Digital Markets Act and the Indian Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules
  4. Barker, Kim (Open University Law School/ObserVAW). Online Violence Against (Women) Gamers: A Contemporary Reflection on Regulatroy Failures?
  5. Barrio, Fernando (Queen Mary University of London). Climate Change Implications of Unregulated Technological Energy-Efficiency
  6. Barrio, Fernando (Queen Mary University of London). Legal, Fair and Valid Assessment in Times of AI-Generated Essays
  7. Blakely, Megan Rae (Lancaster University). Cyberlaw of Massive Multiplayer Online Games: Copyright and Deauthorization of Dungeons & Dragons
  8. Brown, Abbe (University of Aberdeen). Can You Really Get Your Act Together?
  9. Cavaliere, Paolo (University of Edinburgh Law School) and Li, Wenlong (University of Birmingham). Examining the Legitimacy and Lawfulness of the Use of Facial Recognition Technology in Public Peaceful Assemblies: Towards a Reconceptualisation of the Right to Freedom of Assembly in the Digital Era
  10. Celeste, Eduardo (Dublin City University). The Digital Constitutionalism Teaching Partnership: Connecting Virtual Learning Spaces with an Interdisciplinary Toolkit
  11. Chomczyk Penedo, Andres (Vrije Universiteit Brussel). The Regulation of Data Spaces under the EU Data Strategy: Towards the ‘Act-ification’ of the 5th European Freedom for Data?
  12. Clifford, Damian (Australian National University) and Paterson, Jeannie (University of Melbourne). Banning Inaccuracy
  13. Cooper, Zachary (VU Amsterdam). The Utility of Incoherence: How Legislating the Present Confuses the Future
  14. Da Rosa Lazarotto, Bárbara (Vrije Universiteit Brussel). The Right to Data Portability: An Holistic Analysis of GDPR, DMA and the Data Act
  15. De Amstalden, Mariela (University of Birmingham). Future Technologies and the Law: Regulating Cell-Cultivated Foods
  16. De Conca, Silvia (VU Amsterdam). The Present Looks Nothing like The Jetsons: A Legal Analysis of Deceptive Design Techniques in Smart Speakers
  17. Degalahal, Shweta Reddy (Tilburg University). Reconsidering Data Protection Framework for Use of Publicly Available Personal Data [8840]
  18. Diker Vanberg, Aysem (Goldsmiths, University of London). Application of EU Competition Law to Artificial Intelligence and Chatbots: Is the Current Competition Regime Fit for Purpose?
  19. Dinev, Plamen (Lecturer, Goldsmiths, University of London). Consumer 3D Printing and Intellectual Property Law: Assessing the Impact of Decentralised Manufacturing
  20. Esposito, Maria Samantha (Politecnico di Torino). Regulatory Perspectives for Health Data Processing: Opportunities and Challenges
  21. Faturoti, Bukola (University of Hertfordshire) and Osikalu, Ayomide (Ayomide Osikalu & Co, Lagos, Nigeria). When Bitterness Mixes with Romance: The Weaponisation of Pornography in Africa
  22. Flaherty, Ruth (University of Suffolk). ChatGPT: Can a Chatbot be Creative?
  23. Fras, Kat (Vrije Universiteit). Article 22 of the GDPR: In Force Yet Redundant? The Relevance of Article 22 in the Context of Tax Administrations and the Automated Decision Making
  24. Fteiha, Bashar (University of Groningen). The Regulation of Cybersecurity of Autonomous Vehicles from a Law and Economics Perspective
  25. Gordon, Faith (Australian National University). Rights of Children in the Criminal Justice System in the Digital Age: Insights for Legal and Judicial Education and Training
  26. Griffin, James (University of Exeter). The Challenge of Quantum Computing and Copyright Law: Not What You Would Expect
  27. Guan, Taorui (The University of Hong Kong). Intellectual Property Legislation Holism in China
  28. Guillén, Andrea (Institute of Law and Technology, Faculty of Law, Autonomous University of Barcelona). Automated Decision-Making under the GDPR: Towards the Collective Dimension of Data Protection
  29. Gulczynska, Zuzanna (Ghent University). Processing of Personal Data by International Organizations and the Governance of Privacy in the Digital Age
  30. Gupta, Indranath (O.P. Jindal Global University, India) and Naithani, Paarth (O.P. Jindal Global University, India). Recent Trends in Data Protection Legislation in India: Mapping the Divergences with a Possible Way Forward
  31. Harbinja, Edina (Aston University). Regulatory Divergence: The Effects of UK Technology Law Reforms on Data Protection and International Data Transfers
  32. Harbinja, Edina (Aston University); Edwards, Lilian (Newcastle University) and McVey, Marisa (Queen’s University Belfast). Post-Mortem Privacy and Digital Legacy – A Qualitative Empirical Enquiry
  33. Hariharan, Jeevan (Queen Mary University of London) and Noorda, Hadassa (University of Amsterdam). Imprisoned at Work: The Impact of Employee Monitoring on Physical Privacy and Individual Liberty
  34. Higson-Bliss, Laura (Keele University). ‘Will Someone not Think of the Children?’ The Protectionist State and Regulating the ‘Harms’ of the Online World for Young People
  35. Hoekstra, Johanna (University of Edinburgh). Online Dispute Resolution and Access to Justice for Business & Human Rights Issues
  36. Hof, Jessica (University of Groningen) and Oden, Petra (Hanze University of Applied Sciences Groningen). Breaches of Data Protection by Design in the Dutch Healthcare Sector: Does Enforcement Improve eHealth?
  37. Holmes, Allison (University of Kent). Becoming ‘Known’: Digital Data Extraction in the Investigation of Offences and its Impact on Victims
  38. Jondet, Nicolas (Edinburgh Law School). The Proposed Broadening of the UK’s Copyright Exception for Text and Data Mining: A Predictable, Promising and Pacesetting Endeavour
  39. Joshi, Divij (University College London). Abstract – Governing ‘Public’ Digital Infrastructures
  40. Kalsi, Monique (University of Groningen). Understanding the Scope of Data Controllers’ Responsibility to Implement Data Protection by Design and by Default Obligations
  41. Kamara, Irene (Tilburg Institute for Law, Technology, and Society). The Jigsaw Puzzle of the EU Cybersecurity Law: Critical Reflections Following the Reform of the Network and Information Security Directive and the Proposed Cyber Resilience Act
  42. Keese, Nina (European Parliament) and Leiser, Mark (Vrije Universiteit Amsterdam). Freedom of Thought in the Digital Age: Online Manipulation and Article 9 ECHR
  43. Kilkenny, Cormac (Dublin City University). Remediating Rug-pulls: Examining Private Law’s Response to Crypto Asset Fraud
  44. Krokida, Zoi (University of Stirling). The EU Right of Communication to the Public against Creativity in the Digital World: A Conflict at the Crossroads?
  45. Lazcano, Israel Cedillo (Universidad de las Américas Puebla (UDLAP)). DevOps and the Regulation of the “Invisible Mind” of the Digital Commercial Society
  46. Leiser, Mark (Vrije Universiteit Amsterdam); Santos, Cristiana (Utrecht University) and Doshi, Kosha (Symbiosis Law School). Regulating Dark Patterns across the Spectrum of Visibility
  47. Li, Wenlong (University of Birmingham) and Chen, Jiahong (University of Sheffield). Understanding the Evolution of China’s Personal Information Protection Law: The Theory of Gravity Assist
  48. Maguire, Rachel (Royal Holloway, University of London). Copyright and Online Creativity: Web3 to the Rescue?
  49. Mangan, David (Maynooth University). From the Workplace to the Workforce: Monitoring Workers in the EU
  50. Manwaring, Kayleen (UNSW). Repairing and Sustaining the Third Wave of Computing
  51. Mapp, Maureen (University of Birmingham). Private Crypto Asset Regulation in Africa – A Kaleidoscope of Legislative and Policy Problems
  52. Margoni, Thomas (CiTiP); Quintais, Joao (University of Amsterdam) and Schwemer, Sebastian (Centre for Information and Innovation Law (CIIR), University of Copenhagen). Algorithmic Propagation: Do Property Rights in Data Increase Bias in Content Moderation?
  53. Marquez Daly, Anna Helena (University of Groningen). Innovation & Law: Encouraging Lovers or Bitter Nemesis?
  54. Mathur, Sahil (The Open University). Digital Inequalities and Risks – Perspectives from FinTech
  55. McCullagh, Karen (University of East Anglia). Brexit UK Data Protection – Maintaining Alignment with or Diverging from the EU Standard?
  56. Mendis, Sunimal (Tilburg Institute for Law, Technology, and Society (TILT), Tilburg University, The Netherlands). Fostering Democratic Discourse in the (Digital) Public Sphere: Proposing a Paradigm Shift in EU Online Copyright Enforcement
  57. Milkaite, Ingrida (Ghent University). A Children’s Rights Perspective on Privacy and Data Protection in Europe
  58. Neroni Rezende, Isadora (University of Bologna). The Proposed Regulation to Fight Online Child Sexual Abuse: An Appraisal of Privacy, Data Protection and Criminal Procedural Issues
  59. Nottingham, Emma (University of Winchester) and Stockman, Caroline (University of Winchester). Dark Patterns of Cuteness in Children’s Digital Education
  60. Orlu, Cyriacus (PhD Candidate, Faculty of Law, Niger Delta University) and Eboibi, Felix (Faculty of Law, Niger Delta University). The Dichotomy of Registration and Operation of Cybercafes under the Nigerian Cybercrime Legal Frameworks
  61. O’Sullivan, Kevin (Dublin City University). The Court of Justice Ruling in Poland and Our Filtered Futures: A Disruptive or Diminished Role for Internet User Fundamental Rights?
  62. Oswald, Marion (Northumbria University); Chambers, Luke (Northumbria University) and Paul, Angela (Northumbria University). The Potential of a Framework Using the Concept of ‘Intelligence’ to Govern the Use of Machine Learning in Policing
  63. Paolucci, Frederica (Bocconi University). Digital Constitutionalism to the Test of the Smart Identity
  64. Paul, Angela (Northumbria University). Police Drones and the Possible Human Rights Issues: A Case Study from England and Wales
  65. Poyton, David (Aberystwyth University). The ‘Intangibles’: A Veritable Gordian Knot. Are we Slicing through the Challenges?  Or Unpicking them Strand-by-Strand?
  66. Przhedetsky, Linda (University of Technology, Sydney) and Bednarz, Zofia (University of Sydney). Algorithmic Opacity in Consumer Markets: Comparing Regulatory Challenges in Financial Services and Residential Tenancy Sectors
  67. Quintais, João Pedro (University of Amsterdam, Institute for Information Law) and Kuczerawy, Aleksandra (Centre for IT & IP Law, KU Leuven). “Must-Carry” Obligations for Online Platforms: Between Content Moderation and Freedom of Expression
  68. Rachovitsa, Mando (University of Groningen). “It’s Not in the Cloud!”: The Data Centre as a Singular Object in Cybersecurity and Critical Infrastructure Regulation
  69. Ramirezmontes, Cesar (Leeds University). EU Trade Marks and Community Designs in the Metaverse
  70. Rebrean, Maria (Leiden University – eLaw – Center for Law and Digital Technologies). Giving my Data Away: A Study of Consent, Rationality, and End-User Responsabilisation
  71. Romero Moreno, Felipe (Hertfordshire Law School). Deepfake Technology: Making the EU Artificial Intelligence Act and EU Digital Services Act a Human-Rights Compliant Response
  72. Rosenberg, Roni (Ono Academic College, Law Faculty). Cyber Harassment, Revenge Porn and Freedom of Speech
  73. Rosli, Wan Rosalili Binti Wan (School of Law, University of Bradford) and Hamin, Zaiton (Faculty of Law, Universiti Teknologi MARA). The Legal Response to Cyberstalking in Malaysia
  74. Samek, Martin (Charles University, Faculty of law). New EU Regulation and Consumer Protection: Are National Bodies up to the Task?
  75. Scharf, Nick (UEA Law School). 3A.M. Eternal? What The KLF Can Teach Us about the Past, Present and Future of Copyright
  76. Shattock, Ethan (Maynooth University). Knowledge of Deception: Intermediary Liability for Disinformation under Ireland’s Electoral Reform Act
  77. Siliafis, Konstantinos (Canterbury Christ Church University) and Colegate, Ellie (University of Nottingham). Addressing the Potential Pitfalls of the UK’s Online Safety Bill’s Provisions in Relation to Adults
  78. Sinclair, Alexandra (LSE). ‘Gaming the Algorithm’ as a Defence to Public Law Transparency Obligations
  79. Soukupová, Jana (Charles University). Digital Assets, Digital Content, Crypto-Assets, Data and Others: Are We on the Road to a Terminological Confusion?
  80. Sumer, Bilgesu (KU Leuven). Keeping Track of the Regulation of Biometric Data within the EU Cyberlaw: Legal Overlaps and Data Protection Challenges
  81. Sümeyra Doğan, Fatma (Jagiellonian University). Re-Use or Secondary Use: A Comparison between Data Governance Act and European Health Data Space
  82. Sutter, Gavin (Queen Mary University of London). Qui Docet, Discit: Some Reflections on Lessons Learned Across Two Decades of Teaching an Online LLM
  83. Terzis, Petros (UCL) and Veale, Michael (UCL). Foundations for Regulating Computational Infrastructures
  84. Tur-Sinai, Ofer (Ono Academic College) and Helman, Lital (Ono Academic College). Bracing Scarcity: Can NFTs Save Digital Art?
  85. Unver, Mehmet (University of Hertfordshire) and Roddeck, Lezel (Bucerius Law School). Artificial Intelligence in the Legal Sector: Ethics on the Spot
  86. Urquhart, Lachlan (University of Edinburgh) and Boniface, Christopher (University of Edinburgh). Legal Aspects of the Right to Repair for Consumer Internet of Things
  87. Van Schendel, Sascha (Tilburg University). The Regulation of AI in Criminal Justice: Building a Bridge between Different Legal Frameworks
  88. Van ‘t Schip, Mattis (Radboud University). The Regulation of Supply Chain Cybersecurity in the EU NIS2 Directive: A Novel Approach to Cybersecurity for the Internet of Things
  89. Vellinga, Nynke (University of Groningen). Rethinking Compensation in Light of the Development of AI
  90. Verdoodt, Valerie (Ghent University) and Lievens, Eva (Ghent University). The EU Approach to Safeguard Children’s Rights on Video-Sharing Platforms: Jigsaw or Maze?
  91. Wang, Xiaoren (University of Dundee); Heald, Paul (University of Illinois) and Ge, Weihao (University of Illinois). Creatively Misinformed: Mining Social Media to Capture Internet Creators and Users’ Misunderstanding of Intellectual Property Registration System
  92. Williams, Elin (University of Liverpool, PhD Candidate in Law/Edge Hill University, Visiting Lecturer in Law). Money Laundering Through Cryptocurrency Mixers: Exploiting Existing Weaknesses in the Anti-Money Laundering Regime
  93. Wolters, Pieter (Radboud University). The Influence of the Data Act on the Shifting Balance between Data Protection and the Free Movement of Data
  94. Xiao, Leon Y (IT University of Copenhagen; QMUL; York; Stanford). Beneath the Label: Poor Compliance with ESRB, PEGI, and IARC Industry Self-Regulation Requiring Loot Box Presence Warning Labels by Video Game Companies
  95. Yardimci, Gizem, Aphra Kerr and David Mangan (Maynooth University). Protecting Elections in the Digital Age: Examining the Potential Regulatory Impact of the EU’s Draft AI Act on Political Bots
  96. Zardiashvili, Lexo (Leiden University). The End of Online Behavioral Advertising
  97. Zucchetti Filho, Pedro (Australian National University). Facial Recognition in Brazil: Current Scenario and Future Developments

