Hostname: page-component-cd9895bd7-lnqnp Total loading time: 0 Render date: 2024-12-23T10:21:07.898Z Has data issue: false hasContentIssue false

Exploring the legal making of the European digital economy

Published online by Cambridge University Press:  16 December 2024

Miikka Hiltunen*
Affiliation:
Faculty of Law, University of Helsinki, Helsinki, Finland
Rights & Permissions [Opens in a new window]

Abstract

Much existing social commentary and scholarship around the regulation of the European digital economy is focused on how societies could better regulate that economy and its associated harms. Such analyses often portray a problematically viewed order as ungoverned, or not effectively governed, by law. Instead, I argue for more (re)descriptive analyses on how our pre-existing legal structures powerfully create order in the European digital economy. I explain why we should explore the productive connections between pre-existing European legal arrangements and socio-technical order, and discuss what such exploration could entail. The article covers three complementary ways in which legal arrangements are productively connected to sociotechnical order: as tools of ordering to address problems and promote values; as tools that can also enable projects unintended and unforeseen by policymakers; and as constitutive of technologies and other forms of order. It provides concrete examples of these productive connections from various contemporary struggles within the governance of the European digital economy. I argue that focusing on the analysis of productive connections may shed light on how pre-existing legal arrangements are baked into and shaped by the European socio-technical order. As the current order of the European digital economy is characterised by massive inequalities, these analyses can also direct our attention to how our pre-existing legal arrangements can produce and reproduce inequalities and oppression. Analyses of pre-existing legal arrangements might produce different attributions of responsibility and possibilities of contestation than analyses of legal deficiency.

Type
Dialogue and debate: Essay
Creative Commons
Creative Common License - CCCreative Common License - BY
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution and reproduction, provided the original article is properly cited.
Copyright
© The Author(s), 2024. Published by Cambridge University Press

1. Introduction

European digital law and policy is changing rapidly. For some years, the European Union (EU) has been on a quest to rein in mainly US-based ‘Big Tech’ corporations such as Meta, Alphabet, Apple, Amazon, ByteDance (TikTok), and Microsoft, in predominantly regulatory form. Many of the Union’s recent legal initiatives have been adopted and entered into force, such as the Digital Services Act,Footnote 1 the Digital Markets Act,Footnote 2 the Data Governance Act,Footnote 3 the updated Copyright Directive,Footnote 4 and the Union’s regulatory spearhead, the General Data Protection Regulation (GDPR).Footnote 5 Together, the contents of the initiatives amount to an immense set of novel legal tools. Of course, from the generalist EU law perspective, the Union’s faith in the potency of law in social engineering is unsurprising. Legal arrangements have provided the central means for the project of European integration since its inception (deployed, per the official account, in the name of peace and prosperity).Footnote 6

These novel legal tools have attracted a corresponding amount of attention from scholars and civil society. Much of this attention has focused on the constraining potential of law. Moreover, scholarly analysis tends to proceed in a strongly normative mode. Better constraining one or another business practice within the European digital economy through new legal arrangements appears to be as prescient as ever.

A specific analytical lens precedes the normative calls for new and better legal constraints.Footnote 7 This analytical lens is visible in the metaphors of ‘lawlessness’Footnote 8 and ‘digital wild west’,Footnote 9 distinctions between the successive ‘eras’ of self-regulation and hard law,Footnote 10 characterisations of corporate actors as uncontrolled giants,Footnote 11 as well as references to corporate ‘sovereignty’.Footnote 12 Shoshana Zuboff’s account of surveillance capitalism provides one (rather extreme) example of this analytical gaze. According to her, surveillance capitalism is conditioned primarily by lawlessness.Footnote 13 The listed examples draw attention to the independence of digital economy or corporate actors from law. They indicate that peculiar terrains, times or actors untouched or only lightly touched by law have been discovered. Scholarship with this analytical lens produces analyses of legal deficiency.

Exploring legal deficiencies is valuable as it can indicate points for regulatory improvement. However, in this article I argue for an alternative analytical research for European law and technology scholars. We need more (re)descriptive analyses of our pre-existing legal structures, done with an alternative analytical lens. Such a lens could guide us in exploring the connections between pre-existing EU and Member State legal arrangements and the European socio-technical order. This can illuminate how these legal arrangements enable various actors’ ordering projects in the European digital economy. Scholarly analyses performed with this alternative lens may shed light on how our pre-existing legal arrangements are enabling and producing, and also shaped by the European socio-technical order. As the current order of the European digital economy is characterized by massive inequalities in wealth, status and power, these analyses can also direct our attention to how our current legal arrangements can enable inequalities and oppression.Footnote 14 I finally argue that these analyses may invite calls for responsibility for our condition and political possibilities that differ from the analyses of legal deficiencies, which point to legal voids, transgressions and obsolescence for the purposes of legal reform. More generally, such analyses can provide a different contribution to what Mariana Valverde has stated as ‘the ultimate aim of our intellectual endeavours’ – to understand ‘what is going on.’Footnote 15

This paper proceeds as follows. In the next section, I explain why we should explore the productive connections between pre-existing legal arrangements and sociotechnical order in Europe. I seek to clarify how the analyst’s lens is different when it focuses on legal deficiency and on enabling legal structures. I then discuss what exploring connections between pre-existing legal arrangements and sociotechnical order could entail. I present three complementary ways in which legal arrangements are productively connected to sociotechnical order: as tools of ordering to address problems and promote values; as tools which, after creation by a norm-formulating authority, take life of their own and can thus enable unintended and unforeseen order; and as constitutive of technologies and other mechanisms of order. I also present some methodological moves related to ‘the set of ideas that informs, justifies and validates the aims and methods of research’,Footnote 16 which I see as potentially helpful in orienting oneself towards these productive connections. I provide concrete examples of these connections from various contemporary regulatory struggles within different fields of European digital regulation. The examples are not depicted as novel research areas, but merely instances where interesting connections might be drawn. Finally, I discuss the normative contribution of this (re)descriptive and analytical exploration.

2. From legal deficiency to enabling legal structures

A law and technology research article usually begins with a meticulous analysis of a ‘situation’ and ‘facts’, that is, possibly legally problematic practices and the legal arrangements understood to govern that practice. Indeed, law and technology scholarship is particularly attuned to various factual contexts of law. The exploration is then often used as a springboard for a normative proposal for a new authoritative interpretation or legal device. The new legal arrangement is often justified in reference to a legally authoritative precedent, policy argument, legal principle or shared value.

However, to jump to legal normativity, the preceding analytical lens seems to describe a situation or set of facts as somehow legally deficient rather than, at least primarily, legal. Referring to what I have called legal deficiencies as ‘non-legality’, Fleur Johns argues that different forms of non-legality share an ‘orientation around behaviour or phenomena which seem […] not governed, or not governed effectively, by law’.Footnote 17 What various legal deficiencies have in common is the (partial) disconnection that they portray between social, political, economic or other practices and the pre-existing legal arrangements that are meant to govern them, externalising those practices from law.

Therefore, analyses of legal deficiency tend to draw attention to problems of legal disorder, rather than mundane legal operations and their reproduction of sociotechnical order. A finding of illegality portrays pre-existing law as powerless against those practices that defy it. A finding of lawlessness portrays the legal system generally as external and irrelevant for the practices scrutinised. Yet in law and technology scholarship, one particularly persistent demonstration of this disconnection is found in the widespread notion that some legal arrangement has become obsolete in contemporary socio-technical circumstances and law thus lags behind technological change.Footnote 18 Due to obsolescence, pre-existing legal arrangements are depicted as being loosely tethered to the practices that they are supposed to govern. It is important to note that all these descriptions of legal deficiency can become productive of law. As Johns has argued, discoveries of various types of non-legality are often followed by calls for legality. Thus, non-legalities become a pre-condition of new legality.Footnote 19 The renewed legality seems to require the sacrifice of pre-existing law’s relevance through lamentations of obsolescence, absence and violation.Footnote 20

My argument here is not to discredit legal–normative analysis that seeks to propose and justify new legal constraints based on observed legal deficiencies. Such analyses, which often inspire new corrective legal arrangements, are of undeniable value. As Ryan Calo has argued, legal research’s ‘relative comfort with normativity’, which offers suggestions for how our condition could be improved by legal and policy reform, is not only one of its core orienting features but also a major strength.Footnote 21 Yet focusing on legal deficiencies also has some limits.

Firstly, focusing on how law is not effectively governing our social order and practices can direct our attention away from how our pre-existing legal and other governance norms and institutions powerfully support sociotechnical ordering, including inequalities and oppression. How pre-existing legal arrangements enable possibly problematic order, seeping into technologies and economic and political practices, may remain obscure.Footnote 22 Secondly, in addition to possible blind spots, the disconnection that analyses of legal deficiency depict between law and social order purifies law from blame when the order concerned is perceived to be unjust. Combined with the proposals for corrective new norms, the purifying disconnection assigns a late but redemptive role for law as a necessary means of justice. If a problematic practice or order involves only a loose or non-existent connection with pre-existing legal arrangements, it implies that those legal arrangements cannot be complicit in that unjust sociotechnical order. This role of law demonstrates one variety of a legal-theoretical position that Samuel Moyn has termed ‘crude functionalism’. It is a deterministic position that sees law as necessarily in service of some specific interests or goals, in this case redemptive justice.Footnote 23

However, other scholars have insisted that this role of redemptive justice assigned to law is a misdiagnosis of socio-technical order and its problems.Footnote 24 In the specific context of EU legal studies, the role of law as an external corrective imposed on problematic social order denotes that European legal arrangements, and by extension the Union itself, play the role of a hero in the righteous fight against self-serving, imperialistic US corporations and their ‘private governance’. If law is understood this way, it may have a legitimating effect on those EU legal arrangements that do uphold (corporate) power, inequalities and oppression.

Outside Europe, scholarly explorations have already charted how legal arrangements of (intellectual) property, boilerplate contracts, trade secrecy, company law, fundamental rights, varied administrative guidelines and other legal or quasi-legal tools have become productive supports of private and public actors in the US and global digital economy.Footnote 25 Europe is not exceptional in this regard. For example, the dominance that the few mostly US-based corporations currently have over the regional digital economy would not be possible without various enabling European policy and legal arrangements. Yet these arrangements in Europe and how they have produced and reproduced power are not identical to those mapped in the US or elsewhere. Thus, there is a need for increased scholarly effort to illuminate the specific connections between these European legal arrangements and socio-technical ordering, including oppression and inequalities. This is not to say that no one has conducted such work – an argument that would beg a comprehensive literature review. Rather, my argument is for the redoubling of these efforts. The next section further elaborates the idea of exploring productive connections by presenting three ways in which legal arrangements enable and produce sociotechnical order. It also suggests some methodological moves for orienting oneself towards this exploration.

