Ethics is seen as a critical resource for data law. But beyond this almost slogan-like truism, the exact functions which ethics might play in data law are often left unclear. This contribution clarifies the ways in which data ethics and data law are intertwined and, on this basis, offers guidelines for practitioners in terms of interpreting the GDPR. Two types of norms allow for modulation between the law and ethics of data. The first type of norms is the ‘principles’ of the GDPR. Ethical resources can be used for the interpretation of these norms using a Rawlsian reflective equilibrium approach. The second type of norms is evaluative judgment norms, the most well-known of which derive from the characteristically risk-based responsibility that the GDPR bestows on controllers. For these evaluative norms, ethical resources could be used in three different functions: as a tool for the identification and assessment of risks, as a resource for improving data controller processes, and as the basis for the codes of conduct foreseen by the GDPR. These three potential modulations between ethics and the law of data help controllers of data make sense of their responsibilities in light of the GDPR’s requirements.

Key Points
  • This article argues that ethics is an integral part of the interpretation of relevant legal norms on data. The relevance of ethics is often blurred by a failure to clearly articulate the relationships between the ethics of data and the law of data.

  • The main hypothesis of the article is that an important part of the ethics of data should be conceived of as being embedded in data law. Interpretation of the law should draw upon ethical resources. For the sake of the argument, ethics is not defined as being about substantive positions, but as a normative investigation of values. The argument focuses on how to identify and draw upon ethical resources within a legal context.

  • This article addresses two specific categories of legal norms in the GDPR to exemplify how ethical resources can be made relevant for legal interpretation. The two normative categories are ‘principles’ and ‘evaluative judgments’.

  • This article offers a blueprint for data protection practitioners, administrative and judicial bodies, and political decision-makers on how to identify and make the most out of ethical resources within the law.


Ethics has become an integral part of the ever more relevant discussion on data processing, and, more broadly, on artificial intelligence (AI). There are numerous ethical guidelines, recommendations, and charters—in short, ethical resources—addressing the governance of data processing.1 More specifically, numerous actors have called for ethics to play a larger role in the drafting of new data laws but also when it comes to interpreting and applying existing data laws. As put by the European Data Protection Supervisor in 2015, ‘in today's digital environment, adherence to the law is not enough; we have to consider the ethical dimension of data processing’.2 In the academic literature on data protection, the importance of data ethics has also not gone unnoticed. As Raab writes, ‘in recent years, there has been a noticeable “turn” from reliance on legal regulation to an emphasis on ethics – and accountability and transparency as well – in this part of the field of information policy’.3

This ethical debate is crucial for data law. However, this relevance is often blurred by a failure to clearly articulate the relationships between the ethics of data and the law of data. Data ethics might be an interesting resource for data law, but its nature and functions have to be clearly outlined if it is to be of any use. This contribution aims to propose a blueprint for conceptualizing and drawing upon ethical resources in relation to data law, taking the example of the GDPR as a key legal document.4

According to a view which I label the ‘separation thesis’, law and ethics are often conceived of as being different in kind, but complementary in function.5 Both strive to regulate data-based processing, but they do so by raising different claims. Under this ‘separate’ understanding, ethics kicks in as a second-best option for regulating specific phenomena which the law fails to address. Where the law is absent, ethics has to jump in to fulfil three important functions: a coordinative function of providing actors with some common principles, a red-line function of crystallizing the types of practices which actors (mainly business actors) should prohibit, and a gap-filling function of providing justification for specific actions.6

In contrast, my hypothesis is that an important aspect of data ethics should be understood as being part of the law. Among the different understandings of ethics found in this context, I will focus on ethics defined as a normative investigation of values. This article is primarily making an argument about how to go about interpreting legal norms, not about the substantive ethical positions which should be used for this interpretation. Values-based interpretation is required to make sense of the law, and we need specific methods to identify and take advantage of the synergies between ethics and law which this conception makes possible. For data protection practitioners, administrative and judicial bodies, and political decision-makers, understanding this is key if they want to make the most out of their interpretations of the law.

I will defend this hypothesis by demonstrating that two different categories of norms entailed by the GDPR function as modulators between ethical resources and the legal norms which they crystallize. This mapping will enable data protection practitioners, as well as administrative and judicial bodies, to better draw upon these ethical resources when interpreting and applying the GDPR.

The contribution is organized as follows. The first section briefly outlines the ‘separation’ view and then presents the hypothesis of this contribution. It locates its relevance for the legal literature on the GDPR, and more broadly on data law. The second section maps the two categories of legal norms. The concluding section then summarizes this contribution’s findings in the form of a blueprint for interpreting the GDPR.

The law and ethics of data

This section presents two possible conceptions of the relations between ethics and the law. In contrast to a ‘separation’ approach, my hypothesis regards the embeddedness of ethical resources in the law. By providing definitions for key concepts, this section lays down the jurisprudential basis of the argument to come.

Two conceptions of the relation between data ethics and the law

In the context of digital technology, ethics and the law are often conceived of as being in a relation where each discipline has its own specific job. The ‘separation’ approach assumes that the two should be considered distinct in kind, but complementary in terms of the functions that they fulfil. Under this understanding, the job of the law is to clearly formulate which practices are prohibited by providing rules, as well as consequences that ensue when said rules are breached. The job of ethics is to provide a general values-based context in which we, as individuals and/or entities, can find resources to identify how we should (and should not) behave. This understanding of ethics has an action-guiding ambition. It aims at providing guidance as to how states, companies, and individuals ought to act. Where the law has no clear answer, ethics is used to jump in and address problematic situations. Different situations where the law has no answer are conceivable: disruptive technologies that evolve too quickly for the law to keep up, political incapacity to enact laws, unclearly formulated laws, etc. In all these situations, ethics is seen as an ‘Ersatz’, serving both guiding and coordinative functions. But ethics, like soft law norms, has to address major challenges in terms of enforceability, bindingness, and legitimacy.7

According to this ‘separation’ approach, the proliferation of ethical guidelines in the field of data-based technology does not come as a surprise.8 It is the functional answer to the law’s limited capacity to regulate complex data-based technology. Of course, this development might also be interpreted in a negative light as ‘ethical washing’ by powerful companies engaged in ethical discourse merely in order to prevent legal regulation.9

This ‘separation’ approach is relevant when it comes to addressing the GDPR. Most clearly, what the GDPR fails to regulate—or what relevant actors conceive as failures—is addressed as a field to which ethics should contribute. Where the GDPR ends or remains elusive, ethics starts. The EDPS stated in 2015 that ‘the reform of the regulatory framework (GDPR) will be a good step forward. But there are deeper questions as to the impact of trends in data driven society on dignity, individual freedom and the functioning of democracy’.10 Ethics is somehow looming large, surrounding legal norms.

