Special Edition Blog Series on PhD Abstracts (Part VI)
This post is a continuation of the blog post series on PhD abstracts. You can find the first part of the series here.
Onntje Hinrichs: Data as Regulatory Subject Matter in European Consumer Law
Whereas data has traditionally not been subject matter that belonged to the regulatory ambit of consumer law, this has changed gradually over the past decade. Today, the regulation of data is spread over various legal disciplines, with data protection law forming its core. The EU legislator is thus confronted with the challenging task of constructing different dimensions of data law without infringing its core, i. e. to coordinate each dimension with the ‘boundary setting instrument’ of the GDPR. This thesis analyses one of these new dimensions: consumer law. Consumer law thereby constitutes a particularly interesting field due to its multiple interactions and points of contact with the core of data law. Authors have increasingly identified the potential of consumer law to complement the implementation of the fundamental right to data protection when both converge on a common goal, i. e. on the right to data protection and to protect consumer privacy interests. At the same time, however, consumer policy might conflict and occasionally even be diametrically opposed with the fundamental right to data protection when, for instance, consumer law enables data (‘counter-performance’) to be commodified in consumer contracts that package pieces of data into pieces of trade. To disentangle this regulatory quagmire, it is therefore necessary to better understand how consumer law participates in and shapes the regulation of data. However, up to this date, no comprehensive enquiry exists that analyses to what extent data has become regulatory subject matter in European consumer law. This thesis aims to fill that gap. This study will provide further clarity on both: what consumer law actually regulates when it comes to the subject matter of data as well as its often-unclear relationship with data protection law. At the same time, this study contributes to further the general understanding of how data is perceived and shaped as regulatory subject matter in EU law.
Robert Poe: Distributive Decision Theory and Algorithmic Discrimination
In the European Union and the United States, principles of normative decision theory, like the precautionary principle, are inherently linked to the practices of risk and impact assessments, particularly within regulatory and policy-making frameworks. The descriptive decision theory 
approach has been applied in legal research as well, where user-centric legal design moves beyond plain-language interpretation to consider how users process information. The EU Digital Strategy employs elements of both normative and descriptive decision theories, integrating these methodologies to develop an encompassing strategy, forecasting technological risks but also engaging stakeholders in constructing a digital future that is consistent with European fundamental rights. Working under the premise that “code is law,” a variety of tools have been developed to prescript normative constraints on automated decision-making systems, such as: privacy- preserving technologies (PETs), explainable artificial intelligence techniques (XAI), fair machine learning (FML), and hate speech and disinformation detection systems (OHS). The AI Act is relying on such prescriptive technologies to perform “value-alignment” between automated decision-making systems and European fundamental rights (which is obviously of the utmost importance). It is in this way that technologists—whether scientist or humanist or both—are becoming the watchmen of European fundamental rights. However, these are highly specialized fields that take focused study to understand even a portion of what is being recommended as fundamental rights ensuring. The information asymmetry between experts in the field and those traditionally engaged in legal interpretation (and let us not forget voters), raises the age-old question of who is watching the watchmen themselves? While some critical analysis of these technologies has been conducted, much remains unexplored. Questions like these about digital constitutionalism and the EU Digital Strategy will be considered throughout the manuscript. But the main theme will be to develop a set of “rules for the rules” applied to the “code as law” tradition, specifically focusing on the debiasing tools of algorithmic discrimination and fairness as a case study. Such rules for the rules are especially important given the threat of an algorithmic Leviathan.
Soumia El Mestari: Threats to Data Privacy in Machine Learning: Legal and Technical Research Focused on Membership inference Attacks
This work systematically discusses the risks against data protection in modern Machine Learning systems taking the original perspective of the data owners, who are those who hold the various data sets, data models, or both, throughout the machine learning life cycle and considering the different Machine Learning architectures. It argues that the origin of the threats, the risks against the data, and the level of protection offered by PETs depend on the data processing phase, the role of the parties involved, and the architecture where the machine learning systems are deployed. By offering a framework in which to discuss privacy and confidentiality risks for data owners and by identifying and assessing privacy-preserving countermeasures for machine learning, this work could facilitate the discussion about compliance with EU regulations and directives. We discuss current challenges and research questions that are still unsolved in the field. In this respect, this paper provides researchers and developers working on machine learning with a comprehensive body of knowledge to let them advance in the science of data protection in machine learning field as well as in closely related fields such as Artificial Intelligence.