1.    Alessa, Hibah (University of Leeds) and Basu, Subhajit (University of Leeds). Technology and Procedure in Dispute Resolution: A Procedural Model of Reform for Saudi Arabia’s Commercial Courts or Top-Down Transformation?

Keywords:   Technology, Artificial Intelligence, Innovations, Administration of justice, Saudi Courts

Abstract. The judicial system reaffirms the state’s legitimacy and represents its power to distribute burdens and benefits to citizens. Hence, the system is burdened by the very high expectations placed on it by the state and its citizens. However, it has been argued that courts that comprise the Saudi judicial system continue to lose ground to ADR regimes, and if the fledgling Saudi system is not reformed, it will lose further the confidence of domestic and foreign parties while parallel international tribunals thrive. Parties avoid court-centred justice for several reasons, such as procedural inefficiencies.

Notwithstanding, the amendment of procedural law requires important innovations in court practice, process, and procedure. Along with exploring more routine forms of procedural and digitization of court services, this article gives particular attention to innovations in the use of e-litigation platforms, blockchain technology and, controversially, the use of artificial intelligence models in courts to enhance communication, analyses, and adjudication in the judicial system. AI is used in this study to describe computer systems that make logical deductions normally associated with the human mind and perform tasks that require human intelligence. Despite decades of proposals and legislation related to information technology around the world, many national legal frameworks are being shaped by AI and automated technologies in particular. This further requires the identification of challenges courts in have jurisdictions face and how they have mitigated similar challenges.
Therefore, the intended purpose of this article is to consider the broader direction of travel in the court administration, any lessons that can be learned, and whether a technology-centred agenda offers a better roadmap for reform for Saudi courts. As to its scope, the analysis to document the full spectrum of digital transformations that have emerged across jurisdictions. In addition, key innovations in procedure and technology in legal processes of a more general nature will be explored to how such endeavours raise deeper questions about the nature of justice itself and the capacity of innovative mechanisms to widen access to justice and enhance efficiency and fairness in the administration of justice.

This article will conclude that technology has its numerous benefits. It can be used to widen, reengineer, or even reimagine access to justice, fostering more efficient processes of dispute settlement and offering alternatives to the paper-based systems and lawyering that has come to slow down traditional court functions. On the other hand, however, concerns remain over technologies that rely disproportionately or inequitably on automated judgments or machine learning, sometimes with the implied or express aim of placing such processes out of the realm of legitimate (judicial) review and legal contestation. The enterprise of law involves making choices and balancing between different interests and is, therefore, by its nature a subjective, discretionary, value-laden enterprise. Therefore, this article suggests that special attention should be paid to undertaking comprehensive research to understand the feasibility of an advanced technology and AI-driven system to reform and develop Saudi courts. Then, a regulatory framework based on global best practices should be adopted.

2.    Aridor Hershkovitz, Rachel (Israel Democracy Institute) and Shwartz Altshuler, Tehilla (Israel Democracy Institute). Cybersecurity Regulations – A Comparative Study

Keywords:   cybersecurity, regulation, market failures, government intervention, cyberattack, critical infrastructure, hard/centralized command-and-control regulation, soft/decentralized command-and-control regulation., collaborative regulation., self-regulation

Abstract. In December 2022 Israel’s State Comptroller published a disturbing report claiming that there’s a systemic problem with Israel’s cyber defense readiness which seems to derive from a lack of incentives and sanctions to promote the creation of defense mechanisms against cyberattacks and digital illiteracy among cyberspace users and policymakers.

The unique features of cyberspace, especially hyperconnectivity and the speed of information transfer, are at the heart of both the great benefits it brings to society and the huge dangers it poses. The tremendous damage liable to be caused by cyberattacks, combined with the absence of adequate incentives for investment in cyber protection, has created a market failure that justifies government intervention in the regulation of cybersecurity.

Government intervention in the regulation of cyber protection faces several challenges, however. Some of these are technological challenges, while others stem from the complexity of the cyber protection world and its cross-sectoral nature.

Another major challenge is that governments play multiple roles regarding cyberspace, wearing different “hats” that sometimes conflict with each other: they own critical infrastructure; are responsible for national security; act as a regulator for private-sector entities that possess cyberinfrastructure and are responsible for protecting it; play an active role in public and private cooperative efforts for cyber protection; act on the international level with and against other countries in an effort to protect cyberspace, whose geographical boundaries are blurred; produce and disseminate information regarding cyber protection; and finally, they can serve as a cyber attacker that poses threats to other states or organizations.

Western countries, including Israel, have been engaged for several years in attempts to regulate cyber protection. What these various attempts have in common is the adoption of a conceptual approach underlying effective regulation of cyber protection: that responsibility is shared by all actors, and that the regulation of cyberspace should not apply only to critical infrastructure or focus solely on the public sector. At the same time, the scope of this responsibility, the type of regulation that is appropriate, and the regulatory tools chosen should be determined based on the anticipated level of risk to the public interest from a successful cyberattack against each actor or sector. This approach is similar to the principle of “common but differentiated responsibilities” that has become standard in international law in the context of environmental protection and mitigation of climate-change harms.

Our study surveys cyber protection policy in several countries: the United States, Australia, UK, the European Union and two of its member states (Denmark and France), and Israel. The different countries employ a variety of regulatory tools to protect cyberspace: hard/centralized command-and-control regulation; soft/decentralized command-and-control regulation; collaborative regulation; and self-regulation. The degree of responsibility of each actor in cyberspace, and consequently the regulatory tool selected to regulate cyber protection, are determined according to an assessment of the risk to important national interests posed by a cyberattack on a particular organization or on organizations in a particular sector. Therefore, the definition of these important national interests is the key to understanding the scope of state intervention in the market in order to protect cyberspace.

3.    Ashok, Pratiksha (UC Louvain). A Tryst with Digital Destiny – Comparative Analysis on the Regulation of Large Platforms between the European Digital Markets Act and the Indian Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules

Keywords:   Digital Markets Act, Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, Large Platforms, Significant social media intermediaries, European Union, India
Abstract. At the stroke of the century, the world awoke to digital transformation that changed the course of lives. As countries drafts legislations and regulations fit for tomorrow, the legal environment is saturated with digital policies. However, in this sea of legislation, there is a need for a lighthouse, a guiding source to provide clarity on concepts and regulatory impacts while keeping in mind sovereign necessities and national legislations.

As the European Union (EU) implements its Digital Markets Act, 2022 (DMA), with the intent of protecting consumer welfare and restoring a level playing field, the world is introduced to a new era of regulation of the digital economy. The DMA regulates the operations of gatekeepers. Gatekeepers are platforms that significantly impact the internet market, serving as a gateway for businesses and end-users and having a durable position in the market. Though the list of gatekeepers is not released, it is clear from the explanations that they refer to big tech companies of Amazon, Facebook, Google, Apple, and Microsoft.

In a similar timeline, India enacted path-breaking legislation in the form of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (IT Rules). These Rules regulate all intermediaries, including social media, on-demand and significant social media intermediaries. The Rules did not state what significant social media intermediaries were and gave the power to the Central Government to notify the same. On the same day, the Central Government notified that a social media intermediary would be considered a significant social media intermediary if they have fifty lahks (5 million) users in India.

Two crucial differences are observed. Firstly, India’s legislation covers all social media intermediaries, including significant social media intermediaries. In contrast, the DMA applies only to gatekeeper platforms that perform core platform services, which include social media services. Secondly, the DMA defines the gatekeepers based on certain obligations such as the significant impact on the internal market, durable position, number of users, entry barriers, and structural market characteristics. This definition contrasts the IT Rules, as the subsequent notification prescribes a threshold of users. However, there is a point of similarity in the objective of regulation of large platforms. As jurisdictions around the globe pass legislation in relation to regulation of platforms, this paper attempts to analyse one of the aspects of regulation of the digital economy- large platforms.
This research intends to compare the DMA and the IT Rules in-depth and the scope of such legislation. This paper investigates the teleologic reasoning into the phenomenon of large platforms and their regulation in the India and the EU is provided. This research does not attempt to answer whether a specific system is better than the other- but to stimulate academic discussion into different systems and view different regulatory systems under a critical magnifying glass. A comparative methodology is adopted to draw out the differences in the regulation from the perspective of large platforms in the EU and in India.

4.    Barker, Kim (Open University Law School/ObserVAW). Online Violence Against (Women) Gamers: A Contemporary Reflection on Regulatroy Failures?

Keywords:   online violence against women (OVAW), online games, online harms, harmful communications, social media

Abstract. Online violence against women (OVAW) and online abuse have been acknowledged as obstacles to gender equality in physical and digital spaces. These forms of discrimination and harassment threaten women’s ability to participate fully and freely in digital life, across social media platforms, websites, messaging apps, and – increasingly visibly – online games. These spaces are integral to interaction and yet the scale, of social media abuse in the form of OVAW has raised the question about the appropriate responses – both regulatory and legal.

In growing recognition of the problematic phenomenon that (now) encompasses OVAW, increasing sectors have identified potential responses. From addressing OVAW through so-called ‘harms based models’, to legislation to capture ‘online hate’, or ‘harmful communications’, the dominant narratives have focussed on online safety, rather than in tackling pernicious forms of behaviour through nuanced regulatory responses beyond simply legislative reform.

