Law and Technology in a Global Digital Society

Artificial intelligence and autonomous systems are a central technological basis for the global transformation of the economy and society into the so-called “digital society”. This transformation process requires an adaptation of the legal framework for this technology, the scope of which goes far beyond partial amendments in matters of detail, but raises fundamental questions of law. The question of the role of machines in law is relevant in numerous areas of law and calls for new legal concepts.

The following article outlines the current legal discussion on the legal framework for autonomous systems and describes legal challenges of artificial intelligence in the field of civil and commercial law.

The conventional criminal law theory usually relies on the idea of humanism, where human agent, who is independent of his/her external circumstances, can unilaterally control non-human agent through his/her free will. However, AIs and emerging technologies gradually reveal that we will not be able to sustain this assumption, due to the “autonomous” nature of these artifacts. It becomes more and more obvious that these artificial objects influence our mode of existence in various ways. Therefore, it is important to focus on and to analyze interpenetrative relationship between human subject and artificial object, in order to reconstruct the criminal law which can accompany with the recent technological development. The future criminal law should not exclusively target the will of human agent, rather it should consider the nature of hybrid of subject/object and distribute the criminal responsibility to human and non-human thorough structured democratic process for elaborating our “good life.”

In the legal discussion on autonomous systems, the question of responsibility for damage caused by these systems is a major issue. This article analyzes the current law and the ongoing discussion on liability for damages caused by autonomous systems in European and German law with the aim of providing impulses for the development of an adequate legal framework for liability. It focuses on the question of the appropriate concept and addressees of liability.

The article comes to the conclusion that the traditional fault-based liability de lege ferenda has to be supplemented by a system of strict liability and in this respect advocates a strict liability in the sense of a causal liability. The addressee of strict liability should not only be the operator of the system, but also its producer. With regard to causal liability of the producer, however, a differentiation is required: The producer should only be the addressee of causal liability if, instead of the operator of the system, he plays the central role in controlling the risks emanating from the autonomous system.

Not all legal bases can be useful for automated decision-making, eventually not even the ones provided by Article 22 GDPR. The method used to make automated decisions and to profile data subjects using Machine Learning technologies is still somehow obscure to the data protection community—and beyond. Strengths and weaknesses of automated decisions should dispel some myths and encourage a better understanding of this complex phenomena and its functioning.

The rise of new technologies allow massive collection of data and transform the suspicion standards, as well as the old school small-data policing. Our daily routines, social networks, biometrics and thoughts feed private and public databases, while profiling algorithms turn all the noisy data into information. Inferences from digitised data lead to a new type of suspicion that drives not from the observation of individuals’ actions, but rather from their interconnected data. This chapter analyses the technologies, which pave the way for a new type of policing and traces the consequences of algorithmic suspicion. It further elaborates the legality and proportionality of the interference with fundamental rights before a citizen does anything overtly criminal. Finally, it questions whether new data protection rules at European Union level meet the challenges of the data-driven predictive policing.

The aim of this chapter is to assess the level of privacy available to cryptocurrency users. Even though privacy is often mentioned as a reason to use cryptocurrency, the privacy level is in reality quite low. This should first of all be explained because of the transparency of the transactions’ register and second of all because of the difficult applicability of data protection measures. This is being illustrated through the question of the applicability of the General Data Protection Regulation. In this respect, two principal maladjustments problems are addressed: those regarding the addressees of the General Data Protection Regulation’s provisions and those resulting from the immutability of the register. These uncertainties have tended to strengthen the development and use of anonymization techniques by the community to compensate the transparency of the register. The chapter finally addresses these techniques, their potential as a privacy-enhancement tool but also their limits to ensure users’ fundamental right to data protection.

While algorithmic decision-making has been used in the private sector for years, we have only recently started to apply it in mainstream fields of the public sector. The key concept is to increase efficiency through automated processes. In many legal frameworks, efficiency is also a guiding legal principle for public administration. Hence, the argument could be made, that public bodies must employ algorithmic decision-making, insofar as it is more efficient than conventional procedures. In the article, the merits of this argument shall be evaluated at the example of the Austrian legal framework. Economic efficiency is described as a legal principle and public interest and its relationship to other interests such as privacy is explored.

Digital assistants become more relevant and create some data protection related questions. This paper gives an overview over this new data protection challenges.

GDPR compliance for non-EU companies face a significant legislation and implementation gaps. One of the most common myths about GDPR that non-EU companies can easily avoid the implementation of the regulation and penalties. But GDPR is built in such a way that not only to force a non-EU company to fully comply with GDPR, but also force the company from the EU territory to carefully select its counterparties for the processing of personal data from outside the territory of the European Union. This study aims to determine how GDPR compliance for East European non-EU companies can be better targeted in order to increase privacy of personal data floating out of European Union. Specifically, it investigates on example of Ukraine, as non-EU country and other neighboring countries whether the fundamental privacy rights should be granted a higher level of protection and non-compliance with the requirements of the GDPR can have a negative impact for non-EU organizations and companies for non-compliance.