3. Three types of productive connections and some methodological moves

A. Legal arrangements as instruments of sociotechnical ordering

Maintaining order requires continuous work in which legal arrangements play an important role. The most important question of how to analyse productive connections between legal arrangements and sociotechnical order concerns how to view legal arrangements themselves. I argue that one should avoid overstating the autonomy of legal arrangements while also taking them more seriously than mere neutral ordering tools of specific interests and values.

As for the avoidance of overstating law’s autonomy, one can remember that to be used is to become part of something.Footnote 26 Legal arrangements are used, perhaps most obviously by policymakers, to address perceived problems of sociotechnical ordering. By this view, legal arrangements do not play much of a role in their own right – since they work as mere instruments of order – but instead the interests and values are what matter. Thus, it becomes important to understand the purposes to which legal arrangements are designed and used. This directs the analyst’s attention to the problematisations of sociotechnical order by various actors, that is, how an actor is ‘turning givens into questions’.Footnote 27 The methodological move here is to turn an actor’s problematisations and values from research resources into a topic of inquiry. To study problematisations is to resist the urge to treat the stated harms or injustices of the current order simply as given issues to which one can start formulating legal responses with the legal tools with which one is familiar. The starting point could be certain actors’ problems in a given time and space.Footnote 28 In addition, the stated values and purposes informing problematisations, such as privacy, freedom or autonomy, would not be treated as stable reference points external to governance.Footnote 29 They are immanent to the governance. Thus, one could instead pay attention to how these values and purposes of governance are conceptualised by governing actors – what the values mean to them.

Making problems and values topics of inquiry could be insightful because framing the problems of current order, such as those related to technology and/or corporate practices, in a specific way can maintain other arrangements and practices as givens. Problematisations also influence the legal remedies that are taken up to address those problems.Footnote 30 For example, one can take the debates around the societal harms of artificial intelligence, including the large language models such as those deployed in OpenAI’s ChatGPT. In general, the policy discussions on the harms of artificial intelligence (AI) have supplied two broad understandings of what problems should be addressed and by whom. One understanding of the harm, often advanced by prominent figures in AI development and finance, brings up rather airy and intractable threats of potential human extinctionFootnote 31 and ‘loss of control of our civilisation’.Footnote 32 From such warnings of universal catastrophe projected far into the future, no clear vision of legal-political action in the present emerges except maybe one of an extreme (and highly unrealistic) version of the precautionary principle that would aim at ending the AI development entirely. Therefore, such harm formulations end up devolving agency to the AI industry itself and relying on its sense of responsibility when the threat of ‘catastrophe’ eventually seems imminent.

The other strand of understanding AI harm centers the reproduction and reinforcement of pre-existing societal inequalities both globally and regionally. It also brings up AI’s huge environmental strain.Footnote 33 These formulations of AI harm point to the present social order and its pre-existing pathologies in terms of vast power and wealth imbalances, and the ongoing climate catastrophe and resource overconsumption. These problem formulations also set aside the universalistic understanding of the harm by foregrounding the unequal power dynamics in AI design and the disparate impact of AI systems already in operation. These imbalances are visible on several axes – between the Global North and South; the biggest multinational corporations and other economic actors; and the more well-off citizens and the already marginalized groups. From this, a need for the investigation of pre-existing social order and possible intervention in the present suggest themselves. Another implication is the skepticism towards the potential of self-regulation by the dominant industry actors. Instead, such harm formulations might instead suggest intervention by democratic actors.

It is possible to approach the Union’s or European civil society actors’ other myriad problematisations of technologies with the same analytical lens. Indeed, the Union’s current attempts to rein in Big Tech or gain digital sovereignty imply that the power or conduct of some corporate actors are indeed seen as problematic. But how specifically are they being problematised? What background ideas and distinctions do such problematisations rely on? How are different values understood? This analysis can also tease out the converse – what is not thought as problematic but left as given? For example, it may be that the problem of unaccountable Big Tech power may take certain enabling legal structures of that power as unproblematic givens.Footnote 34

B. Legal arrangements that run away from their creators

The previous point focused on the problems, interests and values of sociotechnical order and on how our legal arrangements serve as tools to address those problems and promote those interests and values. However, to take legal arrangements more seriously than as mere neutral instruments of values and interests, one needs to account for how legal arrangements have a degree of autonomy from the intentions of policymakers and other norm-formulating actors. As Sara Ahmed has stated, ‘intentions do not exhaust possible uses of a thing’.Footnote 35 Often, policymakers cannot predict how actors will eventually come to rely on legal arrangements.Footnote 36

This means moving away from crude functionalism and emphasising the possibility to leverage our existing legal tools as support for various projects that can diverge from the interests of both policy-makers and sometimes even powerful social actors, such as those of capital, patriarchy or racial supremacy. A corresponding move here relates to our understanding of sociotechnical order itself. More specifically in the context of digital economy, the move is to turn corporate power or another form of order from a cause to an effect.Footnote 37 Social or political power is not a starting point that triggers a (legal) response, but a product of relations that quite likely absorb legal elements.Footnote 38 These complex and heterogeneous contributing legal elements merit further study.Footnote 39 The task is to explore and (re)describe what these relations and legal elements are. One could trace the interaction between pre-existing legal tools and actors other than the original policymakers. This also enables us to chart how legal tools and institutions can enable different concentrations of power. For any private or public actor, relying on law is necessary because our entire sociotechnical order has been thoroughly entangled with legal arrangements for a very long time. Also, when legal arrangements run away from their creators and become support for one actor, this often means restraining another one.Footnote 40

The idea of sociotechnical ordering that ubiquitously relies on legal tools that have run away from their creators can also help to make sense of law’s legitimisation of power. Legal arrangements do not only enable practices and actors concretely via the simple force of law.Footnote 41 They also justify them. Thus, by legitimisation I mean law’s function of redefining ‘power and preconception as legal right’.Footnote 42 Nowhere in law is it openly stated that a specific legal tool is meant, for example, to maintain the Big Tech hegemony over the European digital economy. Legal arrangements are instead justified in terms of the shared values and public interests that presumably informed their adoption. Thus, when mobilising different legal arrangements, private and public actors can also tap into the legitimising power of law that helps to make their projects appear natural and just.

In Europe, internal market law as one of the most traditional fields of EU law provides here the first example of the mobilisation of pre-existing legal arrangements. Following the increasing importance of services in digital economy,Footnote 43 the EU’s long-standing legal efforts to free the cross-border flows of services – officially justified in terms of individual freedom to pursue endeavors across EU Member States – have proved important also for the corporate behemoths of digital economy.Footnote 44 The free movement of servicesFootnote 45 and the freedom of establishmentFootnote 46 have enabled corporations to locate themselves in Member State of their choice (usually Ireland, Luxembourg, or Netherlands). The Court of Justice of the European Union (CJEU) has interpreted ‘service’ widely and thus many corporations are able to mobilise the freedom for their business.Footnote 47 At the same time, these corporations are able to enjoy the national legal entitlements, such as lax taxation, which have largely not been harmonised. This is the basis for a dynamic where the material benefits of digital business largely accrue to the select host locations whereas the various costs are borne locally. For example, it has been shown that online platform businesses undermine states’ income structure by competing against and bankrupting the local brick-and-mortar businesses that pay taxes to those states.Footnote 48

The free movement of services has been elaborated further in the e-Commerce Directive.Footnote 49 While a lot of scholarly attention has been devoted to the liability exemption provisions of the Directive,Footnote 50 it also contains some other important entitlements. Article 3 of the Directive encapsulates the country-of-origin principle – officially meant to guarantee the uniform enforcement of common rules in the internal market – which directs most of the regulatory authority from the country where business is done to the country of establishment. Article 4, in turn, prohibits even the country of establishment from imposing a prior authorisation as a requirement for the provision of many online services.Footnote 51 Together, these provisions serve to restrict regulatory powers both in countries of operation and establishment.

While the Digital Services Act entrusted the enforcement of its new obligations against the largest online services primarily within the Commission,Footnote 52 it did not touch the underlying internal market principles of the Directive.Footnote 53 Pursuant to a case by Google, Meta and TikTok, CJEU has recently affirmed the country-of-origin principle and thus restricted the scope of derogations that is available for Member States from the internal market entitlements.Footnote 54 This increased the pressure on any national content governance legislation attempting to offer protection against online harms nationally.

Moving from internal market law to contract law, scholarship is directing more and more attention to the ‘the empire of forms’ that undergirds the intricate business relationships of digital economy.Footnote 55 Generally, transnational contract law has come far from the auspices and intentions of nation states even though one or several national, regional, and/or international laws do govern online contracting.Footnote 56 In global digital business, different kinds of contracts are ubiquitously relied on both at the production and consumption sides. On the production side, contracts facilitate bigger and smaller firms’ activities from data licensing for developmentFootnote 57 to enrolling labor often in the form of ‘independent contractors’Footnote 58 to securing hardware supply sometimes far into the future.Footnote 59 As Klaas Eller has argued, these transnational contracts serve more the purpose of coordinating and safeguarding elaborate value chains than sanctioning in case of breach.Footnote 60 On the consumption side, adhesive contracts in the form of ‘click-wrap’ is a standard practice.Footnote 61 Consumers now routinely take up different digital services or servitised products by clicking to agree to elaborate terms of service that, among other effects, facilitate data flows from the use of service to the provider.

While the EU has recognised the importance of contract law for digital economy for long, its most far-reaching legislative projects such as the Common European Sales Law have so far failed.Footnote 62 However, the Union has been more interventionist within certain specific fields of contracts.Footnote 63 Arguably, the most notable field here is consumer law. One facilitative legal construct in this regard may be found in the legal image of the consumer itself. Even though EU law has featured various consumer–citizens with varying capabilities in different times,Footnote 64 generally the starting point in consumer law has been the protection of the consumer as the weaker contracting party. Yet Marija Bartl has shown how around the turn of the 2000s the EU consumer law’s understanding of consumer shifted towards a more self-reliant, ‘confident’ consumer.Footnote 65 This image matched rather well with the CJEU’s traditional construction of ‘reasonably well-informed and reasonably observant and circumspect’ consumer.Footnote 66 The consumer policy trend continued in the early 2010s when the Union adopted the Consumer Rights Directive and introduced its 2012 Consumer Agenda.Footnote 67 The focus on confident and rational consumer effectively meant emphasis on procedural rights and information entitlements over more stringent restrictions,Footnote 68 leading to what Hans Micklitz called ‘the expulsion of protection from consumer law’.Footnote 69

Even though scholars have already pointed out the shortcomings the information obligations in online contracting,Footnote 70 this image of confident and rational consumer continues to undergird the boilerplate contracts online and even implicating some aspects of the traditional formalist theory of contract as ‘a will-based interpersonal agreement between parties presumed as equals’.Footnote 71 Mobilising the confident consumer construct, corporations have adopted the paradoxical image of what Jake Goldenfein and Lee McGuigan call ‘managed sovereign’ – a consumer who is treated rational and self-standing for legal purposes when signing up to a service agreement, but then viewed as an endlessly pliable object of nudging and other influencing once the person is enrolled on the online service.Footnote 72 In practice, consumers have no choice but to accept the boilerplate and few spend their time reading or trying to understand the terms and conditions they agree to.