This research will propose a new approach to protect against risks related to personal data exploitation, drawing a methodology for the implementation of data management and analytics in edge computing and serverless offerings in considering privacy properties to modulate the prevention of risks and promotion of innovation. In addition, it will establish AI-driven processes to increase the user’s ability to define in a more accurate way both his offerings in edge computing environments and the data management and analytics as regards the protection of her/his privacy; draw the architecture in terms of data governance and analytics linked with the resource resources management on such dynamic environments.
n the era of immense data accumulation in the healthcare sector, effective data management is becoming increasingly relevant in two domains: data empowerment and personalisation. As healthcare shifts towards personalized and precision medicine, prognostic tools that stem from robust modeling of healthcare data, while remaining compliant with privacy regulations and the four pillars of medical ethics (Autonomy, Beneficence, Non-maleficence and Justice) are lacking. The following thesis assesses the principles that the design of health data storage and processing should adhere to through the prism of personal information management systems (PIMS). PIMS enable decentralized data processing, while adhering to data minimization and allowing for control of data exposure to third parties, hence enhancing privacy and patient autonomy. We propose a system where data is processed in a decentralized fashion, providing actionable recommendations to the user through risk stratification and causal inference modeling of health data sourced from electronic health records and IoT devices. Through an interoperable personal information management system, previously fragmented data which can be variably sourced and present with inconsistencies can be integrated into one system consistent with the EHDS, and as such data processing can proceed more accurately. When attempting to design clinically actionable healthcare analytics and prognostic tools, one of the main issues arising through current risk stratification models is the lack of actionable recommendations that are deeply rooted to pathologies analyzed. We therefore compare whether causal inference models derived from existing literature and known causal pathways can provide equally accurate predictions to risk stratification models when medical outcomes are known. This would allow for explainable and actionable outcomes, as physicians are reluctant to act upon “black box” recommendations due to medical liabilities and patients are less likely to be compliant to unexplained recommendations, rendering them less effective when translated to the clinic. Simulated datasets based on different types of data collected are analyzed according to risk stratification and causal inference models in order to infer potential recommendations. Different methodologies of risk stratification and causal inference are assessed and compared in order to find the optimal model that will function as a source of recommendations. Finally, we propose a holistic model under which the user is fully empowered to share data, analytics and metadata derived from this data management system with doctors, hospitals and researchers respectively with recommendations that are designed to be explainable and actionable.
does not lose its relevance, but on the contrary is gaining momentum. One of the frequently proposed models was the concept of data ownership, which, after being abandoned, seemed scientifically unattractive for a while, but now continues to be discussed among legal scholars and policymakers. Today, a fresh perspective on the data ownership is essential, placing the greatest emphasis on personal data ownership in order to empower data subjects and expand their capabilities and control. In this area, the practical side and the improvements that individuals and companies with an awareness of data ownership can get are significant. When it comes to the boundaries of data ownership, first of all it is necessary to look at the existing gaps and problems “from the inside”, and find out what is generally considered problematic for the data subject itself? What are the expectations of the data subjects themselves? What level of control over their data do they consider acceptable and sufficient? Along with efforts to find answers to these pressing questions, there is an obvious need to provide suggestions for improving the level and quality of personal data management, which could be satisfactory for data subjects. The issues of privacy, access to data, as well as the ability to use and benefit from their data by individuals can not be overlooked. In this regard, an analysis of provisions of the Data Act Proposal is to be done, as well as consideration of the data ownership approach as artifact as exchange. Scientific research has been relatively little developed regarding individuals’ perception of the value of their own data, while this provides new opportunities and makes it valuable for the possibility of understanding the views and needs of data subjects.
Data is a crucial resource that plays an essential role in the economy and society. Yet, due to market failures, data has been often treated as a commodity and held in silos by a few actors, often large companies. In light of recent developments, there have been talks about transferring data from exclusive control of certain groups to making it accessible for public use. The European Union has taken a step in this direction by introducing the “European Data Strategy”, a set of rules and regulations that amongst other objectives, also aimed at making it easier for stakeholders to share data among themselves and with governments. However, this regulatory framework which includes different modalities of business-to-government data sharing is fairly new and the synergy between them is still yet to be seen since many of them may overlap and have possible contradictions.
proposal, with a specific focus on its secondary use framework and the implications of transparency requirements of the General Data Protection Regulation (GDPR). The research delves into the intricate intersection of EHDS provisions, GDPR transparency requirements, and the proportionality principle. In this context, whether a rights-based approach to privacy regulation still suffices to address the challenges triggered by new data processing techniques such as secondary use of data will be discovered. GDPR’s rights-based approach grants individuals a set of rights and obligation to offer transparency is one of them. However, it is highly unclear how these rights could be able to employ by data subjects under EHDS secondary use framework.
