Skip to main content Accessibility help
×
Hostname: page-component-78c5997874-fbnjt Total loading time: 0 Render date: 2024-11-09T08:20:26.414Z Has data issue: false hasContentIssue false

10 - EU By-Design Regulation in the Algorithmic Society

A Promising Way Forward or Constitutional Nightmare in the Making?

from Part II - Regulation and Policy

Published online by Cambridge University Press:  01 November 2021

Hans-W. Micklitz
Affiliation:
European University Institute, Florence
Oreste Pollicino
Affiliation:
Bocconi University
Amnon Reichman
Affiliation:
University of California, Berkeley
Andrea Simoncini
Affiliation:
University of Florence
Giovanni Sartor
Affiliation:
European University Institute, Florence
Giovanni De Gregorio
Affiliation:
University of Oxford

Summary

Algorithmic decision-making fundamentally challenges legislators and regulators to find new ways to ensure algorithmic operators and controllers comply with the law. The European Union (EU) legal order is no stranger to those challenges. One of the ways to deal with the rise of automated and algorithmic decision-making, could be the introduction of by-design obligations. This chapter analyses to what extent EU law tolerates, enables or limits the introduction of such obligations. Conceptualising the notion of by-design regulation as a specific form of EU co-regulation, the chapter subsequently identifies the challenges EU constitutional law could present for the further development of those obligations. In doing so, it hopes to frame and further structure debates on this type of regulation for the algorithmic society.

Type
Chapter
Information
Publisher: Cambridge University Press
Print publication year: 2021
Creative Commons
Creative Common License - CCCreative Common License - BYCreative Common License - NCCreative Common License - ND
This content is Open Access and distributed under the terms of the Creative Commons Attribution licence CC-BY-NC-ND 4.0 https://creativecommons.org/cclicenses/

10.1 Introduction

Algorithmic decision-making fundamentally challenges legislators and regulators to find new ways to ensure algorithmic operators and controllers comply with the law. The European Union (EU) legal order is no stranger to those challenges, as self-learning algorithms continue to develop at an unprecedented pace.Footnote 1 One of the ways to cope with the rise of automated and self-learning algorithmic decision-making has been the introduction of by-design obligations.

By-design regulation refers to the array of regulatory strategies aimed at incorporating legal requirements into algorithmic design specifications. Those specifications would have to be programmed/coded into existing or newly developed algorithms.Footnote 2 That may be a necessity, as the European Commission in its February 2020 White Paper on Artificial Intelligence recognised the insufficiency of existing EU legislation on product safety and the protection of fundamental rights in that context.Footnote 3 Against that background, different open questions remain as to the modalities of this kind of regulation, ranging from who is competent to how to ensure compliance with those specifications. Those obligations demand economic operators to program their algorithms in such a way as to comply with legal norms. Related to existing co-regulation initiatives, by-design obligations present a new and potentially powerful way to push economic operators more directly into ensuring respect for legal norms and principles.

This chapter will explore the potential for a more developed by-design regulatory framework as a matter of EU constitutional law. To that extent, it first conceptualises by-design regulation as a species of co-regulation, which is a well-known EU regulatory technique. The first part of this chapter revisits the three most common EU co-regulation varieties and argues that each of them could offer a basis for more enhanced by-design obligations. The second part of the chapter identifies the opportunities and challenges EU constitutional law would present in that context. In revisiting some basic features and doctrines of the EU constitutional order, this chapter aims to demonstrate that by-design regulation could be implemented if and to the extent that certain constitutional particularities of the EU legal order are taken into account.

10.2 By-Design Obligations as a Species of Co-regulation

Although by-design regulation sounds novel, it actually constitutes a species of a well-known regulatory approach of co-regulation (Section 10.2.1). That approach appears in at least three varieties in the EU legal order (Section 10.2.2), each lending itself to algorithmic by-design regulatory approaches (Section 10.2.3).

10.2.1 By-Design Regulation as Co-regulation

The notion of by-design regulation may appear vague and perhaps confusing at first glance.Footnote 4 In its very essence, however, by-design regulation refers to nothing more than an obligation imposed on businesses, as a matter of law, to program or code their technologies in such ways that they comply automatically or almost automatically with certain legal obligations.Footnote 5 A pro-active form of compliance through regulation, the law basically requires businesses to design or redesign their technologies so that certain values or objectives are respected by the technology itself. In algorithmic design, this regulatory approach would require translating legal obligations into algorithmic specifications. By-design regulation would thus require, as a matter of hard law, developers/designers to translate legal obligations into workable engineering or design specifications and principles.Footnote 6

The origins of by-design obligations as a regulatory technique originate in the privacy by design approach. According to that approach, respect for privacy must ideally become any (business) organisation’s default mode of operation.Footnote 7 When setting up technical and physical infrastructure and networks, privacy has to be designed into the operations of those networks.Footnote 8 More particularly, it was proposed to businesses to have in place privacy-enhancing technologies (PETs).Footnote 9 Within the context of its General Data Protection Regulation (GDPR), the EU additionally imposed data protection via design obligation on data processors.Footnote 10

The successful implementation of privacy by design faces two difficulties. First, given the varying conceptions of privacy maintained in different legal orders, questions arose quickly as to the exact requirements that needed to be implemented.Footnote 11 Second, beyond the difficulties to envisage the implementation of privacy by design, questions equally arose as to the liability of those designers and operators not having made or implemented a privacy-enhancing technological framework. The idea of privacy by design is appealing, yet without a legal obligation on particular businesses or public authorities to implement it and to oversee its application, the whole idea rests on shaky ground.