Data protection law also supplies examples of how legal arrangements run away from their creators and may thus facilitate unforeseen projects. Viviane Reding, an ex-Commissioner and one of the chief architects behind the GDPR has stated that ‘the goal of European privacy rules was to go after Big Tech – not the local butcher or football club’ and lamented the national regulators’ enforcement focus on ‘the nitty gritty’ despite these intentions.Footnote 73 However, the GDPR is a broad horizontal piece of legislation – arguably a ‘law of everything’Footnote 74 – that seeks to uphold a wide range of principles, freedoms, and rights across myriad of social contexts. This can also make it vulnerable to mobilisation for many projects unforeseen by its architects.

For example, to give data subjects control over their data, the GDPR grants a host of data subject rights to data access and erasure,Footnote 75 and the right to restrict or object to data processing.Footnote 76 Yet economic actors may have incentives to minimise data access by data subjects to their databases, and thus also the effective exercise of these data subject rights.Footnote 77 For this, the requirement of ‘data protection by design’ in Article 25 of the GDPR has offered a suitable legal support. In industry practice, data protection by design requirements have been translated into different techniques of privacy-enhancing technologies (PETs) that seek to prevent unauthorised disclosure. However, as scholars have shown, PETs can still leave considerable risk of re-identification particularly if an actor has complementary data on the data subjects.Footnote 78 At the same time, PETs as data protection by design sometimes do de-identify data to the extent that corporations can claim they are unable to provide data subjects their access rights including the right to erasure because they cannot identify them from their data.Footnote 79 Sometimes this might have normatively defensible reasons.Footnote 80 Yet when mobilised this way, data protection by design can also lend credence to the corporate goal of frustrating the rights granted in the GDPR itself.

The struggles over access to online platform data for research purposes is another example. The architects of the GDPR likely did not foresee nor intend privacy to be mobilised as a shield for Big Tech business operations against academic and civil society scrutiny. Nevertheless, this is exactly what Big Tech has sought to do.Footnote 81 For example, Meta started restricting access to its application programming interfaces after the Cambridge Analytica scandal revealed widespread harvesting of social media data for political projects.Footnote 82 In restricting this access, Meta has sought to harness privacy as a shield against scholarly scrutiny that relies on ‘scraping’ platform data by similar methods to the ones Cambridge Analytica used.Footnote 83

Finally, privacy and data protection law have come to frustrate general corporate accountability in the disclosure of beneficial ownership of corporations and other legal entities. The EU’s new amendments to its Anti-Money Laundering Directive sought to facilitate some corporate accountability also beyond the financing of terrorism and other crime. Amendments provided that some beneficial ownership information would be accessible to the general public to allow ‘greater scrutiny of information by civil society, including by the press or civil society organisations’.Footnote 84 However, pursuant to beneficial owners’ legal action against Luxemburg law establishing a Register of Beneficial Ownership, the CJEU later invalidated such disclosure obligation based on its disproportionate interference with the beneficial owners’ fundamental rights to privacy and personal data as guaranteed in Articles 7 and 8 of the Charter.Footnote 85 To be sure, compelling reasons may sometimes be found against public information access. Yet wielding data protection against such general disclosure mandates can also uphold corporate secrecy and power in the face of accountability demands.

Indeed, fundamental rights law provides the fourth field of examples of how pre-existing legal arrangements can be mobilised for unforeseen projects. As Rachel Griffin has shown, fundamental rights tend to incorporate a liberal-individualistic framing of human well-being.Footnote 86 This can make them amenable to mobilisation for corporate interests.Footnote 87 One can begin with freedom of expression and privacy as the most obvious rights in the digital context.Footnote 88 Rikke Frank Jorgensen has conducted research on how Big Tech corporations understand the meanings of these two fundamental rights. She has highlighted how people inside the industry see the companies’ operations as being aligned with these rights rather than opposed to them. Yet those people simultaneously understand the rights in highly specific ways that conform to their business practices.Footnote 89 Freedom of expression, for example, is what their business is ‘all about’, while human rights threats are associated with government intervention.Footnote 90 The aim is to align specific interests and general values,Footnote 91 which makes it possible to harness those values and principles to enable specific projects. Similarly, Ari Ezra Waldman has argued that our current privacy practices that revolve around individual control and managerial compliance conceptualise what ‘privacy’ and ‘privacy law’ now dominantly mean.Footnote 92

In the EU, businesses also benefit from a general fundamental right of their own. The right to conduct a business as enshrined in Article 16 of the Charter, has slowly but surely become a powerful and consistently mobilised entitlement in the Union primary law. As Hilary Hogan has shown, in the CJEU jurisprudence the right to conduct a business has evolved into a general right to corporate autonomy that protects whatever potentially profitable activities one sees fit to undertake.Footnote 93 While the right can surely be limited like most other fundamental rights, the CJEU has been willing to accept that a wide range of regulatory activities are to be viewed as infringements of the right, which must be then justified as appropriate, necessary and proportional among other requirements.Footnote 94

In the digital context, the CJEU has for example argued that ‘[t]he freedom to conduct a business includes, inter alia, the right for any business to be able to freely use, within the limits of its liability for its own acts, the economic, technical and financial resources available to it’.Footnote 95 Regarding online content governance, the CJEU has also reasoned that a filtering injunction requiring an internet service provider to ‘install a complicated, costly, permanent computer system at its own expense’ would amount to a ‘a serious infringement’ of the right to conduct a business.Footnote 96 While these judgements have certainly not prevented the EU from enacting new online content regulation, they have contributed to the strengthening of the link between fundamental rights and corporate autonomy, which enables businesses to operate fairly independently without too much public constraints. For example, in the fundamental rights impact assessment of the DSA the Commission ensured that ‘[n]one of the measures in either one of the [regulatory] options should jeopardise the protection of trade secrets or proprietary products of online platforms’.Footnote 97 Similarly, Meta has argued before the German Competition Authority that ‘limiting data processing is always unreasonable because it interferes with Facebook’s product design’.Footnote 98

Even though all the examples of legal arrangements mobilisation in this section involve powerful corporate interests, even actors with ample resources do not always succeed in connecting with legal arrangements in a durable way. The connections that different actors have managed to forge between their interests and pre-existing legal arrangements can be fragile.Footnote 99 The idea that legal arrangements can run away from their creators and be co-opted by various societal actors also accounts for the fact that authoritative legal interpreters sometimes cut the connections that these actors have forged with legal arrangements, for example by reference to a tool’s iteratively construed original purpose.Footnote 100

One can find an example of this severing of productive connections in data protection law. The GDPR not only constrains data processing and ‘protects’ personal data but also enables various data processing operations if, among other requirements, the processing has a proper legal basis.Footnote 101 Meta has long insisted that ‘there is no hierarchy between legal bases [in the GDPR], and none should be considered more valid than any other’.Footnote 102 Thus, it has refrained from asking consent for processing for advertising business, relying instead on the so-called contractual necessity legal basis.Footnote 103 Yet this connection with the GDPR was effectively severed by the European Data Protection Board’s (EDPB) recent decision against such reliance.Footnote 104 Afterwards, Meta shifted to legitimate interest legal basis instead.Footnote 105 This reliance might have also been cut by the CJEU in a judgment on Meta’s data processing for advertising in June 2023, suggesting that Meta needs recourse to consent after all.Footnote 106 This led the company to introduce an advert-free, subscription-based version of Facebook and Instagram in Europe, which serves as an alternative if a user does not consent to data processing for advertising purposes.Footnote 107 Yet this strategy was once again rejected by the EDPB, which issued an opinion arguing against such binary options as a basis for valid consent.Footnote 108 In the latest episode of the saga, the Commission opened its own separate investigation of Meta’s data processing under the Digital Markets Act.Footnote 109

As another example from data protection, civil society actors can mobilise the data rights in the GDPR for the purposes of independent research and industry scrutiny even if this is not stated as an explicit goal of the regulation.Footnote 110 They have also successfully wielded various fundamental rights against powerful corporate and state actors.Footnote 111 In the internal market context, despite the Union’s meagre competences in taxation law, the Commission has sought to address Member States’ tax benefits to their hosted digital behemoths as unlawful state aid (albeit with mixed results).Footnote 112

However, the extent to which legal arrangements appear flexible and thus harnessable is relational to the actor that seeks to harness them. This means that the well-connected and amply resourced, for example powerful multinational corporations and hegemonic states, may often be better positioned to mobilise legal tools to support their projects than the disadvantaged. They have more capabilities. Thus, legal arrangements might appear more flexible to them than to others.Footnote 113 For example, they can pursue their projects in different legal fora at the same time, such as before regulators, legislatures and courts. They can mobilise more legal services, and endure losses in individual campaigns while having still the resources to advance long-term projects.Footnote 114 They may also have connections and resources to mobilise lobbying services, think tanks, public relations services, media and even academic research to gain support and spread their conceptualisations of important values and legal-political issues.Footnote 115 No authoritative decision-maker can be totally uninformed by these various efforts for societal influence even though actors in public positions generally understand themselves to be working in the general interest.

C. Legal arrangements as constitutive of other forms of governance

The third point of focus concerns how legal tools become embedded into, and thus constitute, markets, technologies and other forms of order that are traditionally understood to be non-legal. The focus is on drawing the connections between traditionally legal and other forms of order. Here, legal arrangements are understood to be productive in a deeper sense than mere supportive instruments for various actors, whether intended or not by their original designers. They are understood to partly create various entities, including actors with interests and other forms of social order such as markets, technologies and societal governance. While this is not to deny that law also responds to market developments, new technologies and other forms of order, the orientation does entail a focus on how legal arrangements form and undergird these other governance systems.