In a different sense, the GDPR itself is seen as an ‘ethical’ body of law, meaning a body of law which goes in the ‘right’ direction. According to this view, which often remains quite elusive, ethics outlines a normative horizon of expectations—the objectives we should strive towards—and uses this substantive benchmark to assess the evolution of law. In this respect, ethics is more akin to a referential standard which is drawn upon to evaluate the law than a part of the law itself. Of course, one also needs to be able to define what the ‘right direction’ to strive towards actually entails.

This view that I label the ‘separation’ approach makes some good points and it would be misguided to reject it altogether. First, it is clear that value-based considerations have played a crucial external role in the legislative procedures that led to the GDPR. Value-based reasoning is omnipresent in legislative decision-making. Specific legal norms are not chosen coincidentally, but reflect the values-based positions of the political decision-makers. These positions might be stated explicitly, as is often the case in legislative debate on particularly contentious questions in which the stakes appear clearly (such as abortion or end-of-life questions). In this first preliminary sense, the debates on the adoption of the GDPR can be read from an ethical standpoint, understood as the attempt to identify the most important values and structure them around ethical concepts. Specifically, one can attempt to identify normative references in the way EU legislative bodies have addressed this challenge.11

Secondly, it is also clear that value-based arguments can be used as a way to criticize legal norms. Here, ethics is seen as a set of normative resources, grounded in values shared by a number of individuals and structured in a consistent format. For instance, we could imagine a liberal criticism of existing data law, a substantial position structured around the value of individual freedom. This substantial position is used as a benchmark to challenge an existing body of law because it fails to be ambitious enough in the sense of its values. It is important to recall this function because it highlights the fact that the approach defended here relies upon the law as it exists today. This approach might be criticized for its lack of critical force. It is true that the approach sketched here is tailored for working from within a legal regime such as the GDPR. It is not well-equipped to fundamentally and totally throw the regime into question. Nevertheless, this point shall not be taken as an argument against this specific methodology, but rather in favour of complementarity with distinct approaches.

While ethics and the law are not the same, I adopt an approach which tries to make the most of the interpretive potential of conceiving ethics and the law as intimately intertwined. The conception of ethics and the law as intertwined has a fundamentally practical ambition: it aims to empower data protection practitioners as well as administrative and judicial bodies that interpret the law with better tools. As explained below, this approach allows critical force to be directly integrated into the process of interpretation of the legal norms. This reflects what Buchanan has called ‘progressive conservatism’.12 According to him, we should draw upon the most promising norms already entailed by a specific legal regime and try to make sense of them in the process of interpretation. This would allow justice to be done to both what has already been reached in terms of moral progressiveness and to what still appears to be possible.

Ethics and the law as intertwined

In the intertwined conception, the law and ethics have to be thought about together. The two are in a relation of modulation made possible by interface norms. Three clarifications are required. These clarifications represent the broader, jurisprudential background of this contribution. I have argued in more detail for this approach in other contributions.13

First, our brief discussion of the ‘separation’ thesis has highlighted different conceptions of what is to be understood by the term ‘ethics’.14 It is important to try to provide as much clarity as possible for the argument to come. On a first level, ethics is often opposed to morality. My working definition of ethics is the rational investigation of morality. Morality encompasses the moral convictions or habits held by individuals or groups of individuals. Morality and ethics are hence not to be found on the same level. In that context, ethics considered as a scientific discipline is the scientific investigation of morality. On a second level, it is interesting to distinguish between ethics as a normative investigation of values and ethics as substantial positions anchored in specific values. It is possible to defend a liberal ethics (structured eg around the value of individual freedom), but it is also possible to practice ethics as critical investigation without being strictly committed to any one substantive moral position. For the argument to come, the focus will mostly be put on this definition of ethics as a normative investigation of values.15 This article is primarily making an argument about how to go about interpreting legal norms, not about substantive positions which should be used for this interpretation.16 Of course, the two are linked in that the methodological understanding clears the way for an argument drawing upon a substantive moral position.

Secondly, to claim that ethics and the law are intertwined is to make a claim that strikes at the core of a long-standing dispute in philosophy of law. Briefly addressing this question is vital because it marks an important difference from the ‘separation’ approach. The general hypothesis—which cannot be fully defended here—is that the law is a specific part of our broader universe of moral norms. I adopt a jurisprudential position called normative positivism which explains the sense in which the law as normative practice relies upon broader moral presuppositions. The core of a positivist jurisprudential position is that the condition of legal validity rests upon social facts, that is, non-normative facts. The legal validity of a norm depends upon the social facts that are recognised in a given context as sources for said norm.17 This is well-known from the abundant literature on legal positivism.18 But an important point of connection between law and morality is often forgotten: a positivist position is not value-free. It relies upon a number of normative presuppositions. As summarised by Besson and Marti, ‘what counts as law depends on what we value in law, and this is a normative question’.19 Normative positivists acknowledge that positivism is inevitably value-laden and claim that the identification of these values must be openly normative. On this basis, they are committed to justifying their approach on the basis of values that are linked, most importantly, to the rule of law.20 For instance, normative positivism fully acknowledges the importance of the social facts that serve as sources for the legality of the law (positivism) but, at the same time, it pays specific attention to the quality of these sources of law from the perspective of the rule of law (such as clarity, publicity, certainty, equality, transparency, and fairness).21

This normative positivist position is one of the ways one might frame the general relation between the law and moral norms. For the present argument, this possibility is sufficient because it gives substance to the idea that the law as normative and as a social practice is embedded in a broader normative realm which we can call ‘morality’. The law is hence a specific aspect of the realm of morality, working with specific rules and principles and therefore deploying a specific normativity qua law. In this sense, the law claims to offer specific reasons for actions. The law raises a specific claim on the individuals subjected to it.22

Thirdly, we can explain the idea of ‘modulation’ and ‘interface’ between law and ethics. My hypothesis is that the legal realm entails specific types of legal norms which are especially important for this process of modulation. As shall be fully defined later, values, principles, or fundamental rights which have been positivised—which are part of the law according to our positivist understanding—represent modulating norms. This interface is not to be understood as distinguishing an ‘outside’ from an ‘inside’, but rather as a point of junction between different modes of functioning.

