The (In)Flexibility of Techno-Regulation and the Case of Purpose-Binding

2011; RELX Group (Netherlands); Language: English

ISSN

1556-5068

Authors

Bert‐Jaap Koops

Topic(s)

Cybersecurity and Cyber Warfare Studies

Abstract

Current literature on techno-regulation – the conscious deployment of technology to regulate people’s behaviour – briefly touches upon the issue of flexibility. On the one hand, it is suggested that technology-embedded rules tend to be rigid, whereas legal norms are flexible and open to interpretation. On the other hand, technology in principle allows for flexibility through open configurations and the plasticity of software, while law is relatively static. This article analyses the role of open norms and software plasticity in techno-regulation in order to shed more light on the (in)flexibility of techno-regulation. This is done through a case study of the legal norm of purpose-binding in data-protection legislation. The issue of flexibility and interpretation plays at the level of both the legal norm (purpose-binding in the Data Protection Directive) and its application in practice (defining purposes for concrete data processing). Regulating data protection with purpose-binding is trying to control a moving target – purposes for data processing that shift in the database age – with an instrument that is itself far from fixed, since it is an open, procedural norm. The case study provides a heuristic for looking at the feasibility of techno-regulation, in highlighting three steps involved in techno-regulation: identifying the legal norm, moving from legal norm to techno-rule, and deploying the techno-rule in practice. The core step is the second, where the transition from law to technology is primarily made, in which three levels are distinguished: a) development of technical frameworks (e.g., privacy markup languages such as P3P and EPAL), b) filling in the frameworks for concrete cases, and c) enforcing links between actions and rules within the framework. The case of purpose-binding adds to our understanding of techno-regulation and flexible rules by suggesting the following insights that can be studied and developed in further research.
A trade-off exists between the plasticity of technology in techno-regulation and the usefulness and adoption of techno-regulation. The more plastic the techno-regulation, the less it adds to legal regulation; and the more it is to add, the more rigid it will have to be. Techno-regulation may be a realistic venture for simple rules that are well suited to be represented computationally, which may help organisations in compliance assurance, but it has little added value in terms of enhancing precision or enforceability, and may therefore be less interesting from a regulatory and theoretical perspective. Techno-regulation as enforcement of a legal norm is problematic if the norm itself is complex due to openness, fuzziness, contextual complexity, or regulatory turbulence. Since much cyberlaw and privacy law is complex and in flux, perhaps paradoxically, techno-regulation does not seem particularly suited to regulate cyberspace itself or to enhance privacy. The outlook for techno-regulation may therefore be limited. Rules need breathing space, and it still takes a human being to make a rule come to life.