In particular, legal arrangements can be baked into technology, and thus become constitutive of it.Footnote 116 Law and technology scholars are acutely aware that computer code can produce regulatory effects in its own right with very real consequences.Footnote 117 However, there is an increased need to analyse how specific productive interactions between legal and other governance arrangements play out. One could study, for example, how in online environments, many GDPR requirements, especially on valid data subject consent,Footnote 118 have been translated into the technological mechanism of consent management user interfaces or ‘cookie banners’.Footnote 119 The cookie banner is a choice management solution for websites offered by specialised consent management providers. It produces a layered window or banner when a website is loaded, enabling the website user to receive information on data processing and consent to it.Footnote 120 Usually, consent can be managed by clicking different choice ‘sliders’ on a pop-up window before proceeding to the website. Existing analysis has tended to revolve around the features of cookie banners that appear as possibly non-compliant with the GDPR requirements for valid consent.Footnote 121 These analyses involve a shift to legal-normative evaluation, the possible legal implications being that the GDPR is not enforced properly.

However, this assumes a certain irrelevance of the GDPR to consent management. Instead of focusing on irrelevance, one can appreciate how the GDPR has constituted an entire market that offers ‘consent-as-a-service’. Furthermore, delivering data protection and ‘being in compliance with the GDPR’ in the online environment now often involves inserting a properly designed consent management solution into one’s website. Thus consent management services constitute a significant part of online data protection. Finally, data protection law and the designs of consent management platforms have been slowly transformed in tandem through the decisions of the CJEU, EDPB and changing corporate practices. The aim of exploring these connections between consent management and the GDPR is not to draw attention to how consent management solutions and their providers are not complying with the GDPR obligations and how they could comply better. Instead, it is to induce reflection on the practices, markets and actors enabled and produced by the GDPR, and whether this is what we would like online data protection, and to some extent online privacy, to be.

Regarding other forms of order, one can also trace how legal governance interacts with more informal governance arrangements, often referred to as ‘soft law’, ‘self-regulation’, or ‘co-regulation’. Law and technology scholars are now acutely aware that various forms of ‘private ordering’ are highly consequential. However, it is common to contrast the private, unaccountable governance of corporations with traditional ‘hard law’ regulatory schemes. The latter are generally thought to be relatively absent in the European digital economy before the recent flurry of regulation by the EU. More generally, it has been debated in EU legal studies since 2000 at least whether the Union has moved from ‘integration through law’ to ‘integration through governance’.Footnote 122

Here, the methodological move is to sideline general debates and refrain from strict distinctions between hard and soft law and the related question of legal validity.Footnote 123 Nor is it sufficient to label the interactions between law and informal governance as a mixed regime of co-regulation.Footnote 124 Rather, one would trace the specific interactions that are formed between legal arrangements and more informal forms of governance, appreciating how hard law can become ‘governmentalised’ and governance ‘legalised’.Footnote 125 This also entails resisting the urge to see such amalgams simply as a lack of ‘proper’ lawfulness or to lament them as dilutions of rule of law, but also refraining from normatively embracing such amalgams. Better to illuminate how the meanings of both EU law and governance are slowly transforming through new specific hybridizations, while empowering new actors in different ways. Again, this could engender reflection on how legal tools can enable various other forms of governing actors and governance processes, while the very meaning of law also changes in the process.

For example, scholars have already chronicled how, before the new EU digital regulations, online platform content moderation by these ‘new governors’Footnote 126 were undergirded by quite traditional legal entitlements, such as the provisional immunity against liability enshrined in the e-Commerce Directive.Footnote 127 Thus, both traditional legal mechanisms and various soft law arrangements enabled new governors of online content to emerge in the first place. Correspondingly, the DSA could be said to have ushered in a new age of hard law, codifying and also transforming many platform governance practices. Yet various more informal and privatised governance arrangements of ‘regulatory managerialism’ will continue to play an important role within the European regulatory picture.Footnote 128 In the DSA regulatory complex, these include out-of-court dispute resolution, codes of conduct such as the governance scheme woven around the Code of Practice on Disinformation,Footnote 129 and monitoring by trusted flaggers, private auditors, national authorities and vetted researchers. The Commission itself is set to orchestrate all these actors and unfolding monitoring processes.Footnote 130

Here, one can study how the DSA and other new digital regulations can produce, for example, new markets for regulatory technology or auditing governance as a form of private ordering.Footnote 131 Focusing on the external auditing of online systems, the DSA mandates that the largest online platforms and search engines have their systems periodically audited by independent auditors.Footnote 132 While the DSA is rather circumspect on who exactly might become such independent auditors,Footnote 133 the Commission’s delegated regulation on external audits lays out the independence requirements so that they open the door for ‘the Big 4’ multinational audit firms (Deloitte, PwC, KMPG, and Ernst & Young).Footnote 134 As Julia Black has shown in the context of financial services, such consultancy firms with homogenous organisational cultures are highly consequential for the formation of standardisised ‘best practices’ of governance that ultimately determine what precisely is being scrutinised and how.Footnote 135 In the words of the Commission, the audit reports ‘shall offer a comparative basis for public scrutiny’ of the largest online service providers.Footnote 136 Scholarship has also pointed to the shortcomings of audit governance, including questionable independence and lack of public accountability.Footnote 137 One can study how the DSA and other digital regulations extend private audit governance into new domains, producing new kinds of private ordering.

Another example of the production of private ordering is technical standardisation. Technical standardisation governance, as undergirded by quite traditional EU law,Footnote 138 has played a vital role in the creation of the internal market for decades.Footnote 139 Three private standardisation bodies – the European Committee for Standardisation (CEN), the European Committee for Electrotechnical Standardisation (CENELEC), and the European Telecommunications Standards Institute (ETSI) – have been tasked by the European Commission to draft European harmonised technical standards for the EU. Technical standards provide crucial mediation when legal rights and obligations are baked into technologies. More recently, we have witnessed legal struggles before the CJEU on whether the European harmonised technical standards are themselves ‘law’ (they are),Footnote 140 and what obligations pertaining to their free public availability might follow from this designation.Footnote 141 These are important transformations to note as the legalisation of private governance.Footnote 142 Yet the transformation of legal requirements into technical standardisation governance also involves other stakes.

The Union’s new Artificial Intelligence Act foresees technical standardisation as the way to concretise the fundamental rights and other legal obligations for ‘high-risk AI systems’ and translate them into technological form.Footnote 143 In scholarship this regulatory approach has been received with skepticism.Footnote 144 By enabling CEN and CENELEC to draft harmonised standards, the AI Act also empowers their complex multistakeholderist governance structures.Footnote 145 Therefore, EU legal arrangements upholding standardisation governance may also indirectly enable powerful corporations ‘holding stakes’ in technical standardisation. Societal stakeholders – most notably Environmental Coalition on Standards (ECOS), European Trade Union Confederation (ETUC), and Association for the Co-ordination of Consumer Representation in Standardisation AISBL (ANEC) – face resource and expertise constraints, and in some cases their participation is standardisation processes is limited.Footnote 146 All this can amount to a form of governance that Julie Cohen calls ‘extreme multistakeholderism’ – governance that disproportionally rewards the well-connected and amply-resourced industry stakeholders.Footnote 147

The Commission’s recent struggles to reform the European standardisation governance system itself are illustrative here. In 2022, the Commission unveiled a new standardisation strategy and a proposal to amend the regulation governing the creation of harmonised standards within the European standardisation organisations.Footnote 148 This was done to account for, most notably, the fact that ‘today’s decision-making processes within the European standardisation organisations […] allow an uneven voting power to certain corporate interests: some multinationals have acquired more votes than the bodies that represent the entire stakeholder community’.Footnote 149 In particular, ETSI’s governance structure enables industry membership and the influence of financial contributions into decision-making.Footnote 150 ETSI’s deep-pocketed corporate members include, among others, Google Ireland, Meta Ireland, Amazon Web Services and several companies of the Huawei group.Footnote 151 In the end, the Commission decided to leave ETSI out from its AI standardisation request even though the organisation has been very active in the field.Footnote 152 The newly amended regulation on standardisation organisations and harmonised standards now provides that certain important decisions on European standards must be ‘taken exclusively by representatives of the national standardisation bodies within the competent decision-making body of that organisation’.Footnote 153

After a harmonised technical standard has been drafted, the Commission is meant to determine whether it fulfils the requirements set out in the standardisation request, and ultimately AI Act. In practice, and coming back to the topics of audit governance and regulatory managerialism, the assessment is carried out by independent experts called Harmonised Standard Consultants (HAS Consultants).Footnote 154 The Commission has outsourced the selection and management of these special consultants to a HAS Contractor, which for many years has been no other than the audit company Ernst & Young.Footnote 155 In sum, the elaborate translation of legal mandates into technical standards offers one field where myriad productive connections between law and other forms of governance can be traced. In technical standardisation, legal mandates are governmentalised and private governance legalised.

4. Normativity in the exploration of enabling legal structures

So far, I have argued that we need more analyses of the European digital economy where the analytical gaze is not attuned to finding various legal deficiencies that could serve as springboards for legal-programmatic proposals. I have sought to show that the analytical gaze I have briefly demonstrated above is more about the (re)description and analysis of productive connections between laws, problems, and other forms of governance including technologies, than about the normative construction of corrective arrangements. Moreover, the analysis is empirically oriented in that it avoids generalisations but instead confines itself to specific legal and governance arrangements in specific times and places. This specificity also concerns law itself, which explains why I have talked a lot about legal tools and arrangements in plural rather than a (supposedly) unified and abstract notion of law.Footnote 156 There are many small pieces of doctrine and organisational arrangements with different operational logics.

My insistence on the need for such analysis is not to achieve objectivity or a better grasp of reality. While these analyses are certainly meant to help us understand what is going on in the European digital economy, they do not attempt to mend the ‘reality deficit’ that EU legal studies has been accused of.Footnote 157 This paper was inspired by my uneasiness about the relatively minor role often assigned in policy and scholarly debates to pre-existing legal arrangements that are participating in ordering the European digital economy in incredibly powerful ways. I also felt concerned about the complicity of many pre-existing legal arrangements in the production of private and public power. Therefore, the aims of this paper are political. This brings us to my final thoughts, namely the normativity in analysing the legal making of the European digital economy. While research in this rather (re)descriptive mode refrains from suggesting programmes for new legal arrangements, I argue that normativity is still involved.

In scholarship, the map has been widely used as a metaphor of the (re)descriptions that researchers make. Firstly, regarding maps as descriptions, some theories recognise the political function of maps so that ‘a map is at once “an instrument of depiction – of objects, events, places – and an instrument of persuasion [and pedagogy] – about these, its makers and itself”’.Footnote 158 Indeed, ‘maps rely on selectivity, since, for finite beings, navigating the world requires leaving out some details and focusing on others’.Footnote 159 A complete 1:1 map would be not only impossible but would also fail to orient its users in specific directions.Footnote 160 The scholar as a map-maker always has to decide what details to leave in and what to leave out.Footnote 161 These choices are value-laden and thus involve politics.

