Hostname: page-component-68c7f8b79f-p5c6v Total loading time: 0 Render date: 2025-12-17T21:43:07.570Z Has data issue: false hasContentIssue false
  • English
  • Français

From Classic to Digital Constitutionalism: Reconceptualising the Nexus of Power, Technology and Rights

Review products

Giovanni De Gregorio, Digital Constitutionalism in Europe. Reframing Rights and Powers in the Algorithmic Society (Cambridge University Press 2022)

Published online by Cambridge University Press:  17 December 2025

Ljupcho Grozdanovski
Ljupcho Grozdanovski*
Affiliation:
FNRS/University of Liège, Belgium Email: lgrozdanovski@uliege.be
Rights & Permissions [Opens in a new window]

Abstract

An abstract is not available for this content. As you have access to this content, full HTML content is provided on this page. A PDF of this content is also available in through the ‘Save PDF’ action button.

Information

Type
Review Essay
Information
European Constitutional Law Review , First View , pp. 1 - 19
Creative Commons
Creative Common License - CCCreative Common License - BY
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution and reproduction, provided the original article is properly cited.
Copyright
© The Author(s), 2025. Published by Cambridge University Press on behalf of University of Amsterdam

Digitalisation captured by constitutionalism

With the rise of technologies like digital platforms and artificial intelligence (AI), a flourishing legal scholarship began to take shape, tackling various aspects of how the law can or should apprehend fast-paced technological innovation. Giovanni De Gregorio’s Digital Constitutionalism in Europe Footnote 1 emerges as a seminal contribution to that scholarship, offering a thorough, rigorous and enlightening analysis of the constitutional reconfiguration(s) triggered by ‘the old meets the new’ paradigm, whereby a new object of regulation – digital platforms and, to a lesser extent, AI – has come to upset the tenets of the EU’s long-standing constitutional doctrines on the separation of powers, democratic governance and fundamental rights protection. The devising of regulatory responses to technological progress is, of course, not unprecedented. However, the challenges associated with online platforms and AI are perceived as cutting deeper into well-established constitutional postulates, seminally, that norm-setting and norm-executing powers, as well as individual safeguards, are primarily – if not exclusively– incumbent on public entities, not private actors.

Indeed, in the backdrop of Digital Constitutionalism lies a technology-induced ‘constitutional distress’ (p. 10) caused by the locus of political decision-making shifting from traditional democratic circuits to private actors. We have witnessed the growing political influence of transnational private corporations, which have been linked to instances of political unrest such as the Arab Spring and the Capitol assault. By operating outside well-established normative frameworks, platforms have gradually come to exercise powers traditionally qualified as ‘public’ and, in doing so, their – possibly adverse – effect on fundamental rights protection became more salient and tangible. YouTube’s decision to remove a video is ‘a clear interference with a user’s right to the freedom of expression,’ though that removal could be necessary to safeguard other fundamental rights, like the right to privacy (p. 81). The disruption that digital platforms caused to traditional constitutional currents – particularly regarding fundamental rights protection – warranted a prompt regulatory response: when ‘economic freedoms turn into forms of private powers’, the absence of regulation threatens to undermine democratic values, De Gregorio observes (p. 82).

When constitutional frameworks and doctrines are called to capture a new object of regulation, there is usually a choice between two paths: either regulatory invention (i.e. the creation of new legal concepts and regimes) or regulatory update (i.e. the adjustment of already existing theoretical and normative frameworks). As far as I can tell, the Digital Constitutionalism’s approach is coherentist, in a roughly Dworkinian sense.Footnote 2 De Gregorio does not propose the invention of a brand-new subfield of constitutional law and doctrine, but seems favourable to maintaining axiological integrity, positing that the ‘digital environment’ should not exist outside a (pre-existing) constitutional framework (p. 85).

As a theoretical referent, De Gregorio relies on Montesquieu’s constitutional theory – among the first to theorise modern constitutional principles like the separation of powers and the protection of rights and freedoms (p. 120). Against that backdrop, the author generically defines digital constitutionalism as ‘an expression of different constitutional approaches to digital technologies’ (p. 5-6).

Digital Constiututionalism’s focus is primarily on Europe (that is, the Council of Europe and the European Union). References to US law are made to the extent that they showcase the difference(s) between American and European regulatory trends.

The analysis is structured across seven chapters, building in a crescendo from the origins and characteristics of the law governing digital platforms to its role in protecting specific fundamental rights. The book begins by mapping out the rise of digital constitutionalism, with the first two chapters showcasing the gradual shift from platforms’ unregulated market behaviour (p. 41 ff) to an initial normative framing defined by courts, particularly the Court of Justice of the European Union in what the author qualifies as a judicial activism phase (p. 53 ff). The case law developed in relation to platforms and platform services has set the stage for the emergence of specific regulatory frameworks, analysed in Chapter 3 (p. 80 ff). That analysis is conducted through the lens of two so-called constitutional asymmetries: one tackling the opposition between democratic and authoritarian models of regulation, the other tackling the tension between democratic and platform models of governance.

In Chapter 4 (p. 123 ff), De Gregorio examines the consolidation of digital constitutionalism, by analysing the original distinctness but eventual overlap between the legal principles and regimes applied to online content and those applied to data processing. In essence, the author shows how the requirements for lawful personal data processing gradually came to frame online content monitoring and moderation. Expanding on that analysis, he goes on to examine the safeguards afforded under specific rights, namely, the freedom of expression (Chapter 5, p. 157 ff) and privacy and data protection (Chapter 6, p. 216 ff). In Chapter 7, De Gregorio outlines the future prospects pertaining to the consolidation of European digital constitutionalism (p. 273 ff). The sections of this review are organised so as to reflect the structure of Digial Constitutionalism itself.

