ABSTRACT. This study investigated the compatibility between individual data sovereignty and the General Data Protection Regulation (GDPR), using the theoretical PET, CrypTex, as a case study. CrypTex is a combination of the Solid Project, a decentralized data storage PET, and PRIMELife, a policy languages PET, that generates a machine-readable privacy policy to govern data access and sharing by data controllers. Matters such as the imbalance of power between the data subject and dominant controllers for processing activities based on Articles 6(1)(a) and (b) GDPR, the reliance on the data subject’s consent to initiate a data processing activity based on Articles 6(1)(c),(e), and (f) GDPR, the lack of safeguards for processing activities based on Article 6(1)(d) GDPR, and the one-time data exchange, prevents the data controller from demonstrating compliance with Article 5(2) GDPR. These issues were reconciled by increasing the degree of detail and specificity (granularity) of transparency and control in CrypTex. However, modifying the scale and level of detail regarding the data processing operation that the data subject is now privy to will also increase the cognitive load on the data subject. Ultimately, the data subject may choose not to exercise this increased responsibility.

ABSTRACT. Digital regulation in the European Union is increasingly grounded in a risk-based approach, which assigns a central role to risk assessment and risk management in protecting fundamental rights and freedoms. Legal instruments such as the GDPR, the NIS II Directive, the Digital Services Act, the Cyber Resilience Act, the Digital Operational Resilience Act and the AI Act require the adoption of security measures that are appropriate and proportionate to the risk, granting economic operators and public organisations a significant degree of evaluative discretion. However, when the object of protection is not merely operational continuity or system security, but fundamental rights such as privacy, freedom of expression, access to information and individual autonomy, substantial methodological and conceptual tensions emerge. The contribution starts from an understanding of cyberspace as a “market-based space”, insofar as it is constituted by digital products and services placed on the market and circulating across borders. ICT infrastructures, products with digital elements, intermediary services and online platforms are not merely technological artefacts, but commodities whose diffusion directly affects fundamental interests and rights. In this context, trust in digital goods becomes a crucial precondition for the European digital market, placing risk management at the centre of the governance of technological uncertainty, at the intersection of market regulation, security and rights protection. Against this background, the paper analyses the governance of cyber risk in the EU, focusing on the structural distinction between law and technical standards, as well as on the relationship between these two regulatory layers. EU law primarily operates through normative language, defining outcome-oriented obligations, proportionality criteria and liability regimes, whereas technical standards translate these objectives into operational and largely calculable parameters. Although some standards allow for qualitative or hybrid approaches, a persistent gap remains between legal rationality, which is value-oriented, and technical-instrumental rationality, which is oriented towards measurement and standardisation. The paper focuses on the gap between quantitative and qualitative risk assessments in the protection of fundamental rights. Quantitative models, based on metrics of probability and impact, facilitate comparability and replicability, but often prove inadequate to capture non-measurable, cumulative or systemic effects on rights, such as pervasive surveillance, information manipulation or chilling effects on freedom of expression. Qualitative assessments, which are typical of legal reasoning, are better suited to grasp the value-based dimension of risk, but raise concerns in terms of operational determinacy, comparability and accountability. Through the analysis of emblematic regulatory cases, the paper shows that EU lawmakers already rely—albeit not always explicitly—on hybrid models of risk assessment, in which qualitative descriptions of impacts on fundamental rights coexist with quantitative decision-support tools. Within this framework, a central role is played by competent administrative authorities—such as the European Data Protection Board, the European Union Agency for Cybersecurity, and, prospectively, the AI Office—which are often responsible for producing soft-law instruments (guidelines, taxonomies and operational models) aimed at rendering the risk-based approach practically applicable. These instruments not only guide qualitative assessments of impacts on fundamental rights, but in some cases also incorporate quantitative or semi-quantitative methodologies to support risk evaluation. In such hybrid settings, quantitative methods do not perform an autonomous decisional function, but rather operate as informational and comparative tools that support legal judgment, which remains anchored in qualitative and value-based considerations relating to the protection of fundamental rights. The research, conducted at the University of Turin within the framework of the SERICS (Security and Rights in the Cyber Space) project, which is fully funded by the European Union, seeks to contribute to the debate on the long-term legal and operational sustainability of such models. In particular, the paper asks whether—and to what extent—it is possible to develop approaches to risk management capable of coherently integrating legal language and numerical metrics, without reducing fundamental rights to calculable variables or renouncing effective decision-making tools in technologically complex environments. In addition to the abstract, the research will also be presented through a poster, designed to visually illustrate the conceptual framework and the main methodological nodes of the analysis.

Bibliographical references Almada M., De Gregorio G., The Mixed Nature of the AI Act: Product Safety and Fundamental Rights Regulation, Forthcoming in Malgieri G., Fuster G.G., Mantelero A., Zanfir-Fortuna G. (eds.), The Artificial Intelligence Act — A Thematic Commentary, Hart 2026; Busch L., Standards: Recipes for Reality, Mit Press, 2013; Bures, H. Carrapico (edit by), Security Privatization. How non-security-related Private Businesses Shape Security Governance, Springer, 2018; Dunn Cavelty M., Eriksen C., Scharte B., Making cyber security more resilient: adding social considerations to technological fixes, in Journal of Risk Research, vol. 26, n. 7, 2023; Durante M., Potere computazionale: L’impatto delle ICT su diritto, società, sapere [eng. Computational power: The impact of ICT on law, society and knowledge], Meltemi, 2019; Everson M., Vos E., Uncertain Risks Regulated, Routledge, 2009; Floridi, L., La quarta rivoluzione. Come l’infosfera sta trasformando il mondo [eng. The Fourth Revolution: How the Infosphere is Transforming the World], Raffaello Cortina Editore, 2017. Gallotti C., Sicurezza delle informazioni. Gestione del rischio. I sistemi di gestione per la sicurezza delle informazioni. La norma ISO/IEC 27001:2022. I controlli della ISO/IEC 27002:2022 [eng. Information security. Risk management. Information security management systems. The ISO/IEC 27001:2022 standard. The controls of ISO/IEC 27002:2022], Lulu press, 2022; Gellert R., The Risk-Based Approach to Data Protection, Oxford University Press, 2020; Gerunov A., Risk Analysis for the Digital Age, Springer, 2022; Giddens A., The changing world, Il Mulino, 2000; Kamara I, European cybersecurity standardisation: a tale of two solitudes in view of Europe’s cyber resilience, in Innovation: The European Journal of Social Science Research, 37,5, 2024; Majone G., Dilemmas of European integration. The ambiguities and pitfalls of integration by stealth, Oxford University Press, 2005; Micklitz H.W., Tridimas T., Risk and EU law, Cheltenham: Edward Elgar, 2015; Pugliese S., Il rischio nel diritto dell'Unione europea: tra principi di precauzione, proporzionalità e standardizzazione [eng. Risk in European Union law: between the principles of precaution, proportionality and standardisation], Caccucci, 2017; Puyvelde D.V., Brantly A.F., Cybersecurity. Politics, Governance and Conflict in Cyberspace, Polity Press, 2019; Refsdal A., Solhaug B., Stølen K., Cyber-Risk Management, Springer, 2015; Serini F., La frammentazione del cyberspazio merceologico tra certificazioni e standard di cybersicurezza. Alcune considerazioni alla luce delle discipline europea e italiana, [eng. The fragmentation of cyberspace between certifications and cybersecurity standards. Some considerations in light of European and Italian regulations], in Rivista italiana di informatica e diritto, fasc. 2, 2023. Serini F., Collective cyber situational awareness in EU. A political project of difficult legal realisation?, in Computer Law & Security, vol. 55, 2024.

ABSTRACT. (Poster) CONSENTIS envisions a transformative approach to personal data sharing that aligns with EU regulations and strategic initiatives, including eIDAS, EU Data Spaces, and GDPR. The project introduces a novel framework that empowers individuals with self-sovereign identity and user-centric consent management solutions, enabling them to: a) exercise full control over the collection and use of their personal data, and b) provide informed consent seamlessly through intuitive interfaces and timely notifications. CONSENTIS is an industry-oriented project, with SMEs and large companies covering more than 80% of the consortium and is built on a collaboration of 12 organisations from 10 EU member states and associated countries.

ABSTRACT. This presentation examines the proposed Article 88(c) GDPR of the November 2025 European Commission’s Omnibus Regulation [1] at a moment when the boundaries of EU data protection and AI governance are shifting rapidly. [2] As the draft clause could move toward adoption, it raises questions that go straight to the structural heart of the GDPR: the role and resilience of legitimate interests, the meaning of data minimization in an artificial intelligence environment, and the constitutional status of fundamental rights under Article 8 Charter. Integrating Article 88(c) into that framework has shown just how disruptive this clause could be. Far from a marginal technical amendment, Article 88(c) forces us to revisit assumptions that have guided EU data protection since 2018. This extended abstract outlines the main lines of argument the presentation will develop.

1. The Reconfiguration of Legitimate Interests Under Article 88(c)

At the centre of Article 88(c) lies a decisive question: what will become of Article 6(1)(f) GDPR in the context of, for instance, AI training and development? The GDPR currently treats legitimate interests as a flexible, context-sensitive legal basis, governed by a balancing test that accommodates innovation while protecting individuals. Legitimate interests is a term broadly interpreted by the Luxembourg court. [3] Article 88(c), however, places AI-related processing in a separate regulatory compartment. It contemplates that Member States may exclude the use of legitimate interests for the development and training of AI systems. This possibility is not a minor alteration—it represents a structural intervention into the GDPR’s carefully constructed equilibrium of legal bases. If the balancing test is displaced by a categorical exclusion, with consent as the only viable alternative, the entire architecture of Article 6(1)(f) becomes less predictable. The presentation will argue that this move represents a substantive recalibration of the GDPR. Even if Article 88(c) does not directly rewrite Article 6(1)(f), it indirectly reshapes it by authorizing national deviations that alter the practical scope of the balancing test. What emerges is not merely a doctrinal puzzle but a deeper shift in how the EU understands lawful processing in data-intensive AI environments, and creating a new Member States specific interplay between legitimate interests and consent.

2. The Potential Departure from Technological Neutrality

The GDPR was drafted as a technologically neutral instrument: its principles apply regardless of the underlying system or architecture. This neutrality has served as a stabilizing force, allowing the Regulation to endure through waves of technological change. Article 88(c) challenges that neutrality. By creating obligations specific to the development and training of AI systems, it singles out a technology category that was previously treated as part of the general processing landscape. This raises the question: is Article 88(c) an isolated exception, born of political momentum behind AI regulation, or does it signal a systemic turn toward technology-specific data protection rules? If the latter, the GDPR’s self-image as a future-proof framework may come under pressure. The presentation will analyze to what extent Article 88(c) marks the beginning of a differentiated regulatory model—one where automated and AI-driven processing is no longer absorbed into the general principles of data protection but becomes subject to a dedicated regime with its own lawful bases, safeguards, and national discretion. It is foreseeable that not all parts of the clause intend to create new rules, but the rules taken together may create a distinct AI related regime. Such a shift would not only challenge interpretive continuity; it would also introduce new burdens for controllers whose systems straddle multiple types of data processing. The implications extend to DPIAs, accountability frameworks, and the interplay between the GDPR and the AI Act.

3. Data Subject Rights in a Fragmented AI Regulatory Space

Article 88(c) also interacts with data subject rights in subtle but important ways. On one reading, the clause strengthens these rights by tying AI-related processing to enhanced safeguards, potentially reinforcing transparency and the right to object. On another reading, however, it may create new tensions. If Member States decide that consent is the only lawful basis for, for instance, AI training, then the stability of large-scale datasets could become heavily dependent on the fragility of individual consent. Revocation would acquire systemic importance, and the meaningfulness of consent in complex technological environments becomes an open question. The presentation will assess whether such a regime genuinely empowers individuals or whether it risks creating a facade of choice that masks structural power asymmetries. It will consider how Article 88(c) interacts with the practical effectiveness of rights such as access, portability, and objection in the context of opaque model behavior and continuously evolving training data.

4. Data Minimization, Technical Measures, and the Constitutional Boundary of Article 8 Charter

One of the most constitutionally charged elements of Article 88(c) is its explicit connection between data minimization and technical and organizational measures. This resonates strongly with Digital Rights Ireland [4], where the Court of Justice recognized that certain safeguards (TOMS) are the “essence” of Article 8 Charter. But it must be reconciled with cases such as HTB [5], which treat data minimization primarily through a necessity and least intrusive means framework. Article 88(c) effectively forces a choice: will data minimization continue to operate as a proportionality tool, or is it beginning to crystallize into a component of the essence of the right to data protection? If the latter interpretation gains traction, constitutional limits on Member State discretion become far stricter. The presentation will examine which reading is more consistent with the evolution of EU constitutional law and how Article 88(c) could push courts toward a more essence-based protection of personal data.

5. Member State Discretion and the Emergence of Divergent “National AI Rights Regimes”

This is the issue that most dramatically reshapes the future of EU data protection: Article 88(c) would allow each Member State to determine whether legitimate interests is an acceptable lawful basis for AI training and development—or whether only consent should be permitted. This discretion is unprecedented in scope for a Regulation designed to harmonize data protection law. If the clause is adopted in its current form, the Union could end up with a patchwork of national regimes differentiated along a permissive–prohibitive axis. Some Member States may select a more innovation-friendly approach by allowing legitimate interests, while others may insist on consent as the exclusive ground, adopting a more restrictive interpretation inspired by a protective reading of Article 8 Charter. What emerges is, in effect, a set of national “AI rights regimes,” each reflecting a different constitutional temperament. The nature—indeed the tone—of Article 8 protection for AI training could vary substantially across the EU. This is a profound development. For controllers, such divergence would create operational complexity, undermining cross-border consistency and triggering strategic forum-shopping. For fundamental rights, it poses deeper questions: can the EU maintain equivalent protection for data subjects if the very legality of AI training depends on national choices? Or does Article 88(c) risk fracturing the constitutional coherence of data protection across the Union? The presentation will argue that this discretion is not merely a legislative detail; it is the hinge on which the future unity or fragmentation of EU data protection may turn.

6. Conclusion

Article 88(c) is more than an incremental amendment to the GDPR. It is an intervention that touches the foundations of lawful processing, technological neutrality, constitutional proportionality, and the harmonizing ambition of EU data protection. A striking effect is the discretion it grants to Member States to redefine the status of legitimate interests for AI training. This single feature could reshape the internal market, reconfigure the meaning of Article 8 Charter across jurisdictions, and generate divergences that the GDPR was designed to prevent. The presentation will offer a structured analysis of these developments, drawing on my research on legitimate interests while situating Article 88(c) within the wider trajectory of EU AI governance. It aims to show why this clause deserves scholarly attention and how it may shape the next decade of European data protection. [6]

Footnotes: 1. The proposed Article 88(c) GDPR reads: “Processing in the context of the development and operation of Al Where the processing of personal data is necessary for the interests of the controller in the context of the development and operation of an Al system as defined in Article 3, point (1), of Regulation (EU) 2024/1689 or an Al model, such processing may be pursued for legitimate interests within the meaning of Article 6(1)(f) of Regulation (EU) 2016/679, where appropriate, except where other Union or national laws explicitly require consent, and where such interests are overridden by the interests, or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Any such processing shall be subject to appropriate organisational, technical measures and safeguards for the rights and freedoms of the data subject, such as to ensure respect of data minimisation during the stage of selection of sources and the training and testing of Al an system or Al model, to protect against non-disclosure of residually retained data in the Al system or Al model to ensure enhanced transparency to data subjects and providing data subjects with an unconditional right to object to the processing of their personal data.”.

2. See: https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal.

3. In Schufa the CJEU holds: “As regards … the condition relating to the pursuit of a ‘legitimate interest’, in the absence of a definition of that concept in the GDPR, it should be emphasised … that a wide range of interests is, in principle, capable of being regarded as legitimate.”.See: Schufa, para 76.

4. Digital Rights Ireland, para 40.

5. HTB, paras 60-61.

6. Relevant literature amongst others: Alexy R., 2021. Constitutional rights, proportionality, and argumentation. In: Sieckmann J.-R. (ed). Proportionality, Balancing, and Rights. Robert Alexy’s Theory of constitutional rights. Springer Cham, 2021. pp.1-9. --, 2021. The responsibility of Internet portal providers for readers’ comments. Argumentation and balancing in the Case of Delfi AS v. Estonia. In: Elósegui M., Miron A. and Motoc I. (eds). The Rule of Law in Europe. Springer, Cham, 2021. pp.199-213. --, 2018. Proportionality, Constitutional law and sub-constitutional law: A reply to Aharon Barak. International Journal of Constitutional Law, 3-2018 (16), pp.871-879. --, 2017. Proportionality and Rationality. In: Jackson V.C. and Tushnet M. (eds). Proportionality: New Frontiers, New Challenges. Cambridge University Press, 2017. pp.13-29. Balboni P., Cooper D., Imperali R.and Macenaite M., 2013. Legitimate interest of the data controller new data protection paradigm: Legitimacy grounded on appropriate protection. International Data Privacy Law, 4-2013 (3), pp.244-261. Bieker F., 2022. The Right to Data Protection. Individual and Structural Dimensions of Data Protection in EU Law. Information Technology and Law Series IT&LAW 34. Asser Press. Springer. Brewczyńska M., 2023. Between Legitimacy and Lawfulness: In Search of Rationality and Consistency in EU Data Protection. European Data Protection Law Review, 2-2023 (9), pp.112-122. Dalla Corte L., 2022. On proportionality in the data protection jurisprudence of the CJEU. International Data Privacy Law, 4-2022 (12), pp.259-275. --, 2020. A Right to a Rule On the Substance and Essence of the Fundamental Right to Personal Data Protection. In: Hallinan D., Leenes R., Gutwirth S. and Hert P. De (eds). Data Protection and Privacy. Data Protection and Democracy, 2020. Computers, Privacy and Data Protection, Volume 12, pp.27-58. Dekhuijzen A.E. and Hert P. De, 2025. Clarifying the Necessity Requirement in Proportionality Testing. Is it about Less or Least Intrusive Means? European Law Blog, October 2025. Hert P. De, 2024. Proportionality in Modern Regulatory States Confused about Priorities. Judges Like, but do not Comply with Academic Doctrines. In: Czarnocki J. and Palka P. (eds). Proportionality in EU Digital Law: Balancing Conflicting Rights and Interests. Hart Publishers, 2024, pp.33-97. Hert P. De, Dalla Corte L. and Dekhuijzen A.E. The emergence of the ‘strict’ necessity test in European privacy and data protection jurisprudence. Forthcoming. Kamara I. and Hert P. De, 2018. Understanding the balancing act behind the legitimate interest of the controller ground: a pragmatic approach. Working Paper, Brussels Privacy Hub, 12-2018 (4), pp.1-33. Sloot B. van der, 2024. Regulating the Synthetic Society – Generative AI, Legal Questions and Societal Challenges. Bloomsbury Publishing, 2024. --, 2021. The half-way revolution of the European Court of Human Rights, or the ‘minimum’ requirements of ‘law’. In: Herveg J. (ed), Deep diving into data protection: 1979-2019: celebrating 40 years of research on privacy and data protection at the CRIDS. Bruxelles: Larcier, 2021. pp.1-20. --, 2020. The quality of law. How the European Court of Human Rights gradually became a European Constitutional Court for privacy cases. Journal of International Property, Information Technology and Electronic Commerce Law, 2-2020 (11), pp.160-185. --, 2017. 10 Questions about balancing. European Data Protection Law Review, 2-2017 (3), pp.187-194. Trigo Kramcsák P.R., 2023. Can legitimate interest be an appropriate lawful basis for processing Artificial Intelligence training datasets? Computer Law & Security Review, 2023 (48), pp.1-11.

ABSTRACT. On 19 November 2025, the European Commission released the long-awaited Digital Omnibus package [1] – two proposals designed to streamline and update several cornerstones of the digital legal framework in the European Union (EU), including but not limited to: the General Data Protection Regulation (GDPR) (Digital Omnibus (hereafter ‘Omnibus’)),[2] and the Artificial Intelligence (AI) Act (Digital Omnibus on AI)[3]. The package is a part of regulatory “simplification” efforts of Ursula von der Leyen's second Commission, which were called upon, among others, by Mario Draghi in his much-discussed report published in 2024.[4] The Commission justifies its initiative on the grounds that EU’s competitiveness must be increased. It explains that the EU needs a new, more “agile” approach to innovation and simpler rules governing digital technologies, including AI. The narrative in the Omnibus is that “[t]rustworthy AI is key in providing for economic growth and supporting innovation with socially beneficial outcomes”.[5] To that end, the Omnibus proposes, among other things, to facilitate the processing of personal data for the purposes of the development and operation of AI. The Commission’s Staff Working Document [6] and explanatory memoranda accompanying both proposals maintain that the initiative is mainly technical in nature and not intended to alter any underlying objectives of the revised laws. Yet, as I would like to argue in my contribution, there are serious reasons to doubt that assertion, at least with respect to the changes proposed to the GDPR concerning the principle of lawfulness of personal, including sensitive, data processing. This crucial – not only in the EU but also other data protection legal frameworks adopted across the globe – principle demands that the processing of personal data must be based on a suitable legal ground. Without such a ground, the processing is “unlawful” and, therefore, in the EU, it constitutes an infringement of the fundamental right to the protection of personal data per Article 8 of the EU Charter of Fundamental Rights (hereafter ‘CFR’). The relationship between the principle of lawfulness under the secondary EU data protection law, including the GDPR, and the mandatory requirement of legality of any interference with the non-absolute fundamental right or freedom, provided for in the primary law – i.e. in Article 52 CFR, is not straightforward, however, to legitimise the processing of personal data, the law permitting it must always meet certain quality standards.[7] The Omnibus proposes an introduction of a new provision – Article 88c to the GDPR laying down a “special” legal ground for the processing of personal data in the context of AI; and an expansion of the current Article 9 of the GDPR – allowing for such processing in relation to sensitive data. In doing so, the Omnibus, in fact, pushes the boundaries of the existing principle of lawfulness by creating new, extraordinary legal grounds for data processing applicable when the specific – in this case AI – technology is involved. As I wish to show, these – allegedly ‘technical’ – changes for greater ‘agility’ of the current data protection framework may, in practice, entail critical consequences for the individuals whose personal data will be processed on such new legal grounds. From the purely formalistic point of view, this means that the Commission would have to initiate the fully fledged legislative process rather than follow the ‘fast-track’ procedure. Most notably, however, the changes proposed by the Omnibus invite two foundational questions, which I intend to reflect on in my presentation, namely: first, what are the limits of the principle of lawfulness and legislator’s intervention through the creation of ad hoc legal grounds for personal data processing to accommodate the needs of a specific technology?; and, second, does such an intervention undermine the principle of lawfulness and, therefore, one of the key values underlying the current data protection legal regime?

--- [1] European Commission, ‘Digital Omnibus Regulation Proposal. Shaping Europe’s Digital Future’ (19 November 2025) <https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal> accessed 7 January 2026. [2] Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) 2016/679, (EU) 2018/1724, (EU) 2018/1725, (EU) 2023/2854 and Directives 2002/58/EC, (EU) 2022/2555 and (EU) 2022/2557 as regards the simplification of the digital legislative framework, and repealing Regulations (EU) 2018/1807, (EU) 2019/1150, (EU) 2022/868, and Directive (EU) 2019/1024 (Digital Omnibus) [19.11.2025] COM/2025/837 final 2025. [3] Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as regards the simplification of the implementation of harmonised rules on artificial intelligence (Digital Omnibus on AI) [19.11.2025] COM(2025) 836 final. [4] Mario Draghi, ‘The Future of European Competitiveness’ (2024) <https://commission.europa.eu/topics/eu-competitiveness/draghi-report_en#paragraph_47059>. [5] Omnibus, recital 30. [6] Commission Staff Working Document Accompanying the documents Proposal for a Regulation of the European Parliament and of the Council Amending Regulations (EU) 2016/679, (EU) 2018/1724, (EU) 2018/1725, (EU) 2023/2854 and Directives 2002/58/EC, (EU) 2022/2555 and (EU) 2022/2557 as regards the simplification of the digital legislative framework, and repealing Regulations (EU) 2018/1807, (EU) 2019/1150, (EU) 2022/868, and Directive (EU) 2019/1024 (Digital Omnibus) Amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as regards the simplification of the implementation of harmonised rules on artificial intelligence (Digital Omnibus on AI) [19.11.2025] SWD(2025) 836 final. [7] M Brewczyńska, ‘Between Legitimacy and Lawfulness: In Search of Rationality and Consistency in EU Data Protection’ (2023) 9 European Data Protection Law Review 112, 115.

ABSTRACT. The EU’s digital acquis increasingly relies on individual-facing rights that are implemented through information and choice interfaces. Users are asked to make decisions through consent prompts, opt-outs, preference settings, transparency dashboards, and notices explaining data uses and automated systems. These mechanisms are meant to strengthen autonomy and user control. At the same time, the regulatory environment has become multi-layered: new instruments regulate the same digital settings from different angles (data protection, platform governance, gatekeeper obligations, AI governance, and sectoral frameworks). This paper examines what happens when these layers meet in practice. It argues that the key issue is not only “bad consent design” or isolated dark patterns. The issue is systemic and can be described as a regulatory stacking effect: overlapping regimes generate multiple user-facing decision points within the same user journey, with different legal purposes and different meanings of “choice”. The risk is that, beyond a certain threshold, users can no longer exercise meaningful control, and consent starts to function mainly as a legitimacy narrative and a compliance shield.

The paper proposes a conceptually and empirically tractable way to analyse this phenomenon. It defines regulatory stacking as the cumulative increase in (i) the number of user-facing decision points (“consent moments”), (ii) their heterogeneity (different legal triggers and semantics), and (iii) fragmentation across multiple interfaces, settings pages, devices, and service layers. The focus is on the operational feasibility of control: even if the number of prompts is not exceptionally high, control may be undermined by fragmentation (choices distributed across multiple places) and by semantic complexity (similar issues framed differently across contexts). In this sense, “control collapses” refers to a reduction in meaningful control caused by cumulative decision burdens, fragmentation, and semantic complexity, rather than a claim that any specific platform necessarily performs poorly.

The context for this research is both practical and institutional. In recent years, EU digital regulation has expanded rapidly. The Digital Services Act and the Digital Markets Act address major features of platform environments, including advertising-related practices and recommender systems. The AI Act is entering into application in stages. The European Health Data Space Regulation is moving through its transition period. At the same time, the ePrivacy Regulation project was withdrawn, while the ePrivacy Directive and national implementations remain central to consent practices around cookies and tracking. The EU has also begun to frame simplification as a policy priority, including through omnibus-style amendments to digital legislation. This creates a timely governance question: when several instruments impose separate information duties and separate choice points in the same digital environment, do users gain more control, or does the system produce choice saturation and reduced practical autonomy?

The main research question is: How does regulatory stacking in the EU digital acquis affect the feasibility of meaningful user control, and what governance alternatives better protect core values (autonomy, privacy, fairness) under conditions of limited attention and power asymmetries? The paper advances the hypothesis that stacking can produce a paradoxical outcome. Formal empowerment may become operationally self-defeating, because users are confronted with repeated, heterogeneous, and fragmented decisions that are difficult to understand and manage over time. In such conditions, user interaction tends to become routinised (“fast clicking”), and the protective function of consent is weakened. This dynamic may also affect innovation incentives: it becomes rational to invest in interface strategies that maximise acceptance and reduce legal risk (“consent engineering”), rather than in substantive safeguards that reduce data risks at the source. The paper also engages with ongoing “interplay” debates. EU bodies and regulators increasingly publish guidance on how different instruments relate to each other, such as guidance addressing the relationship between platform obligations and data protection law. This is a necessary step for compliance coordination. However, the paper argues that interplay analysis is incomplete if it does not address the cumulative user-facing consequences of multiple instruments. The practical user experience of rights and obligations should be treated as a core governance issue, because it directly affects whether autonomy and control can be realised in everyday digital life.

Methodologically, the paper combines doctrinal analysis with a structured mapping exercise and a limited empirical plausibility check. The doctrinal component focuses on identifying the legal triggers that generate user-facing information and choice requirements in platform-mediated environments, rather than restating each instrument. The mapping component then operationalises stacking through two representative user journeys. The first is a platform journey: account creation and subsequent navigation of advertising settings and recommender settings, including transparency tools and preference controls. The second is a cross-site consumer journey: browsing media and e-commerce sites across devices, encountering cookie banners, consent prompts, and links to separate preference dashboards. For each journey, the paper records the number and type of decision points (consent, opt-out, preference toggles, acknowledgement), the data uses they are linked to, the degree of reversibility, and whether users are repeatedly asked to decide on substantively similar issues across multiple interfaces. The mapping is documented through screenshots and coded in a transparent table, producing a “stacking map” that makes the cumulative decision environment visible and comparable across services.

To avoid purely speculative claims, the paper adds a micro-empirical “reality check”. This is deliberately modest and feasible within the scope of a conference paper. It can take the form of either (i) a short time-and-attention log, where participants record how often they face consent moments and how long interactions take, or (ii) systematic screenshot sampling of consent and preference interfaces across a bounded set of services. The purpose is not statistical representativeness. The purpose is to test the plausibility of the “informed and deliberative user” assumption once stacked decision environments are mapped, and to provide descriptive evidence about the volume and structure of consent moments in everyday practice.

The paper’s expected contribution is fourfold. First, it reframes consent fatigue as a systemic governance problem linked to the architecture of multi-instrument regulation, not merely as a behavioural inconvenience or a feature of poor interface design. Second, it proposes a replicable mapping method that can be used to analyse stacking across user journeys, enabling more concrete debates than general claims about over-regulation or complexity. Third, it offers a coherence critique relevant to current policy discussions: coordination between instruments is incomplete if it ignores cumulative user-facing burdens. Fourth, it identifies reform directions that are aligned with the EU’s current simplification agenda, while emphasising that “fewer prompts” is not sufficient if substantive control is not restored. Two families of reforms are outlined. The first is consolidation, aimed at reducing duplication and preventing repeated re-asking of substantively identical choices across contexts, through more coherent and unified choice infrastructures. The second is a safeguards-first approach, which shifts the burden of rights realisation from the individual to regulated entities by strengthening default protections and enforceable constraints, especially in high-asymmetry environments such as large platforms and complex ad-tech ecosystems.

ABSTRACT. Necessity is a notion with a distinct meaning in EU data protection law.[1] In its recent case law, the Court of Justice has interpreted necessity in Article 6(1)(b-f) of the General Data Protection Regulation (GDPR) strictly as linked to the data minimisation principle contained in Article 5(1)(c) of the regulation.[2] The potential for controversy in the interpretation of these provisions and, in particular Articles 6(1)(b) and (f), and their respective overlap with consent as a condition for lawful processing in Article 6(1)(a), has long been explored in the literature. [3] However, this controversy has only recently started to crystalise in the jurisprudence. For instance, in the Mousse case, the Court noted that for processing to come within the scope of contract as a condition for lawful processing in Article 6(1)(b), it must be ‘objectively indispensable or essential to enable the proper performance of a contract’. [4] The recent jurisprudence, therefore, seemingly draws hard lines around this notion. Interestingly, however, the narrow interpretation evident in this recent case law is arguably in conflict with the more open interpretation in the Court’s earlier rulings. For example, in Huber [5], the Court interpreted necessity in what is now Article 6(1)(e) of the Regulation, in terms of effectiveness and not indispensability [6]. Assuming that necessity should be given a common interpretation across the relevant conditions for lawful processing provided in Article 6(1)(b-f) of the regulation, the potential inconsistency appears to be obvious. The recent case law arguably suggests, therefore, that the more open approach seemingly evident in Huber is now outdated. Despite this, the reach and consequence of this new approach remain hotly contested. Meta, in particular, has come under significant scrutiny regarding its reliance on contract and legitimate interests as conditions for lawful processing which hinge on this notion of necessity as alternatives to the stringent requirements for consent found in Article 7 of the Regulation, with the company subsequently moving to a pay or consent-based approach in response to enforcement actions and, ultimately, a Court of Justice ruling which found it in violation. [7] The move to the pay or consent-based approach, however, has itself also attracted the attention of the enforcement authorities and resulted in ongoing litigation before the EU courts. [8] These cases are symptomatic of the more generalisable debate surrounding the interpretation of necessity thereby demonstrating the need for more research in this area. The purpose of this paper, therefore, is to explore the notion of necessity in the GDPR and to examine the consequences, legitimacy and coherence of its narrow interpretation by the Court of Justice. In particular, the paper aims to elucidate the role played by necessity in Articles 6(1)(b-f) (i.e. as part of the conditions for lawful processing excluding consent in Article 6(1)(a)) and Articles 9(2)(b-j) (i.e. as part of the exemptions from the prohibition on the processing of sensitive personal data excluding explicit consent in Article 9(2)(a)) of the Regulation). The paper proceeds in 3 parts. In the first, the EU data protection law framework is introduced, and the role of necessity is mapped through an analysis of the provisions of the Regulation. The second part explores the interpretation of necessity in the case law of the Court of Justice and examines the consequences of the strict interpretation through the lens of this case law, but also hypothetical vignettes designed to tease out its consequences. The final part before the conclusion then explores the legitimacy and coherence of the court’s approach considering the objectives of the Regulation as one arguably impacting matters of public policy through its application.

[1] Case C-524/ 06, Heinz Huber v Bundesrepublik Deutschland, ECLI:EU:C:2008:724, at [52]: ‘… what is at issue is a concept which has its own independent meaning in Community law and which must be interpreted in a manner which fully reflects the objective of that directive, as laid down in Article 1(1) thereof.’

[2] See in particular: Case C-252/21, Meta Platforms and Others v Bundeskartellamt, ECLI:EU:C:2023:537 and Case C 394/23, Association Mousse v Commission nationale de l’informatique et des libertés (CNIL), SNCF Connect, ECLI:EU:C:2024:610

[3] See for example: [Ref to author].

[4] Case C 394/23, Mousse v Commission nationale de l'informatique et des libertés (CNIL) and SNCF Connect, ECLI:EU:C:2025:2, [43].

[5] Huber (1).

[6] For a discussion see: Lee A. Bygrave, Data Privacy Law, an International Perspective, (Oxford University Press, 2014), 150.

[7] Case C-252/21, Meta Platforms and Others v Bundeskartellamt, ECLI:EU:C:2023:537

[8] See here: EDPB opinion (‘Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms’. Meta’s action for the annulment of this opinion in the EU General Court (Case T-319/24, Meta Platforms Ireland v European Data Protection Board, ECLI:EU:T:2025:435) and then the pending appeal to the CJEU, Case C-454/25 P, Meta Platforms Ireland v European Data Protection Board, ELI: http://data.europa.eu/eli/C/2025/4590/oj).

ABSTRACT. This paper examines the Integrated Identity Management (IDM) suite not as a collection of discrete technologies, but as a coordinated socio-technical intervention that became technically integrated into BAMF’s case-management backbone and procedurally embedded in asylum adjudication. It asks how such integration reshapes administrative authority and legal accountability in asylum decision-making. Its analytical focus lies on the routinised reuse, relabelling, and juridical invisibility of IDM outputs within administrative decision-making. In 2017, the Federal Office for Migration and Refugees (BAMF) in Germany became an early adopter of machine-learning tools to infer the identity and nationality of asylum applicants it deemed untrustworthy, presenting these tools as objective, fast, and secure solutions to administrative overload (Bundesregierung, 2018). The IDM suite included four tools: a facial-recognition system that compared an applicant’s face with facial templates in case-management databases; a speech-recognition module that matched a 30-second recording to phonetic characteristics of one or more Arabic dialects present in the training databases; extraction of mobile-phone data to create a report with call logs, locations, social-media accounts, and languages found on the device; and a transliteration system that converted names from Arabic script to Latin script and proposed origins based on the frequency of a surname in telephone directories from selected Arabic-speaking countries. While existing scholarship on EU migration algorithmics has productively examined discrete devices, procurement ecosystems, and epistemic critiques of specific tools, it has not systematically analyzed what happens when multiple probabilistic technologies are technically integrated into a single asylum case-management backbone and when their outputs are persistently attached to case files while remaining juridically invisible in appeals. This paper fills that gap by tracing how the coordinated IDM suite became embedded in BAMF’s administrative and legal infrastructure, reshaping adjudicative authority through routinised reuse, relabelling as “indications,” and procedural non-disclosure. This dynamic matters because infrastructural embedding and juridical invisibility convert probabilistic outputs into durable administrative artefacts that can reshape adjudicative narratives and authority. The research is informed by an anthropological reading of the state and the anthropology of bureaucracy, treating technology and IT infrastructure as tools that construct power relations and specific ways of representing subjects of governance.(Fassin, 2015; Sharma & Gupta, 2006) Within this framework, the paper draws on Ferguson’s concept of the “anti-politics machine” to analyze how technical systems depoliticize structurally political problems while expanding institutional power (Ferguson, 1996). This perspective also enables an examination of how bureaucratic action governs the experiences of marginalized communities facing the state, and how structural violence becomes normalized through routine administrative practice. Methodologically, the study departs from device-centric case studies by assembling a multi-sourced corpus of 60 documents (2016–2025), including press materials, parliamentary requests, freedom-of-information requests, interviews with former BAMF officials, informal conversations with technical experts, internal procedural guidelines and reports, case law from multiple administrative courts, registry databases, and patents for similar tools. Using critical discourse analysis, the paper reconstructs how IDM outputs are routinised, concealed, and translated into adjudicative narratives,claims that cannot be derived from performance audits or single-device ethnographies. The central argument of this paper is that IDM tools are functional not in the sense articulated by senior-management rhetoric about security and objectivity, but in how, once infrastructurally embedded and procedurally routinised, they depoliticize asylum claims and enable forms of structural violence within adjudication. Despite criticism, dysfunction, and unreliable results, these tools were integrated into the asylum administration’s backbone and increasingly used by officials pressured to decide more cases faster while the legal system struggles with rising appeal volumes (Lobenstein, 2017). The IDM suite operates through four procedural mechanisms that restructure bureaucratic practice. First, the tools rely on legal frameworks that permit strong state demands for evidence in asylum procedures, embedding coercive data extraction within applicants’ obligations to cooperate and treating identity clarification as a precondition for protection (Bundesamt für Migration und Flüchtlinge, 2023). Second, these internal tools produce representations of asylum seekers founded on Orientalist simplifications embedded in system design and training data, with little factual validity or respect for dignity.(Said, 1977) Third, the IDM tools have been systematically integrated into the IT infrastructure that manages identity, case files, and biometric data, fixing probabilistic representations to applicants’ personal histories through persistent linkage in case-management systems. Fourth, deliberate opacity shields these practices from scrutiny: reports produced before hearings are withheld from applicants and their counsel, and BAMF working guidelines instruct officials not to state that a rejection was based on IDM results, because they are framed as non-evidentiary “indications” (Bundesamt für Migration und Flüchtlinge, 2023). Within this configuration, structural violence takes shape in the administrative persistence of discredited asylum narratives.(Das & Poole, 2004; Gupta, 2012) When credibility assessments are produced through probabilistic tools, fixed in case-management infrastructures, and framed as non-evidentiary, they follow applicants across procedures while remaining largely insulated from judicial scrutiny. Violence thus emerges not as a single act but as the cumulative effect of routinised administrative practices. Read through this lens, the IDM suite is analyzed not as a failed or misapplied technical intervention, but as a set of socio-technical arrangements that become politically productive through their integration into routine bureaucratic and legal processes. Far from delivering promised benefits, the tools became useful to bureaucratic action in unanticipated ways: they produced representations of migrants that could be used against them, fixed those representations to personal identities and case files, and obscured decision-making from meaningful challenge. References Bundesamt für Migration und Flüchtlinge. (2023). Dienstanweisung Asylverfahren. Bundesamt für Migration und Flüchtlinge (BAMF). Bundesregierung. (2018). Antwort der Bundesregierung auf die Kleine Anfrage der Abgeordneten Ulla Jelpke, Dr. André Hahn, Gökay Akbulut, weiterer Abgeordneter und der Fraktion DIE LINKE. – Drucksache 19/5697 –. Das, V., & Poole, D. (2004). Anthropology in the Margins of the State. Oxford University Press. Fassin, D. (2015). At the Heart of the State: The Moral World of Institutions. Pluto Press. Ferguson, J. (1996). The Anti-Politics Machine Development, Depoliticization, and Bureaucratic Power in Lesotho. Gupta, A. (2012). Red tape: Bureaucracy, structural violence, and poverty in India. Duke University Press. Lobenstein, V. C. (2017). Bamf: Behörde auf Speed. Die Ziet. Said, E. (1977). Orientalism. Penguin Books. Sharma, A., & Gupta, A. (Eds.). (2006). The anthropology of the state: A reader. Blackwell Pub.

ABSTRACT. Various principles have been adopted to guide the use of algorithms – including artificial intelligence – especially when such use has the potential to affect fundamental rights and freedoms. One common aspect highlighted among these principles is the need to ensure that decisions taken with the involvement of algorithms are contestable by their recipients. A contestable algorithmic decision can then be challenged and its lawfulness can be determined by a competent court.

While there seems to be broad consensus on the importance of contestability of algorithmic decisions, it is less clear what contestability entails in practical terms. Much of the existing literature about contestability of algorithmic decisions pertains to analysing the data subject’s right to contest solely automated decisions within the meaning of article 22(1) GDPR. While such analysis is valuable, it only looks at contestability in the narrow context of EU data protection law. On a more general level, less work has been done. As an exception, Lyons, Velloso and Miller have mapped different conceptualisations of contestability of algorithmic decisions and find that it can be perceived either as an end in itself – a fundamental right –, or as a means to an end to serve public values such as fairness, justice and autonomy. They see contestability as an overarching characteristic that facilitates the possibility to contest, appeal or challenge a certain decision and thereby enables the review of decisions. However, they do not engage with what review standards should be applied to algorithmic decisions to render them effectively contestable.

This paper tackles this so far little explored topic of how to render algorithmic decisions effectively contestable by focusing specifically on judicial review of such decisions in the administrative domain. In administrative decision-making, contestability of algorithmic decisions is important to ensure the protection of other fundamental rights such as the right to an effective remedy. Of course, one way to study contestability is through its link to the explainability of an algorithmic decision and the related decision-making process. Indeed, ensuring the contestability of administrative decisions is one of the functions of the administrative duty to give reasons that requires administrative bodies to explain their rationale to decision recipients. However, for an administrative algorithmic decision to be successfully contested, it is also necessary for a court to be able to properly review it. This is challenging considering that the administrative algorithmic decision-making process is a complex sociotechnical system. This means that administrative algorithmic decisions result from a sociotechnical decision-making process that includes various novel choices and interactions between humans and algorithms. These choices and interactions may have a bearing on how judges can assess them and – in the end – whether the resulting administrative decisions can be effectively contested.

This paper therefore strives to answer the following research question: can existing judicial review grounds be usefully applied to review administrative algorithmic decisions, or do they require further concretisation and/or revision to ensure the contestability of such decisions? By answering this question and contextualising case law related to judicial review of administrative decision-making, this paper contributes to the body of research that aims to ensure the contestability of administrative algorithmic decisions.

Since there is currently little to no case law related to reviewing administrative algorithmic decisions, the research question cannot be comprehensively answered by traditional legal case analysis. Instead, this paper sets out to develop a framework for reviewing administrative algorithmic decisions by taking a three-step approach. First, it studies existing landmark case law concerning the judicial review of administrative decisions with the aim to map the standard of review applied to administrative decisions. Second, it provides an overview of the sociotechnical reality of administrative algorithmic decision-making, the critical choices embedded therein and a selected account of sociotechnical weaknesses that could affect the lawfulness of resulting administrative decisions. Sociotechnical weaknesses represent the novel interactions between the human and algorithmic elements of the administrative algorithmic decision-making process that, if not carefully addressed, may result in unlawful outcomes. Third, this paper analyses whether the review standards derived from case law are suitable for detecting when specific sociotechnical weaknesses have resulted in unlawful outcomes such as the occurrence of algorithmic bias, or failure in human oversight.

To characterise specific sociotechnical weaknesses, the paper relies on realistic – yet hypothetical – scenarios of administrative decision-making that involve the use of algorithms. Each such scenario exemplifies at least one sociotechnical weakness that may need to be contested. Where available, such hypothetical scenarios are illustrated by concrete, ‘real-life’ examples to provide more context. These scenarios are tested against the existing judicial review grounds to establish whether applying these review grounds would enable courts to detect the relevant sociotechnical weaknesses.

For the purposes of the above analysis, this paper concentrates on case law of the the Court of Justice of the EU (CJEU) regarding the judicial review of EU administrative decisions. Analysing CJEU case law instead of specific national case law is a conscious choice that has been made while recognising that the principle of procedural autonomy foresees that EU member states can establish their own administrative procedure as long as it follows the principles of equivalence and effectiveness. Regardless of that, the adoption of EU secondary law instruments such as the General Data Protection Regulation and the Artificial Intelligence Act brings administrative use of algorithmic decision-making into the domain of EU law when such decision-making involves either the processing of personal data or the use of high-risk AI systems (e.g., when essential public services are offered). This means that decision-making by both national and EU administrative bodies that falls within the regulatory scope of these instruments will also be subject to the EU law general principles and the fundamental rights established in the Charter of Fundamental Rights of the EU. It is therefore relevant to study how the CJEU has applied these general principles and procedural requirements arising from the Charter in its case law and what that could teach us about applying them in the context of administrative algorithmic decision-making.