As discussions surrounding the metaverse, and fediverse begin to dominate tech narratives, existing questions remain about how to regulate interactive online platforms currently, before considering technological developments in virtual and augmented reality contexts. This paper offers a contemporary assessment of the responses to Online Violence Against Women, placing this harmful phenomenon in the context of online games, assessing the scope and scale of the problem, before analysing the responses of leading online games to OVAW. The paper concludes by questioning where games – and women – go from here.

5.    Barrio, Fernando (Queen Mary University of London). Climate Change Implications of Unregulated Technological Energy-Efficiency

Keywords:   sustainability, energy consumption, technology regulation, vampire energy, climate change
Abstract. The world already feels the reality of climate change, and the UN’s Intergovernmental Panel on Climate Change has clearly stated that situation will worsen if not decisive action is taken immediately. Consequently, policy makers in all levels have made climate change a central issue to tackle through plans and actions, being the use of technology one of the options for both mitigate the warming of the planet and adapt to the realities of a warmer world. However, more attention needs to be paid to the emissions produced by the intensive and extensive use of different technologies, which includes when technological devices are not in use.

Vampire energy, also known as standby power or phantom loads, refers to the energy consumed by electronic devices and appliances when they are turned off or in standby mode. With the increase of multiple devices at personal, household and institutional levels, this type of energy consumption has become a significant contributor to overall energy use and carbon emissions at global scale. To that it is necessary to add that sustainability is not necessarily included as a factor when designing or programming those devices or the systems that run on them, not forgetting whole technological developments that inherently consume vast amounts of energy, like crypto-currency mining.

In relation to vampire energy, there are regions and countries with laws and in place to limit standby power consumption, like the EU Regulation (EC) No 1275/2008 and Regulation (EC) No 801/2013, the Ecodesign Regulation, or in the US, the California Appliance and Equipment Energy Efficiency Standards, but it is important to note that while they set limits to the amount of energy that devices can use while in standby, they multiplication of devices make those limits, low individually, insufficient for the impact that ghost loads are currently having in the planet.

From the software point of view, even the energy performance software and those producing Energy Performance Certificates don’t seem to be tested for energy-efficiency, and there is a silence in the regulatory framework about it. Here different apps are included and the (lack) of legal requirements in relation to sustainability of computer software extends to systems used daily by hundreds of millions of people around the world. Just to give a simple example, many navigation systems used by drivers, present as the preferred route the one that implies a shorter trip in time, even if that trip reduces only one minute a two-hour trip and represents three times the distance, multiplying the petrol use and carbon emissions to save one or few minutes; sustainability is not programmed as a consideration, only time-efficiency is.

The paper first explains the energy uses of different technologies, like devices in standby, software and digital environment, to then analyze the current regulatory framework impacting such use, including recent court decisions imposing liability on non-tech companies for their emissions, to end with proposal for comprehensive regulation on energy use by new technologies aiming at reducing their climate change impact.

6.    Barrio, Fernando (Queen Mary University of London). Legal, Fair and Valid Assessment in Times of AI-Generated Essays

Keywords:   AI, Assessment methods, Copyright, Data protection, Higher education
Abstract. Back in 1859 Charles Dickens enunciated the famous words “[i]t was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness […] it was the season of Light, it was the season of Darkness…”, and it could be argued that we was writing about today’s situation in relation to the use of certain technologies to support human endeavours, with assessment in higher education not being an exception to it.

The advent of readily available, and mostly free, artificial intelligence tools based on transformer-based language for Natural Language Processing, NPL, that allow students to write university essays in matter of seconds and with no further input, raises a number of legal and pedagogical issues that need to be considered. The issues are multiple and will likely keep expanding, but this paper is centred around copyright, data protection, and the honesty and integrity of the assessment process, with focus on UK law and global pedagogical practices.

Being the threshold for originality relatively low in UK, in most cases, the AI tool would create original works, which, in principle, could attract copyright protection as computer-generated work under the UK Copyright, Designs and Patents Act 1988, CDPA. According to that piece of legislation, the author would be “the person by whom the arrangements necessary for the creation of the work are undertaken”, which is not as clear as it seems. The the instructions for the essay are . given by the teacher, the student simply enters them but gives the “order”, and the content is generated by the AI tool, so the question is who owns the copyright in the resulting essay: the teacher, the student, the AI tool, as in the Chinese case of 2020, the creator of the algorithm, the owner of the tool, or who? If the student is the sole copyright holder, they may be able to submit the essay as their own work, but if it is found that someone else is the copyright holder, the sole act of submitting it can be deemed copyright infringement.

Algorithmic systems can require the input of personal data, which can be stored by the AI tool and or its owner. The current systems make no reference to any of the data protection principles nor seek permission for the processing of personal data. As the AI tools would need at some point to be monetised, would that include the use of the data for tailored advertisement like current social media platforms? If that is the case, the situation raises concerns about the protection of the data, and the legality of its processing.

The use of the mentioned AI also raises pedagogical concerns, being honesty and integrity of the assessment process central to them.

The paper analyses these legal and pedagogical issues, as well as potential ways forward both in law and assessment practice.

7.    Blakely, Megan Rae (Lancaster University). Cyberlaw of Massive Multiplayer Online Games: Copyright and Deauthorization of Dungeons & Dragons

Keywords:   mmorpg, games, copyright
Abstract. MMOs have sharply risen in popularity and sophistication over the past few decades.   Although the population is not as numerous as social media platforms like Facebook, MMOs have more complexity on the platform and heavily engaged, symbiotic user communities and rely on user creative – and sometimes copyrightable – contributions, governed largely by Terms and Conditions (T&Cs). This has required early navigation of the legal issues surround copyright and user rights in virtual spaces and less obviously, cultural impact of the same.

Legally, MMO gaming contractual enforceability is undertested.  The T&Cs often require arbitration, which leaves little legal evidence or precedent as to how disputes are resolved. Many game companies are based in the United States, which has less strict consumer protection in relation to contractual protections than in the EU.   Cases brought forth regarding the nature of how these intangible assets are provided to the player have been compelling into arbitration in adherence with the T&Cs, leaving the other pertinent issues to confidential proceedings with no legal precedent. MMOs rely heavily on their relationship with the player community, and the players rely on the representations made through community leaders and through the legal instruments.

One of the most established multiplayer games, Dungeons and Dragons (D&D), has recently modified its T&Cs to revoke many of the rights users retained to their creative contributions to the virtual world.  Previously, all users were required to comply with and attach an Open Games Licence (OGL) to any community material, requiring the content to be open to any user, amongst other terms.   D&D has now ‘deauthorized’ their OGL 1.0, despite it previously being issued as ‘perpetual.’

This action reflects concerns that game developers rely heavily on community contributions for profit whilst retaining all of the rights to the possibly copyrightable material.  The outward facing representations often do not align with the text of the T&Cs, but the generally accepted relationship between the developer and users is one of tolerated (and sometimes even encouraged) infringement.  However, the recent D&D actions indicate that the developers may indeed intend to enforce rights after all, which indicates a shift in the way user creative contributions may evolve.

8.    Brown, Abbe (University of Aberdeen). Can You Really Get Your Act Together?

Keywords:   governance, control, data
Abstract. Technology and data can bring opportunities beyond the “cyber”, notably increased societal benefits in relation to environmental sustainability and energy and health.

This breadth brings the prospect of clashes between regimes (public and private) set up to address the wider goals, and those regimes which have a focus on technology and data, as a result of their different priorities and timelines. Examples are a focus on rewarding innovation and controlling information in the short and longer term (such as through intellectual property, freedom of information, trade secrets and data protection), or a more immediate collaborative and sharing approach to ensure that the societal goal is met.  The potential for such a clash is there when new regimes are created; regard to it is had rarely.  Yet is a combined approach being seen through the European strategy for data?

This research forms part of a wider project analysing stances being taken directly to data and technology by actors (legislators, regulators, funders, negotiators, activists) in different forms of law, governance and regulation (relating to marine biodiversity, environmental data, health research and energy) which have their own focus on wider societal goals. The wider project argues that there is a need for more holistic and less fragmented consideration of varied areas of law and values (such as sharing or control), as a means of achieving wider societal goals at a more structural and substantive level.

This paper will explore ongoing developments at EU level, to evaluate the extent to which a more holistic approach is being taken by the European strategy for data.  With goals of data sovereignty and global competitiveness, the strategy includes the Data Governance Regulation, Data Act, Directive on open data and re-use of public sector information. These new approaches to non personal data also sit alongside plans for intersection and and sharing of information through European data spaces – which include health, green deal and energy.

The paper will compare this landscape, and the pathway to it, with emerging findings from elsewhere in the project. The paper will evaluate risks and benefits which can be gained from the European data strategy for wider proposals regarding effective delivery of aligned and parallel regimes, and for the possibility of implementing a hierarchy or overarching common goals.

9.    Cavaliere, Paolo (University of Edinburgh Law School) and Li, Wenlong (University of Birmingham). Examining the Legitimacy and Lawfulness of the Use of Facial Recognition Technology in Public Peaceful Assemblies: Towards a Reconceptualisation of the Right to Freedom of Assembly in the Digital Era

Keywords:   Freedom of Assembly, Facial Recognition Technologies, Artificial Intelligence Act, European Court of Human Rights, Surveillance, Privacy
Abstract. The growing use of facial recognition technologies (FRTs) in publicly accessible spaces and particularly in the context of assemblies has attracted severe criticism and resistance worldwide. This particularly worrying use of FRTs sits at the intersection of deeper changes concerning both increasing capabilities of surveillance technologies and security concerns at the societal level, leading in turn to the fast uptake of preventive measures against perceived threats to national security (Fura and Klamberg 2012),  marking a distinct shift from reactive to proactive policies  in this field (De Hert 2005), especially in the wake of the 9/11 attacks and afterwards.

In response to this growing and now long-lasting trend, academic voices have raised a diverse range of concerns for the impact of FRTs over a number of human rights both online and offline. Most commentators have noted how these technologies impinge on the rights to privacy and data protection. As such, FRTs are largely conceptualised as a breach of privacy of privacy first and foremost, with limited focus, in comparison, on the specific link between technologies and other human rights such as the right to freedom of assembly. Similarly, in the case-law of the European Court of Human Rights the impact of FRTs on freedom of assembly has so far struggled to emerge as a discrete issue, oftentimes considered in conjunction with other rights like freedom of religion and expression. On several occasions, the Court has used a particular choice of words declaring a violation of article 11 ‘interpreted in the light of ’ Article 9 or Article 10.

In stark comparison to the lack of academic conversation, civil society voices have been quicker to raise the alarm, noting how FRTs can even exert a stronger ‘chilling effect’ than other surveillance tools (GCN, 2020) and disproportionately target minorities (Amnesty International, 2021).
The lack of a thorough conceptualisation of the specificities of the right to freedom of assembly and its interplay with FRTs is also apparent by the state of current legislative proposals put forward by European institutions. While the Council of Europe’s legal framework does not ban facial recognition, the EU has put forward a proposal for a draft EU artificial intelligence (AI) act, unveiled in April 2021, to significantly limit the use of biometric identification systems including facial recognition. If the Act passes in its current form, the use of real-time facial recognition systems in publicly accessible spaces for the purpose of law enforcement would not be prohibited as such, allowing Member States to set up judicial or administrative authorisations as deemed appropriate for identifying terrorists, finding missing children, and fighting serious crimes. But it remains contested in situations of public peaceful assemblies despite the seemingly legitimate reasons of use.

As EU authorities take steps to regulate FRTs and the European Court of Human Rights admits cases of FRT being used in public assemblies, this paper aims to contribute to a firm understanding of facial recognition as a direct restriction to freedom of assembly in its own right. We propose a framework of analysis which, by reflecting on the innate tensions between the right to freedom of assembly and security policies, seeks to refocus the debate on the regulation of FRTs on its impact on freedom of assembly and the urgent need to safeguard it adequately.

10.                      Celeste, Eduardo (Dublin City University). The Digital Constitutionalism Teaching Partnership: Connecting Virtual Learning Spaces with an Interdisciplinary Toolkit

Keywords:   legal education, teaching partnership, digital rights, interdisciplinary teaching toolkit, virtual learning spaces
Abstract. The paper analyses the benefits and challenges of setting up an international and interdisciplinary teaching partnership on digital constitutionalism. Since 2019, the Digital Constitutionalism Teaching Partnership has regrouped seven European universities (Dublin City University, Helsinki, Salerno, Bremen, Padova, Goldsmiths London and Maastricht) offering synchronous and asynchronous digitally-connected learning spaces to more than 200 students every year. The partnership presents an interdisciplinary character, aiming to advance students’ knowledge and practical skills in the field of digital rights from multiple disciplinary perspectives (law, political science, sociology, communication studies, international relations).

