Data-driven technology has become a mainstay in our societies. Feeding AI systems and the IoT, large-scale datasets have the potential to radically reshape our understanding of things and basic social practices. It should thus come as no surprise that regulating data has become a central concern of regulation across the world. The European Union’s (‘EU’) data law (including its most recent evolutions) has become an authoritative totem as one of the most elaborate and pre-emptive regulatory framework worldwide.
Governing data boils down to determining ‘who (should) do(es) what’ with it. However, considerations on the matter spark crucial disagreements. Some might want to keep data away from others. Some may intend to share it. Some may intend to treat it as part of their community. Then again, some others may not even want to have their activities tracked and turned into data – or ‘datafied’, to use the catchword (Sadowski 2019). We can keep this going endlessly. In grappling with core challenges surrounding who should govern data, and what should be done with it, the bottom line is that individuals and organisations are asked to figure out how to ‘render to each their due’. Fundamentally, data law raises fundamental questions of justice. This makes it crucial to understand how conflicts over how data is (or ought to be) governed come to be settled in view of certain principles of justice. Each theoretical account possesses its own normative toolkit as to how to do so.
What conception(s) of justice permeate(s) EU data law? Two accounts have seemingly gained traction, providing firm theoretical foundation and normative legitimacy to EU data law since the early days of data protection (Fia 2024; Fia 2023). One is the liberal-oriented approach to data law, which revolves around informational self-determination (Rouvroy and Poullet 2009). The other is the welfarist-oriented view of data law, which frames it as a matter of market integration. If the former views data as a part of our personality, the latter construes it as an asset or a commodity to commercialise. Both accounts permeate to varying degrees EU data law, with a more pronounced market logic stirring its latest developments – ie the Data Strategy and its accompanying legislation (Data Governance Act, Data Act, Data Spaces) (Streinz 2021; Taylor and others 2022; Fia 2023; Ducuing 2024; Finck 2024; Fia 2024; Groza and Botero Arcila 2024).
Much as the theoretical discussions centre on the values and interests in question, little to no ink has been spilled on the justice dimension(s) of EU data law. By contrast, critical data studies and non-legal scholarships have looked into ‘data justice’ for a while now (Taylor 2017; Cinnamon 2020; Taylor and others 2022). The justice deficit in data legislation analyses might reflect a sheer apathy within the legal circles. Another explanation can be that the prevailing theoretical and normative perspectives on EU data law – as much as doctrinal accounts – are ill-equipped to address such questions. Yet, there is much more to consider beyond the constraints of the frameworks conventionally applied to EU data law.
Towards a critical justice theory of data law
How can we take justice more seriously in EU data law than the existing perspectives do? My suggestion is that we need to look someplace else. More substantial and wide-ranging notions of justice that would target the material features and substantial architecture of data law are a promising avenue. Relational egalitarianism takes this commitment to heart. To date, Viljoen’s democratic data governance theory (Viljoen 2021) and Naudts’ application of Iris Marion Young’s philosophy to data regulation (Naudts 2024) are amongst the most seminal endeavours in this respect.
Another avenue worth exploring is Rainer Forst’s theory of critical justice. Forst conceives of justice as the ‘human virtue and moral-political imperative to oppose relations of arbitrary rule or domination’ (Forst 2014, 33-34). Justice takes on two core meanings in his conceptualisation: minimal (or fundamental) justice and maximal justice. To resist arbitrariness and domination, the task of the former is to shape a ‘basic structure of justification’, that is putting justification into effect ‘through constructive, discursive democratic procedures in which the “justificatory power” is distributed as evenly as possible among the citizens’ (ibid 36). Everyone taking part in the socio-political order of justification is vested with equal rights to determine how the distributive networks should operate. Thus conceptualised, minimal justice is the necessary condition of maximal justice. The latter is concerned with how the ‘basic structure of society’ is formed, including fundamental questions of distribution of goods, benefits, welfare and burdens.
Importantly, the primacy of fundamental justice radically alters the agenda of justice concerns. The prerequisite to come to a just basic structure of society is the existence of ‘intersubjective relations and structures’ (ibid) fostering the equal and fair involvement of people in determining ‘who does what’, before tackling goods, benefits and burdens. In short, ‘the basic question of justice is not what you have but how you are treated’ (ibid).
Injustices in EU data law
How does EU data law treat people involved in data access relations? Answering this question urges us to go to the core of the problems. Put differently, what relations of arbitrary rule or domination does data law have the potential to leave unchecked, underlie, nurture, or even sanction?
