1. Introduction
European digital law and policy is changing rapidly. For some years, the European Union (EU) has been on a quest to rein in mainly US-based ‘Big Tech’ corporations such as Meta, Alphabet, Apple, Amazon, ByteDance (TikTok), and Microsoft, in predominantly regulatory form. Many of the Union’s recent legal initiatives have been adopted and entered into force, such as the Digital Services Act,Footnote 1 the Digital Markets Act,Footnote 2 the Data Governance Act,Footnote 3 the updated Copyright Directive,Footnote 4 and the Union’s regulatory spearhead, the General Data Protection Regulation (GDPR).Footnote 5 Together, the contents of the initiatives amount to an immense set of novel legal tools. Of course, from the generalist EU law perspective, the Union’s faith in the potency of law in social engineering is unsurprising. Legal arrangements have provided the central means for the project of European integration since its inception (deployed, per the official account, in the name of peace and prosperity).Footnote 6
These novel legal tools have attracted a corresponding amount of attention from scholars and civil society. Much of this attention has focused on the constraining potential of law. Moreover, scholarly analysis tends to proceed in a strongly normative mode. Better constraining one or another business practice within the European digital economy through new legal arrangements appears to be as prescient as ever.
A specific analytical lens precedes the normative calls for new and better legal constraints.Footnote 7 This analytical lens is visible in the metaphors of ‘lawlessness’Footnote 8 and ‘digital wild west’,Footnote 9 distinctions between the successive ‘eras’ of self-regulation and hard law,Footnote 10 characterisations of corporate actors as uncontrolled giants,Footnote 11 as well as references to corporate ‘sovereignty’.Footnote 12 Shoshana Zuboff’s account of surveillance capitalism provides one (rather extreme) example of this analytical gaze. According to her, surveillance capitalism is conditioned primarily by lawlessness.Footnote 13 The listed examples draw attention to the independence of digital economy or corporate actors from law. They indicate that peculiar terrains, times or actors untouched or only lightly touched by law have been discovered. Scholarship with this analytical lens produces analyses of legal deficiency.
Exploring legal deficiencies is valuable as it can indicate points for regulatory improvement. However, in this article I argue for an alternative analytical research for European law and technology scholars. We need more (re)descriptive analyses of our pre-existing legal structures, done with an alternative analytical lens. Such a lens could guide us in exploring the connections between pre-existing EU and Member State legal arrangements and the European socio-technical order. This can illuminate how these legal arrangements enable various actors’ ordering projects in the European digital economy. Scholarly analyses performed with this alternative lens may shed light on how our pre-existing legal arrangements are enabling and producing, and also shaped by the European socio-technical order. As the current order of the European digital economy is characterized by massive inequalities in wealth, status and power, these analyses can also direct our attention to how our current legal arrangements can enable inequalities and oppression.Footnote 14 I finally argue that these analyses may invite calls for responsibility for our condition and political possibilities that differ from the analyses of legal deficiencies, which point to legal voids, transgressions and obsolescence for the purposes of legal reform. More generally, such analyses can provide a different contribution to what Mariana Valverde has stated as ‘the ultimate aim of our intellectual endeavours’ – to understand ‘what is going on.’Footnote 15
This paper proceeds as follows. In the next section, I explain why we should explore the productive connections between pre-existing legal arrangements and sociotechnical order in Europe. I seek to clarify how the analyst’s lens is different when it focuses on legal deficiency and on enabling legal structures. I then discuss what exploring connections between pre-existing legal arrangements and sociotechnical order could entail. I present three complementary ways in which legal arrangements are productively connected to sociotechnical order: as tools of ordering to address problems and promote values; as tools which, after creation by a norm-formulating authority, take life of their own and can thus enable unintended and unforeseen order; and as constitutive of technologies and other mechanisms of order. I also present some methodological moves related to ‘the set of ideas that informs, justifies and validates the aims and methods of research’,Footnote 16 which I see as potentially helpful in orienting oneself towards these productive connections. I provide concrete examples of these connections from various contemporary regulatory struggles within different fields of European digital regulation. The examples are not depicted as novel research areas, but merely instances where interesting connections might be drawn. Finally, I discuss the normative contribution of this (re)descriptive and analytical exploration.
2. From legal deficiency to enabling legal structures
A law and technology research article usually begins with a meticulous analysis of a ‘situation’ and ‘facts’, that is, possibly legally problematic practices and the legal arrangements understood to govern that practice. Indeed, law and technology scholarship is particularly attuned to various factual contexts of law. The exploration is then often used as a springboard for a normative proposal for a new authoritative interpretation or legal device. The new legal arrangement is often justified in reference to a legally authoritative precedent, policy argument, legal principle or shared value.
However, to jump to legal normativity, the preceding analytical lens seems to describe a situation or set of facts as somehow legally deficient rather than, at least primarily, legal. Referring to what I have called legal deficiencies as ‘non-legality’, Fleur Johns argues that different forms of non-legality share an ‘orientation around behaviour or phenomena which seem […] not governed, or not governed effectively, by law’.Footnote 17 What various legal deficiencies have in common is the (partial) disconnection that they portray between social, political, economic or other practices and the pre-existing legal arrangements that are meant to govern them, externalising those practices from law.
Therefore, analyses of legal deficiency tend to draw attention to problems of legal disorder, rather than mundane legal operations and their reproduction of sociotechnical order. A finding of illegality portrays pre-existing law as powerless against those practices that defy it. A finding of lawlessness portrays the legal system generally as external and irrelevant for the practices scrutinised. Yet in law and technology scholarship, one particularly persistent demonstration of this disconnection is found in the widespread notion that some legal arrangement has become obsolete in contemporary socio-technical circumstances and law thus lags behind technological change.Footnote 18 Due to obsolescence, pre-existing legal arrangements are depicted as being loosely tethered to the practices that they are supposed to govern. It is important to note that all these descriptions of legal deficiency can become productive of law. As Johns has argued, discoveries of various types of non-legality are often followed by calls for legality. Thus, non-legalities become a pre-condition of new legality.Footnote 19 The renewed legality seems to require the sacrifice of pre-existing law’s relevance through lamentations of obsolescence, absence and violation.Footnote 20
My argument here is not to discredit legal–normative analysis that seeks to propose and justify new legal constraints based on observed legal deficiencies. Such analyses, which often inspire new corrective legal arrangements, are of undeniable value. As Ryan Calo has argued, legal research’s ‘relative comfort with normativity’, which offers suggestions for how our condition could be improved by legal and policy reform, is not only one of its core orienting features but also a major strength.Footnote 21 Yet focusing on legal deficiencies also has some limits.