Regulatory and governance challenges triggered by the digitalisation-induced ‘constitutional asymmetries’

The analysis of the emergence and consolidation of digital constitutionalism begins by the author addressing what he refers to as ‘constitutional asymmetries’ (p. 89). The term ‘asymmetry’ is used to describe power and information imbalances between platforms, on the one hand, and public and private actors, on the other. The remedies to those asymmetries are examined from two vantage points: models of regulation and models of governance.

Regarding the models of regulation, De Gregorio highlights the contrast between the liberal model, dominant in constitutional democracies and characterised by a strong pledge to the fostering of pluralism, and the illiberal model, typical of authoritarian regimes and characterised by institutionalised and centralised scrutiny over platform activity and online content.

Digital Constitutionalism’s focus is mainly on the former, placing at the core of its analysis the idea of balance between two objectives: the pursuit of platforms’ business interests and fundamental rights protection. De Gregorio remarks that since the ‘digital environment’ is a vehicle for fundamental rights and freedoms, any public intervention must carefully assess the risk of disproportionately interfering with the platforms’ economic freedoms (p. 92). The search for a ‘fair balance’ also underscores the second above-mentioned constitutional asymmetry, relating to the models of governance (p. 93). In relation to those, the term ‘asymmetry’ is used to characterise the shift of norm-setting and norm-executing powers from the public to the private (platform) sphere. Specifically, De Gregorio flags two types of powers resulting from that shift: delegated and autonomous.

Delegated powers derive from a ‘transfer of functions or public tasks from lawmakers to specialised actors both in the public and the private sectors’ (p. 95). A telling example in that connection is the early-2000s proliferation of peer-to-peer and torrent mechanisms which, due to their scale, frustrated the prosecution of millions of daily users who illegally shared and accessed online content (p. 98). Online providers were thus called to assume the function of ‘gateway points’ and perform the role – traditionally associated with public authorities – of identifying and blocking illicit online conduct (p. 98).

Gradually, instances of delegation of powers led to the emergence of new regulatory models (co- and self-regulation, as well as codes of conduct, p. 98), which crystallised in the realms of online content and personal data. As an example of delegated powers in the field of content, the author mentions disinformation, positing that online content that is false is not systematically illegal (e.g. defamatory). Since it is not always clear if and when false content is unlawful, online platforms are ‘pushed’ to enhance their monitoring, namely to avoid liability for enabling the publication of (potentially) illegal content. In a similar vein, to illustrate the exercise of delegated power in relation to data, De Gregorio refers to the obligation of data controllers to perform Data Protection Impact Assessments, set out in Article 35 of the General Data Protection Regulation. In performing these assessments, controllers are called to evaluate the risks that specific data processing might affect their economic interests but also assess their potential to violate fundamental rights. According to the author, this is a case of delegation to the data controller of the power to balance conflicting interests, ‘thus making the controller the “arbiter” of data protection’ (p. 108).

The seminal risk of such delegations is that they affect ‘some of the most intimate features of constitutional law’ (p. 99) given that the exercise, by platforms, of the so-called delegated powers is not subject to any meaningful democratic control or institutional scrutiny (p. 100). This exacerbates the need to enhance the safeguards afforded to individuals in the face of platforms’ pursuit of business interests, leading to the emergence of what De Gregorio qualifies as a new pactum subjectionis (digital social contract) (p. 114).

A characteristic feature of this pactum is that the contracts offered by platforms to their end-users are defined through a top-down approach, meaning that they are imposed upon the users, rather than negotiated with them (p. 112). Importantly, those contracts lack a strong regulatory framing on crucial individual safeguard mechanisms like judicial redress and law enforcement (p. 118). Without the constraints of such regulation, platforms are free to exercise (quasi-)judicial powers, enjoying significant discretion in how they respond to, say, individual requests for content removal or delisting (p. 118). The new pactum subjectionis is, therefore, based on sharp power asymmetries between platforms and the users of their services, showcasing a distressing kinship with the features of absolute (feudal) regimes (p. 114)Footnote 3 and signalling a serious ‘democratic degradation’ (p. 116).

Similar observations are made in connection with the so-called autonomous powers. Those derive from the platforms’ ability to define the rules governing their user communities, without affording the members of those communities any form of democratic participation (p. 115). Consumers interact with platforms, De Gregorio notes, but are not given any meaningful (political) roles in the latter’s decision-making (p. 115). In his analysis of the so-called autonomous powers, he primarily focuses on content moderation which, much like the delegated powers, is also characterised by significant platform discretion that lacks robust regulatory framing and institutional scrutiny. Platforms are thus in a position where they are free to define the rules according to which speech can flow online (p. 116). There again, private interests underlie the content of what De Gregorio calls autopoietic set(s) of rules that determine how individuals exercise their freedom of expression online (p. 118). For instance, the removal of online content or the erasure of data can be performed directly and discretionarily by platforms ‘without the involvement of any public body ordering the infringing party to fulfil the related contractual obligations’ (p. 118). That degree of discretion can have a ‘chilling effect for fundamental rights’ and, more importantly, on ‘the establishment of paralegal frameworks in the algorithmic society’ (p. 119).

In light of De Gregorio’s analysis, asserting that a constitutional framing of digital platforms’ powers was needed is an understatement. The challenge in that regard concerns the design of a constitutional framework able to support supports platforms’ freedom to conduct business and, at the same time, to afford adequate fundamental rights protection. The striking of that balance has arguably become more pressing as online content publication and moderation began to increasingly incorporate personal data, thus raising the issue of which lawfulness requirements – those on content or those on data – should apply.

