Governing “European values” inside data flows: interdisciplinary perspectives

values” inside


What rights matter? Examining the place of social rights in the EU's artificial intelligence policy debate Jędrzej Niklas, Cardiff University Lina Dencik, Cardiff University
The European conundrum Digitalisation has set into motion a deep transformation of our societies, cultures and economies (Castells, 2010) while challenging territoriality-based sovereignty (Hamelink, 1994) and eroding traditional regulatory configurations (Cohen, 2019).
Global digital connectedness is in many fundamental ways beneficial, as it facilitates cross-border communications, seamless trade and production along global value chains, and enables novel types of technology-driven innovation and new business models (Henke et al., 2016;Burri, 2021a). However, recent years have also shown the downsides of such data-based internationalisation in terms of disrupted equity, dependency and sustainability, with digital activities being mediated by actors who deploy these technologies to serve particular interests, public or private, with sometimes problematic effects manifesting themselves in and co-creating our information civilization.
Scholarship across disciplinary boundaries has nurtured a critical discourse offering conceptual perspectives on trust, power, justice and authority in digital societies (e.g., Cohen, 2019;Zuboff, 2019). These distinct perspectives speak to the literature on important human rights and societal values that are contested and renegotiated in the digital realm (Zalnieriute and Milan, 2019), including privacy and surveillance (Farrell and Newman, 2019), control over internet infrastructure (DeNardis, 2014), and fairness of algorithms (Pasquale, 2016). There is a heightened awareness of the risks from the digital (dis)intermediation of societal values that undergird social cohesion, the public sphere and democratic institutions (Van Dijck, Poell, and De Waal, 2018). As a result, the discourses on transnational interdependencies and responsibilities have turned much less deterministic and polarised, to become more nuanced and pluralistic (Irion, 2021;Yakovleva and Irion, 2020a).
In the last decade, the cross-border movement of digital products and services, as well as their underlying data have been disruptive to a range of European legal frameworks. Against this backdrop the European Union (EU) has been re-assessing how to better integrate its digital internal market paradigm with individual rights and public values that are foundational to "the European project". The substance of the rights and values is codified in primary EU law, notably the Treaty on European Union (2012), the Treaty on the Functioning of the European Union (2012), and the Charter of Fundamental Rights of the European Union (2000), as further developed and implemented in secondary EU law (European Commission, 2021). The EU certainly had a headstart in the field of personal data protection regulation that has become a very influential model across the world. So much so that the General Data Protection Regulation (GDPR) is a frequently cited example of Anu Bradford's (2020) Brussel's effect that connotes the externalisation of EU's regulatory standards. Differences over transatlantic flows of personal data on the part of the EU create new fissures in the geopolitical strategies for the digital economy of the US (Irion, 2015;2020b), while China emerges as a digital power to be reckoned with.
With its quest for digital sovereignty the EU embraces a new assertive rhetoric (Von der Leyen, 2020), juxtaposing its "value-based" approach vis-a-vis a more market-based US and a top-down state-centric Chinese one. This contestation is notable in the idea of the "four internets": within the US the "DC commercial internet" as counterpart to the existing "Silicon Valley open internet", the "Brussels bourgeois internet", and the "Beijing paternal internet" (with the "Moscow spoiler" as parasitic strategy) (O'Hara and Hall, 2020). While the "Brussels bourgeois" label seems slightly dismissive, O'Hara and Hall (2020) describe its substance as a vision of a "well-ordered, self-regulating, responsible [...] more or less open Internet, on which good behavior is the norm. Trolling, privacy invasion and fake news should be marginalized or regulated away by a strong civil society whose members are trustworthy and trusting" (n.p.). Others refer to the EU's striving to set ethical standards for novel technologies "for good" (Kalff and Renda, 2019), fully compatible with sustainability (as per the European Green Deal) and more broadly with the Sustainable Development Goals (European Commission, 2021). Kalff and Renda (2019, pp. 187-188) note in this context that "Europe's unique balance between freedom (' of' , not 'from'), and justice explains its unique legal and economic tradition. Fairness, reasonableness, good faith, pre-and post-contractual obligations are time-tested principles and part of the heritage of continental Europe".
How to leverage this potential, if true, is the key question, however. Despite the size of the single market and substantive economic activity, the EU faces the problem of "delivering" on its well-intended "plethora of promising policies" (Kalff and Renda, 2019), especially in the absence of home-region big tech firms and largescale online service providers. Smaller-scale and/or alternative ecosystems, infrastructures and architectures are yet to be developed within and by the Union, and a coordinated EU data governance approach embodying European values and digital sovereignty is still lacking. At the same time, there are concerns about regulation stifling innovation and competition, particularly focused on the GDPR and the Digital Services Act (Cennamo and Sokol, 2021), but also on how it may in fact favour big tech firms if the specifics of their business models and ecosystems and their geopolitical embeddedness are not properly accounted for (Jacobides, Bruncko, and Langen, 2020;cf. Ciulli and Kolk, 2019. Attempts are made to properly bridge competition policy and data protection law (Kira, Sinha, and Srinivasan, 2021). As a result, EU digital sovereignty has not only an external dimension. Internally, the EU seeks to leverage the constitutive role of the digital realm for European integration, to build itself constitutionally and increase its legitimacy.