Firstly, focusing on how law is not effectively governing our social order and practices can direct our attention away from how our pre-existing legal and other governance norms and institutions powerfully support sociotechnical ordering, including inequalities and oppression. How pre-existing legal arrangements enable possibly problematic order, seeping into technologies and economic and political practices, may remain obscure.Footnote 22 Secondly, in addition to possible blind spots, the disconnection that analyses of legal deficiency depict between law and social order purifies law from blame when the order concerned is perceived to be unjust. Combined with the proposals for corrective new norms, the purifying disconnection assigns a late but redemptive role for law as a necessary means of justice. If a problematic practice or order involves only a loose or non-existent connection with pre-existing legal arrangements, it implies that those legal arrangements cannot be complicit in that unjust sociotechnical order. This role of law demonstrates one variety of a legal-theoretical position that Samuel Moyn has termed ‘crude functionalism’. It is a deterministic position that sees law as necessarily in service of some specific interests or goals, in this case redemptive justice.Footnote 23
However, other scholars have insisted that this role of redemptive justice assigned to law is a misdiagnosis of socio-technical order and its problems.Footnote 24 In the specific context of EU legal studies, the role of law as an external corrective imposed on problematic social order denotes that European legal arrangements, and by extension the Union itself, play the role of a hero in the righteous fight against self-serving, imperialistic US corporations and their ‘private governance’. If law is understood this way, it may have a legitimating effect on those EU legal arrangements that do uphold (corporate) power, inequalities and oppression.
Outside Europe, scholarly explorations have already charted how legal arrangements of (intellectual) property, boilerplate contracts, trade secrecy, company law, fundamental rights, varied administrative guidelines and other legal or quasi-legal tools have become productive supports of private and public actors in the US and global digital economy.Footnote 25 Europe is not exceptional in this regard. For example, the dominance that the few mostly US-based corporations currently have over the regional digital economy would not be possible without various enabling European policy and legal arrangements. Yet these arrangements in Europe and how they have produced and reproduced power are not identical to those mapped in the US or elsewhere. Thus, there is a need for increased scholarly effort to illuminate the specific connections between these European legal arrangements and socio-technical ordering, including oppression and inequalities. This is not to say that no one has conducted such work – an argument that would beg a comprehensive literature review. Rather, my argument is for the redoubling of these efforts. The next section further elaborates the idea of exploring productive connections by presenting three ways in which legal arrangements enable and produce sociotechnical order. It also suggests some methodological moves for orienting oneself towards this exploration.
3. Three types of productive connections and some methodological moves
A. Legal arrangements as instruments of sociotechnical ordering
Maintaining order requires continuous work in which legal arrangements play an important role. The most important question of how to analyse productive connections between legal arrangements and sociotechnical order concerns how to view legal arrangements themselves. I argue that one should avoid overstating the autonomy of legal arrangements while also taking them more seriously than mere neutral ordering tools of specific interests and values.
As for the avoidance of overstating law’s autonomy, one can remember that to be used is to become part of something.Footnote 26 Legal arrangements are used, perhaps most obviously by policymakers, to address perceived problems of sociotechnical ordering. By this view, legal arrangements do not play much of a role in their own right – since they work as mere instruments of order – but instead the interests and values are what matter. Thus, it becomes important to understand the purposes to which legal arrangements are designed and used. This directs the analyst’s attention to the problematisations of sociotechnical order by various actors, that is, how an actor is ‘turning givens into questions’.Footnote 27 The methodological move here is to turn an actor’s problematisations and values from research resources into a topic of inquiry. To study problematisations is to resist the urge to treat the stated harms or injustices of the current order simply as given issues to which one can start formulating legal responses with the legal tools with which one is familiar. The starting point could be certain actors’ problems in a given time and space.Footnote 28 In addition, the stated values and purposes informing problematisations, such as privacy, freedom or autonomy, would not be treated as stable reference points external to governance.Footnote 29 They are immanent to the governance. Thus, one could instead pay attention to how these values and purposes of governance are conceptualised by governing actors – what the values mean to them.
Making problems and values topics of inquiry could be insightful because framing the problems of current order, such as those related to technology and/or corporate practices, in a specific way can maintain other arrangements and practices as givens. Problematisations also influence the legal remedies that are taken up to address those problems.Footnote 30 For example, one can take the debates around the societal harms of artificial intelligence, including the large language models such as those deployed in OpenAI’s ChatGPT. In general, the policy discussions on the harms of artificial intelligence (AI) have supplied two broad understandings of what problems should be addressed and by whom. One understanding of the harm, often advanced by prominent figures in AI development and finance, brings up rather airy and intractable threats of potential human extinctionFootnote 31 and ‘loss of control of our civilisation’.Footnote 32 From such warnings of universal catastrophe projected far into the future, no clear vision of legal-political action in the present emerges except maybe one of an extreme (and highly unrealistic) version of the precautionary principle that would aim at ending the AI development entirely. Therefore, such harm formulations end up devolving agency to the AI industry itself and relying on its sense of responsibility when the threat of ‘catastrophe’ eventually seems imminent.
