The official version of this Book Review was published on European Data Protection Law, issue 4, 2019, pp. 583-585 (please cite only the official version).

The mission of this volume is clear and brave: teaching (relevant) law to computer scientists “and Other Folk”. It comes from the wide experience of Mireille Hildebrandt in teaching “Smart Environment, Data Protection and the Rule of Law” at a Computer Science faculty (Radboud University). This book is not only the last gift of a dedicated teacher before leaving her classes (due to the beginning of a full-time research project, CoHuBiCol[1]), but also a small encyclopedia of ICT Law and a generous semantic experiment.

The added value of teaching law to people experts in other topics is similar to the emotional travel of explaining humanity to aliens: teaching means learning, explaining implies questioning and addressing segments becomes looking for the bigger picture of the system. The audience of the book is extremely important since it informs not only the title, but also the structure and the semantic of the volume: explaining a discipline to people who have their own (different) expertise, background and forma mentis requires an effort of intellectual empathy. That is why I call this book a “semantic experiment”: like in the example of aliens, the author needs to find first a shared grammar with her audience, starting from common grounds in order to clarify differences and deconstructing prejudices or instinctive precognition.

However, this essay is not only about explaining law to computer scientists. It reaches at least other two goals: explaining (to lawyers) what are the expectations and biases of computer scientists about law; and introducing lawyers to the intersection between law and computer science. That is why we could also read the title as “Computer Science for Lawyers and Other Folk”: not only lawyers are made able to understand complex computational notions (like Machine Learning, AB testing, p-hacking and Distributed Ledger Technologies, only to mention some), but they are called to participate in the mission of this interdisciplinary dialogue. In doing this, the author never yields to the temptation of using mainstream keywords (AI, blockchain), while preferring instead a more respectful and descriptive semantic (‘AB testing’, ‘DLT’, etc.).

The book has a clear structure, based on three Parts: I. What Law Does, II. Domains of Cyberlaw and III. Frontiers of Law in an Onlife World. In the first Part, the volume deals with the general notions of law, democracy and the rule of law, with an analysis of different legal sectors (private law, public law, criminal law), including the more delicate perspective of international and supranational law. This Part is an occasion for non-lawyers to understand the density of our modern legal structure, and to correctly position the other chapters of the book in a broader picture.

The second Part analyses more in detail issues of ICT law: privacy and data protection, cybercrime, copyright in cyberspace, and private law liability for faulty ICT. One might think that this part is just an introduction to cyberlaw, but actually it is a deep analysis of existing legislation and caselaw and where the author manages to clarify important points that are usually misunderstood (just to take the example of data protection, e.g., it rightly position the discussion on lawfulness of data protection, it largely explains the potentiality of the risk-based approach and of the Data Protection Impact Assessment, even beyond mere data subjects, it gives an intellectual contextualization of the idea of Data Protection by Design and of profiling regulation).

 

The third Part addresses some of the most controversial and innovative topics in law & technology: Legal Personhood for AI; Legal by Design and Legal Protection by Design; the relationship between ethics, law and code (the “closure” chapter, where closure is not only meaning conclusions, but, more interestingly, the different attitude of ethics, law and codes to adaptive flexibility). The structure of the book is, thus, like an ascending climax from the general picture of the Rule of Law to the stimulating new legal frontiers of digital life.

One of the clearest lessons that the reader learns about (cyber)law is the elegance of complexity. Complexity of “regulating technology”, i.e. considering technology as an object of regulation (data protection, cybercrime, software copyright, faulty ICT are all examples), but also a subject of regulation, subject in terms of legal subjectivity (personhood of AI), as well as subject in terms of the tool (the code) that provides regulation as an alternative to law (and ethics).

One of the main protagonists of this volume is the language. Legal architecture appears as an affordance of language (horal, written, printed, encoded, as the first chapter suggests), but language is also a common ground for lawyers and computer scientists. Both Law and Computer Science codify, i.e. translate open principles into circumscribed rules, but they do it through different levels of adaptive flexibility and closure. Language affordance is, thus, both a methodological issue and an object of analysis. This becomes particular clear in several parts, in particular when the author explains the interpretation of positive law, in particular the notion of reasonableness or the notion of privacy.

As Hildebrandt affirms, the current use of the notion of privacy in computer science is mostly limited to anonymity and re-identification, but privacy is historically and conceptually much more than that. It is grounded on personhood and identity: the author employs the idea of the mask (from the Latin etymology of “persona”). The mask is both the symbol of human identity and a shield from unreasonable intrusions, both a channel to the world and a barrier from the world. This is why she defines privacy as a “moving target”. After explaining the different theories and historical interpretations of privacy, Hildebrandt argues that looking for a specific meaning may be a sterile exercise: it is much wiser to assume Wittgenstein’s notion of “family of resemblance”, a pragmatic bottom-up approach according to which “privacy should be seen as a practice rather than as a formula”. And the reference to the “formula” is not random: formula as well as codes lack adaptive flexibility. Accordingly, she argues, the notion of privacy by design (as well as legal by design or even fairness by design) needs to be discussed through a more flexible approach: privacy (and legal or ethical rules in general) cannot be merely “translated into codes”. From (ethical) principles to (technology-driven) effects there are several intermediate layers that the computer scientist and the lawyers need to consider.