Before we move on, let’s first look closer into how we relate to data. At bottom, we refer to data by accessing it. Data access conjures and encapsulates virtually any possible relation between us and data: production, collection, analysis, use, and so forth. In outline it is a relation of power of someone (an ‘access granter’) over something (data), and between an access granter and someone who seeks access to data (an ‘access seeker’) (Fia 2023, ch. 1). This very configuration raises the possibility that access granters get on top of data access relations. More specifically, there is ‘unilateral data control’ when the most powerful access granters (‘data control holders’) are able to leverage ‘private law modules’ (Pistor 2019), such as IP rights, (more or less standardised) contracts, and technological protection measures (TPMs), to foreclose data access to the detriment of access seekers (Fia 2023, ch. 2). Data control holders are the dominant market forces, such as big tech platforms and original equipment manufacturers (Trampusch 2024). They leverage the law to spotlight self-serving interests. This eventually causes injustices. EU data law misses the mark on justice if it fails to tackle the relations of arbitrary rule and domination that unilateral data control insinuates.
Against this background, where are injustices to be found? Another contribution to this symposium emphasises that European secondary law on data and platforms ‘all rest[s] on the assumption that internet and digitalization are and remain in the realm of the private law of contracts’ (Lurger 2024). Contractual arrangements, in fact, tie together data control holders to their counterparties. Ts&Cs accompanying each and every website, app and smart objects through which data is processed are an illustrative example (Pałka 2023). Contractual apparatuses that undergird data access relation thus exhibit interpersonal injustices. Data control holders most often succeed in imposing contractual terms that echo their priorities, worldviews and interests in how data is governed in such relations (Haggart and Tusikov 2023, 175ff.; Trampusch 2024). Conversely, less equipped or more vulnerable parties to contracts (consumers, workers, small business users) hardly have a real say. The contractual nexuses are thus unjustifiable between the parties (Hesselink 2016, 691-92; Hesselink 2022, 320-22).
The unequal conformation of discreet contractual relationships also signals unjust distributive nexuses. EU data law indeed is beset with matters of social injustice. Recall that, if we adopt a radical and critical conception of justice such as Forst’s, questions as to how data should be distributed ensue from the intersubjective, relational practices that determine who does what and who receives what. It is thus key to identify what relations among people are (un-)just and, therefore, ‘asks what they owe one another and for what reasons’ (Forst 2012, 191).
Unilateral data control has detrimental repercussions in terms of access seekers’ participation and representation in governing data. As Cinnamon (2020) puts it, ‘[t]hose who produce data are able to shape the world according to their own worldview, therefore influencing the worldly experiences of those who only consume, rather than produce data or the growing array of digital platforms and products derived from it’. Therefore, access seekers’ interests, worldviews and prerogatives can be completely left out of the picture even if data relates to them by some means (non-participation). Viljoen has observed that US data legislations face a sociality problem in that they fail to consider access seekers represented by data in data flows – particularly when data production ‘relates data subjects […] to one another and to others that share relevant population features with the data subject’ (‘horizontal relations’: Viljoen 2021, 607). By the same token, EU data law prevents access seekers’ participation in how such data comes into existence.
On an adjacent level, unilateral data control results in misrepresentation. The fact that data control holders are on top of data access relations means that populations are for the most part represented the way the former want. Think of the various analytics techniques and their shortcomings in terms of group privacy (Taylor, Floridi and van der Sloot 2017). Conversely, access seekers (especially communities and people represented by data: de Souza and Taylor 2024) have no real say. By the same token, shrewd corporate tactics to capture a great deal of people’s attention on their services spur data production (Bietti 2024). The ensuing addictive, manipulated behaviours turn into data, raising questions as to how just the coming into existence of such data is, and of how the relevant populations are represented. Once again, EU data law falls short of addressing these issues.
Moving on to the distributive matters, another driver of social injustices in data law is unequal data production. The fact that some data does not even come into existence in the first place means that some aspects of reality are not turned into data due to technological underdevelopment. This is a matter of data availability (Cinnamon 2020, 221). Fisher and Streinz (2022) aptly describe situations of scarcity as ‘data deserts’. Data access ‘is frequently divided along social, economic, and geographic lines’ (Cinnamon 2020, 220), and is therefore the outcome of data control holders’ decisions and practices.
Two sites of unequal data production are data markets and the smart city. For one thing, marginalised and socially oppressed individuals and less equipped communities may well not have the means for accessing data due to patterns of socio-economic inequalities (eg lack of expertise, skills and data processing technology). Likewise, small firms operating in traditional industries such as farming and manufacturing are less prone to employ data-driven technology, especially if the start-up costs are high. This means that less tech-savvy people and businesses experience greater disadvantages in terms of lack of datafication of their business practices. Smart cities, by the same token, typically lack data infrastructures within urban areas that experience chronic indigence, social exclusion and oppression (de Lange 2019, 79).