The other strand of understanding AI harm centers the reproduction and reinforcement of pre-existing societal inequalities both globally and regionally. It also brings up AI’s huge environmental strain.Footnote 33 These formulations of AI harm point to the present social order and its pre-existing pathologies in terms of vast power and wealth imbalances, and the ongoing climate catastrophe and resource overconsumption. These problem formulations also set aside the universalistic understanding of the harm by foregrounding the unequal power dynamics in AI design and the disparate impact of AI systems already in operation. These imbalances are visible on several axes – between the Global North and South; the biggest multinational corporations and other economic actors; and the more well-off citizens and the already marginalized groups. From this, a need for the investigation of pre-existing social order and possible intervention in the present suggest themselves. Another implication is the skepticism towards the potential of self-regulation by the dominant industry actors. Instead, such harm formulations might instead suggest intervention by democratic actors.
It is possible to approach the Union’s or European civil society actors’ other myriad problematisations of technologies with the same analytical lens. Indeed, the Union’s current attempts to rein in Big Tech or gain digital sovereignty imply that the power or conduct of some corporate actors are indeed seen as problematic. But how specifically are they being problematised? What background ideas and distinctions do such problematisations rely on? How are different values understood? This analysis can also tease out the converse – what is not thought as problematic but left as given? For example, it may be that the problem of unaccountable Big Tech power may take certain enabling legal structures of that power as unproblematic givens.Footnote 34
B. Legal arrangements that run away from their creators
The previous point focused on the problems, interests and values of sociotechnical order and on how our legal arrangements serve as tools to address those problems and promote those interests and values. However, to take legal arrangements more seriously than as mere neutral instruments of values and interests, one needs to account for how legal arrangements have a degree of autonomy from the intentions of policymakers and other norm-formulating actors. As Sara Ahmed has stated, ‘intentions do not exhaust possible uses of a thing’.Footnote 35 Often, policymakers cannot predict how actors will eventually come to rely on legal arrangements.Footnote 36
This means moving away from crude functionalism and emphasising the possibility to leverage our existing legal tools as support for various projects that can diverge from the interests of both policy-makers and sometimes even powerful social actors, such as those of capital, patriarchy or racial supremacy. A corresponding move here relates to our understanding of sociotechnical order itself. More specifically in the context of digital economy, the move is to turn corporate power or another form of order from a cause to an effect.Footnote 37 Social or political power is not a starting point that triggers a (legal) response, but a product of relations that quite likely absorb legal elements.Footnote 38 These complex and heterogeneous contributing legal elements merit further study.Footnote 39 The task is to explore and (re)describe what these relations and legal elements are. One could trace the interaction between pre-existing legal tools and actors other than the original policymakers. This also enables us to chart how legal tools and institutions can enable different concentrations of power. For any private or public actor, relying on law is necessary because our entire sociotechnical order has been thoroughly entangled with legal arrangements for a very long time. Also, when legal arrangements run away from their creators and become support for one actor, this often means restraining another one.Footnote 40
The idea of sociotechnical ordering that ubiquitously relies on legal tools that have run away from their creators can also help to make sense of law’s legitimisation of power. Legal arrangements do not only enable practices and actors concretely via the simple force of law.Footnote 41 They also justify them. Thus, by legitimisation I mean law’s function of redefining ‘power and preconception as legal right’.Footnote 42 Nowhere in law is it openly stated that a specific legal tool is meant, for example, to maintain the Big Tech hegemony over the European digital economy. Legal arrangements are instead justified in terms of the shared values and public interests that presumably informed their adoption. Thus, when mobilising different legal arrangements, private and public actors can also tap into the legitimising power of law that helps to make their projects appear natural and just.
In Europe, internal market law as one of the most traditional fields of EU law provides here the first example of the mobilisation of pre-existing legal arrangements. Following the increasing importance of services in digital economy,Footnote 43 the EU’s long-standing legal efforts to free the cross-border flows of services – officially justified in terms of individual freedom to pursue endeavors across EU Member States – have proved important also for the corporate behemoths of digital economy.Footnote 44 The free movement of servicesFootnote 45 and the freedom of establishmentFootnote 46 have enabled corporations to locate themselves in Member State of their choice (usually Ireland, Luxembourg, or Netherlands). The Court of Justice of the European Union (CJEU) has interpreted ‘service’ widely and thus many corporations are able to mobilise the freedom for their business.Footnote 47 At the same time, these corporations are able to enjoy the national legal entitlements, such as lax taxation, which have largely not been harmonised. This is the basis for a dynamic where the material benefits of digital business largely accrue to the select host locations whereas the various costs are borne locally. For example, it has been shown that online platform businesses undermine states’ income structure by competing against and bankrupting the local brick-and-mortar businesses that pay taxes to those states.Footnote 48
The free movement of services has been elaborated further in the e-Commerce Directive.Footnote 49 While a lot of scholarly attention has been devoted to the liability exemption provisions of the Directive,Footnote 50 it also contains some other important entitlements. Article 3 of the Directive encapsulates the country-of-origin principle – officially meant to guarantee the uniform enforcement of common rules in the internal market – which directs most of the regulatory authority from the country where business is done to the country of establishment. Article 4, in turn, prohibits even the country of establishment from imposing a prior authorisation as a requirement for the provision of many online services.Footnote 51 Together, these provisions serve to restrict regulatory powers both in countries of operation and establishment.
While the Digital Services Act entrusted the enforcement of its new obligations against the largest online services primarily within the Commission,Footnote 52 it did not touch the underlying internal market principles of the Directive.Footnote 53 Pursuant to a case by Google, Meta and TikTok, CJEU has recently affirmed the country-of-origin principle and thus restricted the scope of derogations that is available for Member States from the internal market entitlements.Footnote 54 This increased the pressure on any national content governance legislation attempting to offer protection against online harms nationally.