The first part of the paper reconstructs the context where the teaching partnership emerged, clarifying the positioning of this pedagogical initiative in the existing literature. The partnership did not originally present any structural support from the partner universities. It stemmed from occasional collaboration among researchers working in the field of digital rights and constitutionalism who teach undergraduate and postgraduate modules covering IT law or digital policies. The Covid-19 pandemic facilitated the organisation of synchronous online sessions, which were subsequently maintained in the 2021-2022 hybrid edition of the teaching partnership and integrated with in-person activities, also involving travelling abroad. The denomination ‘teaching partnership’ does not receive a univocal definition in the literature. References to teaching partnerships in law were not found. The paper will then propose a definition of the main elements characterising the digital constitutionalisation teaching partnership.

The second part of the paper investigates the benefits of the teaching partnership both for students and for teachers. From a student perspective the teaching partnership contributes to enhance the internationalisation of classes, interculturality, interactivity, motivation of students and acquisition of digital skills through a variety of assessment methods. From the perspective of the teachers, this initiative allows to develop a common teaching toolkit, benefitting from practices used across various disciplines, to crowdsource forms of assessment, and promote student involvement in public policy initiatives. In various editions, indeed, the teaching partnership relied on research-led activities to involve students in the drafting of policy documents that were later presented at public events with relevant law and policy-makers as well as other stakeholders.

The third part of the paper examines the multiple challenges of this initiatives. Logistical issues to solve included timetabling lectures across multiple time zones and the use of online platforms, in particular given a stratification of edtech platforms following the Covid-19 forced digitalisation of teaching. Data protection emerged as a complexity to address due to the exchange of student data for assessment purposes. The absence of structural funding for these types of initiatives at the partner universities originally led the lecturers involved in the partnership to cover student travel expenses with their own funds. The recent introduction of funding under Erasmus+ for Blended Intensive Programmes is explored as a potential solution to this issue. In particular, the paper examines the differences between the activities so far performed in the context of the teaching partnership and the definition of Blended Intensive Programmes according to the 2022-2023 Erasmus+ call.

11.                      Chomczyk Penedo, Andres (Vrije Universiteit Brussel). The Regulation of Data Spaces under the EU Data Strategy: Towards the ‘Act-ification’ of the 5th European Freedom for Data?

Keywords:   data spaces, data protection, free flow of data, digital single market
Abstract. Data, both personal and non-personal, is necessary for the development of a data-driven digital economy; while generating datasets can be costly, making existing ones available by sharing them can be a sensible alternative to pursue. But how exactly can this take place? The current landscape around databases is one of fragmentation and lack of interconnection. In this sense, data spaces have been proposed in the EU Data Strategy as the necessary infrastructure to enable an EU flourishing digital economy. However, it is surprising that their regulation is, for the time being, relatively scarce and spread out, with notable sectoral exceptions such as the European Health Data Space.

Not all information is equal as it is possible to distinguish between personal and non-personal data. Different rules have emerged in the last decade, and even more so in the last years, to tackle data-related legal challenges: from the General Data Protection Regulation up to the Free Flow Regulation but also including the recent Data Governance Act or the Data Act proposal. However, the boundaries between these two legal categories are becoming blurrier, particularly as non-personal can be combined using AI-powered tools to reidentify to whom such data belongs.

While all these rules put in place requirements to process information in a manner that does not compromise fundamental rights, those very same rules acknowledge that data should flow between those who need it. In this sense, certain EU lawmakers have proclaimed the emergence of a 5th European freedom relating to data, information, and knowledge flows, depending on the definition. It would be enshrined alongside the traditional freedoms for persons, goods, services, and capital flows that have constituted the core of the European Union and its economic integration process. As part of the Digital Single Market, data spaces might be necessary for the realization of this novel freedom.
While the catalogue of data-related rules is expanding, particularly through what some scholars have called ‘act-ification’, alongside ‘GDPR mimesis’ and ‘EU law brutality’, data spaces, despite their supposed key role, remain substantially in the regulatory shadows. While there is a proposal for the European Health Data Space on the table, the particularities of the health services sector, such as the abundance of sensitive data or patient-practitioner confidentiality duty, may cast doubts over whether this will be a blueprint used for further regulation.

Therefore, this contribution will explore what are data spaces from a regulatory perspective by tracing their policy origins and current reception in existing legislation. By doing so, we will try to answer whether the EU lawmaker is effectively consolidating a 5th European freedom -a right to free data flows- and how it reconciles with existing fundamental rights, particularly the right to personal data protection. Ultimately, this contribution will seek to answer whether a general-purpose regulation for data spaces is necessary to ensure a certain degree of cohesion across sectors.

12.                      Clifford, Damian (Australian National University) and Paterson, Jeannie (University of Melbourne). Banning Inaccuracy

Keywords:   Data protection, Consumer protection, Consent, Bans, Paternalism
Abstract. Ubiquitous personal data processing and the effects of personalisation have raised well-documented concerns. Concerns have also been explored relating to the accuracy of consumers services derived from intensive data processing. These kinds of services – from step counting, to emotion detection and mood monitoring, are typically presented in the form of ubiquitous devices or products. But they raise real concerns about the efficacy or accuracy of what is being offered, which typically rely on approximations and predictions that are unverified and opaque.

How does the law treat such concerns? And what is the appropriate regulatory response? At the centre of these debates is the data subject/consumer, and their protection. The current regulatory approach assumes our capacity to choose as active market participants. However, several authors have focused on how individual consent established in data protection and privacy law as a means of legitimising the personal data processing inherent to such devices law is ineffective. There is also a growing literature focusing on how data protection and privacy and consumer protection (and indeed, contract law) can work together to bolster this ideal of the rational individual at the centre of these protections. This response typically relies on producing clearer forms of notice or disclosure and demanding stronger manifestations of consent. But many scholars have called for more paternalistic interventions.

In previous work we have highlighted that this does not have to be a binary choice: We believe that paternalistic interventions in the form of targeted bans would improve the environment in which consent can function properly without removing the fictional rational data subject/consumer entirely from the framework.

The aim of this paper then is to explore the circumstances in which a technology may be banned/blacklisted. To contextualise the discussion there will be a particular focus on products/services where there are clear and well-documented accuracy concerns, such as emotional artificial intelligence. The paper will highlight how, although relevant, data protection and privacy law is incapable of being the regulatory solution to the problem presented. The dangers need a regulatory approached focused not only on the protection of personal data but also on the downstream effects associated with the use of such data. This is the role of consumer law and policy.
Importantly, we believe that this does not eliminate the role for consent but instead may make it more meaningful when it is given. In other words, our argument is that there is a role for more paternalistic interventions such as bans but that this does not remove the role for the individual consumer/decision maker.

The paper will therefore analyse the role of consumer law in regulating inaccuracy. It will draw a distinction between inaccuracy as (1) a fault and (2) an inherent feature of consumer products and services. The aim is to frame the relevant considerations in identifying when bans may be justified. In doing so the paper will interrogate the challenges associated with the ex ante regulation of inaccuracy and the policy and theoretical debates inherent to any paternalistic intervention (i.e. but more specifically in the form of bans), when pursuing the primary goals of consumer law: promoting consumer autonomy and protecting consumer welfare.

13.                      Cooper, Zachary (VU Amsterdam). The Utility of Incoherence: How Legislating the Present Confuses the Future

Keywords:   The Utility of Incoherence, Regulation of Emergent Technologies, Blockchain, Technology Within the Law, Algorithms in the Judiciary

Abstract. A glut of legislation has been passed in recent years in pursuit of greater control of internet architectures and the behaviour they harbour. This emergent law seeks to massage cybertechnologies in line with its in own ideologies. However, the relationship is a mutual one, and legislation is itself moot if it is not beholden to the functionality and ideologies of that which it seeks to regulate. As these architectures have become progressively more entangled and co-dependent, the law has become less malleable to other disparate emergent technologies. This web of legislation may therefore backfire, where it is fundamentally incapable of regulating architectures upon which its application is entirely incoherent. Thus, even legislation which is ostensibly tech-neutral will not be able to meaningfully regulate technologies which were not considered at the time of drafting. We may look to, for example, the fundamental incoherence of applying the General Data Protection Regulation to public permissionless blockchains.

Thus, where much discourse around emergent technologies is often built around whether a technology is going to be able to replace the functionality of a prevailing technology, the greater challenge to the law in fact comes with non-replacement. As disparate emergent technologies of increasing sophistication regulate behaviour through their own in-built privatized regulatory infrastructures, reinterpretation of existing legislation in an attempt to stretch its remit risks fundamentally endangering its pre-existing coherence. The greater the level of sophistication and depth of coherence between prevailing technological and legal infrastructures, the more this danger exacerbates. Thus, as with the private community resolution of the Decentralized Autonomous Organization (DAO) Hack, which actively avoided a judicial intervention that would have clarified the legal character of any number of new concepts and entities, we may find that we are more comfortable allowing these technological infrastructures to privately regulate themselves, rather than undermine the functionality of our current legislative web.

Thus, paradoxically, a greater density of cyberlegislation may in fact lead to a future of even lower regulatory control, as the increasing specificity of regulatory application can be more readily exploited by design, with multiple fringe architectures co-existing with functionalities intentionally abstracted from legal regulatory models. I refer to this speculative future as “the regulatory multiverse”, wherein a centralised controlled framework distracts from a peripheral landscape wherein fragmentation and legal incoherence abounds.

Is such a future improbable, fundamentally limited by our inability to develop technological architectures of requisite innovation or utility at a fast enough rate to create such confusion? Or will the inherent utility of incoherence be exploited by design, as it currently is by AI and blockchain technologies? And how can we avoid such a future if not through drafting ever more bespoke legislation, deepening the web of coherence to be exploited? Critically, if the law is to maintain its regulatory sovereignty over the future, it may need to disentangle itself from the architectures of the present.

14.                      Da Rosa Lazarotto, Bárbara (Vrije Universiteit Brussel). The Right to Data Portability: An Holistic Analysis of GDPR, DMA and the Data Act

Keywords:   The right to data portability, GDPR, Digital Markets Act, Data Act

Abstract. The right to data portability is a right enshrined by the General Data Protection Regulation which aims to empower data subjects by giving them more control, giving them the right to obtain a copy of their personal data and the right to transfer data directly from one controller to another. Most recently, the Digital Markets Act and the Data Act Proposal also touched on the right to data portability, adding new nuances to this right. However, due to many factors – such as the lack of proper regulation, technical capability, and data protection deadlocks – the right to data portability has found little or no application in reality. Due to this innocuousness, data subjects are left in a grey zone, having little control over their data, benefitting data controllers which hold on to data that otherwise would be ported to other controllers. In this context, this paper explores the complementarities and conflicts between the right to data portability as enshrined in the General Data Protection Regulation, Data Markets Act and Data Act Proposal. Taking into consideration the underlying objectives of these Regulations, namely the protection of data subjects’ personal data, the regulation of digital markets and the development of the European data economy through the free flow of data. Through this paper, we propose not only to proceed with a comparative analysis of the right to data portability but to advance on a holistic analysis of the tangible application of the right and how these regulations might permit the application for the benefit of data subjects or maintain the status quo.

15.                      De Amstalden, Mariela (University of Birmingham). Future Technologies and the Law: Regulating Cell-Cultivated Foods

Keywords:   future technologies, sustainability, global governance and regulation

Abstract. It is no longer a science fiction tale. In December 2020, a table of four sitting in a luxurious Singaporean private members club was served the world’s first dish made with lab-grown meat ever sold in a restaurant. Garnished with bean puree and accompanied with a bao bun and waffles, these chicken nuggets of the future had only been approved for sale by the Singapore Food Agency a mere weeks before, after a lengthy (if opaque) inspection process that had lasted over two years. The moment was significant because it marked the operationalisation of the very first regulatory approval anywhere in the world for foods produced using cell-cultivation technology.

Such future technologies are redefining fundamental elements of our life, and these innovations promise to change the way we perceive, behave, socialise and even eat. Lab-grown, cell-cultivated or ‘cultured meat’ is estimated to become widely available for sale directly to global consumers imminently. Provided that the technological scale-up for mass consumption is successful, the multitrillion global meat market appears to be on the verge of a disruption unlike anything seen in times past. Cultured meats, with its cells being grown in bioreactors instead of slaughtering animals, have been praised with the potential to display far-reaching effects on climate change mitigation, food security and animal welfare.

