This issue of the International Review of Law, Computers & Technology presents some current and innovative papers from the 2021 annual BILETA conference on the theme: ‘Taken by surprise: (Re)constituting the critical in an age of digital and pandemic’.Footnote1
The conference was hosted online for a second year due to the ongoing global pandemic. While not the same as a ‘face-to-face’ event, it did the BILETA community proud and benefitted not only from the conference organiser, Prof Paul Maharg’s wealth of experience in using technology for legal education purposes but also Kirsty Melvin’s wizardry in facilitating the conference. For example, the conference organisers provided a social hangout space where conversations about papers continued in breaks, and new and veteran attendees alike connected and re-connected.
Speaking of veterans, the Guest Editors and BILETA members take this opportunity to pay tribute to Dr Ken Russell, who sadly passed away in 2021. Ken was a stalwart of the BILETA community, a regular attendee at the annual conference and a very supportive editor, always encouraging young scholars to submit articles for publication in this journal. His loss is profound, and he is sorely missed; however, his legacy and contribution to technology and legal education will live on within BILETA and beyond, in the years to come.
The papers in this special issue – edited by Prof Dinusha Mendis, Dr Kim Barker & Dr Karen Mc Cullagh – reflect that spirit, bringing together a selection of the excellent research papers presented at the 2021 conference. As the 2021 conference call stated:
Digital itself bewilders us with its protean shifts and its relentless permeation of our lives and work. It plays key roles in liberating us, misinforming us, regulating us, oppressing us, profoundly influencing our very foundational concepts of democracy, the good, learning, global economic dependencies, epistemic critique, and epidemic transfer. How can we constitute or re-constitute what it is to be critical of and through technology in such a world? How can we be critical and insightful?
It begins with Varošanec’s article which traces the development of a proposed EU regulation on Artificial Intelligence (AI). She contends that the AI Act (in its current form) fails to address the power imbalance between private parties developing AI systems and public authorities using them. Specifically, she is concerned that insufficient attention is paid to transparency and argues that if it continues to remain in an ethical as opposed to legal framework, then AI developers will be able to self-assess their compliance with it and will equally be able to disregard or minimise compliance with aspects that do not fit with their business interests. Varošanec, therefore, claims that this will impede the ability of public authorities utilising such AI systems to provide reasons for their acts and decisions. Ultimately, this could leave an individual with little or no form of redress and reduce their trust in public authorities that use such AI systems.
Moving on from AI, Chiara’s article focuses on the security of Internet of Things (IoT) products. His article begins by exploring whether existing law, specifically the EU Cybersecurity Act is adequate. Concluding that it is not, he reviews the lessons that can be learned from EU product legislation, including the Radio Equipment Directive (RED), strengthening wireless devices’ cybersecurity, the Medical Devices Regulation, the Proposal for a General Product Safety Regulation and the Proposal for a Machinery Regulation. The review of EU products legislation illustrates that the Commission’s position has changed over the years, from its initial stance of voluntary approaches to the cybersecurity of IoT products lest it stifle innovation to mandatory inclusion of cybersecurity requirements in EU product safety laws. Thereafter, it considers the proposal for a revised Network and Digital Security Directive (NIS2) and assesses its potential impact on the field of IoT cybersecurity and demonstrates that whilst it will strengthen the level of cybersecurity protection offered to the IoT ecosystem, the NIS2 Directive will not address all IoT cybersecurity concerns. Accordingly, it concludes that new horizontal legislation is needed to address the cybersecurity issues pertaining to IoT products and explains that the legislation should be based on the principles of the New Legislative Framework, with ex-ante and ex-post cybersecurity requirements for all IoT sectors and products categories.
Bednarz meanwhile explores a different aspect to markets and data in her paper examining consumer data profiling and the resultant harms that can be caused as a result. Bednarz’s article examines how data profiling may also bring about harms to consumers, which could range from data breaches to unfair pricing, digital manipulation, discrimination, and exclusion of vulnerable consumers. This can be particularly problematic in financial services context due to the consequences it has on consumers’ access to financial products. In exploring these issues, Bednarz examines the issues by looking at the new rules which came into force in October 2021 in Australia, introduced through the Treasury Laws Amendment (Design and Distribution Obligations and Product Intervention Powers) Act 2019, as well as the data protection rules applicable to financial firms in Australia: Australian Privacy Act 1988 and the GDPR. In exploring this technological problem, Bednarz questions what happens if these frameworks fail to strike a balance between (surprisingly) competing interests of consumer protection regarding the provision of appropriate financial products and the use of consumers’ data in digital profiling?
The consumer theme continues in Vellinga’s article examining the hacakability of vehicles, and the cybersecurity risks posed by connected vehicles. Vellinga’s exploration starts by scrutinising the recent legislative steps made to improve the cybersecurity in both conventional and automated vehicles, before questioning the role of cybersecurity as it enters the realm of road safety. Vellinga questions whether the legal framework is fit for purpose, identifying gaps in the current provisions. As this contribution argues, the focus of the current legislative measures falls predominantly on the ‘first line of defence’. These measures aim to prevent unauthorised access to the vehicle’s systems but fail to identify the steps necessary to limit the damage that can be done if this first line of defence is breached and unauthorised access is gained.
The article by McLachlan et al continues the theme of connected vehicles – however, adopts a different perspective. The paper investigates in detail the background, framework and content of the United Nations Economic Commission for Europe World Forum for Harmonization of Vehicle Regulations Working Party 29 (UNECE WP.29) cybersecurity regulation. Whilst McLachlan’s paper also questions whether the law is fit-for-purpose, it does so by examining the overall description of the processes required for certification whilst discussing gaps, issues, and the impact of implementation on key stakeholders. Through this analysis, the paper provides recommendations for manufacturers and the authorities responsible for overseeing the process. In conclusion, and in putting the discussion into a broader theoretical framework on risk certification, the paper examines the role of non-academic sources to shape public risk perception to identify legislative responses.
Egan meanwhile examines a different aspect of the suitability – or otherwise – of existing laws, and offers a discussion of information rights as tools of empowerment. In Egan’s article, the impact of the Covid-19 pandemic on digital public spaces is examined in the context of abuse. Egan posits that while there are renewed calls for the regulation of such abuses, much of this focuses on the design and enforcement of criminal law, to the detriment of other enforcement mechanisms, especially those within the context of information rights. Her article advances the argument that information rights offer significant potential to enable victim/survivors to gain control over personal information, to feel empowered, and to improve their mental health and well-being.
Whilst the authors of articles in this special edition have grappled with technlogical and regulatory challenges, and provided cogent critiques of legislative proposals, providing much food for thought, some of the issues discussed in this edition remain contested and unresolved, and we will – as a scholarly body – continue to grapple with them during the 2022 BILETA conference – and beyond.
Notes
1 Other papers presented will be published in the European Journal of Law and Technology.