Despite the practical by-design problems highlighted here, the classification of by-design obligations is less complicated from a regulatory theory perspective. It is submitted indeed that by-design obligations in their very essence always imply some form of co-regulation. Co-regulation essentially refers to a regulatory framework that involves both private parties and governmental actors in the setting, implementation, or enforcement of regulatory standards.Footnote 12 The EU is familiar with this type of regulation and has been promoting it consistently over the course of past decades. It cannot therefore be excluded that the EU could be willing further to develop and refine that approach in the context of algorithmic design obligations as well.

10.2.2 Co-regulation within the European Union

The EU’s former 2003 Interinstitutional Agreement on Better Lawmaking refers to co-regulation as ‘the mechanism whereby a [Union] legislative act entrusts the attainment of the objectives defined by the legislative authority to parties which are recognised in the field (such as economic operators, the social partners, non-governmental organisations, or associations)’.Footnote 13 In contrast with self-regulation, where private actors have been entrusted overall responsibility to determine the content, applicability, and enforcement of different rules, co-regulation still accords a certain role to governmental actors.

Within the EU legal order, one can distinguish three implicitly present formats of co-regulation currently present. Those formats differ on the basis of three distinguishing criteria: the actual norm-setter, the implementation of co-regulatory obligations, and the enforcement of respect for the regulatory requirements.Footnote 14

The first format concerns the framework applicable in the context of technical standardisation. It is well-known that, at the EU level, standards to a large extent are being developed by so-called standardisation bodies. Those bodies, essentially of a private nature, have been mandated by the EU institutions to adopt norms that have some force of law. The EU’s new approach to technical harmonisationFootnote 15 best illustrates that tendency. In this standardised co-regulation scheme, standardisation organisations play a pivotal role as norm-setters. They assemble different experts and ask those experts to set up and design a standard. Their regulatory mandate justified by them assembling experts to design technical and technocratic standards, the EU legislator can suffice in delegating to those organisations the task to come up with those highly technical standards. Following and implementing a standard thus creates a presumption that the product is safe. This system has remained in place ever since, even though a 2012 update has sought to increase the transparency over the standard-setting process.Footnote 16 Within that framework, the Court of Justice has stated that harmonised European standards, though adopted by private standardisation bodies, are to be assimilated to acts of the EU institutions.Footnote 17

The second format of EU co-regulation introduces a certification-centred approach. That approach is related closely to how the EU legislator has envisaged data protection by design in its GDPR. In that format of co-regulation, there is no pre-defined norm setter. The legislator sets out particular values or principles to be designed into certain technologies, but further leaves it up to designers or importers of technologies to ensure compliance with those values. As co-regulation allows for a more intensified administrative or judicial review over co-set standards or rules, this format presumes an ex post control of public authorities over the rules adopted. Although businesses may create or rely on standardisation organisations to translate the predetermined values into workable principles, respect for such standards does not automatically trigger a presumption of conformity. In this format, the intervention of standardisation organisations is not sufficient to trigger a presumption of conformity with the predetermined values. On the contrary, a lack of respect for the principles and values laid out by the legislator may result in a command-and-control type of sanctioning. In that case, a public authority can impose sanctions by means of a decision, which could be contested before the courts. As such, the actual content of the decision remains to be determined by the businesses responsible, yet the enforcement fully enters the traditional command and control realm.

A third possible format goes beyond the voluntary standardisation or certification approaches by allowing the legislator to impose certain designs on technology developers. More particularly, this format would see the EU institutions outline themselves in more detail than the previous varieties the values that need to be protected by and coded into the technology at hand. It would then fall upon the designers/developers concerned to implement those values. In doing so, they would respect the legal norms posited by the EU legislator. Those by-design obligations would most likely be inserted in instruments of delegated or implementing legislation. A similar approach is taken in the context of financial services regulation.Footnote 18 It would be perfectly imaginable to envisage expert groups or expert bodies assisting the European Commission in developing and fine-tuning by-design obligations in the realm of algorithmic decision-making as well. This could be coupled with a mix of traditional command and control enforcement techniques (administrative and judicial enforcement) currently also in place within that context.Footnote 19 It would indeed not seem impossible that those governance structures could also accompany the setup of by-design obligations.

The three varieties distinguished here should be understood as ideal-typical features resembling somehow similar regulatory initiatives in the EU. Those varieties actually reflect a sliding scale of regulatory possibilities, as the following table shows.

Co-regulation varietiesNorm-settingImplementationEnforcement
StandardisationStandardisation bodiesNon-binding harmonised general interest standardsPresumption of conformity + supplementary judicial enforcement
CertificationBusinesses themselves (aided by certification bodies)Non-binding individualised or certified general interest standardsSubsidiary administrative and judicial enforcement?
Control-centred co-regulationEU institutions (delegated or implementing acts, involving stakeholders)Binding technical rules + ex ante approval of technologies?Administrative and judicial enforcement

10.2.3 Room for Enhanced By-Design Co-regulation Strategies at the EU Level?

All three co-regulation varieties start from the premise that designers/developers have to construct or structure their algorithms in order to ensure compliance with applicable legal norms. If that starting point is accepted, the three varieties depict a variety of intensities with which compliance with those obligations into the design of algorithms can be guaranteed. Overall, they represent different degrees of public intervention in determining the scope and in enforcing the way in which algorithms have been designed. Given the prevalence of those different regulatory strategies in different fields of EU policy, it would seem that those varieties of by-design co-regulation could also be introduced or developed within the context of algorithmic decision-making.