Moving from internal market law to contract law, scholarship is directing more and more attention to the ‘the empire of forms’ that undergirds the intricate business relationships of digital economy.Footnote 55 Generally, transnational contract law has come far from the auspices and intentions of nation states even though one or several national, regional, and/or international laws do govern online contracting.Footnote 56 In global digital business, different kinds of contracts are ubiquitously relied on both at the production and consumption sides. On the production side, contracts facilitate bigger and smaller firms’ activities from data licensing for developmentFootnote 57 to enrolling labor often in the form of ‘independent contractors’Footnote 58 to securing hardware supply sometimes far into the future.Footnote 59 As Klaas Eller has argued, these transnational contracts serve more the purpose of coordinating and safeguarding elaborate value chains than sanctioning in case of breach.Footnote 60 On the consumption side, adhesive contracts in the form of ‘click-wrap’ is a standard practice.Footnote 61 Consumers now routinely take up different digital services or servitised products by clicking to agree to elaborate terms of service that, among other effects, facilitate data flows from the use of service to the provider.
While the EU has recognised the importance of contract law for digital economy for long, its most far-reaching legislative projects such as the Common European Sales Law have so far failed.Footnote 62 However, the Union has been more interventionist within certain specific fields of contracts.Footnote 63 Arguably, the most notable field here is consumer law. One facilitative legal construct in this regard may be found in the legal image of the consumer itself. Even though EU law has featured various consumer–citizens with varying capabilities in different times,Footnote 64 generally the starting point in consumer law has been the protection of the consumer as the weaker contracting party. Yet Marija Bartl has shown how around the turn of the 2000s the EU consumer law’s understanding of consumer shifted towards a more self-reliant, ‘confident’ consumer.Footnote 65 This image matched rather well with the CJEU’s traditional construction of ‘reasonably well-informed and reasonably observant and circumspect’ consumer.Footnote 66 The consumer policy trend continued in the early 2010s when the Union adopted the Consumer Rights Directive and introduced its 2012 Consumer Agenda.Footnote 67 The focus on confident and rational consumer effectively meant emphasis on procedural rights and information entitlements over more stringent restrictions,Footnote 68 leading to what Hans Micklitz called ‘the expulsion of protection from consumer law’.Footnote 69
Even though scholars have already pointed out the shortcomings the information obligations in online contracting,Footnote 70 this image of confident and rational consumer continues to undergird the boilerplate contracts online and even implicating some aspects of the traditional formalist theory of contract as ‘a will-based interpersonal agreement between parties presumed as equals’.Footnote 71 Mobilising the confident consumer construct, corporations have adopted the paradoxical image of what Jake Goldenfein and Lee McGuigan call ‘managed sovereign’ – a consumer who is treated rational and self-standing for legal purposes when signing up to a service agreement, but then viewed as an endlessly pliable object of nudging and other influencing once the person is enrolled on the online service.Footnote 72 In practice, consumers have no choice but to accept the boilerplate and few spend their time reading or trying to understand the terms and conditions they agree to.
Data protection law also supplies examples of how legal arrangements run away from their creators and may thus facilitate unforeseen projects. Viviane Reding, an ex-Commissioner and one of the chief architects behind the GDPR has stated that ‘the goal of European privacy rules was to go after Big Tech – not the local butcher or football club’ and lamented the national regulators’ enforcement focus on ‘the nitty gritty’ despite these intentions.Footnote 73 However, the GDPR is a broad horizontal piece of legislation – arguably a ‘law of everything’Footnote 74 – that seeks to uphold a wide range of principles, freedoms, and rights across myriad of social contexts. This can also make it vulnerable to mobilisation for many projects unforeseen by its architects.
For example, to give data subjects control over their data, the GDPR grants a host of data subject rights to data access and erasure,Footnote 75 and the right to restrict or object to data processing.Footnote 76 Yet economic actors may have incentives to minimise data access by data subjects to their databases, and thus also the effective exercise of these data subject rights.Footnote 77 For this, the requirement of ‘data protection by design’ in Article 25 of the GDPR has offered a suitable legal support. In industry practice, data protection by design requirements have been translated into different techniques of privacy-enhancing technologies (PETs) that seek to prevent unauthorised disclosure. However, as scholars have shown, PETs can still leave considerable risk of re-identification particularly if an actor has complementary data on the data subjects.Footnote 78 At the same time, PETs as data protection by design sometimes do de-identify data to the extent that corporations can claim they are unable to provide data subjects their access rights including the right to erasure because they cannot identify them from their data.Footnote 79 Sometimes this might have normatively defensible reasons.Footnote 80 Yet when mobilised this way, data protection by design can also lend credence to the corporate goal of frustrating the rights granted in the GDPR itself.
The struggles over access to online platform data for research purposes is another example. The architects of the GDPR likely did not foresee nor intend privacy to be mobilised as a shield for Big Tech business operations against academic and civil society scrutiny. Nevertheless, this is exactly what Big Tech has sought to do.Footnote 81 For example, Meta started restricting access to its application programming interfaces after the Cambridge Analytica scandal revealed widespread harvesting of social media data for political projects.Footnote 82 In restricting this access, Meta has sought to harness privacy as a shield against scholarly scrutiny that relies on ‘scraping’ platform data by similar methods to the ones Cambridge Analytica used.Footnote 83
Finally, privacy and data protection law have come to frustrate general corporate accountability in the disclosure of beneficial ownership of corporations and other legal entities. The EU’s new amendments to its Anti-Money Laundering Directive sought to facilitate some corporate accountability also beyond the financing of terrorism and other crime. Amendments provided that some beneficial ownership information would be accessible to the general public to allow ‘greater scrutiny of information by civil society, including by the press or civil society organisations’.Footnote 84 However, pursuant to beneficial owners’ legal action against Luxemburg law establishing a Register of Beneficial Ownership, the CJEU later invalidated such disclosure obligation based on its disproportionate interference with the beneficial owners’ fundamental rights to privacy and personal data as guaranteed in Articles 7 and 8 of the Charter.Footnote 85 To be sure, compelling reasons may sometimes be found against public information access. Yet wielding data protection against such general disclosure mandates can also uphold corporate secrecy and power in the face of accountability demands.
