reviewedArticl Intelligible Data Protection Legislation : A Procedural Approach

In this article, it is argued that legislation must be drafted clearly, simply and precisely, especially when it pertains to ordinary citizens. This involves ensuring that the legislation sets out clear procedures so that those applying it know how they should act in order to attain legally correct and valid results. To illustrate the potential benefits of this ‘procedural approach’ to legislative drafting, the article focuses on the General Data Protection Regulation (GDPR) enacted by the European Union in 2016. The article explores hidden and tacit procedural questions related to the parts of the Regulation that deal with the legal basis for processing personal data, in particular the use of data subject consent as one such basis. The article shows how it is possible to restructure these parts of the Regulation so that they are less fragmented and more intelligible. Another core point made by the article is that a ‘procedural approach’ to legislative drafting is highly desirable for the development of computerised decision-support systems. A non-procedural, fragmented approach to drafting legislation, as is manifest in the GDPR, must be abandoned if the legal system is to become an integral part of a computerised society.


INTRODUCTION
To make a sponge cake, bakers know what they will need as ingredients: white flour, sugar, baking powder, eggs and potato flour.And they know that in order to avoid disastrous results, they must start by whipping eggs and sugar.In law, the situation is often similar: when applying the law, it is not enough to know which facts and assessments that are input in the case; one also needs to know which procedures to follow to reach a legally acceptable result.The average citizen with very limited knowledge, or none at all, pertaining to statutory interpretation, needs a 'legal recipe' to avoid flawed results.
More fundamentally, legislation in democracies under the rule of law must be intelligible, not only to professionals, but to all persons who have rights and obligations pursuant to it.What causes intelligibility -or the lack thereof -is a large and complex issue far beyond the ambitions of this article.The more modest remit of this article is to discuss the significance and desirability of legislation that operates with clear 'procedures' , i.e. legislation that is designed to make clear to those applying it how they should act in order to attain legally correct and valid results. 1 The discussion here focuses on data protection legislation.Such legislation is a response to the increasingly extensive and intensive computerised processing of personal data in the modern world.It has been enacted with the formal aim of protecting individual persons by giving them particular rights as data subjects, and by introducing obligations for controllers and processors of personal data. 2 At the same time, this legislation has been rightly criticised for its poor intelligibility. 3his short and explorative article has its background in studies of eGovernment and the automated application of legislation and other legal sources. 4It assumes that legislators may learn something from a very basic quality of computer systems: most current government computer systems are 'procedural' in the sense that they process data pursuant to predefined instructions that are fixed and formalised in algorithms.In order to reach legally correct results, computers need programs giving the correct instructions in the correct sequence.Similarly, I assume that people need to find 'instructions' telling them how the legislator has intended the various provisions to be applied.Data protection legislation, however, tends to follow a very different approach.Its structure is typically non-procedural and 'fragmented' , leaving it up to those applying the law to interpret and ascertain which procedures are to be followed so as to solve legal problems.In this article, I argue that data protection law -even though it is not a type of legislation suited for full-scale automation -should adopt a procedural law-making style.In principle, I assume such a 'procedural' style is applicable to every part of such legislation. 5However, it is probably best suited and justified when applied to those parts giving rights and obligations to citizens and SMEs. 6he following discussion is based on two observations: a. clear procedures in legislation make it easier for the ordinary citizen to identify and understand legislation; b. a procedural statutory drafting style makes it easy to transform law into computer systems.
Putting the pieces of legislation together requires legal knowledge.The first observation is based on the idea that legal knowledge concerning how rule fragments must be patched together could be embedded and made explicit in the text of the law.This would reduce the legal knowledge required of lay data subjects and data controllers and would make it easier for them to understand the legislation.The second observation is intuitive, namely that the less difference there is between the logical structures of laws and the programming code in systems implementing these laws, the easier it is to transform the latter to programming code and thereby facilitate their computerisation.Although the automated application of data protection legislation is of little practical importance, there are great possibilities and a need to develop computer systems that provide support to people applying the law.
In sections 3 and 4 below, I try to demonstrate the difference between a fragmented and procedural statutory structure, using elements of the European Union (EU) General Data Protection Regulation (GDPR) 7 as example.The instances of pseudo-code that I present in this context also illustrate how relatively simple it is to computerise the law, provided a procedural statutory style is applied.