These interface norms represent a locus of investigation for our present purposes. The necessary process of interpretation requires bodies in charge of applying the law, as well as legal scholars who propose a doctrinal reading, to make explicit and transparent how they interpret these values and principles. In other words, the claim is that they should make explicit which underlying value-based considerations they assume when defining and interpreting these legal values and principles. To acknowledge that legal interpretation is value-laden should lead legal scholars to take a structured look at their own presuppositions. In line with the definition proposed above, they should engage in an ethical investigation, trying to structure and order their moral intuitions, presuppositions, or opinions. This structuring effort and its result can be obtained using ethical resources in a process of legal interpretation. For the sake of the argument at hand, ethical resources hence refer to the conceptual and normative tools/references which legal practitioners, scholars, and judicial bodies can draw upon in interpreting these specific legal norms.

This process of modulation is bound by the functioning of the law as a specific realm.23 For example, references to the legal principle of ‘non-discrimination’ should not be used to advocate, on the basis of an ethical theory, for a completely new understanding of what equality means in a specific legal context. Instead, being as explicit as possible about what this legal concept refers to allows for transparency in doctrinal arguments that advocate for reform based upon a renewed understanding of what equality amounts to. If the bodies in charge of interpreting these legal norms are to be as transparent as possible, they need to make clear the ways in which they read these legal values and principles.24 This interpretive exercise remains internal to the law, but it draws upon resources which can be deemed ethical for our purposes. As noted by Besson with respect to human rights law, the idea is to ‘theorize the law in order to identify its immanent morality and hence the immanent critique within the law as a normative practice’.25 In light of the definition proposed above, we call this theorization and identification of the ‘immanent morality’ of the law an ethical exercise.

Identifying and interpreting interface norms

On the basis of this broad jurisprudential position, this section has the ambition of identifying and mapping two main categories of interface norms: ‘principles’ and ‘evaluative judgments’. These two categories entail norms which bring to the fore that ethical considerations are deeply embedded within a specific legal regime—the GDPR in casu. As will be addressed, the two categories do so according to different modalities. It is the main contribution of this piece to highlight these modalities and explain how to take advantage of them in interpretive practice. To this end, the following sections are organized as follows: first, a definition of the types of norms at stake is presented, with examples drawn from GDPR norms; secondly, a reflection is conducted on how ethical resources could contribute to the interpretation of these norms. This contribution is not the place to address in detail every norm identified. As shown below, some of them have been the objects of extensive scholarship to which I will here only refer briefly. The focus of the present contribution lies instead in the mapping of these different norms and the explanation of the role which ethical resources could play in legal interpretation.


The first category of interface norms that I refer to herein is ‘principles’. It is worth noting that what unites these norms is not their semantic denomination. For instance, the fact that Article 5 GDPR lists a number of norms labelled ‘principles’ does not automatically mean that these qualify as ‘principles’ in the sense proposed here. Of course, they might, but it is not necessarily the case. What these interface norms have in common is that they are or contain elements which make them general and foundational legal norms.26 These two conditions qualify them as ‘principles’ in the sense of this first category of interface norms. For the sake of this mapping, the following ‘principles’ found in the GDPR should be noted: serving mankind (recital 4), dignity (Article 88 (2)), fairness (Article 5(1)a), accountability (Article 5(2)), and the right to a human decision (Article 22).

As general legal norms, they display a high level of generality and abstractness. They are marked by a structural indeterminacy which implies that they need to be individuated through interpretation and reasoning.27 The interpretive effort required to apply these norms is especially important. Furthermore, as foundational legal norms, they grasp and express the political and moral values upon which a specific regime is founded.28 This view explains why these norms represent good resources for an exercise of justification of the legal regime that they are part of.29

The functions which the interface norms should fulfil are primarily to provide consistency and legitimacy to the legal regime. These functions are inspired by the functions which principles of law fulfil.30 First, principles fulfil the function of ensuring the consistency of a legal regime, or of a whole legal order (like EU law). In this sense, they represent fundamental structuring norms that are applicable across the whole regime or order.31 In the case of the EU, this dimension is particularly important with respect to the modulation between different understandings of Member States regarding specific issues as well as what is necessary for a post-national political community to function.

Secondly, principles are crucial norms for the legitimacy of a legal regime. They function both as a yardstick for the evaluation of existing legal provisions and as a tool for developing legal arguments for the further development of the same legal provisions.32 The general and foundational norms identified here are first the locus and the resources of this legitimacy discussion. As defined above, the norms themselves require an important interpretive effort which offers an opportunity to challenge their content in light of broader ethical, social, or political debates.33 Secondly, once interpreted, these norms are the vehicle for the specific normative content of the other norms. These other norms are interpreted and applied in light of these interface norms. Following Lenaerts and Gutiérrez-Fons, this explains why principles are crucial instruments for a constitutional dialogue which ‘facilitate the constant renewal of the EU legal order, epitomizing the “EU’s living constitution”’.34