The judicial response to the overlap between personal data and online content

Content and data have historically been viewed as separate objects of regulation, ‘running on parallel tracks’ and with minimal interaction (p. 126). This original separateness stance is reflected in the relevant EU legislation: the Data Protection DirectiveFootnote 4 regulated data, while digital services are governed by the e-Commerce Directive.Footnote 5

With time, however, separateness became less tenable, as data and content began to increasingly overlap (‘converge’). De Gregorio offers a complex analysis of that overlap, and its role in the consolidation of digital constitutionalism. Its complexity notwithstanding, that analysis seems to be structured around two main ideas. First, the substantive data/content convergence, essentially referring to the digital services increasingly incorporating some form of personal data processing. Second, the (re)shaping of the legal obligations incumbent on platforms – particularly those on fundamental rights protection – triggered by the data/content overlap.

Regarding the first point, the design of the Data Protection Directive and the e-Commerce Directive is such that they were not initially seen as sharing the vocation of applying to the same concrete instances. They, indeed, differ significantly, particularly in how they regulate liability. The e-Commerce Directive upholds the principle of non-liability for third-party content which simply means that digital platforms are prima facie not liable for any potentially illegal (say, defamatory) content made available via their services. However, the presumption of non-liability (or ‘immunity’, p. 44 ff) is not irrebuttable. It applies so long as platforms do not play an active role in the selection and/or transmission of that content or the selection of its recipient(s) (p. 132). In contrast, the Data Protection Directive – and subsequently the General Data Protection Regulation – include specific requirements framing the lawfulness of data processing that controllers must meet, regardless of any third-party conduct (p. 128).

The ‘technological convergence’ that occurred when digital services began incorporating personal data, naturally raised the issue of the Data Protection Directive’s and e-Commerce Directive’s normative overlap. Specifically, the following question was raised: although platforms are prima facie not liable under the e-Commerce Directive for the content made available through their services, could – or should – they comply with the requirements of lawful data processing (in the sense of the Data Protection Directive/General Data Protection Regulation), when they act as data controllers (i.e. determine the purpose and modalities of personal data processing)? This issue was first addressed by the European Court of Justice in what De Gregorio calls the judicial activism phase (p. 53 ff). He mentions the Google Spain caseFootnote 6 as ‘the first step’ toward a more consolidated constitutional framing of the data/content convergence.

In a dispute addressing the erasure of personal data accessible via Google’s search engine, the European Court of Justice was called to determine whether the operators of a search engine could qualify as data controllers under the Data Protection Directive (i.e. could be considered as determining the goal of that processing). The Court ruled that, since the activity of the operator of a search engine is likely to ‘affect significantly’ the fundamental rights of privacy and the protection of personal data, that operator’s activity must meet the Data Protection Directive’s requirements so that the objective of ‘effective and complete protection of data subjects … can be achieved’.Footnote 7 It followed that the automatic indexing, classification and publication of personal data, though made available by third parties could, indeed, be qualified as data controllership, within the meaning of the Data Protection Directive.

De Gregorio interprets Google Spain as revealing the limits of platforms’ discretion: the application of data controllership to them suggests their awareness that the online content made available through their services incorporated personal data (p. 140). Importantly, in the Google Spain case, a key ground in the Court of Justice’s reasoning for extending data controllership to online platforms was the protection of fundamental rights, namely, privacy and data protection, which provided the incentive for the Court to clarify, in other cases, the scope and limits of intermediation. Examples in that regard include the Promusicae,Footnote 8 LSG,Footnote 9 Google France Footnote 10 and L’Oréal Footnote 11 cases in which the Court was, in essence, called to clarify the role of intermediaries in the protection of personal data, privacy and intellectual property rights.

Based on the case law developed in the so-called judicial activism phase, De Gregorio detects the data/content overlap, as well as that of the data/content regulatory frameworks, in three topical instances: (1) when users commit an infringement through intermediaries (e.g. defamation, p. 129); (2) when they infringe privacy and data protection rules through online intermediaries’ networks (in which case the Data Protection Directive applies, p. 129); and (3) when they infringe a right falling outside the scope of data protection (e.g. hate speech) and platforms are required to provide details about the infringing users or to implement filtering systems (in which case, both the e-Commerce Directive and the Data Protection Directive apply, p. 129). Presumably, the European Court of Justice’s case law addressing the intersection between digital services and data processing/protection shed light on aspects where regulatory intervention would eventually be necessary.

The legal response to the overlap between personal data and online content

As mentioned above, the initial content/data separateness stance implied that digital services and personal data processing answered to different lawfulness requirements. I use the term ‘lawfulness’ generically, referring to De Gregorio’s analysis of various forms of compliance with constitutional requirements (like fundamental rights protection) and specific, legal requirements (like those laid out in the relevant legislation).

In the e-Commerce Directive, ‘lawfulness’ translates to an elementary requirement for platforms not to violate fundamental rights, like the right to privacy (p. 148). That requirement is ‘elementary’ because platforms are, in principle, not required to systematically monitor, nor bear responsibility for any illegal content published via their services. In contrast, the Data Protection Directive and, subsequently, the General Data Protection Regulation create several, relatively elaborate duties that frame the lawfulness of personal data processing. Those duties include, for example, the controllers’ obligation to request the data subjects’ consent, and the obligation to perform, when necessary, Data Protection Impact Assessments (p. 149).