Health data is sensitive and sharing it could have many risks, which is especially true for genetic data. One’s genome might also indicate physical or health risks that could be used for more personalized healthcare or personalized insurance premiums. These risks affect not only the individual who has initially consented to the collection and sharing, but also those who may be identified from the DNA, such as genetic relatives or those who share a genetic mutation. How can relevant individuals come together to consent to genetic data sharing? Collective consent stems from indigenous bioethics where indigenous tribes fought for their right to consent to biomedical research as a community, not just as individuals. It has been used in research partnerships with indigenous groups to improve stakeholder involvement instead of treating indigenous populations as test subjects. Though it has been proposed, no digital collective consent (wherein multiple individuals consent in different via different governance structures such as families or tribal leader) exists for the general public. Challenges span legal-ethical issues and technical properties such as transparency and usability. In order to build collective digital consent to meaningfully address real world challenges, this work uses genetic data sharing as a use case to better understand what tools and methods can enhance a user-friendly, transparent, and legal-ethically aware collective consent. I conducted a theoretical and empirical study on collective consent processes for health data sharing. First, we explored the privacy and biomedical gaps in collective consent, as it has not been implemented widely outside of indigenous populations. Then I surveyed user goals and attitudes towards engaging elements within different consent mediums, then I analyzed the transparency and user-relevancy of policies from notable DTC genetic testing companies to find gaps in. Last, I validated the framework for transparent, user-centered collective consent with a use-case with a company in Norway.
Mitisha Gaur: Re-Imagining the Interplay Between Technical Standards, Compliances and Legal Requirements in AI Systems Employed in Adjudication Environments Affecting Individual Rights
Data portability is a key instrument to realize the EU policy vision on data governance. Because it allows for data sharing and re-use through forms of access control, it has the power to benefit all players while adequately protecting their rights. Regrettably, economic, legal, and technical issues have hindered the development of information exchange systems supporting data portability. To create platforms and tools for data portability, developers need that emerging expertise of “legal engineers” identifies the legal requirements, to make sure that users, consumers, and “prosumers” can enjoy their rights securely, effectively, and without infringing others’ rights and legitimate interests. This research aims at finding such legal requirements inside the actual, dynamic wave of EU legislation on the issues of data governance (including data sharing, access, control, re-usability), competition in digital markets and provision of digital services. This quest for legal requirements moves beyond black letter law, leveraging case law development, as well as European and national relevant authorities’ guidance. The goal is to clarify what is requested to developers of portability services and personal data controllers in terms of implementable organizational and technical measures. This clarification effort uses established methods of requirements engineering elicitation and documentation, and is carried out with the use of relational databases. It is coordinated with the mapping of relevant ISO standards (most importantly, ISO/IEC 27701), and further evaluated for compatibility with the elicited requirements in a loop that potentially leads to guidelines for either reform or implementation. Lastly, this work provides a list of technical solutions as individuated by relevant authorities, case law and field experts.
websites ask us to create a new digital identity or log in using a big platform, we do not know what happens to our data. That is why experts and governments are working on creating a safe and trustworthy digital identity. This identity would let anyone file taxes, rent a car, or prove their financial income easily and privately. This new digital identity is called Self-Sovereign Identity (SSI). In our work, we propose an SSI-based model to evaluate different identity options and we then prove our model value on the European identity framework.
In this special edition series of blog posts, we are excited to present the PhD abstracts of our 15 Early Stage Researchers (ESRs). Each ESR has not only contributed to the interdisciplinary research within the LeADS project and its four Crossroads but has also pursued their own individual research within the scope of their PhD thesis.
Qifan Yang: Reciprocal interplay between personal data protection under the GDPR and market competition in the data-driven society.
Data processing and AI-based techniques are now widely used in multiple sectors, including business, sociology, healthcare, mobility, research, etc. Moreover, companies and public organizations have produced and/or collected various types of data which today are stored in data silos that need to be integrated to build a data economy that drives innovation. Such data spaces should involve different stakeholders in collaborative data processing including distributed data life cycle as well as decentralized data governance. Naturally, when several systems are interconnected to carry out each step of the data life cycle, this data life cycle can be defined as distributed. When multiple entities manage data governance, this type of data governance is called decentralized data governance. Collaborative data processing raises several issues and challenges, especially, ensuring the reliability of distributed systems, trust in the decentralized governance of data processing, and compliance with legal requirements concerning data processing. Data quality plays a central role in these challenges to create a data economy. Data quality evaluation is a potential indicator to enhance the reliability, trust, and legal compliance of shared data across collaborative data processing. The main contribution of my research will respond to questions such as: are data governance stakeholders able to make the right decisions to maintain data quality? What are the data quality criteria that can be used to assess trust in all data governance stakeholders based on their actions and decisions? What are the data quality criteria pertinent to data governance? Then, how to assess the reliability of all components in distributed systems, i.e. the ability of each component to perform correctly and not degrade the quality of the data? How to create data quality contracts at each step of the data life cycle based on appropriate data quality criteria? Finally, how do we respond to the fact that there is no existing work that categorizes data quality criteria according to different EU regulations, such as the GDPR, the Data Act, or the Data Governance Act?