Data protection, which aims at protecting the right of individuals to informational self-determination, requires appropriate IT security measures. However, the relation between data protection and IT security is more complex: Protection goals from both fields are identical in some cases, but contradictory in others. Reactive security measures require the processing of vast amounts of personal information, but are often necessary to protect other (personal and non-personal) information. The article attempts to shed some light on this complex relationship.

IT security is a central basis for industrial networks, so-called “Industrie 4.0”, as indicated by current security incidents and criminal attacks on IT systems, some of which have caused dramatic damage. The significance of the law for IT security and the design of a legal framework for IT security have not been clarified yet. This is probably also related to the fact that IT security has been understood traditionally as a technical task.

This paper analyzes, on the basis of German and European law, the potential of the various legal instruments for ensuring IT security. This analysis relates to the two central tasks of law in in the area of IT security, the formulation of normative requirements and the enforcement of such requirements. Finally, conclusions are drawn for the further development of the legal framework for IT security.

It is all too common to call for an intervention by means of criminal law whenever a severe wrong occurs—such as when private personal data of politicians are leaked, when malicious websites use a special JavaScript applet to mine Bitcoin on visitors’ computers (cryptojacking), or when a social bot spreads “fake news”. In this article, I provide an overview over core concepts, models, and limitations of a regulation of IT security through criminal law. On the basis of the German and European Union legal orders, I discuss generic regulatory aspects of substantive criminal law (1) and provide an overview on the criminal law provisions on cybercrime (2). On this basis, I analyse the role criminal law already has in regulating IT security in the EU and in Germany, and how this role may expand in the future (3).

Conducting banking transactions via Online Banking is well established in today’s society. It is therefore not surprising that it is subject to frequent criminal attacks which lead to high economic damage. The so-called phishing attacks, which have been occurring in Germany since about 2005 are a particular example of this. The investigation of phishing cases is interesting from both a technical and a legal perspective. This article gives a basic overview of the development of phishing in recent years, different attack methods and various Online Banking procedures with which attempts are made to protect against phishing attacks. Furthermore, this contribution explains the basic European and German legal rules which apply in case of a phishing attack. Since the attacker cannot usually be identified and held accountable, it must be determined who is liable for the damage caused by the phishing attack. Phishing in Online Banking has received very specific legal regulation, initially European and subsequently at German level. This paper will therefore examine the apportionment of risk under German law and according to the currently applicable European standards introduced by the First and Second Payment Services Directives. In addition, the most important innovations introduced by the Second Payment Services Directive are considered, in particular the so-called Two-Factor authentication.

The Internet of Things (IoT) will revolutionize the way we interact with physical objects, connecting each other and also connecting them to the Internet to make everyday life easier, with an intense flow of data and information from all consumers. The purpose of this article is to verify the functioning of the Internet of Things, as well as analyze the right to privacy in this new technology in a smart network. For that, the method used was the deductive method. It is concluded that the principle of transparency is the guideline for legal conduct on the capture and processing of data and information in the IoT structure.

The paper looks at the past, present and future of AI in the legal sector through the lens of the public reaction to Alpha Go’s victory over a human opponent. It discusses the merit and limits of the “game metaphor” for an evaluation of legal AI, and asks in particular if empathy and creativity in law will become pushed aside should more and more legal tasks get performed by machines. Or can we instead think of different futures, either because of our evolving understanding of what it means to be a “good lawyer”, or our evolving understanding of the capabilities of AI?

Lawmakers and theorists around the world are debating the need for a new set of rules to support transactions in a distributed ledger. It is particularly important for civil law countries because they rely on specific legislation provisions in order to formalize what has already appeared in practice. The same situation applies to smart contracts. The article addresses the appropriate legal response to smart contracts as a type of new digital contractual relationship. The author analyses their characteristics in Belarus, in the EU countries (Portugal, Germany, and Italy), and Russia, where the smart contract term has not yet appeared in legislation. Based on a review of the current legal approach to smart contracts in these countries it is determined whether new e-commerce trends towards creating a fundamentally different environment require a new legal approach.

This contribution looks at different forms of internet-based crowdsourcing to engage the general public in the legislative process. While defining the requirements that make this particular application of crowdsourcing possible and evaluating three representative examples (the Finnish off-road traffic law, the Icelandic constitution reform process, and the platform Madison in the United States), two main approaches are identified as the most promising forms of crowdsourcing in order to engage as many people as possible. These are Feedback/Commenting as well as Know-How Accumulation, both due to their ease of access. Furthermore, arguments for and against the use of crowdsourcing in the legislative process are presented. The overall conclusion, despite some hurdles, is positive in that citizen engagement via crowdsourcing, under the right circumstances, has the potential to lead to a more deliberative, representative, open and transparent process that also heightens governments accountability, increases the quality of newly drafted laws and improves the overall acceptance of democracy itself.