As data and content gradually converged it became necessary to transpose the (procedural) lawfulness requirements from the field of data to that of online content. De Gregorio highlights three paths of convergence in that regard. The first such ‘path’ unfolds at the constitutional level, particularly in the interplay between freedom of expression, privacy, and personal data (p. 145 ff). This interaction is, prima facie, characterised by a tension between the rationales underpinning these rights, namely, secrecy (for privacy and data protection) and public disclosure (for freedom of expression). Digital technologies have certainly provided occasions for that opposition to become apparent. For instance, the data collected during the profiling of users’ behaviours (affecting their privacy and data protection) can, in turn, be used to manipulate their opinions (affecting their freedom of expression) (p. 146). That said, De Gregorio argues, the adversarial nature of the interrelationship between the rights discussed is coupled with a cooperative one, stemming from their ‘joint mission’ of protecting democratic values (p. 148). After all, in the interactions between data controllers and subjects, the protection of privacy can include a component of data protection. De Gregorio elaborates on this ‘cooperative’ rapport between the rights under discussion in the context of the second of the three paths of convergence, characterised by online content regulation incorporating procedural safeguards inspired by those in the field of data (p. 145).

In that regard – and the Digital Services ActFootnote 12 notwithstanding – De Gregorio mentions instruments like the Copyright Directive,Footnote 13 the Audiovisual Media DirectiveFootnote 14 and the Regulation on online terrorist content.Footnote 15 These instruments draw inspiration from the safeguards applied in the field of data by incorporating a generic duty of transparency into various types of content sharing and moderation. For example, in the Copyright Directive, when service providers communicate third-party content to the public, they are required to do so by first obtaining licences from rightsholders (Article 17). In a similar vein, the Audiovisual Media Directive includes specific safeguards regarding minors and protection against hate speech (p. 70). To uphold those safeguards, the Directive includes a list of ‘appropriate measures’ like age verification systems for users of video-sharing platforms, particularly in the presence of content that may impair the physical, mental or moral development of minors (p. 70). Following this trend, the Regulation on online terrorist content also mentions that hosting service providers should act in a diligent, proportionate and non-discriminatory manner and consider ‘in all circumstances’ the users’ fundamental rights, particularly the freedom of expression (p. 71).

The goal of these duties is to make available specific information on the nature and modalities of content sharing, in view of supporting end-users’ protection through procedural safeguards, seminally – but not exclusively – afforded by provisions on judicial redress. These safeguards are associated with the so-called third path of the constitutional framing of the content/data overlap. In that connection, De Gregorio argues that the General Data Protection Regulation gave ‘the incentive for online intermediaries to extensively monitor their spaces’ (p. 154) and to take users’ requests (for content removal) more seriously (p. 154). The Digital Services Act epitomises this cross-fertilisation between the e-Commerce Directive and the Data Protection Directive/General Data Protection Regulation, by providing horizontal procedural safeguards that draw inspiration from data protection law (p. 156).

Through his careful analysis of the judicial and normative framing of the content/data overlap, De Gregorio discerns a distinctly European constitutional approach to digitalisation: though the liability exemption for platforms remains the norm, the freedom they enjoy under that exemption is neither unconditional, nor absolute. In addition, while (enhanced) transparency is incorporated in many of the obligations imposed on platforms by the legislation discussed, it remains that the adequate protection of individuals calls for robust safeguards afforded under three fundamental rights: freedom of expression; the right to privacy; and the right to data protection.

The constitutional (re)framing of the freedom of expression

The analysis of the freedom of expression begins by underscoring the contrast between the American and European perspectives. In the US, the prevailing paradigm is the marketplace-of-ideas metaphor, by virtue of which the interest in promoting free expression in a democratic society should outweigh any form of censorship stemming from regulation (p. 163). Within that framework, platforms are predominantly seen as enablers of democracy, rather than threats to public discourse. This perspective helps to understand why those platforms enjoy a strong protection under the First Amendment of the US Constitution, which has – De Gregorio notes – often barred any attempt to (over)regulate speech online (p. 163).

The European approach to the freedom of expression seems to be less hostile to regulation. That right is understood as an essential constitutional entitlement to foster and enhance individual autonomy, as a component of the human dignity principle that underpins European constitutionalism (p. 159). From a European perspective, the freedom of expression can be an object of regulation, when the goal is to protect individuals’ right to self-determination through the exercise of that freedom. Democracy, indeed, relies on individual autonomy as a primary driver ‘for developing opinions and participation in decision-making processes’ (p. 159).

Expanding on the marketplace-of-ideas metaphor and reflecting on the algorithmic variant of that metaphor, De Gregorio remarks a strong market concentration (p. 170), whereby the entry barriers created by tech corporations adversely affect ‘media pluralism from a quantitative perspective’ (p. 170). The regulatory challenge related to the freedom of expression in that context is to ensure ‘exposure and pluralism in a democratic digital environment’ (p. 165-166), therefore warranting some form of democratic control over how content moderation is performed.

As content moderation came more prominently into the EU’s regulatory focus, the challenge that arose concerned the design of a regulatory framework that would ensure that the exercise of the freedom of expression would not disproportionately restrict the platforms’ freedom to conduct business. The quest for an optimal regulatory model for content moderation was also justified by the fact that content moderation became increasingly automated, opaque (i.e. remained out of the end-users’ grasp) and could be a powerful tool to silence speakers (p. 177). This triggered a ‘frustration of democratic values’ (p. 185), the regulatory response to which was twofold.

First, the opacity of content moderation was mitigated through transparency and accountability mechanisms addressed to content moderators. Provisions in that connection have been included, namely, in the Copyright Directive, the Audiovisual Media Services Directive and the Regulation on online terrorist content (p. 189-190). In addition to those, De Gregorio highlights, second, procedural safeguards enabling individuals to ‘dismantle the logic of opacity’ that characterises content moderation (p. 190). As an example, he cites the Eva Glawischnig-Piesczek caseFootnote 16 in which the European Court of Justice was called to clarify a host provider’s obligation, under the e-Commerce Directive, to remove content equivalent to content declared illegal (because defamatory). Considering the difficulties in identifying such content, the Court held that a host provider (Facebook, in this case) is not under an obligation to monitor generally the information which it storesFootnote 17 (p. 191).