Indeed, fundamental rights law provides the fourth field of examples of how pre-existing legal arrangements can be mobilised for unforeseen projects. As Rachel Griffin has shown, fundamental rights tend to incorporate a liberal-individualistic framing of human well-being.Footnote 86 This can make them amenable to mobilisation for corporate interests.Footnote 87 One can begin with freedom of expression and privacy as the most obvious rights in the digital context.Footnote 88 Rikke Frank Jorgensen has conducted research on how Big Tech corporations understand the meanings of these two fundamental rights. She has highlighted how people inside the industry see the companies’ operations as being aligned with these rights rather than opposed to them. Yet those people simultaneously understand the rights in highly specific ways that conform to their business practices.Footnote 89 Freedom of expression, for example, is what their business is ‘all about’, while human rights threats are associated with government intervention.Footnote 90 The aim is to align specific interests and general values,Footnote 91 which makes it possible to harness those values and principles to enable specific projects. Similarly, Ari Ezra Waldman has argued that our current privacy practices that revolve around individual control and managerial compliance conceptualise what ‘privacy’ and ‘privacy law’ now dominantly mean.Footnote 92
In the EU, businesses also benefit from a general fundamental right of their own. The right to conduct a business as enshrined in Article 16 of the Charter, has slowly but surely become a powerful and consistently mobilised entitlement in the Union primary law. As Hilary Hogan has shown, in the CJEU jurisprudence the right to conduct a business has evolved into a general right to corporate autonomy that protects whatever potentially profitable activities one sees fit to undertake.Footnote 93 While the right can surely be limited like most other fundamental rights, the CJEU has been willing to accept that a wide range of regulatory activities are to be viewed as infringements of the right, which must be then justified as appropriate, necessary and proportional among other requirements.Footnote 94
In the digital context, the CJEU has for example argued that ‘[t]he freedom to conduct a business includes, inter alia, the right for any business to be able to freely use, within the limits of its liability for its own acts, the economic, technical and financial resources available to it’.Footnote 95 Regarding online content governance, the CJEU has also reasoned that a filtering injunction requiring an internet service provider to ‘install a complicated, costly, permanent computer system at its own expense’ would amount to a ‘a serious infringement’ of the right to conduct a business.Footnote 96 While these judgements have certainly not prevented the EU from enacting new online content regulation, they have contributed to the strengthening of the link between fundamental rights and corporate autonomy, which enables businesses to operate fairly independently without too much public constraints. For example, in the fundamental rights impact assessment of the DSA the Commission ensured that ‘[n]one of the measures in either one of the [regulatory] options should jeopardise the protection of trade secrets or proprietary products of online platforms’.Footnote 97 Similarly, Meta has argued before the German Competition Authority that ‘limiting data processing is always unreasonable because it interferes with Facebook’s product design’.Footnote 98
Even though all the examples of legal arrangements mobilisation in this section involve powerful corporate interests, even actors with ample resources do not always succeed in connecting with legal arrangements in a durable way. The connections that different actors have managed to forge between their interests and pre-existing legal arrangements can be fragile.Footnote 99 The idea that legal arrangements can run away from their creators and be co-opted by various societal actors also accounts for the fact that authoritative legal interpreters sometimes cut the connections that these actors have forged with legal arrangements, for example by reference to a tool’s iteratively construed original purpose.Footnote 100
One can find an example of this severing of productive connections in data protection law. The GDPR not only constrains data processing and ‘protects’ personal data but also enables various data processing operations if, among other requirements, the processing has a proper legal basis.Footnote 101 Meta has long insisted that ‘there is no hierarchy between legal bases [in the GDPR], and none should be considered more valid than any other’.Footnote 102 Thus, it has refrained from asking consent for processing for advertising business, relying instead on the so-called contractual necessity legal basis.Footnote 103 Yet this connection with the GDPR was effectively severed by the European Data Protection Board’s (EDPB) recent decision against such reliance.Footnote 104 Afterwards, Meta shifted to legitimate interest legal basis instead.Footnote 105 This reliance might have also been cut by the CJEU in a judgment on Meta’s data processing for advertising in June 2023, suggesting that Meta needs recourse to consent after all.Footnote 106 This led the company to introduce an advert-free, subscription-based version of Facebook and Instagram in Europe, which serves as an alternative if a user does not consent to data processing for advertising purposes.Footnote 107 Yet this strategy was once again rejected by the EDPB, which issued an opinion arguing against such binary options as a basis for valid consent.Footnote 108 In the latest episode of the saga, the Commission opened its own separate investigation of Meta’s data processing under the Digital Markets Act.Footnote 109
As another example from data protection, civil society actors can mobilise the data rights in the GDPR for the purposes of independent research and industry scrutiny even if this is not stated as an explicit goal of the regulation.Footnote 110 They have also successfully wielded various fundamental rights against powerful corporate and state actors.Footnote 111 In the internal market context, despite the Union’s meagre competences in taxation law, the Commission has sought to address Member States’ tax benefits to their hosted digital behemoths as unlawful state aid (albeit with mixed results).Footnote 112
However, the extent to which legal arrangements appear flexible and thus harnessable is relational to the actor that seeks to harness them. This means that the well-connected and amply resourced, for example powerful multinational corporations and hegemonic states, may often be better positioned to mobilise legal tools to support their projects than the disadvantaged. They have more capabilities. Thus, legal arrangements might appear more flexible to them than to others.Footnote 113 For example, they can pursue their projects in different legal fora at the same time, such as before regulators, legislatures and courts. They can mobilise more legal services, and endure losses in individual campaigns while having still the resources to advance long-term projects.Footnote 114 They may also have connections and resources to mobilise lobbying services, think tanks, public relations services, media and even academic research to gain support and spread their conceptualisations of important values and legal-political issues.Footnote 115 No authoritative decision-maker can be totally uninformed by these various efforts for societal influence even though actors in public positions generally understand themselves to be working in the general interest.