Grounding European values in a transnational digital setting
Building on the debate outlined above, this special issue assembles interdisciplinary perspectives on governing the digital in ways that safeguard "European values" while adequately performing in a transnational digital environment. Instead of arguing why critical European values require protection, it asks how to effectively ground these values in a transnational digital setting. The special issue seeks to identify which institutions, regulatory formations and governance fora can be harnessed without disrupting otherwise beneficial data flows (e.g. Burri, 2021b). With this in mind we invited abstracts for multidisciplinary contributions and the resulting draft papers were presented and discussed at an international workshop held online on 29 January 2021. The final set of reviewed contributions is included in this special issue. The special issue starts with a contribution on EU digital sovereignty that queries its potential to enhance the protection of European values. In their article "Safeguarding European values with digital sovereignty: an analysis of statements and policies", which offers an excellent entrance point to EU digital policy, Huw Roberts, Josh Cowls, Federico Casolari, Jessica Morley, Mariarosaria Taddeo, and Luciano Floridi interrogate the meaning and the use of digital sovereignty across EU policy fields. In their understanding, digital sovereignty constitutes "a form of legitimate, controlling authority". Using content analysis of EU documents, the authors trace the policy areas and measures that are most closely associated with digital sovereignty. This analysis identifies the five key areas that EU institutional actors most frequently mention as important for strengthening digital sovereignty, i.e. data governance; constraining platform power; digital infrastructures; emerging technologies; and cybersecurity. The authors assess the EU's ability to exercise legitimate control and discuss the efficacy of EU digital policy in the areas that have been most closely associated with EU digital sovereignty. The article concludes with recommendations on how the EU can address the identified deficits to further strengthen EU's digital sovereignty as a vehicle to protect European values.
The other nine articles in the special issue are grouped around four themes containing more than one contribution. The first theme, "Lessons from the General Data Protection Regulation", critically engages with the GDPR as a model for EU digital rulemaking. The contributions tackle enduring compliance issues for digital public services that use cloud infrastructure, the GDPR's extraterritorial application and the role of regulatory intermediaries in enforcing data protection standards.
The second theme, "Joining-up data ordering with rights-preserving governance", argues in favour of introducing data governance schemes which operate below the legislative framework but align well with European values. The third theme, "Value design in digital architectures", looks for the role of EU public policy in harnessing standardisation more effectively and explores the positive contribution of valuesensitive design of digital technologies. The fourth theme, "A European approach to artificial intelligence", conceptualizes societal harm and the underrepresentation of social rights in the current EU proposal for an Artificial Intelligence Act.

Lessons from the General Data Protection Regulation
As a corollary to digital sovereignty, EU law demands untangling personal data flows from unfettered surveillance authorities of foreign governments. The convoluted legal situation surrounding the cross-border transfers of personal data is most pronounced in the EU-US relationship although it extends well beyond (Burri, 2021b). The jurisprudence of the Court of Justice of the EU (CJEU), which invalidated twice the legal bases for the transfer of personal data from the EU to the US, holds repercussions for the cloud computing sector. The article "Mitigating the risk of US surveillance for public sector services in the cloud" by Jockum Hildén analyses the intricate legal situation from the perspective of public authorities in EU member states which are avid customers of US-incorporated cloud service providers. After reviewing the legal framework, the article documents how public authorities in the Netherlands and Sweden seek to mitigate the risks for cloudbased public sector services. The Dutch example shows how innovatively combining EU data protection law and public procurement rules helped to renegotiate the terms of service of a major cloud service provider. Nonetheless, the public sector would benefit from more legal certainty in their procurement and use of cloudbased services.
The contribution "Extraterritorial application of the GDPR: promoting European values or power?", authored by Oskar Gstrein and Andrej Zwitter, explores the GDPR's extraterritorial application and its unlikely promotion of European values.
The authors contend that it is somewhat counterintuitive to assume that the GDPR could wield that much authority abroad all the while large internet platforms could accumulate virtually unrestrained socio-economic power. The authors question whether unilateralism as embodied in the GDPR can cope with transnational data flows, legal plurality and the complexity of the digital sphere. They advocate for a more sustainable multilateral strategy that emphasises value-driven harmonisation, such as the modernised Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108+) of the Council of Europe as a better avenue to safeguard European values.
In his article "Governing the shadow of hierarchy: enhanced self-regulation in European data protection codes and certifications", Rotem Medzini explores two types of regulatory intermediaries, namely monitoring and certification bodies. Set against political science and regulatory governance theories, this contribution looks at the arrangements that allow these private actors to act as regulatory intermediaries whereby they monitor codes and assess conformity with certifications. The author traces rigorously why these regulatory intermediaries have been introduced and how they have been shaped during the legislative process leading up to the GDPR. According to two case studies of codes of conduct and certification, rule-takers can only adopt codes and certifications that are pre-approved and intermediated by accredited private actors. In both cases the GDPR mixes enforced self-regulation-through accreditation and the ratification of criteria-with components of enhanced self-regulation-through regulatory intermediation.