From the perspective of individual safeguards, the Eva Glawischnig-Piesczek case also reveals the absence of a unitary framework of users’ rights or remedies. Under the e-Commerce Directive, member states enjoy significant discretion in defining the procedural conditions under which rights and remedies (in connection with content moderation) can be exercised (p. 192). To remedy this lack of uniformity, De Gregorio submits two suggestions. He, first, posits that the horizontal direct effect doctrine could broaden the possibilities for individuals to hold digital platforms accountable before national courts. The downside of this interpretation is that the reliance on horizontal direct effect might lead to ‘compressing’ platforms’ freedom to conduct business, which – De Gregorio exclaims – ‘cannot be tolerated’ under the European constitutional perspective (p. 200).

In that context, the second suggestion is to focus on fostering media pluralism (p. 201). ‘It is worth wondering how European constitutional law can provide other ways to remedy the challenges to the right of freedom of expression in a public sphere which is characterised by opacity and lack of accountability’ (p. 202). The ‘other ways’ alluded to by the author relate to two interpretations of the freedom of expression.

On the one hand, that freedom can be interpreted as encouraging public actors to regulate content moderation by, as De Gregorio puts it, injecting safeguards that enhance exposure and diversity (p. 203). In that connection, he examines the case law of the European Court of Human Rights on the role of the media in a democratic society (p. 204-205) and the European Court of Justice’s case law (namely, the Sky Österreich caseFootnote 18 ) addressing Article 11 (freedom of expression) of the EU Charter of Fundamental Rights, particularly its ‘right to be informed’ and ‘media pluralism’ dimensions (p. 206). Based on these case law strands, the author argues that a more ‘democratically framed’ (that is, pluralism-oriented) content moderation could, indeed, be a way to enhance the effective exercise of the freedom of expression, without undermining the platforms’ exercise of the freedom to conduct business.

On the other hand, De Gregorio suggests the definition of (clearer) liability regimes for platforms. The idea is to make platforms ‘responsible for protecting democratic values through more transparent and user-driven procedures’ (p. 208). The European Commission’s Code of Practice on Disinformation is mentioned as helpfully supporting platforms by framing content moderation without, strictly speaking, regulating it (p. 209).

Against that backdrop, and following the fil rouge of balance between the freedom of expression and the platform’s freedom to conduct business, De Gregorio suggests four general principles which – according to him – ought to guide platforms’ democratic regulatory framing: (1) the ban of general monitoring obligation (i.e. platforms should not be obliged to generally moderate online content); (2) transparency and accountability (content moderation rules should be assessed and explained to users ex ante and ex post, particularly in cases where content is removed or blocked); (3) proportionality (translating to a fair balance between user rights and platform obligations); and (4) availability of human intervention (implying a human-in-the-loop in the process of content moderation).

Expanding on those principles, the author refers to the Digital Services Act, which he perceives as a ‘primary step’ toward a normative framework supported by the rise of European digital constitutionalism (p. 211). The Digital Services Act includes both substantive obligations and procedural safeguards that require platforms to disclose information, assess risks of fundamental rights violations and provide redress mechanisms (p. 212). However, it maintains the exemption from liability principle (inherited from the e-Commerce Directive) while encouraging platforms to take voluntary measures (in terms of content monitoring and moderation), thus increasing their level of transparency and accountability (p. 212).

Throughout this analysis, self-determination, as integral to the human dignity principle, emerges as the rationale underlying De Gregorio’s plea for frameworks that promote (more) transparency and pluralism in connection with content moderation. It is also the rationale underlying De Gregorio’s analysis of the interrelationship between the right to privacy and the right to personal data protection.

The constitutional (re)framing of the right to privacy and the right to data protection

Retracing the origins of the right to privacy, De Gregorio recalls the original (American) interpretation of that right as being a right to be left alone (p. 220). Expanding on that view, in Europe, the European Court of Human Rights made a clearer connection between the right discussed and human dignity, interpreting it as a condition for the development and fulfilment of personality, particularly personal autonomy and identity (p. 220). De Gregorio showcases the progression from a negative understanding of the right to privacy (i.e. ‘obligation not to …’) to a positive (i.e. ‘obligation to’) understanding thereof, through the inclusion of the right to data protection in the scope of privacy (p. 220).

On the level of the Council of Europe, this shift was reflected in the enforcement of Convention No. 108 on the protection of individuals with regard to automatic processing of personal data – a pioneering instrument, considering its adoption in a time (1981) when the Internet was not yet developed (p. 223). With the advent of Big Data (p. 225 ff) and the normalisation of automated data processing, De Gregorio highlights the dangers of the opacity of algorithmic technologies, considering the risks that profiling and automated decision-making lead to discrimination and have, more generally, adverse effects on individual rights and freedoms (p. 231). In that context, protecting privacy – particularly the so-called ‘informational privacy’ – becomes paramount, to promote individual autonomy and self-determination (p. 232).

Expanding on previous developments regarding the increased transparency (of automated data processing) and platform accountability, De Gregorio suggests that the General Data Protection Regulation’s principles – such as lawfulness, purpose limitation, and accuracy – be interpreted in conjunction with the data controller’s accountability. This would include considering the nature, scope, context, and purpose of the processing, as well as the assessment of risks of fundamental rights violations (p. 246).