The list of principles mentioned above should not be understood as exhaustive and it is possible to argue that additional norms of the GDPR should be added to the list. On the one hand, it is clear that a comprehensive analysis should also consider Articles 7 and 8 of the Charter. These norms qualify as principles as defined here and provide the general normative framework in which the GDPR is embedded.35 For reasons of space, we focus here on the norms entailed by the GDPR. On the other hand, it is interesting to explain why specific norms of Article 5 (titled ‘Principles’) are not on the list. First, the principle of ‘lawfulness’ has not been included in the list because of the specific sense it takes in the GDPR. As a general principle, it seems self-evident that a process regulated by the law (such as the GDPR in this case) should respect the law. This principle of lawfulness understood as the principle of legality could be integrated in every law as a principle. In this first sense, it clearly connects to the issue of the authority of the law and the claim the law makes upon individuals that are under an obligation to respect it. Beyond this lawfulness as legality, the GDPR’s ‘lawfulness of processing’ (Article 6) can be understood as specifying conditions which processing needs to fulfil in order to be licit. Article 6(1) formulates conditions which need to be fulfilled.36 Understood in this way, however, lawfulness appears as a concept encompassing several more specific rules, not as a principle as defined above. Secondly, the other elements of Article 5(1) (transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality) are not on the list because they are conceived of as being direct emanations of fairness as a principle. They are considered parts of fairness. This can of course be disputed and a principle like transparency could be integrated into the list. Thirdly, proportionality is not included in the list of principles because it will be addressed as the core of the second category of modulation norms (evaluative judgment norms).

Interpreting principles in the GDPR

Beyond these questions of which norms qualify as principles in the sense proposed here, the main focus bears upon the specific methodological challenges of interpreting these norms. In the framing proposed here, these challenges are directly linked to the question of modulation between law and ethics. I will briefly present a possible tool for interpreting these norms and then exemplify how to use it with the principle of fairness.

From a jurisprudential point of view, the idea is to transform what could be described as a fuzzy norm into a locus where legal practitioners and scholars can draw upon ethics in order to contribute to clarity and consistency as part of their legal interpretation. I propose to take up this methodological challenge by using an instrument for integrating tools and concepts from both law and ethics in a reflective movement.37 This instrument is broadly inspired by the ‘reflective equilibrium’ famously coined by political philosopher John Rawls.38 This instrument aims to describe a process of normative exchanges. A new point of ‘equilibrium’ is reached when a first stage of reflection has been challenged and improved by integrating legal and moral elements.39 This instrument should be conceived of as being complementary to classical interpretive methods in law (textual, contextual, teleological, historical). It is situated on a different level. The reflective equilibrium is not an interpretive method; it is an instrument which helps to make one’s normative presuppositions appear explicitly. In other words, all interpretive methods require reflective equilibrium when they deal with legal norms such as principles.

This concept of reflective equilibrium is used in contrast to a top-down characterisation of the relationship between law and ethics.40 This equilibrium better crystallizes the mutual and reflective process of normative interactions.41 The reflexivity comes from the back-and-forth movement between the provisional definition of specific norms, the current use and interpretation of these norms by relevant actors in the form of normative practice, the normative reconstruction of this interpretation, and back again to the practice in order to highlight potential developments in the way the norm could be interpreted. This tool gives great importance to the idea of coherence. In its very structure, it strives towards producing coherence between the different elements infused in the search for a point of equilibrium.42

It is important to note that a Rawlsian reflective tool offers the methodological prerequisites for interpreting interface norms, but it does not directly address the substantial position defended in this reflective process. In other words, there is another level of reflection which addresses the question of a liberal, republican, socialist, or any other substantial position bearing upon the interpretation of these norms. These two levels fit the definition of ethics provided above. The primary point of my argument is to highlight the relevance of ethical resources defined as the structured investigation of one’s normative presuppositions when it comes to the interpretation of legal principles. The second level of reflection will be to propose a clearly normative and substantial argument about how a principle X should be interpreted.

The example of the principle of ‘fairness’

To exemplify how this reflective tool can modulate between ethics and the law we can identify the main steps required in order to apply it to the crucial principle of fairness as entailed by the GDPR.43 As a preliminary point, it is worth noting that the principle of fairness fulfils the two conditions identified above. It is both a general and a foundational legal norm for the GDPR. As we discuss here, it is clearly a general norm whose interpretation requires an important effort.44 At the same time, the idea of fairness appears as an occasion of justification for the overall GDPR regime. It describes and qualifies an essential feature of the legal regime. Expressed metaphorically, fairness appears as one of the pillars of this regime. The legitimacy of the overall regime would be deeply affected if fairness were erased or transformed. This finding is reinforced by the fact that the concept of ‘fairness’ is also to be found in Article 8(2) Charter.

To apply Rawlsian reflective equilibrium, we can start by identifying how fairness is to be found in the GDPR. The concept itself (fairness, fair, fairly) appears 15 times. One of these instances is not directly relevant for our purposes as it is linked to ‘fair trial’ in a very general sense. In the 14 remaining instances, fairness is linked 12 times to ‘fair processing’, once to the idea of consent (recital 42: a consent declaration should not include ‘unfair terms’), and once as a qualification of the power of a supervisory authority (recital 129). This text analysis is only a starting point for the back-and-forth movement of reflective equilibrium.45 Because of its nature as a principle, this first step of analysis does not do justice to fairness’ normative richness. To make this richness appear, we need to address how the norm is interpreted (through case-law or doctrinal comments). This is the shift towards the normative practices surrounding fairness as a legal principle.

As proposed by Clifford and Ausloos, it is possible to distinguish between two uses of fairness in the context of data protection, and more specifically in the GDPR. The first use is qualified as ‘procedural fairness’. It includes requirements for ‘fair’ processing. The second use is qualified as ‘fair balancing’. It is the more general need for a ‘fair balance’ regarding competing rights and interests.46 This first categorization already illustrates the back-and-forth movement of reflective equilibrium. To categorize the occurrences of a specific legal norm means to take an interpretive stance towards them, a stance which, in turn, relies upon specific normative presuppositions. It is not possible to structure, organize, and interpret legal material without having normative presuppositions. What the Rawlsian approach makes clear is the requirement to be as transparent and explicit as possible about these presuppositions. Taking the example of the analysis provided by Clifford and Ausloos, their justification for this distinction is a mixed analysis of how and where fairness is used in the GDPR as well as of what it means in each instance (as explained below).47 It is also interesting that they refer to a dictionary definition of what ‘fairness’ is, thereby drawing upon the idea of catching its ordinary meaning as a starting point.48