That framework of standard-setting by standardisation bodies clearly lends itself to the context of algorithmic regulation and the imposition of by-design obligations on their developers/designers. It can indeed be imagined that EU legislation would require any coder, programmer, or developer to respect all privacy, individual liberty, or other protective values the EU as an organisation holds dear. Those ‘general interest’ requirements, as they would be referred to under the New approach,Footnote 20 would have to be respected by every producer seeking to make available or use a certain algorithm to customers falling within the scope of EU law. The actual implementation and coding-in of those values into the algorithms concerned would have to take place in accordance with general interest standards adopted by standardisation organisations. It is not entirely impossible to envisage that similar bodies to CEN, CENELEC, or ETSI could be designated to develop general interest standards in the realm of algorithmic governance.

In the same way, a certification mechanism could be set up. By way of example, the GDPR refers to the possibility of having in place a certification mechanism that would include data protection concerns in the standardisation process of technologies. In order for that system to work, data protection certification bodies have to be set up. Those private bodies would be responsible for reviewing and attesting to the conformity of certain data protection technologies with the values and principles of the GDPR.Footnote 21 So far, those mechanisms are still in the process of being set up and much work needs to be done in order to extract from the GDPR a set of workable principles that would have to be integrated in the technologies ensuring data processing and in the algorithms underlying or accompanying those technologies.Footnote 22

The more enhanced control-centred co-regulation framework could also be made to fit algorithmic by-design regulation. In that case, the EU legislator or the European Commission, or any other type of EU executive body that would be responsible for the drafting and development of by-design obligations, would need to be involved in the regulation of algorithms. It could be expected that some type of involvement of businesses concerned would be useful in the drafting of the by-design obligations. Ex ante approval mechanisms or ex post enforcement structures could be envisaged to guarantee that businesses comply with those requirements.

10.3 By-Design-Oriented Co-regulation: A Promising Way Forward or EU Constitutional Law Nightmare in the Making?

It follows from the previous section that, in light of its co-regulation experiences, the EU legal order would not be as such hostile to the introduction of by-design obligations. In order for a regulatory approach to be made operational, regulatory strategists have to ensure a sufficient amount of constitutional fit,Footnote 23 if only to legitimise the regulatory approach offered in this context.

It is submitted that at least three challenges in an increasing order of relevance can be highlighted in that regard. First, the principle of competence conferral may impose constraints on the introduction and development of by-design obligations, which deserve to be qualified (Section 10.3.1). Second, in the same way, the by-design system setup would amount to a delegation of certain powers to private or public actors. From that point of view, concerns regarding compliance with the so-called Meroni doctrine arise (Section 10.3.2). Third, and most fundamentally, however, the major challenge of by-design regulation lies in its enforcement. In a constitutional order characterised itself by the lack of a common administrative enforcement framework, questions can be raised regarding the effectiveness of control over the respect of by-design regulations (Section 10.3.3). Although the EU constitutional framework raises challenges in this regard, it is submitted that those challenges are not in themselves insurmountable. As a result, by-design regulation could become a complementary and useful regulatory strategy aimed at responding to challenges raised by the algorithmic society (Section 10.3.4).

10.3.1 Competence Conferral Challenges

A first constitutional challenge that the setting-up of a more developed by-design regulation framework would encounter concerns the EU’s system of competence conferral.Footnote 24 The Treaty contains different legal bases which could grant the Union the competence to set up a co-regulatory framework focused on by-design obligations.

The principal challenge with those different legal bases is that one has to verify what kind of values one wants to programme into algorithms as a matter of EU law. Absent any discussion so far beyond data protection, that remains a very important preliminary issue to be determined. It could be submitted that values of non-discrimination, consumer protection, free movement principles, or others would have to be coded in. In this respect, it will appear that the EU can go farther in some domains than in others.

The most appropriate Treaty bases are the transversal provisions containing a list of values that need to be protected across the board by EU policies and offering the EU the power to take action to protect those values. It would seem that those values could also be developed into technical specifications to be coded into algorithmic practice.

First, Article 10 of the Treaty on the Functioning of the European Union (TFEU) holds that in defining and implementing its policies and activities, the Union shall aim to combat discrimination based on sex, racial or ethnic origin, religion or belief, disability, age, or sexual orientation. Article 18 TFEU complements that provision by stating that within the scope of application of the Treaties, and without prejudice to any special provisions contained therein, any discrimination on grounds of nationality shall be prohibited. To that extent, the European Parliament and the Council, acting in accordance with the ordinary legislative procedure, may adopt rules designed to prohibit such discrimination. Article 19 adds that the Council, acting unanimously in accordance with a special legislative procedure and after obtaining the consent of the European Parliament, may take appropriate action to combat discrimination based on sex, racial or ethnic origin, religion or belief, disability, age, or sexual orientation. In that context, the European Parliament and the Council, acting in accordance with the ordinary legislative procedure, may adopt the basic principles of Union incentive measures, excluding any harmonisation of the laws and regulations of the Member States, to support actions taken by the Member States in order to contribute to the achievement of the objectives of non-discrimination. To the extent that non-discrimination is one of the key values of the European Union, it can take action either to harmonise non-discrimination on the basis of nationality, or to incentivise Member States to eradicate all forms of discrimination. The notion of incentivising is important here; it would indeed appear that, under the banner of non-discrimination, the EU could take measures to stimulate non-discriminatory by-design approaches. At the same time, however, the EU may not harmonise laws regarding non-discrimination on grounds other than nationality. It follows from this that EU rules could only incite Member States to take a more pro-active and by-design oriented compliance approach. A full-fledged ex ante or ex post algorithmic design control approach in the realm of non-discrimination would potentially go against Article 19 TFEU. It would thus appear that the EU is competent to put in place particular incentive mechanisms, yet not necessarily to set up a complete law enforcement framework in this field. Regarding discrimination on the basis of nationality, setting up such a by-design framework would still be constitutionally possible, as Article 18 TFEU grants broader legislative powers to the EU institutions.

