Chagal-Feferkorn & Elkin-Koren on LEX AI: Revisiting Private Ordering by Design

Karni Chagal-Feferkorn (University of Ottawa Common Law Section) and Niva Elkin-Koren (Tel-Aviv University – Faculty of Law) have posted “LEX AI: Revisiting Private Ordering by Design” (Berkeley Technology Law Journal, Vol. 36) on SSRN. Here is the abstract:

In his seminal paper from 1997, Professor Joel R. Reidenberg articulated a novel governance strategy known as “Lex-Informatica.” Under the principles of Lex-Informatica, norms are no longer shaped by leaders, legislators, or judges, but rather by technological capabilities and design choices that grant users the flexibility to shape their own online experience based on their preferences. A quarter century later, a “second generation” of online governance systems has emerged, making use of artificial intelligence: “Lex-AI”.

The literature on governance by AI often focuses on governance of AI, seeking to render AI decision-making more compatible with principles of fairness, due process, and accountability. Scholars have also focused on who is governing behavior by using AI. Missing from these discussions is an inquiry into how norms are generated and enforced through the proliferation of AI. Ultimately, in order to govern AI and fully understand its social implications, we must first ascertain what is lost in translation as we shift to AI in deciding legal matters.

This paper explores how Lex AI governs and the implications of shifting from governance by a set of legal norms to the governance of human behavior and social relations by data-driven algorithms.
We argue that Lex AI is a sui generis type of governance—one which deserves scrutiny by regulators and policymakers. Lex AI bypasses autonomous choice as it is often based on personalization that is conducted for the user and not by the user. As such, it does not neatly fit the definition of private ordering—the process of setting up of social norms by parties involved in the regulated activity. When viewed as a distinct type of collective action mediated by algorithms, Lex AI may enable efficient collection of granular information on the preferences, needs, and interests of members of society, but Lex AI also raises new types of challenges. Path dependency, coupled with the reduced opportunity to signal users’ true preferences or to take part in the deliberation of the applicable norms, may render Lex AI a less efficient and less legitimate form of governance.
Shaping Lex AI to enhance social welfare may require a fresh way of thinking about these challenges and the public interventions that might address them.

Congiu, Sabatino & Sapi on The Impact of Privacy Regulation on Web Traffic: Evidence From the GDPR

Raffaele Congiu, Lorien Sabatino, and Geza Sapi (European Commission; University of Dusseldorf) have posted “The Impact of Privacy Regulation on Web Traffic: Evidence From the GDPR” on SSRN. Here is the abstract:

We use traffic data from around 5,000 web domains in Europe and United States to investigate the effect of the European Union’s General Data Protection Regulation (GDPR) on website visits and user behaviour. We document an overall traffic reduction of approximately 15% in the long-run and find a measurable reduction of engagement with websites. Traffic from direct visits, organic search, email marketing, social media links, display ads, and referrals dropped significantly, but paid search traffic – mainly Google search ads – was barely affected. We observe an inverted U-shaped relationship between website size and change in visits due to privacy regulation: the smallest and largest websites lost visitors, while medium ones were less affected. Our results are consistent with the view that users care about privacy and may defer visits in response to website data handling policies. Privacy regulation can impact market structure and may increase dependence on large advertising service providers. Enforcement matters as well: The effects were amplified considerably in the long-run, following the first significant fine issued eight months after the entry into force of the GDPR.


Solove on The Limitations of Privacy Rights

Daniel J. Solove (George Washington University Law School) has posted “The Limitations of Privacy Rights” (98 Notre Dame Law Review, forthcoming 2023) on SSRN. Here is the abstract:

Individual privacy rights are often at the heart of information privacy and data protection laws. The most comprehensive set of rights, from the European Union’s General Data Protection Regulation (GDPR), includes the right to access, right to rectification (correction), right to erasure, right to restriction, right to data portability, right to object, and right to not be subject to automated decisions. Privacy laws around the world include many of these rights in various forms.

In this article, I contend that although rights are an important component of privacy regulation, rights are often asked to do far more work than they are capable of doing. Rights can only give individuals a small amount of power. Ultimately, rights are at most capable of being a supporting actor, a small component of a much larger architecture. I advance three reasons why rights cannot serve as the bulwark of privacy protection. First, rights put too much onus on individuals when many privacy problems are systematic. Second, individuals lack the time and expertise to make difficult decisions about privacy, and rights cannot practically be exercised at scale with the number of organizations than process people’s data. Third, privacy cannot be protected by focusing solely on the atomistic individual. The personal data of many people is interrelated, and people’s decisions about their own data have implications for the privacy of other people.

The main goal of providing privacy rights aims to provide individuals with control over their personal data. However, effective privacy protection involves not just facilitating individual control, but also bringing the collection, processing, and transfer of personal data under control. Privacy rights are not designed to achieve the latter goal; and they fail at the former goal.

After discussing these overarching reasons why rights are insufficient for the oversized role they currently play in privacy regulation, I discuss the common privacy rights and why each falls short of providing significant privacy protection. For each right, I propose broader structural measures that can achieve its underlying goals in a more systematic, rigorous, and less haphazard way.


Nabilou on Probabilistic Settlement Finality in Proof-of-Work Blockchains: Legal Considerations

Hossein Nabilou (University of Amsterdam, Amsterdam Law School; UNIDROIT) has posted “Probabilistic Settlement Finality in Proof-of-Work Blockchains: Legal Considerations” on SSRN. Here is the abstract:

The concept of settlement finality sits at the heart of any type of commercial transaction; whether the transaction is in physical or electronic form or is mediated by fiat currencies or cryptocurrencies. Transaction finality refers to the exact moment in time when proprietary interests in the object or medium of transaction pass from one party to his counterparty and the obligations of the parties to a transaction are discharged in an unconditional and irrevocable manner, i.e., in a way that cannot be reversed even by the subsequent legal defenses or actions against the counterparty. Given the benefits of finality in terms of legal certainty and its potential systemic implications, legal systems throughout the globe have devised mechanisms to determine the exact moment of the finality of a transaction and settlement of obligations conducted using fiat currencies as a medium of exchange. However, as the transactions involving cryptocurrencies fall beyond the scope of such rules, they introduce new challenges to determining the exact moment of finality in on-chain cryptocurrency transactions. This complexity arises because the finality of the transactions in the cryptocurrencies that rely on proof-of- work (PoW) consensus algorithms is probabilistic. The probabilistic finality makes the determination of the exact moment of operational finality nearly impossible.

After discussing the mechanisms of settlement of contractual obligations in the traditional sale of goods as well as payment and settlement systems – which rather than relying on the concept of operational finality, rely upon the concept of legal finality – the paper argues that even in the traditional payment and settlement systems the determination of operational settlement finality is nearly impossible. This is because no transaction, even a transaction involving a cash payment, cannot be operationally deemed irrevocable as it remains prone to hacks or unwinding by electronic means or mere brute force. The paper suggests that the concept of finality is inherently a legal concept and, as is the case in the conventional finance, the moment of finality in PoW blockchains should also rely on the conceptual separation of operational finality from legal finality. However, given the decentralized nature of cryptocurrencies, defining the moment of finality in PoW blockchains, which may require a minimum level of institutional infrastructures and centralization to support the credibility of the finality, may face insurmountable challenges.