Preliminary results show that existing judicial review grounds are apt for detecting certain sociotechnical weaknesses inherent to administrative algorithmic decision-making. These weaknesses include, for example, the misinterpretation of administrative discretion when commissioning and developing algorithmic models, or a mismatch between the objective for and the capabilities of the specific algorithmic model used in the administrative decision-making process. However, in order to be effectively applied to the individual decision-making stage, existing judicial review grounds need further concretisation. For instance, existing CJEU case law related to judicial review of administrative decisions does not offer sufficient guidance regarding what should be the standard of review for the interaction between humans and algorithmic models. This paper suggests how such interactions could be dealt with in the course of judicial review based on scientific literature in the field of law and technology.

ABSTRACT. As states integrate algorithmic and AI systems into their decision-making infrastructures, they are effecting fundamental shifts within public law. These shifts include transformations in how public law actors – ministerial officials, legislators, and even judges – conceptualize longstanding principles, such as those that govern fair hearing processes. This phenomenon is evident in many settings, but is perhaps most apparent in immigration administration. Here, as decision-making processes are digitalized, conventional procedural fairness principles from public law are being upended and reoriented towards conventions traceable to computer science.

A striking example, and the subject of this paper’s exploration, is the shift from notice to a preoccupation with gaming. In public law, the principle of “notice” has long safeguarded an individual’s right to know, in advance, which rules administrative decision-makers will apply to their case or application. Notice is often achieved by making statutes, regulations, and policies publicly available, and even providing plain-language versions of relevant rules to would-be applicants. The assumption underlying notice is that, for an administrative hearing (including an application process) to be fair, the person whose interests will be impacted by the hearing’s outcome ought to have access to the rules and principles that will be applied to their case. Without such access, it is impossible for an impacted person to know what evidence they ought to present to a decision-maker, or which submissions or other information might be relevant and impactful. Without notice, application processes and hearings themselves become Kafkaesque (Allan 1998, Galligan 1996). They risk producing substantive outcomes that are arbitrary, unjust, and disconnected from the facts of someone’s life.

As algorithmic and AI systems have become increasingly embedded within administrative agencies, however, a contrary principle – the prevention of “gaming” – has taken hold. Immigration officials in both the United Kingdom and Canada now interpret individuals’ requests to know the “rules” that will apply to their applications – including those underpinning how algorithmic tools will assess their applications – as dangerous, even improper. Public officials, from high-level ministerial representatives on down, balk at these requests for notice. When refusing access to such rules, they often justify their refusal based on an assumption that knowing these rules will enable applicants to “game the system” (Maxwell and Tomlinson 2022, Ada Lovelace et al 2021, Cofone and Strandburg 2019).

While gaming seems to be a strange fit, at least within public law, gamification and competitions more generally, are touchstones within computer science and tech development communities (e.g. Deterding et al 2011). Indeed, some sociotechnical scholars go so far as to identify them as a bedrock of computer science culture (Bender and Hanna 2025). Games – from Alan Turing’s “imitation game” to the use of AlphaGo and chess challenges – have long been taken as relevant benchmarks for evaluating the sophistication of algorithmic systems. Likewise, concerns about being gamed or losing out to a competitor, often in the context of a tech development arms race, have become ingrained in developer culture especially with the growing rush to create and refine generative AI tools (e.g., Hao 2025).

This paper argues that this shifting approach to administrative decision-making, one that views hearing processes as games to be won rather than as eligibility assessment mechanisms, is a subtle but significant transformation. Sociolegally, it is an example of how the growing use of AI and algorithmic tools in immigration administration are reshaping public law in action. This paper will explore these effects and theorize their implications for fair decisions.

To do so, it will first illustrate the rise of concerns about “gaming the system” by drawing on empirical evidence gathered through the authors’ qualitative studies of the digitalization of immigration administration in the United Kingdom and Canada. Second, to trace the conceptual underpinnings of gaming and to understand its implications as it displaces notice, the paper will explore how gaming and competition are central to computer science and technological development communities, drawing on computer science and sociotechnical literatures. Third, it will contrast gaming with notice as a pillar of fair processes in public law, drawing on public law and sociolegal literatures to found its analysis. Finally, the paper will advance a series of arguments about how viewing administrative decision-making processes as games to be played reorients public law, altering (and perhaps reversing) relationships between the state and those whom it governs.

References

Ada Lovelace, AI Now Institute, Open Government Partnership (2021) Algorithmic Accountability for the Public Sector <https:// www.opengovpartnership.org/documents/ algorithmic-accountability-public-sector/>.

Allan, T.(1998) "Procedural Fairness and the Duty of Respect" 18 OJLS 497.

Bender, E. and Hanna, A. (2025) The AI Con: How to Fight Big Tech’s Hype and Create the Future We Want. New York: Harper.

Cofone, I. and Strandburg, K. (2019) "Strategic Games and Algorithmic Secrecy" 64 McGill Law Journal 623.

Deterding, S., Dixon, D., Khaled, R. and Nacke, L. (2011) "From game design elements to gamefulness: Defining 'gamification.'" Proceedings of the 15th International Academic MindTrek Conference: Envisioning Future Media Environments, ACM 9–15. DOI: 10.1145/2181037.2181040.

Galligan, D.J. (1996) Due Process and Fair Procedures: A Study of Administrative Procedures. Oxford: Oxford University Press.

Hao, K. (2025) Empire of AI: Dreams and Nightmares in Sam Altman’s OpenAI. New York: Penguin.

Maxwell, J. and Tomlinson, J. (2022) Experiments in Automating Immigration Systems Bristol: Bristol University Press.

ABSTRACT. The advent of opaque assistive AI in courtrooms has raised concerns about the contestability of these systems, and their impact on procedural justice. The right to an explanation under the GDPR and the AI Act could address the inscrutability of judicial AI for litigants. To substantiate this right in the domain of justice, we examine utilitarian, rights-based (including dignitarian and Dworkinian approaches), and relational theories of procedural justice. These theories reveal diverse perspectives on contestation, which can help shape explainability rights in the context of judicial AI. These theories respectively highlight different values of litigant contestation; it has instrumental value in error correction, and intrinsic value in respecting litigants’ dignity, either as rational autonomous agents or as socio-relational beings. These insights help us answer three central and practical questions on how the right to an explanation should be operationalized to enable litigant contestation: should explanations be general or specific, to what extent do explanations need to be faithful to the system’s internal behavior or merely provide a plausible approximation, and should more interpretable systems be used, even at the cost of accuracy? These questions are not strictly legal or technical in nature, but also rely on normative considerations. Finally, this paper also evaluates what theory of procedural justice could best safeguard contestation effectively in the age of judicial AI. Thereto, it provides the first building blocks of an AI-responsive theory of procedural justice.

ABSTRACT. The proposed text analyses who is perceived as a source of expertise, and the role of external expertise in enforcing European Union (EU) and United States (US) competition and antitrust law, respectively, in cases concerning digital markets. It contains the analysis of the references made in decisions adopted by the European Commission (Commission) concerning Facebook/WhatsApp merger and the judgement of the US District Court for the District of Columbia in the Federal Trade Commission (FTC) v. Meta Platforms, Inc. case. The analysis aims to provide in-depth insight into who is considered a source of expertise and the role played by various stakeholders in providing expertise for enforcement purposes. It also aims to make suggestions for the further development of procedural rules for the collection and use of information in the enforcement of competition law in digital markets. The study contributes to the literature comparing the development of American and European competition law protection systems and their specificities. While existing studies emphasise the importance of the role of the courts in the US compared to the administration in the EU (e.g. Foster and Thelen, 2024), focusing on the sources used in decisions reveals differences at the dimension of the use of evidence submitted by various entities in the proceedings.

Sources, methods, and limitations of the adopted approach

The comparison is based on the use of mixed methods. Firstly, references to expert knowledge in these documents are identified and analysed from a quantitative perspective. In the case of the EU, the results concerning the Facebook/WhatsApp merger are considered in the context of the broader results achieved through analysing 14 merger cases using the same method of data collection and analysis. Second, the in-depth, qualitative scrutiny of the role played by the references to the expertise in these cases is necessary. Thirdly, the selected case study is considered in the context of the analysis of the regulatory framework governing the use of expert knowledge in competition law proceedings in both the US and the EU.

The selection of the case for the case study is the result of balancing the limitations of possible comparisons related to differences in the analysed legal systems with the proximity of the substantive issues addressed by the selected decision and judgement. This allows for a comparative analysis to be conducted for the purposes of the study. Furthermore, mitigating the risks associated with such comparisons involves considering the regulatory framework governing the use of expert knowledge in relevant proceedings, as well as recent developments in the EU’s approach to digital market regulation (e.g. the adoption of the Digital Markets Act – DMA).

Results

In total, I collected 1,497 references to expert knowledge from EU merger decisions. Of these, 59 were references to expert knowledge identified in the Facebook/WhatsApp decision. The vast majority of these references are to knowledge collected by the Commission on the basis of requests for information (RFIs) sent to market participants. I refer to this as ‘industry’ knowledge (1,274 references in merger decisions and 45 in the Facebook/WhatsApp decision). These results demonstrate that industry is by far the most frequently used source of expertise in the decisions. The second most frequently cited source is ‘commercial knowledge providers’, such as private companies like International Data Corporation, Interactive Advertising Bureau, and StatCounter (158 references in merger decisions and two in the Facebook/WhatsApp decision). Their reports, data, datasets, visualisations, definitions and typologies appear in all but one of the analysed decisions. The third most frequent type of reference was to the media, particularly press articles (21 references in merger decisions and eight in the Facebook/WhatsApp decision). Finally, documents and decisions of competition authorities and courts also appear frequently (15 references in merger decisions). In terms of the functions of the invoked sources, industry knowledge is most commonly used in merger proceedings to describe certain market characteristics and to inform competition assessments. For example, it can provide guidance on the possible behaviour of the notifying parties in terms of incentives to engage in anti-competitive behaviour or on the relevant markets, such as identifying or confirming how the relevant market should be defined or split.

The preliminary results for the FTC v. Meta Platforms, Inc. case include the identification of 886 references in the judgement. Almost half of these (401) are to transcripts, 160 are to the Defendant’s Exhibit (DX), 120 are to other cases, 75 are to the Plaintiff’s Exhibit (PX) and 34 are to various FTC documents. This catalogue reveals significant differences in what has been invoked in this proceeding compared to the EU’s decisions. The different procedural approach to the proceeding results in the testimonies of witnesses being given greater importance. It also highlights the challenges of attributing specific sources to the entities responsible for their invocation, given that the transcripts are not publicly accessible. Consequently, it is frequently impossible to definitively determine whose views are referenced by the court. At the same time, the US system makes more of the referenced evidence available, as many of the PXs and DXs are available online, albeit redacted, providing an opportunity to scrutinise their content.

This illustrates the difficulty of assessing the level of transparency with regard to the impact of expert knowledge on legal proceedings. In the case of FTC v. Meta Platforms, Inc., however, the court clearly aligns with the defendant’s perspective, as evidenced by both quantitative (e.g., number of invoked DXs) and qualitative (e.g., the substantive content of the judgement) analyses. Qualitative analysis shows that the court often adopts the defendant’s perspective and explicitly acknowledges the superior expertise of Meta’s expert regarding the social networks market compared to the FTC's (see pp. 29–30). The most common function of the invoked sources is providing information on consumer behaviour, followed by references confirming facts of the case and references pertaining to some forms of economic analysis.

Discussion and conclusions

It should be noted that the importance of RFIs in EU legal procedures leads to a high proportion of responses from large companies. As these companies are familiar with responding to the Commission’s requests and have the necessary resources, their perspective is more prevalent in the responses received by the Commission. While replies to RFIs are an important source of information on the characteristics of the analysed markets, it should be recognised that they reflect highly specific views on the issues under investigation. The analysed data also indicate a certain level of dependence of the enforcers on commercial knowledge providers with regard to information on how digital markets function.

However, compared to the sources cited in the FTC v. Meta Platforms, Inc. ruling, the entities whose expertise is referenced in the Commission’s decisions appear to be more diverse. An important characteristic of this judgement is the extensive consideration of customer behaviour, which forms the basis of the analysed case. The results suggest that, compared to the Commission’s decisions, the court placed a lower degree of reliance on the expertise of other companies operating in the same market and a higher level of reliance on the company’s own claims. The judge’s focus on the evidence and expertise provided by the defendant regarding this issue, as well as the importance assigned to the experiments and data conducted by Meta or its experts, demonstrates the challenges in contesting the company’s narrative on this matter. This has an impact on the designation of the relevant market and, consequently, the entire proceeding.

Despite these differences, it is important to note that the proceedings ended with similarly favourable results for Meta. However, the important distinction between them is when they took place. Following the 2014 Facebook/WhatsApp decision, the Commission designated Meta as a gatekeeper in relation to Facebook, Instagram, Messenger, and WhatsApp in 2023, effectively imposing certain restrictions on the operation of these services. Issuing such a ruling as FTC v. Meta Platforms, Inc. – highly reliant on the expertise provided by the party – in 2025, suggests that while the administrative model of enforcement enables knowledge accumulation and the development of specialised internal expertise on particular markets, resulting in a possible evolution of an approach to digital platforms, the judicial model of enforcement is more limited in this regard, restricting the scope for plurality of narratives – including critical ones – concerning digital markets.

References:

Federal Trade Commission v. Meta Platforms, Inc., 1:20-cv-03590, (D.D.C. Dec 02, 2025) ECF No. 705

Foster, C. and Thelen, K. (2024), Brandeis in Brussels? Bureaucratic discretion, social learning, and the development of regulated competition in the European Union. Regulation & Governance, 18: 1083-1103. https://doi.org/10.1111/rego.12570

ABSTRACT. Section I: Introduction Everyday millions of users share large amounts of personal data online through digital platforms, web sites and interactions with artificial intelligence (“AI”) chatbots. By collecting consumers’ data, firms can train their AI models, to establish a personalized profile based on each user’s preferences and interests, a practice conceptualized as “algorithmic targeting”, which may serve different purposes, such as providing users personalized ads, content or recommendations. In this paper we will focus on the use of algorithmic targeting to implement AI-personalized pricing and the privacy and anticompetitive concerns that can arise from it. The paper will be structured as follows:

Section II: Understanding algorithmic targeting. In this section, the paper will analyze how firms holding vast amounts of consumers’ personal and behavioral data can train AI models to create detailed users profiles and accurately predict their preferences, enabling the presentation of personalized offers to each consumer. In this regard, we will first study machine learning methods for algorithmic targeting that are considered as “explainable”, including: (i) predictive models, that can estimate the probability of a user’s response, using methods such as logistic regressions and decision trees; and (ii) recommendation systems that use methods such as collaborative, content-based, and knowledge-based filtering, to determine which content is more relevant to show to a specific user. In second place, we will study how algorithmic targeting can be achieved using “non-explainable” AI models , including deep neural networks and foundation models . By examining AI models from a technical perspective, the paper aims to study how these have significantly enhanced firms’ ability to engage in algorithmic targeting, and the transparency challenges arising from the processing of personal data using complex and opaque algorithms.

Section III: Algorithmic targeting enables AI price personalization. AI models have improved firms’ ability to conduct algorithmic targeting, enhancing their ability to understand each user’s preferences, constraints, and behavioral patterns, including their willingness to pay (WTP), potentially even in real time. Given this granular understanding, firms no longer need to implement pricing strategies in a broad, uniform manner. Instead, they can deploy them selectively, directing them to specific users. Therefore, the purpose of this section is to study AI-personalized pricing , in particular how the use of AI models can facilitate the conditions for its successful implementation, by enabling more accurate estimations of consumers’ WTP , and whether these can reinforce the market position of dominant firms who have access to consumers’ data that is not available for competitors.

Section IV: Legal assessment of algorithmic targeting and AI personalized pricing. In this section, we will assess the legality of using advanced AI models to target consumers and to personalize prices. To this end, the analysis is divided into two parts. The first part examines the privacy and data protection concerns arising from the automated processing of consumers’ personal data in the development and deployment of AI models, under the General Data Protection Regulation. To this end, we will first analyze the applicability of the GDPR to AI-driven algorithmic targeting, and the relevance of consumer’s personal data throughout the different phases of the development and deployment of an AI model. Then, we will examine under which circumstances, algorithmic targeting using advanced AI models may be qualified as “profiling”, and the possible application of article 22 GDPR general prohibition to such profiling. Afterwards, the paper will study how the GDPR principles, data subjects rights and special categories of data may constrain the deployment algorithmic targeting, and how the non-compliance with these provisions could lead to data protection infringements. The second part focuses on determining whether AI-driven price personalization strategies may constitute an exclusionary abuse of dominance under Article 102 TFEU. For this purpose, it analyzes how the EU Courts and the European Commission have assessed price discrimination practices in past cases, including selective pricing and abusive rebates . The main objective is to show that the current analytical framework of EU competition law is outdated, since the methods employed to determine whether certain pricing strategies are exclusionary were developed for uniform or segment-based pricing, instead of AI-personalized pricing, and fail to account for the fact that prices are currently set by AI models whose accuracy depends on access to vast amounts of reliable and often unique consumer data.

Section V: redefining EU competition law approach towards AI-price personalization. The aim of this section is to propose a modern interpretation of Article 102 TFEU that addresses the intersection of data protection infringements and exclusionary conduct. For this purpose, we will argue that algorithmic targeting consumers through the illegal processing of personal data that infringes the GDPR, such as using non-transparent AI models or by conducting profiling that infringes Article 22 GDPR, constitutes an illegal competitive advantage that distorts market competition. Afterwards, we will explain that when a dominant company uses this competitive advantage (obtained illegally) to charge AI-personalized prices to consumers, and this conduct results in the exclusion of competitors from the market, it should be considered as an abuse of its dominant position. This approach makes a shift on the current understanding of EU Competition Law, as it focuses not only on the price charged or the effect of the conduct in isolation, but analyzes the inputs and methods employed to determine such prices.

Section V: Concluding remarks. The paper will conclude by summarizing its key findings and offering recommendations for adapting EU competition law to AI- price personalization.

ABSTRACT. Since DevDay 2025, when OpenAI launched “Apps in ChatGPT”, Google and Alibaba have, by January 2026, respectively announced that their AI platforms, Gemini and Qwen, will embed third-party applications. AI assistants are increasingly oriented towards an ‘application ecosystem’, embedding third-party applications and services into conversational interaction as callable modules. This shift transforms the AI assistant from a single-function ‘assistant’ into an ‘orchestrator’ capable of connecting, coordinating and integrating multiple categories of digital services, thereby forming a ‘Super Apps ecosystem under an AI platform model’. However, existing scholarship on the Digital Markets Act (DMA) has not yet treated this development as an ecosystem gateway that controls access, ranking and transactions, leaving material uncertainty as to how such a ‘Super Apps ecosystem’ maps onto the DMA’s core platform services (CPS) categories and how the existing obligations should apply. This article classifies the distribution bottlenecks that arise within such ecosystems and, on that basis, analyses the associated ‘leveraging’ risks. It argues that DMA tools should be deployed to reconstruct the Super Apps closed loop from a ‘locking device’ into ‘contestable infrastructure’, thereby constraining those risks, and that targeted amendments to the DMA are necessary to secure a forward-looking regulatory settlement.

ABSTRACT. Ranking transparency has become an important principle in EU legal acts focused on digital markets. Online platforms (hereinafter referred to as ‘platforms’) can manipulate ranking. As a result, they can impact consumers’ choices and business users’ ability to compete.

​This paper has two main research objectives. The first objective is to determine whether the transparency requirements in EU law regarding ranking are comprehensive, proportional, and appropriately tailored to various entities. This is especially relevant in light of the Digital Omnibus Regulation Proposal, which proposes the repeal of the Platform-to-Business Regulation (P2B Regulation). The second objective is to empirically assess whether online platforms comply with the ranking transparency obligations imposed by current EU law.

To find and answer the first question, the paper explores the legal foundations of ranking transparency and its development, starting from consumer law and the right to be informed, through P2B ranking transparency, and finally provisions concerning recommender systems from the Digital Services Act (DSA). Analysis focuses on obligations concerning the ranking of products and offers transparency. The research centres around the scopes of these acts, goals, definitions of ranking, and substance of obligations. The following articles are significant for the study: Article 27 of the DSA, Articles 5 of the P2B Regulation, Article 7(4a) of Directive 2005/29/EC, and Article 6a of Directive 2011/83/EU. In the second part, the paper presents an empirical method for assessing whether or not to comply with legal requirements for ranking – empirical content analysis of terms and conditions. To answer the second hypothesis, I will collect the terms and conditions and privacy policies of five to ten platforms (from the territory of Poland), which will be selected based on their user base and types of activity. These platforms will include social media, general and specialized marketplaces, professional platforms, and video-sharing platforms. Then, I will conduct a systematic content analysis of these platform documents to determine whether they contain the required information under EU law, particularly by Article 27 of the DSA, as it applies in all EU countries without national legislation. Additionally, I assess compliance with the P2B Regulation by comparing the content of the legal documents of the same five to ten platforms operating in Poland and Germany. Germany and Poland were chosen as counterexamples because, while Germany’s DSA and P2B legislation took effect in May 2024, Poland’s P2B legislation took effect in May 2025, and no DSA legislation has been proposed. To catch a change in the terms and conditions, I compare current versions available in 2026 with archived versions from 2023, gathered by researchers from the project ‘Privacy Law of Data’ (no. 2020/37/K/HS5/02769) (Terms of Services available here: https://data.mendeley.com/datasets/dtbj87j937/3). I also rely on preliminary reports.

The scope of the research was narrowed to ranking for three main reasons. Firstly, ranking, as it is defined in art. 2(8) of the P2B Regulation is gaining importance in digital markets because it is a main factor determining the content (information, products, and offers) that users see when using platforms. Therefore, since platforms can manipulate ranking criteria and utilize user data, they have the power to hinder competition by demoting competitors (including other platforms and business users) and promoting themselves. They can also violate consumer rights and strengthen biases or discrimination. Secondly, different regulations apply to the ranking depending on the number of users and the type of platform. Compliance with the transparency obligations imposed by these acts can be verified to a certain extent by analysing the platforms’ legal documents, such as privacy policies, terms and conditions, and terms of service. Because these documents are public and easily accessible, it is possible to analyse a large number of them. Thirdly, there is a research gap in this field. Existing works focus on only part of the research object (e.g., recommender systems). Most importantly, no empirical research has been conducted on the legal documents of platforms regarding their ranking obligations.

​ Funding: The research and the proposed paper are part of a project financed from the state budget and allocated by the Minister of Science as part of the ‘Pearls of Science II’ program, project no. PN/02/0029/2023, Poland. ​ Reservations: Abstract was corrected by using Grammarly and DeepL apps. No LLM or AI model was used to create the abstract.

Bibliography: Commission Notice Guidelines on ranking transparency pursuant to Regulation (EU) 2019/1150 of the European Parliament and of the Council 2020/C 424/01. First preliminary review on the implementation of Regulation (EU) 2019/1150 on promoting fairness and transparency for business users of online intermediation services {SWD(2023) 300 final}. The Commission’s study on the interplay between Regulation (EU) 2022/2065 (Digital Services Act) and other legislative acts, including Regulation (EU) 2019/1150 (the P2B Regulation). Budzinski, O. (2021). Algorithmic search and recommendation systems: The brightside, the darkside, and regulatory answers. Competition Forum, (0019). https://competition-forum.com Costa-Cabral, F. i Lynskey, O. (2017). Family ties: the intersection between data protection and competition in EU Law. Common Market Law Review, 54(1), 11–50. Genovesi, S., Kaesling, K., & Robbins, S. (eds.). (2023). Recommender Systems: Legal and Ethical Issues. The International Library of Ethics, Law and Technology. https://doi.org/10.1007/978-3-031-34804-4. Hildebrandt, M. (2022). The Issue of Proxies and Choice Architectures. Why EU Law Matters for Recommender Systems. Frontiers of Artificial Intelligence, (5/2022). https://doi.org/10.3389/frai.2022.789076. Schrepel, T. (2024). A systematic content analysis of innovation in European competition law. European Journal of Law and Economics 58, 355–395, https://doi.org/10.1007/s10657-024-09817-9.

ABSTRACT. Speakers

Emine Ozge Yildirim-Vranckaert, Doctoral Researcher, Centre for IT and IP Law, KU Leuven Dr Felicitas Benziger, Post-Doctoral Researcher, Law and Inner Self Project funded by a Research Ireland Laureate (Consolidator) Grant (2022–2026).School of Law, University College Cork Alexandra Ziaka, PhD Researcher, Tilburg Institute on Law, Technology & Society, Tilburg University Rebecca Zeilstra, Junior Assistant Professor & PhD candidate, Institute of Constitutional, Administrative Law and Legal Theory, Faculty of Law, Economics and Governance at Utrecht University

Moderator Aimen Taimur, PhD Researcher, Tilburg Institute on Law, Technology & Society, Tilburg University

Panel Description

The right to freedom of thought is widely considered a cornerstone of democratic societies and is commonly considered an absolute right under international and regional human rights law, excluding any justification for interference. Paradoxically, this absolute nature has contributed to its doctrinal underdevelopment and limited practical relevance, as mental states have often been assumed inherently inviolable. This explains the lack of extensive jurisprudence on the right to freedom of thought when compared with other rights, such as the right to private life. By focusing on the right to freedom of thought, the panel explores how traditional assumptions about mental inviolability are increasingly strained by emerging technologies. Practices such as predictive profiling, microtargeting, and addictive design architectures enable increasingly targeted and systematic forms of influence over thoughts, beliefs, preferences, and mental states more broadly, raising difficult questions about the permissibility of influence and the protection afforded by the right’s scope. Against this background, the speakers will critically examine these tensions. How should the right to freedom of thought be understood and interpreted in light of technological developments that render mental states more inferable and influenceable? What can we learn from the jurisprudence on other rights? What are the criteria that distinguish a permitted influence from impermissible manipulation? Is the prevailing interpretation of the right to freedom of thought as an absolute right still tenable? Is freedom of thought the only right that is interfered with when design hooks users, or do these practices more readily engage other rights? Emine Ozge Yildirim-Vranckaert will present a contextual threshold framework that aims to operationalise the right to freedom of thought under Article 9(1) of the European Convention on Human Rights (ECHR), drawing on the European Court of Human Rights (ECtHR) jurisprudence under art. 3 ECHR, to distinguish permissible influence from impermissible manipulation in cases of behavioural profiling and microtargeting. Dr Felicitas Benziger will revisit the absolute nature of freedom of thought by interrogating its doctrinal foundations in jurisprudence and soft law and will argue for a re-interpretation of the right’s scope and the conditions under which it can be interfered with. Alexandra Ziaka will examine how digital mind interventions influence mental states and provide insights on how the positive obligations doctrine could be used to effectively protect the right to freedom of thought against such practices. Rebecca Zeilstra will examine how hooked nudges in smartphone app design undermine user autonomy and argue that such practices are more likely to constitute an interference with the right to private life than with the rights to freedom of thought or freedom of expression. The panel contributes to the conference theme, and in particular to Track 9, by showing how values such as mental autonomy and mental self-determination are increasingly challenged by emerging technologies that reshape how thought is formed, including through subtle forms of influence. It highlights how emerging technologies expose the limitations of existing regulatory approaches, particularly with regard to the right to freedom of thought and bring to the fore the need for a renewed understanding of autonomous thought. Through complementary approaches, the panel demonstrates how legal frameworks can be recalibrated to respond to these challenges.

ABSTRACT. This article analyses the scope and efficacy of environmental protection under the Artificial Intelligence Act (AIA). We show that the AIA has a strong anthropocentric bias and that said bias manifests clearly in its reliance on fundamental rights as a means of protecting the environment. We critique this fundamental-rights approach and propose improvements to it. To those ends, we draw on experience with the main secondary-law instrument for environmental protection in the EU, the Environmental Impact Assessment. Then, we describe some regulatory pathways to non-anthropocentric assessments of the environmental impacts of AI systems under the AIA. It transpires that the environmental implications of AI development warrant more than marginal improvements to fundamental-rights assessment – they call for a deeper shift in legal thinking, away from the assumption that human interests always anchor all analyses and toward a model of regulation in which ecological harm is treated as a first-order concern.

The Artificial Intelligence Act (AIA) was enacted in June 2024. It aims to regulate the production, distribution, and use of artificial intelligence (AI) systems in the EU. The requirements that the producers and deployers of an AI system must meet depend on whether it poses an “unacceptable”, “high”, or “non-high” risk. AI systems with unacceptable risks are banned. High-risk AI systems are subject to Fundamental Rights Impact Assessment (FRIA), human oversight, and other requirements on reporting and documentation. Non-high-risk AI systems are mostly subjected to transparency requirements. The impact of the AIA on digital governance in the EU is a matter of concern. Doubts have been expressed about the merging of product safety into fundamental rights, the maximum-harmonisation implementation of the Act, and its tendency to conflate trustworthiness with risk acceptability. Another challenge, which, we maintain, is also an opportunity, is that the AIA is intended to protect the environment. The integration of environmental protection into its aims is effectuated through various provisions, of which the most notable are the obligation to conduct a FRIA (Article 27), the provisions on codes of conduct (Articles 95–96), the obligations that are imposed on providers of general-purpose AI (Article 53 and Annex XI), and the standardisation procedure (Article 40). The FRIA obligation, in particular, has been said to be one of the more promising tools for the furtherance of fundamental rights, including environmental protection. The FRIA obligation is imposed on deployers of high-risk AI systems which are public entities or private organisations that perform public services, such as healthcare services or public assistance benefits. When these actors decide to deploy an AI system, they must prepare an assessment of ‘the impact on fundamental rights that the use of such system may produce’. The explicit reference to environmental protection did not make it into the final text of Article 27 despite the efforts of the European Parliament. However, the application of Article 27 is tied to the aims of the AIA, which include the protection of health, safety, and fundamental rights, including democracy, the rule of law, and environmental protection.

The question that detains us here is this: what is the extent, role, and effectiveness of the environmental-protection provisions of the AIA and of the FRIA requirement in particular? We answer this question by focusing on the assessment of environmental harm. First, we explore the legislative basis for environmental protection in the AIA and in EU law generally. Section 2 thus explains the key mechanisms that enable environmental protection in EU primary law, namely the integration principle and the fundamental right to environmental protection. The AIA relies heavily on the latter mechanism. In Section 3, we offer a critique of this anthropocentric fundamental-rights approach and showcase its limitations. In Section 4, we show how an improved assessment of the environmental impact of AI can be designed. To that end, we draw on experiences with the main secondary-law instrument for environmental protection in the EU, the Environmental Impact Assessment (EIA). Then, in Section 5, we outline some regulatory pathways that could lead to an improved, non-anthropocentric assessment of environmental impacts under the AIA. Section 6 concludes.

ABSTRACT. The notion of the twin transition has gained prominence as a conceptual framework for analysing the deep interdependencies between the digital and green transitions. It highlights that while emerging digital technologies—such as artificial intelligence, blockchain, and the Internet of Things—are indispensable for accelerating progress toward climate neutrality within the narrowing window of opportunity available, these same technologies must themselves be designed, deployed, and governed in socially and environmentally sustainable ways. This insight has already informed a range of policy programmes within and beyond Europe. At the EU level, initiatives such as Fit for 55, REPowerEU, the Net-Zero Industry Plan, and the Strategic Technologies for Europe Platform (STEP) reflect an ambition to integrate digital innovation with climate neutrality objectives across key socioeconomic sectors including manufacturing, energy, agriculture, construction, and mobility. Yet this ambition is increasingly under strain, not least due to recent regulatory recalibrations and rollback pressures reflected in new EU budgetary priorities and the Omnibus legislative packages, which risk weakening the coherence and long-term orientation of twin transition strategies. Against this backdrop, several questions demand closer scrutiny. What is the current status—and what are the prospects—of the twin transition in a rapidly shifting (geo)political and (geo)economic landscape? Has the twin transition lived up to its aspirations, or does it require conceptual and institutional recalibration to ensure resilience and future-proofing? And, crucially, what is the place and role of law in shaping, sustaining, or contesting the twin transition? This panel invites contributions that critically examine the legal, regulatory, and governance dimensions of the twin transition within or beyond the EU. We welcome analyses that explore its normative foundations, institutional trajectories, and practical implications, as well as papers that assess how law might foster, constrain, or redefine the twin transition as a central paradigm for transforming societies in an era of intersecting ecological and technological challenges.

ABSTRACT. As the European Union (EU) advances a strategy of twinning the green and digital transitions, heightened expectations have been invested in the potential of artificial intelligence (AI) technologies to combat climate change. Importantly, relying on AI to tackle the climate crisis generates a variety of security concerns. Yet, only rarely have such concerns been the focus of critical attention. Adopting a narrative theoretical lens, this paper critically examines how security is constructed and contested across three EU regulatory frameworks that sit at the intersection of climate and AI governance – the Critical Raw Materials Act, the AI Act, and the Digital Services Act. The paper argues that these regulations fall within a genre of tragic governance. Each regulation romantically portrays the EU as a heroic values-driven actor, inspired by green, rights-based and democratic ambitions. In practice, however, these aspirations are compromised by the fatal flaw of restricted vision – security threats at the intersection of climate and AI governance are framed and addressed in ways that end up legitimating harmful patterns of exploitation affecting local communities impacted by resource mining, people on the move, and digital activists, whilst overlooking logics of overconsumption, border externalisation, and data extractive informational capitalism that expose such actors to control and domination rather than protection and empowerment. At the same time, the paper also identifies several footholds within each regulation that could serve as pathways for dominant understandings of security to be resisted. While such footholds are unlikely to completely dismantle the prevailing security narratives underpinning these regulations, they create opportunities to construct counter-narratives that resist their inevitability – potentially paving the way for future re-imaginings of EU law beyond its tragic present. (NB: an extended version of this abstract is attached as PDF)

ABSTRACT. Over the last decade, the European Union has been going through a polycrisis – ranging from digitalisation to climate change, the Covid-19 pandemic and the escalation of geopolitical tensions resulting in ongoing armed conflicts – that has tested the resilience of its frameworks and political priorities. In response, the Commission adopted the Next Generation EU, allocating 37% of resources to the green transition and 20% to the digital transition, with the aim of overcoming the crisis by promoting investments in the twin transition. More recently, the 2024 Draghi report, called for structural reforms and a renewed focus on EU industrial policy, identifying decarbonisation, digitalisation, competitiveness and strategic autonomy as key priorities. This marked a shift toward a more interventionist and goal-oriented industrial strategy, subsequently developed under by von der Leyen II mandate in the Competitiveness Compass and the Clean Industrial Deal. As for competition policy, the evolution of state aid rules – from temporary crisis measures introduced with the TCTF to a permanent framework with the current CISAF under the Clean Industrial Deal – signalled a structural reconfiguration of the role of public support in achieving the EU’s policy objectives. However, the pursuit of the twin transition is increasingly being challenged by competing political priorities, particularly the demands of the security and defence sectors on EU’s limited resources, and the push for competitiveness and strategic autonomy reflected in the simplification agenda and Omnibus packages. This raises fundamental questions regarding the current prioritisation of the twin transition, its relationship with competition law and the adequacy of EU’s competition policy, which has thus far relied on state aid rulebook reform. In particular, the definition of the twin transition itself is characterised by internal tensions, as the two goals of decarbonisation and digitalisation may conflict (eg. considering the environmental impact of data centres). Furthermore, although state aid rules offer flexibility to accommodate public interests, their extensive use risks exacerbating disparities among Member States, thereby undermining the level playing field within the internal market. In this context, the contribution acknowledges that both the greening and digitalisation of the world’s economy present a distinctive and shared challenge for EU competition law, particularly concerning the role of non-competition interests within antitrust assessment. These developments reflect broader theoretical debates, including the influence of the new-Brandeisian movement and persistent divisions within EU competition law scholarship. The central question remains whether EU competition law provisions and enforcement are sufficiently resilient in the face of the twin transition. More specifically, it is contended that while state aid rules appear relatively adaptable and reactive, other areas, such as Article 101 and 102 TFEU, have shown more limited flexibility. The issues arising under Article 101 have been partially addressed through soft-law instruments, most notably with Chapter 9 on sustainability agreements of the 2023 Horizontal Guidelines, whereas those under Article 102 have been met through the adoption of an ex ante regulatory instrument outside of the traditional competition law toolkit, namely, the Digital Markets Act. In sum, while both scholarship and institutional practice reveal growing – albeit not unanimous –recognition of the need to integrate non-competition interests into antitrust enforcement, the EU’s approach remains partial and fragmented. The challenge ahead lies in developing a coherent framework that aligns competition enforcement with the Union’s broader objectives of the twin green and digital transitions, industrial innovation, and the protection of fundamental rights, without undermining the effectiveness, legal certainty, uniformity and democratic legitimacy of EU competition enforcement.

ABSTRACT. This workshop is intended to give its attendees a practical, material experience in formulating legal solutions to technology-related problems in the contemporary banking and financial industry. The contribution of the workshop will be to give a more industry-oriented approach and an alternative type of interactive exercise under the auspices of the 2026 TILTing conference.

The workshop aims to provide attendees with a concrete understanding and hands-on experience in dealing with a series of legal issues, inspired by real-life situations faced by the facilitators in the banking and financial industry, involving the development and use of an Artificial Intelligence (AI) tool. The topic of the workshop shall be the legal aspects surrounding the release of a new AI product for AML/CFT purposes by a credit/financial institution. Participants will be divided into 3 teams, each of which will constitute a working group identifying and discussing compliance challenges, pursuant to the three major legal instruments applicable to the problem: the GDPR, the AI Act and Regulation 2024/1624 (the AML Regulation), assuming that the last one is already applicable. The identification of the challenges also entails issues arising from the interplay of the aforementioned legal acts. The participants will be asked to prepare their opinions and assessment using both a risk-tolerant and a risk-averse approach. Teams will interact, in a “role-playing” environment, where they may need to exchange contradicting arguments. Fiery questions will then come into the picture: what business sacrifices need to be made in order to achieve full compliance with a series of EU legal instruments, and what is at stake? Apart from avoiding sanctions, why should a credit/financial institution comply with the complex legal landscape in the EU? The specific problem to be discussed between the participants will be as follows.

Participants act as the legal team of an EU credit institution (the Group: a parent company and subsidiaries in Member States) at an architectural design gate. The Group is preparing to build and deploy an AI-driven customer risk scoring system for AML/CFT, processing personal data limited to data obtained pursuant to Chapter III of the AML Regulation (Customer Due Diligence). It assigns each customer a risk tier (low/medium/high), generates reasons, and recommends whether enhanced due diligence is triggered. Ultimate decisions are, however, made in subsequent processes by humans. The system shall be built in-house, but it will embed a foundation model supplied by a large AI model provider. Deployment is planned in a private cloud. The system shall be integrated with the CRM provided by a third party. The AI component will be implemented in: (i) a module for feature extraction to a separate scoring module, (ii) a recommendation module proposing the risk tier with reasons, and (iii) a chatbot assisting employees with explanations. The business proposes that the risk tier and derived risk signals for AML could later be reused to support creditworthiness assessment. Participants must consider whether they will ultimately (i) prohibit reuse entirely, (ii) firewall AML outputs so they cannot be used for credit decisions, or (iii) allow limited reuse.

GDPR Challenges

• Decision on data pooling architecture. - One side argues for central pooling of all personal data in a group data lake, as this EU-wide approach will improve detection and overall quality as well as reduce duplicate investigations, lowering AML costs for the whole group. This may affect the legal basis for personal data processing and the subjective status of particular entities within the Group. - Others argue that personal data should remain local, cross-entity sharing should be limited, and the separation of tenants on a private cloud for each of the subsidiaries should be introduced. They argue, however, that personal data may be pseudonymized or anonymised and sent to the parent company to improve the accuracy of the system.

• Automated decision-making (ADM). - One side supports a permissive design, arguing that the risk score is only a “traffic-control” mechanism for AML teams - not a decision, as outcomes are owned by separate human-led procedures. Therefore, they propose light-touch oversight, e.g., sampling-based quality assurance and exception handling. To keep this credible, they add guardrails aimed at preventing escalation. - Others argue that scores should be covered by Article 22 GDPR if it meaningfully affects outcomes for individuals, as, in fact, staff will routinely follow it. Hence, they expect the system to be built assuming it is covered by Article 22 GDPR. They suggest relying on authorisation in Article 76(5) AML and implementing the technical and organisational safeguards they still need to propose.

AI Act Challenges

• AI Act high-risk classification. - One side argues for relying on the Annex III fraud-detection carve-out: treat the system as outside high-risk and implement limited-risk obligations only. - Others argue that this interpretation is dubious, and the list of high-risk AI systems may change soon with legislative changes, so it would be prudent to already implement high-risk controls rather than wait until the system is in production.

AML Regulation (AMLR) Challenges • Effectiveness and consistency in the Group (Articles 10 and 16 AMLR). - One side argues that group-wide consolidation and consistent scoring are necessary for a coherent risk-based AML programme. Fragmented approaches would create blind spots and inconsistent treatment, exploitable by criminals. - Others argue for localised discretion as local typologies and customer bases differ, which may justify reduced consolidation.

• Article 76(5) AMLR as an automation limitation? - One side argues that Article 76(5) AMLR does not apply to this AI system. In their view, the AI system produces risk tiers and recommendations, but the relevant “decisions” (e.g., to increase/decrease due diligence intensity, refuse transactions, or terminate/maintain relationships) are taken only later under separate human-led procedures. - Others believe that Article 76(5), in fact, imposes a substantive limitation on AI-driven automation because they interpret “decisions resulting from processes involving AI systems” broadly, also covering decisions affected by processes with AI systems involved (e.g., for enhanced due diligence recommendations), even if this involvement happens at early stages.

The facilitators shall be Manos Roussos, dr. Pawel Hajduk and Elena Bouka, with the possibility to add another person from the banking or fintech industry, or academia. All three facilitators are holders of the Law and Technology LLM by the Tilburg Law School of Tilburg University. Manos Roussos is a qualified lawyer and doctoral researcher at TILT, writing his thesis on the mass registration of data under the 2024 EU AML/CFT legislative reform. In 2025, together with the second facilitator, dr. Pawel Hajduk, they co-authored an article examining the legal bases for data processing for training AI for AML/CFT purposes under EU data protection law. Dr. Paweł Hajduk is a dual-qualified lawyer (Poland and England & Wales), a subject-matter expert in AI governance and the AI Act at a Danish fintech company, BEC Financial Technologies, and a lecturer at Cardinal Stefan Wyszyński University in Warsaw. Elena Bouka is a qualified lawyer with more than 11 years of experience advising multinational companies on privacy, technology, and AI-related matters, currently working as global in-house AI legal counsel at Accenture.

The procedure of the workshop has been envisioned as follows: first, the facilitators shall present the problem of the workshop, namely, the scenario to be examined by the attendees, the laws to be reviewed for the consultations, and guiding principles to help the thought process of the attendees. The facilitators will also prepare a short document (1-2 pages long) that will be shared with each team, in order to support the attendees through the procedure, pointing out the most important factors to be taken into consideration when attempting to produce solutions to the problem.

The expected number of participants is approximately 15 individuals, who will be subsequently divided into 3 teams of 5 persons each. Each of the teams shall have 1-2 spokesperson(s), who will communicate the ideas and findings of the team. More participants are welcome, and the environment shall be flexible. The duration of the workshop shall be 75 minutes: 10-15 minutes shall be afforded for the presentation of the problem and the division of the participants into teams, followed by 25-30 minutes for internal discussion within the teams. The rest of the time will be given to the teams to discuss the solutions they have come up with, upon the related questions asked by the facilitators to create an open discussion. The spokesperson(s) will be primarily responsible for expressing the opinions of each team, but the floor will be generally open for a free-flow discussion.

The workshop will be open to the public. Participants will not be formally invited, although there will be verbal communication by the facilitators to specific individuals who may materially contribute, based on their background and expertise. At the end of the workshop, all participants ought to have developed a better understanding and ideas on how to make compliant design and operational choices in deploying AI in the financial sector.

ABSTRACT. 1. Introduction

The rapid deployment of generative artificial intelligence (AI) systems has fundamentally altered the production, circulation, and valuation of information. Large language models, image generators, and automated content pipelines now enable the mass production of synthetic text, images, and audiovisual material at near-zero marginal cost. While legal and policy debates have largely focused on discrete risks such as misinformation, deepfakes, or bias, a structurally distinct phenomenon has emerged alongside these concerns: the industrial-scale production of low-quality, repetitive, and substantively hollow synthetic content, commonly referred to as AI slop.