This presentation explores the role of global governance mechanisms, in particular experimentalist governance, in responding to the array of issues that future, transformative (bio)technologies pose for the law: from responses to risks in light of scientific uncertainty, labelling and consumer protection, restrictions on international trade and intellectual property, to raising ethical and philosophical questions. While there appears to be a lack of an integrated understanding about the nature, causes and implications of regulatory shifts (if any) addressing future technologies, this presentation asks whether and to what extent effective, agile and responsive legal frameworks can and should be designed to promote innovation that aims at tackling pressing global challenges.

Based on the premise that scarce responsiveness in regulatory frameworks has the potential to significantly stifle innovation, this presentation will also deliberate about the potential to construe cell-cultivation technology as a ‘technology of abundance’. It ultimately reflects on the continuing emergence of novel forms of global governance – understood as a highly dense and complex cooperative system of entities that are public and private, international and regional – in spite of increasing tendencies towards geopolitical fragmentation and de-globalisation.

16.                      De Conca, Silvia (VU Amsterdam). The Present Looks Nothing like The Jetsons: A Legal Analysis of Deceptive Design Techniques in Smart Speakers

Keywords:   deceptive design, dark patterns, data protection, consumer protection, Smart speakers
Abstract. This paper maps the deceptive design techniques deployed by Alexa and Google Assistant to manipulate users into sharing more data and buying products, discussing how the GDPR, UCPD, DSA, and AI Act apply to it. The goal is to identify potential overlapping, conflicts, or gaps in the law, proposing solutions to empower users and foster a healthy digital market.

Amazon Alexa and Google Assistant are virtual assistants (VA), that is a software that allows users to operate smart devices via voice commands. VAs are embedded into smartphones or purpose-built speakers, and are marketed to consumers as the personal assistants that will simplify the lives of the whole family. The natural language interaction and the capabilities of VAs are powered by advanced machine learning and by the collection of large amounts of personal data of users. In order to build a long-term relationship with the users and make sure they share data on an almost constant basis, VAs have been designed to prompt and stimulate individuals to interact with them, or to act on their prompts by purchasing goods or visiting web pages.

This persuasion is obtained using various deceptive design techniques (also known as dark patterns). Many deceptive design techniques have already been identified in relation to websites, especially e-commerce and social networks. However, because of the vocal interaction, some of the deceptive design techniques used by VAs present innovative features and a peculiar functionality.
By mapping the techniques used by Amazon and Google, the paper identifies the most problematic and undesirable ones, ordering them into categories based on the most popular deceptive design typologies: Vocal Prompts (given during a conversation with the users); Visual Prompts (given while the VA is dormient on those devices equipped with a screen); Strategic Replies containing ‘personalised’ offers; and the Peer-Like Relationship established between the human and the machine, aiming at profiling the user for preferences and vulnerabilities. Based on this distinction, the paper analyses a selection of secondary EU law provisions, focusing in particular on the GDPR, UCPD, DSA, and the proposal for AI Act.

The contribution of this paper is two-fold: on the one hand it identifies several uncertainties in the application of the abovementioned legislation to VA deceptive design, offering the chance to reflect on the systemic gaps existing in the regulation of deceptive design at European Union level.
On the other hand, by focusing specifically on virtual assistants, this paper shows how these very popular, yet still new, devices are changing the ways in which individuals experience the internet. The paper unveils that the vocal interface used by VAs requires some adjustments in those provisions and rules designed with screens, monitors, or even paper in mind. This is particularly important to empower users and protect the (digital) rights of individuals, especially in the light of the diffusion of the Internet of Things and the smart home, and the subsequent blurring of the boundaries between the online and offline sphere.

17.                      Degalahal, Shweta Reddy (Tilburg University). Reconsidering Data Protection Framework for Use of Publicly Available Personal Data [8840]

Keywords:   Privacy, Data protection, Digital public sphere, Clearview AI, Publicly available personal data
Abstract. In early 2020, news reports of Clearview AI developing a facial recognition tool that was trained using publicly available images of individuals from social networking sites started surfacing. Soon after, Clearview AI’s practices were challenged across the European Union and United States. The common thread across most of the orders for fines has been the reiteration of the need to provide privacy notice to individuals and the importance of transparency of processing operations of entities. Despite the vast theoretical and empirical literature on consent fatigue and the limitations of the transparency ideal, the obligation to provide a privacy notice and seek informed consent seems to be the primary mode of protection offered to publicly available personal data.

Prior to 2020, debates on privacy in public started gaining traction after introduction of surveillance cameras and facial recognition on public streets. These debates focused on privacy invasive measures using digital technologies that lead to constant surveillance in physical public spaces. However, such constant surveillance extends to digital spaces as well. The interconnected and interoperable nature of digital platforms combined with the ability to create vastly detailed sensitive profiles of individuals through data aggregation techniques makes defining what is public for the digital space complicated and worthy of further research. The fact that Clearview AI’s web scraping activities were challenged by data protection authorities only after news reports of their activities begs the question if the current safeguards for publicly available personal data are adequate. The paper will examine this question through the jurisdiction of EU and US. EU and US have been identified as in scope for research as both these countries represent different approaches to privacy protection i.e. privacy as control and privacy as social norms respectively. The scope has been  narrowed down to fourth amendment jurisprudence from the US and the GDPR in the EU as these largely reflect the attitudes of the regulator and legislator towards protections offered to publicly available personal data. The adequacy of these protections will be evaluated against the Contextual Integrity framework proposed by Helen Nissenbaum to examine if norms surrounding contextual disclosure have been adequately translated into the legal frameworks. Based on US’s approach towards data protection and the contextual integrity framework, additional measures that can enhance said protection in the EU will be proposed.

18.                      Diker Vanberg, Aysem (Goldsmiths, University of London). Application of EU Competition Law to Artificial Intelligence and Chatbots: Is the Current Competition Regime Fit for Purpose?

Keywords:   AI, chatbots, EU Competition Law, DMA, GDPR

Abstract. The development of machine learning, complex algorithms and advancements in big data processing have led to innovative applications of Artificial Intelligence (AI). For instance, ChatGPT, a chatbot released in November 2022, has captivated online users with its ability to answer a variety of complex questions in a logical and articulate way albeit not always accurately.  As technology advances and the cost of storing and analysing data gets lower, more companies are investing in machine learning to assist in pricing decisions, planning, trade, and logistics. With the advent of the Internet of Things (IoT ), our daily activities such as our consumption and transport habits are increasingly collected and used/exploited by companies.   These developments raise a plethora of challenging legal and non-legal questions with regard to the relationship between man and machine, control, and lack of control over machines and the accountability of these machines for their activities.
The use of AI is likely to give rise to a wide range of competition law issues.  First, if a few market players, such as Google, and Facebook, dominate the development and deployment of AI, these companies may leverage their existing market power to drive out competitors leading to increased market concentration.  Second, companies with a dominant market position may use AI to engage in predatory pricing to drive out competitors. Third, AI may be used for price fixing, which would reduce competition and harm consumers, as evidenced in Case 5023, in which the Competition and Markets Authority has issued a penalty to online sellers of posters of frames, as they have used automated re-pricing software to implement a price-fixing agreement not to undercut each other’s prices on Amazon UK. Fourth, the development of intelligent chatbots and AI may require significant investment which could create barriers for new entrants.  Finally, companies may use AI to bundle or tie products and services to other products and services to create barriers to entry for new competitors.
In this context, this paper concentrates on competition law issues that are likely to arise by the development of AI, with a particular focus on intelligent chatbots, and analyses whether EU Competition Law is fit to deal with the challenges posed by AI. The paper argues that EU competition law combined with other legal instruments such as the DMA and the GDPR is fit for purpose. Nevertheless, given the emerging nature of AI, the European Commission should lead the way to develop further guidance in this field in cooperation with other stakeholders such as data protection, consumer protection agencies and technology companies.

19.                      Dinev, Plamen (Lecturer, Goldsmiths, University of London). Consumer 3D Printing and Intellectual Property Law: Assessing the Impact of Decentralised Manufacturing

Keywords:   Intellectual property law, 3D printing, Empirical, Socio-legal, Disruptive technology, Copyright, Patents, Trade marks
Abstract. As a technology which allows users to ‘convert’ informational content into tangible objects on a decentralised basis, 3D printing may call into question well-established intellectual property (IP) norms and policies. While the technology is not new in the strict sense, its consumer side is certainly novel and fascinating. Desktop 3D printing has the potential to democratise production, equipping users with manufacturing tools and allowing them to make various creative decisions. But it is also this particular aspect of the technology which is especially controversial from the perspective of IP law: the key issue here is not how things are done, but who does things. Unlike the file sharing issues experienced in the past, 3D printing goes beyond copyright and allows users to interfere with all major IP rights. As the lack of legal certainty in this area has already raised concerns among stakeholders, this paper draws on a combination of legal and empirical methods with the aim of contributing to evidence-based policymaking.

There are a range of important legal and policy questions raised in this context: what measures can be adopted to mitigate the risk of decentralised infringement, especially as 3D printing allows traditional methods of control to be circumvented? Does the technology further challenge the IP framework’s ability to maintain artificial scarcity in the digital age (in an environment where copying is the norm, not the exception) and how should the law respond? It is also unclear whether IP law provides adequate protection for 3D printing design files, considering that they may contain a diverse range of products protectable by different rights and some areas, such as patent law, have not yet experienced the full force of digitisation. What are the norms, practices and attitudes towards IP and licensing within the community? Is IP actually a concern?

To address these complex doctrinal and normative questions, the paper first looks at the wider socio-economic implications of the technology and its ‘disruptive’ potential, before considering the challenges it poses to IP theory and practice. It examines the novel legal issues that 3D printing raises in the context of UK and EU IP law, drawing on relevant provisions, case law, and taking into account key technological aspects which are commonly overlooked in the legal literature. The paper then presents the results of the author’s empirical research, offering one of the most comprehensive case studies on the topic to date. Through two streams of data collection involving 171 research subjects from the UK, EU and US (including industry representatives from some of the world’s leading 3D printing companies, engineers, lawyers, and end users), it aims to assess the urgency for reform, capture the experiences and views within the community, and gauge the extent to which IP is a concern. The conclusion is prescriptive in nature, offering specific solutions and recommendations.
Disclaimer: The empirical component of this study was completed as part of my PhD which was funded by the City Law School and the Modern Law Review

20.                      Esposito, Maria Samantha (Politecnico di Torino). Regulatory Perspectives for Health Data Processing: Opportunities and Challenges

Keywords:   health data, data protection, fundamental rights

Abstract. The exploitation of the vast amount of health data available in Europe could represent a huge opportunity for healthcare delivery and innovation. The COVID-19 pandemic highlighted the value of effective access to and sharing of health data, underlying the importance of stronger coordination among European countries to protect people’s health better. To overcome this need, the EU legislator in 2020 put the basis for a solid European Health Union, in order to improve EU-level protection, prevention, preparedness and response against health emergencies.

The European Health Data Space (EHDS) is the first proposal to address this need, supporting the digitalisation of health data and promoting their availability, access and sharing at the European level, to both public interests and the interest of patients. At the same time, this Regulation has important interactions with other existing and forthcoming European data regulation initiatives (e.g. Data Act, GDPR, Data Governance Act, Digital Market Act, the Artificial Intelligent Act), as well as with various national health data-related policies.

Against this background, despite the EHDS recognising the importance to ensure a clear framework as well as coherence and consistency between all data policies and regulations, several provisions in the current proposal are unclear or seem inconsistent with other legislative measures. This is the case, for example, of the definition of ‘data holder’ in the EHDS Proposal, in relation to which the interplay with the definition of ‘data holder’ provided in the Data Act and in the DGA is unclear. Similarly, issues arise from the definition of ‘data user’ in the Proposal and its relationship with the definition of ‘data recipient’ in the same Proposal, as well as with the definition of ‘recipient’ in the GDPR and the notion of ‘data user’ in the DGA.

As a result, this multi-layered collection of provisions in the field of health data leads to legal uncertainty and negative outcomes, both for patients and for regulators and businesses. The former will be inclined not to share their data and the latter will be forced to bear significant enforcement costs stemming from various policies.

This paper will discuss the critical issues emerging from the current European Health Data Space proposal stressing the need for greater clarity in the definitions and rules laid down in the Regulation and in the interplay between its provisions and other data-related initiatives. Finally, the paper provides some suggestions to address this complex regulatory scenario in the field of health data processing to ensure the effective use of data and, at the same time, protect human rights and freedoms.