Second, Article 11 TFEU holds that environmental protection requirements must be integrated into the definition and implementation of the Union policies and activities, in particular, with a view to promoting sustainable development. Article 12 refers to consumer protection. Both provisions are accompanied by specific legal bases that would allow for co-regulatory by-design mechanisms to be set up.Footnote 25

Third, Article 16 refers to the right to personal data protection. According to that provision, the European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities. This provision constituted the legal basis for the GDPR and the data protection by design framework outlined in that Regulation.Footnote 26 Neither during negotiations, nor after its entry into force, has the choice of a legal basis for this type of by-design obligations been contested. It could be concluded, therefore, that this provision could serve as a legal basis for data protection by design measures. Beyond data protection, however, this provision would be of no practical use.

Fourth, Articles 114 and 352 TFEU seem to be of limited relevance. Article 114 TFEU allows the EU to adopt the measures for the approximation of the provisions laid down by law, regulation, or administrative action in Member States which have as their object the establishment and functioning of the internal market. That provision essentially aims at harmonising Member States’ regulatory provisions rather than imposing specific design obligations on algorithmic designers. However, it cannot be excluded that the imposition of specific obligations can be a means to avoid obstacles to trade from materialising. In that understanding, this provision may serve as an additional basis to adopt measures setting up a co-regulatory by-design framework.Footnote 27 Article 352 states that if action by the Union should prove necessary, within the framework of the policies defined in the Treaties, to attain one of the objectives set out in the Treaties. According to the Court,

recourse to Article [352 TFEU] as a legal basis is … excluded where the Community act in question does not provide for the introduction of a new protective right at Community level, but merely harmonises the rules laid down in the laws of the Member States for granting and protecting that right.Footnote 28

In other words, Article 352 TFEU can be relied on to create a new Union right, or body, that leaves the national laws of the member states unaffected and imposes additional rights.Footnote 29 That provision seems less relevant for the introduction of by-design obligations. Those obligations essentially aim to implement certain policies and to ensure better compliance with certain rights, rather than to create new ones.

It follows from the foregoing analysis that the Treaty does contain several values and legal bases allowing those values to be protected in a by-design way. From the previous cursory overview, it now seems more than ever necessary to catalogue the values the EU holds dear and to question what actions the EU could take in terms of by-design regulation for them. In addition, the Charter of Fundamental Rights, a binding catalogue of EU fundamental rights, could play a complementary role in that regard.Footnote 30

10.3.2 Implementation and Delegation Challenges

The setup of by-design regulatory mechanisms requires the involvement of either government actors or private bodies (standardisation or certification bodies). Even when the European Union has the competence to set up a particular regulatory framework which includes the imposition of by-design obligations, EU constitutional law also limits or circumscribes the delegation of powers conferred on the EU to public (Section 10.3.2.1) or private bodies (Section 10.3.2.2). In both instances, delegation is not entirely impossible, yet additional conditions need to be met.

10.3.2.1 Delegation of Technical Rules to the Commission and Expert Committees

According to Article 290 TFEU, a legislative act may delegate to the Commission the power to adopt non-legislative acts of general application to supplement or amend certain non-essential elements of the legislative act.Footnote 31 A delegation of power under that provision confers power on the Commission to exercise the functions of the EU legislature, in that it enables it to supplement or amend non-essential elements of the legislative act. Such a supplementary or amending power needs to emanate from an express decision of the legislature and its use by the Commission needs to respect the bounds the legislature has itself fixed in the basic act. For that purpose, the basic act must, in accordance with that provision, lay down the limits of its conferral of power on the Commission, namely the objectives, content, scope, and duration of the conferral.Footnote 32 In addition, Article 291 TFEU states that where uniform conditions for implementing legally binding Union acts are needed, those acts shall confer implementing powers on the Commission. A 2011 Regulation outlines the basic framework for doing so.Footnote 33 Any delegation to the Commission or to an expert committee has to respect that framework.Footnote 34

10.3.2.2 Delegation to Private Standardisation Bodies?

The questions noted previously all remain regarding the delegation of by-design standardisation or certification powers to private organisations, such as standardisation bodies. Those questions go back to case law dating from 1958. In its Meroni judgment, the Court invalidated a delegation of discretionary regulatory competences by the European Commission to a private body.Footnote 35 Meroni limited the delegation of regulatory powers to private bodies in two ways. First, it limited the delegation of powers. Delegation of rule-making powers was to be expressly provided for in a legal instrument, only powers retained by a delegating body could be delegated, the exercise of these powers was subject to the same limits and procedures as they would have been within the delegating body and such delegation needed to be necessary for the effective functioning of the delegating institution.Footnote 36 Second, the judgment limited the scope of powers delegated. It maintained that the powers delegated could only include clearly defined executive powers that were capable of being objectively reviewed by the delegating body.Footnote 37 A delegation of powers by the High Authority to a private body outside the realm of supranational law would not fit that image. The 1981 Romano judgment was said to have confirmed that position in relation to the Council, although that judgment focused on public authorities to which powers delegated would escape judicial review as to their compliance with EU law.Footnote 38

