Chair for Law and
Artificial Intelligence

The chapter documents the transformation of European Union data law from a legislative ensemble centred primarily around the fundamental right to data protection towards a much broader and more complex area of EU law of which data protection is but one element. Whereas data protection law implements data subjects’ right to data protection in submitting the processing of personal data to a qualified prohibition, the new legislative proposals and acts encourage the processing of (personal) data. This transforms the latter into an object of economic rights, a tradable commodity that can be sold or donated. This paradigm shift will undoubtedly result in tensions that will be keeping practitioners, academics, and judges busy for decades to come. Rather than providing a detailed overview of these tensions, this contribution documents the evolution of EU data law through the lens of the internal market and ponders the practical future implications thereof.

This symposium analyses European Union (EU) law as a means for both perpetuating commodification processes and potentially mitigating their consequences. This issue framing essay traces the evolutionary trajectory of commodification as a conceptual framework in contemporary intellectual debates, zeroing in on the most prominent theoretical frameworks underpinning its usage. It then relates the evolution of these debates more concretely to the context of the EU as a major institutional forum for the concept’s actualisation. Lastly, it connects these narratives to current conversations on the law’s role in constituting capitalism and consolidating its attendant structural inequalities. In so doing, it also canvasses the contributions that make up this symposium, showing how each enhances the discussion of commodification in the EU context.

Cyberattacks on medical devices and facilities can compromise the privacy of patients and, in the worst-case scenario, jeopardize health and lives. Studies on cyberattacks on medical devices indicate a significant increase since the COVID-19 pandemic. Given the critical implications of potential cyber threats, this contribution explores the extent to which current legal frameworks address the challenges in developing and using AI-based medical products. Compared to conventional medical devices, AI-based medical technology opens additional points of attack for cyberattacks due to its special technical characteristics. As the EU legal framework for cybersecurity is currently undergoing substantial changes, this contribution focuses exclusively on the regulatory requirements for cybersecurity that specifically pertain to AI-based medical devices. These requirements arise not only from the Medical Devices Regulation EU 2017/745 but also notably from the upcoming EU AI-Act.

Michèle Finck: ‘Data Protection’, Oxford Encyclopedia of European Union Law (2023)

Available here. As part of the European Commission's broader data strategy, the Data Governance Act (“DGA”) introduces a new regulatory regime for data intermediaries, which, inter alia, pursues the objective of increasing the competitiveness of the European data economy by bolstering trust in data-sharing mechanisms. Against this backdrop, we introduce data intermediaries and critically examine the DGA's related legal regime by testing its underlying assumptions and highlighting its intrinsic weaknesses and limitations as part of the broader EU data law puzzle. As a result, the paper brings to the fore certain contradictions between DGA's means and ends. Indeed, due to various questionable assumptions, the DGA imposes requirements that not all data intermediaries can satisfy and entrenches a specific techno-organisational form for data intermediation services that may turn out to be economically non-viable. Consequently, one must wonder whether the DGA's rules on data intermediaries are necessary and proportionate in light of the freedom to conduct a business. We furthermore uncover inconsistencies and loopholes between the DGA, the GDPR, the draft Data Act, and the Digital Markets Act. Overall, while the DGA's underlying efforts are laudable, its precise postulations may hinder the achievement of its underlying objectives due to two main factors. First its own internal limitations and incoherences, and, second, uncertainties and tensions resulting from its interplay with the broader EU data law framework.

Available here. Few policy issues will be as defining to the EU’s future as its reaction to environmental decline, on the one hand, and digitalisation, on the other. Whereas the former will shape the (quality of) life and health of humans, animals and plants, the latter will define the future competitiveness of the internal market and relatedly, also societal justice and cohesion. Yet, to date, the interconnections between these issues are rarely made explicit, as evidenced by the European Commission’s current policy agendas on both matters. With this article, we hope to contribute to, ideally, a soon growing conversation about how to effectively bridge environmental protection and digitalisation. Specifically, we examine how EU law shapes the options of using data—the lifeblood of the digital economy—for environmental sustainability purposes, and ponder the impact of on-going legislative reform.

Available here. Mechanisms to control public power have been developed and shaped around human beings as decision-makers at the centre of the public administration. However, technology is radically changing how public administration is organised and reliance on Artificial Intelligence is on the rise across all sectors. While carrying the promise of an increasingly efficient administration, automating (parts of) administrative decision-making processes also poses a challenge to our human-centred systems of control of public power. This article focuses on one of these control mechanisms: the duty to give reasons under EU law, a pillar of administrative law designed to enable individuals to challenge decisions and courts to exercise their powers of review. First, it analyses whether the duty to give reasons can be meaningfully applied when EU bodies rely on AI systems to inform their decisionmaking. Secondly, it examines the added value of secondary law, in particular the data protection rules applicable to EU institutions and the draft EU Artificial Intelligence Act, in complementing and adapting the duty to give reasons to better fulfil its purpose in a (partially) automated administration. This article concludes that the duty to give reasons provides a useful starting point but leaves a number of aspects unclear. While providing important safeguards, neither EU data protection law nor the draft EU Artificial Intelligence Act currently fill these gaps.

Available here. Existing and planned legislation stipulates various obligations to provide information about machine learning algorithms and their functioning, often interpreted as obligations to “explain”. Many researchers suggest using post-hoc explanation algorithms for this purpose. In this paper, we combine legal, philosophical and technical arguments to show that post-hoc explanation algorithms are unsuitable to achieve the law’s objectives. Indeed, most situations where explanations are requested are adversarial, meaning that the explanation provider and receiver have opposing interests and incentives, so that the provider might manipulate the explanation for her own ends. We show that this fundamental conflict cannot be resolved because of the high degree of ambiguity of post-hoc explanations in realistic application scenarios. As a consequence, post-hoc explanation algorithms are unsuitable to achieve the transparency objectives inherent to the legal norms. Instead, there is a need to more explicitly discuss the objectives underlying “explainability” obligations as these can often be better achieved through other mechanisms. There is an urgent need for a more open and honest discussion regarding the potential and limitations of post-hoc explanations in adversarial contexts, in particular in light of the current negotiations of the European Union’s draft Artificial Intelligence Act.