PROCEDURAL CLARITY AND PREDICTABILITY
Legislators usually pass laws with a view to having an impact on the lives of ordinary citizens.To have an effect, the law must communicate.To that end, legislative acts must be drafted clearly, simply and precisely. 8This follows also from the general principle of legal certainty that is central to rule of law ideals.Legislation usually attempts to contribute to legal certainty, but the mere existence of legislation does not necessarily contribute much.In unfortunate cases when statutory texts are unclear, legislation functions more as an 'inventory of legal uncertainty' than as a source of intelligible legal solutions.Indeed, some go so far as to claim that 'well-intentioned laws that are badly drafted or not readily accessible are also a form of tyranny' . 9ere, I refrain from attempting to specify the numerous quality aspects of legislation that influence the degree of its intelligibility.Instead, I narrow the discussion to a very basic distinction inspired by computerised processing: some statutory interpretation problems could be said to concern data ('what') 10 and others concern procedures ('how').In this context, I choose to understand provisions of the law as descriptions of how legally relevant data input must be processed in order to arrive at legally acceptable results.
By 'procedure' I refer to a series of actions conducted in a certain order or manner for a certain purpose.The purpose can be, for instance, to clarify the kind of legal basis for processing of personal data that is required or, further, to establish whether there is valid consent from data subjects.Procedures create coherence.Procedures may follow explicitly from the provisions of the law, but are often only implicit and hard to discover for laypersons.
Procedural questions encompass, for instance, whether or not conditions of the law are alternative or cumulative, the sequence in which conditions should be assessed, or how age and time should be calculated.Logical operators 11 in sentences like 'IF data subject's age is 18 years OR (data subject's age is 16 -18 years AND processing relates to information society services) OR (data subject's age is less than 16 years AND processing is authorised by parent) […]», constitute necessary links between concepts describing data (cf.phrases between the operators).
On the basis of the above-mentioned distinction, we may ask to what extent uncertainty regarding statutory interpretation of procedural questions is acceptable.The question implies that certain problems of legal interpretation should be acceptable and even desirable because they produce effects that are positive and defensible when seen, for instance, from the perspective of legislators or officials applying the law.On this point, I presume that a clash of interest typically exists between, on the one hand, ordinary citizens who would like to understand the law even though they have no legal competence, and on the other, legislators and professional stakeholders.The latter may find it desirable and even necessary that legislation contains vague terminology, room for discretionary expert assessments etc.The view may be that such 'poor quality' provisions (from the citizen's viewpoint) must be accepted in order to attain sufficiently flexible, adequate and effective regulation.
In this respect, I will merely point out that, given the multifaceted and rapidly changing character of our societies, there are often good reasons for adopting legislation that operates with vague terminology and discretionary expressions of expert opinions, to the extent that it creates reasonable flexibility in its application.The decisive question, however, is whether unclear or undecided procedures are necessary to attain such flexibility.My assertion is that, in the great majority of cases, procedural uncertainty represents ambiguity that is neither necessary nor legally acceptable.In other words, my presumption is that there rarely exists a legitimate rationale for legal uncertainty regarding how rule elements must be joined together to reach legally valid results.Refusal to accept procedural legal uncertainty is not incompatible with the acknowledgment of the need for flexible and dynamic legislation.Such need may be fully met through the use of vague terms, expressions giving room for expert assessments etc. connected to input data.
The examples from the GDPR in the next two sections concern legal matters that many ordinary citizens need to understand, namely, the legal basis for the processing of personal data where consent, in particular, constitutes one such basis.I am well aware that the following examples do not constitute a general proof that a procedural approach is fruitful, but hopefully they will cause further discussions.

