EU data protection law vs algorithmic regulation: tilting at windmills?
Recent legal reforms under the aegis of the European Union (EU) and Council of Europe have reinvigorated the European regulatory framework for protection of personal data, with the adoption of the EU General Data Protection Regulation (GDPR) as the principal achievement of this renewal. The GDPR is aimed at ensuring that contemporary data-processing trends – including the increasing deployment of artificial intelligence (AI) and automated decisional systems – do not ride roughshod over the fundamental rights and freedoms of individual persons.
With its beefed-up sanctions regime, liberal rules for extra-territorial scope of application, and a large array of provisions for new or revamped rights and obligations, the GDPR is commonly vaunted – also in Australia – as the ‘gold standard’ globally for data protection and a key means of achieving ‘algorithmic accountability’.
Nonetheless, its legitimacy is contested, with some critics claiming, in effect, that the EU data protection regime is an arcane, elitist endeavour amounting to little more than ‘tilting at windmills’. This seminar examines the merits of such claims, particularly with regard to the GDPR’s likely impact on the design and use of automated decisional systems.
This lecture is proudly hosted by the 3A Institute.
Lee A. Bygrave is a professor at the Norwegian Research Center for Computers and Law (NRCCL), attached to the Department of Private Law, University of Oslo. For the past three decades, Lee has been engaged in researching and developing regulatory policy for information and communications technology. He has functioned as expert advisor on technology regulation for numerous organisations, including the European Commission, Nordic Council of Ministers, Internet Corporation for Assigned Names and Numbers, and Norwegian government. He currently heads two major research projects at the NRCCL: VIROS (‘Vulnerability in the Robot Society’), which canvasses legal and ethical implications of AI-empowered robotics; and SIGNAL (‘Security in Internet Governance and Networks: Analysing the Law’), which studies transnational changes in the legal frameworks for security of critical internet infrastructure and cloud computing. Lee has published extensively within the field of data protection law where his two principal books on the subject – Data Protection Law: Approaching Its Rationale, Logic and Limits (Kluwer 2002) and Data Privacy Law: An International Perspective (Oxford University Press 2014) – are widely acknowledged as standard international texts. He has just completed co-editing and co-authoring a comprehensive article-by-article analysis of the EU General Data Protection Regulation – The EU General Data Protection Regulation (GDPR): A Commentary (Oxford University Press 2019). His other major works concern the ways in which information concepts are (mis)understood and (mis)used in law (‘Information Concepts in Law: Generic Dreams and Definitional Daylight’, Oxford Journal of Legal Studies (2015)), the use of contract as a tool for governing internet infrastructure and online transactions (Internet Governance by Contract (Oxford University Press 2015)), and the emergence of ‘design-based’ regulatory techniques for integrating legal values into information systems architecture (‘Hardwiring Privacy’ in Brownsword et al. (eds.), The Oxford Handbook of Law, Regulation, and Technology (Oxford University Press 2017)).