Secondly, the world-making capacity of maps has been documented by James Scott in his classic study of states’ means of legibility. The administrative maps drawn to make sense of varied terrains – cities and forests – aided governments in transforming those same terrains so that eventually they corresponded with the maps.Footnote 162 As for scholarly maps and research more generally, the performativity of research methods has been readily accepted within certain strands of social theory.Footnote 163 This entails acknowledging that any research contributes to making specific realities, and destabilising or marginalising other realities. Social science never merely describes one reality but helps produce a specific reality depending on theories, methodologies and methods. For example, research has detailed how game theory and economic theories of market design inspired the creation of the now dominant Silicon Valley online platforms as ‘multi-sided markets’.Footnote 164 Therefore, research does not merely represent the things and practices but also intervenes in them. Moreover, because of the necessary selectivity I have just pointed out, this implies that the worlds that can be created are multiple.Footnote 165 Politics and normativity, from which one cannot escape, are involved in all research, also in the sense of world-making.Footnote 166 What sort of worlds do we want to help realise by describing and drawing attention to them, and what worlds do we want to marginalise?

So, what realities might one want to help produce if not those featuring rampant legal deficiencies? As is hopefully clear by now, they should be realities that place our pre-existing legal arrangements as central and powerful features of our socio-technical ordering. Giving up the urge to formulate legal-normative proposals frees one’s resources for the (re)describing of existing arrangements. This enables thicker descriptions. One can analyse more, including more connections between legal arrangements and our socio-technical ordering.

In the specific context of (European) social commentary on the digital economy, there already exists a mainstream sensibility for reform – a collective urge that something needs to be done. Similarly, we have no shortage of suggestions for what should be done. I believe that, in this context, the normative thrust of these analyses lies in their potential to channel responsibility for our current order and its possible injustices to legal and policy arrangements that can be taken for granted or deemed as marginal. As Fleur Johns has argued in the international context: ‘If international law and lawyers are shown to be complicit in constituting and/or entrenching that which they purport to stand against […] then attributions of responsibility and questions of reform might emerge that are different to those currently circulating’.Footnote 167 Analyses of the legal making of the European digital economy may reorient our reformist sensibility and engender reflection on the limits of legal reform.

As regards reorientation, while describing and analysing the productivity of law does not involve normative proposals, it can prime other actors to see different possibilities for reform. They can help to bring forward what is seen as unproblematic or may even fall outside the current reformist vision. What arrangements do specific problematisations take as given? Would it be worthwhile to reconsider a legal mechanism previously taken as given instead of devising a new regulatory framework imposed on top of it, keeping pre-existing arrangements intact?

As regards reflection, exploring the connections between the European legal arrangements and socio-technical ordering can highlight law’s possible complicity in inequalities and oppression, guarding against overreliance on legal reformism.Footnote 168 Such reformism risks fetishising specific legal mechanisms as necessary means of justice. As Julie Cohen has stated, legal responses to power and injustice all invite ‘new strategies for evasion, capture, co-optation, and arbitrage’, becoming ‘sources of opportunity and targets for co-optation’.Footnote 169 Such analyses can also help maintain a sense of humility and responsibility in reformist urges by reminding us that while legal tools can indeed be seen as instruments for progressive projects, they are more than merely neutral and stable conduits of good intentions, and even well-meaning efforts to improve our condition can bring unintentional consequences. This does not make legal reform futile, but serves to temper reformist urges. It contributes to ‘a moderate concession to the epistemologies highlighting societal complexity and “unknowability” of the economy’.Footnote 170 Highlighting how law enables reveals both the potency and limits of legal engineering.

5. Conclusion

In this paper, I have argued that much law and technology scholarship and social commentary is attuned to formulating better regulation in the form of new norms, rulings, administrative decisions, administrative organisations or other legal arrangements. These formulations are in turn based on what I have called analyses of legal deficiency, which portray (often problematic) practices or technologies as ungoverned, or not effectively governed by law. The new legal arrangements are then presented as correctives to legal deficiency. I further argued that while these analyses are valuable, we also need more legal research with an alternative analytical lens. Such alternative analyses would focus on connecting the myriad pre-existing European legal arrangements to the socio-technical ordering that they enable and reproduce. Conducting such an analysis means to refrain from seeing European legal arrangements as external and relatively powerless to possibly problematic power clusters, practices, or technologies, but rather as productive structures of those phenomena.

I proceeded to discuss three complementary ways in which legal arrangements are productively connected to sociotechnical order: as instruments of ordering to address problems and promote values; as more than mere tools that also enable unintended and unforeseen projects; and as constitutive of technologies and other forms of order. All highlight how our legal arrangements enable and produce sociotechnical order in Europe. Even while the description and analysis of enabling legal arrangements dispenses with programmatic legal or policy formulations, I have sought to articulate the political-normative potency of such research. More specifically, I argued that analysing pre-existing legal arrangements might produce different attributions of responsibility and opportunities for political contestation than analyses of legal deficiency tend to generate. They can also highlight both the potential and limits of legal reform. Finally yet importantly, describing and analysing how our myriad pre-existing legal arrangements enable order can provide its own contribution to the question of ‘what is going on’. Often, when investigating our (frequently oppressive and highly unequal) order of things, within the digital economy or elsewhere, we find that one crucial answer is law.

Acknowledgements

I am grateful to Päivi Leino-Sandberg, Susanna Lindroos-Hovinheimo, Ukri Soirila, Tuuli Talvinko, Frida Alizadeh Westerling, my colleagues at the University of Helsinki Legal Tech Lab, and my colleagues at the Amsterdam Centre for Transformative Private Law (ACT) internal seminar on 30 October 2023, for comments on earlier drafts of this paper.

Funding statement

The paper has been written within the ‘Information in the EU’s Digitalized Governance (INDIGO)’ project. The project INDIGO is financially supported by the NORFACE Joint Research Programme on Democratic Governance in a Turbulent Age and co-funded by State Research Agency of Spain (AEI); Academy of Finland (AKA); Deutsche Forschungsgemeinschaft (DFG); Luxembourg National Research Fund (FNR); and the European Commission through Horizon 2020 under grant agreement No. 822166. The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.

Competing interests

The author has no conflicts of interest to declare.

References

1 Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act), OJ L 277/1.

2 Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act), OJ L 265/1.

3 Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act), OJ L 152/1.

4 Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC, OJ L 130/92.

5 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119/1 (hereafter in footnotes GDPR).

6 PJ Cardwell and T Hervey, ‘Bringing the Technical into the Socio-Legal: The Metaphors of Law and Legal Scholarship of a Twenty-First Century European Union’ in D Cowan and D Wincott (eds), Exploring the ‘Legal’ in Socio-Legal Studies (Springer 2016) 157–82, 160.

7 ML Jones, ‘Does Technology Drive Law? The Dilemma of Technological Exceptionalism in Cyberlaw’ (2) (2018) University of Illinois Journal of Law, Technology & Policy 249, 256.

8 NP Suzor, Lawless: The Secret Rules That Govern our Digital Lives (Cambridge University Press 2019); S Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (PublicAffairs 2019) 101 and 104.

9 N Nielsen, ‘EU ends “Wild West” of Big Tech’ (EUObserver, 22 March 2022) <https://euobserver.com/world/154591> accessed 27 November 2023; EPP Group, ‘New and strong rules for online platforms to end “digital Wild West”’ (EPP Group 2022) <www.eppgroup.eu/newsroom/news/new-rules-for-online-platforms-to-end-digital-wild-west> accessed 27 November 2023; AC Witt, ‘The Digital Markets Act – Regulating the Digital Wild West’ 60 (2023) Common Market Law Review 625.

10 L Floridi, ‘The End of an Era: from Self-Regulation to Hard Law for the Digital Industry’ 34 (2021) Philosophy & Technology 619.

11 M Eifert et al, ‘Taming the Giants: The DMA/DSA Package’ 58 (2021) Common Market Law Review 987.

12 V Lehdonvirta, Cloud Empires: How Digital Platforms Are Overtaking the State and How We Can Regain Control (MIT Press 2022); KE Eichensehr, ‘Digital Switzerlands’ 167 (2019) University of Pennsylvania Law Review 665; F Pasquale, ‘From Territorial to Functional Sovereignty: The Case of Amazon’ (LPE Blog 2017) <https://lpeproject.org/blog/from-territorial-to-functional-sovereignty-the-case-of-amazon/> accessed 27 November 2023; and S Wróbel, ‘The new Leviathan is an autonomous digital machine’ (LSE Blog 2021) <https://blogs.lse.ac.uk/businessreview/2021/02/08/the-new-leviathan-is-an-autonomous-digital-machine/> accessed 27 November 2023.

13 Zuboff (n 8) 101, 104. For criticisms of this supposedly lawless condition, see A Kapczynski, ‘The Law of Informational Capitalism’ 129 (2020) The Yale Law Journal 1460; JE Cohen, ‘Surveillance Capitalism as Legal Entrepreneurship’ 17 (2019) Surveillance & Society 240; and F Johns, ‘“Surveillance Capitalism” and the Angst of the Petit Sovereign’ 71 (2020) The British Journal of Sociology 1049.

14 There can be many aspects of inequality including within the dimensions of wealth, race, gender, sexual orientation, and disability. Different dimensions of inequality can also intersect in powerful ways. AP Harris and JJ Varellas, ‘Introduction: Law and Political Economy in a Time of Accelerating Crises’ 1 (2020) Journal of Law and Political Economy 1, 11.

15 M Valverde, ‘The Sociology of Law as a “Means against Struggle Itself”’ 15 (2006) Social & Legal Studies 591, 594.

16 G Sullivan, ‘Law, Technology, and Data-Driven Security: Infra-Legalities as Method Assemblage’ 41 (2022) Journal of Law and Society 31, 43.

17 F Johns, Non-Legality in International Law: Unruly Law (Cambridge University Press 2013) 11.

18 See eg, Eifert et al (n 11) 987, arguing that ‘the existing legal framework has not been able to address these problems and risks adequately’; Witt (n 9) 627, arguing that ‘The e-Commerce Directive, the Union’s key legislative e-commerce instrument, dated from 2000 and no longer reflected economic realities.’; and C Goanta et al, ‘Social Media Contracts – The Quest for Fairness and the Need for Reform’ (Verfassungsblog 2023) <https://verfassungsblog.de/radical-reforms/> accessed 11 October 2023, arguing that ‘The regulatory quest for fairness in the social media space is a never-ending one, due to the lagging nature of regulation in a fast-paced environment like the internet’.

