Technologies in Law: Digital Governance, Artificial Intelligence, and Human Rights

Executive Summary

Technology is transforming the legal environment as deeply as it is transforming the economy, healthcare, agriculture, finance, and public administration. Digital platforms, artificial intelligence, biometric systems, automated decision-making, blockchain, cloud infrastructure, algorithmic governance, and data-driven public services are changing how rights are exercised, how institutions make decisions, how companies operate, and how individuals interact with the state.

This transformation creates major opportunities. Legal technologies can improve access to justice, reduce administrative burden, support transparent governance, help lawyers and public institutions analyze large volumes of information, and make legal services more efficient. At the same time, emerging technologies create serious risks for privacy, freedom of expression, non-discrimination, due process, accountability, and human dignity.

The central challenge is not whether law should regulate technology. The real challenge is how law can remain effective in an environment where technologies are increasingly autonomous, adaptive, cross-border, and difficult to explain. Traditional legal systems were built around identifiable human actors, clear institutional responsibility, and relatively stable decision-making processes. Modern AI systems, especially agentic AI, challenge these assumptions because they can pursue goals, coordinate multi-step actions, and make decisions with decreasing levels of human involvement.

This report examines the intersection of law, technology, and human rights. It focuses on digital governance, artificial intelligence, agentic AI autonomy, GDPR compliance, the EU AI Act, human rights risks, corporate responsibility, cybersecurity, and the need for adaptive legal frameworks. It also considers why these developments are important for Armenia and for the broader digital economy agenda.

1. Law in the Digital Era

The digital era requires a new understanding of legal governance. Technology is no longer a separate technical field that lawyers can treat as external to legal systems. It is becoming part of the infrastructure through which rights, markets, public services, security, and social life are organized.

Law must therefore respond at several levels. It must protect individuals from harm. It must create predictable rules for businesses. It must support innovation. It must ensure accountability in public administration. It must preserve human rights in online and automated environments. It must also help societies distinguish between acceptable technological progress and harmful technological power.

A major difficulty is that digital technologies often operate across borders, while legal systems remain mainly territorial. A platform may be designed in one country, hosted in another, used globally, and affect individuals under many different legal regimes. This creates jurisdictional complexity and makes cooperation between states, regulators, companies, and civil society essential.

2. Digital Governance and Cyber Governance

A useful starting point is the distinction between "digital" and "cyber." These terms are often used together, but they do not always refer to the same legal questions.

The cyber domain is usually connected with security, cyber operations, critical infrastructure, cyberattacks, ransomware, state responsibility, international humanitarian law, and questions of sovereignty and non-intervention. In this field, legal debates often concern whether international law applies to state conduct in cyberspace and how traditional rules apply to new forms of conflict and coercion.

The digital domain is broader. It includes online platforms, data protection, digital markets, artificial intelligence, e-government, consumer protection, freedom of expression, privacy, digital identity, digital trade, and human rights. Digital governance is therefore not only about security. It is also about the rights and responsibilities that shape everyday digital life.

This distinction matters because legal framing affects legal outcomes. If every digital issue is treated as a cyber issue, security logic may dominate and human rights protections may become weaker. If every cyber issue is treated only as a digital service issue, serious security risks may be underestimated. A mature legal approach must recognize both dimensions.

3. The Principle of Rights Continuity

A core principle for the digital era should be rights continuity. This means that human rights do not disappear when social activity moves online or becomes mediated by technology. Privacy, freedom of expression, equality, due process, access to remedy, human dignity, and protection from arbitrary interference must apply in digital environments as they do offline.

Rights continuity does not mean that old legal rules can always be applied mechanically. Some technological contexts require new procedures, new institutions, and new technical safeguards. But the underlying principle remains the same: technology must serve human beings, not weaken their legal protection.

For example, automated decision-making in employment, healthcare, public benefits, migration, policing, or education can affect people as seriously as traditional human decision-making. The fact that a decision is generated by an algorithm does not reduce its legal significance. On the contrary, it may increase the need for transparency, contestability, and oversight.