The Meroni doctrine may be problematic from the point of view of setting up a by-design regulation framework.Footnote 39 The delegation of standardisation or certification powers to private bodies without any possibility of judicial oversight by the EU Courts has been considered particularly problematic in this regard. Although the EU framework of delegating standardisation powers to private organisations in the realm of product safety has been in operation for more than thirty years, its compatibility with EU law has recently come under scrutiny.Footnote 40 It is to be remembered that the Court of Justice in that context held that standards adopted by private organisations following an EU mandate to do so, are to be considered norms which can be reviewed by the Court of Justice, despite them formally not being EU legal acts.Footnote 41 Although the practical consequences of those rulings remain far from clear, the Court has succeeded in opening a debate on the constitutionality of delegation to private organisations. In the wake of this case law, it now seems that standards set up by private organisations should by some means be subject to judicial control.

That background is of direct relevance to discussions on the possibility to introduce by-design obligations. To the extent that delegation of standard-setting powers to private standardisation bodies is problematic under EU law, the setup of a standardised co-regulatory by-design regime would be a less likely choice to make. Prior to setting up this kind of legal regime, additional guarantees will have to be put in place in order to ascertain some kind of judicial oversight over those standards. Given that it is unclear at present how far such oversight should go, setting up a standardisation-based regime seems more difficult to attain. The alternative of certification-based co-regulation, which asks every designer/developer individually to integrate the EU law-compatible values into their algorithms, avoids such delegation and would seem a more viable alternative in the current state of EU law, should the control-centred model and the accompanying delegation to public authorities be considered a less preferred option.

10.3.3 Enforcement Challenges

A third EU constitutional law challenge concerns the enforcement of the by-design regimes set up. Even when the EU is competent and when certain by-design regulatory tasks can be delegated to public or private authorities, the actual application and enforcement of those by-design obligations are likely to raise additional constitutional law problems. It is to be remembered in this regard that the EU has not set up an administrative enforcement system to guarantee the application and implementation of its norms. Quite on the contrary, Article 291 TFEU explicitly obliges the Member States to guarantee this.Footnote 42 As a result, it falls in principle upon Member States to set up and organise surveillance and sanctioning mechanisms. This has resulted in a wide diversity of institutional and organisational practices, giving rise to EU law enforcement being differently structured and understood in different Member States.Footnote 43

In order to overcome somehow the Member States’ diversity in this realm, the European Union has in some domains tried to streamline the enforcement of EU rules. To that extent, EU agencies or networks of Member States’ supervisory authorities have been set up.Footnote 44 Within those agencies or networks, representatives of Member States’ authorities assemble and determine policy priorities or decide upon non-binding best practices.Footnote 45 In the realm of financial services regulation, EU agencies representing all Member States’ authorities even have the power to impose sanctions in cases where Member States’ authorities are unable or unwilling to do so.Footnote 46 As such, a complex regime of coordinated or integrated administration is set up.Footnote 47 Alternatively, the European Commission itself has taken on responsibility for the direct enforcement of EU law, whenever it has been conferred such role by the Treaties. In the field of EU competition law, the Commission thus plays a primary role in that regard.Footnote 48 Decisions taken by the Commission and/or EU agencies are subject to judicial oversight by the EU Courts, oftentimes following an internal administrative review procedure.Footnote 49 To a much more marginal extent, the EU envisages the private enforcement of its norms. Under that scheme, private individuals would invoke EU norms in their private interest, thus resulting in those norms being enforced against perpetrators of them. It generally falls upon national judges to apply the law in those contexts. The fields of competition law and consumer protection law are particularly open to this kind of enforcement,Footnote 50 which nevertheless remains of a subsidiary nature compared to public enforcement. The presence of those different frameworks allows one to conclude that a patchwork of different EU enforcement frameworks has been set up, depending on the policy domain and the felt need for coordinated application of EU legal norms.

The existence of this patchwork of enforcement frameworks has an impact on debates on whether and how to set up a by-design enforcement structure. Three observations can be made in that respect.

First, a standardisation-focused co-regulation framework would rely on essentially private standards and a presumption of conformity. That presumption could be invoked before Member States’ courts and authorities to the extent that it has been established by an EU legislative instrument. This form of essentially private enforcement has worked for technical standards, yet has recently come under scrutiny from the Court, calling for some kind of judicial oversight over the process through which norms are set. Questions can therefore be raised to what extent this system would also fit by-design obligations as envisaged here. It would be imaginable that the EU legislator would decide to set up a two-step enforcement procedure in this regard. On the one hand, it would delegate the setting of by-design specifications translating EU legal obligations to a standardisation body. The procedures of that body would have to be transparent, and norms adopted by it could be subject to judicial – or even administrative – review. Once the deadline for such review would have passed, the norms are deemed valid and compliance with them in the design of algorithms would trigger a presumption of legality, which could be rebutted on the basis of concrete data analysis. As this system would mix public and private enforcement to some extent, it would seem likely that it can be made to fit the EU’s enforcement system. It is essential, however, that the legal instrument establishing the features of by-design regulation clearly establishes how the different enforcement features would relate to each other.