19 Johns, Non-Legality in International Law (n 17) 43–5.

20 Similarly, ibid., 44–9; and Jones (n 7) 256.

21 R Calo, ‘The Scale and the Reactor’ (SSRN 2022) 17–18 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4079851> accessed 27 November 2023. For a critical account of normativity in legal research, see P Schlag, ‘Spam Jurisprudence, Air Law, and the Rank Anxiety of Nothing Happening (A Report on the State of the Art)’ 97 (2009) Georgetown Law Journal 803, 822, arguing that ‘lots of normative recommendations’ have provided ‘a successful full-employment strategy’ for legal academics as the work of what should be done more or better ‘would never dry up.’

22 For this enabling quality of law, see D Rohde and N Parra-Herrera, ‘Law as Architecture: Mapping Contingency and Autonomy in Twentieth-Century Legal Historiography’ 3 (2023) Journal of Law and Political Economy 509, 510 and 537–8.

23 S Moyn, Reconstructing Critical Legal Studies (SSRN 2023) Yale Law School, Public Law Research Paper 13 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4531492> accessed 5 September 2023. As Moyn shows, crude functionalism has featured prominently also in critical strands of legal scholarship, where law is seen necessarily as a means of oppression.

24 M Maroni, ‘The Right to Access the Internet: A Critical Analysis of the Constitutionalisation of the Internet’ (LLD Thesis, Unigrafia 2022) Ch 8; S Viljoen, ‘The Promise and Limits of Lawfulness: Inequality, Law, and the Techlash’ 2 (2021) Journal of Social Computing 284, 288; P Terzis, ‘Against Digital Constitutionalism’ 3 (First View, 2024) European Law Open 1 <https://doi.org/10.1017/elo.2024.15> accessed 22 July 2024; and R Griffin, ‘Public and Private Power in Social Media Governance: Multistakeholderism, the Rule of Law and Democratic Accountability’ 14 (2023) Transnational Legal Theory 46, 62–7.

25 See eg, Kapczynski (n 13); JE Cohen, Between Truth and Power: The Legal Constructions of Information Capitalism (Oxford University Press 2019). For a more celebratory account, see A Chander, ‘How Law Made Silicon Valley’ 63 (2014) Emory Law Journal 639. For a critical-leaning account of international (humanitarian) law’s productive power, see F Johns, #Help: Digital Humanitarianism and the Remaking of International Order (Oxford University Press 2023) 178–204.

26 S Ahmed, What’s the Use? On the Uses of Use (Duke University Press 2019) 11.

27 Johns, Non-legality in International Law (n 17) 1.

28 N Rose and M Valverde, ‘Governed by Law?’ 7 (1998) Social & Legal Studies 541, 545–6; M Dean, Governmentality: Power and Rule in Modern Society (2nd edn, Sage Publications 2010) 38–9.

29 Dean (n 28) 45–6.

30 M Windsor, ‘Expertise as Framing’ in E Korkea-aho and P Leino-Sandberg (eds), Law, Legal Expertise and EU Policy-Making (Cambridge University Press 2022) 43–54.

31 G Hinton et al, ‘Statement on AI Risk: AI experts and public figures express their concern about AI risk’ (Center for AI Safety 2023) <www.safe.ai/statement-on-ai-risk#open-letter> accessed 27 November 2023.

32 Y Bengio et al, ‘Pause Giant AI Experiments: An Open Letter’ (Future of Life Institute 2023) <https://futureoflife.org/open-letter/pause-giant-ai-experiments/> accessed 27 November 2023.

33 EB Bender et al, ‘On the Dangers of Stochastic Parrots: Can Language Models Be Too Big?’ (2021) FAccT ‘21: Proceedings of the 2021 ACM Conference on Fairness, Accountability, and Transparency 610 <https://doi.org/10.1145/3442188.3445922> accessed 27 November 2023. See also T Gebru et al, ‘Statement from the listed authors of Stochastic Parrots on the “AI pause” letter’ (DAIR Institute 2023) <www.dair-institute.org/blog/letter-statement-March2023> accessed 27 November 2023; K Crawford, Atlas of AI: Power, Politics, and the Planetary Costs of Artificial Intelligence (Yale University Press 2021); P Terzis, ‘Law and the Political Economy of AI Production’ 31 (2023) International Journal of Law and Information Technology 302; and A Balayn and S Gürses, ‘Beyond Debiasing: Regulating AI and Its Inequalities’ (EDRi 2021) <https://edri.org/our-work/if-ai-is-the-problem-is-debiasing-the-solution/> accessed 22 July 2024. For an example of an insightful exploration of ‘rationalities in global governance of AI’, see M Veale et al, ‘AI and Global Governance: Modalities, Rationales, Tensions’ 19 (2023) Annual Review of Law and Social Science 1, 15–22.

34 Griffin, ‘Public and Private Power in Social Media Governance’ (n 24) 17.

35 Ahmed (n 26) 60.

36 I Kampourakis, ‘Legal Theory in Search of Social Transformation’ 1 (2022) European Law Open 808, 816, referring to this as the ‘inevitable indeterminacy of social engineering’.

37 J Law, ‘Power, Discretion and Strategy’ in J Law (ed), Sociology of Monsters: Essays on Power, Technology and Domination (Routledge 1991) 162, 170; and J Law, ‘Notes on the Theory of the Actor-Network: Ordering, Strategy, and Heterogeneity’ 5 (1992) Systems Practice 379, 380.

38 R Cotterell, ‘Subverting Orthodoxy, Making Law Central: A View of Sociolegal Studies’ 29 (2002) Journal of Law and Society 632, 639 (viewing law as ‘routine structuring’); and M Koskenniemi, ‘Performing Legal Expertise: Reflections on the Construction of Transnational Authority’ in E Korkea-aho and P Leino-Sandberg (eds), Law, Legal Expertise and EU Policy-Making (Cambridge University Press 2022) 19–42 (describing how trans-national law penetrates all social relations).

39 Johns, #Help (n 25) 178.

40 Rohde and Parra-Herrera (n 22) 538.

41 F Schauer, The Force of Law (Harvard University Press 2015).

42 RM Unger, ‘The Critical Legal Studies Movement’ 96 (1983) Harvard Law Review 563, 582, as cited in Moyn (n 23) 2.

43 CJ Hoofnagle et al, ‘The Tethered Economy’ 87 (2019) George Washington Law Review 783; and J Sadowski, ‘The Internet of Landlords: Digital Platforms and New Mechanisms of Rentier Capitalism’ 52 (2020) Antipode: A Radical Journal of Geography 562.

44 For a more extensive treatment on the interrelations of the internal market and online platforms, see M Hiltunen, ‘Social Media Platforms within Internal Market Construction: Patterns of Reproduction in EU Platform Law’ 23 (2022) German Law Journal 1223.

45 TFEU, Art 56.

46 TFEU, Art 49.

47 See eg, Case C-484/14, Tobias Mc Fadden v Sony Music Entertainment Germany GmbH, ECLI:EU:C:2016:170, para 41. See also S Weatherill, The Internal Market as a Legal Concept (Oxford University Press 2017) 34–6.

48 Lehdonvirta (n 12) 194.

49 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) OJ L 178/1.

50 Directive on electronic commerce, Arts 12–15.

51 CJEU has confirmed the placement of several platform services within the relevant ‘information society service’ category. See eg, Case C-324/09, L’Oréal SA and Others v eBay International AG and Others, ECLI:EU:C:2011:474; Case C-18/18, Eva Glawischnig-Piesczek v Facebook Ireland Limited, ECLI:EU:C:2019:821; and C-390/18, criminal proceedings against X (AirBnB Ireland), ECLI:EU:C:2019:1112.

52 DSA, Section 4.

53 DSA, Art 2(3).

54 Case C-376/22, Google Ireland Limited, Meta Platforms Ireland Limited, Tik Tok Technology Limited v Kommunikationsbehörde Austria (KommAustria), ECLI:EU:C:2023:835.

55 DA Hoffamn, ‘Defeating the Empire of Forms’ 109 (2023) Virginia Law Review 1367.

56 KH Eller, ‘Transnational Contract Law’ in P Zumbansen (ed), The Oxford Handbook of Transnational Law (Oxford University Press 2021) 513–30, 519–22; and C Gardiner, ‘Principles of Internet Contracting: Illuminating the Shadows’ 48 (2019) Common Law World Review 208.

57 Johns, #Help (n 25) 192–6.

58 Terzis, ‘Law and the political economy of AI production’ (n 33) 311–14; and J Salminen et al, ‘Digital Platforms as Second-Order Lead Firms: Beyond the Industrial/Digital Divide in Regulating Value Chains’ 30 (2022) European Review of Private Law 1059, 1075.

59 Terzis, ‘Law and the Political Economy of AI Production’ (n 33) 316–19.

60 Eller (n 56) 522.

61 Gardiner (n 56).

62 Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on a Common European Sales Law’ COM(2011) 635 final. For a brief official summary of the saga, see European Parliament, ‘Common European sales law (CESL): Legislative Train Schedule’ (2024) <www.europarl.europa.eu/legislative-train/theme-connected-digital-single-market/file-common-european-sales-law> accessed 22 July 2024.

63 Data licensing is one example, see B Botero Arcila and T Groza, ‘The New Law of the European Data Market: Demystifying the European Data Strategy’ (2023) <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4580036> accessed 22 July 2024.

64 D Leczykiewicz and S Weatherill (eds), The Images of the Consumer in EU Law: Legislation, Free Movement and Competition Law (Hart Publishing 2016).

65 M Bartl, ‘Socio-Economic Imaginaries and European Private Law’ in PF Kjaer (ed), The Law of Political Economy: Transformation in the Function of Law (Cambridge University Press 2020) 228–53, 245–6.

66 Case C-210/96, Gut Springenheide GmbH and Rudolf Tusky v Oberkreisdirektor des Kreises Steinfurt - Amt für Lebensmittelüberwachung, ECLI:EU:C:1998:369, para 37. The construction of consumer in the CJEU jurisprudence goes all the way back to Case C-120/78, Rewe-Zentral AG v Bundesmonopolverwaltung für Branntwein (Cassis de Dijon), ECLI:EU:C:1979:42.

67 M Bartl, ‘Internal Market Rationality, Private Law and the Direction of the Union: Resuscitating the Market as the Object of the Political’ 21 (2015) European Law Journal 572, 580. See Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council, OJ L 304/64; and Commission, ‘A European Consumer Agenda – Boosting confidence and growth’ COM(2012) 225 final.

68 Bartl, ‘Internal Market Rationality (n 67) 583–5.

69 H-W Micklitz, ‘The Expulsion of the Concept of Protection from the Consumer Law and the Return of Social Elements in the Civil Law: A Bittersweet Polemic’ (2012) EUI LAW Working Paper 2012/03 <https://cadmus.eui.eu/handle/1814/20374> accessed 22 July 2024.

