Stefan Schiffner

On the endeavour designing and deploying a privacy certification scheme under the GDPR

PDF logo

Abstract: The talk will shortly sketch the genesis of a certification scheme. First, it will introduce the concept of GDPR certification under Art 42 /43 GDPR. Then it will reflect on the initial research challenges and the resulting research projects which lead to the development of lean sketch of a certification scheme. Some focus will be taken on the various technological obstacles on the way. The second half of the talk will then tell the story from finished research project to a scheme that can be used in practice; including, the legal and organisational inhibitors.

Photo showing Stefan Schiffner, copyright held by Johannes Noldt, BHH

Stefan Schiffner is lecturing Computer Networks and IT Security at BHH University of Applied Sciences Hamburg. He has been a post doctoral researcher at University of Luxembourg, an expert in information security at the European Union’s Cyber Security Agency (ENISA), and a post-doctoral researcher at TU Darmstadt, were he led a team of researchers on the topics of privacy and trust within the Telekooperation group. He holds a Ph.D. from KU Leuven (Topic: models for online privacy, trust and reputation) and the Degree of Diplom Informatiker from TU Dresden. His research interests focus on secure information technologies and their policy implications. This includes specifically Privacy Enhancing Technologies, computational trust, “by Design” Paradigms, and maturity and market readiness of technologies. A computer scientist by training, Stefan is an advocate for the free use of cryptographic techniques and anonymisation tools as means for individuals to exercise their right to privacy and freedom of speech.


Maria Grazia Porcedda

The effacement of information technology from EU law: the need for collaborative approaches to redesign the EU’s regulatory architecture

Abstract: EU information technology law is built like a multi-storey house: on the ground floor is technology development and on the top floor are regulatory principles and rights; in the middle floor lie standards, which should connect the top with the ground floor. The house is built on the premise that these floors are seamlessly connected, but are they? The multi-storey house was in fact built without staircases, causing a practical disconnect between regulatory principles and technology development. In this talk, which draws from the 2023 book ‘Cybersecurity, Privacy and Data Protection in EU law’, we will explore why information technology is effaced from EU law in practice, and the implications for cybersecurity, data protection, data markets, identity management, privacy and many other fields. We will explore what collaborative approaches may be needed to redesign the EU regulatory architecture.

Photo showing Maria Grazia Porcedda

Maria Grazia Porcedda (website) is Assistant Professor in Information Technology Law at the School of Law, Trinity College Dublin. She works on the relationship between law and technology and especially privacy, data protection, cybersecurity and cybercrime in EU law. She is the author of ‘Cybersecurity, Privacy and Data Protection in EU Law. A law, policy and technology analaysis’ (Hart Publishing 2023). Maria Grazia is the Principal Investigator, among others, of the Provost’s PhD Projects Award PRECYLI on cybercrime law in Ireland. She is a member of the EDPB’s Support Pool of Experts, of Horizon Europe VIGILANT’s Advisory Board and of ADAPT, the Global Centre of Excellence for Digital Content and Media Innovation. She visited the School of Law at Pompeu Fabra University (Barcelona) and the Tilburg Institute of Law and Technology. Maria Grazia holds a PhD in Law from the European University Institute.


Lothar Fritsch

The subtle differences between privacy risk and privacy breach consequences

PDF logo

Abstract: Handling personal data may cause risks for the persons whose data is processed or stored. But which risks are we referring to when we discuss privacy risks? Regulation sets specific emphasis on especially sensitive personal data, as well as on processing efforts that are affecting a large number of individuals, or society as a whole. Risk analysis in the form of data protection impact analysis (DPIA) and Privacy risk analysis (PRA) is required or strongly recommended in various frameworks. This talk will examine the concept of privacy risks and their consequences. It will present the various perspectives and what they actually capture, or neglect. Listeners will gain a better understanding on risks and consequences of personal data breaches, and about the maturity of the assessment methods used to assess such risks.

Photo showing Lothar Fritsch

Lothar Fritsch is professor for Applied Cybersecurity at Oslo Metropolitan University. His areas of interest are information privacy, identity management, cyberwar, privacy technology, privacy risk assessment, and general cybersecurity topics. Lothar has been part of pan-European research projects on privacy and identity management, and has worked on topics such as privacy enhanding technology, privacy risk analysis, and human factors in information security. He teaches and supervises in many areas of computer science, among others Internet of Things, network security and Privacy by Design. He supervises PhD students, and bachelor and master thesis projects, in collaboration with industry, associations and public organizations.


Martin Degeling

The Digital Services Act: New rules for online platforms and how to hold them accountable

Abstract: The Digital Services Act is a legislative approach by the European Union to regulate (large) online platforms. It imposes a new set of roles regarding transparency, e.g. in content moderation or online advertising and mandates risk assessments and audits for those very large online platforms and search engines like Instagram, TikTok, Google or Zalando. They must assess the impact of their platforms, organizations and algorithms on systemic risks like election integrity or the mental health of its users. In my talk, I will describe the idea of the DSA and its implications for researchers conducting studies on online platform data practices. I will draw examples from our research on TikTok and approaches to discuss methodologies for data-based platform research.