Second, a more control-centred EU enforcement framework could also be envisaged. In order to set up that kind of framework, it is important to take stock of the limits of the EU enforcement structure. In essence, the imposition of fines will generally have to be entrusted to Member States’ authorities, as the GDPR showcases.Footnote 51 Those authorities’ powers and procedures can be harmonised to some extent,Footnote 52 and their operations could be complemented by a formal network of national authorities or an EU agency overseeing those activities.Footnote 53 As other sectors have demonstrated, it does take time, however, before such a regime is operational and functions smoothly.Footnote 54 From that point of view, it could also be questioned whether it would not be a good idea to entrust the European Commission with sanctioning powers in this field. Article 291 TFEU could be interpreted as allowing for this to happen by means of secondary legislation, if a sufficient majority is found among the Member States.Footnote 55 Entrusting the European Commission with those powers would require a significant increase in terms of human and financial resources. It remains to be questioned whether the Member States would indeed be willing to allocate those resources to the Commission, given that this has not happened in other policy fields. More generally, however, whatever institution would apply and enforce those rules, in-depth knowledge of both law and of coding/programming would be required, in order meaningfully to assess how the by-design obligations would have been integrated into an algorithm’s functioning. That again would require a significant investment in training both programmers and lawyers to work at the EU level in the general interest.

Third, what is often lacking in discussions on EU law enforcement is the attention that needs to be paid to compliance with legal rules. Compliance refers to the act of obeying an order, rule, or request,Footnote 56 and is a preliminary step in ensuring effective enforcement. If one can ensure an addressee of a legal norm respects that norm, no ex post enforcement by means of fines or other sanctions would be possible. It is remarkable, therefore, that EU administrative governance pays little transversal attention to compliance. In some domains, such as the free movement of goods produced lawfully in one Member StateFootnote 57 or in the realm of competition law,Footnote 58 the EU has taken some modest steps to ensure compliance. It is submitted, however, that compliance needs to be the keystone of any enforcement framework, should the EU indeed wish to pursue a by-design regulatory approach on a more general scale. By-design obligations by their very nature are indeed meant to ensure compliance with EU legal norms. By coding into existing or new algorithms certain specifications that would lead to lawfully functioning algorithms, by-design regulation essentially seeks to avoid that people are harmed by algorithms and would have to claim compensation or other types of sanctions ex post. From that point of view, by-design regulatory obligations are in themselves a form of compliance. It thus would appear strange to emphasise too much the possibility of sanctions or other public enforcement tools, without giving a central place to the need for businesses to implement the specifications in their algorithms. In that context, it could be imagined that the EU would like to put in place some kind of ex ante authorisation mechanism. Technical specifications or designs authorised by the European Commission would then be presumed to be legal, triggering the presumption of conformity as well. Such authorisation mechanisms exist in other fields of European Union law. It would seem that, at least in theory, the introduction of a similar mechanism would also be possible in this context as well.

It follows from those observations that the introduction of a by-design regulatory framework would necessitate a debate on how those obligations will be enforced, what the relationship will be between compliance programmes and ex post sanctions, and how the different enforcement approaches would relate to each other. No matter what by-design framework would be opted for, discussions on compliance and the tools to ensure and enforce such compliance would have to be laid out in a more developed way. An ex ante authorisation mechanism appears to offer the possibility to ensure compliance of certain technical specifications with EU values from the very outset. Integrating those authorised tools in newly designed algorithms could thus be conceived of as a valuable strategy for enhancing the enforcement of by-design obligations.

10.4 Conclusion

This chapter analysed to what extent the EU would have the competence to set up a by-design regulatory approach and, if so, whether the EU constitutional framework would pose certain limits to it. Although the EU has not been conferred explicit competences in the realm of algorithmic by-design regulation, different legal bases may be relied on in order to establish a more general by-design co-regulatory framework. That does not mean, however, that the EU constitutional framework would not tolerate any new by-design regulatory frameworks. If certain key principles are taken into account, the EU may very well proceed with the development of those frameworks. It thus would only require a certain political will to proceed in this regard. Should that will exist, one can conclude there is a strong chance to integrate by-design obligations better in the EU regulatory framework.

Footnotes

1 See, on the rise of automated decision-making and on the challenges this raises, Frank Pasquale, The Black Box Society: The Secret Algorithms That Control Money and Information (Harvard University Press, 2015). See also Karen Yeung, ‘Hypernudge: Big Data as a Mode of Regulation by Design’, (2017) 20 Information, Communication & Society 118136. On artificial intelligence in particular, Nicolas Petit, ‘Artificial Intelligence and Automated Law Enforcement: A Review Paper’, SSRN Working Paper 2018 https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3145133 accessed 29 February 2020.

2 According to the European Commission, Independent High Level Expert Group on Artificial Intelligence, Ethics Guidelines for Trustworthy AI, 8 April 2019, p. 8 https://ec.europa.eu/futurium/en/ai-alliance-consultation accessed 29 February 2020, compliance with EU law is a prerequisite for ethical behaviour.

3 See European Commission, White Paper on Artificial Intelligence – A European Approach to Excellence and Trust, COM (2020) 65 final, https://ec.europa.eu/info/sites/info/files/commission-white-paper-artificial-intelligence-feb2020_en.pdf accessed 29 February 2020, pp. 11 and 14.

4 As also mentioned in Pagona Tsormpatzoudi, Bettina Berendt, and Fanny Coudert, ‘Privacy by Design: From Research and Policy to Practice – The Challenge of Multi-disciplinarity’ in Bettina Berendt, Thomas Engel, Demosthenes Ikonomou, Daniel Le Métayer, and Stefan Schiffner (eds.), Privacy Technologies and Policy (Springer, 2017) 199.