Starting with the first category identified by Clifford and Ausloos, the equilibrium is interesting in providing a structured way to address the sub-components of fairness. If fairness is a qualification of data processing, it includes several requirements. As explained by Bygrave in more general terms, the principle of ‘fairness’ generates a set of sub-principles.49 In the context of the GDPR, it is clearly linked to the notion of ‘transparency’ (Articles 5, 13, and 14 GDPR, recital 39 GDPR).50 In the GDPR, this requirement for transparency bears mainly upon the obligation to provide information to the data subject (Recital 60). But more than the obligation to inform, the GDPR also sets standards as to how this communication should happen. In this sense, Article 12(1) specifies that information should use a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’. The normative connections established between fairness and transparency are very important elements of the reflective movement. The movement tries to grasp how these two concepts were conceived of as being in relation to one another (the practices of the relevant actors involved) and challenge these connections by putting them to the test in light of a requirement for coherence. Meanwhile, it appears that fairness as in ‘fair processing’ cannot be reduced to transparency. To make this point, Malgieri suggests that fairness should be conceived together with a protection against discrimination or, even more broadly, as a principle encompassing several types of protection mechanisms addressing the imbalance of powers in a processing relation (eg on the basis of recital 71).51 In this sense, fairness would be a general principle justifying protection measures for the weakest party (or parties) in this relation.

On the second category of ‘fair balance’, the principle of fairness also includes several elements that bear upon the ‘implicit’ dimension of fairness. In this respect, fairness is linked to principles such as proportionality and other procedural dimensions of a balancing exercise involving rights and interests. The key data protection cases addressed by the CJEU are examples of this search for a fair balance.52 As Bygrave writes, this principle of fairness means that data controllers must, very generally, take into account the interests and reasonable expectations of data subjects.53 Going further, they cannot interfere unreasonably with the data subjects’ privacy interests. In this respect, the principle of fairness used in the GDPR context connects with procedural dimensions of EU law used in different contexts, most prominently proportionality. I will address these elements in the section concerning the second category of modulation norms.

With respect to this step of analysis, reflective equilibrium is useful for structuring reflections. First, it is a tool for making explicit why specific connections are made between norms. To say that fairness and transparency are linked is a descriptive claim (the European legislator has chosen to link the two), but it is also a normative claim. We need to conceptualize in which sense fairness should be connected to transparency. This function of identifying and explaining connections between norms is a critical point of analysis to which the philosophical literature on fairness might contribute.54 As explained above, this required effort of elucidation is an intrinsic part of the legal interpretation of these norms. But the philosophical literature might be used as an interesting resource for the sake of this legal analysis.

Up to this point, reflective equilibrium has mainly been used as a reconstruction tool. It has allowed for the identification and clarification of norms and the connections between these norms (as well as within these norms if one considers the different norms to be sub-norms of an overarching norm). In a further step, reflective equilibrium can also be used in a more constructive fashion. It can take advantage of the ‘foundational’ nature of these principles. Because of it, these norms are occasions for justification of the overall legal regime which they underpin. In this sense, these principles are the locus and the normative vehicle where the question of the transformation of the legal regime can be raised. The question can, for instance, be formulated in the following way: in order to improve the legitimacy of the GDPR, how should we understand ‘fairness’ beyond its current interpretation? It is of course possible to defend the idea that the current interpretation of ‘fairness’ in the GDPR is optimal and cannot be improved. Otherwise, to argue for an improvement will be to draw upon a new understanding of fairness in order to transform and/or extend the interpretation of fairness with respect to specific cases.

This constructive approach directly connects to a more substantial argument about what fairness should be. One needs to provide a theory of fairness to argue that the current interpretation of the legal norm ‘fairness’ should evolve. This argument could also take advantage of the philosophical literature on fairness.55 This would be an example of ethics defined as providing a substantive position founded on specific values, rather than ethics as a practice. To sketch such a potential argument, it could be possible to take a republican position based upon the idea of freedom defined as non-domination and defend a renewed understanding of fairness.56 This fairness could be more clearly linked to the ambition of defending the capacity of the weakest parties in a data-based relation (the data-subject, for instance) to prevent domination from taking place.57 Fairness could then be about introducing control mechanisms which force controllers to take into account the interests of the data-subject.58

On the basis of such an argument, the equilibrium can be shifted to a new stage—namely a new interpretation of fairness. On this basis, we could then continue the process by going back to the interpretation of more specific legal norms. As explained above, legal principles such as fairness are loci for renewed interpretations, but they are also normative vehicles for said interpretations. In this sense, they are used by adjudicating bodies in interpreting more specific norms. The renewed understanding of fairness infuses a renewed understanding of other norms.

To provide two brief examples, it can be argued that a renewed definition of fairness has implications for norms which prescribe a certain level of quality to be delivered. Article 15(h) GDPR foresees that: ‘the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject’ (italics added). The qualification ‘meaningful’ is about the type of information that is to be given, but the concept also gives information about the level of expectations in the relation between the data subject and the controller. A different interpretation of fairness can make this level of expectations shift towards more transparent information or more easily accessible information. Likewise, according to Article 57 (1)b GDPR, the supervisory authority shall ‘promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing’. This objective is open-ended in that no clear information is available as to what is expected from the authority in terms of the resources that they are expected to invest in fulfilling this objective. In both cases, the renewed interpretation of a principle like fairness can impact what is expected from individuals or entities through other, more specific rules.

Overall, the reflective movement outlined here provides a way to modulate between ethics and law when it comes to interpreting legal norms as ‘principles’ in the sense defined above. It helps channel ethical reflections, recognising them as being part of the legal interpretation of these norms. The same approach can, and indeed should, be used for the other principles identified above. In this way, reflective equilibrium serves as an instrument for making one’s assumptions about these principles appear explicitly. It serves the legitimacy of the GDPR as a legal regime on two counts. Firstly, it brings to the fore an interpretation of the normative pillars of the GDPR. It highlights how crucial norms of the legal regime are interpreted and applied and challenges their coherence. Secondly, it connects this first effort with a more substantial discussion about the transformation of the normative foundations of the GDPR. The legitimacy of the GDPR is at stake when distinct understandings of fairness, dignity, or accountability are being discussed and used as a matter of interpretation.