Joining-up data ordering with rights-preserving governance
The recognition that data ought to be governed as a resource has inspired an entirely new strand of research into the conception and practices of data ordering and governance. Data governance coins any regime that attracts data in order to be further processed to extract value from data following the logic of a particular regime. Balázs Bodó, Alexandra Giannopoulou, Kristina Irion, and Heleen Janssen make a conceptual differentiation between three levels of data governance, i.e. the macro, meso, and micro level. Their contribution "Personal data ordering in context: the interaction of meso-level data governance regimes with macro frameworks" charts the interdependence between these levels and the consequences for the governance of personal data. An international comparison between macro-level regimes distinguishes distinct approaches to data ordering and governance in the EU, US and China. In the context of global competition the authors argue that meso-legal data governance regimes determine the success or failure of the EU's approach with its rights-oriented model. Providing legal recognition to "data intermediaries" as put forward in the proposal for a Data Governance Act could be a way to construct data governance regimes at meso-level in support of the EU's fundamental rights approach. Yet, if the EU comes to prioritise data ordering over value preserving data governance, there is a risk that the fundamental rights preserving macro framework of the EU will be compromised.
As a corollary to the article above, Jan Zygmuntowski, Paul Nemitz, and Laura Zoboli take as a starting point "an ecosystem of trust" and inquire which data governance model creates conditions for data stewardship guided by European values and rights. Their contribution "Embedding European values in data governance: a case for public data commons" leverages science and technology studies, critical data studies and institutional economics in order to derive key conditions for the establishment of common European data spaces and comprehensive data-sharing framework that serve the public interest. In doing so the authors synthese a rich body of literature that is developed into an analytical framework and conceptual critique of four data governance models. Under the favoured model, which is conceptually linked to Ostrom's (1990) common-pool resources framework, data becomes a common good that is protected collectively and governed by specific rules that safeguard European rights and values. Public data commons, the authors con-clude, will serve the public interest in support of European technological sovereignty while increasing data sharing.

Value design in digital architectures
Internet governance implicates not only content regulation but also the frameworks that govern all layers of the internet's communication model (e.g. Werbach, 2002). Digital architecture plays a critical role, as it embeds certain values that are in contestation between private and public actors and may ultimately enable or hinder policy implementation (e.g. Benkler, 2000). The contribution "Policy strategies for value-based technology standards" by Amelia Andersdotter and Lukasz Olejnik acknowledges this complex interplay and explores technical standardisation in Europe and the role of non-formal, industry-driven standards bodies, such as the the World Wide Web Consortium (W3C), Internet Engineering Task Force (IETF) or the Institute of Electrical and Electronics Engineers (IEEE). Starting from the European Commission's formulation of "European values", the authors carefully map the interdependencies between enforcement of codified societal norms and industry priorities. They argue in particular that the EU should devote more resources towards absorbing already existing innovation and standardisation into its compliance mechanisms and that shaping standardisation with European values is only possible through the lens of a human-centric approach to technologies. The authors highlight the need for enhanced cooperation between standardisation bodies and regulators, as well as the difficulties associated with the interface of standard-setting and innovation.
In the article "Value Sensitive Design and power in socio-technical ecosystems", Mattis Jacobs, Christian Kurtz, Judith Simon and Tilo Böhmann explore the role of Value Sensitive Design (VSD) as a valuable framework that allows technology creators to account for values in the design of technical artefacts. However, they argue, power distribution within the process of technology design can potentially hinder the approach. The authors thus identify four factors that contribute to determining the impact of power distribution on VSD, namely: the level of decentralisation of the ecosystem; whether VSD is applied at the core or periphery; temporality, that is to say when VSD can be exercised; and the phase of VSD (conceptual, empirical, and technical) in which power can be exercised. Adopting a power-sensitive ecosystem perspective, Jacobs and colleagues explain how technology projects that aim to keep values at heart should account for power. Here the authors recognise how new regulatory initiatives and oversight institutions can support VSD practitioners and even form the basis for a close cooperation that can reveal problematic practices of powerful actors in socio-technical ecosystems and thereby lay the foundation for further regulatory action.