This paper advances a law and economics framework for understanding the harms generated by AI slop. It argues that slop should be conceptualized not as a matter of isolated deception or poor-quality speech, but as a form of algorithmic pollution-a negative externality arising from scale-driven content production that degrades informational markets, distorts incentives, and undermines the efficiency of digital ecosystems. By mapping harms across consumers, producers, firms, and markets, the paper demonstrates that existing legal frameworks are poorly equipped to address the cumulative and systemic effects of cheap, abundant synthetic content. The analysis highlights how AI slop produces welfare losses that are diffuse, persistent, and difficult to attribute to individual actors, thereby escaping traditional regulatory logics rooted in intent, falsity, or illegality.

2. The Economic Logic of AI Slop

From an economic perspective, AI slop is best understood as a predictable outcome of incentive structures embedded in platform-mediated markets. Generative AI dramatically reduces the cost of content production while platforms reward volume, engagement, and visibility rather than informational value. This combination encourages overproduction, even where the marginal utility of additional content is negligible or negative. As with other forms of pollution, individual outputs may appear harmless, yet their cumulative effect degrades a shared resource in this case, the informational environment. Crucially, AI slop is not defined by malicious intent. Much of it is produced automatically or semi-automatically for search engine optimization, advertising, political messaging, or engagement farming. Legal frameworks that hinge on intent or deception therefore struggle to capture its harms. Instead, slop represents a classic negative externality: private actors capture the benefits of scale, while the costs confusion, degraded search quality, loss of trust, and increased verification burdens are borne by consumers, creators, and society at large.

2.1. Economic Harms to Consumers: Misrepresentation, Confusion, and Deceptive Practices

The most immediate harms of AI slop fall on consumers. Even when individual pieces of slop are not factually false, they degrade the quality of information environments in which consumers make decisions. From a law and economics perspective, this can be analyzed through the lenses of search costs, bounded rationality, and information asymmetry.

Consumers rely on digital intermediaries search engines, recommender systems, and social media platforms to filter and rank information. AI slop exploits these systems by occupying prominent positions through volume and algorithmic optimization rather than relevance or quality. As a result, consumers face higher costs in identifying reliable information, expending additional time and cognitive effort to separate signal from noise. These increased search costs represent a welfare loss even in the absence of outright deception.

Moreover, the prominence of slop can amount to implicit misrepresentation. Visibility in rankings or feeds often functions as a proxy for relevance or credibility. When synthetic, low-value content crowds out higher-quality alternatives, consumers may reasonably but mistakenly infer endorsement or trustworthiness. Existing consumer protection regimes are poorly suited to address this form of harm because it does not arise from false statements, but from degraded informational infrastructures that systematically mislead by design.

2.2. Harms to Producers and Creators: Market Substitution and Revenue Loss

AI slop also imposes significant economic harms on producers and creators, particularly in content markets characterized by low margins and high competition. Generative systems can replicate stylistic features of human-produced content at scale, producing functional substitutes that compete directly with journalists, writers, musicians, and other creative professionals.

From an economic standpoint, this produces a market substitution effect. Synthetic content, produced at near-zero marginal cost, undercuts human labor, driving down prices and reducing revenues for creators who rely on scarcity, originality, or quality differentiation. In long-tail markets such as niche journalism, specialized commentary, or local cultural production this effect is especially pronounced. Creators are displaced not because consumers prefer lower quality, but because platforms prioritize abundance and engagement over value.

These dynamics weaken incentives to invest in high-quality production. Where creative labor cannot be reliably monetized, rational actors reduce investment, leading to a contraction in diversity and originality. This represents not merely a distributive harm to creators, but an allocative inefficiency: markets fail to reward socially valuable production because quality signals are overwhelmed by synthetic substitutes.

2.3. Harms to Market and Firm Efficiency

Beyond consumers and creators, AI slop undermines market and firm efficiency by distorting informational and reputational mechanisms that underpin digital markets.

2.3.1. Distorted Price and Quality Signals

In platform-mediated economies, traditional price signals are supplemented or even replaced by informational signals such as rankings, engagement metrics, and visibility. AI slop contaminates these signals. When engagement can be generated cheaply and at scale through automated content, metrics lose their informational value. Firms receive noisy feedback about consumer preferences, leading to inefficient allocation of resources and misaligned strategic decisions. Search markets provide a clear example. When slop saturates search results, the effectiveness of search as a discovery mechanism declines. Firms seeking to reach relevant audiences must either invest in similar volume-based strategies or incur higher costs to differentiate themselves. Both outcomes reduce overall market efficiency.

2.3.2. Reputational and Operational Losses

AI slop also generates reputational externalities. Synthetic content may hallucinate facts, misattribute statements, or associate brands and institutions with false or low-quality information. Even where no legal liability arises, firms must bear the operational costs of monitoring, correcting, and responding to synthetic noise. Legal, compliance, and communications teams are increasingly diverted toward defensive activities, representing a deadweight loss from a welfare perspective.

2.3.3. 5. Systemic Harms to Markets: Feedback Loops and Quality Collapse

The most significant harms of AI slop emerge at the systemic level. Slop production is characterized by self-reinforcing feedback loops. Platforms reward volume and engagement; actors respond by producing more synthetic content; increased saturation further reduces the relative payoff of quality, encouraging even greater reliance on automation. This dynamic can be described as a low-quality equilibrium. Once slop dominates informational environments, high-quality producers face diminishing returns, exit the market, or adapt by lowering standards. The result is a market-wide quality collapse, analogous to the degradation observed in markets with unchecked spam or counterfeit goods.

Traditional legal tools struggle to address this phenomenon because harm does not stem from identifiable violations, but from cumulative effects. Each additional unit of slop imposes marginal harm on the system by reducing the value of all other information. Yet no single producer has an incentive to reduce output unilaterally. This is a classic collective action problem, requiring regulatory intervention to realign incentives.

2.4. Macro-Level Harms: Digital Externalities of Cheap, Abundant Synthetic Content

At the macro level, AI slop represents a new class of digital externalities with implications for economic welfare, democratic governance, and cultural sustainability. Informational degradation undermines trust in institutions, weakens public discourse, and imposes long-term social costs that are not reflected in market prices.

From a law and economics perspective, the defining feature of these harms is cost externalization. Platforms and AI deployers capture private benefits advertising revenue, engagement data, market dominance while externalizing the costs of slop onto users, creators, regulators, and society. Existing legal frameworks, focused on discrete harms and individual wrongdoing, lack mechanisms to internalize these costs.

This regulatory gap mirrors early failures in environmental governance, where pollution was treated as an unfortunate by-product rather than a structural market failure. As with environmental externalities, effective governance of AI slop requires a shift from reactive enforcement to systemic regulation aimed at preventing degradation of shared resources.

3. Legal and Regulatory Implications

The analysis reveals three core regulatory shortcomings. First, current frameworks underestimate harms that arise from lawful but excessive production. Second, they fail to address misaligned incentives that reward volume over value. Third, they lack conceptual tools for regulating quality degradation without resorting to content-based restrictions.

A law and economics approach suggests the need for regulatory strategies that internalize externalities, potentially drawing on principles such as the polluter pays principle, platform responsibility for amplification, and transparency obligations related to content provenance and scale. The challenge is not to suppress speech, but to govern production patterns that systematically undermine market efficiency and social welfare.

AI slop represents a paradigmatic challenge for law and economics in the digital age. It exposes the limits of regulatory frameworks designed for scarcity, intent, and discrete wrongdoing in an environment defined by abundance, automation, and cumulative harm. By conceptualizing slop as algorithmic pollution, this paper offers a coherent framework for identifying where harms arise, how they propagate, and why existing legal tools fail to address them. Recognizing and internalizing the economic externalities of cheap, abundant synthetic content is a necessary step toward sustainable digital markets and resilient informational ecosystems.

References

• DeGeurin M, ‘A Ridiculous AI-Generated Rat Penis Made It into a Peer-Reviewed Journal’ (Popular Science, 16 February 2024) <https://www.popsci.com/technology/ai-rat-journal/> accessed 13 August 2025 • Field M, ‘Why the Internet Is Filling up with Nonsense “AI Slop”’ The Telegraph (1 January 2025) <https://www.telegraph.co.uk/business/2025/01/01/why-the-internet-is-filling-up-with-nonsense-ai-slop/> accessed 13 August 2025 • Hern A and Milmo D, ‘Spam, Junk … Slop? The Latest Wave of AI behind the “Zombie Internet”’ The Guardian (19 May 2024) <https://www.theguardian.com/technology/article/2024/may/19/spam-junk-slop-the-latest-wave-of-ai-behind-the-zombie-internet> accessed 13 August 2025 • Maker P, ‘AI Slop: What Labour, Spotify and Coca-Cola Can Teach Us in 2025’ (Raconteur, 9 January 2025) <https://www.raconteur.net/technology/ai-slop-flops-2025-oped> accessed 13 August 2025 • Notopoulos K, ‘Why Doesn’t Facebook Just Ban AI Slop like Shrimp Jesus?’ (Business Insider) <https://www.businessinsider.com/meta-facebook-ban-ai-slop-images-shrimp-jesus-why-2024-6> accessed 13 August 2025 • Robins-Early N, ‘How Did Donald Trump End up Posting Taylor Swift Deepfakes?’ The Guardian (26 August 2024) <https://www.theguardian.com/technology/article/2024/aug/24/trump-taylor-swift-deepfakes-ai> accessed 13 August 2025 • Wallace-Wells D, ‘Opinion | HOw Long Will A.I.’s “Slop” Era Last?’ The New York Times (24 July 2024) <https://www.nytimes.com/2024/07/24/opinion/ai-annoying-future.html> accessed 13 August 2025

ABSTRACT. In the current moment, so-called ‘Artifical Intelligence’ (AI) is a major vehicle for deregulation in the name of purported simplification [1]. It is also seen by some as a catalyst to save Europe’s endangered competitiveness [2]. We want to illustrate that such narratives threaten fundamental rights protection and explore approaches to regulate AI in a way that addresses the structural power dynamics that currently amplify discrimination and inequalities.

Our talk will comprise two parts: In the first part, we trace the developments on the EU level that got us to this specific moment in history, where the Commission and Council are working hand in hand to demolish the only recently finalized ‘digital acquis’ in order to ‘get AI on the ground’. The second part will build on the debris and identify specific areas that require action to counter the prevalent neoliberal narratives. We will analyse regulatory opportunities, charting specific changes of existing legislation on a smaller scale and developing points for regulating AI infrastructures on the grand scale.

We set the scene with the resurgence of the EU’s neoliberal instincts with the Letta and Draghi reports [3]. This, we argue, set key European actors on a path conjuring a race against China and the USA [4], based on a simplistic notion of regulation as an obstacle to economic growth [5], that serves as justification for weakening fundamental rights guarantees [6]. With the Digital Omnibus [7] and the Digital Omnibus on AI [8], the Commission is resetting data protection law as well as the only recently finalized AI Act for the sake of ‘competitiveness’. The proposals contain far-reaching changes of key notions and obligations of both acts [9]. Just as the markets are starting to wonder about the end of the AI bubble [10], the EU is launching a multitude of initiatives and investment programmes [11]. In this endeavour, the much vaunted European approach to AI is lost, before it was even ever developed.

Building constructively on this lacuna we will sketch avenues to conceive of a new holistic European approach to AI. We conceptualise this approach on different scales, looking specifically to improvements within both the GDPR and the AI Act, but also extending the view to consider the structural conditions for meaningful rights protection within the EU as well as the broader infrastructural implications of AI systems.

Analysing the current EU digital regulation, we point to specific legislative opportunities for improvements. For example, the AI Act is riddled with loopholes that allow invasive uses of AI technology [12]. Similarly, the reporting and assessment mechanisms of the GDPR and the AI Act could be much better aligned. This would ‘cut red tape’ [13], while also improving the protection of individuals’ rights. Further, the model of responsibility under the GDPR could be improved in relation to AI, specifically it would be helpful to impose GDPR obligations on providers, even when they are not controllers. Regulating a product or service upstream could more easily lead to systemic changes in the way services are operated.

At a structural level, we offer initial thoughts on the institutional and material conditions for meaningful AI regulation, looking at how legislative schemes cannot be divorced from the broader environments in which they operate. On the infrastructural level [14], we argue that AI systems do not only require vast resources and infrastructures, but are increasingly themselves becoming infrastructures, as various applications and services are built on AI systems. However, due to the resource requirements for training AI models and building AI systems, large corporations that are already entrenched in the market can further consolidate their position. Therefore we argue that AI systems should be expressly regulated from an infrastructural perspective. Such regulation has to consider the structural dependencies on the AI infrastructures of incumbent AI companies and point towards more democratic and sovereign solutions [15]. This applies to the private sector as well as the public sector. In the current development of AI in the USA, China as well as within the EU, we are seeing massive private investment in a technology lauded as key to economic and social development. Parsing hype from substance, it is necessary to ensure that the public sector, in cases where AI can sensibly be used, has the expertise and resources to develop and use AI systems without entrenching existing structural inequalities.

Exploring ways to wrestle AI from the hands of large corporations, we will illustrate how regulation could counter current hegemonic practices and reclaim a European approach to AI.

1 European Commission, A simpler and faster Europe: Communication on implementation and simplification, COM(2025) 47 final, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52025DC0047. 2 Speech by President von der Leyen at the Artificial Intelligence Action Summit Paris, 11 February 2025, https://ec.europa.eu/commission/presscorner/api/files/document/print/en/speech_25_471/ SPEECH_25_471_EN.pdf. 3 Enrico Letta, Much more than a Market, April 2024, https://www.consilium.europa.eu/media/ny3j24sm/muchmore-than-a-market-report-by-enrico-letta.pdf; Mario Draghi, The future of European Competitiveness, September 2024, https://commission.europa.eu/topics/competitiveness/draghi-report_en#paragraph_47059. 4 Speech by President von der Leyen at the Artificial Intelligence Action Summit Paris, 11 February 2025, https://ec.europa.eu/commission/presscorner/api/files/document/print/en/speech_25_471/ SPEECH_25_471_EN.pdf. 5 Jie Ouyang, The Omnibus Comeback of the Neoliberal EU, Verfassungsblog, 25 November 2025, https://verfassungsblog.de/the-omnibus-neoliberal-eu/. 6 Noyb, Digital Omnibus: First Analysis of Select GDPRand ePrivacy Proposals by the Commission, 2025, https://noyb.eu/sites/default/files/2025-12/noyb%20Digital%20Omnibus%20Report%20V1.pdf 7 European Commission, Digital Omnibus, COM(20225) 837 final, https://ec.europa.eu/newsroom/dae/redirection/document/121742. 8 European Commission Digital Omnibus on AI, COM(2025) 836 final, https://ec.europa.eu/newsroom/dae/redirection/document/121744. 9 Hannah Ruschemeier, The Omnibus Proposal of the EU Commission: Or how to Kill Data Protection Fast, Verfassungsblog, 17 November 2025, https://verfassungsblog.de/the-omnibus-package-of-the-eu-commission/. 10 Gerrit De Vynck, Big Tech says AI is booming. Wall Street is starting to see a bubble. The Washington Post, 24 July 2024, https:/www.washingtonpost.com/technology/2024/07/24/ai-bubble-big-tech-stocks-goldman-sachs/. 11 For instance: https://digital-strategy.ec.europa.eu/en/policies/ai-factories; https://digital-strategy.ec.europa.eu/en/news/eu-launches-investai-initiative-mobilise-eu200-billion-investmentartificial-intelligence; https://digital-strategy.ec.europa.eu/en/policies/genai4eu. 12 Sandra Wachter, Limitations and Loopholes in the EU AI Act and AI Liability Directives: What This Means for the European Union, the United States, and Beyond, 26 Yale Journal of Law & Technology 2024, https://ora.ox.ac.uk/objects/uuid:0525099f-88c6-4690-abfa-741a8c057e00/files/sht24wm314. 13 Speech by President von der Leyen at the Annual EU Budget Conference 2025, 20 May 2025, https://ec.europa.eu/commission/presscorner/detail/en/speech_25_1284. 14 Francesca Musiani et al. (eds)., The Turn to Infrastructure in Internet Governance, New York 2016, https://link.springer.com/book/10.1057/9781137483591; Geoffrey C. Bowker et al., Introduction to Thinking Infrastructures, 62 Research in the Sociology of Organizations 2019, 1-13, http://dxi.doi.org/1397781622. 15 Petter Ericson et al., AI Policy for Whom? Reclaiming Governance from Capitalist Venture, Proceedings of the Eighth AAAI/ACM Conference on AI, Ethics, and Society (AIES) 2025, https://ojs.aaai.org/index.php/AIES/article/view/36594; Lauren Berlant, The commons: Infrastructures for troubling times, 34(3) Environment and Planning D: Society and Space 2016, 393-419, https://journals.sagepub.com/doi/10.1177/0263775816645989; Alina Utrata, Towards a Democratic Approach to Corporate Power, Verfassungsblog, 14 July 2025, https://verfassungsblog.de/starlink-corporate-dependency/.

ABSTRACT. This paper focuses on the prudential regulation and supervision of UK re-insurance undertakings, in relation to Artificial Intelligence (AI) considerations. Specifically, it presents a critical analysis of the prudential provisions of the European Artificial Intelligence (AI) Act which could be adjusted and adopted in the UK regulatory and supervisory regime, in line with the Prudential Regulation Authority (PRA)’s approach to insurance supervision. Building on the gaps identified regarding the supervisory approach to AI applications within the insurance value chain, it presents proposed developments based on the EU AI Act. The purpose of this paper is to present a critique on the learnings from the EU AI Act in relation to risk management systems and risk management for UK financial regulators regarding the prudential supervision of re-insurers. These are linked to the assessment performed by the European Insurance and Occupational Pensions Authority (EIOPA) in relation to the governance and risk management of AI to ensure the appropriate regulation and supervision of the risks linked to re-insurance activities. Effectively capturing how this approach towards the prudent AI governance and risk management framework could be adopted by the PRA, and ultimately how prudential supervision should be adjusted to monitor AI applications and uses. Beyond the EU AI Act, the principles from the International Association of Insurance Supervisors (IAIS) in relation to risk management systems from a prudential angle are also discussed to complement the recommendations for UK regulators, in relation to risk management practices and the prudential regulatory expectations based on the PRA’s Rulebook, in combination with the Lloyd’s of London Principles for the London market. The focus is placed on the AI considerations within the Own Risk and Solvency Assessment, model risk management and stress testing, all interlinked core prudential components of Solvency II and Delegated Acts. This doctrinal legal research adopts a socio-legal methodology combined with economic theory in analysing the prudential regulatory frameworks underpinning AI. The economic analysis of law and regulation constitutes the methodological approach adopted to critically examine the prudential provisions of the EU AI Act applicable to re-insurers. The contribution of this paper is twofold, providing insights for advances to the (a) regulation and (b) supervision of AI applications within the insurance sector for the UK, based on the EU AI Act and EIOPA’s approach. Regulating and supervising AI applications within the UK insurance industry is of high importance, linked to AI uses and the inherent purpose of insurance. In particular referring to the growth and capacity of the insurance market, with wider applications of AI, and the insurability of risks, with the case of under-insurance and protection gap, towards affordability via increased accuracy of risks and improved underwriting, both outcomes of prudential activities. Overall, this research adds to the growing literature about regulatory implications from AI, using the UK insurance industry as a case study, commenting on the EU regulatory regime, from a prudential lens, on how this could be utilised to shape UK practice and policy.

ABSTRACT. Through a comparative legal analysis of Brazil, Ontario (Canada), and Finland, this research proposes principles for health data governance grounded in the Brazilian experience, aiming to balance the promotion of AI-driven healthcare innovation with the mitigation of individual and collective risks. It positions Brazil as both a case study and a normative contributor, thereby broadening global debates on health data governance for AI beyond dominant regulatory models from the United States, the European Union, and China.

Theoretical Background

Artificial Intelligence (AI) is increasingly reshaping healthcare, from personalised treatment to broader system efficiency, offering new tools for clinical decision-making, public health surveillance, and administrative optimisation (Alhejaily, 2024). AI-enabled systems rely on extensive and high-quality datasets, making health data a foundational resource for innovation in healthcare (Olabiyi et al., 2025). Brazil’s universal public healthcare system (Sistema Único de Saúde – SUS) generates vast volumes of health data with significant potential for AI-driven innovation (Barbalho et al., 2022). As Brazil accelerates its digital health strategy and expands data integration through initiatives such as the National Health Data Network (Rede Nacional de Dados em Saúde – RNDS), the governance of health data becomes a central policy challenge (Haddad & Lima, 2024). However, there is a tension between two competing objectives. On the one hand, AI developers, researchers, and public authorities require access to large, interoperable, high-quality and representative health datasets to develop reliable and socially beneficial AI applications (Alowais et al., 2023). On the other hand, the making available and processing of personal and sensitive health data raises significant risks to privacy, autonomy, equality, and collective interests, particularly for historically marginalized communities (WHO, 2021; Parikh et al., 2019). Brazil’s current health data governance framework neither adequately enables responsible access to data for AI innovation nor sufficiently protects individuals and communities from these risks (Porto Junior et al., 2022). Principles-based health data governance offers a promising path to address this dual challenge. Principles provide flexible normative guidance capable of operating across the entire data lifecycle, even in contexts marked by regulatory delays, institutional fragmentation, and rapid technological change (Marcucci et al., 2023). While Brazil has made important advances through the enactment of the General Data Protection Law (Lei Geral de Proteção de Dados – LGPD, Law No. 13.709/2018) and the expansion of digital health infrastructure, it still lacks a principles-based framework specifically tailored to the governance of health data in the context of AI. This gap weakens oversight, erodes public trust, and constrains responsible innovation (Aith & Falcão, 2022).

Research questions

Against this background, the research addresses the following overarching question: What principles should guide health data governance in Brazil in order to balance AI-driven healthcare innovation with the mitigation of risks to individuals and society? More specific questions include: (1) what governance principles can mitigate individual and collective harms arising from the use of health data in AI-enabled healthcare; and (2) how can such principles reduce barriers to innovation while fostering trustworthy and socially beneficial AI development?

Methods and methodology

The research combines (1) a scoping literature review with (2) a comparative legal analysis. To identify the problems addressed by the proposed principles, the scoping literature review maps the main risks and challenges arising from the use of health data for AI innovation. It draws on peer-reviewed literature and grey sources published from 2019 onwards, a period marked by renewed regulatory attention to data governance under the influence of the GDPR and related frameworks. In line with a Third World Approaches to International Law (TWAIL) perspective, the review deliberately avoids reliance on citation metrics and incorporates Global South scholarship and policy materials often excluded from mainstream academic databases (Mutua, 2000; Gathii, 2011). Building on the findings of the scoping literature review, the comparative legal analysis examines health data governance frameworks in Ontario (Canada) and Finland. These jurisdictions were selected due to their advanced digital health infrastructures, established mechanisms for the secondary use of health data, and ongoing efforts to integrate data governance with AI regulation (Boyd et al., 2021). However, rather than treating these frameworks as models for direct transplantation, the research adopts a TWAIL-informed approach that critically assesses their principles in light of Brazil’s socio-technical, legal, and institutional context, much of which is shared with the Global South (Zumbansen, 2020).

Results and Discussion

The scoping review identified challenges at both the individual and collective levels. At the individual level, recurring concerns include algorithmic bias arising from unrepresentative datasets (Henderson et al., 2022), limited transparency regarding the use of AI in clinical decision-making (Park, 2024), difficulties in achieving meaningful informed consent for secondary data use (Chau et al., 2025), and low levels of data literacy among patients, healthcare professionals, and policymakers (Castello et al., 2024). These issues undermine patient autonomy and trust, while also affecting the reliability and fairness of AI systems (Dourado & Aith, 2022). At the collective and societal level, the review highlights risks that extend beyond individual rights. These include threats to Indigenous data sovereignty (Mesquita et al., 2024), collective privacy harms affecting social groups rather than identifiable individuals (Viljoen, 2021), the reinforcement of structural inequalities through data-driven systems (Morley et al., 2020), and the often-overlooked environmental impacts associated with large-scale data storage and AI model training (Penn State News, 2025). In Brazil, these concerns are amplified by deep racial and regional inequalities and the absence of explicit legal recognition of Indigenous data governance principles (Torino et al., 2024). In addition to identifying risks, the scoping review also maps barriers to AI-driven innovation in healthcare. These include poor interoperability across fragmented health information systems (Müller et al., 2023), legal uncertainty surrounding the secondary use of health data (Vilpponen et al., 2024), limited access to high-quality datasets in underserved regions, and growing reluctance among data custodians to share data due to concerns over generative AI models and loss of control (“Gen-AI-nxiety”) (Longpre et al., 2024). At a systemic level, the literature points to risks related to research quality (Caliebe, 2019), market concentration favouring large technology firms, and the absence of international standards for health datasets (Goos & Savona, 2024). Finally, the research proposes a set of principles for health data governance in Brazil. These principles are organized under three overarching themes inspired by OECD guidance: (1) maximizing the benefits of health data for innovation and public interest, (2) protecting individuals and communities, and (3) strengthening governance, accountability, and trust (OECD, 2022). Rather than proposing detailed regulatory rules, the framework aims to support policy design, guide institutional practice, and inform future legislative and regulatory developments.

Conclusion

This research shows how an upper-middle-income country with a universal public health system, deep social inequalities, and growing reliance on transnational digital infrastructures can offer alternative pathways for health data governance that balance innovation, equity, and collective well-being beyond mainstream narratives (Belli et al., 2024).

References:

Aith, F, and Falcão, M. "Droit de la santé et numérisation du système de santé au Brésil: opportunités et menaces." Journal de Droit de la Santé et de l’Assurance Maladie 35 (2022). Alhejaily, A.-M. G. (2024). Artificial intelligence in healthcare (Review). Biomedical Reports, 22(1), 11. https://doi.org/10.3892/br.2024.1889. Alowais, S. A., Alghamdi, S. S., Alsuhebany, N., Alqahtani, T., Alshaya, A. I., Almohareb, S. N., Aldairem, A., Alrashed, M., Bin Saleh, K., Badreldin, H. A., Al Yami, M. S., Al Harbi, S., & Albekairy, A. M. (2023). Revolutionizing healthcare: The role of artificial intelligence in clinical practice. BMC Medical Education, 23(1), 689. https://doi.org/10.1186/s12909-023-04698-z Barbalho, I. M. P., Fernandes, F., Barros, D. M. S., Paiva, J. C., Henriques, J., Morais, A. H. F., Coutinho, K. D., Coelho Neto, G. C., Chioro, A., & Valentim, R. A. M. (2022). Electronic health records in Brazil: Prospects and technological challenges. Frontiers in Public Health, 10. https://doi.org/10.3389/fpubh.2022.963841 Boyd, M., Zimeta, D. M., Tennison, D. J., & Alassow, M. (2021). Secondary use of health data in Europe. Boschiero, M. N., Palamim, C. V. C., Ortega, M. M., Mauch, R. M., & Marson, F. A. L. (2021). One Year of Coronavirus Disease 2019 (COVID-19) in Brazil: A Political and Social Overview. Annals of Global Health, 87(1), 44. https://doi.org/10.5334/aogh.3182 Caliebe, A., Leverkus, F., Antes, G., & Krawczak, M. (2019). Does big data require a methodological change in medical research? BMC Medical Research Methodology, 19(1), 125. https://doi.org/10.1186/s12874-019-0774-0. Castello, G., Picanço, M., Vieira, P., & Brandão, R. (2024). Artificial Intelligence in healthcare: A qualitative diagnosis of the Brazilian scenario. In ARTIFICIAL INTELLIGENCE IN HEALTHCARE: potential, risks, and perspectives for Brazil. Chau, M., Rahman, M. G., & Debnath, T. (2025). From black box to clarity: Strategies for effective AI informed consent in healthcare. Artificial Intelligence in Medicine, 167, 103169. https://doi.org/10.1016/j.artmed.2025.103169 Dourado, D., & Aith, F. M. A. (2022). The regulation of artificial intelligence for health in Brazil begins with the General Personal Data Protection Law. Revista de Saude Publica, 56. Scopus. https://doi.org/10.11606/S1518-8787.2022056004461. Gathii, J. (2011). TWAIL: A Brief History of Its Origins, Its Decentralized Network, and a Tentative Bibliography. Faculty Publications & Other Works. https://lawecommons.luc.edu/facpubs/196 Goos, M., & Savona, M. (2024). The governance of artificial intelligence: Harnessing opportunities and mitigating challenges. Research Policy, 53(3), 104928. https://doi.org/10.1016/j.respol.2023.104928. Haddad, A. E., & Lima, N. T. (2024). Digital Health in the Brazilian National Health System (SUS). Interface - Comunicação, Saúde, Educação, 28, e230597. https://doi.org/10.1590/interface.240045. Henderson, B., Flood, C., & Scassa, T. (2022). Artificial Intelligence in Canadian Healthcare: Will the Law Protect Us from Algorithmic Bias Resulting in Discrimination? Canadian Journal of Law and Technology, 19(2), 475. Longpre, S., Mahari, R., Lee, A., Lund, C., Oderinwale, H., Brannon, W., Saxena, N., Obeng-Marnu, N., South, T., Hunter, C., Klamm, C., Schoelkopf, H., Singh, N., Cherep, M., Anis, M., Dinh, A., Chitongo, C., Yin, D., Sileo, D., … Kabbara, J. (n.d.). Consent in Crisis: The Rapid Decline of the AI Data Commons. Marcucci, S., Alarcon, N. G., Verhulst, S. G., & Wullhorst, E. (2023). Mapping and Comparing Data Governance Frameworks: A benchmarking exercise to inform global data governance deliberations (arXiv:2302.13731). arXiv. https://doi.org/10.48550/arXiv.2302.13731 Mesquita, H., Garrote, M. G., & Zanatta, R. A. (2024). Regulating Artificial Intelligence in Brazil: The contributions of critical social theory to rethink principles. Technology and Regulation, 2024, 73–83. https://doi.org/10.71265/czjtfr98 Morley, J., Murphy, L., Mishra, A., Joshi, I., & Karpathakis, K. (2022). Governing Data and Artificial Intelligence for Health Care: Developing an International Understanding. e31623. https://doi.org/10.2196/31623 Müller, T., Zahn, M., & Matthes, F. (2023). Unlocking the Potential of Collaborative AI - On the Socio-Technical Challenges of Federated Machine Learning. ECIS 2023 Research Papers. https://aisel.aisnet.org/ecis2023_rp/245 Mutua, M. (2000). What is TWAIL? Proceedings of the ASIL Annual Meeting, 94, 31–38. https://doi.org/10.1017/S0272503700054896 Olabiyi, Winner & Akinyele, Docas & Joel, Emmanuel. (2025). The Evolution of AI: From Rule-Based Systems to Data-Driven Intelligence. Park, H. J. (2024). Patient perspectives on informed consent for medical AI: A web-based experiment. Digital Health, 10, 20552076241247938. https://doi.org/10.1177/20552076241247938 Parikh, R. B., Teeple, S., & Navathe, A. S. (2019). Addressing Bias in Artificial Intelligence in Health Care. JAMA, 322(24), 2377–2378. https://doi.org/10.1001/jama.2019.18058. Penn State News. (2025, April 8). AI’s Energy Demand: Challenges and Solutions for a Sustainable Future. Porto Júnior, O., Silva, G. H. L., Magdaleno, I. G. M., Silva, D. R. S. da S., & Braoios, R. R. (2022). LGPD e uso Secundário de Dados de Saúde (A YEAR IN PRIVACY). https://baptistaluz.com.br/wp-content/uploads/2022/07/Bluz_220726_PD_AYIP_DadosSaude_V3.pdf https://iee.psu.edu/news/blog/why-ai-uses-so-much-energy-and-what-we-can-do-about-it Torino, E., Carrasco, L. B., Coneglian, C. S., & Vidotti, S. A. G. (2025). Governança e soberania de dados de povos indígenas: Aplicação de etiquetas Local Contexts na representação da informação. In Anais do XXIV Encontro Nacional de Pesquisa e Pós-graduação em Ciência da Informação (ENANCIB), 2024. Viljoen, S. (2021). A Relational Theory of Data Governance. The Yale Law Journal. Vilpponen, H., Piirainen, A., Kallberg, M., & Mikkonen, T. (2024). Secondary Use of Health Data: Centralized Structure and Information Security Frameworks in Finland (arXiv:2412.06800). arXiv. https://doi.org/10.48550/arXiv.2412.06800. WHO. (2021). Ethics and governance of artificial intelligence for health. https://www.who.int/publications/i/item/9789240029200. Zumbansen, P. C. (2020). Transnational Law: Theories & Applications. In OXFORD HANDBOOK OF TRANSNATIONAL LAW. Oxford University Press. https://papers.ssrn.com/abstract=3601385

ABSTRACT. With increased geopolitical tensions, the EU is currently considering how it could enhance its digital sovereignty, here understood as the ability of the EU and its member states to act independently from foreign governments in the digital sphere. Digital sovereignty is generally thought to be particularly important in relation to essential services for democracy, the rule of law, and services of a general economic interest. This paper assesses whether the Digital Markets Act (DMA) could be an instrument for such digital sovereignty. It argues that, while the DMA may provide conditions for EU digital sovereignty in some respects, it will certainly not automatically lead to it.

Already before its enactment, the DMA was criticised by some commentators, including the US government, as a protectionist instrument. The evidence supporting this criticism is rather slim. To the extent that non-EU technology companies dominate most EU digital markets, it is natural that any regulation aiming to make such markets more contestable and fair was going to mainly target non-EU companies. Currently, six out of the seven gatekeepers designated under the DMA are non-EU companies, with the seventh one being US-owned.

Since the DMA is meant to make markets in which currently mostly non-EU gatekeepers are active more contestable and fair, it may in practice provide opportunities for EU-based businesses. This is also apparent when looking at some of the obligations imposed by the DMA and the first enforcement actions. For instance, browser and search choice screens provide greater chances and visibility for European alternatives, like Mullvad or Ecosia. The Apple Connected Devices decision, similarly, is likely to benefit European manufacturers of smart phone accessories. To the extent that these EU-based businesses are less easily controllable by non-EU governments, this will contribute to EU digital sovereignty. The effects of this may differ from digital market to digital market, some being more relevant for EU digital sovereignty than others.

The DMA may also provide benefits for decentralized digital systems and open source software, for instance when it requires gatekeepers to allow the use of alternative app-stores or grants providers of these alternative tools access to interoperability information and data. These digital tools are not controlled by a single provider, which means that they are more difficult to control by governments (at least in some respects). The use of such tools in EU digital markets therefore boosts the EU’s independence from foreign governments (although they are at the same time resistant to control by the EU and its member states as well).

On the other hand, the benefits of the DMA do not extend to EU-based companies and open source or decentralized providers only. Beyond the gatekeepers, many or even most companies that are active in EU digital markets are equally based outside the EU. They therefore have as much to gain from such markets becoming more contestable and fair as EU-based or decentralized companies. To come back to the previous examples: many browser or search alternatives are non-European, as are many manufacturers of smart phone accessories. If these alternatives are based in different foreign jurisdictions, this may not be an obstacle to EU digital sovereignty (since no single foreign government can then control the relevant markets), but in practice many alternative providers are from the United States, thereby continuing US governmental oversight over these services. The prevalence of US alternatives is also apparent when looking at complainants at the origin of many investigations into the digital gatekeepers under Article 102 TFEU, such as Epic (complaining about Apple) and Zoom (complaining about Microsoft). There are even examples of US gatekeepers trying to benefit from obligations imposed on other US gatekeepers (e.g., Google’s complaint about Microsoft’s cloud strategy).

Finally, regardless of the beneficiary, there is a risk that the DMA obligations paradoxically entrench the power of non-EU gatekeepers, thereby undermining EU digital sovereignty. This is the case if interoperability and access obligations permit downstream markets to open up, but thereby in fact discourage downstream providers from switching to upstream competitors of the gatekeepers. This is a problem that is well known in other network industries, where granting a legal monopoly is often the trade-off for universal access obligations. If the DMA would have such an effect on non-EU gatekeepers, this would clearly be contrary to EU digital sovereignty.

ABSTRACT. New technologies create the need for new regulatory frameworks. The rise of network industries led to new issues in terms of facilitating coordination and achieving compatibility between different systems. This led to new forms of governance for such industries. Many services in the digital world, such as the World Wide Web, email, were designed through an interoperable protocol. However, as the digital markets evolved, the services became centralised to a few big players. In many cases, interoperability is denied or restricted by these few big players to gain a more advantageous position even if that is against the interests of the consumers. This is where regulators mandate interoperability or access through regulations to facilitate easy access to the market.

The Digital Markets Act (DMA) aims to impose interoperability among different digital services. However, interoperability is not merely a technical issue but an ongoing negotiation between competing interests, involving complex dynamics of technological evolution. The balancing of different commercial interests drives the extent of interoperability. Based on this, the paper examines how interoperability can be mandated for the digital markets by identifying the critical bottlenecks and finding the optimal points of interoperability to encourage entry of other players. The paper asks the following research questions: (i) What should be the process to determine which digital services should be mandated to be interoperable? (ii) What should be the extent of such interoperability for these different digital services to ensure the balance of competition and innovation in digital markets?

Interoperability as a feature is pushed in all kinds of infrastructures, whether public or private. Many interoperable public infrastructures are created as enabling infrastructures for private sector innovation (e.g. payment systems). One example is the Indian Unified Payment Interface model which separates the payment infrastructure layer from the applications layer, enabling many payment apps to compete while sharing a common layer of infrastructure. However, interoperability in private infrastructures is motivated largely by the ability to create and capture more value.

Through an extensive study of the management literature on digital ecosystems, the paper proposes a value-creation framework which analyses how value is created for consumers in the digital ecosystems and at which points, mandating interoperability can increase this value. Applying the framework, the paper identifies one service of each big-tech player that can be established as an ‘enabling infrastructure’ which can serve as a common layer for other players to enter the market and provide services, thereby increasing consumer choice.

‘Enabling infrastructure’ as a term is usually used for utilities. However, the paper uses the term more flexibly to connote an infrastructural approach to digital markets where digital services that act as bottlenecks in the ecosystems can be made more open for other players. Features of digital markets such as network effects, economies of scale and scope and winner-take-all outcomes enable the value creation to be distributed while value capture remains centralized. As critical masses appear on both sides of the platform, the complementors cannot leave the platform due to low substitutability between different platforms. Therefore, in platform markets, it gets increasingly difficult for complementors to capture value, especially if platforms’ strategic focus tends to shift from value creation to value extraction. Ecosystems with bottleneck power can leverage their market power to extract monopoly rents. This is why it is necessary to identify the necessary points of extraction in these ecosystems. The paper provides a step-by-step process of the framework that regulators can use to identify the points of interoperability in gatekeepers’ ecosystems by analyzing the method of value capture.

1. The first step is to identify the central Core Platform Service (CPS) around which the modularity of the ecosystem has been designed. For instance, in the case of Apple and Google, this would be the OS while in case of Facebook, it will be the social media platform. However, the centrality of these platforms might change with the evolution of the ecosystem. For instance, Google started with a search engine but slowly started framing its ecosystem around its OS with all its relevant apps as a bundle of services as part of the OS ecosystem.

2. The second step would be to identify the linked CPS to the central platform. Mostly all the services in any digital ecosystem are linked to each other. However, here we refer to the services which would have no or very less users if it were not for the central platform, such as app stores for Apple and Google which are not innovation platforms in itself but provide a gateway to applications on the iOS and Android ecosystem. The DMA needs to consider this inter-relation while designing remedies. The reason for this step is that it will help identify services which would not exist if it were not interoperable with the gatekeeper’s ecosystem.

3. The third step would be to identify the service or the platform among the central platform or the linked CPSs which accounts for the main value capture for each ecosystem. This is where business models would be relevant, such as device-centric model for Apple and ad-centric services of Google and Facebook. For instance, while all three, Google, Apple and Microsoft provide operating systems, their business models are different. Value extraction in Apple’s business model occurs through the integration of its hardware and software while Google provides Android at low cost, since its core business model is not software or search (where most consumer value is created), but driving ads to eyeballs. Therefore, in Google’s case, online advertising is the linked CPS where most value capture occurs and which provides Google a way to extract most value from its ecosystem.

4. The analysis in the above steps would finally be helpful for the fourth step which is to identify the modes of value extraction based on linked CPS analysis and value capture mechanisms of the gatekeepers and examine the conduct through which such value is extracted. This could be excess fees to business-users, excessive data collection from end-users or high switching costs for both business or end-users.

5. The fifth and the final step would be to identify the correct proportionate remedy based on the conduct determined through the value extraction analysis above. This step would help in imposing the most appropriate remedy on digital ecosystems instead of providing a list of remedies as in the DMA, without considering the business models or the alleged harm from the conduct of the gatekeepers.

Applying this framework, the paper identifies three different services which can act as enabling infrastructures: (1) Ad-tech (2) Social media and (3) AI. The digital ecosystems are not just aggregators or mediators but play many other vertically-integrated functions including controlling the advertising ecosystem, providing recommendations to end-users, ranking seller-side services. These are the services where unbundling can ensure entry of more players. Further, interoperability is a context-dependent mechanism i.e. not all systems need to be interoperable in the same way and to the same extent. Each of the above digital services are unique and therefore, the paper proposes different extent and ways of interoperability for each of them.

For the ad-tech ecosystem, the main advantage that gatekeepers such as Google enjoy is vertical integration. The paper emphasizes on increasing transparency by creating standards for open measurement software development, which could create a common measurement system for advertising which allow cross-platform attribution using identity interoperability and where advertisers can compare the conversion of their ads on different services. For social media platforms, the paper proposes vertical interoperability by expanding on the suggestion of a competitive layer of companies which can offer middleware products enabling consumers to tailor their feeds to their own preferences, choose from different advertising services and provide better privacy options by allowing the users to calibrate the amount of data that they are willing to share. Finally, for AI services, the paper analyses each AI layer including the hardware, data and compute, foundational model and application layer to propose the extent of interoperability based on the competitiveness between different players. The paper suggests that the foundational model layer should be treated as an enabling infrastructure and should be mandated to be open while the application layer should have a more case-by-case analysis.

ABSTRACT. This paper examines whether the European Union’s recent regulatory framework for large digital platforms—most notably the Digital Markets Act (DMA) and the Digital Services Act (DSA)—can be interpreted as an emerging form of public utilities regulation. Although these instruments are formally grounded in competition law, internal market harmonization, and risk-based content governance, this paper argues that they reflect a deeper and more structural regulatory shift. Taken together, the DMA and DSA signal an attempt to reconceptualize certain digital platforms as infrastructures of systemic importance whose private governance must be subject to heightened public oversight. In doing so, the EU appears to be developing a regulatory paradigm that, while not explicitly articulated as such, shares significant affinities with historical models of public utility and common carrier regulation. The first section of the paper provides a detailed analysis of the objectives, scope, and core obligations introduced by the DMA and the DSA, as well as the institutional ecosystem established to ensure compliance and enforcement. It examines the DMA’s ex ante obligations imposed on designated “gatekeepers,” including requirements related to interoperability, self-preferencing, data use, and access to platform services, alongside the DSA’s system of due diligence obligations, risk assessments, and mitigation duties for very large online platforms. Beyond their doctrinal differences, the paper highlights the shared logic underlying both instruments: the recognition that certain digital platforms have acquired a form of structural, intermediation-based power that cannot be adequately addressed through traditional ex post enforcement alone. The analysis emphasizes that the regulatory ambition of the DMA and DSA extends beyond correcting discrete market failures or harmful online conduct. Instead, these laws are designed to diffuse and discipline concentrated private power in digital markets and information environments. By imposing asymmetric obligations on firms deemed systemically significant, the EU seeks to rebalance the relationship between private platform governance and public authority. This ambition is reflected not only in the substantive obligations imposed on regulated entities, but also in the robust enforcement architecture created by the two acts, including enhanced investigatory powers, substantial fines, structural remedies, and a central role for the European Commission in overseeing compliance. The paper argues that this institutional design reflects an understanding of Big Tech firms as quasi-governors of essential digital spaces rather than as ordinary market actors. The paper further contends that this regulatory turn is animated by a broader normative objective: the restoration of certain foundational promises associated with the early Internet, such as openness, contestability, non-discrimination, and participatory potential. By limiting the ability of dominant platforms to unilaterally shape market outcomes, control information flows, and set the rules of access and participation, the DMA and DSA aim to reassert public values in domains that have become central to economic activity, social interaction, and democratic discourse. In this respect, the EU’s approach reflects a growing recognition that digital platforms function as essential infrastructures whose governance raises questions traditionally associated with public utilities. The second section of the paper situates this contemporary regulatory development within a comparative and historical analysis of public utility and common carrier regulation in the United States and the European Union. It traces the evolution of these concepts from their origins in transportation and communications infrastructures to their broader application in sectors characterized by natural monopoly, network effects, and high social dependence. The analysis highlights both convergences and divergences between US and EU traditions, noting differences in constitutional structure, market ideology, and the role of administrative agencies, while also identifying shared regulatory concerns related to access, fairness, and control over essential services. From this comparative analysis, the paper distills a regulatory “toolkit” traditionally associated with public utilities. This toolkit includes, among other elements, nondiscrimination and fair dealing obligations; access and interoperability requirements; constraints on vertical integration and self-preferencing; heightened transparency and accountability duties; and the recognition of enhanced public responsibility for firms controlling essential facilities. Importantly, the paper emphasizes that public utility regulation has never been static, but has historically adapted to new technologies and economic conditions. As such, the absence of formal public ownership or rate regulation does not preclude the classification of a regulatory regime as utility-like. Applying this toolkit to the DMA and DSA, the paper argues that the EU’s Big Tech regulations exhibit several defining features of public utility governance, even if they are framed in the language of competition, consumer protection, and systemic risk. Gatekeeper obligations under the DMA resemble access and nondiscrimination duties historically imposed on network monopolies, while the DSA’s risk management and accountability framework echoes earlier efforts to subject essential service providers to ongoing public oversight. Moreover, the designation of certain platforms based on size, reach, and systemic importance parallels the historical identification of firms “affected with a public interest.” At the same time, the paper acknowledges important differences between the EU’s digital platform regime and classical public utility regulation. The DMA and DSA do not impose universal service obligations, do not rely on cost-based pricing or rate regulation, and operate in markets that remain formally competitive and innovation-driven. For this reason, the paper characterizes the EU’s approach as a hybrid or emergent form of public utility–like regulation rather than a direct transposition of historical models. This hybridity reflects both the distinctive features of digital platforms and the political and legal constraints of contemporary regulatory governance. In conclusion, the paper argues that understanding the DMA and DSA through the lens of public utilities regulation offers valuable analytical and normative insights. It helps explain the scope, ambition, and institutional design of the EU’s approach to Big Tech, while also situating it within a longer regulatory tradition concerned with governing private power over essential infrastructures. More broadly, this perspective suggests that the EU may be pioneering a new model of digital governance that redefines the boundary between market freedom and public responsibility in the platform economy. The paper concludes by reflecting on the implications of this emerging paradigm for future regulatory developments, transatlantic policy debates, and the evolving relationship between digital capitalism and democratic governance.