Evaluative judgments

The second category of modulation norms entails the norms which prescribe or require an evaluative judgment. As I will show, this modulation functions differently from the case of ‘principles’. In other words, using ethical resources as part of the interpretation of principles is not the same as using ethical resources as part of a required evaluative judgment.

The main difference lies in the fact that an evaluative judgment norm does not only present an interpretive challenge. Indeed, the norm can be formulated in such a way as to require important interpretive effort, but the additional modulation aspect relies upon what it prescribes, namely an evaluation.59 This evaluation is the locus where this modulation between ethics and law will take place. Ethics is here defined in a more procedural sense. As will be shown, this evaluation is often linked to a broader issue in the GDPR, namely the risk-based approach taken with respect to the responsibility of the controller.

By way of example, Article 24 GDPR requires the controller to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the regulation. Most importantly, it requires the controller to take into account ‘the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons’. This is an example of a norm which requires, by law, a person or an entity (the controller) to make an evaluative judgment (‘taking into account’) about several elements, including those who are impacted by said data processing. Recital 75 specifies which risks should, at the very least, be taken into account. It mentions ‘physical, material and non-material damage’, thereby listing a set of potential damages. As an example of the technical and organisational measures required, Article 35 requires a data protection impact assessment for cases of ‘high risk for the rights and freedoms of natural persons’.

This evaluative judgment norm is a direct emanation of the principle of accountability (Article 5(2)).60 Because the controller ‘shall be responsible for, and be able to demonstrate compliance with Art. 5(1)’, especially fairness, he or she must be able to conduct a risk-based analysis of the processing.61 This requirement forces controllers to make evaluative judgments regarding the appropriate level of risk that they are willing to make data subjects endure.

As for the principles above, there is firstly the challenge of the interpretation of the norm itself. Most importantly, as argued by Gellert, we need to be able to define what counts as a ‘risk’ in the GDPR.62 This first mandated effort is similar to the one described above and to which the reflective equilibrium approach should contribute. But, on top of this interpretive challenge, there remains an evaluative judgment requirement. This judgment can be qualified as an ethical judgment in that it directly raises the classical question which ethics addresses: how should we act in a specific situation? It requires the controllers to be explicit as to their values and to be able to justify their decisions. The logic of accountability is applied to the ethical resources used by controllers and to the process of making them explicit and transparent. As above with the interpretation of the principles, this ethical question is embedded in a legal context and practice. The risk analysis which controllers should conduct and the decision they make on that basis is an exercise of ethics in the law. The terms and conditions of ethical reflections are given by the law. As above, my contribution to the debate focuses on pinpointing the type of modulation at stake and a potential methodology for addressing ethical resources in the law.

The first task is to specify the way in which this evaluative judgment norm is embedded in the law. Most importantly, the judgment and the decision made on its basis are placed under the purview of the law, not only in terms of the relevant authority but also on a conceptual level. The margin of appreciation, indeed the level of responsibility, which is given to controllers must be approached with the principle of proportionality. The principle of proportionality creates and circumscribes the normative space which controllers can use for their evaluation.

In the context of EU law, it is worth recalling that the principle of proportionality has been recognized as a general principle since very early on.63 In its usual formulation, the CJEU defines it as follows: ‘the principle of proportionality, which is one of the general principles of European Union law, requires that measures implemented by acts of the European Union are appropriate for attaining the objective pursued and do not go beyond what is necessary to achieve it’.64 This understanding makes the link between the principle of proportionality and the rule of law particularly strong.65 In EU law, the proportionality test is formulated in three parts: suitability, necessity, and proportionality stricto sensu (s.s.).66 As in the preceding section, it is possible to engage in an interpretation of the principle of proportionality while drawing upon ethical resources.67 In this first sense, proportionality is a GDPR principle and the reflective equilibrium approach presented above could be applied to it. But, in this section, I focus on the evaluative judgment required from the controller, as part of a broader application of the principle of proportionality.

The controller should assess the potential risks of the processing. This assessment is expected to be proportionate. Following Franck and his work on proportionality, the idea is to conceive of this evaluative judgment as part of a normative space which lays down ‘the terms in which the parties to a dispute advance their self-justification’.68 This is the space in which a controller acting on the basis of EU law is called to assess and take into account the interests of affected individuals. This is the space of the risk-based approach.

In this respect, the requirement to make this risk-based evaluation explicit and to assess this evaluation in light of proportionality fulfils an interesting ‘unveiling’ function when it comes to the determination of the rights or interests that ought to be protected from interferences.69 The necessity to conduct a risk-based evaluation requires the controller to make explicit which rights or interests are at stake and where ‘red-lines’ for the interferences that are to be allowed should be drawn. Franck stresses this function when he writes that the role of proportionality is not to ‘prevent bad decisions but to create optimum opportunity for good ones by creating a space for rendering transparent, principled second opinions’.70

What does this reading of Article 24 mean for the modulation between ethics and the law? Here ethics is not drawn upon as a tool for interpretation, but as a resource to accompany the risk-based evaluative judgment required. In other words, to draw upon ethical resources helps the controller identify and assess the risks because it will bring to light concerns that would otherwise go unnoticed and/or unaddressed.

I propose three different ways in which ethics, understood as a set of methodological and conceptual tools, can contribute to this task. These three ways are modulation modes. Before proceeding with these three contributions, it is important to note that I focus on the controller interpreting and fulfilling legal obligations. Ethical resources can be used to make the controller more effective in his/her task. This ambition can be extended to the creation of teams/specialists with the explicit mission to provide this ethical expertise in applying the law. Furthermore, the reflections presented above can be used by administrative and judicial bodies supervising the implementation of the law and developing its interpretation (through case-law or interpretive guidelines). Both of them face a comparable challenge: to define as precisely as possible what the GDPR requires from the controllers and how they are expected to fulfil their obligations.

