New analytical framework identifies inconsistencies in technology legislation
Since new technologies often develop very quickly, it is difficult for legislation to keep up. This can result in a mismatch, whereby the use and ramifications of a new technology are not sufficiently covered by existing regulatory framework, for instance, in data protection legislation. PhD researcher Mara Păun of Tilburg Law School has developed an analytical framework to identify and address these mismatches. She has been awarded a cum laude PhD based on her research.
Mismatches between assumptions embedded in the law and the new socio-technical context are referred to in the literature as regulatory disconnection. The problems can get worse if a mismatch is not adequately addressed.
Until recently, a systematic approach to identifying and addressing mismatches was lacking. Mara Păun studied how the theory of autopoiesis can enhance our understanding of the interaction between law and technology. Based on this theory, she developed an analytical framework to identify and address mismatches.
The theory of autopoiesis proposes that the world is composed of different (self-producing) systems. These systems can only view the world through their internal mechanisms that function as a filter. According to Păun, this theory provides an additional explanatory mechanism within the scientific debate on regulatory disconnection.
The autopoiesis-inspired analytical framework developed by Păun consists of questions that guide the user through the different steps of analysis in three phases. The first phase focuses on identifying the mismatch. In the second phase, this mismatch is analysed based on three sub-models of reality: an empirical, a prospective, and an operative one. This reveals the various consequences of the mismatch. The third phase brings together the insights from the first two phases and forms the basis for adapting the legislation.
To illustrate the usefulness of the framework, Păun applied it to the core concept of 'controller' in the EU’s General Data Protection Regulation (GDPR). The problem with this concept is that the law presumes that the role and capabilities of the controller are fixed. This assumption no longer reflects the reality as soon as new technologies emerge that are more complex, with more actors involved, that all interact with each other.
Answering the guiding questions shows the characteristics of the mismatch relating to the concept of controller and its ramifications for the effectiveness of the legislation. The application of the analytical framework reveals that the mismatch related to the concept of controller is both prominent and complex: it relates to a concept that is at the basis of almost all obligations laid down by the GDPR. The mismatch has proved to be even more problematic with the interpretation of the concept in recent CJEU case law. This problem cannot be remedied by re-connection through interpretation of existing provisions, which means that the European legislator needs to act to address this mismatch.
The new analytical framework can be used by a variety of professionals dealing with mismatches between the law and new technologies, including legislators, judges, and Advocates General, academics, lawyers, and NGOs.
Mara Păun’s PhD thesis (2023) is available online: Law and Technology through the Lens of Autopoiesis. An analytical framework for dealing with regulatory disconnection illustrated through the case of the GDPR.