This is clear also for the notion of fairness: Hildebrandt explains that there might be several “ethical” approaches to that concept, e.g. from uninformed utilitarianism, to Rawlsian “maximin” utilitarianism, to the Kantian idea of universal rules behind a veil of ignorance, to the more recent pragmatism (or consequentialism). However, the legal notion of fairness must be more circumscribed in order to be foreseeable, but it should be also contestable on legal grounds. On the contrary, the computational conception of fairness is formalized and fixed, since codes leave no room for ethical choices. This is why the path from ethics to law and from law to codes cannot be a one-way path. This path should be accompanied by adequate safeguards. Three tools could help: explanation, contestation and justification (three tools that – as the author affirms – we can find in different parts of the GDPR). Explanation of codes means clear information about their logic and functioning in order to be able to contest it. Once the code is contested, the code designer should provide a justification. This is a dynamic path: the code might be adapted after contestation and these adaptations might change both the explanation and the justification of algorithms. We remark that, as the author clearly argues, explanation and justification are two separate concepts, the first relates to the transparency of the code (and it enables contestation), the second relates to its compatibility with lawfulness and fairness.

From these reflections we can understand also the difference between “legal by design” and “legal protection by design”. The first concept is a dangerous exercise of translating principles into fix codes, the second one is a methodological attitude in order to prevent risks to fundamental rights and freedoms of individual (in a contestable, explainable and justifiable way).

As it emerges from this review, this work lays on tensions: between fairness and autonomy, tension between privacy and security, between adaptiveness and closure, between abstraction and pragmatism, “between salient complexity and practical effectiveness” (as for the scope of privacy and data protection).

In sum, this is also a precious intellectual autobiography of Mireille Hildebrandt. We rediscover some of her works on privacy and data protection in smart technologies,[2] on information property,[3] on political philosophy on agency[4] and on fairness of algorithmic systems,[5]  just to mention some. However, in the volume all these works and ideas flow in a fluent narrative, finding their exact location in a bigger picture. Although the book structure was thought for teaching, with the urgency to address all relevant cyberlaw topics in a limited space and deliver a complete and clear handbook to students, there is no sense of fragmentation: every chapter is connected to another as means to ends and vice versa. One example of this is the cybercrime chapter, which offers an explanation of criminal law in the cyberworld, and an occasion to “test” the concepts of human rights (mainly privacy) violations in public as explained one chapter before. Another example is the implicit dialogue between human identity and subjectivity in all three parts of the book.

Law for Computer Scientists and Other Folk defines itself as a “textbook and essay”, but while reading it we discover that it is much more. It is a guided tour in the intellectual dangers of modern law, an inclusive and patient dialogue between system and segments and a methodological manifesto for interdisciplinary acuity.

 

 



 

[1] Counting as a Human being in the Era of Computational Law, https://www.cohubicol.com/

[2] Mireille Hildebrandt, Smart Technologies and the End(s) of Law: Novel Entanglements of Law and Technology (Edward Elgar Publishing, 2015).

[3] Mireille Hildebrandt and Bibi van den Berg, eds., Information, Freedom and Property: The Philosophy of Law Meets the Philosophy of Technology, 1 edition (Milton Park, Abingdon, Oxon; New York, NY: Routledge, 2016).

[4] Mireille Hildebrandt, Antoinette Rovroys (eds), Law, Human Agency and Autonomic Computing, Routledge, 2011 https://www.book2look.com/book/ppvtK4IFCy.

[5] Mireille Hildebrandt and Serge Gutwirth, Profiling the European Citizen: Cross-Disciplinary Perspectives (Springer Science & Business Media, 2008); M. Hildebrandt, “The Dawn of a Critical Transparency Right for the Profiling Era,” in Digital Enlightenment Yearbook, ed. J. Bus, 2012th ed. (Amsterdam : IOS Press, 2012), 41–56, https://repository.ubn.ru.nl/handle/2066/94126; Mireille Hildebrandt, “Profile Transparency by Design? Re-Enabling Double Contingency,” 2013, https://works.bepress.com/mireille_hildebrandt/63/; Mireille Hildebrandt, “Privacy As Protection of the Incomputable Self: From Agnostic to Agonistic Machine Learning,” December 3, 2017, https://papers.ssrn.com/abstract=3081776.