Governing by proxies: Indicators and the Transformation of Rights in the EU

In recent years, the European Union has developed an extensive regulatory framework for the  governance of data and artificial intelligence, most notably through the AI Act and the European  Data Strategy. These initiatives are explicitly grounded in fundamental rights and the ambition to  promote “human-centric” digital governance.

At the same time, however, a less visible transformation is taking place within European public  administration. Decision-making processes are increasingly structured through indicators, scoring  systems, and data models that translate complex legal and social realities into measurable  variables.

This development raises questions that go beyond the regulation of technology as such, and  speaks to a distinctive feature of the European approach: the attempt to reconcile data-driven  governance with a deeply rights-based legal order. It concerns the transformation of legal decision making itself: not only how law constrains algorithmic systems, but how the growing reliance on  data-driven instruments reshapes the way rights are interpreted, applied, and ultimately  experienced.

In this context, indicators do not merely support administrative action. They begin to function as  proxies for legal categories, mediating the relationship between individuals and their rights in ways  that are not always visible within traditional legal frameworks. While similar data-driven practices  can be observed in other jurisdictions, the European context is distinctive in that these  developments unfold within a legal framework that explicitly centres fundamental rights as a  primary normative reference in ways that challenge the assumptions of traditional legal reasoning.

From legal categories to data categories

EU digital regulation does not only seek to constrain the use of artificial intelligence; it also actively  enables and structures the use of data in public governance. Instruments such as the AI Act, the Data Governance Act and the Data Act aim to facilitate data sharing and reuse across sectors,  including within and between public administrations.

This evolving framework encourages public authorities to operate as data-driven actors, integrating  large datasets and analytical tools into decision-making processes. As a result, legal categories that  have traditionally required interpretation—such as vulnerability, risk, or eligibility—are increasingly  translated into structured data inputs.

This process has been explicitly acknowledged in EU data protection practice. In EDPB-EDPS Joint  Opinion 1/2026 on the Digital Omnibus, the European Data Protection Board and the European  Data Protection Supervisor emphasise the challenges involved in identifying and regulating high risk AI systems, noting in particular that the list of such systems cannot be exhaustive and that  even systems not formally classified as high-risk may still adversely affect individuals’ fundamental  rights. The Opinion further highlights that the impact of AI systems is highly dependent on context,  use, and evolving data practices, making their classification and assessment inherently complex.

These challenges are further illustrated—albeit in a limited and context-specific manner—by the  EDPS mapping exercise on high-risk AI systems within EU institutions, agencies, and bodies. Based  on voluntary self-assessments, the report shows that the classification of systems often depends  on how actors interpret the applicable legal framework. It reveals variations in categorisation  practices, instances of over- or under-classification, and a lack of consistency across institutions,  while also acknowledging that the mapping is partial and evolving.

While the scope of this exercise remains limited to EU-level actors and cannot be generalised, it  nonetheless provides a concrete illustration of a broader structural difficulty: translating open ended legal categories into stable and operational classifications in data-driven environments.

This translation is therefore not merely technical. It involves a process of reduction, in which  complex social and legal realities are reformulated in ways that can be processed by models and  metrics. What is gained in standardisation and scalability may, however, come at the cost of  nuance and contextual judgment.

It is at this point that indicators begin to assume a new role: not simply as tools for informing  decisions, but as operational substitutes for legal evaluation that significantly shape the way rights  are concretely realised.

The AI Act and the operationalisation of fundamental rights

The architecture of the AI Act provides a particularly clear illustration of how fundamental rights are  operationalised within the EU’s data-driven regulatory framework. Rather than applying rights  directly to specific decisions, the Regulation adopts a risk-based approach, under which legal  obligations are triggered by the classification of AI systems into categories such as prohibited or high

risk, including a range of public sector uses listed in its annexes.

In this model, fundamental rights concerns—such as risks to equality, due process, or access to  essential services—are not addressed in the abstract, but are translated into ex ante assessments of  risk that determine the applicable regulatory regime. Systems classified as high-risk are subject to a  set of requirements relating to risk management, data governance, transparency, human oversight,  and accuracy, which are designed to mitigate potential harm.

Crucially, however, this framework does not operate through a direct legal qualification of individual  situations. The allocation of a system to a given risk category depends on how its purpose and  context of use are defined and interpreted, and on how potential harms are anticipated and  measured. In this sense, the protection of fundamental rights becomes mediated through proxy

based determinations of risk, which structure when and how legal safeguards are activated.

The result is not a displacement of rights, but a shift in their mode of operation: from principles  applied within legal reasoning to parameters embedded in classificatory and technical frameworks that increasingly shape the conditions under which those rights are made effective.