In addition to a stronger regulatory framing of data controllers, De Gregorio also focuses on the procedural safeguards afforded to individuals. He notes that data subjects have the right to object to automated data processing under Article 22(1) of the General Data Protection Regulation, which certainly helps to balance the relationship between controller and subject (p. 248). However, the degree of transparency that controllers are required to provide based on said article remains unclear (p. 249). Indeed, the latter creates an obligation for controllers to provide an explanation about the logic involved in instances of automated data processing (p. 250-251). Still, the benefit from that explanation is not absolute (p. 251), but is conditioned upon the meeting of stringent requirements, namely, that the processing is entirely automated and that it produces legal, or similarly significant effects on the data subject (p. 251). The practical difficulty in meeting those requirements may limit the benefit from the entitlement (to an explanation) Article 22 of the General Data Protection Regulation laudably affords.

In this context, De Gregorio advocates for a ‘constitutional reframing’ of the General Data Protection Regulation (p. 253 ff), proposing a shift in focus toward human dignity as a foundational principle in consolidating data protection as both a ‘positive dimension of the right to privacy’ and a safeguard for freedom of expression (p. 257). In that connection, he highlights various principles and rights (e.g. equality, consent) as well as mechanisms (e.g. human-in-the-loop) intended to shield off dehumanisation (p. 261). The human-in-the-loop principle is, for the author, ‘a paradigmatic attempt to introduce procedural safeguards’ (p. 268) suggesting that ‘the last word over individual rights and freedoms should be human’ (p. 269). Whether this is actually conducive to better decision-making is up for debate. Suffice it to stress that the goal is to, nevertheless, ensure that human dignity and democratic values are not ‘annihilated by the lack of transparency and accountability in the exercise of powers in the field of data’ (p. 271).

Importantly, and in addition to human dignity, De Gregorio highlights the principle of proportionality as a cornerstone of the ‘risk-based approach based on the principle of accountability’ (p. 262). He links proportionality to accountability because the former underpins the obligations of data controllers to safeguard data subjects’ privacy and data protection (p. 264). Proportionality also informs how risks should be assessed within the privacy and data protection framework, given that ‘fundamental rights are the parameters on which the risk-based approach, as a system where data controllers’ responsibility is assessed on a case-by-case basis, is grounded’ (p. 264).

What lies ahead?

As for the future, De Gregorio re-emphasises human dignity as a key principle to mitigate the threats of techno-determinist solutions that could ‘lead to processes of dehumanisation and gradually the vanishing of democratic values’ (p. 279). If we consider that (effective) fundamental rights protection is democracy’s signature trait, then we should not forget that many of the modern human rights theories are fundamentally dignitarian.Footnote 19 In many ways, a legislature’s commitment to safeguard human dignity is the hallmark of being democratic. The debates surrounding AI revived this dignitarian approach, as regulators and scholars pondered on achieving the difficult balance between economic growth (stemming from enhanced AI innovation) and fundamental rights protection.Footnote 20 In that connection, De Gregorio argues that ‘granting extensive protection to fundamental rights over innovation could lead the Union to become a “standard-taker” rather than a “standard-maker” in the fourth industrial revolution’ (p. 281), one of the EU’s most important challenges being to draw the line between innovation and risk (p. 281). It seems that the Union’s ambition with its recent digital legislation has been to simultaneously enhance market gains and guarantee fundamental rights protection, which the De Gregorio calls the European third way (p. 284). In terms of governance, the ‘third way’ would imply a deeper and more structured blend between public authority and private ordering aiming to strike a ‘proportionate balance between hard and self-regulation’ (p. 291). The Digital Services Act and the General Data Protection Regulation already illustrate this.

Perhaps the European third way – the Brussels effectFootnote 21 oblige – will become a truly global benchmark for regulation. So far, the Union’s approach has, indeed, been ‘oriented towards rising as a global standard-maker’ (p. 299) rather than focusing on promoting European industry and innovation, which probably drove Draghi to read the riot act in his recent report.Footnote 22 But this discussion goes beyond the scope of this review.

In the remaining, concluding paragraphs, I will highlight the key reasons why, in my view, Digital Constitutionalism is truly a tour de force, emerging as a crucial current in the broader landscape of the legal scholarship on law and digitalisation. From this book’s many merits, I will highlight three praiseworthy points.

First, De Gregorio astutely and eloquently elaborates on a key constitutional challenge (or ‘distress’) that digitalisation brought about: the shift of power(s) from the public to the private sphere. Indeed, traditional constitutionalist currents, including Montesquieu, conceptualised constitutionalism primarily, if not exclusively in relation to the theory of state, as can be inferred from the works of classical scholars like Carré de Malberg,Footnote 23 Jellinek,Footnote 24 SchmittFootnote 25 and Kelsen.Footnote 26 It is possible to contend that a constitutional order, in essence, expresses a foundational ‘idea of law’ (idée de droit)Footnote 27 which determines how individual freedoms should both direct and limit state discretion.

The advent and development of the EU offered a unique opportunity to conceptualise constitutionalism beyond the state, encouraging scholars to inquire if a supra-national legal order can be ‘constitutional’, bearing in mind its vertical separation of powers, the evolution of fundamental rights protection and the role of ‘constitutional jurisdiction’ the Court of Justice came to play, while famously qualifying the Union Treaties as constitutional norms.Footnote 28 The gradual process of the EU’s constitutionalisation gave way to noteworthy work on the genesis and specificity of the European constitutionalism,Footnote 29 the (possible) existence of a European constituent power,Footnote 30 and the emergence of a specific form of ‘constitutional patriotism’Footnote 31 as individuals came to politically identify with (and claim protection from) supranational entities like the EU.

It should be mentioned that, although constitutionalism admittedly evolved beyond the state, it seldom – if ever – abandoned the original legacy of public law actors having an exclusive claim to norm creation, execution and adjudication. The ‘constitutional distress’ digital platforms triggered stems precisely from the latter’s defiance of long-standing and oft unquestioned (because seen as uncontroversial) views of constitutionally determined public power(s).