ABSTRACT. Recent EU digital rulemaking suggests the emergence of a new paradigm in tech governance: large, structurally powerful “gatekeeper” firms are not only subject to special conduct obligations under the Digital Markets Act (DMA), but are increasingly treated as systematically disfavoured recipients of data access rights across different legal instruments. This contribution argues that the gatekeeper‑exclusion clauses in the Data Act (DA) and the Commission’s Digital Omnibus proposal (COM(2025) 837 final) mark a shift from sector‑specific competition remedies to a cross‑cutting principle of asymmetric data regulation that is closely intertwined with industrial and digital sovereignty considerations. By weaving doctrinal analysis of the DA and the Digital Omnibus with these broader normative questions, the contribution shows how seemingly technical exclusions of gatekeepers from user‑centric data access rights embody a deeper reorientation of EU tech governance in a multicentric world. It invites discussion on whether this emerging paradigm can be rendered more coherent and transparent, and whether it can be reconciled with both the EU’s internal market values and its external commitments in global digital trade.

Part I: Gatekeepers in the Data Act (Art. 5(3) and 6(2) DA):

The analysis starts from the gatekeeper exclusions in Chapter II DA, in particular Article 5(3), Article 6(2)(d) DA and the corresponding Recital 40. Chapter II grants users rights to access and share data generated by connected products and related services with third parties, but systematically excludes undertakings designated as gatekeepers under Article 3 DMA from benefitting from these user‑centric access rights. Article 5(3) prevents gatekeepers from soliciting or commercially incentivising users to share data with one of their services, while Article 6(2)(d) DA prohibits third‑party data recipients from making user‑shared data available to gatekeepers, thereby excluding gatekeepers from the contractual networks that originate in Articles 4 and 5 DA. Recital 40 explicitly justifies this asymmetry by reference to the “unrivalled ability” of a small number of very large enterprises to acquire and monetise data, and to the goal of keeping markets contestable and ensuring a “fair” distribution of data value to SMEs and traditional sectors.

The paper then reconstructs the internal rationales and open doctrinal questions around these provisions. On the one hand, the exclusion appears to follow the DMA’s logic: preventing further data accumulation by gatekeepers in adjacent markets is presented as necessary to preserve contestability and to avoid envelopment strategies into data‑driven aftermarket services, for instance in smart mobility or smart home ecosystems. On the other hand, Recital 40 also reveals a clear distributional and industrial‑policy dimension: gatekeeper exclusion is linked to the aim of directing data‑driven opportunities towards SMEs and less digitalised sectors, rather than simply remedying specific competition law concerns. This twofold rationale already points beyond classic competition policy and towards a normative preference for particular categories of firms and business models.

At the same time, the scope and consistency of the DA’s gatekeeper exclusions are highly contested. As commentators have highlighted, the prohibition only applies within the user‑centric access regime of Chapter II; data holders remain free to share the same data directly with gatekeepers through contractual arrangements, subject to consent requirements under Article 4(12) DA and other applicable law. Gatekeepers may also obtain equivalent data by acting as data holders themselves, or via other legal mechanisms such as data portability under Article 20 GDPR, which Recital 40 leaves untouched as an “other lawful means”. This design leads to paradoxical effects: while users are barred from choosing gatekeepers as data recipients within the statutory access regime, manufacturers and data holders can still monetise their data vis‑à‑vis the same gatekeepers, potentially strengthening the latter’s position through exclusive contracts or acquisitions of the data‑holder position.

The paper engages with the emerging literature that criticises this architecture as both over‑ and under‑inclusive. Critics argue that the user’s freedom to choose third‑party service providers is “severely restricted” when gatekeepers, which in practice may offer superior services or network benefits, are legally excluded from the set of eligible recipients under Article 5 DA. Others emphasise that the exclusion may have negative welfare and innovation effects in downstream markets, particularly where gatekeeper platforms play an intermediary role that reduces transaction costs and unlocks economies of scope in aggregating market information, as in the case of car data‑based mobility services or smart home ecosystems. Conversely, competition‑oriented voices call the exclusion instrumentally under‑inclusive, because competition concerns remain unaddressed as long as data holders remain free to sell or transfer data to gatekeepers outside the statutory access regime. These tensions reveal that the DA’s gatekeeper provisions cannot be fully explained within a competition‑law frame.

Part II: Regulating gatekeepers beyond DMA – further approaches at the horizon:

Part II of the paper therefore turns to the Commission’s Digital Omnibus proposal of 19 November 2025 (COM(2025) 837 final), which, inter alia, amends the Open Data and PSI Directive to allow public sector bodies to price discriminate against DMA‑gatekeepers in re‑use conditions for public sector information. Unlike Article 5(3) DA, this reform does not impose direct obligations on gatekeepers; rather, it relaxes non‑discrimination constraints for public sector bodies and explicitly empowers them to treat gatekeepers less favourably than other re‑users when setting prices and conditions. This move entrenches the idea that gatekeepers may legitimately be subjected to worse treatment than other market participants even outside the DMA’s core platform context, and that such differential treatment may extend to state measures affecting access to public sector data.

Here, the normative stakes are even higher: asymmetry is no longer justified only vis‑à‑vis private counterparts, but directly structures state action and raises constitutional issues of equal treatment and justifiable discrimination. The paper argues that, taken together, the DA’s gatekeeper exclusions and the Digital Omnibus’ PSI price‑discrimination clause signal the crystallisation of a regime overarching principle of asymmetric data governance: where gatekeepers are present, EU law increasingly normalises stricter or less favourable treatment for them, often with the implicit aim of sheltering or promoting non‑gatekeeper (and often EU‑based) actors. This principle operates upstream (by making it harder or costlier for gatekeepers to obtain data) and downstream (by subjecting their use of data to additional constraints), and it interacts in complex ways with other instruments such as the DMA’s data‑sharing obligations and the Data Governance Act’s structural separation mechanisms.

Part III of the paper situates this asymmetric principle within the broader discourse on digital sovereignty. While the DMA itself formally remains nationality‑neutral and defines gatekeepers by economic criteria, many of the designated gatekeepers are non‑EU “Big Tech” firms, and the combined effect of gatekeeper‑focused rules, data export restrictions and sector‑specific localisation requirements can be read as implementing a de facto industrial policy that favours EU‑based cloud, data and AI providers. The DA’s emphasis on benefiting SMEs and “traditional sectors with less‑developed digital capabilities”, and the political narrative around strengthening Europe’s “strategic autonomy”, reinforce this reading. The paper does not attempt to resolve the compatibility of these developments with international trade law, but it uses the gatekeeper‑exclusion provisions as a lens through which to map the instruments and trade‑offs of an emergent digital sovereignty agenda that operates through data access design.

On this basis, the paper proposes a first taxonomy of regulatory instruments used (or available) to govern gatekeepers via ex ante prohibitions on gatekeeper access to specific data flows (Articles 5 and 6 DA); permission for public sector bodies to discriminate against gatekeepers in PSI pricing (Digital Omnibus); reciprocal or conditional access models that would allow gatekeepers to benefit from user‑centric access regimes only if they commit to opening up their own data troves (as suggested in parts of the literature); stronger, more symmetric constraints on data holders selling or transferring data to gatekeepers, possibly coupled with nudging‑based consent architectures that explicitly ask users whether data may be shared with gatekeepers; more lenient approaches that rely on the DMA’s “data unlocking” obligations as a sufficient safeguard and refrain from additional gatekeeper‑specific exclusions in adjacent instruments.

Part III: Directions and rationales for enhancing EU Tech Governance:

Part III returns to the “Gretchenfrage”: Should the EU further develop this asymmetric paradigm, and if so, on which normative basis? The paper does not advocate a single preferred model, but instead draws out the trade‑offs that different paradigms imply for user autonomy, competition, innovation and the EU’s aspiration to digital sovereignty. A strongly sovereignty‑driven, distribution‑oriented paradigm may justify more pervasive gatekeeper exclusions and state‑level discrimination, but risks incoherence, circumvention via data holders, and negative welfare effects in markets where gatekeeper‑provided intermediation genuinely increases consumer surplus. A more competition‑centred paradigm would focus on closing under‑inclusive loopholes and aligning gatekeeper‑specific restrictions and obligations within the DMA’s institutional framework, but may struggle to accommodate industrial‑policy ambitions. A reciprocity‑based model, finally, would try to strike a balance by tying gatekeeper access to corresponding openness obligations, thereby operationalising a more relational understanding of fairness in data sharing.

Literature (tentative):

Bomhard, David and Merkle, Marieke: Der Entwurf eines EU Data Acts (2022) 18(3) RDi – Zeitschrift für das Recht der Digitalisierung, 168

Drexl, Josef and Banda, Carolina and Gonzalez Otero, Begoña and Hoffmann, Jörg and Kim, Daria and Kulhari, Shraddha and Moscon, Valentina and Richter, Heiko and Wiedemann, Klaus: Position Statement of the Max Planck Institute for Innovation and Competition of 25 May 2022 on the Commission's Proposal of 23 February 2022 for a Regulation on Harmonised Rules on Fair Access to and Use of Data (Data Act) (May 25, 2022). Max Planck Institute for Innovation & Competition Research Paper No. 22-05, available at SSRN: https://ssrn.com/abstract=4136484

Hadebe, Siyabonga: Digital Sovereignty and Tight Regulation in the EU: Analysing the Motivation behind the Digital Markets Act (30 April 2022), available at SSRN: https://ssrn.com/abstract=4785054

Hartl, Korbinian and Wentzel, Cathrin: ‘Art 5 Data Act’ in Paschke, Anne and Schumacher, Pascal (eds), EU Data Act, C.H. Beck, 2026

Heinzke, Herbers and Kraus: Datenzugangsansprüche nach dem Data Act, (2024) Betriebs‑Berater (BB) 649

Kerber, Wolfgang: Governance of IoT Data: Why the EU Data Act Will not Fulfill Its Objectives (2023) Gewerblicher Rechtsschutz und Urheberrecht International (GRUR International), 120

Kerber, Wolfgang: EU Data Act – Will new user access and sharing rights on IoT data help competition and innovation? (2024) 12(2) Journal of Antitrust Enforcement, 234

Krämer, Jan: Improving the Economic Effectiveness of the B2B and B2C Data Sharing Obligations in the Proposed Data Act (Centre on Regulation in Europe (CERRE) 2022

Lienemann, Gregor and Wienroeder, Marie: Data Licence Agreement and User’s Right of Access (Art. 4), in: Hennemann, Moritz et al. (ed), Data Act – An Introduction, Nomos, 2024, 71

Martens, Bertin: Pro- and anti-competitive provisions in the proposed European Union Data Act, Working Paper 01/2023, Bruegel

Metzger, Axel and Schweitzer, Heike: Shaping Markets: A Critical Evaluation of the Draft Data Act (2023) 31 Zeitschrift für Europäisches Privatrecht (ZEuP), 42

Podszun, Rupprecht: Der EU Data Act und der Zugang zu Sekundärmärkten am Beispiel des Handwerks, Nomos, 2023

Raue, Benjamin: in: BeckOK DatenschutzR/Schmidt, 54. Ed. 1.8.2025, DA Art. 5

Sattler, Andreas: Art. 5 Data Act, in: Specht, Lousia and Hennemann, Moritz (eds.), Commentary on the Data Act, 2nd edition, C.H. Beck, 2025

Sattler, Andreas: Art. 6 Data Act, in: Specht, Lousia and Hennemann, Moritz (eds.), Commentary on the Data Act, 2nd edition, C.H. Beck, 2025

Sattler, Andreas: Data Act and Data Protection Law, in: Sattler, Andreas and Zech, Herbert (eds), The Data Act: First Assessments, epubli, 2024, 103

Schmidt‑Kessel, Martin: Heraus‑ und Weitergabe von IoT‑Gerätedaten, (2024) MultiMedia und Recht (MMR), 75

Schweitzer, Heike and Metzger, Axel and Blind, Knut and Richter, Heiko and and Niebel, Crispin and Gutmann, Frederik: Data Access under the Draft Data Act, Competition Law and the DMA: Opening the Data Treasures for Competition and Innovation? (2023) 72(4) GRUR International – Journal of European and International IP Law, 337

Schweitzer Heike, Metzger Axel and others: Data Access and Sharing in Germany and in the EU: Towards a Coherent Legal Framework for the Emerging Data Economy, Final Report (Report for the German Federal Ministry for Economic Affairs and Climate Action, 8 July 2022)

Torregiani, Simone: Il Data Act – una versione europea del Data Nationalism? (2024) 5(2) Rivista italiana di informatica e diritto, 131

Von Dittfurth, Lukas: The European Union’s Pursuit of Digital Sovereignty through Legislation’ (2025) 16(2) Journal of Intellectual Property, Information Technology and Electronic Commerce Law, 286

Vezzoso Simonetta, The Dawn of Pro‑Competition Data Regulation for Gatekeepers in the EU (2021) 17(2) European Competition Journal, 391

ABSTRACT. The concept of personal data lies at the heart of European Union data protection law. Whether a particular piece of data qualifies as ‘personal data’ determines the applicability of the General Data Protection Regulation (GDPR) and its associated obligations. Despite its central role, the concept remains deeply contested. Courts, regulators, and scholars oscillate between expansive interpretations that treat personal data as virtually boundaryless and more restrictive approaches aimed at preserving legal certainty. These tensions are most visible in debates surrounding identifiability, which functions as the decisive threshold for bringing data within the scope of EU data protection law.

This paper offers a conceptual reinterpretation of personal data by examining three of its definitional elements, namely ‘any information’, ‘relating to’, and ‘identified or identifiable’, and by analysing how they operate together as a relational and evidentiary construct. Rather than proposing a definitive framework to resolve the personal data debate, the paper aims to clarify the internal logic of the concept and to uncover the philosophical and technical assumptions that implicitly structure EU data protection law. It combines doctrinal legal analysis with insights from information theory, the philosophy of relations, and statistical disclosure control.

The first contribution concerns the element ‘any information’. While EU data protection law defines personal data in informational terms, neither the GDPR nor its predecessor specifies what counts as information. Drawing on information theory, the paper argues that this omission masks a more fundamental issue. The true regulatory object of data protection law is not information alone, but data. Data is a broader ontological category that includes syntactic representations which may lack semantic meaning yet still generate harm when processed. Restricting data protection to semantic information risks excluding such practices from legal scrutiny. The paper, therefore, argues for an extensional understanding of personal data that encompasses all dimensions of data processing, from syntax to semantics to pragmatics.

The second contribution addresses the element ‘relating to’. Existing legal accounts, particularly those developed by the Article 29 Working Party and endorsed by the Court of Justice of the European Union, conceptualise relatedness through relations of content, purpose, or result. While useful, these categories remain under-theorised and insufficiently sensitive to the structural diversity of relations that data can establish. To address this gap, the paper introduces a typology of relations drawn from the logic and philosophy of relations. Relations are analysed by their adicity (or arity) and by their formal properties. This framework reveals that not all relations pose equal identifiability risks, as identifiability increases with relational arity and with properties that support inference and informational asymmetry.

The third contribution focuses on the element ‘identified or identifiable’. The paper argues that only a limited subset of relations, namely those capable of singling out an individual, ground identifiability. It examines the equivalence and identity relations and shows that identity, understood as numerical self-identity, cannot serve as the foundation of a general theory of identifiability. No informational subset can fully represent an individual, and legal identification does not require exhaustive representation. Building on this account, the paper introduces the ‘identity–information paradox’, whereby representation requires a maximal set of information, yet identifiability requires only a minimal distinguishing subset. The paper also advances a weakened conception of identity, i.e. qualitative identity, grounded in nominalism. Under this approach, a subset of names or predicates may stand in for an individual if it is sufficient within a given epistemic context. This move allows identifiability to be understood as contextual and relational rather than intrinsic to data. Finally, the paper examines the standard of proof governing identifiability by considering both legal and technical considerations.

ABSTRACT. Non-personal data is a negatively defined concept of European Union (EU) data law. This creates a division in terms of fundamental rights protection, as only personal data processing falls under the purview of data protection law, and non-personal data conventionally falls outside. As a result, European regulation on non-personal data ends up being grounded in the general EU competence for the harmonisation of the internal market (Art. 114 of the Treaty on the Functioning of the EU, TFEU). Yet, this legal basis is not designed to capture the vast range of potential fundamental rights concerns implicated by non-personal data processing, especially since they emerge in AI-driven applications (industrial data, synthetic data and group data). Non-personal data regulation is thus framed exclusively through the lens of a market-functional perspective, thus leaving aside fundamental rights considerations, non-economic interests and non-market values regarding non-personal data processing. However, since the line between personal and non-personal data has been difficult to draw despite the latest CJEU case law on the definition of personal data and the non-personal definition(s) laid down in recent EU data law (such as the Data Governance Act, the Data Act and the European Health Data Space Regulation), it is evident that non-personal data is located in an uncomfortable position which does not do justice to its challenges, concerns and implications for fundamental rights protection. The paper argues that the fundamental right of data protection (Art. 8 CFREU) covers non-personal data processing, and may therefore be used for legislating on it (Art. 16 TFEU). The paper submits that data protection (primary) law does not necessarily sideline non-personal data. However, it does not call for extending the existing secondary law (the GDPR) to cover non-personal data. Rather, it accommodates an interpretation of data protection as a framework for the protection of natural persons in relation to the processing of data, irrespective of their nature, as long as the data raises fundamental rights concerns and implications. This argument unfolds on the basis that the TFEU and the CFREU provisions on data protection are capable of addressing non-personal data processing as a matter of law. On the one hand, the text of the primary law provision is drafted in such a manner to potentially cover certain key aspects of non-personal data processing practices. On the other hand, interpreting primary law provisions in their context, as well as their historical development as a matter of EU law, places them on a broader landscape of relations between natural persons and ‘data’, and invites consideration of closely linked fundamental rights concerns such as freedom of information. The paper thus highlights important aspects of EU primary law that provide entry points, and demonstrates that a more holistic narrative of ‘data protection’ as a regime for the protection of everyone from data-specific violations would enable an interface between non-personal data and adjacent fundamental rights that would better reflect the heterogeneous nature of non-personal data. Finally, it provides an overview of potential implications for the EU law of non-personal data as it exists and positions the argument within the context of the Digital Omnibus Proposal.

ABSTRACT. In this contribution, I examine the role of the principle of accountability in constraining data controllers’ decisions regarding personal data processing. In the first section, I examine the principle of accountability established by the GDPR. In the second section, I investigate the constraining role of accountability in data controllers’ data processing choices through the concept of discretion. Third, I examine the accountability instruments in the GDPR and their role in ensuring a high level of protection for the rights and freedoms of natural persons. Fourth, I identify the bodies to which data controllers are accountable, and suggest a connection between accountable actors and independent authorities. Section 5 presents the conclusions of this contribution.

ABSTRACT. The “global digipolis” is a concept that refers to digital culture and information technologies as integral to the modern city. It draws on the late 19th century sociologist George Simmel’s discussion of the metropolis [1, 2]. This paper refers to Simmel to challenge how “smart cities” and “smart housing” are conventionally framed as being more efficient in the allocation of economic opportunities, the lowering of costs, and the production of new technologies. Included is an appeal to create policies that are more responsive to the lives of their inhabitants. In turn, the risks identified with promises of efficiency, and convenience are often legal in nature, including risks of harm, eroding fundamental freedoms through marginalization, discrimination, and a loss of privacy.[2]

Two literatures resonate with Simmel’s perspective, and can help to bring the legal discussion into focus. The first is about “platform urbanization”, which looks at the transformation of urban space from the standpoint of capital accumulation (following Marx) and surveillance (following Foucault). [3] The second refers to a related literature that draws on Science and Technology Studies (STS). This allows for a, cautious, affirmation of the need for new forms of experimentation, and related epistemological strategies. Priority is typically given to the direct involvement of citizens, as users of new technologies, local practitioners, and as active (co-)creators of participatory spaces. [4, 5]

Simmel, however, pointed to a “blasé attitude”, which frames the indifference and apathy of the inhabitants as a necessity, as a matter of survival. This is not something to overcome, but should be understood as a matter of self-preservation. Furthermore, Simmel remains relevant for the emphasis that he put on political and legal theory, going back to the role of the city in antiquity, as well as re-contextualizing Enlightenment concepts, which carries over to considerations of “self” and “other” in the context of the smart home and the smart city.

The paper argues that a connection can be created between two disparate literatures, and their contrasting normative positions. [6] Central to the argument is “law and technology”, albeit that it is about the need to find ways to draw on the foundations of law as revolving around the “polis” (or “civitas”) and “domus”. These terms (the city and the home) were integral to the development of Roman law, and, by extension, today’s private law in its relation to the impact of AI on the smart home and the smart city. [7]

On the one hand, Roman law developed a layered conception of personhood in the context of growing urban zones. There is substantial continuity with today’s reliance on contracts, commercial agreements, and property rights, including in AI, in smart homes, and smart cities and their governance.[2] In other words, it applies to life in a global digipolis, understood as a pseudo-public realm from the standpoint of the circulation of the data that carries over to minds, bodies, to how we live, and to lives in urban spaces. [6, 7, 8, 9]

On the other hand, the paper considers the home and the city as strategic settings that foreground a myriad of problems that revolve around the entanglement with digital technologies and AI. These problems include the pressure put on the central premises of law is that a person is a physical and moral being with a body and an ‘inner self’ that requires legal protection. While this pressure, with Simmel, revolves around the commercial life of the city, he prioritizes the self’s survival in the context of the transformation of the city into a metropolis.

Crucially Simmel’s answer is not that of the rational agent whose self-realization and participation in society are applied to its choice in regard of the usage of technological objects. Rather, it is a disengaged citizen (who is blasé), which includes certain aspects that belong to his or her legal personhood as it is being re-negotiated under conditions of extreme connectivity. Self-preservation becomes a necessity, as a matter of (Hobbesian) survival, and is critically affirmed in how conventional understandings of privacy, autonomy, and self-determination end up being reconceptualized in policies aimed at innovation.

The paper calls attention to “the pragmatism” of the Romans, and how it applies to the proposition that it might be sensible to assign agency to nonhumans, including to AI. [7] This is happening from the standpoint of legal designs that, like the Romans, acknowledge that human possess an inherent inner value, and yet allow for a fluid distinction between persons and things. Roman pragmatism is, therefore, to be observed in how, today, the value of humanity can be constantly affirmed, while at the same time there are many kinds of hybridization at work, including those that challenge the identification of the home as a private realm [10, 13]

The outcome, following Simmel’s line of reasoning, is this: the dichotomy of the home and the city is no longer something to take for granted, or to (naturally) fall back on as an assumption for conventional legal discussions of ethical norms and principles (e.g. good faith ethics) in private law or otherwise [14]. Again, there is continuity, this time with Roman homes and cities wherein the market was prioritized, as is the case when considering how privacy and personal data are legally protected today. Yet, we will ask whether the pragmatic methodology extends to task of identifying the multiple layers of private spheres, each seen as a matrix of identity formation that is not fixed in their relation to notions of legal personhood.

The paper argues that the question needs to be approached philosophically, along the lines of the theoretical horizon derived from Simmel. Specifically he criticizes the 19th century conception of autonomy, self-determination and individuality, along similar lines as the challenge of the individual (in its Kantian sense) in 20th century critiques of modernity. These also reject sharply defined dichotomies of nature and society, subject and object, inner and outer, private and public, local and global, etc. [10] Included is the stance that the protection of the foundation of personhood is selective in the sense that it singles out privileged individuals along Euro-centric lines [11, 12].

Its demise, therefore, is not solely negative, which in Simmel’s case is again about the survive of the self. He highlights the pressure on its interior, in relation to the city as its exterior. This is different from mere (Hobbesian) survival, in its claim on the principle of self-preservation as a matter of resistance to “the social-technological mechanism”. Accordingly the conclusion seeks to establish conditions that allow for an alternative view of the protection of identity and autonomy as belonging to an inner realm, defined in contrast to the external world. [1]

In conclusion we argue that it is necessary but not sufficient to point to the long and rich history of legal thinking that draws on complex intellectual ideas about the ‘other’, which as a Roman relic refers to the ‘stranger/non-citizen’, marginal, and the one who is not an “owner of soil’. This is again the “pragmatic” position, one wherein smart home and the smart city are seen to be benefit from experimentation, and an open view of legal designs that include stakeholders and users of technology.

The paper will detail that such pragmatism remains Roman in its imperialistic sense, and yet it is possible to shift the emphasis to contemporary perspectives that take a more explicit ethical or social theoretical standpoint. Accordingly, the home and the city are to be re-imagined in terms of a future that revolves around identity formation, and bodily lives that are open to, and constructed by others. [2, 10, 11, 12, 14, 15, 16]

This means that hybridization is taken as a given (e.g. of inner and outer), as are pragmatic legal remedies working across public and private in AI-centric settings. This is and will be a given, in a global digipolis of ever more efficient smart devices, home assisted intelligence, and so on. Accordingly Simmel’s concern over the commercial life of the metropolis is amplified, in the form of platform urbanism, surveillance capitalism, or otherwise. [3, 14] Clearly these revolve around private law, and, in turn, the goal of finding ways to protect the self, and aid its sense of survival [10]. Yet, giving priority to how the Romans came up with legal considerations on fairness and equity in the market could change the discussion; it is key to a stance that allows one to question whether there is, today, another minimal morality that could be expanded upon.

The point is not to single out easy solutions, given how private law is conventionally about market relations, transaction-focused and instrumental in turning technological developments into commodities and assets. Yet, this line of critique does not change the task: to reach a more coherent conceptualization of the layers of “inner”, to be affirmed and mobilized in strategic settings like the home and the city, with as its goal to find new ways to deal with the hybrid subject-object relationships that will keep emerging in future techno-politics. [7, 13, 18]

(note 1500 words)

[1] Simmel, G. (1976) The Metropolis and Mental Life (tr. K. H. Wolff) Chapter 1 in The Sociology of Georg Simmel. (New York, Free Press) [2] Deibel, T. and Deibel E. (2026 forthcoming) “The Inner Self in Urban Techno- politics: Smart Cities and Planned Persons.” In: J. Cuffe & P. Walsh (eds.) CyberSocial Transformations: disruption and continuity in the everyday. Oxford, Berghahn books. [3] Mahmoudi D., Anthony M. Levenda, John G. Stehlin (2020) Political ecologies of platform urbanism. In: Urban Platforms and the Future City, Hodson, M., Kasmire, J., McMeekin, A., Stehlin, J.G., & Ward, K. (Eds.). (2020). Urban Platforms and the Future City: Transformations in Infrastructure, Governance, Knowledge and Everyday Life. Routledge. [4] Barns, S. (2019). Negotiating the platform pivot: From participatory digital ecosystems to infrastructures of everyday life. Geography compass 13 (9). [5] Cowley R. & Caprotti, F. (2018). Smart city as anti-planning in the UK. Environment and Planning D: Society and Space, 37(3), 428-448. [6] Deibel, E. (2025) AI and the Social Contract: Winner, Latour and political theory. The Bulletin of Science, Technology and Society. 45(1-2). [7] Ucaryilmaz Deibel, T. (2021) Back to (for) the Future: AI and The Dualism of Persona and Res in Roman Law. European Journal of Law and Technology 12, no.2, (2021):1-27. [8] Deibel, T., and E. Deibel. (2025). Forgotten Boundaries in Law: On AI and Neurotechnology. Law, Technology, and Humans. 7 (1):96-106. [9] Tamminen S. and Deibel, E (2019) Recoding life: information and the biopolitical. London, Routledge. [10] Latour, B. (1993). We Have Never Been Modern. New York, Harvester Wheatsheaf. [11] Harraway, D. (1997) ModestWitness@Second_Millenium.FemaleMan© _Meets_OncoMouse™: Feminism and Technoscience. London: Routledge. [12] Hayles, K. (1999). How We Become Posthuman: Virtual Bodies in Cybernetics, Literature, and Informatics. Chicago: Chicago University Press) [13] Arendt, H. (1997). The Human Condition. Chicago IL: University of Chicago Press [14] Deibel, T and Deibel E. (2023) Artificial Intelligence in Ancient Rome: Classical Roman Philosophy and Legal Subjectivity. In: Ruth Edith Hagengruber (ed.), Women Philosophers on Economics, Technology, Environment, and Gender History: Shaping the Future, Rethinking the Past. De Gruyter. pp. 157-168 [15] Levinas, E. (1969) Totality and Infinity: An Essay on Exteriority, tr. Alphonso Lingis. Pittsburg: Duquesne University Press. [16] Foucault, M. (2011) The Courage of Truth. New York, NY: Palgrave Macmillan. [17] Zuboff, S., & Schwandt, K. (2019). The age of surveillance capitalism: the fight for a human future at the new frontier of power. Profile Books. [18] Deibel E. (2023) Rousseau and the Future of Freedom: Science, Technology and the Nature of Authority. London: Routledge.

ABSTRACT. The development of artificial intelligence (AI) raises significant moral concerns – ranging from privacy and surveillance issues, to discrimination and possibilities for human flourishing in an AI-augmented world. Over the past decade, scholars from a wide range of disciplines, including philosophy, law, sociology, anthropology, critical data studies, media studies, computer science have sought to distinguish, scrutinize and address these concerns, under what is now commonly referred to as “AI ethics”. While this proliferation of research on the moral concerns raised by AI reflects a pressing societal and scientific need for deeper reflection on the moral challenges and disruptions instigated by the widespread adoption of AI today, it has also led to a body of literature which, in light of its astounding breadth, is challenging to navigate. In this presentation I offer a structure to this diverse, manifold, rich and ever-expending body of literature discussing the moral concerns raised by AI. In solely focusing on AI ethics principles and guidelines, most overviews of the field hold a principle-based understanding of the moral concerns raised by AI. However, as the literature review of me and my co-authors illuminates, there is more richness and diversity in the current body of literature than this dominant principle-based approach seems to suggest. In our literature review, we identify three approaches by which authors tend to formulate the moral concerns raised by AI: principles, lived realities, and power structures. These approaches can be viewed as ‘lenses’ through which authors understand and grapple with the moral concerns raised by AI, each coming with their specific theoretical sensitivities, disciplinary traditions, and methodologies. The first “principle-based” approach – the predominant approach in the AI ethics literature that is rooted in the Kantian tradition – takes moral concerns to be universal, stable, and fixed principles; which are globally shared, may travel between contexts and are often predetermined. What we call the “lived realities” approach foregrounds the interaction between people and AI systems, focusing on local practices and everyday experiences, generally on micro-level. Drawing on (post)-phenomenology, virtue ethics and Science and Technology Studies (STS), authors in this more practice-oriented approach depart from specific contexts of AI development and use as the site of identification of moral concerns. Thirdly, what we call the “power structures” approach considers AI as a social technical system, accounting for the cultural, social, political, economic context of AI development, hence human-AI interactions at macro-level, drawing on a Foucauldian and critical theory tradition. Our tripartite distinction, by way of comparison, also sheds light on the strengths and weaknesses of each of these approaches. While the principle-based approach is useful for generating guidelines which can be readily applicable across contexts and translated into law and technology design, it tends to neglect the diverse situated realities of AI adoption and implementation which are central to the lived realities approach, as well as structural concerns that shape AI development and adoption in the power structures approach. Conversely, the lived realities approach is helpful for zooming in on how people actually interact with AI in different contexts, something both the principle-based and power structures approach frequently overlook. But this micro-level orientation makes generalizations difficult, while the focus on individuals loses view of structural concerns. Finally, while the power structures approach contributes valuable macro-level analyses that bring in broader societal and political concerns, it risks seeing only power over and above the rich plurality of types of human-AI interactions that animates the lived realities approach, and it can be seen as lacking the pragmatism which is oftentimes necessary for concrete solutions. As becomes clear, each approach can also be understood as a response to the omissions and limitations of each other. In bridging together different moral frameworks, traditions, and questions, our structure may serve as a bridge for comparing AI ethics with other areas of applied ethics, such as medical and bioethics, pedagogical ethics, research ethics or business ethics – considering AI systems are quickly integrated into different spheres of society. This can contribute to developing and implementing ethical and responsible AI in numerous sectors where AI is rapidly being adopted like healthcare, education, and public policy.

ABSTRACT. In the EU digital regulation, fairness has gained increased centrality, being often advocated both as a formal and substantive principle aimed at addressing power imbalances, with warnings raised as to the risk of being exploited as a discretionary decision-making tool.

Even a proposal for a Digital Fairness Act is in the pipeline of the European Commission for 2026, aiming at tackling a range of online commercial practices, such as dark patterns and addictive designs, that exploit consumers’ vulnerabilities.

Overall, with the advent of Artificial Intelligence (AI) technologies, fairness has been mobilised as a value to which AI should adhere. From a legal point of view, fairness is related to the rights of equality and non-discrimination, despite techno-centric metrics approaches have been considered at odds with EU non-discrimination law (Wachter, Mittelstadt, Russell 2021a, 2021b). However, the European Union Artificial Intelligence Act (‘AI Act’) explicitly mentions fairness only in the recitals and does not provide a direct reference or definition in the text. Nevertheless, it does impose data governance measures to address bias in AI systems classified as high-risk.

Against this unarticulated normative value of the principle of fairness and the concurrent debate on its relevance as a principle of digital and AI governance, in our contribution, we investigate its relationship with another recurrent principle, more steadily codified in global and European AI governance: human oversight over autonomous systems, including AI.

Specifically, we delve into the relationship between human oversight and fairness, first from a philosophical standpoint and then in the context of the EU AI Act.

We address two core research questions: (i) How are human oversight and fairness related? (ii) To what extent does the AI Act establish a framework for human oversight that effectively supports the implementation of the various dimensions of fairness?

Based on a review of interdisciplinary literature, the contribution identifies three normative claims linking human oversight to fairness: 1) Human oversight attempts to mitigate AI bias, thus enabling fairness as the right not to be discriminated against; 2) Human oversight contributes to the allocation of human accountability, thus enabling fairness as a mechanism of accountability by assigning oversight to natural persons where AI systems lack legal liability; 3) Human oversight allows empathy and contextual awareness in the decision-making, thus enabling fairness as empathy, a substantive notion of fairness that takes into account individual circumstances.

Against these three claims, the contribution proceeds to assess how the AI Act regulate the requirement of human oversight over AI systems and whether it contributes to enabling fairness in its three dimensions.

Our analysis highlights four major shortcomings (i) the uneven and strict distribution of oversight roles among the different actors in the AI value chain; (ii) the prominent technical nature of the human oversight prescribed and the lack of explicit reference to organizational measures; (iii) the lack of consideration of the mental processes set in motion by human-AI interactions, other than automations bias and (iv) the lack of safeguards on the duration of the human intervention.

In conclusion, a critical analysis of the AI Act reveals that while the normative aspirations linking human oversight to fairness are acknowledged, the Act only partially operationalises them, leaving several aspects of fairness insufficiently supported.

Bibliography Article 29 Data Protection Working Party. (2018, July). Guidelines on automated decision-making and Profiling for the purposes of Regulation 2016/679. Banks, V. A., Plant, K. L., & Stanton, N. A. (2019). Driving aviation forward: Contrasting driving automation and aviation automation. Theoretical Issues Ergonomics Science, 20(3), 250–264. Beck, J., & Burri, T. (2024). From ‘human control’ in international law to ‘human oversight’ in the new EU act on artificial intelligence. In D. Amoroso, and F. S. D. Sio (Eds.), Research handbook on meaningful human control of artificial intelligence systems (104–130). Cheltenham: Elgar. Bellamy, R. K. E., Dey, K., Hind, M., Hoffman, S. C., Houde, S., Kannan, K., … Zhang, Y. (2019). AI Fairness 360: An extensible toolkit for detecting and mitigating algorithmic bias. IBM Journal of Research and Development, 63(4/5), 4:1–4:15. Binns, R. (2018). Algorithmic accountability and public reason. Philosophy and Technology, 31, 543–556. Binns, R. (2020). Human judgement in algorithmic loops: Individual justice and automated decision-making. Regulation & Governance, 16(1), 197–211. Botero Arcila, B. (2024). AI liability in Europe: How does it complement risk regulation and deal with the problem of human oversight? Computer Law & Security Review, 54, Article 106012. Brennan-Marquez, K., Levy, K., & Susser, D. (2019). Strange loops: Apparent versus actual human involvement in automated decision making. Berkeley Technology Law Journal, 34(3), 745–771. Buçinca, Z., Malaya, M. B., & Gajos, K. Z. (2021). To Trust or to Think: Cognitive Forcing Functions Can Reduce Overreliance on AI in AI-assisted Decision-making. Proceedings of the ACM on Human-Computer Interaction, 5(CSCW1), Article 188, New York: Association for Computing Machinery. Crootof, R., Kaminski, M. E., Price, W., & Nicholson, I. I. (2023). Humans in the loop. Vanderbilt Law Review, 76(2), 429–510. Cuff, B. M., Brown, S. J., Taylor, L., & Howat, D. J. (2016). Empathy: A review of the concept. Emotion Review, 8(2), 144–153. De Bruyne, J., & Dheu, O. (2023). Liability for damage caused by artificial intelligence: Some food for thought and current proposals. In P. Morgan (Ed.), Tort liability and autonomous systems accidents common and civil law perspectives (27–62). Cheltenham: Edward Elgar Publishing. De Bruyne, J., Van Gool, E., & Gils, T. (2022). Tort law and damage caused by AI systems. In J. D. Bruyne, and C. Van Leenhove (Eds.), Artificial intelligence and the law (2nd ed., pp.395–445). Intersentia. De Hert, P., & Lazcoz Moratinos, G. (2021, October 13). Radical rewriting of Article 22 GDPR on machine decisions in the AI era. European Law Blog. Dwork, C., Hardt, M., Pitassi, T., Reingold, O., & Zemel, R. (2012). Fairness through awareness. Proceedings of the 3rd innovations in theoretical computer science conference (ITCS ‘12). Association for Computing Machinery, USA, 214–226. Elish, M. C. (2019). Moral crumple zones: Cautionary tales in human-robot interaction. Engaging Science, Technology, and Society, 5, 40–60. Enqvist, L. (2023). ‘Human oversight’ in the EU artificial intelligence act: What, when and by whom? Law, Innovation and Technology, 15(2), 508–535. European Commission. (2020). White Paper on Artificial Intelligence. A European approach to excellence and trust. European Commission. (2022). The use of digitalisation and artificial intelligence in migration management. European Parliament. (2021). Guidelines for military and non-military use of Artificial Intelligence. Gerards, J., & Xenidis, R. (2021). Algorithmic discrimination in Europe – Challenges and opportunities for gender equality and non-discrimination law. European Commission: Directorate-General for Justice and Consumers, Publications Office. Gil González, E., & De Hert, P. (2019). Understanding the legal provisions that allow processing and profiling of personal data—an analysis of GDPR provisions and principles. ERA Forum, 19, 597–621. Goodman, B., & Flaxman, S. (2017). European Union regulations on algorithmic decision-making and a “right to explanation. AI Magazine, 38(3), 50–57. Green, B. (2022). The flaws of policies requiring human oversight of government algorithms. Computer Law & Security Review, 45, Article 105681. Hacker, P. (2018). Teaching fairness to artificial intelligence: Existing and novel strategies against algorithmic discrimination under EU law. Common Market Law Review, 55(4), 1143–1185. Hardt, M., Price, E., & Srebro, N. (2016). Equality of opportunity in supervised learning. Proceedings of the 30th International Conference on Neural Information Processing Systems (NIPS’16), USA, 3323–3331. High-Level Expert Group on Artificial Intelligence (HLEG AI). (2019). Ethics guidelines for trustworthy AI. Johnson, D. G., & Powers, T. M. (2005). Computer systems and responsibility: A normative look at technological complexity. Ethics and Information Technology, 7(2), 99–107. Jones, M. L. (2020). The ironies of automation law: Tying policy knots with fair automation practices principles. Vanderbilt Journal of Entertainment and Technology Law, 18(1), 77134. Keay, A. (2014). Comply or explain in corporate governance codes: In need of greater regulatory oversight? Legal Studies, 34(2), 279–304. Koulu, R. (2020). Proceduralizing control and discretion: Human oversight in artificial intelligence policy. Maastricht Journal of European and Comparative Law, 27(6), 720–735. Kyriakou, K., & Otterbacher, J. (2023). In humans, we trust: Multidisciplinary perspectives on the requirements for human oversight in algorithmic processes. Discover Artificial Intelligence, 3(44). Langer, M., Baum, K., & Schlicker, N. (2025). Effective human oversight of AI-based systems: A signal detection perspective on the detection of inaccurate and unfair outputs. Minds and Machines, 35(1), 1–30. Laux, J. (2023). Institutionalised distrust and human oversight of artificial intelligence: Towards a democratic design of AI governance under the European Union AI Act. AI and Society, 39, 2853–2866. Lazcoz, G., and De Hert, P. (2023). Humans in the GDPR and AIA governance of automated and algorithmic systems. Essential pre-requisites against abdicating responsibilities. Computer Law & Security Review, 50, 1. Lee, M. S. A., Floridi, L., & Singh, J. (2021). Formalising trade-offs beyond algorithmic fairness: Lessons from ethical philosophy and welfare economics. AI and Ethics, 1, 529–544. Leichtmann, B.,Humer, C.,Hinterreiter, A.,Streit, M., & Mara, M. (2023). Effects of Explainable Artificial Intelligence on trust and human behavior in a high-risk decision task. Computer in Human Behavior, 139. Loh, W., & Loh, J. (2017). Autonomy and responsibility in hybrid systems. In P. Lin, R. Jenkins & K. Abney (Eds.), Robot ethics 2.0.: From Autonomous Cars to Artificial Intelligence (35–50). New York: Oxford University Press. Mehrabi, N., Morstatter, F., Saxena, N., Lerman, K., & Galstyan, A. (2021). A survey on bias and fairness in machine learning. ACM Computing Surveys (CSUR), 54(6), Article 115. Mökander, J. (2023). Auditing of AI: Legal, ethical and technical approaches. Digital Society, 49(2), 1–32. Nagtegaal, R.(2021). The impact of using algorithms for managerial decisions on public employees’procedural justice. Government Information Quarterly, 38(1), Article 101536. Naudts, L., & Vedder, A. (2025). Fairness and artificial intelligence. In N. A. Smuha (Ed.), The Cambridge handbook on the law, ethics and policy of artificial intelligence (pp. 79–100). Cambridge: Cambridge University Press. OECD. (2019). Artificial Intelligence in Society. Paris: OECD Publishing. OECD. (2021). OECD Regulatory Policy Outlook 2021, Chapter 3. Paris: OECD Publishing. Restrepo Amariles, D. (2017). Supping with the Devil? Indicators and the rise of managerial rationality in law. International Journal of Law in Context, 13(4), 465–484. Santoni De Sio, F., & van den Hoven, J. (2018). Meaningful human control over autonomous systems: A philosophical account. Frontiers in Robotics and AI, 5, Article15. Shneiderman, B. (2016). Opinion: The dangers of faulty, biased, or malicious algorithms requires independent oversight. Proceedings of the National Academy of Sciences of the United States of America, 113(48), 13538–13540. Smuha, N. A., and Ahmed-Rengers, E.(2021). How the EU can achieve legally trustworthy AI: a response to the European Commission’s proposal for an Artificial Intelligence Act. Solove, D. J., & Matsumi, H. (2024). AI, algorithms, and awful humans. Fordham L. Rev, 92(5), 1923–1940. Sterz, S., Baum, K., Biewer, S., Hermanns, H., Lauber-Rönsberg, A., Meinel, P., & Langer, M. (2024). On the Quest for Effectiveness in Human Oversight: Interdisciplinary Perspectives. The 2024 ACM Conference on Fairness, Accountability, and Transparency (FAccT ‘24). Association for Computing Machinery, USA, 2495–2507. Veale, M., & Edwards, L. (2018). Clarity, surprises, and further questions in the Article 29 Working Party draft guidance on automated decision-making and profiling. Computer Law & Security Review, 34(2), 398–404. Veale, M., Van Kleek, M., & Binns, R. (2018). Fairness and accountability design needs for algorithmic support in highstakes public sector decision-making. 10.1145/3173574.3174014. Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems (CHI ‘18). Association for Computing Machinery, USA, Paper 440, 1–14. Vedder, A., & Naudts, L. (2017). Accountability for the use of algorithms in a big data environment. International Review of Law, Computers & Technology, 31(2), 206–224. Verdiesen, I., Santoni de Sio, F., & Dignium, V. (2021). Accountability and control over autonomous weapon systems: A framework for comprehensive human oversight. Minds and Machines, 31, 137–163. Wachter, S., Mittelstadt, B., & Russels, C. (2021a). Why fairness cannot be automated: Bridging the gap between EU non-discrimination law and AI. Computer Law & Security Review, 41, Article 105567. Wachter, S., Mittelstadt, B., & Russell, C. (2021b). Bias Preservation in Machine Learning: The Legality of Fairness Metrics Under EU Non-Discrimination Law. West Virginia Law Review, 123(3). Xenidis, R., Senden, L. (2020). EU non-discrimination law in the era of artificial intelligence: Mapping the challenges of algorithmic discrimination. In U. Bernitz, et al. (Ed.). General principles of EU law and the EU digital order (151–182). lphen aan den Rijn: Kluwer Law International. Zarsky, T. Z. (2014). Understanding Discrimination in the Scored Society. Washington Law Review, 89(4), 1375–1412. Zerilli, J., Knott, A., Maclaurin, J. et al. (2019). Algorithmic decision-making and the control problem. Minds and Machines, 29, 555–578. Zuiderveen Borgesius, F. (2018). Discrimination, artificial intelligence, and algorithmic decision-making Council of Europe.