C. Legal arrangements as constitutive of other forms of governance
The third point of focus concerns how legal tools become embedded into, and thus constitute, markets, technologies and other forms of order that are traditionally understood to be non-legal. The focus is on drawing the connections between traditionally legal and other forms of order. Here, legal arrangements are understood to be productive in a deeper sense than mere supportive instruments for various actors, whether intended or not by their original designers. They are understood to partly create various entities, including actors with interests and other forms of social order such as markets, technologies and societal governance. While this is not to deny that law also responds to market developments, new technologies and other forms of order, the orientation does entail a focus on how legal arrangements form and undergird these other governance systems.
In particular, legal arrangements can be baked into technology, and thus become constitutive of it.Footnote 116 Law and technology scholars are acutely aware that computer code can produce regulatory effects in its own right with very real consequences.Footnote 117 However, there is an increased need to analyse how specific productive interactions between legal and other governance arrangements play out. One could study, for example, how in online environments, many GDPR requirements, especially on valid data subject consent,Footnote 118 have been translated into the technological mechanism of consent management user interfaces or ‘cookie banners’.Footnote 119 The cookie banner is a choice management solution for websites offered by specialised consent management providers. It produces a layered window or banner when a website is loaded, enabling the website user to receive information on data processing and consent to it.Footnote 120 Usually, consent can be managed by clicking different choice ‘sliders’ on a pop-up window before proceeding to the website. Existing analysis has tended to revolve around the features of cookie banners that appear as possibly non-compliant with the GDPR requirements for valid consent.Footnote 121 These analyses involve a shift to legal-normative evaluation, the possible legal implications being that the GDPR is not enforced properly.
However, this assumes a certain irrelevance of the GDPR to consent management. Instead of focusing on irrelevance, one can appreciate how the GDPR has constituted an entire market that offers ‘consent-as-a-service’. Furthermore, delivering data protection and ‘being in compliance with the GDPR’ in the online environment now often involves inserting a properly designed consent management solution into one’s website. Thus consent management services constitute a significant part of online data protection. Finally, data protection law and the designs of consent management platforms have been slowly transformed in tandem through the decisions of the CJEU, EDPB and changing corporate practices. The aim of exploring these connections between consent management and the GDPR is not to draw attention to how consent management solutions and their providers are not complying with the GDPR obligations and how they could comply better. Instead, it is to induce reflection on the practices, markets and actors enabled and produced by the GDPR, and whether this is what we would like online data protection, and to some extent online privacy, to be.
Regarding other forms of order, one can also trace how legal governance interacts with more informal governance arrangements, often referred to as ‘soft law’, ‘self-regulation’, or ‘co-regulation’. Law and technology scholars are now acutely aware that various forms of ‘private ordering’ are highly consequential. However, it is common to contrast the private, unaccountable governance of corporations with traditional ‘hard law’ regulatory schemes. The latter are generally thought to be relatively absent in the European digital economy before the recent flurry of regulation by the EU. More generally, it has been debated in EU legal studies since 2000 at least whether the Union has moved from ‘integration through law’ to ‘integration through governance’.Footnote 122
Here, the methodological move is to sideline general debates and refrain from strict distinctions between hard and soft law and the related question of legal validity.Footnote 123 Nor is it sufficient to label the interactions between law and informal governance as a mixed regime of co-regulation.Footnote 124 Rather, one would trace the specific interactions that are formed between legal arrangements and more informal forms of governance, appreciating how hard law can become ‘governmentalised’ and governance ‘legalised’.Footnote 125 This also entails resisting the urge to see such amalgams simply as a lack of ‘proper’ lawfulness or to lament them as dilutions of rule of law, but also refraining from normatively embracing such amalgams. Better to illuminate how the meanings of both EU law and governance are slowly transforming through new specific hybridizations, while empowering new actors in different ways. Again, this could engender reflection on how legal tools can enable various other forms of governing actors and governance processes, while the very meaning of law also changes in the process.
For example, scholars have already chronicled how, before the new EU digital regulations, online platform content moderation by these ‘new governors’Footnote 126 were undergirded by quite traditional legal entitlements, such as the provisional immunity against liability enshrined in the e-Commerce Directive.Footnote 127 Thus, both traditional legal mechanisms and various soft law arrangements enabled new governors of online content to emerge in the first place. Correspondingly, the DSA could be said to have ushered in a new age of hard law, codifying and also transforming many platform governance practices. Yet various more informal and privatised governance arrangements of ‘regulatory managerialism’ will continue to play an important role within the European regulatory picture.Footnote 128 In the DSA regulatory complex, these include out-of-court dispute resolution, codes of conduct such as the governance scheme woven around the Code of Practice on Disinformation,Footnote 129 and monitoring by trusted flaggers, private auditors, national authorities and vetted researchers. The Commission itself is set to orchestrate all these actors and unfolding monitoring processes.Footnote 130
Here, one can study how the DSA and other new digital regulations can produce, for example, new markets for regulatory technology or auditing governance as a form of private ordering.Footnote 131 Focusing on the external auditing of online systems, the DSA mandates that the largest online platforms and search engines have their systems periodically audited by independent auditors.Footnote 132 While the DSA is rather circumspect on who exactly might become such independent auditors,Footnote 133 the Commission’s delegated regulation on external audits lays out the independence requirements so that they open the door for ‘the Big 4’ multinational audit firms (Deloitte, PwC, KMPG, and Ernst & Young).Footnote 134 As Julia Black has shown in the context of financial services, such consultancy firms with homogenous organisational cultures are highly consequential for the formation of standardisised ‘best practices’ of governance that ultimately determine what precisely is being scrutinised and how.Footnote 135 In the words of the Commission, the audit reports ‘shall offer a comparative basis for public scrutiny’ of the largest online service providers.Footnote 136 Scholarship has also pointed to the shortcomings of audit governance, including questionable independence and lack of public accountability.Footnote 137 One can study how the DSA and other digital regulations extend private audit governance into new domains, producing new kinds of private ordering.