De Gregorio is, of course, aware of this, rightly choosing, as point of departure, the concept of power, which allows him to, first, examine the structural issues – tackling the (re)organisation of legal systems necessary to accommodate the rise of platforms – and laying down the analytical framework within which he, second, addresses the issue of fundamental rights protection as both an objective and a limit to platform discretion.

In the broader context of the scholarship on regulationFootnote 32 and the rule of lawFootnote 33 in connection with digital technologies, De Gregorio’s approach is original and refreshing. For the better part of the last decade, the zeitgeist in savant circles has been the issue of risks associated with those technologies – particularly AI – which, naturally, pushed scholars to zoom in on the individual safeguards needed to prevent or mitigate those risks.Footnote 34 In that context, De Gregorio’s approach is commendable: he does not follow the well-trodden path of departing from risks to determine how to better protect individual rights. Instead, he begins with the very source of those risks, namely, the powers that operators such as digital platforms (and, by extension, AI providers) acquire by catering their technologies to markets and users. The analysis thus structured offers a much-needed bird’s-eye view and a clearer understanding of why the doctrine of digital constitutionalism, as conceptualised by De Gregrorio, marks a rupture (specifically on the concept of power) but also preserves continuity (on democracy and fundamental rights) with more traditional constitutional currents.

Second, one of Digital Constitutionalism’s strengths stems from its analysis of the overlap between online content and data. Scholarship’s general trend has been to approach each concept (and corresponding legal regime) separately, often omitting to address the issue of adequate legal framing in instances where content and data intersect. In that connection also, Digital Constitutionalism offers an insightful and much-needed analysis. It departs from the case law of the European Court of Justice and shifts to regulation, offering valuable insights into the process of the procedural safeguards applied in the field of data being gradually extended to online content.

The seminal case mentioned in that connection is Google Spain, though other cases, like Fashion ID,Footnote 35 support De Gregorio’s arguments relating to the content/data overlap. In that case, a retailer’s website (Fashion ID) included a Facebook ‘like’ button, which enabled Fashion ID to transmit, to Facebook, the personal data of its website’s visitors, without them being aware of this (or even having clicked the ‘like’ button).Footnote 36 Formally, this was a ‘data protection’ case, since the Court of Justice’s ruling (a reference for preliminary ruling) was based on the Data Protection Directive (the predecessor of the General Data Protection Regulation). The Court of Justice was called to clarify whether Fashion ID could qualify as controller, to which it answered affirmatively. It also stated that the consent of the website’s visitors was required, regarding the data processing the purpose of which was determined by Fashion ID. This case can be seen as one of illustrations of the content/data overlap, considering how a ‘simple’ social plugin on a website provided the occasion for a platform like Meta to collect personal data of that website’s unsuspecting visitors. In such instances, it seems logical that the requirements on data processing associated with controllership and consent frame the modalities under which online content is accessed.

Finally, a laudable strength of Digital Constitutionalism is that it ‘speaks’ not only to legal scholarship, but more broadly to the social sciences and humanities. This is, in large part, due to its dignitarian foundation, considering that human dignity offers the conceptual framework within which De Gregorio’s views on principles like transparency (the ‘dismantling of opacity’) and enhanced procedural safeguards (like the human-in-the-loop principle, p. 257) take shape.

Indeed, in his discussions of the interpretations and safeguards associated with the freedom of expression, the right to data protection and the right to privacy, De Gregorio tackles the issue of safeguards more broadly, moving beyond the ‘judicial protection’ approach, as the preferred vantage point in the scholarship on fundamental rights and digitalisation, seminally represented by Pollicino.Footnote 37 Broadening the scope of his inquiry beyond judicial protection, De Gregorio grounds his analysis in a notion of balance between fundamental rights and the economic interests of digital platforms which – we often forget – also benefit from constitutional entitlements, namely, the right to conduct business. Indeed, this idea of balance runs as the undercurrent throughout Digital Constitutionalism, resulting in a compelling and well-rounded analysis. The astute observations on the rights to privacy, data protection and the freedom of expression – which offer different guarantees but share the same dignitarian foundation – connect nicely with strands in the digital humanities and science and technology scholarship that view new technologies as ‘vehicles’ or ‘mediators’ of values, acting as individuals’ ‘extended minds’Footnote 38 and decisively shaping their sense of identity. I can, for example, see Digital Constitutionalism opening new sub-fields of research by offering a constitutional lens to non-legal currents on technology-induced individuation.Footnote 39 That constitutional lens can also inform a new approach within an already flourishing vulnerability scholarshipFootnote 40 which – especially in the field of AI – seeks to identify the key ways in which technologies ‘exploit’ individuals by reason of specific personal features, naturally raising the issue of the constitutional guarantees able to shield from such exploitations.

While much work remains to be done to fully realise the various facets of De Gregorio’s vision of the digital constitutionalism, the foundations he lays are both intellectually and normatively robust, providing a crucial starting point for future research in the rapidly evolving field of new technologies.

References

1 G. De Gregorio, Digital Constitutionalism in Europe. Reframing Rights and Powers in the Algorithmic Society (Cambridge University Press 2022).

2 Dworkin’s famous political integrity argument suggests an internal moral coherence of laws which allows the preservation of its political integrity: R. Dworkin, Law’s Empire (Harvard University Press 1986) p. 176.

3 Coincidentally, Varoufakis expressed a similar opinion, when qualifying the digital (i.e. platform-dominated) markets as technofeudal, alluding to platforms’ power over individuals’ data, without those individuals having much say in how their data are collected, used and stored by the technolords (as Varoufakis qualifies online platforms). See Y. Varoufakis, Technofeudalism: What Killed Capitalism? (Bodley Head 2023).