Martin Degeling is a researcher at Stiftung Neue Verantwortung, a berlin-based Think Tank for technology policy. Previously, he was a post-doctoral researcher at Ruhr-University Bochum and Carnegie Mellon University. His research interests are black-box auditing of algorithmic systems, usable privacy and security, and data protection.


Wojciech Wiewiórowski

The Myth of ‘Global Standard’ in Personal Data Protection

Photo showing Wojciech Wiewiórowski

Wojciech Wiewiórowski is the European Data Protection Supervisor (EDPS) since December 2019. He is an adjunct professor in the Faculty of Law and Administration of the University of Gdańsk. He was among others adviser in the field of e-government and information society for the Minister of Interior and Administration, the Director of the Informatisation Department at the Ministry of Interior and Administration. He also represented Poland in committee on Interoperability Solutions for European Public Administrations (the ISA Committee) assisting the European Commission. The Inspector General for the Protection of Personal Data (Polish Data Protection Commissioner) 2010-2014 and the Vice Chair of the Working Party Art. 29 in 2014. In December 2014, he was appointed Assistant European Data Protection Supervisor. After the death of the Supervisor - Giovanni Buttarelli in August 2019 - he replaced Mr. Buttarelli as acting EDPS. His areas of scientific activity include first of all Polish and European IT law, processing and security of information, legal information retrieval systems, informatisation of public administration, and application of new IT tools (semantic web, legal ontologies, cloud, blockchain) in legal information processing.


Jaap-Henk Hoepman

Privacy Is Hard And Seven Other Myths. Achieving Privacy Through Careful Design

Abstract: In this talk Jaap-Henk Hoepman will discuss some of the myths surrounding privacy (like “I have nothing to hide” and “We are not collecting personal data” or “You have zero privacy anyway. Get over it.”). All to show that technological developments have had a tremendous impact on our privacy, but also can be used to protect our privacy. He will talk about the legal protection of privacy through the General Data Protection Regulation (GDPR), and discuss how relying on purely legal measures is not enough. The systems themselves should be designed in a privacy friendly manner, through privacy by design. He will explain the privacy by design philosophy, and make it concrete by describing eight privacy design strategies.

Photo showing Jaap-Henk Hoepman

Jaap-Henk Hoepman (1966) is currently a guest professor at the PRISEC - Privacy And Security group of Karlstad University, Sweden.

He is also an associate professor at the Digital Security group of the Radboud University, Nijmegen, the Netherlands, working for the iHub, the interdisciplinary research hub on Digitalization and Society. He is also an associate professor in the IT Law section of the Faculty of Law of the University of Groningen. Moreover he is a principal scientist (and former scientific director and co-founder) of the Privacy & Identity Lab.

He studies privacy by design and privacy friendly protocols for identity management and the Internet of Things. He speaks on these topics at national and international congresses and publishes papers in (inter)national journals. He also appears in the media as security and privacy expert, and writes about his research in the popular press. He is actively involved in the public debate concerning security and privacy in our society.

In October 2021 his book Privacy Is Hard and Seven Other Myths. Achieving Privacy through Careful Design appeared at MIT Press.

In his free time he enjoys making composing music, designing graphics, cooking, and practising Okinawan Goju Ryu karate-do.


Marit Hansen

AI and Data Protection - Challenges for Controllers, Processors and Supervisory Authorities

PDF logo

Abstract: In 2023, numerous artificial intelligence (AI) tools such as large language models and graphics software were made available to the public. Data protection regulators began investigating data processing related to some of these AI tools. At the same time, the legislative process on the European AI law continued. However, there are still some issues to be resolved in terms of promoting fair AI-powered data processing that impacts data subjects or society. In her talk, Marit explains data protection challenges for controllers, processors and supervisory authorities. She presents risks from the data protection perspective and beyond, and discusses potential steps to mitigate those risks.

Photo showing Marit Hansen

Since 2015 Marit Hansen has been the State Data Protection Commissioner of Land Schleswig-Holstein and Chief of Unabhängiges Landeszentrum für Datenschutz (ULD). Before being appointed Data Protection Commissioner, she had been Deputy Commissioner for seven years. Since her diploma in computer science in 1995 Marit has been working on privacy and security aspects. Her focus is on “data protection by design” and “data protection by default” from both the technical and the legal perspectives. She often gives talks and has been lecturing at various universities and academies. Marit was member of the Data Ethics Commission of the German Government. Her contribution to education and research on privacy-enhancing technologies has awarded her an honorary doctorate from Karlstad University, Sweden.


Liina Kamm

Deploying privacy enhancing technologies in an e-government

PDF logo

Abstract: Would it not be amazing if a country could build data-driven services based on the data of its population or organisations while preserving the privacy of the individuals and providing transparency on the processing? In this talk we will take a look at the possibilities that different privacy enhancing technologies offer by enabling different stakeholders to process data without seeing individual values. We look at issues that public sector organisations have with using PETs and issues that could be solved by PETs.

Photo showing Liina Kamm

Liina Kamm received her PhD in computer science from the University of Tartu in 2015. She is a senior researcher and research project lead at Cybernetica (a deep-tech SME in Estonia). She started her professional career designing software for the Estonian Genome Foundation and for cross-border clinical trials. She then focused her research on enabling privacy-preserving statistical analysis for social sciences and genomics.