ABSTRACT. The ‘human-in-the-loop’ has emerged as an essential component of most regulatory strategies for automated decision systems and is now formally enshrined in the European Union (EU)’s Artificial Intelligence (AI) Act. Simultaneously evocative and under-specified, the notion that a human will remain in control of any automated system with effects we care about is a powerful one. The popularity of this governance mechanism has made it, in the words of Goldenfein, ‘a sort of Talisman of the appeal to re-humanise – a symbolic regulatory apparatus’ which can comprehensively counterbalance the risks of automation and optimisation.

This vision of the human-in-the-loop as a failsafe makes sense when situated historically. The absence of a human operating and overseeing an aircraft autopilot or manufacturing robot constitutes a liability in both practical and legal terms. The success or failure of these complex machines is also relatively easy for their human operators to define and recognise: they either do or do not accomplish their task cleanly and effectively, without harming the individuals relying on them. With the shift of emphasis from machines to machine learning and probabilistic prediction, however, the task of the human-in-the-loop suffers both semantic and conceptual slippage. When machines are applied to risk profiling in welfare systems, healthcare allocation in a hospital, or any other high-stakes and contested social domain, the human-in-the-loop often becomes used to denote a moral or legal backstop rather than a source of ground truth or engineering expertise. Despite this consequential shift in application, the assumption that human-in-the-loop oversight (hereafter: HITL) can be adapted to stabilise accountability and prevent harm in any kind of automated system remains implicit in many emerging AI regulations.

In order to justify our reliance on HITL, we need to be able to understand where and to what extent it can function meaningfully and effectively, and where it cannot. We therefore aim with this article to systematise and operationalise existing evidence about the conditions under which HITL can and cannot be relied upon to prevent large-scale harms. With one exception that we are aware of, the growing literature on HITL does not yet offer tools to help institutions deploying automated decision systems to proactively make this judgement. To address this gap, we focus on automated decision systems that affect people at scale: systems that cannot be opted out of because they are public, and also often punitive. These systems sit at the social end of a spectrum ranging from less to more human impact in systems’ purpose and application.

After describing the problem in greater detail, we examine how we got here – namely how a control engineering mechanism has come to be applied to political questions for which there is no ground truth or societal agreement. We analyse these developments through the lens of ‘regulatory managerialism’, a mode of governmentality characterised by ‘the regulatory state’s entanglement with managerial governance’. We then discuss three cases in which automated decision systems were justified on the basis of unsupported claims about the prevalence of fraud or gang-related crime, promises of efficiency or safety gains, and the capacity of the relevant humans-in-the-loop to act as a safeguard. These include the Gangs Violence Matrix, DUO, and Udbetaling Danmark. In each, HITL proves to be a necessary but insufficient form of governance. After highlighting the various ways in which HITL failed to prevent individual and societal harm, we identify epistemic injustice – the exclusion of the perspectives and experiences of particular groups in decision-making – as a shared feature of these three cases.

Epistemic injustice has been conceptualised by Fricker as composed of two facets: testimonial injustice, where people are not considered credible, and hermeneutical injustice, where people do not have access to ‘equal participation in the generation of social meanings’. The assumption that people may either be actively subverting a system – or that they will try to if given enough information about its internal workings – is inherent to risk profiling systems in law enforcement and welfare. It also, however, enacts testimonial injustice by defining subjects as inherently untrustworthy. The systems we analyse are premised on what Van Dijck has called ‘dataism’ – the belief that if something can be quantified and expressed statistically, it must be reliable – and a conviction that data and statistics can tell the truth where people will lie. This also aligns with Fricker’s notion of hermeneutical injustice: such systems are designed according to precepts of opacity and formal objectivity to prevent decision subjects from acting in ways that will diminish their chance of being flagged. This baked-in opacity also makes them next-to-impossible for decision subjects to identify and challenge, a feature termed ‘epistemic fragmentation’ by Milano and Prunkl.

HITL becomes instrumental in these forms of epistemic injustice through the assumption that it will have a modulating effect on an automated decision system’s values and functioning. Because the systems we analyse rely on formalised definitions of deviance and data derived from already inequitable social systems, they can result in unjust decisions without making mechanical or calculative errors – something that is difficult to reconcile with the notion of the human-in-the-loop as a check on ground truth. Far from being a dislocated, disembodied knower with a ‘view from nowhere’, the designated human-in-the-loop is usually already somehow involved with the system in question and confined to its logic. As McQuillan puts it, ‘it is not that key decisions are delegated to machines with no human-in-the-loop; rather, that people making pressured decisions are presented with empirical rankings of risk, whose derivation they have no way of questioning’.

Although civil society organisations such as Amnesty International have been and remain essential for exposing the political nature of these HITL failures, we argue that governance needs to be structured in a way that makes the public institutions deploying automated decision systems responsible for anticipating them and taking action before they cause large-scale rights violations. We therefore conclude by offering a framework intended to help public institutions address the asymmetries in power and information that render HITL ineffective. We also identify three ‘limits-of-the-loop’: characteristics of systems that can only be made safe through higher level changes. By making these limits explicit and proposing alternative governance solutions where the HITL prescribed and endorsed by the AI Act is likely to be necessary but insufficient, our aim is not to undermine or advocate for abandoning HITL, but to help stabilise accountability for semi-automated decision-making and better align it with EU law’s aim to protect fundamental rights.

ABSTRACT. 1. Introduction

Bias is a buzz word which frequently features in the regulatory discussions on artificial intelligence (AI) at the European level. As the European Commission recognizes, AI is being developed in various sectors, including the cultural sector.1 While policy underlines that AI offers opportunities, its creation and use also present risks. One notable risk is the often-mentioned bias. Bias seems like a clear concept, which is however more nuanced as it connotes a myriad of meanings and gradations.2 It forms the central concept of this paper, focusing on the social and legal implications of bias in cultural heritage collections with the National Library of The Netherlands (hereafter: KB) and gender bias as a casestudy.

Notably, last summer, the KB agreed to make available digital public domain texts from its collections to help train the Dutch generative language model of GPT-NL, which aims to serve as an ethically responsible public alternative to ChatGPT. At the same time, the KB recognizes that none of its collections are entirely bias-free. While the KB thus contributes to developing an infrastructure alternative to Big Tech, hence furthering digital sovereignty, it remains relevant to research what bias is and what kind of bias may be present where in the collections, since such biases may be reproduced in the technology. In addition, although libraries and other cultural heritage institutions are known for their traditional role to safeguard the fundamental values of diversity, equity and inclusivity , they find themselves in a precarious position in the political climate in some parts of the world.

Against this background, we aim to conceptualize the concept of ‘bias’. While bias is mentioned no less than 25 times in the AI Act, the term is not defined. We can even wonder whether it is a legal concept at all, requiring interdisciplinary and inclusive dialogue. Therefore, our contribution to the bias discussion has two main aims. First, we set out to unravel the concept of bias and different meanings, manifestations and types; second, together with the interdisciplinary KB team – next to us legal scholars consisting of a digital collection specialist, a computer scientist and an AI researcher – we experiment with a way to flag types of bias in selected digitized KB collections. Taken together, our research aims to answer the following question: What is ‘bias’ and how can interdisciplinary dialogue help explore a way to flag types of bias in digitized cultural heritage collections, in view of their subsequent use in the algorithmic information society?

2. Design

To answer the central question, the research is designed as follows. Section 2 starts with analyzing the concept of ‘bias’, taking an interdisciplinary perspective. The section works from the etymological origins of the concept to its contemporary meanings, including from a philosophical perspective. We intend to tease out characteristics rather than a closed definition, in order to compare the meaning of bias in the AI Act against later in the paper. Since one definition of bias is ‘a deviation of a norm’,3 the question arises: which norm? From whose perspective? In addition, we recognize that bias manifests itself at various levels, starting with the composition of collections – that is, stemming from different value systems over time, whose voices are or are not included? – to their actual content and the metadata to unlock the collections. Notably, the manifestations of bias gain another dimension when cultural heritage collections are used as input for AI systems. This account is meant as a form of reflection following the slow archives approach elaborated by Christen & Anderson. That is, examining “structures, practices, and processes of collection, cataloging, and curation to expose where cultural authority is placed, valued, and organized within archival workflows”. This approach should help increase transparency and awareness of potential biases in cultural heritage collections, also before AI is applied.

Next, building on the awareness of different values systems involved, Section 3 centers on introducing the perspective of positionality as a central thread in the research, i.e. awareness of both researchers’ own worldviews as shaped by their backgrounds and how this influences their research. In the case of this research, the theoretical underpinnings of ‘positioning’ and criticizing perceived neutrality, in particular in challenging hegemony, and adding positions are central features.

After the theoretical stage is set, Section 4 analyzes EU legal and policy action on AI through the lens of ‘bias’ and ‘positionality’. Policy documents stress among other things that AI systems should have ‘no built-in bias’ and that strategies to address bias should involve all stakeholders. Yet, as observed, it is not always clear what policy documents mean by ‘bias’. This is however a crucial question, since establishing bias, as well as its consequences – think of legal or practical ones – depends on consensus on its main characteristics. First, therefore, we map to what extent we recognize the identified bias characteristics in the policy discussions. Second, this section links how and where bias is addressed in legal and policy text to positionality as a reflection tool with a discussion of how to operationalize the concept based on archival science and critical and feminist theory perspectives.

The research then turns to the technological experiments in Section 5. Since users of digitized cultural heritage collections will have different backgrounds and may not be aware of the intricacies stemming from for instance the origins, orientation or time frame of the materials, we need to find a way to increase transparency and awareness of potential biases. This is recognized by Europeana’s datasheets initiative: originally a machine learning concept, datasheets are currently being adapted to the cultural heritage field, aiming to provide context on the provenance of cultural data in order to encourage informed decisions on the data’s use. Similarly, data envelopes are being developed to provide context on collections in a machine-readable way to users before they interact with the data. Our research aims to provide entry points to concretize ‘bias’ in the datasheets and -envelopes.

To that end, the experiments train word embedding models following the work of Hamilton. The models indicate the context in which words appear in relation to other words. Although it is interesting that the models consequently provide information about associations, changing meanings and potential biases over time, we should acknowledge certain limitations from the outset. For instance, we could initially only focus on one type of bias (gender) in specifically designated collections (newspapers, no fiction). In addition, given the current state of technology, training the models is very time consuming. For the training data, we were moreover dependent on the availability of digitized materials in Dutch. And an obvious limitation regarding gender, in turn, is that we were bound to the binary categories of ‘male’ and ‘female’, since a Dutch version of the Homosaurus has not yet been developed. Still, these first experiments might be extended to other forms of bias at a later stage.

Taking the main findings of the analysis together, Section 6 concludes and indicates routes for further research. One route regards the tools or information that could be added to the digital KB collections to foster transparency and awareness on ‘bias’, contributing to the balance between values and innovation.

3. References

1. See https://www.kb.nl/nieuws/kb-stelt-rechtenvrije-collecties-beschikbaar-voor-nederlands-ai-model (last consulted 7 January 2026). 2. See the KB’s ethical principles on AI: https://www.kb.nl/sites/default/files/documents/AI%20Principes%20KB.pdf. 3. Eddy Ng et al, ‘The Anti-DEI Agenda: Navigating the Impact of Trump's Second Term on Diversity, Equity and Inclusion’ (2025) 44 Equality, Diversity and Inclusion: An International Journal 137-150 4. See for instance this news: https://www.libraryjournal.com/story/librarian-of-congress-carla-hayden-fired. 5. Kelly Breemen & Vicky Breemen, ‘Introducing ‘BIAS’, or rather: a project on assessing bias in cultural heritage collections in theory and practice’, KB Lab blog 22 September 2025. 6. Kimberly Christen and Jane Anderson, ‘Toward Slow Archives’ (2019) 19 Archival Science 87-116. 7. Cf. Andrew Gary Darwin Holmes, ‘Researcher Positionality – A Consideration of Its Influence and Place in Qualitative Research – A New Researcher Guide’ (2020) 8 International Journal of Education 1-10. 8. Cf. Owen C. King, ‘Archival Meta-metadata: Revision History and Positionality of Finding Aids’ (2024) 24 Archival Science 509-529; Michelle Caswell, ‘Dusting for Fingerprints: Introducing Feminist Standpoint Appraisal’ (2021), in Elvia Arroyo-Ramirez et al, 3 ‘A Radical Empathy in Archival Practice’: Journal of Critical Library and Information Studies (special issue); Donna Haraway, ‘Situated Knowledges: The Science Question in Feminism and the Privilege of Partial Perspective’ (1988) 14 Feminist Studies 3 575-599. 9. European Parliament, ‘Artificial intelligence in education, culture and the audiovisual sector’ (2020/2017(INI)) (resolution of 19 May 2021 on artificial intelligence in education, culture and the audiovisual sector), pt. 4. 10. Among others: Caswell 2021; Haraway 1988. 11. See Henk Alkemade, Steven Claeyssens e.a., ‘Datasheets for Digital Cultural Heritage Datasets’ (2023) 9 Journal of Open Humanities Data 1-11. 12. Mrinalini Luthra and Maria Eskevich, ‘Data-Envelopes for Cultural Heritage: Going beyond Datasheets’ (2024) Proceedings of the Workshop on Legal and Ethical Issues in Human Language Technologies 52-65. 13. William L Hamilton, Jure Leskovec and Dan Jurafsky, ‘Diachronic Word Embeddings Reveal Statistical Laws of Semantic Change’ (2018) Association for Computational Linguistics. 14. See https://homosaurus.org/.

4. Author bios

Kelly Breemen is Assistant Professor at the Centre for Intellectual Property Law (CIER) of Utrecht University’s Molengraaff Institute for Private Law, specialising in research at the intersection of art, culture, law and technology. She holds a research master (2012, cum laude) and PhD in information law from the University of Amsterdam (2018, Institute for Information Law, IViR). Her dissertation focused on the protection of indigenous peoples’ traditional cultural expression (TCEs) from a copyright, cultural heritage and human rights law perspective. Previously, she was a researcher at the NIOD Institute for War, Holocaust and Genocide Studies, conducting academic research on heritage issues and themes in a broader sense, her other main research interest. She was involved in the NWA project Pressing Matter: Ownership, Value and the Question of Colonial Heritage in Museums.

Vicky Breemen is Assistant Professor at Utrecht University’s Centre for Intellectual Property Law (CIER) and the Montaigne Centre for Rule of Law and Administration of Justice. She holds a research master’s degree (cum laude, 2012) and a doctorate (2018) in information law, both from the University of Amsterdam. Her dissertation on the future principles of a library privilege in copyright law was awarded the Dutch Association of Information Professionals’ annual prize for best publication (Victorine van Schaickprijs KNVI, 2019). A central thread in Vicky’s research is the interplay between law, culture and technology, utilising both legal and non-legal concepts and sources. At the UU, she has contributed to various projects on algorithmic decision making and its impact on fundamental rights and values.

For their law & humanities oriented research, Kelly and Vicky have among others been awarded the Witteveen Memorial Fellowship in Law & Humanities 2018 by Tilburg University (to research modalities of sharing and accessing TCEs via digital libraries and the historical, ethical, cultural-political and legal issues involved) and the Researcher-in-Residence Fellowship 2024 at the Dutch Royal Library (for a project on the practical implications of AI in unlocking cultural heritage collections in a project titled ‘BIAS – Towards a Bias Impact Assessment Scale for digitised cultural heritage collections’).

ABSTRACT. The essential facilities doctrine (EFD) has long occupied a paradoxical position within EU competition law. Conceived as an exceptional mechanism under Article 102 TFEU to address refusals to deal by dominant undertakings, it has traditionally been constrained by stringent limiting principles—most notably the requirement of indispensability—aimed at preserving investment incentives and respecting firms’ freedom to conduct a business. In this classical formulation, the doctrine sought to reconcile competitive openness with dynamic efficiency by intervening only in narrowly circumscribed circumstances. Yet, recent developments in EU case law and regulatory policy suggest that the doctrinal, economic, and normative foundations of the EFD are undergoing a profound transformation, particularly in digital markets.

This paper argues that the rise of digital platforms, ecosystem-based competition, and data- and infrastructure-driven innovation signals not merely an adaptation of the essential facilities doctrine, but a gradual transition toward a distinct conceptual framework that may be described as an Essential Digital Facilities Doctrine (EDFD). This emerging framework reflects a shift in the economic reasoning underpinning Article 102 TFEU enforcement: from a focus on classical bottlenecks and static foreclosure toward an assessment attentive to ecosystem dynamics, openness by design, cumulative innovation, and systemic access dependencies. Beyond doctrinal refinement, the paper conceptualises the EDFD as an instrument of digital governance, operating at the intersection of competition law, innovation policy, and value-based constraints in technologically complex and geopolitically fragmented environments.

The paper proceeds in three steps.

First, it retraces the evolution of the essential facilities doctrine in EU competition law, from its consolidation in Magilland Bronner to its progressive recalibration in subsequent jurisprudence. While Bronner articulated a restrictive test centred on indispensability and the elimination of all competition, subsequent case law has increasingly relativised these conditions. Decisions such as Microsoft, Slovak Telekom, and Android Auto II reveal a doctrinal trajectory in which indispensability no longer operates as an absolute threshold in all refusal-to-deal scenarios. This evolution reflects a recalibration of the balance between short-term competitive openness and long-term dynamic efficiency, driven by the structural features of digital markets—network effects, data accumulation, economies of scale and scope, and vertical and conglomerate integration. The paper shows that this recalibration is not merely technical, but normative: it reflects changing assumptions about how innovation occurs, how market power is exercised, and how competition law should respond to forms of dependency that are qualitatively distinct from traditional infrastructure bottlenecks.

Second, the paper analyses how the rationale of the essential facilities doctrine operates in digital platform ecosystems, with a particular focus on interoperability disputes. Building on Android Auto, it shows how the Court of Justice has moved away from a purely infrastructure-centric understanding of essentiality toward an assessment grounded in system design and economic openness. Where platforms are conceived as partially open systems, access obligations increasingly derive from the logic of exclusionary effects and ecosystem foreclosure rather than strict indispensability. This evolution blurs the traditional boundary between competition law and regulation, as Article 102 TFEU increasingly performs quasi-regulatory functions by shaping access conditions, interoperability standards, and ecosystem governance.

This dynamic is further accentuated by the coexistence of Article 102 TFEU with the ex ante obligations imposed by the Digital Markets Act (DMA). Rather than rendering competition law obsolete, the DMA reshapes the context in which Article 102 operates by influencing how access, fairness, and contestability are conceptualised. The paper argues that this coexistence produces a hybrid enforcement landscape, in which ex post competition law retains a central role in areas not fully captured by ex ante regulation, while simultaneously internalising some of the normative objectives of digital regulation. From a governance perspective, this raises broader questions about regulatory hybridity, institutional design, and the allocation of authority between courts, competition authorities, and sector-specific regulators.

Third, and more originally, the paper extends the analysis to the emerging markets for generative artificial intelligence, where the limits of the current EU digital competition framework become particularly apparent. While the DMA establishes an ambitious regime for designated “core platform services”, generative AI systems and their key inputs—such as large-scale computing power, proprietary training datasets, foundation models, and cloud infrastructures—do not, at this stage, fall squarely within its material scope. The DMA’s service-centred taxonomy and gatekeeper logic thus appear ill-suited to capture AI ecosystems characterised by layered vertical integration, cumulative innovation, and strategic control over upstream resources.

Against this backdrop, the paper argues that Article 102 TFEU remains the central legal instrument for addressing access-related concerns in AI-driven markets, particularly when assessed through the lens of dynamic competition. It explores whether—and under what conditions—key AI-related inputs may constitute “essential digital facilities”, paying particular attention to strategic partnerships between dominant technology firms and AI start-ups. These partnerships often combine preferential access, long-term exclusivity, and deep technical integration, generating new forms of dependency that may shape innovation trajectories, market tipping, and long-term contestability without taking the form of classical refusals to deal.

The paper highlights a conceptual ambiguity that has thus far remained insufficiently theorised. Traditionally, the essential facilities doctrine was understood as a safeguard for dynamic competition: by constraining refusals to deal only in exceptional circumstances, it sought to preserve innovation incentives while avoiding static over-enforcement. However, recent case law suggests that once the Bronner framework is declared inapplicable—particularly in platform contexts designed as “open systems”—dynamic competition considerations risk being implicitly sidelined in favour of a more conventional assessment of dominance and exclusionary effects. Drawing on Android Auto, the paper questions whether safeguarding access is the only, or even the primary, means of protecting dynamic competition in digital ecosystems.

From a governance perspective, the paper argues that access obligations framed without sufficient regard to innovation incentives may induce dominant platforms to respond strategically by increasing the technical or economic cost of interoperability. This may occur through architectural redesigns, increased access fees, or the invocation of security and integrity constraints. While refusals to grant access may be objectively justified where interoperability would genuinely threaten platform security or integrity, the mere absence of pre-existing technical templates cannot suffice to justify exclusion. A balanced approach instead requires ensuring interoperability where feasible, while allowing dominant undertakings to require appropriate compensation for the costs, risks, and investments incurred.

On this basis, the paper advances the contours of an Essential Digital Facilities Doctrine grounded in a refined dynamic competition framework. Rather than replicating the classical EFD or abandoning dynamic considerations once Bronner is set aside, the proposed EDFD integrates innovation incentives, ecosystem evolution, and strategic design choices into the assessment of access obligations. More broadly, it conceptualises competition law as a tool of digital governance, capable of mediating the tension between innovation, openness, and value-based constraints in AI-driven markets.

The paper concludes by situating the EDFD within the broader debates addressed by the TILTing Perspectives conference. It argues that competition law plays a critical role in shaping how technological power is distributed and legitimised in a multipolar digital world, particularly where ex ante regulatory frameworks remain incomplete or fragmented. In this sense, the transformation of the essential facilities doctrine exemplifies a wider reconfiguration of Article 102 TFEU in the digital age—one in which competition law increasingly operates at the intersection of markets, values, and technological governance.

ABSTRACT. Digital products increasingly compete through interface architectures that maximise engagement, using design patterns such as autoplay, infinite scroll, algorithmic personalisation, and gamification. EU policy responses have started to target these ‘addictive design’ practices, including platform-governance obligations under the Digital Services Act (DSA) for very large online platforms (VLOPs) and the modernisation of consumer-protection approaches under the Unfair Commercial Practices Directive (UCPD). Yet the regulatory emphasis remains largely consumer-centric: preventing or reducing individual harms associated with excessive use, such as cognitive strain, attention loss or emotional distress, through measures like pattern-specific prohibitions, transparency and consent requirements, and risk-management obligations. This paper argues that this framing only partially captures the governance challenge.

Addictive design is not only a matter of individual consumer welfare; it is also a competitive strategy shaped by market incentives that can, in turn, reshape market structure. The central question aligns with TILTing 2026’s focus on balancing values and innovation: whether, and to what extent, Article 102 TFEU can address the market-level harms of addictive design as a competition problem, as an alternative to blanket prohibitions that risk chilling legitimate interface innovation. Ultimately, the paper argues that Article 102 can address the competition distortions of addictive design through existing abuse categories in many dominant-firm scenarios, while leaving only residual measurement problems for calibrated development. The paper delivers (i) an incentives account of proliferation across inter-firm and intra-firm competitive dynamics; (ii) a mapping from design characteristics to Article 102 theories of harm; and (iii) a high-level enforceability and evidentiary-compatibility test across two business models.

The paper advances two linked claims. First, addictive design proliferates because it is often competitively rational within digital markets where attention operates as a scarce input. Attention can be monetised through advertising, but it also generates feedback effects: capturing more attention produces more data and engagement signals, which improve personalisation and retention, which in turn facilitate further attention capture. These dynamics are reinforced by firm-level product development practices, such as continuous A/B testing and metric-driven iteration, in which engagement indicators (time spent, clicks, and responses to calls to action) become internal proxies for product success. Under these conditions, short-run engagement gains can become a dominant design logic even when they diverge from long-term product quality or user welfare. Second, the competitive harms associated with addictive design are not confined to a single market structure. In markets characterised by intense rivalry, firms may face race-to-the-bottom dynamics in which attention capture becomes the dominant survival strategy, crowding out innovation on dimensions such as usability, informational quality, and the time or energy required to achieve user goals. In markets characterised by entrenched dominance, addictive design can instead reinforce lock-in, increase switching costs, and widen the scope for quality degradation without meaningful user exit. This duality motivates the paper’s core governance move: rather than treating addictive design as uniformly harmful (and therefore best addressed through horizontal rules), the paper focuses on context-specific harmful scenarios, especially those involving firms with significant market power, where intervention can target competition distortions while preserving room for beneficial experimentation.

Against that background, the paper offers a preliminary enforceability test under Article 102 TFEU using two contrasting business models as case studies: multi-sided social media platforms and subscription-based language-learning applications. The contrast is intentional and contributes to the paper’s core message. Social media exemplifies zero-price services with diverse use cases, third-party content, and strong network effects, where addictive design is commonly associated with undesired over-consumption. Language-learning apps, by contrast, are typically subscription-based, focused on a single core service, and often framed as under-consumed ‘merit goods’, where increased use may be perceived as beneficial in the short run. This pairing allows the analysis to capture how consumer expectations, consumption norms, and business-model characteristics shape both (i) the plausibility of competitive harm and (ii) the limits of consumer-protection approaches when user-facing harm is ambiguous or not immediately apparent.

The Article 102 analysis builds on its context-sensitive logic, including the special responsibility imposed on dominant firms. It asks how ‘anti-competitive addictive design’ can be translated into recognised competition parameters—price, choice, quality, and innovation—without requiring the creation of a standalone abuse category. For multi-sided social media platforms, the paper examines how addictive defaults and algorithmic personalisation can fit within established abuse frameworks. On the exploitative side, it conceptualises engagement-maximising design that runs against consumer preferences as a form of non-price ‘overcharge’ in a zero-price setting, operationalised through quality degradation while acknowledging evidentiary and conceptual obstacles in measuring attention as a competitive parameter. On the exclusionary side, it analyses how default bias, reduced discoverability of rivals’ services, and increased switching costs can plausibly function as foreclosure mechanisms when deployed by dominant platforms. The focus is administrability: identifying how existing doctrine can accommodate attention-related harms through recognised indicators rather than proposing a novel ‘attention abuse’.

For language-learning apps, the paper explores a different competitive configuration. Gamified progress systems, streaks, and reward multipliers may be benign, or even desirable, from individual user’s perspective, yet can acquire competitive significance when deployed by firms with substantial market power. The paper develops the idea of ‘progress lock-in’ as a mechanism that can weaken multi-homing, concentrate attention on a single service, limit product comparison, and amplify data-driven optimisation advantages that deter entry and soften quality-based rivalry. It further highlights how a highly dominant firm’s ‘leader effect’ may turn such practices into market norms. Competitors may be encouraged or pressured to follow these norms, potentially reducing diversity of design and narrowing the direction of innovation. This case study is used to illustrate how design practices popularised by dominant firms can generate competition concerns and resistance to innovation in digital markets that receive less regulatory attention.

Overall, the preliminary enforceability analysis yields a cautiously optimistic assessment of Article 102 TFEU’s capacity to address harmful uses of addictive design. Many harmful scenarios involving dominant firms can be addressed within established abuse categories and established lines of reasoning, such as quality degradation, default bias, and restrictions on rivals’ discoverability. This enables competition law to distinguish between commercial practices across contexts by reference to market outcomes. It allows competition law to discipline harmful optimisation incentives while preserving space for beneficial interface innovation. At the same time, the paper identifies residual challenges where harms resist translation into recognised competitive parameters and where evidentiary tools may not fit well, for example difficulties in operationalising tests such as a ‘small but significant non-transitory decrease in quality’ (SSNDQ) for addictive interface design. These residual issues are framed as candidates for calibrated doctrinal development and future research, subject to necessity and proportionality.

By reframing addictive design as a competition issue that can distort innovation incentives and market outcomes, this analysis contributes to debates central to European tech governance. The paper examines how fundamental values of market fairness, consumer welfare, and sustainable competition can be upheld without reflexively restricting innovation, through regulatory instruments that remain context-sensitive, enforceable, and institutionally coherent. In this respect, the distinction between exploitative and exclusionary abuses provides a useful lens for instrument choice in addressing market harms associated with addictive design. Exploitative theories may be more contested in instrument selection insofar as they overlap with consumer law’s welfare-centred objectives, whereas exclusionary theories are more likely to identify a domain in which competition law has distinctive governance value. Finally, the paper positions competition law as a complement to consumer protection and platform regulation, and suggests that revisiting existing competition instruments may, in some contexts, be less institutionally costly than introducing new tailored legislation that risks further fragmentation of the EU digital regulatory framework.

ABSTRACT. Like most economic regulators, the UK’s Competition and Markets Authority has weathered its fair share of political turbulence in its history, but few episodes compare to the saga following the UK government’s abrupt removal of Marcus Bokkerink as CMA Chair in January 2025 and the interim appointment of Doug Gurr, a former Amazon UK executive. This is not an isolated incident. This national episode reflects global shifting pressures on competition enforcers as ‘accountability’ is reframed through an economic growth narrative centred on (tech) innovation. Our research starts unpacking whether this narrative reflects a shift towards accountability to a narrower set of interests than before. The CMA as a way to change the narrative The UK government’s interventions could be interpreted as a conscious and considered effort to regain control of the growth discourse, with the CMA positioned as a conduit for the government’s pro-investment and pro-business narratives. The CMA’s response initially resembled self-preservation through narrative alignment: strengthening its support with lawmakers and business by accelerating and rebranding procedural reforms already underway. To align with the Government’s strong growth-centric strategic steer , half the battle for the CMA seemed to be to change the mood music that accompanied its approach to enforcement to placate impatient ministers. Following the 2024 elections, the Labour Government framed its “securonomics” agenda as less “big state” and more “smart and strategic state”, focused on rebalancing market forces and state control, with a greater role afforded to the latter, as part of an enduring partnership with business. By beginning of 2025, political priority had turned to choreographing a visible shift in tone, with regulators in the government’s crosshairs. When launching his modern industrial strategy to a room of international investors, the Prime Minister pledged to “rip out” the regulatory bureaucracy that blocks investment. He vowed to ensure that every regulator “takes growth as seriously as this room does”. The message was simple, if not simplistic: growth requires investment, investment calls for deregulation, and deregulation demands that regulators fall into line by cutting red tape. With regulators under the political microscope, the CMA became vulnerable to pressure points, which the government seized upon to reset the narrative. The first was the CMA’s – largely ill-founded (but, nonetheless, entrenched) – reputation as an overreaching and overzealous enforcer of merger control in the post-Brexit era, allowing the government to portray it as a chief culprit for low levels of FDI into the UK. This created a simpler narrative of regulators as primary inhibitors of investment, which the government then pledged to tame. The Microsoft/Activision decision was often cited as an example of this ‘over-enforcement’. Commentators stated that the CMA’s initial prohibition decision (in April 2023) signalled to the world that the UK was “closed for business”. The question of whether the authority was deserving of its reputation became a moot point: what mattered is that this reputation gained traction over time and emboldened its critics. Second, while the UK’s other regulators (particularly, its financial watchdogs) have also been on the receiving end of political scorn from the Labour government, the CMA’s status as a cross-economy regulator of global notoriety made its leadership a lightning rod for political signalling by a government determined to send a clear and powerful message of ‘change’ to international investors, as well as a warning for other regulators to “get with the programme”. The removal of the CMA Chair carried symbolic weight, reframing the leadership change as a pivotal inflection point on the road to deregulation. Although in the immediate aftermath of this forced resignation, the CMA largely repackaged existing reform trajectories, these had important implications for how competition enforcement was perceived, particularly for who is seen as the ultimate beneficiaries of the law. Underlying this is the growing tendency throughout the first part of 2025 for the CMA’s effectiveness to be a been assessed more-and-more frequently through the eyes of large corporations, rather than those of consumers and third-party stakeholders. Ministerial rhetoric framed the Chair’s removal and reforms as a “massive step-change” at the CMA, one that was welcomed by businesses and which had reinforced the Government’s resolve to “take out more regulators”. By mid-2025, it became clear that narrative change alone was not enough. The government (publicly and behind closed doors) pushed the CMA and other regulators to have more ‘accountability’. If accountability is the answer, what is the question? Regulators in the UK are now facing increased pressure to justify their interventions. In an update to its Regulation Action Plan, the Government ‘pledged’ to ‘implement ambitious regulatory reforms with a target to reduce the annual admin burden on business by £5.6 billion by the end of the Parliament’. The Action Plan portrays regulators as unpredictable and insufficiently responsive to businesses, particularly to innovative and high-growth businesses. The Plan foresees that regulators will reform their operations to cut the ‘regulatory burden’ they create, and that regulators should perform better and be more accountable. To address this, the Government would ‘formalis[e] performance reviews’ of regulators and ‘strengthen their accountability for providing high-quality services by publishing their performance against time-bound targets’. This conveys a message to businesses that regulators remain very much on notice. This has been recognised by businesses themselves, with several recent instances where prominent UK investors (including Getty Images and IVC Evidensia) appear to issue public ultimatums, threatening to pull UK investment if the CMA adopts commercially unfavourable decisions in ongoing investigations they are involved in. It might be an early sign that businesses accept the new narrative of regulator accountability to business. This reorientation of the government-regulator-businesses dynamic would appear to have significant implications for how we view regulatory independence and accountability going forward. The UK government’s new regulatory ‘accountability’ agenda risks clashing with the broader public interest role of regulators. In particular, in the context of the CMA, a focus limited to calculating the costs on (a handful of) businesses risks undermining the societal benefits regulators can bring. While the Plan briefly refers to consumer protection and competition, and acknowledges, close to the end of the Plan, that regulation may be ‘necessary to address economic, societal and environmental risks, or to promote better outcomes for communities and consumers’, it puts the emphasis on businesses to reduce burdens by ‘challenging unnecessary regulation’, namely regulation where the administrative burdens posed to business are too high’ or which provide uncertainty for businesses. These are not, on the face of it, unreasonable aims. But the weight afforded to business seems to mimic the weight given in the Government’s overall strategy of accountability: businesses are the priority. Other stakeholders – who benefit widely from regulators’ actions and may have less lobbying power – appear to come a distant second. One headline in the Government’s Budget Policy Paper is ‘Relentlessly pursuing growth’, outlining a desire to boost productivity and tackle under-investment. At the same time, the Policy Paper outlines spending on welfare of the most vulnerable and incentivising consumption on the high street. There is a stark omission in this narrative: of how regulators and authorities contribute to protecting the most vulnerable in society, and how competition enforcement enables new business to emerge by breaking open industries beyond the incumbents. A competition authority’s priority is not to incentivise big incumbent business at all costs, but to prevent market failures and anti-competitive conduct by those with market power. The Government is correct to say that regulators need to be accountable, but perhaps wrong about who they ought to be accountable to. Independence of authorities from political intervention is important, but it has to be paired with accountability: an explanation of the benefits of its work to the public. As Kati Cseres argues in forthcoming work, accountability is not merely about narrow performance measures, but about accountability to (and input from) the wider public. Experts have argued, particularly in digital platform markets and high-paced innovation, that regulators did not step in soon enough and did not go far enough to address societal and economic impacts, with harms becoming entrenched. The CMA is often held aloft as an example of an authority attempting to explain the benefits of its actions to the public. However, over the course of 2025, the pressure to be accountable seemingly shifted to a very narrow subset of stakeholders: big business. A strategy to ensure cost-consciousness, legal certainty and predictability is not problematic in itself, but over-emphasis may jeopardise the authority’s ability to achieve wider societal benefits. The big businesses with the potential to change the structure of industries move fast – it is difficult to regulate them when your hands are tied. A cost–benefit analysis is sensible – but how much value we put on short-term costs for big businesses (as opposed to long-term – and more difficult to measure – benefits to SMEs, consumers, and citizens) is a sticking point. Undervaluing those benefits is a real risk, particularly in a climate where lodestar more readily resembles reducing costs and ensuring growth at all costs.

ABSTRACT. The Draghi report posits that an ‘innovation defence’ is a key solution for achieving the objective of ‘revamping competition.’ It references the role that competition law should play in this regard by suggesting the introduction of ‘innovation defence’ to European Union (EU) merger control. Against this background, our article aims to provide empirical insight into the answers to the question of how to defend innovation in merger control concerning digital markets, which have been so far provided in merger proceedings. To this end, we analyse how the European Commission (Commission) has approached the interaction between innovation, competition and company size in its decisional practice. We use a systematic content analysis to scrutinise the role of references to innovation in 18 merger decisions adopted by the Commission with regard to digital markets. Next, we discuss the results of our analysis, setting these against the background of how this interplay is presented in the Draghi report. We argue that the innovation defence proposed in the Draghi report should be enriched by the use of the concept of the directionality of innovation in order to ensure that the interests of all the involved stakeholders are taken into consideration.

Methods and sources

In order to identify the relevant decisions, first, we selected merger cases due to the type of economic activity they involved and the names of the Parties. As a result, we collected 36 decisions, of which 31 we identified as related to digital markets. Out of these decisions, the phrase ‘innovat’ – used to capture forms such as ‘innovative’ and ‘innovate’ – appears at least once in 18 cases. We identified 325 uses of the term, distributed unequally among the cases. The cases identified through this process were then subjected to the coding exercise. For the purpose of the coding exercise, we treated a paragraph as a coding unit. We divided identified citations depending on the entity to which they may be assigned, which allows us to scrutinise the plurality of narratives and arguments presented in the decisions.

Our coding framework is to a large extent based on the work by Thibault Schrepel titled ‘A systematic content analysis of innovation in European competition law’ (2024). We adjusted it by, e.g., dividing the identified mentions into the entities to which they may be assigned (the Commission, the Parties, and the third parties). We collected quotations coded with regard to the following variables: (1) the role of the quotation in the decision (e.g., if it concerns theory of harm or relevant market); (2) whether the innovation discussed concerns product or process and if it is incremental or disruptive; (3) whether it is discussed from the short- or long-term perspective; (4) whether it takes place within or outside the relevant market; (5) whether it approaches innovation as having incentive or impact effect and if it concerns innovation as necessary to survive in the market or being the market leader; and, most importantly, (6) how the interplay between the size of the company and innovation is presented in the decision: is it big or small companies that drive innovation?

Results

The analysis indicates that the Commission is the primary entity whose arguments concerning innovation are present in merger decisions. However, it is evident that the position of third parties and the Parties is quite influential. While the term is frequently invoked in the context of the description of market characteristics, approximately one third of the identified quotations pertain to the arguments concerning the theory of harm. This illustrates the importance of considerations of innovation in the merger cases. The results demonstrate that innovation discussed in merger decisions generally pertains to product innovation that occurs within the relevant market, and that it is discussed both from the short- and from the long-term perspective. The differences in the perspectives presented by the Commission and other parties may be illustrated with the references to incremental and disruptive innovation, as well as innovation as necessary for surviving in the market or for leading in the market. The Commission refers to both the increments and disruptive innovation, and usually approaches innovation as necessary for surviving in the market. In contrast, the views of third parties that are often invoked in the context of disruptive innovation. Both Parties and the third parties seems to more often refer to innovation as necessary for becoming market leader.

These differences in the perspective presented by the Commission, the Parties, and the third parties, are very much present with regard to the issue of the interplay between the size of companies, competition, and innovation. Based on the identified mentions of innovation, we identified three narratives concerning this topic, the starting point for all of them being the growth of concentration resulting from the merger:

1) Low concentration supports competition and drives innovation, because small companies tend to be innovative and may challenge the position of more established players: This narrative sometimes emerges from the arguments advanced by third parties, e.g., in the Meta/Kustomer, Broadcom/VMware or Google/Motorola decisions, but in Meta/Kustomer is also adopted by the Commission. Merger is presented as potentially leading to anti-competitive behaviours such as market foreclosure and refusing to share certain resources, which could hinder the ability of the smaller companies to innovate and therefore may result in lower innovation in the market.

2) High concentration supports competition and drives innovation, because big companies have the resources to innovate and they compete among themselves: Notwithstanding the fact that the level of concentration is higher, competition is intensifying, as only large undertakings are relevant players in digital markets. This is due to larger enterprises possessing greater resources, including financial capital, intellectual property (IP), and data, which facilitates innovation. Consequently, the merger will lead to an increase in innovation, as suggested by the Parties in the Microsoft/Yahoo! and Meta/Kustomer decisions, and by the Commission in Microsoft/Yahoo! and Microsoft/Activision Blizzard.

3) High concentration decreases competition and innovation, because big companies do not have the motivation to compete and innovate: While this scenario is similar to the first one, the narrative does not underline the role of small undertakings but rather focuses on the potential negative effects of strengthening the position of big companies and facilitating its unilateral actions and power leading to the reduction of competition due to the absence of an incentive to innovate, as they benefit from a lack of competitive pressure, scale, network effects and resources. This scenario is presented by third parties in Oracle/Sun, by the Commission in Microsoft/Activision Blizzard, and by both the third parties and the Commission in Intel/McAfee, and Google/Fitbit.

Discussion and conclusions

Our study shows that the views represented by the entities participating in the analysed proceedings vary. The characteristics of innovation underscored by the Parties and the third parties differ. Thus, in the light of the lack of decisive evidence on the economic effects of the interplay between concentration and innovation, it is important to guarantee that the enforcer is familiar with the arguments presented by various types of entities. We observe that the inclusion of the views represented by third parties in the analysis of the topic of innovation and size of the companies, is often accompanied by the commitments. This suggests the interplay between the scope of the types of entities involved in the dialogue on innovation taking place when issuing the given decision and the increased level of a nuanced approach present in merger analysis.

In light of the results, we contend that the response to the question of how to defend innovation in the context of merger control within digital markets – in the light of their specific character, resulting from the importance of access to certain resources for the development of innovation – is contingent on whose perspective is given due consideration. Thus, we suggest that incorporation of an ‘innovation defence’ within the context of merger proceedings may not adequately address the challenges to innovation in digital markets in the absence of concomitant measures that would ensure the protection of smaller companies. Our research shows that these companies frequently hold divergent perspectives on the role of innovation within the market. Thus, we argue that the innovation defence should be accompanied by the introduction of the approach based on the concept of directionality of innovation, as developed by Juliane Mendelsohn and Lukas Breide in their work ‘Considering the Direction of Innovation in EU Merger Control’ (2024). Directionality of innovation, understood as fostering diverse and polycentric forms of innovation, could inspire the implementation of protections such as commitments concerning access to resources, e.g., data or IP for other undertakings, and the development of criteria concerning the presentation of evidence on the prospective impact of mergers on innovation by not only the Parties, but also third parties. We argue that such steps are necessary in order to ensure the nuanced approach to the interplay between innovation and the size of companies, taking into account both the specificity of digital markets and particular cases.