A third site of social injustice is the lack of distribution of benefits (‘value’) arising from data processing practices. The monetary value of personal data has been a debated topic in the data protection literature (Malgieri and Custers 2018). An access seeker that contributes to producing data might be willing to exchange data for remuneration. Yet, data control holders are well positioned to singlehandedly harness the gains derived from large-scale data processing. As a result, access seekers tend to be side-lined.
Justice in EU data law and its democratic core
To incorporate critical justice into data law requires to come up with devices and strategies that tackle injustices. Data law should be equipped to prevent and replace the relations of arbitrary rule and domination unilateral data control has the potential to cause. Recall that earlier we have viewed data access as a relation of power. If that is the initial concern of justice, then it is primarily a matter of how goods (in our case, data) ‘come into the world in the first place, who decides on the distribution, and how it is carried out’ (Forst 2012, 195). This takes the crucial step of creating a basic structure of justification of data law. Intersubjective, relational practices that empower parties (including the most marginalised and oppressed) should determine ‘who does what’ with data in view of justifications that cannot be reasonably rejected by others. To do so, democratic participation and deliberation should be front and centre. Democratic practice would thus inform the discussion and determination on the structures and networks of data production and (pre-)distribution (rather than re-distribution). Thus, data governance mechanisms informed by intersubjective practice would be something of a political construct.
It is then crucial to seek avenues for democratic arenas that do not leave aside those on the fringes of society. At bottom, participation should be coupled with meaningful opportunities for deliberation that would equally involve access seekers and access granters. Together they would form democratic polities deliberating on how data access should take place in society. To be sure, participation becomes more difficult whenever collective actors (eg communities and groups) get involved. In addition to conflicts of rights and interests, there is a risk that members of collectives themselves do not settle their internal differences on how to exercise them.
Determining ‘who does what’ with data then touches fundamental distributive matters (‘what to do with data’). What should equally treated society members involved in data governance target through intersubjective, democratic practice? To answer this query, we need to go back to the core of the unjustifiable relations that EU data law currently does not address. Of course, one first key matter is to decide what aspects of reality (should) get datafied, whether the societal or the private interest prevails. The existing EU data legislation misses out on offering solutions to this crucial question (Cinnamon 2020; Fisher and Streinz 2022). Yet, it is crucial to interrogate the extent to which we can accept that a democratic society undergoes processes of datafication. While the distributional criteria and mechanisms are left to intersubjective determination, one can anticipate what is at stake by looking back on the injustices. Three questions stand out, with an ensuing plethora of solutions of the polities’ choosing. First, access matters. How should data access operate in society? Secondly, and relatedly, questions of data use. What purposes should data be accessed (ie produced, collected, analysed, used) for? Third, the value that should accrue to the involved participants. Who should benefit from data processing practices? To what extent? (Fia 2023, ch. 6).
Conclusion
To take justice considerations seriously, EU data law cannot overlook the relations of arbitrary rule and domination that unilateral data control insinuates. Meanwhile, radically democratic devices of participation and deliberation addressing ‘who decides what’, ‘who does what’ and ‘what to do with data’ should take pride of place in the data law acquis. This however takes extraordinary staying power. Where do we even start? On paper, bottom-up laboratories of democratic data governance could inspire the European legislator. There is a bourgeoning body of both conceptual frameworks and local experiences that point in this direction. Take for example the DECODE Project in Barcelona (Monge and other 2022), data commons (Van Maanen, Ducuing and Fia 2024), data cooperatives (Fink 2024), data justice (Taylor 2017).
Yet grassroots initiatives find it hard to scale. Hence the conclusion that they tend to wither away if left unaided. But it would a mistake to downplay their potential by picturing them as regulatory pipe dreams. What should we do about it? One catalyst for change may be the recognition of data governance (counter-)norms that bottom-up movements produce as norm-making (de Souza and Taylor 2024). However, there is a lot to be pessimistic about whether and how this commitment can take off at European level. Market instrumental data law (Fia 2024), reflecting the innate democratic deficiencies of European (private) law making, is probably not the right driver. To mention another contribution to this symposium, ‘[s]takeholder consultation is not democratic empowerment’ (Hesselink 2024). That is why – more than ever – we must carefully rethink the role EU data law can play in building, recognising and empowering meaningfully inclusive arenas fuelled with justificatory power. Only if EU data law prioritises the democratic determination of the structures and networks of data production and distribution will it do justice to justice.
Art by Tomoko Nagao
Il quarto stato with motta, campari, pirelli, armani, prada, chicco, alitalia and visa at piazza duomo
2016 Digital contents
© 2024 TOMOKO NAGAO