PROCEDURES: EXAMINING THE GDPR'S MAIN STRUCTURES OF CONDITIONS
It is useful to regard the procedural aspects of legislation as questions of main procedure and sub-procedures. 12The initial main procedure embedded in the GDPR may be described in the following seven steps: 13 1.assess if processing of personal data falls within the scope of the Regulation (cf.Articles 2 and 3 and various exceptions); 2. determine the legal basis of planned processing (cf.Article 6); 3. determine the purpose(s) of planned processing (cf.Article 5(b)); 4. determine the degree and duration of identification (cf.Article 5(e)); 5. determine data quality requirements for planned processing (cf.Article 5(c) and (d)); 6. determine data security measures for planned processing (cf.Article 5(f)); 7. determine measures concerning 'data protection by design and by default' in respect of planned processing (cf.Article 25).
For each of these steps of the required main procedure, the regulation contains scattered provisions regarding sub-procedures that must be carried out (regarding scope, legal basis, purpose specification, etc.).Determination of the legal basis of planned processing, for instance, must be conducted pursuant to Article 6 regarding lawfulness of processing.Basically, Article 6 identifies the data subject's consent and several types of 'necessary' or statutory grounds as alternative legal bases for processing personal data.Here, I do not treat this rather comprehensive and complex Article in detail, but limit discussion by identifying one basic structural-procedural issue about which the provision is silent.This issue concerns the choice of legal basis for processing of personal data.
If we go deeper into this issue, we have the following problem structure (abbreviated as pseudo-code): Determine conditions These various types of legal bases are apparently of equal priority, and there are no guidelines in the Regulation regarding which of them to choose.As a practical matter, this is primarily a problem concerning the choice between using consent or necessary grounds as legal basis.If a procedural drafting approach is followed, it is required that the legislator clarify whether or not those who apply the law have free choice between consent and necessary grounds.Alternatively, the legislator could specify situations where one of the legal bases should be selected before the others. 15ne of the necessary grounds as stated in Article 6(1)(e) comprises situations where national parliaments pass legislation that makes processing of specific personal data necessary. 16The provision requires that processing of personal data is 'necessary for the […] exercise of official authority vested in the controller'.When such a legal basis exists (e.g.pursuant to national legislation), it will have priority over consent and the other necessary grounds listed in Article 6(1)(b) -(f).In the Regulation, however, this priority is not made explicit.
I fail to see any justifiable reason why the legislators should be silent about the fundamental choices regarding the alternatives referred to in Article 6.These choices are decisive for possible application of the consent arrangement.Even if the legislators were unable to establish clear procedures on this point, it is hard to see why the legislators have refrained from specifying relevant arguments, thereby strengthening ordinary citizens' ability to identify and understand the basic structure of these problems.When uncertainty exists regarding the type of legal basis required for the processing to be lawful, people applying the law will need to understand all provisions constituting the potential legal basis, i.e. statutory law of the relevant Member States, consent of the data subject or necessary grounds as stated in the Article.Lack of structural clarity on this level arguably weakens the traction of the law.

ESTABLISHING SUB-PROCEDURES
Choice of legal basis makes it necessary to examine sub-procedure II in section 3 above.For instance, in cases when a controller has decided to base processing of personal data on consent from data subjects, there needs to be clarity about which detailed sub-procedures are to be followed in order to end up with valid expressions of consent. 17asic rule fragments concerning consent can be deduced from the following provisions: • Article 4 (11), in which 'consent' is defined (together with 25 other terms in other paragraphs of Article 4).• Article 6, in which consent is established as one alternative of lawful processing.• Articles 7 and 8, where we find more specific rules regarding consent.
The Regulation does not indicate any procedure regarding how obtaining consent should be carried out; it is up to each person reading the text to find out where to start and how to proceed.These procedures could have been made visible in at least two ways -either one by one or in combination.The most direct way would be to organise a cluster of all provisions determining how consent must be carried out, and place these provisions in a sequence showing step by step what to assess in order to arrive at a legally valid result.An alternative method could be to introduce internal references between relevant provisions. 18To readers of the Regulation, the first method mentioned is probably best, but in some situations it may be difficult to compile every relevant provision in sequence.Thus, a combination of the two methods is probably preferable.
In the following, I demonstrate that it is possible to redesign the relevant fragments of the Regulation regarding consent and transform them into -what I believe to be -a much clearer described procedure.First, to inform the reader, I have cited a relevant selection of provisions from the Regulation.Thereafter, I restructure these text elements by defining a consent procedure.
The provisions that are chiefly relevant are formulated in the Regulation as follows:

Article 4 Definitions
For the purposes of this Regulation: […] (11) 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; […]

Article 6
Lawfulness of processing 1. Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; […]

Article 7
Conditions for consent 1.Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.Any part of such a declaration that constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time.The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Prior to giving consent, the data subject shall be informed thereof.It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Article 8
Conditions applicable to child's consent in relation to information society services 1.Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old.Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
Although these cited provisions are placed close to each other in the Regulation, they are not compiled into a procedure.Very important provisions regarding consent are placed as parts of Articles regulating definitions (Article 4) and lawfulness of processing (Article 6).The legislators have not grouped or made references between provisions regarding the same topic.For instance, one implicit main rule concerning power to consent is that the age of consenting persons must be 18 years or more (cf.Article 4).Articles 8(1) and (2) contain exceptions to this rule, but no reference is made to Article 4. Withdrawal of consent is partly regulated in Article 7(3), but the preceding and succeeding provisions in paragraphs (2) and (4) are not related to withdrawal.
If we try to redesign these provisions to design a consent procedure without making changes in terms of content, it seems to follow from the Regulation that the rule fragments referred to above may be grouped under four legal issues, each with an appurtenant procedure.In the example below, I have expressed relevant rules in pseudo-code style.The aim of this first phase is only to establish procedure.Concepts and phrases of the referred Articles are addressed later, when the pseudo-code is transformed back into natural language (see further below).For each of these elements A-D, I have identified a structure of conditions.These conditions are joined together by a simple logical structure.The natural language that determines the substantive contents of these conditions is not necessarily affected by establishment of procedures. 19Although the wording of my example in natural language above differs from the original text of the GDPR, establishment of procedure does not limit possibilities of reintroducing vague concepts and expert assessments.My defragmentation experiment, in other words, has only strongly reduced legal uncertainty regarding procedure.All other possibilities of flexibility regarding inputs are intact.