ABSTRACT. Speakers

Dr Timo Istace, Senior Researcher & Guest professor Multilevel Fundamental Rights Law, Faculty of Law, University of Antwerp Dr Sjors Ligthart, Associate Professor, Criminal Law Department, Faculty of Law, Tilburg University and Postdoc, University of Utrecht, Willem Pompe Institute for Criminal Law and Criminology, School of Law, University of Utrecht Julie Van Pée, PhD Researcher, Institute for International Research on Criminal Policy (IRCP), Department Criminology, Criminal Law and Social Law, University of Ghent Dr Naomi van der Pol, Assistant Professor, Willem Pompe Institute for Criminal Law and Criminology, School of Law, University of Utrecht

Moderator

Alexandra Ziaka, PhD Researcher, Tilburg Institute on Law, Technology & Society, Tilburg University

Description

Neurotechnologies are no longer confined to laboratories or clinical trials. They are entering social platforms, immersive digital environments, and criminal justice systems, often quietly and without a clear legal vocabulary to describe what they do to the human mind. These technologies do not merely observe behaviour. They infer, predict, and sometimes intervene in neural processes themselves. Law has not fully caught up with this shift, and in some respects it has not yet decided whether it wants to. This panel takes the protection of the mind seriously, without assuming that existing legal categories are fit for purpose. It asks what happens to rights such as freedom of thought, mental privacy, and personal autonomy when technologies can access neural data, shape mental states, or modulate cognition in ways that remain largely invisible to the person affected. The contributions do not start from a position of panic, but neither do they accept that incremental adjustments to data protection or AI regulation will suffice. Across different legal contexts, from EU digital regulation to human rights law and criminal justice, the panel examines how neurotechnologies expose conceptual limits in current governance frameworks. Neural data sits awkwardly alongside biometric data. Mind interventions challenge the traditional focus on observable harm. Claims about absolute protection of the inner self sit uneasily next to arguments about positive obligations to offer neurotechnological rehabilitation. What unites the panel is a shared concern that governance debates too often circle around innovation on one side and rights on the other, without confronting how deeply neurotechnologies cut into that distinction. The mind has long been treated as a protected interior space, legally and philosophically. Neurotechnologies make that assumption harder to sustain, but also harder to abandon. Dr Timo Istace will introduce a normative framework for identifying undue mind interventions and argue that neurotechnological interventions are especially likely to qualify as such where they intentionally undermine mental autonomy by bypassing, distorting, or disarming the mental abilities that enable it, while also reflecting on the implications of this framework for the future interpretation of the right to freedom of thought. Dr Sjors Ligthart will examine the scope of absolute protection in human rights law, with particular focus on the inviolable core of the right to respect for private life and its protection of mental privacy and mental integrity, both of which are increasingly at stake in the context of neurotechnologies. Julie Van Pée will analyse how neuroreading and neuromanipulation in immersive digital environments, such as the metaverse, expose regulatory gaps and conceptual ambiguities in EU digital law, while clarifying the legal status of neural data and its distinction from biometric data. Dr Naomi van der Pol will examine the potential of neurotechnologies to support and enhance certain rights and argue for the recognition of a right to neurorehabilitation, assessing whether such a right can be derived from existing rights under the European Convention on Human Rights. By bringing together doctrinal analysis and normative reflection, the panel contributes to TILTing 2026’s broader question of how technology is governed when values are asserted in one place and infrastructures are built elsewhere. Neurotechnologies offer a clear case where regulation cannot rely on scale, visibility, or market power alone. The question is not only how to regulate these technologies, but what kind of legal imagination is required once the mind itself becomes a site of governance.

ABSTRACT. Panel Proposal- AI4POL

1 Description of the Interactive Panel and Its Relevance to the Conference Theme

Artificial intelligence (AI) systems are rapidly reshaping socio-economic interactions, regulatory landscapes, and individual autonomy. Increasing automation and self-learning make controlling outcomes increasingly difficult. Based on ongoing research in the AI4POL Horizon project, this panel explores two connected ways for businesses, regulators and individuals to maintain control, namely the need to facilitate machine unlearning and to protect consumer autonomy. Machine unlearning is the ability to selectively forget or undo the influence of certain data within a dataset. Techniques of machine unlearning are becoming of increasing relevance as datasets more often consist of a mix of data and more legislative instruments (including the Data Act, European Data Spaces, GDPR and copyright protection) impose a responsibility on data holders to undo harm once illegal data is identified. Consumer autonomy refers to the need to protect the ability of individuals to make informed and independent decisions, which is challenged by recommendation algorithms that trick individuals into making choices that may not necessarily reflect their true preferences and needs.

By focusing on these two issues, the panel discusses pervasive legal and governance challenges at the intersection of AI, law, and society, and engages participants in deliberative exercises that bridge conceptual analysis with policy and regulatory practice. The session is designed to be highly interactive, drawing on interdisciplinary insights from law, ethics, and computer science to illuminate how emerging AI capabilities interact with foundational democratic values such as accountability, fairness, and human autonomy.

The theme of “Between Values and Innovation: Tech Governance in a Multicentric World” foregrounds the tension between promoting technological innovation and upholding core values in contexts where technological architectures and market power are globally distributed. This panel addresses precisely these tensions: machine unlearning raises questions about the enforceability of individual rights and data governance once data have been embedded in complex AI systems; and AI-driven consumer manipulation implicates the conditions for informed decision-making and personal autonomy in digital environments. By framing these issues as not only technical problems but as challenges to legal and ethical norms as well as democratic oversight, the session situates them squarely within debates about how to govern innovation without compromising values.

Rather than presenting static solutions, the panel facilitates an interactive and collaborative exploration of how legal, ethical and technical concepts can be operationalised in practice, including the development of testable definitions and governance principles that reflect both regulatory intent and technological realities. This approach resonates with the conference’s emphasis on rethinking tech governance in a pluricentric world, where legal responses must contend with transnational digital infrastructures, diverse regulatory philosophies, and the global distribution of innovation.

By bringing together diverse perspectives, the panel aims to equip attendees with a deeper understanding of the democratic stakes of AI governance, the limits of purely technical fixes, and the importance of embedding legal reasoning into design and regulatory processes. In doing so, the session contributes to the broader conference goals of inspiring critical reflection on the governance of AI and fostering dialogue that bridges academic research, regulatory practice, and policy design.

2 Abstract for TILTING perspectives - AI4POL

The proposed panel presents a legally grounded and interdisciplinary discussion of machine unlearning and consumer autonomy as two interconnected ways to maintain control in contemporary artificial intelligence governance. Together, these issues illustrate how core regulatory objectives in the European Union, such as data protection, innovation, and consumer autonomy, are increasingly mediated by complex socio-technical systems. The panel starts from a central claim: the primary difficulty in AI governance today lies not in the absence of legal or ethical norms, but in their effective operationalisation within automated environments. Addressing this gap requires translating abstract legal and ethical concepts into testable, enforceable, and technologically informed standards that remain compatible with democratic values.

The first area of discussion concerns machine unlearning as an emerging technical capability with significant regulatory relevance. Machine unlearning refers to methods that enable the selective removal of specific data from trained machine learning models without full retraining. From a governance perspective, this raises foundational questions about control, accountability, and compliance in data-intensive systems. Legal frameworks governing data access, data withdrawal, and data reuse increasingly assume that rights and obligations remain meaningful even after data have been integrated into automated decision-making systems. The panel examines from an interdisciplinary perspective whether and how machine unlearning can plausibly support such assumptions. Starting from a review of the current possibilities for machine unlearning in computer science, the panel discusses how such existing techniques can support the effective implementation of legal requirements in the Data Act, the European Data Spaces, the GDPR and copyright protection – situating this discussion within broader legal standards such as effectiveness, proportionality, verifiability, and auditability. The panel explores the extent to which unlearning techniques can meaningfully operationalise obligations related to data correction, erasure, and purpose limitation, while also highlighting their limitations and the risk that technical promises may obscure unresolved normative questions about responsibility and institutional oversight. The analysis thus cautions against viewing unlearning as a silver bullet, while recognising its potential role as one element in a more comprehensive governance toolkit.

The second area of discussion addresses online consumer manipulation in AI-driven interfaces, focusing on personalised choice architectures that shape consumer decision-making at scale. While concerns about manipulation are well established in both consumer protection law and AI ethics, enforcement remains fragmented and conceptually underdeveloped. The panel discussion starts from the premise that the main difficulty is not the absence of applicable rules and ethical norms, but the challenge of identifying when influence becomes illegitimate manipulation in complex, adaptive systems. Drawing on consumer law, AI governance frameworks, and established ethical principles, the panel discusses ways to protect consumer autonomy by assessing how to define manipulation and make trade-offs between competing values, including autonomy, fairness, convenience, and commercial objectives. Particular attention is given to the role of design choices such as defaults, personalisation, and behavioural targeting and to the possibility of embedding legal and ethical constraints directly into system design. By translating high-level ethical commitments into actionable design principles, the analysis advances a more concrete understanding of what fairness- or autonomy-preserving design can mean in practice.

Across these two areas, the panel centers the democratic implications of AI governance. Machine unlearning raises questions about whether individuals and public authorities can retain meaningful control over data-driven systems once they have been deployed. Consumer manipulation directly affects the conditions under which individuals form preferences and exercise choice in digital environments. In each case, the effectiveness of governance mechanisms is closely tied to issues of accountability, transparency, and institutional capacity. The analysis therefore treats AI governance not merely as a technical or compliance-oriented exercise, but as a matter of sustaining the legitimacy of regulatory authority and the conditions for democratic oversight in increasingly automated societies.

Finally, the panel situates these analyses within a broader perspective on governing both AI systems and the use of AI as a regulatory instrument. Technical tools, definitional frameworks, and design principles can enhance the ability of regulators and policymakers to monitor compliance, detect risks, and intervene proactively. At the same time, the panel emphasises the limits of technocratic solutions and the continuing importance of legal interpretation, institutional judgment, and public accountability. By combining doctrinal legal analysis with insights from ethics and computer science, the panel advances an interdisciplinary approach to AI governance that is attentive to both practical enforceability and democratic values. In doing so, it contributes to ongoing debates about how legal systems can remain effective and legitimate in the face of rapidly evolving algorithmic technologies.

3 Panel Members

• Patricia Prufer and/or Pradeep Kumar- Centerdata – in the lead for input from Task 1 from a technical perspective • Inge Graef- TLS- overarching legal/policy issues for Task 1 and 3 • Bart Engelen- TiU- in the lead for input from Task3 from an ethical perspective • Giulia Sandri- ECAS and Scientific Advisor to the European Unit at the Université libre de Bruxelles- overarching democracy question

Moderator- Pratiksha Ashok

ABSTRACT. Introduction and problem statement

Long before the adoption of the Digital Services Act (DSA), legal scholarship has discussed the para-constitutional and state-like powers exercised by online platforms through their terms and conditions. One of the main arguments advanced by such scholarship is that, despite being contractual instruments, terms and conditions can shape the enjoyment of fundamental rights by a large number of the population in ways that resemble the exercise of state powers. With the adoption of the DSA, this role of terms and conditions seems to have found recognition. It can be argued that several provisions have been drafted to rebalance power relations between platforms and users, while providing safeguards against the exercise of unfettered power by platforms. Among others, Article 14 of the DSA provides safeguards vis-à-vis the restrictions on freedom of expression that can be imposed by terms and conditions of certain providers. The introduction of provisions dedicated to terms and conditions in the DSA addresses some of the issues raised by legal scholars over the years, but also raises new questions. The DSA delegates important regulatory functions to providers of online platforms, leveraging their technical and managerial expertise to pursue public policy objectives. This is most evidently the case for providers of very large online platforms, who are subject to wide-ranging risk management obligations to protect public interests and values. As a consequence, terms and conditions are not only the exercise of private powers, but also a means to implement legal obligations and meet regulatory expectations set by the European Commission about the curation and moderation of content in online public fora. This raises the question of whether the legal institutionalization and consolidation of the power de facto enjoyed by online platforms may have implications for the horizontal applicability of fundamental rights in the contractual relationship between users and providers. As the fundamental rights of the Charter mainly constrain the exercise of public powers to protect individuals, it is not clear whether it could apply in circumstances where fundamental rights are affected by public-private hybrid modes of regulation implemented through contractual instruments. This question goes to the core of the question about the state-like nature of the actions taken by providers of online platforms, not only because of the powers that they traditionally de facto enjoy, but also in light of the attribution of a regulatory function to terms and conditions under the DSA. It calls for a conceptualization of the contractual relationship between providers and users taking into account both the asymmetrical bargaining power and the role of providers as institutionalized regulators of the conduct of users on online information ecosystems.

Research question and methodology

The paper aims to answer the following research question: How does the role played by terms and conditions as an instrument to implement the provisions of the Digital Services Act affect their interpretation? In order to answer the research question, doctrinal research is conducted in two steps. First, the regulatory function that the EU legislator accorded to terms and conditions under the DSA is described and conceptualized, clarifying how this differs from the role played by contracts to implement similar pieces of legislation, such as the GDPR. Second, a doctrinal analysis is conducted to evaluate whether, in light of such regulatory function, the DSA could be a catalyst for the recognition of direct or indirect horizontal effects of the Charter in the relationships between users and providers. This analysis not only looks at the possible interpretation of relevant provisions of the DSA, such as Article 14(4) – as already done in existing scholarship (see Quintais, Appelman and Fathaigh, 2023). It also provides normative recommendations for the recognition of direct horizontal effect, grounded in a conceptualization of the regulatory role of terms and conditions.

ABSTRACT. We are spending more time online than ever.[1] Social media platforms have become central arenas for public discourse, but simultaneously they act as catalysts for profound societal harms. The unchecked proliferation of non-consensual sharing of intimate images (including AI-generated deepfakes), targeted harassment, and other forms of online violence serves as a potent tool for silencing specific demographics.[2] By instilling a well-founded fear of harassment, these dynamics threaten to limit who can exercise their freedom of expression. This underscores that online safety is a functional prerequisite for democratic participation; without a safe digital environment, the inclusivity of public discourse is undermined.   Recognising the challenges posed by the concentrated power of digital platforms and their role as societal gatekeepers, the EU has introduced new digital regulation. Regulation 2022/2065, the Digital Services Act (DSA), is one of the key legislative components in the EU’s Digital Strategy for creating a safer digital single market where fundamental rights are protected. The DSA is designed to combat illegal online content and behaviour. Alongside its various due diligence obligations for online platforms, it sets out a procedural framework for individual remedy including the notice-and-action mechanism (Article 16), internal complaint-handling system (Article 20), out-of-court dispute settlement (Article 21), trusted flaggers (Article 22), and right to lodge a complaint with a Digital Services Coordinator (Article 53).   The DSA is currently being implemented across Europe. The Commission has imposed its first fines under the DSA[3], and the Digital Services Coordinators (DSCs) are operationalizing their supervisory roles in member states[4]. Simultaneously, the enforcement of the DSA faces an increasingly volatile political climate, characterised by an ideological clash between European regulatory values and the US-centric ethos of major platforms[5].   The DSA plays a key role in safeguarding European values and democracies. It is widely accepted that platform regulation must be harmonized at the EU level to remain effective against global digital actors. Furthermore, effective legal remedy requires mechanisms outside traditional judicial processes, as the sheer volume of online harms would overwhelm national court systems[6]. However, the DSA’s effectiveness has been challenged in the scholarly debate already before it came to force. Historically, EU internet regulation has been rooted in internal market objectives. Despite its ambitious rhetoric, the critics argue that the DSA’s 'DNA' remains fundamentally anchored in this internal market logic rather than protection of fundamental rights.[7]   While Europe’s approach to platform regulation is frequently characterised as rights-based[8], it relies increasingly on proceduralisation – procedural mandates rather than substantive protections[9]. This is evident also in the DSA. Its provisions move European platform governance from largely voluntary self-regulation to a model of enforced self-regulation, where online platforms are bound by mandatory procedural obligations but retain significant discretion in their operational implementation.[10] In this framework, the 'enforced' element is critical, relying on the ability of public authorities, such as DSCs, to intervene when platforms fail. This dynamic reflects the Collingridge dilemma[11]: the DSA represents an attempt to overcome the structural difficulty of controlling the immense societal power of online platforms by ‘enforcing’ procedural mandates built on the self-regulation already established by the platforms.   Given that the success of EU’s procedural approach in digital policy is inherently tied to the robustness of its procedural obligations, there is an urgent need to examine enforcement practices and their impact. The DSA is still in the early stages of its practical application, and therefore much of the scholarly debate has remained at a theoretical or normative level. This paper aims to bridge this gap. It examines the DSA implementation through empirical data, focusing on the individual’s right to lodge a complaint with a national DSC under Article 53. Evidence already suggests that, in the context of platform governance, individual remedies often remain underutilised and their significance limited.[12] This paper uses the local implementation efforts in Finland—a country with high digital literacy and trust in authorities—as a case study and seeks to identify whether the DSA’s procedures meet this challenge. How well does the Article 53 complaint mechanism reach the masses of social media users? What do the complaint categories or demographics reveal about the accessibility of the procedure? Furthermore, what do these potential shortcomings indicate about the practical viability of the DSA’s procedural framework?   The paper adopts a law-in-action perspective. The methodology combines legal doctrinal analysis with a comparative study of user complaints. The primary data consists of complaints lodged with the Finnish DSC (Traficom), which are compared with a strategically selected sample from the Finnish Competition and Consumer Authority’s consumer protection database to benchmark against an established consumer protection pathway. The data is further mirrored against publicly available data on social media platform demographics and content moderation categories.   The paper argues that success of EU digital policy hinges on the practical functionality of its procedural mandates: without their effective enforcement, Europe’s rights-based digital regulation risks becoming ‘all bark and no bite’. The paper presents a methodological framework developed to study the ongoing enforcement practices of EU digital regulation and to map the ‘stumbling blocks’ hindering platform accountability. The combination of law-in-action approach and comparative empirical research provides a replicable model to evaluate the EU digital regulation across different jurisdictions. With this model, the paper contributes to the urgent scholarly task of monitoring and refining European digital policy, ensuring it evolves to better fulfil its ambitious promise of a safe and trustworthy online sphere.  

[1] Eurostat. 2024. Digital economy and society statistics – households and individuals. [2] European Union Agency for Fundamental Rights (FRA). 2025. Fundamental Rights Report 2025. Publications Office of the European Union, Luxembourg. [3] On December 2025, the European Commission issued a fine of €120 million to X for breaching its transparency obligations under the DSA. Press Release from 15 December 2025. https://ec.europa.eu/commission/presscorner/detail/en/ip_25_2934 [4] For instance, the Irish DSC Coimisiún na Meán commenced on 2 Dec 2025 two formal investigations into the TikTok and LinkedIn platforms, under the DSA assessing whether these platforms have contravened Articles 16(1), 16(2)(c) and Article 25 of the DSA. https://www.cnam.ie/coimisiun-na-mean-commences-investigations-into-tiktok-and-linkedin/ [5] See e.g., Le Monde. 26 Dec 2025. The myth of 'European censorship' is wielded by the Trump administration to avoid regulating Big Tech. https://www.lemonde.fr/en/opinion/article/2025/12/26/the-myth-of-european-censorship-is-wielded-by-the-trump-administration-to-avoid-regulating-big-tech_6748855_23.html [6] Ethan Katsh and Orna Rabinovich-Einy. 2017. Digital Justice: Technology and the Internet of Disputes. Oxford University Press. [7] For examples of the academic debate on the DSA, see see Rachel Griffin. 2025. Procedural Fetishism in the Digital Services Act. European Journal of Legal Studies 16 (Feb. 2025); Marta Maroni. 2023. “Mediated Transparency” The Digital Services Act and the Legitimisation of Platform Power. In (In)Visible European Government. Routledge; Gerhard Wagner, Martin Eifert, Axel Metzger, and Heike Schweitzer. 2021. Taming the Giants: The DMA/DSA Package. Common Market Law Review 58, 4 (2021), 987–1028; and Paddy Leerssen. 2023. An End to Shadow Banning? Transparency Rights in the Digital Services Act between Content Moderation and Curation. Computer Law & Security Review 48 (Apr. 2023), Article 105790. [8] See for instance, Anu Bradford. 2023. Digital Empires: The Global Battle to Regulate Technology. Faculty Books; and Rachel Griffin. 2022. Rethinking Rights in Social Media Governance. https://sciencespo.hal.science/hal-03940983 [9] Susanna Lindroos-Hovinheimo, Ida Koivisto, Riikka Koulu, and Suvi Sankari. 2025. Tekoälyn sääntely. Alma Insights. [10] Nikolaus von Bernuth. 2025. The Premise of Good Faith in Platform Regulation. Verfassungsblog, Apr. 14, 2025. Medzini has also separated ‘enhanced’ self-regulation from ‘thin’ self-regulation. In the enhanced self-regulation platforms rely on first-party and independent third-party intermediaries. Rotem Medzini. 2022. Enhanced Self-Regulation: The Case of Facebook’s Content Governance. New Media & Society, Volume 24, Issue 10, Pages 2227–2251. https://doi.org/10.1177/1461444821995822 [11] David Collingridge. 1980. The Social Control of Technology. Frances Pinter. [12] Jennifer M. Urban, Joe Karaganis, and Brianna Schofield. 2017. Notice and Takedown in Everyday Practice. SSRN Scholarly Paper No. 2755628. https://doi.org/10.2139/ssrn.2755628

ABSTRACT. Consumers increasingly rely on AI agents to compare products, evaluate services, and bridge information gaps on their behalf. These agents promise to empower consumers with knowledge-based decision-making at unprecedented scale. Yet their effectiveness depends critically on access to publicly available data that platforms increasingly restrict through technical and contractual barriers—from CAPTCHAs that verify human identity to blanket prohibitions on automated access. While websites routinely permit human users and dominant firms to access this data, they often block AI agents acting on consumers' behalf. This differential treatment creates consumer welfare harms that existing legal paradigms cannot resolve. The legitimacy of data access restrictions has sparked intense debate, particularly regarding publicly available data that could fuel academic research or train algorithms powering new technologies. Critics argue that these barriers stifle innovation and knowledge creation; defenders raise concerns about platform integrity, security, and intellectual property. Yet, this debate has largely overlooked how access restrictions specifically harm consumers by disabling their AI agents while preserving advantages for dominant market players. This research proposes a consumer-welfare-based framework that delineates when data access barriers are justified and when they must yield to AI agents acting on consumers’ behalf. Our approach resolves the tension between platform control and consumer empowerment while reducing the comparative advantages that dominant firms currently enjoy in accessing public data. We also propose technological solutions that address legitimate concerns of webpage owners, creating a balanced regime that protects both consumer welfare and website owners’ legitimate interests. While this research makes the case for consumer-welfare-increasing access, our technical solution can be used to safely provide access to many other types of data or legal justifications thereof.

ABSTRACT. Digital platforms have emerged as central arenas for public communication, shaping how individuals communicate, organise, and access information within infrastructures owned by private corporations rather than the state. This shift has introduced a structural tension at the heart of contemporary democracies, as the public sphere has migrated into privately owned spaces governed by opaque contractual rules and algorithmic systems. Users try to participate in political and social life through platforms that can delete, demote, or render lawful speech invisible without meaningful oversight. Consequently, constitutional systems must address how expressive freedoms can be protected in environments where private actors mediate the entire communicative process. This paper identifies this normative gap by bringing platform governance into direct dialogue with the positive obligations framework under the European Convention on Human Rights (ECHR). Social media platforms now function as modern public forums, yet they are governed by unilateral terms of service that grant platforms broad discretion over speech. Users lack bargaining power, face limited opportunities to challenge decisions, and often receive no explanation when their content is removed or demoted. Such practices conflict with the heightened protection afforded to public debate under Article 10, particularly when the expression concerns matters of public interest. In classical theory, the public sphere was conceived as an autonomous domain free from both state intervention and market control. Habermas envisioned it as a communicative space where individuals debated issues of common concern on equal terms. Today, the primary locus for political deliberation exists on digital platforms. These platforms, driven by commercial incentives, have become the leading sites for public discourse. Algorithmic curation now determines which content is visible and which disappears, with moderation systems deciding the survival of particular expressions. These mechanisms affect not only unlawful or harmful material but also legitimate contributions to public debate. Scholars, including Balkin, Cohen, and Papacharissi, have highlighted that platforms no longer operate as neutral intermediaries. Balkin conceptualises them as information fiduciaries, shaping the knowledge environment in ways that carry public responsibilities. Cohen discusses how code, architecture, and algorithmic design structure user behaviour and silence voices without imposing formal prohibitions. Papacharissi underlines the emotional and decentralised character of online publics, yet notes their vulnerability to invisibility when moderation or reporting systems are invoked. Together these perspectives reveal a hybrid entity that is neither purely private nor meaningfully accountable through traditional public law. The binary distinction between public and private fails to capture the structural power of platforms over social communication. The jurisprudence of the ECHR provides essential guidance for protecting freedom of expression within privately owned communicative spaces. In Appleby and Others v. United Kingdom (2003), the Court acknowledged that such spaces can serve democratic functions, requiring the state to safeguard meaningful access, even against the owner’s wishes, when they are vital to political participation. In Prager and Oberschlick v. Austria (1995), the Court emphasised the right to receive information as an integral facet of Article 10. This principle becomes especially relevant in environments where algorithms control visibility. In Delfi AS v. Estonia (2015), the Court recognised platform responsibility for harmful content but also stressed the necessity for moderation practices that are predictable, transparent, and open to contestation. Finally, in Khurshid Mustafa and Tarzibachi v. Sweden (2008), the court extended this reasoning, affirming access to communication channels as a component of expressive freedom. These cases indicate that the positive obligations doctrine compels states to protect participation in public debate, even within privately owned infrastructures. However, this doctrine was forged in a pre-platform era and does not fully address the current situation, in which a handful of corporations wield decisive influence over the content users encounter. The Court has not yet articulated a framework that directly addresses algorithmic demotion, shadow banning, or the removal of lawful content in accordance with internal platform guidelines. This absence has created a normative gap. States are expected to protect democratic speech, yet the central arenas for communication now lie beyond public control. The European Union’s Digital Services Act (DSA) is a recent attempt to resolve these contradictions. It introduces obligations requiring platforms to provide reasons for content removal, offer appeal mechanisms, and ensure transparency through mandatory reporting and third-party audits of algorithmic practices. The DSA acknowledges the necessity of subjecting private authority in public communication to procedural constraints. Nevertheless, it does not resolve the underlying theoretical conflict between the constitutional protection of expression and the private property logic that informs platform governance. The DSA remains a regulatory, rather than constitutional, intervention. The Turkish Constitutional Court example illuminates the stakes of this transformation. Turkey exemplifies a jurisdiction where platform constraints and state pressure converge, creating a legal landscape where users are exposed to both public censorship and private suppression. The Court has acknowledged that social media constitutes an essential forum for democratic engagement, and that the state bears a positive obligation to protect individuals not only from state interference, but also from arbitrary restrictions imposed by platforms. Nevertheless, Turkish law remains primarily focused on state security and platform liability, affording users affected by content demotion or account-level sanctions no procedural rights. The absence of such protections highlights the precise legal vacuum that this paper seeks to theorise a regime in which the formal right to speak exists without a practical right to remain visible in the spaces where speech matters. Accordingly, this paper advances three main claims. First, digital platforms must be understood as hybrid public infrastructures whose governance determines access to democratic participation. Second, the right to freedom of expression must be reconceptualised to include visibility as a constitutional interest, distinct from mere non-interference, and states must protect this interest through positive obligations. Third, regulatory mechanisms like the DSA, while promising, must be situated within a broader constitutional architecture that subjects opaque algorithmic governance to procedural and democratic constraints. To address the divergence between digital platform governance and the ECHR’s positive obligations doctrine, the latter must evolve to reflect the transformed architecture of public discourse. Platforms now exercise a structural power over speech similar to that traditionally reserved for public actors. Their control over the visibility, accessibility, and circulation of political expression necessitates a doctrinal framework that treats digital platforms as communicative spaces where constitutional values must be respected. This evolution does not entail redefining platforms as state actors but rather acknowledging their hybrid nature and democratic functions. ECHR jurisprudence, alongside the regulatory model introduced by the DSA, demonstrates that democratic states must adopt clear and enforceable obligations regarding transparency in content moderation. States should require that platforms provide reasons for content removals, establish meaningful appeal procedures, and be subject to independent oversight mechanisms insulated from both corporate and governmental pressure. Securing freedom of expression requires more than limiting state censorship; it demands protection against the invisible architectures through which private actors shape speech via algorithms, ranking systems, and opaque contractual terms. The most significant threats to democratic discourse now stem not from legal prohibitions but from unexplained demotions, the shadow removal of lawful content, and automated moderation systems that elude public scrutiny. Accordingly, democratic societies must reconceptualise the relationship between private property and expressive freedom. As long as public discourse occurs within privately owned, algorithmically governed infrastructures, the absence of a robust constitutional framework will expose users to arbitrary suppression. The positive obligations doctrine should be adapted to address the structural power platforms wield over contemporary communication. Procedural safeguards similar to those in the DSA must be integrated into a broader constitutional paradigm that recognises the public communicative function of digital platforms. Private governance structures mustn’t supersede the fundamental requirement that individuals can participate in public debate on equal and transparent terms. In the twenty-first century, the protection of freedom of expression depends not only on what individuals are allowed to say but also on whether their voices remain visible within technologically mediated communication. Safeguarding this visibility calls for a constitutional response that bridges the gap between the ECHR’s doctrine and the regulatory innovations exemplified by the DSA.

ABSTRACT. This panel addresses the topic of digital addiction, which has recently come to the fore as an important legal and policy issue. The issue was brought to attention among others in the European Parliament’s 2023 Resolution on addictive design of online services and consumer protection in the EU single market, as well as in the European Commission’s 2024 Digital Fairness Fitness Check.

Digital addiction refers to individuals spending more time on digital services (e.g., social media, games, etc.) than they had initially meant to. It can lead to serious harms under the form of traditional addiction symptoms such as obsessive-compulsive disorders or sleep disorders.

Digital addiction has been described as taking place through so-called attention-capture dark patterns. That is, designing digital interfaces (e.g., a website, an app) in such a way that it induces digital addiction. Common attention-capture dark patterns include so-called doom scrolling (showing new content endlessly) or gamification (endowing online interfaces with game-like features).

Digital addiction can be seen as the ultimate form a surveillance capitalism, since keeping individuals hooked to a service is the best way to ensure maximised engagement and thus monetisation of their data.

Even though the Digital Services Act (DSA) does not explicitly address digital addiction it contains a number of provisions that are potentially relevant. But how much can be achieved through these existing provisions? To what extent can they reign in the political economy at the heart of online platforms and associated digital services?

This panel explores this issue by looking at several key caveats: digital addiction and the transactional decision concept (i.e. UCPD or DSA for addressing attention-capture dark patterns); the political economy of the DSA; the DSA’s potential to address digital addiction in online gaming, and the DSA’s risk assessment duties for Very Large Online Platform (VLOPs).

ABSTRACT. 1 Introduction This is an essay about recent attempts in the scholarly and more policy-oriented literature to conceptualize alternative ways of doing ‘data governance’ in an often ‘democratic’ fashion. My rethinking of this theme started, or maybe restarted, when reading work by an anonymous group of French anarcho-communists who call themselves the comité invisible, or The Invisible Committee. In their To Our Friends, they criticize various radical leftist movements for bringing on themselves the ‘curse of symmetry’: the usage of tactics or forms of (self)government that mimic those being used by their opponents, and because of this, the eventual reproduction of – in my words – conventional forms of government.

The provisional structure of this essay is as follows.

First, I conduct a close-reading of two influential contributions to what I dubbed the ‘data governance debate’. One paper from the US written by Salomé Viljoen, and another one written by EU-based law and policy scholars Marina Micheli and colleagues.

Next, I offer an interpretation of the Committees’ ‘curse of symmetry’ argument as presented in To Our Friends. I pay explicit attention to (at least) three themes: the problem of symmetry, the problem of scale, and lastly, the problem of government or governance. I connect, whenever possible, arguments in the Committee’s text to similar or related arguments as put forward in political philosophy, governmentality studies, and the field of Science and Technology Studies (STS).

While this essay is foremost a personal attempt to see what data governance discussions could learn from anarchist literature, it might nudge readers into reflecting more on the presuppositions present in these debates: neoliberal and/or representative democracy.

2 Collective data governance [to be added later: section on Viljoen; section on Micheli et al.]

3 The curse of symmetry The Invisible Committee is, as said, an anonymous group writing in French and, according to Wikipedia, associated to a group of anarchist saboteurs dubbed as the Tarnac Nine. They’ve published a couple of books that in translated form have been published by MIT Press. For now, I will focus on their book length message to their ‘friends’, explain what I take to be the ‘curse of symmetry’, and how I understand their attempts to avoid falling prey to this curse. I intend to differentiate between three different ways of imagining alternatives to conventional ways of doing (collective) governance, as presented by the Committee in their book. First, the need to conduct asymmetrical tactics or responses to commercial and state-induced violence. Second, the need to reconceptualize the problem of scale to that of the ‘situation’. Third, the call to move beyond the practice of governance or government altogether, and to frame alternatives in terms of organizing, shared ways of living, and through these, a deconstruction of the need to, and subject of, government itself. Such statements require some elaboration, so please bear with me.

In the fifth chapter of To Our Friends, the ‘curse of symmetry’ is introduced within the context of a discussion of leftist and revolutionary attempts to wage ‘class’ or ‘social’ war:

“It sometimes seems as if revolutionaries are compelled to constitute themselves on the same model as what they’re fighting. Thus, as a member of the International Workingmen’s Association summarized it in 1871, the bosses being organized worldwide around their interests as a class, the proletariat must likewise organize itself worldwide, as a working class and around its interests.”

Not only did the First International, according to the Committee, make this mistake, other revolutionary movements from the past and up until the present were and are plagued by this ‘curse of symmetry’. Examples listed here are the Italian Red Bridgades in the 20th century, and scholars and activists who argue for the importance of ‘multitudes’ to act as counterweights to the diffuse and networked character of ‘Empire’. I will unpack the Committee’s diagnosis that symmetrical responses, also within a data governance context, are problematic in three steps.

What, firstly, is an important presupposition in both the examples being offered by the Committee, as well as in much of the data governance debate, is that the problems to be solved are ones of control, or governance, by a group, collective, or people. Instead of capitalists, and big tech firms, as many of these arguments go, the people and communities should be in control over the means of production, data, technology, or platforms. The Dutch philosopher Thijs Lijster is illustrative here when he’s arguing for collective control and decision-making of big tech platforms by the ‘99%’.

The Committee argues that such arguments for better communal or democratic control invertedly contribute to their own submission because they reproduce their own categorization and existence as particular groups, communities, or populations. As we shall discuss more extensively, the construal of such (collective) entities is – for many Foucault-inspired scholars - a characteristic form in which power is nowadays exercised, and it is key to resist this by not couching one’s solution in these same terms.

Secondly, the idea that there exists a people, population, multitude or community goes hand in hand with the argument that these, and not capitalists or governments, should be in control of whatever the ‘regulatory object’ is under consideration (e.g. data, algorithms, platforms). The fundamental issue to consider here is, for the Committee, not control of data or technology but, following Foucault, ‘civil war’. Civil war, for the Committee, does not have to do with a citizenry-led equivalent of a military conflict as a means to be able to get something back, but with a particular way of understanding – for the lack of a better word – existence. This way of understanding existence is premised on the irreducible plural and hence also conflictual nature of life that is fundamentally at odds with ideas of control and government premised on the identification and stabilization of certain actors.

Here, and thirdly, the Committee emphasizes the importance for a more ‘situational’ understanding of life in which ‘care for the world’, is accompanied by a resistance toward the key categories in which government is conducted (e.g. ‘population’; ‘society’ ) but also government itself. Power, the state, government, all should be ‘destituted,’ the Committee argues, and “To destitute power is to take away its legitimacy, compel it to recognize its arbitrariness, reveal its contingent dimension. It’s to show that it holds together only in situation, through what it deploys in the way of stratagems, methods, tricks – to turn it into a temporary configuration of things which, like so many others, have to fight and scheme in order to survive.” Control and self-government are not only problematic due to their symmetrical character, but need to be accompanied if not replaced by proactive acts of destitution aimed at the transformation of government – including self-government - from a ““self-evident” truth” to a hypothesis.

In the next three sections, I will unpack three elements of the Committee’s argument that I think are relevant for contemporary data governance discussions.

3.1 On symmetry, politics, and strategy I will firstly and briefly recap the ‘curse of symmetry’ argument and tie that more explicitly to the two examples of data governance discussed in section 2. By doing so, I make tangible the extent to which recent discussions on data governance are indeed plagued by this curse. I then ‘open up’ the discussion by trying to elucidate the Committee’s ‘civil war’ argument, through discussing a debate between Ulrich Beck and Bruno Latour on the viability of cosmopolitanism. A discussion of this debate, I suggest, clarifies how the Committee’s understanding of ‘governance’ as one of pertaining to the deconstruction of those in charge of subjects as actors doing governance, challenges conventional conceptions of governance as ones having to do with control and management.

3.2 On scale and situations Secondly, I will reflect on the problem of ‘scale’ present in many (global) data governance contributions. Present in such (implicit) theories of democracy is the so called ‘all affected principle’: everyone affected by a decision should be implicated in the decision-making process. The Committee seems to reject this principle and argues in contrast for a more problem, issue-centered or ‘small-scale’ conception of politics. Who or what is engaged in politics deserves empirical scrutiny of particular problems (issues) and the way in which they materialize in practice. Questions of scale and ‘upscaling’, especially when debating data and tech governance, are for this reason fraught with suspicion. The fact that tech firms are very well able to affect a lot of people on a very large geographical scale, does not directly mean that the answer to this is a forms of communal or democratic governance at that same scale.

3.3 On governance and organizing Then, quite possibly, the most complicated conceptual challenge the Committee poses to its readers: their criticism of state-based governance combined with the abandonment of every kind of legitimacy whatsoever:

“We have to give up the idea that one make the revolution in the name of something, that there’s a fundamentally just and innocent entity which the revolutionary forces would have the task of representing. One doesn’t bring power back down to earth in order to raise above the heavens. Desituting this epoch’s specific forms of power requires, for a start, that one challenge the notion that men need to be governed, either democratically by themselves or hierarchically by others, returning it to its status as a hypothesis, not a “self-evident” truth.”

If one takes the Committee seriously, there’s something fundamentally wrong with the notion and practice of ‘government’. In this last section, I reflect on the implications of this argument. Because if it makes sense, and if democracy, government, state and commerce have transformed into a highly complex and toxic mixture of large-scale control and violence, what’s the purpose of framing our solutions in precisely these same terms?

ABSTRACT. Regulation (EU) 2024/1689 on Artificial Intelligence (the so-called AI Act) represents the first comprehensive attempt to regulate, at the European level, the development and use of AI systems through a risk-based approach. This regulatory model is based on the idea that the intensity of legal obligations must be proportionate to the potential impact of AI systems on fundamental rights, security, and public order. In this context, the justice sector assumes central importance, as it is directly linked to the protection of the right to a fair trial, the independence and impartiality of judges, and, more generally, the rule of law in the European Union legal system. The AI Act classifies as "high-risk" AI systems intended for use in the administration of justice or in decision-making processes that impact the exercise of the judicial function, subjecting them to a particularly stringent set of substantive and procedural requirements. These include, in particular, obligations regarding data quality and representativeness, risk management and mitigation, technical documentation, traceability, human oversight, and transparency. The rationale for this choice is clearly the need to prevent distorting or discriminatory effects that could undermine the effectiveness of judicial protection and citizens' trust in the judicial system. However, the European legislator decided not to automatically extend the high-risk classification to AI systems intended for purely ancillary administrative activities that do not impact the effective administration of justice in individual cases. This category includes, for example, systems for anonymizing or pseudonymizing decisions, documents, or judicial data, internal communication tools among judicial staff, and, more generally, administrative support tasks. This exclusion responds to the need to avoid excessive regulatory rigidity and to avoid hindering technological innovation in areas considered, at least apparently, to have a low decision-making impact. Starting from this regulatory distinction, the paper critically analyzes the growing diffusion, in European Union member states, of public case law databases that use artificial intelligence systems to guide and optimize case law searches. These tools, increasingly based on machine learning and natural language processing techniques, do not simply provide neutral and passive access to decisions, but also select, classify, and prioritize legal information. They suggest relevant precedents, identify prevailing case law, build semantic connections between cases, and, in some cases, propose guided research paths. Formally, these systems are generally classified as ancillary tools, as they do not adopt binding decisions or directly intervene in the judgment of individual cases. Consequently, they tend to fall outside the scope of the AI Act's provisions regarding high-risk systems. This paper challenges this interpretation, arguing that a merely functional and immediate risk assessment is insufficient to grasp the true impact of these technologies on the administration of justice. Specifically, it highlights how public case law databases perform a crucial cognitive and educational function. Lawyers, judges, and other legal practitioners increasingly rely on these tools not only to find precedents, but also to guide their learning, structure legal arguments, and interpret the evolution of case law. In this context, the algorithmic opacity of the selection and ranking criteria for decisions takes on crucial importance. An algorithm that favors certain orientations, that makes some decisions more visible than others, or that uses relevance parameters unknowable to the user risks exerting an indirect but systemic influence on the way the law is understood, applied, and ultimately produced. The impact of AI on the administration of justice, therefore, is not limited to the decision of a single case, but manifests itself along a broader and more indirect chain, involving the formation of interpretative expectations and the construction of the cognitive horizons of legal practitioners. From this perspective, the risk is not so much that human decision-making is replaced by algorithmic decision-making, but rather that of silent and cumulative conditioning, capable of impacting the intellectual autonomy of judges and the evolution of jurisprudence as a whole. In light of these considerations, the paper questions the existence and necessity of a principle of algorithmic transparency specifically referring to public case law databases. This principle is understood not in a merely informative sense, but as a requirement for substantial knowledge of the operating logic of AI systems, the relevance criteria adopted, the algorithm training methods, and any metrics used to assess similarity between cases. In a public context, characterized by an asymmetric informational power relationship between administration and users, algorithmic transparency is essential for protecting legitimate expectations and safeguarding trust in the judicial system. The paper traces this requirement to the founding values of the European Union legal system, particularly the principle of the rule of law, the right to a fair trial, and the requirement of predictability of public action. From this perspective, public AI-based case law databases can be considered true digital justice infrastructures, whose regulation cannot ignore high standards of accountability and controllability. Finally, the analysis critically assesses the AI Act's framework, questioning the existence of a potential regulatory flaw. While acknowledging the overall coherence of the risk-based approach, the paper argues that the Regulation does not adequately address the forms of indirect and systemic risk arising from AI systems that are formally ancillary but substantially impact the justice decision-making ecosystem. This necessitates tools to supplement the regulatory framework, such as interpretative guidelines, enhanced transparency requirements for public digital infrastructures, and sector-specific codes of conduct, capable of filling the gap left by the current legislation. In conclusion, the analysis of public case law databases offers a paradigmatic testbed for assessing the AI Act's ability to address the challenges posed by artificial intelligence, not only in terms of automated decisions, but also of its cognitive and structural influence on the processes of lawmaking and enforcement.

Essential Bibliography Lupo, G. (2019). Regulating (Artificial) Intelligence in Justice: How Normative Frameworks Protect Citizens from the Risks Related to AI Use in the Judiciary. European Quarterly of Political Attitudes and Mentalities, 8(2), 75-96 Figueiredo Peluso Lopes, G 2025, 'Bias in adjudication and the promise of AI : Challenges to procedural fairness', Law, Technology and Humans, vol. 7, no. 1, pp. 47-67. https://doi.org/10.5204/lthj.3812 Kusche, I. (2024). Possible harms of artificial intelligence and the EU AI act: fundamental rights and risk. Journal of Risk Research, 1–14. Laptev, V.A., Feyzrakhmanova, D.R. Application of Artificial Intelligence in Justice: Current Trends and Future Prospects. Hum-Cent Intell Syst 4, 394–405 Ballot Jones, L., Thornton, J. & De Silva, D. Limitations of risk-based artificial intelligence regulation: a structuration theory approach. Discov Artif Intell 5, 14 (2025).