21.                      Faturoti, Bukola (University of Hertfordshire) and Osikalu, Ayomide (Ayomide Osikalu & Co, Lagos, Nigeria). When Bitterness Mixes with Romance: The Weaponisation of Pornography in Africa

Keywords:   revenge pornography, cybercrime, Africa, blackmail, sextortion
Abstract. The steady inroad of digital technology in Africa has orchestrated a cultural shift in the creation and consumption of creative content. Thanks to the proliferation of mobile phones and the penetration of internet services. An average African netizen has developed a penchant for recording social, political, and cultural activities. This attitude has now extended to creating homemade or amateur pornography videos. When being recorded, the existence of the passion video is only known to the participants until the relationship goes sour, except when it is inadvertently leaked. In the last decade, Africa has witnessed a rise in incidences of revenge pornography. Although it is common among celebrities and public figures, the victims are not limited to any societal status. Revenge pornography is an emerging variant of cybercrime in Africa. Despite the outcries that usually accompany its release, it is less theorised, and the law surrounding it is underdeveloped compared to other cybercrime, like financial crime. The research investigates the state of revenge pornography under the law of selected African countries. It explains why there is a paucity of case law despite the growing incidences. It argues that the genderisation of the crime may also leave some members of society without protection

22.                      Flaherty, Ruth (University of Suffolk). ChatGPT: Can a Chatbot be Creative?

Keywords:   artificial intelligence, creativity, copyright, machine learning, text and data mining, copyright infringement

Abstract. The way copyright applies to derivative reuses of creative works such as fanfiction by humans is well known, having been updated recently by the CDM Directive and case law such as Shazam Productions. However, what is less well known is how this applies to similar works generated by Artificial Intelligence. Can a machine learn how to be ‘creative’ enough to attract copyright protection? Furthermore,’style’ is not a protectable characteristic in copyright due to the idea/expression dichotomy, so does this mean derivative works written by bots should be permissible? This presentation will use a sample of AI-generated fanfiction from Chat GPT as a case study to analyse the ways current copyright law and AI laws apply to machine learning outputs. Text and data mining legislation and laws relating to how the AI ‘learns’ from its material will be analysed to explore whether there is any harm created by this form of reuse, and if so who suffers the harm, and who is responsible for it. This will add to the literature surrounding the use of artificial intelligence.

23.                      Fras, Kat (Vrije Universiteit). Article 22 of the GDPR: In Force Yet Redundant? The Relevance of Article 22 in the Context of Tax Administrations and the Automated Decision Making

Keywords:   gdpr, tax, automated decisions
Abstract. Since the adoption of the GDPR, the process of automated decision-making has been framed within the legal boundaries within the article 22 of the GDPR. In the year 2023, the automation of tasks within the tax authorities in the entire EU has become the new normal. More precisely, a plethora of researchers demonstrates that up to 90% of the decision at the tax administrations are made in an automatic manner. Each of such decisions constitutes a certain influence on the positions of the taxpayers, varying in their legal effects on them.

GDPR as a legal act is applicable to the workings of public administrations, including tax authorities. So far, there have been many cases at the national as well as EU level where taxpayers invoke the GDPR in the context of their legal proceedings regarding the lawful processing of personal data, data transfers, and others in regard to art. Art 5 and Art. 15 of the GDPR. These articles offer a certain degree of de iure protection to the taxpayers.

In contrast to these articles stands art. 22 which offers legal safeguards for taxpayers in regard to automated decisions. However, in fact, many of the Member States have applied derogations to this article, including the Netherlands and Poland. According to the Dutch derogation of the art. 22 “Article 22(1) shall not apply if the automated individual decision-making, (…)  necessary to comply with a legal obligation imposed on the controller is necessary for the performance of a task carried out in the public interest. 2 (…) the controller appropriate measures for protection of the rights and freedoms and legitimate interests of the data subject.” According to the Polish derogation “The processing of data may take place in an automated manner, which may involve automated decision-making (…) This applies to the following cases: assessing the risk of violation of the law, where this assessment is made on the basis of the data declared in the submitted documents, based on established criteria, assessing the risk of violation of the law, where this assessment is made on the basis of data obtained from publicly available registers and social networking sites, based on established criteria. In the above cases, is automatic classification to the risk group, where qualification to the group of unacceptable risk may result in a change of relationship and taking additional actions provided for by law.”

In both derogations, I identify certain issues that I intend to investigate in this paper. The main question of this paper is whether art. 22 of the GDPR offers any substantial (de facto) legal protection of the taxpayers in light of the derogations applied by Member States.

24.                      Fteiha, Bashar (University of Groningen). The Regulation of Cybersecurity of Autonomous Vehicles from a Law and Economics Perspective

Keywords:   Cybersecurity of Autonomous Vehicles, Cyberattacks, Law and Economics, Incentives Regulation
Abstract. While Autonomous Vehicles (AVs) promise to generate considerable benefits to the society, they are still fraught with many cybersecurity risks which make their introduction onto the European roads far from guaranteed. More specifically, the fact that AVs operate using highly sophisticated computerized systems and software as well as rely on connectivity and network communications makes them highly vulnerable to cyber-attacks. In particular, it appears disconcerting that deeply rooted defects in AVs software or network systems could be exploited by hackers for malicious intentions. Additionally, the gravity of the current situation is further exacerbated by the absence of a tailored legal framework regulating the cybersecurity of AVs. Central to this latter view is the fact that the successful uptake of AVs is significantly reliant on the introduction of a legal framework addressing the cybersecurity risks that come along with them. Therefore, the key question that arises in this context is how should this legal framework be designed and formulated at the European level? In answering this question, the use of Law and Economics approach, more specifically the theory of optimal enforcement could serve as a useful tool in developing a regulatory framework for the cyber-security of AVs. Law and Economics views legal rules as a system of incentives guiding future actions to achieve  a given purpose. This is particularly relevant in the context of cybersecurity of AVs because they are vulnerable to cyberattacks due to the absence of the security-enhancing incentives that motive the responsible actors to sufficiently protect their vehicles against cyberattacks. Therefore, the problem of cybersecurity of AVs is not only a question of technology, but one where human factor is equally important because security-enhancing incentives are lacking in the automotive industry. Worth noting, the main stakeholders involved in the design and development of  AVs, including the manufacturers of AVs, component makers and suppliers have different roles and incentives with respect to the cyber-security of the AVs. Hence, this contribution intends to employ the theory of optimal enforcement to examine which legal instruments (private enforcement through liability or public enforcement through safety regulation or perhaps a smart mix) will be more suitable for providing the necessary security-enhancing incentives that gear the actions of the main stakeholders towards ensuring that AVs remain secure and resilient in face of cyberattacks. Accordingly, the primary focus of this contribution is to examine an incentives-based regulatory framework can be structured with the aim to guide the actions of the key stakeholders towards enhancing the security of such vehicles.

25.                      Gordon, Faith (Australian National University). Rights of Children in the Criminal Justice System in the Digital Age: Insights for Legal and Judicial Education and Training

Keywords:   Children, Digital, Education
Abstract. The impact of the digital age on the justice system, in particular social media platforms and new technologies is a significant concern, yet it is under-researched in the context of children, the principle of ‘open justice’ and the work of Children’s Courts in criminal matters and in university and practice training for lawyers. In addressing contemporary concerns that exist, this scoping study will explore the existing tensions between children’s rights, the open court environment, the principle of ‘open justice’, and digital technology, from the perspectives of professionals and key stakeholders. This presentation is linked to a project that is funded by the AIJA and it identifies how the work of the Children’s Courts is portrayed and what the Courts, judicial officers and key stakeholders identify as the opportunities and challenges of emerging digital technologies and social media platforms on the work of the Children’s Courts and the principle of ‘open justice’.  The core themes of exploration are therefore: representations of children in contact with the criminal justice system; representations of the work of the Children’s Court related to criminal proceedings; opportunities and challenges of the digital age for the Children’s Court. The paper will present some key insights and implications for legal and judicial education and training in the digital age.

26.                      Griffin, James (University of Exeter). The Challenge of Quantum Computing and Copyright Law: Not What You Would Expect

Keywords:   Quantum, Copyright, Balance, Reform

Abstract. Quantum computing poses a challenge to existing copyright law, but not in the ways in which we are accustomed. Increasing iterations of technologies since the inception of copyright law have seen an increase in the ability to make easy copies. However, quantum computing potentially turns that on its head, making it potentially more difficult to make copies.

Quantum computing was initially founded as a means by which to answer complex questions of quantum mechanics. Like quantum mechanics, its very basis is one of uncertainty. A quantum computer can work exponentially faster than a digital computer. This is because binary (such as 01010101) is replaced with probabilities, allowing for faster number crunching and faster execution of code.

Quantum data is unique, due to the infinite possibilities with quantum probabilities. This uniqueness means that, whilst it is possible to make copies that appear exact, there will be the ability to establish if something is a copy or not within the code itself. Indeed, this author submits that there are two likely outcomes from quantum computing:

1) An enhancement of existing proprietary copyright boundaries
2) An increase in the tracking and tracing of content

For (1), this occurs because every ‘copy’ will contain unique differences, meaning it will be far easier to detect unauthorised copies. For (2), an increase in tracking and tracing will occur due to the technology itself, but also because of the specific legal protection that currently exists under s.296 CDPA 1988 (and other similar provisions in other jurisdictions stemming from Art 12 WIPO Copyright Treaty 1996).

In summary, quantum computing will enhance rather than decrease the enforcement of copyright law. This is in contrast to digital technology, which required legal amendments. Given that digital technology is looking increasingly obsolete due to difficulties in small scale manufacture, digital technology could even be described as a ‘false turn’ in our understanding of the propensity of technology to encourage easy reproduction of copyright works. This is even more so considering other upcoming technologies, such as biological compute chips (using synthetic neurons) & photonic computing. These also are likely to share the same characteristics of quantum computing when it comes to copyright law.

The argument of the paper is that regulators should be extremely wary of any attempts to extend or enhance current copyright regulation over newer non-digital technologies. If anything, attention should be paid to the question of whether existing laws might combine with these newer technologies in ways that might undermine the copyright balance, by considerably strengthening the positions of existing right holders.

27.                      Guan, Taorui (The University of Hong Kong). Intellectual Property Legislation Holism in China

Keywords:   intellectual property legislation, China, innovation policies, pluralism, holism
Abstract. China’s intellectual property system has long been of interest to Western scholars. However, little research has analyzed it systematically. Existing studies mainly concentrate on whether the system provides property rights to intellectual products and whether it protects these rights effectively. While few would deny the importance of intellectual property protection, limiting their attention to this aspect has kept scholars from developing a broader understanding of China’s intellectual property system. Since the Chinese government adopted the National Intellectual Property Strategy Outline in 2008, it has taken a holistic approach to building the system, meaning that its legislation has come to focus not only on the provision of property right protection to intellectual products, but also on the creation of intellectual products, the implementation of intellectual products and their property rights, the management of them, and the supply of intellectual property-related services.

To provide a more comprehensive view of China’s intellectual property system, this Article reviews the legislative history of China’s intellectual property law and presents the reasons for the Chinese government’s adoption of this holistic approach to legislation. It also analyzes this approach through a systematic survey of intellectual property laws that the Chinese government has enacted, at both the central and local levels. It demonstrates that the holistic approach to intellectual property legislation is a manifestation of the Chinese government’s deliberate adoption of pluralistic innovation policies with the goal of systematically enhancing its innovation capacity. While the effectiveness of this approach remains to be seen, it highlights issues that are also relevant to policymakers in developing countries. The Article also describes the role that the Chinese government plays in innovation through its intellectual property system. While this state-driven model of innovation is able to concentrate resources in critical technological areas, it is subject to challenges related to decision-making and rent-seeking.

28.                      Guillén, Andrea (Institute of Law and Technology, Faculty of Law, Autonomous University of Barcelona). Automated Decision-Making under the GDPR: Towards the Collective Dimension of Data Protection

Keywords:   Data protection, Automated decision-making systems, Profiling, Algorithmically-determined groups, Collective harms

Abstract. Automated decision-making systems are used both in the public and private sector to make decisions about individuals in multiple areas with legal, economic, and societal impact, including education, social benefits, criminal justice, employment and finance. The growing deployment of such systems has been facilitated by the increasing ability to collect and process vast amounts of personal data. Hence, the General Data Protection Regulation (GDPR) has been considered a useful tool to deal with algorithmic harms arising from automated decision-making systems. The GDPR is particularly relevant to the regulation of these systems for Article 22 specifically addresses “Automated individual decision-making, including profiling”.

The literal text of this provision illustrates how data protection laws are commonly based on an individualistic paradigm. Yet the way automated decision-making systems operate challenges the foundations of individual data protection rights, in favour of a collective approach. Automated decision-making systems make use of profiling techniques to analyse clusters of people with allegedly shared properties rather than individual behaviour and make decisions upon. The nature of such algorithmically-determined groups renders individual rights largely ineffective.