A
Transformation from fragmented structure -where it is required that those who apply the law have background legal knowledge so as to understand which procedure to follow, to a defined procedure where such knowledge is unnecessary -is similar to what we would do to develop a computer system that supports the application of provisions regarding consent.However, instead of taking the next step of formalisation by programming the rules here expressed in pseudo-code, I transform such code back into natural language.Thus, the next phase is to write procedures in full plain language, using phrases and concepts similar to those in the original text.Here, I only illustrate this transcription by showing a full text version of the first sub-procedure (A) regarding power to consent: This article is downloaded from www.idunn.no.© 2017 Author(s).This is an Open Access article distributed under the terms of the Creative Commons CC-BY 4.0 License (http://creativecommons.org/licenses/by/4.0/).

CONCLUSION
I have no specific knowledge as to why the provisions of the GDPR have been structured in the fragmented and incomplete way they are.There are reasons to assume that this law-making style is largely the result of tradition rather than conscious reflection over desirable structure, and that this tradition is possibly combined with a belief that lawyers have the ability to decipher the text of the law.The legislators have probably not considered it important that ordinary citizens should be able readily to apply the Regulation.
Yet, this fragmented style of statutory drafting must be abandoned if the legal system is to become an integral part of a computerised society.The high cost in time and money of transforming laws into computer systems that support or automate application of the law is likely to make the development of such systems improbable.In addition, the chances of incorrect transformation very likely increase if there is a high degree of fragmentation of legislation.
In this article I have discussed a realm of law that is currently not well adapted for automation.Many other laws resemble the GDPR: thus, digitisation must be conducted primarily by developing systems that support those who apply the law.If legislators desire more computer-supported application of the law (cf.the ideals of 'data protection by design' as expressed in, inter alia, GDPR Article 25) and more automated legal decision-making, the only logical conclusion is that they must prepare the ground for this to happen -or at least avoid making it more difficult than necessary. 22If computer systems are to be designed to support data protection, legislators cannot continue to pass legislation that does not live up to the very basic requirements of computerised information systems: i.e., provision of clear, detailed procedures.
Many of us will reject the idea of computers replacing legal assessment.We see the value of manual assessments involving the richness of natural language, expert reasoning, and so on.Yet, even if legislation were to be applied completely manually, clear procedures expressed in legislation should have high priority.The example of how the consent procedure could be more clearly defined illustrates that a procedural law-making style also makes it easier for people to gain an overview and understanding of legal matters.

NOTES
1 Of course, such 'procedural' legislation only addresses one aspect of statutory interpretation.In particular, it does not necessarily resolve issues of interpretation concerning the semantics of the terminology used in the legislation.2 Even though data controllers and processors are often large businesses operating globally, one should not forget that the very wide scope of data protection legislation means that it usually encompasses small and medium sized enterprises (SMEs) and people acting as individuals.

Who may consent on behalf of the data subject?
This article is downloaded from www.idunn.no.© 2017 Author(s).This is an Open Access article distributed under the terms of the Creative Commons CC-BY 4.0 License (http://creativecommons.org/licenses/by/4.0/).IF Authorised by data subject to act on his/her behalf OR holder of parental responsibility for data subject under the age of 18 years THEN power to consent on behalf of the data subject 3 See e.g.Chris Reed, 'You talkin' to me?' in Dag Wiese Schartum, Lee A. Bygrave and Anne Gunn Berge Bekken (eds), Jon Bing: En Hyllest / A Tribute (Gyldendal Akademisk 2014) 154-170.4 See e.g.Dag Wiese Schartum, 'Developing E-government Systems: Legal, Technological and Organizational Aspects' (2010) 56 Scandinavian Studies in Law 125; and Dag Wiese Schartum, 'Law and algorithms in the public domain' (2016) 10(1) Etikk i praksis / Applied Ethics 15.