ABSTRACT. An essential component of planetary surveillance is capturing data related to people, objects, environments, cities with sensors. Sensory data measure, quantify, categorise individuals, objects and concepts, and have significant governance effects. Governance by (sensory) data can take many forms, including setting enforcement priorities, affecting methods of proof, and even changing the content of legal norms. These are posited in the broader framework of regulatory and scholarly debates on structuring data governance towards increasing societal welfare, with their success often assessed by their effects on the growth of the digital economy and innovation, health, sustainability, empowerment of individuals as consumers, patients, and data subjects. In the European Union regulatory initiatives aim to facilitate, structure, and constrain private data power by integrating public values in information economy by increasing data sharing and access, towards innovation, competition, open science and open government (e.g., the Data Act and the Data Governance Act).

In all these instances, the assumption is that sensory data captured are of sufficient accuracy and quality to express a reliable form of knowledge about the true state of reality — crucial for establishing trust in decision-making and for successful innovation in digital economy, among others. Accuracy is an attribute of information systems, and a pursuit of science and technology practices, referring to the degree to which a measurement corresponds to its true value or underlying reality. At the same time, operationalisation of accuracy shapes what becomes visible through measurement and how, privileging certain objects or phenomena while excluding others. In contemporary digital infrastructures, accuracy processes consist of information capture by sensor devices and its analysis involving hardware and software (e.g., data science methods). Accuracy is integral to shaping data’s representative power and the production of data as “form”, which refers to collections of information that document observations about the world, valuable for knowledge-making in information society. Despite the centrality of accuracy in shaping data epistemologies, it is discussed in information law scholarship in silos - as a principle of data protection law or in literature focusing on specific sectors (e.g., health), for example.

Taking conceptual and explorative approaches, this article systematises how accuracy is legally constructed, towards what legal ends, and on which rationales, exploring the purposes accuracy has in shaping law’s relationship to knowledge, truth and the operation of digital infrastructures. This article explores these questions from a sensing perspective. For that reason, its analysis is grounded on cases involving sensory data capture and their analysis, namely, consumer devices (wearables), climate monitoring, medical devices, forensics. The principle of data accuracy in the EU data protection law is analysed with these cases, as it horizontally structures legal accuracy relations with respect to personal data.

This article is situated in the European Union legal order, its laws, regulations and case law as its legal framework related to sensory data capture and analysis (e.g., Medical Devices Regulation, Ambient Air Directive, the General Data Protection Regulation, Unfair Consumer Practices Directive). Here, the accuracy of data is regulated in different ways towards varying legal ends with norms found in inter alia constitutional law, competition law, criminal law, privacy and data protection law, consumer law, torts and contracts law. For example, in consumer devices like wearables, accuracy is regulated through standards and general consumer protection norms. In matters of public interest, for instance air quality, accuracy is both a regulatory standard to ensure quality of information but also a benchmark against which citizens can participate in regulatory knowledge-making activities. These create multiple conceptualisations of the relationships of accuracy to law. Emphasis is made on how these legal dynamics shape power, knowledge, visibility, equality, participation and accountability in data through accuracy, drawing on literature from privacy and data protection (law), science and technology studies, critical data studies and surveillance studies.

This article shows that the legal notion of accuracy is a spectrum, from truth-seeking to operational, defined by a set of legal procedures. Not merely technical, data accuracy is as a result of negotiations of situated practices shaped by the operation of law. This article conceptualizes the relationship of the notion of accuracy to law for the European data law and governance scholarship from a sensory data capture perspective.

ABSTRACT. The European Commission’s Digital Omnibus Proposal presents amendments intended to simplify the EU’s digital framework to support innovation. It has been asserted that these measures will result in significant savings for companies and public authorities, whilst also placing competitiveness. New GDPR provisions have been proposed for the processing of personal data in AI development and operation , designing AI regulatory sandboxes, defining oversight and its delineation among the European AI Office, DPAs, and the EDPB or EDPS. Independent DPA involvement is a constitutional guarantee. The Commission has proposed the processing of personal data for the development of AI systems and models, based on the legal basis for the legitimate interest. The Digital Omnibus Proposal frames these measures as preserving high standards while reducing bureaucracy. In a Joint Opinion on the Digital Omnibus Proposal, the EDPB and EDPS accepts the need to enable bias detection and its correction but warns that, unless strict necessity and precise scoping are restored for special category of personal data and competence boundaries are codified, the safeguards mandated by fundamental rights may be infringed. Clarifying responsibilities under the AI Act and GDPR is necessary to uphold Article 8(3) of the Charter of Fundamental Rights of the European Union effective. Current approach reverses the proportionality of Article 52(1) of the Charter of the Fundamental Rights of the European Union, placing the burden on fundamental rights protection to accommodate AI that render enforcement uncertain and creating a preference for AI that undermines the principle of technological neutrality and principle of data minimisation enshrined in GDPR. In practice, the combination of vague thresholds and information asymmetries would make ex-post control by data subjects and DPAs illusory. The AI systems have the potential to increase social biases, particularly in cases where the training data reflects characteristics based on personal data. The necessity of bias correction is undeniable, however, such measures must be implemented without infringing upon the fundamental rights. The gap this paper addresses that substantive derogation for processing personal data and special category of personal data across AI lifecycles cannot be assessed in isolation from the institutional design and competence allocation within the data protection. The objective of this paper is to conduct a doctrinal analysis of the Digital Omnibus Proposal to assess the processing of personal data for the development of AI systems or models and to determine the extent to which human rights are protected and bias is addressed. The central research question is whether the Digital Omnibus Proposal lower the level of data protection safeguards guaranteed by the GDPR and Article 8 of the Charter of Fundamental Rights of the European Union by prioritising innovation over proportionality. Building on the identified risks to right to the protection of personal data, this paper examines whether the Commission’s proposed amendments to the GDPR satisfy Article 52(1) of the Charter of Fundamental Rights of the European Union, regarding the criteria of legality, necessity, and proportionality, while maintaining the GDPR’s technology-neutral protection architecture. This paper contests the Digital Omnibus Proposal’s premise of simplification, demonstrating instead that absent enforceable safeguards and independent supervision, simplification operates as derogation from the level of protection guaranteed by European data protection law. To comply with Article 52(1) and the independent supervision enshrined in Article 8(3) of the Charter of Fundamental Rights of the European Union, it urges either rejection of proposed Articles 9(2)(k), 9(5) and the related Article 88c of the GDPR or rephrasing to restore strict necessity, add verifiable safeguards, and coordinate institutional roles. This aligns the reform with constitutional requirements rather than administrative convenience.

ABSTRACT. There has been significant criticism of the enforcement of data protection law (see e.g. Lancieri, 2021; Gentile and Lynskey, 2022; Blockx, 2025). Ireland and the role of its national regulatory authority, the Data Protection Commission (‘DPC’), has come under considerable scrutiny in this context.

The DPC takes on particular important due to the decentralised framework for enforcement of the General Data Protection Regulation (GDPR) and the significance of the DPC as the lead authority for a number of large technology operators which have their headquarters in Ireland. The DPC has been criticised for overuse of amicable settlements as opposed to harsher sanctions such as fines or enforcement notices (e.g. Fiorentini, 2025, Domínguez De Olazábal, 2025). However, significantly, even when there has been an uptick in the issue of administrative sanctions by the DPC, reportedly most of these fines have gone uncollected due to ongoing judicial proceedings (Irish Times, 2024; Irish Times, 2026.)

One important dimension of enforcement which has not received due attention is the national procedural frameworks which must support the GDPR, as Member States currently retain autonomy over important components of the enforcement process (see also Gentile and Lynskey, 2022). This paper aims to offer such a contribution, adopting a mix methods approach to provide an account and analysis of the role of national procedural law in the enforcement activities of the DPC.

Based on a corpus of all the published judgments involving the DPC before the Irish Courts and a dataset of filings in the High Court of Ireland, this paper combines traditional doctrinal analysis with a content analysis to provide an account of the DPC’s activities before the Irish courts. This analysis is necessarily partial due to limitations in the availability of data, and nevertheless provides some important insights into the role that national procedural judicial proceedings play in enforcement of data protection law in Ireland. It also partially contributes to the gap of empirical evidence relating to enforcement of the GDPR identified by Li et al, 2023.

Alongside the descriptive contribution of the paper, three important analytic insights emerge from this study.

First, the complexity and proceduralism of data protection law, and the nature of the obligations thereunder, seem to be adding to the enforcement burden faced by the DPC.

Second, the DPC’s role as a public actor under Irish law, and the obligations of constitutionalised fair procedures to which it is subject, create additional challenges, placing a very high enforcement burden upon the DPC.

Third, a number of big tech actors seem to be weaponizing these national procedures in order to ‘flood the zone’ and undermine the enforcement capacity of the regulator. This echoes patterns of corporate resistance to tech laws at the EU level which has been observed by Weigl and Guzik, 2025, and von Bernuth’s argument that the assumption of ‘good faith’ in EU platform laws is leading to challenges of enforcement (von Bernuth, 2025).

While focused on the jurisdiction of Ireland, this nevertheless has important lessons and consequences for broader issues of the enforcement and enforceability of the GDPR across the EU and similar questions arising in relation to other data and digital laws.

ABSTRACT. The General Data Protection Regulation (GDPR) introduced a decentralised enforcement model based on proceedings conducted by independent national data protection supervisory authorities (DPAs) and, in cross-border proceedings, on the ‘one-stop-shop’ mechanism (OSS). While OSS aimed to ensure the consistent interpretation and application of EU data protection laws in cross-border cases, in practise several shortcomings have been revealed: fragmented procedural standards across Member States (MS), limited transparency for data subjects, a lack of specific rules of cooperation between DPAs, and slow resolution of complex cross-border complaints frequently involving large-scale, technology-driven processing operations. In response, the EU adopted additional procedural rules to improve cooperation among national data protection authorities – Regulation 2025/2518 (Procedural Regulation) – intended to harmonise key steps of cross-border complaint handling and to accelerate proceedings. The new regulations include, among other measures, structured exchanges of information between DPAs, formalised ‘summary key issues’ instruments, strict deadlines for completing investigations, mechanisms for faster resolution of straightforward cases, and enhanced procedural rights for complainants and investigated parties (including a right to receive preliminary findings and a right to be heard).

This paper aims to assess whether, under the assumptions, the Procedural Regulation will ensure faster and more coherent cross-border GDPR enforcement and, on the other hand, whether it aligns with the standards established by the Court of Justice of the European Union (CJEU, Court) in this matter. It puts forward two related arguments. First, despite introducing more explicit procedural rules and timeframes, the Procedural Regulation may not, in practice, meaningfully shorten proceedings and may, in some circumstances, create additional administrative burdens that risk slowing enforcement. Second, several design choices appear only partially aligned with the CJEU’s emerging procedural standards for GDPR enforcement, particularly regarding effective judicial protection, access to remedies, and the practical demands of sincere and effective cooperation within the OSS model.

Methodologically, the study conducts a doctrinal analysis of a dataset of 19 CJEU judgments relevant to GDPR enforcement and cross-border cooperation. An analysis of selected case law revealed several recurring themes, of which the following were relevant to the objectives of this article regarding the standards adopted by the Court: 1) due diligence and reasonable timelines in case handling: DPAs must handle and investigate complaints actively, without passivity or undue delay; the focus is on the obligation of diligent, effective engagement aimed at restoring compliance within a reasonable time; 2) binding decisions and full judicial review (the right to effective judicial remedy): according to the Court each DPA’s response to a complaint is a legally binding decision (including a dismissal or rejection) and, thus, national courts must be able to exercise full review over supervisory decisions while respecting the institutional independence of DPAs and the structure of administrative discretion; 3) the significance of ‘one-stop-shop’ mechanism and the principle of sincere and effective cooperation: the CJEU states that the principle of sincere and effective cooperation between DPAs is essential to ensure the correct and consistent application of the GDPR; 4) necessity and proportionality of enforcement measures: DPAs must select corrective measures within the limits of proportionality and justify their choices in a manner consistent with transparency and accountability.

The paper evaluates four key elements of the Procedural Regulation: 1) structured cooperation and information exchange; 2) the concrete timelines for investigations; 3) simplified procedures for resolving cases, namely the early-resolution mechanism and the simple cooperation procedure; and 4) the rights of complainants and parties under investigation.

First, determining the documents to be exchanged between DPAs may operationalise the principle of sincere and effective cooperation. Yet, the Procedural Regulation’s documentation requirements can contribute to overburdening the structures of DPAs, which already lack sufficient financial, technical, and human resources. Without parallel improvements in capacity, digital tooling, or incentives for responsiveness, formalisation risks becoming an additional layer rather than a genuine accelerator.

Second, the introduction of clear timeframes addresses a lack of predictability and may strengthen complainants’ ‘sense of certainty’. However, the time limits adopted in the Procedural Regulation are lengthy, compared to the current average time for resolving cases, which raises a question about whether the deadlines reflect the CJEU’s standard to act ‘with all due diligence’. Furthermore, timeframes alone do not guarantee the authority’s non-passivity: time limits can coexist with periods of low procedural intensity, and the Procedural Regulation does not necessarily ensure that each stage is pursued with the level of diligence implied by the Court’s standard.

Third, the accelerated resolution mechanisms (including the early-resolution mechanism and the simple cooperation procedure) aim to close straightforward cases sooner without commencing the OSS mechanism. While attractive on policy grounds, early resolution raises sensitive questions about compliance with the proximity principle and access to effective remedies, particularly judicial remedies. In consequence, while enduring procedural efficiency, this approach may put the data subjects at a significant disadvantage in asserting their rights.

Fourth, enhanced party participation (including the right to receive preliminary findings and the right to be heard) strengthens the transparency and gives parties to the investigations the possibility to access to the administrative files to express their views on the facts and legal conclusions, as well as the draft decision, which is a notable improvement in light of sense of certainty of the parties. It reflects the CJEU’s emphasis on the importance of robust procedural guarantees. At the same time, the structure of the participation process may still contradict the requirements of equality and effective participation of the parties, particularly in cases with a large amount of technical complexity, which already puts complainants at a disadvantage.

Two main conclusions can be drawn from this paper. First, despite the political promise of faster, more coherent enforcement in the cross-border cases, the Procedural Regulation: 1) may not in practise speed up proceedings; 2) early-resolution mechanism can repeat the risks of ‘amicable settlement’ and create risks regarding the access to effective judicial remedies; 3) added formalities may hinder cooperation and, in consequence, reaching a consensus. Second, it is evident that during negotiations on the Procedural Regulation, legislators did not take the CJEU’s standards into account. This raises questions about the role of the Court’s case law in the European legal system. In my opinion, through its judgments, the Court not only interprets current legislation but also highlights potential shortcomings in existing legislation that legislators may consider when introducing amendments. However, it appears that the CJEU’s standards were disregarded in the Procedural Regulation case.

ABSTRACT. Few concepts in GDPR enforcement are cited as often - and defined as vaguely - as dissuasiveness. This paper examines how the principle is articulated in the European Data Protection Board’s Binding Decisions and what this reveal about the evolving architecture of GDPR enforcement. While dissuasiveness forms part of the EU’s long‑standing enforcement triad, its normative content remains underdeveloped and unevenly applied across supervisory authorities. By analysing the EDPB’s jurisprudence, the paper maps emerging patterns in how deterrence is invoked, justified and operationalised, while also identifying persistent ambiguities that the Board has not yet resolved. Particular attention is given to the arguments raised by national authorities during dispute resolution, including unresolved tensions around proportionality, harm, economic advantage and the relationship between general and specific deterrence. The analysis shows that the EDPB’s decisions provide partial guidance but fall short of offering a coherent or comprehensive account of what makes a sanction dissuasive. The paper therefore highlights the issues that require further clarification if dissuasiveness is to develop into a clearer and more normative standard within the EU’s enforcement framework. It ultimately argues that clarifying this principle is essential not only for effective GDPR enforcement but also for shaping the balance of authority, accountability and autonomy in the EU’s broader digital governance landscape.

ABSTRACT. Online platforms’ shaping data access under the GDPR. An empirical study into uses of Data Download Packages

Big online platforms collect large amounts of digital traces about individuals giving rise to numerous societal, ethical and legal concerns. These online platforms often restrict people’s access to data they hold, by raising obstacles and encapsulating data in opaque ways. In response to these practices, regulators introduced requirements of transparency in the past decades; regulators began explicitly prescribing more detailed transparency obligations and rights, requiring that it should be transparent to natural persons that data concerning them are processed, and what implications this processing may have, and elsewhere, such as in the California Consumer Privacy Act 2018.

Within the EU, transparency obligations are present across different digital policy instruments such as EU’s Digital Markets Act, Data Act, Digital Services Act, the AI Act, and the General Data Protection Regulation (for an overview of recent transparency provisions introduced across legal frameworks in the EU’s digital policy agenda, see Ausloos 2023). These provisions are significant in light of dominant (digital) political economy paradigms, where human well-being and personal autonomy are often subordinate to the priorities and values of powerful economic and state actors.

An important source of transparency rights can be found in the GDPR, and in Art. 8 of the EU Charter of Fundamental Rights. Transparency and access rights constitute the core tenet of EU data protection law, with a broad scope aimed at empowering data subjects. Given the GDPR’s key objective is to protect and empower individuals concerning their personal data, the GDPR sets high standards for controller compliance. The GDPR requires data controllers to comply with its transparency provisions, most of which can be found in GDPR’s Chapter III, ‘the rights of the data subject’. Pursuant to the GDPR, controllers must inform data subjects ex ante about their intentions, the personal data they seek to process, and third parties they might obtain or share personal data from/with.

Controllers usually inform subjects through privacy notices/policies, which must be complete, written in concise and accessible form, and in clear and plain language. Ex ante information rights are complemented by an ex post right of access; i.e., to request confirmation that personal data concerning the individual are being processed, to receive individualised details on the processing operations, and a full copy of all personal data being processed. Controller responses must be written in concise and accessible form, in clear and plain language meaning that controllers must tailor information to the particular situation of the individual, and be complete, presenting an individualised overview of all personal data involved in the controller’s data processing activities.

Notably, GDPR’s access rights are purpose-blind; they do not require a particular motivation and can be deployed to support and safeguard a wide range of interests, rights and freedoms. This purpose-blindness has permitted different uses – from invoking data rights to achieve better work conditions, to reverse-engineer discriminatory credit scoring algorithms, to disclose unethical practices by investigative journalistic uses of data rights. Access rights are increasingly used in investigative research, by journalists, rights defending organisations, and academic researchers, especially in social and communication sciences.

Online platforms often respond to access requests through online forms generating so-called “data download packages” (‘DDPs’), i.e., an online platform’s self-engineered software tool communicating responses to the data subjects. The data subject receives a.zip file filled with various data files, such as .csv, JSON or .html. DDPs can, in theory, offer useful tools to fulfil a controller’s transparency obligations.

Controllers often face disincentives to provide full transparency and completeness of information to which data subjects are entitled. The right of access allows data subjects to inspect the processing of ‘their’ data, enabling them to expose unlawful processing, to facilitate data portability or data deletion. Access also enables scrutiny by researchers, journalists or NGOs, potentially opening controllers up to regulatory scrutiny or fines, reputation loss, or to changes in their business model. Full compliance with the GDPR’s transparency obligations, controllers may claim, may however reveal business-sensitive information. Moreover, producing both a complete and individualised overview of a data processing operations concerning a data subject likely require a business’s substantial resources. Faced with these disincentives, controllers may prefer operationalising overly constrained understandings of their transparency obligations, for instance, by limiting the scope of data included in DDPs.

Controllers seeking to reduce their transparency duties might look for opportunities to push their own interpretation of transparency obligations with access rights. Instead of observing the text and rationale of legal obligations, case law, or regulatory guidance as issued by the European Data Protection Board, businesses may try to operationalise their own business-oriented interpretation of the GDPR’s transparency obligations. Such practice may however lead to twisted interpretations and faulty compliance, effectively undermining access rights. In our empirical research, we identified examples of such (mis)interpretations, by revealing how controllers deployed their DDPs, which, we argue, are the site of ‘‘interpretive entrepreneurship”, a term introduced by Durkee in the context of international law where private actors laws aim to regulate vigorously develop and operationalise their own interpretations of a law to shape that law’s understanding in a way benefitting the business’s interests. Durkee refers to businesses’ practices “developing the law by interpreting it", where a business proactively seeks to shape regulators, agencies, courts, the public at large – should comprehend and apply a law as applied by that business. Interpretative entrepreneurship occurs between regulatory intentions to empower data subjects on one hand, and controller interests in remaining opaque and minimising regulatory costs. This practice denotes deliberately shaping the interpretation and application of legal obligations to protect one’s business model or “a [businesses’] act of developing the law by interpreting it”. Controllers wishing to reduce their transparency duties will look for strategic opportunities to push their interpretation of legal obligations. Instead of observing the text and rationale of legal obligations, case law, or regulatory guidance, online platforms may try to influence these by operationalising their own constrained interpretation of the law. This may lead to twisted interpretations and faulty compliance, effectively undermining GDPR’s transparency and access rights.

The aim of this paper is to explore whether the GDPR’s transparency obligations and data access rights as operationalised through DDPs are subject to considerable entrepreneurship by the social media platform controllers under review. The interpretive entrepreneurship aspect means that defective compliance is not flagrant, but unobtrusive and sophisticated.

We first describe the key features of the concepts of interpretive entrepreneurship (§2) and of the GDPR’s data access rights (§3) while providing examples of how interpretive entrepreneurship occurs in current practices. We then demonstrate, based on empirical research, how interpretive entrepreneurship has occurred in interpretations of the GDPR’s access rights by eight online platforms (Facebook, Google, Instagram, Netflix, Spotify, TikTok, WhatsApp and X/Twitter) through their uses of DDPs. We close our evaluation with reflections regulators may consider tackling these practices. The description of interpretive entrepreneurship is based on law, legal and law-business-oriented literature research, case law, and regulatory guidance. The methodology of our two empirical studies is described in §4.

ABSTRACT. This panel will explore the forthcoming implementation of the EU’s e-Evidence Regulation (EU 2023/1543) (‘the Regulation’), which will apply from August 2026 and fundamentally reshape cross-border criminal investigations in Europe.

Moderated by Eleni Kosta, Full Professor at Tilburg University, the discussion will trace the life cycle of a European Production Order (EPO), examining the roles, responsibilities, and challenges faced by key actors at each stage of this new legal framework.

The panel features four critical perspectives, each presented by a leading expert in the field:

1. Issuing law enforcement authorities: Stanislaw Tosza, Professor, University of Luxembourg Addressing the practical and normative challenges faced by law enforcement, including assessments of necessity, proportionality, and mutual trust, as well as the activation of notification obligations to ensure procedural fairness and respect for fundamental rights. The presentation will focus on the substantial preparatory activities and assessments required to issue preservation and production orders, such as establishing the suspect’s residence, determining the scope of the Regulation, and assessing potential privileges or immunities.

2. Addressed online service providers: Gavin Robinson, Assistant Professor, Leiden University Focusing on corporate responsibilities, including due diligence in executing EPOs, navigating potential conflicts with third-country laws, and ensuring compliance with GDPR when handling e-evidence requests. The discussion will highlight the quasi-judicial role of service providers in reviewing orders, the grounds for refusal, and the structural vulnerabilities that may arise from asymmetries in legal and financial capacity.

3. The judge in the issuing state: Vanessa Franssen, Professor, ULiège and Affiliated Senior Researcher, KU Leuven Analysing the judicial review criteria for authorising production orders, the complexities of balancing fundamental rights limitations, and the application of the ne bis in idem principle in cross-border contexts. The presentation will address the terminological ambiguities and fragmented judicial roles introduced by the Regulation, as well as the judge’s role in approving orders, responding to refusal grounds, and adjudicating conflicts with third-country laws.

4. The defence attorney at trial: Marc van der Ham, Researcher, Tilburg University Highlighting the rights of the defence and the challenges arising in the enforcement and use of e-evidence during prosecution, with a focus on transparency, accountability, and the protection of legally privileged communications. The discussion will critically examine the Regulation’s impact on the fairness of criminal proceedings, the risks of arbitrary application, and the lack of harmonised standards for evidence admissibility and legal privilege.

Through concise opening presentations and moderated dialogue, panellists will illuminate the legal, practical, and fundamental rights dimensions inherent in applying the Regulation. The panel aims to foster critical reflection on how to safeguard fundamental rights while enhancing the effectiveness and fairness of transnational criminal justice.

This panel directly engages with the core themes of TILTing 2026, exploring how the Regulation embodies the EU’s attempt to reconcile innovation with democratic values in a fragmented digital governance landscape. The Regulation seeks to streamline cross-border access to electronic evidence, a critical enabler of law enforcement innovation, while embedding fundamental rights safeguards and procedural fairness into its design.

Yet, its implementation raises profound questions about the authority to govern technology in a multi-centric world:

• How can Europe assert its normative vision of digital justice when the infrastructures and platforms underpinning e-evidence (e.g. cloud services, encryption, data flows) are dominated by non-European actors with competing legal and geopolitical agendas?

• How can the protection of fundamental rights and the rule of law be upheld when public institutions are increasingly challenged by the opportunities digital technologies offer criminals to evade justice, while governments may also exploit or justify overreach in response to these challenges?

By examining the roles of law enforcement, corporations, judiciaries, and defence attorneys, the discussion will uncover the fault lines between efficiency and rights protection, harmonisation and normative diversity, and European leadership versus dependence on global tech giants. In doing so, it contributes to the conference’s call for inclusive dialogue on co-governance arrangements that are flexible, legitimate, and resilient, offering insights into how legal frameworks can guide technological progress without sacrificing the rule of law or human flourishing.

ABSTRACT. Algorithmic decision-making systems, including AI-driven tools, now shape core competitive parameters such as pricing, output, inventory management, ranking, and strategic forecasting. While these technologies can generate substantial efficiencies, they also reshape incentives and market dynamics in ways that challenge established competition law doctrines. The past couple of years has seen significant regulatory and caselaw development in this area – but the questions involved remain largely unsettled.

This panel, bringing together leading academics who have written on the subject, takes stock of what competition scholars and policymakers already know—with reasonable confidence—about the competitive effects of algorithms, and where uncertainty, disagreement, or evidentiary gaps remain. Moving beyond the well-explored literature on algorithmic price coordination, the discussion will focus on underexamined but increasingly salient issues, including: • Algorithm-driven unilateral conduct, such as exclusionary design choices, self-preferencing, and feedback effects • The role of algorithms in entrenching or amplifying market power absent explicit coordination • Implications for merger control, including theories of harm involving data, learning effects, and dynamic competition • The limits of existing enforcement tools and evidentiary standards in algorithm-mediated markets

By synthesizing insights from law, economics, and technology–informed scholarship, the panel aims to distinguish robust findings from speculative concerns and to identify priority areas for future research and enforcement.

ABSTRACT. The rapid development and dissemination of deepfake technologies mark a qualitative shift in the governance challenges posed by digital media. Unlike earlier forms of manipulated or misleading content, deepfakes rely on generative artificial intelligence to produce highly realistic synthetic audio-visual representations that can convincingly simulate real persons(Allen, 2021; Chesney & Citron, 2024; Kuźnicka-Błaszkowska & Kostyuk, 2025). This capacity to fabricate appearances, speech, and events at scale has profound implications for democratic discourse (Bennet, 2023; Dobber et al., 2021), journalistic practice (Wu 2023), and public trust(Twomey et al., 2023). At the same time, deepfakes occupy an ambivalent legal position: while they may cause significant harm, they can also constitute protected expression, including satire, artistic creation, or political critique(Barber, 2023). This tension places deepfakes at the intersection of AI governance, platform regulation, and fundamental rights protection, an intersection that lies at the core of Track 4’s focus on power, accountability, and digital infrastructures. This paper examines how the European Union’s two central digital regulatory instruments, the Artificial Intelligence Act (AI Act) and the Digital Services Act (DSA), collectively govern deepfakes, and whether their interaction produces a coherent, democratically legitimate framework. The central argument is that, while the EU has taken an ambitious regulatory approach, deepfakes reveal structural weaknesses in the current governance model, particularly the reliance on platforms to operationalise vague legal standards through private content moderation and risk management systems. As a result, regulatory power over public discourse is increasingly delegated to private actors, raising concerns about legal certainty, accountability, and freedom of expression (Kuźnicka-Błaszkowska, submitted). The AI Act addresses deepfakes primarily through a risk-based regulatory architecture and targeted transparency obligations. Synthetic media systems capable of generating or manipulating content are generally not classified as “high-risk” unless they are deployed in specific regulated contexts(Łabuz, 2023). Instead, the AI Act relies on horizontal obligations requiring providers or deployers to disclose that content has been artificially generated or manipulated (art 50 AI Act). While this approach reflects an attempt to preserve innovation and expressive freedoms, it also leaves significant discretion in determining when and how deepfakes should be identified, labelled, or restricted. The paper argues that this design choice creates uncertainty both for regulated actors and for individuals exposed to deepfake content, particularly where disclosure obligations are unevenly enforced or technically difficult to implement. The DSA approaches deepfakes from a different regulatory angle, focusing on systemic risk mitigation and platform responsibility for illegal and harmful content. Deepfakes are not regulated as a distinct category; instead, they are addressed indirectly through obligations imposed on very large online platforms (VLOPs) to assess and mitigate risks to civic discourse, electoral processes, and fundamental rights and remove illegal content. These obligations include the implementation of content moderation systems, algorithmic adjustments, and cooperation with trusted flaggers. While the DSA explicitly states that platforms are not subject to a general monitoring obligation, the practical effect of its risk-based duties is to encourage proactive moderation and automated detection of potentially harmful content, including deepfakes. The paper’s first contribution is a doctrinal analysis of how deepfakes are legally constructed under the AI Act and the DSA, both separately and in interaction. It demonstrates that the two regimes rely on different conceptualisations of risk, responsibility, and harm, resulting in a fragmented regulatory landscape. The AI Act focuses on the characteristics of the technology and the obligations of AI system providers, while the DSA centres on the systemic effects of content circulation and the organisational duties of platforms. The absence of clear coordination mechanisms between these frameworks creates regulatory gaps, particularly with regard to enforcement and the allocation of responsibility between AI developers, content creators, and platforms. The second contribution lies in the paper’s critical examination of platform accountability. Drawing on the concept of “censorship by proxy,” the paper argues that legal uncertainty within both the AI Act and the DSA incentivises platforms to err on the side of over-removal of contested content (Kuźnicka-Błaszkowska, submitted). Faced with high compliance costs, reputational risks, and potential sanctions, platforms may adopt overly restrictive moderation practices, especially in relation to political or journalistic content that incorporates synthetic media techniques. This dynamic risks chilling lawful expression and disproportionately affecting actors who rely on platforms to reach the public, such as independent journalists, activists, and civil society organisations (Caruso 202). From a governance perspective, this shifts crucial decisions about the boundaries of acceptable speech from democratically accountable institutions to private companies operating under opaque rules (Suzor 2019). The third contribution of the paper is methodological. In addition to doctrinal legal analysis, it integrates qualitative insights from semi-structured interviews with journalists and civil society actors engaged in media freedom and disinformation monitoring. These interviews provide an empirical perspective on how deepfake regulation and platform governance are experienced in practice. By incorporating these perspectives, the paper bridges the gap between law-on-the-books and law-in-action, responding to calls within socio-legal and critical AI governance scholarship to ground normative analysis in lived experience. The paper situates its findings within broader debates on EU digital constitutionalism and risk-based regulation. It argues that the governance of deepfakes exemplifies a broader trend in EU digital law: the use of flexible, technology-neutral standards combined with extensive delegation of implementation to private actors. While this model offers adaptability, it also raises questions about democratic legitimacy, transparency, and effective remedies for rights violations. In the context of deepfakes, these concerns are particularly acute, given the stakes for public trust, electoral integrity, and freedom of expression. The paper concludes by outlining normative implications for future regulatory development. It argues for clearer legal standards regarding deepfakes, stronger procedural safeguards for users affected by content moderation decisions, and a more explicit allocation of responsibility between AI system providers, content creators, platforms, and public authorities. Rather than relying predominantly on platform-based enforcement, the paper suggests that deepfake governance should be embedded within a more robust public oversight framework that aligns technological regulation with fundamental rights protection. By critically analysing how deepfakes are governed at the intersection of AI regulation and platform law, this paper contributes to Track 4 by illuminating how emerging digital governance regimes redistribute power, reshape accountability structures, and challenge democratic freedoms in the digital public sphere.

ABSTRACT. The blocking of social media and the restriction to people’s access to online platforms have become, in several parts of the world, widely employed instruments to fight against misinformation and hate speech as well as to guarantee public order and national security during periods of social unrest and delicate political moments. Nonetheless, orders imposed by public authorities to limit or completely block access to specific social media platforms, or to social media in general, have the potential to severely impact fundamental rights such as freedom of expression and assembly, as well as access to information. Social media crackdowns, as examples of the broader category of internet shutdowns, have given rise to a lively and complex legal debate concerning the legitimacy and proportionality of such invasive measures and, more generally, the possibility of regulating and controlling access to social media by State institutions. The role of courts in advancing this debate and in evaluating respect for fundamental rights, as well as the balancing exercise carried out by public authorities, has become increasingly relevant in recent years. Human rights advocates have often denounced the lack of a proper legal basis governing social media shutdowns and have called for judicial intervention. This has proven crucial in prompting legislative debates on such instruments and in reinforcing guarantees and safeguards to ensure that limitations on access to social media do not become tools of political repression and control. This contribution intends to analyze the role of courts in different legal systems, using a comparative law method, in order to identify common grounds, principles and evaluation approaches. The investigation will focus on the most recent and relevant case law of supreme and international courts concerning government-imposed social media blocks. In particular, it will examine the case decided by the French Conseil d’État concerning the blocking of TikTok in Nouvelle-Calédonie, a decision of the ECOWAS Court of Justice, as well as a Supreme Court–related case in Nepal. The contribution ultimately aims to show how social media governance requires serious reflection involving not only on issues of disinformation and content moderation but also, more broadly, on the very possibility of accessing such platforms. Although most cases originate in Global South countries, where democratic institutions are still consolidating, the decision of the French Conseil d’État stands as a key example demonstrating that limitations on social media access and the balance between control and freedoms must be carefully scrutinized even in established democracies. The contribution will begin by underlining the challenges and legal issues connected to social media shutdowns. As underlined by 2022 Report of the Office of the United Nations High Commissioner for Human Rights, unlike ongoing filtering activities, shutdowns are characterized by a voluntary alteration of an existing operating state of the Internet. Experts identify six categories of Internet disruption among which we can find national or subnational shutdowns of apps or services (including VoIP services such as Skype). Such targeted interferences of communication platforms are increasingly widespread. This necessary definitional introduction, which also highlights the impacts on fundamental rights and is based on a review of the most relevant literature, will then move to the analysis of case law, starting with the judgment of the Conseil d’État (no. 494511, 1 April 2025) on the legality of the blocking of TikTok in Nouvelle-Calédonie in May 2024 for reasons of public order and national security. In this decision, the French Court specified, for the first time, the conditions under which the Prime Minister may temporarily block access to social media, recalling the need for exceptional circumstances and specific requirements. On this basis, the Court held that the Prime Minister’s decision was unlawful. Similarly, in May 2025, the Community Court of Justice of the Economic Community of West African States (ECOWAS Court), in case ECW/CCJ/APP/37/23 concerning the Republic of Senegal, delivered a pivotal decision, anticipated by an earlier ECOWAS judgment of 2020 (ECW/CCJ/JUD/09/20 concerning the Togolese Republic). Following the controversial decision of the Senegalese government to block major social media platforms in 2023 during a period of political unrest, the Court articulated crucial considerations regarding the legitimacy of social media blocks. It recognized that access to social media today constitutes an essential derivative of freedom of expression and access to information, protected by the African Charter on Human and Peoples’ Rights as well as by the International Covenant on Civil and Political Rights. The absence of proportionality, necessity and a proper legal basis was identified as determining the unlawfulness of social media blackouts imposed by public authorities. The recent case of Nepal will also be examined. Although there is no definitive case law at present, the blocking of several social media platforms in Nepal triggered widespread public protests, including anti-corruption demonstrations led particularly by Gen Z citizens. The government justified its decision (Notice by the Ministry of Communication and Information Technology on Managing the Social Networking Platform Usage in Nepal, 28 August 2025) by referring to a previous legislation (Directive of Management of Social Media, 2080) and on a decision of the Nepalese Supreme Court (Case No. 080-CF-0012 (2024/2025)), which required the adoption of specific regulatory measures for social media, including mandatory registration and oversight by an independent authority. The subsequent proposed legislation (Social Media Bill 2081), which was criticized by activists as well as by UNESCO (https://articles.unesco.org/sites/default/files/medias/fichiers/2025/03/SM%20bill%20legal%20Analysis%20%283%29.pdf), formed the basis of protests that erupted in 2025. Several petitions were filed by activists challenging the legality of both the ban and the regulatory framework governing online platforms and these cases are currently pending before the Supreme Court of Nepal. Based on the analysis of the aforementioned cases, the contribution aims to underline that social media platform governance poses multiple problems and legal questions: the blocking of social media, through orders issued by public authorities to prevent access to platforms, is a practice that is rapidly expanding and therefore requires careful analysis. Although jurisprudence remains limited, there is a growing number of cases in which activists and civil society challenge social media shutdowns as violations of fundamental rights, pointing to a global trend toward the judicialization of digital rights. The role of courts thus proves crucial in fostering this legal debate, in shaping platform governance, and, within the specific case studies analyzed, in determining how to properly balance online freedoms with the need to exercise certain forms of control over social media, particularly when they may be used to endanger security. Essential bibliography: G. De Gregorio, N. Stremlau, Internet Shutdowns and the Limits of Law, in International Journal of Communication, 14:4227, 2020; G. Formici, Access denied: gli Internet shutdowns alla prova del diritto. Spunti di riflessione a partire dalla giurisprudenza della Supreme Court indiana. DPCE Online, 57(1), 2023; N. Mulani, The Politics of Internet Shutdowns. Governance Lessons from Kashmir’s Internet Shutdowns, in Verfassungsblog, 20 December 2022; United Nations High Commissioner for Human Rights, Internet Shutdowns: Trends, Causes, Legal Implications and Impacts on a Range of Human Rights, A/HRC/50/55, 2022.

ABSTRACT. X’s suspension of the European Commission’s advertising account, Mark Zuckerberg’s public assertion of platform‑governance prerogatives that signalled practices potentially at odds with statutory expectations, Cloudflare’s threat to exit Italy after a fine, and Apple’s resistance to and contestation of its gatekeeper designation under the Digital Markets Act, on the grounds that the interoperability requirement would distort its product integrity, together crystallised a governance dilemma involving states and powerful digital platforms. These episodes are symptomatic of a deeper structural dynamic in which platforms and states sometimes co‑produce the governance environment and then contest its meaning and limits. They illuminate two complementary pathways into this entanglement. First, an acute coercive event, exemplified by the X–European Commission suspension, shows how a dominant private platform can, in particular circumstances, curtail sovereign communication by constraining speech. Second, a discursive and organisational signal, captured by a platform executive’s public posture, reveals how corporate rhetoric and policy posturing can reshape expectations about platform governance of public communication and may prefigure practices that conflict with statutory requirements for content moderation. Together, these pathways demonstrate how state-platform power struggles weaponise authority, with ordinary users bearing the consequences.

This paper, grounded in doctrinal research and situated within the European Union’s platform‑regulation regime, reconceptualises state–platform power dynamics by treating entanglement as a durable, adversarial contest over authority rather than merely a set of paradoxes or a one‑sided capture by platforms. Drawing on niche‑construction from ecology and the security dilemma from international relations, it develops, 'Contested Entanglement Theory', which frames state–platform relations as a materially mediated contest capable of producing governance outcomes that reflect both user‑protection aims and deeper power struggles. The theory contends that the pendulum can tilt bidirectionally: while platforms often enjoy an advantage owing to their technical familiarity with the online terrain and its sanitisation, this advantage is not absolute; the state retains legal, regulatory and institutional levers that, in specific contexts, can countervail platform power and reshape the balance of authority. Building on work that identifies market and infrastructural forces as drivers of platform regulation, the paper proposes Contested Entanglement Theory as a plausible mechanism through which those forces coalesce into regulatory imperatives. This dynamic carries significant implications for the right to freedom of expression. The theory synthesises niche construction from ecology and the security dilemma from international relations to explain how legal or technical inscriptions and reciprocal insecurity produce escalation dynamics that proceed from trigger to retaliation to settlement to institutionalisation, thereby generating systemic effects that matter for user rights and the principles of democratic fairness.

Online platforms operate as territorialised spaces whose material and informational effects extend beyond the virtual domain into the physical realm. This overlap creates a pressing need for coexistence and shared governance: ‘platform governors’ must legitimately recognise the constitutional stakes of their design and enforcement choices, while traditional authorities must develop calibrated tools and institutional practices to assert oversight and, where appropriate, compel compliance. Those levers can collide, producing institutional friction and power struggles as each actor seeks to assert authority and shape the governance of the online realm. Niche construction supplies the ontological claim that authority is materially produced: in ecology, organisms modify their environment and thereby alter selection pressures for themselves and others. Transposed to digital governance, actors do not merely announce rules; they reshape the environment in which rules operate. Application‑programming‑interface (API) and code restrictions change what third parties can do and how transparency and accountability are enforced; moderation pipelines and firmware updates alter the affordances of speech. These governance acts materially embed change, reconfiguring incentives and observability for other actors and for subsequent governance choices. This account does not imply that EU platform regulation is merely a conditioned response to platform‑driven selection pressures in every case. The state itself generates selection pressures through legal design, enforcement priorities and institutional practice, and these pressures in turn condition platform behaviour and regulatory outcomes. However, some regulatory measures are exogenous, anticipatory or normative: they arise from constitutional commitments, political choices, public‑interest concerns or efforts to correct market failures and may precede or deliberately constrain platform behaviour. In short, platform‑driven selection pressures are a powerful causal mechanism in many instances, but they are neither the sole nor a deterministic source of regulatory change; causation is often bidirectional and contingent. The security dilemma supplies the strategic claim that such inscriptions are often interpreted as threats. Defensive inscriptions, whether technical, contractual or legal may be read by the counterparty as hostile. A platform tightening API access to prevent compelled disclosure may be construed by a state as obstruction; a state threatening fines for non‑compliance may be construed by a platform as an attempt to capture governance prerogatives. These reciprocal moves can escalate until a settlement emerges, which then hardens into a durable feature of the governance landscape. Recognising this contested entanglement matters for courts and regulators: not every intervention is democratic or user‑centric, so courts and regulators must distinguish legitimate, user‑protective measures from partisan or strategic controls. This reconceptualisation renders the DSA’s reforms more implementable, evidence‑sensitive, and legally tractable for regulators and courts, thereby enhancing protection of users’ fundamental rights.

Combined, these two source theories explain why materially inscribed governance choices do not merely change capabilities but also generate strategic perceptions that produce escalating cycles. Contested Entanglement Theory rests on three interlocking propositions. First, mutual dependency: platforms supply infrastructure, reach and operational capacity that regulators require for enforcement, public communication and information dissemination; the state supplies legal legitimacy, market access and enforcement capacity. This mutual dependency generates repeated interactions in which each actor can materially influence the other. Second, asymmetric leverage: each actor holds distinct coercive tools, and leverage is context-dependent, which can be protective or politically instrumental. A state may wield fines, criminal sanctions, platform bans, or regulatory designation; a platform may wield account suspension, algorithmic throttling or API restrictions. The deployment of these tools all have implications for the right to freedom of expression. Third, institutional hardening: repeated settlements ossify into norms, standards and technical defaults that privilege either both or one actor. What begins as an ad-hoc accommodation can become a durable feature of the governance landscape through path dependence and lock‑in.

These argumentative foundations are framed and supported by mapping regulatory regimes that reflect the shift in information‑control governance and platform‑obligation dynamics, such as content moderation, transparency and accountability, from the e‑Commerce Directive to the Digital Services Act (DSA). Those regimes illustrate the state’s increasing oversight role and the legal basis for bringing ‘digital governors’ within statutory remit. The law seeks leverage over ‘delegates’ while platforms, long accustomed to self‑regulation, assert governance prerogatives that may carve out practices inconsistent with statutory norms. Attempts to impose order therefore risk provoking defensive consolidation, strategic resistance or reaction as each actor protects its perceived domain of user‑guardianship. Analysing mutual reinforcement as a bi-polar risk, resulting from each entity guarding and reinstating its power over the other, the paper traces these dynamics back to early internet regulation debates, including cyber‑libertarianism, cyber‑paternalism, and network‑communitarianism, in order to provide focused insights into how to confront these institutional power struggles for a more robust, user‑centric ecosystem.

Limitations: European Union regulatory change is necessary to justify the claims advanced in this paper, but it does not ensure the generalisability of the postulated state–platform entanglement, nor does it displace other power dynamics identified in the literature or eliminate cross‑national heterogeneity in how platform regulation unfolds. The analysis is deliberately confined to speech and information control and does not address other regulatory domains. The study focuses on dominant platforms; the size, market position, or transnational scope of a platform’s operations may materially affect the paper’s claims and the degree to which regulatory settlements harden. Methodologically, the study applied explicit selection criteria and relied on a small number of industry events to exemplify the argument; this approach therefore risks availability bias, selection bias, and limited generalisability, and calls for cautious interpretation of the findings.