70 B Mäihäniemi, ‘The Role of Behavioural Economics in Shaping Remedies for Facebook’s Excessive Data Gathering’ 46 (2022) Computer Law & Security Review 1, 6–7; and Cohen, Between Truth and Power (n 25) 178–82.

71 Eller (n 56) 514.

72 J Goldenfein and L MacGuigan, ‘Managed Sovereigns: How Inconsistent Accounts of the Human Rationalize Platform Advertising’ 3 (2023) Journal of Law and Political Economy 425.

73 Post on X by @johnnyryan <https://x.com/johnnyryan/status/1805174733601743357> accessed 14 July 2024.

74 N Purtova, ‘The Law of Everything. Broad Concept of Personal Data and Future of EU Data Protection Law’ 10 (2018) Law, Innovation and Technology 40.

75 GDPR, Arts 15 and 17.

76 GDPR, Arts 18 and 21.

77 M Veale, R Binns and J Ausloos, ‘When Data Protection by Design and Data Subject Rights Clash’ 8 (2018) International Data Privacy Law 105, 121.

78 Ibid., 108–11; and A Calvi, G Malgieri and D Kotzinos, ‘The Unfair Side of Privacy Enhancing Technologies: Addressing the Trade-offs between PETs and Fairness’ (2024) FAccT ‘24: Proceedings of the 2024 ACM Conference on Fairness, Accountability, and Transparency 2047, 2054.

79 Veale et al, AI and Global Governance (n 77) 112–14.

80 See A Cormack, ‘Is the Subject Access Right Now Too Great a Threat to Privacy?’ 2 (2016) European Data Protection Law Review 15.

81 C de Vreese and R Tromble, ‘The Data Abyss: How Lack of Data Access Leaves Research and Society in the Dark’ 40 (2023) Political Communication 356, 358.

82 C Cadwalladr and E Graham-Harrison, ‘Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach’ (The Guardian, 17 March 2018) <www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election> accessed 11 October 2023.

83 M Clark, ‘Research Cannot Be the Justification for Compromising People’s Privacy’ (Meta Newsroom 2021) <https://about.fb.com/news/2021/08/research-cannot-be-the-justification-for-compromising-peoples-privacy/> accessed 27 November 2023. On scraping methods, see J Ausloos and M Veale, ‘Researching with Data Rights’ 2020 (2020) Technology & Regulation 136, 139–40.

84 Recital 30 of Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU, OJ L 156/43. The relevant obligation was Article 1(15)(c).

85 Joined Cases C-37/20 and C-601/20, WM and Sovim SA v Luxembourg Business Registers, ECLI:EU:C:2022:912.

86 R Griffin, ‘Rethinking Rights in Social Media Governance: Human Rights, Ideology and Inequality’ 2 (2023) European Law Open 30, 40–4. See also D Kennedy, ‘The International Human Rights Movement: Part of the Problem?’ 15 (2002) Harvard Human Rights Journal 101.

87 B Sander, ‘Democratic Disruption in the Age of Social Media: Between Marketized and Structural Conceptions of Human Rights Law’ 32 (2021) The European Journal of International Law 159, 161–2.

88 Guaranteed in Arts 11 and 7 of the Charter.

89 RF Jørgensen, ‘Framing Human Rights: Exploring Storytelling Within Internet Companies’ 21 (2018) Information, Communication & Society 340; and RF Jørgensen, ‘What Platforms Mean When They Talk About Human Rights’ 9 (2017) Policy and Internet 280.

90 Jørgensen, ‘Framing Human Rights’ (n 89) 344–5.

91 P Miller and N Rose, ‘Governing Economic Life’ 19 (1990) Economy and Society 1, 27.

92 AE Waldman, ‘Privacy, Practice, and Performance’ 110 (2022) California Law Review 1221, 1225–6 and 1249–51. Of course, scholars also have sought to provide different conceptualisations. See eg, S Lindroos-Hovinheimo, Private Selves: Legal Personhood in European Privacy Protection (Cambridge University Press 2021); and JE Cohen, ‘What Privacy Is For’ 126 (2013) Harvard Law Review 1904.

93 H Hogan, ‘The Origins and Development of Article 16 of the Charter of Fundamental Rights’ 2 (2023) European Law Open 753, 781–3.

94 Ibid., 781.

95 Case C-314/12, UPC Telekabel Wien GmbH v Constantin Film Verleih GmbH and Wega Filmproduktionsgesellschaft mbH, ECLI:EU:C:2014:192, para 49.

96 Case C-70/10, Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM), ECLI:EU:C:2011:771, para 48. See also Case C-360/10, Belgische Vereniging van Auteurs, Componisten en Uitgevers (SABAM) v Netlog, ECLI:EU:C:2012:85.

97 Commission, Impact Assessment accompanying the document Proposal for a Regulation of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC, SWD(2020) 348 final, Part 1/2, para 259.

98 Case B6-22/16, Facebook – exploitative business terms, 6 February 2019, para 691, as cited in I Graef, ‘Consumer Sovereignty and Competition Law: From Personalization to Diversity’ 58 (2021) Common Market Law Review 471, 490.

99 E Cloatre and R Dingwall, ‘“Embedded Regulation:” The Migration of Objects, Scripts, and Governance’ 7 (2013) Regulation & Governance 365, 372.

100 K Lenaerts and JA Gutiérrez-Fons, ‘To Say What the Law of the EU Is: Methods of Interpretation and the European Court of Justice’ 20 (2014) Columbia Journal of European Law 3, 31–7. They argue, at 32, that the systematic interpretative method enables the CJEU to identify the objective of an EU law provision.

101 GDPR, Art 6.

102 Meta, ‘How Meta Uses Legal Bases for Processing Ads in the EU’ (Meta Newsroom 2023) <https://about.fb.com/news/2023/01/how-meta-uses-legal-bases-for-processing-ads-in-the-eu/> accessed 27 November 2023.

103 GDPR, Art 6(1)(b).

104 EDPB, ‘Binding Decision 3/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited and its Facebook service (Art. 65 GDPR)’ (The EDPB Binding Decision 3/2022, 5 December 2022).

105 Meta (n 102).

106 Case C-252/21, Meta Platforms and Others (Conditions générales d’utilisation d’un réseau social), ECLI:EU:C:2023:537, paras 115–18.

107 Meta, ‘Facebook and Instagram to Offer Subscription for No Ads in Europe’ (Meta Newsroom 2023) <https://about.fb.com/news/2023/10/facebook-and-instagram-to-offer-subscription-for-no-ads-in-europe/> accessed 27 November 2023.

108 EDPB, ‘Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms’ (17 April 2024) <https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-082024-valid-consent-context-consent-or_en> accessed 13 July 2024.

109 Commission, ‘Commission opens non-compliance investigations against Alphabet, Apple and Meta under the Digital Markets Act’ (25 March 2024) <https://ec.europa.eu/commission/presscorner/detail/en/ip_24_1689> accessed 13 July 2024.

110 Ibid. For an account of the struggles between online platform corporations and researchers, see A Bruns, ‘After the “APIcalypse”: Social Media Platforms and Their Fight Against Critical Scholarly Research’ 22 (2019) Information, Communication & Society 1544.

111 Griffin (n 86) 54.

112 See Case C-457/21 P, Commission v Amazon.com and Others, ECLI:EU:C:2023:985; and beyond Big Tech, Joined Cases C-885/19 P and C-898/19 P, Fiat Chrysler Finance Europe v Commission, ECLI:EU:C:2022:859. In the case against Ireland and Apple, the Court accepted the Commission’s reasoning. Case C-465/20 P, Commission v Ireland and Others, ECLI:EU:C:2024:724.

113 Rohde and Parra-Herrera argue that ‘[l]egal forms are remarkably persistent and remarkably protean’. Rohde and Parra-Herrera (n 22) 537–8. On the limits of law’s open-endedness and plasticity, that is, the limits of its ‘contingency’, see also S Marks, ‘False Contingency’ 62 (1) (2009) Current Legal Problems 1.

114 M Galanter, ‘Why the Haves Come out Ahead: Speculations on the Limits of Legal Change’ 9 (1974) Law & Society Review 95. In the international context, see also N Tzouvala, Capitalism As Civilisation: A History of International Law (Cambridge University Press 2020) 38, arguing that ‘international law might read as open, plastic or indeterminate in Geneva, London or New York, but not so much in Baghdad, Nauru or Cairo’.

115 Cohen, Between Truth and Power (n 25) 104, arguing that ‘Powerful actors also use their resources to reshape those narratives, however, supplying a range of inputs that include legal arguments, economic models, empirical studies, opinion polls testing public responses to carefully crafted questions, and compelling rhetorical and metaphoric devices for framing descriptions and arguments. Those inputs function as information subsidies, supplying policymakers who have limited resources of their own with ready access to a trove of facts, anecdotes, theories, and narrative frameworks from which to draw’.

116 Cloatre and Dingwall (n 99).

117 L Lessig, Code: And Other Laws of Cyberspace (Basic Books 1999). See also J Grimmelmann, ‘Regulation by Software’ 114 (2005) The Yale Law Journal 1719.

118 GDPR, Art 7.

119 M Degeling et al, ‘We Value Your Privacy… Now Take Some Cookies: Measuring the GDPR’s Impact on Web Privacy’ (Network and Distributed Systems Security (NDSS) Symposium, San Diego, California, USA, 24–27 February 2019) <www.ndss-symposium.org/ndss-paper/we-value-your-privacy-now-take-some-cookies-measuring-the-gdprs-impact-on-web-privacy/> accessed 28 September 2023.

120 M Veale and FZ Borgesius, ‘Adtech and Real-Time Bidding under European Data Protection Law’ 23 (2022) German Law Journal 226, 243–4. See eg, OneTrust, ‘Cookie Consent: Simplify cookie compliance and consent management’ (OneTrust LLC 2023) <www.onetrust.com/products/cookie-consent/> accessed 28 September 2023.

121 M Kretschmer et al, ‘Cookie Banners and Privacy Policies: Measuring the Impact of the GDPR on the Web’ 15 (4) (2021) ACM Transactions on the Web 1; M Toth et al, ‘On Dark Patterns and Manipulation of Website Publishers by CMPs’ 3 (2022) Proceedings on Privacy Enhancing Technologies 478; and Z Liu et al, ‘Opted Out, Yet Tracked: Are Regulations Enough to Protect Your Privacy?’ (arXiv 2023) <https://arxiv.org/abs/2202.00885> accessed 28 September 2023.