4. Human Rights Risks of Emerging Technologies

Digital technologies are not neutral. Their impact depends on how they are designed, trained, deployed, governed, and monitored. The same technology can improve access to services or become a tool of exclusion and surveillance.

Privacy and Data Protection

Privacy is one of the most affected rights in the digital age. Modern systems collect, process, infer, and share enormous amounts of personal data. Smartphones, digital platforms, smart assistants, health applications, biometric systems, location services, and connected devices create detailed digital profiles of individuals.

Biometric technologies create especially sensitive risks. Facial recognition, voice recognition, fingerprint systems, and other biometric tools can be used for identification, authentication, public security, or service delivery. However, they can also enable mass surveillance, tracking of political opponents, monitoring of vulnerable groups, and permanent loss of anonymity in public spaces.

The legal challenge is to ensure that data processing is lawful, necessary, proportionate, transparent, secure, and subject to oversight. Data protection is no longer only a compliance issue. It is a central condition for democratic trust.

Freedom of Expression

Online platforms have become essential spaces for public debate, journalism, political participation, education, and social organization. At the same time, they are vulnerable to disinformation, hate speech, manipulation, harassment, and coordinated influence operations.

Regulating online harms is difficult because states must balance competing rights and interests. If regulation is too weak, online platforms can become spaces for violence, discrimination, and manipulation. If regulation is too broad or vague, it can become a tool for censorship and suppression of legitimate speech.

Legal systems must therefore focus on due process, transparency, independent oversight, appeal mechanisms, and clear definitions. Platform governance should not depend only on private content moderation rules or opaque automated filters. It must be connected to the rule of law.

Non-Discrimination

AI systems can reproduce and amplify social bias. If training data reflects historical inequality, algorithmic outputs may discriminate against certain groups. This can happen in recruitment, credit scoring, healthcare, policing, education, welfare distribution, border control, and housing.

The risk is not always intentional discrimination. Often the problem is structural. A model may use variables that appear neutral but function as proxies for gender, ethnicity, disability, age, income, geography, or social status.

Law must therefore require bias assessment, transparency, testing, documentation, and access to remedy. Non-discrimination in the AI era requires both legal standards and technical evaluation.

5. Humanitarian Data Protection as a Case Study

The humanitarian sector shows why data protection is not just a bureaucratic requirement. In crisis situations, data can save lives. Humanitarian organizations collect information to deliver food, shelter, healthcare, cash assistance, family reunification, and protection services.

However, humanitarian data can also create risks. If sensitive data about refugees, displaced persons, conflict victims, or vulnerable communities is misused, leaked, shared with hostile actors, or repurposed for surveillance, the consequences can be severe.

This is why data protection in humanitarian action is a core enabler of neutrality, impartiality, independence, and human dignity. Legal and technical safeguards must prevent scope creep, meaning the reuse of emergency data for purposes such as migration enforcement, surveillance, profiling, or political control.

The humanitarian case also shows the importance of third-party risk. Cloud providers, payment systems, digital identity vendors, and analytics companies may become part of humanitarian operations. Their role must be governed carefully because responsibility cannot be outsourced.

6. Generative AI and Agentic AI

Generative AI and agentic AI should be distinguished.

Generative AI creates content in response to prompts. It can draft text, summarize documents, generate code, create images, translate language, and support research. In law, it can help with legal drafting, contract review, document analysis, case summaries, and legal information services.

Agentic AI goes further. It can pursue goals, break tasks into steps, interact with tools, coordinate actions, make decisions, and operate with a degree of autonomy. For example, an AI agent may not only summarize a legal file but also search databases, compare laws, draft a response, send notices, update records, or trigger administrative workflows.

This shift from reactive systems to goal-oriented systems creates new legal risks. The more autonomy an AI system has, the harder it becomes to identify who made a decision, why the decision was made, whether the decision was lawful, and who is responsible for harm.