Members of these ad hoc groups do not know (i) that they are part of the group; (ii) who else is in the same group and, consequently, cannot interact with other members; (iii) what other groups exist and how they are treated in comparison to those other groups; and, (iv) the consequences that belonging to that group has on their chances in life.

Such lack of awareness calls for an additional layer of protection at a collective level to overcome the limits of individual rights set out in data protection laws. In particular, it begs the question, does the GDPR address the collective dimension of data protection?

This article contends that, although data subject’s rights related to automated decision-making are insufficient to provide collective protection, other GDPR provisions –representative bodies, data protection impact assessments and certification schemes– could prove useful. While these provisions appear to be most promising for safeguarding collective interests, they are flawed. Hence, proposals to address their shortcomings are also provided.

The role of representative bodies in safeguarding collective interests could be strengthened if prior data subjects’ mandate were not required. Civil society bodies would significantly benefit from access rights that could be introduced through the non-exhaustive list of rights under Article 22(3).

DPIAs could serve as a robust mechanism to reinforce the collective dimension of data protection. Meaningful stakeholder’s consultation and disclosure of genuine, relevant information ought to be strongly encouraged. Lastly, certification schemes provide certification bodies with holistic access to the system, which could thus become effective watchdogs in specific fields.

The GDPR does provide the building blocks of the collective dimension of data protection. However, drawbacks need to be addressed to significantly enhance protection at the collective level in the GDPR. Future research should focus on how this collective dimension could benefit from other fields, such as non-discrimination and consumer law, and how these could aid at filling the gaps of the GDPR at the collective level.

29.                      Gulczynska, Zuzanna (Ghent University). Processing of Personal Data by International Organizations and the Governance of Privacy in the Digital Age

Keywords:   processing of data by international organizations, data protection, right to privacy, international governance of privacy, extraterritoriality of EU law, GDPR

Abstract. The recent reform of the EU’s data protection framework has attracted global attention due to the broad scope of application of the General Data Protection Regulation (GDPR), as well as its strict data transfer rules. These two features have resulted in the de facto imposition of European rules on entities outside the EU’s jurisdiction exporting its standards globally, which, in turn, has triggered many questions about both the legitimacy of the “Brussels effect” and, more generally, effective governance of privacy in a borderless digital context.

A related topic that has received far less attention is that the GDPR has, for the first time, expanded the scope of data transfer provisions to include transfers to international organizations (IOs). While this can be justified by concerns about the comprehensiveness of the protection provided to data leaving the EU, it brings the “extraterritoriality of EU law” to another level, creating potential conflicts not only with other national laws, but also with international law. Concerns about the new rules have been expressed by the United Nations (UN), as IOs – also those from the UN family – have been regularly asked to comply with EU data protection standards since the GDPR came into force and at multiple occasions were faced with refusals to share data from EU actors.

This phenomenon raises new issues in the global discussion of informational privacy and its place in international law governing IOs, inter-States relations and regulatory approaches to the digital environment.

The issue of data processing by IOs in the broader (legal) context in which they operate has received limited scholarly attention. When the topic is addressed, it is often piecemeal.  Indeed, the existing literature on the subject takes either the viewpoint of IOs and their need to process data to fulfill their mandate; or the perspective of municipal (typically EU) law, discussing the legitimacy (or lack thereof) of EU applicability claims in light of EU constitutional framework, particularly fundamental rights. What is missing, however, is a combined perspective of both international and national legal orders and their assessment against the broader backdrop of digital governance and informational privacy.

The Article aims to fill this gap. It combines both the perspective of international law and that of municipal law on the processing of data by IOs. What balance should be struck between the functional autonomy of IOs and the (indirect) imposition by States of their national standards in this regard? Can such an approach be justified under international law by the objective of advancing the fundamental right to privacy? Or should this approach be considered unlawful given the international community’s lack of agreement on the content of the right to informational privacy? The Article discusses these issues against the broader background of the search for suitable solutions to regulate the borderless digital sphere.

30.                      Gupta, Indranath (O.P. Jindal Global University, India) and Naithani, Paarth (O.P. Jindal Global University, India). Recent Trends in Data Protection Legislation in India: Mapping the Divergences with a Possible Way Forward

Keywords:   Data Protection, GDPR, Digital Personal Data Protection Bill 2022, India, EU

Abstract. India is yet to have a comprehensive data protection legislation that would cater to various issues relating to the processing of personal data. The recent passage of the Digital Data Protection Bill in 2022 is the newest endeavour in the process of making the first data protection legislation in India. The Bill is open for public consultation. The idea of data protection is not an unheard concept in India, having a background of more than a decade. In the last decade or so, several attempts have been made to provide answers to the ever-increasing questions relating to data protection measures assuring privacy to individuals. The first data protection intervention in India happened as early as 2008 through the amendments to the Information Technology Act 2000. The amendments introduced Sections 72-A (Punishment for Disclosure of information in breach of lawful contract) and 43-A (Compensation for failure to protect data). After that, there were several attempts including but not limited to the passage of The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). In 2017, the Supreme Court of India recognised the right to privacy as a fundamental right under the Constitution of India in the landmark case of KS Puttaswamy vs Union of India. The Supreme Court recognised the need for a comprehensive data protection legislation in India. 2018 was a landmark year with the publication of the report entitled “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians”, released by the Committee of Experts under the Chairmanship of Justice B.N. Srikrishna. Other efforts include the Personal Data Protection Bill, 2019, introduced in Parliament (which was a revised version of the PDP Bill, 2018) and the Report of the Joint Committee on the Personal Data Protection Bill, 2019 (JPC Report). The JPC also released the Data Protection Bill, 2021.

Therefore, the recent attempt in 2022 must be understood in the context of all those previous attempts. This paper maps the divergences in data protection endeavours over the years in India and proposes a way forward while comparing the existing data protection framework under EU GDPR.

31.                      Harbinja, Edina (Aston University). Regulatory Divergence: The Effects of UK Technology Law Reforms on Data Protection and International Data Transfers

Keywords:   digital regulation, data protection adequacy, cross-border data protection, law reform, UK technology law and regulation
Abstract. The paper examines examples of ongoing law reforms in technology law in the UK and the EU, discussing their effects on data protection and commercial data transfers.

This paper examines aspects of this ‘digital law reform package’, and analyses the effects of a specific technology law reform on another area of law reform in the digital sphere. In particular, I question the effects of online safety law reform (the Online Safety Bill) and AI regulation on data protection in the UK and commercial data transfers between the UK and the EU. The focus will be on the most significant proposal in these reforms that may compromise or otherwise impact the UK data protection regime, its adequacy and its relationship with the EU data protection regime. I challenge these proposals based on their divergence and inconsistency and conclude that the technology (and other) law reform needs are approached holistically, or we risk unintended and adverse consequences, not only on the enforceability of these proposals but also on the UK’s data protection adequacy and, notably, data protection and privacy rights of individuals in the UK.

The paper endorses Armstrong’s regulatory alignment/divergence model as a framework. He submits that regulatory alignment/divergence in any given policy area will be a ‘function of the operation and interaction of different modes of governance: hierarchy, competition, co-ordination, networks and community.’

The paper approaches the questions of relevant law reforms comparatively, looking at the proposals in context and action, and assessing their consequences and effects on individuals and society.

32.                      Harbinja, Edina (Aston University); Edwards, Lilian (Newcastle University) and McVey, Marisa (Queen’s University Belfast). Post-Mortem Privacy and Digital Legacy – A Qualitative Empirical Enquiry

Keywords:   post-mortem privacy, digital legacy, digital remains, empirical research, interviews
Abstract. In this qualitative study, we seek to better understand empirically the commercial, technical and legal challenges that arise when considering post-mortem privacy rights in the digital era.

To this end, we interviewed a sample of nineteen legal professionals, civil society and regulators, primarily based in the UK. This has enabled us to gather data and in-depth insights into post-mortem privacy challenges and understand key stakeholders’ perspectives in this area. Emergent themes we discover in our study include: awareness, reform, solutions, platforms/tech/contracts and the limitation of current practice.

Notably, we discover the significant impact of the Covid-19 pandemic on the greater stakeholder interest, practice and development of new business models in this area. Regarding the legal profession, we find that they claim the new area of expertise and attempt to conceptualise the area where there is little law and policy. Moreover, we note the importance of understanding the legal and financial risks that practitioners face due to the uncertainties surrounding the law of digital remains. Our key findings highlight the need for law reform, raising user awareness and improving technological solutions.

We will use taxonomies and findings from the qualitative study to inform a quantitative baseline assessment interested in whether individuals in the UK understand what happens to their personal data after death if they are concerned with developments in this area and whether current data management tools (such as Facebook’s Legacy Contact or Google’s Inactive Account Manager) are helpful.

33.                      Hariharan, Jeevan (Queen Mary University of London) and Noorda, Hadassa (University of Amsterdam). Imprisoned at Work: The Impact of Employee Monitoring on Physical Privacy and Individual Liberty

Keywords:   Employee monitoring, Privacy, Surveillance, Tracking, Human rights and technology
Abstract. In recent years, rapid advances in technology have meant that employee surveillance occurs in new and sophisticated ways. Employees being monitored at work is hardly a new phenomenon. But there are now a wide range of tools available to track worker activity, boasting features like keystroke logging, website monitoring, and video surveillance. The use of such software has become increasingly prevalent, particularly as a result of the pandemic with the surge of people working from home.

This paper understands employee monitoring in terms of the impact it has on the employees’ individual liberty and physical privacy. In particular, it addresses how monitoring affects the physical and spatial components of privacy and connects monitoring with imprisonment.

From a legal perspective, the permissibility of employee monitoring is complex. Under UK and European law, the issue is most commonly analysed through the lens of data protection legislation or compatibility with the right to private life enshrined in Article 8 of the ECHR. However, when one delves into this jurisprudence and academic commentary, it can be observed that monitoring is almost exclusively understood in terms of the impact it has on the employees’ informational privacy. On this logic, the concern with workplace surveillance is that it implicates the employee’s control over information and data. And if informational privacy risks can be appropriately managed, then monitoring can be justified.

Our paper pushes against this dominant narrative. While an individual’s informational privacy is an important part of what is at stake, we argue that there are two reasons why employee monitoring is concerning which go beyond the use of information and data. First, drawing on the broad theoretical literature on privacy, we point out that informational privacy is typically only understood as one aspect of individual privacy. Privacy is generally conceptualised as embracing distinct physical or spatial components as well, which are highly relevant in the monitoring context.

Second, we make the novel claim that, in extreme situations, monitoring can be so intense that it constitutes a form of imprisonment. Imprisonment is the restraint of a person’s liberty, typically in a prison institution with walls and locks. However, as English courts have recently recognised in the context of the false imprisonment tort, physical barriers are not necessary for imprisonment to occur. We argue that some of the monitoring activities reported recently are so constraining of individual liberty as to clearly meet this threshold.

This revised approach to the wrong of employee monitoring has significant legal implications. For one, it brings into sharp focus some of the ways in which the law has developed, and needs to develop further, in order to protect our physical privacy comprehensively. And importantly, it also means that firms have to recalibrate their assessment and justification of monitoring in light of the recognition that workplace surveillance could constitute a form of imprisonment. In particular, an employer could potentially be liable in false imprisonment for extreme monitoring, which, in turn, reframes the legal risks of conducting tracking activities.

34.                      Higson-Bliss, Laura (Keele University). ‘Will Someone not Think of the Children?’ The Protectionist State and Regulating the ‘Harms’ of the Online World for Young People

Keywords:   Legal education, Internet regulation and governance, Communications law and regulation, Young people and the online world
Abstract. Since 2018, following a green paper exploring the regulation of the online world (HM Government, 2018), the Conservative Government in the United Kingdom have continued the rhetoric that they wish to become one of the safest places in the world to go online. To do this, following several white papers and draft bills, the UK government has introduced the Online Safety Bill before Parliament. And despite the emphasis being originally on the regulation of online companies, in particular the likes of social media platforms such as Facebook and Twitter, much of the recent discussions have centred around the protection of children.

The online world has become the modern ‘moral panic’ of the digital world, with parents now more worried about their children online than smoking or drinking (PSHE Association, 2016). The ‘harms’ to young people from the online world are well documented, with barely a week going past without stories emerging in the press of the dangers of the online world for children (see for example: Acres, 2023). In turn, the State takes a protectionist approach as we have seen with the Online Safety Bill. Here, we will regulate or criminalise such behaviours to protect young people. However, what is often missed from these discussions is the voices of these young people we are trying to protect, alongside the positive sides of the online world. Instead, we as adults seem to decide what we believe is harmful to young people and then prohibit such behaviour.