First contribution: identifying and assessing risks

First, the discipline of ethics has an important contribution to make in the identification and assessment of the potential risks bearing upon the activities carried out by the controller. As proposed by Gellert, a risk can be addressed on the basis of two elements: a risk assessment which measures the level of risk (in terms of likelihood and severity), and risk management which is about deciding whether or not to take the risk.71 The first stage might be claimed to be (relatively) objective (as being focused on establishing the facts), whereas the second stage is clearly about the importance of specific normative constraints. In this second stage, ethics as a discipline provides both the conceptual tools for assessing these risks on the basis of values deemed important and methodological considerations on the procedure designed for doing so. Let us first focus on the assessment of these risks. Conceptual tools used by ethics allow the controllers to assess these risks and identify potential red-lines which should not be crossed. For instance, Article 24 (and Article 35) specifies which kinds of threat should be taken into account, namely ‘rights and freedoms of natural persons’. The controller has the responsibility to identify potential risks for the rights and freedoms of natural persons. Applied ethics literature can provide here a context-sensitive corpus for addressing this challenging question. The controller could here draw upon medical ethics, business ethics, military ethics and the like, according to the context in which the data processing takes place. These resources help the controller map the relevant risks. On this basis, the controller should be in a position to identify and justify which risks are acceptable or not.

Second contribution: clarifying procedural requirements

Secondly, this assessment of the risks and of the potential red-lines not to be crossed has a crucial procedural dimension. The open formulation of Article 24 GDPR (‘the risks of varying likelihood and severity for the rights and freedoms of natural persons’) makes it difficult for the controller to comprehensively assess potential risks. To take every potential risk into account is an impossible mission. What can be expected from the controller are internal processes that constantly aim to identify and assess new risks. In addition to the actual identification of risks, the capacity to identify such risks is crucial. As shall be explained in more detail later, this is part of a broader reflection on the competences required of controllers in fulfilling their legal obligations.

Ethics as a discipline has a contribution to make when thinking about these procedural requirements. For instance, it has resources to offer regarding why and how to avoid cultural bias in identifying and assessing these risks.72

This establishes a strong link to the practice and scholarship on responsible innovation (RI). More specifically, it also relates to the ethics of technology assessment73 and ethical anticipation methods.74 In its current state, the field of RI tends to focus on innovation as a process of R&D, within public or private organizations.75 Most well-known is the definition given in the Rome Declaration on Responsible Research and Innovation as ‘the on-going process of aligning research and innovation to the values, needs and expectations of society’ (European Commission 2014).76 This process-focused approach has consequences for the normative questions raised (oversight and stewardship, control of the process and its stakeholders, reflections on targets and objectives) and the sites where these questions are raised (company, public research institution, and society in general).

As an influential account within the RI literature, the framework proposed by Stilgoe, Owen and Macnaghten focuses on the qualities which the process of innovation should display: anticipation, reflexivity, inclusiveness and responsiveness.77 Overall, the predicate ‘responsible’ is seen as an ‘add-on’ which is used to describe how a process should be set up: ‘with the help of this extension, innovation processes will be better enabled to balance economic (profit), sociocultural (people) and environmental (planet) interests’.78 The GDPR requires controllers to engage in a risk assessment. The claim defended here is to incorporate a similar ‘add-on’ into controllers’ processes. The features of the innovation process could be, by analogy, applied to the process which controllers use in order to identify, assess and evaluate new risks. As part of this assessment, we suggest using best practices identified by the RI literature and the associated fields of research dealing with procedural requirements in the assessment of technologies.

Third contribution: laying down the basis for codes of conduct

Thirdly, on top of the two previous points about substance and process, controllers could use ethical resources to secure consistency in their overall approach. As required by Article 24 GDPR, the controller must take into account the ‘nature, scope, context and purposes of processing’. In addition to the two points already mentioned, this element requires the controller to be able to demonstrate that he or she acts in a consistent way, ie by taking into account relevant contextual information. The identification, evaluation, and corresponding actions decided by the controllers should form a consistent ensemble of measures.

This requirement can also be interpreted from the perspective of Article 40 GDPR (Code of conduct). Associations or groups of controllers may adopt codes of conduct explaining and specifying how they apply the GDPR. Interesting for the present argument is the list of Article 40(2)(a)–(k). The letters (a)–(k) need to be integrated into a consistent approach by the controller (individually) or by an association of controllers (collectively).79 It is not sufficient to address each point individually; they need to be addressed as a coherent whole. It is worth noting that the idea of a ‘code of conduct’ itself bears this requirement of consistency. If gathered and organized in the form of a ‘code’, the decisions made by the controller(s) need to display consistency. The idea of an inconsistent code appears almost self-defeating.

For this sake, the controllers can use the body of ethical literature on drafting codes of conduct.80 The effort required by the GDPR can be located in the ‘ethics of practices’ which Floridi and Taddeo have called for in the ethics of data.81 As they propose, the goal is to ‘define an ethical framework to shape professional codes about responsible innovation, development and usage, which may ensure ethical practices fostering both the progress of data science and the protection of the rights of individuals and groups’.82 These codes of conduct are especially important in highlighting the link between the ethical culture within a company and its impact on staff members.83 The ‘ethics of practices’ is about the individual ethos of data-specialists, but it is even more about the organizational and institutional environment in which individuals are asked to work and carry out their responsibilities. The development of a code of conduct is a way to underline the relevance of these organizational and institutional features.

Applied as a post-facto control mechanism, the principle of proportionality further impacts these three modulations. Daring an analogy with the general application of proportionality in EU law, we can assume that the level of scrutiny applied to the responsibility of controllers will evolve over time through a nascent case-law. As explained by Craig with respect to discretionary policy choices made by the EU, the principle of proportionality is also applicable to cases in which the EU enjoys a wide margin of discretion when pursuing a general policy goal which might require complex assessment (eg agriculture policy).84 However, recognising the complexity of the parameters which should be taken into account, the CJEU applies a relatively low-intensity proportionality test which takes the form of a ‘manifest disproportionality’ test.85 According to Craig, this low level of scrutiny is best explained as an admixture of concerns relating to expertise and legitimacy. In these policy areas, the EU has been given broad discretion, which it should be able to use without judges substituting themselves for the primary decision-makers.86 The relevant analogy to Articles 24 and 35 GDPR is that the controllers can have a large margin of appreciation in conducting their risk assessment, especially in the first years of the GDPR. However, administrative and judicial actors will specify the meaning of Articles 24 and 35 (in conjunction with Recital 75) by identifying ‘manifest’ failures to respect one’s responsibility.