7. The Six Levels of Agentic AI Autonomy

A practical way to understand agentic AI is to classify autonomy by the level of human involvement.

Level 1: Human Operator

At this level, the human makes the decision and uses AI only as a tool. The AI may provide information, but the human remains fully in control.

Level 2: Human-AI Collaboration

The human and AI work together. The AI may suggest actions, but the human remains actively involved in the decision-making process.

Level 3: AI Decision with Human Approval

The AI proposes or makes a decision, but it cannot be implemented without human approval. The human acts as an approver.

Level 4: AI Decision with Human Consultation

The AI makes a decision after consulting a human. The human provides input, but the system has greater autonomy.

Level 5: AI Decision Observed by Human

The AI makes decisions independently, while the human monitors the system as an observer.

Level 6: AI Decision with No Human Monitoring

The AI makes decisions autonomously with no human input or ongoing monitoring.

This taxonomy is important because legal safeguards should increase as autonomy increases. At lower levels, human involvement is embedded in the decision-making process. At higher levels, protection must rely more on system-level oversight, logging, auditability, explainability, intervention rights, and accountability mechanisms.

8. GDPR and Automated Decision-Making

The General Data Protection Regulation remains one of the most important legal frameworks for data protection and automated decision-making. It gives individuals rights over their personal data and imposes obligations on controllers and processors.

Agentic AI creates pressure on several GDPR rights.

Right of Access

The right of access allows individuals to know whether their personal data is being processed and to receive information about that processing. In automated decision-making, this includes meaningful information about the logic involved.

With adaptive AI, this becomes difficult. A traditional system may follow a relatively stable decision tree. An agentic AI system may make decisions through dynamic, multi-step, context-dependent processes. Explaining one output may not be enough. Regulators and controllers may need to reconstruct a decision pathway.

Right to Data Portability

The right to data portability allows individuals to receive and transfer their data. This becomes more complex when systems generate inferred or derived data. In AI systems, the most valuable information may not be the raw data provided by the person, but the predictions, classifications, risk scores, annotations, and insights generated from that data.

This raises an important policy question: should individuals have rights only over data they provide, or also over meaningful inferences produced about them?

Right to Erasure and Machine Unlearning

The right to erasure, often called the right to be forgotten, becomes technically complex in AI systems. Deleting raw data from a database may not remove the influence of that data from a trained model.

Machine unlearning is an emerging technical approach that attempts to remove the influence of specific data from an AI model without retraining the entire system from the beginning. It could become important for GDPR compliance. However, it raises difficult questions: how can an organization prove that a model has truly forgotten data? How can regulators verify unlearning? What happens when data has shaped an autonomous agent's future behavior?

9. Accountability and Legal Personality

A major legal debate concerns whether autonomous AI systems should have legal personality. This report takes a cautious position: granting legal personality to AI may distract from human and institutional accountability.

Under current legal frameworks, accountability should remain with natural persons and legal entities: developers, deployers, controllers, processors, companies, public authorities, and responsible professionals. AI systems do not have moral responsibility, legal judgment, or democratic legitimacy. They should not become shields behind which humans avoid responsibility.

The better approach is to clarify responsibility across the AI lifecycle. Who designed the system? Who trained it? Who selected the data? Who deployed it? Who monitored it? Who benefited from it? Who had the power to prevent harm? These questions are more useful than treating AI as an independent legal person.

10. The EU AI Act and Risk-Based Governance

The EU AI Act represents one of the most important attempts to regulate AI through a risk-based framework. It classifies AI systems according to levels of risk and imposes stronger obligations on high-risk systems.

High-risk AI systems may include systems used in areas such as employment, education, law enforcement, migration, access to essential services, healthcare, and other contexts where decisions can seriously affect people's lives.

For law and public governance, this is very important. Automated systems used by courts, ministries, regulators, police, border agencies, public service providers, or employers can have major consequences for rights. Risk-based regulation helps direct legal attention to the systems where harm is most likely or most serious.