European approach to artificial intelligence
Artificial intelligence (AI) has been one of the policy areas, where the EU has newly positioned itself as a regulatory entrepreneur and seeks to promote a "European approach" in reaping the benefits of technological innovation while safeguarding fundamental rights and key values (European Commission, 2021a). Against the backdrop of these initiatives, the contribution by Nathalie Smuha, "Beyond the individual: governing AI's societal harm", argues for a more nuanced policy design that distinguishes different types of harm arising in the context of AI (individual, collective and societal). She enriches the current AI discourse by conceptualising AI's societal harm in particular and argues that a shift in perspective beyond the individual towards a regulatory approach that addresses AI's effects on society at large is needed. By making an analogy to environmental law and policy, Smuha identifies distinct "societal" mechanisms that the EU could employ in this context that involve public oversight mechanisms to increase accountability; public monitoring mechanisms to ensure independent information gathering about AI's societal impact; and procedural rights with a societal dimension, including a right to access to information, access to justice, and participation in public decision-making on AI, regardless of the demonstration of individual harm.
In "What rights matter? Examining the place of social rights in EU's AI policy debate", Jędrzej Niklas and Lina Dencik explore the role of social rights in the EU debate on AI policy. The commitment to "European" values, they argue, rarely results in consistent policy frameworks. However, new policy areas, such as AI policy, allow us to take a closer look at what concerns, interests and priorities shape the European project today. The authors embark on a systematic analysis of the submissions to the public consultation on the EU White Paper on AI Strategy, open to citizens and stakeholders in 2020. They find that social rights occupy a marginal position in the EU's policy debate on emerging technologies, whereas human rights, with emphasis on individual privacy and non-discrimination, take central stage.
These concerns are often translated into design solutions or procedural safeguards and a commitment to market creation-at the expense of concerns over key questions of economic inequality and redistribution.

Concluding remarks
The articles in this special issue testify to the complexities of data governance in the public interest. As the current debate about the GDPR shows, its extraterritorial enforcement and effectiveness are controversial and its transnational appeal as a regulatory model has not been conclusively established so far. Yet, the GDPR is only one piece of the data governance puzzle that the EU must solve in a way that safeguards its core values and establishes it as a "regulatory entrepreneur" able to put in place functioning legal frameworks along the line from hard law to softer co-and self-regulatory instruments. This EU project is ongoing and there are several important legal initiatives in the pipeline, such as the proposals for a Digital Services Act, a Digital Markets Act, a European Data Act, and an Artificial Intelligence Act, all of which require regulatory designs that are robust enough to address the conundrum sketched in the first part of this editorial. How to uphold and implement European values in the complex competitive international landscape characterised by rapid technological developments is a crucial concern for policymakers and societies, and a highly relevant area for further investigation.
When passing new legislation the EU should not only clearly conceptualise digital sovereignty but also define forward-looking strategies that can deal with transnational configurations of actors, digital infrastructures, and algorithms, as well as current geopolitical and sustainability challenges. This requires sustained accompanying efforts to cultivate value-sensitive design at the level of digital technologies, to reduce asymmetries of power and knowledge between providers and users, and to generate acceptance of and compliance with a shared set of values throughout digital ecosystems. At the same time, other actors from business and civil society should also play an active role in contributing to European values and to setting standards. Public scrutiny by academics and civil society has shown enormous potential to hold providers of digital technology accountable, which needs to be recognized and strengthened. This will continue to be an area of contestation given that scalable alternative business models and decentralized digital infrastructures, also feasible for the many smaller-scale entities in the EU, are not yet available. With this special issue we seek to advance a research agenda that harnesses multidisciplinary research to re-conceptualise and ground public interest governance with transnational digital technologies in Europe and beyond. relentless support throughout the production of this special issue.
The international workshop and this special issue received financial support from the Amsterdam Centre for European Studies (ACES) at the University of Amsterdam, as well as the research project "The Governance of Big Data in Trade Agreements" at the University of Lucerne, sponsored by the Swiss National Science Foundation.