The evolving responsibilities of the controller

Overall, this case-law evolution will make the concept of responsibility for controllers evolve. To exemplify these evolutions, I rely here on the conceptual framing proposed by van de Poel and Sand regarding the ‘variety of responsibilities’ in the context of innovation.87 Issues of responsibility are usually addressed in terms of blameworthiness and liability issues for past errors.88 In this sense, controllers can be held responsible for what they have done (or failed to do) in the past.

Going beyond this classical focus of responsibility as liability, the reflection on the modulation between ethics and law can enrich the discussion by focusing mainly on two aspects highlighted by van de Poel and Sand as being particularly relevant for actors involved in innovation processes.89 These new conceptions of responsibility mirror additional competences which controllers should acquire when fulfilling their obligations. Either for a person or a team, the arguments presented so far have been demanding in terms of what the controllers should be able to do. The two understandings of responsibility discussed below try to specify the type of competences required.

Firstly, van de Poel and Sand focus on responsibility as accountability, defined as having a ‘prescriptive dimension as it presumes the ability and willingness to account for one’s actions and to justify them to others’.90 This understanding of responsibility is of direct interest to us because it depends on the quality of the justification offered in the context of a specific community. It underlines the public dimension of the risk-based approach prescribed by the GDPR. This understanding of ‘justification’ refers to our fundamental condition as human beings acting and reflecting upon reasons in potentially conflicting situations. As Rawls explains, ‘justification as argument is addressed to those who disagree with us […]; being designed to reconcile by reason, justification proceeds from what all parties to the discussion hold in common’.91 This understanding of justification refers to a deliberative exercise of critical and comparative arguments since it confronts rival normative propositions for a specific decision ‘against a background presumption of possible objection’.92

Secondly, van de Poel and Sand focus on responsibility-as-virtue. This understanding is focused on certain character traits of the innovator: ‘this can be exemplified with an agent’s disposition to assume or to take responsibility and an awareness of a range of relevant normative demands’.93 According to this understanding, responsibility-as-virtue is associated with due care to others. Here also, it appears as a corollary of the risk-based approach prescribed by the GDPR. The risk identification and assessment cannot be apprehended as a purely technical task, not even as a purely legal task. They are prescribed and embedded in the law, but this same law integrates further normative elements through the evaluative judgment it requires. It means that controllers play a role with an impact which goes beyond their ‘technical’ tasks. Responsibility-as-virtue underlines the requirement to foster the competences of controllers in order to empower them to see their activities as part of a community’s life, with specific expectations in terms of justifications and values. They are part of a broader societal debate in which they are required to play an active role in integrating others’ perspectives. As shown here, it would be false to consider these tasks purely ‘ethical’ (in the sense of being non-binding). They are legal tasks, prescribed by the GDPR, but with an unavoidable openness towards ethical resources. In this sense, this section has exemplified how ethics can contribute in three different ways to this risk-based approach.

Conclusion: A blueprint

The objective of this contribution is to provide practitioners and judicial bodies with a blueprint for modulating between ethics and the law within the GDPR. As argued by Raab and Hijmans, ‘ethical analysis is becoming part of the application of data protection law, specifying the ethical content of data protection principles and the human-rights rationale of data protection law’.94 To recall, we distinguished between ethics as a normative investigation of values and ethics as substantive positions anchored in specific values. In light of this working definition, the main ambition of this article is to make an argument about how to interpret legal norms, not about the substantive positions which should be used for this interpretation. In the course of our reflections, we have often identified ethical resources which a controller (or the institutions reviewing its assessment) should draw upon in the sense of making explicit his/her presuppositions. We have not argued for any particular substantive understanding of these resources.

With this methodological ambition, the present contribution has identified two types of norms which modulate between data ethics and data law. The first type of norms is the ‘principles’ of the GDPR, namely the general and foundational legal norms of the regime. These norms are the normative pillars of the GDPR in terms of legitimacy. To draw upon these principles, we should use a Rawlsian reflective equilibrium approach. The basic insight here is to start with a preliminary understanding of these principles, before trying to bring about coherence between this understanding and the way in which these principles are interpreted and applied. Reflective equilibrium serves as an instrument for making one’s assumptions about these principles appear explicitly.

The second type of norms is those which require an evaluative judgment. As with the first type of norms (principles), the challenge here is one of interpretation, but, in addition, it is also a challenge of evaluating a specific situation. As exemplified mainly by the responsibility of controllers of data, the GDPR requires specific actors to evaluate the risks that their activities pose to individuals and organisations (risk-based approach). For this type of norm, I have proposed that ethical resources can be useful on three distinct levels. First, ethical resources are useful in the identification and assessment of the risks that data users can be expected to contend with. Secondly, beyond the identification and assessment of risks faced by data controllers, ethical resources can be used to improve the controllers’ processes. The scholarship on responsible innovation is a critical source of inspiration for organising the controllers’ processes in a coherent manner. Thirdly, ethical resources can be drawn upon for the identification and formulation of practices for the controllers in the form of codes of conduct. Overall, these three contributions help controllers make sense of their responsibilities in light of the GDPR’s requirements.

By elucidating these different points of modulation between data ethics and data law, this article has shown how ethical resources can be made fruitful in the context of a legal investigation. Accordingly, it will help practitioners to better distinguish between a critical qualification of the GDPR as an ‘ethical’ legislative act (ie a substantial evaluation of the GDPR as a good/just piece of regulation) and a legal argument that requires specific actors to engage in an ethical investigation and to draw upon ethical resources. The contribution should provide legislators and data controllers with a valuable resource for optimising their interpretation of a nascent data law regime.