However, risk classification should not become a substitute for real impact analysis. A system that is formally classified as lower risk may still harm individuals in practice. Therefore, legal frameworks should combine classification with monitoring, complaint mechanisms, and evidence-based review.

11. Fundamental Rights Impact Assessment

The Fundamental Rights Impact Assessment, or FRIA, is one of the most important governance tools for AI. It is broader than a data protection assessment because it looks beyond personal data and considers wider effects on human rights and society.

A FRIA should examine questions such as:

1. Which rights may be affected? 2. Which groups may be vulnerable to harm? 3. Could the system discriminate? 4. Is the system necessary and proportionate? 5. Is there a less intrusive alternative? 6. Can individuals understand and contest decisions? 7. Is human oversight meaningful? 8. Are logs and audit trails available? 9. Who is responsible if harm occurs?

Article 27 of the EU AI Act addresses fundamental rights impact assessment requirements for certain high-risk AI systems. FRIA should not be treated as a formal checklist completed at the end of development. It should be integrated into the full lifecycle of the system, from design to deployment and monitoring.

12. Data Protection Impact Assessment

A Data Protection Impact Assessment, or DPIA, focuses specifically on risks to personal data. It is especially important when processing is likely to create high risks for individuals, such as large-scale monitoring, sensitive data processing, profiling, or automated decision-making.

DPIA and FRIA are connected but not identical. DPIA asks whether personal data is being processed lawfully and safely. FRIA asks whether the system affects broader rights such as equality, freedom of expression, human agency, dignity, access to services, and due process.

In the AI era, both tools are needed. DPIA protects data rights. FRIA protects the broader human rights environment.

13. Meaningful Human Oversight

Human oversight is often mentioned as a safeguard, but it must be meaningful. A human reviewer who simply approves machine outputs without understanding them is not real oversight. A human who cannot challenge, pause, override, or correct the system is not exercising genuine control.

Meaningful human oversight requires competence, authority, information, time, independence, and institutional support. Humans must be able to understand the system's purpose, review its outputs, detect errors, challenge assumptions, and intervene when necessary.

This is especially important for agentic AI. As autonomy increases, oversight must shift from occasional review to continuous governance. High-autonomy systems should include monitoring, logs, alert mechanisms, escalation procedures, and the ability to stop or recalibrate the system.

14. Explainability and the Explainability Gap

Explainability is central to legal accountability. Individuals affected by automated decisions need to understand why a decision was made. Regulators need to investigate whether systems are lawful. Controllers need to verify that systems are working as intended.

However, explainability becomes difficult with complex AI. Some systems operate through patterns that are not easily translated into human reasoning. Agentic AI creates an additional challenge because it may make a sequence of decisions over time rather than a single isolated output.

This creates an explainability gap. The legal system asks for understandable reasons, while technical systems may produce complex, dynamic processes. Closing this gap requires better documentation, logging, audit trails, model cards, system cards, testing records, user instructions, and independent review.

Explainability should be designed into systems from the beginning. It cannot be added only after harm occurs.

15. Standardization, Procurement, and Corporate Responsibility

Law alone cannot govern technology effectively. Technical standards, procurement rules, corporate governance, and human rights due diligence also matter.

International standards can help translate abstract legal principles into practical technical requirements. They can support risk management, cybersecurity, bias testing, documentation, auditability, data quality, and lifecycle monitoring.

Public procurement is especially powerful. Governments can require vendors to meet human rights, cybersecurity, transparency, and data protection standards before buying AI systems. This can shape markets and encourage responsible innovation.

Corporate responsibility is also essential. The UN Guiding Principles on Business and Human Rights establish that companies have a responsibility to respect human rights. For technology companies, this means conducting human rights due diligence, identifying risks, preventing harm, mitigating impacts, and providing remedy when harm occurs.

16. Lifecycle Governance of AI Systems

AI governance should cover the entire lifecycle of the system.

