While information security is widely considered to be one of the most pressing problems of our time, it is far from clear how public actors can contribute to making information technology (IT) and information networks safe. Nevertheless, lawmakers have started to address the issue: in 2015, statutes were passed in Germany, the European Union, the U.S. and many other states, which are supposed to improve information security for essential data and information infrastructures. But can national or even supranational actors effectively regulate this global problem? And what is the potential impact of information security governance on constitutional rights? I want to understand why the existing legal regime fails to provide for an adequate level of information security and how it can become more effective - without compromising the (supra-)national constitutional framework. There are three aspects of information security governance that I plan to explore further as part of my proposed research: First, I identify and analyze the four main challenges faced by information security governance as well as their implications for effective rule making. These challenges are the non-territorial architecture of the Internet, the important role and dynamic development of technology in this field, the dialectical relationship between information security and fundamental rights, and the lack of trust in public authorities as far as the regulation of "digital" matters is concerned. Second, I reconstruct the legal regime of information security governance. A look beyond the recent statutes reveals that there already exists a large body of rules governing information security risks. This complex, partly transnational regime and the "hybrid" nature of some of the institutions involved in rule making make a global and pluralist account of information security law (ISL) necessary. Third, I seek to evaluate how information security governance can manage the tension between effectiveness and legality. In the absence of an international legal framework, it is mainly national and supranational constitutional law that legally structures information security governance. I analyze whether and how constitutional obligations are affected and, eventually, transformed when confronted with the pluralist and transnational rule making processes in which ISL is embedded. All in all, the project uses ISL as a lens to analyze general questions and challenges for regulation in the information age.

DFG Programme Research Grants