This paper will explore two growing areas of ‘harms’ associated with the online world and young people: (1) sexting and (2) discussions around mental health. It will outline the concerns we as adults and the State have towards these behaviours, before turning to examine how young people view the online world. This paper will reject this traditional protectionist stance. Instead, the paper will argue that a protectionist approach to combatting the ‘harms ‘of the internet will not tackle the underlying causes of such behaviours – social norms and lack of adequate legal, technological, and pastoral education. It will suggest that instead of young people viewing such content on ‘regulated’ sites, such as Facebook and Twitter, echo chambers will instead be created on smaller ‘unregulated’ sites which in the long run will do more harm. The paper will conclude by emphasising the importance of centralising the voices of young people in developing legal, policy and educational responses to online harms and will provide the basis for a future grant application.

35.                      Hoekstra, Johanna (University of Edinburgh). Online Dispute Resolution and Access to Justice for Business & Human Rights Issues

Keywords:   Business & Human Rights, Arbitration, Access to Justice, AI, Online Dispute Resolution

Abstract. The Covid pandemic and advancing technology has increased the use of Online Dispute Resolution (ODR) through, for instance, the use of AI to automate parts of the process which can make the dispute resolution process more efficient and speedier.

This of course raises significant questions on different issues, including on access for justice. ODR can lower some barriers for access to justice such as the parties to the dispute not needing to travel. At the same time, it requires for the parties to have access to good technology and be proficient in its usage. This would especially be important when talking about non-commercial parties.

This paper analyses how ODR affects access to justice in relation to business & human rights arbitration with a focus on victims of corporate human rights abuses. For victims of corporate human rights abuses it can be difficult to access justice because of the power disbalance between the victims and the corporation. Right holders (both as a group or individuals) often have a lack of means. Furthermore, the law itself often forms a barrier in holding corporations accountable. Arbitration and alternative dispute resolution are promoted as an alternative avenue for right holders to obtain justice. This however does also raise questions with regards to feasibility and access to justice.

The first part explains the role arbitration and dispute resolution have with regards to business & human rights issues.. The second part of the paper explores ODR and the use of AI in dispute resolution. The third part examines the issues and opportunities this represents for business & human rights arbitration in relation to access to justice.

36.                      Hof, Jessica (University of Groningen) and Oden, Petra (Hanze University of Applied Sciences Groningen). Breaches of Data Protection by Design in the Dutch Healthcare Sector: Does Enforcement Improve eHealth?

Keywords:   Enforcement, Dutch supervisory authority, Data breaches, Data protection by design, eHealth, Dutch healthcare sector

Abstract. The Dutch healthcare sector processes highly sensitive personal data, including health data. If handled carelessly, this can have a major impact on the fundamental rights and freedoms of natural persons. To provide a consistent level of protection, the General Data Protection Regulation (GDPR) contains obligations for controllers/processors, including data protection by design (prevention), and requires consistent supervision of this by the national supervisory authority (correction).

This paper shows that the Dutch supervisory authority’s (AP, Autoriteit Persoonsgegevens) enforcement of data protection by design in the healthcare sector is currently insufficient to improve data protection in eHealth.  It does so by examining data breach notifications and privacy complaints received by the AP since 2018.  The paper shows that in spite of the high number of breach notifications and privacy complaints received on the healthcare system, the AP has followed enforcement in only seven cases.  A closer look of these case also reveals that the same corrective measures were not imposed for almost the same infringements.

This paper argues that the lack of consistent supervision by the AP has direct consequences for the fundamental rights and freedoms of natural persons: without consistent supervision, there is no incentive to be GDPR-compliant and make eHealth compliant with data protection by design. It argues further that given that cases tend to involve the same type of infringements, it would make sense for the AP to focus more on prevention, by giving information and advice in favour of data protection by design. This will ensure data protection from the start when developing eHealth and prevent data breach notifications and privacy complaints in the future.

37.                      Holmes, Allison (University of Kent). Becoming ‘Known’: Digital Data Extraction in the Investigation of Offences and its Impact on Victims

Keywords:   Surveillance, Privacy, Data extraction, Victims
Abstract. Digital evidence is a key element in the investigative process and its acquisition can be critical to a successful prosecution. While access to an alleged offender’s data falls within the remit of investigative material, there is increasingly a demand to subject victims to intrusive digital examinations. Within the United Kingdom, these demands have been placed on legislative footing with the passage of the Police, Crime, Sentencing and Courts Act 2022, which provides for the examination of ‘electronic devices’, a term which lacks substantive definition within the Act. As such, this provision has the potential to encompass not only traditional communicative devices such as mobile phones and computers, but to expand to further instruments such as Internet of Things devices, thereby greatly increasing the ways in which information about victims can become ‘known’. This paper interrogates the types of data which can be derived through these provisions and the connections it can reveal, through an examination of the devices and the terms and conditions of their use. Such measures subject victims to enhanced scrutiny, reinforcing power disparities between the victim and the state. Using the case study of the policing of sexual offences in England and Wales, this paper examines the lived experiences of victims of offences who have been subjected to these ‘digital strip searches’ and the impact on the ability of these individuals to access justice.  It is argued that the requirement for victims to consent to intrusions into their privacy, making access to justice contingent on individuals’ willingness to subject their lives to intrusive surveillance practices, represents a fundamental barrier to participation in the justice system.

38.                      Jondet, Nicolas (Edinburgh Law School). The Proposed Broadening of the UK’s Copyright Exception for Text and Data Mining: A Predictable, Promising and Pacesetting Endeavour

Keywords:   Copyright, Copyright exceptions, Text and data mining, Text and data analysis, Artificial Intelligence, Big Data, Brexit, CDPA, Directive on Copyright in the Digital Single Market 2019/790

Abstract. The UK is looking into reforming its copyright law to expand the exception for text and data mining (TDM). The UK TDM exception, introduced in 2014, was the first of its kind in Europe and implemented policies to promote research and innovation, particularly in the fields of life science and Artificial Intelligence. The new frontier of research is defined by the analysis of vast quantities of copyright-protected works such as academic papers, books, music or TV broadcasts. Prior to being analysed, the protected works needs to be copied on the users’ computers which, in the absence of agreement from the copyright owners, infringes copyright law. In the past decade or so, many countries have introduced new exceptions in their copyright law to allow for TDM even without the agreement of rightholders.

The UK was a trailblazer in Europe by adopting its TDM exception, arguably breaching the EU copyright rules of the time in doing so. This innovation shaped the debate on copyright reform in other European countries and at EU level. Eventually, the EU adopted its own regime for TDM exceptions in 2019. However, this EU regime, though a step in the right direction, was felt by many to be still too complex and restrictive, particularly when compared to the position in the US.
This paper will argue it was predictable that the UK, now that it has exited the EU, would revisit its TDM exception, especially as the policy objectives of promoting research and innovation, highlighted more than a decade ago, are now at the centre of the government’s economic strategy. We will also argue that the proposed changes are promising, as they will generalise and simplify the use of the exception whilst still providing sufficient guarantees to protect the interests of rightholders. Lastly, we will argue that the UK’s position is likely, once again, to force and rethink of EU copyright rules on TDM exceptions and to be a marker for any discussion of changes to international copyright norms.

39.                      Joshi, Divij (University College London). Abstract – Governing ‘Public’ Digital Infrastructures

Keywords:   it governance, architecture is politics, embedded norms

Abstract. Socio-legal scholarship on technology have for long drawn attention to the embedded politics of artefacts, and their role as sites for the explicit articulation of norms and values. Governments are also increasingly recognising that particular technological and organisational configurations of information systems offer affordances for embedding norms and values in the production of particular kinds of social order. In particular, the platform-based architectures which are hierarchical, scalable and configurable or programmable – offer the opportunity to enact ‘governance-by-design’ – to explicitly embed values and norms towards the fulfilment of particular regulatory agendas or to realise other values.

Governments around the world are increasingly attempting to mobilise information infrastructure as mechanisms for governance-by-design, which can enact particular normative values or structures of governance. Among these, the Government of India is attempting to develop and deploy ‘public digital infrastructure’ – consisting of communication protocols, data science infrastructure and platform-based information systems at a wide scale. Already, the ‘stack’ has come to incorporate India’s controversial biometric digital identity system(s) known as ‘Aadhaar’, the open banking APIs and payment systems known as UPI, a personal data governance scheme called the ‘Data Empowerment and Protection Architecture’, and most recently, the National Digital Health Mission.

This paper will study the implications of ‘public digital infrastructures’ for the law and governance of information systems. Do public digital infrastructures offer a more democratic alternative to information governance, and under what conditions? How is this distinct from current processes for creating and governing infrastructure with reference to distinct normative frameworks (such as security, human rights, sovereign law, ‘freedom’)? What regulatory and governance paradigms does the ‘public’ nature of these infrastructures invoke (eg. public law duties, local democratic forums)? What are the possibilities and limitations of current approaches to information governance in ensuring that important values like privacy, dignity and equality are protected in their creation?

40.                      Kalsi, Monique (University of Groningen). Understanding the Scope of Data Controllers’ Responsibility to Implement Data Protection by Design and by Default Obligations

Keywords:   Data Protection by Design and by Default, Privacy by Design, Responsibility of Data Controllers, Digital Value Chains
Abstract. Since its introduction in 1995, Privacy by Design (PbD) is widely recognized as an essential component of fundamental privacy protection. However, PbD has remained a voluntary compliance initiative without any means to ensure its effective implementation. Article 25 of the General Data Protection Regulation (GDPR) codifies the PbD approach as a legal obligation under which all technologies processing personal data are required to follow Data Protection by Design and by Default (DPbDD). However, obligations resulting under this Article are only binding on data controllers which considerably limits the material scope of the legal obligations. For instance, the design and manufacturing stage of technologies may not coincide with the stage when the data controller comes into the digital value chain. This implies that the burden of implementing DPbDD is essentially on the users of technology, and not on its designers. This leads to the question of to what extent can we talk about protection by design if stages like product development and innovation are excluded.

In this work, we assess the key motivation behind the legislative choices with regard to the personal scope of Article 25. Using a holistic interpretation of Article 25 in light of other provisions of the GDPR, we discuss whether the DPbDD approach is more restrictive in comparison to the original PbD approach. We further argue that other provisions of the GDPR allow for the possibility, albeit not direct, to influence the design phase of technologies. However, we found that it remains unclear whether this possibility ensures a co-division of responsibility between controllers and other actors involved in the digital value chain. We propose to resolve this unclarity by looking at the field of corporate supply chain due diligence, particularly regarding the due diligence obligations and responsibility of mother companies for actions of their subsidiaries and business relationships.

41.                      Kamara, Irene (Tilburg Institute for Law, Technology, and Society). The Jigsaw Puzzle of the EU Cybersecurity Law: Critical Reflections Following the Reform of the Network and Information Security Directive and the Proposed Cyber Resilience Act

Keywords:   cyber resilience act, cyber security act, cybercrime, network and information security directive
Abstract. In December 2022, the reformed Network and Information Security Directive was published (Directive (EU) 2022/2555), replacing the 2016 NISD1 (Directive 1148/2016). The reform of the Network and Information Security Directive does not appear in a legal vacuum and is far from a standalone EU regulatory effort in the field of cybersecurity. Back in 2002, the EU’s Cybersecurity Strategy for the Digital Decade had already stressed the absence of EU collective situational awareness of cyber threats, despite the dependence of many of the critical sectors such as transport, energy, health, and telecommunications on network and information security. The annual Europol Internet Organised Crime Assessments are increasingly reporting the rise of cybercrime-as-a-service, improvements in the modus-operandi and sophistication of malware operators, and the overall increase in cybercrime opportunities.

However, it is true that the past years, the EU legislator has intensified the legislative activity, in what has been characterised as an “actification” of the regulation of new technologies (Papakonstantnou, De Hert 2022). Following the 2013 Cybercrime Directive (Directive 2013/40/EU) and NISD1, which was the first EU-wide horizontal cyber security law [Markopoulou et al. 2019], the Cybersecurity Act was published in 2019 [CSA], a proposal for a Regulation for high level of cybersecurity in EU institutions and agencies was published in March 2022 [COM(2022) 122 final] and a new legislative proposal on the European Cyber Resilience Act was published in September 2022 [COM(2022) 454 final; CRA].

Against this background this article puts together the jigsaw pieces of what emerges to be the EU cybersecurity legal framework, by taking as a reference point the NISD2, and its interaction with the EU legislat