122 For an account for the relevance of various ‘new governance’ arrangements within the EU, see J Scott and DM Trubek, ‘Mind the Gap: Law and New Approaches to Governance in the European Union’ 8 (2002) European Law Journal 1; and for a treatment of new governance as ‘red herring’, RD Kelemen, Eurolegalism: The Transformation of Law and Regulation in the European Union (Harvard University Press 2011) 9.

123 Cotterell (n 38) 637–8.

124 For an exploration and normative embrace of digital co-regulation in the EU, see M Finck, ‘Digital Co-regulation: Designing a Supranational Legal Framework for the Platform Economy’ 43 (2018) The European Law Review 1, 9–16.

125 Rose and Valverde (n 28) 543.

126 K Klonick, ‘The New Governors: The People, Rules, and Processes Governing Online Speech’ 131 (2018) Harvard Law Review 1598. See also T Gillespie, Custodians of the Internet: Platforms, Content Moderation, and the Hidden Decisions That Shape Social Media (Yale University Press 2018).

127 Arts 12–15 of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) OJ L 178/1. Recital 40 states that ‘this Directive should constitute the appropriate basis for the development of rapid and reliable procedures for removing and disabling access to illegal information’.

128 JE Cohen and AE Waldman, ‘Introduction: Framing Regulatory Managerialism as an Object of Study and Strategic Displacement’ 86 (2023) Law and Contemporary Problems i.

129 European Commission, ‘The 2022 Code of Practice on Disinformation’ (European Commission 2023) <https://digital-strategy.ec.europa.eu/en/policies/code-practice-disinformation> accessed 28 September 2023; and Transparency Centre, ‘Discover the Code of Practice on Disinformation’ (Transparency Centre 2023) <https://disinfocode.eu/> accessed 28 September 2023. On the varied roles of codes of conduct in the European digital governance, see generally, C Van der Maelen, ‘Hardly Law or Hard Law? Investigating the Dimensions of Functionality and Legalisation of Codes of Conduct in Recent EU Legislation and the Normative Repercussions Thereof’ 47 (2022) The European Law Review 752.

130 See J van Hoboken et al (eds), ‘The DSA has been published – now the difficult bit begins’ (Verfassungsblog 2022) <https://verfassungsblog.de/dsa-published/> accessed 11 October 2023.

131 V Elliott, ‘Big Tech Ditched Trust and Safety. Now Startups Are Selling It Back As a Service’ (WIRED, 6 November 2023) <www.wired.com/story/trust-and-safety-startups-big-tech/> accessed 23 November 2023.

132 DSA, Art 37.

133 Ibid., Art 37(3).

134 Commission Delegated Regulation (EU) of 20.10.2023 supplementing Regulation (EU) 2022/2065 of the European Parliament and of the Council, by laying down rules on the performance of audits for very large online platforms and very large online search engines, C(2023) 6807 final, recital 8. See P Terzis, M Veale and N Gaumann, ‘Law and the Emerging Political Economy of Algorithmic Audits’ (2024) The 2024 ACM Conference on Fairness, Accountability, and Transparency (FAccT ’24) 1255, 1260.

135 J Black, ‘Forms and Paradoxes of Principles Based Regulation’ (2008) LSE Legal Studies Working Paper No 13/2008, 28–9 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1267722> accessed 6 August 2024.

136 Commission, ‘Delegated Regulation on independent audits under the Digital Services Act’ (20 October 2023) <https://digital-strategy.ec.europa.eu/en/library/delegated-regulation-independent-audits-under-digital-services-act> accessed 6 August 2024.

137 Terzis et al (n 134) 1260–3; and J Laux, S Wachter and B Mittelstadt, ‘Taming the Few: Platform Regulation, Independent Audits, and the Risks of Capture Created by the DMA and DSA’ 43 (2021) Computer Law & Security Review 1, 7–9 <https://doi.org/10.1016/j.clsr.2021.105613> accessed 6 August 2024.

138 See particularly, Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council, OJ L 316/12.

139 Technical standardisation in the EU more generally has long been a topic of scholarly interest. See eg, H Schepel, The Constitution of Private Governance – Product Standards in the Regulation of Integrating Markets (Hart Publishing 2005); and M Cantero Gamito and HW Micklitz (eds), The Role of the EU in Transnational Legal Ordering: Standards, Contracts and Codes (Edward Elgar Publishing 2020). For a concise account of the role of harmonized technical standards in the EU governance regime, see Case C-588/21P, Public.Resource.Org and Right to Know v Commission and Others, Opinion of Advocate General Medina, EU:C:2023:509, paras 16–51.

140 Case C-613/14, James Elliott Construction Limited v Irish Asphalt Limited, EU:C:2016:821, para 40.

141 Case C-160/20, Stichting Rookpreventie Jeugd and Others v Staatssecretaris van Volksgezondheid, Welzijn en Sport, EU:C:2022:101, paras 48–9; and Case C-588/21P, Public.Resource.Org and Right to Know v Commission and Others, ECLI:EU:C:2024:201, paras 81–5.

142 H Schepel, ‘The New Approach to the New Approach: The Juridification of Harmonized Standards in EU Law’ 20 (2013) Maastricht Journal of European and Comparative Law 475; and R Vallejo, ‘The Private Administrative Law of Technical Standardization’ 40 (2021) Yearbook of European Law 172.

143 See Commission, ‘Commission Implementing Decision on a standardisation request to the European Committee for Standardisation and the European Committee for Electrotechnical Standardisation in support of Union policy on artificial intelligence’ C(2023)3215.

144 See eg, M Veale and FZ Borgesius, ‘Demystifying the Draft EU Artificial Intelligence Act: Analysing the Good, the Bad, and the Unclear Elements of the Proposed Approach’ (2021) Computer Law Review International 97, 104–6; NA Smuha and K Yeung, ‘The European Union’s AI Act: Beyond Motherhood and Apple Pie?’ in NA Smuha (ed), The Cambridge Handbook on the Law, Ethics and Policy of Artificial Intelligence (Cambridge University Press forthcoming, 2025) 28–32 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4874852> accessed 22 July 2024; and M Cantero Gamito and CT Marsden, ‘Artificial Intelligence Co-regulation?: The Role of Standards in the EU AI Act’ 32 (2024) International Journal of Law and Information Technology 1, 14–17.

145 On multistakeholderism generally, see M Raymond and L DeNardis, ‘Multistakeholderism: Anatomy of an Inchoate Global Institution’ 7 (3) (2015) International Theory 572.

146 Commission, ‘Proposal for a Regulation’ (n 181) 1–2. See ECOS, ‘The Green Line to Standards’ (2024) <https://ecostandard.org/> accessed 22 July 2024; ETUC, ‘Speaking with a single voice on behalf of workers in Europe.’ (2024) <www.etuc.org/en> accessed 22 July 2024; and ANEC, ‘The European consumer voice in standardisation’ (2024) <www.anec.eu/> accessed 22 July 2024.

147 Cohen, Between Truth and Power (n 25) 228–31.

148 Commission, ‘An EU Strategy on Standardisation: Setting global standards in support of a resilient, green and digital EU single market’ COM(2022) 31 final; and Commission, ‘Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 1025/2012 as regards the decisions of European standardisation organisations concerning European standards and European standardisation deliverables’ COM(2022) 32 final.

149 Commission, ‘An EU Strategy on Standardisation’ (n 148) 4.

150 Cantero Gamito and Marsden (n 144) 13.

151 ETSI, ‘Membership of ETSI’ (2024) <www.etsi.org/membership> accessed 22 July 2024.

152 ETSI, ‘Artificial Intelligence’ (2024) <www.etsi.org/technologies/artificial-intelligence> accessed 22 July 2024.

153 Regulation (EU) 2022/2480 of the European Parliament and of the Council of 14 December 2022 amending Regulation (EU) No 1025/2012 as regards decisions of European standardisation organisations concerning European standards and European standardisation deliverables, OJ L 323/1, Art 1(2).

154 CEN, ‘HAS assessment process (Innovative process)’ (4 March 2024) <https://boss.cen.eu/developingdeliverables/pages/en/pages/has_assessment_process/> accessed 25 August 2024.

155 Kommission Arbeitsschutz und Normung (KAN), ‘Contract signed for the work of the HAS Consultants’ (12 September 2022) <www.kan.de/en/help-advice/news/detailansicht-en/vertrag-fuer-has-consultants-geschlossen> accessed 25 August 2024. See also EY, ‘Would you like to become a Harmonised Standards Consultant?’ (2024) <www.ey.com/en_be/consulting/harmonised-standards-consultant> accessed 25 August 2024.

156 Rose and Valverde (n 28) 545, arguing that: ‘There is no such thing as Law [but rather] the empirical diversity of legal sites, legal concepts, legal criteria of judgement, legal personnel, legal discourses, legal objects and objectives’ (emphasis omitted).

157 A Vauchez, ‘EU Law, Down to Earth’ 1 (2022) European Law Open 148, 149.

158 D Wood and J Fels, ‘Designs on Signs/Myth and Meaning in Maps’ 23 (1986) Cartographica 54, as cited in Johns, #Help (n 32) 36.

159 M Andrejevic, Automated Media (Routledge 2020) 113.

160 A Orford, ‘In Praise of Description’ 25 (2012) Leiden Journal of International Law 609, 625; and Andrejevic (n 159) 113.

161 Orford (n 160) 625.

162 JC Scott, Seeing Like a State: How Certain Schemes to Improve the Human Condition Have Failed (Veritas paperback edn, Yale University Press 1998) 11–83.

163 J Law and J Urry, ‘Enacting the Social’ 33 (2004) Economy and Society 390, 392–3; A Mol, ‘Ontological Politics: A Word and Some Questions’ in J Law and J Hassard (eds), Actor Network Theory and After (Blackwell 1999) 74–89, 77–80; M Callon, ‘Introduction: The Embeddedness of Economic Markets in Economics’ 46 (1) (1998) Sociological Review 1, 2; and Sullivan (n 16) 43–5.

164 S Viljoen et al, ‘Design Choices: Mechanism Design and Platform Capitalism’ July–December (2021) Big Data & Society 1.

165 Law and Urry (n 163) 397; and Mol (n 163) 75.

166 Law and Urry (n 163) 396.

167 Johns, Non-legality in International Law (n 17) 9.

168 Kampourakis (n 36) 820. See also M Koskenniemi, ‘Enchanted by the Tools: An Enlightenment Perspective’ 35 (2020) American University International Law Review 397, 419–23. For one example in the digital context, see the criticism of overreliance on human rights in the context of social media governance, see Griffin, ‘Rethinking Rights’ (n 86).

169 Cohen, Between Truth and Power (n 25) 269–70.

170 Kampourakis (n 36) 816.