Indicators, proxies, and the transformation of legal mediation

The increasing reliance on indicators within public administration is sometimes framed through the  well-known idea of “code is law”, associated with According to this perspective,  technological architectures regulate behaviour by embedding constraints directly into digital  systems, thereby displacing traditional legal rules.

While this account captures an important dimension of contemporary digital governance, it does not fully describe the transformation currently unfolding within European administrative practices.  In many cases, legal norms are not replaced by code, nor are decisions fully automated. Rather, they are mediated through layers of quantification that translate legal categories into operational variables.

In data-driven administrative settings, indicators function as structured proxies for concepts such as risk, vulnerability, or eligibility. These proxies do not merely assist decision-making; they shape the conditions under which legal judgment is exercised. Administrative discretion is not eliminated, but increasingly channelled through predefined metrics, thresholds, and classificatory schemes.

The result is a form of governance in which the effective content of rights is neither determined solely by legal norms nor directly by code, but emerges through the interaction between legal frameworks and the proxy-based systems that operationalise them. In this sense, the shift is not from law to code, but within law itself: toward a model in which rights are progressively articulated, and in part defined, through indicators embedded in administrative and technical infrastructures.

From proxies to practice: data-driven administration in action

The role of indicators as proxies becomes particularly visible in concrete administrative practices.  Across , welfare allocation increasingly relies on scoring systems that assess  eligibility or prioritise beneficiaries based on predefined criteria often in line with EU-wide policy  frameworks and data-sharing infrastructures. Similarly, labour inspections and tax enforcement are  often guided by risk-based models that rank individuals or firms according to the likelihood of non compliance. In urban governance, access to public services or interventions may be shaped by  performance indicators and predictive tools that allocate resources across territories.

In each of these cases, the underlying legal framework remains formally intact. Yet, in practice, the  decisive moment shifts to the construction and application of the indicators themselves. It is at this  level that complex individual situations are translated into comparable units, and where the  conditions for accessing rights or being subject to public intervention are effectively determined.

What Governing by Proxies Means for Public Law

The increasing reliance on indicators does not render law obsolete, nor does it displace the  centrality of fundamental rights within the European legal order. However, it does transform the  conditions under which those rights are exercised and made effective. When legal categories are  operationalised through proxies, key principles of public law—such as transparency, accountability,  and the possibility of contestation—are confronted with new structural limits.

In particular, the opacity of complex models, the standardisation inherent in quantitative systems,  and the dispersion of responsibility across technical and institutional actors make it more difficult  to trace how decisions are actually made and justified. This does not necessarily result in a loss of  legality, but it challenges its traditional forms.

The task, therefore, is not to reject indicators, but to re-embed them within a framework of legal  guarantees capable of addressing their specific features. This requires moving beyond the  assumption that rights can be fully captured through measurable proxies, and instead recognising  the need for procedural and institutional safeguards that preserve space for interpretation,  justification, and contestation.

Ultimately, the question is not whether rights can be translated into numbers, but whether a legal  system grounded in fundamental rights can remain meaningful when their practical content is  increasingly shaped by the proxies through which they are administered. This question is  particularly pressing in the European Union, where the commitment to fundamental rights is not  only constitutional, but also embedded in the very design of its digital regulatory framework. Instruments such as the AI Act—with its risk-based classification of systems and specific safeguards  for high-risk applications—and the General Data Protection Regulation—notably its provisions on  profiling and automated decision-making—explicitly frame data-driven practices in terms of rights  protection. At the same time, initiatives such as the Data Governance Act and the Data Act  promote the expansion and circulation of data within and across public administrations. Together,  these instruments do not merely regulate technology; they structure the conditions under which  rights are operationalised in data-driven environments.

*Main image: _pexels-peaky-31177054

*Secondary image: _karla-hernandez-LrlyZzX6Sws-unsplash

Suggested citation:

Cesaria Claudia Losito, ‘Governing by proxies: Indicators and the Transformation of Rights in the EU’ (Comparative Digital Law Blog, 24 April 2026) <https://lawandtech.ie/governing-by-proxies-indicators-and-the-transformation-of-rights-in-the-eu>.

About the author:

Cesaria Claudia Losito is a PhD candidate in Economics and Finance of Public Administrations at the University of Bari Aldo Moro. Her research explores the transformation of public law in data-driven governance, with a particular focus on indicators, algorithmic profiling and the operationalisation of fundamental rights in the italian and european context. She is currently working on the role of quantification in administrative processes and its implications for accountability, transparency, and judicial review. Her broader research interests include EU digital regulation, AI governance, and the relationship between law, data, and public power.