Nine recommendations for EU governance of and by digital technologies

Over the past year-and-a-half, a number of TRIGGER research partners led by the International Risk Governance Center at EPFL have done in-depth work looking at EU governance of and by digital technologies. This issue is of increasing importance, as digital technology becomes an ever more central feature of the global governance landscape that is TRIGGER’s core focus.

This research on technology governance culminated in a recent report setting out nine recommendations for how the EU should proceed in this area. These recommendations draw on earlier work, including research on three technology domains (open standards and open source software, blockchain technologies, and artificial intelligence/machine learning) as well as wider cross-cutting analyses of evolving EU digital policy. We summarise the nine recommendations below:

1. Prioritise regulation of algorithmic decision-making

At the core of the EU’s values and traditions is the principle that technology should be at the service of humans and not the other way around. This is especially relevant in the case of artificial intelligence/machine learning (AI/ML). TRIGGER researchers focused in particular on the concerns that arise when an AI/ML system is used to make and implement decisions without human intervention or control, such as with autonomous driving or facial recognition technology but also with more benign-seeming cases, for example a hospital’s appointment scheduling system. Therefore, the recommendation is that the EU should ensure that any algorithmic decision-making concerning critical matters for consumers and citizens which occurs without appropriate human oversight is treated for regulatory purposes as a high-risk application and prioritised.

2. Be clearer about how risk-based and principles-based regulation are used

There are important differences between the uses of risk-based and principles-based regulation. Both have a role in the EU’s governance of digital technologies, and both must be developed in a clear, nuanced, consistent and implementable manner. The EU has emerged as a global regulatory leader with its principles-based ethos, with an emphasis on fundamental individual rights as a keystone of technology governance. But it is also important to see the elaboration and operationalisation of such governance principles as an ongoing task, in order to maximise the principles’ real-world traction. There must be clarity and consensus on what principles like fairness or equality mean. And on a technical level, it must be possible to operationalise these principles: developers must be able to understand and implement them in code.

3. Consider applying the precautionary principle to AI/ML

The precautionary principle has been mainly applied to the management of environmental and human health risks, but it may be worth explicitly expanding its scope to cover potential risks posed by digital technologies. The speed with which new digital technologies propagate across societies can be faster than the pace at which a robust evidence base about the impacts of these technologies can be developed. Application of the precautionary principle can be contentious and seen as hindering innovation, however, if it is for example interpreted as requiring harm-avoidance measures unless there is “full scientific certainty” about a technology’s impacts. It is worth noting though that the proposed expansion of the precautionary principle to cover digital technologies is in line with the “Ethics Guidelines for Trustworthy AI” produced by the EU’s High-Level Expert Group on AI and recommended under certain conditions by the group in its subsequent “Policy and Investment Recommendations”.

4. Focus on domain-specific regulation

This is one of the key recommendations that emerged from the analysis of AI/ML and the recommendation is that it should shape the EU’s approach to the governance of digital technologies more generally. The primary focus of policymakers should not be on technologies per se, but rather on their specific applications and uses, because this is where risks arise. In addition, policy should not focus only on those aspects of a technology that may need to be restricted or regulated in some way. Where appropriate, policymakers should also advocate for the increasing use of digital technologies that can mitigate domain-specific risks, such as various forms of privacy-preserving technologies. A balanced risk assessment is needed, encompassing not just potential undesirable outcomes that require regulation, but also the desirable outcomes that technologies may be able to deliver.

5. Invest in the development and implementation of technology for privacy and trustworthiness

The EU should invest in and incentivise the development and use of technologies that help to protect fundamental rights “by design”. This means paying greater attention to “governance by digital technology” alongside the more familiar “governance of digital technology”, recognising the fact that technology can help to solve some important governance challenges. The EU should prioritise the development and deployment of enabling technologies, such as various confidential computing techniques that offer a potential “risk-superior” solution on the trade-off between privacy and innovation. The EU should also seek to incentivise those technological solutions that contribute to achieving one or more of the requirements for trustworthiness. This potentially includes the use of solutions that would embed legal rules in technical specifications that could be mandated across the EU.

6. Define ethical red lines

A transparent and legitimate process is needed to assess whether there are any applications of digital technologies that should be ruled out, regardless of their potential benefits, because the risks they pose are too great or because they are incompatible with the EU’s fundamental values. An example of such an application might be a lethal autonomous weapons system (“killer robot”) in which killings are decided on by an algorithm.

7. Clarify the scope, rationale and goals of technological sovereignty

Greater clarity is needed as to the intention and concrete implications of the EU’s goal of digital or technological sovereignty, and there are fundamental questions about how the EU intends to engage with the rest of the world. Technological sovereignty can be understood in this context as the objective of ensuring that the EU retains the value of its digital resources and is able to make and enforce decisions about the use of digital technologies across its territories. But what does this mean in practice? The EU should spell out what it sees as the costs as well as the benefits of prioritising sovereignty, and it should also explain in greater detail how sovereignty in the technological domain might interact with developments in other major domains of global interdependency, including climate, trade and competition policy.

8. Balance public and private forms of governance

The EU should weigh the relative pros and cons of public and private forms of governance with regard to maximising its effectiveness at shaping the global governance landscape. With the GDPR, the EU has shown that it has the heft required to project rules globally. However, it would be unwise to generalise the case of data protection to digital technologies more generally and conclude that flagship regulations are the most effective way of proceeding. There may be instances where the EU would enjoy more leverage by seeking to influence sectoral standards, guidelines and codes of conduct, ex-ante conformity assessments or self-regulation more generally. However, compliance and enforcement are a particular challenge with such forms of governance. Platform governance is likely to be a key test-bed for mixed public-private approaches to digital technology governance.

9. Develop a strategy for working with other key global governance actors

The EU should clarify how it intends to work with other key actors, the most important of whom are the US and China, given the clear leadership role these countries play in the development and deployment of digital technologies. Acknowledging the complexity of the EU’s relationships with these countries is a crucial starting point for the EU to find a consistent and durable way of acting on its goal of increased sovereignty and autonomy. It will be necessary to clarify whether or how such a joint agenda might constrain the EU’s technological sovereignty. The EU may also need to prepare for questions from the US about whether a joint agenda in this area is undermined by the EU’s decision to deepen its economic ties with China without first aligning with the US. There may be differing levels of consensus that could be achieved with different groupings: only a very thin agreement might be possible between all three of the US, China and the EU, whereas a much greater level of overlap is likely to be possible between the EU and US.