Another example of the production of private ordering is technical standardisation. Technical standardisation governance, as undergirded by quite traditional EU law,Footnote 138 has played a vital role in the creation of the internal market for decades.Footnote 139 Three private standardisation bodies – the European Committee for Standardisation (CEN), the European Committee for Electrotechnical Standardisation (CENELEC), and the European Telecommunications Standards Institute (ETSI) – have been tasked by the European Commission to draft European harmonised technical standards for the EU. Technical standards provide crucial mediation when legal rights and obligations are baked into technologies. More recently, we have witnessed legal struggles before the CJEU on whether the European harmonised technical standards are themselves ‘law’ (they are),Footnote 140 and what obligations pertaining to their free public availability might follow from this designation.Footnote 141 These are important transformations to note as the legalisation of private governance.Footnote 142 Yet the transformation of legal requirements into technical standardisation governance also involves other stakes.
The Union’s new Artificial Intelligence Act foresees technical standardisation as the way to concretise the fundamental rights and other legal obligations for ‘high-risk AI systems’ and translate them into technological form.Footnote 143 In scholarship this regulatory approach has been received with skepticism.Footnote 144 By enabling CEN and CENELEC to draft harmonised standards, the AI Act also empowers their complex multistakeholderist governance structures.Footnote 145 Therefore, EU legal arrangements upholding standardisation governance may also indirectly enable powerful corporations ‘holding stakes’ in technical standardisation. Societal stakeholders – most notably Environmental Coalition on Standards (ECOS), European Trade Union Confederation (ETUC), and Association for the Co-ordination of Consumer Representation in Standardisation AISBL (ANEC) – face resource and expertise constraints, and in some cases their participation is standardisation processes is limited.Footnote 146 All this can amount to a form of governance that Julie Cohen calls ‘extreme multistakeholderism’ – governance that disproportionally rewards the well-connected and amply-resourced industry stakeholders.Footnote 147
The Commission’s recent struggles to reform the European standardisation governance system itself are illustrative here. In 2022, the Commission unveiled a new standardisation strategy and a proposal to amend the regulation governing the creation of harmonised standards within the European standardisation organisations.Footnote 148 This was done to account for, most notably, the fact that ‘today’s decision-making processes within the European standardisation organisations […] allow an uneven voting power to certain corporate interests: some multinationals have acquired more votes than the bodies that represent the entire stakeholder community’.Footnote 149 In particular, ETSI’s governance structure enables industry membership and the influence of financial contributions into decision-making.Footnote 150 ETSI’s deep-pocketed corporate members include, among others, Google Ireland, Meta Ireland, Amazon Web Services and several companies of the Huawei group.Footnote 151 In the end, the Commission decided to leave ETSI out from its AI standardisation request even though the organisation has been very active in the field.Footnote 152 The newly amended regulation on standardisation organisations and harmonised standards now provides that certain important decisions on European standards must be ‘taken exclusively by representatives of the national standardisation bodies within the competent decision-making body of that organisation’.Footnote 153
After a harmonised technical standard has been drafted, the Commission is meant to determine whether it fulfils the requirements set out in the standardisation request, and ultimately AI Act. In practice, and coming back to the topics of audit governance and regulatory managerialism, the assessment is carried out by independent experts called Harmonised Standard Consultants (HAS Consultants).Footnote 154 The Commission has outsourced the selection and management of these special consultants to a HAS Contractor, which for many years has been no other than the audit company Ernst & Young.Footnote 155 In sum, the elaborate translation of legal mandates into technical standards offers one field where myriad productive connections between law and other forms of governance can be traced. In technical standardisation, legal mandates are governmentalised and private governance legalised.
4. Normativity in the exploration of enabling legal structures
So far, I have argued that we need more analyses of the European digital economy where the analytical gaze is not attuned to finding various legal deficiencies that could serve as springboards for legal-programmatic proposals. I have sought to show that the analytical gaze I have briefly demonstrated above is more about the (re)description and analysis of productive connections between laws, problems, and other forms of governance including technologies, than about the normative construction of corrective arrangements. Moreover, the analysis is empirically oriented in that it avoids generalisations but instead confines itself to specific legal and governance arrangements in specific times and places. This specificity also concerns law itself, which explains why I have talked a lot about legal tools and arrangements in plural rather than a (supposedly) unified and abstract notion of law.Footnote 156 There are many small pieces of doctrine and organisational arrangements with different operational logics.
My insistence on the need for such analysis is not to achieve objectivity or a better grasp of reality. While these analyses are certainly meant to help us understand what is going on in the European digital economy, they do not attempt to mend the ‘reality deficit’ that EU legal studies has been accused of.Footnote 157 This paper was inspired by my uneasiness about the relatively minor role often assigned in policy and scholarly debates to pre-existing legal arrangements that are participating in ordering the European digital economy in incredibly powerful ways. I also felt concerned about the complicity of many pre-existing legal arrangements in the production of private and public power. Therefore, the aims of this paper are political. This brings us to my final thoughts, namely the normativity in analysing the legal making of the European digital economy. While research in this rather (re)descriptive mode refrains from suggesting programmes for new legal arrangements, I argue that normativity is still involved.
In scholarship, the map has been widely used as a metaphor of the (re)descriptions that researchers make. Firstly, regarding maps as descriptions, some theories recognise the political function of maps so that ‘a map is at once “an instrument of depiction – of objects, events, places – and an instrument of persuasion [and pedagogy] – about these, its makers and itself”’.Footnote 158 Indeed, ‘maps rely on selectivity, since, for finite beings, navigating the world requires leaving out some details and focusing on others’.Footnote 159 A complete 1:1 map would be not only impossible but would also fail to orient its users in specific directions.Footnote 160 The scholar as a map-maker always has to decide what details to leave in and what to leave out.Footnote 161 These choices are value-laden and thus involve politics.