Goal Setting

The first question is whether the AI system should exist at all. The purpose must be lawful, legitimate, necessary, and aligned with human rights.

Design and Development

Developers must integrate data protection by design, security by design, explainability, human oversight, and documentation from the beginning.

Training and Validation

Training data must be assessed for quality, representativeness, bias, and legality. Systems must be tested before deployment.

Testing and Red Teaming

AI systems should be tested under realistic and adversarial conditions. Red teaming can identify vulnerabilities, harmful outputs, manipulation risks, and failure modes.

Deployment

Deployment should include user training, accountability structures, monitoring tools, complaint channels, and escalation procedures.

Maintenance and Monitoring

AI systems should not be abandoned after launch. They require continuous monitoring, audits, updates, bias checks, and review of real-world impacts.

17. Access to Justice and Legal Technology

Technology can also improve access to justice. Many people cannot afford legal advice or do not understand legal procedures. Digital tools can help provide legal information, document templates, case tracking, translation, online dispute resolution, and public service guidance.

AI can support lawyers by summarizing case law, reviewing contracts, organizing evidence, drafting legal documents, and identifying relevant legislation. Courts and public institutions can use technology to improve efficiency and transparency.

However, legal technology must be designed carefully. AI legal tools should not mislead users, generate false legal claims, or replace professional legal judgment in complex matters. Access to justice means more than access to automated answers. It requires reliability, fairness, accountability, and the ability to reach a human expert when necessary.

18. Implications for Armenia

For Armenia, the intersection of law and technology is strategically important. Digital transformation, e-government, AI adoption, cybersecurity, digital identity, innovation policy, and data governance are all connected to legal modernization.

Armenia can benefit from developing a stronger legal-tech and digital governance agenda in several directions:

1. Creating clear rules for public-sector AI and automated decision-making. 2. Strengthening data protection and cybersecurity in public services. 3. Supporting legal technology startups and digital justice tools. 4. Introducing AI literacy for lawyers, judges, public servants, and policymakers. 5. Developing public procurement standards for responsible AI systems. 6. Encouraging cooperation between legal experts, technologists, universities, and public institutions. 7. Aligning national digital governance with international human rights standards. 8. Supporting research on AI, law, and human rights through think tanks and academic institutions.

The Institute of Digital Economy can play a useful role in this field by connecting legal analysis with technology policy. It can support research, public discussion, training, policy recommendations, and international cooperation.

For Armenia, this is not only a legal issue. It is also a digital economy issue. A trusted digital economy requires trusted digital governance. Businesses, citizens, researchers, investors, and public institutions need legal certainty. If Armenia wants to develop AI, digital platforms, health technologies, fintech, agritech, and e-government, it also needs strong rules for data, accountability, cybersecurity, and human rights.

Conclusion

The relationship between law and technology is becoming one of the defining governance challenges of the digital age. AI, data systems, digital platforms, biometrics, cloud infrastructure, and automated decision-making can improve public services, legal work, business efficiency, and access to justice. But they can also create new forms of surveillance, discrimination, opacity, and unaccountable power.

The future of legal governance must be adaptive, human-centered, and rights-based. It must preserve the principle that technology should serve people, not replace legal responsibility. Human rights must continue online. Accountability must remain with humans and institutions. AI systems must be explainable, contestable, secure, and subject to meaningful oversight.

For Armenia and similar countries, this field offers both a challenge and an opportunity. By developing responsible digital governance, Armenia can protect rights, support innovation, strengthen public trust, and position itself as a serious participant in the global digital economy.

Sources and Useful Links

• European Commission — AI Act
• European Commission — Navigating the AI Act
• AI Act Service Desk — Article 27: Fundamental Rights Impact Assessment
• GDPR Legal Text
• European Commission — Data Act
• European Commission — European Health Data Space
• OHCHR — UN Guiding Principles on Business and Human Rights
• Oxford Process on International Law Protections in Cyberspace