Our four working hypotheses are these: (i) only individuals can be addressed when regulating CANSs, (ii) from a legal perspective, CANS’s behaviors are emergent, (iii) for adequate advise on how to regulate the behavior of CANSs effectively, legal scholarship needs to be informed about complexity and (iv) all CANSs are difficult to regulate. They are based on our CLSR paper that the PDC is a CANS. Yet, these working hypotheses just help to gain perspective and focus, they are only starting points.
Two background questions that need useful answers arise immediately when it is our aspiration to address legal scholarship. First, how does a country actually develop a “good” law and accompanying institutions and norms to regulate the behaviors of CANS? The fact that data protection law tries to regulate a CANS does not mean that legal interventions cannot work. Some scholars have even developed laundry lists of applicable criteria, mechanisms and strategies that they consider “essential” for a CAS regulation. Even if one was to agree that the lists are complete and acute (in fact they are not), how can we get legal scholars or legislators to adopt such a list — more than just in name?
Second, even if we assume that legal scholars realize that CANS theory matters, that it can claim to help understand in general how individual behaviors contribute to critical transitions in the behavior of CANSs (or may prevent them from occurring), the question remains: What mixtures of arrangements in mandatory and in `soft’ law are adequate? Precisely because personal-data users form a CANS that proves difficult to regulate. As mentioned alsewhere, both in the EU and in China will individuals sell their souls to Google, Facebook and app providers (or to their Chinese functional siblings), in order to get access to their services. And we suspect that the networks of individual traders in securities and derivatives form a CANS (the Financial system) too, and that it suffers from similar difficulties that prevent simple and straightforward regulation.
Our current work investigates whether these four working hypotheses, together with our two background questions are useful, for instance when we discuss material research questions like: How to generate effective legal regimes for the domestication of a specific CANS’ behaviors? We expect that the questions of whether to allow, e.g., data users freedom of choice among legal regimes and of how to obtain good legal regimes are related.
We start from the initial idea that constant, transparent competitive pressures of product, financial and compliance competitions provide an attractive policy approach, within mandatory limits to be set and enforced by general mandatory institutions that preserve inhibitions against the abuse of power (or détournemant de pouvoir). We do not believe that current EU/China regulations on personal data protection meet this requirement.