Secondly, the world-making capacity of maps has been documented by James Scott in his classic study of states’ means of legibility. The administrative maps drawn to make sense of varied terrains – cities and forests – aided governments in transforming those same terrains so that eventually they corresponded with the maps.Footnote 162 As for scholarly maps and research more generally, the performativity of research methods has been readily accepted within certain strands of social theory.Footnote 163 This entails acknowledging that any research contributes to making specific realities, and destabilising or marginalising other realities. Social science never merely describes one reality but helps produce a specific reality depending on theories, methodologies and methods. For example, research has detailed how game theory and economic theories of market design inspired the creation of the now dominant Silicon Valley online platforms as ‘multi-sided markets’.Footnote 164 Therefore, research does not merely represent the things and practices but also intervenes in them. Moreover, because of the necessary selectivity I have just pointed out, this implies that the worlds that can be created are multiple.Footnote 165 Politics and normativity, from which one cannot escape, are involved in all research, also in the sense of world-making.Footnote 166 What sort of worlds do we want to help realise by describing and drawing attention to them, and what worlds do we want to marginalise?
So, what realities might one want to help produce if not those featuring rampant legal deficiencies? As is hopefully clear by now, they should be realities that place our pre-existing legal arrangements as central and powerful features of our socio-technical ordering. Giving up the urge to formulate legal-normative proposals frees one’s resources for the (re)describing of existing arrangements. This enables thicker descriptions. One can analyse more, including more connections between legal arrangements and our socio-technical ordering.
In the specific context of (European) social commentary on the digital economy, there already exists a mainstream sensibility for reform – a collective urge that something needs to be done. Similarly, we have no shortage of suggestions for what should be done. I believe that, in this context, the normative thrust of these analyses lies in their potential to channel responsibility for our current order and its possible injustices to legal and policy arrangements that can be taken for granted or deemed as marginal. As Fleur Johns has argued in the international context: ‘If international law and lawyers are shown to be complicit in constituting and/or entrenching that which they purport to stand against […] then attributions of responsibility and questions of reform might emerge that are different to those currently circulating’.Footnote 167 Analyses of the legal making of the European digital economy may reorient our reformist sensibility and engender reflection on the limits of legal reform.
As regards reorientation, while describing and analysing the productivity of law does not involve normative proposals, it can prime other actors to see different possibilities for reform. They can help to bring forward what is seen as unproblematic or may even fall outside the current reformist vision. What arrangements do specific problematisations take as given? Would it be worthwhile to reconsider a legal mechanism previously taken as given instead of devising a new regulatory framework imposed on top of it, keeping pre-existing arrangements intact?
As regards reflection, exploring the connections between the European legal arrangements and socio-technical ordering can highlight law’s possible complicity in inequalities and oppression, guarding against overreliance on legal reformism.Footnote 168 Such reformism risks fetishising specific legal mechanisms as necessary means of justice. As Julie Cohen has stated, legal responses to power and injustice all invite ‘new strategies for evasion, capture, co-optation, and arbitrage’, becoming ‘sources of opportunity and targets for co-optation’.Footnote 169 Such analyses can also help maintain a sense of humility and responsibility in reformist urges by reminding us that while legal tools can indeed be seen as instruments for progressive projects, they are more than merely neutral and stable conduits of good intentions, and even well-meaning efforts to improve our condition can bring unintentional consequences. This does not make legal reform futile, but serves to temper reformist urges. It contributes to ‘a moderate concession to the epistemologies highlighting societal complexity and “unknowability” of the economy’.Footnote 170 Highlighting how law enables reveals both the potency and limits of legal engineering.
5. Conclusion
In this paper, I have argued that much law and technology scholarship and social commentary is attuned to formulating better regulation in the form of new norms, rulings, administrative decisions, administrative organisations or other legal arrangements. These formulations are in turn based on what I have called analyses of legal deficiency, which portray (often problematic) practices or technologies as ungoverned, or not effectively governed by law. The new legal arrangements are then presented as correctives to legal deficiency. I further argued that while these analyses are valuable, we also need more legal research with an alternative analytical lens. Such alternative analyses would focus on connecting the myriad pre-existing European legal arrangements to the socio-technical ordering that they enable and reproduce. Conducting such an analysis means to refrain from seeing European legal arrangements as external and relatively powerless to possibly problematic power clusters, practices, or technologies, but rather as productive structures of those phenomena.
I proceeded to discuss three complementary ways in which legal arrangements are productively connected to sociotechnical order: as instruments of ordering to address problems and promote values; as more than mere tools that also enable unintended and unforeseen projects; and as constitutive of technologies and other forms of order. All highlight how our legal arrangements enable and produce sociotechnical order in Europe. Even while the description and analysis of enabling legal arrangements dispenses with programmatic legal or policy formulations, I have sought to articulate the political-normative potency of such research. More specifically, I argued that analysing pre-existing legal arrangements might produce different attributions of responsibility and opportunities for political contestation than analyses of legal deficiency tend to generate. They can also highlight both the potential and limits of legal reform. Finally yet importantly, describing and analysing how our myriad pre-existing legal arrangements enable order can provide its own contribution to the question of ‘what is going on’. Often, when investigating our (frequently oppressive and highly unequal) order of things, within the digital economy or elsewhere, we find that one crucial answer is law.
Acknowledgements
I am grateful to Päivi Leino-Sandberg, Susanna Lindroos-Hovinheimo, Ukri Soirila, Tuuli Talvinko, Frida Alizadeh Westerling, my colleagues at the University of Helsinki Legal Tech Lab, and my colleagues at the Amsterdam Centre for Transformative Private Law (ACT) internal seminar on 30 October 2023, for comments on earlier drafts of this paper.
Funding statement
The paper has been written within the ‘Information in the EU’s Digitalized Governance (INDIGO)’ project. The project INDIGO is financially supported by the NORFACE Joint Research Programme on Democratic Governance in a Turbulent Age and co-funded by State Research Agency of Spain (AEI); Academy of Finland (AKA); Deutsche Forschungsgemeinschaft (DFG); Luxembourg National Research Fund (FNR); and the European Commission through Horizon 2020 under grant agreement No. 822166. The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.
Competing interests
The author has no conflicts of interest to declare.