5 To some extent, this idea is closely related to the theory that the infrastructure of cyberspace limits possibilities in itself. In that regard, code is law as well; see Lawrence Lessig, Code and Other Laws of Cyberspace (Basic Books, 1999) 6. The idea of by-design regulation demands designers/developers to code in certain values so as to limit that technology would keep defying certain legal values or obligations. See also Karen Yeung, Footnote n. 1, 121.

6 Compare with Ira Rubinstein, ‘Privacy and Regulatory Innovation: Moving beyond Voluntary Codes’, (2011) I/S: a Journal of Law and Policy for the Information Society 371.

7 European Network and Information Security Agency (ENISA), Privacy and Data Protection by Design – From Policy to Engineering, available at www.enisa.europa.eu/publications/privacy-and-data-protection-by-design accessed 29 February 2020, 2014 Report, 2.

8 Ann Cavoukian and Marc Dixon, ‘Privacy and Security by Design: An Enterprise Architecture Approach’, available at www.ipc.on.ca/wp-content/uploads/Resources/pbd-privacy-and-security-by-design-oracle.pdf accessed 29 February 2020.

9 For a review of such technologies, see Yun Shen and Siani Pearson, Privacy Enhancing Technologies: A Review, available at www.hpl.hp.com/techreports/2011/HPL-2011-113.pdf accessed 29 February 2020.

10 See Article 25 Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), [2016] O.J. L119/1 (hereafter GDPR).

11 Seda Gürses, Carmela Troncoso, and Claudia Diaz, ‘Engineering Privacy-by-Design’, available at www.esat.kuleuven.be/cosic/publications/article-1542.pdf accessed 29 February 2020, p. 2.

12 See, for a most basic definition, http://ec.europa.eu/smart-regulation/better_regulation/documents/brochure/brochure_en.pdf. See also Christopher Marsden, Internet Co-Regulation (Cambridge University Press, 2011) 46; Michèle Finck, ‘Digital Co-regulation: Designing a Supranational Legal Framework for the Platform Economy’, (2018) 43 European Law Review 47, 65.

13 European Parliament, Council, Commission, Interinstitutional Agreement on better law-making, OJ2003, C 321/01, point 18. This agreement has been replaced by a new 2016 interinstitutional agreement ([2016] O.J. L123/1), in which the notion of co-regulation no longer explicitly features that notion. That does not mean, however, that the EU no longer relies on co-regulation. Quite on the contrary, best practices and guiding principles for better co-regulation have still been developed in 2015; see https://ec.europa.eu/digital-single-market/sites/digital-agenda/files/CoP%20-%20Principles%20for%20better%20self-%20and%20co-regulation.pdf.

14 I have found those implicit three criteria to underlie the conceptualisations made by Linda Senden, ‘Soft Law, Self-Regulation and Co-Regulation in European Law: Where Do They Meet?, 9 Electronic Journal of Comparative Law (2005), and Ira Rubinstein, ‘The Future of Self-Regulation Is Co-regulation’ in Evan Salinger, Jules Polonetsky and Omer Tene (eds.), The Cambridge Handbook of Consumer Privacy (Cambridge University Press, 2018) 503523. I do, however, take responsibility for limiting my typology to a distinction on the basis of those three criteria. I would like to state, as a caveat, that this typology could be refined; yet is taken as a starting point for further reflections on the possibilities for by-design co-regulation in the EU legal order.

15 See, on the EU’s new approach from a constitutional perspective, Harm Schepel, The Constitution of Private Governance – Product Standards in the Regulation of Integrating Markets (Hart, 2005). See also Noreen Burrows, ‘Harmonisation of Technical Standards: Reculer Pour Mieux Sauter?’, (1990) 53 Modern Law Review 598.

16 Regulation 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC, and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No. 1673/2006/EC of the European Parliament and of the Council, [2012] O.J. L316/12. See also Harm Schepel, ‘The New Approach to the New Approach: The Juridification of Harmonized Standards in EU Law’, (2013) Maastricht Journal of European and Comparative Law 523.

17 CJEU, Case C-613/14, James Elliott Construction, EU:C:2016:821, para. 34.

18 See, for that framework, Niamh Moloney, ‘The Lamfalussy Legislative Model: A New Era for the EC Securities and Investment Services Regime’, (2003) 52 International and Comparative Law Quarterly 510.

19 On this framework in EU financial services regulation, see Pieter Van Cleynenbreugel, Market Supervision in the European Union. Integrated Administration in Constitutional Context (Brill, 2014) 5255.

20 Annex II of the 1985 New Approach Resolution refers to essential safety requirements or other requirements in the general interest which can be translated into harmonised technical standards.

21 Article 43 GDPR.

22 European Network and Security Information Agency, ‘Privacy by Design in Big Data. An Overview of Privacy Enhancing Technologies in the Era of Big Data Analytics’, December 2015 Report, www.enisa.europa.eu/publications/big-data-protection accessed 29 February 2020, and European Data Protection Supervisor, ‘Preliminary Opinion on Privacy by Design’, 31 May 2018, https://edps.europa.eu/sites/edp/files/publication/18-05-31_preliminary_opinion_on_privacy_by_design_en_0.pdf accessed 29 February 2020 (hereafter EDPS Opinion 2018), p. 16.

23 For that argument in the context of technical standards, Linda Senden, ‘The Constitutional Fit of European Standardization Put to the Test’, (2017) 44 Legal Issues of Economic Integration 337.