4 Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data O.J. 1995, L 281/31.

5 Directive 2000/31 on certain legal aspects of information society services, in particular electronic commerce, in the Internal market O.J. 2000, L 178/1.

6 ECJ 13 May 2014, Case C-131/12, Google Spain, ECLI:EU:C:2013:424.

7 Ibid., para. 38.

8 ECJ 29 January 2008, Case C-275/06, Promusicae, ECLI:EU:C:2007:454.

9 ECJ 19 February 2009, Case C-557/07, LSG, ECLI:EU:C:2009:107.

10 ECJ 23 March 2010, Joined Cases 236/08 to C-238/08, Google France, ECLI:EU:C:2009:569.

11 ECJ 12 July 2011, Case C-324/09, L’Oréal, ECLI:EU:C:2010:757.

12 Regulation No. 2022/2065 on a Single Market for Digital Services O.J. 2022, L 277/1.

13 Directive 2019/790 on copyright and related rights in the Digital Single Market O.J. 2019, L 130/92.

14 Directive 2018/1808 on the coordination of certain provisions laid down by law, regulation and administrative action in Member States concerning the provision of audiovisual media services (Audiovisual Media Services Directive) O.J. 2018, L 303/69.

15 Regulation No. 2021/784 on addressing the dissemination of terrorist content online O.J. 2021, L 172/79.

16 ECJ 3 October 2019, Case C-18/18, Eva Glawischnig-Piesczek, ECLI:EU:C:2019:821.

17 Ibid., para. 47.

18 ECJ 22 January 2013, Case C-283/11, Sky Österreich, ECLI: EU:C:2012:341.

19 See e.g. R. Dworkin, Taking Rights Seriously (Harvard University Press 1978) p. 193; S. Riley, ‘Human Dignity as a Sui Generis Principle’, 32(4) Ratio Juris (2019) p. 439; R. Bayefsky, ‘Dignity, Honour, and Human Rights’, 41(6) Political Theory (2013) p. 775.

20 The search for balance between market rationality and democatic rationality is expressed in the White Paper on AI which alludes to the balance sought between the ecosystems of trust and of excellence: White Paper on AI, COM (2020) 65 final.

21 A. Bradford, The Brussels Effect: How the European Union Rules the World (Oxford University Press 2020).

22 M. Draghi, The Future of European Competitiveness, 9 September 2024, https://commission.europa.eu/topics/eu-competitiveness/draghi-report_en#paragraph_47059, visited 30 November 2025.

23 R. Carré de Malberg, Contribution à la théorie générale de l’État (Sirey 1920).

24 G. Jellinek, L’État moderne et son droit (Giard & Brière 1911).

25 C. Schmitt, La théorie politique du mythe (PUF 2009); C. Schmitt, Le nomos de la terre: dans le droit des gens du ‘jus publicum europaeum’ (PUF 2001).

26 H. Kelsen, Pure Theory of Law (Clark 2005).

27 G. Burdeau, Traité de science politique (LGDJ 1980) p. 98.

28 ECJ 23 April 2986, Case C-294/83, Les Verts v Parliament, ECLI:EU:C:1985:483, para. 23.

29 See, namely, J. Gerkrath, L’émergence d’un droit constitutionnel pour l’Europe : modes de formation et sources d’inspiration de la Constitution des Communautés et de l’Union européenne (Université de Bruxelles 1997).

30 G. Marti, Le pouvoir constituant européen (Bruylant 2011).

31 Constitutional patriotism was conceptualised by Habermas and gave way to a significant constitutional and political scholarship. For a comment on this doctrine, see, for example, F.H. Llano Alonso, ‘European Constitutional Patriotism and Postnational Citizenship in Jürgen Habermas’, 103(4) Archiv für Rechts und Socialphilosophie (2017) p. 504.

32 See K. Yeung and S. Ranchordas, An Introduction to Law and Regulation: Text and Materials (Cambridge University Press 2024).

33 N. Smuha, Algorithmic Rule by Law: How Algorithmic Regulation in the Public Sector Erodes the Rule of Law (Cambridge University Press 2024).

34 This focus on risks is visible even in earlier works on ‘constitutional perspectives’ on digitalisation. See, for instance, I. Pernice, ‘Risk Management in the Digital Constellation – A Constitutional Perspective’, 26(2) Revista de Internet, Derecho y Politica (2019) p. 83.

35 Case C-40/17, Fashion ID, ECLI:EU:C:2019:629.

36 Ibid., para. 26.

37 See O. Pollicino, Judicial Protection of Fundamental Rights on the Internet: A Road Towards Digital Constitutionalism? (Hart Publishing 2021).

38 M. Jones, ‘Mind Extended: Relational, Spatial, and Performative Ontologies’, 39 AI & Society (2024) p. 21.

39 See, inter alia, S. Pierosara, ‘Narrative Autonomy and Artificial Storytelling’, 39 AI & Society (2024) p. 1785; E. Grosz, ‘Identity and Individuation: Some Feminist Reflections’, in E. Grosz et al. (eds.), Gilbert Simondon. Being and Technology (Cambridge University Press 2012) p. 37; A. Bardin, Epistemology and Political Philosophy in Gilbert Simondon. Individuation, Technics, Social Systems (Springer 2015); B. Latour, ‘Agency at the Time of Anthropocene’, 45 New Literary History (2014) p. 1.

40 M. Coeckelbergh, Human being @ Risk. Enhancement, Technology, and the Evaluation of Vulnerability Transformations, Philosophy of Engineering and Technology, vol. 12 (Springer 2013); G. Malgieri, Vulnerability and Data Protection Law (Oxford University Press 2023).