ABSTRACT. Wikipedia, the free encyclopedia, is commonly regarded as one of the primary sources of information worldwide. Its source-based editorial model, combined with a vast, international community of volunteers committed to updating articles and countering vandalism, has contributed through the years to its reputation as a generally reliable and broadly accessible source across political and geographical boundaries (Giles, 2005; Lih, 2009). As a paradigmatic example of a self-governed (Jemielniak, 2014; Lombardi, 2024) and self-regulated (Sileoni, 2011; Jankowski et al., 2025) platform, its economically and content-related ‘free’ nature has increasingly been unwelcome in authoritarian States, where governments actively seek to control information and shape public discourse through both legal and technological means, often by promoting their own political agendas. In such contexts, digital platforms cease to function as neutral intermediaries and instead become sites of political propaganda, in which content moderation practices and access to information are directly subordinated to State interests. It therefore comes as no surprise that Wikipedia has been banned in China, North Korea, and Myanmar, while individual editors have faced prosecution in Belarus, Saudi Arabia, and Syria (Clark et al., 2017), evidencing how the ‘enemies’ of a free Internet are spread across the globe (Frosini, 2023). A particularly significant case study is provided by the Russian Federation. Following the invasion of Ukraine in 2022, the Kremlin implemented a stringent legal framework aimed at suppressing what was deemed ‘foreign influence’ and ‘anti-Russian sentiment’. Through Federal law № 32-FZ/2022, which introduced art. 207.3, par. 3, of the Criminal Code, the dissemination of ‘fake news’ concerning the Russian armed forces or the ‘special military operation’ became punishable by up to fifteen years of imprisonment. A series of further legislative acts has been enacted over the past three years to consolidate this regulatory trajectory. Such a legislative intervention effectively made independent contributions increasingly risky, exposing them to the possibility of being classified as digital offenses against the State. This ultimately established the legal basis for extensive forms of content moderation enforced through the threat of criminal prosecution (Šerstoboeva, 2024). Legislative action has followed two interconnected trajectories. On one hand, plural and transnational sources of information have been progressively delegitimized and portrayed as threats to national security. On the other hand, the Russian Government has actively supported the development of a domestically controlled platform capable of reaching wide segments of the population, including users who have increasingly disengaged from traditional media. This dual strategy demonstrates how contemporary platform governance operates not solely through overt censorship, but through the strategic reconfiguration of the informational environment. These measures have had a direct effect on Russian-language Wikipedia and on Wikimedia Russia (WMRu), the national chapter of the Wikimedia Foundation. Editors contributing to articles related to the war in Ukraine or to other politically sensitive topics face the risk of surveillance, prosecution, and incarceration, despite formal guarantees of anonymity (Kurek et al., 2025). As a result, Wikipedia’s governance mechanisms were forced to adapt defensively: information about the authors of the edits has been removed from the Chronology, while warnings in the form of prominent, red blocks appear on Discussion pages, urging users residing in Russia or Belarus not to disclose personal data. At the institutional level, pressure also mounted against Wikimedia Russia. In December 2023, its executive director was forced to resign from his academic position at Moscow State University amid threats of being designated a ‘foreign agent’, a classification that was ultimately applied to WMRu itself in March 2024. As mentioned above, these legal interventions were not only aimed at restricting freedom of expression online and access to information on existing platforms. They also sought to enable the emergence of an alternative, State-controlled information platform: Ruwiki. The not-so-free encyclopedia was launched in January 2024 and explicitly promoted as a new primary source of ‘reliable information’ for the Russian population (Rožkov, 2024). Ruwiki was conceived not merely as an alternative encyclopedia, intended to replace Wikipedia altogether, but as an instrument of State propaganda. Its content was extracted from Russian Wikipedia, systematically omitting and rewriting all the elements deemed to be ‘Western disinformation’. Ruwiki’s stated objective is therefore to supplant Wikipedia with a platform characterized by centralized control over content and editorial decision-making (Trokhymovyč et al., 2025). In particular, all criticisms against Vladimir Putin and other Government members were removed, as well as international condemnations of Russian military actions. Entries related to the war in Ukraine were rewritten to conform to official State narrative, thereby transforming the encyclopedia into a vehicle for State-sponsored disinformation. A key example is provided by President Putin’s biographical article, in which references to international arrest warrants and judicial proceedings were omitted entirely. Within the section ‘Controversies’, the only remaining criticism concerns his habitual lateness to international meetings. Such editorial choices illustrate how platform-level governance can be mobilized to normalize disinformation, while preserving the formal appearance of neutral and objective encyclopedic knowledge. In contrast to Wikipedia’s decentralized and community-driven model, Ruwiki’s governance structure operates under legally and institutionally opaque conditions. Although officially funded by undisclosed private investors, the platform maintains clear but informal connections with the Russian government. These ties are evidenced by extensive State-supported advertising campaigns, including promotional materials, bearing the notorious slogan ‘Знаешь, где узнать’ (literally: ‘Know where to know’), displayed for months on administrative buildings. Further confirmation of institutional backing came with Ruwiki’s receipt of the RUNET Prize, awarded by the Federal Agency for Press and Mass Media. The resulting blurring of public and private authority raises significant concerns regarding accountability and transparency in platform governance. From a technological perspective, Ruwiki further diverges from the fully human-edited Wikipedia through its reliance on artificial intelligence for content production and moderation. The platform is not open to public editing; instead, it operates through the LLM YandexGPT under the supervision of an internal editorial team. YandexGPT performs multiple governance functions simultaneously: it flags content considered ‘anti-patriotic’, alters or suppresses undesirable information, and actively manipulates search outcomes. Users are thus presented not only with the information they explicitly search for, but also with additional content deemed ‘appropriate’ by the system. While similarities may be drawn with recently launched Elon Musk’s Grokipedia, Ruwiki represents a far more centralized and State-driven model of algorithmic content moderation (Meduza, 2025). The proposed intervention and the subsequent paper would therefore adopt an interdisciplinary approach to examine Ruwiki as a critical case study of contemporary platform governance. Firstly, it would analyze the legal framework enabling State intervention in digital platforms, illustrating how criminal law and regulatory measures can be employed to systematically constrain freedom of expression and access to information. Secondly, by conducting a necessary ‘technological analysis of law’ (Iannotti della Valle, 2023), it would provide a multifaceted comparison between Wikipedia and Ruwiki, highlighting how divergent governance structures produce radically different outcomes for content moderation and informational pluralism, with direct implications for fundamental rights. Finally, a sociological approach would assess the impact of this not-so-free, AI-driven encyclopedia on public opinion formation, focusing on its role in shaping political attitudes within the Russian population in order to maintain the current political status quo. The paper ultimately argues that Ruwiki may constitute a dangerous precedent: a State-governed digital platform that combines legal coercion, AI content moderation, and disinformation to redefine the boundaries of government-allowed knowledge. By transforming an encyclopedia into an instrument aimed at spreading nationalistic propaganda, this model raises critical questions about freedom of expression and access to information in the digital age, with implications that may extend well beyond the Russian context.

ABSTRACT. Cyberbullying among children: a definitional landscape analysis in EU Member States’ legislation Cyberbullying is a form of violence, materializing either fully online or facilitated with the use of information and communication technologies. Cyberbullying, differs from a traditional understanding of bullying, not only because of the use and role of technology in committing bullying, but also its effects and impact: the multiplicity of technological means and platforms to approach the victim and materialize the threat, an amplified harm for the victims by disseminating harmful content in the online environment, and often anonymity of (re-) offenders. Cyberbullying does not have an impact only on the individual at the time the harmful behaviour occurs, but also on overall digital identity and citizenship of the individuals(1). Next to the victim – offender relation, there are also groups of observers, silent bystanders, who in the online world, are also often invisible witnesses (2). Due to the prevalence of cyberbullying, especially on social media and among children (3), there is an increased need identified for regulating cyberbullying as a harmful behaviour. However, there are currently diverse terminological approaches on cyberbullying (4), across EU Member States. This diversity and fragmentation may lead not only to reporting discrepancies, but also more generally hamper effective protection, especially in cross-border cases. While the fragmentation is known, there are a few recent studies examining how different EU Member States, approach cyberbullying. The Joint Research Centre (JRC) has recently highlighted that "considering the specificities of cyberbullying will be essential for the design and implementation of effective interventions aimed at preventing and fighting this form of online abuse."(5) In our study, we are exploring the question on how EU Member States define and regulate cyberbullying, focusing on selected Member States: Italy and Austria on the one hand, which have introduced dedicated frameworks on cyberbullying, and The Netherlands and Greece on the other hand, which treat cyberbullying as traditional bullying, harassment, defamation, threat or stalking, depending on the specific behaviour characteristics and conditions. In our study, we adopt a children’s rights based approach, focusing on the best interests of the child, dignity, and accountability (6). The contribution offers a first comparative analysis of the different definitions, regulations, and constitutive characteristics of cyberbullying, aiming at informing policy- and law-making in the field.

_________________

1. Velazco-Cueva, M., & Zegarra-Valladolid, L. (2025). Digital citizenship of secondary school students in regular basic education. Futurity Proceedings, 2. 2. Carter, M. A. (2013). Third party observers witnessing cyber bullying on social media sites. Procedia-Social and Behavioral Sciences, 84, 1296-1309; Pepler, Debra, Faye Mishna, Jeremy Doucet, and Melanie Lameiro. "Witnesses in cyberbullying: Roles and dilemmas." Children & schools 43, no. 1 (2021): 45-53. 3. Ray, G., McDermott, C. D., & Nicho, M. (2024). Cyberbullying on Social Media: Definitions, Prevalence, and Impact Challenges. Journal of cybersecurity, 10(1), tyae026. 4. Ebube, S. (2023). The Role of Legal Frameworks in Addressing Online Hate Speech and Cyberbullying. American Journal of Law and Policy, 1(1), 13-24; Ebube, S. (2023). The Role of Legal Frameworks in Addressing Online Hate Speech and Cyberbullying. American Journal of Law and Policy, 1(1), 13-24. 5. Cachia, R., Villar Onrubia, D., Barreda Angeles, M., Economou, A. and Lopez Cobo, M., Cyberbullying: Considerations towards a common definition, Publications Office of the European Union, Luxembourg, 2025, https://data.europa.eu/doi/10.2760/7772296, JRC143340. 6. See https://www.unicef.org.uk/child-friendly-cities/crba/ (accessed 20 September 2025).

ABSTRACT. Cybersecurity cannot be treated anymore as a mere technical issue. As the ordinary functioning of our society is structurally bundled with networks, information systems, digital services and connected products, cyber risk becomes systemic and multidimensional, cutting across the economic, social and, certainly, legal fields. Products with digital elements have become ordinary consumer infrastructures, and their vulnerabilities cannot be considered as marginal defects; they are vectors for intrusion into private environments and communications, for disruptions of entire supply chains and might even endanger physical safety. To address the inadequate level of cybersecurity of digital products delivered to the EU market, Regulation (EU) 2024/2847, known as the Cyber Resilience Act (CRA), was adopted: the CRA introduces a horizontal and mandatory set of cybersecurity requirements products with digital elements must comply with, to be placed on the EU Internal Market. In doing so, the CRA primarily builds on the principles and mechanisms of EU product safety legislation (i.e., the New Legislative Framework). Early scholarship on the CRA has focused primarily on its technical requirements, its interaction with existing EU legal frameworks (either other ‘digital laws’, or product safety and liability frameworks) and its implications for manufacturers and supply chains. This means that the legal literature discusses cybersecurity or digital products mainly as regulatory objects in themselves, detached from the legal positions of end users. What is overlooked, however, is the normative shift that the CRA entails vis-à-vis consumer protection. This perspective is, indeed, underexplored, despite being implicitly embedded in several of the Regulation’s core provisions. The EU consumer acquis has already begun to translate “security” from a technical desideratum into a legally qualified and enforceable expectation to be guaranteed in consumer transactions. Under Directive (EU) 2019/770, for example, security is part of the objective conformity standard: digital content or service must possess the security standard that is “normal” for content or service of the same type and which the consumer may reasonably expect; consumers must be informed of and supplied with security updates, that are necessary to keep digital content or services in conformity. Furthermore, for “goods with digital elements”, Directive (EU) 2019/771 similarly mandates that sellers provide security updates to ensure that such goods “remain in conformity” overtime. When taking this standpoint, the CRA can be understood as extending and hardening a trend: shifting cybersecurity from an externality borne by end-users to a regulated attribute of products, to be sustained by relevant economic operators over time. Compared to the abovementioned Directives 770 and 771 of 2019, the CRA highlights this paradigm shift more evidently, as it focuses specifically on the regulation of cybersecurity risks of digital products, without addressing other types of safety risks. This paper addresses precisely the junction between cybersecurity and consumer protection as it proposes an analytical framework for reading the CRA through the lens of consumer protection, and for understanding that reading as part of an incremental constitutionalization of EU cybersecurity law. The point, though, is not to collapse cybersecurity into consumer law; rather, it is about demonstrating that the CRA operationalises a normative proposition that has been emerging across EU digital regulation: cybersecurity is now a condition of ordinary market participation and a legitimate expectation for consumers. Therefore, cybersecurity becomes a matter of consumer protection in the strong sense, and not merely an engineering variable to be addressed by technical experts, or a compliance checkbox. The CRA lays down essential cybersecurity requirements for placing products with digital elements on the Union market and sets out cybersecurity-relevant obligations for all economic operators involved in the value chain of those products. Thus, from December 2027, manufacturers of products with digital elements will be subject not only to reinforced information duties, but also to obligations concerning secure design, vulnerability handling, security updates, and lifecycle support. As these obligations cannot be adequately explained in terms of neutral technical standards or compliance constraints, this article advances the view that they can be read as consumer-rights contents that recalibrate consumers’ legitimate expectations. Through the analysis of selected CRA’s obligations and mechanisms, the research unveils the Regulation’s consumer-oriented rationale, aimed at protecting users from systemic and long-term cybersecurity risks that traditional consumer law has struggled to address. In particular, the paper highlights four consumer-relevant implications brought about by this paradigm shift. First, it alters the consumer’s normative position in relation to cybersecurity risks. The CRA is not limited to pre-contractual information duties that are supposed to allow consumers to take conscious choices, and then focusing on the producers’ only. Conversely, it aims to make cybersecurity legible and actionable for users when selecting and then using products, including through transparency about support periods. This reframes the role of consumers from passive bearers of cyber risk into holders of reasonable expectations, standardised by the legal order and protected throughout the whole consumption journey. Second, it reconfigures responsibility. The CRA’s lifecycle approach moves the burden of vulnerability handling away from consumer self-help and toward manufacturers’ processes. The consumer is still implicated, but the baseline is no longer “buyer beware” in security. It becomes “producer must anticipate and sustain”. Third, the CRA operates as a vehicle for the “normativization” of cybersecurity interests traditionally left to contract, market dynamics, or soft law. Lastly, this new approach, as embedded in the CRA, raises the constitutional stakes of cybersecurity. Attacks on connected products affect not only economic interests but also consumer health and safety and, more broadly, the conditions of exercising rights in a digitised society; in parallel, constitutional scholarship has begun to debate whether EU law is moving toward a standalone “right to cybersecurity” . These debates are typically not anchored in consumer law. Conversely, consumer law analyses of security updates and conformity often fail to consider constitutional implications. The result is a conceptual gap: the consumer-protection and the constitutional registers are discussed, but rarely integrated. Against this background, the research’s analytical framework explicitly connects connected-device insecurity to consumers’ health, safety, and fundamental rights. The normative implications arising from this choice have consequences not only for understanding the CRA itself, but notably for the evolution of EU cybersecurity and consumer law.

ABSTRACT. Social media users who are interested in improving their fitness level, getting their skin to look smoother, or who are looking for weight loss tips find their ‘for you’ pages flooded with content from health and beauty influencers. These influencers use the algorithms of TikTok and Instagram to promote products such as skin-boosting greens, weight loss methods, and viral beauty tools. One observation from influencer marketing strategies is that monetised posts – whether disclosed as advertisements or not – contain a large amount of exaggeration. Influencers who promote sleeping gummies that ‘are literally like a drug’ and diet supplements, raving that ‘the energy it gives you, yesterday I didn’t sit down until eight o’clock in the evening.’ Whereas some consumers are not as susceptible to these marketing claims, many consumers in the health and beauty sector can be seen as a specific type of consumer due to their level of desperation. This desperation stems from keeping up with the latest beauty trends to fit in with society, struggles with outward appearance such as acne, which doctors are unable to resolve or – worst case scenario – the consumer being in palliative care and looking for a wonder drug. As Nehf explains, ‘many riches have been gained at the expense of people who are willing to believe almost anything out of desperation’. Research on psychological vulnerabilities in relation to consumer deception shows that due to desperation, consumers’ thinking can be seen as impaired, leaving them more susceptible to ‘sales of fraudulent remedies for terminal illnesses and excess weight.’ Under the Unfair Consumer Protection Directive (hereafter: UCPD), such consumers desperate for a cure or relief can be categorised as either average consumers or vulnerable consumers . This paper specifically looks at vulnerable consumers who can be categorised as such due to their credulity, which is defined by the European Commission as covering ‘groups of consumers who may more readily believe specific claims’. As explained in the paragraph above, consumers in the health and beauty industry can be especially credulous due to their desperation for a beauty-enhancing product, a weight-loss drug or a wonder drug to cure an incurable disease. When analysing the credulity of consumers – and with that their status as vulnerable consumers – the last clause of Article 5.3 UCPD must be considered. ‘This is without prejudice to the common and legitimate advertising practice of making exaggerated statements or statements which are not meant to be taken literally.’ This specific clause separates an unfair commercial practice, such as a misleading practice, from a legally allowed amount of advertising exaggeration that is often referred to as ‘puffery’. The European Commission explains this as ‘a subjective or exaggerated statement about the qualities of a particular product, which is not meant to be taken literally.’ The European Commission included this clause with ‘the idea that, for instance, a national measure prohibiting claims that might deceive only a very credulous, naive or cursory consumer (e.g. ‘puffery’ […]) would be disproportionate and create an unjustified barrier to trade. This explanation is remarkable, as it highlights a dichotomy in the use of the term ‘credulous’ by the European Commission in their explanation of the UCPD. On the one hand, the term is used to describe consumers as specifically vulnerable to unfair commercial practices and thus more protected under the UCPD. On the other hand, the term is used to describe a legally allowed advertising exaggeration that only consumers who are ‘very credulous’ would fall for. So, consumers who could be considered vulnerable due to their credulity should be protected more by the UCPD, while at the same time, exaggerated statements should not be prohibited because they are only believed by ‘very credulous’ consumers. This shows that there is a dichotomy between the level of protection of a credulous consumer when faced with a potentially misleading advertisement due to an exaggerated statement. To understand this dichotomy, this paper explores the concepts of puffery and credulity. The research question this paper answers is: ‘How should the concept of puffery be delineated in cases of health and beauty influencer marketing, given the vulnerability of consumers in this sector due to their credulity?’ The research will consist of legal doctrinal research focusing on the UCPD as well as case law analysis of the Court of Justice of the European Union. Where useful, regulation and case law from EU Member States will be referenced to further the understanding of the implementation of the UCPD. The historical analysis of puffery as a legal term will, for a substantial part, focus upon the United Kingdom, as this is where the term developed into a legal defence. For the analysis of current (potentially) misleading commercial practices on social media in the health and beauty industry, influencer content on Instagram and TikTok is analysed. Firstly, the historical development of puffery as a legal term is discussed. Secondly, examples of potentially unfair commercial practices of influencer marketing in the health and beauty sector are discussed in relation to puffery. Thirdly, the clause allowing commercial practices to contain puffery under the UCPD will be analysed in relation to consumer credulity, consisting of a close reading of the relevant UCPD articles as well as relevant case law. Lastly, an updated interpretation of the legal interpretation of puffery under the UCPD in cases of health and beauty influencer marketing is presented. Preliminary findings indicate that the development of the legal understanding of puffery has always had close ties to the health and beauty industry. While the current understanding of puffery is adequate for the analysis of cases of misleading product advertising via traditional communication channels such as radio, television and newspapers, newer marketing strategies seen in the health and beauty sector on social media platforms show the need for a new delineation of the term puffery. While the UCPD clarifies the relation between credulity and vulnerability, influencer marketing in the health and beauty sector has already made vulnerable consumers even more susceptible to unfair commercial practices. These sector developments showcase the need for a clearer distinction between legitimate exaggeration, i.e. puffery and misleading commercial practice as defined under Article 6 UCPD.

ABSTRACT. In May 2024, the EU published a new Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) legislative package, aiming to clarify the European AML/CFT landscape. The constantly evolving methods of money laundering urged the call for higher levels of supranational collaboration and supervision, as well as modernized regulation, which would replace the money laundering regime evolved through the past three decades – yet most recently reformed in 2018. The 2024 EU AML/CFT legislative package brings several novelties in the European AML/CFT regime, which are materialized through 3 different legal instruments: Regulation 1624/2024 (the AML Regulation) creates a "single rulebook" that harmonizes rules to be followed by entities that are active in the AML/CFT field, while the establishment of a new European Anti-Money Laundering Authority is provided by Regulation 1620/2024 (the AMLA Regulation). The mechanisms to be put in place by EU Member States themselves, though, are provided by Directive 1640/2024, usually referred to as the 6th Anti-Money Laundering Directive (AMLD6). One of the most notable developments constituted by the package is found in Chapter II (Articles 10-18) of the AMLD6, which is the revision of the regulatory framework on interconnected centralized AML/CFT registers across the EU.

To further elaborate, pursuant to the AMLD6 framework, which shall be applicable in the Union by July 2027, EU Member States are explicitly required to establish national centralized registers, in order to allow for timely identification of individuals for AML/CFT purposes by all related stakeholders. Cross-border AML/CFT cooperation has been a matter of high priority in the European legislative agenda of the past decade and was developed through the 2024 EU AML/CFT legislative reform. However, such cooperation needed to be based on stable grounds, for which a crucial component was deemed necessary; cross-border access to information, which is to be greatly facilitated by the AML/CFT registers and their interconnection. More specifically, those national centralized registers will collect a plethora of information on individuals from obliged entities; which, according to Article 3 of the AML Regulation extend to a great variety (and quantity) of entities, including but not limited to banks and financial institutions. Each member-state shall establish three different types of national centralized registers that will store relevant information; a beneficial ownership register, a bank account information register, and a real estate information register. Each individual’s information included in the registers inevitably includes personal data, such as their full name, nationality, bank account information, beneficial ownership on legal entities, and/or information on property ownership. The information stored in each register is different, but at least one element, that can render a person identifiable, shall be included, in order to maintain a better overview of the identity of individuals having a beneficial interest in legal entities, bank accounts and real estate ownership.

Out of those three types of registers, the two former ones, namely the beneficial ownership and bank account registers, shall be interconnected via EU interconnection systems dedicated to them, facilitating immediate access across the EU. Indeed, the AMLD6 stipulates that all information (including personal data) stored in national beneficial ownership and bank account registers, will be subsequently shared across the EU, in order to be accessible by several actors, that are potentially active in combatting money laundering. These actors differ by type of register, although they eventually encompass a substantial extent and variability of actors, including but not limited to Union bodies, national public authorities, and even obliged entities for the purposes of customer due diligence. In any case, the law grants access to all registers to any and all competent authorities in charge of “prevention, investigation, detection, or prosecution of criminal offences”. This broad definition of “competent authorities” obviously includes national law enforcement authorities, which practically means that all national registers will include massive amounts of personal data, which will be subsequently made accessible via the (interconnected) systems on an even larger, EU-wide scale. Simply put, through a fully indicative example; the exact same personal data on beneficial ownership and bank account will be easily and immediately accessible to e.g., the Dutch police, the AMLA, the Estonian AML/CFT supervisory authority and the Portuguese Financial Intelligence Unit, through the registers. At the same time, any information on real estate ownership shall be immediately accessible by competent authorities on a national level, and subsequently shared with their respective counterparts across the EU relatively easily, based on the legal environment created by the 2024 EU AML/CFT legislative reform, which practically facilitates the exchange of information between authorities combatting money laundering.

On the other hand, access to citizens’ personal data specifically by public authorities for combatting crime is crucial, but also is accompanied by several concerns. First and foremost, data may be exploited or used illegitimately or disproportionately. On a “macro” basis, access of numerous public authorities to such a large volume of personal data may establish the existence of mass surveillance, raising concerns about potential power abuse deriving from the systematic monitoring of citizens’ financial activities. This may lead to the infringement on a series of fundamental rights, particularly data protection, and a chilling effect on the business life of citizens. Besides, the direct unmediated access to personal data by competent authorities, without the necessity of a judicial order or warrant, may bear severe data protection risks, especially since such access will be granted to these authorities for a vast amount of personal data.

Massive data amounts, large-scale processing, and registers facilitating access to a broad quantity and variety of stakeholders of different natures; from national law enforcement and Union administrative authorities, to multinational financial institutions and other obliged entities. Several perspectives of the new European AML/CFT regime already seem problematic. The purpose of this research is twofold; it will highlight the risks related to free, immediate and unlimited access to personal data through the registers brought by the AMLD6, while it carry out a balancing exercise to review the compatibility of the soon-to-be established registers with EU data protection law. Furthermore, considering that the registers will be eventually established, the research examines potential safeguards to be put in place alongside the formation of the registers, in order to ensure lawful and proportionate access to personal data.

ABSTRACT. The Lisbon Treaties conferred the competence for the common commercial policy to the European Union (EU). Consequently, the EU can conclude trade agreements with third countries on behalf of its Member States. In recognition of the growing importance of digital trade, the European Commission (Commission) made digital trade rules a priority in its 2021 trade policy review. Despite being considered a late entrant to digital trade rulemaking, the EU has nevertheless become a central actor of digital trade diplomacy keen to formalise its digital trade rules with third countries.

Specifically, the EU champions and proliferates a new digital trade law provision which protects source code of software. This provision prohibits a party to the agreement to “require the transfer of, or access to, the source code of software owned by a person of the other Party as a condition for the import, export, distribution, sale or use of such software, or of products containing such software, in or from its territory”. The provision is subject to a variety of specific exceptions in addition to the agreement’s general exceptions and security exceptions. Currently, the EU has inscribed the software source code provision in the digital trade chapter of its bilateral free trade agreements with Japan, the United Kingdom and New Zealand and in dedicated digital trade agreements with Singapore and Korea.

This article focuses on the EU internal dynamics between EU digital trade policy and internal market regulation which has thus far not received much scholarly attention. It will introduce and demonstrate the surprisingly direct influence that EU digital trade law arguments exert on EU digital regulation which I will refer to as inverse compatibility. Pursuant to Article 207(3) TFEU the Council and the Commission shall be responsible for ensuring that the agreements negotiated are compatible with internal Union policies and rules. Inverse compatibility connotes that EU institutions invoke trade law arguments with a view to influence an EU legislative proposal accordingly. While this may not unusual with a view to consistency in EU law, in the context of this article EU digital trade rules have outpaced EU policy formulation in the field of governing artificial intelligence.

The legislative proposal for and procedure leading to the EU flagship Artificial Intelligence Act (Regulation (EU) 2024/1689) will be used as a case study. Based on official documents from the Commission’s interservice consultations and Council working party meetings concerning the legislative proposal for an Artificial Intelligence Act it has been possible to reconstruct how the Commission invoked the provision on source code of software from digital trade law to weaken the Act’s rules on market conformity assessments and supervision of AI systems. While it is widely accepted that free trade agreements affect domestic regulation, the EU internal perspective exposes the uncontested force of digital trade law arguments during interservice consultations while the difficulties to obtain access to the relevant EU official documents underscore a lack of transparency and democratic accountability.

The article uses a combination of research methods. For introducing and analysing the relevant provisions from digital trade law and the versions of the Artificial Intelligence Act the doctrinal legal method will be implemented. The in-depth case study of the legislative proposal for an Artificial Intelligence Act has been selected for bringing to the fore conflicts about effective regulation and supervision and access to, and possibly transfer of source code, including AI models and weights. Access requests to EU offical documents pursuant to Regulation (EC) 1049/2001 were harnessed to gather empirical evidence and interpet EU law in context. This research approach incurred significant delays and required an appeal and a complaint to the EU Ombudswomen in order to be granted access to the requested EU official documents.

(See uploaded abstract for references).

ABSTRACT. With the proliferation of crypto assets, the methods by which individuals acquire, store, and transfer these assets have undergone a fundamental transformation. In particular, trading and custody services offered by crypto-asset service providers have led to the establishment of complex contractual relationships between users and platforms. Within these relationships, users generally assume that the crypto assets recorded in their accounts belong to them; however, the legal implications of this assumption remain highly uncertain, especially regarding custody and control. These uncertainties raise the question of what ownership claims signify in relation to crypto assets and the extent to which such claims can be effectively protected. In this framework, the service relationship established between crypto-asset service providers and users cannot be characterised merely as the performance of a service obligation. Instead, it gives rise to a type of contract that, in practice, determines who exercises control over a digital asset of substantial economic value and to what degree. The widely cited motto “Not your keys, not your coins” captures precisely this distinction between legal ownership and factual control, rendering the question “Is it even mine?” almost inevitable in the context of crypto assets. Since control over crypto assets in their technical operation is typically exercised through private keys, the question of who holds actual control over the asset diverges significantly from the notion of physical possession in classical property law. The primary objective of this study is to examine the legal foundations of ownership claims in crypto-asset service agreements and to explore the extent to which contractual provisions may limit these claims. Scholarly and practical debates on the ownership of crypto assets often focus on the legal nature of the asset itself. In practice, however, the decisive factor is not merely the classification of the asset, but rather the actual control and powers of disposal over it. In this respect, the adage “not your keys, not your coins” reveals that ownership of crypto assets is inherently linked not only to economic ownership but also to control, access, and the ability to exclude others. The study first analyses the legal nature of crypto-asset service contracts by comparing them with classical contract types. Comparisons with bailment, agency, commission, and similar structures show that crypto-asset custody relationships do not fully correspond to any of these established categories. On the contrary, the practical outcomes of these relationships often result in a disproportionate allocation of risk to the user's detriment. This observation suggests that the traditional system of named contracts is insufficient to explain the legal configuration of crypto-asset relationships, and that the element of “control”, such as key management, transfer authority, the power to freeze accounts, and similar mechanisms, has assumed a central role in the contractual framework. Accordingly, crypto custody service agreements should not be regarded merely as instruments regulating the provision of a technical service; they function as constitutive documents that determine how ownership claims over crypto assets will operate in practice, who will exercise actual control, and which party will ultimately bear the economic risk. Crypto-asset service agreements, therefore, exhibit a hybrid structure that does not coincide precisely with traditional sales or custody contracts. While they share similarities with classical contract types such as commission, agency, brokerage, and custody, it is argued that, because access to the crypto asset is mediated through cryptographic keys, “actual control” in the custody relationship can shift to the service provider more strongly and comprehensively than in ordinary custody arrangements. Although the platform–user relationship does not neatly fit into any single named contract type, a prevailing view in Turkish legal doctrine classifies these contracts as custody agreements and acknowledges the presence of agency-like elements, particularly in the execution of buy–sell orders on behalf of the user. The decisive point here is that the relationship designated as “custody” by the parties is, in practice, defined by who holds the keys, under what conditions the asset may be accessed, and which technical and contractual instruments enable the platform to restrict the user’s powers of disposal unilaterally. From the user’s perspective, an asset with economic value appears to be held on the platform; however, the actual control over this asset is largely shaped by the service provider’s technical capabilities and contractual powers. This situation requires reconsidering the traditional distinction between ownership and possession in the context of crypto assets. Possession of crypto assets is not established through physical control but through digital keys and platform infrastructure, raising the question of how effectively ownership claims can be protected. Standard provisions frequently encountered in crypto-asset service agreements, such as account-freezing clauses, transfer restrictions, delisting powers, and unilateral termination rights, do not necessarily constitute a direct expropriation or confiscation of property rights. Nonetheless, they may lead to outcomes that effectively prevent the exercise of those rights. Because most of these interventions can be implemented without a judicial decision and rely solely on the contractual framework, service providers have created a zone of influence over property akin to that exercised by public authorities. Consequently, the issue must be assessed not only within the limits of freedom of contract but also in light of the constitutional and human-rights-based protection of property and the principles of legal certainty and foreseeability. Especially in a system where ownership and factual control are structured through keys, the “contractual powers” of the party that effectively controls those keys can become so extensive as to determine the economic substance of ownership. The area where property claims are most vulnerable is the custodial or pooled-custody models offered by many service providers. In such models, the degree to which user assets are segregated from the provider’s own assets is often unclear; the record-keeping system, the methods of account segregation, and the manner in which pools of “same-type assets” are maintained may lack transparency and verifiability. This opacity generates a significant risk that users’ ownership claims may be downgraded to mere creditor claims in cases of insolvency or similar crises. Thus, the question “whose crypto is it?” acquires immediate, tangible economic relevance rather than remaining a purely theoretical concern. In Turkish law, a special protective approach has been adopted to mitigate this risk. Based on the principle that, in the event of the bankruptcy of a crypto-asset service provider, users’ crypto assets and certain monetary claims are to be evaluated separately from the provider’s own estate, these assets are excluded from the bankruptcy estate. In this context, the “right of separation” emerges as a key protective mechanism that prevents the user from being absorbed among ordinary unsecured creditors. However, the effectiveness of this protection in practice depends on several contentious factors, including the reliability and integrity of the provider’s records, the criteria for determining which assets are genuinely allocated to customers, and the method by which the right of separation will be exercised if, at the time of bankruptcy, there are insufficient quantities or types of crypto assets actually available. At this juncture, not only the principle of recognising a right of separation but also the procedural rules for its implementation, including whether substitute value or functional equivalents can be claimed, become crucial in determining whether the user’s property claim will be genuinely safeguarded. This study contends that ownership is not entirely extinguished within the framework of crypto-asset service agreements; however, it may be significantly eroded through contractual and technical mechanisms. Such erosion often remains invisible to users and is normalised through standard-form contract terms that are rarely negotiated. The concluding section argues that minimum contractual safeguards should be established and model clauses developed with the specific aim of reinforcing users’ ownership claims. In particular, it appears necessary to ensure a clear and adequate segregation of user assets from the provider’s own estate, to limit the platform’s unilateral intervention powers in line with the principles of proportionality, transparency, and necessity, and to strengthen the registration, auditing, and evidentiary infrastructure that will render the right of separation effective in insolvency scenarios. Moreover, where possible, the protection of “control”, at least the user’s ability to withdraw or transfer the asset, should be enhanced in favour of the user. Only under these conditions can the question “whose crypto is it?” acquire a meaningful and operational answer in both law and practice.

ABSTRACT. Digitalisation has driven technology-oriented transformations in many sectors, including the news industry. As consumers increasingly began to rely on digital media channels to access news, digital platforms offering search engine, social media, and news aggregation services assumed a gatekeeping role vis-à-vis news publishers. At first glance, the relationship between digital platforms and news publishers appears to be based on mutual benefit: publishers divert user interest and attention to digital platforms through the content they provide, while digital platforms increase traffic to publishers' websites and thereby generate advertising revenues for them.

However, as large technology undertakings expanded their product and service portfolios over time and transformed into multi-layered digital ecosystems, the value transfer between the parties began to operate in favor of the platforms. Given that news publishers and digital platforms also compete horizontally for user attention and advertising revenue, the deepening power asymmetry has forced news publishers to accept commercial terms that weaken their economic rights, while enabling digital platforms to monetise press publications, thereby developing their own services and generating more revenue from the digital advertising pool. News publishers' economic dependence on digital platforms increased, and the previously symbiotic relationship eroded. Consequently, news publishers came to need digital platforms more than platforms needed them, while digital platforms entrenched themselves through diversified products and services. News publishers, as contributors to the value generated within digital media ecosystems, saw their competitive position erode against platforms and were forced out of the market due to their inability to appropriate a share of this surplus.

Moreover, the vertical relationship between digital platforms and news publishers has produced anti-competitive outcomes, including discriminatory treatment of publishers resulting from the opacity of the algorithms employed by platforms. By maintaining unilateral control over referral rates and the distribution of news content, platforms have acquired the ability to influence both publishers’ revenue streams and users’ exposure to particular types of information, thereby shaping user interests and attention. Given that the distribution of press publications through ranking algorithms is directly linked to the prevention of disinformation and to the public’s right to access objective and timely news, the power exercised by platforms in the digital news media sector raises concerns that extend beyond private commercial interests to matters of public interest.

In order to address the market failure in the digital news media sector, the European Union introduced a novel intellectual property regime under Directive (EU) 2019/790 (the “CDSM Directive”) , granting press publishers a neighbouring right. Accordingly, without the consent of news publishers, service providers may not reproduce or make their content available to the public and publishers are entitled to a remuneration for the reuse of their content. This legislative initiative demonstrates that the objective was to strengthen the bargaining position of news publishers in order to counterbalance the market power of digital platforms, in light of the intense competitive pressure arising from the development of digital news channels. The fact that this intervention is structured through intellectual property (“IP”) law indicates that news publishers have been unable to effectively enforce the copyrights transferred from content creators and therefore require stronger IP protection to ensure effective competition. However, despite the CDSM Directive and the strengthening of publishers' IP rights, the challenges faced by the news publishing sector have persisted, necessitating intervention by competition authorities in certain Member States.

France, one of the first Member States to transpose the CDSM Directive, offers a notable example. In 2020, the French Competition Authority found that Google exerted economic pressure on press publishers to conclude agreements with zero remuneration. Google subsequently offered commitments to address these concerns, yet it was found in breach for failing to determine remuneration on the basis of transparency, good faith, objectivity, and non-discrimination, resulting in a second administrative fine in 2023. Similar investigations have taken place in Germany , Italy , and Spain . This demonstrates that the exploitative and exclusionary effects arising from the increased market power of digital platforms also fall within the scope of competition law scrutiny. These developments show that IP and competition law, which are conventionally regarded as serving opposing goals, can be jointly applied to advance a common public interest objective, namely the promotion of sustainability in news media sector.

The core issue of this research is how the IP rights of news publishers should be protected while at the sime time promoting competition in the digital news media sector. The first question for conducting this research is how the CDSM Directive, which grants neighbouring IP rights to news publishers, has affected competition in the digital news media sector. Firstly; CDSM Directive envisages a compensation in favor of news publishers. However, digital platforms may refuse to display the content of news publishers when such publishers seek to enforce the rights granted to them under the CDSM Directive. This refusal would harm both the publishers and the content creators who produced the relevant material by reducing their visibility. In such a scenario, it must be examined whether the refusal-to-deal theory of harm could be relied upon to compel digital platforms to negotiate with news publishers. This is particularly relevant given that, with the rise of digital markets, the conditions for applying refusal-to-deal doctrines have evolved in recent EU case law. Secondly, digital platforms may agree to negotiate with news publishers in accordance with the CDSM Directive, but exert pressure on publishers to accept low levels of remuneration. Such conduct could be examined in terms of the exploitative effects it may generate under the concept of unfair trading conditions. However, this raises the further issue of the extent to which competition authorities should intervene in determining whether the remuneration is fair. For instance, in Germany, the Bundeskartellamt chose not to intervene to examine the adequacy of remuneration in Google News Showcase.

Thirdly, even where a news publisher and a digital platform fully comply with the CDSM Directive and reach an agreement on remuneration, the competitive effects arising in the relevant market must be assessed more carefully. For example, remunaration obligations introduced by the CDSM Directive may create barriers to entry for potential players seeking to provide news aggregation services. Additionally, news publishers may prefer to work exclusively with the search platform that offers the largest user reach and avoid the transaction costs associated with contracting with smaller search engines; alternatively, if rival platforms offer lower levels of remuneration compared to the dominant platform, publishers may refuse to license their content to them, or may be pressured by the dominant platform to behave in this way. Such dynamics could increase market concentration in the search engine market and restrict consumers’ right to access information for the sake of protecting the economic interests of press publishers and digital platforms. Moreover, the content creators who hold the original IP rights over the content may also suffer harm, as it remains unclear to what extent they benefit from the remuneration paid by digital platforms.

Last but not least, with the growing momentum of generative artificial intelligence (“AI”) technologies, the question of how to safeguard competition while protecting the rights of IP rightsholders has become an increasingly salient area of debate. Digital platforms offering generative AI services may infringe the IP rights of press publishers by using their content for AI purposes, and they may simultaneously reduce the visibility of both publishers and content creators through AI-generated overviews, while also placing rival AI service providers and search engines at a competitive disadvantage. In this regard, the European Commission very recently announced that it had opened an investigation into Google.

From a broader perspective, the question of how to promote competition while protecting IP rightsholders is closely related to how the value generated within the digital news media ecosystem is allocated among stakeholders, and constitutes an important research problem at the intersection of intellectual property law, competition law and digital regulation. With advances in AI technologies, this question will become an even more critical topic of debate. Indeed, it is highly consequential for safeguarding the economic interests of IP rightsholders and preserving competition in the market, as well as for determining how consumer perception will be shaped by the content promoted by different interest groups, thereby carrying significant implications for the broader public debate.

ABSTRACT. For a long time, legal scholars have discussed the para-constitutional and state-like power of online platforms. These discussions have mostly been directed at designing a legal response to the unfettered exercise of power by online platforms. Scholars adhering to the strand of ‘’digital constitutionalism’’ have advocated, among others, for the establishment of rule of law safeguards in the online environment that resemble those enjoyed by individuals vis-à-vis states. The Digital Services Act (DSA) introduced several safeguards in this regard, such as statements of reasons, complaint-handling systems and transparency requirements for the actions of providers of online platforms. While the DSA may have empowered individuals and curbed arbitrary decision-making and content moderation practices by online platforms, it also attributed new responsibilities and regulatory functions to online platforms. Among others, providers of very large online platforms and search engines have assumed a new role as ''systemic risk managers’’. As part of this role, they are entrusted with wide-ranging responsibilities to protect a range of public and private interests and values, some of which have an important political character, such as civic discourse, public health and public security. When performing systemic risk management, regulated entities may need not only to interpret or discursively construct protected interests and values, but also balance them and decide on whether it is justified to restrict fundamental rights. For instance, they may be required to restrict legal content qualifying as disinformation in order to mitigate systemic risk to civic discourse. Criticism has been voiced regarding the legitimacy of entrusting online platforms with discretion to make choices of great societal and political significance, including choices determining the effective enjoyment of freedom of expression (among others, see Griffin 2025, Palumbo and Ducuing 2025). Despite some scholarship discussing the exercise of power in systemic risk management, there is no contribution to date trying to examine the legal issues pertaining to the attribution of ‘’political’’ discretion to regulated entities under the DSA. This question entails understanding whether there is a notion of ‘’political’’ discretion that can be identified in primary EU law, and if the delegation of such discretion under the DSA raises legal questions. This paper examines the systemic risk management regime of the Digital Services Act (DSA) through the lens of EU constitutional law. Under this regime, private actors assess and mitigate systemic risks to public and private interests, while the European Commission acts as the exclusive supervisory and enforcement authority. Building on the Meroni doctrine and the case-law interpreting Article 290 TFEU, this paper contends that these regimes entail the delegation of political discretion, including the power to take normative decisions concerning contested public values. It examines the limits of political discretion that primary EU law reserves for the legislature. On this basis, the paper shows how indeterminate legislative concepts and expansive discretion in systemic risk management allow regulated entities and the European Commission to exercise political judgment that ought to remain with the EU legislator. By analysing the extent to which systemic risk management may overstep the permissible boundaries of delegated authority, the article develops a framework for evaluating the legality of this emerging regulatory approach in EU digital legislation. It concludes by calling for empirical inquiry and normative guidance on the practical implementation of systemic risk management.

ABSTRACT. This panel will provide a platform to discuss recently published and forthcoming books in the Cambridge Elements in Data Rights and Wrong Series published by Cambridge University Press and edited by Jeannie Paterson and Damian Clifford. This series provides a home for fresh arguments about data rights and wrongs along with legal, ethical and other responses and aims to encourage new ways of thinking about data as enmeshed within complex social, institutional and technical relations. The panel will explore the thematic overlaps between 3 of the books in the Elements Series:

o Rachelle Bosua, Damian Clifford, Jing Qian, and Megan Richardson, Data Rights in Transition, Elements in Data Rights and Wrongs (Cambridge: Cambridge University Press, 2025);

o Nahide Basri, Revisiting the Relationship between Privacy and Data Protection, Elements in Data Rights and Wrongs (Cambridge: Cambridge University Press, In-Press); and,

o Claes Granmar, Media Freedom and Data Rights: The Swedish Experience, Elements in Data Rights and Wrongs (Cambridge: Cambridge University Press, Forthcoming).

The panel will explore the development and reform of data rights in response to socio-technical transformations, the challenges presented in terms of the overlaps between these data rights, and the right to data protection more specifically, and how data protection legislation such as the EU General Data Protection Regulation and the data subject rights it provides intersect with national constitutional traditions in particular regarding freedom of expression and information.