24 Art. 4(1) and 5 of the Treaty on European Union (TEU).

25 See indeed also Art. 169 and 191–193 TFEU.

26 See EDPS 2018 Opinion, pp. 18–19.

27 As confirmed by CJEU, Case C-270/12, United Kingdom v. Parliament and Council, EU:C:2014:18.

28 CJEU, Case C-436/03, European Parliament v. Council, EU:C:2006:277, para. 37.

29 Footnote Ibid., paras. 44–45.

30 Charter of Fundamental Rights in the European Union, [2012] O.J. C236/391. The Charter does not give the EU additional competences, yet at the same time affirms the key values the EU wants to promote throughout its policies. It could therefore be imagined indeed that those values constitute the background against which value-inspired specifications will be developed that would be part of the by-design co-regulatory enterprise.

31 Paul Craig, ‘Delegated Acts, Implementing Acts and the New Comitology Regulation’, (2011) 36 European Law Review 675.

32 CJEU, Case C-696/15 P, Czech Republic v. Commission, EU:C:2017:595, para. 55.

33 Regulation 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers, [2011] O.J. L55/13.

34 Joana Mendes, ‘The EU Administration’ in Pieter-Jan Kuijper et al. (ed.), The Law of the European Union, 5th edition (Kluwer, 2018) 267311.

35 CJEU, Case 9/56, Meroni v. High Authority, EU:C:1958:7 at p. 152.

36 CJEU, Case 9/56, Meroni, at 150–151. See, for a schematic overview, Takis Tridimas, ‘Financial Supervision and Agency Power’ in Niamh Nic Shuibhne and Lawrence Gormley (eds.), From Single Market to Economic Union. Essays in Memory of John A. Usher (Oxford University Press, 2012) 6162.

37 CJEU, Case 9/56, Meroni, at 152.

38 CJEU, Case 98/80, Giuseppe Romano v. Rijksinstituut voor Ziekte- en Invaliditeitsverzekering, EU:C:1981:104, 1241, para. 20 on the prohibition to take binding decisions by an administrative commission.

39 See Opinion of Advocate General Jääskinen of 12 September 2013 in Case C-270/12, United Kingdom v. Council and European Parliament, EU:C:2013:562, para. 68.

40 Linda Senden, Footnote n. 23, 350.

41 CJEU, Case C-613/14, James Elliott Construction, EU:C:2016:821.

42 According to Robert Schütze, ‘From Rome to Lisbon: “Executive federalism” in the (New) European Union’, (2010) 47 Common Market Law Review 1418.

43 See also Pieter Van Cleynenbreugel, Footnote n. 19, 209 for an example as to how the EU tried to overcome such diversity.

44 See also Joana Mendes, Footnote n. 34, 283 and 295.

45 For an example, see Article 16 of Regulation 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority) amending Decision 716/2009/EC and repealing Commission Decision 2009/78/EC, O.J. L 331/12; Regulation 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority) amending Decision 716/2009/EC and repealing Commission Decision 2009/79/EC, O.J. L 331/ 48; Regulation 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority) amending Decision 716/2009/EC and repealing Commission Decision 2009/77/EC, O.J. L 331/84. All three regulations established the so-called European Supervisory Authorities in EU financial services supervision, establishing bodies that assemble representatives of different Member States’ authorities. Collectively, they are referred to as the ESA Regulations.

46 By way of example, Regulation (EU) 236/2012 of the European Parliament and of the Council of 14 March 2012 on short selling and certain aspects of credit default swaps, [2012] OJ L86/1.

47 Pieter Van Cleynenbreugel, ‘EU Post-Crisis Economic and Financial Market Regulation: Embedding Member States’ Interests within “More Europe”’ in Marton Varju (ed.), Between Compliance and Particularism. Member State Interests and European Union Law (Springer, 2019) 79102.

48 See Article 103 TFEU and Article 11 of Council Regulation 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty, [2003] OJ L 1/1.

49 For an example, see Article 58 ESA Regulations.

50 In the realm of EU competition law, see most notably Directive 2014/104/EU of the European Parliament and of the Council of 26 November 2014 on certain rules governing actions for damages under national law for infringements of the competition law provisions of the Member States and of the European Union, [2014] O.J. L349/1. In the realm of consumer protection law, see the Proposal for a Directive on representative actions for the protection of the collective interests of consumers, and repealing Directive 2009/22/EC, COM 2018/184 final, available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM:2018:184:FIN.

51 Article 83 GDPR.

52 Article 58 GDPR.

53 Article 65 GDPR – the European Data Protection Board has a role in the resolution of disputes between supervisory authorities.

54 See, in that context, Eillis Ferran, ‘The Existential Search of the European Banking Authority’, (2016) European Business Organisation Law Review 285317.

55 Provided that Article 114 TFEU would be relied upon, a qualified majority would be required in this regard.

57 See https://eur-lex.europa.eu/legal-content/EN/HIS/?uri=COM:2017:795:FIN for a proposal in this regard currently in development at the level of the Parliament and Council.

Save book to Kindle

To save this book to your Kindle, first ensure [email protected] is added to your Approved Personal Document E-mail List under your Personal Document Settings on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part of your Kindle email address below. Find out more about saving to your Kindle.

Note you can select to save to either the @free.kindle.com or @kindle.com variations. ‘@free.kindle.com’ emails are free but can only be saved to your device when it is connected to wi-fi. ‘@kindle.com’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.

Find out more about the Kindle Personal Document Service.

Available formats
×

Save book to Dropbox

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Dropbox.

Available formats
×

Save book to Google Drive

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Google Drive.

Available formats
×